1. 01 Oct, 2020 40 commits
    • Jason Gunthorpe's avatar
      RDMA/cm: Remove a race freeing timewait_info · 851eba10
      Jason Gunthorpe authored
      [ Upstream commit bede86a3 ]
      
      When creating a cm_id during REQ the id immediately becomes visible to the
      other MAD handlers, and shortly after the state is moved to IB_CM_REQ_RCVD
      
      This allows cm_rej_handler() to run concurrently and free the work:
      
              CPU 0                                CPU1
       cm_req_handler()
        ib_create_cm_id()
        cm_match_req()
          id_priv->state = IB_CM_REQ_RCVD
                                             cm_rej_handler()
                                               cm_acquire_id()
                                               spin_lock(&id_priv->lock)
                                               switch (id_priv->state)
        					   case IB_CM_REQ_RCVD:
                                                  cm_reset_to_idle()
                                                   kfree(id_priv->timewait_info);
         goto destroy
        destroy:
          kfree(id_priv->timewait_info);
                                                   id_priv->timewait_info = NULL
      
      Causing a double free or worse.
      
      Do not free the timewait_info without also holding the
      id_priv->lock. Simplify this entire flow by making the free unconditional
      during cm_destroy_id() and removing the confusing special case error
      unwind during creation of the timewait_info.
      
      This also fixes a leak of the timewait if cm_destroy_id() is called in
      IB_CM_ESTABLISHED with an XRC TGT QP. The state machine will be left in
      ESTABLISHED while it needed to transition through IB_CM_TIMEWAIT to
      release the timewait pointer.
      
      Also fix a leak of the timewait_info if the caller mis-uses the API and
      does ib_send_cm_reqs().
      
      Fixes: a977049d ("[PATCH] IB: Add the kernel CM implementation")
      Link: https://lore.kernel.org/r/20200310092545.251365-4-leon@kernel.orgSigned-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      851eba10
    • Trond Myklebust's avatar
      nfsd: Don't add locks to closed or closing open stateids · 1ab250aa
      Trond Myklebust authored
      [ Upstream commit a451b123 ]
      
      In NFSv4, the lock stateids are tied to the lockowner, and the open stateid,
      so that the action of closing the file also results in either an automatic
      loss of the locks, or an error of the form NFS4ERR_LOCKS_HELD.
      
      In practice this means we must not add new locks to the open stateid
      after the close process has been invoked. In fact doing so, can result
      in the following panic:
      
       kernel BUG at lib/list_debug.c:51!
       invalid opcode: 0000 [#1] SMP NOPTI
       CPU: 2 PID: 1085 Comm: nfsd Not tainted 5.6.0-rc3+ #2
       Hardware name: VMware, Inc. VMware7,1/440BX Desktop Reference Platform, BIOS VMW71.00V.14410784.B64.1908150010 08/15/2019
       RIP: 0010:__list_del_entry_valid.cold+0x31/0x55
       Code: 1a 3d 9b e8 74 10 c2 ff 0f 0b 48 c7 c7 f0 1a 3d 9b e8 66 10 c2 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 b0 1a 3d 9b e8 52 10 c2 ff <0f> 0b 48 89 fe 4c 89 c2 48 c7 c7 78 1a 3d 9b e8 3e 10 c2 ff 0f 0b
       RSP: 0018:ffffb296c1d47d90 EFLAGS: 00010246
       RAX: 0000000000000054 RBX: ffff8ba032456ec8 RCX: 0000000000000000
       RDX: 0000000000000000 RSI: ffff8ba039e99cc8 RDI: ffff8ba039e99cc8
       RBP: ffff8ba032456e60 R08: 0000000000000781 R09: 0000000000000003
       R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ba009a4abe0
       R13: ffff8ba032456e8c R14: 0000000000000000 R15: ffff8ba00adb01d8
       FS:  0000000000000000(0000) GS:ffff8ba039e80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007fb213f0b008 CR3: 00000001347de006 CR4: 00000000003606e0
       Call Trace:
        release_lock_stateid+0x2b/0x80 [nfsd]
        nfsd4_free_stateid+0x1e9/0x210 [nfsd]
        nfsd4_proc_compound+0x414/0x700 [nfsd]
        ? nfs4svc_decode_compoundargs+0x407/0x4c0 [nfsd]
        nfsd_dispatch+0xc1/0x200 [nfsd]
        svc_process_common+0x476/0x6f0 [sunrpc]
        ? svc_sock_secure_port+0x12/0x30 [sunrpc]
        ? svc_recv+0x313/0x9c0 [sunrpc]
        ? nfsd_svc+0x2d0/0x2d0 [nfsd]
        svc_process+0xd4/0x110 [sunrpc]
        nfsd+0xe3/0x140 [nfsd]
        kthread+0xf9/0x130
        ? nfsd_destroy+0x50/0x50 [nfsd]
        ? kthread_park+0x90/0x90
        ret_from_fork+0x1f/0x40
      
      The fix is to ensure that lock creation tests for whether or not the
      open stateid is unhashed, and to fail if that is the case.
      
      Fixes: 659aefb6 ("nfsd: Ensure we don't recognise lock stateids after freeing them")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ab250aa
    • Alexandre Belloni's avatar
      rtc: ds1374: fix possible race condition · 142513a2
      Alexandre Belloni authored
      [ Upstream commit c11af813 ]
      
      The RTC IRQ is requested before the struct rtc_device is allocated,
      this may lead to a NULL pointer dereference in the IRQ handler.
      
      To fix this issue, allocating the rtc_device struct before requesting
      the RTC IRQ using devm_rtc_allocate_device, and use rtc_register_device
      to register the RTC device.
      
      Link: https://lore.kernel.org/r/20200306073404.56921-1-alexandre.belloni@bootlin.comSigned-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      142513a2
    • Alexandre Belloni's avatar
      rtc: sa1100: fix possible race condition · e934a66d
      Alexandre Belloni authored
      [ Upstream commit f2997775 ]
      
      Both RTC IRQs are requested before the struct rtc_device is allocated,
      this may lead to a NULL pointer dereference in the IRQ handler.
      
      To fix this issue, allocating the rtc_device struct before requesting
      the IRQs using devm_rtc_allocate_device, and use rtc_register_device
      to register the RTC device.
      
      Link: https://lore.kernel.org/r/20200306010146.39762-1-alexandre.belloni@bootlin.comSigned-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e934a66d
    • Stefan Berger's avatar
      tpm: ibmvtpm: Wait for buffer to be set before proceeding · abc5b427
      Stefan Berger authored
      [ Upstream commit d8d74ea3 ]
      
      Synchronize with the results from the CRQs before continuing with
      the initialization. This avoids trying to send TPM commands while
      the rtce buffer has not been allocated, yet.
      
      This patch fixes an existing race condition that may occurr if the
      hypervisor does not quickly respond to the VTPM_GET_RTCE_BUFFER_SIZE
      request sent during initialization and therefore the ibmvtpm->rtce_buf
      has not been allocated at the time the first TPM command is sent.
      
      Fixes: 132f7629 ("drivers/char/tpm: Add new device driver to support IBM vTPM")
      Signed-off-by: default avatarStefan Berger <stefanb@linux.ibm.com>
      Acked-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Tested-by: default avatarNayna Jain <nayna@linux.ibm.com>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      abc5b427
    • Dmitry Monakhov's avatar
      ext4: mark block bitmap corrupted when found instead of BUGON · ff331054
      Dmitry Monakhov authored
      [ Upstream commit eb576086 ]
      
      We already has similar code in ext4_mb_complex_scan_group(), but
      ext4_mb_simple_scan_group() still affected.
      
      Other reports: https://www.spinics.net/lists/linux-ext4/msg60231.htmlReviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Signed-off-by: default avatarDmitry Monakhov <dmonakhov@gmail.com>
      Link: https://lore.kernel.org/r/20200310150156.641-1-dmonakhov@gmail.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ff331054
    • Darrick J. Wong's avatar
      xfs: mark dir corrupt when lookup-by-hash fails · 7fff3f7f
      Darrick J. Wong authored
      [ Upstream commit 2e107cf8 ]
      
      In xchk_dir_actor, we attempt to validate the directory hash structures
      by performing a directory entry lookup by (hashed) name.  If the lookup
      returns ENOENT, that means that the hash information is corrupt.  The
      _process_error functions don't catch this, so we have to add that
      explicitly.
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fff3f7f
    • Darrick J. Wong's avatar
      xfs: don't ever return a stale pointer from __xfs_dir3_free_read · 6ab959f1
      Darrick J. Wong authored
      [ Upstream commit 1cb5deb5 ]
      
      If we decide that a directory free block is corrupt, we must take care
      not to leak a buffer pointer to the caller.  After xfs_trans_brelse
      returns, the buffer can be freed or reused, which means that we have to
      set *bpp back to NULL.
      
      Callers are supposed to notice the nonzero return value and not use the
      buffer pointer, but we should code more defensively, even if all current
      callers handle this situation correctly.
      
      Fixes: de14c5f5 ("xfs: verify free block header fields")
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6ab959f1
    • Colin Ian King's avatar
      media: tda10071: fix unsigned sign extension overflow · 7bf06146
      Colin Ian King authored
      [ Upstream commit a7463e2d ]
      
      The shifting of buf[3] by 24 bits to the left will be promoted to
      a 32 bit signed int and then sign-extended to an unsigned long. In
      the unlikely event that the the top bit of buf[3] is set then all
      then all the upper bits end up as also being set because of
      the sign-extension and this affect the ev->post_bit_error sum.
      Fix this by using the temporary u32 variable bit_error to avoid
      the sign-extension promotion. This also removes the need to do the
      computation twice.
      
      Addresses-Coverity: ("Unintended sign extension")
      
      Fixes: 267897a4 ("[media] tda10071: implement DVBv5 statistics")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7bf06146
    • Howard Chung's avatar
      Bluetooth: L2CAP: handle l2cap config request during open state · 8828622f
      Howard Chung authored
      [ Upstream commit 96298f64 ]
      
      According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5,
      the incoming L2CAP_ConfigReq should be handled during
      OPEN state.
      
      The section below shows the btmon trace when running
      L2CAP/COS/CFD/BV-12-C before and after this change.
      
      === Before ===
      ...
      > ACL Data RX: Handle 256 flags 0x02 dlen 12                #22
            L2CAP: Connection Request (0x02) ident 2 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      < ACL Data TX: Handle 256 flags 0x00 dlen 16                #23
            L2CAP: Connection Response (0x03) ident 2 len 8
              Destination CID: 64
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 256 flags 0x00 dlen 12                #24
            L2CAP: Configure Request (0x04) ident 2 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5      #25
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5      #26
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 16                #27
            L2CAP: Configure Request (0x04) ident 3 len 8
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00                                            ..
      < ACL Data TX: Handle 256 flags 0x00 dlen 18                #28
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      > HCI Event: Number of Completed Packets (0x13) plen 5      #29
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 14                #30
            L2CAP: Configure Response (0x05) ident 2 len 6
              Source CID: 64
              Flags: 0x0000
              Result: Success (0x0000)
      > ACL Data RX: Handle 256 flags 0x02 dlen 20                #31
            L2CAP: Configure Request (0x04) ident 3 len 12
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00 91 02 11 11                                ......
      < ACL Data TX: Handle 256 flags 0x00 dlen 14                #32
            L2CAP: Command Reject (0x01) ident 3 len 6
              Reason: Invalid CID in request (0x0002)
              Destination CID: 64
              Source CID: 65
      > HCI Event: Number of Completed Packets (0x13) plen 5      #33
              Num handles: 1
              Handle: 256
              Count: 1
      ...
      === After ===
      ...
      > ACL Data RX: Handle 256 flags 0x02 dlen 12               #22
            L2CAP: Connection Request (0x02) ident 2 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      < ACL Data TX: Handle 256 flags 0x00 dlen 16               #23
            L2CAP: Connection Response (0x03) ident 2 len 8
              Destination CID: 64
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 256 flags 0x00 dlen 12               #24
            L2CAP: Configure Request (0x04) ident 2 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5     #25
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5     #26
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 16               #27
            L2CAP: Configure Request (0x04) ident 3 len 8
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00                                            ..
      < ACL Data TX: Handle 256 flags 0x00 dlen 18               #28
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      > HCI Event: Number of Completed Packets (0x13) plen 5     #29
              Num handles: 1
              Handle: 256
              Count: 1
      > ACL Data RX: Handle 256 flags 0x02 dlen 14               #30
            L2CAP: Configure Response (0x05) ident 2 len 6
              Source CID: 64
              Flags: 0x0000
              Result: Success (0x0000)
      > ACL Data RX: Handle 256 flags 0x02 dlen 20               #31
            L2CAP: Configure Request (0x04) ident 3 len 12
              Destination CID: 64
              Flags: 0x0000
              Option: Unknown (0x10) [hint]
              01 00 91 02 11 11                                .....
      < ACL Data TX: Handle 256 flags 0x00 dlen 18               #32
            L2CAP: Configure Response (0x05) ident 3 len 10
              Source CID: 65
              Flags: 0x0000
              Result: Success (0x0000)
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 672
      < ACL Data TX: Handle 256 flags 0x00 dlen 12               #33
            L2CAP: Configure Request (0x04) ident 3 len 4
              Destination CID: 65
              Flags: 0x0000
      > HCI Event: Number of Completed Packets (0x13) plen 5     #34
              Num handles: 1
              Handle: 256
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5     #35
              Num handles: 1
              Handle: 256
              Count: 1
      ...
      Signed-off-by: default avatarHoward Chung <howardchung@google.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8828622f
    • Sagar Biradar's avatar
      scsi: aacraid: Disabling TM path and only processing IOP reset · ae5afc39
      Sagar Biradar authored
      [ Upstream commit bef18d30 ]
      
      Fixes the occasional adapter panic when sg_reset is issued with -d, -t, -b
      and -H flags.  Removal of command type HBA_IU_TYPE_SCSI_TM_REQ in
      aac_hba_send since iu_type, request_id and fib_flags are not populated.
      Device and target reset handlers are made to send TMF commands only when
      reset_state is 0.
      
      Link: https://lore.kernel.org/r/1581553771-25796-1-git-send-email-Sagar.Biradar@microchip.comReviewed-by: default avatarSagar Biradar <Sagar.Biradar@microchip.com>
      Signed-off-by: default avatarSagar Biradar <Sagar.Biradar@microchip.com>
      Signed-off-by: default avatarBalsundar P <balsundar.p@microsemi.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ae5afc39
    • Wen Gong's avatar
      ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read · 6854738c
      Wen Gong authored
      [ Upstream commit 402f2992 ]
      
      When use command to read values, it crashed.
      
      command:
      dd if=/sys/kernel/debug/ieee80211/phy0/ath10k/mem_value count=1 bs=4 skip=$((0x100233))
      
      It will call to ath10k_sdio_hif_diag_read with address = 0x4008cc and buf_len = 4.
      
      Then system crash:
      [ 1786.013258] Unable to handle kernel paging request at virtual address ffffffc00bd45000
      [ 1786.013273] Mem abort info:
      [ 1786.013281]   ESR = 0x96000045
      [ 1786.013291]   Exception class = DABT (current EL), IL = 32 bits
      [ 1786.013299]   SET = 0, FnV = 0
      [ 1786.013307]   EA = 0, S1PTW = 0
      [ 1786.013314] Data abort info:
      [ 1786.013322]   ISV = 0, ISS = 0x00000045
      [ 1786.013330]   CM = 0, WnR = 1
      [ 1786.013342] swapper pgtable: 4k pages, 39-bit VAs, pgdp = 000000008542a60e
      [ 1786.013350] [ffffffc00bd45000] pgd=0000000000000000, pud=0000000000000000
      [ 1786.013368] Internal error: Oops: 96000045 [#1] PREEMPT SMP
      [ 1786.013609] Process swapper/0 (pid: 0, stack limit = 0x0000000084b153c6)
      [ 1786.013623] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.86 #137
      [ 1786.013631] Hardware name: MediaTek krane sku176 board (DT)
      [ 1786.013643] pstate: 80000085 (Nzcv daIf -PAN -UAO)
      [ 1786.013662] pc : __memcpy+0x94/0x180
      [ 1786.013678] lr : swiotlb_tbl_unmap_single+0x84/0x150
      [ 1786.013686] sp : ffffff8008003c60
      [ 1786.013694] x29: ffffff8008003c90 x28: ffffffae96411f80
      [ 1786.013708] x27: ffffffae960d2018 x26: ffffff8019a4b9a8
      [ 1786.013721] x25: 0000000000000000 x24: 0000000000000001
      [ 1786.013734] x23: ffffffae96567000 x22: 00000000000051d4
      [ 1786.013747] x21: 0000000000000000 x20: 00000000fe6e9000
      [ 1786.013760] x19: 0000000000000004 x18: 0000000000000020
      [ 1786.013773] x17: 0000000000000001 x16: 0000000000000000
      [ 1786.013787] x15: 00000000ffffffff x14: 00000000000044c0
      [ 1786.013800] x13: 0000000000365ba4 x12: 0000000000000000
      [ 1786.013813] x11: 0000000000000001 x10: 00000037be6e9000
      [ 1786.013826] x9 : ffffffc940000000 x8 : 000000000bd45000
      [ 1786.013839] x7 : 0000000000000000 x6 : ffffffc00bd45000
      [ 1786.013852] x5 : 0000000000000000 x4 : 0000000000000000
      [ 1786.013865] x3 : 0000000000000c00 x2 : 0000000000000004
      [ 1786.013878] x1 : fffffff7be6e9004 x0 : ffffffc00bd45000
      [ 1786.013891] Call trace:
      [ 1786.013903]  __memcpy+0x94/0x180
      [ 1786.013914]  unmap_single+0x6c/0x84
      [ 1786.013925]  swiotlb_unmap_sg_attrs+0x54/0x80
      [ 1786.013938]  __swiotlb_unmap_sg_attrs+0x8c/0xa4
      [ 1786.013952]  msdc_unprepare_data+0x6c/0x84
      [ 1786.013963]  msdc_request_done+0x58/0x84
      [ 1786.013974]  msdc_data_xfer_done+0x1a0/0x1c8
      [ 1786.013985]  msdc_irq+0x12c/0x17c
      [ 1786.013996]  __handle_irq_event_percpu+0xe4/0x250
      [ 1786.014006]  handle_irq_event_percpu+0x28/0x68
      [ 1786.014015]  handle_irq_event+0x48/0x78
      [ 1786.014026]  handle_fasteoi_irq+0xd0/0x1a0
      [ 1786.014039]  __handle_domain_irq+0x84/0xc4
      [ 1786.014050]  gic_handle_irq+0x124/0x1a4
      [ 1786.014059]  el1_irq+0xb0/0x128
      [ 1786.014072]  cpuidle_enter_state+0x298/0x328
      [ 1786.014082]  cpuidle_enter+0x30/0x40
      [ 1786.014094]  do_idle+0x190/0x268
      [ 1786.014104]  cpu_startup_entry+0x24/0x28
      [ 1786.014116]  rest_init+0xd4/0xe0
      [ 1786.014126]  start_kernel+0x30c/0x38c
      [ 1786.014139] Code: f8408423 f80084c3 36100062 b8404423 (b80044c3)
      [ 1786.014150] ---[ end trace 3b02ddb698ea69ee ]---
      [ 1786.015415] Kernel panic - not syncing: Fatal exception in interrupt
      [ 1786.015433] SMP: stopping secondary CPUs
      [ 1786.015447] Kernel Offset: 0x2e8d200000 from 0xffffff8008000000
      [ 1786.015458] CPU features: 0x0,2188200c
      [ 1786.015466] Memory Limit: none
      
      For sdio chip, it need the memory which is kmalloc, if it is
      vmalloc from ath10k_mem_value_read, then it have a memory error.
      kzalloc of ath10k_sdio_hif_diag_read32 is the correct type, so
      add kzalloc in ath10k_sdio_hif_diag_read to replace the buffer
      which is vmalloc from ath10k_mem_value_read.
      
      This patch only effect sdio chip.
      
      Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029.
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6854738c
    • Rodrigo Siqueira's avatar
      drm/amd/display: Stop if retimer is not available · 47721e8f
      Rodrigo Siqueira authored
      [ Upstream commit a0e40018 ]
      
      Raven provides retimer feature support that requires i2c interaction in
      order to make it work well, all settings required for this configuration
      are loaded from the Atom bios which include the i2c address. If the
      retimer feature is not available, we should abort the attempt to set
      this feature, otherwise, it makes the following line return
      I2C_CHANNEL_OPERATION_NO_RESPONSE:
      
       i2c_success = i2c_write(pipe_ctx, slave_address, buffer, sizeof(buffer));
       ...
       if (!i2c_success)
         ASSERT(i2c_success);
      
      This ends up causing problems with hotplugging HDMI displays on Raven,
      and causes retimer settings to warn like so:
      
      WARNING: CPU: 1 PID: 429 at
      drivers/gpu/drm/amd/amdgpu/../dal/dc/core/dc_link.c:1998
      write_i2c_retimer_setting+0xc2/0x3c0 [amdgpu] Modules linked in:
      edac_mce_amd ccp kvm irqbypass binfmt_misc crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel snd_hda_codec_realtek snd_hda_codec_generic
      ledtrig_audio snd_hda_codec_hdmi snd_hda_intel amdgpu(+) snd_hda_codec
      snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event
      snd_rawmidi aesni_intel snd_seq amd_iommu_v2 gpu_sched aes_x86_64
      crypto_simd cryptd glue_helper snd_seq_device ttm drm_kms_helper
      snd_timer eeepc_wmi wmi_bmof asus_wmi sparse_keymap drm mxm_wmi snd
      k10temp fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore joydev
      input_leds mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables
      x_tables autofs4 igb i2c_algo_bit hid_generic usbhid i2c_piix4 dca ahci
      hid libahci video wmi gpio_amdpt gpio_generic CPU: 1 PID: 429 Comm:
      systemd-udevd Tainted: G        W         5.2.0-rc1sept162019+ #1
      Hardware name: System manufacturer System Product Name/ROG STRIX B450-F
      GAMING, BIOS 2605 08/06/2019
      RIP: 0010:write_i2c_retimer_setting+0xc2/0x3c0 [amdgpu]
      Code: ff 0f b6 4d ce 44 0f b6 45 cf 44 0f b6 c8 45 89 cf 44 89 e2 48 c7
      c6 f0 34 bc c0 bf 04 00 00 00 e8 63 b0 90 ff 45 84 ff 75 02 <0f> 0b 42
      0f b6 04 73 8d 50 f6 80 fa 02 77 8c 3c 0a 0f 85 c8 00 00 RSP:
      0018:ffffa99d02726fd0 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffffa99d02727035 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff976acc857440
      RBP: ffffa99d02727018 R08: 0000000000000002 R09: 000000000002a600
      R10: ffffe90610193680 R11: 00000000000005e3 R12: 000000000000005d
      R13: ffff976ac4b201b8 R14: 0000000000000001 R15: 0000000000000000
      FS:  00007f14f99e1680(0000) GS:ffff976acc840000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fdf212843b8 CR3: 0000000408906000 CR4: 00000000003406e0
      Call Trace:
       core_link_enable_stream+0x626/0x680 [amdgpu]
       dce110_apply_ctx_to_hw+0x414/0x4e0 [amdgpu]
       dc_commit_state+0x331/0x5e0 [amdgpu]
       ? drm_calc_timestamping_constants+0xf9/0x150 [drm]
       amdgpu_dm_atomic_commit_tail+0x395/0x1e00 [amdgpu]
       ? dm_plane_helper_prepare_fb+0x20c/0x280 [amdgpu]
       commit_tail+0x42/0x70 [drm_kms_helper]
       drm_atomic_helper_commit+0x10c/0x120 [drm_kms_helper]
       amdgpu_dm_atomic_commit+0x95/0xa0 [amdgpu]
       drm_atomic_commit+0x4a/0x50 [drm]
       restore_fbdev_mode_atomic+0x1c0/0x1e0 [drm_kms_helper]
       restore_fbdev_mode+0x4c/0x160 [drm_kms_helper]
       ? _cond_resched+0x19/0x40
       drm_fb_helper_restore_fbdev_mode_unlocked+0x4e/0xa0 [drm_kms_helper]
       drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper]
       fbcon_init+0x471/0x630
       visual_init+0xd5/0x130
       do_bind_con_driver+0x20a/0x430
       do_take_over_console+0x7d/0x1b0
       do_fbcon_takeover+0x5c/0xb0
       fbcon_event_notify+0x6cd/0x8a0
       notifier_call_chain+0x4c/0x70
       blocking_notifier_call_chain+0x43/0x60
       fb_notifier_call_chain+0x1b/0x20
       register_framebuffer+0x254/0x360
       __drm_fb_helper_initial_config_and_unlock+0x2c5/0x510 [drm_kms_helper]
       drm_fb_helper_initial_config+0x35/0x40 [drm_kms_helper]
       amdgpu_fbdev_init+0xcd/0x100 [amdgpu]
       amdgpu_device_init+0x1156/0x1930 [amdgpu]
       amdgpu_driver_load_kms+0x8d/0x2e0 [amdgpu]
       drm_dev_register+0x12b/0x1c0 [drm]
       amdgpu_pci_probe+0xd3/0x160 [amdgpu]
       local_pci_probe+0x47/0xa0
       pci_device_probe+0x142/0x1b0
       really_probe+0xf5/0x3d0
       driver_probe_device+0x11b/0x130
       device_driver_attach+0x58/0x60
       __driver_attach+0xa3/0x140
       ? device_driver_attach+0x60/0x60
       ? device_driver_attach+0x60/0x60
       bus_for_each_dev+0x74/0xb0
       ? kmem_cache_alloc_trace+0x1a3/0x1c0
       driver_attach+0x1e/0x20
       bus_add_driver+0x147/0x220
       ? 0xffffffffc0cb9000
       driver_register+0x60/0x100
       ? 0xffffffffc0cb9000
       __pci_register_driver+0x5a/0x60
       amdgpu_init+0x74/0x83 [amdgpu]
       do_one_initcall+0x4a/0x1fa
       ? _cond_resched+0x19/0x40
       ? kmem_cache_alloc_trace+0x3f/0x1c0
       ? __vunmap+0x1cc/0x200
       do_init_module+0x5f/0x227
       load_module+0x2330/0x2b40
       __do_sys_finit_module+0xfc/0x120
       ? __do_sys_finit_module+0xfc/0x120
       __x64_sys_finit_module+0x1a/0x20
       do_syscall_64+0x5a/0x130
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x7f14f9500839
      Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89
      f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
      f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
      RSP: 002b:00007fff9bc4f5a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000055afb5abce30 RCX: 00007f14f9500839
      RDX: 0000000000000000 RSI: 000055afb5ace0f0 RDI: 0000000000000017
      RBP: 000055afb5ace0f0 R08: 0000000000000000 R09: 000000000000000a
      R10: 0000000000000017 R11: 0000000000000246 R12: 0000000000000000
      R13: 000055afb5aad800 R14: 0000000000020000 R15: 0000000000000000
      ---[ end trace c286e96563966f08 ]---
      
      This commit reworks the way that we handle i2c write for retimer in the
      way that we abort this configuration if the feature is not available in
      the device. For debug sake, we kept a simple log message in case the
      retimer is not available.
      Signed-off-by: default avatarRodrigo Siqueira <Rodrigo.Siqueira@amd.com>
      Reviewed-by: default avatarHersen Wu <hersenxs.wu@amd.com>
      Acked-by: default avatarRodrigo Siqueira <Rodrigo.Siqueira@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      47721e8f
    • John Clements's avatar
      drm/amdgpu: increase atombios cmd timeout · e5bc081a
      John Clements authored
      [ Upstream commit 1b3460a8 ]
      
      mitigates race condition on BACO reset between GPU bootcode and driver reload
      Reviewed-by: default avatarHawking Zhang <Hawking.Zhang@amd.com>
      Signed-off-by: default avatarJohn Clements <john.clements@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e5bc081a
    • Kirill A. Shutemov's avatar
      mm: avoid data corruption on CoW fault into PFN-mapped VMA · 2b294ac3
      Kirill A. Shutemov authored
      [ Upstream commit c3e5ea6e ]
      
      Jeff Moyer has reported that one of xfstests triggers a warning when run
      on DAX-enabled filesystem:
      
      	WARNING: CPU: 76 PID: 51024 at mm/memory.c:2317 wp_page_copy+0xc40/0xd50
      	...
      	wp_page_copy+0x98c/0xd50 (unreliable)
      	do_wp_page+0xd8/0xad0
      	__handle_mm_fault+0x748/0x1b90
      	handle_mm_fault+0x120/0x1f0
      	__do_page_fault+0x240/0xd70
      	do_page_fault+0x38/0xd0
      	handle_page_fault+0x10/0x30
      
      The warning happens on failed __copy_from_user_inatomic() which tries to
      copy data into a CoW page.
      
      This happens because of race between MADV_DONTNEED and CoW page fault:
      
      	CPU0					CPU1
       handle_mm_fault()
         do_wp_page()
           wp_page_copy()
             do_wp_page()
      					madvise(MADV_DONTNEED)
      					  zap_page_range()
      					    zap_pte_range()
      					      ptep_get_and_clear_full()
      					      <TLB flush>
      	 __copy_from_user_inatomic()
      	 sees empty PTE and fails
      	 WARN_ON_ONCE(1)
      	 clear_page()
      
      The solution is to re-try __copy_from_user_inatomic() under PTL after
      checking that PTE is matches the orig_pte.
      
      The second copy attempt can still fail, like due to non-readable PTE, but
      there's nothing reasonable we can do about, except clearing the CoW page.
      Reported-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Tested-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Cc: <stable@vger.kernel.org>
      Cc: Justin He <Justin.He@arm.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Link: http://lkml.kernel.org/r/20200218154151.13349-1-kirill.shutemov@linux.intel.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2b294ac3
    • John Garry's avatar
      perf jevents: Fix leak of mapfile memory · 2002c630
      John Garry authored
      [ Upstream commit 3f5777fb ]
      
      The memory for global pointer is never freed during normal program
      execution, so let's do that in the main function exit as a good
      programming practice.
      
      A stray blank line is also removed.
      Reported-by: default avatarJiri Olsa <jolsa@redhat.com>
      Signed-off-by: default avatarJohn Garry <john.garry@huawei.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: James Clark <james.clark@arm.com>
      Cc: Joakim Zhang <qiangqing.zhang@nxp.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Will Deacon <will@kernel.org>
      Cc: linuxarm@huawei.com
      Link: http://lore.kernel.org/lkml/1583406486-154841-2-git-send-email-john.garry@huawei.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2002c630
    • Qiujun Huang's avatar
      ext4: fix a data race at inode->i_disksize · 47c5fa5b
      Qiujun Huang authored
      [ Upstream commit dce8e237 ]
      
      KCSAN find inode->i_disksize could be accessed concurrently.
      
      BUG: KCSAN: data-race in ext4_mark_iloc_dirty / ext4_write_end
      
      write (marked) to 0xffff8b8932f40090 of 8 bytes by task 66792 on cpu 0:
       ext4_write_end+0x53f/0x5b0
       ext4_da_write_end+0x237/0x510
       generic_perform_write+0x1c4/0x2a0
       ext4_buffered_write_iter+0x13a/0x210
       ext4_file_write_iter+0xe2/0x9b0
       new_sync_write+0x29c/0x3a0
       __vfs_write+0x92/0xa0
       vfs_write+0xfc/0x2a0
       ksys_write+0xe8/0x140
       __x64_sys_write+0x4c/0x60
       do_syscall_64+0x8a/0x2a0
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      read to 0xffff8b8932f40090 of 8 bytes by task 14414 on cpu 1:
       ext4_mark_iloc_dirty+0x716/0x1190
       ext4_mark_inode_dirty+0xc9/0x360
       ext4_convert_unwritten_extents+0x1bc/0x2a0
       ext4_convert_unwritten_io_end_vec+0xc5/0x150
       ext4_put_io_end+0x82/0x130
       ext4_writepages+0xae7/0x16f0
       do_writepages+0x64/0x120
       __writeback_single_inode+0x7d/0x650
       writeback_sb_inodes+0x3a4/0x860
       __writeback_inodes_wb+0xc4/0x150
       wb_writeback+0x43f/0x510
       wb_workfn+0x3b2/0x8a0
       process_one_work+0x39b/0x7e0
       worker_thread+0x88/0x650
       kthread+0x1d4/0x1f0
       ret_from_fork+0x35/0x40
      
      The plain read is outside of inode->i_data_sem critical section
      which results in a data race. Fix it by adding READ_ONCE().
      Signed-off-by: default avatarQiujun Huang <hqjagain@gmail.com>
      Link: https://lore.kernel.org/r/1582556566-3909-1-git-send-email-hqjagain@gmail.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      47c5fa5b
    • Wen Yang's avatar
      timekeeping: Prevent 32bit truncation in scale64_check_overflow() · 627b771b
      Wen Yang authored
      [ Upstream commit 4cbbc3a0 ]
      
      While unlikely the divisor in scale64_check_overflow() could be >= 32bit in
      scale64_check_overflow(). do_div() truncates the divisor to 32bit at least
      on 32bit platforms.
      
      Use div64_u64() instead to avoid the truncation to 32-bit.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: default avatarWen Yang <wenyang@linux.alibaba.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20200120100523.45656-1-wenyang@linux.alibaba.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      627b771b
    • Alain Michaud's avatar
      Bluetooth: guard against controllers sending zero'd events · 1ee3da6b
      Alain Michaud authored
      [ Upstream commit 08bb4da9 ]
      
      Some controllers have been observed to send zero'd events under some
      conditions.  This change guards against this condition as well as adding
      a trace to facilitate diagnosability of this condition.
      Signed-off-by: default avatarAlain Michaud <alainm@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ee3da6b
    • Takashi Iwai's avatar
      media: go7007: Fix URB type for interrupt handling · 8910d3f0
      Takashi Iwai authored
      [ Upstream commit a3ea410c ]
      
      Josef reported that his old-and-good Plextor ConvertX M402U video
      converter spews lots of WARNINGs on the recent kernels, and it turned
      out that the device uses a bulk endpoint for interrupt handling just
      like 2250 board.
      
      For fixing it, generalize the check with the proper verification of
      the endpoint instead of hard-coded board type check.
      
      Fixes: 7e5219d1 ("[media] go7007: Fix 2250 urb type")
      Reported-and-tested-by: default avatarJosef Möllers <josef.moellers@suse.com>
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8910d3f0
    • John Garry's avatar
      bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal · 4ba1aee1
      John Garry authored
      [ Upstream commit a6dd255b ]
      
      Some released ACPI FW for Huawei boards describes incorrect the port IO
      address range for child devices, in that it tells us the IO port max range
      is 0x3fff for each child device, which is not correct. The address range
      should be [e4:e8) or similar. With this incorrect upper range, the child
      device IO port resources overlap.
      
      As such, the kernel thinks that the LPC host serial device is a child of
      the IPMI device:
      
      root@(none)$ more /proc/ioports
      [...]
      00ffc0e3-00ffffff : hisi-lpc-ipmi.0.auto
        00ffc0e3-00ffc0e3 : ipmi_si
        00ffc0e4-00ffc0e4 : ipmi_si
        00ffc0e5-00ffc0e5 : ipmi_si
        00ffc2f7-00ffffff : serial8250.1.auto
          00ffc2f7-00ffc2fe : serial
      root@(none)$
      
      They should both be siblings. Note that these are logical PIO addresses,
      which have a direct mapping from the FW IO port ranges.
      
      This shows up as a real issue when we enable CONFIG_KASAN and
      CONFIG_DEBUG_TEST_DRIVER_REMOVE - we see use-after-free warnings in the
      host removal path:
      
      ==================================================================
      BUG: KASAN: use-after-free in release_resource+0x38/0xc8
      Read of size 8 at addr ffff0026accdbc38 by task swapper/0/1
      
      CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc6-00001-g68e186e77b5c-dirty #1593
      Hardware name: Huawei Taishan 2180 /D03, BIOS Hisilicon D03 IT20 Nemo 2.0 RC0 03/30/2018
      Call trace:
      dump_backtrace+0x0/0x290
      show_stack+0x14/0x20
      dump_stack+0xf0/0x14c
      print_address_description.isra.9+0x6c/0x3b8
      __kasan_report+0x12c/0x23c
      kasan_report+0xc/0x18
      __asan_load8+0x94/0xb8
      release_resource+0x38/0xc8
      platform_device_del.part.10+0x80/0xe0
      platform_device_unregister+0x20/0x38
      hisi_lpc_acpi_remove_subdev+0x10/0x20
      device_for_each_child+0xc8/0x128
      hisi_lpc_acpi_remove+0x4c/0xa8
      hisi_lpc_remove+0xbc/0xc0
      platform_drv_remove+0x3c/0x68
      really_probe+0x174/0x548
      driver_probe_device+0x7c/0x148
      device_driver_attach+0x94/0xa0
      __driver_attach+0xa4/0x110
      bus_for_each_dev+0xe8/0x158
      driver_attach+0x30/0x40
      bus_add_driver+0x234/0x2f0
      driver_register+0xbc/0x1d0
      __platform_driver_register+0x7c/0x88
      hisi_lpc_driver_init+0x18/0x20
      do_one_initcall+0xb4/0x258
      kernel_init_freeable+0x248/0x2c0
      kernel_init+0x10/0x118
      ret_from_fork+0x10/0x1c
      
      ...
      
      The issue here is that the kernel created an incorrect parent-child
      resource dependency between two devices, and references the false parent
      node when deleting the second child device, when it had been deleted
      already.
      
      Fix up the child device resources from FW to create proper IO port
      resource relationships for broken FW.
      
      With this, the IO port layout looks more healthy:
      
      root@(none)$ more /proc/ioports
      [...]
      00ffc0e3-00ffc0e7 : hisi-lpc-ipmi.0.auto
        00ffc0e3-00ffc0e3 : ipmi_si
        00ffc0e4-00ffc0e4 : ipmi_si
        00ffc0e5-00ffc0e5 : ipmi_si
      00ffc2f7-00ffc2ff : serial8250.1.auto
        00ffc2f7-00ffc2fe : serial
      Signed-off-by: default avatarJohn Garry <john.garry@huawei.com>
      Signed-off-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4ba1aee1
    • Qian Cai's avatar
      random: fix data races at timer_rand_state · dca75ae6
      Qian Cai authored
      [ Upstream commit e00d996a ]
      
      Fields in "struct timer_rand_state" could be accessed concurrently.
      Lockless plain reads and writes result in data races. Fix them by adding
      pairs of READ|WRITE_ONCE(). The data races were reported by KCSAN,
      
       BUG: KCSAN: data-race in add_timer_randomness / add_timer_randomness
      
       write to 0xffff9f320a0a01d0 of 8 bytes by interrupt on cpu 22:
        add_timer_randomness+0x100/0x190
        add_timer_randomness at drivers/char/random.c:1152
        add_disk_randomness+0x85/0x280
        scsi_end_request+0x43a/0x4a0
        scsi_io_completion+0xb7/0x7e0
        scsi_finish_command+0x1ed/0x2a0
        scsi_softirq_done+0x1c9/0x1d0
        blk_done_softirq+0x181/0x1d0
        __do_softirq+0xd9/0x57c
        irq_exit+0xa2/0xc0
        do_IRQ+0x8b/0x190
        ret_from_intr+0x0/0x42
        cpuidle_enter_state+0x15e/0x980
        cpuidle_enter+0x69/0xc0
        call_cpuidle+0x23/0x40
        do_idle+0x248/0x280
        cpu_startup_entry+0x1d/0x1f
        start_secondary+0x1b2/0x230
        secondary_startup_64+0xb6/0xc0
      
       no locks held by swapper/22/0.
       irq event stamp: 32871382
       _raw_spin_unlock_irqrestore+0x53/0x60
       _raw_spin_lock_irqsave+0x21/0x60
       _local_bh_enable+0x21/0x30
       irq_exit+0xa2/0xc0
      
       read to 0xffff9f320a0a01d0 of 8 bytes by interrupt on cpu 2:
        add_timer_randomness+0xe8/0x190
        add_disk_randomness+0x85/0x280
        scsi_end_request+0x43a/0x4a0
        scsi_io_completion+0xb7/0x7e0
        scsi_finish_command+0x1ed/0x2a0
        scsi_softirq_done+0x1c9/0x1d0
        blk_done_softirq+0x181/0x1d0
        __do_softirq+0xd9/0x57c
        irq_exit+0xa2/0xc0
        do_IRQ+0x8b/0x190
        ret_from_intr+0x0/0x42
        cpuidle_enter_state+0x15e/0x980
        cpuidle_enter+0x69/0xc0
        call_cpuidle+0x23/0x40
        do_idle+0x248/0x280
        cpu_startup_entry+0x1d/0x1f
        start_secondary+0x1b2/0x230
        secondary_startup_64+0xb6/0xc0
      
       no locks held by swapper/2/0.
       irq event stamp: 37846304
       _raw_spin_unlock_irqrestore+0x53/0x60
       _raw_spin_lock_irqsave+0x21/0x60
       _local_bh_enable+0x21/0x30
       irq_exit+0xa2/0xc0
      
       Reported by Kernel Concurrency Sanitizer on:
       Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
      
      Link: https://lore.kernel.org/r/1582648024-13111-1-git-send-email-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dca75ae6
    • James Morse's avatar
      firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp · f674193b
      James Morse authored
      [ Upstream commit 54f529a6 ]
      
      SDEI has private events that need registering and enabling on each CPU.
      CPUs can come and go while we are trying to do this. SDEI tries to avoid
      these problems by setting the reregister flag before the register call,
      so any CPUs that come online register the event too. Sticking plaster
      like this doesn't work, as if the register call fails, a CPU that
      subsequently comes online will register the event before reregister
      is cleared.
      
      Take cpus_read_lock() around the register and enable calls. We don't
      want surprise CPUs to do the wrong thing if they race with these calls
      failing.
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f674193b
    • Aric Cyr's avatar
      drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic · 5fe40ed2
      Aric Cyr authored
      [ Upstream commit 6a6c4a4d ]
      
      [Why]
      Since the i2c payload allocation can fail need to check return codes
      
      [How]
      Clean up i2c payload allocations and check for errors
      Signed-off-by: default avatarAric Cyr <aric.cyr@amd.com>
      Reviewed-by: default avatarJoshua Aberback <Joshua.Aberback@amd.com>
      Acked-by: default avatarRodrigo Siqueira <Rodrigo.Siqueira@amd.com>
      Acked-by: default avatarHarry Wentland <harry.wentland@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5fe40ed2
    • Dmitry Osipenko's avatar
      dmaengine: tegra-apb: Prevent race conditions on channel's freeing · 7fbd24e0
      Dmitry Osipenko authored
      [ Upstream commit 8e84172e ]
      
      It's incorrect to check the channel's "busy" state without taking a lock.
      That shouldn't cause any real troubles, nevertheless it's always better
      not to have any race conditions in the code.
      Signed-off-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Acked-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Link: https://lore.kernel.org/r/20200209163356.6439-5-digetx@gmail.comSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fbd24e0
    • Amelie Delaunay's avatar
      dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all · 1da6faf4
      Amelie Delaunay authored
      [ Upstream commit d80cbef3 ]
      
      To avoid race with vchan_complete, use the race free way to terminate
      running transfer.
      
      Move vdesc->node list_del in stm32_dma_start_transfer instead of in
      stm32_mdma_chan_complete to avoid another race in vchan_dma_desc_free_list.
      Signed-off-by: default avatarAmelie Delaunay <amelie.delaunay@st.com>
      Link: https://lore.kernel.org/r/20200129153628.29329-9-amelie.delaunay@st.comSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1da6faf4
    • Thomas Gleixner's avatar
      bpf: Remove recursion prevention from rcu free callback · 1baf2360
      Thomas Gleixner authored
      [ Upstream commit 8a37963c ]
      
      If an element is freed via RCU then recursion into BPF instrumentation
      functions is not a concern. The element is already detached from the map
      and the RCU callback does not hold any locks on which a kprobe, perf event
      or tracepoint attached BPF program could deadlock.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20200224145643.259118710@linutronix.deSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      1baf2360
    • Dave Hansen's avatar
      x86/pkeys: Add check for pkey "overflow" · 03dda956
      Dave Hansen authored
      [ Upstream commit 16171bff ]
      
      Alex Shi reported the pkey macros above arch_set_user_pkey_access()
      to be unused.  They are unused, and even refer to a nonexistent
      CONFIG option.
      
      But, they might have served a good use, which was to ensure that
      the code does not try to set values that would not fit in the
      PKRU register.  As it stands, a too-large 'pkey' value would
      be likely to silently overflow the u32 new_pkru_bits.
      
      Add a check to look for overflows.  Also add a comment to remind
      any future developer to closely examine the types used to store
      pkey values if arch_max_pkey() ever changes.
      
      This boots and passes the x86 pkey selftests.
      Reported-by: default avatarAlex Shi <alex.shi@linux.alibaba.com>
      Signed-off-by: default avatarDave Hansen <dave.hansen@intel.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200122165346.AD4DA150@viggo.jf.intel.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      03dda956
    • Dan Carpenter's avatar
      media: staging/imx: Missing assignment in imx_media_capture_device_register() · eec0eacf
      Dan Carpenter authored
      [ Upstream commit ef0ed05d ]
      
      There was supposed to be a "ret = " assignment here, otherwise the
      error handling on the next line won't work.
      
      Fixes: 64b5a49d ("[media] media: imx: Add Capture Device Interface")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarSteve Longerbeam <slongerbeam@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eec0eacf
    • Amelie Delaunay's avatar
      dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all · bb198240
      Amelie Delaunay authored
      [ Upstream commit dfc70881 ]
      
      To avoid race with vchan_complete, use the race free way to terminate
      running transfer.
      
      Move vdesc->node list_del in stm32_mdma_start_transfer instead of in
      stm32_mdma_xfer_end to avoid another race in vchan_dma_desc_free_list.
      Signed-off-by: default avatarAmelie Delaunay <amelie.delaunay@st.com>
      Link: https://lore.kernel.org/r/20200127085334.13163-7-amelie.delaunay@st.comSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bb198240
    • Paolo Bonzini's avatar
      KVM: x86: fix incorrect comparison in trace event · 09ace5ea
      Paolo Bonzini authored
      [ Upstream commit 147f1a1f ]
      
      The "u" field in the event has three states, -1/0/1.  Using u8 however means that
      comparison with -1 will always fail, so change to signed char.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      09ace5ea
    • Bart Van Assche's avatar
      RDMA/rxe: Fix configuration of atomic queue pair attributes · 46a57510
      Bart Van Assche authored
      [ Upstream commit fb3063d3 ]
      
      From the comment above the definition of the roundup_pow_of_two() macro:
      
           The result is undefined when n == 0.
      
      Hence only pass positive values to roundup_pow_of_two(). This patch fixes
      the following UBSAN complaint:
      
        UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13
        shift exponent 64 is too large for 64-bit type 'long unsigned int'
        Call Trace:
         dump_stack+0xa5/0xe6
         ubsan_epilogue+0x9/0x26
         __ubsan_handle_shift_out_of_bounds.cold+0x4c/0xf9
         rxe_qp_from_attr.cold+0x37/0x5d [rdma_rxe]
         rxe_modify_qp+0x59/0x70 [rdma_rxe]
         _ib_modify_qp+0x5aa/0x7c0 [ib_core]
         ib_modify_qp+0x3b/0x50 [ib_core]
         cma_modify_qp_rtr+0x234/0x260 [rdma_cm]
         __rdma_accept+0x1a7/0x650 [rdma_cm]
         nvmet_rdma_cm_handler+0x1286/0x14cd [nvmet_rdma]
         cma_cm_event_handler+0x6b/0x330 [rdma_cm]
         cma_ib_req_handler+0xe60/0x22d0 [rdma_cm]
         cm_process_work+0x30/0x140 [ib_cm]
         cm_req_handler+0x11f4/0x1cd0 [ib_cm]
         cm_work_handler+0xb8/0x344e [ib_cm]
         process_one_work+0x569/0xb60
         worker_thread+0x7a/0x5d0
         kthread+0x1e6/0x210
         ret_from_fork+0x24/0x30
      
      Link: https://lore.kernel.org/r/20200217205714.26937-1-bvanassche@acm.org
      Fixes: 8700e3e7 ("Soft RoCE driver")
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      46a57510
    • Thomas Richter's avatar
      perf test: Fix test trace+probe_vfs_getname.sh on s390 · 345dc71a
      Thomas Richter authored
      [ Upstream commit 2bbc8353 ]
      
      This test places a kprobe to function getname_flags() in the kernel
      which has the following prototype:
      
        struct filename *getname_flags(const char __user *filename, int flags, int *empty)
      
      The 'filename' argument points to a filename located in user space memory.
      
      Looking at commit 88903c46 ("tracing/probe: Add ustring type for
      user-space string") the kprobe should indicate that user space memory is
      accessed.
      
      Output before:
      
         [root@m35lp76 perf]# ./perf test 66 67
         66: Use vfs_getname probe to get syscall args filenames   : FAILED!
         67: Check open filename arg using perf trace + vfs_getname: FAILED!
         [root@m35lp76 perf]#
      
      Output after:
      
         [root@m35lp76 perf]# ./perf test 66 67
         66: Use vfs_getname probe to get syscall args filenames   : Ok
         67: Check open filename arg using perf trace + vfs_getname: Ok
         [root@m35lp76 perf]#
      
      Comments from Masami Hiramatsu:
      
      This bug doesn't happen on x86 or other archs on which user address
      space and kernel address space is the same. On some arches (ppc64 in
      this case?) user address space is partially or completely the same as
      kernel address space.
      
      (Yes, they switch the world when running into the kernel) In this case,
      we need to use different data access functions for each space.
      
      That is why I introduced the "ustring" type for kprobe events.
      
      As far as I can see, Thomas's patch is sane. Thomas, could you show us
      your result on your test environment?
      
      Comments from Thomas Richter:
      
      Test results for s/390 included above.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Sumanth Korikkar <sumanthk@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Link: http://lore.kernel.org/lkml/20200217102111.61137-1-tmricht@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      345dc71a
    • Takashi Iwai's avatar
      ALSA: usb-audio: Don't create a mixer element with bogus volume range · 0cafae90
      Takashi Iwai authored
      [ Upstream commit e9a0ef0b ]
      
      Some USB-audio descriptors provide a bogus volume range (e.g. volume
      min and max are identical), which confuses user-space.
      This patch makes the driver skipping such a control element.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206221
      Link: https://lore.kernel.org/r/20200214144928.23628-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0cafae90
    • Felix Fietkau's avatar
      mt76: clear skb pointers from rx aggregation reorder buffer during cleanup · ac6724d4
      Felix Fietkau authored
      [ Upstream commit 9379df2f ]
      
      During the cleanup of the aggregation session, a rx handler (or release timer)
      on another CPU might still hold a pointer to the reorder buffer and could
      attempt to release some packets.
      Clearing pointers during cleanup avoids a theoretical use-after-free bug here.
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ac6724d4
    • Ayush Sawal's avatar
      crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test · 7444a79b
      Ayush Sawal authored
      [ Upstream commit 9195189e ]
      
      The libkcapi test which causes kernel panic is
      aead asynchronous vmsplice multiple test.
      
      ./bin/kcapi  -v -d 4 -x 10   -c "ccm(aes)"
      -q 4edb58e8d5eb6bc711c43a6f3693daebde2e5524f1b55297abb29f003236e43d
      -t a7877c99 -n 674742abd0f5ba -k 2861fd0253705d7875c95ba8a53171b4
      -a fb7bc304a3909e66e2e0c5ef952712dd884ce3e7324171369f2c5db1adc48c7d
      
      This patch avoids dma_mapping of a zero length sg which causes the panic,
      by using sg_nents_for_len which maps only upto a specific length
      Signed-off-by: default avatarAyush Sawal <ayush.sawal@chelsio.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7444a79b
    • Dinh Nguyen's avatar
      clk: stratix10: use do_div() for 64-bit calculation · f99ca8f0
      Dinh Nguyen authored
      [ Upstream commit cc26ed7b ]
      
      do_div() macro to perform u64 division and guards against overflow if
      the result is too large for the unsigned long return type.
      Signed-off-by: default avatarDinh Nguyen <dinguyen@kernel.org>
      Link: https://lkml.kernel.org/r/20200114160726.19771-1-dinguyen@kernel.orgSigned-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f99ca8f0
    • Wen Yang's avatar
      drm/omap: fix possible object reference leak · d4c38bfb
      Wen Yang authored
      [ Upstream commit 47340e46 ]
      
      The call to of_find_matching_node returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:212:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
      drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:237:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: dri-devel@lists.freedesktop.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Markus Elfring <Markus.Elfring@web.de>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1554692313-28882-2-git-send-email-wen.yang99@zte.com.cnSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      d4c38bfb
    • James Smart's avatar
      scsi: lpfc: Fix coverity errors in fmdi attribute handling · b4ba41c8
      James Smart authored
      [ Upstream commit 4cb9e1dd ]
      
      Coverity reported a memory corruption error for the fdmi attributes
      routines:
      
        CID 15768 [Memory Corruption] Out-of-bounds access on FDMI
      
      Sloppy coding of the fmdi structures. In both the lpfc_fdmi_attr_def and
      lpfc_fdmi_reg_port_list structures, a field was placed at the start of
      payload that may have variable content. The field was given an arbitrary
      type (uint32_t). The code then uses the field name to derive an address,
      which it used in things such as memset and memcpy. The memset sizes or
      memcpy lengths were larger than the arbitrary type, thus coverity reported
      an error.
      
      Fix by replacing the arbitrary fields with the real field structures
      describing the payload.
      
      Link: https://lore.kernel.org/r/20200128002312.16346-8-jsmart2021@gmail.comSigned-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b4ba41c8
    • James Smart's avatar
      scsi: lpfc: Fix RQ buffer leakage when no IOCBs available · 1ae009aa
      James Smart authored
      [ Upstream commit 39c4f1a9 ]
      
      The driver is occasionally seeing the following SLI Port error, requiring
      reset and reinit:
      
       Port Status Event: ... error 1=0x52004a01, error 2=0x218
      
      The failure means an RQ timeout. That is, the adapter had received
      asynchronous receive frames, ran out of buffer slots to place the frames,
      and the driver did not replenish the buffer slots before a timeout
      occurred. The driver should not be so slow in replenishing buffers that a
      timeout can occur.
      
      When the driver received all the frames of a sequence, it allocates an IOCB
      to put the frames in. In a situation where there was no IOCB available for
      the frame of a sequence, the RQ buffer corresponding to the first frame of
      the sequence was not returned to the FW. Eventually, with enough traffic
      encountering the situation, the timeout occurred.
      
      Fix by releasing the buffer back to firmware whenever there is no IOCB for
      the first frame.
      
      [mkp: typo]
      
      Link: https://lore.kernel.org/r/20200128002312.16346-2-jsmart2021@gmail.comSigned-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ae009aa