1. 24 3月, 2019 40 次提交
    • N
      xprtrdma: Make sure Send CQ is allocated on an existing compvec · d84bc704
      Nicolas Morey-Chaisemartin 提交于
      [ Upstream commit a4cb5bdb754afe21f3e9e7164213e8600cf69427 ]
      
      Make sure the device has at least 2 completion vectors
      before allocating to compvec#1
      
      Fixes: a4699f56 (xprtrdma: Put Send CQ in IB_POLL_WORKQUEUE mode)
      Signed-off-by: NNicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>
      Reviewed-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d84bc704
    • Y
      floppy: check_events callback should not return a negative number · e01f2b08
      Yufen Yu 提交于
      [ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ]
      
      floppy_check_events() is supposed to return bit flags to say which
      events occured. We should return zero to say that no event flags are
      set.  Only BIT(0) and BIT(1) are used in the caller. And .check_events
      interface also expect to return an unsigned int value.
      
      However, after commit a0c80efe, it may return -EINTR (-4u).
      Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't
      affect runtime, but it obviously is still worth fixing.
      Reviewed-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: a0c80efe ("floppy: fix lock_fdc() signal handling")
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e01f2b08
    • A
      ipvs: fix dependency on nf_defrag_ipv6 · 5ca2ef67
      Andrea Claudi 提交于
      [ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
      
      ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
      but lacks proper Kconfig dependencies and does not explicitly
      request defrag features.
      
      As a result, if netfilter hooks are not loaded, when IPv6 fragmented
      packet are handled by ipvs only the first fragment makes through.
      
      Fix it properly declaring the dependency on Kconfig and registering
      netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
      Reported-by: NLi Shuang <shuali@redhat.com>
      Signed-off-by: NAndrea Claudi <aclaudi@redhat.com>
      Acked-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NSimon Horman <horms@verge.net.au>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5ca2ef67
    • J
      blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue · 29452f66
      Jianchao Wang 提交于
      [ Upstream commit aef1897cd36dcf5e296f1d2bae7e0d268561b685 ]
      
      When requeue, if RQF_DONTPREP, rq has contained some driver
      specific data, so insert it to hctx dispatch list to avoid any
      merge. Take scsi as example, here is the trace event log (no
      io scheduler, because RQF_STARTED would prevent merging),
      
         kworker/0:1H-339   [000] ...1  2037.209289: block_rq_insert: 8,0 R 4096 () 32768 + 8 [kworker/0:1H]
      scsi_inert_test-1987  [000] ....  2037.220465: block_bio_queue: 8,0 R 32776 + 8 [scsi_inert_test]
      scsi_inert_test-1987  [000] ...2  2037.220466: block_bio_backmerge: 8,0 R 32776 + 8 [scsi_inert_test]
         kworker/0:1H-339   [000] ....  2047.220913: block_rq_issue: 8,0 R 8192 () 32768 + 16 [kworker/0:1H]
      scsi_inert_test-1996  [000] ..s1  2047.221007: block_rq_complete: 8,0 R () 32768 + 8 [0]
      scsi_inert_test-1996  [000] .Ns1  2047.221045: block_rq_requeue: 8,0 R () 32776 + 8 [0]
         kworker/0:1H-339   [000] ...1  2047.221054: block_rq_insert: 8,0 R 4096 () 32776 + 8 [kworker/0:1H]
         kworker/0:1H-339   [000] ...1  2047.221056: block_rq_issue: 8,0 R 4096 () 32776 + 8 [kworker/0:1H]
      scsi_inert_test-1986  [000] ..s1  2047.221119: block_rq_complete: 8,0 R () 32776 + 8 [0]
      
      (32768 + 8) was requeued by scsi_queue_insert and had RQF_DONTPREP.
      Then it was merged with (32776 + 8) and issued. Due to RQF_DONTPREP,
      the sdb only contained the part of (32768 + 8), then only that part
      was completed. The lucky thing was that scsi_io_completion detected
      it and requeued the remaining part. So we didn't get corrupted data.
      However, the requeue of (32776 + 8) is not expected.
      Suggested-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NJianchao Wang <jianchao.w.wang@oracle.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      29452f66
    • F
      netfilter: compat: initialize all fields in xt_init · e0e6b0d7
      Francesco Ruggeri 提交于
      [ Upstream commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f ]
      
      If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
      time, the following panic can be caused by running
      
      % ebtables -t broute -F BROUTING
      
      from a 32-bit user level on a 64-bit kernel. This patch replaces
      kmalloc_array with kcalloc when allocating xt.
      
      [  474.680846] BUG: unable to handle kernel paging request at 0000000009600920
      [  474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
      [  474.693838] Oops: 0000 [#1] SMP
      [  474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
      [  474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
      [  474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
      [  474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
      [  474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
      [  474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
      [  474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
      [  474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
      [  474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
      [  474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
      [  474.780234] FS:  0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
      [  474.788612] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      [  474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
      [  474.802052] Call Trace:
      [  474.804789]  compat_do_replace+0x1fb/0x2a3 [ebtables]
      [  474.810105]  compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
      [  474.815605]  ? try_module_get+0x37/0x42
      [  474.819716]  compat_nf_setsockopt+0x4f/0x6d
      [  474.824172]  compat_ip_setsockopt+0x7e/0x8c
      [  474.828641]  compat_raw_setsockopt+0x16/0x3a
      [  474.833220]  compat_sock_common_setsockopt+0x1d/0x24
      [  474.838458]  __compat_sys_setsockopt+0x17e/0x1b1
      [  474.843343]  ? __check_object_size+0x76/0x19a
      [  474.847960]  __ia32_compat_sys_socketcall+0x1cb/0x25b
      [  474.853276]  do_fast_syscall_32+0xaf/0xf6
      [  474.857548]  entry_SYSENTER_compat+0x6b/0x7a
      Signed-off-by: NFrancesco Ruggeri <fruggeri@arista.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e0e6b0d7
    • I
      mac80211: Fix Tx aggregation session tear down with ITXQs · a5a24445
      Ilan Peer 提交于
      [ Upstream commit 6157ca0d6bfe437691b1e98a62e2efe12b6714da ]
      
      When mac80211 requests the low level driver to stop an ongoing
      Tx aggregation, the low level driver is expected to call
      ieee80211_stop_tx_ba_cb_irqsafe() to indicate that it is ready
      to stop the session. The callback in turn schedules a worker
      to complete the session tear down, which in turn also handles
      the relevant state for the intermediate Tx queue.
      
      However, as this flow in asynchronous, the intermediate queue
      should be stopped and not continue servicing frames, as in
      such a case frames that are dequeued would be marked as part
      of an aggregation, although the aggregation is already been
      stopped.
      
      Fix this by stopping the intermediate Tx queue, before
      calling the low level driver to stop the Tx aggregation.
      Signed-off-by: NIlan Peer <ilan.peer@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a5a24445
    • J
      mac80211: call drv_ibss_join() on restart · bff33ba4
      Johannes Berg 提交于
      [ Upstream commit 4926b51bfaa6d36bd6f398fb7698679d3962e19d ]
      
      If a driver does any significant activity in its ibss_join method,
      then it will very well expect that to be called during restart,
      before any stations are added. Do that.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bff33ba4
    • D
      Input: matrix_keypad - use flush_delayed_work() · 134891e1
      Dmitry Torokhov 提交于
      [ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
      
      We should be using flush_delayed_work() instead of flush_work() in
      matrix_keypad_stop() to ensure that we are not missing work that is
      scheduled but not yet put in the workqueue (i.e. its delay timer has not
      expired yet).
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      134891e1
    • D
      Input: ps2-gpio - flush TX work when closing port · e91dc209
      Dmitry Torokhov 提交于
      [ Upstream commit 33a841ce5cef4ca6c18ad333248b6d273f54c839 ]
      
      To ensure that TX work is not running after serio port has been torn down,
      let's flush it when closing the port.
      Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Acked-by: NDanilo Krummrich <danilokrummrich@dk-develop.de>
      Reviewed-by: NSven Van Asbroeck <TheSven73@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e91dc209
    • D
      Input: cap11xx - switch to using set_brightness_blocking() · 4fe714b7
      Dmitry Torokhov 提交于
      [ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ]
      
      Updating LED state requires access to regmap and therefore we may sleep,
      so we could not do that directly form set_brightness() method.
      Historically we used private work to adjust the brightness, but with the
      introduction of set_brightness_blocking() we no longer need it.
      
      As a bonus, not having our own work item means we do not have
      use-after-free issue as we neglected to cancel outstanding work on
      driver unbind.
      Reported-by: NSven Van Asbroeck <thesven73@gmail.com>
      Reviewed-by: NSven Van Asbroeck <TheSven73@googlemail.com>
      Acked-by: NJacek Anaszewski <jacek.anaszewski@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4fe714b7
    • R
      ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug · f49f7007
      Russell King 提交于
      [ Upstream commit 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b ]
      
      If we have a kernel configured for periodic timer interrupts, and we
      have cpuidle enabled, then we end up with CPU1 losing timer interupts
      after a hotplug.
      
      This can manifest itself in RCU stall warnings, or userspace becoming
      unresponsive.
      
      The problem is that the kernel initially wants to use the TWD timer
      for interrupts, but the TWD loses context when we enter the C3 cpuidle
      state.  Nothing reprograms the TWD after idle.
      
      We have solved this in the past by switching to broadcast timer ticks,
      and cpuidle44xx switches to that mode at boot time.  However, there is
      nothing to switch from periodic mode local timers after a hotplug
      operation.
      
      We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
      would expect would take care of the issue, but internally this only
      deals with one-shot local timers - tick_broadcast_enable() on the other
      hand only deals with periodic local timers.  So, we need to call both.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      [tony@atomide.com: just standardized the subject line]
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f49f7007
    • S
      ASoC: samsung: Prevent clk_get_rate() calls in atomic context · 8f07d764
      Sylwester Nawrocki 提交于
      [ Upstream commit 860b454c2c0cbda6892954f5cdbbb48931b3c8db ]
      
      This patch moves clk_get_rate() call from trigger() to hw_params()
      callback to avoid calling sleeping clk API from atomic context
      and prevent deadlock as indicated below.
      
      Before this change clk_get_rate() was being called with same
      spinlock held as the one passed to the clk API when registering
      clocks exposed by the I2S driver.
      
      [   82.109780] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
      [   82.117009] in_atomic(): 1, irqs_disabled(): 128, pid: 1554, name: speaker-test
      [   82.124235] 3 locks held by speaker-test/1554:
      [   82.128653]  #0: cc8c5328 (snd_pcm_link_rwlock){...-}, at: snd_pcm_stream_lock_irq+0x20/0x38
      [   82.137058]  #1: ec9eda17 (&(&substream->self_group.lock)->rlock){..-.}, at: snd_pcm_ioctl+0x900/0x1268
      [   82.146417]  #2: 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4
      [   82.154650] irq event stamp: 8144
      [   82.157949] hardirqs last  enabled at (8143): [<c0a0f574>] _raw_read_unlock_irq+0x24/0x5c
      [   82.166089] hardirqs last disabled at (8144): [<c0a0f6a8>] _raw_read_lock_irq+0x18/0x58
      [   82.174063] softirqs last  enabled at (8004): [<c01024e4>] __do_softirq+0x3a4/0x66c
      [   82.181688] softirqs last disabled at (7997): [<c012d730>] irq_exit+0x140/0x168
      [   82.188964] Preemption disabled at:
      [   82.188967] [<00000000>]   (null)
      [   82.195728] CPU: 6 PID: 1554 Comm: speaker-test Not tainted 5.0.0-rc5-00192-ga6e6caca8f03 #191
      [   82.204302] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      [   82.210376] [<c0111a54>] (unwind_backtrace) from [<c010d8f4>] (show_stack+0x10/0x14)
      [   82.218084] [<c010d8f4>] (show_stack) from [<c09ef004>] (dump_stack+0x90/0xc8)
      [   82.225278] [<c09ef004>] (dump_stack) from [<c0152980>] (___might_sleep+0x22c/0x2c8)
      [   82.232990] [<c0152980>] (___might_sleep) from [<c0a0a2e4>] (__mutex_lock+0x28/0xa3c)
      [   82.240788] [<c0a0a2e4>] (__mutex_lock) from [<c0a0ad80>] (mutex_lock_nested+0x1c/0x24)
      [   82.248763] [<c0a0ad80>] (mutex_lock_nested) from [<c04923dc>] (clk_prepare_lock+0x78/0xec)
      [   82.257079] [<c04923dc>] (clk_prepare_lock) from [<c049538c>] (clk_core_get_rate+0xc/0x5c)
      [   82.265309] [<c049538c>] (clk_core_get_rate) from [<c0766b18>] (i2s_trigger+0x490/0x6d4)
      [   82.273369] [<c0766b18>] (i2s_trigger) from [<c074fec4>] (soc_pcm_trigger+0x100/0x140)
      [   82.281254] [<c074fec4>] (soc_pcm_trigger) from [<c07378a0>] (snd_pcm_do_start+0x2c/0x30)
      [   82.289400] [<c07378a0>] (snd_pcm_do_start) from [<c07376cc>] (snd_pcm_action_single+0x38/0x78)
      [   82.298065] [<c07376cc>] (snd_pcm_action_single) from [<c073a450>] (snd_pcm_ioctl+0x910/0x1268)
      [   82.306734] [<c073a450>] (snd_pcm_ioctl) from [<c0292344>] (do_vfs_ioctl+0x90/0x9ec)
      [   82.314443] [<c0292344>] (do_vfs_ioctl) from [<c0292cd4>] (ksys_ioctl+0x34/0x60)
      [   82.321808] [<c0292cd4>] (ksys_ioctl) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
      [   82.329431] Exception stack(0xeb875fa8 to 0xeb875ff0)
      [   82.334459] 5fa0:                   00033c18 b6e31000 00000004 00004142 00033d80 00033d80
      [   82.342605] 5fc0: 00033c18 b6e31000 00008000 00000036 00008000 00000000 beea38a8 00008000
      [   82.350748] 5fe0: b6e3142c beea384c b6da9a30 b6c9212c
      [   82.355789]
      [   82.357245] ======================================================
      [   82.363397] WARNING: possible circular locking dependency detected
      [   82.369551] 5.0.0-rc5-00192-ga6e6caca8f03 #191 Tainted: G        W
      [   82.376395] ------------------------------------------------------
      [   82.382548] speaker-test/1554 is trying to acquire lock:
      [   82.387834] 6d2007f4 (prepare_lock){+.+.}, at: clk_prepare_lock+0x78/0xec
      [   82.394593]
      [   82.394593] but task is already holding lock:
      [   82.400398] 6ac279bf (&(&pri_dai->spinlock)->rlock){..-.}, at: i2s_trigger+0x64/0x6d4
      [   82.408197]
      [   82.408197] which lock already depends on the new lock.
      [   82.416343]
      [   82.416343] the existing dependency chain (in reverse order) is:
      [   82.423795]
      [   82.423795] -> #1 (&(&pri_dai->spinlock)->rlock){..-.}:
      [   82.430472]        clk_mux_set_parent+0x34/0xb8
      [   82.434975]        clk_core_set_parent_nolock+0x1c4/0x52c
      [   82.440347]        clk_set_parent+0x38/0x6c
      [   82.444509]        of_clk_set_defaults+0xc8/0x308
      [   82.449186]        of_clk_add_provider+0x84/0xd0
      [   82.453779]        samsung_i2s_probe+0x408/0x5f8
      [   82.458376]        platform_drv_probe+0x48/0x98
      [   82.462879]        really_probe+0x224/0x3f4
      [   82.467037]        driver_probe_device+0x70/0x1c4
      [   82.471716]        bus_for_each_drv+0x44/0x8c
      [   82.476049]        __device_attach+0xa0/0x138
      [   82.480382]        bus_probe_device+0x88/0x90
      [   82.484715]        deferred_probe_work_func+0x6c/0xbc
      [   82.489741]        process_one_work+0x200/0x740
      [   82.494246]        worker_thread+0x2c/0x4c8
      [   82.498408]        kthread+0x128/0x164
      [   82.502131]        ret_from_fork+0x14/0x20
      [   82.506204]          (null)
      [   82.508976]
      [   82.508976] -> #0 (prepare_lock){+.+.}:
      [   82.514264]        __mutex_lock+0x60/0xa3c
      [   82.518336]        mutex_lock_nested+0x1c/0x24
      [   82.522756]        clk_prepare_lock+0x78/0xec
      [   82.527088]        clk_core_get_rate+0xc/0x5c
      [   82.531421]        i2s_trigger+0x490/0x6d4
      [   82.535494]        soc_pcm_trigger+0x100/0x140
      [   82.539913]        snd_pcm_do_start+0x2c/0x30
      [   82.544246]        snd_pcm_action_single+0x38/0x78
      [   82.549012]        snd_pcm_ioctl+0x910/0x1268
      [   82.553345]        do_vfs_ioctl+0x90/0x9ec
      [   82.557417]        ksys_ioctl+0x34/0x60
      [   82.561229]        ret_fast_syscall+0x0/0x28
      [   82.565477]        0xbeea384c
      [   82.568421]
      [   82.568421] other info that might help us debug this:
      [   82.568421]
      [   82.576394]  Possible unsafe locking scenario:
      [   82.576394]
      [   82.582285]        CPU0                    CPU1
      [   82.586792]        ----                    ----
      [   82.591297]   lock(&(&pri_dai->spinlock)->rlock);
      [   82.595977]                                lock(prepare_lock);
      [   82.601782]                                lock(&(&pri_dai->spinlock)->rlock);
      [   82.608975]   lock(prepare_lock);
      [   82.612268]
      [   82.612268]  *** DEADLOCK ***
      
      Fixes: 647d04f8 ("ASoC: samsung: i2s: Ensure the RCLK rate is properly determined")
      Reported-by: NKrzysztof Kozłowski <krzk@kernel.org>
      Signed-off-by: NSylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8f07d764
    • J
      KVM: arm64: Forbid kprobing of the VHE world-switch code · 459058f0
      James Morse 提交于
      [ Upstream commit 7d82602909ed9c73b34ad26f05d10db4850a4f8c ]
      
      On systems with VHE the kernel and KVM's world-switch code run at the
      same exception level. Code that is only used on a VHE system does not
      need to be annotated as __hyp_text as it can reside anywhere in the
      kernel text.
      
      __hyp_text was also used to prevent kprobes from patching breakpoint
      instructions into this region, as this code runs at a different
      exception level. While this is no longer true with VHE, KVM still
      switches VBAR_EL1, meaning a kprobe's breakpoint executed in the
      world-switch code will cause a hyp-panic.
      
      echo "p:weasel sysreg_save_guest_state_vhe" > /sys/kernel/debug/tracing/kprobe_events
      echo 1 > /sys/kernel/debug/tracing/events/kprobes/weasel/enable
      lkvm run -k /boot/Image --console serial -p "console=ttyS0 earlycon=uart,mmio,0x3f8"
      
        # lkvm run -k /boot/Image -m 384 -c 3 --name guest-1474
        Info: Placing fdt at 0x8fe00000 - 0x8fffffff
        Info: virtio-mmio.devices=0x200@0x10000:36
      
        Info: virtio-mmio.devices=0x200@0x10200:37
      
        Info: virtio-mmio.devices=0x200@0x10400:38
      
      [  614.178186] Kernel panic - not syncing: HYP panic:
      [  614.178186] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004
      [  614.178186] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de
      [  614.178186] VCPU:00000000f8de32f1
      [  614.178383] CPU: 2 PID: 1482 Comm: kvm-vcpu-0 Not tainted 5.0.0-rc2 #10799
      [  614.178446] Call trace:
      [  614.178480]  dump_backtrace+0x0/0x148
      [  614.178567]  show_stack+0x24/0x30
      [  614.178658]  dump_stack+0x90/0xb4
      [  614.178710]  panic+0x13c/0x2d8
      [  614.178793]  hyp_panic+0xac/0xd8
      [  614.178880]  kvm_vcpu_run_vhe+0x9c/0xe0
      [  614.178958]  kvm_arch_vcpu_ioctl_run+0x454/0x798
      [  614.179038]  kvm_vcpu_ioctl+0x360/0x898
      [  614.179087]  do_vfs_ioctl+0xc4/0x858
      [  614.179174]  ksys_ioctl+0x84/0xb8
      [  614.179261]  __arm64_sys_ioctl+0x28/0x38
      [  614.179348]  el0_svc_common+0x94/0x108
      [  614.179401]  el0_svc_handler+0x38/0x78
      [  614.179487]  el0_svc+0x8/0xc
      [  614.179558] SMP: stopping secondary CPUs
      [  614.179661] Kernel Offset: disabled
      [  614.179695] CPU features: 0x003,2a80aa38
      [  614.179758] Memory Limit: none
      [  614.179858] ---[ end Kernel panic - not syncing: HYP panic:
      [  614.179858] PS:404003c9 PC:ffff0000100d70e0 ESR:f2000004
      [  614.179858] FAR:0000000080080000 HPFAR:0000000000800800 PAR:1d00007edbadc0de
      [  614.179858] VCPU:00000000f8de32f1 ]---
      
      Annotate the VHE world-switch functions that aren't marked
      __hyp_text using NOKPROBE_SYMBOL().
      Signed-off-by: NJames Morse <james.morse@arm.com>
      Fixes: 3f5c90b8 ("KVM: arm64: Introduce VHE-specific kvm_vcpu_run")
      Acked-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      459058f0
    • C
      KVM: arm/arm64: vgic: Always initialize the group of private IRQs · 04131dfc
      Christoffer Dall 提交于
      [ Upstream commit ab2d5eb03dbb7b37a1c6356686fb48626ab0c93e ]
      
      We currently initialize the group of private IRQs during
      kvm_vgic_vcpu_init, and the value of the group depends on the GIC model
      we are emulating.  However, CPUs created before creating (and
      initializing) the VGIC might end up with the wrong group if the VGIC
      is created as GICv3 later.
      
      Since we have no enforced ordering of creating the VGIC and creating
      VCPUs, we can end up with part the VCPUs being properly intialized and
      the remaining incorrectly initialized.  That also means that we have no
      single place to do the per-cpu data structure initialization which
      depends on knowing the emulated GIC model (which is only the group
      field).
      
      This patch removes the incorrect comment from kvm_vgic_vcpu_init and
      initializes the group of all previously created VCPUs's private
      interrupts in vgic_init in addition to the existing initialization in
      kvm_vgic_vcpu_init.
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      04131dfc
    • M
      arm/arm64: KVM: Don't panic on failure to properly reset system registers · c8312936
      Marc Zyngier 提交于
      [ Upstream commit 20589c8cc47dce5854c8bf1b44a9fc63d798d26d ]
      
      Failing to properly reset system registers is pretty bad. But not
      quite as bad as bringing the whole machine down... So warn loudly,
      but slightly more gracefully.
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c8312936
    • M
      arm/arm64: KVM: Allow a VCPU to fully reset itself · b78379c3
      Marc Zyngier 提交于
      [ Upstream commit 358b28f09f0ab074d781df72b8a671edb1547789 ]
      
      The current kvm_psci_vcpu_on implementation will directly try to
      manipulate the state of the VCPU to reset it.  However, since this is
      not done on the thread that runs the VCPU, we can end up in a strangely
      corrupted state when the source and target VCPUs are running at the same
      time.
      
      Fix this by factoring out all reset logic from the PSCI implementation
      and forwarding the required information along with a request to the
      target VCPU.
      Reviewed-by: NAndrew Jones <drjones@redhat.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b78379c3
    • C
      KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded · dfe9b4d9
      Christoffer Dall 提交于
      [ Upstream commit e761a927bc9a7ee6ceb7c4f63d5922dbced87f0d ]
      
      We have two ways to reset a vcpu:
      - either through VCPU_INIT
      - or through a PSCI_ON call
      
      The first one is easy to reason about. The second one is implemented
      in a more bizarre way, as it is the vcpu that handles PSCI_ON that
      resets the vcpu that is being powered-on. As we need to turn the logic
      around and have the target vcpu to reset itself, we must take some
      preliminary steps.
      
      Resetting the VCPU state modifies the system register state in memory,
      but this may interact with vcpu_load/vcpu_put if running with preemption
      disabled, which in turn may lead to corrupted system register state.
      
      Address this by disabling preemption and doing put/load if required
      around the reset logic.
      Reviewed-by: NAndrew Jones <drjones@redhat.com>
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dfe9b4d9
    • K
      ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check · 20604435
      Kuninori Morimoto 提交于
      [ Upstream commit d9111d36024de07784f2e1ba2ccf70b16035f378 ]
      
      commit 4d230d12 ("ASoC: rsnd: fixup not to call clk_get/set
      under non-atomic") added new rsnd_ssi_prepare() and moved
      rsnd_ssi_master_clk_start() to .prepare.
      But, ssi user count (= ssi->usrcnt) is incremented at .init
      (= rsnd_ssi_init()).
      Because of these timing exchange, ssi->usrcnt check at
      rsnd_ssi_master_clk_start() should be adjusted.
      Otherwise, 2nd master clock setup will be no check.
      This patch fixup this issue.
      
      Fixes: commit 4d230d12 ("ASoC: rsnd: fixup not to call clk_get/set under non-atomic")
      Reported-by: NYusuke Goda <yusuke.goda.sx@renesas.com>
      Reported-by: NValentine Barshak <valentine.barshak@cogentembedded.com>
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Tested-by: NYusuke Goda <yusuke.goda.sx@renesas.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      20604435
    • P
      ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables · e07aaaa7
      Pierre-Louis Bossart 提交于
      [ Upstream commit c16e12010060c6c7a31f08b4a99513064cb53b7d ]
      
      KASAN reports and additional traces point to out-of-bounds accesses to
      the dapm_up_seq and dapm_down_seq lookup tables. The indices used are
      larger than the array definition.
      
      Fix by adding missing entries for the new widget types in these two
      lookup tables, and align them with PGA values.
      
      Also the sequences for the following widgets were not defined. Since
      their values defaulted to zero, assign them explicitly
      
       snd_soc_dapm_input
       snd_soc_dapm_output
       snd_soc_dapm_vmid
       snd_soc_dapm_siggen
       snd_soc_dapm_sink
      
      Fixes: 8a70b454 ('ASoC: dapm: Add new widget type for constructing DAPM graphs on DSPs.').
      Signed-off-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e07aaaa7
    • Y
      ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized · f3f7a8b6
      Yizhuo 提交于
      [ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ]
      
      In function omap4_dsi_mux_pads(), local variable "reg" could
      be uninitialized if function regmap_read() returns -EINVAL.
      However, it will be used directly in the later context, which
      is potentially unsafe.
      Signed-off-by: NYizhuo <yzhai003@ucr.edu>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f3f7a8b6
    • T
      ARM: dts: Configure clock parent for pwm vibra · ad4507bd
      Tony Lindgren 提交于
      [ Upstream commit 0840242e887586268f665bf58d5e1a7d6ebf35ed ]
      
      Commit 84badc5e ("ARM: dts: omap4: Move l4 child devices to probe
      them with ti-sysc") moved some omap4 timers to probe with ti-sysc
      interconnect target module. Turns out this broke pwm-omap-dmtimer
      for reparenting of the timer clock.
      
      With ti-sysc, we can now configure the clock sources in the dts with
      assigned-clocks and assigned-clock-parents.
      
      Fixes: 84badc5e ("ARM: dts: omap4: Move l4 child devices to probe them with ti-sysc")
      Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
      Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
      Cc: H. Nikolaus Schaller <hns@goldelico.com>
      Cc: Keerthy <j-keerthy@ti.com>
      Cc: Ladislav Michl <ladis@linux-mips.org>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Sebastian Reichel <sre@kernel.org>
      Cc: Tero Kristo <t-kristo@ti.com>
      Cc: Thierry Reding <thierry.reding@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Reported-by: NH. Nikolaus Schaller <hns@goldelico.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ad4507bd
    • P
      Input: pwm-vibra - stop regulator after disabling pwm, not before · bac70a89
      Paweł Chmiel 提交于
      [ Upstream commit 94803aef3533676194c772383472636c453e3147 ]
      
      This patch fixes order of disable calls in pwm_vibrator_stop.
      Currently when starting device, we first enable vcc regulator and then
      setup and enable pwm. When stopping, we should do this in oposite order,
      so first disable pwm and then disable regulator.
      Previously order was the same as in start.
      Signed-off-by: NPaweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bac70a89
    • J
      Input: pwm-vibra - prevent unbalanced regulator · 0ed72d3f
      Jonathan Bakker 提交于
      [ Upstream commit 3ca232df9921f083c3b37ba5fbc76f4d9046268b ]
      
      pwm_vibrator_stop disables the regulator, but it can be called from
      multiple places, even when the regulator is already disabled. Fix this
      by using regulator_is_enabled check when starting and stopping device.
      Signed-off-by: NJonathan Bakker <xc-racer2@live.ca>
      Signed-off-by: NPaweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0ed72d3f
    • S
      s390/dasd: fix using offset into zero size array error · 98a137cd
      Stefan Haberland 提交于
      [ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
      
      Dan Carpenter reported the following:
      
      The patch 52898025: "[S390] dasd: security and PSF update patch
      for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
      checker warning:
      
      	drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
      	error: using offset into zero size array 'psf_data[]'
      
      drivers/s390/block/dasd_eckd.c
        4458          /* Copy parms from caller */
        4459          rc = -EFAULT;
        4460          if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
                                          ^^^^^^^
      The user can specify any "usrparm.psf_data_len".  They choose zero by
      mistake.
      
        4461                  goto out;
        4462          if (is_compat_task()) {
        4463                  /* Make sure pointers are sane even on 31 bit. */
        4464                  rc = -EINVAL;
        4465                  if ((usrparm.psf_data >> 32) != 0)
        4466                          goto out;
        4467                  if ((usrparm.rssd_result >> 32) != 0)
        4468                          goto out;
        4469                  usrparm.psf_data &= 0x7fffffffULL;
        4470                  usrparm.rssd_result &= 0x7fffffffULL;
        4471          }
        4472          /* alloc I/O data area */
        4473          psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
        			   				 | GFP_DMA);
        4474          rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
      							       | GFP_DMA);
        4475          if (!psf_data || !rssd_result) {
      
      kzalloc() returns a ZERO_SIZE_PTR (0x16).
      
        4476                  rc = -ENOMEM;
        4477                  goto out_free;
        4478          }
        4479
        4480          /* get syscall header from user space */
        4481          rc = -EFAULT;
        4482          if (copy_from_user(psf_data,
        4483                             (void __user *)(unsigned long)
        				   	 		 usrparm.psf_data,
        4484                             usrparm.psf_data_len))
      
      That all works great.
      
        4485                  goto out_free;
        4486          psf0 = psf_data[0];
        4487          psf1 = psf_data[1];
      
      But now we're assuming that "->psf_data_len" was at least 2 bytes.
      
      Fix this by checking the user specified length psf_data_len.
      
      Fixes: 52898025 ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NStefan Haberland <sth@linux.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      98a137cd
    • E
      arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and excavator · cdaf89ab
      Enric Balletbo i Serra 提交于
      [ Upstream commit 26cd8657c7e745686a4c54a5cccf721ede208a25 ]
      
      Ports are described by child 'port' nodes contained in the device node.
      'ports' is optional and is used to group all 'port' nodes which is not
      the case here.
      
      This patch fixes the following warnings:
      
      arch/arm64/boot/dts/rockchip/rk3399-gru-bob.dts:25.9-29.5: Warning (graph_port): /edp-panel/ports: graph port node name should be 'port'
      arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts:46.9-50.5: Warningi (graph_port): /edp-panel/ports: graph port node name should be 'port'
      arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts:94.9-98.5: Warning (graph_port): /edp-panel/ports: graph port node name should be 'port'
      Signed-off-by: NEnric Balletbo i Serra <enric.balletbo@collabora.com>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      cdaf89ab
    • J
      KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock · 5f4a64b0
      Julien Thierry 提交于
      [ Upstream commit fc3bc475231e12e9c0142f60100cf84d077c79e1 ]
      
      vgic_dist->lpi_list_lock must always be taken with interrupts disabled as
      it is used in interrupt context.
      
      For configurations such as PREEMPT_RT_FULL, this means that it should
      be a raw_spinlock since RT spinlocks are interruptible.
      Signed-off-by: NJulien Thierry <julien.thierry@arm.com>
      Acked-by: NChristoffer Dall <christoffer.dall@arm.com>
      Acked-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5f4a64b0
    • T
      clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting · ac696b01
      Tony Lindgren 提交于
      [ Upstream commit 983a5a43ec254cd5ddf3254db80ca96e8f8bb2a4 ]
      
      Commit 84badc5e ("ARM: dts: omap4: Move l4 child devices to probe
      them with ti-sysc") moved some omap4 timers to probe with ti-sysc
      interconnect target module. Turns out this broke pwm-omap-dmtimer
      where we now try to reparent the clock to itself with the following:
      
      omap_dm_timer_of_set_source: failed to set parent
      
      With ti-sysc, we can now configure the clock sources in the dts
      with assigned-clocks and assigned-clock-parents. So we should be able
      to remove omap_dm_timer_of_set_source with clean-up patches later on.
      But for now, let's just fix it first by checking if parent and fck
      are the same and bail out of so.
      
      Fixes: 84badc5e ("ARM: dts: omap4: Move l4 child devices to probe them with ti-sysc")
      Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
      Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
      Cc: H. Nikolaus Schaller <hns@goldelico.com>
      Cc: Keerthy <j-keerthy@ti.com>
      Cc: Ladislav Michl <ladis@linux-mips.org>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Sebastian Reichel <sre@kernel.org>
      Cc: Tero Kristo <t-kristo@ti.com>
      Cc: Thierry Reding <thierry.reding@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Reported-by: NH. Nikolaus Schaller <hns@goldelico.com>
      Tested-By: NAndreas Kemnade <andreas@kemnade.info>
      Tested-By: NH. Nikolaus Schaller <hns@goldelico.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ac696b01
    • S
      ASoC: rt5682: Correct the setting while select ASRC clk for AD/DA filter · b2c642a1
      Shuming Fan 提交于
      [ Upstream commit 8077ec011b1ea26abb7ca786f28ecccfb352717f ]
      
      AD/DA ASRC function control two ASRC clock sources separately.
      Whether AD/DA filter select which clock source, we enable AD/DA ASRC
      function for all cases.
      Signed-off-by: NShuming Fan <shumingf@realtek.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b2c642a1
    • S
      gpu: ipu-v3: Fix CSI offsets for imx53 · 35ad2e6d
      Steve Longerbeam 提交于
      [ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ]
      
      The CSI offsets are wrong for both CSI0 and CSI1. They are at
      physical address 0x1e030000 and 0x1e038000 respectively.
      
      Fixes: 2ffd48f2 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
      Signed-off-by: NSteve Longerbeam <slongerbeam@gmail.com>
      Signed-off-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      35ad2e6d
    • J
      drm/imx: imx-ldb: add missing of_node_puts · 04c5c4c4
      Julia Lawall 提交于
      [ Upstream commit aa3312012f103f91f123600bbf768b11c8f431bc ]
      
      The device node iterators perform an of_node_get on each
      iteration, so a jump out of the loop requires an of_node_put.
      
      Move the initialization channel->child = child; down to just
      before the call to imx_ldb_register so that intervening failures
      don't need to clear it.  Add a label at the end of the function to
      do all the of_node_puts.
      
      The semantic patch that finds part of this problem is as follows
      (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      expression root,e;
      local idexpression child;
      iterator name for_each_child_of_node;
      @@
      
       for_each_child_of_node(root, child) {
         ... when != of_node_put(child)
             when != e = child
      (
         return child;
      |
      *  return ...;
      )
         ...
       }
      // </smpl>
      Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      04c5c4c4
    • A
      gpu: ipu-v3: Fix i.MX51 CSI control registers offset · 1640b528
      Alexander Shiyan 提交于
      [ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ]
      
      The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative
      to the control module registers on IPUv3EX.
      This patch fixes wrong values for i.MX51 CSI0/CSI1.
      
      Fixes: 2ffd48f2 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
      Signed-off-by: NAlexander Shiyan <shc_work@mail.ru>
      Signed-off-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1640b528
    • P
      drm/imx: ignore plane updates on disabled crtcs · a308622f
      Philipp Zabel 提交于
      [ Upstream commit 4fb873c9648e383206e0a91cef9b03aa54066aca ]
      
      This patch fixes backtraces like the following when sending SIGKILL to a
      process with a currently pending plane update:
      
          [drm:ipu_plane_atomic_check] CRTC should be enabled
          [drm:drm_framebuffer_remove] *ERROR* failed to commit
          ------------[ cut here ]------------
          WARNING: CPU: 3 PID: 63 at drivers/gpu/drm/drm_framebuffer.c:926 drm_framebuffer_remove+0x47c/0x498
          atomic remove_fb failed with -22
      Signed-off-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a308622f
    • Z
      crypto: rockchip - update new iv to device in multiple operations · 2e0e1f9a
      Zhang Zhijie 提交于
      commit c1c214adcb56d36433480c8fedf772498e7e539c upstream.
      
      For chain mode in cipher(eg. AES-CBC/DES-CBC), the iv is continuously
      updated in the operation. The new iv value should be written to device
      register by software.
      Reported-by: NEric Biggers <ebiggers@google.com>
      Fixes: 433cd2c6 ("crypto: rockchip - add crypto driver for rk3288")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: NZhang Zhijie <zhangzj@rock-chips.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e0e1f9a
    • Z
      crypto: rockchip - fix scatterlist nents error · 5aabf067
      Zhang Zhijie 提交于
      commit 4359669a087633132203c52d67dd8c31e09e7b2e upstream.
      
      In some cases, the nents of src scatterlist is different from
      dst scatterlist. So two variables are used to handle the nents
      of src&dst scatterlist.
      Reported-by: NEric Biggers <ebiggers@google.com>
      Fixes: 433cd2c6 ("crypto: rockchip - add crypto driver for rk3288")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: NZhang Zhijie <zhangzj@rock-chips.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5aabf067
    • E
      crypto: ahash - fix another early termination in hash walk · 3c5d7703
      Eric Biggers 提交于
      commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream.
      
      Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
      "michael_mic", fail the improved hash tests because they sometimes
      produce the wrong digest.  The bug is that in the case where a
      scatterlist element crosses pages, not all the data is actually hashed
      because the scatterlist walk terminates too early.  This happens because
      the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
      of bytes remaining in the page, then later interpreted as the number of
      bytes remaining in the scatterlist element.  Fix it.
      
      Fixes: 900a081f ("crypto: ahash - Fix early termination in hash walk")
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c5d7703
    • E
      crypto: cfb - remove bogus memcpy() with src == dest · 1a10e6b5
      Eric Biggers 提交于
      commit 6c2e322b3621dc8be72e5c86d4fdb587434ba625 upstream.
      
      The memcpy() in crypto_cfb_decrypt_inplace() uses walk->iv as both the
      source and destination, which has undefined behavior.  It is unneeded
      because walk->iv is already used to hold the previous ciphertext block;
      thus, walk->iv is already updated to its final value.  So, remove it.
      
      Also, note that in-place decryption is the only case where the previous
      ciphertext block is not directly available.  Therefore, as a related
      cleanup I also updated crypto_cfb_encrypt_segment() to directly use the
      previous ciphertext block rather than save it into walk->iv.  This makes
      it consistent with in-place encryption and out-of-place decryption; now
      only in-place decryption is different, because it has to be.
      
      Fixes: a7d85e06 ("crypto: cfb - add support for Cipher FeedBack mode")
      Cc: <stable@vger.kernel.org> # v4.17+
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a10e6b5
    • E
      crypto: cfb - add missing 'chunksize' property · 0b1871d0
      Eric Biggers 提交于
      commit 394a9e044702e6a8958a5e89d2a291605a587a2a upstream.
      
      Like some other block cipher mode implementations, the CFB
      implementation assumes that while walking through the scatterlist, a
      partial block does not occur until the end.  But the walk is incorrectly
      being done with a blocksize of 1, as 'cra_blocksize' is set to 1 (since
      CFB is a stream cipher) but no 'chunksize' is set.  This bug causes
      incorrect encryption/decryption for some scatterlist layouts.
      
      Fix it by setting the 'chunksize'.  Also extend the CFB test vectors to
      cover this bug as well as cases where the message length is not a
      multiple of the block size.
      
      Fixes: a7d85e06 ("crypto: cfb - add support for Cipher FeedBack mode")
      Cc: <stable@vger.kernel.org> # v4.17+
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b1871d0
    • G
      crypto: ccree - don't copy zero size ciphertext · 6ed42ccc
      Gilad Ben-Yossef 提交于
      commit 2b5ac17463dcb2411fed506edcf259a89bb538ba upstream.
      
      For decryption in CBC mode we need to save the last ciphertext block
      for use as the next IV. However, we were trying to do this also with
      zero sized ciphertext resulting in a panic.
      
      Fix this by only doing the copy if the ciphertext length is at least
      of IV size.
      Signed-off-by: NGilad Ben-Yossef <gilad@benyossef.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ed42ccc
    • G
      crypto: ccree - unmap buffer before copying IV · 0bdd345a
      Gilad Ben-Yossef 提交于
      commit c139c72e2beb3e3db5148910b3962b7322e24374 upstream.
      
      We were copying the last ciphertext block into the IV field
      for CBC before removing the DMA mapping of the output buffer
      with the result of the buffer sometime being out-of-sync cache
      wise and were getting intermittent cases of bad output IV.
      
      Fix it by moving the DMA buffer unmapping before the copy.
      Signed-off-by: NGilad Ben-Yossef <gilad@benyossef.com>
      Fixes: 00904aa0 ("crypto: ccree - fix iv handling")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bdd345a
    • H
      crypto: ccree - fix free of unallocated mlli buffer · 009eeb98
      Hadar Gat 提交于
      commit a49411959ea6d4915a9fd2a7eb5ba220e6284e9a upstream.
      
      In cc_unmap_aead_request(), call dma_pool_free() for mlli buffer only
      if an item is allocated from the pool and not always if there is a
      pool allocated.
      This fixes a kernel panic when trying to free a non-allocated item.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NHadar Gat <hadar.gat@arm.com>
      Signed-off-by: NGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      009eeb98