1. 14 7月, 2019 15 次提交
  2. 10 7月, 2019 25 次提交
    • G
      Linux 4.19.58 · 7a6bfa08
      Greg Kroah-Hartman 提交于
      7a6bfa08
    • R
      dmaengine: imx-sdma: remove BD_INTR for channel0 · f37de75c
      Robin Gong 提交于
      commit 3f93a4f297961c12bb17aa16cb3a4d1291823cae upstream.
      
      It is possible for an irq triggered by channel0 to be received later
      after clks are disabled once firmware loaded during sdma probe. If
      that happens then clearing them by writing to SDMA_H_INTR won't work
      and the kernel will hang processing infinite interrupts. Actually,
      don't need interrupt triggered on channel0 since it's pollling
      SDMA_H_STATSTOP to know channel0 done rather than interrupt in
      current code, just clear BD_INTR to disable channel0 interrupt to
      avoid the above case.
      This issue was brought by commit 1d069bfa ("dmaengine: imx-sdma:
      ack channel 0 IRQ in the interrupt handler") which didn't take care
      the above case.
      
      Fixes: 1d069bfa ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
      Cc: stable@vger.kernel.org #5.0+
      Signed-off-by: NRobin Gong <yibin.gong@nxp.com>
      Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Tested-by: NSven Van Asbroeck <thesven73@gmail.com>
      Reviewed-by: NMichael Olbrich <m.olbrich@pengutronix.de>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f37de75c
    • S
      dmaengine: qcom: bam_dma: Fix completed descriptors count · 018c968d
      Sricharan R 提交于
      commit f6034225442c4a87906d36e975fd9e99a8f95487 upstream.
      
      One space is left unused in circular FIFO to differentiate
      'full' and 'empty' cases. So take that in to account while
      counting for the descriptors completed.
      
      Fixes the issue reported here,
      	https://lkml.org/lkml/2019/6/18/669
      
      Cc: stable@vger.kernel.org
      Reported-by: NSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: NSricharan R <sricharan@codeaurora.org>
      Tested-by: NSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      018c968d
    • C
      MIPS: have "plain" make calls build dtbs for selected platforms · 870de149
      Cedric Hombourger 提交于
      commit 637dfa0fad6d91a9a709dc70549a6d20fa77f615 upstream.
      
      scripts/package/builddeb calls "make dtbs_install" after executing
      a plain make (i.e. no build targets specified). It will fail if dtbs
      were not built beforehand. Match the arm64 architecture where DTBs get
      built by the "all" target.
      Signed-off-by: NCedric Hombourger <Cedric_Hombourger@mentor.com>
      [paul.burton@mips.com: s/builddep/builddeb]
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.1+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      870de149
    • D
      MIPS: Add missing EHB in mtc0 -> mfc0 sequence. · 8957895b
      Dmitry Korotin 提交于
      commit 0b24cae4d535045f4c9e177aa228d4e97bad212c upstream.
      
      Add a missing EHB (Execution Hazard Barrier) in mtc0 -> mfc0 sequence.
      Without this execution hazard barrier it's possible for the value read
      back from the KScratch register to be the value from before the mtc0.
      
      Reproducible on P5600 & P6600.
      
      The hazard is documented in the MIPS Architecture Reference Manual Vol.
      III: MIPS32/microMIPS32 Privileged Resource Architecture (MD00088), rev
      6.03 table 8.1 which includes:
      
         Producer | Consumer | Hazard
        ----------|----------|----------------------------
         mtc0     | mfc0     | any coprocessor 0 register
      Signed-off-by: NDmitry Korotin <dkorotin@wavecomp.com>
      [paul.burton@mips.com:
        - Commit message tweaks.
        - Add Fixes tags.
        - Mark for stable back to v3.15 where P5600 support was introduced.]
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Fixes: 3d8bfdd0 ("MIPS: Use C0_KScratch (if present) to hold PGD pointer.")
      Fixes: 829dcc0a ("MIPS: Add MIPS P5600 probe support")
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8957895b
    • H
      MIPS: Fix bounds check virt_addr_valid · 2b8f8a80
      Hauke Mehrtens 提交于
      commit d6ed083f5cc621e15c15b56c3b585fd524dbcb0f upstream.
      
      The bounds check used the uninitialized variable vaddr, it should use
      the given parameter kaddr instead. When using the uninitialized value
      the compiler assumed it to be 0 and optimized this function to just
      return 0 in all cases.
      
      This should make the function check the range of the given address and
      only do the page map check in case it is in the expected range of
      virtual addresses.
      
      Fixes: 074a1e1167af ("MIPS: Bounds check virt_addr_valid")
      Cc: stable@vger.kernel.org # v4.12+
      Cc: Paul Burton <paul.burton@mips.com>
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: ralf@linux-mips.org
      Cc: jhogan@kernel.org
      Cc: f4bug@amsat.org
      Cc: linux-mips@vger.kernel.org
      Cc: ysu@wavecomp.com
      Cc: jcristau@debian.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b8f8a80
    • C
      svcrdma: Ignore source port when computing DRC hash · 80b25628
      Chuck Lever 提交于
      commit 1e091c3bbf51d34d5d96337a59ce5ab2ac3ba2cc upstream.
      
      The DRC appears to be effectively empty after an RPC/RDMA transport
      reconnect. The problem is that each connection uses a different
      source port, which defeats the DRC hash.
      
      Clients always have to disconnect before they send retransmissions
      to reset the connection's credit accounting, thus every retransmit
      on NFS/RDMA will miss the DRC.
      
      An NFS/RDMA client's IP source port is meaningless for RDMA
      transports. The transport layer typically sets the source port value
      on the connection to a random ephemeral port. The server already
      ignores it for the "secure port" check. See commit 16e4d93f
      ("NFSD: Ignore client's source port on RDMA transports").
      
      The Linux NFS server's DRC resolves XID collisions from the same
      source IP address by using the checksum of the first 200 bytes of
      the RPC call header.
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80b25628
    • P
      nfsd: Fix overflow causing non-working mounts on 1 TB machines · 8129a10c
      Paul Menzel 提交于
      commit 3b2d4dcf71c4a91b420f835e52ddea8192300a3b upstream.
      
      Since commit 10a68cdf (nfsd: fix performance-limiting session
      calculation) (Linux 5.1-rc1 and 4.19.31), shares from NFS servers with
      1 TB of memory cannot be mounted anymore. The mount just hangs on the
      client.
      
      The gist of commit 10a68cdf is the change below.
      
          -avail = clamp_t(int, avail, slotsize, avail/3);
          +avail = clamp_t(int, avail, slotsize, total_avail/3);
      
      Here are the macros.
      
          #define min_t(type, x, y)       __careful_cmp((type)(x), (type)(y), <)
          #define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
      
      `total_avail` is 8,434,659,328 on the 1 TB machine. `clamp_t()` casts
      the values to `int`, which for 32-bit integers can only hold values
      −2,147,483,648 (−2^31) through 2,147,483,647 (2^31 − 1).
      
      `avail` (in the function signature) is just 65536, so that no overflow
      was happening. Before the commit the assignment would result in 21845,
      and `num = 4`.
      
      When using `total_avail`, it is causing the assignment to be
      18446744072226137429 (printed as %lu), and `num` is then 4164608182.
      
      My next guess is, that `nfsd_drc_mem_used` is then exceeded, and the
      server thinks there is no memory available any more for this client.
      
      Updating the arguments of `clamp_t()` and `min_t()` to `unsigned long`
      fixes the issue.
      
      Now, `avail = 65536` (before commit 10a68cdf `avail = 21845`), but
      `num = 4` remains the same.
      
      Fixes: c54f24e338ed (nfsd: fix performance-limiting session calculation)
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8129a10c
    • W
      KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC · f25c0695
      Wanpeng Li 提交于
      commit bb34e690e9340bc155ebed5a3d75fc63ff69e082 upstream.
      
      Thomas reported that:
      
       | Background:
       |
       |    In preparation of supporting IPI shorthands I changed the CPU offline
       |    code to software disable the local APIC instead of just masking it.
       |    That's done by clearing the APIC_SPIV_APIC_ENABLED bit in the APIC_SPIV
       |    register.
       |
       | Failure:
       |
       |    When the CPU comes back online the startup code triggers occasionally
       |    the warning in apic_pending_intr_clear(). That complains that the IRRs
       |    are not empty.
       |
       |    The offending vector is the local APIC timer vector who's IRR bit is set
       |    and stays set.
       |
       | It took me quite some time to reproduce the issue locally, but now I can
       | see what happens.
       |
       | It requires apicv_enabled=0, i.e. full apic emulation. With apicv_enabled=1
       | (and hardware support) it behaves correctly.
       |
       | Here is the series of events:
       |
       |     Guest CPU
       |
       |     goes down
       |
       |       native_cpu_disable()
       |
       | 			apic_soft_disable();
       |
       |     play_dead()
       |
       |     ....
       |
       |     startup()
       |
       |       if (apic_enabled())
       |         apic_pending_intr_clear()	<- Not taken
       |
       |      enable APIC
       |
       |         apic_pending_intr_clear()	<- Triggers warning because IRR is stale
       |
       | When this happens then the deadline timer or the regular APIC timer -
       | happens with both, has fired shortly before the APIC is disabled, but the
       | interrupt was not serviced because the guest CPU was in an interrupt
       | disabled region at that point.
       |
       | The state of the timer vector ISR/IRR bits:
       |
       |     	     	       	        ISR     IRR
       | before apic_soft_disable()    0	      1
       | after apic_soft_disable()     0	      1
       |
       | On startup		      		 0	      1
       |
       | Now one would assume that the IRR is cleared after the INIT reset, but this
       | happens only on CPU0.
       |
       | Why?
       |
       | Because our CPU0 hotplug is just for testing to make sure nothing breaks
       | and goes through an NMI wakeup vehicle because INIT would send it through
       | the boots-trap code which is not really working if that CPU was not
       | physically unplugged.
       |
       | Now looking at a real world APIC the situation in that case is:
       |
       |     	     	       	      	ISR     IRR
       | before apic_soft_disable()    0	      1
       | after apic_soft_disable()     0	      1
       |
       | On startup		      		 0	      0
       |
       | Why?
       |
       | Once the dying CPU reenables interrupts the pending interrupt gets
       | delivered as a spurious interupt and then the state is clear.
       |
       | While that CPU0 hotplug test case is surely an esoteric issue, the APIC
       | emulation is still wrong, Even if the play_dead() code would not enable
       | interrupts then the pending IRR bit would turn into an ISR .. interrupt
       | when the APIC is reenabled on startup.
      
      From SDM 10.4.7.2 Local APIC State After It Has Been Software Disabled
      * Pending interrupts in the IRR and ISR registers are held and require
        masking or handling by the CPU.
      
      In Thomas's testing, hardware cpu will not respect soft disable LAPIC
      when IRR has already been set or APICv posted-interrupt is in flight,
      so we can skip soft disable APIC checking when clearing IRR and set ISR,
      continue to respect soft disable APIC when attempting to set IRR.
      Reported-by: NRong Chen <rong.a.chen@intel.com>
      Reported-by: NFeng Tang <feng.tang@intel.com>
      Reported-by: NThomas Gleixner <tglx@linutronix.de>
      Tested-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Rong Chen <rong.a.chen@intel.com>
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NWanpeng Li <wanpengli@tencent.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f25c0695
    • P
      KVM: x86: degrade WARN to pr_warn_ratelimited · f6472f50
      Paolo Bonzini 提交于
      commit 3f16a5c318392cbb5a0c7a3d19dff8c8ef3c38ee upstream.
      
      This warning can be triggered easily by userspace, so it should certainly not
      cause a panic if panic_on_warn is set.
      
      Reported-by: syzbot+c03f30b4f4c46bdf8575@syzkaller.appspotmail.com
      Suggested-by: NAlexander Potapenko <glider@google.com>
      Acked-by: NAlexander Potapenko <glider@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6472f50
    • G
      netfilter: ipv6: nf_defrag: accept duplicate fragments again · ac0024ba
      Guillaume Nault 提交于
      [ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
      
      When fixing the skb leak introduced by the conversion to rbtree, I
      forgot about the special case of duplicate fragments. The condition
      under the 'insert_error' label isn't effective anymore as
      nf_ct_frg6_gather() doesn't override the returned value anymore. So
      duplicate fragments now get NF_DROP verdict.
      
      To accept duplicate fragments again, handle them specially as soon as
      inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
      translate to NF_STOLEN verdict, like any accepted fragment. However,
      such packets don't carry any new information and aren't queued, so we
      just drop them immediately.
      
      Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
      Signed-off-by: NGuillaume Nault <gnault@redhat.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ac0024ba
    • D
      bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K · 54e8cf41
      Daniel Borkmann 提交于
      [ Upstream commit fdadd04931c2d7cd294dc5b2b342863f94be53a3 ]
      
      Michael and Sandipan report:
      
        Commit ede95a63b5 introduced a bpf_jit_limit tuneable to limit BPF
        JIT allocations. At compile time it defaults to PAGE_SIZE * 40000,
        and is adjusted again at init time if MODULES_VADDR is defined.
      
        For ppc64 kernels, MODULES_VADDR isn't defined, so we're stuck with
        the compile-time default at boot-time, which is 0x9c400000 when
        using 64K page size. This overflows the signed 32-bit bpf_jit_limit
        value:
      
        root@ubuntu:/tmp# cat /proc/sys/net/core/bpf_jit_limit
        -1673527296
      
        and can cause various unexpected failures throughout the network
        stack. In one case `strace dhclient eth0` reported:
      
        setsockopt(5, SOL_SOCKET, SO_ATTACH_FILTER, {len=11, filter=0x105dd27f8},
                   16) = -1 ENOTSUPP (Unknown error 524)
      
        and similar failures can be seen with tools like tcpdump. This doesn't
        always reproduce however, and I'm not sure why. The more consistent
        failure I've seen is an Ubuntu 18.04 KVM guest booted on a POWER9
        host would time out on systemd/netplan configuring a virtio-net NIC
        with no noticeable errors in the logs.
      
      Given this and also given that in near future some architectures like
      arm64 will have a custom area for BPF JIT image allocations we should
      get rid of the BPF_JIT_LIMIT_DEFAULT fallback / default entirely. For
      4.21, we have an overridable bpf_jit_alloc_exec(), bpf_jit_free_exec()
      so therefore add another overridable bpf_jit_alloc_exec_limit() helper
      function which returns the possible size of the memory area for deriving
      the default heuristic in bpf_jit_charge_init().
      
      Like bpf_jit_alloc_exec() and bpf_jit_free_exec(), the new
      bpf_jit_alloc_exec_limit() assumes that module_alloc() is the default
      JIT memory provider, and therefore in case archs implement their custom
      module_alloc() we use MODULES_{END,_VADDR} for limits and otherwise for
      vmalloc_exec() cases like on ppc64 we use VMALLOC_{END,_START}.
      
      Additionally, for archs supporting large page sizes, we should change
      the sysctl to be handled as long to not run into sysctl restrictions
      in future.
      
      Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations")
      Reported-by: NSandipan Das <sandipan@linux.ibm.com>
      Reported-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Tested-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      54e8cf41
    • C
      net: hns: fix unsigned comparison to less than zero · e6c288f7
      Colin Ian King 提交于
      [ Upstream commit ea401685a20b5d631957f024bda86e1f6118eb20 ]
      
      Currently mskid is unsigned and hence comparisons with negative
      error return values are always false. Fix this by making mskid an
      int.
      
      Fixes: f058e46855dc ("net: hns: fix ICMP6 neighbor solicitation messages discard problem")
      Addresses-Coverity: ("Operands don't affect result")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Reviewed-by: NMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e6c288f7
    • G
      sc16is7xx: move label 'err_spi' to correct section · 4f24801e
      Guoqing Jiang 提交于
      [ Upstream commit e00164a0f000de893944981f41a568c981aca658 ]
      
      err_spi is used when SERIAL_SC16IS7XX_SPI is enabled, so make
      the label only available under SERIAL_SC16IS7XX_SPI option.
      Otherwise, the below warning appears.
      
      drivers/tty/serial/sc16is7xx.c:1523:1: warning: label ‘err_spi’ defined but not used [-Wunused-label]
       err_spi:
        ^~~~~~~
      Signed-off-by: NGuoqing Jiang <gqjiang@suse.com>
      Fixes: ac0cdb3d9901 ("sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4f24801e
    • G
      netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments · 318244f3
      Guillaume Nault 提交于
      [ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]
      
      With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
      nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
      nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
      after the skb has been added to the fragment queue and
      nf_ct_frag6_gather() was adapted to handle this case.
      
      But nf_ct_frag6_queue() can still fail before the fragment has been
      queued. nf_ct_frag6_gather() can't handle this case anymore, because it
      has no way to know if nf_ct_frag6_queue() queued the fragment before
      failing. If it didn't, the skb is lost as the error code is overwritten
      with -EINPROGRESS.
      
      Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
      that nf_ct_frag6_gather() can propagate the error as is.
      
      Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
      Signed-off-by: NGuillaume Nault <gnault@redhat.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      318244f3
    • E
      ip6: fix skb leak in ip6frag_expire_frag_queue() · a8891c5e
      Eric Dumazet 提交于
      [ Upstream commit 47d3d7fdb10a21c223036b58bd70ffdc24a472c4 ]
      
      Since ip6frag_expire_frag_queue() now pulls the head skb
      from frag queue, we should no longer use skb_get(), since
      this leads to an skb leak.
      
      Stefan Bader initially reported a problem in 4.4.stable [1] caused
      by the skb_get(), so this patch should also fix this issue.
      
      296583.091021] kernel BUG at /build/linux-6VmqmP/linux-4.4.0/net/core/skbuff.c:1207!
      [296583.091734] Call Trace:
      [296583.091749]  [<ffffffff81740e50>] __pskb_pull_tail+0x50/0x350
      [296583.091764]  [<ffffffff8183939a>] _decode_session6+0x26a/0x400
      [296583.091779]  [<ffffffff817ec719>] __xfrm_decode_session+0x39/0x50
      [296583.091795]  [<ffffffff818239d0>] icmpv6_route_lookup+0xf0/0x1c0
      [296583.091809]  [<ffffffff81824421>] icmp6_send+0x5e1/0x940
      [296583.091823]  [<ffffffff81753238>] ? __netif_receive_skb+0x18/0x60
      [296583.091838]  [<ffffffff817532b2>] ? netif_receive_skb_internal+0x32/0xa0
      [296583.091858]  [<ffffffffc0199f74>] ? ixgbe_clean_rx_irq+0x594/0xac0 [ixgbe]
      [296583.091876]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
      [296583.091893]  [<ffffffff8183d431>] icmpv6_send+0x21/0x30
      [296583.091906]  [<ffffffff8182b500>] ip6_expire_frag_queue+0xe0/0x120
      [296583.091921]  [<ffffffffc04eb27f>] nf_ct_frag6_expire+0x1f/0x30 [nf_defrag_ipv6]
      [296583.091938]  [<ffffffff810f3b57>] call_timer_fn+0x37/0x140
      [296583.091951]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
      [296583.091968]  [<ffffffff810f5464>] run_timer_softirq+0x234/0x330
      [296583.091982]  [<ffffffff8108a339>] __do_softirq+0x109/0x2b0
      
      Fixes: d4289fcc9b16 ("net: IP6 defrag: use rbtrees for IPv6 defrag")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NStefan Bader <stefan.bader@canonical.com>
      Cc: Peter Oskolkov <posk@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a8891c5e
    • D
      rds: Fix warning. · 382bc84d
      David S. Miller 提交于
      [ Upstream commit d84e7bc0595a7e146ad0ddb80b240cea77825245 ]
      
      >> net/rds/send.c:1109:42: warning: Using plain integer as NULL pointer
      
      Fixes: ea010070d0a7 ("net/rds: fix warn in rds_message_alloc_sgs")
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      382bc84d
    • T
      ALSA: hda: Initialize power_state field properly · 7e6af1fa
      Takashi Iwai 提交于
      [ Upstream commit 183ab39eb0ea9879bb68422a83e65f750f3192f0 ]
      
      The recent commit 98081ca62cba ("ALSA: hda - Record the current power
      state before suspend/resume calls") made the HD-audio driver to store
      the PM state in power_state field.  This forgot, however, the
      initialization at power up.  Although the codec drivers usually don't
      need to refer to this field in the normal operation, let's initialize
      it properly for consistency.
      
      Fixes: 98081ca62cba ("ALSA: hda - Record the current power state before suspend/resume calls")
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7e6af1fa
    • S
      net: hns: Fixes the missing put_device in positive leg for roce reset · c8c88293
      Salil Mehta 提交于
      [ Upstream commit 4d96e13ee9cd1f7f801e8c7f4b12f09d1da4a5d8 ]
      
      This patch fixes the missing device reference release-after-use in
      the positive leg of the roce reset API of the HNS DSAF.
      
      Fixes: c969c6e7ab8c ("net: hns: Fix object reference leaks in hns_dsaf_roce_reset()")
      Reported-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NSalil Mehta <salil.mehta@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c8c88293
    • K
      x86/boot/compressed/64: Do not corrupt EDX on EFER.LME=1 setting · 6bf96773
      Kirill A. Shutemov 提交于
      [ Upstream commit 45b13b424faafb81c8c44541f093a682fdabdefc ]
      
      RDMSR in the trampoline code overwrites EDX but that register is used
      to indicate whether 5-level paging has to be enabled and if clobbered,
      leads to failure to boot on a 5-level paging machine.
      
      Preserve EDX on the stack while we are dealing with EFER.
      
      Fixes: b677dfae5aa1 ("x86/boot/compressed/64: Set EFER.LME=1 in 32-bit trampoline before returning to long mode")
      Reported-by: NKyle D Pelton <kyle.d.pelton@intel.com>
      Signed-off-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: dave.hansen@linux.intel.com
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Wei Huang <wei@redhat.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190206115253.1907-1-kirill.shutemov@linux.intel.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      6bf96773
    • D
      selftests: fib_rule_tests: Fix icmp proto with ipv6 · b91ec6ae
      David Ahern 提交于
      [ Upstream commit 15d55bae4e3c43cd9f87fd93c73a263e172d34e1 ]
      
      A recent commit returns an error if icmp is used as the ip-proto for
      IPv6 fib rules. Update fib_rule_tests to send ipv6-icmp instead of icmp.
      
      Fixes: 5e1a99eae8499 ("ipv4: Add ICMPv6 support when parse route ipproto")
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b91ec6ae
    • X
      scsi: tcmu: fix use after free · e2851c3e
      Xiubo Li 提交于
      [ Upstream commit 40d883b091758472c79b81fa1c0e0347e24a9cff ]
      
      Fixes: a94a2572b977 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: NXiubo Li <xiubli@redhat.com>
      Reviewed-by: NMike Christie <mchristi@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e2851c3e
    • W
      mac80211: mesh: fix missing unlock on error in table_path_del() · 04096b3b
      Wei Yongjun 提交于
      [ Upstream commit f2ffff085d287eec499f1fccd682796ad8010303 ]
      
      spin_lock_bh() is used in table_path_del() but rcu_read_unlock()
      is used for unlocking. Fix it by using spin_unlock_bh() instead
      of rcu_read_unlock() in the error handling case.
      
      Fixes: b4c3fbe63601 ("mac80211: Use linked list instead of rhashtable walk for mesh tables")
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      04096b3b
    • J
      f2fs: don't access node/meta inode mapping after iput · e2379b04
      Jaegeuk Kim 提交于
      [ Upstream commit 7c77bf7de1574ac7a31a2b76f4927404307d13e7 ]
      
      This fixes wrong access of address spaces of node and meta inodes after iput.
      
      Fixes: 60aa4d5536ab ("f2fs: fix use-after-free issue when accessing sbi->stat_info")
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e2379b04
    • N
      drm/fb-helper: generic: Don't take module ref for fbcon · e9fde78c
      Noralf Trønnes 提交于
      [ Upstream commit 6ab20a05f4c7ed45632e24d5397d6284e192567d ]
      
      It's now safe to let fbcon unbind automatically on fbdev unregister.
      The crash problem was fixed in commit 2122b40580dd
      ("fbdev: fbcon: Fix unregister crash when more than one framebuffer")
      Signed-off-by: NNoralf Trønnes <noralf@tronnes.org>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190210131039.52664-13-noralf@tronnes.orgSigned-off-by: NSasha Levin <sashal@kernel.org>
      e9fde78c