1. 30 May, 2018 40 commits
    • Geert Uytterhoeven's avatar
      serial: fsl_lpuart: Fix out-of-bounds access through DT alias · f213d3f9
      Geert Uytterhoeven authored
      [ Upstream commit ffab87fd ]
      
      The lpuart_ports[] array is indexed using a value derived from the
      "serialN" alias in DT, which may lead to an out-of-bounds access.
      
      Fix this by adding a range check.
      
      Fixes: c9e2e946 ("tty: serial: add Freescale lpuart driver support")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f213d3f9
    • Geert Uytterhoeven's avatar
      serial: imx: Fix out-of-bounds access through serial port index · 25c19968
      Geert Uytterhoeven authored
      [ Upstream commit 56734448 ]
      
      The imx_ports[] array is indexed using a value derived from the
      "serialN" alias in DT, or from platform data, which may lead to an
      out-of-bounds access.
      
      Fix this by adding a range check.
      
      Fixes: ff05967a ("serial/imx: add of_alias_get_id() reference back")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25c19968
    • Geert Uytterhoeven's avatar
      serial: mxs-auart: Fix out-of-bounds access through serial port index · 8b8a30d0
      Geert Uytterhoeven authored
      [ Upstream commit dd345a31 ]
      
      The auart_port[] array is indexed using a value derived from the
      "serialN" alias in DT, or from platform data, which may lead to an
      out-of-bounds access.
      
      Fix this by adding a range check.
      
      Fixes: 1ea6607d ("serial: mxs-auart: Allow device tree probing")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b8a30d0
    • Geert Uytterhoeven's avatar
      serial: samsung: Fix out-of-bounds access through serial port index · 8b8e8559
      Geert Uytterhoeven authored
      [ Upstream commit 49ee23b7 ]
      
      The s3c24xx_serial_ports[] array is indexed using a value derived from
      the "serialN" alias in DT, or from an incrementing probe index, which
      may lead to an out-of-bounds access.
      
      Fix this by adding a range check.
      
      Note that the array size is defined by a Kconfig symbol
      (CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
      a legitimate DTB or legitimate board code.
      
      Fixes: 13a9f6c6 ("serial: samsung: Consider DT alias when probing ports")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b8e8559
    • Geert Uytterhoeven's avatar
      serial: xuartps: Fix out-of-bounds access through DT alias · 6ba58eaf
      Geert Uytterhoeven authored
      [ Upstream commit e7d75e18 ]
      
      The cdns_uart_port[] array is indexed using a value derived from the
      "serialN" alias in DT, which may lead to an out-of-bounds access.
      
      Fix this by adding a range check.
      
      Fixes: 928e9263 ("tty: xuartps: Initialize ports according to aliases")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ba58eaf
    • Colin Ian King's avatar
      rtc: tx4939: avoid unintended sign extension on a 24 bit shift · cf4c7b3a
      Colin Ian King authored
      [ Upstream commit 347876ad ]
      
      The shifting of buf[5] by 24 bits to the left will be promoted to
      a 32 bit signed int and then sign-extended to an unsigned long. If
      the top bit of buf[5] is set then all then all the upper bits sec
      end up as also being set because of the sign-extension. Fix this by
      casting buf[5] to an unsigned long before the shift.
      
      Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
      
      Fixes: 0e149233 ("rtc: add rtc-tx4939 driver")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf4c7b3a
    • Colin Ian King's avatar
      staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr · cc1cf4ac
      Colin Ian King authored
      [ Upstream commit e1a74185 ]
      
      Currently the allocation of priv->oldaddr is not null checked which will
      lead to subsequent errors when accessing priv->oldaddr.  Fix this with
      a null pointer check and a return of -ENOMEM on allocation failure.
      
      Detected with Coccinelle:
      drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
      possible model on line 1723
      
      Fixes: 8fc8598e ("Staging: Added Realtek rtl8192u driver to staging")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc1cf4ac
    • lionel.debieve@st.com's avatar
      hwrng: stm32 - add reset during probe · dbe213d8
      lionel.debieve@st.com authored
      [ Upstream commit 326ed382 ]
      
      Avoid issue when probing the RNG without
      reset if bad status has been detected previously
      Signed-off-by: default avatarLionel Debieve <lionel.debieve@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbe213d8
    • Govindarajulu Varadarajan's avatar
      enic: enable rq before updating rq descriptors · 6af8cf3c
      Govindarajulu Varadarajan authored
      [ Upstream commit e8588e26 ]
      
      rq should be enabled before posting the buffers to rq desc. If not hw sees
      stale value and casuses DMAR errors.
      Signed-off-by: default avatarGovindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6af8cf3c
    • Shawn Lin's avatar
      clk: rockchip: Prevent calculating mmc phase if clock rate is zero · 48337eb7
      Shawn Lin authored
      [ Upstream commit 4bf59902 ]
      
      The MMC sample and drv clock for rockchip platforms are derived from
      the bus clock output to the MMC/SDIO card. So it should never happens
      that the clk rate is zero given it should inherits the clock rate from
      its parent. If something goes wrong and makes the clock rate to be zero,
      the calculation would be wrong but may still make the mmc tuning process
      work luckily. However it makes people harder to debug when the following
      data transfer is unstable.
      Signed-off-by: default avatarShawn Lin <shawn.lin@rock-chips.com>
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48337eb7
    • Brad Love's avatar
      media: em28xx: USB bulk packet size fix · b2895b91
      Brad Love authored
      [ Upstream commit c7c7e8d7 ]
      
      Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
      packets, when run in VMWare virtual machines. Unknown if other
      manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
      
      According to documentation the maximum packet multiplier for em28xx in bulk
      transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
      to maximum supported value and have a bonus beneficial alignment.
      
      Before:
      
      After:
      
      This sets up USB to expect just as many bytes as the em28xx is set to emit.
      
      Successful usage under load afterwards natively and in both VMWare
      and KVM/Qemu virtual machines.
      Signed-off-by: default avatarBrad Love <brad@nextdimension.cc>
      Reviewed-by: default avatarMichael Ira Krufky <mkrufky@linuxtv.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2895b91
    • Qi Hou's avatar
      dmaengine: pl330: fix a race condition in case of threaded irqs · 1f8b9262
      Qi Hou authored
      [ Upstream commit a3ca8312 ]
      
      When booting up with "threadirqs" in command line, all irq handlers of the DMA
      controller pl330 will be threaded forcedly. These threads will race for the same
      list, pl330->req_done.
      
      Before the callback, the spinlock was released. And after it, the spinlock was
      taken. This opened an race window where another threaded irq handler could steal
      the spinlock and be permitted to delete entries of the list, pl330->req_done.
      
      If the later deleted an entry that was still referred to by the former, there would
      be a kernel panic when the former was scheduled and tried to get the next sibling
      of the deleted entry.
      
      The scenario could be depicted as below:
      
        Thread: T1  pl330->req_done  Thread: T2
            |             |              |
            |          -A-B-C-D-         |
          Locked          |              |
            |             |           Waiting
          Del A           |              |
            |          -B-C-D-           |
          Unlocked        |              |
            |             |           Locked
          Waiting         |              |
            |             |            Del B
            |             |              |
            |           -C-D-         Unlocked
          Waiting         |              |
            |
          Locked
            |
         get C via B
            \
             - Kernel panic
      
      The kernel panic looked like as below:
      
      Unable to handle kernel paging request at virtual address dead000000000108
      pgd = ffffff8008c9e000
      [dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000
      Internal error: Oops: 96000044 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2
      Hardware name: Broadcom NS2 SVK (DT)
      task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000
      PC is at pl330_irq_handler+0x27c/0x390
      LR is at pl330_irq_handler+0x2a8/0x390
      pc : [<ffffff80084cb694>] lr : [<ffffff80084cb6c0>] pstate: 800001c5
      sp : ffffffc1f5ce3d00
      x29: ffffffc1f5ce3d00 x28: 0000000000000140
      x27: ffffffc1f5c530b0 x26: dead000000000100
      x25: dead000000000200 x24: 0000000000418958
      x23: 0000000000000001 x22: ffffffc1f5ccd668
      x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418
      x19: dead000000000060 x18: 0000000000000001
      x17: 0000000000000007 x16: 0000000000000001
      x15: ffffffffffffffff x14: ffffffffffffffff
      x13: ffffffffffffffff x12: 0000000000000000
      x11: 0000000000000001 x10: 0000000000000840
      x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338
      x7 : ffffff8008ce2020 x6 : 0000000000000000
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : dead000000000200 x2 : dead000000000100
      x1 : 0000000000000140 x0 : ffffffc1f5ccd590
      
      Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020)
      Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000)
      3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600
      3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998
      3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000
      3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0
      3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001
      3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8
      3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00
      3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000
      3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68
      3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80
      3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648
      3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00
      3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90
      3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0
      3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000
      3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8
      Call trace:
      Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60)
      3b20:                                   dead000000000060 0000008000000000
      3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88
      3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4
      3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc
      3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000
      3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140
      3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000
      3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000
      3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff
      3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007
      [<ffffff80084cb694>] pl330_irq_handler+0x27c/0x390
      [<ffffff80080f09d0>] irq_forced_thread_fn+0x38/0x88
      [<ffffff80080f0d70>] irq_thread+0x140/0x200
      [<ffffff80080bf4f8>] kthread+0xd8/0xf0
      [<ffffff8008083690>] ret_from_fork+0x10/0x40
      Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443)
      ---[ end trace f50005726d31199c ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      SMP: stopping secondary CPUs
      SMP: failed to stop secondary CPUs 0-1
      Kernel Offset: disabled
      Memory Limit: none
      ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      
      To fix this, re-start with the list-head after dropping the lock then
      re-takeing it.
      Reviewed-by: default avatarFrank Mori Hess <fmh6jj@gmail.com>
      Tested-by: default avatarFrank Mori Hess <fmh6jj@gmail.com>
      Signed-off-by: default avatarQi Hou <qi.hou@windriver.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f8b9262
    • Arnd Bergmann's avatar
      media: s3c-camif: fix out-of-bounds array access · c9e62716
      Arnd Bergmann authored
      [ Upstream commit a398e043 ]
      
      While experimenting with older compiler versions, I ran
      into a warning that no longer shows up on gcc-4.8 or newer:
      
      drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
      drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
      
      This is an off-by-one bug, leading to an access before the start of the
      array, while newer compilers silently assume this undefined behavior
      cannot happen and leave the loop at index 0 if no other entry matches.
      
      As Sylvester explains, we actually need to ensure that the
      value is within the range, so this reworks the loop to be
      easier to parse correctly, and an additional check to fall
      back on the first format value for any unexpected input.
      
      I found an existing gcc bug for it and added a reduced version
      of the function there.
      
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
      Fixes: babde1c2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c9e62716
    • Brad Love's avatar
      media: cx23885: Set subdev host data to clk_freq pointer · e059f9f9
      Brad Love authored
      [ Upstream commit 5ceade1d ]
      
      Currently clk_freq is ignored entirely, because the cx235840 driver
      configures the xtal at the chip defaults. This is an issue if a
      board is produced with a non-default frequency crystal. If clk_freq
      is not zero the cx25840 will attempt to use the setting provided,
      or fall back to defaults otherwise.
      Signed-off-by: default avatarBrad Love <brad@nextdimension.cc>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e059f9f9
    • Brad Love's avatar
      media: cx23885: Override 888 ImpactVCBe crystal frequency · dfd5ad1f
      Brad Love authored
      [ Upstream commit 779c79d4 ]
      
      Hauppauge produced a revision of ImpactVCBe using an 888,
      with a 25MHz crystal, instead of using the default third
      overtone 50Mhz crystal. This overrides that frequency so
      that the cx25840 is properly configured. Without the proper
      crystal setup the cx25840 cannot load the firmware or
      decode video.
      Signed-off-by: default avatarBrad Love <brad@nextdimension.cc>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dfd5ad1f
    • Takashi Iwai's avatar
      ALSA: vmaster: Propagate slave error · 6eff7dc9
      Takashi Iwai authored
      [ Upstream commit 2e2c177c ]
      
      In slave_update() of vmaster code ignores the error from the slave
      get() callback and copies the values.  It's not only about the missing
      error code but also that this may potentially lead to a leak of
      uninitialized variables when the slave get() don't clear them.
      
      This patch fixes slave_update() not to copy the potentially
      uninitialized values when an error is returned from the slave get()
      callback, and to propagate the error value properly.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6eff7dc9
    • Ivan Gorinov's avatar
      x86/devicetree: Fix device IRQ settings in DT · cd425208
      Ivan Gorinov authored
      [ Upstream commit 0a5169ad ]
      
      IRQ parameters for the SoC devices connected directly to I/O APIC lines
      (without PCI IRQ routing) may be specified in the Device Tree.
      
      Called from DT IRQ parser, irq_create_fwspec_mapping() calls
      irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg.
      
      But x86-specific DT IRQ allocation code casts @arg to of_phandle_args
      structure pointer and crashes trying to read the IRQ parameters. The
      function was not converted when the mapping descriptor was changed to
      irq_fwspec in the generic irqdomain code.
      
      Fixes: 11e4438e ("irqdomain: Introduce a firmware-specific IRQ specifier structure")
      Signed-off-by: default avatarIvan Gorinov <ivan.gorinov@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.comSigned-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd425208
    • Ivan Gorinov's avatar
      x86/devicetree: Initialize device tree before using it · 5eed18d5
      Ivan Gorinov authored
      [ Upstream commit 628df9dc ]
      
      Commit 08d53aa5 added CRC32 calculation in early_init_dt_verify() and
      checking in late initcall of_fdt_raw_init(), making early_init_dt_verify()
      mandatory.
      
      The required call to early_init_dt_verify() was not added to the
      x86-specific implementation, causing failure to create the sysfs entry in
      of_fdt_raw_init().
      
      Fixes: 08d53aa5 ("of/fdt: export fdt blob as /sys/firmware/fdt")
      Signed-off-by: default avatarIvan Gorinov <ivan.gorinov@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.comSigned-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5eed18d5
    • Chris Dickens's avatar
      usb: gadget: composite: fix incorrect handling of OS desc requests · 825c1ae0
      Chris Dickens authored
      [ Upstream commit 5d6ae4f0 ]
      
      When handling an OS descriptor request, one of the first operations is
      to zero out the request buffer using the wLength from the setup packet.
      There is no bounds checking, so a wLength > 4096 would clobber memory
      adjacent to the request buffer. Fix this by taking the min of wLength
      and the request buffer length prior to the memset. While at it, define
      the buffer length in a header file so that magic numbers don't appear
      throughout the code.
      
      When returning data to the host, the data length should be the min of
      the wLength and the valid data we have to return. Currently we are
      returning wLength, thus requests for a wLength greater than the amount
      of data in the OS descriptor buffer would return invalid (albeit zero'd)
      data following the valid descriptor data. Fix this by counting the
      number of bytes when constructing the data and using this when
      determining the length of the request.
      Signed-off-by: default avatarChris Dickens <christopher.a.dickens@gmail.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      825c1ae0
    • Wolfram Sang's avatar
      usb: gadget: udc: change comparison to bitshift when dealing with a mask · 345c799a
      Wolfram Sang authored
      [ Upstream commit ac87e560 ]
      
      Due to a typo, the mask was destroyed by a comparison instead of a bit
      shift.
      Reported-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      345c799a
    • Andreas Gruenbacher's avatar
      gfs2: Fix fallocate chunk size · ad29babb
      Andreas Gruenbacher authored
      [ Upstream commit 174d1232 ]
      
      The chunk size of allocations in __gfs2_fallocate is calculated
      incorrectly.  The size can collapse, causing __gfs2_fallocate to
      allocate one block at a time, which is very inefficient.  This needs
      fixing in two places:
      
      In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate
      that there is no quota limit.  This fixes callers that rely on
      ap->allowed to be set even when quotas are off.
      
      In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the
      loop to make sure that allocation limits from one resource group won't
      spill over into another resource group.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad29babb
    • Maurizio Lombardi's avatar
      cdrom: do not call check_disk_change() inside cdrom_open() · 5e699836
      Maurizio Lombardi authored
      [ Upstream commit 2bbea6e1 ]
      
      when mounting an ISO filesystem sometimes (very rarely)
      the system hangs because of a race condition between two tasks.
      
      PID: 6766   TASK: ffff88007b2a6dd0  CPU: 0   COMMAND: "mount"
       #0 [ffff880078447ae0] __schedule at ffffffff8168d605
       #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49
       #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995
       #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef
       #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod]
       #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50
       #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3
       #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs]
       #8 [ffff880078447da8] mount_bdev at ffffffff81202570
       #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs]
      #10 [ffff880078447e28] mount_fs at ffffffff81202d09
      #11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f
      #12 [ffff880078447ea8] do_mount at ffffffff81220fee
      #13 [ffff880078447f28] sys_mount at ffffffff812218d6
      #14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49
          RIP: 00007fd9ea914e9a  RSP: 00007ffd5d9bf648  RFLAGS: 00010246
          RAX: 00000000000000a5  RBX: ffffffff81698c49  RCX: 0000000000000010
          RDX: 00007fd9ec2bc210  RSI: 00007fd9ec2bc290  RDI: 00007fd9ec2bcf30
          RBP: 0000000000000000   R8: 0000000000000000   R9: 0000000000000010
          R10: 00000000c0ed0001  R11: 0000000000000206  R12: 00007fd9ec2bc040
          R13: 00007fd9eb6b2380  R14: 00007fd9ec2bc210  R15: 00007fd9ec2bcf30
          ORIG_RAX: 00000000000000a5  CS: 0033  SS: 002b
      
      This task was trying to mount the cdrom.  It allocated and configured a
      super_block struct and owned the write-lock for the super_block->s_umount
      rwsem. While exclusively owning the s_umount lock, it called
      sr_block_ioctl and waited to acquire the global sr_mutex lock.
      
      PID: 6785   TASK: ffff880078720fb0  CPU: 0   COMMAND: "systemd-udevd"
       #0 [ffff880078417898] __schedule at ffffffff8168d605
       #1 [ffff880078417900] schedule at ffffffff8168dc59
       #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605
       #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838
       #4 [ffff8800784179d0] down_read at ffffffff8168cde0
       #5 [ffff8800784179e8] get_super at ffffffff81201cc7
       #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de
       #7 [ffff880078417a40] flush_disk at ffffffff8123a94b
       #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50
       #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom]
      #10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod]
      #11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86
      #12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65
      #13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b
      #14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7
      #15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf
      #16 [ffff880078417d00] do_last at ffffffff8120d53d
      #17 [ffff880078417db0] path_openat at ffffffff8120e6b2
      #18 [ffff880078417e48] do_filp_open at ffffffff8121082b
      #19 [ffff880078417f18] do_sys_open at ffffffff811fdd33
      #20 [ffff880078417f70] sys_open at ffffffff811fde4e
      #21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49
          RIP: 00007f29438b0c20  RSP: 00007ffc76624b78  RFLAGS: 00010246
          RAX: 0000000000000002  RBX: ffffffff81698c49  RCX: 0000000000000000
          RDX: 00007f2944a5fa70  RSI: 00000000000a0800  RDI: 00007f2944a5fa70
          RBP: 00007f2944a5f540   R8: 0000000000000000   R9: 0000000000000020
          R10: 00007f2943614c40  R11: 0000000000000246  R12: ffffffff811fde4e
          R13: ffff880078417f78  R14: 000000000000000c  R15: 00007f2944a4b010
          ORIG_RAX: 0000000000000002  CS: 0033  SS: 002b
      
      This task tried to open the cdrom device, the sr_block_open function
      acquired the global sr_mutex lock. The call to check_disk_change()
      then saw an event flag indicating a possible media change and tried
      to flush any cached data for the device.
      As part of the flush, it tried to acquire the super_block->s_umount
      lock associated with the cdrom device.
      This was the same super_block as created and locked by the previous task.
      
      The first task acquires the s_umount lock and then the sr_mutex_lock;
      the second task acquires the sr_mutex_lock and then the s_umount lock.
      
      This patch fixes the issue by moving check_disk_change() out of
      cdrom_open() and let the caller take care of it.
      Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e699836
    • Guenter Roeck's avatar
      hwmon: (pmbus/adm1275) Accept negative page register values · 0bd0d4ff
      Guenter Roeck authored
      [ Upstream commit ecb29abd ]
      
      A negative page register value means that no page needs to be
      selected. This is used by status register read operations and needs
      to be accepted. The failure to do so so results in missed status
      and limit registers.
      
      Fixes: da8e48ab ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bd0d4ff
    • Guenter Roeck's avatar
      hwmon: (pmbus/max8688) Accept negative page register values · 770d3ead
      Guenter Roeck authored
      [ Upstream commit a46f8cd6 ]
      
      A negative page register value means that no page needs to be
      selected. This is used by status register evaluations and needs
      to be accepted.
      
      Fixes: da8e48ab ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      770d3ead
    • Peter Zijlstra's avatar
      perf/core: Fix perf_output_read_group() · 9a1dcfb8
      Peter Zijlstra authored
      [ Upstream commit 9e5b127d ]
      
      Mark reported his arm64 perf fuzzer runs sometimes splat like:
      
        armv8pmu_read_counter+0x1e8/0x2d8
        armpmu_event_update+0x8c/0x188
        armpmu_read+0xc/0x18
        perf_output_read+0x550/0x11e8
        perf_event_read_event+0x1d0/0x248
        perf_event_exit_task+0x468/0xbb8
        do_exit+0x690/0x1310
        do_group_exit+0xd0/0x2b0
        get_signal+0x2e8/0x17a8
        do_signal+0x144/0x4f8
        do_notify_resume+0x148/0x1e8
        work_pending+0x8/0x14
      
      which asserts that we only call pmu::read() on ACTIVE events.
      
      The above callchain does:
      
        perf_event_exit_task()
          perf_event_exit_task_context()
            task_ctx_sched_out() // INACTIVE
            perf_event_exit_event()
              perf_event_set_state(EXIT) // EXIT
              sync_child_event()
                perf_event_read_event()
                  perf_output_read()
                    perf_output_read_group()
                      leader->pmu->read()
      
      Which results in doing a pmu::read() on an !ACTIVE event.
      
      I _think_ this is 'new' since we added attr.inherit_stat, which added
      the perf_event_read_event() to the exit path, without that
      perf_event_read_output() would only trigger from samples and for
      @event to trigger a sample, it's leader _must_ be ACTIVE too.
      
      Still, adding this check makes it consistent with the @sub case for
      the siblings.
      Reported-and-Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a1dcfb8
    • Ranjani Sridharan's avatar
      ASoC: topology: create TLV data for dapm widgets · f8eb1df0
      Ranjani Sridharan authored
      [ Upstream commit bde8b388 ]
      
      This patch adds the change required to create the TLV data
      for dapm widget kcontrols from topology. This also fixes the following
      TLV read error shown in amixer while showing the card control contents.
      "amixer: Control hw:1 element TLV read error: No such device or address"
      Signed-off-by: default avatarRanjani Sridharan <ranjani.sridharan@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8eb1df0
    • Mathieu Malaterre's avatar
      powerpc: Add missing prototype for arch_irq_work_raise() · fd03df45
      Mathieu Malaterre authored
      [ Upstream commit f5246862 ]
      
      In commit 4f8b50bb ("irq_work, ppc: Fix up arch hooks") a new
      function arch_irq_work_raise() was added without a prototype in header
      irq_work.h.
      
      Fix the following warning (treated as error in W=1):
        arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
      Signed-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd03df45
    • Lars-Peter Clausen's avatar
      usb: gadget: ffs: Execute copy_to_user() with USER_DS set · aa8141da
      Lars-Peter Clausen authored
      [ Upstream commit 4058ebf3 ]
      
      When using a AIO read() operation on the function FS gadget driver a URB is
      submitted asynchronously and on URB completion the received data is copied
      to the userspace buffer associated with the read operation.
      
      This is done from a kernel worker thread invoking copy_to_user() (through
      copy_to_iter()). And while the user space process memory is made available
      to the kernel thread using use_mm(), some architecture require in addition
      to this that the operation runs with USER_DS set. Otherwise the userspace
      memory access will fail.
      
      For example on ARM64 with Privileged Access Never (PAN) and User Access
      Override (UAO) enabled the following crash occurs.
      
      	Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP
      	Modules linked in:
      	CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487
      	Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
      	Workqueue: events ffs_user_copy_worker
      	task: ffffffc87afc8080 task.stack: ffffffc87a00c000
      	PC is at __arch_copy_to_user+0x190/0x220
      	LR is at copy_to_iter+0x78/0x3c8
      	[...]
      	[<ffffff800847b790>] __arch_copy_to_user+0x190/0x220
      	[<ffffff80086f25d8>] ffs_user_copy_worker+0x70/0x130
      	[<ffffff80080b8c64>] process_one_work+0x1dc/0x460
      	[<ffffff80080b8f38>] worker_thread+0x50/0x4b0
      	[<ffffff80080bf5a0>] kthread+0xd8/0xf0
      	[<ffffff8008083680>] ret_from_fork+0x10/0x50
      
      Address this by placing a set_fs(USER_DS) before of the copy operation
      and revert it again once the copy operation has finished.
      
      This patch is analogous to commit d7ffde35 ("vhost: use USER_DS in
      vhost_worker thread") which addresses the same underlying issue.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa8141da
    • Lars-Peter Clausen's avatar
      usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS · 3fb5102f
      Lars-Peter Clausen authored
      [ Upstream commit 946ef68a ]
      
      Some UDC drivers (like the DWC3) expect that the response to a setup()
      request is queued from within the setup function itself so that it is
      available as soon as setup() has completed.
      
      Upon receiving a setup request the function fs driver creates an event that
      is made available to userspace. And only once userspace has acknowledged
      that event the response to the setup request is queued.
      
      So it violates the requirement of those UDC drivers and random failures can
      be observed. This is basically a race condition and if userspace is able to
      read the event and queue the response fast enough all is good. But if it is
      not, for example because other processes are currently scheduled to run,
      the USB host that sent the setup request will observe an error.
      
      To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
      return code. If a setup() callback returns this value the UDC driver is
      aware that response is not yet available and can uses the appropriate
      methods to handle this case.
      
      Since in the case of function fs the response will never be available when
      the setup() function returns make sure that this status code is used.
      
      This fixed random occasional failures that were previously observed on a
      DWC3 based system under high system load.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3fb5102f
    • Grigor Tovmasyan's avatar
      usb: dwc2: Fix interval type issue · 18f31bd0
      Grigor Tovmasyan authored
      [ Upstream commit 12814a3f ]
      
      The maximum value that unsigned char can hold is 255, meanwhile
      the maximum value of interval is  2^(bIntervalMax-1)=2^15.
      Signed-off-by: default avatarGrigor Tovmasyan <tovmasya@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18f31bd0
    • Kamlakant Patel's avatar
      ipmi_ssif: Fix kernel panic at msg_done_handler · b066c9b1
      Kamlakant Patel authored
      [ Upstream commit f002612b ]
      
      This happens when BMC doesn't return any data and the code is trying
      to print the value of data[2].
      
      Getting following crash:
      [  484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002
      [  484.736496] pgd = ffff0000094a2000
      [  484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000
      [  484.748158] Internal error: Oops: 96000005 [#1] SMP
      [...]
      [  485.101451] Call trace:
      [...]
      [  485.188473] [<ffff000000a46e68>] msg_done_handler+0x668/0x700 [ipmi_ssif]
      [  485.195249] [<ffff000000a456b8>] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif]
      [  485.202038] [<ffff0000080f1430>] kthread+0x108/0x138
      [  485.206994] [<ffff0000080838e0>] ret_from_fork+0x10/0x30
      [  485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3)
      
      Adding a check to validate the data len before printing data[2] to fix this issue.
      Signed-off-by: default avatarKamlakant Patel <kamlakant.patel@cavium.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b066c9b1
    • Rafael J. Wysocki's avatar
      PCI: Restore config space on runtime resume despite being unbound · 17369d7e
      Rafael J. Wysocki authored
      [ Upstream commit 5775b843 ]
      
      We leave PCI devices not bound to a driver in D0 during runtime suspend.
      But they may have a parent which is bound and can be transitioned to
      D3cold at runtime.  Once the parent goes to D3cold, the unbound child
      may go to D3cold as well.  When the child goes to D3cold, its internal
      state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
      
      One example are recent hybrid graphics laptops which cut power to the
      discrete GPU when the root port above it goes to ACPI power state D3.
      Users may provoke this by unbinding the GPU driver and allowing runtime
      PM on the GPU via sysfs:  The PM core will then treat the GPU as
      "suspended", which in turn allows the root port to runtime suspend,
      causing the power resources listed in its _PR3 object to be powered off.
      The GPU's BARs will be uninitialized when a driver later probes it.
      
      Another example are hybrid graphics laptops where the GPU itself (rather
      than the root port) is capable of runtime suspending to D3cold.  If the
      GPU's integrated HDA controller is not bound and the GPU's driver
      decides to runtime suspend to D3cold, the HDA controller's BARs will be
      uninitialized when a driver later probes it.
      
      Fix by saving and restoring config space over a runtime suspend cycle
      even if the device is not bound.
      Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Tested-by: Peter Wu <peter@lekensteyn.nl>              # Nvidia Optimus
      Tested-by: Lukas Wunner <lukas@wunner.de>              # MacBook Pro
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      [lukas: add commit message, bikeshed code comments for clarity]
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.deSigned-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17369d7e
    • Mathias Kresin's avatar
      MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset · 6ab31bbf
      Mathias Kresin authored
      [ Upstream commit 05454c1b ]
      
      According to the QCA u-boot source the "PCIE Phase Lock Loop
      Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
      QCA955X and QCA956X at offset 0x10.
      
      Since the PCIE PLL config register is only defined for the AR724x fix
      only this value. The value is wrong since the day it was added and isn't
      used by any driver yet.
      Signed-off-by: default avatarMathias Kresin <dev@kresin.me>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16048/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ab31bbf
    • Mathias Nyman's avatar
      xhci: zero usb device slot_id member when disabling and freeing a xhci slot · 36f64085
      Mathias Nyman authored
      [ Upstream commit a400efe4 ]
      
      set udev->slot_id to zero when disabling and freeing the xhci slot.
      Prevents usb core from calling xhci with a stale slot id.
      
      xHC controller may be reset during resume to recover from some error.
      All slots are unusable as they are disabled and freed.
      xhci driver starts slot enumeration again from 1 in the order they are
      enabled. In the worst case a stale udev->slot_id for one device matches
      a newly enabled slot_id for a different device, causing us to
      perform a action on the wrong device.
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36f64085
    • Vitaly Kuznetsov's avatar
      KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use · 462558ae
      Vitaly Kuznetsov authored
      [ Upstream commit 0bcc3fb9 ]
      
      Devices which use level-triggered interrupts under Windows 2016 with
      Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
      unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
      version which has no EOI register so EOI never happens.
      
      The issue was discovered and discussed a while ago:
      https://www.spinics.net/lists/kvm/msg148098.html
      
      While this is a guest OS bug (it should check that IOAPIC has the required
      capabilities before disabling EOI broadcast) we can workaround it in KVM:
      advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      462558ae
    • Gregory CLEMENT's avatar
      i2c: mv64xxx: Apply errata delay only in standard mode · 82eac614
      Gregory CLEMENT authored
      [ Upstream commit 31184d8c ]
      
      The errata FE-8471889 description has been updated. There is still a
      timing violation for repeated start. But the errata now states that it
      was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
      there is no issue.
      
      This patch limit the errata fix to the Standard mode.
      
      It has been tesed successfully on the clearfog (Aramda 388 based board).
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82eac614
    • Seunghun Han's avatar
      ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c · dfcb739c
      Seunghun Han authored
      [ Upstream commit 97f3c0a4 ]
      
      I found an ACPI cache leak in ACPI early termination and boot continuing case.
      
      When early termination occurs due to malicious ACPI table, Linux kernel
      terminates ACPI function and continues to boot process. While kernel terminates
      ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
      
      Boot log of ACPI operand cache leak is as follows:
      >[    0.464168] ACPI: Added _OSI(Module Device)
      >[    0.467022] ACPI: Added _OSI(Processor Device)
      >[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
      >[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
      >[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.497683] ACPI: Interpreter enabled
      >[    0.499385] ACPI: (supports S0)
      >[    0.501151] ACPI: Using IOAPIC for interrupt routing
      >[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
      >[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
      >[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
      >[    0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
      >[    0.529668] Call Trace:
      >[    0.530811]  ? dump_stack+0x5c/0x81
      >[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
      >[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
      >[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
      >[    0.537237]  ? acpi_terminate+0xa/0x14
      >[    0.538701]  ? acpi_init+0x2af/0x34f
      >[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
      >[    0.541593]  ? do_one_initcall+0x4e/0x1a0
      >[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
      >[    0.546202]  ? rest_init+0x80/0x80
      >[    0.547513]  ? kernel_init+0xa/0x100
      >[    0.548817]  ? ret_from_fork+0x25/0x30
      >[    0.550587] vgaarb: loaded
      >[    0.551716] EDAC MC: Ver: 3.0.0
      >[    0.553744] PCI: Probing PCI hardware
      >[    0.555038] PCI host bridge to bus 0000:00
      > ... Continue to boot and log is omitted ...
      
      I analyzed this memory leak in detail and found acpi_ns_evaluate() function
      only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
      occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
      also not null. Therefore, this causes acpi operand memory leak.
      
      This cache leak causes a security threat because an old kernel (<= 4.9) shows
      memory locations of kernel functions in stack dump. Some malicious users
      could use this information to neutralize kernel ASLR.
      
      I made a patch to fix ACPI operand cache leak.
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dfcb739c
    • Erik Schmauss's avatar
      ACPICA: Events: add a return on failure from acpi_hw_register_read · 0170c505
      Erik Schmauss authored
      [ Upstream commit b4c0de31 ]
      
      This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
      and and fixed_enable as uninitialized variables.
      Signed-off-by: default avatarErik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0170c505
    • Coly Li's avatar
      bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set · 7fb3ba30
      Coly Li authored
      [ Upstream commit fadd94e0 ]
      
      In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
      cached_dev_get() is called when creating dc->writeback_thread, and
      cached_dev_put() is called when exiting dc->writeback_thread. This
      modification works well unless people detach the bcache device manually by
          'echo 1 > /sys/block/bcache<N>/bcache/detach'
      Because this sysfs interface only calls bch_cached_dev_detach() which wakes
      up dc->writeback_thread but does not stop it. The reason is, before patch
      "bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
      bch_writeback_thread(), if cache is not dirty after writeback,
      cached_dev_put() will be called here. And in cached_dev_make_request() when
      a new write request makes cache from clean to dirty, cached_dev_get() will
      be called there. Since we don't operate dc->count in these locations,
      refcount d->count cannot be dropped after cache becomes clean, and
      cached_dev_detach_finish() won't be called to detach bcache device.
      
      This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
      set inside bch_writeback_thread(). If this bit is set and cache is clean
      (no existing writeback_keys), break the while-loop, call cached_dev_put()
      and quit the writeback thread.
      
      Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the
      writeback thread should continue to perform writeback, this is the original
      design of manually detach.
      
      It is safe to do the following check without locking, let me explain why,
      +	if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
      +	    (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
      
      If the kenrel thread does not sleep and continue to run due to conditions
      are not updated in time on the running CPU core, it just consumes more CPU
      cycles and has no hurt. This should-sleep-but-run is safe here. We just
      focus on the should-run-but-sleep condition, which means the writeback
      thread goes to sleep in mistake while it should continue to run.
      1, First of all, no matter the writeback thread is hung or not,
         kthread_stop() from cached_dev_detach_finish() will wake up it and
         terminate by making kthread_should_stop() return true. And in normal
         run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
         condition
      	!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
         is always true and can be ignored as constant value.
      2, If one of the following conditions is true, the writeback thread should
         go to sleep,
         "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
         each of them independently controls the writeback thread should sleep or
         not, let's analyse them one by one.
      2.1 condition "!atomic_read(&dc->has_dirty)"
         If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
         call bch_writeback_queue() immediately or call bch_writeback_add() which
         indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
         wake_up_process(dc->writeback_thread) is called. It sets writeback
         thread's task state to TASK_RUNNING and following an implicit memory
         barrier, then tries to wake up the writeback thread.
         In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
         doing the condition check. If other CPU core sets the TASK_RUNNING state
         after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
         will be scheduled to run very soon because its state is not
         TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
         writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier
         of wake_up_process() will make sure modification of dc->has_dirty on
         other CPU core is updated and observed on the CPU core of writeback
         thread. Therefore the condition check will correctly be false, and
         continue writeback code without sleeping.
      2.2 condition "!dc->writeback_running)"
         dc->writeback_running can be changed via sysfs file, every time it is
         modified, a following bch_writeback_queue() is alwasy called. So the
         change is always observed on the CPU core of writeback thread. If
         dc->writeback_running is changed from 0 to 1 on other CPU core, this
         condition check will observe the modification and allow writeback
         thread to continue to run without sleeping.
      Now we can see, even without a locking protection, multiple conditions
      check is safe here, no deadlock or process hang up will happen.
      
      I compose a separte patch because that patch "bcache: fix cached_dev->count
      usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
      Reinecke. Also this fix is not trivial and good for a separate patch.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Reviewed-by: default avatarMichael Lyle <mlyle@lyle.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Huijun Tang <tang.junhui@zte.com.cn>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fb3ba30
    • Michael Schmitz's avatar
      zorro: Set up z->dev.dma_mask for the DMA API · ae90d151
      Michael Schmitz authored
      [ Upstream commit 55496d3f ]
      
      The generic DMA API uses dev->dma_mask to check the DMA addressable
      memory bitmask, and warns if no mask is set or even allocated.
      
      Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
      to point to z->dev.dma_coherent_mask so device drivers that need DMA have
      everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
      still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
      Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      [geert: Handle Zorro II with 24-bit address space]
      Acked-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae90d151