1. 03 4月, 2019 40 次提交
    • N
      iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging · c9874d39
      Nicolas Boichat 提交于
      commit 0a352554da69b02f75ca3389c885c741f1f63235 upstream.
      
      IOMMUs using ARMv7 short-descriptor format require page tables (level 1
      and 2) to be allocated within the first 4GB of RAM, even on 64-bit
      systems.
      
      For level 1/2 pages, ensure GFP_DMA32 is used if CONFIG_ZONE_DMA32 is
      defined (e.g.  on arm64 platforms).
      
      For level 2 pages, allocate a slab cache in SLAB_CACHE_DMA32.  Note that
      we do not explicitly pass GFP_DMA[32] to kmem_cache_zalloc, as this is
      not strictly necessary, and would cause a warning in mm/sl*b.c, as we
      did not update GFP_SLAB_BUG_MASK.
      
      Also, print an error when the physical address does not fit in
      32-bit, to make debugging easier in the future.
      
      Link: http://lkml.kernel.org/r/20181210011504.122604-3-drinkcat@chromium.org
      Fixes: ad67f5a6 ("arm64: replace ZONE_DMA with ZONE_DMA32")
      Signed-off-by: NNicolas Boichat <drinkcat@chromium.org>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Hsin-Yi Wang <hsinyi@chromium.org>
      Cc: Huaisheng Ye <yehs1@lenovo.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Sasha Levin <Alexander.Levin@microsoft.com>
      Cc: Tomasz Figa <tfiga@google.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
      Cc: Yong Wu <yong.wu@mediatek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c9874d39
    • N
      mm: add support for kmem caches in DMA32 zone · 62d342d6
      Nicolas Boichat 提交于
      commit 6d6ea1e967a246f12cfe2f5fb743b70b2e608d4a upstream.
      
      Patch series "iommu/io-pgtable-arm-v7s: Use DMA32 zone for page tables",
      v6.
      
      This is a followup to the discussion in [1], [2].
      
      IOMMUs using ARMv7 short-descriptor format require page tables (level 1
      and 2) to be allocated within the first 4GB of RAM, even on 64-bit
      systems.
      
      For L1 tables that are bigger than a page, we can just use
      __get_free_pages with GFP_DMA32 (on arm64 systems only, arm would still
      use GFP_DMA).
      
      For L2 tables that only take 1KB, it would be a waste to allocate a full
      page, so we considered 3 approaches:
       1. This series, adding support for GFP_DMA32 slab caches.
       2. genalloc, which requires pre-allocating the maximum number of L2 page
          tables (4096, so 4MB of memory).
       3. page_frag, which is not very memory-efficient as it is unable to reuse
          freed fragments until the whole page is freed. [3]
      
      This series is the most memory-efficient approach.
      
      stable@ note:
        We confirmed that this is a regression, and IOMMU errors happen on 4.19
        and linux-next/master on MT8173 (elm, Acer Chromebook R13). The issue
        most likely starts from commit ad67f5a6 ("arm64: replace ZONE_DMA
        with ZONE_DMA32"), i.e. 4.15, and presumably breaks a number of Mediatek
        platforms (and maybe others?).
      
      [1] https://lists.linuxfoundation.org/pipermail/iommu/2018-November/030876.html
      [2] https://lists.linuxfoundation.org/pipermail/iommu/2018-December/031696.html
      [3] https://patchwork.codeaurora.org/patch/671639/
      
      This patch (of 3):
      
      IOMMUs using ARMv7 short-descriptor format require page tables to be
      allocated within the first 4GB of RAM, even on 64-bit systems.  On arm64,
      this is done by passing GFP_DMA32 flag to memory allocation functions.
      
      For IOMMU L2 tables that only take 1KB, it would be a waste to allocate
      a full page using get_free_pages, so we considered 3 approaches:
       1. This patch, adding support for GFP_DMA32 slab caches.
       2. genalloc, which requires pre-allocating the maximum number of L2
          page tables (4096, so 4MB of memory).
       3. page_frag, which is not very memory-efficient as it is unable
          to reuse freed fragments until the whole page is freed.
      
      This change makes it possible to create a custom cache in DMA32 zone using
      kmem_cache_create, then allocate memory using kmem_cache_alloc.
      
      We do not create a DMA32 kmalloc cache array, as there are currently no
      users of kmalloc(..., GFP_DMA32).  These calls will continue to trigger a
      warning, as we keep GFP_DMA32 in GFP_SLAB_BUG_MASK.
      
      This implies that calls to kmem_cache_*alloc on a SLAB_CACHE_DMA32
      kmem_cache must _not_ use GFP_DMA32 (it is anyway redundant and
      unnecessary).
      
      Link: http://lkml.kernel.org/r/20181210011504.122604-2-drinkcat@chromium.orgSigned-off-by: NNicolas Boichat <drinkcat@chromium.org>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Sasha Levin <Alexander.Levin@microsoft.com>
      Cc: Huaisheng Ye <yehs1@lenovo.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Yong Wu <yong.wu@mediatek.com>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: Tomasz Figa <tfiga@google.com>
      Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Hsin-Yi Wang <hsinyi@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62d342d6
    • R
      usb: cdc-acm: fix race during wakeup blocking TX traffic · 2392ffab
      Romain Izard 提交于
      commit 93e1c8a638308980309e009cc40b5a57ef87caf1 upstream.
      
      When the kernel is compiled with preemption enabled, the URB completion
      handler can run in parallel with the work responsible for waking up the
      tty layer. If the URB handler sets the EVENT_TTY_WAKEUP bit during the
      call to tty_port_tty_wakeup() to signal that there is room for additional
      input, it will be cleared at the end of this call. As a result, TX traffic
      on the upper layer will be blocked.
      
      This can be seen with a kernel configured with CONFIG_PREEMPT, and a fast
      modem connected with PPP running over a USB CDC-ACM port.
      
      Use test_and_clear_bit() instead, which ensures that each wakeup requested
      by the URB completion code will trigger a call to tty_port_tty_wakeup().
      
      Fixes: 1aba579f cdc-acm: handle read pipe errors
      Signed-off-by: NRomain Izard <romain.izard.pro@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: NOliver Neukum <oneukum@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2392ffab
    • M
      xhci: Don't let USB3 ports stuck in polling state prevent suspend · 82a5090a
      Mathias Nyman 提交于
      commit d92f2c59cc2cbca6bfb2cc54882b58ba76b15fd4 upstream.
      
      Commit 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect
      change or polling state is detected") was intended to prevent ports that
      were still link training from being forced to U3 suspend state mid
      enumeration.
      This solved enumeration issues for devices with slow link training.
      
      Turns out some devices are stuck in the link training/polling state,
      and thus that patch will prevent suspend completely for these devices.
      This is seen with USB3 card readers in some MacBooks.
      
      Instead of preventing suspend, give some time to complete the link
      training. On successful training the port will end up as connected
      and enabled.
      If port instead is stuck in link training the bus suspend will continue
      suspending after 360ms (10 * 36ms) timeout (tPollingLFPSTimeout).
      
      Original patch was sent to stable, this one should go there as well
      
      Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected")
      Cc: stable@vger.kernel.org
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82a5090a
    • M
      usb: xhci: dbc: Don't free all memory with spinlock held · 20a09a2e
      Mathias Nyman 提交于
      commit 8867ea262196a6945c24a0fb739575af646ec0e9 upstream.
      
      The xhci debug capability (DbC) feature did its memory cleanup with
      spinlock held. dma_free_coherent() warns if called with interrupts
      disabled
      
      move the memory cleanup outside the spinlock
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20a09a2e
    • M
      xhci: Fix port resume done detection for SS ports with LPM enabled · c81b8722
      Mathias Nyman 提交于
      commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream.
      
      A suspended SS port in U3 link state will go to U0 when resumed, but
      can almost immediately after that enter U1 or U2 link power save
      states before host controller driver reads the port status.
      
      Host controller driver only checks for U0 state, and might miss
      the finished resume, leaving flags unclear and skip notifying usb
      code of the wake.
      
      Add U1 and U2 to the possible link states when checking for finished
      port resume.
      
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c81b8722
    • Y
      usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk · 093ccda1
      Yasushi Asano 提交于
      commit 40fc165304f0faaae78b761f8ee30b5d216b1850 upstream.
      
      When plugging BUFFALO LUA4-U3-AGT USB3.0 to Gigabit Ethernet LAN
      Adapter, warning messages filled up dmesg.
      
      [  101.098287] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?
      [  101.117463] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?
      [  101.136513] xhci-hcd ee000000.usb: WARN Successful completion on short TX for slot 1 ep 4: needs XHCI_TRUST_TX_LENGTH quirk?
      
      Adding the XHCI_TRUST_TX_LENGTH quirk resolves the issue.
      Signed-off-by: NYasushi Asano <yasano@jp.adit-jv.com>
      Signed-off-by: NSpyridon Papageorgiou <spapageorgiou@de.adit-jv.com>
      Acked-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      093ccda1
    • F
      usb: common: Consider only available nodes for dr_mode · 015e5c17
      Fabrizio Castro 提交于
      commit 238e0268c82789e4c107a37045d529a6dbce51a9 upstream.
      
      There are cases where multiple device tree nodes point to the
      same phy node by means of the "phys" property, but we should
      only consider those nodes that are marked as available rather
      than just any node.
      
      Fixes: 98bfb394 ("usb: of: add an api to get dr_mode by the phy node")
      Cc: stable@vger.kernel.org # v4.4+
      Signed-off-by: NFabrizio Castro <fabrizio.castro@bp.renesas.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      015e5c17
    • R
      USB: gadget: f_hid: fix deadlock in f_hidg_write() · ef4df134
      Radoslav Gerganov 提交于
      commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.
      
      In f_hidg_write() the write_spinlock is acquired before calling
      usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
      This is because dummy_queue() callbacks into f_hidg_req_complete() which
      tries to acquire the same spinlock. This is (part of) the backtrace when
      the deadlock occurs:
      
        0xffffffffc06b1410 in f_hidg_req_complete
        0xffffffffc06a590a in usb_gadget_giveback_request
        0xffffffffc06cfff2 in dummy_queue
        0xffffffffc06a4b96 in usb_ep_queue
        0xffffffffc06b1eb6 in f_hidg_write
        0xffffffff8127730b in __vfs_write
        0xffffffff812774d1 in vfs_write
        0xffffffff81277725 in SYSC_write
      
      Fix this by releasing the write_spinlock before calling usb_ep_queue()
      Reviewed-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      Tested-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: stable@vger.kernel.org # 4.11+
      Fixes: 749494b6 ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
      Signed-off-by: NRadoslav Gerganov <rgerganov@vmware.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef4df134
    • A
      usb: mtu3: fix EXTCON dependency · 614ac345
      Arnd Bergmann 提交于
      commit 3d54d10c6afed34fd45b852bf76f55e8da31d8ef upstream.
      
      When EXTCON is a loadable module, mtu3 fails to link as built-in:
      
      drivers/usb/mtu3/mtu3_plat.o: In function `mtu3_probe':
      mtu3_plat.c:(.text+0x690): undefined reference to `extcon_get_edev_by_phandle'
      
      Add a Kconfig dependency to force mtu3 also to be a loadable module
      if extconn is, but still allow it to be built without extcon.
      
      Fixes: d0ed062a ("usb: mtu3: dual-role mode support")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      614ac345
    • C
      phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs · 66e44981
      Chen-Yu Tsai 提交于
      commit 1396929e8a903db80425343cacca766a18ad6409 upstream.
      
      While only the first PHY supports mode switching, the remaining PHYs
      work in USB host mode. They should support set_mode with mode=USB_HOST
      instead of failing. This is especially needed now that the USB core does
      set_mode for all USB ports, which was added in commit b97a31348379 ("usb:
      core: comply to PHY framework").
      
      Make set_mode with mode=USB_HOST a no-op instead of failing for the
      non-OTG USB PHYs.
      
      Fixes: 6ba43c29 ("phy-sun4i-usb: Add support for phy_set_mode")
      Signed-off-by: NChen-Yu Tsai <wens@csie.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66e44981
    • A
      gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input · 6ebe0373
      Axel Lin 提交于
      commit c5bc6e526d3f217ed2cc3681d256dc4a2af4cc2b upstream.
      
      Current code test wrong value so it does not verify if the written
      data is correctly read back. Fix it.
      Also make it return -EPERM if read value does not match written bit,
      just like it done for adnp_gpio_direction_output().
      
      Fixes: 5e969a40 ("gpio: Add Avionic Design N-bit GPIO expander support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAxel Lin <axel.lin@ingics.com>
      Reviewed-by: NThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ebe0373
    • K
      gpio: exar: add a check for the return value of ida_simple_get fails · b26f7e86
      Kangjie Lu 提交于
      commit 7ecced0934e574b528a1ba6c237731e682216a74 upstream.
      
      ida_simple_get may fail and return a negative error number.
      The fix checks its return value; if it fails, go to err_destroy.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Signed-off-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b26f7e86
    • Z
      drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check · df74e70f
      Zhenyu Wang 提交于
      commit 13bcb80b7ee79431fce361e060611134cb19e209 upstream.
      
      When MI_FLUSH_DW post write hw status page in index mode, the index
      value is in dword step and turned into address offset in cmd dword1.
      As status page size is 4K, so can't exceed that.
      
      This fixed upper bound check in cmd parser code which incorrectly
      stopped VM for reason of invalid MI_FLUSH_DW write index.
      
      v2:
      - Fix upper bound as 4K page size because index value is address offset.
      
      Fixes: be1da707 ("drm/i915/gvt: vGPU command scanner")
      Cc: stable@vger.kernel.org # v4.10+
      Cc: "Zhao, Yan Y" <yan.y.zhao@intel.com>
      Reviewed-by: NYan Zhao <yan.y.zhao@intel.com>
      Signed-off-by: NZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df74e70f
    • E
      drm/vkms: fix use-after-free when drm_gem_handle_create() fails · 75f9e994
      Eric Biggers 提交于
      commit 36b6c9ed45afe89045973e8dee1b004dd5372d40 upstream.
      
      If drm_gem_handle_create() fails in vkms_gem_create(), then the
      vkms_gem_object is freed twice: once when the reference is dropped by
      drm_gem_object_put_unlocked(), and again by the extra calls to
      drm_gem_object_release() and kfree().
      
      Fix it by skipping the second release and free.
      
      This bug was originally found in the vgem driver by syzkaller using
      fault injection, but I noticed it's also present in the vkms driver.
      
      Fixes: 559e50fd ("drm/vkms: Add dumb operations")
      Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
      Cc: Haneen Mohammed <hamohammed.sa@gmail.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NRodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
      Signed-off-by: NRodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190226220858.214438-1-ebiggers@kernel.orgSigned-off-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75f9e994
    • E
      drm/vgem: fix use-after-free when drm_gem_handle_create() fails · eb1e5525
      Eric Biggers 提交于
      commit 21d2b122732318b48c10b7262e15595ce54511d3 upstream.
      
      If drm_gem_handle_create() fails in vgem_gem_create(), then the
      drm_vgem_gem_object is freed twice: once when the reference is dropped
      by drm_gem_object_put_unlocked(), and again by __vgem_gem_destroy().
      
      This was hit by syzkaller using fault injection.
      
      Fix it by skipping the second free.
      
      Reported-by: syzbot+e73f2fb5ed5a5df36d33@syzkaller.appspotmail.com
      Fixes: af33a919 ("drm/vgem: Enable dmabuf import interfaces")
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Acked-by: NLaura Abbott <labbott@redhat.com>
      Signed-off-by: NRodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190226214451.195123-1-ebiggers@kernel.orgSigned-off-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb1e5525
    • Y
      fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links · 07d0d2bd
      YueHaibing 提交于
      commit 23da9588037ecdd4901db76a5b79a42b529c4ec3 upstream.
      
      Syzkaller reports:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
      Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
      RSP: 0018:ffff8881d828f238 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
      RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
      RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
      R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
      R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
      FS:  00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
       get_subdir fs/proc/proc_sysctl.c:1022 [inline]
       __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
       br_netfilter_init+0xbc/0x1000 [br_netfilter]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
       iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      ---[ end trace 770020de38961fd0 ]---
      
      A new dir entry can be created in get_subdir and its 'header->parent' is
      set to NULL.  Only after insert_header success, it will be set to 'dir',
      otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
      However in err handling path of get_subdir, drop_sysctl_table also be
      called on 'new->header' regardless its value of parent pointer.  Then
      put_links is called, which triggers NULL-ptr deref when access member of
      header->parent.
      
      In fact we have multiple error paths which call drop_sysctl_table() there,
      upon failure on insert_links() we also call drop_sysctl_table().And even
      in the successful case on __register_sysctl_table() we still always call
      drop_sysctl_table().This patch fix it.
      
      Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
      Fixes: 0e47c99d ("sysctl: Replace root_list with links between sysctl_table_sets")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Acked-by: NLuis Chamberlain <mcgrof@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>    [3.4+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07d0d2bd
    • W
      Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc · c956914f
      Wentao Wang 提交于
      commit 3ec8002951ea173e24b466df1ea98c56b7920e63 upstream.
      
      Echo "" to /sys/module/kgdboc/parameters/kgdboc will fail with "No such
      device” error.
      
      This is caused by function "configure_kgdboc" who init err to ENODEV
      when the config is empty (legal input) the code go out with ENODEV
      returned.
      
      Fixes: 2dd453168643 ("kgdboc: Fix restrict error")
      Signed-off-by: NWentao Wang <witallwang@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: NDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c956914f
    • B
      USB: serial: option: add Olicard 600 · 1c992ea0
      Bjørn Mork 提交于
      commit 84f3b43f7378b98b7e3096d5499de75183d4347c upstream.
      
      This is a Qualcomm based device with a QMI function on interface 4.
      It is mode switched from 2020:2030 using a standard eject message.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2031 Rev= 2.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
      E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NBjørn Mork <bjorn@mork.no>
      [ johan: use tabs to align comments in adjacent lines ]
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c992ea0
    • K
      USB: serial: option: add support for Quectel EM12 · 19151c64
      Kristian Evensen 提交于
      commit d1252f0237238b912c3e7a51bf237acf34c97983 upstream.
      
      The Quectel EM12 is a Cat. 12 LTE modem. It behaves in the exactly the
      same way as the EP06 (including the dynamic configuration behavior), so
      the same checks on reserved interfaces, etc. are needed.
      Signed-off-by: NKristian Evensen <kristian.evensen@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19151c64
    • M
      USB: serial: option: set driver_info for SIM5218 and compatibles · 002795b0
      Mans Rullgard 提交于
      commit f8df5c2c3e2df5ffaf9fb5503da93d477a8c7db4 upstream.
      
      The SIMCom SIM5218 and compatible devices have 5 USB interfaces, only 4
      of which are serial ports.  The fifth is a network interface supported
      by the qmi-wwan driver.  Furthermore, the serial ports do not support
      modem control signals.  Add driver_info flags to reflect this.
      Signed-off-by: NMans Rullgard <mans@mansr.com>
      Fixes: ec0cd94d ("usb: option: add SIMCom SIM5218")
      Cc: stable <stable@vger.kernel.org>	# 3.2
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      002795b0
    • L
      USB: serial: mos7720: fix mos_parport refcount imbalance on error path · d7dfccfd
      Lin Yi 提交于
      commit 2908b076f5198d231de62713cb2b633a3a4b95ac upstream.
      
      The write_parport_reg_nonblock() helper takes a reference to the struct
      mos_parport, but failed to release it in a couple of error paths after
      allocation failures, leading to a memory leak.
      
      Johan said that move the kref_get() and mos_parport assignment to the
      end of urbtrack initialisation is a better way, so move it. and
      mos_parport do not used until urbtrack initialisation.
      Signed-off-by: NLin Yi <teroincn@163.com>
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>     # 2.6.35
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7dfccfd
    • G
      USB: serial: ftdi_sio: add additional NovaTech products · 1f46db3c
      George McCollister 提交于
      commit 422c2537ba9d42320f8ab6573940269f87095320 upstream.
      
      Add PIDs for the NovaTech OrionLX+ and Orion I/O so they can be
      automatically detected.
      Signed-off-by: NGeorge McCollister <george.mccollister@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f46db3c
    • G
      USB: serial: cp210x: add new device id · 2a630035
      Greg Kroah-Hartman 提交于
      commit a595ecdd5f60b2d93863cebb07eec7f935839b54 upstream.
      
      Lorenz Messtechnik has a device that is controlled by the cp210x driver,
      so add the device id to the driver.  The device id was provided by
      Silicon-Labs for the devices from this vendor.
      Reported-by: NUli <t9cpu@web.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a630035
    • H
      serial: sh-sci: Fix setting SCSCR_TIE while transferring data · 59203f07
      Hoan Nguyen An 提交于
      commit 93bcefd4c6bad4c69dbc4edcd3fbf774b24d930d upstream.
      
      We disable transmission interrupt (clear SCSCR_TIE) after all data has been transmitted
      (if uart_circ_empty(xmit)). While transmitting, if the data is still in the tty buffer,
      re-enable the SCSCR_TIE bit, which was done at sci_start_tx().
      This is unnecessary processing, wasting CPU operation if the data transmission length is large.
      And further, transmit end, FIFO empty bits disabling have also been performed in the step above.
      Signed-off-by: NHoan Nguyen An <na-hoan@jinso.co.jp>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59203f07
    • A
      serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference · b1e660c6
      Aditya Pakki 提交于
      commit 32f47179833b63de72427131169809065db6745e upstream.
      
      of_match_device on failure to find a matching device can return a NULL
      pointer. The patch checks for such a scenrio and passes the error upstream.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1e660c6
    • A
      serial: max310x: Fix to avoid potential NULL pointer dereference · f34ec64b
      Aditya Pakki 提交于
      commit 3a10e3dd52e80b9a97a3346020024d17b2c272d6 upstream.
      
      of_match_device can return a NULL pointer when matching device is not
      found. This patch avoids a scenario causing NULL pointer derefernce.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f34ec64b
    • C
      staging: erofs: fix to handle error path of erofs_vmap() · a090ed15
      Chao Yu 提交于
      commit 8bce6dcede65139a087ff240127e3f3c01363eed upstream.
      
      erofs_vmap() wrapped vmap() and vm_map_ram() to return virtual
      continuous memory, but both of them can failed due to a lot of
      reason, previously, erofs_vmap()'s callers didn't handle them,
      which can potentially cause NULL pointer access, fix it.
      
      Fixes: 3883a79a ("staging: erofs: introduce VLE decompression support")
      Fixes: 0d40d6e3 ("staging: erofs: add a generic z_erofs VLE decompressor")
      Cc: <stable@vger.kernel.org> # 4.19+
      Signed-off-by: NGao Xiang <gaoxiang25@huawei.com>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a090ed15
    • M
      staging: vt6655: Fix interrupt race condition on device start up. · 3b6b7664
      Malcolm Priestley 提交于
      commit 3b9c2f2e0e99bb67c96abcb659b3465efe3bee1f upstream.
      
      It appears on some slower systems that the driver can find its way
      out of the workqueue while the interrupt is disabled by continuous polling
      by it.
      
      Move MACvIntEnable to vnt_interrupt_work so that it is always enabled
      on all routes out of vnt_interrupt_process.
      
      Move MACvIntDisable so that the device doesn't keep polling the system
      while the workqueue is being processed.
      Signed-off-by: NMalcolm Priestley <tvboxspy@gmail.com>
      CC: stable@vger.kernel.org # v4.2+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b6b7664
    • M
      staging: vt6655: Remove vif check from vnt_interrupt · b9ddff2a
      Malcolm Priestley 提交于
      commit cc26358f89c3e493b54766b1ca56cfc6b14db78a upstream.
      
      A check for vif is made in vnt_interrupt_work.
      
      There is a small chance of leaving interrupt disabled while vif
      is NULL and the work hasn't been scheduled.
      Signed-off-by: NMalcolm Priestley <tvboxspy@gmail.com>
      CC: stable@vger.kernel.org # v4.2+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9ddff2a
    • S
      staging: speakup_soft: Fix alternate speech with other synths · 86092f2d
      Samuel Thibault 提交于
      commit 45ac7b31bc6c4af885cc5b5d6c534c15bcbe7643 upstream.
      
      When switching from speakup_soft to another synth, speakup_soft would
      keep calling synth_buffer_getc() from softsynthx_read.
      
      Let's thus make synth.c export the knowledge of the current synth, so
      that speakup_soft can determine whether it should be running.
      
      speakup_soft also needs to set itself alive, otherwise the switch would
      let it remain silent.
      Signed-off-by: NSamuel Thibault <samuel.thibault@ens-lyon.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86092f2d
    • I
      staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest · d0360bf4
      Ian Abbott 提交于
      commit bafd9c64056cd034a1174dcadb65cd3b294ff8f6 upstream.
      
      `ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
      subdevice (subdevice 2) of supported National Instruments M-series
      cards.  It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
      ioctls for this subdevice.  There are two causes for a possible
      divide-by-zero error when validating that the `stop_arg` member of the
      passed-in command is not too large.
      
      The first cause for the divide-by-zero is that calls to
      `comedi_bytes_per_scan()` are only valid once the command has been
      copied to `s->async->cmd`, but that copy is only done for the
      `COMEDI_CMD` ioctl.  For the `COMEDI_CMDTEST` ioctl, it will use
      whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
      (This is very likely, as it is usual for the application to use
      `COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
      valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
      will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
      `s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
      divide-by-zero error.  To fix this error, call a new function
      `comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
      `comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
      its calculations.  (Also refactor `comedi_bytes_per_scan()` to call the
      new function.)
      
      Once the first cause for the divide-by-zero has been fixed, the second
      cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
      the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
      Fix it by only performing the division (and validating that `stop_arg`
      is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
      returns a non-zero value.
      
      The problem was reported on the COMEDI mailing list here:
      https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKMReported-by: NIvan Vasilyev <grabesstimme@gmail.com>
      Tested-by: NIvan Vasilyev <grabesstimme@gmail.com>
      Fixes: f164cbf9 ("staging: comedi: ni_mio_common: add finite regeneration to dio output")
      Cc: <stable@vger.kernel.org> # 4.6+
      Cc: Spencer E. Olson <olsonse@umich.edu>
      Signed-off-by: NIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0360bf4
    • N
      tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup · 668ba38d
      Nathan Chancellor 提交于
      commit c5cbc78acf693f5605d4a85b1327fa7933daf092 upstream.
      
      When building with -Wsometimes-uninitialized, Clang warns:
      
      drivers/tty/serial/qcom_geni_serial.c:1079:6: warning: variable 'baud'
      is used uninitialized whenever 'if' condition is false
      [-Wsometimes-uninitialized]
      
      It's not wrong; when options is NULL, baud has no default value. Use
      9600 as that is a sane default.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/395Suggested-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      668ba38d
    • K
      tty: atmel_serial: fix a potential NULL pointer dereference · b9bbd1ed
      Kangjie Lu 提交于
      commit c85be041065c0be8bc48eda4c45e0319caf1d0e5 upstream.
      
      In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
      error code to avoid NULL pointer dereference.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Fixes: 34df42f5 ("serial: at91: add rx dma support")
      Acked-by: NRichard Genoud <richard.genoud@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9bbd1ed
    • K
      tty: mxs-auart: fix a potential NULL pointer dereference · 124e4206
      Kangjie Lu 提交于
      commit 6734330654dac550f12e932996b868c6d0dcb421 upstream.
      
      In case ioremap fails, the fix returns -ENOMEM to avoid NULL
      pointer dereferences.
      Multiple places use port.membase.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      124e4206
    • J
      drm/rockchip: vop: reset scale mode when win is disabled · 7fb7414d
      Jonas Karlman 提交于
      commit e9abc611a941d4051cde1d94b2ab7473fdb50102 upstream.
      
      NV12 framebuffers produced by the VPU shows distorted on RK3288
      after win has been disabled when scaling is active.
      
      This issue can be reproduced using a 1080p modeset by:
      - Scale a 1280x720 NV12 framebuffer to 1920x1080 on win0
      - Disable win0
      - Display a 1920x1080 NV12 framebuffer without scaling on win0
      - Output will now show the framebuffer distorted
      
      And by:
      - Scale a 1280x720 NV12 framebuffer to 1920x1080
      - Change to a 720p modeset (win gets disabled and scaling reset to none)
      - Output will now show the framebuffer distorted
      
      Fix this by setting scale mode to none when win is disabled.
      
      Fixes: 4c156c21 ("drm/rockchip: vop: support plane scale")
      Cc: stable@vger.kernel.org
      Signed-off-by: NJonas Karlman <jonas@kwiboo.se>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966DE3E19BACE07328CD637AC7D0@AM3PR03MB0966.eurprd03.prod.outlook.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fb7414d
    • S
      scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices · a93cd913
      Steffen Maier 提交于
      commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream.
      
      Suppose more than one non-NPIV FCP device is active on the same channel.
      Send I/O to storage and have some of the pending I/O run into a SCSI
      command timeout, e.g. due to bit errors on the fibre. Now the error
      situation stops. However, we saw FCP requests continue to timeout in the
      channel. The abort will be successful, but the subsequent TUR fails.
      Scsi_eh starts. The LUN reset fails. The target reset fails.  The host
      reset only did an FCP device recovery. However, for non-NPIV FCP devices,
      this does not close and reopen ports on the SAN-side if other non-NPIV FCP
      device(s) share the same open ports.
      
      In order to resolve the continuing FCP request timeouts, we need to
      explicitly close and reopen ports on the SAN-side.
      
      This was missing since the beginning of zfcp in v2.6.0 history commit
      ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.").
      
      Note: The FSF requests for forced port reopen could run into FSF request
      timeouts due to other reasons. This would trigger an internal FCP device
      recovery. Pending forced port reopen recoveries would get dismissed. So
      some ports might not get fully reopened during this host reset handler.
      However, subsequent I/O would trigger the above described escalation and
      eventually all ports would be forced reopen to resolve any continuing FCP
      request timeouts due to earlier bit errors.
      Signed-off-by: NSteffen Maier <maier@linux.ibm.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: <stable@vger.kernel.org> #3.0+
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Reviewed-by: NBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a93cd913
    • S
      scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host · 983a543d
      Steffen Maier 提交于
      commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream.
      
      An already deleted SCSI device can exist on the Scsi_Host and remain there
      because something still holds a reference.  A new SCSI device with the same
      H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created.  When
      we try to unblock an rport, we still find the deleted SCSI device and
      return early because the zfcp_scsi_dev of that SCSI device is not
      ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if
      the new proper SCSI device would be in good state.
      
      Therefore, skip deleted SCSI devices when iterating the sdevs of the shost.
      [cf. __scsi_device_lookup{_by_target}() or scsi_device_get()]
      
      The following abbreviated trace sequence can indicate such problem:
      
      Area           : REC
      Tag            : ersfs_3
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x40000000     not ZFCP_STATUS_COMMON_UNBLOCKED
      Ready count    : n		not incremented yet
      Running count  : 0x00000000
      ERP want       : 0x01
      ERP need       : 0xc1		ZFCP_ERP_ACTION_NONE
      
      Area           : REC
      Tag            : ersfs_3
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x41000000
      Ready count    : n+1
      Running count  : 0x00000000
      ERP want       : 0x01
      ERP need       : 0x01
      
      ...
      
      Area           : REC
      Level          : 4		only with increased trace level
      Tag            : ertru_l
      LUN            : 0x4045400300000000
      WWPN           : 0x50050763031bd327
      LUN status     : 0x40000000
      Request ID     : 0x0000000000000000
      ERP status     : 0x01800000
      ERP step       : 0x1000
      ERP action     : 0x01
      ERP count      : 0x00
      
      NOT followed by a trace record with tag "scpaddy"
      for WWPN 0x50050763031bd327.
      Signed-off-by: NSteffen Maier <maier@linux.ibm.com>
      Fixes: 6f2ce1c6 ("scsi: zfcp: fix rport unblock race with LUN recovery")
      Cc: <stable@vger.kernel.org> #2.6.32+
      Reviewed-by: NJens Remus <jremus@linux.ibm.com>
      Reviewed-by: NBenjamin Block <bblock@linux.ibm.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      983a543d
    • M
      scsi: sd: Quiesce warning if device does not report optimal I/O size · a52eb223
      Martin K. Petersen 提交于
      commit 1d5de5bd311be7cd54f02f7cd164f0349a75c876 upstream.
      
      Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple
      of physical block size") split one conditional into several separate
      statements in an effort to provide more accurate warning messages when
      a device reports a nonsensical value. However, this reorganization
      accidentally dropped the precondition of the reported value being
      larger than zero. This lead to a warning getting emitted on devices
      that do not report an optimal I/O size at all.
      
      Remain silent if a device does not report an optimal I/O size.
      
      Fixes: a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of physical block size")
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: <stable@vger.kernel.org>
      Reported-by: NHussam Al-Tayeb <ht990332@gmx.com>
      Tested-by: NHussam Al-Tayeb <ht990332@gmx.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a52eb223
    • B
      scsi: sd: Fix a race between closing an sd device and sd I/O · d7265877
      Bart Van Assche 提交于
      commit c14a57264399efd39514a2329c591a4b954246d8 upstream.
      
      The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and
      hence needs the disk->private_data pointer. Avoid that that pointer is
      cleared before all affected I/O requests have finished. This patch avoids
      that the following crash occurs:
      
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
      Call trace:
       scsi_mq_uninit_cmd+0x1c/0x30
       scsi_end_request+0x7c/0x1b8
       scsi_io_completion+0x464/0x668
       scsi_finish_command+0xbc/0x160
       scsi_eh_flush_done_q+0x10c/0x170
       sas_scsi_recover_host+0x84c/0xa98 [libsas]
       scsi_error_handler+0x140/0x5b0
       kthread+0x100/0x12c
       ret_from_fork+0x10/0x18
      
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: Jason Yan <yanaijie@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NBart Van Assche <bvanassche@acm.org>
      Reported-by: NJason Yan <yanaijie@huawei.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7265877