1. 15 5月, 2019 10 次提交
  2. 10 5月, 2019 30 次提交
    • G
      Linux 4.19.42 · 9c2556f4
      Greg Kroah-Hartman 提交于
      9c2556f4
    • W
      arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP · 9ccdbde1
      Will Deacon 提交于
      commit 03110a5cb2161690ae5ac04994d47ed0cd6cef75 upstream.
      
      Our futex implementation makes use of LDXR/STXR loops to perform atomic
      updates to user memory from atomic context. This can lead to latency
      problems if we end up spinning around the LL/SC sequence at the expense
      of doing something useful.
      
      Rework our futex atomic operations so that we return -EAGAIN if we fail
      to update the futex word after 128 attempts. The core futex code will
      reschedule if necessary and we'll try again later.
      
      Cc: <stable@kernel.org>
      Fixes: 6170a974 ("arm64: Atomic operations")
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ccdbde1
    • W
      locking/futex: Allow low-level atomic operations to return -EAGAIN · 0f4ef8fb
      Will Deacon 提交于
      commit 6b4f4bc9cb22875f97023984a625386f0c7cc1c0 upstream.
      
      Some futex() operations, including FUTEX_WAKE_OP, require the kernel to
      perform an atomic read-modify-write of the futex word via the userspace
      mapping. These operations are implemented by each architecture in
      arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which
      are called in atomic context with the relevant hash bucket locks held.
      
      Although these routines may return -EFAULT in response to a page fault
      generated when accessing userspace, they are expected to succeed (i.e.
      return 0) in all other cases. This poses a problem for architectures
      that do not provide bounded forward progress guarantees or fairness of
      contended atomic operations and can lead to starvation in some cases.
      
      In these problematic scenarios, we must return back to the core futex
      code so that we can drop the hash bucket locks and reschedule if
      necessary, much like we do in the case of a page fault.
      
      Allow architectures to return -EAGAIN from their implementations of
      arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which
      will cause the core futex code to reschedule if necessary and return
      back to the architecture code later on.
      
      Cc: <stable@kernel.org>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f4ef8fb
    • R
      ASoC: Intel: avoid Oops if DMA setup fails · 6fee3987
      Ross Zwisler 提交于
      commit 0efa3334d65b7f421ba12382dfa58f6ff5bf83c4 upstream.
      
      Currently in sst_dsp_new() if we get an error return from sst_dma_new()
      we just print an error message and then still complete the function
      successfully.  This means that we are trying to run without sst->dma
      properly set up, which will result in NULL pointer dereference when
      sst->dma is later used.  This was happening for me in
      sst_dsp_dma_get_channel():
      
              struct sst_dma *dma = dsp->dma;
      	...
              dma->ch = dma_request_channel(mask, dma_chan_filter, dsp);
      
      This resulted in:
      
         BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
         IP: sst_dsp_dma_get_channel+0x4f/0x125 [snd_soc_sst_firmware]
      
      Fix this by adding proper error handling for the case where we fail to
      set up DMA.
      
      This change only affects Haswell and Broadwell systems.  Baytrail
      systems explicilty opt-out of DMA via sst->pdata->resindex_dma_base
      being set to -1.
      Signed-off-by: NRoss Zwisler <zwisler@google.com>
      Cc: stable@vger.kernel.org
      Acked-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6fee3987
    • O
      UAS: fix alignment of scatter/gather segments · c3b3955f
      Oliver Neukum 提交于
      commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream.
      
      This is the UAS version of
      
      747668dbc061b3e62bc1982767a3a1f9815fcf0e
      usb-storage: Set virt_boundary_mask to avoid SG overflows
      
      We are not as likely to be vulnerable as storage, as it is unlikelier
      that UAS is run over a controller without native support for SG,
      but the issue exists.
      The issue has been existing since the inception of the driver.
      
      Fixes: 115bb1ff ("USB: Add UAS driver")
      Signed-off-by: NOliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3b3955f
    • M
      Bluetooth: Align minimum encryption key size for LE and BR/EDR connections · 38f092c4
      Marcel Holtmann 提交于
      commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
      
      The minimum encryption key size for LE connections is 56 bits and to
      align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
      BR/EDR connections as well.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38f092c4
    • Y
      Bluetooth: hidp: fix buffer overflow · c6d1f9b4
      Young Xiao 提交于
      commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
      
      Struct ca is copied from userspace. It is not checked whether the "name"
      field is NULL terminated, which allows local users to obtain potentially
      sensitive information from kernel stack memory, via a HIDPCONNADD command.
      
      This vulnerability is similar to CVE-2011-1079.
      Signed-off-by: NYoung Xiao <YangX92@hotmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6d1f9b4
    • Q
      scsi: qla2xxx: Fix device staying in blocked state · de7fe08b
      Quinn Tran 提交于
      commit 2137490f2147a8d0799b72b9a1023efb012d40c7 upstream.
      
      This patch fixes issue reported by some of the customers, who discovered
      that after cable pull scenario the devices disappear and path seems to
      remain in blocked state. Once the device reappears, driver does not seem to
      update path to online. This issue appears because of the defer flag
      creating race condition where the same session reappears.  This patch fixes
      this issue by indicating SCSI-ML of device lost when
      qlt_free_session_done() is called from qlt_unreg_sess().
      
      Fixes: 41dc529a ("qla2xxx: Improve RSCN handling in driver")
      Signed-off-by: NQuinn Tran <qtran@marvell.com>
      Cc: stable@vger.kernel.org #4.19
      Signed-off-by: NHimanshu Madhani <hmadhani@marvell.com>
      Reviewed-by: NEwan D. Milne <emilne@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      de7fe08b
    • A
      scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines · ef7014d7
      Andrew Vasquez 提交于
      commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
      
      Commit e6f77540 ("scsi: qla2xxx: Fix an integer overflow in sysfs
      code") incorrectly set 'optrom_region_size' to 'start+size', which can
      overflow option-rom boundaries when 'start' is non-zero.  Continue setting
      optrom_region_size to the proper adjusted value of 'size'.
      
      Fixes: e6f77540 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndrew Vasquez <andrewv@marvell.com>
      Signed-off-by: NHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef7014d7
    • S
      scsi: lpfc: change snprintf to scnprintf for possible overflow · 7a793ca1
      Silvio Cesare 提交于
      commit e7f7b6f38a44697428f5a2e7c606de028df2b0e3 upstream.
      
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: NSilvio Cesare <silvio.cesare@gmail.com>
      Signed-off-by: NWilly Tarreau <w@1wt.eu>
      Signed-off-by: NJames Smart <james.smart@broadcom.com>
      Cc: Dick Kennedy <dick.kennedy@broadcom.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a793ca1
    • S
      soc: sunxi: Fix missing dependency on REGMAP_MMIO · 8b330b3e
      Samuel Holland 提交于
      commit a84014e1db35d8e7af09878d0b4bf30804fb17d5 upstream.
      
      When enabling ARCH_SUNXI from allnoconfig, SUNXI_SRAM is enabled, but
      not REGMAP_MMIO, so the kernel fails to link with an undefined reference
      to __devm_regmap_init_mmio_clk. Select REGMAP_MMIO, as suggested in
      drivers/base/regmap/Kconfig.
      
      This creates the following dependency loop:
      
        drivers/of/Kconfig:68:                symbol OF_IRQ depends on IRQ_DOMAIN
        kernel/irq/Kconfig:63:                symbol IRQ_DOMAIN is selected by REGMAP
        drivers/base/regmap/Kconfig:7:        symbol REGMAP default is visible depending on REGMAP_MMIO
        drivers/base/regmap/Kconfig:39:       symbol REGMAP_MMIO is selected by SUNXI_SRAM
        drivers/soc/sunxi/Kconfig:4:          symbol SUNXI_SRAM is selected by USB_MUSB_SUNXI
        drivers/usb/musb/Kconfig:63:          symbol USB_MUSB_SUNXI depends on GENERIC_PHY
        drivers/phy/Kconfig:7:                symbol GENERIC_PHY is selected by PHY_BCM_NS_USB3
        drivers/phy/broadcom/Kconfig:29:      symbol PHY_BCM_NS_USB3 depends on MDIO_BUS
        drivers/net/phy/Kconfig:12:           symbol MDIO_BUS default is visible depending on PHYLIB
        drivers/net/phy/Kconfig:181:          symbol PHYLIB is selected by ARC_EMAC_CORE
        drivers/net/ethernet/arc/Kconfig:18:  symbol ARC_EMAC_CORE is selected by ARC_EMAC
        drivers/net/ethernet/arc/Kconfig:24:  symbol ARC_EMAC depends on OF_IRQ
      
      To fix the circular dependency, make USB_MUSB_SUNXI select GENERIC_PHY
      instead of depending on it. This matches the use of GENERIC_PHY by all
      but two other drivers.
      
      Cc: <stable@vger.kernel.org> # 4.19
      Fixes: 5828729b ("soc: sunxi: export a regmap for EMAC clock reg on A64")
      Signed-off-by: NSamuel Holland <samuel@sholland.org>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NBin Liu <b-liu@ti.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b330b3e
    • G
      cpufreq: armada-37xx: fix frequency calculation for opp · 557be577
      Gregory CLEMENT 提交于
      commit 8db82563451f976597ab7b282ec655e4390a4088 upstream.
      
      The frequency calculation was based on the current(max) frequency of the
      CPU. However for low frequency, the value used was already the parent
      frequency divided by a factor of 2.
      
      Instead of using this frequency, this fix directly get the frequency from
      the parent clock.
      
      Fixes: 92ce45fb ("cpufreq: Add DVFS support for Armada 37xx")
      Cc: <stable@vger.kernel.org>
      Reported-by: NChristian Neubert <christian.neubert.86@gmail.com>
      Signed-off-by: NGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: NViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      557be577
    • A
      intel_th: pci: Add Comet Lake support · 6b7daf1f
      Alexander Shishkin 提交于
      commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream.
      
      This adds support for Intel TH on Comet Lake.
      Signed-off-by: NAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b7daf1f
    • A
      usb-storage: Set virt_boundary_mask to avoid SG overflows · 5b2ba943
      Alan Stern 提交于
      commit 747668dbc061b3e62bc1982767a3a1f9815fcf0e upstream.
      
      The USB subsystem has always had an unusual requirement for its
      scatter-gather transfers: Each element in the scatterlist (except the
      last one) must have a length divisible by the bulk maxpacket size.
      This is a particular issue for USB mass storage, which uses SG lists
      created by the block layer rather than setting up its own.
      
      So far we have scraped by okay because most devices have a logical
      block size of 512 bytes or larger, and the bulk maxpacket sizes for
      USB 2 and below are all <= 512.  However, USB 3 has a bulk maxpacket
      size of 1024.  Since the xhci-hcd driver includes native SG support,
      this hasn't mattered much.  But now people are trying to use USB-3
      mass storage devices with USBIP, and the vhci-hcd driver currently
      does not have full SG support.
      
      The result is an overflow error, when the driver attempts to implement
      an SG transfer of 63 512-byte blocks as a single
      3584-byte (7 blocks) transfer followed by seven 4096-byte (8 blocks)
      transfers.  The device instead sends 31 1024-byte packets followed by
      a 512-byte packet, and this overruns the first SG buffer.
      
      Ideally this would be fixed by adding better SG support to vhci-hcd.
      But for now it appears we can work around the problem by
      asking the block layer to respect the maxpacket limitation, through
      the use of the virt_boundary_mask.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NSeth Bollinger <Seth.Bollinger@digi.com>
      Tested-by: NSeth Bollinger <Seth.Bollinger@digi.com>
      CC: Ming Lei <tom.leiming@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b2ba943
    • J
      USB: cdc-acm: fix unthrottle races · 18e6f302
      Johan Hovold 提交于
      commit 764478f41130f1b8d8057575b89e69980a0f600d upstream.
      
      Fix two long-standing bugs which could potentially lead to memory
      corruption or leave the port throttled until it is reopened (on weakly
      ordered systems), respectively, when read-URB completion races with
      unthrottle().
      
      First, the URB must not be marked as free before processing is complete
      to prevent it from being submitted by unthrottle() on another CPU.
      
      	CPU 1				CPU 2
      	================		================
      	complete()			unthrottle()
      	  process_urb();
      	  smp_mb__before_atomic();
      	  set_bit(i, free);		  if (test_and_clear_bit(i, free))
      						  submit_urb();
      
      Second, the URB must be marked as free before checking the throttled
      flag to prevent unthrottle() on another CPU from failing to observe that
      the URB needs to be submitted if complete() sees that the throttled flag
      is set.
      
      	CPU 1				CPU 2
      	================		================
      	complete()			unthrottle()
      	  set_bit(i, free);		  throttled = 0;
      	  smp_mb__after_atomic();	  smp_mb();
      	  if (throttled)		  if (test_and_clear_bit(i, free))
      		  return;			  submit_urb();
      
      Note that test_and_clear_bit() only implies barriers when the test is
      successful. To handle the case where the URB is still in use an explicit
      barrier needs to be added to unthrottle() for the second race condition.
      
      Also note that the first race was fixed by 36e59e0d ("cdc-acm: fix
      race between callback and unthrottle") back in 2015, but the bug was
      reintroduced a year later.
      
      Fixes: 1aba579f ("cdc-acm: handle read pipe errors")
      Fixes: 088c64f8 ("USB: cdc-acm: re-write read processing")
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Acked-by: NOliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18e6f302
    • J
      USB: serial: f81232: fix interrupt worker not stop · bce2b9d6
      Ji-Ze Hong (Peter Hong) 提交于
      commit 804dbee1e49774918339c1e5a87400988c0819e8 upstream.
      
      The F81232 will use interrupt worker to handle MSR change.
      This patch will fix the issue that interrupt work should stop
      in close() and suspend().
      
      This also fixes line-status events being disabled after a suspend cycle
      until the port is re-opened.
      Signed-off-by: NJi-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
      [ johan: amend commit message ]
      Fixes: 87fe5adc ("USB: f81232: implement read IIR/MSR with endpoint")
      Cc: stable <stable@vger.kernel.org>	# 4.1
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bce2b9d6
    • T
      usb: dwc3: Fix default lpm_nyet_threshold value · caa5680d
      Thinh Nguyen 提交于
      commit 8d791929b2fbdf7734c1596d808e55cb457f4562 upstream.
      
      The max possible value for DCTL.LPM_NYET_THRES is 15 and not 255. Change
      the default value to 15.
      
      Cc: stable@vger.kernel.org
      Fixes: 80caf7d2 ("usb: dwc3: add lpm erratum support")
      Signed-off-by: NThinh Nguyen <thinhn@synopsys.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      caa5680d
    • P
      genirq: Prevent use-after-free and work list corruption · 33f2aa87
      Prasad Sodagudi 提交于
      [ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ]
      
      When irq_set_affinity_notifier() replaces the notifier, then the
      reference count on the old notifier is dropped which causes it to be
      freed. But nothing ensures that the old notifier is not longer queued
      in the work list. If it is queued this results in a use after free and
      possibly in work list corruption.
      
      Ensure that the work is canceled before the reference is dropped.
      Signed-off-by: NPrasad Sodagudi <psodagud@codeaurora.org>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: marc.zyngier@arm.com
      Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.orgSigned-off-by: NSasha Levin <sashal@kernel.org>
      33f2aa87
    • J
      iommu/amd: Set exclusion range correctly · 29184cba
      Joerg Roedel 提交于
      [ Upstream commit 3c677d206210f53a4be972211066c0f1cd47fe12 ]
      
      The exlcusion range limit register needs to contain the
      base-address of the last page that is part of the range, as
      bits 0-11 of this register are treated as 0xfff by the
      hardware for comparisons.
      
      So correctly set the exclusion range in the hardware to the
      last page which is _in_ the range.
      
      Fixes: b2026aa2 ('x86, AMD IOMMU: add functions for programming IOMMU MMIO space')
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      29184cba
    • P
      perf/core: Fix perf_event_disable_inatomic() race · 42638d6a
      Peter Zijlstra 提交于
      [ Upstream commit 1d54ad944074010609562da5c89e4f5df2f4e5db ]
      
      Thomas-Mich Richter reported he triggered a WARN()ing from event_function_local()
      on his s390. The problem boils down to:
      
      	CPU-A				CPU-B
      
      	perf_event_overflow()
      	  perf_event_disable_inatomic()
      	    @pending_disable = 1
      	    irq_work_queue();
      
      	sched-out
      	  event_sched_out()
      	    @pending_disable = 0
      
      					sched-in
      					perf_event_overflow()
      					  perf_event_disable_inatomic()
      					    @pending_disable = 1;
      					    irq_work_queue(); // FAILS
      
      	irq_work_run()
      	  perf_pending_event()
      	    if (@pending_disable)
      	      perf_event_disable_local(); // WHOOPS
      
      The problem exists in generic, but s390 is particularly sensitive
      because it doesn't implement arch_irq_work_raise(), nor does it call
      irq_work_run() from it's PMU interrupt handler (nor would that be
      sufficient in this case, because s390 also generates
      perf_event_overflow() from pmu::stop). Add to that the fact that s390
      is a virtual architecture and (virtual) CPU-A can stall long enough
      for the above race to happen, even if it would self-IPI.
      
      Adding a irq_work_sync() to event_sched_in() would work for all hardare
      PMUs that properly use irq_work_run() but fails for software PMUs.
      
      Instead encode the CPU number in @pending_disable, such that we can
      tell which CPU requested the disable. This then allows us to detect
      the above scenario and even redirect the IPI to make up for the failed
      queue.
      Reported-by: NThomas-Mich Richter <tmricht@linux.ibm.com>
      Tested-by: NThomas Richter <tmricht@linux.ibm.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: NMark Rutland <mark.rutland@arm.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      42638d6a
    • S
      platform/x86: pmc_atom: Drop __initconst on dmi table · c1189d68
      Stephen Boyd 提交于
      [ Upstream commit b995dcca7cf12f208cfd95fd9d5768dca7cccec7 ]
      
      It's used by probe and that isn't an init function. Drop this so that we
      don't get a section mismatch.
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Cc: David Müller <dave.mueller@gmx.ch>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
      Fixes: 7c2e07130090 ("clk: x86: Add system specific quirk to mark clocks as critical")
      Signed-off-by: NStephen Boyd <sboyd@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c1189d68
    • J
      nvme-fc: correct csn initialization and increments on error · 777943cd
      James Smart 提交于
      [ Upstream commit 67f471b6ed3b09033c4ac77ea03f92afdb1989fe ]
      
      This patch fixes a long-standing bug that initialized the FC-NVME
      cmnd iu CSN value to 1. Early FC-NVME specs had the connection starting
      with CSN=1. By the time the spec reached approval, the language had
      changed to state a connection should start with CSN=0.  This patch
      corrects the initialization value for FC-NVME connections.
      
      Additionally, in reviewing the transport, the CSN value is assigned to
      the new IU early in the start routine. It's possible that a later dma
      map request may fail, causing the command to never be sent to the
      controller.  Change the location of the assignment so that it is
      immediately prior to calling the lldd. Add a comment block to explain
      the impacts if the lldd were to additionally fail sending the command.
      Signed-off-by: NDick Kennedy <dick.kennedy@broadcom.com>
      Signed-off-by: NJames Smart <jsmart2021@gmail.com>
      Reviewed-by: NEwan D. Milne <emilne@redhat.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      777943cd
    • D
      virtio-blk: limit number of hw queues by nr_cpu_ids · 0e8e67b8
      Dongli Zhang 提交于
      [ Upstream commit bf348f9b78d413e75bb079462751a1d86b6de36c ]
      
      When tag_set->nr_maps is 1, the block layer limits the number of hw queues
      by nr_cpu_ids. No matter how many hw queues are used by virtio-blk, as it
      has (tag_set->nr_maps == 1), it can use at most nr_cpu_ids hw queues.
      
      In addition, specifically for pci scenario, when the 'num-queues' specified
      by qemu is more than maxcpus, virtio-blk would not be able to allocate more
      than maxcpus vectors in order to have a vector for each queue. As a result,
      it falls back into MSI-X with one vector for config and one shared for
      queues.
      
      Considering above reasons, this patch limits the number of hw queues used
      by virtio-blk by nr_cpu_ids.
      Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: NDongli Zhang <dongli.zhang@oracle.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0e8e67b8
    • T
      ASoC: Intel: kbl: fix wrong number of channels · d955bb0b
      Tzung-Bi Shih 提交于
      [ Upstream commit d6ba3f815bc5f3c4249d15c8bc5fbb012651b4a4 ]
      
      Fix wrong setting on number of channels.  The context wants to set
      constraint to 2 channels instead of 4.
      Signed-off-by: NTzung-Bi Shih <tzungbi@google.com>
      Acked-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d955bb0b
    • W
      drm/mediatek: fix possible object reference leak · e5c749ad
      Wen Yang 提交于
      [ Upstream commit 2ae2c3316fb77dcf64275d011596b60104c45426 ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/mediatek/mtk_hdmi.c:1521:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1509, but without a corresponding object release within this function.
      drivers/gpu/drm/mediatek/mtk_hdmi.c:1524:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1509, but without a corresponding object release within this function.
      Signed-off-by: NWen Yang <wen.yang99@zte.com.cn>
      Cc: CK Hu <ck.hu@mediatek.com>
      Cc: Philipp Zabel <p.zabel@pengutronix.de>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: dri-devel@lists.freedesktop.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-mediatek@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NCK Hu <ck.hu@mediatek.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e5c749ad
    • V
      scsi: csiostor: fix missing data copy in csio_scsi_err_handler() · 8f4dbd17
      Varun Prakash 提交于
      [ Upstream commit 5c2442fd78998af60e13aba506d103f7f43f8701 ]
      
      If scsi cmd sglist is not suitable for DDP then csiostor driver uses
      preallocated buffers for DDP, because of this data copy is required from
      DDP buffer to scsi cmd sglist before calling ->scsi_done().
      Signed-off-by: NVarun Prakash <varun@chelsio.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8f4dbd17
    • L
      RDMA/hns: Fix bug that caused srq creation to fail · fb357b9e
      Lijun Ou 提交于
      [ Upstream commit 4772e03d239484f3461e33c79d721c8ea03f7416 ]
      
      Due to the incorrect use of the seg and obj information, the position of
      the mtt is calculated incorrectly, and the free space of the page is not
      enough to store the entire mtt, resulting in access to the next page. This
      patch fixes this problem.
      
       Unable to handle kernel paging request at virtual address ffff00006e3cd000
       ...
       Call trace:
        hns_roce_write_mtt+0x154/0x2f0 [hns_roce]
        hns_roce_buf_write_mtt+0xa8/0xd8 [hns_roce]
        hns_roce_create_srq+0x74c/0x808 [hns_roce]
        ib_create_srq+0x28/0xc8
      
      Fixes: 0203b14c ("RDMA/hns: Unify the calculation for hem index in hip08")
      Signed-off-by: Nchenglang <chenglang@huawei.com>
      Signed-off-by: NLijun Ou <oulijun@huawei.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fb357b9e
    • K
      RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove · 8dfb2896
      Kamal Heib 提交于
      [ Upstream commit ea7a5c706fa49273cf6d1d9def053ecb50db2076 ]
      
      Make sure to free the DSR on pvrdma_pci_remove() to avoid the memory leak.
      
      Fixes: 29c8d9eb ("IB: Add vmw_pvrdma driver")
      Signed-off-by: NKamal Heib <kamalheib1@gmail.com>
      Acked-by: NAdit Ranadive <aditr@vmware.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8dfb2896
    • L
      virtio_pci: fix a NULL pointer reference in vp_del_vqs · 5984fd68
      Longpeng 提交于
      [ Upstream commit 6a8aae68c87349dbbcd46eac380bc43cdb98a13b ]
      
      If the msix_affinity_masks is alloced failed, then we'll
      try to free some resources in vp_free_vectors() that may
      access it directly.
      
      We met the following stack in our production:
      [   29.296767] BUG: unable to handle kernel NULL pointer dereference at  (null)
      [   29.311151] IP: [<ffffffffc04fe35a>] vp_free_vectors+0x6a/0x150 [virtio_pci]
      [   29.324787] PGD 0
      [   29.333224] Oops: 0000 [#1] SMP
      [...]
      [   29.425175] RIP: 0010:[<ffffffffc04fe35a>]  [<ffffffffc04fe35a>] vp_free_vectors+0x6a/0x150 [virtio_pci]
      [   29.441405] RSP: 0018:ffff9a55c2dcfa10  EFLAGS: 00010206
      [   29.453491] RAX: 0000000000000000 RBX: ffff9a55c322c400 RCX: 0000000000000000
      [   29.467488] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a55c322c400
      [   29.481461] RBP: ffff9a55c2dcfa20 R08: 0000000000000000 R09: ffffc1b6806ff020
      [   29.495427] R10: 0000000000000e95 R11: 0000000000aaaaaa R12: 0000000000000000
      [   29.509414] R13: 0000000000010000 R14: ffff9a55bd2d9e98 R15: ffff9a55c322c400
      [   29.523407] FS:  00007fdcba69f8c0(0000) GS:ffff9a55c2840000(0000) knlGS:0000000000000000
      [   29.538472] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   29.551621] CR2: 0000000000000000 CR3: 000000003ce52000 CR4: 00000000003607a0
      [   29.565886] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   29.580055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   29.594122] Call Trace:
      [   29.603446]  [<ffffffffc04fe8a2>] vp_request_msix_vectors+0xe2/0x260 [virtio_pci]
      [   29.618017]  [<ffffffffc04fedc5>] vp_try_to_find_vqs+0x95/0x3b0 [virtio_pci]
      [   29.632152]  [<ffffffffc04ff117>] vp_find_vqs+0x37/0xb0 [virtio_pci]
      [   29.645582]  [<ffffffffc057bf63>] init_vq+0x153/0x260 [virtio_blk]
      [   29.658831]  [<ffffffffc057c1e8>] virtblk_probe+0xe8/0x87f [virtio_blk]
      [...]
      
      Cc: Gonglei <arei.gonglei@huawei.com>
      Signed-off-by: NLongpeng <longpeng2@huawei.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: NGonglei <arei.gonglei@huawei.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5984fd68
    • O
      drm/sun4i: tcon top: Fix NULL/invalid pointer dereference in sun8i_tcon_top_un/bind · a8f5c1bc
      Ondrej Jirman 提交于
      [ Upstream commit 1a07a94b47b1f528f39c3e6187b5eaf02efe44ea ]
      
      There are two problems here:
      
      1. Not all clk_data->hws[] need to be initialized, depending on various
         configured quirks. This leads to NULL ptr deref in
         clk_hw_unregister_gate() in sun8i_tcon_top_unbind()
      2. If there is error when registering the clk_data->hws[],
         err_unregister_gates error path will try to unregister
         IS_ERR()=true (invalid) pointer.
      
      For problem (1) I have this stack trace:
      
      Unable to handle kernel NULL pointer dereference at virtual
        address 0000000000000008
      Call trace:
       clk_hw_unregister+0x8/0x18
       clk_hw_unregister_gate+0x14/0x28
       sun8i_tcon_top_unbind+0x2c/0x60
       component_unbind.isra.4+0x2c/0x50
       component_bind_all+0x1d4/0x230
       sun4i_drv_bind+0xc4/0x1a0
       try_to_bring_up_master+0x164/0x1c0
       __component_add+0xa0/0x168
       component_add+0x10/0x18
       sun8i_dw_hdmi_probe+0x18/0x20
       platform_drv_probe+0x3c/0x70
       really_probe+0xcc/0x278
       driver_probe_device+0x34/0xa8
      
      Problem (2) was identified by head scratching.
      Signed-off-by: NOndrej Jirman <megous@megous.com>
      Signed-off-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190405233048.3823-1-megous@megous.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      a8f5c1bc