1. 31 5月, 2019 40 次提交
    • A
      i40e: Able to add up to 16 MAC filters on an untrusted VF · e3e8cdac
      Adam Ludkiewicz 提交于
      [ Upstream commit 06b6e2a2333eb3581567a7ac43ca465ef45f4daa ]
      
      This patch fixes the problem with the driver being able to add only 7
      multicast MAC address filters instead of 16. The problem is fixed by
      changing the maximum number of MAC address filters to 16+1+1 (two extra
      are needed because the driver uses 1 for unicast MAC address and 1 for
      broadcast).
      Signed-off-by: NAdam Ludkiewicz <adam.ludkiewicz@intel.com>
      Tested-by: NAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e3e8cdac
    • A
      phy: mapphone-mdm6600: add gpiolib dependency · 267b3c6b
      Arnd Bergmann 提交于
      [ Upstream commit 208d3423ee463ab257908456f6bbca4024ab63f7 ]
      
      gcc points out that when CONFIG_GPIOLIB is disabled,
      gpiod_get_array_value_cansleep() returns 0 but fails to set its output:
      
      drivers/phy/motorola/phy-mapphone-mdm6600.c: In function 'phy_mdm6600_status':
      drivers/phy/motorola/phy-mapphone-mdm6600.c:220:24: error: 'values[0]' is used uninitialized in this function [-Werror=uninitialized]
      
      This could be fixed more generally in gpiolib by returning a failure
      code, but for this specific case, the easier workaround is to add a
      gpiolib dependency.
      
      Fixes: 5d1ebbda ("phy: mapphone-mdm6600: Add USB PHY driver for MDM6600 on Droid 4")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      267b3c6b
    • P
      phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode · 3ecda688
      Paul Kocialkowski 提交于
      [ Upstream commit e6f32efb1b128344a2c7df9875bc1a1abaa1d395 ]
      
      On platforms where the MUSB and HCI controllers share PHY0, PHY passby
      is required when using the HCI controller with the PHY, but it must be
      disabled when the MUSB controller is used instead.
      
      Without this, PHY0 passby is always enabled, which results in broken
      peripheral mode on such platforms (e.g. H3/H5).
      
      Fixes: ba4bdc9e ("PHY: sunxi: Add driver for sunxi usb phy")
      Signed-off-by: NPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Signed-off-by: NKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3ecda688
    • R
      drm: etnaviv: avoid DMA API warning when importing buffers · 63b4f89d
      Russell King 提交于
      [ Upstream commit 1262cc8893ecb0eb2c21e042d0d268cc180edb61 ]
      
      During boot, I get this kernel warning:
      
      WARNING: CPU: 0 PID: 19001 at kernel/dma/debug.c:1301 debug_dma_map_sg+0x284/0x3dc
      etnaviv etnaviv: DMA-API: mapping sg segment longer than device claims to support [len=3145728] [max=65536]
      Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_broute ebtable_nat ip6table_raw ip6table_nat nf_nat_ipv6 ip6table_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 libcrc32c iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter caam_jr error snd_soc_imx_spdif imx_thermal snd_soc_imx_audmux nvmem_imx_ocotp snd_soc_sgtl5000
      caam imx_sdma virt_dma coda rc_cec v4l2_mem2mem snd_soc_fsl_ssi snd_soc_fsl_spdif imx_vdoa imx_pcm_dma videobuf2_dma_contig etnaviv dw_hdmi_cec gpu_sched dw_hdmi_ahb_audio imx6q_cpufreq nfsd sch_fq_codel ip_tables x_tables
      CPU: 0 PID: 19001 Comm: Xorg Not tainted 4.20.0+ #307
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      [<c0019658>] (unwind_backtrace) from [<c001489c>] (show_stack+0x10/0x14)
      [<c001489c>] (show_stack) from [<c07fb420>] (dump_stack+0x9c/0xd4)
      [<c07fb420>] (dump_stack) from [<c00312dc>] (__warn+0xf8/0x124)
      [<c00312dc>] (__warn) from [<c00313d0>] (warn_slowpath_fmt+0x38/0x48)
      [<c00313d0>] (warn_slowpath_fmt) from [<c00b14e8>] (debug_dma_map_sg+0x284/0x3dc)
      [<c00b14e8>] (debug_dma_map_sg) from [<c046eb40>] (drm_gem_map_dma_buf+0xc4/0x13c)
      [<c046eb40>] (drm_gem_map_dma_buf) from [<c04c3314>] (dma_buf_map_attachment+0x38/0x5c)
      [<c04c3314>] (dma_buf_map_attachment) from [<c046e728>] (drm_gem_prime_import_dev+0x74/0x104)
      [<c046e728>] (drm_gem_prime_import_dev) from [<c046e5bc>] (drm_gem_prime_fd_to_handle+0x84/0x17c)
      [<c046e5bc>] (drm_gem_prime_fd_to_handle) from [<c046edd0>] (drm_prime_fd_to_handle_ioctl+0x38/0x4c)
      [<c046edd0>] (drm_prime_fd_to_handle_ioctl) from [<c0460efc>] (drm_ioctl_kernel+0x90/0xc8)
      [<c0460efc>] (drm_ioctl_kernel) from [<c0461114>] (drm_ioctl+0x1e0/0x3b0)
      [<c0461114>] (drm_ioctl) from [<c01cae20>] (do_vfs_ioctl+0x90/0xa48)
      [<c01cae20>] (do_vfs_ioctl) from [<c01cb80c>] (ksys_ioctl+0x34/0x60)
      [<c01cb80c>] (ksys_ioctl) from [<c0009000>] (ret_fast_syscall+0x0/0x28)
      Exception stack(0xd81a9fa8 to 0xd81a9ff0)
      9fa0:                   b6c69c88 bec613f8 00000009 c00c642e bec613f8 b86c4600
      9fc0: b6c69c88 bec613f8 c00c642e 00000036 012762e0 01276348 00000300 012d91f8
      9fe0: b6989f18 bec613dc b697185c b667be5c
      irq event stamp: 47905
      hardirqs last  enabled at (47913): [<c0098824>] console_unlock+0x46c/0x680
      hardirqs last disabled at (47922): [<c0098470>] console_unlock+0xb8/0x680
      softirqs last  enabled at (47754): [<c000a484>] __do_softirq+0x344/0x540
      softirqs last disabled at (47701): [<c0038700>] irq_exit+0x124/0x144
      ---[ end trace af477747acbcc642 ]---
      
      The reason is the contiguous buffer exceeds the default maximum segment
      size of 64K as specified by dma_get_max_seg_size() in
      linux/dma-mapping.h.  Fix this by providing our own segment size, which
      is set to 2GiB to cover the window found in MMUv1 GPUs.
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NLucas Stach <l.stach@pengutronix.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      63b4f89d
    • T
      x86/irq/64: Limit IST stack overflow check to #DB stack · f843f848
      Thomas Gleixner 提交于
      [ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]
      
      Commit
      
        37fe6a42 ("x86: Check stack overflow in detail")
      
      added a broad check for the full exception stack area, i.e. it considers
      the full exception stack area as valid.
      
      That's wrong in two aspects:
      
       1) It does not check the individual areas one by one
      
       2) #DF, NMI and #MCE are not enabling interrupts which means that a
          regular device interrupt cannot happen in their context. In fact if a
          device interrupt hits one of those IST stacks that's a bug because some
          code path enabled interrupts while handling the exception.
      
      Limit the check to the #DB stack and consider all other IST stacks as
      'overflow' or invalid.
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
      Cc: Nicolai Stange <nstange@suse.de>
      Cc: Sean Christopherson <sean.j.christopherson@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.deSigned-off-by: NSasha Levin <sashal@kernel.org>
      f843f848
    • A
      USB: core: Don't unbind interfaces following device reset failure · 97abdfa8
      Alan Stern 提交于
      [ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]
      
      The SCSI core does not like to have devices or hosts unregistered
      while error recovery is in progress.  Trying to do so can lead to
      self-deadlock: Part of the removal code tries to obtain a lock already
      held by the error handler.
      
      This can cause problems for the usb-storage and uas drivers, because
      their error handler routines perform a USB reset, and if the reset
      fails then the USB core automatically goes on to unbind all drivers
      from the device's interfaces -- all while still in the context of the
      SCSI error handler.
      
      As it turns out, practically all the scenarios leading to a USB reset
      failure end up causing a device disconnect (the main error pathway in
      usb_reset_and_verify_device(), at the end of the routine, calls
      hub_port_logical_disconnect() before returning).  As a result, the
      hub_wq thread will soon become aware of the problem and will unbind
      all the device's drivers in its own context, not in the
      error-handler's context.
      
      This means that usb_reset_device() does not need to call
      usb_unbind_and_rebind_marked_interfaces() in cases where
      usb_reset_and_verify_device() has returned an error, because hub_wq
      will take care of everything anyway.
      
      This particular problem was observed in somewhat artificial
      circumstances, by using usbfs to tell a hub to power-down a port
      connected to a USB-3 mass storage device using the UAS protocol.  With
      the port turned off, the currently executing command timed out and the
      error handler started running.  The USB reset naturally failed,
      because the hub port was off, and the error handler deadlocked as
      described above.  Not carrying out the call to
      usb_unbind_and_rebind_marked_interfaces() fixes this issue.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NKento Kobayashi <Kento.A.Kobayashi@sony.com>
      Tested-by: NKento Kobayashi <Kento.A.Kobayashi@sony.com>
      CC: Bart Van Assche <bvanassche@acm.org>
      CC: Martin K. Petersen <martin.petersen@oracle.com>
      CC: Jacky Cao <Jacky.Cao@sony.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      97abdfa8
    • J
      s390/qeth: handle error from qeth_update_from_chp_desc() · 3711c988
      Julian Wiedmann 提交于
      [ Upstream commit a4cdc9baee0740748f16e50cd70c2607510df492 ]
      
      Subsequent code relies on the values that qeth_update_from_chp_desc()
      reads from the CHP descriptor. Rather than dealing with weird errors
      later on, just handle it properly here.
      Signed-off-by: NJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3711c988
    • M
      thunderbolt: Take domain lock in switch sysfs attribute callbacks · 5d5652b5
      Mika Westerberg 提交于
      [ Upstream commit 09f11b6c99feaf86a26444bca85dc693b3f58f8b ]
      
      switch_lock was introduced because it allowed serialization of device
      authorization requests from userspace without need to take the big
      domain lock (tb->lock). This was fine because device authorization with
      ICM is just one command that is sent to the firmware. Now that we start
      to handle all tunneling in the driver switch_lock is not enough because
      we need to walk over the topology to establish paths.
      
      For this reason drop switch_lock from the driver completely in favour of
      big domain lock.
      
      There is one complication, though. If userspace is waiting for the lock
      in tb_switch_set_authorized(), it keeps the device_del() from removing
      the sysfs attribute because it waits for active users to release the
      attribute first which leads into following splat:
      
          INFO: task kworker/u8:3:73 blocked for more than 61 seconds.
                Tainted: G        W         5.1.0-rc1+ #244
          "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
          kworker/u8:3    D12976    73      2 0x80000000
          Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
          Call Trace:
           ? __schedule+0x2e5/0x740
           ? _raw_spin_lock_irqsave+0x12/0x40
           ? prepare_to_wait_event+0xc5/0x160
           schedule+0x2d/0x80
           __kernfs_remove.part.17+0x183/0x1f0
           ? finish_wait+0x80/0x80
           kernfs_remove_by_name_ns+0x4a/0x90
           remove_files.isra.1+0x2b/0x60
           sysfs_remove_group+0x38/0x80
           sysfs_remove_groups+0x24/0x40
           device_remove_attrs+0x3d/0x70
           device_del+0x14c/0x360
           device_unregister+0x15/0x50
           tb_switch_remove+0x9e/0x1d0 [thunderbolt]
           tb_handle_hotplug+0x119/0x5a0 [thunderbolt]
           ? process_one_work+0x1b7/0x420
           process_one_work+0x1b7/0x420
           worker_thread+0x37/0x380
           ? _raw_spin_unlock_irqrestore+0xf/0x30
           ? process_one_work+0x420/0x420
           kthread+0x118/0x130
           ? kthread_create_on_node+0x60/0x60
           ret_from_fork+0x35/0x40
      
      We deal this by following what network stack did for some of their
      attributes and use mutex_trylock() with restart_syscall(). This makes
      userspace release the attribute allowing sysfs attribute removal to
      progress before the write is restarted and eventually fail when the
      attribute is removed.
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5d5652b5
    • N
      irq_work: Do not raise an IPI when queueing work on the local CPU · afee27f3
      Nicholas Piggin 提交于
      [ Upstream commit 471ba0e686cb13752bc1ff3216c54b69a2d250ea ]
      
      The QEMU PowerPC/PSeries machine model was not expecting a self-IPI,
      and it may be a bit surprising thing to do, so have irq_work_queue_on
      do local queueing when target is the current CPU.
      Suggested-by: NSteven Rostedt <rostedt@goodmis.org>
      Reported-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: NFrederic Weisbecker <frederic@kernel.org>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190409093403.20994-1-npiggin@gmail.com
      [ Simplified the preprocessor comments.
        Fixed unbalanced curly brackets pointed out by Thomas. ]
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      afee27f3
    • W
      drm/msm: a5xx: fix possible object reference leak · dee2faf0
      Wen Yang 提交于
      [ Upstream commit 6cd5235c3135ea84b32469ea51b2aae384eda8af ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Rob Clark <robdclark@gmail.com>
      Cc: Sean Paul <sean@poorly.run>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Jordan Crouse <jcrouse@codeaurora.org>
      Cc: Mamta Shukla <mamtashukla555@gmail.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: Sharat Masetty <smasetty@codeaurora.org>
      Cc: linux-arm-msm@vger.kernel.org
      Cc: dri-devel@lists.freedesktop.org
      Cc: freedreno@lists.freedesktop.org
      Cc: linux-kernel@vger.kernel.org (open list)
      Reviewed-by: NJordan Crouse <jcrouse@codeaurora.org>
      Signed-off-by: NRob Clark <robdclark@gmail.com>
      Signed-off-by: NRob Clark <robdclark@chromium.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dee2faf0
    • N
      staging: vc04_services: handle kzalloc failure · e0b75a79
      Nicholas Mc Guire 提交于
      [ Upstream commit a5112277872a56017b777770e2fd4324d4a6c866 ]
      
      The kzalloc here was being used without checking the return - if the
      kzalloc fails return VCHIQ_ERROR. The call-site of
      vchiq_platform_init_state() vchiq_init_state() was not responding
      to an allocation failure so checks for != VCHIQ_SUCCESS
      and pass VCHIQ_ERROR up to vchiq_platform_init() which then
      will fail with -EINVAL.
      Signed-off-by: NNicholas Mc Guire <hofrat@osadl.org>
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Acked-By: NStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e0b75a79
    • K
      sched/core: Handle overflow in cpu_shares_write_u64 · 355673f8
      Konstantin Khlebnikov 提交于
      [ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]
      
      Bit shift in scale_load() could overflow shares. This patch saturates
      it to MAX_SHARES like following sched_group_set_shares().
      
      Example:
      
       # echo 9223372036854776832 > cpu.shares
       # cat cpu.shares
      
      Before patch: 1024
      After pattch: 262144
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      355673f8
    • K
      sched/rt: Check integer overflow at usec to nsec conversion · 7053046e
      Konstantin Khlebnikov 提交于
      [ Upstream commit 1a010e29cfa00fee2888fd2fd4983f848cbafb58 ]
      
      Example of unhandled overflows:
      
       # echo 18446744073709651 > cpu.rt_runtime_us
       # cat cpu.rt_runtime_us
       99
      
       # echo 18446744073709900 > cpu.rt_period_us
       # cat cpu.rt_period_us
       348
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7053046e
    • K
      sched/core: Check quota and period overflow at usec to nsec conversion · 925275d0
      Konstantin Khlebnikov 提交于
      [ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]
      
      Large values could overflow u64 and pass following sanity checks.
      
       # echo 18446744073750000 > cpu.cfs_period_us
       # cat cpu.cfs_period_us
       40448
      
       # echo 18446744073750000 > cpu.cfs_quota_us
       # cat cpu.cfs_quota_us
       40448
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzzSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      925275d0
    • R
      cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock · 4e4d5cea
      Roman Gushchin 提交于
      [ Upstream commit 4dcabece4c3a9f9522127be12cc12cc120399b2f ]
      
      The number of descendant cgroups and the number of dying
      descendant cgroups are currently synchronized using the cgroup_mutex.
      
      The number of descendant cgroups will be required by the cgroup v2
      freezer, which will use it to determine if a cgroup is frozen
      (depending on total number of descendants and number of frozen
      descendants). It's not always acceptable to grab the cgroup_mutex,
      especially from quite hot paths (e.g. exit()).
      
      To avoid this, let's additionally synchronize these counters using
      the css_set_lock.
      
      So, it's safe to read these counters with either cgroup_mutex or
      css_set_lock locked, and for changing both locks should be acquired.
      Signed-off-by: NRoman Gushchin <guro@fb.com>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: kernel-team@fb.com
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4e4d5cea
    • S
      random: add a spinlock_t to struct batched_entropy · 944c5852
      Sebastian Andrzej Siewior 提交于
      [ Upstream commit b7d5dc21072cda7124d13eae2aefb7343ef94197 ]
      
      The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
      This is just a preempt_disable() which ensures that the variable is only
      from the local CPU. It does not protect against users on the same CPU
      from another context. It is possible that a preemptible context reads
      slot 0 and then an interrupt occurs and the same value is read again.
      
      The above scenario is confirmed by lockdep if we add a spinlock:
      | ================================
      | WARNING: inconsistent lock state
      | 5.1.0-rc3+ #42 Not tainted
      | --------------------------------
      | inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      | ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
      | (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
      | {SOFTIRQ-ON-W} state was registered at:
      |   _raw_spin_lock+0x2a/0x40
      |   get_random_u32+0x3e/0xe0
      |   new_slab+0x15c/0x7b0
      |   ___slab_alloc+0x492/0x620
      |   __slab_alloc.isra.73+0x53/0xa0
      |   kmem_cache_alloc_node+0xaf/0x2a0
      |   copy_process.part.41+0x1e1/0x2370
      |   _do_fork+0xdb/0x6d0
      |   kernel_thread+0x20/0x30
      |   kthreadd+0x1ba/0x220
      |   ret_from_fork+0x3a/0x50
      …
      | other info that might help us debug this:
      |  Possible unsafe locking scenario:
      |
      |        CPU0
      |        ----
      |   lock(batched_entropy_u32.lock);
      |   <Interrupt>
      |     lock(batched_entropy_u32.lock);
      |
      |  *** DEADLOCK ***
      |
      | stack backtrace:
      | Call Trace:
      …
      |  kmem_cache_alloc_trace+0x20e/0x270
      |  ipmi_alloc_recv_msg+0x16/0x40
      …
      |  __do_softirq+0xec/0x48d
      |  run_ksoftirqd+0x37/0x60
      |  smpboot_thread_fn+0x191/0x290
      |  kthread+0xfe/0x130
      |  ret_from_fork+0x3a/0x50
      
      Add a spinlock_t to the batched_entropy data structure and acquire the
      lock while accessing it. Acquire the lock with disabled interrupts
      because this function may be used from interrupt context.
      
      Remove the batched_entropy_reset_lock lock. Now that we have a lock for
      the data scructure, we can access it from a remote CPU.
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      944c5852
    • J
      random: fix CRNG initialization when random.trust_cpu=1 · 6fa6381a
      Jon DeVree 提交于
      [ Upstream commit fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 ]
      
      When the system boots with random.trust_cpu=1 it doesn't initialize the
      per-NUMA CRNGs because it skips the rest of the CRNG startup code. This
      means that the code from 1e7f583a ("random: make /dev/urandom scalable
      for silly userspace programs") is not used when random.trust_cpu=1.
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314029] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $6 = (struct crng_state **) 0x0
      
      After adding the missing call to numa_crng_init() the per-NUMA CRNGs are
      initialized again:
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314031] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $1 = (struct crng_state **) 0xffff9a915f4014a0
      
      The call to invalidate_batched_entropy() was also missing. This is
      important for architectures like PPC and S390 which only have the
      arch_get_random_seed_* functions.
      
      Fixes: 39a8883a ("random: add a config option to trust the CPU's hwrng")
      Signed-off-by: NJon DeVree <nuxi@vault24.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6fa6381a
    • R
      powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX · fec8a09f
      Russell Currey 提交于
      [ Upstream commit 56c46bba9bbfe229b4472a5be313c44c5b714a39 ]
      
      With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M
      boundary.  This is necessary so that it can be repurposed later with
      different permissions.  However, in kernels with text larger than 16M,
      this pushes early_setup past 32M, incapable of being reached by the
      branch instruction.
      
      Fix this by setting the CTR and branching there instead.
      
      Fixes: 1e0fc9d1 ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
      Signed-off-by: NRussell Currey <ruscur@russell.cc>
      [mpe: Fix it to work on BE by using DOTSYM()]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fec8a09f
    • N
      powerpc/numa: improve control of topology updates · f488832c
      Nathan Lynch 提交于
      [ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]
      
      When booted with "topology_updates=no", or when "off" is written to
      /proc/powerpc/topology_updates, NUMA reassignments are inhibited for
      PRRN and VPHN events. However, migration and suspend unconditionally
      re-enable reassignments via start_topology_update(). This is
      incoherent.
      
      Check the topology_updates_enabled flag in
      start/stop_topology_update() so that callers of those APIs need not be
      aware of whether reassignments are enabled. This allows the
      administrative decision on reassignments to remain in force across
      migrations and suspensions.
      Signed-off-by: NNathan Lynch <nathanl@linux.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f488832c
    • Y
      block: fix use-after-free on gendisk · ad393793
      Yufen Yu 提交于
      [ Upstream commit 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd ]
      
      commit 2da78092 "block: Fix dev_t minor allocation lifetime"
      specifically moved blk_free_devt(dev->devt) call to part_release()
      to avoid reallocating device number before the device is fully
      shutdown.
      
      However, it can cause use-after-free on gendisk in get_gendisk().
      We use md device as example to show the race scenes:
      
      Process1		Worker			Process2
      md_free
      						blkdev_open
      del_gendisk
        add delete_partition_work_fn() to wq
        						__blkdev_get
      						get_gendisk
      put_disk
        disk_release
          kfree(disk)
          						find part from ext_devt_idr
      						get_disk_and_module(disk)
          					  	cause use after free
      
          			delete_partition_work_fn
      			put_device(part)
          		  	part_release
      		    	remove part from ext_devt_idr
      
      Before <devt, hd_struct pointer> is removed from ext_devt_idr by
      delete_partition_work_fn(), we can find the devt and then access
      gendisk by hd_struct pointer. But, if we access the gendisk after
      it have been freed, it can cause in use-after-freeon gendisk in
      get_gendisk().
      
      We fix this by adding a new helper blk_invalidate_devt() in
      delete_partition() and del_gendisk(). It replaces hd_struct
      pointer in idr with value 'NULL', and deletes the entry from
      idr in part_release() as we do now.
      
      Thanks to Jan Kara for providing the solution and more clear comments
      for the code.
      
      Fixes: 2da78092 ("block: Fix dev_t minor allocation lifetime")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Reviewed-by: NKeith Busch <keith.busch@intel.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Suggested-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ad393793
    • F
      iio: adc: stm32-dfsdm: fix unmet direct dependencies detected · 30f8da71
      Fabrice Gasnier 提交于
      [ Upstream commit ba7ecfe43d6bf12e2aa76705c45f7d187ae3d7c0 ]
      
      This fixes unmet direct dependencies seen when CONFIG_STM32_DFSDM_ADC
      is selected:
      
      WARNING: unmet direct dependencies detected for IIO_BUFFER_HW_CONSUMER
        Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
        Selected by [y]:
        - STM32_DFSDM_ADC [=y] && IIO [=y] && (ARCH_STM32 [=y] && OF [=y] ||
          COMPILE_TEST [=n])
      
      Fixes: e2e6771c ("IIO: ADC: add STM32 DFSDM sigma delta ADC support")
      Signed-off-by: NFabrice Gasnier <fabrice.gasnier@st.com>
      Signed-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      30f8da71
    • D
      media: pvrusb2: Prevent a buffer overflow · 11ad5277
      Dan Carpenter 提交于
      [ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
      
      The ctrl_check_input() function is called from pvr2_ctrl_range_check().
      It's supposed to validate user supplied input and return true or false
      depending on whether the input is valid or not.  The problem is that
      negative shifts or shifts greater than 31 are undefined in C.  In
      practice with GCC they result in shift wrapping so this function returns
      true for some inputs which are not valid and this could result in a
      buffer overflow:
      
          drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
          warn: uncapped user index 'names[val]'
      
      The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
      and the highest valid bit is BIT(4).
      
      Fixes: 7fb20fa3 ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      11ad5277
    • S
      media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() · a90ce66a
      Shuah Khan 提交于
      [ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]
      
      Fix au0828_analog_stream_enable() to check if device is in the right
      state first. When unbind happens while bind is in progress, usbdev
      pointer could be invalid in au0828_analog_stream_enable() and a call
      to usb_ifnum_to_if() will result in the null pointer dereference.
      
      This problem is found with the new media_dev_allocator.sh test.
      
      kernel: [  590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
      kernel: [  590.359627] #PF error: [normal kernel read fault]
      kernel: [  590.359629] PGD 0 P4D 0
      kernel: [  590.359632] Oops: 0000 [#1] SMP PTI
      kernel: [  590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
      kernel: [  590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
      kernel: [  590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
      kernel: [  590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
       10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
      6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
      9 74
      kernel: [  590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
      kernel: [  590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
      kernel: [  590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
      kernel: [  590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
      kernel: [  590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
      kernel: [  590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
      kernel: [  590.359654] FS:  00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
      kernel: [  590.359655] CS:  0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
      kernel: [  590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
      kernel: [  590.359658] Call Trace:
      kernel: [  590.359664]  ? au0828_analog_stream_enable+0x2c/0x180
      kernel: [  590.359666]  au0828_v4l2_open+0xa4/0x110
      kernel: [  590.359670]  v4l2_open+0x8b/0x120
      kernel: [  590.359674]  chrdev_open+0xa6/0x1c0
      kernel: [  590.359676]  ? cdev_put.part.3+0x20/0x20
      kernel: [  590.359678]  do_dentry_open+0x1f6/0x360
      kernel: [  590.359681]  vfs_open+0x2f/0x40
      kernel: [  590.359684]  path_openat+0x299/0xc20
      kernel: [  590.359688]  do_filp_open+0x9b/0x110
      kernel: [  590.359695]  ? _raw_spin_unlock+0x27/0x40
      kernel: [  590.359697]  ? __alloc_fd+0xb2/0x160
      kernel: [  590.359700]  do_sys_open+0x1ba/0x260
      kernel: [  590.359702]  ? do_sys_open+0x1ba/0x260
      kernel: [  590.359712]  __x64_sys_openat+0x20/0x30
      kernel: [  590.359715]  do_syscall_64+0x5a/0x120
      kernel: [  590.359718]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NShuah Khan <shuah@kernel.org>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a90ce66a
    • H
      media: stm32-dcmi: fix crash when subdev do not expose any formats · 2096b3ba
      Hugues Fruchet 提交于
      [ Upstream commit 33dfeb62e23c31619d2197850f7e8b50e8cc5466 ]
      
      Do not access sd_formats[] if num_of_sd_formats is zero, ie
      subdev sensor didn't expose any formats.
      Signed-off-by: NHugues Fruchet <hugues.fruchet@st.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2096b3ba
    • W
      audit: fix a memory leak bug · 6c21fa84
      Wenwen Wang 提交于
      [ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]
      
      In audit_rule_change(), audit_data_to_entry() is firstly invoked to
      translate the payload data to the kernel's rule representation. In
      audit_data_to_entry(), depending on the audit field type, an audit tree may
      be created in audit_make_tree(), which eventually invokes kmalloc() to
      allocate the tree.  Since this tree is a temporary tree, it will be then
      freed in the following execution, e.g., audit_add_rule() if the message
      type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
      AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
      AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
      temporary tree is not freed.
      
      To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
      or AUDIT_DEL_RULE.
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Reviewed-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6c21fa84
    • A
      media: ov2659: make S_FMT succeed even if requested format doesn't match · 9fcfaab6
      Akinobu Mita 提交于
      [ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ]
      
      This driver returns an error if unsupported media bus pixel code is
      requested by VIDIOC_SUBDEV_S_FMT.
      
      But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
      
      Drivers must not return an error solely because the requested format
      doesn't match the device capabilities. They must instead modify the
      format to match what the hardware can provide.
      
      So select default format code and return success in that case.
      
      This is detected by v4l2-compliance.
      
      Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
      Signed-off-by: NAkinobu Mita <akinobu.mita@gmail.com>
      Acked-by: NLad, Prabhakar <prabhakar.csengg@gmail.com>
      Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9fcfaab6
    • H
      media: au0828: stop video streaming only when last user stops · e3a9d646
      Hans Verkuil 提交于
      [ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ]
      
      If the application was streaming from both videoX and vbiX, and streaming
      from videoX was stopped, then the vbi streaming also stopped.
      
      The cause being that stop_streaming for video stopped the subdevs as well,
      instead of only doing that if dev->streaming_users reached 0.
      
      au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
      at all when dev->streaming_users reached 0.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Tested-by: NShuah Khan <shuah@kernel.org>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e3a9d646
    • J
      media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper · 3ccd8912
      Janusz Krzysztofik 提交于
      [ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ]
      
      In preparation for adding asynchronous subdevice support to the driver,
      don't acquire v4l2_clk from the driver .probe() callback as that may
      fail if the clock is provided by a bridge driver which may be not yet
      initialized.  Move the v4l2_clk_get() to ov6650_video_probe() helper
      which is going to be converted to v4l2_subdev_internal_ops.registered()
      callback, executed only when the bridge driver is ready.
      Signed-off-by: NJanusz Krzysztofik <jmkrzyszt@gmail.com>
      Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3ccd8912
    • P
      media: coda: clear error return value before picture run · 81a0b6ff
      Philipp Zabel 提交于
      [ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ]
      
      The error return value is not written by some firmware codecs, such as
      MPEG-2 decode on CodaHx4. Clear the error return value before starting
      the picture run to avoid misinterpreting unrelated values returned by
      sequence initialization as error return value.
      Signed-off-by: NPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      81a0b6ff
    • N
      dmaengine: at_xdmac: remove BUG_ON macro in tasklet · 83544b04
      Nicolas Ferre 提交于
      [ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ]
      
      Even if this case shouldn't happen when controller is properly programmed,
      it's still better to avoid dumping a kernel Oops for this.
      As the sequence may happen only for debugging purposes, log the error and
      just finish the tasklet call.
      Signed-off-by: NNicolas Ferre <nicolas.ferre@microchip.com>
      Acked-by: NLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      83544b04
    • R
      perf/arm-cci: Remove broken race mitigation · bfb9e836
      Robin Murphy 提交于
      [ Upstream commit 0d2e2a82d4de298d006bf8eddc86829e3c7da820 ]
      
      Uncore PMU drivers face an awkward cyclic dependency wherein:
      
       - They have to pick a valid online CPU to associate with before
         registering the PMU device, since it will get exposed to userspace
         immediately.
       - The PMU registration has to be be at least partly complete before
         hotplug events can be handled, since trying to migrate an
         uninitialised context would be bad.
       - The hotplug handler has to be ready as soon as a CPU is chosen, lest
         it go offline without the user-visible cpumask value getting updated.
      
      The arm-cci driver has tried to solve this by using get_cpu() to pick
      the current CPU and prevent it from disappearing while both
      registrations are performed, but that results in taking mutexes with
      preemption disabled, which makes certain configurations very unhappy:
      
      [ 1.983337] BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:2004
      [ 1.983340] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
      [ 1.983342] Preemption disabled at:
      [ 1.983353] [<ffffff80089801f4>] cci_pmu_probe+0x1dc/0x488
      [ 1.983360] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.20-rt8-yocto-preempt-rt #1
      [ 1.983362] Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
      [ 1.983364] Call trace:
      [ 1.983369] dump_backtrace+0x0/0x158
      [ 1.983372] show_stack+0x24/0x30
      [ 1.983378] dump_stack+0x80/0xa4
      [ 1.983383] ___might_sleep+0x138/0x160
      [ 1.983386] __might_sleep+0x58/0x90
      [ 1.983391] __rt_mutex_lock_state+0x30/0xc0
      [ 1.983395] _mutex_lock+0x24/0x30
      [ 1.983400] perf_pmu_register+0x2c/0x388
      [ 1.983404] cci_pmu_probe+0x2bc/0x488
      [ 1.983409] platform_drv_probe+0x58/0xa8
      
      It is not feasible to resolve all the possible races outside of the perf
      core itself, so address the immediate bug by following the example of
      nearly every other PMU driver and not even trying to do so. Registering
      the hotplug notifier first should minimise the window in which things
      can go wrong, so that's about as much as we can reasonably do here. This
      also revealed an additional race in assigning the global pointer too
      late relative to the hotplug notifier, which gets fixed in the process.
      Reported-by: NLi, Meng <Meng.Li@windriver.com>
      Tested-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
      Reviewed-by: NSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      bfb9e836
    • D
      clk: rockchip: undo several noc and special clocks as critical on rk3288 · 2d1df7fa
      Douglas Anderson 提交于
      [ Upstream commit f4033db5b84ebe4b32c25ba2ed65ab20b628996a ]
      
      This is mostly a revert of commit 55bb6a63 ("clk: rockchip: mark
      noc and some special clk as critical on rk3288") except that we're
      keeping "pmu_hclk_otg0" as critical still.
      
      NOTE: turning these clocks off doesn't seem to do a whole lot in terms
      of power savings (checking the power on the logic rail).  It appears
      to save maybe 1-2mW.  ...but still it seems like we should turn the
      clocks off if they aren't needed.
      
      About "pmu_hclk_otg0" (the one clock from the original commit we're
      still keeping critical) from an email thread:
      
      > pmu ahb clock
      >
      > Function: Clock to pmu module when hibernation and/or ADP is
      > enabled. Must be greater than or equal to 30 MHz.
      >
      > If the SOC design does not support hibernation/ADP function, only have
      > hclk_otg, this clk can be switched according to the usage of otg.
      > If the SOC design support hibernation/ADP, has two clocks, hclk_otg and
      > pmu_hclk_otg0.
      > Hclk_otg belongs to the closed part of otg logic, which can be switched
      > according to the use of otg.
      >
      > pmu_hclk_otg0 belongs to the always on part.
      >
      > As for whether pmu_hclk_otg0 can be turned off when otg is not in use,
      > we have not tested. IC suggest make pmu_hclk_otg0 always on.
      
      For the rest of the clocks:
      
      atclk: No documentation about this clock other than that it goes to
      the CPU.  CPU functions fine without it on.  Maybe needed for JTAG?
      
      jtag: Presumably this clock is only needed if you're debugging with
      JTAG.  It doesn't seem like it makes sense to waste power for every
      rk3288 user.  In any case to do JTAG you'd need private patches to
      adjust the pinctrl the mux the JTAG out anyway.
      
      pclk_dbg, pclk_core_niu: On veyron Chromebooks we turn these two
      clocks on only during kernel panics in order to access some coresight
      registers.  Since nothing in the upstream kernel does this we should
      be able to leave them off safely.  Maybe also needed for JTAG?
      
      hsicphy12m_xin12m: There is no indication of why this clock would need
      to be turned on for boards that don't use HSIC.
      
      pclk_ddrupctl[0-1], pclk_publ0[0-1]: On veyron Chromebooks we turn
      these 4 clocks on only when doing DDR transitions and they are off
      otherwise.  I see no reason why they'd need to be on in the upstream
      kernel which doesn't support DDRFreq.
      Signed-off-by: NDouglas Anderson <dianders@chromium.org>
      Reviewed-by: NElaine Zhang <zhangqing@rock-chips.com>
      Signed-off-by: NHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2d1df7fa
    • W
      pinctrl: samsung: fix leaked of_node references · 86a1de9c
      Wen Yang 提交于
      [ Upstream commit 44b9f86cd41db6c522effa5aec251d664a52fbc0 ]
      
      The call to of_find_compatible_node returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:76:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
      ./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:82:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Tomasz Figa <tomasz.figa@gmail.com>
      Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
      Cc: Kukjin Kim <kgene@kernel.org>
      Cc: linux-samsung-soc@vger.kernel.org
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: NKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      86a1de9c
    • W
      pinctrl: pistachio: fix leaked of_node references · c3933fd4
      Wen Yang 提交于
      [ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c3933fd4
    • H
      HID: logitech-hidpp: use RAP instead of FAP to get the protocol version · 12e7faac
      Hans de Goede 提交于
      [ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ]
      
      According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
      https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
      
      We should use a register-access-protocol request using the short input /
      output report ids. This is necessary because 27MHz HID++ receivers have
      a max-packetsize on their HIP++ endpoint of 8, so they cannot support
      long reports. Using a feature-access-protocol request (which is always
      long or very-long) with these will cause a timeout error, followed by
      the hidpp driver treating the device as not being HID++ capable.
      
      This commit fixes this by switching to using a rap request to get the
      protocol version.
      
      Besides being tested with a (046d:c517) 27MHz receiver with various
      27MHz keyboards and mice, this has also been tested to not cause
      regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
      k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
      (046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      12e7faac
    • B
      Bluetooth: hci_qca: Give enough time to ROME controller to bootup. · 1eafabe1
      Balakrishna Godavarthi 提交于
      [ Upstream commit 7f09d5a6c33be66a5ca19bf9dd1c2d90c5dfcf0d ]
      
      This patch enables enough time to ROME controller to bootup
      after we bring the enable pin out of reset.
      
      Fixes: 05ba533c ("Bluetooth: hci_qca: Add serdev support").
      Signed-off-by: NBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Reviewed-by: NRocky Liao <rjliao@codeaurora.org>
      Tested-by: NRocky Liao <rjliao@codeaurora.org>
      Tested-by: NClaire Chang <tientzu@chromium.org>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1eafabe1
    • P
      mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions · 189b396a
      Peter Zijlstra 提交于
      [ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ]
      
      Randy reported objtool triggered on his (GCC-7.4) build:
      
        lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
        lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
      
      This is due to UBSAN generating signed-overflow-UB warnings where it
      should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
      uses through -fno-strict-overflow).
      
      Make the functions use 'unsigned long' throughout.
      Reported-by: NRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Acked-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: luto@kernel.org
      Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      189b396a
    • J
      x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() · f46ae1cd
      Jiri Kosina 提交于
      [ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ]
      
      In-NMI warnings have been added to vmalloc_fault() via:
      
        ebc8827f ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
      
      back in the time when our NMI entry code could not cope with nested NMIs.
      
      These days, it's perfectly fine to take a fault in NMI context and we
      don't have to care about the fact that IRET from the fault handler might
      cause NMI nesting.
      
      This warning has already been removed from 32-bit implementation of
      vmalloc_fault() in:
      
        6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      
      but the 64-bit version was omitted.
      
      Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
      Reported-by: NNicolai Stange <nstange@suse.de>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Joerg Roedel <jroedel@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pmSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f46ae1cd
    • S
      smpboot: Place the __percpu annotation correctly · 3dc1e338
      Sebastian Andrzej Siewior 提交于
      [ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ]
      
      The test robot reported a wrong assignment of a per-CPU variable which
      it detected by using sparse and sent a report. The assignment itself is
      correct. The annotation for sparse was wrong and hence the report.
      The first pointer is a "normal" pointer and points to the per-CPU memory
      area. That means that the __percpu annotation has to be moved.
      
      Move the __percpu annotation to pointer which points to the per-CPU
      area. This change affects only the sparse tool (and is ignored by the
      compiler).
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: f97f8f06 ("smpboot: Provide infrastructure for percpu hotplug threads")
      Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.deSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3dc1e338
    • K
      x86/build: Move _etext to actual end of .text · 0fcb3cd5
      Kees Cook 提交于
      [ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ]
      
      When building x86 with Clang LTO and CFI, CFI jump regions are
      automatically added to the end of the .text section late in linking. As a
      result, the _etext position was being labelled before the appended jump
      regions, causing confusion about where the boundaries of the executable
      region actually are in the running kernel, and broke at least the fault
      injection code. This moves the _etext mark to outside (and immediately
      after) the .text area, as it already the case on other architectures
      (e.g. arm64, arm).
      Reported-and-tested-by: NSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20190423183827.GA4012@beastSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0fcb3cd5