1. 10 7月, 2019 40 次提交
    • E
      tracing/snapshot: Resize spare buffer if size changed · c8790d7f
      Eiichi Tsukata 提交于
      commit 46cc0b44428d0f0e81f11ea98217fc0edfbeab07 upstream.
      
      Current snapshot implementation swaps two ring_buffers even though their
      sizes are different from each other, that can cause an inconsistency
      between the contents of buffer_size_kb file and the current buffer size.
      
      For example:
      
        # cat buffer_size_kb
        7 (expanded: 1408)
        # echo 1 > events/enable
        # grep bytes per_cpu/cpu0/stats
        bytes: 1441020
        # echo 1 > snapshot             // current:1408, spare:1408
        # echo 123 > buffer_size_kb     // current:123,  spare:1408
        # echo 1 > snapshot             // current:1408, spare:123
        # grep bytes per_cpu/cpu0/stats
        bytes: 1443700
        # cat buffer_size_kb
        123                             // != current:1408
      
      And also, a similar per-cpu case hits the following WARNING:
      
      Reproducer:
      
        # echo 1 > per_cpu/cpu0/snapshot
        # echo 123 > buffer_size_kb
        # echo 1 > per_cpu/cpu0/snapshot
      
      WARNING:
      
        WARNING: CPU: 0 PID: 1946 at kernel/trace/trace.c:1607 update_max_tr_single.part.0+0x2b8/0x380
        Modules linked in:
        CPU: 0 PID: 1946 Comm: bash Not tainted 5.2.0-rc6 #20
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
        RIP: 0010:update_max_tr_single.part.0+0x2b8/0x380
        Code: ff e8 dc da f9 ff 0f 0b e9 88 fe ff ff e8 d0 da f9 ff 44 89 ee bf f5 ff ff ff e8 33 dc f9 ff 41 83 fd f5 74 96 e8 b8 da f9 ff <0f> 0b eb 8d e8 af da f9 ff 0f 0b e9 bf fd ff ff e8 a3 da f9 ff 48
        RSP: 0018:ffff888063e4fca0 EFLAGS: 00010093
        RAX: ffff888066214380 RBX: ffffffff99850fe0 RCX: ffffffff964298a8
        RDX: 0000000000000000 RSI: 00000000fffffff5 RDI: 0000000000000005
        RBP: 1ffff1100c7c9f96 R08: ffff888066214380 R09: ffffed100c7c9f9b
        R10: ffffed100c7c9f9a R11: 0000000000000003 R12: 0000000000000000
        R13: 00000000ffffffea R14: ffff888066214380 R15: ffffffff99851060
        FS:  00007f9f8173c700(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000714dc0 CR3: 0000000066fa6000 CR4: 00000000000006f0
        Call Trace:
         ? trace_array_printk_buf+0x140/0x140
         ? __mutex_lock_slowpath+0x10/0x10
         tracing_snapshot_write+0x4c8/0x7f0
         ? trace_printk_init_buffers+0x60/0x60
         ? selinux_file_permission+0x3b/0x540
         ? tracer_preempt_off+0x38/0x506
         ? trace_printk_init_buffers+0x60/0x60
         __vfs_write+0x81/0x100
         vfs_write+0x1e1/0x560
         ksys_write+0x126/0x250
         ? __ia32_sys_read+0xb0/0xb0
         ? do_syscall_64+0x1f/0x390
         do_syscall_64+0xc1/0x390
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      This patch adds resize_buffer_duplicate_size() to check if there is a
      difference between current/spare buffer sizes and resize a spare buffer
      if necessary.
      
      Link: http://lkml.kernel.org/r/20190625012910.13109-1-devel@etsukata.com
      
      Cc: stable@vger.kernel.org
      Fixes: ad909e21 ("tracing: Add internal tracing_snapshot() functions")
      Signed-off-by: NEiichi Tsukata <devel@etsukata.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8790d7f
    • E
      fs/userfaultfd.c: disable irqs for fault_pending and event locks · 052b3181
      Eric Biggers 提交于
      commit cbcfa130a911c613a1d9d921af2eea171c414172 upstream.
      
      When IOCB_CMD_POLL is used on a userfaultfd, aio_poll() disables IRQs
      and takes kioctx::ctx_lock, then userfaultfd_ctx::fd_wqh.lock.
      
      This may have to wait for userfaultfd_ctx::fd_wqh.lock to be released by
      userfaultfd_ctx_read(), which in turn can be waiting for
      userfaultfd_ctx::fault_pending_wqh.lock or
      userfaultfd_ctx::event_wqh.lock.
      
      But elsewhere the fault_pending_wqh and event_wqh locks are taken with
      IRQs enabled.  Since the IRQ handler may take kioctx::ctx_lock, lockdep
      reports that a deadlock is possible.
      
      Fix it by always disabling IRQs when taking the fault_pending_wqh and
      event_wqh locks.
      
      Commit ae62c16e105a ("userfaultfd: disable irqs when taking the
      waitqueue lock") didn't fix this because it only accounted for the
      fd_wqh lock, not the other locks nested inside it.
      
      Link: http://lkml.kernel.org/r/20190627075004.21259-1-ebiggers@kernel.org
      Fixes: bfe4037e ("aio: implement IOCB_CMD_POLL")
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Reported-by: syzbot+fab6de82892b6b9c6191@syzkaller.appspotmail.com
      Reported-by: syzbot+53c0b767f7ca0dc0c451@syzkaller.appspotmail.com
      Reported-by: syzbot+a3accb352f9c22041cfa@syzkaller.appspotmail.com
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: <stable@vger.kernel.org>	[4.19+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      052b3181
    • H
      lib/mpi: Fix karactx leak in mpi_powm · ea380071
      Herbert Xu 提交于
      commit c8ea9fce2baf7b643384f36f29e4194fa40d33a6 upstream.
      
      Sometimes mpi_powm will leak karactx because a memory allocation
      failure causes a bail-out that skips the freeing of karactx.  This
      patch moves the freeing of karactx to the end of the function like
      everything else so that it can't be skipped.
      
      Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
      Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files...")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Reviewed-by: NEric Biggers <ebiggers@kernel.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea380071
    • D
      ALSA: hda/realtek - Change front mic location for Lenovo M710q · 7df1e2f5
      Dennis Wassenberg 提交于
      commit bef33e19203dde434bcdf21c449e3fb4f06c2618 upstream.
      
      On M710q Lenovo ThinkCentre machine, there are two front mics,
      we change the location for one of them to avoid conflicts.
      Signed-off-by: NDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7df1e2f5
    • R
      ALSA: hda/realtek: Add quirks for several Clevo notebook barebones · 899377c5
      Richard Sailer 提交于
      commit 503d90b30602a3295978e46d844ccc8167400fe6 upstream.
      
      This adds 4 SND_PCI_QUIRK(...) lines for several barebone models of the ODM
      Clevo. The model names are written in regex syntax to describe/match all clevo
      models that are similar enough and use the same PCI SSID that this fixup works
      for them.
      
      Additionally the lines regarding SSID 0x96e1 and 0x97e1 didn't fix audio for the
      all our Clevo notebooks using these SSIDs (models Clevo P960* and P970*) since
      ALC1220_FIXP_CLEVO_PB51ED_PINS swapped pins that are not necesarry to be
      swapped. This patch initiates ALC1220_FIXUP_CLEVO_P950 instead for these model
      and fixes the audio.
      
      Fixes: 80690a276f44 ("ALSA: hda/realtek - Add quirk for Tuxedo XC 1509")
      Signed-off-by: NRichard Sailer <rs@tuxedocomputers.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      899377c5
    • C
      ALSA: usb-audio: fix sign unintended sign extension on left shifts · d9b6936b
      Colin Ian King 提交于
      commit 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 upstream.
      
      There are a couple of left shifts of unsigned 8 bit values that
      first get promoted to signed ints and hence get sign extended
      on the shift if the top bit of the 8 bit values are set. Fix
      this by casting the 8 bit values to unsigned ints to stop the
      unintentional sign extension.
      
      Addresses-Coverity: ("Unintended sign extension")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9b6936b
    • T
      ALSA: line6: Fix write on zero-sized buffer · 7f52af5e
      Takashi Iwai 提交于
      commit 3450121997ce872eb7f1248417225827ea249710 upstream.
      
      LINE6 drivers allocate the buffers based on the value returned from
      usb_maxpacket() calls.  The manipulated device may return zero for
      this, and this results in the kmalloc() with zero size (and it may
      succeed) while the other part of the driver code writes the packet
      data with the fixed size -- which eventually overwrites.
      
      This patch adds a simple sanity check for the invalid buffer size for
      avoiding that problem.
      
      Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f52af5e
    • T
      ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages · 3663bf2b
      Takashi Sakamoto 提交于
      commit 7fbd1753b64eafe21cf842348a40a691d0dee440 upstream.
      
      In IEC 61883-6, 8 MIDI data streams are multiplexed into single
      MIDI conformant data channel. The index of stream is calculated by
      modulo 8 of the value of data block counter.
      
      In fireworks, the value of data block counter in CIP header has a quirk
      with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
      IEC 61883-1/6 packet streaming engine to miss detection of MIDI
      messages.
      
      This commit fixes the miss detection to modify the value of data block
      counter for the modulo calculation.
      
      For maintainers, this bug exists since a commit 18f5ed36 ("ALSA:
      fireworks/firewire-lib: add support for recent firmware quirk") in Linux
      kernel v4.2. There're many changes since the commit.  This fix can be
      backported to Linux kernel v4.4 or later. I tagged a base commit to the
      backport for your convenience.
      
      Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
      some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
      The content of this patch brings conflict when merging -rc tree with
      this patch and the latest tree. I request maintainers to solve the
      conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
      
      Fixes: df075fee ("ALSA: firewire-lib: complete AM824 data block processing layer")
      Cc: <stable@vger.kernel.org> # v4.4+
      Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3663bf2b
    • C
      ALSA: seq: fix incorrect order of dest_client/dest_ports arguments · 9d2ac58c
      Colin Ian King 提交于
      commit c3ea60c231446663afd6ea1054da6b7f830855ca upstream.
      
      There are two occurrances of a call to snd_seq_oss_fill_addr where
      the dest_client and dest_port arguments are in the wrong order. Fix
      this by swapping them around.
      
      Addresses-Coverity: ("Arguments in wrong order")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d2ac58c
    • V
      crypto: cryptd - Fix skcipher instance memory leak · ae3fa28f
      Vincent Whitchurch 提交于
      commit 1a0fad630e0b7cff38e7691b28b0517cfbb0633f upstream.
      
      cryptd_skcipher_free() fails to free the struct skcipher_instance
      allocated in cryptd_create_skcipher(), leading to a memory leak.  This
      is detected by kmemleak on bootup on ARM64 platforms:
      
       unreferenced object 0xffff80003377b180 (size 1024):
         comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s)
         backtrace:
           kmem_cache_alloc_trace+0x270/0x2d0
           cryptd_create+0x990/0x124c
           cryptomgr_probe+0x5c/0x1e8
           kthread+0x258/0x318
           ret_from_fork+0x10/0x1c
      
      Fixes: 4e0958d1 ("crypto: cryptd - Add support for skcipher")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NVincent Whitchurch <vincent.whitchurch@axis.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae3fa28f
    • E
      crypto: user - prevent operating on larval algorithms · 015c2053
      Eric Biggers 提交于
      commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.
      
      Michal Suchanek reported [1] that running the pcrypt_aead01 test from
      LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
      alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
      The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
      
      The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
      unregister isn't a real registered algorithm, but rather is a "test
      larval", which is a special "algorithm" added to the algorithms list
      while the real algorithm is still being tested.  Larvals don't have
      initialized cra_users, so that causes the crash.  Normally pcrypt_aead01
      doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
      to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
      
      Everything else in the "crypto user configuration" API has this same bug
      too, i.e. it inappropriately allows operating on larval algorithms
      (though it doesn't look like the other cases can cause a crash).
      
      Fix this by making crypto_alg_match() exclude larval algorithms.
      
      [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
      [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.cReported-by: NMichal Suchanek <msuchanek@suse.de>
      Fixes: a38f7907 ("crypto: Add userspace configuration API")
      Cc: <stable@vger.kernel.org> # v3.2+
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      015c2053
    • J
      ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME · 54435b7f
      Jann Horn 提交于
      commit 6994eefb0053799d2e07cd140df6c2ea106c41ee upstream.
      
      Fix two issues:
      
      When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
      reference to the parent's objective credentials, then give that pointer
      to get_cred().  However, the object lifetime rules for things like
      struct cred do not permit unconditionally turning an RCU reference into
      a stable reference.
      
      PTRACE_TRACEME records the parent's credentials as if the parent was
      acting as the subject, but that's not the case.  If a malicious
      unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
      at a later point, the parent process becomes attacker-controlled
      (because it drops privileges and calls execve()), the attacker ends up
      with control over two processes with a privileged ptrace relationship,
      which can be abused to ptrace a suid binary and obtain root privileges.
      
      Fix both of these by always recording the credentials of the process
      that is requesting the creation of the ptrace relationship:
      current_cred() can't change under us, and current is the proper subject
      for access control.
      
      This change is theoretically userspace-visible, but I am not aware of
      any code that it will actually break.
      
      Fixes: 64b875f7 ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
      Signed-off-by: NJann Horn <jannh@google.com>
      Acked-by: NOleg Nesterov <oleg@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54435b7f
    • L
      drm/i915/dmc: protect against reading random memory · 600d3712
      Lucas De Marchi 提交于
      commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream.
      
      While loading the DMC firmware we were double checking the headers made
      sense, but in no place we checked that we were actually reading memory
      we were supposed to. This could be wrong in case the firmware file is
      truncated or malformed.
      
      Before this patch:
      	# ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
      	-rw-r--r-- 1 root root  25716 Feb  1 12:26 icl_dmc_ver1_07.bin
      	# truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
      	# modprobe i915
      	# dmesg| grep -i dmc
      	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
      	[drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
      
      i.e. it loads random data. Now it fails like below:
      	[drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
      	[drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
      	i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
      	i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
      
      Before reading any part of the firmware file, validate the input first.
      
      Fixes: eb805623 ("drm/i915/skl: Add support to load SKL CSR firmware.")
      Signed-off-by: NLucas De Marchi <lucas.demarchi@intel.com>
      Reviewed-by: NRodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com
      (cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      [ Lucas: backported to 4.9+ adjusting the context ]
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      600d3712
    • W
      ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper() · 2b39351e
      Wei Li 提交于
      [ Upstream commit 04e03d9a616c19a47178eaca835358610e63a1dd ]
      
      The mapper may be NULL when called from register_ftrace_function_probe()
      with probe->data == NULL.
      
      This issue can be reproduced as follow (it may be covered by compiler
      optimization sometime):
      
      / # cat /sys/kernel/debug/tracing/set_ftrace_filter
      #### all functions enabled ####
      / # echo foo_bar:dump > /sys/kernel/debug/tracing/set_ftrace_filter
      [  206.949100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
      [  206.952402] Mem abort info:
      [  206.952819]   ESR = 0x96000006
      [  206.955326]   Exception class = DABT (current EL), IL = 32 bits
      [  206.955844]   SET = 0, FnV = 0
      [  206.956272]   EA = 0, S1PTW = 0
      [  206.956652] Data abort info:
      [  206.957320]   ISV = 0, ISS = 0x00000006
      [  206.959271]   CM = 0, WnR = 0
      [  206.959938] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000419f3a000
      [  206.960483] [0000000000000000] pgd=0000000411a87003, pud=0000000411a83003, pmd=0000000000000000
      [  206.964953] Internal error: Oops: 96000006 [#1] SMP
      [  206.971122] Dumping ftrace buffer:
      [  206.973677]    (ftrace buffer empty)
      [  206.975258] Modules linked in:
      [  206.976631] Process sh (pid: 281, stack limit = 0x(____ptrval____))
      [  206.978449] CPU: 10 PID: 281 Comm: sh Not tainted 5.2.0-rc1+ #17
      [  206.978955] Hardware name: linux,dummy-virt (DT)
      [  206.979883] pstate: 60000005 (nZCv daif -PAN -UAO)
      [  206.980499] pc : free_ftrace_func_mapper+0x2c/0x118
      [  206.980874] lr : ftrace_count_free+0x68/0x80
      [  206.982539] sp : ffff0000182f3ab0
      [  206.983102] x29: ffff0000182f3ab0 x28: ffff8003d0ec1700
      [  206.983632] x27: ffff000013054b40 x26: 0000000000000001
      [  206.984000] x25: ffff00001385f000 x24: 0000000000000000
      [  206.984394] x23: ffff000013453000 x22: ffff000013054000
      [  206.984775] x21: 0000000000000000 x20: ffff00001385fe28
      [  206.986575] x19: ffff000013872c30 x18: 0000000000000000
      [  206.987111] x17: 0000000000000000 x16: 0000000000000000
      [  206.987491] x15: ffffffffffffffb0 x14: 0000000000000000
      [  206.987850] x13: 000000000017430e x12: 0000000000000580
      [  206.988251] x11: 0000000000000000 x10: cccccccccccccccc
      [  206.988740] x9 : 0000000000000000 x8 : ffff000013917550
      [  206.990198] x7 : ffff000012fac2e8 x6 : ffff000012fac000
      [  206.991008] x5 : ffff0000103da588 x4 : 0000000000000001
      [  206.991395] x3 : 0000000000000001 x2 : ffff000013872a28
      [  206.991771] x1 : 0000000000000000 x0 : 0000000000000000
      [  206.992557] Call trace:
      [  206.993101]  free_ftrace_func_mapper+0x2c/0x118
      [  206.994827]  ftrace_count_free+0x68/0x80
      [  206.995238]  release_probe+0xfc/0x1d0
      [  206.995555]  register_ftrace_function_probe+0x4a8/0x868
      [  206.995923]  ftrace_trace_probe_callback.isra.4+0xb8/0x180
      [  206.996330]  ftrace_dump_callback+0x50/0x70
      [  206.996663]  ftrace_regex_write.isra.29+0x290/0x3a8
      [  206.997157]  ftrace_filter_write+0x44/0x60
      [  206.998971]  __vfs_write+0x64/0xf0
      [  206.999285]  vfs_write+0x14c/0x2f0
      [  206.999591]  ksys_write+0xbc/0x1b0
      [  206.999888]  __arm64_sys_write+0x3c/0x58
      [  207.000246]  el0_svc_common.constprop.0+0x408/0x5f0
      [  207.000607]  el0_svc_handler+0x144/0x1c8
      [  207.000916]  el0_svc+0x8/0xc
      [  207.003699] Code: aa0003f8 a9025bf5 aa0103f5 f946ea80 (f9400303)
      [  207.008388] ---[ end trace 7b6d11b5f542bdf1 ]---
      [  207.010126] Kernel panic - not syncing: Fatal exception
      [  207.011322] SMP: stopping secondary CPUs
      [  207.013956] Dumping ftrace buffer:
      [  207.014595]    (ftrace buffer empty)
      [  207.015632] Kernel Offset: disabled
      [  207.017187] CPU features: 0x002,20006008
      [  207.017985] Memory Limit: none
      [  207.019825] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      Link: http://lkml.kernel.org/r/20190606031754.10798-1-liwei391@huawei.comSigned-off-by: NWei Li <liwei391@huawei.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2b39351e
    • J
      module: Fix livepatch/ftrace module text permissions race · 93804417
      Josh Poimboeuf 提交于
      [ Upstream commit 9f255b632bf12c4dd7fc31caee89aa991ef75176 ]
      
      It's possible for livepatch and ftrace to be toggling a module's text
      permissions at the same time, resulting in the following panic:
      
        BUG: unable to handle page fault for address: ffffffffc005b1d9
        #PF: supervisor write access in kernel mode
        #PF: error_code(0x0003) - permissions violation
        PGD 3ea0c067 P4D 3ea0c067 PUD 3ea0e067 PMD 3cc13067 PTE 3b8a1061
        Oops: 0003 [#1] PREEMPT SMP PTI
        CPU: 1 PID: 453 Comm: insmod Tainted: G           O  K   5.2.0-rc1-a188339ca5 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
        RIP: 0010:apply_relocate_add+0xbe/0x14c
        Code: fa 0b 74 21 48 83 fa 18 74 38 48 83 fa 0a 75 40 eb 08 48 83 38 00 74 33 eb 53 83 38 00 75 4e 89 08 89 c8 eb 0a 83 38 00 75 43 <89> 08 48 63 c1 48 39 c8 74 2e eb 48 83 38 00 75 32 48 29 c1 89 08
        RSP: 0018:ffffb223c00dbb10 EFLAGS: 00010246
        RAX: ffffffffc005b1d9 RBX: 0000000000000000 RCX: ffffffff8b200060
        RDX: 000000000000000b RSI: 0000004b0000000b RDI: ffff96bdfcd33000
        RBP: ffffb223c00dbb38 R08: ffffffffc005d040 R09: ffffffffc005c1f0
        R10: ffff96bdfcd33c40 R11: ffff96bdfcd33b80 R12: 0000000000000018
        R13: ffffffffc005c1f0 R14: ffffffffc005e708 R15: ffffffff8b2fbc74
        FS:  00007f5f447beba8(0000) GS:ffff96bdff900000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: ffffffffc005b1d9 CR3: 000000003cedc002 CR4: 0000000000360ea0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         klp_init_object_loaded+0x10f/0x219
         ? preempt_latency_start+0x21/0x57
         klp_enable_patch+0x662/0x809
         ? virt_to_head_page+0x3a/0x3c
         ? kfree+0x8c/0x126
         patch_init+0x2ed/0x1000 [livepatch_test02]
         ? 0xffffffffc0060000
         do_one_initcall+0x9f/0x1c5
         ? kmem_cache_alloc_trace+0xc4/0xd4
         ? do_init_module+0x27/0x210
         do_init_module+0x5f/0x210
         load_module+0x1c41/0x2290
         ? fsnotify_path+0x3b/0x42
         ? strstarts+0x2b/0x2b
         ? kernel_read+0x58/0x65
         __do_sys_finit_module+0x9f/0xc3
         ? __do_sys_finit_module+0x9f/0xc3
         __x64_sys_finit_module+0x1a/0x1c
         do_syscall_64+0x52/0x61
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The above panic occurs when loading two modules at the same time with
      ftrace enabled, where at least one of the modules is a livepatch module:
      
      CPU0					CPU1
      klp_enable_patch()
        klp_init_object_loaded()
          module_disable_ro()
          					ftrace_module_enable()
      					  ftrace_arch_code_modify_post_process()
      				    	    set_all_modules_text_ro()
            klp_write_object_relocations()
              apply_relocate_add()
      	  *patches read-only code* - BOOM
      
      A similar race exists when toggling ftrace while loading a livepatch
      module.
      
      Fix it by ensuring that the livepatch and ftrace code patching
      operations -- and their respective permissions changes -- are protected
      by the text_mutex.
      
      Link: http://lkml.kernel.org/r/ab43d56ab909469ac5d2520c5d944ad6d4abd476.1560474114.git.jpoimboe@redhat.comReported-by: NJohannes Erdfelt <johannes@erdfelt.com>
      Fixes: 444d13ff ("modules: add ro_after_init support")
      Acked-by: NJessica Yu <jeyu@kernel.org>
      Reviewed-by: NPetr Mladek <pmladek@suse.com>
      Reviewed-by: NMiroslav Benes <mbenes@suse.cz>
      Signed-off-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      93804417
    • V
      tracing: avoid build warning with HAVE_NOP_MCOUNT · 220adcc0
      Vasily Gorbik 提交于
      [ Upstream commit cbdaeaf050b730ea02e9ab4ff844ce54d85dbe1d ]
      
      Selecting HAVE_NOP_MCOUNT enables -mnop-mcount (if gcc supports it)
      and sets CC_USING_NOP_MCOUNT. Reuse __is_defined (which is suitable for
      testing CC_USING_* defines) to avoid conditional compilation and fix
      the following gcc 9 warning on s390:
      
      kernel/trace/ftrace.c:2514:1: warning: ‘ftrace_code_disable’ defined
      but not used [-Wunused-function]
      
      Link: http://lkml.kernel.org/r/patch.git-1a82d13f33ac.your-ad-here.call-01559732716-ext-6629@work.hours
      
      Fixes: 2f4df001 ("tracing: Add -mcount-nop option support")
      Signed-off-by: NVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      220adcc0
    • S
      mm/mlock.c: change count_mm_mlocked_page_nr return type · 79fccb98
      swkhack 提交于
      [ Upstream commit 0874bb49bb21bf24deda853e8bf61b8325e24bcb ]
      
      On a 64-bit machine the value of "vma->vm_end - vma->vm_start" may be
      negative when using 32 bit ints and the "count >> PAGE_SHIFT"'s result
      will be wrong.  So change the local variable and return value to
      unsigned long to fix the problem.
      
      Link: http://lkml.kernel.org/r/20190513023701.83056-1-swkhack@gmail.com
      Fixes: 0cf2f6f6 ("mm: mlock: check against vma for actual mlock() size")
      Signed-off-by: Nswkhack <swkhack@gmail.com>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      79fccb98
    • M
      scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE · 4fce0a79
      Manuel Traut 提交于
      [ Upstream commit c04e32e911653442fc834be6e92e072aeebe01a1 ]
      
      At least for ARM64 kernels compiled with the crosstoolchain from
      Debian/stretch or with the toolchain from kernel.org the line number is
      not decoded correctly by 'decode_stacktrace.sh':
      
        $ echo "[  136.513051]  f1+0x0/0xc [kcrash]" | \
          CROSS_COMPILE=/opt/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- \
         ./scripts/decode_stacktrace.sh /scratch/linux-arm64/vmlinux \
                                        /scratch/linux-arm64 \
                                        /nfs/debian/lib/modules/4.20.0-devel
        [  136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:68) kcrash
      
      If addr2line from the toolchain is used the decoded line number is correct:
      
        [  136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:57) kcrash
      
      Link: http://lkml.kernel.org/r/20190527083425.3763-1-manut@linutronix.deSigned-off-by: NManuel Traut <manut@linutronix.de>
      Acked-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4fce0a79
    • J
      cpuset: restore sanity to cpuset_cpus_allowed_fallback() · b7747ecb
      Joel Savitz 提交于
      [ Upstream commit d477f8c202d1f0d4791ab1263ca7657bbe5cf79e ]
      
      In the case that a process is constrained by taskset(1) (i.e.
      sched_setaffinity(2)) to a subset of available cpus, and all of those are
      subsequently offlined, the scheduler will set tsk->cpus_allowed to
      the current value of task_cs(tsk)->effective_cpus.
      
      This is done via a call to do_set_cpus_allowed() in the context of
      cpuset_cpus_allowed_fallback() made by the scheduler when this case is
      detected. This is the only call made to cpuset_cpus_allowed_fallback()
      in the latest mainline kernel.
      
      However, this is not sane behavior.
      
      I will demonstrate this on a system running the latest upstream kernel
      with the following initial configuration:
      
      	# grep -i cpu /proc/$$/status
      	Cpus_allowed:	ffffffff,fffffff
      	Cpus_allowed_list:	0-63
      
      (Where cpus 32-63 are provided via smt.)
      
      If we limit our current shell process to cpu2 only and then offline it
      and reonline it:
      
      	# taskset -p 4 $$
      	pid 2272's current affinity mask: ffffffffffffffff
      	pid 2272's new affinity mask: 4
      
      	# echo off > /sys/devices/system/cpu/cpu2/online
      	# dmesg | tail -3
      	[ 2195.866089] process 2272 (bash) no longer affine to cpu2
      	[ 2195.872700] IRQ 114: no longer affine to CPU2
      	[ 2195.879128] smpboot: CPU 2 is now offline
      
      	# echo on > /sys/devices/system/cpu/cpu2/online
      	# dmesg | tail -1
      	[ 2617.043572] smpboot: Booting Node 0 Processor 2 APIC 0x4
      
      We see that our current process now has an affinity mask containing
      every cpu available on the system _except_ the one we originally
      constrained it to:
      
      	# grep -i cpu /proc/$$/status
      	Cpus_allowed:   ffffffff,fffffffb
      	Cpus_allowed_list:      0-1,3-63
      
      This is not sane behavior, as the scheduler can now not only place the
      process on previously forbidden cpus, it can't even schedule it on
      the cpu it was originally constrained to!
      
      Other cases result in even more exotic affinity masks. Take for instance
      a process with an affinity mask containing only cpus provided by smt at
      the moment that smt is toggled, in a configuration such as the following:
      
      	# taskset -p f000000000 $$
      	# grep -i cpu /proc/$$/status
      	Cpus_allowed:	000000f0,00000000
      	Cpus_allowed_list:	36-39
      
      A double toggle of smt results in the following behavior:
      
      	# echo off > /sys/devices/system/cpu/smt/control
      	# echo on > /sys/devices/system/cpu/smt/control
      	# grep -i cpus /proc/$$/status
      	Cpus_allowed:	ffffff00,ffffffff
      	Cpus_allowed_list:	0-31,40-63
      
      This is even less sane than the previous case, as the new affinity mask
      excludes all smt-provided cpus with ids less than those that were
      previously in the affinity mask, as well as those that were actually in
      the mask.
      
      With this patch applied, both of these cases end in the following state:
      
      	# grep -i cpu /proc/$$/status
      	Cpus_allowed:	ffffffff,ffffffff
      	Cpus_allowed_list:	0-63
      
      The original policy is discarded. Though not ideal, it is the simplest way
      to restore sanity to this fallback case without reinventing the cpuset
      wheel that rolls down the kernel just fine in cgroup v2. A user who wishes
      for the previous affinity mask to be restored in this fallback case can use
      that mechanism instead.
      
      This patch modifies scheduler behavior by instead resetting the mask to
      task_cs(tsk)->cpus_allowed by default, and cpu_possible mask in legacy
      mode. I tested the cases above on both modes.
      
      Note that the scheduler uses this fallback mechanism if and only if
      _every_ other valid avenue has been traveled, and it is the last resort
      before calling BUG().
      Suggested-by: NWaiman Long <longman@redhat.com>
      Suggested-by: NPhil Auld <pauld@redhat.com>
      Signed-off-by: NJoel Savitz <jsavitz@redhat.com>
      Acked-by: NPhil Auld <pauld@redhat.com>
      Acked-by: NWaiman Long <longman@redhat.com>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b7747ecb
    • L
      i2c: pca-platform: Fix GPIO lookup code · e33aeb9a
      Linus Walleij 提交于
      [ Upstream commit a0cac264a86fbf4d6cb201fbbb73c1d335e3248a ]
      
      The devm_gpiod_request_gpiod() call will add "-gpios" to
      any passed connection ID before looking it up.
      
      I do not think the reset GPIO on this platform is named
      "reset-gpios-gpios" but rather "reset-gpios" in the device
      tree, so fix this up so that we get a proper reset GPIO
      handle.
      
      Also drop the inclusion of the legacy GPIO header.
      
      Fixes: 0e8ce93b ("i2c: pca-platform: add devicetree awareness")
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: NChris Packham <chris.packham@alliedtelesis.co.nz>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e33aeb9a
    • V
      platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow · 7cf431ed
      Vadim Pasternak 提交于
      [ Upstream commit 8c2eb7b6468ad4aa5600aed01aa0715f921a3f8b ]
      
      Add devm_free_irq() call to mlxreg-hotplug remove() for clean release
      of devices irq resource. Fix debugobjects warning triggered by rmmod
      It prevents of use-after-free memory, related to
      mlxreg_hotplug_work_handler.
      
      Issue has been reported as debugobjects warning triggered by
      'rmmod mlxtreg-hotplug' flow, while running kernel with
      CONFIG_DEBUG_OBJECTS* options.
      
      [ 2489.623551] ODEBUG: free active (active state 0) object type: work_struct hint: mlxreg_hotplug_work_handler+0x0/0x7f0 [mlxreg_hotplug]
      [ 2489.637097] WARNING: CPU: 5 PID: 3924 at lib/debugobjects.c:328 debug_print_object+0xfe/0x180
      [ 2489.637165] RIP: 0010:debug_print_object+0xfe/0x180
      ?
      [ 2489.637214] Call Trace:
      [ 2489.637225]  __debug_check_no_obj_freed+0x25e/0x320
      [ 2489.637231]  kfree+0x82/0x110
      [ 2489.637238]  release_nodes+0x33c/0x4e0
      [ 2489.637242]  ? devres_remove_group+0x1b0/0x1b0
      [ 2489.637247]  device_release_driver_internal+0x146/0x270
      [ 2489.637251]  driver_detach+0x73/0xe0
      [ 2489.637254]  bus_remove_driver+0xa1/0x170
      [ 2489.637261]  __x64_sys_delete_module+0x29e/0x320
      [ 2489.637265]  ? __ia32_sys_delete_module+0x320/0x320
      [ 2489.637268]  ? blkcg_exit_queue+0x20/0x20
      [ 2489.637273]  ? task_work_run+0x7d/0x100
      [ 2489.637278]  ? exit_to_usermode_loop+0x5b/0xf0
      [ 2489.637281]  do_syscall_64+0x73/0x160
      [ 2489.637287]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2489.637290] RIP: 0033:0x7f95c3596fd7
      
      The difference in release flow with and with no devm_free_irq is listed
      below:
      
      bus: 'platform': remove driver mlxreg-hotplug
       mlxreg_hotplug_remove(start)
      					-> devm_free_irq (with new code)
       mlxreg_hotplug_remove (end)
       release_nodes (start)
        mlxreg-hotplug: DEVRES REL devm_hwmon_release (8 bytes)
        device: 'hwmon3': device_unregister
        PM: Removing info for No Bus:hwmon3
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (88 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (6 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (5 bytes)
        mlxreg-hotplug: DEVRES REL devm_irq_release (16 bytes) (no new code)
        mlxreg-hotplug: DEVRES REL devm_kzalloc_release (1376 bytes)
         ------------[ cut here ]------------ (no new code):
         ODEBUG: free active (active state 0) object type: work_struct hint: mlxreg_hotplug_work_handler
      
       release_nodes(end)
      driver: 'mlxreg-hotplug': driver_release
      
      Fixes: 1f976f69 ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox")
      Signed-off-by: NVadim Pasternak <vadimp@mellanox.com>
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7cf431ed
    • V
      platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration · c241f3fb
      Vadim Pasternak 提交于
      [ Upstream commit 160da20b254dd4bfc5828f12c208fa831ad4be6c ]
      
      Fix the issue found while running kernel with the option
      CONFIG_DEBUG_TEST_DRIVER_REMOVE.
      Driver 'mlx-platform' registers 'i2c_mlxcpld' device and then registers
      few underlying 'i2c-mux-reg' devices:
      	priv->pdev_i2c = platform_device_register_simple("i2c_mlxcpld", nr,
      							 NULL, 0);
      	...
      	for (i = 0; i < ARRAY_SIZE(mlxplat_mux_data); i++) {
      		priv->pdev_mux[i] = platform_device_register_resndata(
      						&mlxplat_dev->dev,
      						"i2c-mux-reg", i, NULL,
      						0, &mlxplat_mux_data[i],
      						sizeof(mlxplat_mux_data[i]));
      
      But actual parent of "i2c-mux-reg" device is priv->pdev_i2c->dev and
      not mlxplat_dev->dev.
      Patch fixes parent device parameter in a call to
      platform_device_register_resndata() for "i2c-mux-reg".
      
      It solves the race during initialization flow while 'i2c_mlxcpld.1' is
      removing after probe, while 'i2c-mux-reg.0' is still in probing flow:
      'i2c_mlxcpld.1'	flow:	probe -> remove -> probe.
      'i2c-mux-reg.0'	flow:		  probe -> ...
      
      [   12:621096] Registering platform device 'i2c_mlxcpld.1'. Parent at platform
      [   12:621117] device: 'i2c_mlxcpld.1': device_add
      [   12:621155] bus: 'platform': add device i2c_mlxcpld.1
      [   12:621384] Registering platform device 'i2c-mux-reg.0'. Parent at mlxplat
      [   12:621395] device: 'i2c-mux-reg.0': device_add
      [   12:621425] bus: 'platform': add device i2c-mux-reg.0
      [   12:621806] Registering platform device 'i2c-mux-reg.1'. Parent at mlxplat
      [   12:621828] device: 'i2c-mux-reg.1': device_add
      [   12:621892] bus: 'platform': add device i2c-mux-reg.1
      [   12:621906] bus: 'platform': add driver i2c_mlxcpld
      [   12:621996] bus: 'platform': driver_probe_device: matched device i2c_mlxcpld.1 with driver i2c_mlxcpld
      [   12:622003] bus: 'platform': really_probe: probing driver i2c_mlxcpld with device i2c_mlxcpld.1
      [   12:622100] i2c_mlxcpld i2c_mlxcpld.1: no default pinctrl state
      [   12:622293] device: 'i2c-1': device_add
      [   12:627280] bus: 'i2c': add device i2c-1
      [   12:627692] device: 'i2c-1': device_add
      [   12.629639] bus: 'platform': add driver i2c-mux-reg
      [   12.629718] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
      [   12.629723] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
      [   12.629818] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
      [   12.629981] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral
      [   12.629986] platform i2c-mux-reg.0: Added to deferred list
      [   12.629992] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg
      [   12.629997] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1
      [   12.630091] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state
      [   12.630247] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral
      [   12.630252] platform i2c-mux-reg.1: Added to deferred list
      [   12.640892] devices_kset: Moving i2c-mux-reg.0 to end of list
      [   12.640900] platform i2c-mux-reg.0: Retrying from deferred list
      [   12.640911] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
      [   12.640919] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
      [   12.640999] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
      [   12.641177] platform i2c-mux-reg.0: Driver i2c-mux-reg requests probe deferral
      [   12.641187] platform i2c-mux-reg.0: Added to deferred list
      [   12.641198] devices_kset: Moving i2c-mux-reg.1 to end of list
      [   12.641219] platform i2c-mux-reg.1: Retrying from deferred list
      [   12.641237] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.1 with driver i2c-mux-reg
      [   12.641247] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.1
      [   12.641331] i2c-mux-reg i2c-mux-reg.1: no default pinctrl state
      [   12.641465] platform i2c-mux-reg.1: Driver i2c-mux-reg requests probe deferral
      [   12.641469] platform i2c-mux-reg.1: Added to deferred list
      [   12.646427] device: 'i2c-1': device_add
      [   12.646647] bus: 'i2c': add device i2c-1
      [   12.647104] device: 'i2c-1': device_add
      [   12.669231] devices_kset: Moving i2c-mux-reg.0 to end of list
      [   12.669240] platform i2c-mux-reg.0: Retrying from deferred list
      [   12.669258] bus: 'platform': driver_probe_device: matched device i2c-mux-reg.0 with driver i2c-mux-reg
      [   12.669263] bus: 'platform': really_probe: probing driver i2c-mux-reg with device i2c-mux-reg.0
      [   12.669343] i2c-mux-reg i2c-mux-reg.0: no default pinctrl state
      [   12.669585] device: 'i2c-2': device_add
      [   12.669795] bus: 'i2c': add device i2c-2
      [   12.670201] device: 'i2c-2': device_add
      [   12.671427] i2c i2c-1: Added multiplexed i2c bus 2
      [   12.671514] device: 'i2c-3': device_add
      [   12.671724] bus: 'i2c': add device i2c-3
      [   12.672136] device: 'i2c-3': device_add
      [   12.673378] i2c i2c-1: Added multiplexed i2c bus 3
      [   12.673472] device: 'i2c-4': device_add
      [   12.673676] bus: 'i2c': add device i2c-4
      [   12.674060] device: 'i2c-4': device_add
      [   12.675861] i2c i2c-1: Added multiplexed i2c bus 4
      [   12.675941] device: 'i2c-5': device_add
      [   12.676150] bus: 'i2c': add device i2c-5
      [   12.676550] device: 'i2c-5': device_add
      [   12.678103] i2c i2c-1: Added multiplexed i2c bus 5
      [   12.678193] device: 'i2c-6': device_add
      [   12.678395] bus: 'i2c': add device i2c-6
      [   12.678774] device: 'i2c-6': device_add
      [   12.679969] i2c i2c-1: Added multiplexed i2c bus 6
      [   12.680065] device: 'i2c-7': device_add
      [   12.680275] bus: 'i2c': add device i2c-7
      [   12.680913] device: 'i2c-7': device_add
      [   12.682506] i2c i2c-1: Added multiplexed i2c bus 7
      [   12.682600] device: 'i2c-8': device_add
      [   12.682808] bus: 'i2c': add device i2c-8
      [   12.683189] device: 'i2c-8': device_add
      [   12.683907] device: 'i2c-1': device_unregister
      [   12.683945] device: 'i2c-1': device_unregister
      [   12.684387] device: 'i2c-1': device_create_release
      [   12.684536] bus: 'i2c': remove device i2c-1
      [   12.686019] i2c i2c-8: Failed to create compatibility class link
      [   12.686086] ------------[ cut here ]------------
      [   12.686087] can't create symlink to mux device
      [   12.686224] Workqueue: events deferred_probe_work_func
      [   12.686135] WARNING: CPU: 7 PID: 436 at drivers/i2c/i2c-mux.c:416 i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux]
      [   12.686232] RIP: 0010:i2c_mux_add_adapter+0x729/0x7d0 [i2c_mux]
      [   0x190/0x190 [i2c_mux]
      [   12.686300]  ? i2c_mux_alloc+0xac/0x110 [i2c_mux]
      [   12.686306]  ? i2c_mux_reg_set+0x200/0x200 [i2c_mux_reg]
      [   12.686313]  i2c_mux_reg_probe+0x22c/0x731 [i2c_mux_reg]
      [   12.686322]  ? i2c_mux_reg_deselect+0x60/0x60 [i2c_mux_reg]
      [   12.686346]  platform_drv_probe+0xa8/0x110
      [   12.686351]  really_probe+0x185/0x720
      [   12.686358]  driver_probe_device+0xdf/0x1f0
      ...
      [   12.686522] i2c i2c-1: Added multiplexed i2c bus 8
      [   12.686621] device: 'i2c-9': device_add
      [   12.686626] kobject_add_internal failed for i2c-9 (error: -2 parent: i2c-1)
      [   12.694729] i2c-core: adapter 'i2c-1-mux (chan_id 8)': can't register device (-2)
      [   12.705726] i2c i2c-1: failed to add mux-adapter 8 as bus 9 (error=-2)
      [   12.714494] device: 'i2c-8': device_unregister
      [   12.714537] device: 'i2c-8': device_unregister
      
      Fixes: 6613d18e ("platform/x86: mlx-platform: Move module from arch/x86")
      Signed-off-by: NVadim Pasternak <vadimp@mellanox.com>
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c241f3fb
    • M
      platform/x86: intel-vbtn: Report switch events when event wakes device · f8531127
      Mathew King 提交于
      [ Upstream commit cb1921b17adbe6509538098ac431033378cd7165 ]
      
      When a switch event, such as tablet mode/laptop mode or docked/undocked,
      wakes a device make sure that the value of the swich is reported.
      Without when a device is put in tablet mode from laptop mode when it is
      suspended or vice versa the device will wake up but mode will be
      incorrect.
      
      Tested by suspending a device in laptop mode and putting it in tablet
      mode, the device resumes and is in tablet mode. When suspending the
      device in tablet mode and putting it in laptop mode the device resumes
      and is in laptop mode.
      Signed-off-by: NMathew King <mathewk@chromium.org>
      Reviewed-by: NJett Rink <jettrink@chromium.org>
      Reviewed-by: NMario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f8531127
    • H
      platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi · 2ac96173
      Hans de Goede 提交于
      [ Upstream commit 401fee8195d401b2b94dee57383f627050724d5b ]
      
      Commit 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will
      handle the display off hotkey") causes the backlight to be permanently off
      on various EeePC laptop models using the eeepc-wmi driver (Asus EeePC
      1015BX, Asus EeePC 1025C).
      
      The asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL) call added
      by that commit is made conditional in this commit and only enabled in
      the quirk_entry structs in the asus-nb-wmi driver fixing the broken
      display / backlight on various EeePC laptop models.
      
      Cc: João Paulo Rechi Vita <jprvita@endlessm.com>
      Fixes: 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey")
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2ac96173
    • H
      drm: panel-orientation-quirks: Add quirk for GPD MicroPC · 027e043f
      Hans de Goede 提交于
      [ Upstream commit 652b8b086538c8a10de5aa5cbdaef79333b46358 ]
      
      GPD has done it again, make a nice device (good), use way too generic
      DMI strings (bad) and use a portrait screen rotated 90 degrees (ugly).
      
      Because of the too generic DMI strings this entry is also doing bios-date
      matching, so the gpd_micropc data struct may very well need to be updated
      with some extra bios-dates in the future.
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190524125759.14131-2-hdegoede@redhat.com
      (cherry picked from commit f2f2bb60d998abde10de7e483ef9e17639892450)
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      027e043f
    • H
      drm: panel-orientation-quirks: Add quirk for GPD pocket2 · 2446563d
      Hans de Goede 提交于
      [ Upstream commit 15abc7110a77555d3bf72aaef46d1557db0a4ac5 ]
      
      GPD has done it again, make a nice device (good), use way too generic
      DMI strings (bad) and use a portrait screen rotated 90 degrees (ugly).
      
      Because of the too generic DMI strings this entry is also doing bios-date
      matching, so the gpd_pocket2 data struct may very well need to be updated
      with some extra bios-dates in the future.
      
      Changes in v2:
      -Add one more known BIOS date to the list of BIOS dates
      
      Cc: Jurgen Kramer <gtmkramer@xs4all.nl>
      Reported-by: NJurgen Kramer <gtmkramer@xs4all.nl>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190524125759.14131-1-hdegoede@redhat.com
      (cherry picked from commit 6dab9102dd7b144e5723915438e0d6c473018cd0)
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2446563d
    • D
      scsi: hpsa: correct ioaccel2 chaining · 8be5629b
      Don Brace 提交于
      [ Upstream commit 625d7d3518875c4d303c652a198feaa13d9f52d9 ]
      
      - set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_LAST_SG for
        the last s/g element.
      
      - set ioaccel2_sg_element member 'chain_indicator' to IOACCEL2_CHAIN when
        chaining.
      Reviewed-by: NBader Ali - Saleh <bader.alisaleh@microsemi.com>
      Reviewed-by: NScott Teel <scott.teel@microsemi.com>
      Reviewed-by: NMatt Perricone <matt.perricone@microsemi.com>
      Signed-off-by: NDon Brace <don.brace@microsemi.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8be5629b
    • A
      SoC: rt274: Fix internal jack assignment in set_jack callback · c1bef204
      Amadeusz Sławiński 提交于
      [ Upstream commit 04268bf2757a125616b6c2140e6250f43b7b737a ]
      
      When we call snd_soc_component_set_jack(component, NULL, NULL) we should
      set rt274->jack to passed jack, so when interrupt is triggered it calls
      snd_soc_jack_report(rt274->jack, ...) with proper value.
      
      This fixes problem in machine where in register, we call
      snd_soc_register(component, &headset, NULL), which just calls
      rt274_mic_detect via callback.
      Now when machine driver is removed "headset" will be gone, so we
      need to tell codec driver that it's gone with:
      snd_soc_register(component, NULL, NULL), but we also need to be able
      to handle NULL jack argument here gracefully.
      If we don't set it to NULL, next time the rt274_irq runs it will call
      snd_soc_jack_report with first argument being invalid pointer and there
      will be Oops.
      Signed-off-by: NAmadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c1bef204
    • A
      ALSA: hdac: fix memory release for SST and SOF drivers · 1023af0c
      Amadeusz Sławiński 提交于
      [ Upstream commit 6d647b736a6b1cbf2f8deab0e6a94c34a6ea9d60 ]
      
      During the integration of HDaudio support, we changed the way in which
      we get hdev in snd_hdac_ext_bus_device_init() to use one preallocated
      with devm_kzalloc(), however it still left kfree(hdev) in
      snd_hdac_ext_bus_device_exit(). It leads to oopses when trying to
      rmmod and modprobe. Fix it, by just removing kfree call.
      
      SOF also uses some of the snd_hdac_ functions for HDAudio support but
      allocated the memory with kzalloc. A matching fix is provided
      separately to align all users of the snd_hdac_ library.
      
      Fixes: 6298542f ("ALSA: hdac: remove memory allocation from snd_hdac_ext_bus_device_init")
      Reviewed-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NAmadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
      Signed-off-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1023af0c
    • A
      usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC · 26a6acde
      Alexandre Belloni 提交于
      [ Upstream commit fbc318afadd6e7ae2252d6158cf7d0c5a2132f7d ]
      
      Gadget drivers may queue request in interrupt context. This would lead to
      a descriptor allocation in that context. In that case we would hit
      BUG_ON(in_interrupt()) in __get_vm_area_node.
      
      Also remove the unnecessary cast.
      Acked-by: NSylvain Lemieux <slemieux.tyco@gmail.com>
      Tested-by: NJames Grant <jamesg@zaltys.org>
      Signed-off-by: NAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      26a6acde
    • Y
      usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] · 9be058f5
      Young Xiao 提交于
      [ Upstream commit 62fd0e0a24abeebe2c19fce49dd5716d9b62042d ]
      
      There is no deallocation of fusb300->ep[i] elements, allocated at
      fusb300_probe.
      
      The patch adds deallocation of fusb300->ep array elements.
      Signed-off-by: NYoung Xiao <92siuyang@gmail.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9be058f5
    • K
      x86/CPU: Add more Icelake model numbers · 5284327f
      Kan Liang 提交于
      [ Upstream commit e35faeb64146f2015f2aec14b358ae508e4066db ]
      
      Add the CPUID model numbers of Icelake (ICL) desktop and server
      processors to the Intel family list.
      
       [ Qiuxu: Sort the macros by model number. ]
      Signed-off-by: NKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
      Cc: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
      Cc: rui.zhang@intel.com
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190603134122.13853-1-kan.liang@linux.intel.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      5284327f
    • M
      ASoC: sun4i-i2s: Add offset to RX channel select · 74929087
      Marcus Cooper 提交于
      [ Upstream commit f9927000cb35f250051f0f1878db12ee2626eea1 ]
      
      Whilst testing the capture functionality of the i2s on the newer
      SoCs it was noticed that the recording was somewhat distorted.
      This was due to the offset not being set correctly on the receiver
      side.
      Signed-off-by: NMarcus Cooper <codekipper@gmail.com>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Acked-by: NChen-Yu Tsai <wens@csie.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      74929087
    • M
      ASoC: sun4i-i2s: Fix sun8i tx channel offset mask · 32475634
      Marcus Cooper 提交于
      [ Upstream commit 7e46169a5f35762f335898a75d1b8a242f2ae0f5 ]
      
      Although not causing any noticeable issues, the mask for the
      channel offset is covering too many bits.
      Signed-off-by: NMarcus Cooper <codekipper@gmail.com>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Acked-by: NChen-Yu Tsai <wens@csie.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      32475634
    • Y
      ASoC: max98090: remove 24-bit format support if RJ is 0 · 7b748639
      Yu-Hsuan Hsu 提交于
      [ Upstream commit 5628c8979642a076f91ee86c3bae5ad251639af0 ]
      
      The supported formats are S16_LE and S24_LE now. However, by datasheet
      of max98090, S24_LE is only supported when it is in the right justified
      mode. We should remove 24-bit format if it is not in that mode to avoid
      triggering error.
      Signed-off-by: NYu-Hsuan Hsu <yuhsuan@chromium.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7b748639
    • H
      drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable() · 3b60f98e
      Hsin-Yi Wang 提交于
      [ Upstream commit 2458d9d6d94be982b917e93c61a89b4426f32e31 ]
      
      mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(), which
      needs ovl irq for drm_crtc_wait_one_vblank(), since after mtk_dsi_stop() is
      called, ovl irq will be disabled. If drm_crtc_wait_one_vblank() is called
      after last irq, it will timeout with this message: "vblank wait timed out
      on crtc 0". This happens sometimes when turning off the screen.
      
      In drm_atomic_helper.c#disable_outputs(),
      the calling sequence when turning off the screen is:
      
      1. mtk_dsi_encoder_disable()
           --> mtk_output_dsi_disable()
             --> mtk_dsi_stop();  /* sometimes make vblank timeout in
                                     atomic_disable */
             --> mtk_dsi_poweroff();
      2. mtk_drm_crtc_atomic_disable()
           --> drm_crtc_wait_one_vblank();
           ...
             --> mtk_dsi_ddp_stop()
               --> mtk_dsi_poweroff();
      
      mtk_dsi_poweroff() has reference count design, change to make
      mtk_dsi_stop() called in mtk_dsi_poweroff() when refcount is 0.
      
      Fixes: 0707632b ("drm/mediatek: update DSI sub driver flow for sending commands to panel")
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3b60f98e
    • H
      drm/mediatek: clear num_pipes when unbind driver · 34e5e1c4
      Hsin-Yi Wang 提交于
      [ Upstream commit a4cd1d2b016d5d043ab2c4b9c4ec50a5805f5396 ]
      
      num_pipes is used for mutex created in mtk_drm_crtc_create(). If we
      don't clear num_pipes count, when rebinding driver, the count will
      be accumulated. From mtk_disp_mutex_get(), there can only be at most
      10 mutex id. Clear this number so it starts from 0 in every rebind.
      
      Fixes: 119f5173 ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      34e5e1c4
    • H
      drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver · a8a86e9a
      Hsin-Yi Wang 提交于
      [ Upstream commit cf49b24ffa62766f8f04cd1c4cf17b75d29b240a ]
      
      shutdown all CRTC when unbinding drm driver.
      
      Fixes: 119f5173 ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a8a86e9a
    • H
      drm/mediatek: unbind components in mtk_drm_unbind() · 79e095d2
      Hsin-Yi Wang 提交于
      [ Upstream commit f0fd848342802bc0f74620d387eead53e8905804 ]
      
      Unbinding components (i.e. mtk_dsi and mtk_disp_ovl/rdma/color) will
      trigger master(mtk_drm)'s .unbind(), and currently mtk_drm's unbind
      won't actually unbind components. During the next bind,
      mtk_drm_kms_init() is called, and the components are added back.
      
      .unbind() should call mtk_drm_kms_deinit() to unbind components.
      
      And since component_master_del() in .remove() will trigger .unbind(),
      which will also unregister device, it's fine to remove original functions
      called here.
      
      Fixes: 119f5173 ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      79e095d2
    • H
      drm/mediatek: fix unbind functions · 319f4699
      Hsin-Yi Wang 提交于
      [ Upstream commit 8fd7a37b191f93737f6280a9b5de65f98acc12c9 ]
      
      detatch panel in mtk_dsi_destroy_conn_enc(), since .bind will try to
      attach it again.
      
      Fixes: 2e54c14e ("drm/mediatek: Add DSI sub driver")
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      319f4699