1. 03 4月, 2019 40 次提交
    • S
      staging: speakup_soft: Fix alternate speech with other synths · 86092f2d
      Samuel Thibault 提交于
      commit 45ac7b31bc6c4af885cc5b5d6c534c15bcbe7643 upstream.
      
      When switching from speakup_soft to another synth, speakup_soft would
      keep calling synth_buffer_getc() from softsynthx_read.
      
      Let's thus make synth.c export the knowledge of the current synth, so
      that speakup_soft can determine whether it should be running.
      
      speakup_soft also needs to set itself alive, otherwise the switch would
      let it remain silent.
      Signed-off-by: NSamuel Thibault <samuel.thibault@ens-lyon.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86092f2d
    • I
      staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest · d0360bf4
      Ian Abbott 提交于
      commit bafd9c64056cd034a1174dcadb65cd3b294ff8f6 upstream.
      
      `ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
      subdevice (subdevice 2) of supported National Instruments M-series
      cards.  It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
      ioctls for this subdevice.  There are two causes for a possible
      divide-by-zero error when validating that the `stop_arg` member of the
      passed-in command is not too large.
      
      The first cause for the divide-by-zero is that calls to
      `comedi_bytes_per_scan()` are only valid once the command has been
      copied to `s->async->cmd`, but that copy is only done for the
      `COMEDI_CMD` ioctl.  For the `COMEDI_CMDTEST` ioctl, it will use
      whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
      (This is very likely, as it is usual for the application to use
      `COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
      valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
      will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
      `s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
      divide-by-zero error.  To fix this error, call a new function
      `comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
      `comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
      its calculations.  (Also refactor `comedi_bytes_per_scan()` to call the
      new function.)
      
      Once the first cause for the divide-by-zero has been fixed, the second
      cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
      the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
      Fix it by only performing the division (and validating that `stop_arg`
      is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
      returns a non-zero value.
      
      The problem was reported on the COMEDI mailing list here:
      https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKMReported-by: NIvan Vasilyev <grabesstimme@gmail.com>
      Tested-by: NIvan Vasilyev <grabesstimme@gmail.com>
      Fixes: f164cbf9 ("staging: comedi: ni_mio_common: add finite regeneration to dio output")
      Cc: <stable@vger.kernel.org> # 4.6+
      Cc: Spencer E. Olson <olsonse@umich.edu>
      Signed-off-by: NIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0360bf4
    • N
      tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup · 668ba38d
      Nathan Chancellor 提交于
      commit c5cbc78acf693f5605d4a85b1327fa7933daf092 upstream.
      
      When building with -Wsometimes-uninitialized, Clang warns:
      
      drivers/tty/serial/qcom_geni_serial.c:1079:6: warning: variable 'baud'
      is used uninitialized whenever 'if' condition is false
      [-Wsometimes-uninitialized]
      
      It's not wrong; when options is NULL, baud has no default value. Use
      9600 as that is a sane default.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/395Suggested-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      668ba38d
    • K
      tty: atmel_serial: fix a potential NULL pointer dereference · b9bbd1ed
      Kangjie Lu 提交于
      commit c85be041065c0be8bc48eda4c45e0319caf1d0e5 upstream.
      
      In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
      error code to avoid NULL pointer dereference.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Fixes: 34df42f5 ("serial: at91: add rx dma support")
      Acked-by: NRichard Genoud <richard.genoud@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9bbd1ed
    • K
      tty: mxs-auart: fix a potential NULL pointer dereference · 124e4206
      Kangjie Lu 提交于
      commit 6734330654dac550f12e932996b868c6d0dcb421 upstream.
      
      In case ioremap fails, the fix returns -ENOMEM to avoid NULL
      pointer dereferences.
      Multiple places use port.membase.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      124e4206
    • J
      drm/rockchip: vop: reset scale mode when win is disabled · 7fb7414d
      Jonas Karlman 提交于
      commit e9abc611a941d4051cde1d94b2ab7473fdb50102 upstream.
      
      NV12 framebuffers produced by the VPU shows distorted on RK3288
      after win has been disabled when scaling is active.
      
      This issue can be reproduced using a 1080p modeset by:
      - Scale a 1280x720 NV12 framebuffer to 1920x1080 on win0
      - Disable win0
      - Display a 1920x1080 NV12 framebuffer without scaling on win0
      - Output will now show the framebuffer distorted
      
      And by:
      - Scale a 1280x720 NV12 framebuffer to 1920x1080
      - Change to a 720p modeset (win gets disabled and scaling reset to none)
      - Output will now show the framebuffer distorted
      
      Fix this by setting scale mode to none when win is disabled.
      
      Fixes: 4c156c21 ("drm/rockchip: vop: support plane scale")
      Cc: stable@vger.kernel.org
      Signed-off-by: NJonas Karlman <jonas@kwiboo.se>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966DE3E19BACE07328CD637AC7D0@AM3PR03MB0966.eurprd03.prod.outlook.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fb7414d
    • S
      scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices · a93cd913
      Steffen Maier 提交于
      commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream.
      
      Suppose more than one non-NPIV FCP device is active on the same channel.
      Send I/O to storage and have some of the pending I/O run into a SCSI
      command timeout, e.g. due to bit errors on the fibre. Now the error
      situation stops. However, we saw FCP requests continue to timeout in the
      channel. The abort will be successful, but the subsequent TUR fails.
      Scsi_eh starts. The LUN reset fails. The target reset fails.  The host
      reset only did an FCP device recovery. However, for non-NPIV FCP devices,
      this does not close and reopen ports on the SAN-side if other non-NPIV FCP
      device(s) share the same open ports.
      
      In order to resolve the continuing FCP request timeouts, we need to
      explicitly close and reopen ports on the SAN-side.
      
      This was missing since the beginning of zfcp in v2.6.0 history commit
      ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.").
      
      Note: The FSF requests for forced port reopen could run into FSF request
      timeouts due to other reasons. This would trigger an internal FCP device
      recovery. Pending forced port reopen recoveries would get dismissed. So
      some ports might not get fully reopened during this host reset handler.
      However, subsequent I/O would trigger the above described escalation and
      eventually all ports would be forced reopen to resolve any continuing FCP
      request timeouts due to earlier bit errors.
      Signed-off-by: NSteffen Maier <maier@linux.ibm.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: <stable@vger.kernel.org> #3.0+
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Reviewed-by: NBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a93cd913
    • S
      scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host · 983a543d
      Steffen Maier 提交于
      commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream.
      
      An already deleted SCSI device can exist on the Scsi_Host and remain there
      because something still holds a reference.  A new SCSI device with the same
      H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created.  When
      we try to unblock an rport, we still find the deleted SCSI device and
      return early because the zfcp_scsi_dev of that SCSI device is not
      ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if
      the new proper SCSI device would be in good state.
      
      Therefore, skip deleted SCSI devices when iterating the sdevs of the shost.
      [cf. __scsi_device_lookup{_by_target}() or scsi_device_get()]
      
      The following abbreviated trace sequence can indicate such problem:
      
      Area           : REC
      Tag            : ersfs_3
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x40000000     not ZFCP_STATUS_COMMON_UNBLOCKED
      Ready count    : n		not incremented yet
      Running count  : 0x00000000
      ERP want       : 0x01
      ERP need       : 0xc1		ZFCP_ERP_ACTION_NONE
      
      Area           : REC
      Tag            : ersfs_3
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x41000000
      Ready count    : n+1
      Running count  : 0x00000000
      ERP want       : 0x01
      ERP need       : 0x01
      
      ...
      
      Area           : REC
      Level          : 4		only with increased trace level
      Tag            : ertru_l
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x40000000
      Request ID     : 0x0000000000000000
      ERP status     : 0x01800000
      ERP step       : 0x1000
      ERP action     : 0x01
      ERP count      : 0x00
      
      NOT followed by a trace record with tag "scpaddy"
      for WWPN 0x50050763031bd327.
      Signed-off-by: NSteffen Maier <maier@linux.ibm.com>
      Fixes: 6f2ce1c6 ("scsi: zfcp: fix rport unblock race with LUN recovery")
      Cc: <stable@vger.kernel.org> #2.6.32+
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Reviewed-by: NBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      983a543d
    • M
      scsi: sd: Quiesce warning if device does not report optimal I/O size · a52eb223
      Martin K. Petersen 提交于
      commit 1d5de5bd311be7cd54f02f7cd164f0349a75c876 upstream.
      
      Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple
      of physical block size") split one conditional into several separate
      statements in an effort to provide more accurate warning messages when
      a device reports a nonsensical value. However, this reorganization
      accidentally dropped the precondition of the reported value being
      larger than zero. This lead to a warning getting emitted on devices
      that do not report an optimal I/O size at all.
      
      Remain silent if a device does not report an optimal I/O size.
      
      Fixes: a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of physical block size")
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: <stable@vger.kernel.org>
      Reported-by: NHussam Al-Tayeb <ht990332@gmx.com>
      Tested-by: NHussam Al-Tayeb <ht990332@gmx.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a52eb223
    • B
      scsi: sd: Fix a race between closing an sd device and sd I/O · d7265877
      Bart Van Assche 提交于
      commit c14a57264399efd39514a2329c591a4b954246d8 upstream.
      
      The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and
      hence needs the disk->private_data pointer. Avoid that that pointer is
      cleared before all affected I/O requests have finished. This patch avoids
      that the following crash occurs:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
      Call trace:
       scsi_mq_uninit_cmd+0x1c/0x30
       scsi_end_request+0x7c/0x1b8
       scsi_io_completion+0x464/0x668
       scsi_finish_command+0xbc/0x160
       scsi_eh_flush_done_q+0x10c/0x170
       sas_scsi_recover_host+0x84c/0xa98 [libsas]
       scsi_error_handler+0x140/0x5b0
       kthread+0x100/0x12c
       ret_from_fork+0x10/0x18
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: Jason Yan <yanaijie@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Reported-by: NJason Yan <yanaijie@huawei.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7265877
    • D
      ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock · 3b3fcc3d
      Darrick J. Wong 提交于
      commit e6a9467ea14bae8691b0f72c500510c42ea8edb8 upstream.
      
      ocfs2_reflink_inodes_lock() can swap the inode1/inode2 variables so that
      we always grab cluster locks in order of increasing inode number.
      
      Unfortunately, we forget to swap the inode record buffer head pointers
      when we've done this, which leads to incorrect bookkeepping when we're
      trying to make the two inodes have the same refcount tree.
      
      This has the effect of causing filesystem shutdowns if you're trying to
      reflink data from inode 100 into inode 97, where inode 100 already has a
      refcount tree attached and inode 97 doesn't.  The reflink code decides
      to copy the refcount tree pointer from 100 to 97, but uses inode 97's
      inode record to open the tree root (which it doesn't have) and blows up.
      This issue causes filesystem shutdowns and metadata corruption!
      
      Link: http://lkml.kernel.org/r/20190312214910.GK20533@magnolia
      Fixes: 29ac8e85 ("ocfs2: implement the VFS clone_range, copy_range, and dedupe_range features")
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: NJoseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b3fcc3d
    • T
      fs/open.c: allow opening only regular files during execve() · 72b790c4
      Tetsuo Handa 提交于
      commit 73601ea5b7b18eb234219ae2adf77530f389da79 upstream.
      
      syzbot is hitting lockdep warning [1] due to trying to open a fifo
      during an execve() operation.  But we don't need to open non regular
      files during an execve() operation, for all files which we will need are
      the executable file itself and the interpreter programs like /bin/sh and
      ld-linux.so.2 .
      
      Since the manpage for execve(2) says that execve() returns EACCES when
      the file or a script interpreter is not a regular file, and the manpage
      for uselib(2) says that uselib() can return EACCES, and we use
      FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non
      regular file is requested with FMODE_EXEC set.
      
      Since this deadlock followed by khungtaskd warnings is trivially
      reproducible by a local unprivileged user, and syzbot's frequent crash
      due to this deadlock defers finding other bugs, let's workaround this
      deadlock until we get a chance to find a better solution.
      
      [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
      
      Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jpReported-by: Nsyzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
      Fixes: 8924feff ("splice: lift pipe_lock out of splice_to_pipe()")
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: NKees Cook <keescook@chromium.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>	[4.9+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72b790c4
    • F
      kbuild: modversions: Fix relative CRC byte order interpretation · aa7f29f8
      Fredrik Noring 提交于
      commit 54a7151b1496cddbb7a83546b7998103e98edc88 upstream.
      
      Fix commit 56067812 ("kbuild: modversions: add infrastructure for
      emitting relative CRCs") where CRCs are interpreted in host byte order
      rather than proper kernel byte order. The bug is conditional on
      CONFIG_MODULE_REL_CRCS.
      
      For example, when loading a BE module into a BE kernel compiled with a LE
      system, the error "disagrees about version of symbol module_layout" is
      produced. A message such as "Found checksum D7FA6856 vs module 5668FAD7"
      will be given with debug enabled, which indicates an obvious endian
      problem within __kcrctab within the kernel image.
      
      The general solution is to use the macro TO_NATIVE, as is done in
      similar cases throughout modpost.c. With this correction it has been
      verified that a BE kernel compiled with a LE system accepts BE modules.
      
      This change has also been verified with a LE kernel compiled with a LE
      system, in which case TO_NATIVE returns its value unmodified since the
      byte orders match. This is by far the common case.
      
      Fixes: 56067812 ("kbuild: modversions: add infrastructure for emitting relative CRCs")
      Signed-off-by: NFredrik Noring <noring@nocrew.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa7f29f8
    • B
      ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops · 4dfae837
      Bernhard Rosenkraenzer 提交于
      commit e2a829b3da01b9b32c4d0291d042b8a6e2a98ca3 upstream.
      
      On an Acer Predator Helios 500 (Ryzen version), the laptop's speakers
      don't work out of the box.
      
      The problem can be worked around with hdajackretask, remapping the
      "Black Headphone, Right side" pin (0x21) to the Internal speaker.
      
      This patch adds a quirk to change this mapping by default.
      
      [ corrected ALC299_FIXUP_PREDATOR_SPK definition and adapted for the
        latest tree by tiwai ]
      Signed-off-by: NBernhard Rosenkraenzer <bero@lindev.ch>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4dfae837
    • J
      ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256 · 6f3dbb71
      Jian-Hong Pan 提交于
      commit 6ac371aa1a74240fb910c98aa3484d5ece8473d3 upstream.
      
      The ASUS X430UN and X512DK with ALC256 cannot detect the headset MIC
      until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f3dbb71
    • C
      ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256 · 633d5db4
      Chris Chiu 提交于
      commit a806ef1cf3bbc0baadc6cdeb11f12b5dd27e91c2 upstream.
      
      The ASUS laptop P5440FF with ALC256 can't detect the headset microphone
      until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.
      Signed-off-by: NChris Chiu <chiu@endlessm.com>
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      633d5db4
    • J
      ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256 · fd4000c7
      Jian-Hong Pan 提交于
      commit e1037354a0a75acdea2b27043c0a371ed85cf262 upstream.
      
      The ASUS laptop X441MB and X705FD with ALC256 cannot detect the headset
      MIC until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied.
      Signed-off-by: NChris Chiu <chiu@endlessm.com>
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd4000c7
    • C
      ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic · 48e8e6a7
      Chris Chiu 提交于
      commit c7531e31c8a440b5fe6bd62664def5bcb6262f96 upstream.
      
      The Acer laptop Aspire E5-523G and ES1-432 with ALC255 can't detect
      the headset microphone until ALC255_FIXUP_ACER_MIC_NO_PRESENCE quirk
      applied.
      Signed-off-by: NChris Chiu <chiu@endlessm.com>
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48e8e6a7
    • J
      ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286 · 5fa5a867
      Jian-Hong Pan 提交于
      commit 2733ccebf4a937a0858e7d05a4a003b89715033f upstream.
      
      The Acer Aspire Z24-890 cannot detect the headset MIC until
      ALC286_FIXUP_ACER_AIO_HEADSET_MIC quirk applied.
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fa5a867
    • J
      ALSA: hda/realtek: Enable headset MIC of Acer AIO with ALC286 · 5ec67684
      Jian-Hong Pan 提交于
      commit 667a8f73753908c4d0171e52b71774f9be5d6713 upstream.
      
      Some Acer AIO desktops like Veriton Z6860G, Z4860G and Z4660G cannot
      record sound from headset MIC.  This patch adds the
      ALC286_FIXUP_ACER_AIO_HEADSET_MIC quirk to fix this issue.
      
      Fixes: 9f8aefed9623 ("ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G")
      Fixes: b72f936f6b32 ("ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G")
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Reviewed-by: NKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ec67684
    • K
      ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB · 89ec6d40
      Kailang Yang 提交于
      commit da484d00f020af3dd7cfcc6c4b69a7f856832883 upstream.
      
      Enable headset mode support for new WYSE NB platform.
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      89ec6d40
    • K
      ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO · 522f06c9
      Kailang Yang 提交于
      commit 136824efaab2c095fc911048f7c7ddeda258c965 upstream.
      
      This patch will enable WYSE AIO for Headset mode.
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      522f06c9
    • T
      ALSA: pcm: Don't suspend stream in unrecoverable PCM state · 5b93302b
      Takashi Iwai 提交于
      commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream.
      
      Currently PCM core sets each opened stream forcibly to SUSPENDED state
      via snd_pcm_suspend_all() call, and the user-space is responsible for
      re-triggering the resume manually either via snd_pcm_resume() or
      prepare call.  The scheme works fine usually, but there are corner
      cases where the stream can't be resumed by that call: the streams
      still in OPEN state before finishing hw_params.  When they are
      suspended, user-space cannot perform resume or prepare because they
      haven't been set up yet.  The only possible recovery is to re-open the
      device, which isn't nice at all.  Similarly, when a stream is in
      DISCONNECTED state, it makes no sense to change it to SUSPENDED
      state.  Ditto for in SETUP state; which you can re-prepare directly.
      
      So, this patch addresses these issues by filtering the PCM streams to
      be suspended by checking the PCM state.  When a stream is in either
      OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
      action is skipped.
      
      To be noted, this problem was originally reported for the PCM runtime
      PM on HD-audio.  And, the runtime PM problem itself was already
      addressed (although not intended) by the code refactoring commits
      3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM
      ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous
      snd_pcm_suspend*() calls").  These commits eliminated the
      snd_pcm_suspend*() calls from the runtime PM suspend callback code
      path, hence the racy OPEN state won't appear while runtime PM.
      (FWIW, the race window is between snd_pcm_open_substream() and the
      first power up in azx_pcm_open().)
      
      Although the runtime PM issue was already "fixed", the same problem is
      still present for the system PM, hence this patch is still needed.
      And for stable trees, this patch alone should suffice for fixing the
      runtime PM problem, too.
      Reported-and-tested-by: NJon Hunter <jonathanh@nvidia.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b93302b
    • T
      ALSA: pcm: Fix possible OOB access in PCM oss plugins · 7fc6064d
      Takashi Iwai 提交于
      commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream.
      
      The PCM OSS emulation converts and transfers the data on the fly via
      "plugins".  The data is converted over the dynamically allocated
      buffer for each plugin, and recently syzkaller caught OOB in this
      flow.
      
      Although the bisection by syzbot pointed out to the commit
      65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer
      allocations"), this is merely a commit to replace vmalloc() with
      kvmalloc(), hence it can't be the cause.  The further debug action
      revealed that this happens in the case where a slave PCM doesn't
      support only the stereo channels while the OSS stream is set up for a
      mono channel.  Below is a brief explanation:
      
      At each OSS parameter change, the driver sets up the PCM hw_params
      again in snd_pcm_oss_change_params_lock().  This is also the place
      where plugins are created and local buffers are allocated.  The
      problem is that the plugins are created before the final hw_params is
      determined.  Namely, two snd_pcm_hw_param_near() calls for setting the
      period size and periods may influence on the final result of channels,
      rates, etc, too, while the current code has already created plugins
      beforehand with the premature values.  So, the plugin believes that
      channels=1, while the actual I/O is with channels=2, which makes the
      driver reading/writing over the allocated buffer size.
      
      The fix is simply to move the plugin allocation code after the final
      hw_params call.
      
      Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fc6064d
    • G
      ALSA: seq: oss: Fix Spectre v1 vulnerability · b425f452
      Gustavo A. R. Silva 提交于
      commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.
      
      dev is indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)
      
      Fix this by sanitizing dev before using it to index dp->synths.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b425f452
    • G
      ALSA: rawmidi: Fix potential Spectre v1 vulnerability · bd55e672
      Gustavo A. R. Silva 提交于
      commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream.
      
      info->stream is indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)
      
      Fix this by sanitizing info->stream before using it to index
      rmidi->streams.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd55e672
    • C
      net: dsa: qca8k: remove leftover phy accessors · a485919f
      Christian Lamparter 提交于
      commit 1eec7151ae0e134bd42e3f128066b2ff8da21393 upstream.
      
      This belated patch implements Andrew Lunn's request of
      "remove the phy_read() and phy_write() functions."
      <https://lore.kernel.org/patchwork/comment/902734/>
      
      While seemingly harmless, this causes the switch's user
      port PHYs to get registered twice. This is because the
      DSA subsystem will create a slave mdio-bus not knowing
      that the qca8k_phy_(read|write) accessors operate on
      the external mdio-bus. So the same "bus" gets effectively
      duplicated.
      
      Cc: stable@vger.kernel.org
      Fixes: 6b93fb46 ("net-next: dsa: add new driver for qca8xxx family")
      Signed-off-by: NChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a485919f
    • O
      NFSv4.1 don't free interrupted slot on open · 64751542
      Olga Kornievskaia 提交于
      commit 0cb98abb5bd13b9a636bde603d952d722688b428 upstream.
      
      Allow the async rpc task for finish and update the open state if needed,
      then free the slot. Otherwise, the async rpc unable to decode the reply.
      Signed-off-by: NOlga Kornievskaia <kolga@netapp.com>
      Fixes: ae55e59d ("pnfs: Don't release the sequence slot...")
      Cc: stable@vger.kernel.org # v4.18+
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64751542
    • N
      NFS: fix mount/umount race in nlmclnt. · da57cba4
      NeilBrown 提交于
      commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream.
      
      If the last NFSv3 unmount from a given host races with a mount from the
      same host, we can destroy an nlm_host that is still in use.
      
      Specifically nlmclnt_lookup_host() can increment h_count on
      an nlm_host that nlmclnt_release_host() has just successfully called
      refcount_dec_and_test() on.
      Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_lock()
      will be called to destroy the nlmclnt which is now in use again.
      
      The cause of the problem is that the dec_and_test happens outside the
      locked region.  This is easily fixed by using
      refcount_dec_and_mutex_lock().
      
      Fixes: 8ea6ecc8 ("lockd: Create client-side nlm_host cache")
      Cc: stable@vger.kernel.org (v2.6.38+)
      Signed-off-by: NNeilBrown <neilb@suse.com>
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da57cba4
    • C
      vfio: ccw: only free cp on final interrupt · 0f273f0c
      Cornelia Huck 提交于
      commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17 upstream.
      
      When we get an interrupt for a channel program, it is not
      necessarily the final interrupt; for example, the issuing
      guest may request an intermediate interrupt by specifying
      the program-controlled-interrupt flag on a ccw.
      
      We must not switch the state to idle if the interrupt is not
      yet final; even more importantly, we must not free the translated
      channel program if the interrupt is not yet final, or the host
      can crash during cp rewind.
      
      Fixes: e5f84dba ("vfio: ccw: return I/O results asynchronously")
      Cc: stable@vger.kernel.org # v4.12+
      Reviewed-by: NEric Farman <farman@linux.ibm.com>
      Signed-off-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f273f0c
    • N
      powerpc: bpf: Fix generation of load/store DW instructions · 92d4ee2e
      Naveen N. Rao 提交于
      commit 86be36f6502c52ddb4b85938145324fd07332da1 upstream.
      
      Yauheni Kaliuta pointed out that PTR_TO_STACK store/load verifier test
      was failing on powerpc64 BE, and rightfully indicated that the PPC_LD()
      macro is not masking away the last two bits of the offset per the ISA,
      resulting in the generation of 'lwa' instruction instead of the intended
      'ld' instruction.
      
      Segher also pointed out that we can't simply mask away the last two bits
      as that will result in loading/storing from/to a memory location that
      was not intended.
      
      This patch addresses this by using ldx/stdx if the offset is not
      word-aligned. We load the offset into a temporary register (TMP_REG_2)
      and use that as the index register in a subsequent ldx/stdx. We fix
      PPC_LD() macro to mask off the last two bits, but enhance PPC_BPF_LL()
      and PPC_BPF_STL() to factor in the offset value and generate the proper
      instruction sequence. We also convert all existing users of PPC_LD() and
      PPC_STD() to use these macros. All existing uses of these macros have
      been audited to ensure that TMP_REG_2 can be clobbered.
      
      Fixes: 156d0e29 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
      Cc: stable@vger.kernel.org # v4.9+
      Reported-by: NYauheni Kaliuta <yauheni.kaliuta@redhat.com>
      Signed-off-by: NNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      92d4ee2e
    • K
      ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time · 9397f0d9
      Kohji Okuno 提交于
      commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream.
      
      In the current cpuidle implementation for i.MX6q, the CPU that sets
      'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
      the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
      "WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
      istead of "WAIT", this CPU can not wake up at expired time.
       Because, in the case of "WFI", the CPU must be waked up by the local
      timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
      is stopped, when all CPUs execute "wfi" instruction. As a result, the
      local timer interrupt is not fired.
       In this situation, this CPU will wake up by IRQ different from local
      timer. (e.g. broacast timer)
      
      So, this fix changes CPU to return to 'WAIT_CLOCKED'.
      Signed-off-by: NKohji Okuno <okuno.kohji@jp.panasonic.com>
      Fixes: e5f9dec8 ("ARM: imx6q: support WAIT mode using cpuidle")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NShawn Guo <shawnguo@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9397f0d9
    • F
      Btrfs: fix assertion failure on fsync with NO_HOLES enabled · fd1b2536
      Filipe Manana 提交于
      commit 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b upstream.
      
      Back in commit a89ca6f2 ("Btrfs: fix fsync after truncate when
      no_holes feature is enabled") I added an assertion that is triggered when
      an inline extent is found to assert that the length of the (uncompressed)
      data the extent represents is the same as the i_size of the inode, since
      that is true most of the time I couldn't find or didn't remembered about
      any exception at that time. Later on the assertion was expanded twice to
      deal with a case of a compressed inline extent representing a range that
      matches the sector size followed by an expanding truncate, and another
      case where fallocate can update the i_size of the inode without adding
      or updating existing extents (if the fallocate range falls entirely within
      the first block of the file). These two expansion/fixes of the assertion
      were done by commit 7ed586d0a8241 ("Btrfs: fix assertion on fsync of
      regular file when using no-holes feature") and commit 6399fb5a
      ("Btrfs: fix assertion failure during fsync in no-holes mode").
      These however missed the case where an falloc expands the i_size of an
      inode to exactly the sector size and inline extent exists, for example:
      
       $ mkfs.btrfs -f -O no-holes /dev/sdc
       $ mount /dev/sdc /mnt
      
       $ xfs_io -f -c "pwrite -S 0xab 0 1096" /mnt/foobar
       wrote 1096/1096 bytes at offset 0
       1 KiB, 1 ops; 0.0002 sec (4.448 MiB/sec and 4255.3191 ops/sec)
      
       $ xfs_io -c "falloc 1096 3000" /mnt/foobar
       $ xfs_io -c "fsync" /mnt/foobar
       Segmentation fault
      
       $ dmesg
       [701253.602385] assertion failed: len == i_size || (len == fs_info->sectorsize && btrfs_file_extent_compression(leaf, extent) != BTRFS_COMPRESS_NONE) || (len < i_size && i_size < fs_info->sectorsize), file: fs/btrfs/tree-log.c, line: 4727
       [701253.602962] ------------[ cut here ]------------
       [701253.603224] kernel BUG at fs/btrfs/ctree.h:3533!
       [701253.603503] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
       [701253.603774] CPU: 2 PID: 7192 Comm: xfs_io Tainted: G        W         5.0.0-rc8-btrfs-next-45 #1
       [701253.604054] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
       [701253.604650] RIP: 0010:assfail.constprop.23+0x18/0x1a [btrfs]
       (...)
       [701253.605591] RSP: 0018:ffffbb48c186bc48 EFLAGS: 00010286
       [701253.605914] RAX: 00000000000000de RBX: ffff921d0a7afc08 RCX: 0000000000000000
       [701253.606244] RDX: 0000000000000000 RSI: ffff921d36b16868 RDI: ffff921d36b16868
       [701253.606580] RBP: ffffbb48c186bcf0 R08: 0000000000000000 R09: 0000000000000000
       [701253.606913] R10: 0000000000000003 R11: 0000000000000000 R12: ffff921d05d2de18
       [701253.607247] R13: ffff921d03b54000 R14: 0000000000000448 R15: ffff921d059ecf80
       [701253.607769] FS:  00007f14da906700(0000) GS:ffff921d36b00000(0000) knlGS:0000000000000000
       [701253.608163] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       [701253.608516] CR2: 000056087ea9f278 CR3: 00000002268e8001 CR4: 00000000003606e0
       [701253.608880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       [701253.609250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       [701253.609608] Call Trace:
       [701253.609994]  btrfs_log_inode+0xdfb/0xe40 [btrfs]
       [701253.610383]  btrfs_log_inode_parent+0x2be/0xa60 [btrfs]
       [701253.610770]  ? do_raw_spin_unlock+0x49/0xc0
       [701253.611150]  btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
       [701253.611537]  btrfs_sync_file+0x3b2/0x440 [btrfs]
       [701253.612010]  ? do_sysinfo+0xb0/0xf0
       [701253.612552]  do_fsync+0x38/0x60
       [701253.612988]  __x64_sys_fsync+0x10/0x20
       [701253.613360]  do_syscall_64+0x60/0x1b0
       [701253.613733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
       [701253.614103] RIP: 0033:0x7f14da4e66d0
       (...)
       [701253.615250] RSP: 002b:00007fffa670fdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
       [701253.615647] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f14da4e66d0
       [701253.616047] RDX: 000056087ea9c260 RSI: 000056087ea9c260 RDI: 0000000000000003
       [701253.616450] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000010
       [701253.616854] R10: 000000000000009b R11: 0000000000000246 R12: 000056087ea9c260
       [701253.617257] R13: 000056087ea9c240 R14: 0000000000000000 R15: 000056087ea9dd10
       (...)
       [701253.619941] ---[ end trace e088d74f132b6da5 ]---
      
      Updating the assertion again to allow for this particular case would result
      in a meaningless assertion, plus there is currently no risk of logging
      content that would result in any corruption after a log replay if the size
      of the data encoded in an inline extent is greater than the inode's i_size
      (which is not currently possibe either with or without compression),
      therefore just remove the assertion.
      
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd1b2536
    • N
      btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size · 0ae3b84b
      Nikolay Borisov 提交于
      commit 139a56170de67101791d6e6c8e940c6328393fe9 upstream.
      
      qgroup_rsv_size is calculated as the product of
      outstanding_extent * fs_info->nodesize. The product is calculated with
      32 bit precision since both variables are defined as u32. Yet
      qgroup_rsv_size expects a 64 bit result.
      
      Avoid possible multiplication overflow by casting outstanding_extent to
      u64. Such overflow would in the worst case (64K nodesize) require more
      than 65536 extents, which is quite large and i'ts not likely that it
      would happen in practice.
      
      Fixes-coverity-id: 1435101
      Fixes: ff6bc37e ("btrfs: qgroup: Use independent and accurate per inode qgroup rsv")
      CC: stable@vger.kernel.org # 4.19+
      Reviewed-by: NQu Wenruo <wqu@suse.com>
      Signed-off-by: NNikolay Borisov <nborisov@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ae3b84b
    • A
      btrfs: raid56: properly unmap parity page in finish_parity_scrub() · 1cf4ab01
      Andrea Righi 提交于
      commit 3897b6f0a859288c22fb793fad11ec2327e60fcd upstream.
      
      Parity page is incorrectly unmapped in finish_parity_scrub(), triggering
      a reference counter bug on i386, i.e.:
      
       [ 157.662401] kernel BUG at mm/highmem.c:349!
       [ 157.666725] invalid opcode: 0000 [#1] SMP PTI
      
      The reason is that kunmap(p_page) was completely left out, so we never
      did an unmap for the p_page and the loop unmapping the rbio page was
      iterating over the wrong number of stripes: unmapping should be done
      with nr_data instead of rbio->real_stripes.
      
      Test case to reproduce the bug:
      
       - create a raid5 btrfs filesystem:
         # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde
      
       - mount it:
         # mount /dev/sdb /mnt
      
       - run btrfs scrub in a loop:
         # while :; do btrfs scrub start -BR /mnt; done
      
      BugLink: https://bugs.launchpad.net/bugs/1812845
      Fixes: 5a6ac9ea ("Btrfs, raid56: support parity scrub on raid56")
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: NJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: NAndrea Righi <andrea.righi@canonical.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cf4ab01
    • D
      btrfs: don't report readahead errors and don't update statistics · d952c337
      David Sterba 提交于
      commit 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac upstream.
      
      As readahead is an optimization, all errors are usually filtered out,
      but still properly handled when the real read call is done. The commit
      5e9d3982 ("btrfs: readpages() should submit IO as read-ahead") added
      REQ_RAHEAD to readpages() because that's only used for readahead
      (despite what one would expect from the callback name).
      
      This causes a flood of messages and inflated read error stats, so skip
      reporting in case it's readahead.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202403Reported-by: NLimeTech <tomm@lime-technology.com>
      Fixes: 5e9d3982 ("btrfs: readpages() should submit IO as read-ahead")
      CC: stable@vger.kernel.org # 4.19+
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d952c337
    • J
      btrfs: remove WARN_ON in log_dir_items · b57220cc
      Josef Bacik 提交于
      commit 2cc8334270e281815c3850c3adea363c51f21e0d upstream.
      
      When Filipe added the recursive directory logging stuff in
      2f2ff0ee ("Btrfs: fix metadata inconsistencies after directory
      fsync") he specifically didn't take the directory i_mutex for the
      children directories that we need to log because of lockdep.  This is
      generally fine, but can lead to this WARN_ON() tripping if we happen to
      run delayed deletion's in between our first search and our second search
      of dir_item/dir_indexes for this directory.  We expect this to happen,
      so the WARN_ON() isn't necessary.  Drop the WARN_ON() and add a comment
      so we know why this case can happen.
      
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b57220cc
    • F
      Btrfs: fix incorrect file size after shrinking truncate and fsync · 22dcb30f
      Filipe Manana 提交于
      commit bf504110bc8aa05df48b0e5f0aa84bfb81e0574b upstream.
      
      If we do a shrinking truncate against an inode which is already present
      in the respective log tree and then rename it, as part of logging the new
      name we end up logging an inode item that reflects the old size of the
      file (the one which we previously logged) and not the new smaller size.
      The decision to preserve the size previously logged was added by commit
      1a4bcf47 ("Btrfs: fix fsync data loss after adding hard link to
      inode") in order to avoid data loss after replaying the log. However that
      decision is only needed for the case the logged inode size is smaller then
      the current size of the inode, as explained in that commit's change log.
      If the current size of the inode is smaller then the previously logged
      size, we know a shrinking truncate happened and therefore need to use
      that smaller size.
      
      Example to trigger the problem:
      
        $ mkfs.btrfs -f /dev/sdb
        $ mount /dev/sdb /mnt
      
        $ xfs_io -f -c "pwrite -S 0xab 0 8000" /mnt/foo
        $ xfs_io -c "fsync" /mnt/foo
        $ xfs_io -c "truncate 3000" /mnt/foo
      
        $ mv /mnt/foo /mnt/bar
        $ xfs_io -c "fsync" /mnt/bar
      
        <power failure>
      
        $ mount /dev/sdb /mnt
        $ od -t x1 -A d /mnt/bar
        0000000 ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab
        *
        0008000
      
      Once we rename the file, we log its name (and inode item), and because
      the inode was already logged before in the current transaction, we log it
      with a size of 8000 bytes because that is the size we previously logged
      (with the first fsync). As part of the rename, besides logging the inode,
      we do also sync the log, which is done since commit d4682ba0
      ("Btrfs: sync log after logging new name"), so the next fsync against our
      inode is effectively a no-op, since no new changes happened since the
      rename operation. Even if did not sync the log during the rename
      operation, the same problem (fize size of 8000 bytes instead of 3000
      bytes) would be visible after replaying the log if the log ended up
      getting synced to disk through some other means, such as for example by
      fsyncing some other modified file. In the example above the fsync after
      the rename operation is there just because not every filesystem may
      guarantee logging/journalling the inode (and syncing the log/journal)
      during the rename operation, for example it is needed for f2fs, but not
      for ext4 and xfs.
      
      Fix this scenario by, when logging a new name (which is triggered by
      rename and link operations), using the current size of the inode instead
      of the previously logged inode size.
      
      A test case for fstests follows soon.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202695
      CC: stable@vger.kernel.org # 4.4+
      Reported-by: NSeulbae Kim <seulbae@gatech.edu>
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22dcb30f
    • M
      powerpc/security: Fix spectre_v2 reporting · a1df5db3
      Michael Ellerman 提交于
      commit 92edf8df0ff2ae86cc632eeca0e651fd8431d40d upstream.
      
      When I updated the spectre_v2 reporting to handle software count cache
      flush I got the logic wrong when there's no software count cache
      enabled at all.
      
      The result is that on systems with the software count cache flush
      disabled we print:
      
        Mitigation: Indirect branch cache disabled, Software count cache flush
      
      Which correctly indicates that the count cache is disabled, but
      incorrectly says the software count cache flush is enabled.
      
      The root of the problem is that we are trying to handle all
      combinations of options. But we know now that we only expect to see
      the software count cache flush enabled if the other options are false.
      
      So split the two cases, which simplifies the logic and fixes the bug.
      We were also missing a space before "(hardware accelerated)".
      
      The result is we see one of:
      
        Mitigation: Indirect branch serialisation (kernel only)
        Mitigation: Indirect branch cache disabled
        Mitigation: Software count cache flush
        Mitigation: Software count cache flush (hardware accelerated)
      
      Fixes: ee13cb24 ("powerpc/64s: Add support for software count cache flush")
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: NMichael Neuling <mikey@neuling.org>
      Reviewed-by: NDiana Craciun <diana.craciun@nxp.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1df5db3
    • C
      powerpc/fsl: Fix the flush of branch predictor. · 986f0c65
      Christophe Leroy 提交于
      commit 27da80719ef132cf8c80eb406d5aeb37dddf78cc upstream.
      
      The commit identified below adds MC_BTB_FLUSH macro only when
      CONFIG_PPC_FSL_BOOK3E is defined. This results in the following error
      on some configs (seen several times with kisskb randconfig_defconfig)
      
      arch/powerpc/kernel/exceptions-64e.S:576: Error: Unrecognized opcode: `mc_btb_flush'
      make[3]: *** [scripts/Makefile.build:367: arch/powerpc/kernel/exceptions-64e.o] Error 1
      make[2]: *** [scripts/Makefile.build:492: arch/powerpc/kernel] Error 2
      make[1]: *** [Makefile:1043: arch/powerpc] Error 2
      make: *** [Makefile:152: sub-make] Error 2
      
      This patch adds a blank definition of MC_BTB_FLUSH for other cases.
      
      Fixes: 10c5e83afd4a ("powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)")
      Cc: Diana Craciun <diana.craciun@nxp.com>
      Signed-off-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Reviewed-by: NDaniel Axtens <dja@axtens.net>
      Reviewed-by: NDiana Craciun <diana.craciun@nxp.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      986f0c65