1. 31 5月, 2019 40 次提交
    • K
      thunderbolt: property: Fix a NULL pointer dereference · 495e34e6
      Kangjie Lu 提交于
      [ Upstream commit 106204b56f60abf1bead7dceb88f2be3e34433da ]
      
      In case kzalloc fails, the fix releases resources and returns
      -ENOMEM to avoid the NULL pointer dereference.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      495e34e6
    • D
      drm/amd/display: fix releasing planes when exiting odm · 70611b1b
      Dmytro Laktyushkin 提交于
      [ Upstream commit bc2193992b00488f5734613ac95b78ef2d2803ab ]
      
      Releasing planes should not release the 2nd odm pipe right away,
      this change leaves us with 2 pipes with null planes and same stream
      when planes are released during odm.
      Signed-off-by: NDmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
      Reviewed-by: NTony Cheng <Tony.Cheng@amd.com>
      Acked-by: NBhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      70611b1b
    • A
      thunderbolt: Fix to check for kmemdup failure · 988dab7f
      Aditya Pakki 提交于
      [ Upstream commit 2cc12751cf464a722ff57b54d17d30c84553f9c0 ]
      
      Memory allocated via kmemdup might fail and return a NULL pointer.
      This patch adds a check on the return value of kmemdup and passes the
      error upstream.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      988dab7f
    • A
      thunderbolt: Fix to check return value of ida_simple_get · 877a202f
      Aditya Pakki 提交于
      [ Upstream commit 9aabb68568b473bf2f0b179d053b403961e42e4d ]
      
      In enumerate_services, ida_simple_get on failure can return an error and
      leaks memory. The patch ensures that the dev_set_name is set on non
      failure cases, and releases memory during failure.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      877a202f
    • R
      hwrng: omap - Set default quality · b9291078
      Rouven Czerwinski 提交于
      [ Upstream commit 62f95ae805fa9e1e84d47d3219adddd97b2654b7 ]
      
      Newer combinations of the glibc, kernel and openssh can result in long initial
      startup times on OMAP devices:
      
      [    6.671425] systemd-rc-once[102]: Creating ED25519 key; this may take some time ...
      [  142.652491] systemd-rc-once[102]: Creating ED25519 key; done.
      
      due to the blocking getrandom(2) system call:
      
      [  142.610335] random: crng init done
      
      Set the quality level for the omap hwrng driver allowing the kernel to use the
      hwrng as an entropy source at boot.
      Signed-off-by: NRouven Czerwinski <r.czerwinski@pengutronix.de>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b9291078
    • S
      dmaengine: tegra210-adma: use devm_clk_*() helpers · 6b2d1934
      Sameer Pujar 提交于
      [ Upstream commit f6ed6491d565c336a360471e0c29228e34f4380e ]
      
      adma driver is using pm_clk_*() interface for managing clock resources.
      With this it is observed that clocks remain ON always. This happens on
      Tegra devices which use BPMP co-processor to manage clock resources,
      where clocks are enabled during prepare phase. This is necessary because
      clocks to BPMP are always blocking. When pm_clk_*() interface is used on
      such Tegra devices, clock prepare count is not balanced till remove call
      happens for the driver and hence clocks are seen ON always. Thus this
      patch replaces pm_clk_*() with devm_clk_*() framework.
      Suggested-by: NMohan Kumar D <mkumard@nvidia.com>
      Reviewed-by: NJonathan Hunter <jonathanh@nvidia.com>
      Signed-off-by: NSameer Pujar <spujar@nvidia.com>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6b2d1934
    • L
      batman-adv: allow updating DAT entry timeouts on incoming ARP Replies · 25204fe6
      Linus Lüssing 提交于
      [ Upstream commit 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 ]
      
      Currently incoming ARP Replies, for example via a DHT-PUT message, do
      not update the timeout for an already existing DAT entry. These ARP
      Replies are dropped instead.
      
      This however defeats the purpose of the DHCPACK snooping, for instance.
      Right now, a DAT entry in the DHT will be purged every five minutes,
      likely leading to a mesh-wide ARP Request broadcast after this timeout.
      Which then recreates the entry. The idea of the DHCPACK snooping is to
      be able to update an entry before a timeout happens, to avoid ARP Request
      flooding.
      
      This patch fixes this issue by updating a DAT entry on incoming
      ARP Replies even if a matching DAT entry already exists. While still
      filtering the ARP Reply towards the soft-interface, to avoid duplicate
      messages on the client device side.
      Signed-off-by: NLinus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: NAntonio Quartulli <a@unstable.cc>
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      25204fe6
    • A
      selinux: avoid uninitialized variable warning · a2ace9b2
      Arnd Bergmann 提交于
      [ Upstream commit 98bbbb76f2edcfb8fb2b8f4b3ccc7b6e99d64bd8 ]
      
      clang correctly points out a code path that would lead
      to an uninitialized variable use:
      
      security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false
            [-Werror,-Wsometimes-uninitialized]
              if (ip_hdr(skb)->version == 4) {
                  ^~~~~~~~~~~~~~~~~~~~~~~~~
      security/selinux/netlabel.c:322:40: note: uninitialized use occurs here
              rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
                                                    ^~~~
      security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true
              if (ip_hdr(skb)->version == 4) {
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning
              struct sockaddr *addr;
                                   ^
                                    = NULL
      
      This is probably harmless since we should not see ipv6 packets
      of CONFIG_IPV6 is disabled, but it's better to rearrange the code
      so this cannot happen.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      [PM: removed old patchwork link, fixed checkpatch.pl style errors]
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a2ace9b2
    • A
      scsi: lpfc: avoid uninitialized variable warning · c7595096
      Arnd Bergmann 提交于
      [ Upstream commit faf5a744f4f8d76e7c03912b5cd381ac8045f6ec ]
      
      clang -Wuninitialized incorrectly sees a variable being used without
      initialization:
      
      drivers/scsi/lpfc/lpfc_nvme.c:2102:37: error: variable 'localport' is uninitialized when used here
            [-Werror,-Wuninitialized]
                      lport = (struct lpfc_nvme_lport *)localport->private;
                                                        ^~~~~~~~~
      drivers/scsi/lpfc/lpfc_nvme.c:2059:38: note: initialize the variable 'localport' to silence this warning
              struct nvme_fc_local_port *localport;
                                                  ^
                                                   = NULL
      1 error generated.
      
      This is clearly in dead code, as the condition leading up to it is always
      false when CONFIG_NVME_FC is disabled, and the variable is always
      initialized when nvme_fc_register_localport() got called successfully.
      
      Change the preprocessor conditional to the equivalent C construct, which
      makes the code more readable and gets rid of the warning.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NJames Smart <james.smart@broadcom.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c7595096
    • A
      scsi: qla4xxx: avoid freeing unallocated dma memory · ac9149bc
      Arnd Bergmann 提交于
      [ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]
      
      Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
      memory in get_fw_boot_info() but attempt to free it anyway:
      
      drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
            [-Werror,-Wsometimes-uninitialized]
                      if (!(val & 0x07)) {
                          ^~~~~~~~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
              dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
                                                           ^~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
                      if (!(val & 0x07)) {
                      ^~~~~~~~~~~~~~~~~~~
      drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
              dma_addr_t buf_dma;
                                ^
                                 = 0
      
      Skip the call to dma_free_coherent() here.
      
      Fixes: 2a991c21 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ac9149bc
    • T
      usb: core: Add PM runtime calls to usb_hcd_platform_shutdown · 239156e0
      Tony Lindgren 提交于
      [ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]
      
      If ohci-platform is runtime suspended, we can currently get an "imprecise
      external abort" on reboot with ohci-platform loaded when PM runtime
      is implemented for the SoC.
      
      Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Acked-by: NAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      239156e0
    • P
      rcuperf: Fix cleanup path for invalid perf_type strings · 506b28fb
      Paul E. McKenney 提交于
      [ Upstream commit ad092c027713a68a34168942a5ef422e42e039f4 ]
      
      If the specified rcuperf.perf_type is not in the rcu_perf_init()
      function's perf_ops[] array, rcuperf prints some console messages and
      then invokes rcu_perf_cleanup() to set state so that a future torture
      test can run.  However, rcu_perf_cleanup() also attempts to end the
      test that didn't actually start, and in doing so relies on the value
      of cur_ops, a value that is not particularly relevant in this case.
      This can result in confusing output or even follow-on failures due to
      attempts to use facilities that have not been properly initialized.
      
      This commit therefore sets the value of cur_ops to NULL in this case and
      inserts a check near the beginning of rcu_perf_cleanup(), thus avoiding
      relying on an irrelevant cur_ops value.
      Signed-off-by: NPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      506b28fb
    • Y
      x86/mce: Handle varying MCA bank counts · 75a96196
      Yazen Ghannam 提交于
      [ Upstream commit 006c077041dc73b9490fffc4c6af5befe0687110 ]
      
      Linux reads MCG_CAP[Count] to find the number of MCA banks visible to a
      CPU. Currently, this number is the same for all CPUs and a warning is
      shown if there is a difference. The number of banks is overwritten with
      the MCG_CAP[Count] value of each following CPU that boots.
      
      According to the Intel SDM and AMD APM, the MCG_CAP[Count] value gives
      the number of banks that are available to a "processor implementation".
      The AMD BKDGs/PPRs further clarify that this value is per core. This
      value has historically been the same for every core in the system, but
      that is not an architectural requirement.
      
      Future AMD systems may have different MCG_CAP[Count] values per core,
      so the assumption that all CPUs will have the same MCG_CAP[Count] value
      will no longer be valid.
      
      Also, the first CPU to boot will allocate the struct mce_banks[] array
      using the number of banks based on its MCG_CAP[Count] value. The machine
      check handler and other functions use the global number of banks to
      iterate and index into the mce_banks[] array. So it's possible to use an
      out-of-bounds index on an asymmetric system where a following CPU sees a
      MCG_CAP[Count] value greater than its predecessors.
      
      Thus, allocate the mce_banks[] array to the maximum number of banks.
      This will avoid the potential out-of-bounds index since the value of
      mca_cfg.banks is capped to MAX_NR_BANKS.
      
      Set the value of mca_cfg.banks equal to the max of the previous value
      and the value for the current CPU. This way mca_cfg.banks will always
      represent the max number of banks detected on any CPU in the system.
      
      This will ensure that all CPUs will access all the banks that are
      visible to them. A CPU that can access fewer than the max number of
      banks will find the registers of the extra banks to be read-as-zero.
      
      Furthermore, print the resulting number of MCA banks in use. Do this in
      mcheck_late_init() so that the final value is printed after all CPUs
      have been initialized.
      
      Finally, get bank count from target CPU when doing injection with mce-inject
      module.
      
       [ bp: Remove out-of-bounds example, passify and cleanup commit message. ]
      Signed-off-by: NYazen Ghannam <yazen.ghannam@amd.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: Pu Wen <puwen@hygon.cn>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vishal Verma <vishal.l.verma@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20180727214009.78289-1-Yazen.Ghannam@amd.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      75a96196
    • P
      rcutorture: Fix cleanup path for invalid torture_type strings · aa7919e3
      Paul E. McKenney 提交于
      [ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ]
      
      If the specified rcutorture.torture_type is not in the rcu_torture_init()
      function's torture_ops[] array, rcutorture prints some console messages
      and then invokes rcu_torture_cleanup() to set state so that a future
      torture test can run.  However, rcu_torture_cleanup() also attempts to
      end the test that didn't actually start, and in doing so relies on the
      value of cur_ops, a value that is not particularly relevant in this case.
      This can result in confusing output or even follow-on failures due to
      attempts to use facilities that have not been properly initialized.
      
      This commit therefore sets the value of cur_ops to NULL in this case
      and inserts a check near the beginning of rcu_torture_cleanup(),
      thus avoiding relying on an irrelevant cur_ops value.
      Reported-by: Nkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: NPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      aa7919e3
    • T
      x86/mce: Fix machine_check_poll() tests for error types · 3d036cba
      Tony Luck 提交于
      [ Upstream commit f19501aa07f18268ab14f458b51c1c6b7f72a134 ]
      
      There has been a lurking "TBD" in the machine check poll routine ever
      since it was first split out from the machine check handler. The
      potential issue is that the poll routine may have just begun a read from
      the STATUS register in a machine check bank when the hardware logs an
      error in that bank and signals a machine check.
      
      That race used to be pretty small back when machine checks were
      broadcast, but the addition of local machine check means that the poll
      code could continue running and clear the error from the bank before the
      local machine check handler on another CPU gets around to reading it.
      
      Fix the code to be sure to only process errors that need to be processed
      in the poll code, leaving other logged errors alone for the machine
      check handler to find and process.
      
       [ bp: Massage a bit and flip the "== 0" check to the usual !(..) test. ]
      
      Fixes: b79109c3 ("x86, mce: separate correct machine check poller and fatal exception handler")
      Fixes: ed7290d0 ("x86, mce: implement new status bits")
      Reported-by: NAshok Raj <ashok.raj@intel.com>
      Signed-off-by: NTony Luck <tony.luck@intel.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
      Link: https://lkml.kernel.org/r/20190312170938.GA23035@agluck-deskSigned-off-by: NSasha Levin <sashal@kernel.org>
      3d036cba
    • L
      overflow: Fix -Wtype-limits compilation warnings · 3c2b1ae4
      Leon Romanovsky 提交于
      [ Upstream commit dc7fe518b0493faa0af0568d6d8c2a33c00f58d0 ]
      
      Attempt to use check_shl_overflow() with inputs of unsigned type
      produces the following compilation warnings.
      
      drivers/infiniband/hw/mlx5/qp.c: In function _set_user_rq_size_:
      ./include/linux/overflow.h:230:6: warning: comparison of unsigned
      expression >= 0 is always true [-Wtype-limits]
         _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0;  \
            ^~
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,
      &rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      ./include/linux/overflow.h:232:26: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
        (_to_shift != _s || *_d < 0 || _a < 0 ||   \
                                ^
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      ./include/linux/overflow.h:232:36: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
        (_to_shift != _s || *_d < 0 || _a < 0 ||   \
                                          ^
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,&rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      
      Fixes: 0c668477 ("overflow.h: Add arithmetic shift helper")
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Acked-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3c2b1ae4
    • K
      tty: ipwireless: fix missing checks for ioremap · 19ae270d
      Kangjie Lu 提交于
      [ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]
      
      ipw->attr_memory and ipw->common_memory are assigned with the
      return value of ioremap. ioremap may fail, but no checks
      are enforced. The fix inserts the checks to avoid potential
      NULL pointer dereferences.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      19ae270d
    • P
      virtio_console: initialize vtermno value for ports · 3392cc5f
      Pankaj Gupta 提交于
      [ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]
      
      For regular serial ports we do not initialize value of vtermno
      variable. A garbage value is assigned for non console ports.
      The value can be observed as a random integer with [1].
      
      [1] vim /sys/kernel/debug/virtio-ports/vport*p*
      
      This patch initialize the value of vtermno for console serial
      ports to '1' and regular serial ports are initiaized to '0'.
      
      Reported-by: siliu@redhat.com
      Signed-off-by: NPankaj Gupta <pagupta@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3392cc5f
    • C
      scsi: qedf: Add missing return in qedf_post_io_req() in the fcport offload check · e819d4a1
      Chad Dupuis 提交于
      [ Upstream commit c5e06ba2f76809ad1492fdad312e81335df46bc5 ]
      
      Fixes the following crash as the return was missing from the check if an
      fcport is offloaded. If we hit this code we continue to try to post an
      invalid task which can lead to the crash:
      
      [30259.616411] [0000:61:00.3]:[qedf_post_io_req:989]:3: Session not offloaded yet.
      [30259.616413] [0000:61:00.3]:[qedf_upload_connection:1340]:3: Uploading connection port_id=490020.
      [30259.623769] BUG: unable to handle kernel NULL pointer dereference at 0000000000000198
      [30259.631645] IP: [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.638816] PGD 0
      [30259.640841] Oops: 0000 [#1] SMP
      [30259.644098] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter vfat fat ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_umad dm_service_time skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel rpcrdma sunrpc rdma_ucm ib_uverbs lrw gf128mul ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi qedr(OE) glue_helper ablk_helper cryptd ib_core dm_round_robin joydev pcspkr ipmi_ssif ses enclosure ipmi_si ipmi_devintf ipmi_msghandler mei_me
      [30259.715529]  mei sg hpilo hpwdt shpchp wmi lpc_ich acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic uas usb_storage mgag200 qedf(OE) i2c_algo_bit libfcoe drm_kms_helper libfc syscopyarea sysfillrect scsi_transport_fc qede(OE) sysimgblt fb_sys_fops ptp ttm pps_core drm qed(OE) smartpqi crct10dif_pclmul crct10dif_common crc32c_intel i2c_core scsi_transport_sas scsi_tgt dm_mirror dm_region_hash dm_log dm_mod
      [30259.754237] CPU: 9 PID: 977 Comm: kdmwork-253:7 Kdump: loaded Tainted: G        W  OE  ------------   3.10.0-862.el7.x86_64 #1
      [30259.765664] Hardware name: HPE Synergy 480 Gen10/Synergy 480 Gen10 Compute Module, BIOS I42 04/04/2018
      [30259.775000] task: ffff8c801efd0000 ti: ffff8c801efd8000 task.ti: ffff8c801efd8000
      [30259.782505] RIP: 0010:[<ffffffffc035b1ed>]  [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.792116] RSP: 0018:ffff8c801efdbbb0  EFLAGS: 00010046
      [30259.797444] RAX: 0000000000000000 RBX: ffffa7f1450948d8 RCX: ffff8c7fe5bc40c8
      [30259.804600] RDX: ffff8c800715b300 RSI: ffffa7f1450948d8 RDI: ffff8c80169c2480
      [30259.811755] RBP: ffff8c801efdbc30 R08: 00000000000000ae R09: ffff8c800a314540
      [30259.818911] R10: ffff8c7fe5bc40c8 R11: ffff8c801efdb8ae R12: 0000000000000000
      [30259.826068] R13: ffff8c800715b300 R14: ffff8c80169c2480 R15: ffff8c8005da28e0
      [30259.833223] FS:  0000000000000000(0000) GS:ffff8c803f840000(0000) knlGS:0000000000000000
      [30259.841338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [30259.847100] CR2: 0000000000000198 CR3: 000000081242e000 CR4: 00000000007607e0
      [30259.854256] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [30259.861412] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [30259.868568] PKRU: 00000000
      [30259.871278] Call Trace:
      [30259.873737]  [<ffffffffc035c948>] qedf_post_io_req+0x148/0x680 [qedf]
      [30259.880201]  [<ffffffffc035d070>] qedf_queuecommand+0x1f0/0x240 [qedf]
      [30259.886749]  [<ffffffffa329b050>] scsi_dispatch_cmd+0xb0/0x240
      [30259.892600]  [<ffffffffa32a45bc>] scsi_request_fn+0x4cc/0x680
      [30259.898364]  [<ffffffffa3118ad9>] __blk_run_queue+0x39/0x50
      [30259.903954]  [<ffffffffa3114393>] __elv_add_request+0xd3/0x260
      [30259.909805]  [<ffffffffa311baf0>] blk_insert_cloned_request+0xf0/0x1b0
      [30259.916358]  [<ffffffffc010b622>] map_request+0x142/0x220 [dm_mod]
      [30259.922560]  [<ffffffffc010b716>] map_tio_request+0x16/0x40 [dm_mod]
      [30259.928932]  [<ffffffffa2ebb1f5>] kthread_worker_fn+0x85/0x180
      [30259.934782]  [<ffffffffa2ebb170>] ? kthread_stop+0xf0/0xf0
      [30259.940284]  [<ffffffffa2ebae31>] kthread+0xd1/0xe0
      [30259.945176]  [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
      [30259.951290]  [<ffffffffa351f61d>] ret_from_fork_nospec_begin+0x7/0x21
      [30259.957750]  [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
      [30259.963860] Code: fe 41 55 49 89 d5 41 54 53 48 89 f3 48 83 ec 58 4c 8b 67 28 4c 8b 4e 18 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 4c 8b 7e 58 <49> 8b 84 24 98 01 00 00 48 8b 00 f6 80 31 01 00 00 10 0f 85 0b
      [30259.983372] RIP  [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.990630]  RSP <ffff8c801efdbbb0>
      [30259.994127] CR2: 0000000000000198
      Signed-off-by: NChad Dupuis <cdupuis@marvell.com>
      Signed-off-by: NSaurav Kashyap <skashyap@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e819d4a1
    • T
      timekeeping: Force upper bound for setting CLOCK_REALTIME · dc0f37b7
      Thomas Gleixner 提交于
      [ Upstream commit 7a8e61f8478639072d402a26789055a4a4de8f77 ]
      
      Several people reported testing failures after setting CLOCK_REALTIME close
      to the limits of the kernel internal representation in nanoseconds,
      i.e. year 2262.
      
      The failures are exposed in subsequent operations, i.e. when arming timers
      or when the advancing CLOCK_MONOTONIC makes the calculation of
      CLOCK_REALTIME overflow into negative space.
      
      Now people start to paper over the underlying problem by clamping
      calculations to the valid range, but that's just wrong because such
      workarounds will prevent detection of real issues as well.
      
      It is reasonable to force an upper bound for the various methods of setting
      CLOCK_REALTIME. Year 2262 is the absolute upper bound. Assume a maximum
      uptime of 30 years which is plenty enough even for esoteric embedded
      systems. That results in an upper bound of year 2232 for setting the time.
      
      Once that limit is reached in reality this limit is only a small part of
      the problem space. But until then this stops people from trying to paper
      over the problem at the wrong places.
      Reported-by: NXiongfeng Wang <wangxiongfeng2@huawei.com>
      Reported-by: NHongbo Yao <yaohongbo@huawei.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Stephen Boyd <sboyd@kernel.org>
      Cc: Miroslav Lichvar <mlichvar@redhat.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1903231125480.2157@nanos.tec.linutronix.deSigned-off-by: NSasha Levin <sashal@kernel.org>
      dc0f37b7
    • A
      thunderbolt: Fix to check the return value of kmemdup · ee40c8a3
      Aditya Pakki 提交于
      [ Upstream commit fd21b79e541e4666c938a344f3ad2df74b4f5120 ]
      
      uuid in add_switch is allocted via kmemdup which can fail. The patch
      logs the error and cleans up the allocated memory for switch.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ee40c8a3
    • K
      thunderbolt: property: Fix a missing check of kzalloc · c8eecd65
      Kangjie Lu 提交于
      [ Upstream commit 6183d5a51866f3acdeeb66b75e87d44025b01a55 ]
      
      No check is enforced for the return value of kzalloc,
      which may lead to NULL-pointer dereference.
      
      The patch fixes this issue.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c8eecd65
    • A
      efifb: Omit memory map check on legacy boot · 1de8f965
      Ard Biesheuvel 提交于
      [ Upstream commit c2999c281ea2d2ebbdfce96cecc7b52e2ae7c406 ]
      
      Since the following commit:
      
        38ac0287 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
      
      efifb_probe() checks its memory range via efi_mem_desc_lookup(),
      and this leads to a spurious error message:
      
         EFI_MEMMAP is not enabled
      
      at every boot on KVM.  This is quite annoying since the error message
      appears even if you set "quiet" boot option.
      
      Since this happens on legacy boot, which strangely enough exposes
      a EFI framebuffer via screen_info, let's double check that we are
      doing an EFI boot before attempting to access the EFI memory map.
      Reported-by: NTakashi Iwai <tiwai@suse.de>
      Tested-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Jones <pjones@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/20190328193429.21373-3-ard.biesheuvel@linaro.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1de8f965
    • E
      media: gspca: Kill URBs on USB device disconnect · 356f05fd
      Ezequiel Garcia 提交于
      [ Upstream commit 9b9ea7c2b57a0c9c3341fc6db039d1f7971a432e ]
      
      In order to prevent ISOC URBs from being infinitely resubmitted,
      the driver's USB disconnect handler must kill all the in-flight URBs.
      
      While here, change the URB packet status message to a debug level,
      to avoid spamming the console too much.
      
      This commit fixes a lockup caused by an interrupt storm coming
      from the URB completion handler.
      Signed-off-by: NEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      356f05fd
    • D
      media: wl128x: prevent two potential buffer overflows · 2a9331ce
      Dan Carpenter 提交于
      [ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]
      
      Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
      can copy up to 255 bytes and we only have room for two bytes.  Even
      if this comes from the firmware and we trust it, the new policy
      generally is just to fix it as kernel hardenning.
      
      I can't test this code so I tried to be very conservative.  I considered
      not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
      whole variable but in the end I decided to allow it and manually
      initialized "asic_id" and "asic_ver" to zero.
      
      Fixes: e8454ff7 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2a9331ce
    • K
      media: video-mux: fix null pointer dereferences · 6b5693f2
      Kangjie Lu 提交于
      [ Upstream commit aeb0d0f581e2079868e64a2e5ee346d340376eae ]
      
      devm_kcalloc may fail and return a null pointer. The fix returns
      -ENOMEM upon failures to avoid null pointer dereferences.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Reviewed-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6b5693f2
    • T
      kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice. · bc75207a
      Tetsuo Handa 提交于
      [ Upstream commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e ]
      
      syzbot is hitting use-after-free bug in uinput module [1]. This is because
      kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0
      ("Kobject: auto-cleanup on final unref") after memory allocation fault
      injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
      input_unregister_device() fail, while uinput_destroy_device() is expecting
      that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
      input_unregister_device() completed.
      
      That commit intended to catch cases where nobody even attempted to send
      "remove" uevents. But there is no guarantee that an event will ultimately
      be sent. We are at the point of no return as far as the rest of the kernel
      is concerned; there are no repeats or do-overs.
      
      Also, it is not clear whether some subsystem depends on that commit.
      If no subsystem depends on that commit, it will be better to remove
      the state_{add,remove}_uevent_sent logic. But we don't want to risk
      a regression (in a patch which will be backported) by trying to remove
      that logic. Therefore, as a first step, let's avoid the use-after-free bug
      by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.
      
      [1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362dReported-by: Nsyzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
      Analyzed-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Fixes: 0f4dafc0 ("Kobject: auto-cleanup on final unref")
      Cc: Kay Sievers <kay@vrfy.org>
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bc75207a
    • S
      spi: tegra114: reset controller on probe · ba906246
      Sowjanya Komatineni 提交于
      [ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]
      
      Fixes: SPI driver can be built as module so perform SPI controller reset
      on probe to make sure it is in valid state before initiating transfer.
      Signed-off-by: NSowjanya Komatineni <skomatineni@nvidia.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ba906246
    • H
      HID: logitech-hidpp: change low battery level threshold from 31 to 30 percent · 2cd236c2
      Hans de Goede 提交于
      [ Upstream commit 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29 ]
      
      According to hidpp20_batterylevel_get_battery_info my Logitech K270
      keyboard reports only 2 battery levels. This matches with what I've seen
      after testing with batteries at varying level of fullness, it always
      reports either 5% or 30%.
      
      Windows reports "battery good" for the 30% level. I've captured an USB
      trace of Windows reading the battery and it is getting the same info
      as the Linux hidpp code gets.
      
      Now that Linux handles these devices as hidpp devices, it reports the
      battery as being low as it treats anything under 31% as low, this leads
      to the user constantly getting a "Keyboard battery is low" warning from
      GNOME3, which is very annoying.
      
      This commit fixes this by changing the low threshold to anything under
      30%, which I assume is what Windows does.
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2cd236c2
    • G
      cxgb3/l2t: Fix undefined behaviour · fb2c65b4
      Gustavo A. R. Silva 提交于
      [ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]
      
      The use of zero-sized array causes undefined behaviour when it is not
      the last member in a structure. As it happens to be in this case.
      
      Also, the current code makes use of a language extension to the C90
      standard, but the preferred mechanism to declare variable-length
      types such as this one is a flexible array member, introduced in
      C99:
      
      struct foo {
              int stuff;
              struct boo array[];
      };
      
      By making use of the mechanism above, we will get a compiler warning
      in case the flexible array does not occur last. Which is beneficial
      to cultivate a high-quality code.
      
      Fixes: e48f129c ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fb2c65b4
    • W
      ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put · 71efe4c7
      Wen Yang 提交于
      [ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding     object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <festevam@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      71efe4c7
    • W
      ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put · b6b7a78c
      Wen Yang 提交于
      [ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo    nding object release within this function.
      ./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo    nding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b6b7a78c
    • N
      HID: core: move Usage Page concatenation to Main item · 69f67200
      Nicolas Saenz Julienne 提交于
      [ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
      
      As seen on some USB wireless keyboards manufactured by Primax, the HID
      parser was using some assumptions that are not always true. In this case
      it's s the fact that, inside the scope of a main item, an Usage Page
      will always precede an Usage.
      
      The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
      is interpreted as a Usage ID and concatenated with the Usage Page".
      While 6.2.2.8 states "When the parser encounters a main item it
      concatenates the last declared Usage Page with a Usage to form a
      complete usage value." Being somewhat contradictory it was decided to
      match Window's implementation, which follows 6.2.2.8.
      
      In summary, the patch moves the Usage Page concatenation from the local
      item parsing function to the main item parsing function.
      Signed-off-by: NNicolas Saenz Julienne <nsaenzjulienne@suse.de>
      Reviewed-by: NTerry Junge <terry.junge@poly.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      69f67200
    • G
      sh: sh7786: Add explicit I/O cast to sh7786_mm_sel() · 256f63c6
      Geert Uytterhoeven 提交于
      [ Upstream commit 8440bb9b944c02222c7a840d406141ed42e945cd ]
      
      When compile-testing on arm:
      
          arch/sh/include/cpu-sh4/cpu/sh7786.h: In function ‘sh7786_mm_sel’:
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:21: warning: passing argument 1 of ‘__raw_readl’ makes pointer from integer without a cast [-Wint-conversion]
            return __raw_readl(0xFC400020) & 0x7;
      			 ^~~~~~~~~~
          In file included from include/linux/io.h:25:0,
      		     from arch/sh/include/cpu-sh4/cpu/sh7786.h:14,
      		     from drivers/pinctrl/sh-pfc/pfc-sh7786.c:15:
          arch/arm/include/asm/io.h:113:21: note: expected ‘const volatile void *’ but argument is of type ‘unsigned int’
           #define __raw_readl __raw_readl
      			 ^
          arch/arm/include/asm/io.h:114:19: note: in expansion of macro ‘__raw_readl’
           static inline u32 __raw_readl(const volatile void __iomem *addr)
      		       ^~~~~~~~~~~
      
      __raw_readl() on SuperH is a macro that casts the passed I/O address to
      the correct type, while the implementations on most other architectures
      expect to be passed the correct pointer type.
      
      Add an explicit cast to fix this.
      
      Note that this also gets rid of a sparse warning on SuperH:
      
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: warning: incorrect type in argument 1 (different base types)
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16:    expected void const volatile [noderef] <asn:2>*<noident>
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16:    got unsigned int
      Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: NSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      256f63c6
    • L
      RDMA/hns: Fix bad endianess of port_pd variable · 8ea27918
      Leon Romanovsky 提交于
      [ Upstream commit 6734b2973565e36659e97e12ab0d0faf1d9f3fbe ]
      
      port_pd is treated as le32 in declaration and read, fix assignment to be
      in le32 too. This change fixes the following compilation warnings.
      
      drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: warning: incorrect type
      in assignment (different base types)
      drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: expected restricted __le32 [usertype] port_pd
      drivers/infiniband/hw/hns/hns_roce_ah.c:67:24: got restricted __be32 [usertype]
      
      Fixes: 9a443537 ("IB/hns: Add driver files for hns RoCE driver")
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: NGal Pressman <galpress@amazon.com>
      Reviewed-by: NLijun Ou <ouliun@huawei.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8ea27918
    • C
      chardev: add additional check for minor range overlap · 65ec64f2
      Chengguang Xu 提交于
      [ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ]
      
      Current overlap checking cannot correctly handle
      a case which is baseminor < existing baseminor &&
      baseminor + minorct > existing baseminor + minorct.
      Signed-off-by: NChengguang Xu <cgxu519@gmx.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      65ec64f2
    • P
      x86/uaccess: Fix up the fixup · fc242af8
      Peter Zijlstra 提交于
      [ Upstream commit b69656fa7ea2f75e47d7bd5b9430359fa46488af ]
      
      New tooling got confused about this:
      
        arch/x86/lib/memcpy_64.o: warning: objtool: .fixup+0x7: return with UACCESS enabled
      
      While the code isn't wrong, it is tedious (if at all possible) to
      figure out what function a particular chunk of .fixup belongs to.
      
      This then confuses the objtool uaccess validation. Instead of
      returning directly from the .fixup, jump back into the right function.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fc242af8
    • P
      x86/ia32: Fix ia32_restore_sigcontext() AC leak · 5007453c
      Peter Zijlstra 提交于
      [ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
      
      Objtool spotted that we call native_load_gs_index() with AC set.
      Re-arrange the code to avoid that.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5007453c
    • P
      x86/uaccess, signal: Fix AC=1 bloat · 4614b0bb
      Peter Zijlstra 提交于
      [ Upstream commit 88e4718275c1bddca6f61f300688b4553dc8584b ]
      
      Occasionally GCC is less agressive with inlining and the following is
      observed:
      
        arch/x86/kernel/signal.o: warning: objtool: restore_sigcontext()+0x3cc: call to force_valid_ss.isra.5() with UACCESS enabled
        arch/x86/kernel/signal.o: warning: objtool: do_signal()+0x384: call to frame_uc_flags.isra.0() with UACCESS enabled
      
      Cure this by moving this code out of the AC=1 region, since it really
      isn't needed for the user access.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: NAndy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4614b0bb
    • P
      x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP · 1a3188d7
      Peter Zijlstra 提交于
      [ Upstream commit 4a6c91fbdef846ec7250b82f2eeeb87ac5f18cf9 ]
      
      For CONFIG_TRACE_BRANCH_PROFILING=y the likely/unlikely things get
      overloaded and generate callouts to this code, and thus also when
      AC=1.
      
      Make it safe.
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1a3188d7