1. 31 5月, 2019 40 次提交
    • Y
      mmc: sdhci-of-esdhc: add erratum eSDHC5 support · 80118cba
      Yinbo Zhu 提交于
      [ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ]
      
      Software writing to the Transfer Type configuration register
      (system clock domain) can cause a setup/hold violation in the
      CRC flops (card clock domain), which can cause write accesses
      to be sent with corrupt CRC values. This issue occurs only for
      write preceded by read. this erratum is to fix this issue.
      Signed-off-by: NYinbo Zhu <yinbo.zhu@nxp.com>
      Acked-by: NAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      80118cba
    • K
      mmc_spi: add a status check for spi_sync_locked · fa291e89
      Kangjie Lu 提交于
      [ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ]
      
      In case spi_sync_locked fails, the fix reports the error and
      returns the error code upstream.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Reviewed-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fa291e89
    • A
      mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers · 059c2f53
      Andrea Merello 提交于
      [ Upstream commit 002ee28e8b322d4d4b7b83234b5d0f4ebd428eda ]
      
      pwrseq_emmc.c implements a HW reset procedure for eMMC chip by driving a
      GPIO line.
      
      It registers the .reset() cb on mmc_pwrseq_ops and it registers a system
      restart notification handler; both of them perform reset by unconditionally
      calling gpiod_set_value().
      
      If the eMMC reset line is tied to a GPIO controller whose driver can sleep
      (i.e. I2C GPIO controller), then the kernel would spit warnings when trying
      to reset the eMMC chip by means of .reset() mmc_pwrseq_ops cb (that is
      exactly what I'm seeing during boot).
      
      Furthermore, on system reset we would gets to the system restart
      notification handler with disabled interrupts - local_irq_disable() is
      called in machine_restart() at least on ARM/ARM64 - and we would be in
      trouble when the GPIO driver tries to sleep (which indeed doesn't happen
      here, likely because in my case the machine specific code doesn't call
      do_kernel_restart(), I guess..).
      
      This patch fixes the .reset() cb to make use of gpiod_set_value_cansleep(),
      so that the eMMC gets reset on boot without complaints, while, since there
      isn't that much we can do, we avoid register the restart handler if the
      GPIO controller has a sleepy driver (and we spit a dev_notice() message to
      let people know)..
      
      This had been tested on a downstream 4.9 kernel with backported
      commit 83f37ee7ba33 ("mmc: pwrseq: Add reset callback to the struct
      mmc_pwrseq_ops") and commit ae60fb031cf2 ("mmc: core: Don't do eMMC HW
      reset when resuming the eMMC card"), because I couldn't boot my board
      otherwise. Maybe worth to RFT.
      Signed-off-by: NAndrea Merello <andrea.merello@gmail.com>
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      059c2f53
    • J
      scsi: libsas: Do discovery on empty PHY to update PHY info · aa06e612
      John Garry 提交于
      [ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ]
      
      When we discover the PHY is empty in sas_rediscover_dev(), the PHY
      information (like negotiated linkrate) is not updated.
      
      As such, for a user examining sysfs for that PHY, they would see
      incorrect values:
      
      root@(none)$ cd /sys/class/sas_phy/phy-0:0:20
      root@(none)$ more negotiated_linkrate
      3.0 Gbit
      root@(none)$ echo 0 > enable
      root@(none)$ more negotiated_linkrate
      3.0 Gbit
      
      So fix this, simply discover the PHY again, even though we know it's empty;
      in the above example, this gives us:
      
      root@(none)$ more negotiated_linkrate
      Phy disabled
      
      We must do this after unregistering the device associated with the PHY
      (in sas_unregister_devs_sas_addr()).
      Signed-off-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      aa06e612
    • G
      hwmon: (f71805f) Use request_muxed_region for Super-IO accesses · 4e98f3b1
      Guenter Roeck 提交于
      [ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ]
      
      Super-IO accesses may fail on a system with no or unmapped LPC bus.
      
      Unable to handle kernel paging request at virtual address ffffffbffee0002e
      pgd = ffffffc1d68d4000
      [ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
      Internal error: Oops: 94000046 [#1] PREEMPT SMP
      Modules linked in: f71805f(+) hwmon
      CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
      Hardware name: linux,dummy-virt (DT)
      task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
      PC is at f71805f_find+0x6c/0x358 [f71805f]
      
      Also, other drivers may attempt to access the LPC bus at the same time,
      resulting in undefined behavior.
      
      Use request_muxed_region() to ensure that IO access on the requested
      address space is supported, and to ensure that access by multiple
      drivers is synchronized.
      
      Fixes: e53004e2 ("hwmon: New f71805f driver")
      Reported-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Reported-by: NJohn Garry <john.garry@huawei.com>
      Cc: John Garry <john.garry@huawei.com>
      Acked-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4e98f3b1
    • G
      hwmon: (pc87427) Use request_muxed_region for Super-IO accesses · 8cfe000d
      Guenter Roeck 提交于
      [ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ]
      
      Super-IO accesses may fail on a system with no or unmapped LPC bus.
      
      Also, other drivers may attempt to access the LPC bus at the same time,
      resulting in undefined behavior.
      
      Use request_muxed_region() to ensure that IO access on the requested
      address space is supported, and to ensure that access by multiple drivers
      is synchronized.
      
      Fixes: ba224e2c ("hwmon: New PC87427 hardware monitoring driver")
      Reported-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Reported-by: NJohn Garry <john.garry@huawei.com>
      Cc: John Garry <john.garry@huawei.com>
      Acked-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8cfe000d
    • G
      hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses · 48b31e8a
      Guenter Roeck 提交于
      [ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ]
      
      Super-IO accesses may fail on a system with no or unmapped LPC bus.
      
      Also, other drivers may attempt to access the LPC bus at the same time,
      resulting in undefined behavior.
      
      Use request_muxed_region() to ensure that IO access on the requested
      address space is supported, and to ensure that access by multiple drivers
      is synchronized.
      
      Fixes: 8d5d45fb ("I2C: Move hwmon drivers (2/3)")
      Reported-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Reported-by: NJohn Garry <john.garry@huawei.com>
      Cc: John Garry <john.garry@huawei.com>
      Acked-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      48b31e8a
    • G
      hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses · e7dbe597
      Guenter Roeck 提交于
      [ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ]
      
      Super-IO accesses may fail on a system with no or unmapped LPC bus.
      
      Also, other drivers may attempt to access the LPC bus at the same time,
      resulting in undefined behavior.
      
      Use request_muxed_region() to ensure that IO access on the requested
      address space is supported, and to ensure that access by multiple drivers
      is synchronized.
      
      Fixes: 8d5d45fb ("I2C: Move hwmon drivers (2/3)")
      Reported-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Reported-by: NJohn Garry <john.garry@huawei.com>
      Cc: John Garry <john.garry@huawei.com>
      Acked-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e7dbe597
    • G
      hwmon: (vt1211) Use request_muxed_region for Super-IO accesses · fbdce79e
      Guenter Roeck 提交于
      [ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ]
      
      Super-IO accesses may fail on a system with no or unmapped LPC bus.
      
      Also, other drivers may attempt to access the LPC bus at the same time,
      resulting in undefined behavior.
      
      Use request_muxed_region() to ensure that IO access on the requested
      address space is supported, and to ensure that access by multiple drivers
      is synchronized.
      
      Fixes: 2219cd81 ("hwmon/vt1211: Add probing of alternate config index port")
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fbdce79e
    • K
      perf/x86/intel/cstate: Add Icelake support · 1cd4902d
      Kan Liang 提交于
      [ Upstream commit f08c47d1f86c6dc666c7e659d94bf6d4492aa9d7 ]
      
      Icelake uses the same C-state residency events as Sandy Bridge.
      Signed-off-by: NKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: acme@kernel.org
      Cc: jolsa@kernel.org
      Link: https://lkml.kernel.org/r/20190402194509.2832-10-kan.liang@linux.intel.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1cd4902d
    • K
      perf/x86/intel/rapl: Add Icelake support · ea6ff1bb
      Kan Liang 提交于
      [ Upstream commit b3377c3acb9e54cf86efcfe25f2e792bca599ed4 ]
      
      Icelake support the same RAPL counters as Skylake.
      Signed-off-by: NKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: acme@kernel.org
      Cc: jolsa@kernel.org
      Link: https://lkml.kernel.org/r/20190402194509.2832-11-kan.liang@linux.intel.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ea6ff1bb
    • K
      perf/x86/msr: Add Icelake support · 3a9a1fd1
      Kan Liang 提交于
      [ Upstream commit cf50d79a8cfe5adae37fec026220b009559bbeed ]
      
      Icelake is the same as the existing Skylake parts.
      Signed-off-by: NKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: acme@kernel.org
      Cc: jolsa@kernel.org
      Link: https://lkml.kernel.org/r/20190402194509.2832-12-kan.liang@linux.intel.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3a9a1fd1
    • C
      RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure · 9754bab2
      Colin Ian King 提交于
      [ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ]
      
      Currently if alloc_skb fails to allocate the skb a null skb is passed to
      t4_set_arp_err_handler and this ends up dereferencing the null skb.  Avoid
      the NULL pointer dereference by checking for a NULL skb and returning
      early.
      
      Addresses-Coverity: ("Dereference null return")
      Fixes: b38a0ad8 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Acked-by: NPotnuri Bharat Teja <bharat@chelsio.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9754bab2
    • V
      arm64: vdso: Fix clock_getres() for CLOCK_REALTIME · b0f6ac8c
      Vincenzo Frascino 提交于
      [ Upstream commit 81fb8736dd81da3fe94f28968dac60f392ec6746 ]
      
      clock_getres() in the vDSO library has to preserve the same behaviour
      of posix_get_hrtimer_res().
      
      In particular, posix_get_hrtimer_res() does:
      
          sec = 0;
          ns = hrtimer_resolution;
      
      where 'hrtimer_resolution' depends on whether or not high resolution
      timers are enabled, which is a runtime decision.
      
      The vDSO incorrectly returns the constant CLOCK_REALTIME_RES. Fix this
      by exposing 'hrtimer_resolution' in the vDSO datapage and returning that
      instead.
      Reviewed-by: NCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: NVincenzo Frascino <vincenzo.frascino@arm.com>
      [will: Use WRITE_ONCE(), move adr off COARSE path, renumber labels, use 'w' reg]
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b0f6ac8c
    • K
      ACPI/IORT: Reject platform device creation on NUMA node mapping failure · 9082058b
      Kefeng Wang 提交于
      [ Upstream commit 36a2ba07757df790b4a874efb1a105b9330a9ae7 ]
      
      In a system where, through IORT firmware mappings, the SMMU device is
      mapped to a NUMA node that is not online, the kernel bootstrap results
      in the following crash:
      
        Unable to handle kernel paging request at virtual address 0000000000001388
        Mem abort info:
          ESR = 0x96000004
          Exception class = DABT (current EL), IL = 32 bits
          SET = 0, FnV = 0
          EA = 0, S1PTW = 0
        Data abort info:
          ISV = 0, ISS = 0x00000004
          CM = 0, WnR = 0
        [0000000000001388] user address but active_mm is swapper
        Internal error: Oops: 96000004 [#1] SMP
        Modules linked in:
        CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0 #15
        pstate: 80c00009 (Nzcv daif +PAN +UAO)
        pc : __alloc_pages_nodemask+0x13c/0x1068
        lr : __alloc_pages_nodemask+0xdc/0x1068
        ...
        Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____))
        Call trace:
         __alloc_pages_nodemask+0x13c/0x1068
         new_slab+0xec/0x570
         ___slab_alloc+0x3e0/0x4f8
         __slab_alloc+0x60/0x80
         __kmalloc_node_track_caller+0x10c/0x478
         devm_kmalloc+0x44/0xb0
         pinctrl_bind_pins+0x4c/0x188
         really_probe+0x78/0x2b8
         driver_probe_device+0x64/0x110
         device_driver_attach+0x74/0x98
         __driver_attach+0x9c/0xe8
         bus_for_each_dev+0x84/0xd8
         driver_attach+0x30/0x40
         bus_add_driver+0x170/0x218
         driver_register+0x64/0x118
         __platform_driver_register+0x54/0x60
         arm_smmu_driver_init+0x24/0x2c
         do_one_initcall+0xbc/0x328
         kernel_init_freeable+0x304/0x3ac
         kernel_init+0x18/0x110
         ret_from_fork+0x10/0x1c
        Code: f90013b5 b9410fa1 1a9f0694 b50014c2 (b9400804)
        ---[ end trace dfeaed4c373a32da ]--
      
      Change the dev_set_proximity() hook prototype so that it returns a
      value and make it return failure if the PXM->NUMA-node mapping
      corresponds to an offline node, fixing the crash.
      Acked-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Link: https://lore.kernel.org/linux-arm-kernel/20190315021940.86905-1-wangkefeng.wang@huawei.com/Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9082058b
    • N
      i40e: don't allow changes to HW VLAN stripping on active port VLANs · 4a9c8449
      Nicholas Nunley 提交于
      [ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ]
      
      Modifying the VLAN stripping options when a port VLAN is configured
      will break traffic for the VSI, and conceptually doesn't make sense,
      so don't allow this.
      Signed-off-by: NNicholas Nunley <nicholas.d.nunley@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4a9c8449
    • A
      i40e: Able to add up to 16 MAC filters on an untrusted VF · e3e8cdac
      Adam Ludkiewicz 提交于
      [ Upstream commit 06b6e2a2333eb3581567a7ac43ca465ef45f4daa ]
      
      This patch fixes the problem with the driver being able to add only 7
      multicast MAC address filters instead of 16. The problem is fixed by
      changing the maximum number of MAC address filters to 16+1+1 (two extra
      are needed because the driver uses 1 for unicast MAC address and 1 for
      broadcast).
      Signed-off-by: NAdam Ludkiewicz <adam.ludkiewicz@intel.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e3e8cdac
    • A
      phy: mapphone-mdm6600: add gpiolib dependency · 267b3c6b
      Arnd Bergmann 提交于
      [ Upstream commit 208d3423ee463ab257908456f6bbca4024ab63f7 ]
      
      gcc points out that when CONFIG_GPIOLIB is disabled,
      gpiod_get_array_value_cansleep() returns 0 but fails to set its output:
      
      drivers/phy/motorola/phy-mapphone-mdm6600.c: In function 'phy_mdm6600_status':
      drivers/phy/motorola/phy-mapphone-mdm6600.c:220:24: error: 'values[0]' is used uninitialized in this function [-Werror=uninitialized]
      
      This could be fixed more generally in gpiolib by returning a failure
      code, but for this specific case, the easier workaround is to add a
      gpiolib dependency.
      
      Fixes: 5d1ebbda ("phy: mapphone-mdm6600: Add USB PHY driver for MDM6600 on Droid 4")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      267b3c6b
    • P
      phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode · 3ecda688
      Paul Kocialkowski 提交于
      [ Upstream commit e6f32efb1b128344a2c7df9875bc1a1abaa1d395 ]
      
      On platforms where the MUSB and HCI controllers share PHY0, PHY passby
      is required when using the HCI controller with the PHY, but it must be
      disabled when the MUSB controller is used instead.
      
      Without this, PHY0 passby is always enabled, which results in broken
      peripheral mode on such platforms (e.g. H3/H5).
      
      Fixes: ba4bdc9e ("PHY: sunxi: Add driver for sunxi usb phy")
      Signed-off-by: NPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: NKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3ecda688
    • R
      drm: etnaviv: avoid DMA API warning when importing buffers · 63b4f89d
      Russell King 提交于
      [ Upstream commit 1262cc8893ecb0eb2c21e042d0d268cc180edb61 ]
      
      During boot, I get this kernel warning:
      
      WARNING: CPU: 0 PID: 19001 at kernel/dma/debug.c:1301 debug_dma_map_sg+0x284/0x3dc
      etnaviv etnaviv: DMA-API: mapping sg segment longer than device claims to support [len=3145728] [max=65536]
      Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_broute ebtable_nat ip6table_raw ip6table_nat nf_nat_ipv6 ip6table_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 libcrc32c iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter caam_jr error snd_soc_imx_spdif imx_thermal snd_soc_imx_audmux nvmem_imx_ocotp snd_soc_sgtl5000
      caam imx_sdma virt_dma coda rc_cec v4l2_mem2mem snd_soc_fsl_ssi snd_soc_fsl_spdif imx_vdoa imx_pcm_dma videobuf2_dma_contig etnaviv dw_hdmi_cec gpu_sched dw_hdmi_ahb_audio imx6q_cpufreq nfsd sch_fq_codel ip_tables x_tables
      CPU: 0 PID: 19001 Comm: Xorg Not tainted 4.20.0+ #307
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      [<c0019658>] (unwind_backtrace) from [<c001489c>] (show_stack+0x10/0x14)
      [<c001489c>] (show_stack) from [<c07fb420>] (dump_stack+0x9c/0xd4)
      [<c07fb420>] (dump_stack) from [<c00312dc>] (__warn+0xf8/0x124)
      [<c00312dc>] (__warn) from [<c00313d0>] (warn_slowpath_fmt+0x38/0x48)
      [<c00313d0>] (warn_slowpath_fmt) from [<c00b14e8>] (debug_dma_map_sg+0x284/0x3dc)
      [<c00b14e8>] (debug_dma_map_sg) from [<c046eb40>] (drm_gem_map_dma_buf+0xc4/0x13c)
      [<c046eb40>] (drm_gem_map_dma_buf) from [<c04c3314>] (dma_buf_map_attachment+0x38/0x5c)
      [<c04c3314>] (dma_buf_map_attachment) from [<c046e728>] (drm_gem_prime_import_dev+0x74/0x104)
      [<c046e728>] (drm_gem_prime_import_dev) from [<c046e5bc>] (drm_gem_prime_fd_to_handle+0x84/0x17c)
      [<c046e5bc>] (drm_gem_prime_fd_to_handle) from [<c046edd0>] (drm_prime_fd_to_handle_ioctl+0x38/0x4c)
      [<c046edd0>] (drm_prime_fd_to_handle_ioctl) from [<c0460efc>] (drm_ioctl_kernel+0x90/0xc8)
      [<c0460efc>] (drm_ioctl_kernel) from [<c0461114>] (drm_ioctl+0x1e0/0x3b0)
      [<c0461114>] (drm_ioctl) from [<c01cae20>] (do_vfs_ioctl+0x90/0xa48)
      [<c01cae20>] (do_vfs_ioctl) from [<c01cb80c>] (ksys_ioctl+0x34/0x60)
      [<c01cb80c>] (ksys_ioctl) from [<c0009000>] (ret_fast_syscall+0x0/0x28)
      Exception stack(0xd81a9fa8 to 0xd81a9ff0)
      9fa0:                   b6c69c88 bec613f8 00000009 c00c642e bec613f8 b86c4600
      9fc0: b6c69c88 bec613f8 c00c642e 00000036 012762e0 01276348 00000300 012d91f8
      9fe0: b6989f18 bec613dc b697185c b667be5c
      irq event stamp: 47905
      hardirqs last  enabled at (47913): [<c0098824>] console_unlock+0x46c/0x680
      hardirqs last disabled at (47922): [<c0098470>] console_unlock+0xb8/0x680
      softirqs last  enabled at (47754): [<c000a484>] __do_softirq+0x344/0x540
      softirqs last disabled at (47701): [<c0038700>] irq_exit+0x124/0x144
      ---[ end trace af477747acbcc642 ]---
      
      The reason is the contiguous buffer exceeds the default maximum segment
      size of 64K as specified by dma_get_max_seg_size() in
      linux/dma-mapping.h.  Fix this by providing our own segment size, which
      is set to 2GiB to cover the window found in MMUv1 GPUs.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NLucas Stach <l.stach@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      63b4f89d
    • T
      x86/irq/64: Limit IST stack overflow check to #DB stack · f843f848
      Thomas Gleixner 提交于
      [ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]
      
      Commit
      
        37fe6a42 ("x86: Check stack overflow in detail")
      
      added a broad check for the full exception stack area, i.e. it considers
      the full exception stack area as valid.
      
      That's wrong in two aspects:
      
       1) It does not check the individual areas one by one
      
       2) #DF, NMI and #MCE are not enabling interrupts which means that a
          regular device interrupt cannot happen in their context. In fact if a
          device interrupt hits one of those IST stacks that's a bug because some
          code path enabled interrupts while handling the exception.
      
      Limit the check to the #DB stack and consider all other IST stacks as
      'overflow' or invalid.
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
      Cc: Nicolai Stange <nstange@suse.de>
      Cc: Sean Christopherson <sean.j.christopherson@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.deSigned-off-by: NSasha Levin <sashal@kernel.org>
      f843f848
    • A
      USB: core: Don't unbind interfaces following device reset failure · 97abdfa8
      Alan Stern 提交于
      [ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]
      
      The SCSI core does not like to have devices or hosts unregistered
      while error recovery is in progress.  Trying to do so can lead to
      self-deadlock: Part of the removal code tries to obtain a lock already
      held by the error handler.
      
      This can cause problems for the usb-storage and uas drivers, because
      their error handler routines perform a USB reset, and if the reset
      fails then the USB core automatically goes on to unbind all drivers
      from the device's interfaces -- all while still in the context of the
      SCSI error handler.
      
      As it turns out, practically all the scenarios leading to a USB reset
      failure end up causing a device disconnect (the main error pathway in
      usb_reset_and_verify_device(), at the end of the routine, calls
      hub_port_logical_disconnect() before returning).  As a result, the
      hub_wq thread will soon become aware of the problem and will unbind
      all the device's drivers in its own context, not in the
      error-handler's context.
      
      This means that usb_reset_device() does not need to call
      usb_unbind_and_rebind_marked_interfaces() in cases where
      usb_reset_and_verify_device() has returned an error, because hub_wq
      will take care of everything anyway.
      
      This particular problem was observed in somewhat artificial
      circumstances, by using usbfs to tell a hub to power-down a port
      connected to a USB-3 mass storage device using the UAS protocol.  With
      the port turned off, the currently executing command timed out and the
      error handler started running.  The USB reset naturally failed,
      because the hub port was off, and the error handler deadlocked as
      described above.  Not carrying out the call to
      usb_unbind_and_rebind_marked_interfaces() fixes this issue.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NKento Kobayashi <Kento.A.Kobayashi@sony.com>
      Tested-by: NKento Kobayashi <Kento.A.Kobayashi@sony.com>
      CC: Bart Van Assche <bvanassche@acm.org>
      CC: Martin K. Petersen <martin.petersen@oracle.com>
      CC: Jacky Cao <Jacky.Cao@sony.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      97abdfa8
    • J
      s390/qeth: handle error from qeth_update_from_chp_desc() · 3711c988
      Julian Wiedmann 提交于
      [ Upstream commit a4cdc9baee0740748f16e50cd70c2607510df492 ]
      
      Subsequent code relies on the values that qeth_update_from_chp_desc()
      reads from the CHP descriptor. Rather than dealing with weird errors
      later on, just handle it properly here.
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3711c988
    • M
      thunderbolt: Take domain lock in switch sysfs attribute callbacks · 5d5652b5
      Mika Westerberg 提交于
      [ Upstream commit 09f11b6c99feaf86a26444bca85dc693b3f58f8b ]
      
      switch_lock was introduced because it allowed serialization of device
      authorization requests from userspace without need to take the big
      domain lock (tb->lock). This was fine because device authorization with
      ICM is just one command that is sent to the firmware. Now that we start
      to handle all tunneling in the driver switch_lock is not enough because
      we need to walk over the topology to establish paths.
      
      For this reason drop switch_lock from the driver completely in favour of
      big domain lock.
      
      There is one complication, though. If userspace is waiting for the lock
      in tb_switch_set_authorized(), it keeps the device_del() from removing
      the sysfs attribute because it waits for active users to release the
      attribute first which leads into following splat:
      
          INFO: task kworker/u8:3:73 blocked for more than 61 seconds.
                Tainted: G        W         5.1.0-rc1+ #244
          "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
          kworker/u8:3    D12976    73      2 0x80000000
          Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
          Call Trace:
           ? __schedule+0x2e5/0x740
           ? _raw_spin_lock_irqsave+0x12/0x40
           ? prepare_to_wait_event+0xc5/0x160
           schedule+0x2d/0x80
           __kernfs_remove.part.17+0x183/0x1f0
           ? finish_wait+0x80/0x80
           kernfs_remove_by_name_ns+0x4a/0x90
           remove_files.isra.1+0x2b/0x60
           sysfs_remove_group+0x38/0x80
           sysfs_remove_groups+0x24/0x40
           device_remove_attrs+0x3d/0x70
           device_del+0x14c/0x360
           device_unregister+0x15/0x50
           tb_switch_remove+0x9e/0x1d0 [thunderbolt]
           tb_handle_hotplug+0x119/0x5a0 [thunderbolt]
           ? process_one_work+0x1b7/0x420
           process_one_work+0x1b7/0x420
           worker_thread+0x37/0x380
           ? _raw_spin_unlock_irqrestore+0xf/0x30
           ? process_one_work+0x420/0x420
           kthread+0x118/0x130
           ? kthread_create_on_node+0x60/0x60
           ret_from_fork+0x35/0x40
      
      We deal this by following what network stack did for some of their
      attributes and use mutex_trylock() with restart_syscall(). This makes
      userspace release the attribute allowing sysfs attribute removal to
      progress before the write is restarted and eventually fail when the
      attribute is removed.
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5d5652b5
    • N
      irq_work: Do not raise an IPI when queueing work on the local CPU · afee27f3
      Nicholas Piggin 提交于
      [ Upstream commit 471ba0e686cb13752bc1ff3216c54b69a2d250ea ]
      
      The QEMU PowerPC/PSeries machine model was not expecting a self-IPI,
      and it may be a bit surprising thing to do, so have irq_work_queue_on
      do local queueing when target is the current CPU.
      Suggested-by: NSteven Rostedt <rostedt@goodmis.org>
      Reported-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: NFrederic Weisbecker <frederic@kernel.org>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190409093403.20994-1-npiggin@gmail.com
      [ Simplified the preprocessor comments.
        Fixed unbalanced curly brackets pointed out by Thomas. ]
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      afee27f3
    • W
      drm/msm: a5xx: fix possible object reference leak · dee2faf0
      Wen Yang 提交于
      [ Upstream commit 6cd5235c3135ea84b32469ea51b2aae384eda8af ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Rob Clark <robdclark@gmail.com>
      Cc: Sean Paul <sean@poorly.run>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Jordan Crouse <jcrouse@codeaurora.org>
      Cc: Mamta Shukla <mamtashukla555@gmail.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: Sharat Masetty <smasetty@codeaurora.org>
      Cc: linux-arm-msm@vger.kernel.org
      Cc: dri-devel@lists.freedesktop.org
      Cc: freedreno@lists.freedesktop.org
      Cc: linux-kernel@vger.kernel.org (open list)
      Reviewed-by: NJordan Crouse <jcrouse@codeaurora.org>
      Signed-off-by: NRob Clark <robdclark@gmail.com>
      Signed-off-by: NRob Clark <robdclark@chromium.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dee2faf0
    • N
      staging: vc04_services: handle kzalloc failure · e0b75a79
      Nicholas Mc Guire 提交于
      [ Upstream commit a5112277872a56017b777770e2fd4324d4a6c866 ]
      
      The kzalloc here was being used without checking the return - if the
      kzalloc fails return VCHIQ_ERROR. The call-site of
      vchiq_platform_init_state() vchiq_init_state() was not responding
      to an allocation failure so checks for != VCHIQ_SUCCESS
      and pass VCHIQ_ERROR up to vchiq_platform_init() which then
      will fail with -EINVAL.
      Signed-off-by: NNicholas Mc Guire <hofrat@osadl.org>
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Acked-By: NStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e0b75a79
    • K
      sched/core: Handle overflow in cpu_shares_write_u64 · 355673f8
      Konstantin Khlebnikov 提交于
      [ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]
      
      Bit shift in scale_load() could overflow shares. This patch saturates
      it to MAX_SHARES like following sched_group_set_shares().
      
      Example:
      
       # echo 9223372036854776832 > cpu.shares
       # cat cpu.shares
      
      Before patch: 1024
      After pattch: 262144
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      355673f8
    • K
      sched/rt: Check integer overflow at usec to nsec conversion · 7053046e
      Konstantin Khlebnikov 提交于
      [ Upstream commit 1a010e29cfa00fee2888fd2fd4983f848cbafb58 ]
      
      Example of unhandled overflows:
      
       # echo 18446744073709651 > cpu.rt_runtime_us
       # cat cpu.rt_runtime_us
       99
      
       # echo 18446744073709900 > cpu.rt_period_us
       # cat cpu.rt_period_us
       348
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7053046e
    • K
      sched/core: Check quota and period overflow at usec to nsec conversion · 925275d0
      Konstantin Khlebnikov 提交于
      [ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]
      
      Large values could overflow u64 and pass following sanity checks.
      
       # echo 18446744073750000 > cpu.cfs_period_us
       # cat cpu.cfs_period_us
       40448
      
       # echo 18446744073750000 > cpu.cfs_quota_us
       # cat cpu.cfs_quota_us
       40448
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      925275d0
    • R
      cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock · 4e4d5cea
      Roman Gushchin 提交于
      [ Upstream commit 4dcabece4c3a9f9522127be12cc12cc120399b2f ]
      
      The number of descendant cgroups and the number of dying
      descendant cgroups are currently synchronized using the cgroup_mutex.
      
      The number of descendant cgroups will be required by the cgroup v2
      freezer, which will use it to determine if a cgroup is frozen
      (depending on total number of descendants and number of frozen
      descendants). It's not always acceptable to grab the cgroup_mutex,
      especially from quite hot paths (e.g. exit()).
      
      To avoid this, let's additionally synchronize these counters using
      the css_set_lock.
      
      So, it's safe to read these counters with either cgroup_mutex or
      css_set_lock locked, and for changing both locks should be acquired.
      Signed-off-by: NRoman Gushchin <guro@fb.com>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: kernel-team@fb.com
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4e4d5cea
    • S
      random: add a spinlock_t to struct batched_entropy · 944c5852
      Sebastian Andrzej Siewior 提交于
      [ Upstream commit b7d5dc21072cda7124d13eae2aefb7343ef94197 ]
      
      The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
      This is just a preempt_disable() which ensures that the variable is only
      from the local CPU. It does not protect against users on the same CPU
      from another context. It is possible that a preemptible context reads
      slot 0 and then an interrupt occurs and the same value is read again.
      
      The above scenario is confirmed by lockdep if we add a spinlock:
      | ================================
      | WARNING: inconsistent lock state
      | 5.1.0-rc3+ #42 Not tainted
      | --------------------------------
      | inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      | ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
      | (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
      | {SOFTIRQ-ON-W} state was registered at:
      |   _raw_spin_lock+0x2a/0x40
      |   get_random_u32+0x3e/0xe0
      |   new_slab+0x15c/0x7b0
      |   ___slab_alloc+0x492/0x620
      |   __slab_alloc.isra.73+0x53/0xa0
      |   kmem_cache_alloc_node+0xaf/0x2a0
      |   copy_process.part.41+0x1e1/0x2370
      |   _do_fork+0xdb/0x6d0
      |   kernel_thread+0x20/0x30
      |   kthreadd+0x1ba/0x220
      |   ret_from_fork+0x3a/0x50
      …
      | other info that might help us debug this:
      |  Possible unsafe locking scenario:
      |
      |        CPU0
      |        ----
      |   lock(batched_entropy_u32.lock);
      |   <Interrupt>
      |     lock(batched_entropy_u32.lock);
      |
      |  *** DEADLOCK ***
      |
      | stack backtrace:
      | Call Trace:
      …
      |  kmem_cache_alloc_trace+0x20e/0x270
      |  ipmi_alloc_recv_msg+0x16/0x40
      …
      |  __do_softirq+0xec/0x48d
      |  run_ksoftirqd+0x37/0x60
      |  smpboot_thread_fn+0x191/0x290
      |  kthread+0xfe/0x130
      |  ret_from_fork+0x3a/0x50
      
      Add a spinlock_t to the batched_entropy data structure and acquire the
      lock while accessing it. Acquire the lock with disabled interrupts
      because this function may be used from interrupt context.
      
      Remove the batched_entropy_reset_lock lock. Now that we have a lock for
      the data scructure, we can access it from a remote CPU.
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      944c5852
    • J
      random: fix CRNG initialization when random.trust_cpu=1 · 6fa6381a
      Jon DeVree 提交于
      [ Upstream commit fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 ]
      
      When the system boots with random.trust_cpu=1 it doesn't initialize the
      per-NUMA CRNGs because it skips the rest of the CRNG startup code. This
      means that the code from 1e7f583a ("random: make /dev/urandom scalable
      for silly userspace programs") is not used when random.trust_cpu=1.
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314029] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $6 = (struct crng_state **) 0x0
      
      After adding the missing call to numa_crng_init() the per-NUMA CRNGs are
      initialized again:
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314031] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $1 = (struct crng_state **) 0xffff9a915f4014a0
      
      The call to invalidate_batched_entropy() was also missing. This is
      important for architectures like PPC and S390 which only have the
      arch_get_random_seed_* functions.
      
      Fixes: 39a8883a ("random: add a config option to trust the CPU's hwrng")
      Signed-off-by: NJon DeVree <nuxi@vault24.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6fa6381a
    • R
      powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX · fec8a09f
      Russell Currey 提交于
      [ Upstream commit 56c46bba9bbfe229b4472a5be313c44c5b714a39 ]
      
      With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M
      boundary.  This is necessary so that it can be repurposed later with
      different permissions.  However, in kernels with text larger than 16M,
      this pushes early_setup past 32M, incapable of being reached by the
      branch instruction.
      
      Fix this by setting the CTR and branching there instead.
      
      Fixes: 1e0fc9d1 ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
      Signed-off-by: NRussell Currey <ruscur@russell.cc>
      [mpe: Fix it to work on BE by using DOTSYM()]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fec8a09f
    • N
      powerpc/numa: improve control of topology updates · f488832c
      Nathan Lynch 提交于
      [ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]
      
      When booted with "topology_updates=no", or when "off" is written to
      /proc/powerpc/topology_updates, NUMA reassignments are inhibited for
      PRRN and VPHN events. However, migration and suspend unconditionally
      re-enable reassignments via start_topology_update(). This is
      incoherent.
      
      Check the topology_updates_enabled flag in
      start/stop_topology_update() so that callers of those APIs need not be
      aware of whether reassignments are enabled. This allows the
      administrative decision on reassignments to remain in force across
      migrations and suspensions.
      Signed-off-by: NNathan Lynch <nathanl@linux.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f488832c
    • Y
      block: fix use-after-free on gendisk · ad393793
      Yufen Yu 提交于
      [ Upstream commit 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd ]
      
      commit 2da78092 "block: Fix dev_t minor allocation lifetime"
      specifically moved blk_free_devt(dev->devt) call to part_release()
      to avoid reallocating device number before the device is fully
      shutdown.
      
      However, it can cause use-after-free on gendisk in get_gendisk().
      We use md device as example to show the race scenes:
      
      Process1		Worker			Process2
      md_free
      						blkdev_open
      del_gendisk
        add delete_partition_work_fn() to wq
        						__blkdev_get
      						get_gendisk
      put_disk
        disk_release
          kfree(disk)
          						find part from ext_devt_idr
      						get_disk_and_module(disk)
          					  	cause use after free
      
          			delete_partition_work_fn
      			put_device(part)
          		  	part_release
      		    	remove part from ext_devt_idr
      
      Before <devt, hd_struct pointer> is removed from ext_devt_idr by
      delete_partition_work_fn(), we can find the devt and then access
      gendisk by hd_struct pointer. But, if we access the gendisk after
      it have been freed, it can cause in use-after-freeon gendisk in
      get_gendisk().
      
      We fix this by adding a new helper blk_invalidate_devt() in
      delete_partition() and del_gendisk(). It replaces hd_struct
      pointer in idr with value 'NULL', and deletes the entry from
      idr in part_release() as we do now.
      
      Thanks to Jan Kara for providing the solution and more clear comments
      for the code.
      
      Fixes: 2da78092 ("block: Fix dev_t minor allocation lifetime")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Reviewed-by: NKeith Busch <keith.busch@intel.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Suggested-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ad393793
    • F
      iio: adc: stm32-dfsdm: fix unmet direct dependencies detected · 30f8da71
      Fabrice Gasnier 提交于
      [ Upstream commit ba7ecfe43d6bf12e2aa76705c45f7d187ae3d7c0 ]
      
      This fixes unmet direct dependencies seen when CONFIG_STM32_DFSDM_ADC
      is selected:
      
      WARNING: unmet direct dependencies detected for IIO_BUFFER_HW_CONSUMER
        Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
        Selected by [y]:
        - STM32_DFSDM_ADC [=y] && IIO [=y] && (ARCH_STM32 [=y] && OF [=y] ||
          COMPILE_TEST [=n])
      
      Fixes: e2e6771c ("IIO: ADC: add STM32 DFSDM sigma delta ADC support")
      Signed-off-by: NFabrice Gasnier <fabrice.gasnier@st.com>
      Signed-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      30f8da71
    • D
      media: pvrusb2: Prevent a buffer overflow · 11ad5277
      Dan Carpenter 提交于
      [ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
      
      The ctrl_check_input() function is called from pvr2_ctrl_range_check().
      It's supposed to validate user supplied input and return true or false
      depending on whether the input is valid or not.  The problem is that
      negative shifts or shifts greater than 31 are undefined in C.  In
      practice with GCC they result in shift wrapping so this function returns
      true for some inputs which are not valid and this could result in a
      buffer overflow:
      
          drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
          warn: uncapped user index 'names[val]'
      
      The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
      and the highest valid bit is BIT(4).
      
      Fixes: 7fb20fa3 ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      11ad5277
    • S
      media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() · a90ce66a
      Shuah Khan 提交于
      [ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]
      
      Fix au0828_analog_stream_enable() to check if device is in the right
      state first. When unbind happens while bind is in progress, usbdev
      pointer could be invalid in au0828_analog_stream_enable() and a call
      to usb_ifnum_to_if() will result in the null pointer dereference.
      
      This problem is found with the new media_dev_allocator.sh test.
      
      kernel: [  590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
      kernel: [  590.359627] #PF error: [normal kernel read fault]
      kernel: [  590.359629] PGD 0 P4D 0
      kernel: [  590.359632] Oops: 0000 [#1] SMP PTI
      kernel: [  590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
      kernel: [  590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
      kernel: [  590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
      kernel: [  590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
       10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
      6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
      9 74
      kernel: [  590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
      kernel: [  590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
      kernel: [  590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
      kernel: [  590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
      kernel: [  590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
      kernel: [  590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
      kernel: [  590.359654] FS:  00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
      kernel: [  590.359655] CS:  0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
      kernel: [  590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
      kernel: [  590.359658] Call Trace:
      kernel: [  590.359664]  ? au0828_analog_stream_enable+0x2c/0x180
      kernel: [  590.359666]  au0828_v4l2_open+0xa4/0x110
      kernel: [  590.359670]  v4l2_open+0x8b/0x120
      kernel: [  590.359674]  chrdev_open+0xa6/0x1c0
      kernel: [  590.359676]  ? cdev_put.part.3+0x20/0x20
      kernel: [  590.359678]  do_dentry_open+0x1f6/0x360
      kernel: [  590.359681]  vfs_open+0x2f/0x40
      kernel: [  590.359684]  path_openat+0x299/0xc20
      kernel: [  590.359688]  do_filp_open+0x9b/0x110
      kernel: [  590.359695]  ? _raw_spin_unlock+0x27/0x40
      kernel: [  590.359697]  ? __alloc_fd+0xb2/0x160
      kernel: [  590.359700]  do_sys_open+0x1ba/0x260
      kernel: [  590.359702]  ? do_sys_open+0x1ba/0x260
      kernel: [  590.359712]  __x64_sys_openat+0x20/0x30
      kernel: [  590.359715]  do_syscall_64+0x5a/0x120
      kernel: [  590.359718]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NShuah Khan <shuah@kernel.org>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a90ce66a
    • H
      media: stm32-dcmi: fix crash when subdev do not expose any formats · 2096b3ba
      Hugues Fruchet 提交于
      [ Upstream commit 33dfeb62e23c31619d2197850f7e8b50e8cc5466 ]
      
      Do not access sd_formats[] if num_of_sd_formats is zero, ie
      subdev sensor didn't expose any formats.
      Signed-off-by: NHugues Fruchet <hugues.fruchet@st.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2096b3ba