1. 27 Apr, 2019 40 commits
    • Dan Williams's avatar
      nfit/ars: Avoid stale ARS results · be608583
      Dan Williams authored
      commit 78153dd4 upstream.
      
      Gate ARS result consumption on whether the OS issued start-ARS since the
      previous consumption. The BIOS may only clear its result buffers after a
      successful start-ARS.
      
      Fixes: 0caeef63 ("libnvdimm: Add a poison list and export badblocks")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarKrzysztof Rusocki <krzysztof.rusocki@intel.com>
      Reported-by: default avatarVishal Verma <vishal.l.verma@intel.com>
      Reviewed-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      be608583
    • Dan Williams's avatar
      nfit/ars: Allow root to busy-poll the ARS state machine · 40221d56
      Dan Williams authored
      commit 5479b275 upstream.
      
      The ARS implementation implements exponential back-off on the poll
      interval to prevent high-frequency access to the DIMM / platform
      interface. Depending on when the ARS completes the poll interval may
      exceed the completion event by minutes. Allow root to reset the timeout
      each time it probes the status. A one-second timeout is still enforced,
      but root can otherwise can control the poll interval.
      
      Fixes: bc6ba808 ("nfit, address-range-scrub: rework and simplify ARS...")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarErwin Tsaur <erwin.tsaur@oracle.com>
      Reviewed-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      40221d56
    • Dan Williams's avatar
      nfit/ars: Introduce scrub_flags · bc18c259
      Dan Williams authored
      commit e34b8252 upstream.
      
      In preparation for introducing new flags to gate whether ARS results are
      stale, or poll the completion state, convert the existing flags to an
      unsigned long with enumerated values. This conversion allows the flags
      to be atomically updated outside of ->init_mutex.
      Reviewed-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bc18c259
    • Dan Williams's avatar
      nfit/ars: Remove ars_start_flags · 82a13a00
      Dan Williams authored
      commit 317a992a upstream.
      
      The ars_start_flags property of 'struct acpi_nfit_desc' is no longer
      used since ARS_REQ_SHORT and ARS_REQ_LONG were added.
      Reviewed-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      82a13a00
    • Chang-An Chen's avatar
      timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze() · cd37fd46
      Chang-An Chen authored
      commit 3f2552f7 upstream.
      
      tick_freeze() introduced by suspend-to-idle in commit 124cf911 ("PM /
      sleep: Make it possible to quiesce timers during suspend-to-idle") uses
      timekeeping_suspend() instead of syscore_suspend() during
      suspend-to-idle. As a consequence generic sched_clock will keep going
      because sched_clock_suspend() and sched_clock_resume() are not invoked
      during suspend-to-idle which can result in a generic sched_clock wrap.
      
      On a ARM system with suspend-to-idle enabled, sched_clock is registered
      as "56 bits at 13MHz, resolution 76ns, wraps every 4398046511101ns", which
      means the real wrapping duration is 8796093022202ns.
      
      [  134.551779] suspend-to-idle suspend (timekeeping_suspend())
      [ 1204.912239] suspend-to-idle resume (timekeeping_resume())
      ......
      [ 1206.912239] suspend-to-idle suspend (timekeeping_suspend())
      [ 5880.502807] suspend-to-idle resume (timekeeping_resume())
      ......
      [ 6000.403724] suspend-to-idle suspend (timekeeping_suspend())
      [ 8035.753167] suspend-to-idle resume  (timekeeping_resume())
      ......
      [ 8795.786684] (2)[321:charger_thread]......
      [ 8795.788387] (2)[321:charger_thread]......
      [    0.057226] (0)[0:swapper/0]......
      [    0.061447] (2)[0:swapper/2]......
      
      sched_clock was not stopped during suspend-to-idle, and sched_clock_poll
      hrtimer was not expired because timekeeping_suspend() was invoked during
      suspend-to-idle. It makes sched_clock wrap at kernel time 8796s.
      
      To prevent this, invoke sched_clock_suspend() and sched_clock_resume() in
      tick_freeze() together with timekeeping_suspend() and timekeeping_resume().
      
      Fixes: 124cf911 (PM / sleep: Make it possible to quiesce timers during suspend-to-idle)
      Signed-off-by: default avatarChang-An Chen <chang-an.chen@mediatek.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Corey Minyard <cminyard@mvista.com>
      Cc: <linux-mediatek@lists.infradead.org>
      Cc: <linux-arm-kernel@lists.infradead.org>
      Cc: Stanley Chu <stanley.chu@mediatek.com>
      Cc: <kuohong.wang@mediatek.com>
      Cc: <freddy.hsin@mediatek.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/1553828349-8914-1-git-send-email-chang-an.chen@mediatek.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd37fd46
    • Thomas Gleixner's avatar
      x86/speculation: Prevent deadlock on ssb_state::lock · 5680b063
      Thomas Gleixner authored
      commit 2f5fb193 upstream.
      
      Mikhail reported a lockdep splat related to the AMD specific ssb_state
      lock:
      
        CPU0                       CPU1
        lock(&st->lock);
                                   local_irq_disable();
                                   lock(&(&sighand->siglock)->rlock);
                                   lock(&st->lock);
        <Interrupt>
           lock(&(&sighand->siglock)->rlock);
      
        *** DEADLOCK ***
      
      The connection between sighand->siglock and st->lock comes through seccomp,
      which takes st->lock while holding sighand->siglock.
      
      Make sure interrupts are disabled when __speculation_ctrl_update() is
      invoked via prctl() -> speculation_ctrl_update(). Add a lockdep assert to
      catch future offenders.
      
      Fixes: 1f50ddb4 ("x86/speculation: Handle HT correctly on AMD")
      Reported-by: default avatarMikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarMikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Cc: Thomas Lendacky <thomas.lendacky@amd.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1904141948200.4917@nanos.tec.linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5680b063
    • Kan Liang's avatar
      perf/x86: Fix incorrect PEBS_REGS · 90e17512
      Kan Liang authored
      commit 9d5dcc93 upstream.
      
      PEBS_REGS used as mask for the supported registers for large PEBS.
      However, the mask cannot filter the sample_regs_user/sample_regs_intr
      correctly.
      
      (1ULL << PERF_REG_X86_*) should be used to replace PERF_REG_X86_*, which
      is only the index.
      
      Rename PEBS_REGS to PEBS_GP_REGS, because the mask is only for general
      purpose registers.
      Signed-off-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <stable@vger.kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: acme@kernel.org
      Cc: jolsa@kernel.org
      Fixes: 2fe1bc1f ("perf/x86: Enable free running PEBS for REGS_USER/INTR")
      Link: https://lkml.kernel.org/r/20190402194509.2832-2-kan.liang@linux.intel.com
      [ Renamed it to PEBS_GP_REGS - as 'GPRS' is used elsewhere ;-) ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90e17512
    • Andi Kleen's avatar
      x86/cpu/bugs: Use __initconst for 'const' init data · 293926b3
      Andi Kleen authored
      commit 1de7edbb upstream.
      
      Some of the recently added const tables use __initdata which causes section
      attribute conflicts.
      
      Use __initconst instead.
      
      Fixes: fa1202ef ("x86/speculation: Add command line control")
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20190330004743.29541-9-andi@firstfloor.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      293926b3
    • Kim Phillips's avatar
      perf/x86/amd: Add event map for AMD Family 17h · f45829e6
      Kim Phillips authored
      commit 3fe3331b upstream.
      
      Family 17h differs from prior families by:
      
       - Does not support an L2 cache miss event
       - It has re-enumerated PMC counters for:
         - L2 cache references
         - front & back end stalled cycles
      
      So we add a new amd_f17h_perfmon_event_map[] so that the generic
      perf event names will resolve to the correct h/w events on
      family 17h and above processors.
      
      Reference sections 2.1.13.3.3 (stalls) and 2.1.13.3.6 (L2):
      
        https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdfSigned-off-by: default avatarKim Phillips <kim.phillips@amd.com>
      Cc: <stable@vger.kernel.org> # v4.9+
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Martin Liška <mliska@suse.cz>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Pu Wen <puwen@hygon.cn>
      Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-kernel@vger.kernel.org
      Fixes: e40ed154 ("perf/x86: Add perf support for AMD family-17h processors")
      [ Improved the formatting a bit. ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f45829e6
    • Alex Deucher's avatar
      drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming · ba407222
      Alex Deucher authored
      commit 1925e7d3 upstream.
      
      Got accidently dropped when 2+1 level support was added.
      
      Fixes: 6a42fd6f ("drm/amdgpu: implement 2+1 PD support for Raven v3")
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba407222
    • Felix Fietkau's avatar
      mac80211: do not call driver wake_tx_queue op during reconfig · 39cad03c
      Felix Fietkau authored
      commit 4856bfd2 upstream.
      
      There are several scenarios in which mac80211 can call drv_wake_tx_queue
      after ieee80211_restart_hw has been called and has not yet completed.
      Driver private structs are considered uninitialized until mac80211 has
      uploaded the vifs, stations and keys again, so using private tx queue
      data during that time is not safe.
      
      The driver can also not rely on drv_reconfig_complete to figure out when
      it is safe to accept drv_wake_tx_queue calls again, because it is only
      called after all tx queues are woken again.
      
      To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig
      is set.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39cad03c
    • Vijayakumar Durai's avatar
      rt2x00: do not increment sequence number while re-transmitting · 852de0d5
      Vijayakumar Durai authored
      commit 746ba11f upstream.
      
      Currently rt2x00 devices retransmit the management frames with
      incremented sequence number if hardware is assigning the sequence.
      
      This is HW bug fixed already for non-QOS data frames, but it should
      be fixed for management frames except beacon.
      
      Without fix retransmitted frames have wrong SN:
      
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1
       AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1
      
      With the fix SN stays correctly the same:
      
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
       88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVijayakumar Durai <vijayakumar.durai1@vivint.com>
      [sgruszka: simplify code, change comments and changelog]
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      852de0d5
    • Masami Hiramatsu's avatar
      kprobes: Fix error check when reusing optimized probes · 23a926e5
      Masami Hiramatsu authored
      commit 5f843ed4 upstream.
      
      The following commit introduced a bug in one of our error paths:
      
        819319fc ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")
      
      it missed to handle the return value of kprobe_optready() as
      error-value. In reality, the kprobe_optready() returns a bool
      result, so "true" case must be passed instead of 0.
      
      This causes some errors on kprobe boot-time selftests on ARM:
      
       [   ] Beginning kprobe tests...
       [   ] Probe ARM code
       [   ]     kprobe
       [   ]     kretprobe
       [   ] ARM instruction simulation
       [   ]     Check decoding tables
       [   ]     Run test cases
       [   ] FAIL: test_case_handler not run
       [   ] FAIL: Test andge	r10, r11, r14, asr r7
       [   ] FAIL: Scenario 11
       ...
       [   ] FAIL: Scenario 7
       [   ] Total instruction simulation tests=1631, pass=1433 fail=198
       [   ] kprobe tests failed
      
      This can happen if an optimized probe is unregistered and next
      kprobe is registered on same address until the previous probe
      is not reclaimed.
      
      If this happens, a hidden aggregated probe may be kept in memory,
      and no new kprobe can probe same address. Also, in that case
      register_kprobe() will return "1" instead of minus error value,
      which can mislead caller logic.
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org # v5.0+
      Fixes: 819319fc ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")
      Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23a926e5
    • Masami Hiramatsu's avatar
      kprobes: Mark ftrace mcount handler functions nokprobe · 426e2a80
      Masami Hiramatsu authored
      commit fabe38ab upstream.
      
      Mark ftrace mcount handler functions nokprobe since
      probing on these functions with kretprobe pushes
      return address incorrectly on kretprobe shadow stack.
      Reported-by: default avatarFrancis Deslauriers <francis.deslauriers@efficios.com>
      Tested-by: default avatarAndrea Righi <righi.andrea@gmail.com>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      426e2a80
    • Masami Hiramatsu's avatar
      x86/kprobes: Verify stack frame on kretprobe · 1fab567a
      Masami Hiramatsu authored
      commit 3ff9c075 upstream.
      
      Verify the stack frame pointer on kretprobe trampoline handler,
      If the stack frame pointer does not match, it skips the wrong
      entry and tries to find correct one.
      
      This can happen if user puts the kretprobe on the function
      which can be used in the path of ftrace user-function call.
      Such functions should not be probed, so this adds a warning
      message that reports which function should be blacklisted.
      Tested-by: default avatarAndrea Righi <righi.andrea@gmail.com>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fab567a
    • Nathan Chancellor's avatar
      arm64: futex: Restore oldval initialization to work around buggy compilers · 5105fc75
      Nathan Chancellor authored
      commit ff8acf92 upstream.
      
      Commit 045afc24 ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with
      non-zero result value") removed oldval's zero initialization in
      arch_futex_atomic_op_inuser because it is not necessary. Unfortunately,
      Android's arm64 GCC 4.9.4 [1] does not agree:
      
      ../kernel/futex.c: In function 'do_futex':
      ../kernel/futex.c:1658:17: warning: 'oldval' may be used uninitialized
      in this function [-Wmaybe-uninitialized]
         return oldval == cmparg;
                       ^
      In file included from ../kernel/futex.c:73:0:
      ../arch/arm64/include/asm/futex.h:53:6: note: 'oldval' was declared here
        int oldval, ret, tmp;
            ^
      
      GCC fails to follow that when ret is non-zero, futex_atomic_op_inuser
      returns right away, avoiding the uninitialized use that it claims.
      Restoring the zero initialization works around this issue.
      
      [1]: https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/
      
      Cc: stable@vger.kernel.org
      Fixes: 045afc24 ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5105fc75
    • Christian König's avatar
      drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 · 96800ba9
      Christian König authored
      commit a66477b0 upstream.
      
      When ttm_put_pages() tries to figure out whether it's dealing with
      transparent hugepages, it just reads past the bounds of the pages array
      without a check.
      
      v2: simplify the test if enough pages are left in the array (Christian).
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Fixes: 5c42c64f ("drm/ttm: fix the fix for huge compound pages")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Reviewed-by: default avatarJunwei Zhang <Jerry.Zhang@amd.com>
      Reviewed-by: default avatarHuang Rui <ray.huang@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96800ba9
    • Eric Biggers's avatar
      crypto: x86/poly1305 - fix overflow during partial reduction · fbe5cff9
      Eric Biggers authored
      commit 678cce40 upstream.
      
      The x86_64 implementation of Poly1305 produces the wrong result on some
      inputs because poly1305_4block_avx2() incorrectly assumes that when
      partially reducing the accumulator, the bits carried from limb 'd4' to
      limb 'h0' fit in a 32-bit integer.  This is true for poly1305-generic
      which processes only one block at a time.  However, it's not true for
      the AVX2 implementation, which processes 4 blocks at a time and
      therefore can produce intermediate limbs about 4x larger.
      
      Fix it by making the relevant calculations use 64-bit arithmetic rather
      than 32-bit.  Note that most of the carries already used 64-bit
      arithmetic, but the d4 -> h0 carry was different for some reason.
      
      To be safe I also made the same change to the corresponding SSE2 code,
      though that only operates on 1 or 2 blocks at a time.  I don't think
      it's really needed for poly1305_block_sse2(), but it doesn't hurt
      because it's already x86_64 code.  It *might* be needed for
      poly1305_2block_sse2(), but overflows aren't easy to reproduce there.
      
      This bug was originally detected by my patches that improve testmgr to
      fuzz algorithms against their generic implementation.  But also add a
      test vector which reproduces it directly (in the AVX2 case).
      
      Fixes: b1ccc8f4 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
      Fixes: c70f4abe ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
      Cc: <stable@vger.kernel.org> # v4.3+
      Cc: Martin Willi <martin@strongswan.org>
      Cc: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbe5cff9
    • Corey Minyard's avatar
      ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier · dacdbc11
      Corey Minyard authored
      commit 3b9a9072 upstream.
      
      free_user() could be called in atomic context.
      
      This patch pushed the free operation off into a workqueue.
      
      Example:
      
       BUG: sleeping function called from invalid context at kernel/workqueue.c:2856
       in_atomic(): 1, irqs_disabled(): 0, pid: 177, name: ksoftirqd/27
       CPU: 27 PID: 177 Comm: ksoftirqd/27 Not tainted 4.19.25-3 #1
       Hardware name: AIC 1S-HV26-08/MB-DPSB04-06, BIOS IVYBV060 10/21/2015
       Call Trace:
        dump_stack+0x5c/0x7b
        ___might_sleep+0xec/0x110
        __flush_work+0x48/0x1f0
        ? try_to_del_timer_sync+0x4d/0x80
        _cleanup_srcu_struct+0x104/0x140
        free_user+0x18/0x30 [ipmi_msghandler]
        ipmi_free_recv_msg+0x3a/0x50 [ipmi_msghandler]
        deliver_response+0xbd/0xd0 [ipmi_msghandler]
        deliver_local_response+0xe/0x30 [ipmi_msghandler]
        handle_one_recv_msg+0x163/0xc80 [ipmi_msghandler]
        ? dequeue_entity+0xa0/0x960
        handle_new_recv_msgs+0x15c/0x1f0 [ipmi_msghandler]
        tasklet_action_common.isra.22+0x103/0x120
        __do_softirq+0xf8/0x2d7
        run_ksoftirqd+0x26/0x50
        smpboot_thread_fn+0x11d/0x1e0
        kthread+0x103/0x140
        ? sort_range+0x20/0x20
        ? kthread_destroy_worker+0x40/0x40
        ret_from_fork+0x1f/0x40
      
      Fixes: 77f82696 ("ipmi: fix use-after-free of user->release_barrier.rda")
      Reported-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 5.0
      Cc: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dacdbc11
    • Andrea Arcangeli's avatar
      coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping · 6ff17bc5
      Andrea Arcangeli authored
      commit 04f5866e upstream.
      
      The core dumping code has always run without holding the mmap_sem for
      writing, despite that is the only way to ensure that the entire vma
      layout will not change from under it.  Only using some signal
      serialization on the processes belonging to the mm is not nearly enough.
      This was pointed out earlier.  For example in Hugh's post from Jul 2017:
      
        https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
      
        "Not strictly relevant here, but a related note: I was very surprised
         to discover, only quite recently, how handle_mm_fault() may be called
         without down_read(mmap_sem) - when core dumping. That seems a
         misguided optimization to me, which would also be nice to correct"
      
      In particular because the growsdown and growsup can move the
      vm_start/vm_end the various loops the core dump does around the vma will
      not be consistent if page faults can happen concurrently.
      
      Pretty much all users calling mmget_not_zero()/get_task_mm() and then
      taking the mmap_sem had the potential to introduce unexpected side
      effects in the core dumping code.
      
      Adding mmap_sem for writing around the ->core_dump invocation is a
      viable long term fix, but it requires removing all copy user and page
      faults and to replace them with get_dump_page() for all binary formats
      which is not suitable as a short term fix.
      
      For the time being this solution manually covers the places that can
      confuse the core dump either by altering the vma layout or the vma flags
      while it runs.  Once ->core_dump runs under mmap_sem for writing the
      function mmget_still_valid() can be dropped.
      
      Allowing mmap_sem protected sections to run in parallel with the
      coredump provides some minor parallelism advantage to the swapoff code
      (which seems to be safe enough by never mangling any vma field and can
      keep doing swapins in parallel to the core dumping) and to some other
      corner case.
      
      In order to facilitate the backporting I added "Fixes: 86039bd3"
      however the side effect of this same race condition in /proc/pid/mem
      should be reproducible since before 2.6.12-rc2 so I couldn't add any
      other "Fixes:" because there's no hash beyond the git genesis commit.
      
      Because find_extend_vma() is the only location outside of the process
      context that could modify the "mm" structures under mmap_sem for
      reading, by adding the mmget_still_valid() check to it, all other cases
      that take the mmap_sem for reading don't need the new check after
      mmget_not_zero()/get_task_mm().  The expand_stack() in page fault
      context also doesn't need the new check, because all tasks under core
      dumping are frozen.
      
      Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
      Fixes: 86039bd3 ("userfaultfd: add new syscall to provide memory externalization")
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Suggested-by: default avatarOleg Nesterov <oleg@redhat.com>
      Acked-by: default avatarPeter Xu <peterx@redhat.com>
      Reviewed-by: default avatarMike Rapoport <rppt@linux.ibm.com>
      Reviewed-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reviewed-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ff17bc5
    • Suthikulpanit, Suravee's avatar
      Revert "svm: Fix AVIC incomplete IPI emulation" · 3e1b3e4d
      Suthikulpanit, Suravee authored
      commit 4a58038b upstream.
      
      This reverts commit bb218fbc.
      
      As Oren Twaig pointed out the old discussion:
      
        https://patchwork.kernel.org/patch/8292231/
      
      that the change coud potentially cause an extra IPI to be sent to
      the destination vcpu because the AVIC hardware already set the IRR bit
      before the incomplete IPI #VMEXIT with id=1 (target vcpu is not running).
      Since writting to ICR and ICR2 will also set the IRR. If something triggers
      the destination vcpu to get scheduled before the emulation finishes, then
      this could result in an additional IPI.
      
      Also, the issue mentioned in the commit bb218fbc was misdiagnosed.
      
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Reported-by: default avatarOren Twaig <oren@scalemp.com>
      Signed-off-by: default avatarSuravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e1b3e4d
    • Saurav Kashyap's avatar
      Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" · ee4b8e26
      Saurav Kashyap authored
      commit 0228034d upstream.
      
      This patch clears FC_RP_STARTED flag during logoff, because of this
      re-login(flogi) didn't happen to the switch.
      
      This reverts commit 1550ec45.
      
      Fixes: 1550ec45 ("scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO")
      Cc: <stable@vger.kernel.org> # v4.18+
      Signed-off-by: default avatarSaurav Kashyap <skashyap@marvell.com>
      Reviewed-by: default avatarHannes Reinecke <hare@#suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee4b8e26
    • Jaesoo Lee's avatar
      scsi: core: set result when the command cannot be dispatched · 1aa2682d
      Jaesoo Lee authored
      commit be549d49 upstream.
      
      When SCSI blk-mq is enabled, there is a bug in handling errors in
      scsi_queue_rq.  Specifically, the bug is not setting result field of
      scsi_request correctly when the dispatch of the command has been
      failed. Since the upper layer code including the sg_io ioctl expects to
      receive any error status from result field of scsi_request, the error is
      silently ignored and this could cause data corruptions for some
      applications.
      
      Fixes: d285203c ("scsi: add support for a blk-mq based I/O path.")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJaesoo Lee <jalee@purestorage.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1aa2682d
    • Mikulas Patocka's avatar
      vt: fix cursor when clearing the screen · 8f2ef0e8
      Mikulas Patocka authored
      commit b2ecf006 upstream.
      
      The patch a6dbe442 ("vt: perform safe console erase in the right
      order") introduced a bug. The conditional do_update_region() was
      replaced by a call to update_region() that does contain the conditional
      already, but with unwanted extra side effects such as restoring the cursor
      drawing.
      
      In order to reproduce the bug:
      - use framebuffer console with the AMDGPU driver
      - type "links" to start the console www browser
      - press 'q' and space to exit links
      
      Now the cursor will be permanently visible in the center of the
      screen. It will stay there until something overwrites it.
      
      The bug goes away if we change update_region() back to the conditional
      do_update_region().
      
      [ nico: reworded changelog ]
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reviewed-by: default avatarNicolas Pitre <nico@fluxnic.net>
      Cc: stable@vger.kernel.org
      Fixes: a6dbe442 ("vt: perform safe console erase in the right order")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f2ef0e8
    • Geert Uytterhoeven's avatar
      serial: sh-sci: Fix HSCIF RX sampling point calculation · 38b7f09a
      Geert Uytterhoeven authored
      commit ace96569 upstream.
      
      There are several issues with the formula used for calculating the
      deviation from the intended rate:
        1. While min_err and last_stop are signed, srr and baud are unsigned.
           Hence the signed values are promoted to unsigned, which will lead
           to a bogus value of deviation if min_err is negative,
        2. Srr is the register field value, which is one less than the actual
           sampling rate factor,
        3. The divisions do not use rounding.
      
      Fix this by casting unsigned variables to int, adding one to srr, and
      using a single DIV_ROUND_CLOSEST().
      
      Fixes: 63ba1e00 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarUlrich Hecht <uli+renesas@fpond.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38b7f09a
    • Geert Uytterhoeven's avatar
      serial: sh-sci: Fix HSCIF RX sampling point adjustment · de6d6b89
      Geert Uytterhoeven authored
      commit 6b87784b upstream.
      
      The calculation of the sampling point has min() and max() exchanged.
      Fix this by using the clamp() helper instead.
      
      Fixes: 63ba1e00 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarUlrich Hecht <uli+renesas@fpond.eu>
      Reviewed-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Acked-by: default avatarDirk Behme <dirk.behme@de.bosch.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      de6d6b89
    • KT Liao's avatar
      Input: elan_i2c - add hardware ID for multiple Lenovo laptops · ec96f65e
      KT Liao authored
      commit 738c06d0 upstream.
      
      There are many Lenovo laptops which need elan_i2c support, this patch adds
      relevant IDs to the Elan driver so that touchpads are recognized.
      Signed-off-by: default avatarKT Liao <kt.liao@emc.com.tw>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec96f65e
    • Takashi Iwai's avatar
      ALSA: core: Fix card races between register and disconnect · b50e435d
      Takashi Iwai authored
      commit 2a3f7221 upstream.
      
      There is a small race window in the card disconnection code that
      allows the registration of another card with the very same card id.
      This leads to a warning in procfs creation as caught by syzkaller.
      
      The problem is that we delete snd_cards and snd_cards_lock entries at
      the very beginning of the disconnection procedure.  This makes the
      slot available to be assigned for another card object while the
      disconnection procedure is being processed.  Then it becomes possible
      to issue a procfs registration with the existing file name although we
      check the conflict beforehand.
      
      The fix is simply to move the snd_cards and snd_cards_lock clearances
      at the end of the disconnection procedure.  The references to these
      entries are merely either from the global proc files like
      /proc/asound/cards or from the card registration / disconnection, so
      it should be fine to shift at the very end.
      
      Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b50e435d
    • Hui Wang's avatar
      ALSA: hda/realtek - add two more pin configuration sets to quirk table · 4171b6ee
      Hui Wang authored
      commit b26e36b7 upstream.
      
      We have two Dell laptops which have the codec 10ec0236 and 10ec0256
      respectively, the headset mic on them can't work, need to apply the
      quirk of ALC255_FIXUP_DELL1_MIC_NO_PRESENCE. So adding their pin
      configurations in the pin quirk table.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4171b6ee
    • Ian Abbott's avatar
      staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf · 4e78a1fb
      Ian Abbott authored
      commit af4b54a2 upstream.
      
      `ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to
      allocate RX and TX buffers for USB transfers.  It allocates
      `devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
      allocation of `devpriv->usb_tx_buf` fails, it frees
      `devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
      error.  Later, `ni6501_detach()` will be called from the core comedi
      module code to clean up.  `ni6501_detach()` also frees both
      `devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
      `devpriv->usb_rx_buf` may have already beed freed, leading to a
      double-free error.  Fix it bu removing the call to
      `kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying
      on `ni6501_detach()` to free the memory.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e78a1fb
    • Ian Abbott's avatar
      staging: comedi: ni_usb6501: Fix use of uninitialized mutex · 09f9baca
      Ian Abbott authored
      commit 660cf4ce upstream.
      
      If `ni6501_auto_attach()` returns an error, the core comedi module code
      will call `ni6501_detach()` to clean up.  If `ni6501_auto_attach()`
      successfully allocated the comedi device private data, `ni6501_detach()`
      assumes that a `struct mutex mut` contained in the private data has been
      initialized and uses it.  Unfortunately, there are a couple of places
      where `ni6501_auto_attach()` can return an error after allocating the
      device private data but before initializing the mutex, so this
      assumption is invalid.  Fix it by initializing the mutex just after
      allocating the private data in `ni6501_auto_attach()` before any other
      errors can be retturned.  Also move the call to `usb_set_intfdata()`
      just to keep the code a bit neater (either position for the call is
      fine).
      
      I believe this was the cause of the following syzbot crash report
      <https://syzkaller.appspot.com/bug?extid=cf4f2b6c24aff0a3edf6>:
      
      usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      usb 1-1: config 0 descriptor??
      usb 1-1: string descriptor 0 read error: -71
      comedi comedi0: Wrong number of endpoints
      ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device.
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xe8/0x16e lib/dump_stack.c:113
       assign_lock_key kernel/locking/lockdep.c:786 [inline]
       register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
       __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
       lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072
       ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567
       comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
       comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
       comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
       comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
       comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
       comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
       comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
       usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
       generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
       usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
       hub_port_connect drivers/usb/core/hub.c:5089 [inline]
       hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
       port_event drivers/usb/core/hub.c:5350 [inline]
       hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
       process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
       worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
       kthread+0x313/0x420 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09f9baca
    • Ian Abbott's avatar
      staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf · edf2f548
      Ian Abbott authored
      commit 663d294b upstream.
      
      `vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
      allocate RX and TX buffers for USB transfers.  It allocates
      `devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
      allocation of `devpriv->usb_tx_buf` fails, it frees
      `devpriv->usb_rx_buf`,  leaving the pointer set dangling, and returns an
      error.  Later, `vmk80xx_detach()` will be called from the core comedi
      module code to clean up.  `vmk80xx_detach()` also frees both
      `devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
      `devpriv->usb_rx_buf` may have already been freed, leading to a
      double-free error.  Fix it by removing the call to
      `kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
      on `vmk80xx_detach()` to free the memory.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      edf2f548
    • Ian Abbott's avatar
      staging: comedi: vmk80xx: Fix use of uninitialized semaphore · 1f01a970
      Ian Abbott authored
      commit 08b7c2f9 upstream.
      
      If `vmk80xx_auto_attach()` returns an error, the core comedi module code
      will call `vmk80xx_detach()` to clean up.  If `vmk80xx_auto_attach()`
      successfully allocated the comedi device private data,
      `vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained
      in the private data has been initialized and uses it.  Unfortunately,
      there are a couple of places where `vmk80xx_auto_attach()` can return an
      error after allocating the device private data but before initializing
      the semaphore, so this assumption is invalid.  Fix it by initializing
      the semaphore just after allocating the private data in
      `vmk80xx_auto_attach()` before any other errors can be returned.
      
      I believe this was the cause of the following syzbot crash report
      <https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>:
      
      usb 1-1: config 0 has no interface number 0
      usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d
      usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      usb 1-1: config 0 descriptor??
      vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device.
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xe8/0x16e lib/dump_stack.c:113
       assign_lock_key kernel/locking/lockdep.c:786 [inline]
       register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
       __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
       lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
       down+0x12/0x80 kernel/locking/semaphore.c:58
       vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829
       comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
       comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
       comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
       comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
       comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
       comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
       comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
       usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
       generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
       usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
       hub_port_connect drivers/usb/core/hub.c:5089 [inline]
       hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
       port_event drivers/usb/core/hub.c:5350 [inline]
       hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
       process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
       worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
       kthread+0x313/0x420 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f01a970
    • Christian Gromm's avatar
      staging: most: core: use device description as name · a1da981f
      Christian Gromm authored
      commit 131ac622 upstream.
      
      This patch uses the device description to clearly identity a device
      attached to the bus. It is needed as the currently useed mdevX
      notation is not sufficiant in case more than one network
      interface controller is being used at the same time.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristian Gromm <christian.gromm@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1da981f
    • he, bo's avatar
      io: accel: kxcjk1013: restore the range after resume. · b007c64d
      he, bo authored
      commit fe2d3df6 upstream.
      
      On some laptops, kxcjk1013 is powered off when system enters S3. We need
      restore the range regiter during resume. Otherwise, the sensor doesn't
      work properly after S3.
      Signed-off-by: default avatarhe, bo <bo.he@intel.com>
      Signed-off-by: default avatarChen, Hu <hu1.chen@intel.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b007c64d
    • Fabrice Gasnier's avatar
      iio: core: fix a possible circular locking dependency · bbe0bed4
      Fabrice Gasnier authored
      commit 7f75591f upstream.
      
      This fixes a possible circular locking dependency detected warning seen
      with:
      - CONFIG_PROVE_LOCKING=y
      - consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc")
      
      When using the IIO consumer interface, e.g. iio_channel_get(), the consumer
      device will likely call iio_read_channel_raw() or similar that rely on
      'info_exist_lock' mutex.
      
      typically:
      ...
      	mutex_lock(&chan->indio_dev->info_exist_lock);
      	if (chan->indio_dev->info == NULL) {
      		ret = -ENODEV;
      		goto err_unlock;
      	}
      	ret = do_some_ops()
      err_unlock:
      	mutex_unlock(&chan->indio_dev->info_exist_lock);
      	return ret;
      ...
      
      Same mutex is also hold in iio_device_unregister().
      
      The following deadlock warning happens when:
      - the consumer device has called an API like iio_read_channel_raw()
        at least once.
      - the consumer driver is unregistered, removed (unbind from sysfs)
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.19.24 #577 Not tainted
      ------------------------------------------------------
      sh/372 is trying to acquire lock:
      (kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84
      
      but task is already holding lock:
      (&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&dev->info_exist_lock){+.+.}:
             __mutex_lock+0x70/0xa3c
             mutex_lock_nested+0x1c/0x24
             iio_read_channel_raw+0x1c/0x60
             iio_read_channel_info+0xa8/0xb0
             dev_attr_show+0x1c/0x48
             sysfs_kf_seq_show+0x84/0xec
             seq_read+0x154/0x528
             __vfs_read+0x2c/0x15c
             vfs_read+0x8c/0x110
             ksys_read+0x4c/0xac
             ret_fast_syscall+0x0/0x28
             0xbedefb60
      
      -> #0 (kn->count#30){++++}:
             lock_acquire+0xd8/0x268
             __kernfs_remove+0x288/0x374
             kernfs_remove_by_name_ns+0x3c/0x84
             remove_files+0x34/0x78
             sysfs_remove_group+0x40/0x9c
             sysfs_remove_groups+0x24/0x34
             device_remove_attrs+0x38/0x64
             device_del+0x11c/0x360
             cdev_device_del+0x14/0x2c
             iio_device_unregister+0x24/0x60
             release_nodes+0x1bc/0x200
             device_release_driver_internal+0x1a0/0x230
             unbind_store+0x80/0x130
             kernfs_fop_write+0x100/0x1e4
             __vfs_write+0x2c/0x160
             vfs_write+0xa4/0x17c
             ksys_write+0x4c/0xac
             ret_fast_syscall+0x0/0x28
             0xbe906840
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&dev->info_exist_lock);
                                     lock(kn->count#30);
                                     lock(&dev->info_exist_lock);
        lock(kn->count#30);
      
       *** DEADLOCK ***
      ...
      
      cdev_device_del() can be called without holding the lock. It should be safe
      as info_exist_lock prevents kernelspace consumers to use the exported
      routines during/after provider removal. cdev_device_del() is for userspace.
      
      Help to reproduce:
      See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt
      sysv {
      	compatible = "voltage-divider";
      	io-channels = <&adc 0>;
      	output-ohms = <22>;
      	full-ohms = <222>;
      };
      
      First, go to iio:deviceX for the "voltage-divider", do one read:
      $ cd /sys/bus/iio/devices/iio:deviceX
      $ cat in_voltage0_raw
      
      Then, unbind the consumer driver. It triggers above deadlock warning.
      $ cd /sys/bus/platform/drivers/iio-rescale/
      $ echo sysv > unbind
      
      Note I don't actually expect stable will pick this up all the
      way back into IIO being in staging, but if's probably valid that
      far back.
      Signed-off-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Fixes: ac917a81 ("staging:iio:core set the iio_dev.info pointer to null on unregister")
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbe0bed4
    • Georg Ottinger's avatar
      iio: adc: at91: disable adc channel interrupt in timeout case · 98171e19
      Georg Ottinger authored
      commit 09c6bdee upstream.
      
      Having a brief look at at91_adc_read_raw() it is obvious that in the case
      of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is
      omitted. If 2 different channels are queried we can end up with a
      situation where two interrupts are enabled, but only one interrupt is
      cleared in the interrupt handler. Resulting in a interrupt loop and a
      system hang.
      Signed-off-by: default avatarGeorg Ottinger <g.ottinger@abatec.at>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98171e19
    • Lars-Peter Clausen's avatar
      iio: Fix scan mask selection · 36971130
      Lars-Peter Clausen authored
      commit 20ea39ef upstream.
      
      The trialmask is expected to have all bits set to 0 after allocation.
      Currently kmalloc_array() is used which does not zero the memory and so
      random bits are set. This results in random channels being enabled when
      they shouldn't. Replace kmalloc_array() with kcalloc() which has the same
      interface but zeros the memory.
      
      Note the fix is actually required earlier than the below fixes tag, but
      will require a manual backport due to move from kmalloc to kmalloc_array.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarAlexandru Ardelean <alexandru.ardelean@analog.com>
      Fixes commit 057ac1ac ("iio: Use kmalloc_array() in iio_scan_mask_set()").
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36971130
    • Jean-Francois Dagenais's avatar
      iio: dac: mcp4725: add missing powerdown bits in store eeprom · 0e47edde
      Jean-Francois Dagenais authored
      commit 06003531 upstream.
      
      When issuing the write DAC register and write eeprom command, the two
      powerdown bits (PD0 and PD1) are assumed by the chip to be present in
      the bytes sent. Leaving them at 0 implies "powerdown disabled" which is
      a different state that the current one. By adding the current state of
      the powerdown in the i2c write, the chip will correctly power-on exactly
      like as it is at the moment of store_eeprom call.
      
      This is documented in MCP4725's datasheet, FIGURE 6-2: "Write Commands
      for DAC Input Register and EEPROM" and MCP4726's datasheet, FIGURE 6-3:
      "Write All Memory Command".
      Signed-off-by: default avatarJean-Francois Dagenais <jeff.dagenais@gmail.com>
      Acked-by: default avatarPeter Meerwald-Stadler <pmeerw@pmeerw.net>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e47edde
    • Dragos Bogdan's avatar
      iio: ad_sigma_delta: select channel when reading register · 5ad173ea
      Dragos Bogdan authored
      commit fccfb9ce upstream.
      
      The desired channel has to be selected in order to correctly fill the
      buffer with the corresponding data.
      The `ad_sd_write_reg()` already does this, but for the
      `ad_sd_read_reg_raw()` this was omitted.
      
      Fixes: af300848 ("iio:adc: Add common code for ADI Sigma Delta devices")
      Signed-off-by: default avatarDragos Bogdan <dragos.bogdan@analog.com>
      Signed-off-by: default avatarAlexandru Ardelean <alexandru.ardelean@analog.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ad173ea