1. 16 9月, 2019 40 次提交
    • S
      powerpc/mm: Limit rma_size to 1TB when running without HV mode · c4fc7cb9
      Suraj Jitindar Singh 提交于
      [ Upstream commit da0ef93310e67ae6902efded60b6724dab27a5d1 ]
      
      The virtual real mode addressing (VRMA) mechanism is used when a
      partition is using HPT (Hash Page Table) translation and performs real
      mode accesses (MSR[IR|DR] = 0) in non-hypervisor mode. In this mode
      effective address bits 0:23 are treated as zero (i.e. the access is
      aliased to 0) and the access is performed using an implicit 1TB SLB
      entry.
      
      The size of the RMA (Real Memory Area) is communicated to the guest as
      the size of the first memory region in the device tree. And because of
      the mechanism described above can be expected to not exceed 1TB. In
      the event that the host erroneously represents the RMA as being larger
      than 1TB, guest accesses in real mode to memory addresses above 1TB
      will be aliased down to below 1TB. This means that a memory access
      performed in real mode may differ to one performed in virtual mode for
      the same memory address, which would likely have unintended
      consequences.
      
      To avoid this outcome have the guest explicitly limit the size of the
      RMA to the current maximum, which is 1TB. This means that even if the
      first memory block is larger than 1TB, only the first 1TB should be
      accessed in real mode.
      
      Fixes: c610d65c ("powerpc/pseries: lift RTAS limit for hash")
      Cc: stable@vger.kernel.org # v4.16+
      Signed-off-by: NSuraj Jitindar Singh <sjitindarsingh@gmail.com>
      Tested-by: NSatheesh Rajendran <sathnaga@linux.vnet.ibm.com>
      Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20190710052018.14628-1-sjitindarsingh@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      c4fc7cb9
    • T
      ALSA: hda - Fix intermittent CORB/RIRB stall on Intel chips · 5b9a6ba9
      Takashi Iwai 提交于
      [ Upstream commit 2756d9143aa517b97961e85412882b8ce31371a6 ]
      
      It turned out that the recent Intel HD-audio controller chips show a
      significant stall during the system PM resume intermittently.  It
      doesn't happen so often and usually it may read back successfully
      after one or more seconds, but in some rare worst cases the driver
      went into fallback mode.
      
      After trial-and-error, we found out that the communication stall seems
      covered by issuing the sync after each verb write, as already done for
      AMD and other chipsets.  So this patch enables the write-sync flag for
      the recent Intel chips, Skylake and onward, as a workaround.
      
      Also, since Broxton and co have the very same driver flags as Skylake,
      refer to the Skylake driver flags instead of defining the same
      contents again for simplification.
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201901Reported-and-tested-by: NTodd Brandt <todd.e.brandt@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5b9a6ba9
    • S
      drm/panel: Add support for Armadeus ST0700 Adapt · 87c36921
      Sébastien Szymanski 提交于
      [ Upstream commit c479450f61c7f1f248c9a54aedacd2a6ca521ff8 ]
      
      This patch adds support for the Armadeus ST0700 Adapt. It comes with a
      Santek ST0700I5Y-RBSLW 7.0" WVGA (800x480) TFT and an adapter board so
      that it can be connected on the TFT header of Armadeus Dev boards.
      
      Cc: stable@vger.kernel.org # v4.19
      Reviewed-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NSébastien Szymanski <sebastien.szymanski@armadeus.com>
      Signed-off-by: NSam Ravnborg <sam@ravnborg.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190507152713.27494-1-sebastien.szymanski@armadeus.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      87c36921
    • M
      dm thin metadata: check if in fail_io mode when setting needs_check · ecf99cde
      Mike Snitzer 提交于
      [ Upstream commit 54fa16ee532705985e6c946da455856f18f63ee1 ]
      
      Check if in fail_io mode at start of dm_pool_metadata_set_needs_check().
      Otherwise dm_pool_metadata_set_needs_check()'s superblock_lock() can
      crash in dm_bm_write_lock() while accessing the block manager object
      that was previously destroyed as part of a failed
      dm_pool_abort_metadata() that ultimately set fail_io to begin with.
      
      Also, update DMERR() message to more accurately describe
      superblock_lock() failure.
      
      Cc: stable@vger.kernel.org
      Reported-by: NZdenek Kabelac <zkabelac@redhat.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ecf99cde
    • N
      pstore: Fix double-free in pstore_mkfile() failure path · 5e9a2ce6
      Norbert Manthey 提交于
      [ Upstream commit 4c6d80e1144bdf48cae6b602ae30d41f3e5c76a9 ]
      
      The pstore_mkfile() function is passed a pointer to a struct
      pstore_record. On success it consumes this 'record' pointer and
      references it from the created inode.
      
      On failure, however, it may or may not free the record. There are even
      two different code paths which return -ENOMEM -- one of which does and
      the other doesn't free the record.
      
      Make the behaviour deterministic by never consuming and freeing the
      record when returning failure, allowing the caller to do the cleanup
      consistently.
      Signed-off-by: NNorbert Manthey <nmanthey@amazon.de>
      Link: https://lore.kernel.org/r/1562331960-26198-1-git-send-email-nmanthey@amazon.de
      Fixes: 83f70f07 ("pstore: Do not duplicate record metadata")
      Fixes: 1dfff7dd ("pstore: Pass record contents instead of copying")
      Cc: stable@vger.kernel.org
      [kees: also move "private" allocation location, rename inode cleanup label]
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5e9a2ce6
    • N
      resource: fix locking in find_next_iomem_res() · 192b9af8
      Nadav Amit 提交于
      [ Upstream commit 49f17c26c123b60fd1c74629eef077740d16ffc2 ]
      
      Since resources can be removed, locking should ensure that the resource
      is not removed while accessing it.  However, find_next_iomem_res() does
      not hold the lock while copying the data of the resource.
      
      Keep holding the lock while the data is copied.  While at it, change the
      return value to a more informative value.  It is disregarded by the
      callers.
      
      [akpm@linux-foundation.org: fix find_next_iomem_res() documentation]
      Link: http://lkml.kernel.org/r/20190613045903.4922-2-namit@vmware.com
      Fixes: ff3cc952 ("resource: Add remove_resource interface")
      Signed-off-by: NNadav Amit <namit@vmware.com>
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: NDan Williams <dan.j.williams@intel.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Toshi Kani <toshi.kani@hpe.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      192b9af8
    • B
      resource: Fix find_next_iomem_res() iteration issue · 485bcc29
      Bjorn Helgaas 提交于
      [ Upstream commit 010a93bf97c72f43aac664d0a685942f83d1a103 ]
      
      Previously find_next_iomem_res() used "*res" as both an input parameter for
      the range to search and the type of resource to search for, and an output
      parameter for the resource we found, which makes the interface confusing.
      
      The current callers use find_next_iomem_res() incorrectly because they
      allocate a single struct resource and use it for repeated calls to
      find_next_iomem_res().  When find_next_iomem_res() returns a resource, it
      overwrites the start, end, flags, and desc members of the struct.  If we
      call find_next_iomem_res() again, we must update or restore these fields.
      The previous code restored res.start and res.end, but not res.flags or
      res.desc.
      
      Since the callers did not restore res.flags, if they searched for flags
      IORESOURCE_MEM | IORESOURCE_BUSY and found a resource with flags
      IORESOURCE_MEM | IORESOURCE_BUSY | IORESOURCE_SYSRAM, the next search would
      incorrectly skip resources unless they were also marked as
      IORESOURCE_SYSRAM.
      
      Fix this by restructuring the interface so it takes explicit "start, end,
      flags" parameters and uses "*res" only as an output parameter.
      
      Based on a patch by Lianbo Jiang <lijiang@redhat.com>.
      
       [ bp: While at it:
         - make comments kernel-doc style.
         -
      
      Originally-by: http://lore.kernel.org/lkml/20180921073211.20097-2-lijiang@redhat.comSigned-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      CC: Andrew Morton <akpm@linux-foundation.org>
      CC: Brijesh Singh <brijesh.singh@amd.com>
      CC: Dan Williams <dan.j.williams@intel.com>
      CC: H. Peter Anvin <hpa@zytor.com>
      CC: Lianbo Jiang <lijiang@redhat.com>
      CC: Takashi Iwai <tiwai@suse.de>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Tom Lendacky <thomas.lendacky@amd.com>
      CC: Vivek Goyal <vgoyal@redhat.com>
      CC: Yaowei Bai <baiyaowei@cmss.chinamobile.com>
      CC: bhe@redhat.com
      CC: dan.j.williams@intel.com
      CC: dyoung@redhat.com
      CC: kexec@lists.infradead.org
      CC: mingo@redhat.com
      CC: x86-ml <x86@kernel.org>
      Link: http://lkml.kernel.org/r/153805812916.1157.177580438135143788.stgit@bhelgaas-glaptop.roam.corp.google.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      485bcc29
    • B
      resource: Include resource end in walk_*() interfaces · 9a80dfcc
      Bjorn Helgaas 提交于
      [ Upstream commit a98959fdbda1849a01b2150bb635ed559ec06700 ]
      
      find_next_iomem_res() finds an iomem resource that covers part of a range
      described by "start, end".  All callers expect that range to be inclusive,
      i.e., both start and end are included, but find_next_iomem_res() doesn't
      handle the end address correctly.
      
      If it finds an iomem resource that contains exactly the end address, it
      skips it, e.g., if "start, end" is [0x0-0x10000] and there happens to be an
      iomem resource [mem 0x10000-0x10000] (the single byte at 0x10000), we skip
      it:
      
        find_next_iomem_res(...)
        {
          start = 0x0;
          end = 0x10000;
          for (p = next_resource(...)) {
            # p->start = 0x10000;
            # p->end = 0x10000;
            # we *should* return this resource, but this condition is false:
            if ((p->end >= start) && (p->start < end))
              break;
      
      Adjust find_next_iomem_res() so it allows a resource that includes the
      single byte at the end of the range.  This is a corner case that we
      probably don't see in practice.
      
      Fixes: 58c1b5b0 ("[PATCH] memory hotadd fixes: find_next_system_ram catch range fix")
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      CC: Andrew Morton <akpm@linux-foundation.org>
      CC: Brijesh Singh <brijesh.singh@amd.com>
      CC: Dan Williams <dan.j.williams@intel.com>
      CC: H. Peter Anvin <hpa@zytor.com>
      CC: Lianbo Jiang <lijiang@redhat.com>
      CC: Takashi Iwai <tiwai@suse.de>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Tom Lendacky <thomas.lendacky@amd.com>
      CC: Vivek Goyal <vgoyal@redhat.com>
      CC: Yaowei Bai <baiyaowei@cmss.chinamobile.com>
      CC: bhe@redhat.com
      CC: dan.j.williams@intel.com
      CC: dyoung@redhat.com
      CC: kexec@lists.infradead.org
      CC: mingo@redhat.com
      CC: x86-ml <x86@kernel.org>
      Link: http://lkml.kernel.org/r/153805812254.1157.16736368485811773752.stgit@bhelgaas-glaptop.roam.corp.google.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      9a80dfcc
    • J
      btrfs: correctly validate compression type · 1c13c9c4
      Johannes Thumshirn 提交于
      [ Upstream commit aa53e3bfac7205fb3a8815ac1c937fd6ed01b41e ]
      
      Nikolay reported the following KASAN splat when running btrfs/048:
      
      [ 1843.470920] ==================================================================
      [ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
      [ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979
      
      [ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
      [ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [ 1843.476322] Call Trace:
      [ 1843.476674]  dump_stack+0x7c/0xbb
      [ 1843.477132]  ? strncmp+0x66/0xb0
      [ 1843.477587]  print_address_description+0x114/0x320
      [ 1843.478256]  ? strncmp+0x66/0xb0
      [ 1843.478740]  ? strncmp+0x66/0xb0
      [ 1843.479185]  __kasan_report+0x14e/0x192
      [ 1843.479759]  ? strncmp+0x66/0xb0
      [ 1843.480209]  kasan_report+0xe/0x20
      [ 1843.480679]  strncmp+0x66/0xb0
      [ 1843.481105]  prop_compression_validate+0x24/0x70
      [ 1843.481798]  btrfs_xattr_handler_set_prop+0x65/0x160
      [ 1843.482509]  __vfs_setxattr+0x71/0x90
      [ 1843.483012]  __vfs_setxattr_noperm+0x84/0x130
      [ 1843.483606]  vfs_setxattr+0xac/0xb0
      [ 1843.484085]  setxattr+0x18c/0x230
      [ 1843.484546]  ? vfs_setxattr+0xb0/0xb0
      [ 1843.485048]  ? __mod_node_page_state+0x1f/0xa0
      [ 1843.485672]  ? _raw_spin_unlock+0x24/0x40
      [ 1843.486233]  ? __handle_mm_fault+0x988/0x1290
      [ 1843.486823]  ? lock_acquire+0xb4/0x1e0
      [ 1843.487330]  ? lock_acquire+0xb4/0x1e0
      [ 1843.487842]  ? mnt_want_write_file+0x3c/0x80
      [ 1843.488442]  ? debug_lockdep_rcu_enabled+0x22/0x40
      [ 1843.489089]  ? rcu_sync_lockdep_assert+0xe/0x70
      [ 1843.489707]  ? __sb_start_write+0x158/0x200
      [ 1843.490278]  ? mnt_want_write_file+0x3c/0x80
      [ 1843.490855]  ? __mnt_want_write+0x98/0xe0
      [ 1843.491397]  __x64_sys_fsetxattr+0xba/0xe0
      [ 1843.492201]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      [ 1843.493201]  do_syscall_64+0x6c/0x230
      [ 1843.493988]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [ 1843.495041] RIP: 0033:0x7fa7a8a7707a
      [ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
      [ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
      [ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
      [ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
      [ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
      [ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
      [ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff
      
      [ 1843.505268] Allocated by task 3979:
      [ 1843.505771]  save_stack+0x19/0x80
      [ 1843.506211]  __kasan_kmalloc.constprop.5+0xa0/0xd0
      [ 1843.506836]  setxattr+0xeb/0x230
      [ 1843.507264]  __x64_sys_fsetxattr+0xba/0xe0
      [ 1843.507886]  do_syscall_64+0x6c/0x230
      [ 1843.508429]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      [ 1843.509558] Freed by task 0:
      [ 1843.510188] (stack is not available)
      
      [ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
                      which belongs to the cache kmalloc-8 of size 8
      [ 1843.514095] The buggy address is located 2 bytes inside of
                      8-byte region [ffff888111e369e0, ffff888111e369e8)
      [ 1843.516524] The buggy address belongs to the page:
      [ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
      [ 1843.519993] flags: 0x4404000010200(slab|head)
      [ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
      [ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
      [ 1843.524281] page dumped because: kasan: bad access detected
      
      [ 1843.525936] Memory state around the buggy address:
      [ 1843.526975]  ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 1843.528479]  ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
      [ 1843.531877]                                                        ^
      [ 1843.533287]  ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 1843.534874]  ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 1843.536468] ==================================================================
      
      This is caused by supplying a too short compression value ('lz') in the
      test-case and comparing it to 'lzo' with strncmp() and a length of 3.
      strncmp() read past the 'lz' when looking for the 'o' and thus caused an
      out-of-bounds read.
      
      Introduce a new check 'btrfs_compress_is_valid_type()' which not only
      checks the user-supplied value against known compression types, but also
      employs checks for too short values.
      Reported-by: NNikolay Borisov <nborisov@suse.com>
      Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
      CC: stable@vger.kernel.org # 5.1+
      Reviewed-by: NNikolay Borisov <nborisov@suse.com>
      Signed-off-by: NJohannes Thumshirn <jthumshirn@suse.de>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1c13c9c4
    • B
      RDMA/srp: Accept again source addresses that do not have a port number · 0ca2688b
      Bart Van Assche 提交于
      [ Upstream commit bcef5b7215681250c4bf8961dfe15e9e4fef97d0 ]
      
      The function srp_parse_in() is used both for parsing source address
      specifications and for target address specifications. Target addresses
      must have a port number. Having to specify a port number for source
      addresses is inconvenient. Make sure that srp_parse_in() supports again
      parsing addresses with no port number.
      
      Cc: <stable@vger.kernel.org>
      Fixes: c62adb7d ("IB/srp: Fix IPv6 address parsing")
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0ca2688b
    • B
      RDMA/srp: Document srp_parse_in() arguments · 95416047
      Bart Van Assche 提交于
      [ Upstream commit e37df2d5b569390e3b80ebed9a73fd5b9dcda010 ]
      
      This patch avoids that a warning is reported when building with W=1.
      
      Cc: Sergey Gorenko <sergeygo@mellanox.com>
      Cc: Max Gurtovoy <maxg@mellanox.com>
      Cc: Laurence Oberman <loberman@redhat.com>
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      95416047
    • L
      ARM: dts: gemini: Set DIR-685 SPI CS as active low · bab0ff2d
      Linus Walleij 提交于
      [ Upstream commit f90b8fda3a9d72a9422ea80ae95843697f94ea4a ]
      
      The SPI to the display on the DIR-685 is active low, we were
      just saved by the SPI library enforcing active low on everything
      before, so set it as active low to avoid ambiguity.
      
      Link: https://lore.kernel.org/r/20190715202101.16060-1-linus.walleij@linaro.org
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NOlof Johansson <olof@lixom.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bab0ff2d
    • M
      KVM: PPC: Book3S HV: Fix CR0 setting in TM emulation · 3a1b79ad
      Michael Neuling 提交于
      [ Upstream commit 3fefd1cd95df04da67c83c1cb93b663f04b3324f ]
      
      When emulating tsr, treclaim and trechkpt, we incorrectly set CR0. The
      code currently sets:
          CR0 <- 00 || MSR[TS]
      but according to the ISA it should be:
          CR0 <-  0 || MSR[TS] || 0
      
      This fixes the bit shift to put the bits in the correct location.
      
      This is a data integrity issue as CR0 is corrupted.
      
      Fixes: 4bb3c7a0 ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9")
      Cc: stable@vger.kernel.org # v4.17+
      Tested-by: NSuraj Jitindar Singh <sjitindarsingh@gmail.com>
      Signed-off-by: NMichael Neuling <mikey@neuling.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3a1b79ad
    • P
      KVM: PPC: Use ccr field in pt_regs struct embedded in vcpu struct · 3ac71806
      Paul Mackerras 提交于
      [ Upstream commit fd0944baad806dfb4c777124ec712c55b714ff51 ]
      
      When the 'regs' field was added to struct kvm_vcpu_arch, the code
      was changed to use several of the fields inside regs (e.g., gpr, lr,
      etc.) but not the ccr field, because the ccr field in struct pt_regs
      is 64 bits on 64-bit platforms, but the cr field in kvm_vcpu_arch is
      only 32 bits.  This changes the code to use the regs.ccr field
      instead of cr, and changes the assembly code on 64-bit platforms to
      use 64-bit loads and stores instead of 32-bit ones.
      Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: NPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3ac71806
    • W
      KVM: VMX: check CPUID before allowing read/write of IA32_XSS · beeeead9
      Wanpeng Li 提交于
      [ Upstream commit 4d763b168e9c5c366b05812c7bba7662e5ea3669 ]
      
      Raise #GP when guest read/write IA32_XSS, but the CPUID bits
      say that it shouldn't exist.
      
      Fixes: 20300099 (kvm: vmx: add MSR logic for XSAVES)
      Reported-by: NXiaoyao Li <xiaoyao.li@linux.intel.com>
      Reported-by: NTao Xu <tao3.xu@intel.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NWanpeng Li <wanpengli@tencent.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      beeeead9
    • S
      KVM: VMX: Fix handling of #MC that occurs during VM-Entry · 891011ca
      Sean Christopherson 提交于
      [ Upstream commit beb8d93b3e423043e079ef3dda19dad7b28467a8 ]
      
      A previous fix to prevent KVM from consuming stale VMCS state after a
      failed VM-Entry inadvertantly blocked KVM's handling of machine checks
      that occur during VM-Entry.
      
      Per Intel's SDM, a #MC during VM-Entry is handled in one of three ways,
      depending on when the #MC is recognoized.  As it pertains to this bug
      fix, the third case explicitly states EXIT_REASON_MCE_DURING_VMENTRY
      is handled like any other VM-Exit during VM-Entry, i.e. sets bit 31 to
      indicate the VM-Entry failed.
      
      If a machine-check event occurs during a VM entry, one of the following occurs:
       - The machine-check event is handled as if it occurred before the VM entry:
              ...
       - The machine-check event is handled after VM entry completes:
              ...
       - A VM-entry failure occurs as described in Section 26.7. The basic
         exit reason is 41, for "VM-entry failure due to machine-check event".
      
      Explicitly handle EXIT_REASON_MCE_DURING_VMENTRY as a one-off case in
      vmx_vcpu_run() instead of binning it into vmx_complete_atomic_exit().
      Doing so allows vmx_vcpu_run() to handle VMX_EXIT_REASONS_FAILED_VMENTRY
      in a sane fashion and also simplifies vmx_complete_atomic_exit() since
      VMCS.VM_EXIT_INTR_INFO is guaranteed to be fresh.
      
      Fixes: b060ca3b ("kvm: vmx: Handle VMLAUNCH/VMRESUME failure properly")
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Reviewed-by: NJim Mattson <jmattson@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      891011ca
    • S
      KVM: VMX: Always signal #GP on WRMSR to MSR_IA32_CR_PAT with bad value · 74ce1333
      Sean Christopherson 提交于
      [ Upstream commit d28f4290b53a157191ed9991ad05dffe9e8c0c89 ]
      
      The behavior of WRMSR is in no way dependent on whether or not KVM
      consumes the value.
      
      Fixes: 4566654b ("KVM: vmx: Inject #GP on invalid PAT CR")
      Cc: stable@vger.kernel.org
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      74ce1333
    • P
      KVM: x86: optimize check for valid PAT value · 74fd8aae
      Paolo Bonzini 提交于
      [ Upstream commit 674ea351cdeb01d2740edce31db7f2d79ce6095d ]
      
      This check will soon be done on every nested vmentry and vmexit,
      "parallelize" it using bitwise operations.
      Reviewed-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      74fd8aae
    • Y
      ceph: use ceph_evict_inode to cleanup inode's resource · 81281039
      Yan, Zheng 提交于
      [ Upstream commit 87bc5b895d94a0f40fe170d4cf5771c8e8f85d15 ]
      
      remove_session_caps() relies on __wait_on_freeing_inode(), to wait for
      freeing inode to remove its caps. But VFS wakes freeing inode waiters
      before calling destroy_inode().
      
      Cc: stable@vger.kernel.org
      Link: https://tracker.ceph.com/issues/40102Signed-off-by: N"Yan, Zheng" <zyan@redhat.com>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      81281039
    • T
      ALSA: hda - Don't resume forcibly i915 HDMI/DP codec · 42fa0e35
      Takashi Iwai 提交于
      [ Upstream commit 4914da2fb0c89205790503f20dfdde854f3afdd8 ]
      
      We apply the codec resume forcibly at system resume callback for
      updating and syncing the jack detection state that may have changed
      during sleeping.  This is, however, superfluous for the codec like
      Intel HDMI/DP, where the jack detection is managed via the audio
      component notification; i.e. the jack state change shall be reported
      sooner or later from the graphics side at mode change.
      
      This patch changes the codec resume callback to avoid the forcible
      resume conditionally with a new flag, codec->relaxed_resume, for
      reducing the resume time.  The flag is set in the codec probe.
      
      Although this doesn't fix the entire bug mentioned in the bugzilla
      entry below, it's still a good optimization and some improvements are
      seen.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201901
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      42fa0e35
    • P
      cifs: Properly handle auto disabling of serverino option · 987564c2
      Paulo Alcantara (SUSE) 提交于
      [ Upstream commit 29fbeb7a908a60a5ae8c50fbe171cb8fdcef1980 ]
      
      Fix mount options comparison when serverino option is turned off later
      in cifs_autodisable_serverino() and thus avoiding mismatch of new cifs
      mounts.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaulo Alcantara (SUSE) <paulo@paulo.ac>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NPavel Shilovsky <pshilove@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      987564c2
    • B
      scsi: zfcp: fix request object use-after-free in send path causing wrong traces · d85e830d
      Benjamin Block 提交于
      [ Upstream commit 106d45f350c7cac876844dc685845cba4ffdb70b ]
      
      When tracing instances where we open and close WKA ports, we also pass the
      request-ID of the respective FSF command.
      
      But after successfully sending the FSF command we must not use the
      request-object anymore, as this might result in an use-after-free (see
      "zfcp: fix request object use-after-free in send path causing seqno
      errors" ).
      
      To fix this add a new variable that caches the request-ID before sending
      the request. This won't change during the hand-off to the FCP channel,
      and so it's safe to trace this cached request-ID later, instead of using
      the request object.
      Signed-off-by: NBenjamin Block <bblock@linux.ibm.com>
      Fixes: d27a7cb9 ("zfcp: trace on request for open and close of WKA port")
      Cc: <stable@vger.kernel.org> #2.6.38+
      Reviewed-by: NSteffen Maier <maier@linux.ibm.com>
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d85e830d
    • A
      staging: wilc1000: fix error path cleanup in wilc_wlan_initialize() · ba8701d2
      Ajay Singh 提交于
      [ Upstream commit 6419f818ababebc1116fb2d0e220bd4fe835d0e3 ]
      
      For the error path in wilc_wlan_initialize(), the resources are not
      cleanup in the correct order. Reverted the previous changes and use the
      correct order to free during error condition.
      
      Fixes: b46d6882 ("staging: wilc1000: remove COMPLEMENT_BOOT")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAjay Singh <ajay.kathat@microchip.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ba8701d2
    • R
      scsi: target/iblock: Fix overrun in WRITE SAME emulation · 60b856dc
      Roman Bolshakov 提交于
      [ Upstream commit 5676234f20fef02f6ca9bd66c63a8860fce62645 ]
      
      WRITE SAME corrupts data on the block device behind iblock if the command
      is emulated. The emulation code issues (M - 1) * N times more bios than
      requested, where M is the number of 512 blocks per real block size and N is
      the NUMBER OF LOGICAL BLOCKS specified in WRITE SAME command. So, for a
      device with 4k blocks, 7 * N more LBAs gets written after the requested
      range.
      
      The issue happens because the number of 512 byte sectors to be written is
      decreased one by one while the real bios are typically from 1 to 8 512 byte
      sectors per bio.
      
      Fixes: c66ac9db ("[SCSI] target: Add LIO target core v4.0.0-rc6")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NRoman Bolshakov <r.bolshakov@yadro.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      60b856dc
    • B
      scsi: target/core: Use the SECTOR_SHIFT constant · ba52842d
      Bart Van Assche 提交于
      [ Upstream commit 80b045b385cfef10939c913fbfeb19ce5491c1f2 ]
      
      Instead of duplicating the SECTOR_SHIFT definition from <linux/blkdev.h>,
      use it. This patch does not change any functionality.
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ba52842d
    • M
      apparmor: reset pos on failure to unpack for various functions · 17111037
      Mike Salvatore 提交于
      [ Upstream commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 ]
      
      Each function that manipulates the aa_ext struct should reset it's "pos"
      member on failure. This ensures that, on failure, no changes are made to
      the state of the aa_ext struct.
      
      There are paths were elements are optional and the error path is
      used to indicate the optional element is not present. This means
      instead of just aborting on error the unpack stream can become
      unsynchronized on optional elements, if using one of the affected
      functions.
      
      Cc: stable@vger.kernel.org
      Fixes: 736ec752 ("AppArmor: policy routines for loading and unpacking policy")
      Signed-off-by: NMike Salvatore <mike.salvatore@canonical.com>
      Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      17111037
    • M
      IB/hfi1: Avoid hardlockup with flushlist_lock · 90ca4912
      Mike Marciniszyn 提交于
      [ Upstream commit cf131a81967583ae737df6383a0893b9fee75b4e ]
      
      Heavy contention of the sde flushlist_lock can cause hard lockups at
      extreme scale when the flushing logic is under stress.
      
      Mitigate by replacing the item at a time copy to the local list with
      an O(1) list_splice_init() and using the high priority work queue to
      do the flushes.
      
      Fixes: 77241056 ("IB/hfi1: add driver files")
      Cc: <stable@vger.kernel.org>
      Reviewed-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: NMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      90ca4912
    • J
      clk: tegra210: Fix default rates for HDA clocks · fa717fc4
      Jon Hunter 提交于
      [ Upstream commit 9caec6620f25b6d15646bbdb93062c872ba3b56f ]
      
      Currently the default clock rates for the HDA and HDA2CODEC_2X clocks
      are both 19.2MHz. However, the default rates for these clocks should
      actually be 51MHz and 48MHz, respectively. The current clock settings
      results in a distorted output during audio playback. Correct the default
      clock rates for these clocks by specifying them in the clock init table
      for Tegra210.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJon Hunter <jonathanh@nvidia.com>
      Acked-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NStephen Boyd <sboyd@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fa717fc4
    • J
      clk: tegra: Fix maximum audio sync clock for Tegra124/210 · 350503c8
      Jon Hunter 提交于
      [ Upstream commit 845d782d91448e0fbca686bca2cc9f9c2a9ba3e7 ]
      
      The maximum frequency supported for I2S on Tegra124 and Tegra210 is
      24.576MHz (as stated in the Tegra TK1 data sheet for Tegra124 and the
      Jetson TX1 module data sheet for Tegra210). However, the maximum I2S
      frequency is limited to 24MHz because that is the maximum frequency of
      the audio sync clock. Increase the maximum audio sync clock frequency
      to 24.576MHz for Tegra124 and Tegra210 in order to support 24.576MHz
      for I2S.
      
      Update the tegra_clk_register_sync_source() function so that it does
      not set the initial rate for the sync clocks and use the clock init
      tables to set the initial rate instead.
      Signed-off-by: NJon Hunter <jonathanh@nvidia.com>
      Acked-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NStephen Boyd <sboyd@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      350503c8
    • R
      cifs: add spinlock for the openFileList to cifsInodeInfo · acc07941
      Ronnie Sahlberg 提交于
      [ Upstream commit 487317c99477d00f22370625d53be3239febabbe ]
      
      We can not depend on the tcon->open_file_lock here since in multiuser mode
      we may have the same file/inode open via multiple different tcons.
      
      The current code is race prone and will crash if one user deletes a file
      at the same time a different user opens/create the file.
      
      To avoid this we need to have a spinlock attached to the inode and not the tcon.
      
      RHBZ:  1580165
      
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      acc07941
    • F
      Btrfs: fix race between block group removal and block group allocation · 1d064876
      Filipe Manana 提交于
      [ Upstream commit 8eaf40c0e24e98899a0f3ac9d25a33aafe13822a ]
      
      If a task is removing the block group that currently has the highest start
      offset amongst all existing block groups, there is a short time window
      where it races with a concurrent block group allocation, resulting in a
      transaction abort with an error code of EEXIST.
      
      The following diagram explains the race in detail:
      
            Task A                                                        Task B
      
       btrfs_remove_block_group(bg offset X)
      
         remove_extent_mapping(em offset X)
           -> removes extent map X from the
              tree of extent maps
              (fs_info->mapping_tree), so the
              next call to find_next_chunk()
              will return offset X
      
                                                         btrfs_alloc_chunk()
                                                           find_next_chunk()
                                                             --> returns offset X
      
                                                           __btrfs_alloc_chunk(offset X)
                                                             btrfs_make_block_group()
                                                               btrfs_create_block_group_cache()
                                                                 --> creates btrfs_block_group_cache
                                                                     object with a key corresponding
                                                                     to the block group item in the
                                                                     extent, the key is:
                                                                     (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G)
      
                                                               --> adds the btrfs_block_group_cache object
                                                                   to the list new_bgs of the transaction
                                                                   handle
      
                                                         btrfs_end_transaction(trans handle)
                                                           __btrfs_end_transaction()
                                                             btrfs_create_pending_block_groups()
                                                               --> sees the new btrfs_block_group_cache
                                                                   in the new_bgs list of the transaction
                                                                   handle
                                                               --> its call to btrfs_insert_item() fails
                                                                   with -EEXIST when attempting to insert
                                                                   the block group item key
                                                                   (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G)
                                                                   because task A has not removed that key yet
                                                               --> aborts the running transaction with
                                                                   error -EEXIST
      
         btrfs_del_item()
           -> removes the block group's key from
              the extent tree, key is
              (offset X, BTRFS_BLOCK_GROUP_ITEM_KEY, 1G)
      
      A sample transaction abort trace:
      
        [78912.403537] ------------[ cut here ]------------
        [78912.403811] BTRFS: Transaction aborted (error -17)
        [78912.404082] WARNING: CPU: 2 PID: 20465 at fs/btrfs/extent-tree.c:10551 btrfs_create_pending_block_groups+0x196/0x250 [btrfs]
        (...)
        [78912.405642] CPU: 2 PID: 20465 Comm: btrfs Tainted: G        W         5.0.0-btrfs-next-46 #1
        [78912.405941] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
        [78912.406586] RIP: 0010:btrfs_create_pending_block_groups+0x196/0x250 [btrfs]
        (...)
        [78912.407636] RSP: 0018:ffff9d3d4b7e3b08 EFLAGS: 00010282
        [78912.407997] RAX: 0000000000000000 RBX: ffff90959a3796f0 RCX: 0000000000000006
        [78912.408369] RDX: 0000000000000007 RSI: 0000000000000001 RDI: ffff909636b16860
        [78912.408746] RBP: ffff909626758a58 R08: 0000000000000000 R09: 0000000000000000
        [78912.409144] R10: ffff9095ff462400 R11: 0000000000000000 R12: ffff90959a379588
        [78912.409521] R13: ffff909626758ab0 R14: ffff9095036c0000 R15: ffff9095299e1158
        [78912.409899] FS:  00007f387f16f700(0000) GS:ffff909636b00000(0000) knlGS:0000000000000000
        [78912.410285] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [78912.410673] CR2: 00007f429fc87cbc CR3: 000000014440a004 CR4: 00000000003606e0
        [78912.411095] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        [78912.411496] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        [78912.411898] Call Trace:
        [78912.412318]  __btrfs_end_transaction+0x5b/0x1c0 [btrfs]
        [78912.412746]  btrfs_inc_block_group_ro+0xcf/0x160 [btrfs]
        [78912.413179]  scrub_enumerate_chunks+0x188/0x5b0 [btrfs]
        [78912.413622]  ? __mutex_unlock_slowpath+0x100/0x2a0
        [78912.414078]  btrfs_scrub_dev+0x2ef/0x720 [btrfs]
        [78912.414535]  ? __sb_start_write+0xd4/0x1c0
        [78912.414963]  ? mnt_want_write_file+0x24/0x50
        [78912.415403]  btrfs_ioctl+0x17fb/0x3120 [btrfs]
        [78912.415832]  ? lock_acquire+0xa6/0x190
        [78912.416256]  ? do_vfs_ioctl+0xa2/0x6f0
        [78912.416685]  ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]
        [78912.417116]  do_vfs_ioctl+0xa2/0x6f0
        [78912.417534]  ? __fget+0x113/0x200
        [78912.417954]  ksys_ioctl+0x70/0x80
        [78912.418369]  __x64_sys_ioctl+0x16/0x20
        [78912.418812]  do_syscall_64+0x60/0x1b0
        [78912.419231]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [78912.419644] RIP: 0033:0x7f3880252dd7
        (...)
        [78912.420957] RSP: 002b:00007f387f16ed68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
        [78912.421426] RAX: ffffffffffffffda RBX: 000055f5becc1df0 RCX: 00007f3880252dd7
        [78912.421889] RDX: 000055f5becc1df0 RSI: 00000000c400941b RDI: 0000000000000003
        [78912.422354] RBP: 0000000000000000 R08: 00007f387f16f700 R09: 0000000000000000
        [78912.422790] R10: 00007f387f16f700 R11: 0000000000000246 R12: 0000000000000000
        [78912.423202] R13: 00007ffda49c266f R14: 0000000000000000 R15: 00007f388145e040
        [78912.425505] ---[ end trace eb9bfe7c426fc4d3 ]---
      
      Fix this by calling remove_extent_mapping(), at btrfs_remove_block_group(),
      only at the very end, after removing the block group item key from the
      extent tree (and removing the free space tree entry if we are using the
      free space tree feature).
      
      Fixes: 04216820 ("Btrfs: fix race between fs trimming and block group remove/allocation")
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1d064876
    • S
      drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc · f276beb3
      Shirish S 提交于
      [ Upstream commit 517b91f4cde3043d77b2178548473e8545ef07cb ]
      
      [What]
      readptr read always returns zero, since most likely
      these blocks are either power or clock gated.
      
      [How]
      fetch rptr after amdgpu_ring_alloc() which informs
      the power management code that the block is about to be
      used and hence the gating is turned off.
      Signed-off-by: NLouis Li <Ching-shih.Li@amd.com>
      Signed-off-by: NShirish S <shirish.s@amd.com>
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f276beb3
    • L
      drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) · 7abeffff
      Louis Li 提交于
      [ Upstream commit ce0e22f5d886d1b56c7ab4347c45b9ac5fcc058d ]
      
      [What]
      vce ring test fails consistently during resume in s3 cycle, due to
      mismatch read & write pointers.
      On debug/analysis its found that rptr to be compared is not being
      correctly updated/read, which leads to this failure.
      Below is the failure signature:
      	[drm:amdgpu_vce_ring_test_ring] *ERROR* amdgpu: ring 12 test failed
      	[drm:amdgpu_device_ip_resume_phase2] *ERROR* resume of IP block <vce_v3_0> failed -110
      	[drm:amdgpu_device_resume] *ERROR* amdgpu_device_ip_resume failed (-110).
      
      [How]
      fetch rptr appropriately, meaning move its read location further down
      in the code flow.
      With this patch applied the s3 failure is no more seen for >5k s3 cycles,
      which otherwise is pretty consistent.
      
      V2: remove reduntant fetch of rptr
      Signed-off-by: NLouis Li <Ching-shih.Li@amd.com>
      Reviewed-by: NChristian König <christian.koenig@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7abeffff
    • P
      kvm: Check irqchip mode before assign irqfd · d5f65393
      Peter Xu 提交于
      [ Upstream commit 654f1f13ea56b92bacade8ce2725aea0457f91c0 ]
      
      When assigning kvm irqfd we didn't check the irqchip mode but we allow
      KVM_IRQFD to succeed with all the irqchip modes.  However it does not
      make much sense to create irqfd even without the kernel chips.  Let's
      provide a arch-dependent helper to check whether a specific irqfd is
      allowed by the arch.  At least for x86, it should make sense to check:
      
      - when irqchip mode is NONE, all irqfds should be disallowed, and,
      
      - when irqchip mode is SPLIT, irqfds that are with resamplefd should
        be disallowed.
      
      For either of the case, previously we'll silently ignore the irq or
      the irq ack event if the irqchip mode is incorrect.  However that can
      cause misterious guest behaviors and it can be hard to triage.  Let's
      fail KVM_IRQFD even earlier to detect these incorrect configurations.
      
      CC: Paolo Bonzini <pbonzini@redhat.com>
      CC: Radim Krčmář <rkrcmar@redhat.com>
      CC: Alex Williamson <alex.williamson@redhat.com>
      CC: Eduardo Habkost <ehabkost@redhat.com>
      Signed-off-by: NPeter Xu <peterx@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d5f65393
    • K
      drm/amdkfd: Add missing Polaris10 ID · 90772cf5
      Kent Russell 提交于
      [ Upstream commit 0a5a9c276c335870a1cecc4f02b76d6d6f663c8b ]
      
      This was added to amdgpu but was missed in amdkfd
      Signed-off-by: NKent Russell <kent.russell@amd.com>
      Reviewed-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.rg
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      90772cf5
    • E
      ARC: mm: SIGSEGV userspace trying to access kernel virtual memory · cacbc853
      Eugeniy Paltsev 提交于
      [ Upstream commit a8c715b4dd73c26a81a9cc8dc792aa715d8b4bb2 ]
      
      As of today if userspace process tries to access a kernel virtual addres
      (0x7000_0000 to 0x7ffff_ffff) such that a legit kernel mapping already
      exists, that process hangs instead of being killed with SIGSEGV
      
      Fix that by ensuring that do_page_fault() handles kenrel vaddr only if
      in kernel mode.
      
      And given this, we can also simplify the code a bit. Now a vmalloc fault
      implies kernel mode so its failure (for some reason) can reuse the
      @no_context label and we can remove @bad_area_nosemaphore.
      
      Reproduce user test for original problem:
      
      ------------------------>8-----------------
       #include <stdlib.h>
       #include <stdint.h>
      
       int main(int argc, char *argv[])
       {
       	volatile uint32_t temp;
      
       	temp = *(uint32_t *)(0x70000000);
       }
      ------------------------>8-----------------
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cacbc853
    • E
      ARC: mm: fix uninitialised signal code in do_page_fault · 7edfa9c9
      Eugeniy Paltsev 提交于
      [ Upstream commit 121e38e5acdc8e1e4cdb750fcdcc72f94e420968 ]
      
      Commit 15773ae938d8 ("signal/arc: Use force_sig_fault where
      appropriate") introduced undefined behaviour by leaving si_code
      unitiailized and leaking random kernel values to user space.
      
      Fixes: 15773ae938d8 ("signal/arc: Use force_sig_fault where appropriate")
      Signed-off-by: NEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7edfa9c9
    • E
      signal/arc: Use force_sig_fault where appropriate · 0828438e
      Eric W. Biederman 提交于
      [ Upstream commit 15773ae938d8d93d982461990bebad6e1d7a1830 ]
      Acked-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0828438e
    • M
      dm crypt: move detailed message into debug level · fcb2f1e2
      Milan Broz 提交于
      [ Upstream commit 7a1cd7238fde6ab367384a4a2998cba48330c398 ]
      
      The information about tag size should not be printed without debug info
      set. Also print device major:minor in the error message to identify the
      device instance.
      
      Also use rate limiting and debug level for info about used crypto API
      implementaton.  This is important because during online reencryption
      the existing message saturates syslog (because we are moving hotzone
      across the whole device).
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NMilan Broz <gmazyland@gmail.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fcb2f1e2
    • L
      cifs: smbd: take an array of reqeusts when sending upper layer data · 96b44c20
      Long Li 提交于
      [ Upstream commit 4739f2328661d070f93f9bcc8afb2a82706c826d ]
      
      To support compounding, __smb_send_rqst() now sends an array of requests to
      the transport layer.
      Change smbd_send() to take an array of requests, and send them in as few
      packets as possible.
      Signed-off-by: NLong Li <longli@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      96b44c20