1. 25 6月, 2019 5 次提交
  2. 22 6月, 2019 35 次提交
    • G
      Linux 4.19.55 · 78778071
      Greg Kroah-Hartman 提交于
      78778071
    • E
      tcp: refine memory limit test in tcp_fragment() · dad3a931
      Eric Dumazet 提交于
      commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.
      
      tcp_fragment() might be called for skbs in the write queue.
      
      Memory limits might have been exceeded because tcp_sendmsg() only
      checks limits at full skb (64KB) boundaries.
      
      Therefore, we need to make sure tcp_fragment() wont punish applications
      that might have setup very low SO_SNDBUF values.
      
      Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NChristoph Paasch <cpaasch@apple.com>
      Tested-by: NChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dad3a931
    • G
      Linux 4.19.54 · 63bbbcd8
      Greg Kroah-Hartman 提交于
      63bbbcd8
    • A
      Abort file_remove_privs() for non-reg. files · e8e448b0
      Alexander Lochmann 提交于
      commit f69e749a49353d96af1a293f56b5b56de59c668a upstream.
      
      file_remove_privs() might be called for non-regular files, e.g.
      blkdev inode. There is no reason to do its job on things
      like blkdev inodes, pipes, or cdevs. Hence, abort if
      file does not refer to a regular inode.
      
      AV: more to the point, for devices there might be any number of
      inodes refering to given device.  Which one to strip the permissions
      from, even if that made any sense in the first place?  All of them
      will be observed with contents modified, after all.
      
      Found by LockDoc (Alexander Lochmann, Horst Schirmeier and Olaf
      Spinczyk)
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NAlexander Lochmann <alexander.lochmann@tu-dortmund.de>
      Signed-off-by: NHorst Schirmeier <horst.schirmeier@tu-dortmund.de>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8e448b0
    • A
      coredump: fix race condition between collapse_huge_page() and core dumping · 465ce9a5
      Andrea Arcangeli 提交于
      commit 59ea6d06cfa9247b586a695c21f94afa7183af74 upstream.
      
      When fixing the race conditions between the coredump and the mmap_sem
      holders outside the context of the process, we focused on
      mmget_not_zero()/get_task_mm() callers in 04f5866e41fb70 ("coredump: fix
      race condition between mmget_not_zero()/get_task_mm() and core
      dumping"), but those aren't the only cases where the mmap_sem can be
      taken outside of the context of the process as Michal Hocko noticed
      while backporting that commit to older -stable kernels.
      
      If mmgrab() is called in the context of the process, but then the
      mm_count reference is transferred outside the context of the process,
      that can also be a problem if the mmap_sem has to be taken for writing
      through that mm_count reference.
      
      khugepaged registration calls mmgrab() in the context of the process,
      but the mmap_sem for writing is taken later in the context of the
      khugepaged kernel thread.
      
      collapse_huge_page() after taking the mmap_sem for writing doesn't
      modify any vma, so it's not obvious that it could cause a problem to the
      coredump, but it happens to modify the pmd in a way that breaks an
      invariant that pmd_trans_huge_lock() relies upon.  collapse_huge_page()
      needs the mmap_sem for writing just to block concurrent page faults that
      call pmd_trans_huge_lock().
      
      Specifically the invariant that "!pmd_trans_huge()" cannot become a
      "pmd_trans_huge()" doesn't hold while collapse_huge_page() runs.
      
      The coredump will call __get_user_pages() without mmap_sem for reading,
      which eventually can invoke a lockless page fault which will need a
      functional pmd_trans_huge_lock().
      
      So collapse_huge_page() needs to use mmget_still_valid() to check it's
      not running concurrently with the coredump...  as long as the coredump
      can invoke page faults without holding the mmap_sem for reading.
      
      This has "Fixes: khugepaged" to facilitate backporting, but in my view
      it's more a bug in the coredump code that will eventually have to be
      rewritten to stop invoking page faults without the mmap_sem for reading.
      So the long term plan is still to drop all mmget_still_valid().
      
      Link: http://lkml.kernel.org/r/20190607161558.32104-1-aarcange@redhat.com
      Fixes: ba76149f ("thp: khugepaged")
      Signed-off-by: NAndrea Arcangeli <aarcange@redhat.com>
      Reported-by: NMichal Hocko <mhocko@suse.com>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Acked-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Mike Kravetz <mike.kravetz@oracle.com>
      Cc: Peter Xu <peterx@redhat.com>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      465ce9a5
    • T
      ocfs2: fix error path kobject memory leak · c7fb6b75
      Tobin C. Harding 提交于
      [ Upstream commit b9fba67b3806e21b98bd5a98dc3921a8e9b42d61 ]
      
      If a call to kobject_init_and_add() fails we should call kobject_put()
      otherwise we leak memory.
      
      Add call to kobject_put() in the error path of call to
      kobject_init_and_add().  Please note, this has the side effect that the
      release method is called if kobject_init_and_add() fails.
      
      Link: http://lkml.kernel.org/r/20190513033458.2824-1-tobin@kernel.orgSigned-off-by: NTobin C. Harding <tobin@kernel.org>
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c7fb6b75
    • A
      mlxsw: spectrum: Prevent force of 56G · fedb1b9c
      Amit Cohen 提交于
      [ Upstream commit 275e928f19117d22f6d26dee94548baf4041b773 ]
      
      Force of 56G is not supported by hardware in Ethernet devices. This
      configuration fails with a bad parameter error from firmware.
      
      Add check of this case. Instead of trying to set 56G with autoneg off,
      return a meaningful error.
      
      Fixes: 56ade8fe ("mlxsw: spectrum: Add initial support for Spectrum ASIC")
      Signed-off-by: NAmit Cohen <amitc@mellanox.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fedb1b9c
    • J
      scsi: libsas: delete sas port if expander discover failed · 114e8135
      Jason Yan 提交于
      [ Upstream commit 3b0541791453fbe7f42867e310e0c9eb6295364d ]
      
      The sas_port(phy->port) allocated in sas_ex_discover_expander() will not be
      deleted when the expander failed to discover. This will cause resource leak
      and a further issue of kernel BUG like below:
      
      [159785.843156]  port-2:17:29: trying to add phy phy-2:17:29 fails: it's
      already part of another port
      [159785.852144] ------------[ cut here  ]------------
      [159785.856833] kernel BUG at drivers/scsi/scsi_transport_sas.c:1086!
      [159785.863000] Internal error: Oops - BUG: 0 [#1] SMP
      [159785.867866] CPU: 39 PID: 16993 Comm: kworker/u96:2 Tainted: G
      W  OE     4.19.25-vhulk1901.1.0.h111.aarch64 #1
      [159785.878458] Hardware name: Huawei Technologies Co., Ltd.
      Hi1620EVBCS/Hi1620EVBCS, BIOS Hi1620 CS B070 1P TA 03/21/2019
      [159785.889231] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
      [159785.895224] pstate: 40c00009 (nZcv daif +PAN +UAO)
      [159785.900094] pc : sas_port_add_phy+0x188/0x1b8
      [159785.904524] lr : sas_port_add_phy+0x188/0x1b8
      [159785.908952] sp : ffff0001120e3b80
      [159785.912341] x29: ffff0001120e3b80 x28: 0000000000000000
      [159785.917727] x27: ffff802ade8f5400 x26: ffff0000681b7560
      [159785.923111] x25: ffff802adf11a800 x24: ffff0000680e8000
      [159785.928496] x23: ffff802ade8f5728 x22: ffff802ade8f5708
      [159785.933880] x21: ffff802adea2db40 x20: ffff802ade8f5400
      [159785.939264] x19: ffff802adea2d800 x18: 0000000000000010
      [159785.944649] x17: 00000000821bf734 x16: ffff00006714faa0
      [159785.950033] x15: ffff0000e8ab4ecf x14: 7261702079646165
      [159785.955417] x13: 726c612073277469 x12: ffff00006887b830
      [159785.960802] x11: ffff00006773eaa0 x10: 7968702079687020
      [159785.966186] x9 : 0000000000002453 x8 : 726f702072656874
      [159785.971570] x7 : 6f6e6120666f2074 x6 : ffff802bcfb21290
      [159785.976955] x5 : ffff802bcfb21290 x4 : 0000000000000000
      [159785.982339] x3 : ffff802bcfb298c8 x2 : 337752b234c2ab00
      [159785.987723] x1 : 337752b234c2ab00 x0 : 0000000000000000
      [159785.993108] Process kworker/u96:2 (pid: 16993, stack limit =
      0x0000000072dae094)
      [159786.000576] Call trace:
      [159786.003097]  sas_port_add_phy+0x188/0x1b8
      [159786.007179]  sas_ex_get_linkrate.isra.5+0x134/0x140
      [159786.012130]  sas_ex_discover_expander+0x128/0x408
      [159786.016906]  sas_ex_discover_dev+0x218/0x4c8
      [159786.021249]  sas_ex_discover_devices+0x9c/0x1a8
      [159786.025852]  sas_discover_root_expander+0x134/0x160
      [159786.030802]  sas_discover_domain+0x1b8/0x1e8
      [159786.035148]  process_one_work+0x1b4/0x3f8
      [159786.039230]  worker_thread+0x54/0x470
      [159786.042967]  kthread+0x134/0x138
      [159786.046269]  ret_from_fork+0x10/0x18
      [159786.049918] Code: 91322300 f0004402 91178042 97fe4c9b (d4210000)
      [159786.056083] Modules linked in: hns3_enet_ut(OE) hclge(OE) hnae3(OE)
      hisi_sas_test_hw(OE) hisi_sas_test_main(OE) serdes(OE)
      [159786.067202] ---[ end trace 03622b9e2d99e196  ]---
      [159786.071893] Kernel panic - not syncing: Fatal exception
      [159786.077190] SMP: stopping secondary CPUs
      [159786.081192] Kernel Offset: disabled
      [159786.084753] CPU features: 0x2,a2a00a38
      
      Fixes: 2908d778 ("[SCSI] aic94xx: new driver")
      Reported-by: NJian Luo <luojian5@huawei.com>
      Signed-off-by: NJason Yan <yanaijie@huawei.com>
      CC: John Garry <john.garry@huawei.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      114e8135
    • Y
      scsi: scsi_dh_alua: Fix possible null-ptr-deref · 89ede9d8
      YueHaibing 提交于
      [ Upstream commit 12e750bc62044de096ab9a95201213fd912b9994 ]
      
      If alloc_workqueue fails in alua_init, it should return -ENOMEM, otherwise
      it will trigger null-ptr-deref while unloading module which calls
      destroy_workqueue dereference
      wq->lock like this:
      
      BUG: KASAN: null-ptr-deref in __lock_acquire+0x6b4/0x1ee0
      Read of size 8 at addr 0000000000000080 by task syz-executor.0/7045
      
      CPU: 0 PID: 7045 Comm: syz-executor.0 Tainted: G         C        5.1.0+ #28
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
      Call Trace:
       dump_stack+0xa9/0x10e
       __kasan_report+0x171/0x18d
       ? __lock_acquire+0x6b4/0x1ee0
       kasan_report+0xe/0x20
       __lock_acquire+0x6b4/0x1ee0
       lock_acquire+0xb4/0x1b0
       __mutex_lock+0xd8/0xb90
       drain_workqueue+0x25/0x290
       destroy_workqueue+0x1f/0x3f0
       __x64_sys_delete_module+0x244/0x330
       do_syscall_64+0x72/0x2a0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: 03197b61 ("scsi_dh_alua: Use workqueue for RTPG")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      89ede9d8
    • L
      scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask · cb7c6c33
      Lianbo Jiang 提交于
      [ Upstream commit 1d94f06e7f5df4064ef336b7b710f50143b64a53 ]
      
      When SME is enabled, the smartpqi driver won't work on the HP DL385 G10
      machine, which causes the failure of kernel boot because it fails to
      allocate pqi error buffer. Please refer to the kernel log:
      ....
      [    9.431749] usbcore: registered new interface driver uas
      [    9.441524] Microsemi PQI Driver (v1.1.4-130)
      [    9.442956] i40e 0000:04:00.0: fw 6.70.48768 api 1.7 nvm 10.2.5
      [    9.447237] smartpqi 0000:23:00.0: Microsemi Smart Family Controller found
               Starting dracut initqueue hook...
      [  OK  ] Started Show Plymouth Boot Scre[    9.471654] Broadcom NetXtreme-C/E driver bnxt_en v1.9.1
      en.
      [  OK  ] Started Forward Password Requests to Plymouth Directory Watch.
      [[0;[    9.487108] smartpqi 0000:23:00.0: failed to allocate PQI error buffer
      ....
      [  139.050544] dracut-initqueue[949]: Warning: dracut-initqueue timeout - starting timeout scripts
      [  139.589779] dracut-initqueue[949]: Warning: dracut-initqueue timeout - starting timeout scripts
      
      Basically, the fact that the coherent DMA mask value wasn't set caused the
      driver to fall back to SWIOTLB when SME is active.
      
      For correct operation, lets call the dma_set_mask_and_coherent() to
      properly set the mask for both streaming and coherent, in order to inform
      the kernel about the devices DMA addressing capabilities.
      Signed-off-by: NLianbo Jiang <lijiang@redhat.com>
      Acked-by: NDon Brace <don.brace@microsemi.com>
      Tested-by: NDon Brace <don.brace@microsemi.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cb7c6c33
    • V
      scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() · 214c5933
      Varun Prakash 提交于
      [ Upstream commit cc555759117e8349088e0c5d19f2f2a500bafdbd ]
      
      ip_dev_find() can return NULL so add a check for NULL pointer.
      Signed-off-by: NVarun Prakash <varun@chelsio.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      214c5933
    • M
      net: phy: dp83867: Set up RGMII TX delay · 7b9e1094
      Max Uvarov 提交于
      [ Upstream commit 2b892649254fec01678c64f16427622b41fa27f4 ]
      
      PHY_INTERFACE_MODE_RGMII_RXID is less then TXID
      so code to set tx delay is never called.
      
      Fixes: 2a10154a ("net: phy: dp83867: Add TI dp83867 phy")
      Signed-off-by: NMax Uvarov <muvarov@gmail.com>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7b9e1094
    • R
      net: phylink: ensure consistent phy interface mode · 7698ad8c
      Russell King 提交于
      [ Upstream commit c678726305b9425454be7c8a7624290b602602fc ]
      
      Ensure that we supply the same phy interface mode to mac_link_down() as
      we did for the corresponding mac_link_up() call.  This ensures that MAC
      drivers that use the phy interface mode in these methods can depend on
      mac_link_down() always corresponding to a mac_link_up() call for the
      same interface mode.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7698ad8c
    • Y
      net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs · 8fb2c796
      Yoshihiro Shimoda 提交于
      [ Upstream commit 315ca92dd863fecbffc0bb52ae0ac11e0398726a ]
      
      The sh_eth_close() resets the MAC and then calls phy_stop()
      so that mdio read access result is incorrect without any error
      according to kernel trace like below:
      
      ifconfig-216   [003] .n..   109.133124: mdio_access: ee700000.ethernet-ffffffff read  phy:0x01 reg:0x00 val:0xffff
      
      According to the hardware manual, the RMII mode should be set to 1
      before operation the Ethernet MAC. However, the previous code was not
      set to 1 after the driver issued the soft_reset in sh_eth_dev_exit()
      so that the mdio read access result seemed incorrect. To fix the issue,
      this patch adds a condition and set the RMII mode register in
      sh_eth_dev_exit() for R-Car Gen2 and RZ/A1 SoCs.
      
      Note that when I have tried to move the sh_eth_dev_exit() calling
      after phy_stop() on sh_eth_close(), but it gets worse (kernel panic
      happened and it seems that a register is accessed while the clock is
      off).
      Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8fb2c796
    • S
      arm64: use the correct function type for __arm64_sys_ni_syscall · 467f9026
      Sami Tolvanen 提交于
      [ Upstream commit 1e29ab3186e33c77dbb2d7566172a205b59fa390 ]
      
      Calling sys_ni_syscall through a syscall_fn_t pointer trips indirect
      call Control-Flow Integrity checking due to a function type
      mismatch. Use SYSCALL_DEFINE0 for __arm64_sys_ni_syscall instead and
      remove the now unnecessary casts.
      Signed-off-by: NSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      467f9026
    • S
      arm64: use the correct function type in SYSCALL_DEFINE0 · 98fd62e0
      Sami Tolvanen 提交于
      [ Upstream commit 0e358bd7b7ebd27e491dabed938eae254c17fe3b ]
      
      Although a syscall defined using SYSCALL_DEFINE0 doesn't accept
      parameters, use the correct function type to avoid indirect call
      type mismatches with Control-Flow Integrity checking.
      Signed-off-by: NSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      98fd62e0
    • S
      arm64: fix syscall_fn_t type · c5fdfaed
      Sami Tolvanen 提交于
      [ Upstream commit 8ef8f368ce72b5e17f7c1f1ef15c38dcfd0fef64 ]
      
      Syscall wrappers in <asm/syscall_wrapper.h> use const struct pt_regs *
      as the argument type. Use const in syscall_fn_t as well to fix indirect
      call type mismatches with Control-Flow Integrity checking.
      Signed-off-by: NSami Tolvanen <samitolvanen@google.com>
      Reviewed-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c5fdfaed
    • P
      KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu · df6384e0
      Paul Mackerras 提交于
      [ Upstream commit 5a3f49364c3ffa1107bd88f8292406e98c5d206c ]
      
      Currently the HV KVM code takes the kvm->lock around calls to
      kvm_for_each_vcpu() and kvm_get_vcpu_by_id() (which can call
      kvm_for_each_vcpu() internally).  However, that leads to a lock
      order inversion problem, because these are called in contexts where
      the vcpu mutex is held, but the vcpu mutexes nest within kvm->lock
      according to Documentation/virtual/kvm/locking.txt.  Hence there
      is a possibility of deadlock.
      
      To fix this, we simply don't take the kvm->lock mutex around these
      calls.  This is safe because the implementations of kvm_for_each_vcpu()
      and kvm_get_vcpu_by_id() have been designed to be able to be called
      locklessly.
      Signed-off-by: NPaul Mackerras <paulus@ozlabs.org>
      Reviewed-by: NCédric Le Goater <clg@kaod.org>
      Signed-off-by: NPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      df6384e0
    • P
      KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list · b376683f
      Paul Mackerras 提交于
      [ Upstream commit 1659e27d2bc1ef47b6d031abe01b467f18cb72d9 ]
      
      Currently the Book 3S KVM code uses kvm->lock to synchronize access
      to the kvm->arch.rtas_tokens list.  Because this list is scanned
      inside kvmppc_rtas_hcall(), which is called with the vcpu mutex held,
      taking kvm->lock cause a lock inversion problem, which could lead to
      a deadlock.
      
      To fix this, we add a new mutex, kvm->arch.rtas_token_lock, which nests
      inside the vcpu mutexes, and use that instead of kvm->lock when
      accessing the rtas token list.
      
      This removes the lockdep_assert_held() in kvmppc_rtas_tokens_free().
      At this point we don't hold the new mutex, but that is OK because
      kvmppc_rtas_tokens_free() is only called when the whole VM is being
      destroyed, and at that point nothing can be looking up a token in
      the list.
      Signed-off-by: NPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b376683f
    • R
      xenbus: Avoid deadlock during suspend due to open transactions · 4acce744
      Ross Lagerwall 提交于
      [ Upstream commit d10e0cc113c9e1b64b5c6e3db37b5c839794f3df ]
      
      During a suspend/resume, the xenwatch thread waits for all outstanding
      xenstore requests and transactions to complete. This does not work
      correctly for transactions started by userspace because it waits for
      them to complete after freezing userspace threads which means the
      transactions have no way of completing, resulting in a deadlock. This is
      trivial to reproduce by running this script and then suspending the VM:
      
          import pyxs, time
          c = pyxs.client.Client(xen_bus_path="/dev/xen/xenbus")
          c.connect()
          c.transaction()
          time.sleep(3600)
      
      Even if this deadlock were resolved, misbehaving userspace should not
      prevent a VM from being migrated. So, instead of waiting for these
      transactions to complete before suspending, store the current generation
      id for each transaction when it is started. The global generation id is
      incremented during resume. If the caller commits the transaction and the
      generation id does not match the current generation id, return EAGAIN so
      that they try again. If the transaction was instead discarded, return OK
      since no changes were made anyway.
      
      This only affects users of the xenbus file interface. In-kernel users of
      xenbus are assumed to be well-behaved and complete all transactions
      before freezing.
      Signed-off-by: NRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4acce744
    • Y
      xen/pvcalls: Remove set but not used variable · 66f33b2b
      YueHaibing 提交于
      [ Upstream commit 41349672e3cbc2e8349831f21253509c3415aa2b ]
      
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/xen/pvcalls-front.c: In function pvcalls_front_sendmsg:
      drivers/xen/pvcalls-front.c:543:25: warning: variable bedata set but not used [-Wunused-but-set-variable]
      drivers/xen/pvcalls-front.c: In function pvcalls_front_recvmsg:
      drivers/xen/pvcalls-front.c:638:25: warning: variable bedata set but not used [-Wunused-but-set-variable]
      
      They are never used since introduction.
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      66f33b2b
    • R
      ia64: fix build errors by exporting paddr_to_nid() · d92ebe0c
      Randy Dunlap 提交于
      [ Upstream commit 9a626c4a6326da4433a0d4d4a8a7d1571caf1ed3 ]
      
      Fix build errors on ia64 when DISCONTIGMEM=y and NUMA=y by
      exporting paddr_to_nid().
      
      Fixes these build errors:
      
      ERROR: "paddr_to_nid" [sound/core/snd-pcm.ko] undefined!
      ERROR: "paddr_to_nid" [net/sunrpc/sunrpc.ko] undefined!
      ERROR: "paddr_to_nid" [fs/cifs/cifs.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/video/fbdev/core/fb.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/usb/mon/usbmon.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/usb/core/usbcore.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/md/raid1.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/md/dm-mod.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/md/dm-crypt.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/md/dm-bufio.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/ide/ide-core.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/ide/ide-cd_mod.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/gpu/drm/drm.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/char/agp/agpgart.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/block/nbd.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/block/loop.ko] undefined!
      ERROR: "paddr_to_nid" [drivers/block/brd.ko] undefined!
      ERROR: "paddr_to_nid" [crypto/ccm.ko] undefined!
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: linux-ia64@vger.kernel.org
      Signed-off-by: NTony Luck <tony.luck@intel.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d92ebe0c
    • T
      perf record: Fix s390 missing module symbol and warning for non-root users · 60a3e3b9
      Thomas Richter 提交于
      [ Upstream commit 6738028dd57df064b969d8392c943ef3b3ae705d ]
      
      Command 'perf record' and 'perf report' on a system without kernel
      debuginfo packages uses /proc/kallsyms and /proc/modules to find
      addresses for kernel and module symbols. On x86 this works for root and
      non-root users.
      
      On s390, when invoked as non-root user, many of the following warnings
      are shown and module symbols are missing:
      
          proc/{kallsyms,modules} inconsistency while looking for
              "[sha1_s390]" module!
      
      Command 'perf record' creates a list of module start addresses by
      parsing the output of /proc/modules and creates a PERF_RECORD_MMAP
      record for the kernel and each module. The following function call
      sequence is executed:
      
        machine__create_kernel_maps
          machine__create_module
            modules__parse
              machine__create_module --> for each line in /proc/modules
                arch__fix_module_text_start
      
      Function arch__fix_module_text_start() is s390 specific. It opens
      file /sys/module/<name>/sections/.text to extract the module's .text
      section start address. On s390 the module loader prepends a header
      before the first section, whereas on x86 the module's text section
      address is identical the the module's load address.
      
      However module section files are root readable only. For non-root the
      read operation fails and machine__create_module() returns an error.
      Command perf record does not generate any PERF_RECORD_MMAP record
      for loaded modules. Later command perf report complains about missing
      module maps.
      
      To fix this function arch__fix_module_text_start() always returns
      success. For root users there is no change, for non-root users
      the module's load address is used as module's text start address
      (the prepended header then counts as part of the text section).
      
      This enable non-root users to use module symbols and avoid the
      warning when perf report is executed.
      
      Output before:
      
        [tmricht@m83lp54 perf]$ ./perf report -D | fgrep MMAP
        0 0x168 [0x50]: PERF_RECORD_MMAP ... x [kernel.kallsyms]_text
      
      Output after:
      
        [tmricht@m83lp54 perf]$ ./perf report -D | fgrep MMAP
        0 0x168 [0x50]: PERF_RECORD_MMAP ... x [kernel.kallsyms]_text
        0 0x1b8 [0x98]: PERF_RECORD_MMAP ... x /lib/modules/.../autofs4.ko.xz
        0 0x250 [0xa8]: PERF_RECORD_MMAP ... x /lib/modules/.../sha_common.ko.xz
        0 0x2f8 [0x98]: PERF_RECORD_MMAP ... x /lib/modules/.../des_generic.ko.xz
      Signed-off-by: NThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: NHendrik Brueckner <brueckner@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Link: http://lkml.kernel.org/r/20190522144601.50763-4-tmricht@linux.ibm.comSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      60a3e3b9
    • N
      perf namespace: Protect reading thread's namespace · be0e6266
      Namhyung Kim 提交于
      [ Upstream commit 6584140ba9e6762dd7ec73795243289b914f31f9 ]
      
      It seems that the current code lacks holding the namespace lock in
      thread__namespaces().  Otherwise it can see inconsistent results.
      Signed-off-by: NNamhyung Kim <namhyung@kernel.org>
      Cc: Hari Bathini <hbathini@linux.vnet.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Krister Johansen <kjlx@templeofstupid.com>
      Link: http://lkml.kernel.org/r/20190522053250.207156-2-namhyung@kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      be0e6266
    • S
      perf data: Fix 'strncat may truncate' build failure with recent gcc · 7d523e33
      Shawn Landden 提交于
      [ Upstream commit 97acec7df172cd1e450f81f5e293c0aa145a2797 ]
      
      This strncat() is safe because the buffer was allocated with zalloc(),
      however gcc doesn't know that. Since the string always has 4 non-null
      bytes, just use memcpy() here.
      
          CC       /home/shawn/linux/tools/perf/util/data-convert-bt.o
        In file included from /usr/include/string.h:494,
                         from /home/shawn/linux/tools/lib/traceevent/event-parse.h:27,
                         from util/data-convert-bt.c:22:
        In function ‘strncat’,
            inlined from ‘string_set_value’ at util/data-convert-bt.c:274:4:
        /usr/include/powerpc64le-linux-gnu/bits/string_fortified.h:136:10: error: ‘__builtin_strncat’ output may be truncated copying 4 bytes from a string of length 4 [-Werror=stringop-truncation]
          136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
              |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: NShawn Landden <shawn@git.icu>
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Wang Nan <wangnan0@huawei.com>
      LPU-Reference: 20190518183238.10954-1-shawn@git.icu
      Link: https://lkml.kernel.org/n/tip-289f1jice17ta7tr3tstm9jm@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7d523e33
    • S
      configfs: Fix use-after-free when accessing sd->s_dentry · e9fcebe0
      Sahitya Tummala 提交于
      [ Upstream commit f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 ]
      
      In the vfs_statx() context, during path lookup, the dentry gets
      added to sd->s_dentry via configfs_attach_attr(). In the end,
      vfs_statx() kills the dentry by calling path_put(), which invokes
      configfs_d_iput(). Ideally, this dentry must be removed from
      sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result,
      sd->s_dentry is holding reference to a stale dentry pointer whose
      memory is already freed up. This results in use-after-free issue,
      when this stale sd->s_dentry is accessed later in
      configfs_readdir() path.
      
      This issue can be easily reproduced, by running the LTP test case -
      sh fs_racer_file_list.sh /config
      (https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh)
      
      Fixes: 76ae281f ('configfs: fix race between dentry put and lookup')
      Signed-off-by: NSahitya Tummala <stummala@codeaurora.org>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e9fcebe0
    • B
      ALSA: hda - Force polling mode on CNL for fixing codec communication · ab7a3d9a
      Bard Liao 提交于
      [ Upstream commit fa763f1b2858752e6150ffff46886a1b7faffc82 ]
      
      We observed the same issue as reported by commit a8d7bde2
      ("ALSA: hda - Force polling mode on CFL for fixing codec communication")
      We don't have a better solution. So apply the same workaround to CNL.
      Signed-off-by: NBard Liao <yung-chuan.liao@linux.intel.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ab7a3d9a
    • Y
      i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr · 7bea5618
      Yingjoe Chen 提交于
      [ Upstream commit a0692f0eef91354b62c2b4c94954536536be5425 ]
      
      If I2C_M_RECV_LEN check failed, msgs[i].buf allocated by memdup_user
      will not be freed. Pump index up so it will be freed.
      
      Fixes: 838bfa60 ("i2c-dev: Add support for I2C_M_RECV_LEN")
      Signed-off-by: NYingjoe Chen <yingjoe.chen@mediatek.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7bea5618
    • D
      net: aquantia: fix LRO with FCS error · 197501af
      Dmitry Bogdanov 提交于
      [ Upstream commit eaeb3b7494ba9159323814a8ce8af06a9277d99b ]
      
      Driver stops producing skbs on ring if a packet with FCS error
      was coalesced into LRO session. Ring gets hang forever.
      
      Thats a logical error in driver processing descriptors:
      When rx_stat indicates MAC Error, next pointer and eop flags
      are not filled. This confuses driver so it waits for descriptor 0
      to be filled by HW.
      
      Solution is fill next pointer and eop flag even for packets with FCS error.
      
      Fixes: bab6de8f ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions.")
      Signed-off-by: NIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: NDmitry Bogdanov <dmitry.bogdanov@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      197501af
    • I
      net: aquantia: tx clean budget logic error · 388534d4
      Igor Russkikh 提交于
      [ Upstream commit 31bafc49a7736989e4c2d9f7280002c66536e590 ]
      
      In case no other traffic happening on the ring, full tx cleanup
      may not be completed. That may cause socket buffer to overflow
      and tx traffic to stuck until next activity on the ring happens.
      
      This is due to logic error in budget variable decrementor.
      Variable is compared with zero, and then post decremented,
      causing it to become MAX_INT. Solution is remove decrementor
      from the `for` statement and rewrite it in a clear way.
      
      Fixes: b647d398 ("net: aquantia: Add tx clean budget and valid budget handling logic")
      Signed-off-by: NIgor Russkikh <igor.russkikh@aquantia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      388534d4
    • L
      drm/etnaviv: lock MMU while dumping core · b7ca3f33
      Lucas Stach 提交于
      [ Upstream commit 1396500d673bd027683a0609ff84dca7eb6ea2e7 ]
      
      The devcoredump needs to operate on a stable state of the MMU while
      it is writing the MMU state to the coredump. The missing lock
      allowed both the userspace submit, as well as the GPU job finish
      paths to mutate the MMU state while a coredump is under way.
      
      Fixes: a8c21a54 (drm/etnaviv: add initial etnaviv DRM driver)
      Reported-by: NDavid Jander <david@protonic.nl>
      Signed-off-by: NLucas Stach <l.stach@pengutronix.de>
      Tested-by: NDavid Jander <david@protonic.nl>
      Reviewed-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b7ca3f33
    • R
      ACPI/PCI: PM: Add missing wakeup.flags.valid checks · ee61fb4d
      Rafael J. Wysocki 提交于
      [ Upstream commit 9a51c6b1f9e0239a9435db036b212498a2a3b75c ]
      
      Both acpi_pci_need_resume() and acpi_dev_needs_resume() check if the
      current ACPI wakeup configuration of the device matches what is
      expected as far as system wakeup from sleep states is concerned, as
      reflected by the device_may_wakeup() return value for the device.
      
      However, they only should do that if wakeup.flags.valid is set for
      the device's ACPI companion, because otherwise the wakeup.prepare_count
      value for it is meaningless.
      
      Add the missing wakeup.flags.valid checks to these functions.
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Reviewed-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ee61fb4d
    • K
      net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() · bc19b50b
      Kees Cook 提交于
      [ Upstream commit 3e66b7cc50ef921121babc91487e1fb98af1ba6e ]
      
      Building with Clang reports the redundant use of MODULE_DEVICE_TABLE():
      
      drivers/net/ethernet/dec/tulip/de4x5.c:2110:1: error: redefinition of '__mod_eisa__de4x5_eisa_ids_device_table'
      MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids);
      ^
      ./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE'
      extern typeof(name) __mod_##type##__##name##_device_table               \
                          ^
      <scratch space>:90:1: note: expanded from here
      __mod_eisa__de4x5_eisa_ids_device_table
      ^
      drivers/net/ethernet/dec/tulip/de4x5.c:2100:1: note: previous definition is here
      MODULE_DEVICE_TABLE(eisa, de4x5_eisa_ids);
      ^
      ./include/linux/module.h:229:21: note: expanded from macro 'MODULE_DEVICE_TABLE'
      extern typeof(name) __mod_##type##__##name##_device_table               \
                          ^
      <scratch space>:85:1: note: expanded from here
      __mod_eisa__de4x5_eisa_ids_device_table
      ^
      
      This drops the one further from the table definition to match the common
      use of MODULE_DEVICE_TABLE().
      
      Fixes: 07563c71 ("EISA bus MODALIAS attributes support")
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bc19b50b
    • B
      net: stmmac: update rx tail pointer register to fix rx dma hang issue. · 9a3208b6
      Biao Huang 提交于
      [ Upstream commit 4523a5611526709ec9b4e2574f1bb7818212651e ]
      
      Currently we will not update the receive descriptor tail pointer in
      stmmac_rx_refill. Rx dma will think no available descriptors and stop
      once received packets exceed DMA_RX_SIZE, so that the rx only test will fail.
      
      Update the receive tail pointer in stmmac_rx_refill to add more descriptors
      to the rx channel, so packets can be received continually
      
      Fixes: 54139cf3 ("net: stmmac: adding multiple buffers for rx")
      Signed-off-by: NBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9a3208b6
    • R
      gpio: fix gpio-adp5588 build errors · 3fbcef33
      Randy Dunlap 提交于
      [ Upstream commit e9646f0f5bb62b7d43f0968f39d536cfe7123b53 ]
      
      The gpio-adp5588 driver uses interfaces that are provided by
      GPIOLIB_IRQCHIP, so select that symbol in its Kconfig entry.
      
      Fixes these build errors:
      
      ../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_handler’:
      ../drivers/gpio/gpio-adp5588.c:266:26: error: ‘struct gpio_chip’ has no member named ‘irq’
                  dev->gpio_chip.irq.domain, gpio));
                                ^
      ../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_setup’:
      ../drivers/gpio/gpio-adp5588.c:298:2: error: implicit declaration of function ‘gpiochip_irqchip_add_nested’ [-Werror=implicit-function-declaration]
        ret = gpiochip_irqchip_add_nested(&dev->gpio_chip,
        ^
      ../drivers/gpio/gpio-adp5588.c:307:2: error: implicit declaration of function ‘gpiochip_set_nested_irqchip’ [-Werror=implicit-function-declaration]
        gpiochip_set_nested_irqchip(&dev->gpio_chip,
        ^
      
      Fixes: 459773ae ("gpio: adp5588-gpio: support interrupt controller")
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: linux-gpio@vger.kernel.org
      Reviewed-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Acked-by: NMichael Hennerich <michael.hennerich@analog.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3fbcef33