1. 07 8月, 2019 40 次提交
    • M
      kconfig: Clear "written" flag to avoid data loss · 3736612d
      M. Vefa Bicakci 提交于
      commit 0c5b6c28ed68becb692b43eae5e44d5aa7e160ce upstream.
      
      Prior to this commit, starting nconfig, xconfig or gconfig, and saving
      the .config file more than once caused data loss, where a .config file
      that contained only comments would be written to disk starting from the
      second save operation.
      
      This bug manifests itself because the SYMBOL_WRITTEN flag is never
      cleared after the first call to conf_write, and subsequent calls to
      conf_write then skip all of the configuration symbols due to the
      SYMBOL_WRITTEN flag being set.
      
      This commit resolves this issue by clearing the SYMBOL_WRITTEN flag
      from all symbols before conf_write returns.
      
      Fixes: 8e2442a5f86e ("kconfig: fix missing choice values in auto.conf")
      Cc: linux-stable <stable@vger.kernel.org> # 4.19+
      Signed-off-by: NM. Vefa Bicakci <m.v.b@runbox.com>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3736612d
    • Y
      drm/nouveau: fix memory leak in nouveau_conn_reset() · 4c6500b5
      Yongxin Liu 提交于
      [ Upstream commit 09b90e2fe35faeace2488234e2a7728f2ea8ba26 ]
      
      In nouveau_conn_reset(), if connector->state is true,
      __drm_atomic_helper_connector_destroy_state() will be called,
      but the memory pointed by asyc isn't freed. Memory leak happens
      in the following function __drm_atomic_helper_connector_reset(),
      where newly allocated asyc->state will be assigned to connector->state.
      
      So using nouveau_conn_atomic_destroy_state() instead of
      __drm_atomic_helper_connector_destroy_state to free the "old" asyc.
      
      Here the is the log showing memory leak.
      
      unreferenced object 0xffff8c5480483c80 (size 192):
        comm "kworker/0:2", pid 188, jiffies 4294695279 (age 53.179s)
        hex dump (first 32 bytes):
          00 f0 ba 7b 54 8c ff ff 00 00 00 00 00 00 00 00  ...{T...........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<000000005005c0d0>] kmem_cache_alloc_trace+0x195/0x2c0
          [<00000000a122baed>] nouveau_conn_reset+0x25/0xc0 [nouveau]
          [<000000004fd189a2>] nouveau_connector_create+0x3a7/0x610 [nouveau]
          [<00000000c73343a8>] nv50_display_create+0x343/0x980 [nouveau]
          [<000000002e2b03c3>] nouveau_display_create+0x51f/0x660 [nouveau]
          [<00000000c924699b>] nouveau_drm_device_init+0x182/0x7f0 [nouveau]
          [<00000000cc029436>] nouveau_drm_probe+0x20c/0x2c0 [nouveau]
          [<000000007e961c3e>] local_pci_probe+0x47/0xa0
          [<00000000da14d569>] work_for_cpu_fn+0x1a/0x30
          [<0000000028da4805>] process_one_work+0x27c/0x660
          [<000000001d415b04>] worker_thread+0x22b/0x3f0
          [<0000000003b69f1f>] kthread+0x12f/0x150
          [<00000000c94c29b7>] ret_from_fork+0x3a/0x50
      Signed-off-by: NYongxin Liu <yongxin.liu@windriver.com>
      Signed-off-by: NBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4c6500b5
    • Z
      x86, boot: Remove multiple copy of static function sanitize_boot_params() · 84ce0452
      Zhenzhong Duan 提交于
      [ Upstream commit 8c5477e8046ca139bac250386c08453da37ec1ae ]
      
      Kernel build warns:
       'sanitize_boot_params' defined but not used [-Wunused-function]
      
      at below files:
        arch/x86/boot/compressed/cmdline.c
        arch/x86/boot/compressed/error.c
        arch/x86/boot/compressed/early_serial_console.c
        arch/x86/boot/compressed/acpi.c
      
      That's becausethey each include misc.h which includes a definition of
      sanitize_boot_params() via bootparam_utils.h.
      
      Remove the inclusion from misc.h and have the c file including
      bootparam_utils.h directly.
      Signed-off-by: NZhenzhong Duan <zhenzhong.duan@oracle.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/1563283092-1189-1-git-send-email-zhenzhong.duan@oracle.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      84ce0452
    • J
      x86/paravirt: Fix callee-saved function ELF sizes · 740e0167
      Josh Poimboeuf 提交于
      [ Upstream commit 083db6764821996526970e42d09c1ab2f4155dd4 ]
      
      The __raw_callee_save_*() functions have an ELF symbol size of zero,
      which confuses objtool and other tools.
      
      Fixes a bunch of warnings like the following:
      
        arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pte_val() is missing an ELF size annotation
        arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_pgd_val() is missing an ELF size annotation
        arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pte() is missing an ELF size annotation
        arch/x86/xen/mmu_pv.o: warning: objtool: __raw_callee_save_xen_make_pgd() is missing an ELF size annotation
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/afa6d49bb07497ca62e4fc3b27a2d0cece545b4e.1563413318.git.jpoimboe@redhat.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      740e0167
    • J
      x86/kvm: Don't call kvm_spurious_fault() from .fixup · ba5c072f
      Josh Poimboeuf 提交于
      [ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ]
      
      After making a change to improve objtool's sibling call detection, it
      started showing the following warning:
      
        arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame
      
      The problem is the ____kvm_handle_fault_on_reboot() macro.  It does a
      fake call by pushing a fake RIP and doing a jump.  That tricks the
      unwinder into printing the function which triggered the exception,
      rather than the .fixup code.
      
      Instead of the hack to make it look like the original function made the
      call, just change the macro so that the original function actually does
      make the call.  This allows removal of the hack, and also makes objtool
      happy.
      
      I triggered a vmx instruction exception and verified that the stack
      trace is still sane:
      
        kernel BUG at arch/x86/kvm/x86.c:358!
        invalid opcode: 0000 [#1] SMP PTI
        CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16
        Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017
        RIP: 0010:kvm_spurious_fault+0x5/0x10
        Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
        RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246
        RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000
        RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0
        RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000
        R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0
        R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000
        FS:  00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        PKRU: 55555554
        Call Trace:
         loaded_vmcs_init+0x4f/0xe0
         alloc_loaded_vmcs+0x38/0xd0
         vmx_create_vcpu+0xf7/0x600
         kvm_vm_ioctl+0x5e9/0x980
         ? __switch_to_asm+0x40/0x70
         ? __switch_to_asm+0x34/0x70
         ? __switch_to_asm+0x40/0x70
         ? __switch_to_asm+0x34/0x70
         ? free_one_page+0x13f/0x4e0
         do_vfs_ioctl+0xa4/0x630
         ksys_ioctl+0x60/0x90
         __x64_sys_ioctl+0x16/0x20
         do_syscall_64+0x55/0x1c0
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7fa349b1ee5b
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Acked-by: NPaolo Bonzini <pbonzini@redhat.com>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      ba5c072f
    • Z
      xen/pv: Fix a boot up hang revealed by int3 self test · 11cb9f87
      Zhenzhong Duan 提交于
      [ Upstream commit b23e5844dfe78a80ba672793187d3f52e4b528d7 ]
      
      Commit 7457c0da024b ("x86/alternatives: Add int3_emulate_call()
      selftest") is used to ensure there is a gap setup in int3 exception stack
      which could be used for inserting call return address.
      
      This gap is missed in XEN PV int3 exception entry path, then below panic
      triggered:
      
      [    0.772876] general protection fault: 0000 [#1] SMP NOPTI
      [    0.772886] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.2.0+ #11
      [    0.772893] RIP: e030:int3_magic+0x0/0x7
      [    0.772905] RSP: 3507:ffffffff82203e98 EFLAGS: 00000246
      [    0.773334] Call Trace:
      [    0.773334]  alternative_instructions+0x3d/0x12e
      [    0.773334]  check_bugs+0x7c9/0x887
      [    0.773334]  ? __get_locked_pte+0x178/0x1f0
      [    0.773334]  start_kernel+0x4ff/0x535
      [    0.773334]  ? set_init_arg+0x55/0x55
      [    0.773334]  xen_start_kernel+0x571/0x57a
      
      For 64bit PV guests, Xen's ABI enters the kernel with using SYSRET, with
      %rcx/%r11 on the stack. To convert back to "normal" looking exceptions,
      the xen thunks do 'xen_*: pop %rcx; pop %r11; jmp *'.
      
      E.g. Extracting 'xen_pv_trap xenint3' we have:
      xen_xenint3:
       pop %rcx;
       pop %r11;
       jmp xenint3
      
      As xenint3 and int3 entry code are same except xenint3 doesn't generate
      a gap, we can fix it by using int3 and drop useless xenint3.
      Signed-off-by: NZhenzhong Duan <zhenzhong.duan@oracle.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Stefano Stabellini <sstabellini@kernel.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Andrew Cooper <andrew.cooper3@citrix.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      11cb9f87
    • P
      mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed · d3e36788
      Petr Machata 提交于
      [ Upstream commit dedfde2fe1c4ccf27179fcb234e2112d065c39bb ]
      
      Spectrum systems use DSCP rewrite map to update DSCP field in egressing
      packets to correspond to priority that the packet has. Whether rewriting
      will take place is determined at the point when the packet ingresses the
      switch: if the port is in Trust L3 mode, packet priority is determined from
      the DSCP map at the port, and DSCP rewrite will happen. If the port is in
      Trust L2 mode, 802.1p is used for packet prioritization, and no DSCP
      rewrite will happen.
      
      The driver determines the port trust mode based on whether any DSCP
      prioritization rules are in effect at given port. If there are any, trust
      level is L3, otherwise it's L2. When the last DSCP rule is removed, the
      port is switched to trust L2. Under that scenario, if DSCP of a packet
      should be rewritten, it should be rewritten to 0.
      
      However, when switching to Trust L2, the driver neglects to also update the
      DSCP rewrite map. The last DSCP rule thus remains in effect, and packets
      egressing through this port, if they have the right priority, will have
      their DSCP set according to this rule.
      
      Fix by first configuring the rewrite map, and only then switching to trust
      L2 and bailing out.
      
      Fixes: b2b1dab6 ("mlxsw: spectrum: Support ieee_setapp, ieee_delapp")
      Signed-off-by: NPetr Machata <petrm@mellanox.com>
      Reported-by: NAlex Veber <alexve@mellanox.com>
      Tested-by: NAlex Veber <alexve@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d3e36788
    • K
      ipc/mqueue.c: only perform resource calculation if user valid · 48c5c4f0
      Kees Cook 提交于
      [ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]
      
      Andreas Christoforou reported:
      
        UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
        9 * 2305843009213693951 cannot be represented in type 'long int'
        ...
        Call Trace:
          mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
          evict+0x472/0x8c0 fs/inode.c:558
          iput_final fs/inode.c:1547 [inline]
          iput+0x51d/0x8c0 fs/inode.c:1573
          mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
          mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
          vfs_mkobj+0x39e/0x580 fs/namei.c:2892
          prepare_open ipc/mqueue.c:731 [inline]
          do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
      
      Which could be triggered by:
      
              struct mq_attr attr = {
                      .mq_flags = 0,
                      .mq_maxmsg = 9,
                      .mq_msgsize = 0x1fffffffffffffff,
                      .mq_curmsgs = 0,
              };
      
              if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
                      perror("mq_open");
      
      mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
      preparing to return -EINVAL.  During the cleanup, it calls
      mqueue_evict_inode() which performed resource usage tracking math for
      updating "user", before checking if there was a valid "user" at all
      (which would indicate that the calculations would be sane).  Instead,
      delay this check to after seeing a valid "user".
      
      The overflow was real, but the results went unused, so while the flaw is
      harmless, it's noisy for kernel fuzzers, so just fix it by moving the
      calculation under the non-NULL "user" where it actually gets used.
      
      Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescookSigned-off-by: NKees Cook <keescook@chromium.org>
      Reported-by: NAndreas Christoforou <andreaschristofo@gmail.com>
      Acked-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      48c5c4f0
    • D
      drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings · f8731422
      Dan Carpenter 提交于
      [ Upstream commit 156e0b1a8112b76e351684ac948c59757037ac36 ]
      
      The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1
      characters.  But the problem here is that we don't ensure that the user
      put a NUL terminator on the end of the string.  It could lead to an out
      of bounds read.
      
      Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda
      Fixes: e8de3701 ("rapidio: add mport char device driver")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: NAlexandre Bounine <alex.bou9@gmail.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f8731422
    • M
      uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers · 35ee8b84
      Mikko Rapeli 提交于
      [ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ]
      
      Only users of upc_req in kernel side fs/coda/psdev.c and
      fs/coda/upcall.c already include linux/coda_psdev.h.
      
      Suggested by Jan Harkes <jaharkes@cs.cmu.edu> in
        https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/
      
      Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace:
      
        linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type
        struct list_head    uc_chain;
                         ^
        linux/coda_psdev.h:13:2: error: unknown type name `caddr_t'
        caddr_t             uc_data;
        ^
        linux/coda_psdev.h:14:2: error: unknown type name `u_short'
        u_short             uc_flags;
        ^
        linux/coda_psdev.h:15:2: error: unknown type name `u_short'
        u_short             uc_inSize;  /* Size is at most 5000 bytes */
        ^
        linux/coda_psdev.h:16:2: error: unknown type name `u_short'
        u_short             uc_outSize;
        ^
        linux/coda_psdev.h:17:2: error: unknown type name `u_short'
        u_short             uc_opcode;  /* copied from data to save lookup */
        ^
        linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t'
        wait_queue_head_t   uc_sleep;   /* process' wait queue */
        ^
      
      Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.eduSigned-off-by: NMikko Rapeli <mikko.rapeli@iki.fi>
      Signed-off-by: NJan Harkes <jaharkes@cs.cmu.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Colin Ian King <colin.king@canonical.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Fabian Frederick <fabf@skynet.be>
      Cc: Sam Protsenko <semen.protsenko@linaro.org>
      Cc: Yann Droneaud <ydroneaud@opteya.com>
      Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      35ee8b84
    • S
      coda: fix build using bare-metal toolchain · dea2ee49
      Sam Protsenko 提交于
      [ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ]
      
      The kernel is self-contained project and can be built with bare-metal
      toolchain.  But bare-metal toolchain doesn't define __linux__.  Because
      of this u_quad_t type is not defined when using bare-metal toolchain and
      codafs build fails.  This patch fixes it by defining u_quad_t type
      unconditionally.
      
      Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.eduSigned-off-by: NSam Protsenko <semen.protsenko@linaro.org>
      Signed-off-by: NJan Harkes <jaharkes@cs.cmu.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Colin Ian King <colin.king@canonical.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Fabian Frederick <fabf@skynet.be>
      Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
      Cc: Yann Droneaud <ydroneaud@opteya.com>
      Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dea2ee49
    • Z
      coda: add error handling for fget · cf3ddc00
      Zhouyang Jia 提交于
      [ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ]
      
      When fget fails, the lack of error-handling code may cause unexpected
      results.
      
      This patch adds error-handling code after calling fget.
      
      Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.eduSigned-off-by: NZhouyang Jia <jiazhouyang09@gmail.com>
      Signed-off-by: NJan Harkes <jaharkes@cs.cmu.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Colin Ian King <colin.king@canonical.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Fabian Frederick <fabf@skynet.be>
      Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
      Cc: Sam Protsenko <semen.protsenko@linaro.org>
      Cc: Yann Droneaud <ydroneaud@opteya.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cf3ddc00
    • P
      lib/test_string.c: avoid masking memset16/32/64 failures · 93b83005
      Peter Rosin 提交于
      [ Upstream commit 33d6e0ff68af74be0c846c8e042e84a9a1a0561e ]
      
      If a memsetXX implementation is completely broken and fails in the first
      iteration, when i, j, and k are all zero, the failure is masked as zero
      is returned.  Failing in the first iteration is perhaps the most likely
      failure, so this makes the tests pretty much useless.  Avoid the
      situation by always setting a random unused bit in the result on
      failure.
      
      Link: http://lkml.kernel.org/r/20190506124634.6807-3-peda@axentia.se
      Fixes: 03270c13 ("lib/string.c: add testcases for memset16/32/64")
      Signed-off-by: NPeter Rosin <peda@axentia.se>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      93b83005
    • K
      lib/test_overflow.c: avoid tainting the kernel and fix wrap size · 8e087a2a
      Kees Cook 提交于
      [ Upstream commit 8e060c21ae2c265a2b596e9e7f9f97ec274151a4 ]
      
      This adds __GFP_NOWARN to the kmalloc()-portions of the overflow test to
      avoid tainting the kernel.  Additionally fixes up the math on wrap size
      to be architecture and page size agnostic.
      
      Link: http://lkml.kernel.org/r/201905282012.0A8767E24@keescook
      Fixes: ca90800a ("test_overflow: Add memory allocation overflow tests")
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Reported-by: NRandy Dunlap <rdunlap@infradead.org>
      Suggested-by: NRasmus Villemoes <linux@rasmusvillemoes.dk>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8e087a2a
    • D
      mm/cma.c: fail if fixed declaration can't be honored · 439c79ed
      Doug Berger 提交于
      [ Upstream commit c633324e311243586675e732249339685e5d6faa ]
      
      The description of cma_declare_contiguous() indicates that if the
      'fixed' argument is true the reserved contiguous area must be exactly at
      the address of the 'base' argument.
      
      However, the function currently allows the 'base', 'size', and 'limit'
      arguments to be silently adjusted to meet alignment constraints.  This
      commit enforces the documented behavior through explicit checks that
      return an error if the region does not fit within a specified region.
      
      Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
      Fixes: 5ea3b1b2 ("cma: add placement specifier for "cma=" kernel parameter")
      Signed-off-by: NDoug Berger <opendmb@gmail.com>
      Acked-by: NMichal Nazarewicz <mina86@mina86.com>
      Cc: Yue Hu <huyue2@yulong.com>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Peng Fan <peng.fan@nxp.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      439c79ed
    • A
      x86: math-emu: Hide clang warnings for 16-bit overflow · 1b84e674
      Arnd Bergmann 提交于
      [ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ]
      
      clang warns about a few parts of the math-emu implementation
      where a 16-bit integer becomes negative during assignment:
      
      arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion]
                                            (0x41 + EXTENDED_Ebias) | SIGN_Negative);
                                            ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
      arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16'
       #define setexponent16(x,y)  { (*(short *)&((x)->exp)) = (y); }
                                                            ~  ^
      arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion]
      FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66,
                                     ^~~~~~~~~~~~~~~~~~
      arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
                      ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
                       ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
      arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion]
      FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000);
                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG'
                      ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
                       ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
      
      The code is correct as is, so add a typecast to shut up the warnings.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.deSigned-off-by: NSasha Levin <sashal@kernel.org>
      1b84e674
    • Q
      x86/apic: Silence -Wtype-limits compiler warnings · 242666b2
      Qian Cai 提交于
      [ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ]
      
      There are many compiler warnings like this,
      
      In file included from ./arch/x86/include/asm/smp.h:13,
                       from ./arch/x86/include/asm/mmzone_64.h:11,
                       from ./arch/x86/include/asm/mmzone.h:5,
                       from ./include/linux/mmzone.h:969,
                       from ./include/linux/gfp.h:6,
                       from ./include/linux/mm.h:10,
                       from arch/x86/kernel/apic/io_apic.c:34:
      arch/x86/kernel/apic/io_apic.c: In function 'check_timer':
      ./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
      expression >= 0 is always true [-Wtype-limits]
         if ((v) <= apic_verbosity) \
                 ^~
      arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro
      'apic_printk'
        apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X "
        ^~~~~~~~~~~
      ./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned
      expression >= 0 is always true [-Wtype-limits]
         if ((v) <= apic_verbosity) \
                 ^~
      arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro
      'apic_printk'
          apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: "
          ^~~~~~~~~~~
      
      APIC_QUIET is 0, so silence them by making apic_verbosity type int.
      Signed-off-by: NQian Cai <cai@lca.pw>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pwSigned-off-by: NSasha Levin <sashal@kernel.org>
      242666b2
    • B
      be2net: Signal that the device cannot transmit during reconfiguration · ade866ad
      Benjamin Poirier 提交于
      [ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
      
      While changing the number of interrupt channels, be2net stops adapter
      operation (including netif_tx_disable()) but it doesn't signal that it
      cannot transmit. This may lead dev_watchdog() to falsely trigger during
      that time.
      
      Add the missing call to netif_carrier_off(), following the pattern used in
      many other drivers. netif_carrier_on() is already taken care of in
      be_open().
      Signed-off-by: NBenjamin Poirier <bpoirier@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ade866ad
    • A
      ACPI: fix false-positive -Wuninitialized warning · c0cca0e9
      Arnd Bergmann 提交于
      [ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ]
      
      clang gets confused by an uninitialized variable in what looks
      to it like a never executed code path:
      
      arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized]
              polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
                         ^~~~~~~~
      arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning
              int rc, irq, trigger, polarity;
                                            ^
                                             = 0
      arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized]
              trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
                        ^~~~~~~
      arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning
              int rc, irq, trigger, polarity;
                                  ^
                                   = 0
      
      This is unfortunately a design decision in clang and won't be fixed.
      
      Changing the acpi_get_override_irq() macro to an inline function
      reliably avoids the issue.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c0cca0e9
    • A
      x86: kvm: avoid constant-conversion warning · 80f58147
      Arnd Bergmann 提交于
      [ Upstream commit a6a6d3b1f867d34ba5bd61aa7bb056b48ca67cff ]
      
      clang finds a contruct suspicious that converts an unsigned
      character to a signed integer and back, causing an overflow:
      
      arch/x86/kvm/mmu.c:4605:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -205 to 51 [-Werror,-Wconstant-conversion]
                      u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
                         ~~                               ^~
      arch/x86/kvm/mmu.c:4607:38: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -241 to 15 [-Werror,-Wconstant-conversion]
                      u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
                         ~~                              ^~
      arch/x86/kvm/mmu.c:4609:39: error: implicit conversion from 'int' to 'u8' (aka 'unsigned char') changes value from -171 to 85 [-Werror,-Wconstant-conversion]
                      u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
                         ~~                               ^~
      
      Add an explicit cast to tell clang that everything works as
      intended here.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Link: https://github.com/ClangBuiltLinux/linux/issues/95Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      80f58147
    • R
      perf version: Fix segfault due to missing OPT_END() · d60e8c0c
      Ravi Bangoria 提交于
      [ Upstream commit 916c31fff946fae0e05862f9b2435fdb29fd5090 ]
      
      'perf version' on powerpc segfaults when used with non-supported
      option:
        # perf version -a
        Segmentation fault (core dumped)
      
      Fix this.
      Signed-off-by: NRavi Bangoria <ravi.bangoria@linux.ibm.com>
      Reviewed-by: NKamalesh Babulal <kamalesh@linux.vnet.ibm.com>
      Tested-by: NMamatha Inamdar <mamatha4@linux.vnet.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
      Link: http://lkml.kernel.org/r/20190611030109.20228-1-ravi.bangoria@linux.ibm.comSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d60e8c0c
    • B
      scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized · abfe761a
      Benjamin Block 提交于
      [ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ]
      
      GCC v9 emits this warning:
            CC      drivers/s390/scsi/zfcp_erp.o
          drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue':
          drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized]
            217 |  struct zfcp_erp_action *erp_action;
                |                          ^~~~~~~~~~
      
      This is a possible false positive case, as also documented in the GCC
      documentations:
          https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized
      
      The actual code-sequence is like this:
          Various callers can invoke the function below with the argument "want"
          being one of:
          ZFCP_ERP_ACTION_REOPEN_ADAPTER,
          ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
          ZFCP_ERP_ACTION_REOPEN_PORT, or
          ZFCP_ERP_ACTION_REOPEN_LUN.
      
          zfcp_erp_action_enqueue(want, ...)
              ...
              need = zfcp_erp_required_act(want, ...)
                  need = want
                  ...
                  maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT
                  maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER
                  ...
                  return need
              ...
              zfcp_erp_setup_act(need, ...)
                  struct zfcp_erp_action *erp_action; // <== line 217
                  ...
                  switch(need) {
                  case ZFCP_ERP_ACTION_REOPEN_LUN:
                          ...
                          erp_action = &zfcp_sdev->erp_action;
                          WARN_ON_ONCE(erp_action->port != port); // <== access
                          ...
                          break;
                  case ZFCP_ERP_ACTION_REOPEN_PORT:
                  case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
                          ...
                          erp_action = &port->erp_action;
                          WARN_ON_ONCE(erp_action->port != port); // <== access
                          ...
                          break;
                  case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
                          ...
                          erp_action = &adapter->erp_action;
                          WARN_ON_ONCE(erp_action->port != NULL); // <== access
                          ...
                          break;
                  }
                  ...
                  WARN_ON_ONCE(erp_action->adapter != adapter); // <== access
      
      When zfcp_erp_setup_act() is called, 'need' will never be anything else
      than one of the 4 possible enumeration-names that are used in the
      switch-case, and 'erp_action' is initialized for every one of them, before
      it is used. Thus the warning is a false positive, as documented.
      
      We introduce the extra if{} in the beginning to create an extra code-flow,
      so the compiler can be convinced that the switch-case will never see any
      other value.
      
      BUG_ON()/BUG() is intentionally not used to not crash anything, should
      this ever happen anyway - right now it's impossible, as argued above; and
      it doesn't introduce a 'default:' switch-case to retain warnings should
      'enum zfcp_erp_act_type' ever be extended and no explicit case be
      introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old
      default switch case which might paper over missing case").
      Signed-off-by: NBenjamin Block <bblock@linux.ibm.com>
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Reviewed-by: NSteffen Maier <maier@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      abfe761a
    • A
      ACPI: blacklist: fix clang warning for unused DMI table · d5568763
      Arnd Bergmann 提交于
      [ Upstream commit b80d6a42bdc97bdb6139107d6034222e9843c6e2 ]
      
      When CONFIG_DMI is disabled, we only have a tentative declaration,
      which causes a warning from clang:
      
      drivers/acpi/blacklist.c:20:35: error: tentative array definition assumed to have one element [-Werror]
      static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
      
      As the variable is not actually used here, hide it entirely
      in an #ifdef to shut up the warning.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d5568763
    • J
      ceph: return -ERANGE if virtual xattr value didn't fit in buffer · c47e2552
      Jeff Layton 提交于
      [ Upstream commit 3b421018f48c482bdc9650f894aa1747cf90e51d ]
      
      The getxattr manpage states that we should return ERANGE if the
      destination buffer size is too small to hold the value.
      ceph_vxattrcb_layout does this internally, but we should be doing
      this for all vxattrs.
      
      Fix the only caller of getxattr_cb to check the returned size
      against the buffer length and return -ERANGE if it doesn't fit.
      Drop the same check in ceph_vxattrcb_layout and just rely on the
      caller to handle it.
      Signed-off-by: NJeff Layton <jlayton@kernel.org>
      Reviewed-by: N"Yan, Zheng" <zyan@redhat.com>
      Acked-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c47e2552
    • A
      ceph: fix improper use of smp_mb__before_atomic() · b39c377e
      Andrea Parri 提交于
      [ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ]
      
      This barrier only applies to the read-modify-write operations; in
      particular, it does not apply to the atomic64_set() primitive.
      
      Replace the barrier with an smp_mb().
      
      Fixes: fdd4e158 ("ceph: rework dcache readdir")
      Reported-by: N"Paul E. McKenney" <paulmck@linux.ibm.com>
      Reported-by: NPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: NAndrea Parri <andrea.parri@amarulasolutions.com>
      Reviewed-by: N"Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b39c377e
    • R
      cifs: Fix a race condition with cifs_echo_request · d29fbf67
      Ronnie Sahlberg 提交于
      [ Upstream commit f2caf901c1b7ce65f9e6aef4217e3241039db768 ]
      
      There is a race condition with how we send (or supress and don't send)
      smb echos that will cause the client to incorrectly think the
      server is unresponsive and thus needs to be reconnected.
      
      Summary of the race condition:
       1) Daisy chaining scheduling creates a gap.
       2) If traffic comes unfortunate shortly after
          the last echo, the planned echo is suppressed.
       3) Due to the gap, the next echo transmission is delayed
          until after the timeout, which is set hard to twice
          the echo interval.
      
      This is fixed by changing the timeouts from 2 to three times the echo interval.
      
      Detailed description of the bug: https://lutz.donnerhacke.de/eng/Blog/Groundhog-Day-with-SMB-remountSigned-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d29fbf67
    • Q
      btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit() · f96c70fa
      Qu Wenruo 提交于
      [ Upstream commit e88439debd0a7f969b3ddba6f147152cd0732676 ]
      
      [BUG]
      Lockdep will report the following circular locking dependency:
      
        WARNING: possible circular locking dependency detected
        5.2.0-rc2-custom #24 Tainted: G           O
        ------------------------------------------------------
        btrfs/8631 is trying to acquire lock:
        000000002536438c (&fs_info->qgroup_ioctl_lock#2){+.+.}, at: btrfs_qgroup_inherit+0x40/0x620 [btrfs]
      
        but task is already holding lock:
        000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
      
        which lock already depends on the new lock.
      
        the existing dependency chain (in reverse order) is:
      
        -> #2 (&fs_info->tree_log_mutex){+.+.}:
               __mutex_lock+0x76/0x940
               mutex_lock_nested+0x1b/0x20
               btrfs_commit_transaction+0x475/0xa00 [btrfs]
               btrfs_commit_super+0x71/0x80 [btrfs]
               close_ctree+0x2bd/0x320 [btrfs]
               btrfs_put_super+0x15/0x20 [btrfs]
               generic_shutdown_super+0x72/0x110
               kill_anon_super+0x18/0x30
               btrfs_kill_super+0x16/0xa0 [btrfs]
               deactivate_locked_super+0x3a/0x80
               deactivate_super+0x51/0x60
               cleanup_mnt+0x3f/0x80
               __cleanup_mnt+0x12/0x20
               task_work_run+0x94/0xb0
               exit_to_usermode_loop+0xd8/0xe0
               do_syscall_64+0x210/0x240
               entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        -> #1 (&fs_info->reloc_mutex){+.+.}:
               __mutex_lock+0x76/0x940
               mutex_lock_nested+0x1b/0x20
               btrfs_commit_transaction+0x40d/0xa00 [btrfs]
               btrfs_quota_enable+0x2da/0x730 [btrfs]
               btrfs_ioctl+0x2691/0x2b40 [btrfs]
               do_vfs_ioctl+0xa9/0x6d0
               ksys_ioctl+0x67/0x90
               __x64_sys_ioctl+0x1a/0x20
               do_syscall_64+0x65/0x240
               entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        -> #0 (&fs_info->qgroup_ioctl_lock#2){+.+.}:
               lock_acquire+0xa7/0x190
               __mutex_lock+0x76/0x940
               mutex_lock_nested+0x1b/0x20
               btrfs_qgroup_inherit+0x40/0x620 [btrfs]
               create_pending_snapshot+0x9d7/0xe60 [btrfs]
               create_pending_snapshots+0x94/0xb0 [btrfs]
               btrfs_commit_transaction+0x415/0xa00 [btrfs]
               btrfs_mksubvol+0x496/0x4e0 [btrfs]
               btrfs_ioctl_snap_create_transid+0x174/0x180 [btrfs]
               btrfs_ioctl_snap_create_v2+0x11c/0x180 [btrfs]
               btrfs_ioctl+0xa90/0x2b40 [btrfs]
               do_vfs_ioctl+0xa9/0x6d0
               ksys_ioctl+0x67/0x90
               __x64_sys_ioctl+0x1a/0x20
               do_syscall_64+0x65/0x240
               entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        other info that might help us debug this:
      
        Chain exists of:
          &fs_info->qgroup_ioctl_lock#2 --> &fs_info->reloc_mutex --> &fs_info->tree_log_mutex
      
         Possible unsafe locking scenario:
      
               CPU0                    CPU1
               ----                    ----
          lock(&fs_info->tree_log_mutex);
                                       lock(&fs_info->reloc_mutex);
                                       lock(&fs_info->tree_log_mutex);
          lock(&fs_info->qgroup_ioctl_lock#2);
      
         *** DEADLOCK ***
      
        6 locks held by btrfs/8631:
         #0: 00000000ed8f23f6 (sb_writers#12){.+.+}, at: mnt_want_write_file+0x28/0x60
         #1: 000000009fb1597a (&type->i_mutex_dir_key#10/1){+.+.}, at: btrfs_mksubvol+0x70/0x4e0 [btrfs]
         #2: 0000000088c5ad88 (&fs_info->subvol_sem){++++}, at: btrfs_mksubvol+0x128/0x4e0 [btrfs]
         #3: 000000009606fc3e (sb_internal#2){.+.+}, at: start_transaction+0x37a/0x520 [btrfs]
         #4: 00000000f82bbdf5 (&fs_info->reloc_mutex){+.+.}, at: btrfs_commit_transaction+0x40d/0xa00 [btrfs]
         #5: 000000003d52cc23 (&fs_info->tree_log_mutex){+.+.}, at: create_pending_snapshot+0x8b6/0xe60 [btrfs]
      
      [CAUSE]
      Due to the delayed subvolume creation, we need to call
      btrfs_qgroup_inherit() inside commit transaction code, with a lot of
      other mutex hold.
      This hell of lock chain can lead to above problem.
      
      [FIX]
      On the other hand, we don't really need to hold qgroup_ioctl_lock if
      we're in the context of create_pending_snapshot().
      As in that context, we're the only one being able to modify qgroup.
      
      All other qgroup functions which needs qgroup_ioctl_lock are either
      holding a transaction handle, or will start a new transaction:
        Functions will start a new transaction():
        * btrfs_quota_enable()
        * btrfs_quota_disable()
        Functions hold a transaction handler:
        * btrfs_add_qgroup_relation()
        * btrfs_del_qgroup_relation()
        * btrfs_create_qgroup()
        * btrfs_remove_qgroup()
        * btrfs_limit_qgroup()
        * btrfs_qgroup_inherit() call inside create_subvol()
      
      So we have a higher level protection provided by transaction, thus we
      don't need to always hold qgroup_ioctl_lock in btrfs_qgroup_inherit().
      
      Only the btrfs_qgroup_inherit() call in create_subvol() needs to hold
      qgroup_ioctl_lock, while the btrfs_qgroup_inherit() call in
      create_pending_snapshot() is already protected by transaction.
      
      So the fix is to detect the context by checking
      trans->transaction->state.
      If we're at TRANS_STATE_COMMIT_DOING, then we're in commit transaction
      context and no need to get the mutex.
      Reported-by: NNikolay Borisov <nborisov@suse.com>
      Signed-off-by: NQu Wenruo <wqu@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f96c70fa
    • D
      btrfs: fix minimum number of chunk errors for DUP · d9245dab
      David Sterba 提交于
      [ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
      
      The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
      DUP able to tolerate 1 device missing. Though this profile is special
      with 2 copies, it still needs the device, unlike the others.
      
      Looking at the history of changes, thre's no clear reason why DUP is
      there, functions were refactored and blocks of code merged to one
      helper.
      
      d20983b4 Btrfs: fix writing data into the seed filesystem
        - factor code to a helper
      
      de11cc12 Btrfs: don't pre-allocate btrfs bio
        - unrelated change, DUP still in the list with max errors 1
      
      a236aed1 Btrfs: Deal with failed writes in mirrored configurations
        - introduced the max errors, leaves DUP and RAID1 in the same group
      Reviewed-by: NQu Wenruo <wqu@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d9245dab
    • C
      clk: sprd: Add check for return value of sprd_clk_regmap_init() · e7fcc587
      Chunyan Zhang 提交于
      [ Upstream commit c974c48deeb969c5e4250e4f06af91edd84b1f10 ]
      
      sprd_clk_regmap_init() doesn't always return success, adding check
      for its return value should make the code more strong.
      Signed-off-by: NChunyan Zhang <zhang.chunyan@linaro.org>
      Reviewed-by: NBaolin Wang <baolin.wang@linaro.org>
      [sboyd@kernel.org: Add a missing int ret]
      Signed-off-by: NStephen Boyd <sboyd@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e7fcc587
    • R
      fs/adfs: super: fix use-after-free bug · a093208b
      Russell King 提交于
      [ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
      
      Fix a use-after-free bug during filesystem initialisation, where we
      access the disc record (which is stored in a buffer) after we have
      released the buffer.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a093208b
    • J
      clk: tegra210: fix PLLU and PLLU_OUT1 · 85d854b4
      JC Kuo 提交于
      [ Upstream commit 0d34dfbf3023cf119b83f6470692c0b10c832495 ]
      
      Full-speed and low-speed USB devices do not work with Tegra210
      platforms because of incorrect PLLU/PLLU_OUT1 clock settings.
      
      When full-speed device is connected:
      [   14.059886] usb 1-3: new full-speed USB device number 2 using tegra-xusb
      [   14.196295] usb 1-3: device descriptor read/64, error -71
      [   14.436311] usb 1-3: device descriptor read/64, error -71
      [   14.675749] usb 1-3: new full-speed USB device number 3 using tegra-xusb
      [   14.812335] usb 1-3: device descriptor read/64, error -71
      [   15.052316] usb 1-3: device descriptor read/64, error -71
      [   15.164799] usb usb1-port3: attempt power cycle
      
      When low-speed device is connected:
      [   37.610949] usb usb1-port3: Cannot enable. Maybe the USB cable is bad?
      [   38.557376] usb usb1-port3: Cannot enable. Maybe the USB cable is bad?
      [   38.564977] usb usb1-port3: attempt power cycle
      
      This commit fixes the issue by:
       1. initializing PLLU_OUT1 before initializing XUSB_FS_SRC clock
          because PLLU_OUT1 is parent of XUSB_FS_SRC.
       2. changing PLLU post-divider to /2 (DIVP=1) according to Technical
          Reference Manual.
      
      Fixes: e745f992 ("clk: tegra: Rework pll_u")
      Signed-off-by: NJC Kuo <jckuo@nvidia.com>
      Acked-By: NPeter De Schrijver <pdeschrijver@nvidia.com>
      Signed-off-by: NStephen Boyd <sboyd@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      85d854b4
    • G
      dmaengine: rcar-dmac: Reject zero-length slave DMA requests · cf0fcc7f
      Geert Uytterhoeven 提交于
      [ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
      
      While the .device_prep_slave_sg() callback rejects empty scatterlists,
      it still accepts single-entry scatterlists with a zero-length segment.
      These may happen if a driver calls dmaengine_prep_slave_single() with a
      zero len parameter.  The corresponding DMA request will never complete,
      leading to messages like:
      
          rcar-dmac e7300000.dma-controller: Channel Address Error happen
      
      and DMA timeouts.
      
      Although requesting a zero-length DMA request is a driver bug, rejecting
      it early eases debugging.  Note that the .device_prep_dma_memcpy()
      callback already rejects requests to copy zero bytes.
      Reported-by: NEugeniu Rosca <erosca@de.adit-jv.com>
      Analyzed-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cf0fcc7f
    • P
      MIPS: lantiq: Fix bitfield masking · a3524486
      Petr Cvek 提交于
      [ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
      
      The modification of EXIN register doesn't clean the bitfield before
      the writing of a new value. After a few modifications the bitfield would
      accumulate only '1's.
      Signed-off-by: NPetr Cvek <petrcvekcz@gmail.com>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: hauke@hauke-m.de
      Cc: john@phrozen.org
      Cc: linux-mips@vger.kernel.org
      Cc: openwrt-devel@lists.openwrt.org
      Cc: pakahmar@hotmail.com
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a3524486
    • J
      firmware/psci: psci_checker: Park kthreads before stopping them · cdee3f53
      Jean-Philippe Brucker 提交于
      [ Upstream commit 92e074acf6f7694e96204265eb18ac113f546e80 ]
      
      Since commit 85f1abe0 ("kthread, sched/wait: Fix kthread_parkme()
      completion issue"), kthreads that are bound to a CPU must be parked
      before being stopped. At the moment the PSCI checker calls
      kthread_stop() directly on the suspend kthread, which triggers the
      following warning:
      
      [    6.068288] WARNING: CPU: 1 PID: 1 at kernel/kthread.c:398 __kthread_bind_mask+0x20/0x78
                     ...
      [    6.190151] Call trace:
      [    6.192566]  __kthread_bind_mask+0x20/0x78
      [    6.196615]  kthread_unpark+0x74/0x80
      [    6.200235]  kthread_stop+0x44/0x1d8
      [    6.203769]  psci_checker+0x3bc/0x484
      [    6.207389]  do_one_initcall+0x48/0x260
      [    6.211180]  kernel_init_freeable+0x2c8/0x368
      [    6.215488]  kernel_init+0x10/0x100
      [    6.218935]  ret_from_fork+0x10/0x1c
      [    6.222467] ---[ end trace e05e22863d043cd3 ]---
      
      kthread_unpark() tries to bind the thread to its CPU and aborts with a
      WARN() if the thread wasn't in TASK_PARKED state. Park the kthreads
      before stopping them.
      
      Fixes: 85f1abe0 ("kthread, sched/wait: Fix kthread_parkme() completion issue")
      Signed-off-by: NJean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Reviewed-by: NSudeep Holla <sudeep.holla@arm.com>
      Acked-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: NOlof Johansson <olof@lixom.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cdee3f53
    • P
      kernel/module.c: Only return -EEXIST for modules that have finished loading · 09ec6c67
      Prarit Bhargava 提交于
      [ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
      
      Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
      linux guests boot with repeated errors:
      
      amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
      amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
      amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
      amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
      amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
      amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
      
      The warnings occur because the module code erroneously returns -EEXIST
      for modules that have failed to load and are in the process of being
      removed from the module list.
      
      module amd64_edac_mod has a dependency on module edac_mce_amd.  Using
      modules.dep, systemd will load edac_mce_amd for every request of
      amd64_edac_mod.  When the edac_mce_amd module loads, the module has
      state MODULE_STATE_UNFORMED and once the module load fails and the state
      becomes MODULE_STATE_GOING.  Another request for edac_mce_amd module
      executes and add_unformed_module() will erroneously return -EEXIST even
      though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
      Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
      fails because of unknown symbols from edac_mce_amd.
      
      add_unformed_module() must wait to return for any case other than
      MODULE_STATE_LIVE to prevent a race between multiple loads of
      dependent modules.
      Signed-off-by: NPrarit Bhargava <prarit@redhat.com>
      Signed-off-by: NBarret Rhoden <brho@google.com>
      Cc: David Arcari <darcari@redhat.com>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: NJessica Yu <jeyu@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      09ec6c67
    • H
      arm64: dts: rockchip: fix isp iommu clocks and power domain · fd53e45a
      Helen Koike 提交于
      [ Upstream commit c432a29d3fc9ee928caeca2f5cf68b3aebfa6817 ]
      
      isp iommu requires wrapper variants of the clocks.
      noc variants are always on and using the wrapper variants will activate
      {A,H}CLK_ISP{0,1} due to the hierarchy.
      
      Tested using the pending isp patch set (which is not upstream
      yet). Without this patch, streaming from the isp stalls.
      
      Also add the respective power domain and remove the "disabled" status.
      
      Refer:
       RK3399 TRM v1.4 Fig. 2-4 RK3399 Clock Architecture Diagram
       RK3399 TRM v1.4 Fig. 8-1 RK3399 Power Domain Partition
      Signed-off-by: NHelen Koike <helen.koike@collabora.com>
      Tested-by: NManivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fd53e45a
    • D
      dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset · d8388cbd
      Dmitry Osipenko 提交于
      [ Upstream commit dc161064beb83c668e0f85766b92b1e7ed186e58 ]
      
      Apparently driver was never tested with DMA_PREP_INTERRUPT flag being
      unset since it completely disables interrupt handling instead of skipping
      the callbacks invocations, hence putting channel into unusable state.
      
      The flag is always set by all of kernel drivers that use APB DMA, so let's
      error out in otherwise case for consistency. It won't be difficult to
      support that case properly if ever will be needed.
      Signed-off-by: NDmitry Osipenko <digetx@gmail.com>
      Acked-by: NJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d8388cbd
    • C
      ftrace: Enable trampoline when rec count returns back to one · f486088d
      Cheng Jian 提交于
      [ Upstream commit a124692b698b00026a58d89831ceda2331b2e1d0 ]
      
      Custom trampolines can only be enabled if there is only a single ops
      attached to it. If there's only a single callback registered to a function,
      and the ops has a trampoline registered for it, then we can call the
      trampoline directly. This is very useful for improving the performance of
      ftrace and livepatch.
      
      If more than one callback is registered to a function, the general
      trampoline is used, and the custom trampoline is not restored back to the
      direct call even if all the other callbacks were unregistered and we are
      back to one callback for the function.
      
      To fix this, set FTRACE_FL_TRAMP flag if rec count is decremented
      to one, and the ops that left has a trampoline.
      
      Testing After this patch :
      
      insmod livepatch_unshare_files.ko
      cat /sys/kernel/debug/tracing/enabled_functions
      
      	unshare_files (1) R I	tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0
      
      echo unshare_files > /sys/kernel/debug/tracing/set_ftrace_filter
      echo function > /sys/kernel/debug/tracing/current_tracer
      cat /sys/kernel/debug/tracing/enabled_functions
      
      	unshare_files (2) R I ->ftrace_ops_list_func+0x0/0x150
      
      echo nop > /sys/kernel/debug/tracing/current_tracer
      cat /sys/kernel/debug/tracing/enabled_functions
      
      	unshare_files (1) R I	tramp: 0xffffffffc0000000(klp_ftrace_handler+0x0/0xa0) ->ftrace_ops_assist_func+0x0/0xf0
      
      Link: http://lkml.kernel.org/r/1556969979-111047-1-git-send-email-cj.chengjian@huawei.comSigned-off-by: NCheng Jian <cj.chengjian@huawei.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f486088d
    • D
      ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend · ea26b427
      Douglas Anderson 提交于
      [ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ]
      
      This is similar to commit e6186820 ("arm64: dts: rockchip: Arch
      counter doesn't tick in system suspend").  Specifically on the rk3288
      it can be seen that the timer stops ticking in suspend if we end up
      running through the "osc_disable" path in rk3288_slp_mode_set().  In
      that path the 24 MHz clock will turn off and the timer stops.
      
      To test this, I ran this on a Chrome OS filesystem:
        before=$(date); \
        suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \
        echo ${before}; date
      
      ...and I found that unless I plug in a device that requests USB wakeup
      to be active that the two calls to "date" would show that fewer than
      30 seconds passed.
      
      NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't
      supported yet on upstream Linux so this was tested on a downstream
      kernel.
      Signed-off-by: NDouglas Anderson <dianders@chromium.org>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ea26b427
    • D
      ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again · 22befe67
      Douglas Anderson 提交于
      [ Upstream commit 99fa066710f75f18f4d9a5bc5f6a711968a581d5 ]
      
      When I try to boot rk3288-veyron-mickey I totally fail to make the
      eMMC work.  Specifically my logs (on Chrome OS 4.19):
      
        mmc_host mmc1: card is non-removable.
        mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
        mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
        mmc1: switch to bus width 8 failed
        mmc1: switch to bus width 4 failed
        mmc1: new high speed MMC card at address 0001
        mmcblk1: mmc1:0001 HAG2e 14.7 GiB
        mmcblk1boot0: mmc1:0001 HAG2e partition 1 4.00 MiB
        mmcblk1boot1: mmc1:0001 HAG2e partition 2 4.00 MiB
        mmcblk1rpmb: mmc1:0001 HAG2e partition 3 4.00 MiB, chardev (243:0)
        mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz, actual 400000HZ div = 0)
        mmc_host mmc1: Bus speed (slot 0) = 50000000Hz (slot req 52000000Hz, actual 50000000HZ div = 0)
        mmc1: switch to bus width 8 failed
        mmc1: switch to bus width 4 failed
        mmc1: tried to HW reset card, got error -110
        mmcblk1: error -110 requesting status
        mmcblk1: recovery failed!
        print_req_error: I/O error, dev mmcblk1, sector 0
        ...
      
      When I remove the '/delete-property/mmc-hs200-1_8v' then everything is
      hunky dory.
      
      That line comes from the original submission of the mickey dts
      upstream, so presumably at the time the HS200 was failing and just
      enumerating things as a high speed device was fine.  ...or maybe it's
      just that some mickey devices work when enumerating at "high speed",
      just not mine?
      
      In any case, hs200 seems good now.  Let's turn it on.
      Signed-off-by: NDouglas Anderson <dianders@chromium.org>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      22befe67