1. 14 11月, 2018 40 次提交
    • L
      irqchip/pdc: Setup all edge interrupts as rising edge at GIC · 106d970b
      Lina Iyer 提交于
      [ Upstream commit 7bae48b22c8d38c5cd50f52b6e15d134e2bb3935 ]
      
      The PDC irqchp can convert a falling edge or level low interrupt to a
      rising edge or level high interrupt at the GIC. We just need to setup
      the GIC correctly. Set up the interrupt type for the IRQ_TYPE_EDGE_BOTH
      as IRQ_TYPE_EDGE_RISING at the GIC.
      
      Fixes: f55c73ae ("irqchip/pdc: Add PDC interrupt controller for QCOM SoCs")
      Reported-by: NEvan Green <evgreen@chromium.org>
      Reviewed-by: NEvan Green <evgreen@chromium.org>
      Signed-off-by: NLina Iyer <ilina@codeaurora.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      106d970b
    • C
      xprtrdma: Reset credit grant properly after a disconnect · 5fac1c6c
      Chuck Lever 提交于
      [ Upstream commit ef739b2175dde9c05594f768cb78149f1ce2ac36 ]
      
      On a fresh connection, an RPC/RDMA client is supposed to send only
      one RPC Call until it gets a credit grant in the first RPC Reply
      from the server [RFC 8166, Section 3.3.3].
      
      There is a bug in the Linux client's credit accounting mechanism
      introduced by commit e7ce710a ("xprtrdma: Avoid deadlock when
      credit window is reset"). On connect, it simply dumps all pending
      RPC Calls onto the new connection.
      
      Servers have been tolerant of this bad behavior. Currently no server
      implementation ever changes its credit grant over reconnects, and
      servers always repost enough Receives before connections are fully
      established.
      
      To correct this issue, ensure that the client resets both the credit
      grant _and_ the congestion window when handling a reconnect.
      
      Fixes: e7ce710a ("xprtrdma: Avoid deadlock when credit ... ")
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Cc: stable@kernel.org
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fac1c6c
    • M
      PCI / ACPI: Enable wake automatically for power managed bridges · 1997aecd
      Mika Westerberg 提交于
      [ Upstream commit 6299cf9e ]
      
      We enable power management automatically for bridges where
      pci_bridge_d3_possible() returns true. However, these bridges may have
      ACPI methods such as _DSW that need to be called before D3 entry. For
      example in Lenovo Thinkpad X1 Carbon 6th _DSW method is used to prepare
      D3cold for the PCIe root port hosting Thunderbolt chain. Because wake is
      not enabled _DSW method is never called and the port does not enter
      D3cold properly consuming more power than necessary.
      
      Users can work this around by writing "enabled" to "wakeup" sysfs file
      under the device in question but that is not something an ordinary user
      is expected to do.
      
      Since we already automatically enable power management for PCIe ports
      with ->bridge_d3 set extend that to enable wake for them as well,
      assuming the port has any ACPI wakeup related objects implemented in the
      namespace (adev->wakeup.flags.valid is true). This ensures the necessary
      ACPI methods get called at appropriate times and allows the root port in
      Thinkpad X1 Carbon 6th to go into D3cold.
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1997aecd
    • J
      VMCI: Resource wildcard match fixed · 894e62f5
      Jorgen Hansen 提交于
      [ Upstream commit 11924ba5e671d6caef1516923e2bd8c72929a3fe ]
      
      When adding a VMCI resource, the check for an existing entry
      would ignore that the new entry could be a wildcard. This could
      result in multiple resource entries that would match a given
      handle. One disastrous outcome of this is that the
      refcounting used to ensure that delayed callbacks for VMCI
      datagrams have run before the datagram is destroyed can be
      wrong, since the refcount could be increased on the duplicate
      entry. This in turn leads to a use after free bug. This issue
      was discovered by Hangbin Liu using KASAN and syzkaller.
      
      Fixes: bc63dedb ("VMCI: resource object implementation")
      Reported-by: NHangbin Liu <liuhangbin@gmail.com>
      Reviewed-by: NAdit Ranadive <aditr@vmware.com>
      Reviewed-by: NVishnu Dasa <vdasa@vmware.com>
      Signed-off-by: NJorgen Hansen <jhansen@vmware.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      894e62f5
    • D
      Drivers: hv: vmbus: Use cpumask_var_t for on-stack cpu mask · 56628c19
      Dexuan Cui 提交于
      [ Upstream commit 25355252607ca288f329ee033f387764883393f6 ]
      
      A cpumask structure on the stack can cause a warning with
      CONFIG_NR_CPUS=8192 (e.g. Ubuntu 16.04 and 18.04 use this):
      
      drivers/hv//channel_mgmt.c: In function ‘init_vp_index’:
      drivers/hv//channel_mgmt.c:702:1: warning: the frame size of 1032 bytes
        is larger than 1024 bytes [-Wframe-larger-than=]
      
      Nowadays it looks most distros enable CONFIG_CPUMASK_OFFSTACK=y, and
      hence we can work around the warning by using cpumask_var_t.
      Signed-off-by: NDexuan Cui <decui@microsoft.com>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: NK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56628c19
    • J
      f2fs: clear PageError on the read path · a28549b8
      Jaegeuk Kim 提交于
      [ Upstream commit fb7d70db305a1446864227abf711b756568f8242 ]
      
      When running fault injection test, I hit somewhat wrong behavior in f2fs_gc ->
      gc_data_segment():
      
      0. fault injection generated some PageError'ed pages
      
      1. gc_data_segment
       -> f2fs_get_read_data_page(REQ_RAHEAD)
      
      2. move_data_page
       -> f2fs_get_lock_data_page()
        -> f2f_get_read_data_page()
         -> f2fs_submit_page_read()
          -> submit_bio(READ)
        -> return EIO due to PageError
        -> fail to move data
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a28549b8
    • J
      tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated · f4b5f439
      Javier Martinez Canillas 提交于
      [ Upstream commit 0d6d0d62d9505a9816716aa484ebd0b04c795063 ]
      
      For TPM 1.2 chips the system setup utility allows to set the TPM device in
      one of the following states:
      
        * Active: Security chip is functional
        * Inactive: Security chip is visible, but is not functional
        * Disabled: Security chip is hidden and is not functional
      
      When choosing the "Inactive" state, the TPM 1.2 device is enumerated and
      registered, but sending TPM commands fail with either TPM_DEACTIVATED or
      TPM_DISABLED depending if the firmware deactivated or disabled the TPM.
      
      Since these TPM 1.2 error codes don't have special treatment, inactivating
      the TPM leads to a very noisy kernel log buffer that shows messages like
      the following:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        tpm tpm0: TPM is disabled/deactivated (0x6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
        tpm tpm0: A TPM error (6) occurred attempting get random
      
      Let's just suppress error log messages for the TPM_{DEACTIVATED,DISABLED}
      return codes, since this is expected when the TPM 1.2 is set to Inactive.
      
      In that case the kernel log is cleaner and less confusing for users, i.e:
      
        tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
        tpm tpm0: TPM is disabled/deactivated (0x6)
        ima: No TPM chip found, activating TPM-bypass! (rc=6)
      Reported-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NJavier Martinez Canillas <javierm@redhat.com>
      Reviewed-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4b5f439
    • A
      usb: typec: tcpm: Report back negotiated PPS voltage and current · 18083411
      Adam Thomson 提交于
      [ Upstream commit 554fab6dbf20ee7298ed2d4e8398b85e6058abb7 ]
      
      Currently when requesting a specific voltage or current through
      the psy interface, for PPS, when reading back from that interface
      the values will always be the same as previously given, if the
      request was successful. However PPS only allows for 20mV voltage
      steps and 50mA current steps, and the psy class expects microvolt
      and micro amp requests, so inbetween values can be provided through
      this interface. Really when reading back the true values negotiated
      should be given, and not the ones originally asked for.
      
      To report the actual values negotiated with the Source, the values
      stored are now rounded down to the relevant step units prior to
      building the PPS request, so that those values are later correctly
      reported through the psy interface. In addition this improves the
      adjustments made to meet the operating power requirements of the
      platform, which previously could have been slightly out due to not
      using valid PPS units of voltage and current.
      Signed-off-by: NAdam Thomson <Adam.Thomson.Opensource@diasemi.com>
      Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18083411
    • A
      PCI: cadence: Use AXI region 0 to signal interrupts from EP · 7c190bb8
      Alan Douglas 提交于
      [ Upstream commit 0652d4b6b56f73c81abbdbc7e26f772cb2dfe370 ]
      
      The IRQ physical address is allocated from region 0, rather than
      the highest region. Update the driver to reserve this region in
      the bitmap and to use region 0 for all types of interrupt.
      
      This corrects a problem which prevents the interrupt being
      signalled correctly if using the first address in the AXI region,
      since an offset of zero will always be mapped to region 0.
      
      Fixes: 37dddf14 ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
      Signed-off-by: NAlan Douglas <adouglas@cadence.com>
      Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c190bb8
    • H
      PCI: mediatek: Fix mtk_pcie_find_port() endpoint/port matching logic · 1a5908dd
      Honghui Zhang 提交于
      [ Upstream commit 074d6f32689ce05a084b6fa3db38445745bf11cc ]
      
      The Mediatek's host controller has two slots, each with its own control
      registers. The host driver needs to identify what slot is connected to
      what port in order to access the device's configuration space.
      
      Current code retrieving slot connected to a given endpoint device.
      
      Assuming each slot is connected to one endpoint device as below:
      
                      host bridge
        bus 0 --> __________|_______
                 |                  |
                 |                  |
               slot 0             slot 1
        bus 1 -->|        bus 2 --> |
                 |                  |
               EP 0               EP 1
      
      During PCI enumeration, system software will scan all the PCI devices on
      every bus starting from devfn 0. Using PCI_SLOT(devfn) for matching an
      endpoint to its slot is erroneous in that the devfn does not contain the
      hierarchical bus numbering in it. In order to match an endpoint with its
      slot (and related port), the PCI tree must be walked up to the root bus
      (where the root ports are situated) and then the PCI_SLOT(devfn)
      matching logic can be correctly applied for matching.
      
      This patch fixes the mtk_pcie_find_port() slot matching logic by adding
      appropriate PCI tree walking code to retrieve the slot/port a given
      endpoint is connected to.
      Signed-off-by: NHonghui Zhang <honghui.zhang@mediatek.com>
      [lorenzo.pieralisi@arm.com: rewrote the commit log]
      Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Acked-by: NRyder Lee <ryder.lee@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a5908dd
    • T
      usb: host: ohci-at91: fix request of irq for optional gpio · 49c8a09e
      Tudor.Ambarus@microchip.com 提交于
      [ Upstream commit 325b9313ec3be56c8e2fe03f977fee19cec75820 ]
      
      atmel,oc-gpio is optional. Request its irq only when atmel,oc is set
      in device tree.
      
      devm_gpiod_get_index_optional returns NULL if -ENOENT. Check its
      return value for NULL before error, because it is more probable that
      atmel,oc is not set.
      
      This fixes the following errors on boards where atmel,oc is not set in
      device tree:
      [    0.960000] at91_ohci 500000.ohci: failed to request gpio "overcurrent" IRQ
      [    0.960000] at91_ohci 500000.ohci: failed to request gpio "overcurrent" IRQ
      [    0.970000] at91_ohci 500000.ohci: failed to request gpio "overcurrent" IRQ
      Signed-off-by: NTudor Ambarus <tudor.ambarus@microchip.com>
      Acked-by: NNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      49c8a09e
    • S
      RDMA/bnxt_re: Fix recursive lock warning in debug kernel · 6a89b3a6
      Selvin Xavier 提交于
      [ Upstream commit d455f29f6d76a5f94881ca1289aaa1e90617ff5d ]
      
      Fix possible recursive lock warning. Its a false warning as the locks are
      part of two differnt HW Queue data structure - cmdq and creq. Debug kernel
      is throwing the following warning and stack trace.
      
      [  783.914967] ============================================
      [  783.914970] WARNING: possible recursive locking detected
      [  783.914973] 4.19.0-rc2+ #33 Not tainted
      [  783.914976] --------------------------------------------
      [  783.914979] swapper/2/0 is trying to acquire lock:
      [  783.914982] 000000002aa3949d (&(&hwq->lock)->rlock){..-.}, at: bnxt_qplib_service_creq+0x232/0x350 [bnxt_re]
      [  783.914999]
      but task is already holding lock:
      [  783.915002] 00000000be73920d (&(&hwq->lock)->rlock){..-.}, at: bnxt_qplib_service_creq+0x2a/0x350 [bnxt_re]
      [  783.915013]
      other info that might help us debug this:
      [  783.915016]  Possible unsafe locking scenario:
      
      [  783.915019]        CPU0
      [  783.915021]        ----
      [  783.915034]   lock(&(&hwq->lock)->rlock);
      [  783.915035]   lock(&(&hwq->lock)->rlock);
      [  783.915037]
       *** DEADLOCK ***
      
      [  783.915038]  May be due to missing lock nesting notation
      
      [  783.915039] 1 lock held by swapper/2/0:
      [  783.915040]  #0: 00000000be73920d (&(&hwq->lock)->rlock){..-.}, at: bnxt_qplib_service_creq+0x2a/0x350 [bnxt_re]
      [  783.915044]
      stack backtrace:
      [  783.915046] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.0-rc2+ #33
      [  783.915047] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
      [  783.915048] Call Trace:
      [  783.915049]  <IRQ>
      [  783.915054]  dump_stack+0x90/0xe3
      [  783.915058]  __lock_acquire+0x106c/0x1080
      [  783.915061]  ? sched_clock+0x5/0x10
      [  783.915063]  lock_acquire+0xbd/0x1a0
      [  783.915065]  ? bnxt_qplib_service_creq+0x232/0x350 [bnxt_re]
      [  783.915069]  _raw_spin_lock_irqsave+0x4a/0x90
      [  783.915071]  ? bnxt_qplib_service_creq+0x232/0x350 [bnxt_re]
      [  783.915073]  bnxt_qplib_service_creq+0x232/0x350 [bnxt_re]
      [  783.915078]  tasklet_action_common.isra.17+0x197/0x1b0
      [  783.915081]  __do_softirq+0xcb/0x3a6
      [  783.915084]  irq_exit+0xe9/0x100
      [  783.915085]  do_IRQ+0x6a/0x120
      [  783.915087]  common_interrupt+0xf/0xf
      [  783.915088]  </IRQ>
      
      Use nested notation for the spin_lock to avoid this warning.
      Signed-off-by: NSelvin Xavier <selvin.xavier@broadcom.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a89b3a6
    • S
      RDMA/bnxt_re: Avoid accessing nq->bar_reg_iomem in failure case · 0b27b2b2
      Selvin Xavier 提交于
      [ Upstream commit ed51efd2ce44091a858ad829f666727e7c95695e ]
      
      In the failure path, nq->bar_reg_iomem gets accessed without
      initializing. Avoid this by calling the bnxt_qplib_nq_stop_irq only if the
      initialization is complete.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 1ac5a404 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
      Fixes: 6e04b103 ("RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes")
      Signed-off-by: NSelvin Xavier <selvin.xavier@broadcom.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b27b2b2
    • D
      IB/ipoib: Clear IPCB before icmp_send · ebd7595d
      Denis Drozdov 提交于
      [ Upstream commit 4d6e4d12da2c308f8f976d3955c45ee62539ac98 ]
      
      IPCB should be cleared before icmp_send, since it may contain data from
      previous layers and the data could be misinterpreted as ip header options,
      which later caused the ihl to be set to an invalid value and resulted in
      the following stack corruption:
      
      [ 1083.031512] ib0: packet len 57824 (> 2048) too long to send, dropping
      [ 1083.031843] ib0: packet len 37904 (> 2048) too long to send, dropping
      [ 1083.032004] ib0: packet len 4040 (> 2048) too long to send, dropping
      [ 1083.032253] ib0: packet len 63800 (> 2048) too long to send, dropping
      [ 1083.032481] ib0: packet len 23960 (> 2048) too long to send, dropping
      [ 1083.033149] ib0: packet len 63800 (> 2048) too long to send, dropping
      [ 1083.033439] ib0: packet len 63800 (> 2048) too long to send, dropping
      [ 1083.033700] ib0: packet len 63800 (> 2048) too long to send, dropping
      [ 1083.034124] ib0: packet len 63800 (> 2048) too long to send, dropping
      [ 1083.034387] ==================================================================
      [ 1083.034602] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xf08/0x1310
      [ 1083.034798] Write of size 4 at addr ffff880353457c5f by task kworker/u16:0/7
      [ 1083.034990]
      [ 1083.035104] CPU: 7 PID: 7 Comm: kworker/u16:0 Tainted: G           O      4.19.0-rc5+ #1
      [ 1083.035316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
      [ 1083.035573] Workqueue: ipoib_wq ipoib_cm_skb_reap [ib_ipoib]
      [ 1083.035750] Call Trace:
      [ 1083.035888]  dump_stack+0x9a/0xeb
      [ 1083.036031]  print_address_description+0xe3/0x2e0
      [ 1083.036213]  kasan_report+0x18a/0x2e0
      [ 1083.036356]  ? __ip_options_echo+0xf08/0x1310
      [ 1083.036522]  __ip_options_echo+0xf08/0x1310
      [ 1083.036688]  icmp_send+0x7b9/0x1cd0
      [ 1083.036843]  ? icmp_route_lookup.constprop.9+0x1070/0x1070
      [ 1083.037018]  ? netif_schedule_queue+0x5/0x200
      [ 1083.037180]  ? debug_show_all_locks+0x310/0x310
      [ 1083.037341]  ? rcu_dynticks_curr_cpu_in_eqs+0x85/0x120
      [ 1083.037519]  ? debug_locks_off+0x11/0x80
      [ 1083.037673]  ? debug_check_no_obj_freed+0x207/0x4c6
      [ 1083.037841]  ? check_flags.part.27+0x450/0x450
      [ 1083.037995]  ? debug_check_no_obj_freed+0xc3/0x4c6
      [ 1083.038169]  ? debug_locks_off+0x11/0x80
      [ 1083.038318]  ? skb_dequeue+0x10e/0x1a0
      [ 1083.038476]  ? ipoib_cm_skb_reap+0x2b5/0x650 [ib_ipoib]
      [ 1083.038642]  ? netif_schedule_queue+0xa8/0x200
      [ 1083.038820]  ? ipoib_cm_skb_reap+0x544/0x650 [ib_ipoib]
      [ 1083.038996]  ipoib_cm_skb_reap+0x544/0x650 [ib_ipoib]
      [ 1083.039174]  process_one_work+0x912/0x1830
      [ 1083.039336]  ? wq_pool_ids_show+0x310/0x310
      [ 1083.039491]  ? lock_acquire+0x145/0x3a0
      [ 1083.042312]  worker_thread+0x87/0xbb0
      [ 1083.045099]  ? process_one_work+0x1830/0x1830
      [ 1083.047865]  kthread+0x322/0x3e0
      [ 1083.050624]  ? kthread_create_worker_on_cpu+0xc0/0xc0
      [ 1083.053354]  ret_from_fork+0x3a/0x50
      
      For instance __ip_options_echo is failing to proceed with invalid srr and
      optlen passed from another layer via IPCB
      
      [  762.139568] IPv4: __ip_options_echo rr=0 ts=0 srr=43 cipso=0
      [  762.139720] IPv4: ip_options_build: IPCB 00000000f3cd969e opt 000000002ccb3533
      [  762.139838] IPv4: __ip_options_echo in srr: optlen 197 soffset 84
      [  762.139852] IPv4: ip_options_build srr=0 is_frag=0 rr_needaddr=0 ts_needaddr=0 ts_needtime=0 rr=0 ts=0
      [  762.140269] ==================================================================
      [  762.140713] IPv4: __ip_options_echo rr=0 ts=0 srr=0 cipso=0
      [  762.141078] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x12ec/0x1680
      [  762.141087] Write of size 4 at addr ffff880353457c7f by task kworker/u16:0/7
      Signed-off-by: NDenis Drozdov <denisd@mellanox.com>
      Reviewed-by: NErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: NFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ebd7595d
    • L
      RDMA/cm: Respect returned status of cm_init_av_by_path · 9f7a37ef
      Leon Romanovsky 提交于
      [ Upstream commit e54b6a3bcd1ec972b25a164bdf495d9e7120b107 ]
      
      Add missing check for failure of cm_init_av_by_path
      
      Fixes: e1444b5a ("IB/cm: Fix automatic path migration support")
      Reported-by: NSlava Shwartsman <slavash@mellanox.com>
      Reviewed-by: NParav Pandit <parav@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f7a37ef
    • P
      RDMA/core: Do not expose unsupported counters · bc280cf5
      Parav Pandit 提交于
      [ Upstream commit 0f6ef65d1c6ec8deb5d0f11f86631ec4cfe8f22e ]
      
      If the provider driver (such as rdma_rxe) doesn't support pma counters,
      avoid exposing its directory similar to optional hw_counters directory.
      If core fails to read the PMA counter, return an error so that user can
      retry later if needed.
      
      Fixes: 35c4cbb1 ("IB/core: Create get_perf_mad function in sysfs.c")
      Reported-by: NHolger Hoffstätte <holger@applied-asynchrony.com>
      Tested-by: NHolger Hoffstätte <holger@applied-asynchrony.com>
      Signed-off-by: NParav Pandit <parav@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc280cf5
    • W
      scsi: megaraid_sas: fix a missing-check bug · 51b6d8b0
      Wenwen Wang 提交于
      [ Upstream commit 47db7873136a9c57c45390a53b57019cf73c8259 ]
      
      In megasas_mgmt_compat_ioctl_fw(), to handle the structure
      compat_megasas_iocpacket 'cioc', a user-space structure megasas_iocpacket
      'ioc' is allocated before megasas_mgmt_ioctl_fw() is invoked to handle
      the packet. Since the two data structures have different fields, the data
      is copied from 'cioc' to 'ioc' field by field. In the copy process,
      'sense_ptr' is prepared if the field 'sense_len' is not null, because it
      will be used in megasas_mgmt_ioctl_fw(). To prepare 'sense_ptr', the
      user-space data 'ioc->sense_off' and 'cioc->sense_off' are copied and
      saved to kernel-space variables 'local_sense_off' and 'user_sense_off'
      respectively. Given that 'ioc->sense_off' is also copied from
      'cioc->sense_off', 'local_sense_off' and 'user_sense_off' should have the
      same value. However, 'cioc' is in the user space and a malicious user can
      race to change the value of 'cioc->sense_off' after it is copied to
      'ioc->sense_off' but before it is copied to 'user_sense_off'. By doing
      so, the attacker can inject different values into 'local_sense_off' and
      'user_sense_off'. This can cause undefined behavior in the following
      execution, because the two variables are supposed to be same.
      
      This patch enforces a check on the two kernel variables 'local_sense_off'
      and 'user_sense_off' to make sure they are the same after the copy. In
      case they are not, an error code EINVAL will be returned.
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Acked-by: NSumit Saxena <sumit.saxena@broadcom.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      51b6d8b0
    • J
      KVM: nVMX: Clear reserved bits of #DB exit qualification · 3223e557
      Jim Mattson 提交于
      [ Upstream commit cfb634fe3052aefc4e1360fa322018c9a0b49755 ]
      
      According to volume 3 of the SDM, bits 63:15 and 12:4 of the exit
      qualification field for debug exceptions are reserved (cleared to
      0). However, the SDM is incorrect about bit 16 (corresponding to
      DR6.RTM). This bit should be set if a debug exception (#DB) or a
      breakpoint exception (#BP) occurred inside an RTM region while
      advanced debugging of RTM transactional regions was enabled. Note that
      this is the opposite of DR6.RTM, which "indicates (when clear) that a
      debug exception (#DB) or breakpoint exception (#BP) occurred inside an
      RTM region while advanced debugging of RTM transactional regions was
      enabled."
      
      There is still an issue with stale DR6 bits potentially being
      misreported for the current debug exception.  DR6 should not have been
      modified before vectoring the #DB exception, and the "new DR6 bits"
      should be available somewhere, but it was and they aren't.
      
      Fixes: b96fb439 ("KVM: nVMX: fixes to nested virt interrupt injection")
      Signed-off-by: NJim Mattson <jmattson@google.com>
      Reviewed-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3223e557
    • D
      UAPI: ndctl: Fix g++-unsupported initialisation in headers · cd888e8a
      David Howells 提交于
      [ Upstream commit 9607871f37dc3e717639694b8d0dc738f2a68efc ]
      
      The following code in the linux/ndctl header file:
      
      	static inline const char *nvdimm_bus_cmd_name(unsigned cmd)
      	{
      		static const char * const names[] = {
      			[ND_CMD_ARS_CAP] = "ars_cap",
      			[ND_CMD_ARS_START] = "ars_start",
      			[ND_CMD_ARS_STATUS] = "ars_status",
      			[ND_CMD_CLEAR_ERROR] = "clear_error",
      			[ND_CMD_CALL] = "cmd_call",
      		};
      
      		if (cmd < ARRAY_SIZE(names) && names[cmd])
      			return names[cmd];
      		return "unknown";
      	}
      
      is broken in a number of ways:
      
       (1) ARRAY_SIZE() is not generally defined.
      
       (2) g++ does not support "non-trivial" array initialisers fully yet.
      
       (3) Every file that calls this function will acquire a copy of names[].
      
      The same goes for nvdimm_cmd_name().
      
      Fix all three by converting to a switch statement where each case returns a
      string.  That way if cmd is a constant, the compiler can trivially reduce it
      and, if not, the compiler can use a shared lookup table if it thinks that is
      more efficient.
      
      A better way would be to remove these functions and their arrays from the
      header entirely.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd888e8a
    • E
      scsi: ufs: Schedule clk gating work on correct queue · f2470959
      Evan Green 提交于
      [ Upstream commit f4bb7704699beee9edfbee875daa9089c86cf724 ]
      
      With commit 10e5e375 ("scsi: ufs: Add clock ungating to a separate
      workqueue"), clock gating work was moved to a separate work queue with
      WQ_MEM_RECLAIM set, since clock gating could occur from a memory reclaim
      context. Unfortunately, clk_gating.gate_work was left queued via
      schedule_delayed_work, which is a system workqueue that does not have
      WQ_MEM_RECLAIM set.  Because ufshcd_ungate_work attempts to cancel
      gate_work, the following warning appears:
      
      [   14.174170] workqueue: WQ_MEM_RECLAIM ufs_clk_gating_0:ufshcd_ungate_work is flushing !WQ_MEM_RECLAIM events:ufshcd_gate_work
      [   14.174179] WARNING: CPU: 4 PID: 173 at kernel/workqueue.c:2440 check_flush_dependency+0x110/0x118
      [   14.205725] CPU: 4 PID: 173 Comm: kworker/u16:3 Not tainted 4.14.68 #1
      [   14.212437] Hardware name: Google Cheza (rev1) (DT)
      [   14.217459] Workqueue: ufs_clk_gating_0 ufshcd_ungate_work
      [   14.223107] task: ffffffc0f6a40080 task.stack: ffffff800a490000
      [   14.229195] PC is at check_flush_dependency+0x110/0x118
      [   14.234569] LR is at check_flush_dependency+0x110/0x118
      [   14.239944] pc : [<ffffff80080cad14>] lr : [<ffffff80080cad14>] pstate: 60c001c9
      [   14.333050] Call trace:
      [   14.427767] [<ffffff80080cad14>] check_flush_dependency+0x110/0x118
      [   14.434219] [<ffffff80080cafec>] start_flush_work+0xac/0x1fc
      [   14.440046] [<ffffff80080caeec>] flush_work+0x40/0x94
      [   14.445246] [<ffffff80080cb288>] __cancel_work_timer+0x11c/0x1b8
      [   14.451433] [<ffffff80080cb4b8>] cancel_delayed_work_sync+0x20/0x30
      [   14.457886] [<ffffff80085b9294>] ufshcd_ungate_work+0x24/0xd0
      [   14.463800] [<ffffff80080cfb04>] process_one_work+0x32c/0x690
      [   14.469713] [<ffffff80080d0154>] worker_thread+0x218/0x338
      [   14.475361] [<ffffff80080d527c>] kthread+0x120/0x130
      [   14.480470] [<ffffff8008084814>] ret_from_fork+0x10/0x18
      
      The simple solution is to put the gate_work on the same WQ_MEM_RECLAIM
      work queue as the ungate_work.
      
      Fixes: 10e5e375 ("scsi: ufs: Add clock ungating to a separate workqueue")
      Signed-off-by: NEvan Green <evgreen@chromium.org>
      Reviewed-by: NDouglas Anderson <dianders@chromium.org>
      Reviewed-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2470959
    • F
      scsi: esp_scsi: Track residual for PIO transfers · 1057c647
      Finn Thain 提交于
      [ Upstream commit fd47d919d0c336e7c22862b51ee94927ffea227a ]
      
      If a target disconnects during a PIO data transfer the command may fail
      when the target reconnects:
      
      scsi host1: DMA length is zero!
      scsi host1: cur adr[04380000] len[00000000]
      
      The scsi bus is then reset. This happens because the residual reached
      zero before the transfer was completed.
      
      The usual residual calculation relies on the Transfer Count registers.
      That works for DMA transfers but not for PIO transfers. Fix the problem
      by storing the PIO transfer residual and using that to correctly
      calculate bytes_sent.
      
      Fixes: 6fe07aaf ("[SCSI] m68k: new mac_esp scsi driver")
      Tested-by: NStan Johnson <userm57@yahoo.com>
      Signed-off-by: NFinn Thain <fthain@telegraphics.com.au>
      Tested-by: NMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1057c647
    • R
      of: Add missing exports of node name compare functions · 1db5dec2
      Rob Herring 提交于
      [ Upstream commit 173ee3962959a1985a109f81539a403b5cd07ae7 ]
      
      Commit f42b0e18 ("of: add node name compare helper functions")
      failed to add the module exports to of_node_name_eq() and
      of_node_name_prefix(). Add them now.
      
      Fixes: f42b0e18 ("of: add node name compare helper functions")
      Signed-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1db5dec2
    • J
      md: fix memleak for mempool · b5e07d44
      Jack Wang 提交于
      [ Upstream commit 6aaa58c994277647f8b05ffef3b9b225a2d08f36 ]
      
      I noticed kmemleak report memory leak when run create/stop
      md in a loop, backtrace:
      [<000000001ca975e7>] mempool_create_node+0x86/0xd0
      [<0000000095576bcd>] md_run+0x1057/0x1410 [md_mod]
      [<000000007b45c5fc>] do_md_run+0x15/0x130 [md_mod]
      [<000000001ede9ec0>] md_ioctl+0x1f49/0x25d0 [md_mod]
      [<000000004142cacf>] blkdev_ioctl+0x680/0xd00
      
      The root cause is we alloc mddev->flush_pool and
      mddev->flush_bio_pool in md_run, but from do_md_stop
      will not call into md_stop but __md_stop, move the
      mempool_destroy to __md_stop fixes the problem for me.
      
      The bug was introduced in 5a409b4f, the fixes should go to
      4.18+
      
      Fixes: 5a409b4f ("MD: fix lock contention for flush bios")
      Signed-off-by: NJack Wang <jinpu.wang@profitbricks.com>
      Reviewed-by: NXiao Ni <xni@redhat.com>
      Signed-off-by: NShaohua Li <shli@fb.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b5e07d44
    • X
      MD: Memory leak when flush bio size is zero · fbf975ef
      Xiao Ni 提交于
      [ Upstream commit af9b926de9c5986ab009e64917de87c9758bab10 ]
      
      flush_pool is leaked when flush bio size is zero
      
      Fixes: 5a409b4f ("MD: fix lock contention for flush bios")
      Signed-off-by: NDavid Jeffery <djeffery@redhat.com>
      Signed-off-by: NXiao Ni <xni@redhat.com>
      Signed-off-by: NShaohua Li <shli@fb.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbf975ef
    • C
      f2fs: fix to account IO correctly for cgroup writeback · 64c90d9c
      Chao Yu 提交于
      [ Upstream commit 78efac537de33faab9a4302cc05a70bb4a8b3b63 ]
      
      Now, we have supported cgroup writeback, it depends on correctly IO
      account of specified filesystem.
      
      But in commit d1b3e72d ("f2fs: submit bio of in-place-update pages"),
      we split write paths from f2fs_submit_page_mbio() to two:
      - f2fs_submit_page_bio() for IPU path
      - f2fs_submit_page_bio() for OPU path
      
      But still we account write IO only in f2fs_submit_page_mbio(), result in
      incorrect IO account, fix it by adding missing IO account in IPU path.
      
      Fixes: d1b3e72d ("f2fs: submit bio of in-place-update pages")
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64c90d9c
    • J
      net: stmmac: dwmac-sun8i: fix OF child-node lookup · 5151f440
      Johan Hovold 提交于
      [ Upstream commit ac63043d8cb5503c7e0fe110f947eacf2663804e ]
      
      Use the new of_get_compatible_child() helper to lookup the mdio-internal
      child node instead of using of_find_compatible_node(), which searches
      the entire tree from a given start node and thus can return an unrelated
      (i.e. non-child) node.
      
      This also addresses a potential use-after-free (e.g. after probe
      deferral) as the tree-wide helper drops a reference to its first
      argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
      balanced by a failure to drop the mdio-mux reference after lookup.
      
      While at it, also fix the related mdio-internal- and phy-node reference
      leaks.
      
      Fixes: 634db83b ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
      Tested-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Cc: Jose Abreu <joabreu@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5151f440
    • M
      cgroup, netclassid: add a preemption point to write_classid · 48936133
      Michal Hocko 提交于
      [ Upstream commit a90e90b7d55e789c71d85b946ffb5c1ab2f137ca ]
      
      We have seen a customer complaining about soft lockups on !PREEMPT
      kernel config with 4.4 based kernel
      
      [1072141.435366] NMI watchdog: BUG: soft lockup - CPU#21 stuck for 22s! [systemd:1]
      [1072141.444090] Modules linked in: mpt3sas raid_class binfmt_misc af_packet 8021q garp mrp stp llc xfs libcrc32c bonding iscsi_ibft iscsi_boot_sysfs msr ext4 crc16 jbd2 mbcache cdc_ether usbnet mii joydev hid_generic usbhid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif mgag200 i2c_algo_bit ttm ipmi_devintf drbg ixgbe drm_kms_helper vxlan ansi_cprng ip6_udp_tunnel drm aesni_intel udp_tunnel aes_x86_64 iTCO_wdt syscopyarea ptp xhci_pci lrw iTCO_vendor_support pps_core gf128mul ehci_pci glue_helper sysfillrect mdio pcspkr sb_edac ablk_helper cryptd ehci_hcd sysimgblt xhci_hcd fb_sys_fops edac_core mei_me lpc_ich ses usbcore enclosure dca mfd_core ipmi_si mei i2c_i801 scsi_transport_sas usb_common ipmi_msghandler shpchp fjes wmi processor button acpi_pad btrfs xor raid6_pq sd_mod crc32c_intel megaraid_sas sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod md_mod autofs4
      [1072141.444146] Supported: Yes
      [1072141.444149] CPU: 21 PID: 1 Comm: systemd Not tainted 4.4.121-92.80-default #1
      [1072141.444150] Hardware name: LENOVO Lenovo System x3650 M5 -[5462P4U]- -[5462P4U]-/01GR451, BIOS -[TCE136H-2.70]- 06/13/2018
      [1072141.444151] task: ffff880191bd0040 ti: ffff880191bd4000 task.ti: ffff880191bd4000
      [1072141.444153] RIP: 0010:[<ffffffff815229f9>]  [<ffffffff815229f9>] update_classid_sock+0x29/0x40
      [1072141.444157] RSP: 0018:ffff880191bd7d58  EFLAGS: 00000286
      [1072141.444158] RAX: ffff883b177cb7c0 RBX: 0000000000000000 RCX: 0000000000000000
      [1072141.444159] RDX: 00000000000009c7 RSI: ffff880191bd7d5c RDI: ffff8822e29bb200
      [1072141.444160] RBP: ffff883a72230980 R08: 0000000000000101 R09: 0000000000000000
      [1072141.444161] R10: 0000000000000008 R11: f000000000000000 R12: ffffffff815229d0
      [1072141.444162] R13: 0000000000000000 R14: ffff881fd0a47ac0 R15: ffff880191bd7f28
      [1072141.444163] FS:  00007f3e2f1eb8c0(0000) GS:ffff882000340000(0000) knlGS:0000000000000000
      [1072141.444164] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [1072141.444165] CR2: 00007f3e2f200000 CR3: 0000001ffea4e000 CR4: 00000000001606f0
      [1072141.444166] Stack:
      [1072141.444166]  ffffffa800000246 00000000000009c7 ffffffff8121d583 ffff8818312a05c0
      [1072141.444168]  ffff8818312a1100 ffff880197c3b280 ffff881861422858 ffffffffffffffea
      [1072141.444170]  ffffffff81522b1c ffffffff81d0ca20 ffff8817fa17b950 ffff883fdd8121e0
      [1072141.444171] Call Trace:
      [1072141.444179]  [<ffffffff8121d583>] iterate_fd+0x53/0x80
      [1072141.444182]  [<ffffffff81522b1c>] write_classid+0x4c/0x80
      [1072141.444187]  [<ffffffff8111328b>] cgroup_file_write+0x9b/0x100
      [1072141.444193]  [<ffffffff81278bcb>] kernfs_fop_write+0x11b/0x150
      [1072141.444198]  [<ffffffff81201566>] __vfs_write+0x26/0x100
      [1072141.444201]  [<ffffffff81201bed>] vfs_write+0x9d/0x190
      [1072141.444203]  [<ffffffff812028c2>] SyS_write+0x42/0xa0
      [1072141.444207]  [<ffffffff815f58c3>] entry_SYSCALL_64_fastpath+0x1e/0xca
      [1072141.445490] DWARF2 unwinder stuck at entry_SYSCALL_64_fastpath+0x1e/0xca
      
      If a cgroup has many tasks with many open file descriptors then we would
      end up in a large loop without any rescheduling point throught the
      operation. Add cond_resched once per task.
      Signed-off-by: NMichal Hocko <mhocko@suse.com>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48936133
    • R
      cifs: fix a credits leak for compund commands · c24f57c6
      Ronnie Sahlberg 提交于
      [ Upstream commit cb5c2e63948451d38c977685fffc06e23beb4517 ]
      
      When processing the mids for compounds we would only add credits based on
      the last successful mid in the compound which would leak credits and
      eventually triggering a re-connect.
      
      Fix this by splitting the mid processing part into two loops instead of one
      where the first loop just waits for all mids and then counts how many
      credits we were granted for the whole compound.
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c24f57c6
    • G
      thermal: da9062/61: Prevent hardware access during system suspend · c016b6d3
      Geert Uytterhoeven 提交于
      [ Upstream commit 760eea43f8c6d48684f1f34b8a02fddc1456e849 ]
      
      The workqueue used for monitoring the hardware may run while the device
      is already suspended.  Fix this by using the freezable system workqueue
      instead, cfr. commit 51e20d0e ("thermal: Prevent polling from
      happening during system suspend").
      
      Fixes: 608567aa ("thermal: da9062/61: Thermal junction temperature monitoring driver")
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Acked-by: NSteve Twiss <stwiss.opensource@diasemi.com>
      Signed-off-by: NEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c016b6d3
    • G
      thermal: rcar_thermal: Prevent doing work after unbind · 509859e4
      Geert Uytterhoeven 提交于
      [ Upstream commit 697ee786f15d7b65c7f3045d45fe3a05d28e0911 ]
      
      When testing bind/unbind on r8a7791/koelsch:
      
          WARNING: CPU: 1 PID: 697 at lib/debugobjects.c:329 debug_print_object+0x8c/0xb4
          ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x10
      
      This happens if the workqueue runs after the device has been unbound.
      Fix this by cancelling any queued work during remove.
      
      Fixes: e0a5172e ("thermal: rcar: add interrupt support")
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: NNiklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
      Signed-off-by: NEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      509859e4
    • D
      libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9 · aa3bbb8d
      Diego Viola 提交于
      [ Upstream commit a435ab4f80f983c53b4ca4f8c12b3ddd3ca17670 ]
      
      med_power_with_dipm causes my T450 to freeze with a SAMSUNG
      MZ7TD256HAFV-000L9 SSD (firmware DXT02L5Q).
      
      Switching the LPM to max_performance fixes this issue.
      Acked-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NDiego Viola <diego.viola@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa3bbb8d
    • M
      ath10k: schedule hardware restart if WMI command times out · 27baa32c
      Martin Willi 提交于
      [ Upstream commit a9911937e7d332761e8c4fcbc7ba0426bdc3956f ]
      
      When running in AP mode, ath10k sometimes suffers from TX credit
      starvation. The issue is hard to reproduce and shows up once in a
      few days, but has been repeatedly seen with QCA9882 and a large
      range of firmwares, including 10.2.4.70.67.
      
      Once the module is in this state, TX credits are never replenished,
      which results in "SWBA overrun" errors, as no beacons can be sent.
      Even worse, WMI commands run in a timeout while holding the conf
      mutex for three seconds each, making any further operations slow
      and the whole system unresponsive.
      
      The firmware/driver never recovers from that state automatically,
      and triggering TX flush or warm restarts won't work over WMI. So
      issue a hardware restart if a WMI command times out due to missing
      TX credits. This implies a connectivity outage of about 1.4s in AP
      mode, but brings back the interface and the whole system to a usable
      state. WMI command timeouts have not been seen in absent of this
      specific issue, so taking such drastic actions seems legitimate.
      Signed-off-by: NMartin Willi <martin@strongswan.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27baa32c
    • M
      wil6210: fix RX buffers release and unmap · b8345244
      Maya Erez 提交于
      [ Upstream commit 84f16fbb62384fb209cd35741d94eb00b5ca2746 ]
      
      RX SKBs are released in both wil6210 rmmod and RX handle.
      As there is no lock to protect the buffers DMA unmap,
      the SKB pointer in buff_arr is used to check if the buffer
      memory was already released.
      Setting wil->rx_buff_mgmt.buff_arr[buff_id].skb to NULL before the DMA
      memory unmap will prevent duplicate unmapping of the same memory.
      Move the buffer ID to the free list also in case the SKB is NULL.
      Signed-off-by: NMaya Erez <merez@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b8345244
    • S
      ixgbevf: VF2VF TCP RSS · ef172c74
      Sebastian Basierski 提交于
      [ Upstream commit 7fb94bd58dd6650a0158e68d414e185077d8b57a ]
      
      While VF2VF with RSS communication, RSS Type were wrongly recognized
      and RSS hash was not calculated as it should be. Packets was
      distributed on various queues by accident.
      This commit fixes that behaviour and causes proper RSS Type recognition.
      Signed-off-by: NSebastian Basierski <sebastianx.basierski@intel.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef172c74
    • S
      ixgbe: disallow IPsec Tx offload when in SR-IOV mode · d0530284
      Shannon Nelson 提交于
      [ Upstream commit 47b6f50077e68bcd544f657526dad4bfdce7e87d ]
      
      There seems to be a problem in the x540's internal switch wherein if SR-IOV
      mode is enabled and an offloaded IPsec packet is sent to a local VF,
      the packet is silently dropped.  This might never be a problem as it is
      somewhat a corner case, but if someone happens to be using IPsec offload
      from the PF to a VF that just happens to get migrated to the local box,
      communication will mysteriously fail.
      
      Not good.
      
      A simple way to protect from this is to simply not allow any IPsec offloads
      for outgoing packets when num_vfs != 0.  This doesn't help any offloads that
      were created before SR-IOV was enabled, but we'll get to that later.
      Signed-off-by: NShannon Nelson <shannon.nelson@oracle.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0530284
    • J
      gpio: brcmstb: allow 0 width GPIO banks · 545a0303
      Justin Chen 提交于
      [ Upstream commit bfba223dcc4548632d8f3bfd15690a86d4c68504 ]
      
      Sometimes we have empty banks within the GPIO block. This commit allows
      proper handling of 0 width GPIO banks. We handle 0 width GPIO banks by
      incrementing the bank and number of GPIOs, but not initializing them.
      This will mean a call into the non-existent GPIOs will return an error.
      
      Also remove "GPIO registered" dev print. This information is misleading
      since the incremented banks and gpio_base do not reflect the actual GPIOs
      that get initialized. We leave this information out since it is already
      printed with dev_dbg.
      Signed-off-by: NJustin Chen <justinpopo6@gmail.com>
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      545a0303
    • S
      iwlwifi: mvm: fix BAR seq ctrl reporting · 8ba36c16
      Sara Sharon 提交于
      [ Upstream commit 941ab4eb66c10bc5c7234e83a7a858b2806ed151 ]
      
      There is a bug in FW where the sequence control may be
      incorrect, and the driver overrides it with the value
      of the ieee80211 header.
      
      However, in BAR there is no sequence control in the header,
      which result with arbitrary sequence.
      
      This access to an unknown location is bad and it makes the
      logs very confusing - so fix it.
      Signed-off-by: NSara Sharon <sara.sharon@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ba36c16
    • D
      libertas_tf: prevent underflow in process_cmdrequest() · 44e0f15b
      Dan Carpenter 提交于
      [ Upstream commit 3348ef6a6a126706d6a73ed40c18d8033df72783 ]
      
      If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
      corrupting memory.
      
      Fixes: c305a19a ("libertas_tf: usb specific functions")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44e0f15b
    • S
      rsi: fix memory alignment issue in ARM32 platforms · 14e0b9bb
      Siva Rebbagondla 提交于
      [ Upstream commit baa8caf4ab7af2d9e84b566b99fe919a4e9e7562 ]
      
      During testing in ARM32 platforms, observed below kernel panic, as driver
      accessing data beyond the allocated memory while submitting URB to USB.
      
      Fix: Resolved this by specifying correct length by considering 64 bit
      alignment. so that, USB bus driver will access only allocated memory.
      
      Unit-test: Tested and confirm that driver bring up and scanning,
      connection and data transfer works fine with this fix.
      
      ...skipping...
      [   25.389450] Unable to handle kernel paging request at virtual
      	       address 5aa11422
      [   25.403078] Internal error: Oops: 5 [#1] SMP ARM
      [   25.407703] Modules linked in: rsi_usb
      [   25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1
      [   25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      [   25.425764] PC is at skb_release_data+0x90/0x168
      [   25.430393] LR is at skb_release_all+0x28/0x2c
      [   25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e
      [   25.464633] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32 ISA ARM Segment none
      [   25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval))
      [   25.483709] Stack: (0xedf69ed8 to 0xedf6a000)
      [   25.569907] Backtrace:
      [   25.572368] [<80743520>] (skb_release_data) from [<80742ba0>]
      	       (skb_release_all+0x28/0x2c)
      [   25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0
      	       r5:eddab000 r4:eddbb840
      [   25.588308] [<80742b78>] (skb_release_all) from [<807432cc>]
      	       (consume_skb+0x30/0x50)
      [   25.596055] r5:eddab000 r4:eddbb840
      [   25.599648] [<8074329c>] (consume_skb) from [<7f00117c>]
      	       (rsi_usb_rx_thread+0x64/0x12c [rsi_usb])
      [   25.608524] r5:eddab000 r4:eddbb840
      [   25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from
      	       [<80142750>] (kthread+0x11c/0x15c)
      [   25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000
      	       r6:edd3a780 r5:00000000
      [   25.628567] r4:edcde380
      [   25.631110] [<80142634>] (kthread) from [<801010e8>]
      	       (ret_from_fork+0x14/0x2c)
      [   25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8)
      [   25.682929] ---[ end trace 8236a5496f5b5d3b ]---
      Signed-off-by: NSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14e0b9bb
    • L
      mt76x2u: run device cleanup routine if resume fails · 3041b096
      Lorenzo Bianconi 提交于
      [ Upstream commit 9b2fd48d36e25b9be9ddb8be8cc1eb263a1d1843 ]
      
      Cleanup {tx,rx} and mcu queues if resume operation fails
      
      Fixes: ee676cd5 ("mt76: add driver code for MT76x2u based devices")
      Signed-off-by: NLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3041b096