1. 20 4月, 2019 40 次提交
    • C
      xfrm: destroy xfrm_state synchronously on net exit path · bbbe4746
      Cong Wang 提交于
      [ Upstream commit f75a2804da391571563c4b6b29e7797787332673 ]
      
      xfrm_state_put() moves struct xfrm_state to the GC list
      and schedules the GC work to clean it up. On net exit call
      path, xfrm_state_flush() is called to clean up and
      xfrm_flush_gc() is called to wait for the GC work to complete
      before exit.
      
      However, this doesn't work because one of the ->destructor(),
      ipcomp_destroy(), schedules the same GC work again inside
      the GC work. It is hard to wait for such a nested async
      callback. This is also why syzbot still reports the following
      warning:
      
       WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
       ...
        ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
        cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
        process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
        worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
        kthread+0x357/0x430 kernel/kthread.c:246
        ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      In fact, it is perfectly fine to bypass GC and destroy xfrm_state
      synchronously on net exit call path, because it is in process context
      and doesn't need a work struct to do any blocking work.
      
      This patch introduces xfrm_state_put_sync() which simply bypasses
      GC, and lets its callers to decide whether to use this synchronous
      version. On net exit path, xfrm_state_fini() and
      xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
      blocking, it can use xfrm_state_put_sync() directly too.
      
      Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
      reflect this change.
      
      Fixes: b48c05ab ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
      Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bbbe4746
    • S
      net/rds: fix warn in rds_message_alloc_sgs · 5be4bb31
      shamir rabinovitch 提交于
      [ Upstream commit ea010070d0a7497253d5a6f919f6dd107450b31a ]
      
      redundant copy_from_user in rds_sendmsg system call expose rds
      to issue where rds_rdma_extra_size walk the rds iovec and and
      calculate the number pf pages (sgs) it need to add to the tail of
      rds message and later rds_cmsg_rdma_args copy the rds iovec again
      and re calculate the same number and get different result causing
      WARN_ON in rds_message_alloc_sgs.
      
      fix this by doing the copy_from_user only once per rds_sendmsg
      system call.
      
      When issue occur the below dump is seen:
      
      WARNING: CPU: 0 PID: 19789 at net/rds/message.c:316 rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 0 PID: 19789 Comm: syz-executor827 Not tainted 4.19.0-next-20181030+ #101
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x244/0x39d lib/dump_stack.c:113
       panic+0x2ad/0x55c kernel/panic.c:188
       __warn.cold.8+0x20/0x45 kernel/panic.c:540
       report_bug+0x254/0x2d0 lib/bug.c:186
       fixup_bug arch/x86/kernel/traps.c:178 [inline]
       do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
       do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
       invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
      RIP: 0010:rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
      Code: c0 74 04 3c 03 7e 6c 44 01 ab 78 01 00 00 e8 2b 9e 35 fa 4c 89 e0 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 14 9e 35 fa <0f> 0b 31 ff 44 89 ee e8 18 9f 35 fa 45 85 ed 75 1b e8 fe 9d 35 fa
      RSP: 0018:ffff8801c51b7460 EFLAGS: 00010293
      RAX: ffff8801bc412080 RBX: ffff8801d7bf4040 RCX: ffffffff8749c9e6
      RDX: 0000000000000000 RSI: ffffffff8749ca5c RDI: 0000000000000004
      RBP: ffff8801c51b7490 R08: ffff8801bc412080 R09: ffffed003b5c5b67
      R10: ffffed003b5c5b67 R11: ffff8801dae2db3b R12: 0000000000000000
      R13: 000000000007165c R14: 000000000007165c R15: 0000000000000005
       rds_cmsg_rdma_args+0x82d/0x1510 net/rds/rdma.c:623
       rds_cmsg_send net/rds/send.c:971 [inline]
       rds_sendmsg+0x19a2/0x3180 net/rds/send.c:1273
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:632
       ___sys_sendmsg+0x7fd/0x930 net/socket.c:2117
       __sys_sendmsg+0x11d/0x280 net/socket.c:2155
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x44a859
      Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f1d4710ada8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044a859
      RDX: 0000000000000000 RSI: 0000000020001600 RDI: 0000000000000003
      RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dcc2c
      R13: 646e732f7665642f R14: 00007f1d4710b9c0 R15: 00000000006dcd2c
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      Reported-by: syzbot+26de17458aeda9d305d8@syzkaller.appspotmail.com
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: Nshamir rabinovitch <shamir.rabinovitch@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5be4bb31
    • R
      ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle · d801282d
      Rafael J. Wysocki 提交于
      [ Upstream commit f941d3e41da7f86bdb9dcc1977c2bcc6b89bfe47 ]
      
      There are systems in which non-wakeup GPEs fire during the "noirq"
      suspend stage of suspending devices and that effectively prevents the
      system that tries to suspend to idle from entering any low-power
      state at all.  If the offending GPE fires regularly and often enough,
      the system appears to be suspended, but in fact it is in a tight loop
      over "noirq" suspend and "noirq" resume of devices all the time.
      
      To prevent that from happening, disable all non-wakeup GPEs except
      for the EC GPE for suspend-to-idle (the EC GPE is special, because
      on some systems it has to be enabled for power button wakeup events
      to be generated as expected).
      
      Fixes: 147a7d9d (ACPI / PM: Do not reconfigure GPEs for suspend-to-idle)
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=201987Reported-by: NZhang Rui <rui.zhang@intel.com>
      Tested-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Tested-by: NZhang Rui <rui.zhang@intel.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d801282d
    • A
      ALSA: hda: fix front speakers on Huawei MBXP · e434fbf4
      Ayman Bagabas 提交于
      [ Upstream commit 8ac51bbc4cfec4ef08b03bef24b31e2d50ef8b37 ]
      
      This patch solves bug 200501 'Only 2 of 4 speakers playing sound.'
      It enables the front speakers on Huawei Matebook X Pro laptops.
      These laptops come with Dolby Atmos sound system and these pins
      configuration enables the front speakers.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200501Reviewed-by: NAndy Shevchenko <andy.shevchenko@gmail.com>
      Reviewed-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NAyman Bagabas <ayman.bagabas@gmail.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e434fbf4
    • T
      drm/ttm: Fix bo_global and mem_global kfree error · b10cc083
      Trigger Huang 提交于
      [ Upstream commit 30f33126feca0fe16df9e9302ffc28a953e2eb37 ]
      
      ttm_bo_glob and ttm_mem_glob are defined as structure instance, while
      not allocated by kzalloc, so kfree should not be invoked to release
      them anymore. Otherwise, it will cause the following kernel BUG when
      unloading amdgpu module
      
      [   48.419294] kernel BUG at /build/linux-5s7Xkn/linux-4.15.0/mm/slub.c:3894!
      [   48.419352] invalid opcode: 0000 [#1] SMP PTI
      [   48.419387] Modules linked in: amdgpu(OE-) amdchash(OE) amdttm(OE) amd_sched(OE) amdkcl(OE) amd_iommu_v2 drm_kms_helper drm i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi pcbc snd_seq snd_seq_device snd_timer aesni_intel snd soundcore joydev aes_x86_64 crypto_simd glue_helper cryptd input_leds mac_hid serio_raw binfmt_misc nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 8139too psmouse i2c_piix4 8139cp mii floppy pata_acpi
      [   48.419782] CPU: 1 PID: 1281 Comm: modprobe Tainted: G           OE    4.15.0-20-generic #21-Ubuntu
      [   48.419838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [   48.419901] RIP: 0010:kfree+0x137/0x180
      [   48.419934] RSP: 0018:ffffb02101273bf8 EFLAGS: 00010246
      [   48.419974] RAX: ffffeee1418ad7e0 RBX: ffffffffc075f100 RCX: ffff8fed7fca7ed0
      [   48.420025] RDX: 0000000000000000 RSI: 000000000003440e RDI: 0000000022400000
      [   48.420073] RBP: ffffb02101273c10 R08: 0000000000000010 R09: ffff8fed7ffd3680
      [   48.420121] R10: ffffeee1418ad7c0 R11: ffff8fed7ffd3000 R12: ffffffffc075e2c0
      [   48.420169] R13: ffffffffc074ec10 R14: ffff8fed73063900 R15: ffff8fed737428e8
      [   48.420216] FS:  00007fdc912ec540(0000) GS:ffff8fed7fc80000(0000) knlGS:0000000000000000
      [   48.420267] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   48.420308] CR2: 000055fa40c30060 CR3: 000000023470a006 CR4: 00000000003606e0
      [   48.420358] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   48.420405] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   48.420452] Call Trace:
      [   48.420485]  ttm_bo_global_kobj_release+0x20/0x30 [amdttm]
      [   48.420528]  kobject_release+0x6a/0x180
      [   48.420562]  kobject_put+0x28/0x50
      [   48.420595]  ttm_bo_global_release+0x36/0x50 [amdttm]
      [   48.420636]  amdttm_bo_device_release+0x119/0x180 [amdttm]
      [   48.420678]  ? amdttm_bo_clean_mm+0xa6/0xf0 [amdttm]
      [   48.420760]  amdgpu_ttm_fini+0xc9/0x180 [amdgpu]
      [   48.420821]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
      [   48.420889]  gmc_v9_0_sw_fini+0x40/0x50 [amdgpu]
      [   48.420947]  amdgpu_device_fini+0x36f/0x4c0 [amdgpu]
      [   48.421007]  amdgpu_driver_unload_kms+0xb4/0x150 [amdgpu]
      [   48.421058]  drm_dev_unregister+0x46/0xf0 [drm]
      [   48.421102]  drm_dev_unplug+0x12/0x70 [drm]
      Signed-off-by: NTrigger Huang <Trigger.Huang@amd.com>
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b10cc083
    • H
      platform/x86: Add Intel AtomISP2 dummy / power-management driver · cb09e99b
      Hans de Goede 提交于
      [ Upstream commit 49ad712afa88c502831d37f7089d98eac441fb80 ]
      
      The Image Signal Processor found on Cherry Trail devices is brought up in
      D0 state on devices which have camera sensors attached to it. The ISP will
      not enter D3 state again without some massaging of its registers beforehand
      and the ISP not being in D3 state blocks the SoC from entering S0ix modes.
      
      There was a driver for the ISP in drivers/staging but that got removed
      again because it never worked. It does not seem likely that a real
      driver for the ISP will be added to the mainline kernel anytime soon.
      
      This commit adds a dummy driver which contains the necessary magic from
      the staging driver to powerdown the ISP, so that Cherry Trail devices where
      the ISP is used will properly use S0ix modes when suspended.
      
      Together with other recent S0ix related fixes this allows S0ix modes to
      be entered on e.g. a Chuwi Hi8 Pro and a HP x2 210.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=196915Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Reviewed-by: NAlan Cox <alan@linux.intel.com>
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cb09e99b
    • V
      kernel: hung_task.c: disable on suspend · 491dee74
      Vitaly Kuznetsov 提交于
      [ Upstream commit a1c6ca3c6de763459a6e93b644ec6518c890ba1c ]
      
      It is possible to observe hung_task complaints when system goes to
      suspend-to-idle state:
      
       # echo freeze > /sys/power/state
      
       PM: Syncing filesystems ... done.
       Freezing user space processes ... (elapsed 0.001 seconds) done.
       OOM killer disabled.
       Freezing remaining freezable tasks ... (elapsed 0.002 seconds) done.
       sd 0:0:0:0: [sda] Synchronizing SCSI cache
       INFO: task bash:1569 blocked for more than 120 seconds.
             Not tainted 4.19.0-rc3_+ #687
       "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
       bash            D    0  1569    604 0x00000000
       Call Trace:
        ? __schedule+0x1fe/0x7e0
        schedule+0x28/0x80
        suspend_devices_and_enter+0x4ac/0x750
        pm_suspend+0x2c0/0x310
      
      Register a PM notifier to disable the detector on suspend and re-enable
      back on wakeup.
      Signed-off-by: NVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      491dee74
    • S
      cifs: fallback to older infolevels on findfirst queryinfo retry · e9603cff
      Steve French 提交于
      [ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ]
      
      In cases where queryinfo fails, we have cases in cifs (vers=1.0)
      where with backupuid mounts we retry the query info with findfirst.
      This doesn't work to some NetApp servers which don't support
      WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
      so in this case use other info levels (in this case it will usually
      be level 257, SMB_FIND_FILE_DIRECTORY_INFO).
      
      (Also fixes some indentation)
      
      See kernel bugzilla 201435
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e9603cff
    • T
      net: stmmac: Set OWN bit for jumbo frames · fc34758d
      Thor Thayer 提交于
      [ Upstream commit 487e2e22ab7968f2c0c82f37b5ca5883efd1a354 ]
      
      Ping with Jumbo packet does not reply and get a watchdog timeout
      
      [   46.059616] ------------[ cut here ]------------
      [   46.064268] NETDEV WATCHDOG: eth0 (socfpga-dwmac): transmit queue 0 timed out
      [   46.071471] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x2cc/0x2d8
      [   46.079708] Modules linked in:
      [   46.082761] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-00115-gc262be665854-dirty #264
      [   46.091082] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
      [   46.096377] pstate: 20000005 (nzCv daif -PAN -UAO)
      [   46.101152] pc : dev_watchdog+0x2cc/0x2d8
      [   46.105149] lr : dev_watchdog+0x2cc/0x2d8
      [   46.109144] sp : ffff00000800bd80
      [   46.112447] x29: ffff00000800bd80 x28: ffff80007a9b4940
      [   46.117744] x27: 00000000ffffffff x26: ffff80007aa183b0
      [   46.123040] x25: 0000000000000001 x24: 0000000000000140
      [   46.128336] x23: ffff80007aa1839c x22: ffff80007aa17fb0
      [   46.133632] x21: ffff80007aa18000 x20: ffff0000091a7000
      [   46.138927] x19: 0000000000000000 x18: ffffffffffffffff
      [   46.144223] x17: 0000000000000000 x16: 0000000000000000
      [   46.149519] x15: ffff0000091a96c8 x14: 07740775076f0720
      [   46.154814] x13: 07640765076d0769 x12: 0774072007300720
      [   46.160110] x11: 0765077507650775 x10: 0771072007740769
      [   46.165406] x9 : 076d0773076e0761 x8 : 077207740720073a
      [   46.170702] x7 : 072907630761076d x6 : ffff80007ff9a0c0
      [   46.175997] x5 : ffff80007ff9a0c0 x4 : 0000000000000002
      [   46.181293] x3 : 0000000000000000 x2 : ffff0000091ac180
      [   46.186589] x1 : e6a742ebe628e800 x0 : 0000000000000000
      [   46.191885] Call trace:
      [   46.194326]  dev_watchdog+0x2cc/0x2d8
      [   46.197980]  call_timer_fn+0x20/0x78
      [   46.201544]  expire_timers+0xa4/0xb0
      [   46.205108]  run_timer_softirq+0xe4/0x198
      [   46.209107]  __do_softirq+0x114/0x210
      [   46.212760]  irq_exit+0xd0/0xd8
      [   46.215895]  __handle_domain_irq+0x60/0xb0
      [   46.219977]  gic_handle_irq+0x58/0xa8
      [   46.223628]  el1_irq+0xb0/0x128
      [   46.226761]  arch_cpu_idle+0x10/0x18
      [   46.230326]  do_idle+0x1d4/0x288
      [   46.233544]  cpu_startup_entry+0x24/0x28
      [   46.237457]  secondary_start_kernel+0x17c/0x1c0
      [   46.241971] ---[ end trace 57048cd1372cd828 ]---
      
      Inspection of queue showed Jumbo packets were not sent out.
      The ring Jumbo packet function needs to set the OWN bit so
      the packet is sent.
      Signed-off-by: NThor Thayer <thor.thayer@linux.intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fc34758d
    • S
      f2fs: cleanup dirty pages if recover failed · 8722566b
      Sheng Yong 提交于
      [ Upstream commit 26b5a079197c8cb6725565968b7fd3299bd1877b ]
      
      During recover, we will try to create new dentries for inodes with
      dentry_mark. But if the parent is missing (e.g. killed by fsck),
      recover will break. But those recovered dirty pages are not cleanup.
      This will hit f2fs_bug_on:
      
      [   53.519566] F2FS-fs (loop0): Found nat_bits in checkpoint
      [   53.539354] F2FS-fs (loop0): recover_inode: ino = 5, name = file, inline = 3
      [   53.539402] F2FS-fs (loop0): recover_dentry: ino = 5, name = file, dir = 0, err = -2
      [   53.545760] F2FS-fs (loop0): Cannot recover all fsync data errno=-2
      [   53.546105] F2FS-fs (loop0): access invalid blkaddr:4294967295
      [   53.546171] WARNING: CPU: 1 PID: 1798 at fs/f2fs/checkpoint.c:163 f2fs_is_valid_blkaddr+0x26c/0x320
      [   53.546174] Modules linked in:
      [   53.546183] CPU: 1 PID: 1798 Comm: mount Not tainted 4.19.0-rc2+ #1
      [   53.546186] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   53.546191] RIP: 0010:f2fs_is_valid_blkaddr+0x26c/0x320
      [   53.546195] Code: 85 bb 00 00 00 48 89 df 88 44 24 07 e8 ad a8 db ff 48 8b 3b 44 89 e1 48 c7 c2 40 03 72 a9 48 c7 c6 e0 01 72 a9 e8 84 3c ff ff <0f> 0b 0f b6 44 24 07 e9 8a 00 00 00 48 8d bf 38 01 00 00 e8 7c a8
      [   53.546201] RSP: 0018:ffff88006c067768 EFLAGS: 00010282
      [   53.546208] RAX: 0000000000000000 RBX: ffff880068844200 RCX: ffffffffa83e1a33
      [   53.546211] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88006d51e590
      [   53.546215] RBP: 0000000000000005 R08: ffffed000daa3cb3 R09: ffffed000daa3cb3
      [   53.546218] R10: 0000000000000001 R11: ffffed000daa3cb2 R12: 00000000ffffffff
      [   53.546221] R13: ffff88006a1f8000 R14: 0000000000000200 R15: 0000000000000009
      [   53.546226] FS:  00007fb2f3646840(0000) GS:ffff88006d500000(0000) knlGS:0000000000000000
      [   53.546229] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   53.546234] CR2: 00007f0fd77f0008 CR3: 00000000687e6002 CR4: 00000000000206e0
      [   53.546237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   53.546240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   53.546242] Call Trace:
      [   53.546248]  f2fs_submit_page_bio+0x95/0x740
      [   53.546253]  read_node_page+0x161/0x1e0
      [   53.546271]  ? truncate_node+0x650/0x650
      [   53.546283]  ? add_to_page_cache_lru+0x12c/0x170
      [   53.546288]  ? pagecache_get_page+0x262/0x2d0
      [   53.546292]  __get_node_page+0x200/0x660
      [   53.546302]  f2fs_update_inode_page+0x4a/0x160
      [   53.546306]  f2fs_write_inode+0x86/0xb0
      [   53.546317]  __writeback_single_inode+0x49c/0x620
      [   53.546322]  writeback_single_inode+0xe4/0x1e0
      [   53.546326]  sync_inode_metadata+0x93/0xd0
      [   53.546330]  ? sync_inode+0x10/0x10
      [   53.546342]  ? do_raw_spin_unlock+0xed/0x100
      [   53.546347]  f2fs_sync_inode_meta+0xe0/0x130
      [   53.546351]  f2fs_fill_super+0x287d/0x2d10
      [   53.546367]  ? vsnprintf+0x742/0x7a0
      [   53.546372]  ? f2fs_commit_super+0x180/0x180
      [   53.546379]  ? up_write+0x20/0x40
      [   53.546385]  ? set_blocksize+0x5f/0x140
      [   53.546391]  ? f2fs_commit_super+0x180/0x180
      [   53.546402]  mount_bdev+0x181/0x200
      [   53.546406]  mount_fs+0x94/0x180
      [   53.546411]  vfs_kern_mount+0x6c/0x1e0
      [   53.546415]  do_mount+0xe5e/0x1510
      [   53.546420]  ? fs_reclaim_release+0x9/0x30
      [   53.546424]  ? copy_mount_string+0x20/0x20
      [   53.546428]  ? fs_reclaim_acquire+0xd/0x30
      [   53.546435]  ? __might_sleep+0x2c/0xc0
      [   53.546440]  ? ___might_sleep+0x53/0x170
      [   53.546453]  ? __might_fault+0x4c/0x60
      [   53.546468]  ? _copy_from_user+0x95/0xa0
      [   53.546474]  ? memdup_user+0x39/0x60
      [   53.546478]  ksys_mount+0x88/0xb0
      [   53.546482]  __x64_sys_mount+0x5d/0x70
      [   53.546495]  do_syscall_64+0x65/0x130
      [   53.546503]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.547639] ---[ end trace b804d1ea2fec893e ]---
      
      So if recover fails, we need to drop all recovered data.
      Signed-off-by: NSheng Yong <shengyong1@huawei.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8722566b
    • T
      netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine · 263ed7e6
      Taehee Yoo 提交于
      [ Upstream commit b7f1a16d29b2e28d3dcbb070511bd703e306281b ]
      
      When device is unregistered, flowtable flush routine is called
      by notifier_call(nf_tables_flowtable_event). and exit callback of
      nftables pernet_operation(nf_tables_exit_net) also has flowtable flush
      routine. but when network namespace is destroyed, both notifier_call
      and pernet_operation are called. hence flowtable flush routine in
      pernet_operation is unnecessary.
      
      test commands:
         %ip netns add vm1
         %ip netns exec vm1 nft add table ip filter
         %ip netns exec vm1 nft add flowtable ip filter w \
      	{ hook ingress priority 0\; devices = { lo }\; }
         %ip netns del vm1
      
      splat looks like:
      [  265.187019] WARNING: CPU: 0 PID: 87 at net/netfilter/core.c:309 nf_hook_entry_head+0xc7/0xf0
      [  265.187112] Modules linked in: nf_flow_table_ipv4 nf_flow_table nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ip_tables x_tables
      [  265.187390] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc3+ #5
      [  265.187453] Workqueue: netns cleanup_net
      [  265.187514] RIP: 0010:nf_hook_entry_head+0xc7/0xf0
      [  265.187546] Code: 8d 81 68 03 00 00 5b c3 89 d0 83 fa 04 48 8d 84 c7 e8 11 00 00 76 81 0f 0b 31 c0 e9 78 ff ff ff 0f 0b 48 83 c4 08 31 c0 5b c3 <0f> 0b 31 c0 e9 65 ff ff ff 0f 0b 31 c0 e9 5c ff ff ff 48 89 0c 24
      [  265.187573] RSP: 0018:ffff88011546f098 EFLAGS: 00010246
      [  265.187624] RAX: ffffffff8d90e135 RBX: 1ffff10022a8de1c RCX: 0000000000000000
      [  265.187645] RDX: 0000000000000000 RSI: 0000000000000005 RDI: ffff880116298040
      [  265.187645] RBP: ffff88010ea4c1a8 R08: 0000000000000000 R09: 0000000000000000
      [  265.187645] R10: ffff88011546f1d8 R11: ffffed0022c532c1 R12: ffff88010ea4c1d0
      [  265.187645] R13: 0000000000000005 R14: dffffc0000000000 R15: ffff88010ea4c1c4
      [  265.187645] FS:  0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
      [  265.187645] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  265.187645] CR2: 00007fdfb8d00000 CR3: 0000000057a16000 CR4: 00000000001006f0
      [  265.187645] Call Trace:
      [  265.187645]  __nf_unregister_net_hook+0xca/0x5d0
      [  265.187645]  ? nf_hook_entries_free.part.3+0x80/0x80
      [  265.187645]  ? save_trace+0x300/0x300
      [  265.187645]  nf_unregister_net_hooks+0x2e/0x40
      [  265.187645]  nf_tables_exit_net+0x479/0x1340 [nf_tables]
      [  265.187645]  ? find_held_lock+0x39/0x1c0
      [  265.187645]  ? nf_tables_abort+0x30/0x30 [nf_tables]
      [  265.187645]  ? inet_frag_destroy_rcu+0xd0/0xd0
      [  265.187645]  ? trace_hardirqs_on+0x93/0x210
      [  265.187645]  ? __bpf_trace_preemptirq_template+0x10/0x10
      [  265.187645]  ? inet_frag_destroy_rcu+0xd0/0xd0
      [  265.187645]  ? inet_frag_destroy_rcu+0xd0/0xd0
      [  265.187645]  ? __mutex_unlock_slowpath+0x17f/0x740
      [  265.187645]  ? wait_for_completion+0x710/0x710
      [  265.187645]  ? bucket_table_free+0xb2/0x1f0
      [  265.187645]  ? nested_table_free+0x130/0x130
      [  265.187645]  ? __lock_is_held+0xb4/0x140
      [  265.187645]  ops_exit_list.isra.10+0x94/0x140
      [  265.187645]  cleanup_net+0x45b/0x900
      [ ... ]
      
      This WARNING means that hook unregisteration is failed because
      all flowtables hooks are already unregistered by notifier_call.
      
      Network namespace exit routine guarantees that all devices will be
      unregistered first. then, other exit callbacks of pernet_operations
      are called. so that removing flowtable flush routine in exit callback of
      pernet_operation(nf_tables_exit_net) doesn't make flowtable leak.
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      263ed7e6
    • N
      compiler.h: update definition of unreachable() · 19e6ff01
      ndesaulniers@google.com 提交于
      [ Upstream commit fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 ]
      
      Fixes the objtool warning seen with Clang:
      arch/x86/mm/fault.o: warning: objtool: no_context()+0x220: unreachable
      instruction
      
      Fixes commit 815f0ddb ("include/linux/compiler*.h: make compiler-*.h
      mutually exclusive")
      
      Josh noted that the fallback definition was meant to work around a
      pre-gcc-4.6 bug. GCC still needs to work around
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365, so compiler-gcc.h
      defines its own version of unreachable().  Clang and ICC can use this
      shared definition.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/204Suggested-by: NAndy Lutomirski <luto@amacapital.net>
      Suggested-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Tested-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      19e6ff01
    • S
      KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail · f35e2a68
      Sean Christopherson 提交于
      [ Upstream commit bd18bffca35397214ae68d85cf7203aca25c3c1d ]
      
      A VMEnter that VMFails (as opposed to VMExits) does not touch host
      state beyond registers that are explicitly noted in the VMFail path,
      e.g. EFLAGS.  Host state does not need to be loaded because VMFail
      is only signaled for consistency checks that occur before the CPU
      starts to load guest state, i.e. there is no need to restore any
      state as nothing has been modified.  But in the case where a VMFail
      is detected by hardware and not by KVM (due to deferring consistency
      checks to hardware), KVM has already loaded some amount of guest
      state.  Luckily, "loaded" only means loaded to KVM's software model,
      i.e. vmcs01 has not been modified.  So, unwind our software model to
      the pre-VMEntry host state.
      
      Not restoring host state in this VMFail path leads to a variety of
      failures because we end up with stale data in vcpu->arch, e.g. CR0,
      CR4, EFER, etc... will all be out of sync relative to vmcs01.  Any
      significant delta in the stale data is all but guaranteed to crash
      L1, e.g. emulation of SMEP, SMAP, UMIP, WP, etc... will be wrong.
      
      An alternative to this "soft" reload would be to load host state from
      vmcs12 as if we triggered a VMExit (as opposed to VMFail), but that is
      wildly inconsistent with respect to the VMX architecture, e.g. an L1
      VMM with separate VMExit and VMFail paths would explode.
      
      Note that this approach does not mean KVM is 100% accurate with
      respect to VMX hardware behavior, even at an architectural level
      (the exact order of consistency checks is microarchitecture specific).
      But 100% emulation accuracy isn't the goal (with this patch), rather
      the goal is to be consistent in the information delivered to L1, e.g.
      a VMExit should not fall-through VMENTER, and a VMFail should not jump
      to HOST_RIP.
      
      This technically reverts commit "5af41573 (KVM: nVMX: Fix mmu
      context after VMLAUNCH/VMRESUME failure)", but retains the core
      aspects of that patch, just in an open coded form due to the need to
      pull state from vmcs01 instead of vmcs12.  Restoring host state
      resolves a variety of issues introduced by commit "4f350c6d
      (kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)",
      which remedied the incorrect behavior of treating VMFail like VMExit
      but in doing so neglected to restore arch state that had been modified
      prior to attempting nested VMEnter.
      
      A sample failure that occurs due to stale vcpu.arch state is a fault
      of some form while emulating an LGDT (due to emulated UMIP) from L1
      after a failed VMEntry to L3, in this case when running the KVM unit
      test test_tpr_threshold_values in L1.  L0 also hits a WARN in this
      case due to a stale arch.cr4.UMIP.
      
      L1:
        BUG: unable to handle kernel paging request at ffffc90000663b9e
        PGD 276512067 P4D 276512067 PUD 276513067 PMD 274efa067 PTE 8000000271de2163
        Oops: 0009 [#1] SMP
        CPU: 5 PID: 12495 Comm: qemu-system-x86 Tainted: G        W         4.18.0-rc2+ #2
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
        RIP: 0010:native_load_gdt+0x0/0x10
      
        ...
      
        Call Trace:
         load_fixmap_gdt+0x22/0x30
         __vmx_load_host_state+0x10e/0x1c0 [kvm_intel]
         vmx_switch_vmcs+0x2d/0x50 [kvm_intel]
         nested_vmx_vmexit+0x222/0x9c0 [kvm_intel]
         vmx_handle_exit+0x246/0x15a0 [kvm_intel]
         kvm_arch_vcpu_ioctl_run+0x850/0x1830 [kvm]
         kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
         do_vfs_ioctl+0x9f/0x600
         ksys_ioctl+0x66/0x70
         __x64_sys_ioctl+0x16/0x20
         do_syscall_64+0x4f/0x100
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      L0:
        WARNING: CPU: 2 PID: 3529 at arch/x86/kvm/vmx.c:6618 handle_desc+0x28/0x30 [kvm_intel]
        ...
        CPU: 2 PID: 3529 Comm: qemu-system-x86 Not tainted 4.17.2-coffee+ #76
        Hardware name: Intel Corporation Kabylake Client platform/KBL S
        RIP: 0010:handle_desc+0x28/0x30 [kvm_intel]
      
        ...
      
        Call Trace:
         kvm_arch_vcpu_ioctl_run+0x863/0x1840 [kvm]
         kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
         do_vfs_ioctl+0x9f/0x5e0
         ksys_ioctl+0x66/0x70
         __x64_sys_ioctl+0x16/0x20
         do_syscall_64+0x49/0xf0
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 5af41573 (KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure)
      Fixes: 4f350c6d (kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)
      Cc: Jim Mattson <jmattson@google.com>
      Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim KrÄmář <rkrcmar@redhat.com>
      Cc: Wanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f35e2a68
    • K
      HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2 · 3d11fc93
      Kai-Heng Feng 提交于
      [ Upstream commit ce9d58d3eafcb2d452a69bdcc1c5f8b8ff640de5 ]
      
      Redragon Seymur 2 stops working since commit 190d7f02 ("HID: input:
      do not increment usages when a duplicate is found").
      
      Use quirk HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE suggested by the commit
      can solve the issue.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200995
      BugLink: https://bugs.launchpad.net/bugs/1793846Signed-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3d11fc93
    • R
      ACPI / SBS: Fix GPE storm on recent MacBookPro's · 1424b7fe
      Ronald Tschalär 提交于
      [ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ]
      
      On Apple machines, plugging-in or unplugging the power triggers a GPE
      for the EC. Since these machines expose an SBS device, this GPE ends
      up triggering the acpi_sbs_callback(). This in turn tries to get the
      status of the SBS charger. However, on MBP13,* and MBP14,* machines,
      performing the smbus-read operation to get the charger's status triggers
      the EC's GPE again. The result is an endless re-triggering and handling
      of that GPE, consuming significant CPU resources (> 50% in irq).
      
      In the end this is quite similar to commit 3031cdde (ACPI / SBS:
      Don't assume the existence of an SBS charger), except that on the above
      machines a status of all 1's is returned. And like there, we just want
      ignore the charger here.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169Signed-off-by: NRonald Tschalär <ronald@innovation.ch>
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1424b7fe
    • M
      usbip: fix vhci_hcd controller counting · 0d41c7b3
      Maciej Żenczykowski 提交于
      [ Upstream commit e0a2e73e501c77037c8756137e87b12c7c3c9793 ]
      
      Without this usbip fails on a machine with devices
      that lexicographically come after vhci_hcd.
      
      ie.
        $ ls -l /sys/devices/platform
        ...
        drwxr-xr-x. 4 root root    0 Sep 19 16:21 serial8250
        -rw-r--r--. 1 root root 4096 Sep 19 23:50 uevent
        drwxr-xr-x. 6 root root    0 Sep 20 13:15 vhci_hcd.0
        drwxr-xr-x. 4 root root    0 Sep 19 16:22 w83627hf.656
      
      Because it detects 'w83627hf.656' as another vhci_hcd controller,
      and then fails to be able to talk to it.
      
      Note: this doesn't actually fix usbip's support for multiple
      controllers... that's still broken for other reasons
      ("vhci_hcd.0" is hardcoded in a string macro), but is enough to
      actually make it work on the above machine.
      
      See also:
        https://bugzilla.redhat.com/show_bug.cgi?id=1631148
      
      Cc: Jonathan Dieter <jdieter@gmail.com>
      Cc: Valentina Manea <valentina.manea.m@gmail.com>
      Cc: Shuah Khan <shuah@kernel.org>
      Cc: linux-usb@vger.kernel.org
      Signed-off-by: NMaciej Żenczykowski <zenczykowski@gmail.com>
      Acked-by: NShuah Khan (Samsung OSG) <shuah@kernel.org>
      Tested-by: NJonathan Dieter <jdieter@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0d41c7b3
    • B
      ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms · 360186d8
      Bartlomiej Zolnierkiewicz 提交于
      [ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ]
      
      "S3C2410 PM Suspend Memory CRC" feature (controlled by
      SAMSUNG_PM_CHECK config option) is incompatible with highmem
      (uses phys_to_virt() instead of proper mapping) which is used by
      the majority of Exynos boards. The issue manifests itself in OOPS
      on affected boards, i.e. on Odroid-U3 I got the following one:
      
      Unable to handle kernel paging request at virtual address f0000000
      pgd = 1c0f9bb4
      [f0000000] *pgd=00000000
      Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      [<c0458034>] (crc32_le) from [<c0121f8c>] (s3c_pm_makecheck+0x34/0x54)
      [<c0121f8c>] (s3c_pm_makecheck) from [<c0121efc>] (s3c_pm_run_res+0x74/0x8c)
      [<c0121efc>] (s3c_pm_run_res) from [<c0121ecc>] (s3c_pm_run_res+0x44/0x8c)
      [<c0121ecc>] (s3c_pm_run_res) from [<c01210b8>] (exynos_suspend_enter+0x64/0x148)
      [<c01210b8>] (exynos_suspend_enter) from [<c018893c>] (suspend_devices_and_enter+0x9ec/0xe74)
      [<c018893c>] (suspend_devices_and_enter) from [<c0189534>] (pm_suspend+0x770/0xc04)
      [<c0189534>] (pm_suspend) from [<c0186ce8>] (state_store+0x6c/0xcc)
      [<c0186ce8>] (state_store) from [<c09db434>] (kobj_attr_store+0x14/0x20)
      [<c09db434>] (kobj_attr_store) from [<c02fa63c>] (sysfs_kf_write+0x4c/0x50)
      [<c02fa63c>] (sysfs_kf_write) from [<c02f97a4>] (kernfs_fop_write+0xfc/0x1e4)
      [<c02f97a4>] (kernfs_fop_write) from [<c027b198>] (__vfs_write+0x2c/0x140)
      [<c027b198>] (__vfs_write) from [<c027b418>] (vfs_write+0xa4/0x160)
      [<c027b418>] (vfs_write) from [<c027b5d8>] (ksys_write+0x40/0x8c)
      [<c027b5d8>] (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
      
      Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
      SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.
      Signed-off-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      360186d8
    • Y
      pinctrl: core: make sure strcmp() doesn't get a null parameter · 1475ce4f
      Yanjiang Jin 提交于
      [ Upstream commit 54a58185bfafb5af5045fb8388c45daa373f90f3 ]
      
      Some drivers, for example, QCOM's qdf2xxx, set groups[gpio].name only
      when gpio is valid, and leave invalid gpio names as null.
      If we want to access the sys node "pinconf-groups",
      pinctrl_get_group_selector() -> get_group_name() may return a null
      pointer if group_selector is invalid, then the below Kernel panic
      would happen since strcmp() uses this null pointer to do comparison.
      
       Unable to handle kernel NULL pointer dereference at ss 00000000
      el:Internal error: Oops: 9600000[ 143.080279]
      SMP
       CPU: 19 PID: 2493 Comm: read_all Tainted: G O
      .aarch64 #1
       Hardware name: HXT Semiconductor HXT REP-2 System
       PC is at strcmp+0x18/0x154
       LR is at pinctrl_get_group_selector+0x6c/0xe8
       Process read_all (pid: 2493, stack limit =
       Call trace:
       Exception stack
        strcmp+0x18/0x154
        pin_config_group_get+0x64/0xd8
        pinconf_generic_dump_one+0xd8/0x1c0
        pinconf_generic_dump_pins+0x94/0xc8
        pinconf_groups_show+0xb4/0x104
        seq_read+0x178/0x464
        full_proxy_read+0x6c/0xac
        __vfs_read+0x58/0x178
        vfs_read+0x94/0x164
        SyS_read+0x60/0xc0
        __sys_trace_return+0x0/0x4
       --[ end trace]--
       Kernel panic - not syncing: Fatal exception
      Signed-off-by: NYanjiang Jin <yanjiang.jin@hxt-semitech.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1475ce4f
    • J
      HID: i2c-hid: override HID descriptors for certain devices · 8e271100
      Julian Sax 提交于
      [ Upstream commit 9ee3e06610fdb8a601cde59c92089fb6c1deb4aa ]
      
      A particular touchpad (SIPODEV SP1064) refuses to supply the HID
      descriptors. This patch provides the framework for overriding these
      descriptors based on DMI data. It also includes the descriptors for
      said touchpad, which were extracted by listening to the traffic of the
      windows filter driver, as well as the DMI data for the laptops known
      to use this device.
      
      Relevant Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1526312
      
      Cc: Hans de Goede <hdegoede@redhat.com>
      Reported-and-tested-by: ahormann@gmx.net
      Reported-and-tested-by: NBruno Jesus <bruno.fl.jesus@gmail.com>
      Reported-and-tested-by: NDietrich <enaut.w@googlemail.com>
      Reported-and-tested-by: kloxdami@yahoo.com
      Signed-off-by: NJulian Sax <jsbc@gmx.de>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8e271100
    • M
      Bluetooth: Fix debugfs NULL pointer dereference · 09b6c080
      Matias Karhumaa 提交于
      [ Upstream commit 30d65e0804d58a03d1a8ea4e12c6fc07ed08218b ]
      
      Fix crash caused by NULL pointer dereference when debugfs functions
      le_max_key_read, le_max_key_size_write, le_min_key_size_read or
      le_min_key_size_write and Bluetooth adapter was powered off.
      
      Fix is to move max_key_size and min_key_size from smp_dev to hci_dev.
      At the same time they were renamed to le_max_key_size and
      le_min_key_size.
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000002e8
      PGD 0 P4D 0
      Oops: 0000 [#24] SMP PTI
      CPU: 2 PID: 6255 Comm: cat Tainted: G      D    OE     4.18.9-200.fc28.x86_64 #1
      Hardware name: LENOVO 4286CTO/4286CTO, BIOS 8DET76WW (1.46 ) 06/21/2018
      RIP: 0010:le_max_key_size_read+0x45/0xb0 [bluetooth]
      Code: 00 00 00 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 48 8b 87 c8 00 00 00 48 8d 7c 24 04 48 8b 80 48 0a 00 00 <48> 8b 80 e8 02 00 00 0f b6 48 52 e8 fb b6 b3 ed be 04 00 00 00 48
      RSP: 0018:ffffab23c3ff3df0 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 00007f0b4ca2e000 RCX: ffffab23c3ff3f08
      RDX: ffffffffc0ddb033 RSI: 0000000000000004 RDI: ffffab23c3ff3df4
      RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
      R10: ffffab23c3ff3ed8 R11: 0000000000000000 R12: ffffab23c3ff3f08
      R13: 00007f0b4ca2e000 R14: 0000000000020000 R15: ffffab23c3ff3f08
      FS:  00007f0b4ca0f540(0000) GS:ffff91bd5e280000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000000002e8 CR3: 00000000629fa006 CR4: 00000000000606e0
      Call Trace:
       full_proxy_read+0x53/0x80
       __vfs_read+0x36/0x180
       vfs_read+0x8a/0x140
       ksys_read+0x4f/0xb0
       do_syscall_64+0x5b/0x160
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NMatias Karhumaa <matias.karhumaa@gmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      09b6c080
    • B
      media: au0828: cannot kfree dev before usb disconnect · 6496b963
      Brad Love 提交于
      [ Upstream commit 4add7104919f9e94e0db03e234caeadbfcc02ea9 ]
      
      If au0828_analog_register fails, the dev is kfree'd and then flow
      jumps to done, which can call au0828_usb_disconnect. Since all USB
      error codes are negative, au0828_usb_disconnect will be called. The
      problem is au0828_usb_disconnect uses dev, if dev is NULL then there
      is immediate oops encountered.
      
      [    7.454307] au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
      [    7.454323] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      [    7.454421] PGD 0 P4D 0
      [    7.454457] Oops: 0002 [#1] SMP PTI
      [    7.454500] CPU: 1 PID: 262 Comm: systemd-udevd Tainted: P           O      4.18.3 #1
      [    7.454584] Hardware name: Google Panther/Panther, BIOS MattDevo 04/27/2015
      [    7.454670] RIP: 0010:_raw_spin_lock_irqsave+0x2c/0x50
      [    7.454725] Code: 44 00 00 55 48 89 e5 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 e8 db 23 1b ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 85 c0 75 08 4c 89 e0 5b 41 5c 5d c3 89 c6 48 89 df e8
      [    7.455004] RSP: 0018:ffff9130f53ef988 EFLAGS: 00010046
      [    7.455063] RAX: 0000000000000000 RBX: 0000000000000050 RCX: 0000000000000000
      [    7.455139] RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000050
      [    7.455216] RBP: ffff9130f53ef998 R08: 0000000000000018 R09: 0000000000000090
      [    7.455292] R10: ffffed4cc53cb000 R11: ffffed4cc53cb108 R12: 0000000000000082
      [    7.455369] R13: ffff9130cf2c6188 R14: 0000000000000000 R15: 0000000000000018
      [    7.455447] FS:  00007f2ff8514cc0(0000) GS:ffff9130fcb00000(0000) knlGS:0000000000000000
      [    7.455535] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    7.455597] CR2: 0000000000000050 CR3: 00000001753f0002 CR4: 00000000000606a0
      [    7.455675] Call Trace:
      [    7.455713]  __wake_up_common_lock+0x65/0xc0
      [    7.455764]  __wake_up+0x13/0x20
      [    7.455808]  ir_lirc_unregister+0x57/0xe0 [rc_core]
      [    7.455865]  rc_unregister_device+0xa0/0xc0 [rc_core]
      [    7.455935]  au0828_rc_unregister+0x25/0x40 [au0828]
      [    7.455999]  au0828_usb_disconnect+0x33/0x80 [au0828]
      [    7.456064]  au0828_usb_probe.cold.16+0x8d/0x2aa [au0828]
      [    7.456130]  usb_probe_interface+0xf1/0x300
      [    7.456184]  driver_probe_device+0x2e3/0x460
      [    7.456235]  __driver_attach+0xe4/0x110
      [    7.456282]  ? driver_probe_device+0x460/0x460
      [    7.456335]  bus_for_each_dev+0x74/0xb0
      [    7.456385]  ? kmem_cache_alloc_trace+0x15d/0x1d0
      [    7.456441]  driver_attach+0x1e/0x20
      [    7.456485]  bus_add_driver+0x159/0x230
      [    7.456532]  driver_register+0x70/0xc0
      [    7.456578]  usb_register_driver+0x7f/0x140
      [    7.456626]  ? 0xffffffffc0474000
      [    7.456674]  au0828_init+0xbc/0x1000 [au0828]
      [    7.456725]  do_one_initcall+0x4a/0x1c9
      [    7.456771]  ? _cond_resched+0x19/0x30
      [    7.456817]  ? kmem_cache_alloc_trace+0x15d/0x1d0
      [    7.456873]  do_init_module+0x60/0x210
      [    7.456918]  load_module+0x221b/0x2710
      [    7.456966]  ? vfs_read+0xf5/0x120
      [    7.457010]  __do_sys_finit_module+0xbd/0x120
      [    7.457061]  ? __do_sys_finit_module+0xbd/0x120
      [    7.457115]  __x64_sys_finit_module+0x1a/0x20
      [    7.457166]  do_syscall_64+0x5b/0x110
      [    7.457210]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: NBrad Love <brad@nextdimension.cc>
      Signed-off-by: NHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6496b963
    • N
      powerpc/pseries: Remove prrn_work workqueue · 6947d853
      Nathan Fontenot 提交于
      [ Upstream commit cd24e457fd8b2d087d9236700c8d2957054598bf ]
      
      When a PRRN event is received we are already running in a worker
      thread. Instead of spawning off another worker thread on the prrn_work
      workqueue to handle the PRRN event we can just call the PRRN handler
      routine directly.
      
      With this update we can also pass the scope variable for the PRRN
      event directly to the handler instead of it being a global variable.
      
      This patch fixes the following oops mnessage we are seeing in PRRN testing:
      
        Oops: Bad kernel stack pointer, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
        Supported: Yes, External                                                     54
        CPU: 7 PID: 18967 Comm: kworker/u96:0 Tainted: G                 X 4.4.126-94.22-default #1
        Workqueue: pseries hotplug workque pseries_hp_work_fn
        task: c000000775367790 ti: c00000001ebd4000 task.ti: c00000070d140000
        NIP: 0000000000000000 LR: 000000001fb3d050 CTR: 0000000000000000
        REGS: c00000001ebd7d40 TRAP: 0700   Tainted: G                 X  (4.4.126-94.22-default)
        MSR: 8000000102081000 <41,VEC,ME5  CR: 28000002  XER: 20040018   4
        CFAR: 000000001fb3d084 40 419   1                                3
        GPR00: 000000000000000040000000000010007 000000001ffff400 000000041fffe200
        GPR04: 000000000000008050000000000000000 000000001fb15fa8 0000000500000500
        GPR08: 000000000001f40040000000000000001 0000000000000000 000005:5200040002
        GPR12: 00000000000000005c000000007a05400 c0000000000e89f8 000000001ed9f668
        GPR16: 000000001fbeff944000000001fbeff94 000000001fb545e4 0000006000000060
        GPR20: ffffffffffffffff4ffffffffffffffff 0000000000000000 0000000000000000
        GPR24: 00000000000000005400000001fb3c000 0000000000000000 000000001fb1b040
        GPR28: 000000001fb240004000000001fb440d8 0000000000000008 0000000000000000
        NIP [0000000000000000] 5         (null)
        LR [000000001fb3d050] 031fb3d050
        Call Trace:            4
        Instruction dump:      4                                       5:47 12    2
        XXXXXXXX XXXXXXXX XXXXX4XX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXX5XX XXXXXXXX 60000000 60000000 60000000 60000000
        ---[ end trace aa5627b04a7d9d6b ]---                                       3NMI watchdog: BUG: soft lockup - CPU#27 stuck for 23s! [kworker/27:0:13903]
        Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
        Supported: Yes, External
        CPU: 27 PID: 13903 Comm: kworker/27:0 Tainted: G      D          X 4.4.126-94.22-default #1
        Workqueue: events prrn_work_fn
        task: c000000747cfa390 ti: c00000074712c000 task.ti: c00000074712c000
        NIP: c0000000008002a8 LR: c000000000090770 CTR: 000000000032e088
        REGS: c00000074712f7b0 TRAP: 0901   Tainted: G      D          X  (4.4.126-94.22-default)
        MSR: 8000000100009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 22482044  XER: 20040000
        CFAR: c0000000008002c4 SOFTE: 1
        GPR00: c000000000090770 c00000074712fa30 c000000000f09800 c000000000fa1928 6:02
        GPR04: c000000775f5e000 fffffffffffffffe 0000000000000001 c000000000f42db8
        GPR08: 0000000000000001 0000000080000007 0000000000000000 0000000000000000
        GPR12: 8006210083180000 c000000007a14400
        NIP [c0000000008002a8] _raw_spin_lock+0x68/0xd0
        LR [c000000000090770] mobility_rtas_call+0x50/0x100
        Call Trace:            59                                        5
        [c00000074712fa60] [c000000000090770] mobility_rtas_call+0x50/0x100
        [c00000074712faf0] [c000000000090b08] pseries_devicetree_update+0xf8/0x530
        [c00000074712fc20] [c000000000031ba4] prrn_work_fn+0x34/0x50
        [c00000074712fc40] [c0000000000e0390] process_one_work+0x1a0/0x4e0
        [c00000074712fcd0] [c0000000000e0870] worker_thread+0x1a0/0x6105:57       2
        [c00000074712fd80] [c0000000000e8b18] kthread+0x128/0x150
        [c00000074712fe30] [c0000000000096f8] ret_from_kernel_thread+0x5c/0x64
        Instruction dump:
        2c090000 40c20010 7d40192d 40c2fff0 7c2004ac 2fa90000 40de0018 5:540030   3
        e8010010 ebe1fff8 7c0803a6 4e800020 <7c210b78> e92d0000 89290009 792affe3
      Signed-off-by: NJohn Allen <jallen@linux.ibm.com>
      Signed-off-by: NHaren Myneni <haren@us.ibm.com>
      Signed-off-by: NNathan Fontenot <nfont@linux.vnet.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6947d853
    • M
      serial: uartps: console_setup() can't be placed to init section · 7863304b
      Michal Simek 提交于
      [ Upstream commit 4bb1ce2350a598502b23088b169e16b43d4bc639 ]
      
      When console device is rebinded, console_setup() is called again.
      But marking it as __init means that function will be clear after boot is
      complete. If console device is binded again console_setup() is not found
      and error "Unable to handle kernel paging request at virtual address"
      is reported.
      Signed-off-by: NMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7863304b
    • P
      netfilter: xt_cgroup: shrink size of v2 path · 1f2b1c6a
      Pablo Neira Ayuso 提交于
      [ Upstream commit 0d704967f4a49cc2212350b3e4a8231f8b4283ed ]
      
      cgroup v2 path field is PATH_MAX which is too large, this is placing too
      much pressure on memory allocation for people with many rules doing
      cgroup v1 classid matching, side effects of this are bug reports like:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200639
      
      This patch registers a new revision that shrinks the cgroup path to 512
      bytes, which is the same approach we follow in similar extensions that
      have a path field.
      
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: NTejun Heo <tj@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1f2b1c6a
    • C
      f2fs: fix to do sanity check with current segment number · 14b18321
      Chao Yu 提交于
      [ Upstream commit 042be0f849e5fc24116d0afecfaf926eed5cac63 ]
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200219
      
      Reproduction way:
      - mount image
      - run poc code
      - umount image
      
      F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
      ------------[ cut here ]------------
      kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
      invalid opcode: 0000 [#1] PREEMPT SMP
      CPU: 2 PID: 17686 Comm: umount Tainted: G        W  O      4.18.0-rc2+ #39
      Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      EIP: update_sit_entry+0x459/0x4e0 [f2fs]
      Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44
      EAX: 00000032 EBX: 000000f8 ECX: 00000002 EDX: 00000001
      ESI: d7177000 EDI: f520fe68 EBP: d6477c6c ESP: d6477c34
      DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
      CR0: 80050033 CR2: b7fbe000 CR3: 2a99b3c0 CR4: 000406f0
      Call Trace:
       f2fs_allocate_data_block+0x124/0x580 [f2fs]
       do_write_page+0x78/0x150 [f2fs]
       f2fs_do_write_node_page+0x25/0xa0 [f2fs]
       __write_node_page+0x2bf/0x550 [f2fs]
       f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
       ? sync_inode_metadata+0x2f/0x40
       ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
       ? up_write+0x1e/0x80
       f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
       ? mark_held_locks+0x5d/0x80
       ? _raw_spin_unlock_irq+0x27/0x50
       kill_f2fs_super+0x68/0x90 [f2fs]
       deactivate_locked_super+0x3d/0x70
       deactivate_super+0x40/0x60
       cleanup_mnt+0x39/0x70
       __cleanup_mnt+0x10/0x20
       task_work_run+0x81/0xa0
       exit_to_usermode_loop+0x59/0xa7
       do_fast_syscall_32+0x1f5/0x22c
       entry_SYSENTER_32+0x53/0x86
      EIP: 0xb7f95c51
      Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
      EAX: 00000000 EBX: 0871ab90 ECX: bfb2cd00 EDX: 00000000
      ESI: 00000000 EDI: 0871ab90 EBP: 0871ab90 ESP: bfb2cd7c
      DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
      Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
      ---[ end trace d423f83982cfcdc5 ]---
      
      The reason is, different log headers using the same segment, once
      one log's next block address is used by another log, it will cause
      panic as above.
      
      Main area: 24 segs, 24 secs 24 zones
        - COLD  data: 0, 0, 0
        - WARM  data: 1, 1, 1
        - HOT   data: 20, 20, 20
        - Dir   dnode: 22, 22, 22
        - File   dnode: 22, 22, 22
        - Indir nodes: 21, 21, 21
      
      So this patch adds sanity check to detect such condition to avoid
      this issue.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      14b18321
    • R
      ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx() · 7fcce182
      Rohit kumar 提交于
      [ Upstream commit ae7d1247d8673ebfd686b17e759d4be391165368 ]
      
      In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
      if the result of (min + max) is negative, then fls() returns
      signed integer with value as 32. This leads to signed integer
      overflow as complete operation is considered as signed integer.
      
      UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
      signed integer overflow:
      -2147483648 - 1 cannot be represented in type 'int'
      Call trace:
      [<ffffff852f746fe4>] __dump_stack lib/dump_stack.c:15 [inline]
      [<ffffff852f746fe4>] dump_stack+0xec/0x158 lib/dump_stack.c:51
      [<ffffff852f7b5f3c>] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
      [<ffffff852f7b6840>] handle_overflow+0xf8/0x130 lib/ubsan.c:195
      [<ffffff852f7b68f0>] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
      [<ffffff85307971a0>] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382
      
      Typecast the operation to unsigned int to fix the issue.
      Signed-off-by: NRohit kumar <rohitkr@codeaurora.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7fcce182
    • D
      9p locks: add mount option for lock retry interval · 4369f8a3
      Dinu-Razvan Chis-Serban 提交于
      [ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ]
      
      The default P9_LOCK_TIMEOUT can be too long for some users exporting
      a local file system to a guest VM (30s), make this configurable at
      mount time.
      
      Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727Signed-off-by: NDinu-Razvan Chis-Serban <justcsdr@gmail.com>
      Signed-off-by: NDominique Martinet <dominique.martinet@cea.fr>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4369f8a3
    • G
      9p: do not trust pdu content for stat item size · db77c789
      Gertjan Halkes 提交于
      [ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ]
      
      v9fs_dir_readdir() could deadloop if a struct was sent with a size set
      to -2
      
      Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021Signed-off-by: NGertjan Halkes <gertjan@google.com>
      Signed-off-by: NDominique Martinet <dominique.martinet@cea.fr>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      db77c789
    • C
      f2fs: fix to avoid NULL pointer dereference on se->discard_map · f9368366
      Chao Yu 提交于
      [ Upstream commit 7d20c8abb2edcf962ca857d51f4d0f9cd4b19053 ]
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200951
      
      These is a NULL pointer dereference issue reported in bugzilla:
      
      Hi,
      in the setup there is a SATA SSD connected to a SATA-to-USB bridge.
      
      The disc is "Samsung SSD 850 PRO 256G" which supports TRIM.
      There are four partitions:
       sda1: FAT  /boot
       sda2: F2FS /
       sda3: F2FS /home
       sda4: F2FS
      
      The bridge is ASMT1153e which uses the "uas" driver.
      There is no TRIM pass-through, so, when mounting it reports:
       mounting with "discard" option, but the device does not support discard
      
      The USB host is USB3.0 and UASP capable. It is the one on RK3399.
      
      Given this everything works fine, except there is no TRIM support.
      
      In order to enable TRIM a new UDEV rule is added [1]:
       /etc/udev/rules.d/10-sata-bridge-trim.rules:
       ACTION=="add|change", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
      After reboot any F2FS write hangs forever and dmesg reports:
       Unable to handle kernel NULL pointer dereference
      
      Also tested on a x86_64 system: works fine even with TRIM enabled.
       same disc
       same bridge
       different usb host controller
       different cpu architecture
       not root filesystem
      
      Regards,
        Vicenç.
      
      [1] Post #5 in https://bbs.archlinux.org/viewtopic.php?id=236280
      
       Unable to handle kernel NULL pointer dereference at virtual address 000000000000003e
       Mem abort info:
         ESR = 0x96000004
         Exception class = DABT (current EL), IL = 32 bits
         SET = 0, FnV = 0
         EA = 0, S1PTW = 0
       Data abort info:
         ISV = 0, ISS = 0x00000004
         CM = 0, WnR = 0
       user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000626e3122
       [000000000000003e] pgd=0000000000000000
       Internal error: Oops: 96000004 [#1] SMP
       Modules linked in: overlay snd_soc_hdmi_codec rc_cec dw_hdmi_i2s_audio dw_hdmi_cec snd_soc_simple_card snd_soc_simple_card_utils snd_soc_rockchip_i2s rockchip_rga snd_soc_rockchip_pcm rockchipdrm videobuf2_dma_sg v4l2_mem2mem rtc_rk808 videobuf2_memops analogix_dp videobuf2_v4l2 videobuf2_common dw_hdmi dw_wdt cec rc_core videodev drm_kms_helper media drm rockchip_thermal rockchip_saradc realtek drm_panel_orientation_quirks syscopyarea sysfillrect sysimgblt fb_sys_fops dwmac_rk stmmac_platform stmmac pwm_bl squashfs loop crypto_user gpio_keys hid_kensington
       CPU: 5 PID: 957 Comm: nvim Not tainted 4.19.0-rc1-1-ARCH #1
       Hardware name: Sapphire-RK3399 Board (DT)
       pstate: 00000005 (nzcv daif -PAN -UAO)
       pc : update_sit_entry+0x304/0x4b0
       lr : update_sit_entry+0x108/0x4b0
       sp : ffff00000ca13bd0
       x29: ffff00000ca13bd0 x28: 000000000000003e
       x27: 0000000000000020 x26: 0000000000080000
       x25: 0000000000000048 x24: ffff8000ebb85cf8
       x23: 0000000000000253 x22: 00000000ffffffff
       x21: 00000000000535f2 x20: 00000000ffffffdf
       x19: ffff8000eb9e6800 x18: ffff8000eb9e6be8
       x17: 0000000007ce6926 x16: 000000001c83ffa8
       x15: 0000000000000000 x14: ffff8000f602df90
       x13: 0000000000000006 x12: 0000000000000040
       x11: 0000000000000228 x10: 0000000000000000
       x9 : 0000000000000000 x8 : 0000000000000000
       x7 : 00000000000535f2 x6 : ffff8000ebff3440
       x5 : ffff8000ebff3440 x4 : ffff8000ebe3a6c8
       x3 : 00000000ffffffff x2 : 0000000000000020
       x1 : 0000000000000000 x0 : ffff8000eb9e5800
       Process nvim (pid: 957, stack limit = 0x0000000063a78320)
       Call trace:
        update_sit_entry+0x304/0x4b0
        f2fs_invalidate_blocks+0x98/0x140
        truncate_node+0x90/0x400
        f2fs_remove_inode_page+0xe8/0x340
        f2fs_evict_inode+0x2b0/0x408
        evict+0xe0/0x1e0
        iput+0x160/0x260
        do_unlinkat+0x214/0x298
        __arm64_sys_unlinkat+0x3c/0x68
        el0_svc_handler+0x94/0x118
        el0_svc+0x8/0xc
       Code: f9400800 b9488400 36080140 f9400f01 (387c4820)
       ---[ end trace a0f21a307118c477 ]---
      
      The reason is it is possible to enable discard flag on block queue via
      UDEV, but during mount, f2fs will initialize se->discard_map only if
      this flag is set, once the flag is set after mount, f2fs may dereference
      NULL pointer on se->discard_map.
      
      So this patch does below changes to fix this issue:
      - initialize and update se->discard_map all the time.
      - don't clear DISCARD option if device has no QUEUE_FLAG_DISCARD flag
      during mount.
      - don't issue small discard on zoned block device.
      - introduce some functions to enhance the readability.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Tested-by: NVicente Bergas <vicencb@gmail.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f9368366
    • S
      rsi: improve kernel thread handling to fix kernel panic · de1fd69b
      Siva Rebbagondla 提交于
      [ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]
      
      While running regressions, observed below kernel panic when sdio disconnect
      called. This is because of, kthread_stop() is taking care of
      wait_for_completion() by default. When wait_for_completion triggered
      in kthread_stop and as it was done already, giving kernel panic.
      Hence, removing redundant wait_for_completion() from rsi_kill_thread().
      
      ... skipping ...
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff810a63df>] exit_creds+0x1f/0x50
      PGD 0
      Oops: 0002 [#1] SMP
      CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
      Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
      Stack:
      ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
      ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
      ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
      Call Trace:
      [<ffffffff8108160a>] __put_task_struct+0x5a/0x140
      [<ffffffff810a484b>] kthread_stop+0x10b/0x110
      [<ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
      [<ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
      [<ffffffff816f0918>] sdio_bus_remove+0x38/0x100
      [<ffffffff8156cc64>] __device_release_driver+0xa4/0x150
      [<ffffffff8156d7a5>] driver_detach+0xb5/0xc0
      [<ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
      [<ffffffff8156dfbc>] driver_unregister+0x2c/0x50
      [<ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
      [<ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
      [<ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
      [<ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
      Signed-off-by: NSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      de1fd69b
    • R
      gpio: pxa: handle corner case of unprobed device · 93b7c722
      Robert Jarzmik 提交于
      [ Upstream commit 9ce3ebe973bf4073426f35f282c6b955ed802765 ]
      
      In the corner case where the gpio driver probe fails, for whatever
      reason, the suspend and resume handlers will still be called as they
      have to be registered as syscore operations. This applies as well when
      no probe was called while the driver has been built in the kernel.
      
      Nicolas tracked this in :
      https://bugzilla.kernel.org/show_bug.cgi?id=200905
      
      Therefore, add a failsafe in these function, and test if a proper probe
      succeeded and the driver is functional.
      Signed-off-by: NRobert Jarzmik <robert.jarzmik@free.fr>
      Reported-by: NNicolas Chauvet <kwizart@gmail.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      93b7c722
    • T
      drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up · 13cc3e6b
      Thomas Zimmermann 提交于
      [ Upstream commit abf7b30d7f61d981bfcca65d1e8331b27021b475 ]
      
      In the Cirrus driver, the regular clean-up code also performs the clean-up
      of a failed initialization. If the fbdev's framebuffer was not initialized,
      the clean-up will fail within drm_framebuffer_unregister_private. Booting
      with cirrus.bpp=16 triggers this bug.
      
      The framebuffer is currently stored directly within struct cirrus_fbdev. To
      fix the bug, we turn it into a pointer that is only set for initialized
      framebuffers. The fbdev's clean-up code skips uninitialized framebuffers.
      
      The memory for struct drm_framebuffer is allocated dynamically. This requires
      additional error handling within cirrusfb_create. The framebuffer clean-up is
      now performed by drm_framebuffer_put, which also frees the data strcuture's
      memory.
      
      Link: https://bugzilla.suse.com/show_bug.cgi?id=1101822Signed-off-by: NThomas Zimmermann <tzimmermann@suse.de>
      Link: http://patchwork.freedesktop.org/patch/msgid/20180720112743.27159-1-tzimmermann@suse.deSigned-off-by: NGerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      13cc3e6b
    • D
      ext4: prohibit fstrim in norecovery mode · 6fd66bec
      Darrick J. Wong 提交于
      [ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]
      
      The ext4 fstrim implementation uses the block bitmaps to find free space
      that can be discarded.  If we haven't replayed the journal, the bitmaps
      will be stale and we absolutely *cannot* use stale metadata to zap the
      underlying storage.
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6fd66bec
    • K
      x86/gart: Exclude GART aperture from kcore · 83e3e89d
      Kairui Song 提交于
      [ Upstream commit ffc8599aa9763f39f6736a79da4d1575e7006f9a ]
      
      On machines where the GART aperture is mapped over physical RAM,
      /proc/kcore contains the GART aperture range. Accessing the GART range via
      /proc/kcore results in a kernel crash.
      
      vmcore used to have the same issue, until it was fixed with commit
      2a3e83c6 ("x86/gart: Exclude GART aperture from vmcore")', leveraging
      existing hook infrastructure in vmcore to let /proc/vmcore return zeroes
      when attempting to read the aperture region, and so it won't read from the
      actual memory.
      
      Apply the same workaround for kcore. First implement the same hook
      infrastructure for kcore, then reuse the hook functions introduced in the
      previous vmcore fix. Just with some minor adjustment, rename some functions
      for more general usage, and simplify the hook infrastructure a bit as there
      is no module usage yet.
      Suggested-by: NBaoquan He <bhe@redhat.com>
      Signed-off-by: NKairui Song <kasong@redhat.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NJiri Bohac <jbohac@suse.cz>
      Acked-by: NBaoquan He <bhe@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Omar Sandoval <osandov@fb.com>
      Cc: Dave Young <dyoung@redhat.com>
      Link: https://lkml.kernel.org/r/20190308030508.13548-1-kasong@redhat.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      83e3e89d
    • S
      fix incorrect error code mapping for OBJECTID_NOT_FOUND · 40276e4e
      Steve French 提交于
      [ Upstream commit 85f9987b236cf46e06ffdb5c225cf1f3c0acb789 ]
      
      It was mapped to EIO which can be confusing when user space
      queries for an object GUID for an object for which the server
      file system doesn't support (or hasn't saved one).
      
      As Amir Goldstein suggested this is similar to ENOATTR
      (equivalently ENODATA in Linux errno definitions) so
      changing NT STATUS code mapping for OBJECTID_NOT_FOUND
      to ENODATA.
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      CC: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      40276e4e
    • N
      x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error · 777cd268
      Nathan Chancellor 提交于
      [ Upstream commit e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 ]
      
      When building with -Wsometimes-uninitialized, Clang warns:
      
      arch/x86/kernel/hw_breakpoint.c:355:2: warning: variable 'align' is used
      uninitialized whenever switch default is taken
      [-Wsometimes-uninitialized]
      
      The default cannot be reached because arch_build_bp_info() initializes
      hw->len to one of the specified cases. Nevertheless the warning is valid
      and returning -EINVAL makes sure that this cannot be broken by future
      modifications.
      Suggested-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: clang-built-linux@googlegroups.com
      Link: https://github.com/ClangBuiltLinux/linux/issues/392
      Link: https://lkml.kernel.org/r/20190307212756.4648-1-natechancellor@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      777cd268
    • L
      iommu/vt-d: Check capability before disabling protected memory · cff04fad
      Lu Baolu 提交于
      [ Upstream commit 5bb71fc790a88d063507dc5d445ab8b14e845591 ]
      
      The spec states in 10.4.16 that the Protected Memory Enable
      Register should be treated as read-only for implementations
      not supporting protected memory regions (PLMR and PHMR fields
      reported as Clear in the Capability register).
      
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: mark gross <mgross@intel.com>
      Suggested-by: NAshok Raj <ashok.raj@intel.com>
      Fixes: f8bab735 ("intel-iommu: PMEN support")
      Signed-off-by: NLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cff04fad
    • Y
      drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure · 181117a1
      YueHaibing 提交于
      [ Upstream commit 909e9c9c428376e2a43d178ed4b0a2d5ba9cb7d3 ]
      
      pm_runtime_get_sync returns negative on failure.
      
      Fixes: eaeb9010 ("drm/nouveau/debugfs: Wake up GPU before doing any reclocking")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      181117a1
    • M
      x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors · 276084f0
      Matthew Whitehead 提交于
      [ Upstream commit 18fb053f9b827bd98cfc64f2a35df8ab19745a1d ]
      
      There are comments in processor-cyrix.h advising you to _not_ make calls
      using the deprecated macros in this style:
      
        setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80);
      
      This is because it expands the macro into a non-functioning calling
      sequence. The calling order must be:
      
        outb(CX86_CCR2, 0x22);
        inb(0x23);
      
      From the comments:
      
       * When using the old macros a line like
       *   setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
       * gets expanded to:
       *  do {
       *    outb((CX86_CCR2), 0x22);
       *    outb((({
       *        outb((CX86_CCR2), 0x22);
       *        inb(0x23);
       *    }) | 0x88), 0x23);
       *  } while (0);
      
      The new macros fix this problem, so use them instead. Tested on an
      actual Geode processor.
      Signed-off-by: NMatthew Whitehead <tedheadster@gmail.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: luto@kernel.org
      Link: https://lkml.kernel.org/r/1552596361-8967-2-git-send-email-tedheadster@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      276084f0
    • K
      x86/hyperv: Prevent potential NULL pointer dereference · 16dab291
      Kangjie Lu 提交于
      [ Upstream commit 534c89c22e26b183d838294f0937ee092c82ad3a ]
      
      The page allocation in hv_cpu_init() can fail, but the code does not
      have a check for that.
      
      Add a check and return -ENOMEM when the allocation fails.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
      Acked-by: N"K. Y. Srinivasan" <kys@microsoft.com>
      Cc: pakki001@umn.edu
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: linux-hyperv@vger.kernel.org
      Link: https://lkml.kernel.org/r/20190314054651.1315-1-kjlu@umn.eduSigned-off-by: NSasha Levin <sashal@kernel.org>
      16dab291