1. 01 10月, 2019 25 次提交
    • H
      ASoC: Intel: cht_bsw_max98090_ti: Enable codec clock once and keep it enabled · a5e2c650
      Hans de Goede 提交于
      commit 4bcdec39c454c4e8f9512115bdcc3efec1ba5f55 upstream.
      
      Users have been seeing sound stability issues with max98090 codecs since:
      commit 648e9218 ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
      
      At first that commit broke sound for Chromebook Swanky and Clapper models,
      the problem was that the machine-driver has been controlling the wrong
      clock on those models since support for them was added. This was hidden by
      clk-pmc-atom.c keeping the actual clk on unconditionally.
      
      With the machine-driver controlling the proper clock, sound works again
      but we are seeing bug reports describing it as: low volume,
      "sounds like played at 10x speed" and instable.
      
      When these issues are hit the following message is seen in dmesg:
      "max98090 i2c-193C9890:00: PLL unlocked".
      
      Attempts have been made to fix this by inserting a delay between enabling
      the clk and enabling and checking the pll, but this has not helped.
      
      It seems that at least on boards which use pmc_plt_clk_0 as clock,
      if we ever disable the clk, the pll looses its lock and after that we get
      various issues.
      
      This commit fixes this by enabling the clock once at probe time on
      these boards. In essence this restores the old behavior of clk-pmc-atom.c
      always keeping the clk on on these boards.
      
      Fixes: 648e9218 ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
      Reported-by: NMogens Jensen <mogens-jensen@protonmail.com>
      Reported-by: NDean Wallace <duffydack73@gmail.com>
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Acked-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a5e2c650
    • M
      media: tvp5150: fix switch exit in set control handler · ec2a3681
      Marco Felsch 提交于
      commit 2d29bcc8c237874795175b2930fa9a45a115175a upstream.
      
      The function only consists of a single switch case block without a
      default case. Unsupported control requests are indicated by the -EINVAL
      return code trough the last return statement at the end of the function. So
      exiting just the switch case block returns the -EINVAL error code but the
      hue control is supported and a zero should be returned instead.
      
      Replace the break by a 'return 0' to fix this behaviour.
      
      Fixes: d183e4ef ("[media] v4l: tvp5150: Add missing break in set
      control handler")
      Signed-off-by: NMarco Felsch <m.felsch@pengutronix.de>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec2a3681
    • N
      iwlwifi: mvm: always init rs_fw with 20MHz bandwidth rates · ba686070
      Naftali Goldstein 提交于
      commit 2859de7637b541dc7191f4d3fce4a1adba80fb3e upstream.
      
      As with the non-offloaded rs case, during assoc on the ap side the phy
      context is set to 20MHz until authorization of a client that supports
      wider channel-widths. Support this by sending the initial
      tlc_config_cmd with max supported channel width of 20MHz until
      authorization succeeds.
      
      Fixes: 6b7a5aea ("iwlwifi: mvm: always init rs with 20mhz bandwidth rates")
      Signed-off-by: NNaftali Goldstein <naftali.goldstein@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba686070
    • E
      iwlwifi: mvm: send BCAST management frames to the right station · ced0676f
      Emmanuel Grumbach 提交于
      commit 65c3b582ecab7a403efdf08babbf87fdbe27369c upstream.
      
      Probe responses were sent to the multicast station while
      they should be routed to the broadcast station.
      This has no negative effect since the frame was still
      routed to the right queue, but it looked very fishy
      to send a frame to a (queue, station) tuple where
      'queue' is not mapped to 'station'.
      
      Fixes: 7c305de2 ("iwlwifi: mvm: Direct multicast frames to the correct station")
      Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ced0676f
    • S
      net/mlx5e: Rx, Check ip headers sanity · b3873e34
      Saeed Mahameed 提交于
      [ Upstream commit 0318a7b7fcad9765931146efa7ca3a034194737c ]
      
      In the two places is_last_ethertype_ip is being called, the caller will
      be looking inside the ip header, to be safe, add ip{4,6} header sanity
      check. And return true only on valid ip headers, i.e: the whole header
      is contained in the linear part of the skb.
      
      Note: Such situation is very rare and hard to reproduce, since mlx5e
      allocates a large enough headroom to contain the largest header one can
      imagine.
      
      Fixes: fe1dc069990c ("net/mlx5e: don't set CHECKSUM_COMPLETE on SCTP packets")
      Reported-by: NCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3873e34
    • S
      net/mlx5e: Rx, Fixup skb checksum for packets with tail padding · 404f118f
      Saeed Mahameed 提交于
      [ Upstream commit 0aa1d18615c163f92935b806dcaff9157645233a ]
      
      When an ethernet frame with ip payload is padded, the padding octets are
      not covered by the hardware checksum.
      
      Prior to the cited commit, skb checksum was forced to be CHECKSUM_NONE
      when padding is detected. After it, the kernel will try to trim the
      padding bytes and subtract their checksum from skb->csum.
      
      In this patch we fixup skb->csum for any ip packet with tail padding of
      any size, if any padding found.
      FCS case is just one special case of this general purpose patch, hence,
      it is removed.
      
      Fixes: 88078d98 ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
      Cc: Eric Dumazet <edumazet@google.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      404f118f
    • S
      net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded · c95ebb39
      Saeed Mahameed 提交于
      [ Upstream commit 5d0bb3bac4b9f6c22280b04545626fdfd99edc6b ]
      
      XDP programs might change packets data contents which will make the
      reported skb checksum (checksum complete) invalid.
      
      When XDP programs are loaded/unloaded set/clear rx RQs
      MLX5E_RQ_STATE_NO_CSUM_COMPLETE flag.
      
      Fixes: 86994156 ("net/mlx5e: XDP fast RX drop bpf programs support")
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c95ebb39
    • O
      net/mlx5e: Allow reporting of checksum unnecessary · 79e972a8
      Or Gerlitz 提交于
      [ Upstream commit b856df28f9230a47669efbdd57896084caadb2b3 ]
      
      Currently we practically never report checksum unnecessary, because
      for all IP packets we take the checksum complete path.
      
      Enable non-default runs with reprorting checksum unnecessary, using
      an ethtool private flag. This can be useful for performance evals
      and other explorations.
      
      Required by downstream patch which fixes XDP checksum.
      
      Fixes: 86994156 ("net/mlx5e: XDP fast RX drop bpf programs support")
      Signed-off-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      79e972a8
    • C
      mlx5: fix get_ip_proto() · 8da68f79
      Cong Wang 提交于
      [ Upstream commit ef6fcd455278c2be3032a346cc66d9dd9866b787 ]
      
      IP header is not necessarily located right after struct ethhdr,
      there could be multiple 802.1Q headers in between, this is why
      we call __vlan_get_protocol().
      
      Fixes: fe1dc069990c ("net/mlx5e: don't set CHECKSUM_COMPLETE on SCTP packets")
      Cc: Alaa Hleihel <alaa@mellanox.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Cc: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Acked-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8da68f79
    • A
      net/mlx5e: don't set CHECKSUM_COMPLETE on SCTP packets · 44da0257
      Alaa Hleihel 提交于
      [ Upstream commit fe1dc069990c1f290ef6b99adb46332c03258f38 ]
      
      CHECKSUM_COMPLETE is not applicable to SCTP protocol.
      Setting it for SCTP packets leads to CRC32c validation failure.
      
      Fixes: bbceefce ("net/mlx5e: Support RX CHECKSUM_COMPLETE")
      Signed-off-by: NAlaa Hleihel <alaa@mellanox.com>
      Reviewed-by: NOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44da0257
    • N
      net/mlx5e: Set ECN for received packets using CQE indication · 6debda97
      Natali Shechtman 提交于
      [ Upstream commit f007c13d4ad62f494c83897eda96437005df4a91 ]
      
      In multi-host (MH) NIC scheme, a single HW port serves multiple hosts
      or sockets on the same host.
      The HW uses a mechanism in the PCIe buffer which monitors
      the amount of consumed PCIe buffers per host.
      On a certain configuration, under congestion,
      the HW emulates a switch doing ECN marking on packets using ECN
      indication on the completion descriptor (CQE).
      
      The driver needs to set the ECN bits on the packet SKB,
      such that the network stack can react on that, this commit does that.
      
      Needed by downstream patch which fixes a mlx5 checksum issue.
      
      Fixes: bbceefce ("net/mlx5e: Support RX CHECKSUM_COMPLETE")
      Signed-off-by: NNatali Shechtman <natali@mellanox.com>
      Reviewed-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6debda97
    • A
      CIFS: fix deadlock in cached root handling · e867ef11
      Aurelien Aptel 提交于
      commit 7e5a70ad88b1e6f6d9b934b2efb41afff496820f upstream.
      
      Prevent deadlock between open_shroot() and
      cifs_mark_open_files_invalid() by releasing the lock before entering
      SMB2_open, taking it again after and checking if we still need to use
      the result.
      
      Link: https://lore.kernel.org/linux-cifs/684ed01c-cbca-2716-bc28-b0a59a0f8521@prodrive-technologies.com/T/#u
      Fixes: 3d4ef9a1 ("smb3: fix redundant opens on root")
      Signed-off-by: NAurelien Aptel <aaptel@suse.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      e867ef11
    • G
      crypto: talitos - fix missing break in switch statement · f3160a1d
      Gustavo A. R. Silva 提交于
      commit 5fc194ea6d34dfad9833d3043ce41d6c52aff39a upstream.
      
      Add missing break statement in order to prevent the code from falling
      through to case CRYPTO_ALG_TYPE_AHASH.
      
      Fixes: aeb4c132 ("crypto: talitos - Convert to new AEAD interface")
      Cc: stable@vger.kernel.org
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: NChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3160a1d
    • T
      mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() · c1a7fe48
      Tokunori Ikegami 提交于
      commit 37c673ade35c707d50583b5b25091ff8ebdeafd7 upstream.
      
      As reported by the OpenWRT team, write requests sometimes fail on some
      platforms.
      Currently to check the state chip_ready() is used correctly as described by
      the flash memory S29GL256P11TFI01 datasheet.
      Also chip_good() is used to check if the write is succeeded and it was
      implemented by the commit fb4a90bf ("[MTD] CFI-0002 - Improve error
      checking").
      But actually the write failure is caused on some platforms and also it can
      be fixed by using chip_good() to check the state and retry instead.
      Also it seems that it is caused after repeated about 1,000 times to retry
      the write one word with the reset command.
      By using chip_good() to check the state to be done it can be reduced the
      retry with reset.
      It is depended on the actual flash chip behavior so the root cause is
      unknown.
      
      Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
      Cc: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Cc: linux-mtd@lists.infradead.org
      Cc: stable@vger.kernel.org
      Reported-by: NFabio Bettoni <fbettoni@gmail.com>
      Signed-off-by: NFelix Fietkau <nbd@nbd.name>
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: NTokunori Ikegami <ikegami.t@gmail.com>
      [vigneshr@ti.com: Fix a checkpatch warning]
      Signed-off-by: NVignesh Raghavendra <vigneshr@ti.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1a7fe48
    • S
      HID: Add quirk for HP X500 PIXART OEM mouse · 5fdefdcb
      Sebastian Parschauer 提交于
      commit 2acf40f0454d41b8d51c95d317283c20c931164d upstream.
      
      The PixArt OEM mice are known for disconnecting every minute in
      runlevel 1 or 3 if they are not always polled. So add quirk
      ALWAYS_POLL for this one as well.
      
      Ville Viinikka (viinikv) reported and tested the quirk.
      Link: https://github.com/sriemer/fix-linux-mouse issue 15
      Signed-off-by: NSebastian Parschauer <s.parschauer@gmx.de>
      CC: stable@vger.kernel.org # v4.16+
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fdefdcb
    • A
      HID: hidraw: Fix invalid read in hidraw_ioctl · 3d072c27
      Alan Stern 提交于
      commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream.
      
      The syzbot fuzzer has reported a pair of problems in the
      hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
      read.  An example of the first:
      
      BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
      Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833
      
      CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        strlen+0x79/0x90 lib/string.c:525
        strlen include/linux/string.h:281 [inline]
        hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
        vfs_ioctl fs/ioctl.c:46 [inline]
        file_ioctl fs/ioctl.c:509 [inline]
        do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
        ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
        __do_sys_ioctl fs/ioctl.c:720 [inline]
        __se_sys_ioctl fs/ioctl.c:718 [inline]
        __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
        do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x459829
      Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
      RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
      RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
      R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff
      
      The two problems have the same cause: hidraw_ioctl() fails to test
      whether the device has been removed.  This patch adds the missing test.
      
      Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d072c27
    • A
      HID: logitech: Fix general protection fault caused by Logitech driver · acc96be8
      Alan Stern 提交于
      commit 5f9242775bb61f390f0885f23fc16397262c7538 upstream.
      
      The syzbot fuzzer found a general protection fault in the HID subsystem:
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      CPU: 0 PID: 3715 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #15
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
      Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
      00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
      89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
      RSP: 0018:ffff8881d99d78e0 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: 0000000000000020 RCX: ffffc90003f3f000
      RDX: 0000000416d8686d RSI: ffffffff82676841 RDI: 00000020b6c3436a
      RBP: 00000020b6c340a9 R08: ffff8881c6d64800 R09: fffffbfff0e84c25
      R10: ffff8881d99d7940 R11: ffffffff87426127 R12: 0000000000000004
      R13: 0000000000000000 R14: ffff8881d9b94000 R15: ffffffff897f9048
      FS:  00007f047f542700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b30f21000 CR3: 00000001ca032000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
        usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
        usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
        hid_hw_power include/linux/hid.h:1038 [inline]
        hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
        chrdev_open+0x219/0x5c0 fs/char_dev.c:413
        do_dentry_open+0x497/0x1040 fs/open.c:778
        do_last fs/namei.c:3416 [inline]
        path_openat+0x1430/0x3ff0 fs/namei.c:3533
        do_filp_open+0x1a1/0x280 fs/namei.c:3563
        do_sys_open+0x3c0/0x580 fs/open.c:1070
        do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      It turns out the fault was caused by a bug in the HID Logitech driver,
      which violates the requirement that every pathway calling
      hid_hw_start() must also call hid_hw_stop().  This patch fixes the bug
      by making sure the requirement is met.
      
      Reported-and-tested-by: syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acc96be8
    • R
      HID: sony: Fix memory corruption issue on cleanup. · 3e785174
      Roderick Colenbrander 提交于
      commit 2bcdacb70327013ca2066bfcf2af1009eff01f1d upstream.
      
      The sony driver is not properly cleaning up from potential failures in
      sony_input_configured. Currently it calls hid_hw_stop, while hid_connect
      is still running. This is not a good idea, instead hid_hw_stop should
      be moved to sony_probe. Similar changes were recently made to Logitech
      drivers, which were also doing improper cleanup.
      Signed-off-by: NRoderick Colenbrander <roderick.colenbrander@sony.com>
      CC: stable@vger.kernel.org
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e785174
    • A
      HID: prodikeys: Fix general protection fault during probe · eb779297
      Alan Stern 提交于
      commit 98375b86c79137416e9fd354177b85e768c16e56 upstream.
      
      The syzbot fuzzer provoked a general protection fault in the
      hid-prodikeys driver:
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #28
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      RIP: 0010:pcmidi_submit_output_report drivers/hid/hid-prodikeys.c:300  [inline]
      RIP: 0010:pcmidi_set_operational drivers/hid/hid-prodikeys.c:558 [inline]
      RIP: 0010:pcmidi_snd_initialise drivers/hid/hid-prodikeys.c:686 [inline]
      RIP: 0010:pk_probe+0xb51/0xfd0 drivers/hid/hid-prodikeys.c:836
      Code: 0f 85 50 04 00 00 48 8b 04 24 4c 89 7d 10 48 8b 58 08 e8 b2 53 e4 fc
      48 8b 54 24 20 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f
      85 13 04 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b
      
      The problem is caused by the fact that pcmidi_get_output_report() will
      return an error if the HID device doesn't provide the right sort of
      output report, but pcmidi_set_operational() doesn't bother to check
      the return code and assumes the function call always succeeds.
      
      This patch adds the missing check and aborts the probe operation if
      necessary.
      
      Reported-and-tested-by: syzbot+1088533649dafa1c9004@syzkaller.appspotmail.com
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb779297
    • J
      IB/core: Add an unbound WQ type to the new CQ API · 2661d462
      Jack Morgenstein 提交于
      commit f794809a7259dfaa3d47d90ef5a86007cf48b1ce upstream.
      
      The upstream kernel commit cited below modified the workqueue in the
      new CQ API to be bound to a specific CPU (instead of being unbound).
      This caused ALL users of the new CQ API to use the same bound WQ.
      
      Specifically, MAD handling was severely delayed when the CPU bound
      to the WQ was busy handling (higher priority) interrupts.
      
      This caused a delay in the MAD "heartbeat" response handling,
      which resulted in ports being incorrectly classified as "down".
      
      To fix this, add a new "unbound" WQ type to the new CQ API, so that users
      have the option to choose either a bound WQ or an unbound WQ.
      
      For MADs, choose the new "unbound" WQ.
      
      Fixes: b7363e67 ("IB/device: Convert ib-comp-wq to be CPU-bound")
      Signed-off-by: NJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: NSagi Grimberg <sagi@grimberg.m>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2661d462
    • N
      drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines · 70ec2eec
      Nick Desaulniers 提交于
      [ Upstream commit 0f0727d971f6fdf8f1077180d495ddb9928f0c8b ]
      
      arch/x86/Makefile disables SSE and SSE2 for the whole kernel.  The
      AMDGPU drivers modified in this patch re-enable SSE but not SSE2.  Turn
      on SSE2 to support emitting double precision floating point instructions
      rather than calls to non-existent (usually available from gcc_s or
      compiler_rt) floating point helper routines for Clang.
      
      This was originally landed in:
      commit 10117450735c ("drm/amd/display: add -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines")
      but reverted in:
      commit 193392ed9f69 ("Revert "drm/amd/display: add -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines"")
      due to bugreports from GCC builds. Add guards to only do so for Clang.
      
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=109487
      Link: https://github.com/ClangBuiltLinux/linux/issues/327Suggested-by: NSedat Dilek <sedat.dilek@gmail.com>
      Suggested-by: NSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      70ec2eec
    • G
      powerpc/xive: Fix bogus error code returned by OPAL · 80fc2795
      Greg Kurz 提交于
      commit 6ccb4ac2bf8a35c694ead92f8ac5530a16e8f2c8 upstream.
      
      There's a bug in skiboot that causes the OPAL_XIVE_ALLOCATE_IRQ call
      to return the 32-bit value 0xffffffff when OPAL has run out of IRQs.
      Unfortunatelty, OPAL return values are signed 64-bit entities and
      errors are supposed to be negative. If that happens, the linux code
      confusingly treats 0xffffffff as a valid IRQ number and panics at some
      point.
      
      A fix was recently merged in skiboot:
      
      e97391ae2bb5 ("xive: fix return value of opal_xive_allocate_irq()")
      
      but we need a workaround anyway to support older skiboots already
      in the field.
      
      Internally convert 0xffffffff to OPAL_RESOURCE which is the usual error
      returned upon resource exhaustion.
      
      Cc: stable@vger.kernel.org # v4.12+
      Signed-off-by: NGreg Kurz <groug@kaod.org>
      Reviewed-by: NCédric Le Goater <clg@kaod.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/156821713818.1985334.14123187368108582810.stgit@bahia.lan
      (groug: fix arch/powerpc/platforms/powernv/opal-wrappers.S instead of
              non-existing arch/powerpc/platforms/powernv/opal-call.c)
      Signed-off-by: NGreg Kurz <groug@kaod.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80fc2795
    • L
      RDMA/restrack: Protect from reentry to resource return path · 4eb92a11
      Leon Romanovsky 提交于
      commit fe9bc1644918aa1d02a889b4ca788bfb67f90816 upstream.
      
      Nullify the resource task struct pointer to ensure that subsequent calls
      won't try to release task_struct again.
      
      ------------[ cut here ]------------
      ODEBUG: free active (active state 1) object type: rcu_head hint:
      (null)
      WARNING: CPU: 0 PID: 6048 at lib/debugobjects.c:329
      debug_print_object+0x16a/0x210 lib/debugobjects.c:326
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 6048 Comm: syz-executor022 Not tainted
      4.19.0-rc7-next-20181008+ #89
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x244/0x3ab lib/dump_stack.c:113
        panic+0x238/0x4e7 kernel/panic.c:184
        __warn.cold.8+0x163/0x1ba kernel/panic.c:536
        report_bug+0x254/0x2d0 lib/bug.c:186
        fixup_bug arch/x86/kernel/traps.c:178 [inline]
        do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
        do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
        invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
      RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
      Code: 41 88 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14
      dd
      60 02 41 88 4c 89 fe 48 c7 c7 00 f8 40 88 e8 36 2f b4 fd <0f> 0b 83 05
      a9
      f4 5e 06 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
      RSP: 0018:ffff8801d8c3eda8 EFLAGS: 00010086
      RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffffffff8164d235 RDI: 0000000000000005
      RBP: ffff8801d8c3ede8 R08: ffff8801d70aa280 R09: ffffed003b5c3eda
      R10: ffffed003b5c3eda R11: ffff8801dae1f6d7 R12: 0000000000000001
      R13: ffffffff8939a760 R14: 0000000000000000 R15: ffffffff8840fca0
        __debug_check_no_obj_freed lib/debugobjects.c:786 [inline]
        debug_check_no_obj_freed+0x3ae/0x58d lib/debugobjects.c:818
        kmem_cache_free+0x202/0x290 mm/slab.c:3759
        free_task_struct kernel/fork.c:163 [inline]
        free_task+0x16e/0x1f0 kernel/fork.c:457
        __put_task_struct+0x2e6/0x620 kernel/fork.c:730
        put_task_struct include/linux/sched/task.h:96 [inline]
        finish_task_switch+0x66c/0x900 kernel/sched/core.c:2715
        context_switch kernel/sched/core.c:2834 [inline]
        __schedule+0x8d7/0x21d0 kernel/sched/core.c:3480
        schedule+0xfe/0x460 kernel/sched/core.c:3524
        freezable_schedule include/linux/freezer.h:172 [inline]
        futex_wait_queue_me+0x3f9/0x840 kernel/futex.c:2530
        futex_wait+0x45c/0xa50 kernel/futex.c:2645
        do_futex+0x31a/0x26d0 kernel/futex.c:3528
        __do_sys_futex kernel/futex.c:3589 [inline]
        __se_sys_futex kernel/futex.c:3557 [inline]
        __x64_sys_futex+0x472/0x6a0 kernel/futex.c:3557
        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446549
      Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f3a998f5da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446549
      RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
      RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
      R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 00000000006dbd2c
      Kernel Offset: disabled
      
      Reported-by: syzbot+71aff6ea121ffefc280f@syzkaller.appspotmail.com
      Fixes: ed7a01fd3fd7 ("RDMA/restrack: Release task struct which was hold by CM_ID object")
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Cc: Pavel Machek <pavel@denx.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4eb92a11
    • J
      net/ibmvnic: free reset work of removed device from queue · 373f9092
      Juliet Kim 提交于
      [ Upstream commit 1c2977c094998de032fee6e898c88b4a05483d08 ]
      
      Commit 36f1031c51a2 ("ibmvnic: Do not process reset during or after
       device removal") made the change to exit reset if the driver has been
      removed, but does not free reset work items of the adapter from queue.
      
      Ensure all reset work items are freed when breaking out of the loop early.
      
      Fixes: 36f1031c51a2 ("ibmnvic: Do not process reset during or after device removal”)
      Signed-off-by: NJuliet Kim <julietk@linux.vnet.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      373f9092
    • M
      Revert "Bluetooth: validate BLE connection interval updates" · 2af977b0
      Marcel Holtmann 提交于
      [ Upstream commit 68d19d7d995759b96169da5aac313363f92a9075 ]
      
      This reverts commit c49a8682fc5d298d44e8d911f4fa14690ea9485e.
      
      There are devices which require low connection intervals for usable operation
      including keyboards and mice. Forcing a static connection interval for
      these types of devices has an impact in latency and causes a regression.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2af977b0
  2. 21 9月, 2019 15 次提交