1. 24 3月, 2019 40 次提交
    • D
      keys: Fix dependency loop between construction record and auth key · 72683282
      David Howells 提交于
      [ Upstream commit 822ad64d7e46a8e2c8b8a796738d7b657cbb146d ]
      
      In the request_key() upcall mechanism there's a dependency loop by which if
      a key type driver overrides the ->request_key hook and the userspace side
      manages to lose the authorisation key, the auth key and the internal
      construction record (struct key_construction) can keep each other pinned.
      
      Fix this by the following changes:
      
       (1) Killing off the construction record and using the auth key instead.
      
       (2) Including the operation name in the auth key payload and making the
           payload available outside of security/keys/.
      
       (3) The ->request_key hook is given the authkey instead of the cons
           record and operation name.
      
      Changes (2) and (3) allow the auth key to naturally be cleaned up if the
      keyring it is in is destroyed or cleared or the auth key is unlinked.
      
      Fixes: 7ee02a316600 ("keys: Fix dependency loop between construction record and auth key")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <james.morris@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      72683282
    • D
      assoc_array: Fix shortcut creation · fac71ac3
      David Howells 提交于
      [ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
      
      Fix the creation of shortcuts for which the length of the index key value
      is an exact multiple of the machine word size.  The problem is that the
      code that blanks off the unused bits of the shortcut value malfunctions if
      the number of bits in the last word equals machine word size.  This is due
      to the "<<" operator being given a shift of zero in this case, and so the
      mask that should be all zeros is all ones instead.  This causes the
      subsequent masking operation to clear everything rather than clearing
      nothing.
      
      Ordinarily, the presence of the hash at the beginning of the tree index key
      makes the issue very hard to test for, but in this case, it was encountered
      due to a development mistake that caused the hash output to be either 0
      (keyring) or 1 (non-keyring) only.  This made it susceptible to the
      keyctl/unlink/valid test in the keyutils package.
      
      The fix is simply to skip the blanking if the shift would be 0.  For
      example, an index key that is 64 bits long would produce a 0 shift and thus
      a 'blank' of all 1s.  This would then be inverted and AND'd onto the
      index_key, incorrectly clearing the entire last word.
      
      Fixes: 3cb98950 ("Add a generic associative array implementation.")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <james.morris@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fac71ac3
    • R
      ARM: 8835/1: dma-mapping: Clear DMA ops on teardown · 84657a1b
      Robin Murphy 提交于
      [ Upstream commit fc67e6f120a388b611d94cc40baf99a5cc56b283 ]
      
      Installing the appropriate non-IOMMU DMA ops in arm_iommu_detch_device()
      serves the case where IOMMU-aware drivers choose to control their own
      mapping but still make DMA API calls, however it also affects the case
      when the arch code itself tears down the mapping upon driver unbinding,
      where the ops now get left in place and can inhibit arch_setup_dma_ops()
      on subsequent re-probe attempts.
      
      Fix the latter case by making sure that arch_teardown_dma_ops() cleans
      up whenever the ops were automatically installed by its counterpart.
      Reported-by: NTobias Jakobi <tjakobi@math.uni-bielefeld.de>
      Reported-by: NMarek Szyprowski <m.szyprowski@samsung.com>
      Fixes: 1874619a "ARM: dma-mapping: Set proper DMA ops in arm_iommu_detach_device()"
      Tested-by: NTobias Jakobi <tjakobi@math.uni-bielefeld.de>
      Tested-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      84657a1b
    • S
      af_key: unconditionally clone on broadcast · 978e0388
      Sean Tranchetti 提交于
      [ Upstream commit fc2d5cfdcfe2ab76b263d91429caa22451123085 ]
      
      Attempting to avoid cloning the skb when broadcasting by inflating
      the refcount with sock_hold/sock_put while under RCU lock is dangerous
      and violates RCU principles. It leads to subtle race conditions when
      attempting to free the SKB, as we may reference sockets that have
      already been freed by the stack.
      
      Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
      [006b6b6b6b6b6c4b] address between user and kernel address ranges
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      task: fffffff78f65b380 task.stack: ffffff8049a88000
      pc : sock_rfree+0x38/0x6c
      lr : skb_release_head_state+0x6c/0xcc
      Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
      Call trace:
      	sock_rfree+0x38/0x6c
      	skb_release_head_state+0x6c/0xcc
      	skb_release_all+0x1c/0x38
      	__kfree_skb+0x1c/0x30
      	kfree_skb+0xd0/0xf4
      	pfkey_broadcast+0x14c/0x18c
      	pfkey_sendmsg+0x1d8/0x408
      	sock_sendmsg+0x44/0x60
      	___sys_sendmsg+0x1d0/0x2a8
      	__sys_sendmsg+0x64/0xb4
      	SyS_sendmsg+0x34/0x4c
      	el0_svc_naked+0x34/0x38
      Kernel panic - not syncing: Fatal exception
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      978e0388
    • A
      bpf: fix lockdep false positive in stackmap · c7c68a1b
      Alexei Starovoitov 提交于
      [ Upstream commit 3defaf2f15b2bfd86c6664181ac009e91985f8ac ]
      
      Lockdep warns about false positive:
      [   11.211460] ------------[ cut here ]------------
      [   11.211936] DEBUG_LOCKS_WARN_ON(depth <= 0)
      [   11.211985] WARNING: CPU: 0 PID: 141 at ../kernel/locking/lockdep.c:3592 lock_release+0x1ad/0x280
      [   11.213134] Modules linked in:
      [   11.214954] RIP: 0010:lock_release+0x1ad/0x280
      [   11.223508] Call Trace:
      [   11.223705]  <IRQ>
      [   11.223874]  ? __local_bh_enable+0x7a/0x80
      [   11.224199]  up_read+0x1c/0xa0
      [   11.224446]  do_up_read+0x12/0x20
      [   11.224713]  irq_work_run_list+0x43/0x70
      [   11.225030]  irq_work_run+0x26/0x50
      [   11.225310]  smp_irq_work_interrupt+0x57/0x1f0
      [   11.225662]  irq_work_interrupt+0xf/0x20
      
      since rw_semaphore is released in a different task vs task that locked the sema.
      It is expected behavior.
      Fix the warning with up_read_non_owner() and rwsem_release() annotation.
      
      Fixes: bae77c5e ("bpf: enable stackmap with build_id in nmi context")
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c7c68a1b
    • W
      bpf: only adjust gso_size on bytestream protocols · 413e3985
      Willem de Bruijn 提交于
      [ Upstream commit b90efd2258749e04e1b3f71ef0d716f2ac2337e0 ]
      
      bpf_skb_change_proto and bpf_skb_adjust_room change skb header length.
      For GSO packets they adjust gso_size to maintain the same MTU.
      
      The gso size can only be safely adjusted on bytestream protocols.
      Commit d02f51cb ("bpf: fix bpf_skb_adjust_net/bpf_skb_proto_xlat
      to deal with gso sctp skbs") excluded SKB_GSO_SCTP.
      
      Since then type SKB_GSO_UDP_L4 has been added, whose contents are one
      gso_size unit per datagram. Also exclude these.
      
      Move from a blacklist to a whitelist check to future proof against
      additional such new GSO types, e.g., for fraglist based GRO.
      
      Fixes: bec1f6f6 ("udp: generate gso with UDP_SEGMENT")
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      413e3985
    • D
      ARM: 8824/1: fix a migrating irq bug when hotplug cpu · da349530
      Dietmar Eggemann 提交于
      [ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ]
      
      Arm TC2 fails cpu hotplug stress test.
      
      This issue was tracked down to a missing copy of the new affinity
      cpumask for the vexpress-spc interrupt into struct
      irq_common_data.affinity when the interrupt is migrated in
      migrate_one_irq().
      
      Fix it by replacing the arm specific hotplug cpu migration with the
      generic irq code.
      
      This is the counterpart implementation to commit 217d453d ("arm64:
      fix a migrating irq bug when hotplug cpu").
      
      Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
      CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
      The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
      Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
      CPU0 is hotplugged out.
      Suggested-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NDietmar Eggemann <dietmar.eggemann@arm.com>
      Acked-by: NMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      da349530
    • M
      esp: Skip TX bytes accounting when sending from a request socket · b92eaed3
      Martin Willi 提交于
      [ Upstream commit 09db51241118aeb06e1c8cd393b45879ce099b36 ]
      
      On ESP output, sk_wmem_alloc is incremented for the added padding if a
      socket is associated to the skb. When replying with TCP SYNACKs over
      IPsec, the associated sk is a casted request socket, only. Increasing
      sk_wmem_alloc on a request socket results in a write at an arbitrary
      struct offset. In the best case, this produces the following WARNING:
      
      WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
      refcount_t: addition on 0; use-after-free.
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
      Hardware name: Marvell Armada 380/385 (Device Tree)
      [...]
      [<bf0ff354>] (esp_output_head [esp4]) from [<bf1006a4>] (esp_output+0xb8/0x180 [esp4])
      [<bf1006a4>] (esp_output [esp4]) from [<c05dee64>] (xfrm_output_resume+0x558/0x664)
      [<c05dee64>] (xfrm_output_resume) from [<c05d07b0>] (xfrm4_output+0x44/0xc4)
      [<c05d07b0>] (xfrm4_output) from [<c05956bc>] (tcp_v4_send_synack+0xa8/0xe8)
      [<c05956bc>] (tcp_v4_send_synack) from [<c0586ad8>] (tcp_conn_request+0x7f4/0x948)
      [<c0586ad8>] (tcp_conn_request) from [<c058c404>] (tcp_rcv_state_process+0x2a0/0xe64)
      [<c058c404>] (tcp_rcv_state_process) from [<c05958ac>] (tcp_v4_do_rcv+0xf0/0x1f4)
      [<c05958ac>] (tcp_v4_do_rcv) from [<c0598a4c>] (tcp_v4_rcv+0xdb8/0xe20)
      [<c0598a4c>] (tcp_v4_rcv) from [<c056eb74>] (ip_protocol_deliver_rcu+0x2c/0x2dc)
      [<c056eb74>] (ip_protocol_deliver_rcu) from [<c056ee6c>] (ip_local_deliver_finish+0x48/0x54)
      [<c056ee6c>] (ip_local_deliver_finish) from [<c056eecc>] (ip_local_deliver+0x54/0xec)
      [<c056eecc>] (ip_local_deliver) from [<c056efac>] (ip_rcv+0x48/0xb8)
      [<c056efac>] (ip_rcv) from [<c0519c2c>] (__netif_receive_skb_one_core+0x50/0x6c)
      [...]
      
      The issue triggers only when not using TCP syncookies, as for syncookies
      no socket is associated.
      
      Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
      Fixes: 03e2a30f ("esp6: Avoid skb_cow_data whenever possible")
      Signed-off-by: NMartin Willi <martin@strongswan.org>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b92eaed3
    • A
      clk: sunxi: A31: Fix wrong AHB gate number · 2f3b4f96
      Andre Przywara 提交于
      [ Upstream commit ee0b27a3a4da0b0ed2318aa092f8856896e9450b ]
      
      According to the manual the gate clock for MMC3 is at bit 11, and NAND1
      is controlled by bit 12.
      
      Fix the gate bit definitions in the clock driver.
      
      Fixes: c6e6c96d ("clk: sunxi-ng: Add A31/A31s clocks")
      Signed-off-by: NAndre Przywara <andre.przywara@arm.com>
      Signed-off-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2f3b4f96
    • E
      kallsyms: Handle too long symbols in kallsyms.c · cacf3c0d
      Eugene Loh 提交于
      [ Upstream commit 6db2983cd8064808141ccefd75218f5b4345ffae ]
      
      When checking for symbols with excessively long names,
      account for null terminating character.
      
      Fixes: f3462aa9 ("Kbuild: Handle longer symbols in kallsyms.c")
      Signed-off-by: NEugene Loh <eugene.loh@oracle.com>
      Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cacf3c0d
    • P
      clk: sunxi-ng: v3s: Fix TCON reset de-assert bit · 980f44f8
      Paul Kocialkowski 提交于
      [ Upstream commit 5c59801f7018acba11b12de59017a3fcdcf7421d ]
      
      According to the datasheet and the reference code from Allwinner, the
      bit used to de-assert the TCON reset is bit 4, not bit 3.
      
      Fix it in the V3s CCU driver.
      Signed-off-by: NPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      980f44f8
    • G
      Input: st-keyscan - fix potential zalloc NULL dereference · 5050f03f
      Gabriel Fernandez 提交于
      [ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
      
      This patch fixes the following static checker warning:
      
      drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
      error: potential zalloc NULL dereference: 'keypad_data->input_dev'
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NGabriel Fernandez <gabriel.fernandez@st.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5050f03f
    • M
      auxdisplay: ht16k33: fix potential user-after-free on module unload · bf26fecc
      Miguel Ojeda 提交于
      [ Upstream commit 69ef9bc54715fb1cb7786ada15774e469e822209 ]
      
      On module unload/remove, we need to ensure that work does not run
      after we have freed resources. Concretely, cancel_delayed_work()
      may return while the callback function is still running.
      
      From kernel/workqueue.c:
      
          The work callback function may still be running on return,
          unless it returns true and the work doesn't re-arm itself.
          Explicitly flush or use cancel_delayed_work_sync() to wait on it.
      
      Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Reviewed-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: NSven Van Asbroeck <TheSven73@gmail.com>
      Acked-by: NRobin van der Gracht <robin@protonic.nl>
      Signed-off-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bf26fecc
    • P
      i2c: bcm2835: Clear current buffer pointers and counts after a transfer · 8e770d99
      Paul Kocialkowski 提交于
      [ Upstream commit f275a4659484716259cc46268d9043424e51cf0f ]
      
      The driver's interrupt handler checks whether a message is currently
      being handled with the curr_msg pointer. When it is NULL, the interrupt
      is considered to be unexpected. Similarly, the i2c_start_transfer
      routine checks for the remaining number of messages to handle in
      num_msgs.
      
      However, these values are never cleared and always keep the message and
      number relevant to the latest transfer (which might be done already and
      the underlying message memory might have been freed).
      
      When an unexpected interrupt hits with the DONE bit set, the isr will
      then try to access the flags field of the curr_msg structure, leading
      to a fatal page fault.
      
      The msg_buf and msg_buf_remaining fields are also never cleared at the
      end of the transfer, which can lead to similar pitfalls.
      
      Fix these issues by introducing a cleanup function and always calling
      it after a transfer is finished.
      
      Fixes: e2474541 ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes")
      Signed-off-by: NPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Acked-by: NStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8e770d99
    • S
      i2c: cadence: Fix the hold bit setting · d9ce9aea
      Shubhrajyoti Datta 提交于
      [ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ]
      
      In case the hold bit is not needed we are carrying the old values.
      Fix the same by resetting the bit when not needed.
      
      Fixes the sporadic i2c bus lockups on National Instruments
      Zynq-based devices.
      
      Fixes: df8eb569 ("i2c: Add driver for Cadence I2C controller")
      Reported-by: NKyle Roeschley <kyle.roeschley@ni.com>
      Acked-by: NMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: NShubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
      Tested-by: NKyle Roeschley <kyle.roeschley@ni.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d9ce9aea
    • H
      net: hns: Fix object reference leaks in hns_dsaf_roce_reset() · 8f622a7d
      Huang Zijiang 提交于
      [ Upstream commit c969c6e7ab8cb42b5c787c567615474fdbad9d6a ]
      
      The of_find_device_by_node() takes a reference to the underlying device
      structure, we should release that reference.
      Signed-off-by: NHuang Zijiang <huang.zijiang@zte.com.cn>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8f622a7d
    • J
      mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs · 33e83ea3
      Jann Horn 提交于
      [ Upstream commit 2c2ade81741c66082f8211f0b96cf509cc4c0218 ]
      
      The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum
      number of references that we might need to create in the fastpath later,
      the bump-allocation fastpath only has to modify the non-atomic bias value
      that tracks the number of extra references we hold instead of the atomic
      refcount. The maximum number of allocations we can serve (under the
      assumption that no allocation is made with size 0) is nc->size, so that's
      the bias used.
      
      However, even when all memory in the allocation has been given away, a
      reference to the page is still held; and in the `offset < 0` slowpath, the
      page may be reused if everyone else has dropped their references.
      This means that the necessary number of references is actually
      `nc->size+1`.
      
      Luckily, from a quick grep, it looks like the only path that can call
      page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which
      requires CAP_NET_ADMIN in the init namespace and is only intended to be
      used for kernel testing and fuzzing.
      
      To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the
      `offset < 0` path, below the virt_to_page() call, and then repeatedly call
      writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI,
      with a vector consisting of 15 elements containing 1 byte each.
      Signed-off-by: NJann Horn <jannh@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      33e83ea3
    • R
      x86/CPU: Add Icelake model number · a9503ade
      Rajneesh Bhardwaj 提交于
      [ Upstream commit 8cd8f0ce0d6aafe661cb3d6781c8b82bc696c04d ]
      
      Add the CPUID model number of Icelake (ICL) mobile processors to the
      Intel family list. Icelake U/Y series uses model number 0x7E.
      Signed-off-by: NRajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: "David E. Box" <david.e.box@intel.com>
      Cc: dvhart@infradead.org
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: platform-driver-x86@vger.kernel.org
      Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
      Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190214115712.19642-2-rajneesh.bhardwaj@linux.intel.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      a9503ade
    • D
      net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() · 388f3adb
      Dan Carpenter 提交于
      [ Upstream commit 8d6ea932856c7087ce8c3d0e79494b7d5386f962 ]
      
      The value of ->num_ports comes from bcm_sf2_sw_probe() and it is less
      than or equal to DSA_MAX_PORTS.  The ds->ports[] array is used inside
      the dsa_is_user_port() and dsa_is_cpu_port() functions.  The ds->ports[]
      array is allocated in dsa_switch_alloc() and it has ds->num_ports
      elements so this leads to a static checker warning about a potential out
      of bounds read.
      
      Fixes: 8cfa9498 ("net: dsa: bcm_sf2: add suspend/resume callbacks")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      388f3adb
    • B
      scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd · 8ab49fd5
      Bill Kuzeja 提交于
      [ Upstream commit 388a49959ee4e4e99f160241d9599efa62cd4299 ]
      
      In qla2x00_async_tm_cmd, we reference off sp after it has been freed.  This
      caused a panic on a system running a slub debug kernel. Since fcport is
      passed in anyways, just use that instead.
      Signed-off-by: NBill Kuzeja <william.kuzeja@stratus.com>
      Acked-by: NGiridhar Malavali <gmalavali@marvell.com>
      Acked-by: NHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8ab49fd5
    • Q
      Revert "mm: use early_pfn_to_nid in page_ext_init" · 53dcaeef
      Qian Cai 提交于
      [ Upstream commit 2f1ee0913ce58efe7f18fbd518bd54c598559b89 ]
      
      This reverts commit fe53ca54 ("mm: use early_pfn_to_nid in
      page_ext_init").
      
      When booting a system with "page_owner=on",
      
      start_kernel
        page_ext_init
          invoke_init_callbacks
            init_section_page_ext
              init_page_owner
                init_early_allocated_pages
                  init_zones_in_node
                    init_pages_in_zone
                      lookup_page_ext
                        page_to_nid
      
      The issue here is that page_to_nid() will not work since some page flags
      have no node information until later in page_alloc_init_late() due to
      DEFERRED_STRUCT_PAGE_INIT.  Hence, it could trigger an out-of-bounds
      access with an invalid nid.
      
        UBSAN: Undefined behaviour in ./include/linux/mm.h:1104:50
        index 7 is out of range for type 'zone [5]'
      
      Also, kernel will panic since flags were poisoned earlier with,
      
      CONFIG_DEBUG_VM_PGFLAGS=y
      CONFIG_NODE_NOT_IN_PAGE_FLAGS=n
      
      start_kernel
        setup_arch
          pagetable_init
            paging_init
              sparse_init
                sparse_init_nid
                  memblock_alloc_try_nid_raw
      
      It did not handle it well in init_pages_in_zone() which ends up calling
      page_to_nid().
      
        page:ffffea0004200000 is uninitialized and poisoned
        raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
        raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
        page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
        page_owner info is not active (free page?)
        kernel BUG at include/linux/mm.h:990!
        RIP: 0010:init_page_owner+0x486/0x520
      
      This means that assumptions behind commit fe53ca54 ("mm: use
      early_pfn_to_nid in page_ext_init") are incomplete.  Therefore, revert
      the commit for now.  A proper way to move the page_owner initialization
      to sooner is to hook into memmap initialization.
      
      Link: http://lkml.kernel.org/r/20190115202812.75820-1-cai@lca.pwSigned-off-by: NQian Cai <cai@lca.pw>
      Acked-by: NMichal Hocko <mhocko@kernel.org>
      Cc: Pasha Tatashin <Pavel.Tatashin@microsoft.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Yang Shi <yang.shi@linaro.org>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      53dcaeef
    • Y
      mm/gup: fix gup_pmd_range() for dax · 8b1a7762
      Yu Zhao 提交于
      [ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ]
      
      For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true
      on x86.  So the function works as long as hugetlb is configured.
      However, dax doesn't depend on hugetlb.
      
      Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.comSigned-off-by: NYu Zhao <yuzhao@google.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Huang Ying <ying.huang@intel.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Keith Busch <keith.busch@intel.com>
      Cc: "Michael S . Tsirkin" <mst@redhat.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: Wei Yang <richard.weiyang@gmail.com>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8b1a7762
    • B
      NFS: Don't use page_file_mapping after removing the page · 6c023d86
      Benjamin Coddington 提交于
      [ Upstream commit d2ceb7e57086750ea6198a31fd942d98099a0786 ]
      
      If nfs_page_async_flush() removes the page from the mapping, then we can't
      use page_file_mapping() on it as nfs_updatepate() is wont to do when
      receiving an error.  Instead, push the mapping to the stack before the page
      is possibly truncated.
      
      Fixes: 8fc75bed96bb ("NFS: Fix up return value on fatal errors in nfs_page_async_flush()")
      Signed-off-by: NBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6c023d86
    • N
      xprtrdma: Make sure Send CQ is allocated on an existing compvec · d84bc704
      Nicolas Morey-Chaisemartin 提交于
      [ Upstream commit a4cb5bdb754afe21f3e9e7164213e8600cf69427 ]
      
      Make sure the device has at least 2 completion vectors
      before allocating to compvec#1
      
      Fixes: a4699f56 (xprtrdma: Put Send CQ in IB_POLL_WORKQUEUE mode)
      Signed-off-by: NNicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>
      Reviewed-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d84bc704
    • Y
      floppy: check_events callback should not return a negative number · e01f2b08
      Yufen Yu 提交于
      [ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ]
      
      floppy_check_events() is supposed to return bit flags to say which
      events occured. We should return zero to say that no event flags are
      set.  Only BIT(0) and BIT(1) are used in the caller. And .check_events
      interface also expect to return an unsigned int value.
      
      However, after commit a0c80efe, it may return -EINTR (-4u).
      Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't
      affect runtime, but it obviously is still worth fixing.
      Reviewed-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: a0c80efe ("floppy: fix lock_fdc() signal handling")
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e01f2b08
    • A
      ipvs: fix dependency on nf_defrag_ipv6 · 5ca2ef67
      Andrea Claudi 提交于
      [ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
      
      ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
      but lacks proper Kconfig dependencies and does not explicitly
      request defrag features.
      
      As a result, if netfilter hooks are not loaded, when IPv6 fragmented
      packet are handled by ipvs only the first fragment makes through.
      
      Fix it properly declaring the dependency on Kconfig and registering
      netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
      Reported-by: NLi Shuang <shuali@redhat.com>
      Signed-off-by: NAndrea Claudi <aclaudi@redhat.com>
      Acked-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NSimon Horman <horms@verge.net.au>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5ca2ef67
    • J
      blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue · 29452f66
      Jianchao Wang 提交于
      [ Upstream commit aef1897cd36dcf5e296f1d2bae7e0d268561b685 ]
      
      When requeue, if RQF_DONTPREP, rq has contained some driver
      specific data, so insert it to hctx dispatch list to avoid any
      merge. Take scsi as example, here is the trace event log (no
      io scheduler, because RQF_STARTED would prevent merging),
      
         kworker/0:1H-339   [000] ...1  2037.209289: block_rq_insert: 8,0 R 4096 () 32768 + 8 [kworker/0:1H]
      scsi_inert_test-1987  [000] ....  2037.220465: block_bio_queue: 8,0 R 32776 + 8 [scsi_inert_test]
      scsi_inert_test-1987  [000] ...2  2037.220466: block_bio_backmerge: 8,0 R 32776 + 8 [scsi_inert_test]
         kworker/0:1H-339   [000] ....  2047.220913: block_rq_issue: 8,0 R 8192 () 32768 + 16 [kworker/0:1H]
      scsi_inert_test-1996  [000] ..s1  2047.221007: block_rq_complete: 8,0 R () 32768 + 8 [0]
      scsi_inert_test-1996  [000] .Ns1  2047.221045: block_rq_requeue: 8,0 R () 32776 + 8 [0]
         kworker/0:1H-339   [000] ...1  2047.221054: block_rq_insert: 8,0 R 4096 () 32776 + 8 [kworker/0:1H]
         kworker/0:1H-339   [000] ...1  2047.221056: block_rq_issue: 8,0 R 4096 () 32776 + 8 [kworker/0:1H]
      scsi_inert_test-1986  [000] ..s1  2047.221119: block_rq_complete: 8,0 R () 32776 + 8 [0]
      
      (32768 + 8) was requeued by scsi_queue_insert and had RQF_DONTPREP.
      Then it was merged with (32776 + 8) and issued. Due to RQF_DONTPREP,
      the sdb only contained the part of (32768 + 8), then only that part
      was completed. The lucky thing was that scsi_io_completion detected
      it and requeued the remaining part. So we didn't get corrupted data.
      However, the requeue of (32776 + 8) is not expected.
      Suggested-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NJianchao Wang <jianchao.w.wang@oracle.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      29452f66
    • F
      netfilter: compat: initialize all fields in xt_init · e0e6b0d7
      Francesco Ruggeri 提交于
      [ Upstream commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f ]
      
      If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
      time, the following panic can be caused by running
      
      % ebtables -t broute -F BROUTING
      
      from a 32-bit user level on a 64-bit kernel. This patch replaces
      kmalloc_array with kcalloc when allocating xt.
      
      [  474.680846] BUG: unable to handle kernel paging request at 0000000009600920
      [  474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
      [  474.693838] Oops: 0000 [#1] SMP
      [  474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
      [  474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
      [  474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
      [  474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
      [  474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
      [  474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
      [  474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
      [  474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
      [  474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
      [  474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
      [  474.780234] FS:  0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
      [  474.788612] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      [  474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
      [  474.802052] Call Trace:
      [  474.804789]  compat_do_replace+0x1fb/0x2a3 [ebtables]
      [  474.810105]  compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
      [  474.815605]  ? try_module_get+0x37/0x42
      [  474.819716]  compat_nf_setsockopt+0x4f/0x6d
      [  474.824172]  compat_ip_setsockopt+0x7e/0x8c
      [  474.828641]  compat_raw_setsockopt+0x16/0x3a
      [  474.833220]  compat_sock_common_setsockopt+0x1d/0x24
      [  474.838458]  __compat_sys_setsockopt+0x17e/0x1b1
      [  474.843343]  ? __check_object_size+0x76/0x19a
      [  474.847960]  __ia32_compat_sys_socketcall+0x1cb/0x25b
      [  474.853276]  do_fast_syscall_32+0xaf/0xf6
      [  474.857548]  entry_SYSENTER_compat+0x6b/0x7a
      Signed-off-by: NFrancesco Ruggeri <fruggeri@arista.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e0e6b0d7
    • I
      mac80211: Fix Tx aggregation session tear down with ITXQs · a5a24445
      Ilan Peer 提交于
      [ Upstream commit 6157ca0d6bfe437691b1e98a62e2efe12b6714da ]
      
      When mac80211 requests the low level driver to stop an ongoing
      Tx aggregation, the low level driver is expected to call
      ieee80211_stop_tx_ba_cb_irqsafe() to indicate that it is ready
      to stop the session. The callback in turn schedules a worker
      to complete the session tear down, which in turn also handles
      the relevant state for the intermediate Tx queue.
      
      However, as this flow in asynchronous, the intermediate queue
      should be stopped and not continue servicing frames, as in
      such a case frames that are dequeued would be marked as part
      of an aggregation, although the aggregation is already been
      stopped.
      
      Fix this by stopping the intermediate Tx queue, before
      calling the low level driver to stop the Tx aggregation.
      Signed-off-by: NIlan Peer <ilan.peer@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a5a24445
    • J
      mac80211: call drv_ibss_join() on restart · bff33ba4
      Johannes Berg 提交于
      [ Upstream commit 4926b51bfaa6d36bd6f398fb7698679d3962e19d ]
      
      If a driver does any significant activity in its ibss_join method,
      then it will very well expect that to be called during restart,
      before any stations are added. Do that.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bff33ba4
    • D
      Input: matrix_keypad - use flush_delayed_work() · 134891e1
      Dmitry Torokhov 提交于
      [ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
      
      We should be using flush_delayed_work() instead of flush_work() in
      matrix_keypad_stop() to ensure that we are not missing work that is
      scheduled but not yet put in the workqueue (i.e. its delay timer has not
      expired yet).
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      134891e1
    • D
      Input: ps2-gpio - flush TX work when closing port · e91dc209
      Dmitry Torokhov 提交于
      [ Upstream commit 33a841ce5cef4ca6c18ad333248b6d273f54c839 ]
      
      To ensure that TX work is not running after serio port has been torn down,
      let's flush it when closing the port.
      Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Acked-by: NDanilo Krummrich <danilokrummrich@dk-develop.de>
      Reviewed-by: NSven Van Asbroeck <TheSven73@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e91dc209
    • D
      Input: cap11xx - switch to using set_brightness_blocking() · 4fe714b7
      Dmitry Torokhov 提交于
      [ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ]
      
      Updating LED state requires access to regmap and therefore we may sleep,
      so we could not do that directly form set_brightness() method.
      Historically we used private work to adjust the brightness, but with the
      introduction of set_brightness_blocking() we no longer need it.
      
      As a bonus, not having our own work item means we do not have
      use-after-free issue as we neglected to cancel outstanding work on
      driver unbind.
      Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Reviewed-by: NSven Van Asbroeck <TheSven73@googlemail.com>
      Acked-by: NJacek Anaszewski <jacek.anaszewski@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4fe714b7
    • R
      ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug · f49f7007
      Russell King 提交于
      [ Upstream commit 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b ]
      
      If we have a kernel configured for periodic timer interrupts, and we
      have cpuidle enabled, then we end up with CPU1 losing timer interupts
      after a hotplug.
      
      This can manifest itself in RCU stall warnings, or userspace becoming
      unresponsive.
      
      The problem is that the kernel initially wants to use the TWD timer
      for interrupts, but the TWD loses context when we enter the C3 cpuidle
      state.  Nothing reprograms the TWD after idle.
      
      We have solved this in the past by switching to broadcast timer ticks,
      and cpuidle44xx switches to that mode at boot time.  However, there is
      nothing to switch from periodic mode local timers after a hotplug
      operation.
      
      We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
      would expect would take care of the issue, but internally this only
      deals with one-shot local timers - tick_broadcast_enable() on the other
      hand only deals with periodic local timers.  So, we need to call both.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      [tony@atomide.com: just standardized the subject line]
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f49f7007
    • S
      ASoC: samsung: Prevent clk_get_rate() calls in atomic context · 8f07d764
      Sylwester Nawrocki 提交于
      [ Upstream commit 860b454c2c0cbda6892954f5cdbbb48931b3c8db ]
      
      This patch moves clk_get_rate() call from trigger() to hw_params()
      callback to avoid calling sleeping clk API from atomic context
      and prevent deadlock as indicated below.
      
      Before this change clk_get_rate() was being called with same
      spinlock held as the one passed to the clk API when registering
      clocks exposed by the I2S driver.
      
      [   82.109780] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
      [   82.117009] in_atomic(): 1, irqs_disabled(): 128, pid: 1554, name: speaker-test
      [   82.124235] 3 locks held by speaker-test/1554:
      [   82.128653]  #0: cc8c5328 (snd_pcm_link_rwlock){...-}, at: snd_pcm_stream_lock_irq+0x20/0x38
      [   82.137058]  #1: ec9eda17 (&(&substream->self_group.lock)->rlock){..-.}, at: snd_pcm_ioctl+0x900/0x1268
      [   82.146417]  #2: 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4
      [   82.154650] irq event stamp: 8144
      [   82.157949] hardirqs last  enabled at (8143): [<c0a0f574>] _raw_read_unlock_irq+0x24/0x5c
      [   82.166089] hardirqs last disabled at (8144): [<c0a0f6a8>] _raw_read_lock_irq+0x18/0x58
      [   82.174063] softirqs last  enabled at (8004): [<c01024e4>] __do_softirq+0x3a4/0x66c
      [   82.181688] softirqs last disabled at (7997): [<c012d730>] irq_exit+0x140/0x168
      [   82.188964] Preemption disabled at:
      [   82.188967] [<00000000>]   (null)
      [   82.195728] CPU: 6 PID: 1554 Comm: speaker-test Not tainted 5.0.0-rc5-00192-ga6e6caca8f03 #191
      [   82.204302] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      [   82.210376] [<c0111a54>] (unwind_backtrace) from [<c010d8f4>] (show_stack+0x10/0x14)
      [   82.218084] [<c010d8f4>] (show_stack) from [<c09ef004>] (dump_stack+0x90/0xc8)
      [   82.225278] [<c09ef004>] (dump_stack) from [<c0152980>] (___might_sleep+0x22c/0x2c8)
      [   82.232990] [<c0152980>] (___might_sleep) from [<c0a0a2e4>] (__mutex_lock+0x28/0xa3c)
      [   82.240788] [<c0a0a2e4>] (__mutex_lock) from [<c0a0ad80>] (mutex_lock_nested+0x1c/0x24)
      [   82.248763] [<c0a0ad80>] (mutex_lock_nested) from [<c04923dc>] (clk_prepare_lock+0x78/0xec)
      [   82.257079] [<c04923dc>] (clk_prepare_lock) from [<c049538c>] (clk_core_get_rate+0xc/0x5c)
      [   82.265309] [<c049538c>] (clk_core_get_rate) from [<c0766b18>] (i2s_trigger+0x490/0x6d4)
      [   82.273369] [<c0766b18>] (i2s_trigger) from [<c074fec4>] (soc_pcm_trigger+0x100/0x140)
      [   82.281254] [<c074fec4>] (soc_pcm_trigger) from [<c07378a0>] (snd_pcm_do_start+0x2c/0x30)
      [   82.289400] [<c07378a0>] (snd_pcm_do_start) from [<c07376cc>] (snd_pcm_action_single+0x38/0x78)
      [   82.298065] [<c07376cc>] (snd_pcm_action_single) from [<c073a450>] (snd_pcm_ioctl+0x910/0x1268)
      [   82.306734] [<c073a450>] (snd_pcm_ioctl) from [<c0292344>] (do_vfs_ioctl+0x90/0x9ec)
      [   82.314443] [<c0292344>] (do_vfs_ioctl) from [<c0292cd4>] (ksys_ioctl+0x34/0x60)
      [   82.321808] [<c0292cd4>] (ksys_ioctl) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
      [   82.329431] Exception stack(0xeb875fa8 to 0xeb875ff0)
      [   82.334459] 5fa0:                   00033c18 b6e31000 00000004 00004142 00033d80 00033d80
      [   82.342605] 5fc0: 00033c18 b6e31000 00008000 00000036 00008000 00000000 beea38a8 00008000
      [   82.350748] 5fe0: b6e3142c beea384c b6da9a30 b6c9212c
      [   82.355789]
      [   82.357245] ======================================================
      [   82.363397] WARNING: possible circular locking dependency detected
      [   82.369551] 5.0.0-rc5-00192-ga6e6caca8f03 #191 Tainted: G        W
      [   82.376395] ------------------------------------------------------
      [   82.382548] speaker-test/1554 is trying to acquire lock:
      [   82.387834] 6d2007f4 (prepare_lock){+.+.}, at: clk_prepare_lock+0x78/0xec
      [   82.394593]
      [   82.394593] but task is already holding lock:
      [   82.400398] 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4
      [   82.408197]
      [   82.408197] which lock already depends on the new lock.
      [   82.416343]
      [   82.416343] the existing dependency chain (in reverse order) is:
      [   82.423795]
      [   82.423795] -> #1 (&(&pri_dai->spinlock)->rlock){..-.}:
      [   82.430472]        clk_mux_set_parent+0x34/0xb8
      [   82.434975]        clk_core_set_parent_nolock+0x1c4/0x52c
      [   82.440347]        clk_set_parent+0x38/0x6c
      [   82.444509]        of_clk_set_defaults+0xc8/0x308
      [   82.449186]        of_clk_add_provider+0x84/0xd0
      [   82.453779]        samsung_i2s_probe+0x408/0x5f8
      [   82.458376]        platform_drv_probe+0x48/0x98
      [   82.462879]        really_probe+0x224/0x3f4
      [   82.467037]        driver_probe_device+0x70/0x1c4
      [   82.471716]        bus_for_each_drv+0x44/0x8c
      [   82.476049]        __device_attach+0xa0/0x138
      [   82.480382]        bus_probe_device+0x88/0x90
      [   82.484715]        deferred_probe_work_func+0x6c/0xbc
      [   82.489741]        process_one_work+0x200/0x740
      [   82.494246]        worker_thread+0x2c/0x4c8
      [   82.498408]        kthread+0x128/0x164
      [   82.502131]        ret_from_fork+0x14/0x20
      [   82.506204]          (null)
      [   82.508976]
      [   82.508976] -> #0 (prepare_lock){+.+.}:
      [   82.514264]        __mutex_lock+0x60/0xa3c
      [   82.518336]        mutex_lock_nested+0x1c/0x24
      [   82.522756]        clk_prepare_lock+0x78/0xec
      [   82.527088]        clk_core_get_rate+0xc/0x5c
      [   82.531421]        i2s_trigger+0x490/0x6d4
      [   82.535494]        soc_pcm_trigger+0x100/0x140
      [   82.539913]        snd_pcm_do_start+0x2c/0x30
      [   82.544246]        snd_pcm_action_single+0x38/0x78
      [   82.549012]        snd_pcm_ioctl+0x910/0x1268
      [   82.553345]        do_vfs_ioctl+0x90/0x9ec
      [   82.557417]        ksys_ioctl+0x34/0x60
      [   82.561229]        ret_fast_syscall+0x0/0x28
      [   82.565477]        0xbeea384c
      [   82.568421]
      [   82.568421] other info that might help us debug this:
      [   82.568421]
      [   82.576394]  Possible unsafe locking scenario:
      [   82.576394]
      [   82.582285]        CPU0                    CPU1
      [   82.586792]        ----                    ----
      [   82.591297]   lock(&(&pri_dai->spinlock)->rlock);
      [   82.595977]                                lock(prepare_lock);
      [   82.601782]                                lock(&(&pri_dai->spinlock)->rlock);
      [   82.608975]   lock(prepare_lock);
      [   82.612268]
      [   82.612268]  *** DEADLOCK ***
      
      Fixes: 647d04f8 ("ASoC: samsung: i2s: Ensure the RCLK rate is properly determined")
      Reported-by: NKrzysztof Kozłowski <krzk@kernel.org>
      Signed-off-by: NSylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8f07d764
    • J
      KVM: arm64: Forbid kprobing of the VHE world-switch code · 459058f0
      James Morse 提交于
      [ Upstream commit 7d82602909ed9c73b34ad26f05d10db4850a4f8c ]
      
      On systems with VHE the kernel and KVM's world-switch code run at the
      same exception level. Code that is only used on a VHE system does not
      need to be annotated as __hyp_text as it can reside anywhere in the
      kernel text.
      
      __hyp_text was also used to prevent kprobes from patching breakpoint
      instructions into this region, as this code runs at a different
      exception level. While this is no longer true with VHE, KVM still
      switches VBAR_EL1, meaning a kprobe's breakpoint executed in the
      world-switch code will cause a hyp-panic.
      
      echo "p:weasel sysreg_save_guest_state_vhe" > /sys/kernel/debug/tracing/kprobe_events
      echo 1 > /sys/kernel/debug/tracing/events/kprobes/weasel/enable
      lkvm run -k /boot/Image --console serial -p "console=ttyS0 earlycon=uart,mmio,0x3f8"
      
        # lkvm run -k /boot/Image -m 384 -c 3 --name guest-1474
        Info: Placing fdt at 0x8fe00000 - 0x8fffffff
        Info: virtio-mmio.devices=0x200@0x10000:36
      
        Info: virtio-mmio.devices=0x200@0x10200:37
      
        Info: virtio-mmio.devices=0x200@0x10400:38
      
      [  614.178186] Kernel panic - not syncing: HYP panic:
      [  614.178186] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004
      [  614.178186] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de
      [  614.178186] VCPU:00000000f8de32f1
      [  614.178383] CPU: 2 PID: 1482 Comm: kvm-vcpu-0 Not tainted 5.0.0-rc2 #10799
      [  614.178446] Call trace:
      [  614.178480]  dump_backtrace+0x0/0x148
      [  614.178567]  show_stack+0x24/0x30
      [  614.178658]  dump_stack+0x90/0xb4
      [  614.178710]  panic+0x13c/0x2d8
      [  614.178793]  hyp_panic+0xac/0xd8
      [  614.178880]  kvm_vcpu_run_vhe+0x9c/0xe0
      [  614.178958]  kvm_arch_vcpu_ioctl_run+0x454/0x798
      [  614.179038]  kvm_vcpu_ioctl+0x360/0x898
      [  614.179087]  do_vfs_ioctl+0xc4/0x858
      [  614.179174]  ksys_ioctl+0x84/0xb8
      [  614.179261]  __arm64_sys_ioctl+0x28/0x38
      [  614.179348]  el0_svc_common+0x94/0x108
      [  614.179401]  el0_svc_handler+0x38/0x78
      [  614.179487]  el0_svc+0x8/0xc
      [  614.179558] SMP: stopping secondary CPUs
      [  614.179661] Kernel Offset: disabled
      [  614.179695] CPU features: 0x003,2a80aa38
      [  614.179758] Memory Limit: none
      [  614.179858] ---[ end Kernel panic - not syncing: HYP panic:
      [  614.179858] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004
      [  614.179858] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de
      [  614.179858] VCPU:00000000f8de32f1 ]---
      
      Annotate the VHE world-switch functions that aren't marked
      __hyp_text using NOKPROBE_SYMBOL().
      Signed-off-by: NJames Morse <james.morse@arm.com>
      Fixes: 3f5c90b8 ("KVM: arm64: Introduce VHE-specific kvm_vcpu_run")
      Acked-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      459058f0
    • C
      KVM: arm/arm64: vgic: Always initialize the group of private IRQs · 04131dfc
      Christoffer Dall 提交于
      [ Upstream commit ab2d5eb03dbb7b37a1c6356686fb48626ab0c93e ]
      
      We currently initialize the group of private IRQs during
      kvm_vgic_vcpu_init, and the value of the group depends on the GIC model
      we are emulating.  However, CPUs created before creating (and
      initializing) the VGIC might end up with the wrong group if the VGIC
      is created as GICv3 later.
      
      Since we have no enforced ordering of creating the VGIC and creating
      VCPUs, we can end up with part the VCPUs being properly intialized and
      the remaining incorrectly initialized.  That also means that we have no
      single place to do the per-cpu data structure initialization which
      depends on knowing the emulated GIC model (which is only the group
      field).
      
      This patch removes the incorrect comment from kvm_vgic_vcpu_init and
      initializes the group of all previously created VCPUs's private
      interrupts in vgic_init in addition to the existing initialization in
      kvm_vgic_vcpu_init.
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      04131dfc
    • M
      arm/arm64: KVM: Don't panic on failure to properly reset system registers · c8312936
      Marc Zyngier 提交于
      [ Upstream commit 20589c8cc47dce5854c8bf1b44a9fc63d798d26d ]
      
      Failing to properly reset system registers is pretty bad. But not
      quite as bad as bringing the whole machine down... So warn loudly,
      but slightly more gracefully.
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c8312936
    • M
      arm/arm64: KVM: Allow a VCPU to fully reset itself · b78379c3
      Marc Zyngier 提交于
      [ Upstream commit 358b28f09f0ab074d781df72b8a671edb1547789 ]
      
      The current kvm_psci_vcpu_on implementation will directly try to
      manipulate the state of the VCPU to reset it.  However, since this is
      not done on the thread that runs the VCPU, we can end up in a strangely
      corrupted state when the source and target VCPUs are running at the same
      time.
      
      Fix this by factoring out all reset logic from the PSCI implementation
      and forwarding the required information along with a request to the
      target VCPU.
      Reviewed-by: NAndrew Jones <drjones@redhat.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b78379c3
    • C
      KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded · dfe9b4d9
      Christoffer Dall 提交于
      [ Upstream commit e761a927bc9a7ee6ceb7c4f63d5922dbced87f0d ]
      
      We have two ways to reset a vcpu:
      - either through VCPU_INIT
      - or through a PSCI_ON call
      
      The first one is easy to reason about. The second one is implemented
      in a more bizarre way, as it is the vcpu that handles PSCI_ON that
      resets the vcpu that is being powered-on. As we need to turn the logic
      around and have the target vcpu to reset itself, we must take some
      preliminary steps.
      
      Resetting the VCPU state modifies the system register state in memory,
      but this may interact with vcpu_load/vcpu_put if running with preemption
      disabled, which in turn may lead to corrupted system register state.
      
      Address this by disabling preemption and doing put/load if required
      around the reset logic.
      Reviewed-by: NAndrew Jones <drjones@redhat.com>
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dfe9b4d9