1. 10 Sep, 2019 15 commits
  2. 06 Sep, 2019 25 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.19.71 · e7d2672c
      Greg Kroah-Hartman authored
      e7d2672c
    • Benjamin Tissoires's avatar
      Revert "Input: elantech - enable SMBus on new (2018+) systems" · 72168ae7
      Benjamin Tissoires authored
      This reverts commit 3d180fe5 which is
      commit 883a2a80 upstream.
      
      This patch depends on an other series:
      https://patchwork.kernel.org/project/linux-input/list/?series=122327&state=%2A&archive=both
      
      It was a mistake to backport it in the v5.2 branch, as there
      is a high chance we encounter a touchpad that needs the series
      above.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=204733
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=204771Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72168ae7
    • Greg Kroah-Hartman's avatar
      Linux 4.19.70 · 0fed55c2
      Greg Kroah-Hartman authored
      0fed55c2
    • Greg Kroah-Hartman's avatar
      Revert "ASoC: Fail card instantiation if DAI format setup fails" · 9854d089
      Greg Kroah-Hartman authored
      This reverts commit 714a8438 which is
      commit 40aa5383 upstream.
      
      Mark Brown writes:
      	I nacked this patch when Sasha posted it - it only improves
      	diagnostics and might make systems that worked by accident break
      	since it turns things into a hard failure, it won't make
      	anything that didn't work previously work.
      Reported-by: default avatarMark Brown <broonie@kernel.org>
      Cc: Ricard Wanderlof <ricardw@axis.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Link: https://lore.kernel.org/lkml/20190904181027.GG4348@sirena.co.ukSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9854d089
    • Stanislaw Gruszka's avatar
      mt76: mt76x0u: do not reset radio on resume · e064466c
      Stanislaw Gruszka authored
      commit 8f2d163c upstream.
      
      On some machines mt76x0u firmware can hung during resume,
      what result on messages like below:
      
      [  475.480062] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  475.990066] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
      [  475.990075] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  476.500003] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
      [  476.500012] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  477.010046] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
      [  477.010055] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  477.529997] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110
      [  477.530006] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  477.824907] mt76x0 1-8:1.0: Error: send MCU cmd failed:-71
      [  477.824916] mt76x0 1-8:1.0: Error: MCU response pre-completed!
      [  477.825029] usb 1-8: USB disconnect, device number 6
      
      and possible whole system freeze.
      
      This can be avoided, if we do not perform mt76x0_chip_onoff() reset.
      
      Cc: stable@vger.kernel.org
      Fixes: 134b2d0d ("mt76x0: init files")
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e064466c
    • Greg Kroah-Hartman's avatar
      x86/ptrace: fix up botched merge of spectrev1 fix · b307f99d
      Greg Kroah-Hartman authored
      I incorrectly merged commit 31a2fbb3 ("x86/ptrace: Fix possible
      spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
      graciously pointed out at
      https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
      
      Resolve the upstream difference with the stable kernel merge to properly
      protect things.
      Reported-by: default avatarBrad Spengler <spender@grsecurity.net>
      Cc: Dianzhang Chen <dianzhangchen0@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <bp@alien8.de>
      Cc: <hpa@zytor.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b307f99d
    • Andrew Cooks's avatar
      i2c: piix4: Fix port selection for AMD Family 16h Model 30h · 3b26fa9e
      Andrew Cooks authored
      [ Upstream commit c7c06a15 ]
      
      Family 16h Model 30h SMBus controller needs the same port selection fix
      as described and fixed in commit 0fe16195 ("i2c: piix4: Fix SMBus port
      selection for AMD Family 17h chips")
      
      commit 6befa3fd ("i2c: piix4: Support alternative port selection
      register") also fixed the port selection for Hudson2, but unfortunately
      this is not the exact same device and the AMD naming and PCI Device IDs
      aren't particularly helpful here.
      
      The SMBus port selection register is common to the following Families
      and models, as documented in AMD's publicly available BIOS and Kernel
      Developer Guides:
      
       50742 - Family 15h Model 60h-6Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
       55072 - Family 15h Model 70h-7Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
       52740 - Family 16h Model 30h-3Fh (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS)
      
      The Hudson2 PCI Device ID (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) is shared
      between Bolton FCH and Family 16h Model 30h, but the location of the
      SmBus0Sel port selection bits are different:
      
       51192 - Bolton Register Reference Guide
      
      We distinguish between Bolton and Family 16h Model 30h using the PCI
      Revision ID:
      
        Bolton is device 0x780b, revision 0x15
        Family 16h Model 30h is device 0x780b, revision 0x1F
        Family 15h Model 60h and 70h are both device 0x790b, revision 0x4A.
      
      The following additional public AMD BKDG documents were checked and do
      not share the same port selection register:
      
       42301 - Family 15h Model 00h-0Fh doesn't mention any
       42300 - Family 15h Model 10h-1Fh doesn't mention any
       49125 - Family 15h Model 30h-3Fh doesn't mention any
      
       48751 - Family 16h Model 00h-0Fh uses the previously supported
               index register SB800_PIIX4_PORT_IDX_ALT at 0x2e
      Signed-off-by: default avatarAndrew Cooks <andrew.cooks@opengear.com>
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Cc: stable@vger.kernel.org [v4.6+]
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3b26fa9e
    • Trond Myklebust's avatar
      NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0 · 4f4be79c
      Trond Myklebust authored
      [ Upstream commit eb2c50da ]
      
      If the attempt to resend the I/O results in no bytes being read/written,
      we must ensure that we report the error.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Fixes: 0a00b77b ("nfs: mirroring support for direct io")
      Cc: stable@vger.kernel.org # v3.20+
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4f4be79c
    • Trond Myklebust's avatar
      NFS: Pass error information to the pgio error cleanup routine · b5891b62
      Trond Myklebust authored
      [ Upstream commit df3accb8 ]
      
      Allow the caller to pass error information when cleaning up a failed
      I/O request so that we can conditionally take action to cancel the
      request altogether if the error turned out to be fatal.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5891b62
    • Trond Myklebust's avatar
      NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend() · 812de6de
      Trond Myklebust authored
      [ Upstream commit f4340e93 ]
      
      If the attempt to resend the pages fails, we need to ensure that we
      clean up those pages that were not transmitted.
      
      Fixes: d600ad1f ("NFS41: pop some layoutget errors to application")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      812de6de
    • Trond Myklebust's avatar
      NFS: Clean up list moves of struct nfs_page · 57c491fd
      Trond Myklebust authored
      [ Upstream commit 078b5fd9 ]
      
      In several places we're just moving the struct nfs_page from one list to
      another by first removing from the existing list, then adding to the new
      one.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      57c491fd
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI · 79f1b33c
      Marc Zyngier authored
      [ Upstream commit 82e40f55 ]
      
      A guest is not allowed to inject a SGI (or clear its pending state)
      by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are
      defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8).
      
      Make sure we correctly emulate the architecture.
      
      Fixes: 96b29800 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
      Cc: stable@vger.kernel.org # 4.7+
      Reported-by: default avatarAndre Przywara <andre.przywara@arm.com>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      79f1b33c
    • Heyi Guo's avatar
      KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long · ab8ecc27
      Heyi Guo authored
      [ Upstream commit d4a8061a ]
      
      If the ap_list is longer than 256 entries, merge_final() in list_sort()
      will call the comparison callback with the same element twice, causing
      a deadlock in vgic_irq_cmp().
      
      Fix it by returning early when irqa == irqb.
      
      Cc: stable@vger.kernel.org # 4.7+
      Fixes: 8e444745 ("KVM: arm/arm64: vgic-new: Add IRQ sorting")
      Signed-off-by: default avatarZenghui Yu <yuzenghui@huawei.com>
      Signed-off-by: default avatarHeyi Guo <guoheyi@huawei.com>
      [maz: massaged commit log and patch, added Fixes and Cc-stable]
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ab8ecc27
    • Alexey Kardashevskiy's avatar
      KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling · db1841a2
      Alexey Kardashevskiy authored
      [ Upstream commit ddfd151f ]
      
      H_PUT_TCE_INDIRECT handlers receive a page with up to 512 TCEs from
      a guest. Although we verify correctness of TCEs before we do anything
      with the existing tables, there is a small window when a check in
      kvmppc_tce_validate might pass and right after that the guest alters
      the page of TCEs, causing an early exit from the handler and leaving
      srcu_read_lock(&vcpu->kvm->srcu) (virtual mode) or lock_rmap(rmap)
      (real mode) locked.
      
      This fixes the bug by jumping to the common exit code with an appropriate
      unlock.
      
      Cc: stable@vger.kernel.org # v4.11+
      Fixes: 121f80ba ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
      Signed-off-by: default avatarAlexey Kardashevskiy <aik@ozlabs.ru>
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      db1841a2
    • Denis Kenzior's avatar
      mac80211: Correctly set noencrypt for PAE frames · 938e3837
      Denis Kenzior authored
      commit f8b43c5c upstream.
      
      The noencrypt flag was intended to be set if the "frame was received
      unencrypted" according to include/uapi/linux/nl80211.h.  However, the
      current behavior is opposite of this.
      
      Cc: stable@vger.kernel.org
      Fixes: 018f6fbf ("mac80211: Send control port frames over nl80211")
      Signed-off-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Link: https://lore.kernel.org/r/20190827224120.14545-3-denkenz@gmail.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      938e3837
    • Denis Kenzior's avatar
      mac80211: Don't memset RXCB prior to PAE intercept · 4f139c03
      Denis Kenzior authored
      commit c8a41c6a upstream.
      
      In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
      mac80211 is configured to do so and forwards the contents over nl80211.
      During this process some additional data is also forwarded, including
      whether the frame was received encrypted or not.  Unfortunately just
      prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
      cleared, resulting in incorrect data being exposed over nl80211.
      
      Fixes: 018f6fbf ("mac80211: Send control port frames over nl80211")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f139c03
    • Johannes Berg's avatar
      mac80211: fix possible sta leak · 58f91aac
      Johannes Berg authored
      commit 5fd2f91a upstream.
      
      If TDLS station addition is rejected, the sta memory is leaked.
      Avoid this by moving the check before the allocation.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed52853 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
      Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.netSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58f91aac
    • Hodaszi, Robert's avatar
      Revert "cfg80211: fix processing world regdomain when non modular" · 945b3597
      Hodaszi, Robert authored
      commit 0d31d4db upstream.
      
      This reverts commit 96cce12f ("cfg80211: fix processing world
      regdomain when non modular").
      
      Re-triggering a reg_process_hint with the last request on all events,
      can make the regulatory domain fail in case of multiple WiFi modules. On
      slower boards (espacially with mdev), enumeration of the WiFi modules
      can end up in an intersected regulatory domain, and user cannot set it
      with 'iw reg set' anymore.
      
      This is happening, because:
      - 1st module enumerates, queues up a regulatory request
      - request gets processed by __reg_process_hint_driver():
        - checks if previous was set by CORE -> yes
          - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
            -> sends request to the 'crda'
      - 2nd module enumerates, queues up a regulator request (which triggers
        the reg_todo() work)
      - reg_todo() -> reg_process_pending_hints() sees, that the last request
        is not processed yet, so it tries to process it again.
        __reg_process_hint driver() will run again, and:
        - checks if the last request's initiator was the core -> no, it was
          the driver (1st WiFi module)
        - checks, if the previous initiator was the driver -> yes
          - checks if the regulator domain changed -> yes, it was '00' (set by
            core, and crda call did not return yet), and should be changed to 'US'
      
      ------> __reg_process_hint_driver calls an intersect
      
      Besides, the reg_process_hint call with the last request is meaningless
      since the crda call has a timeout work. If that timeout expires, the
      first module's request will lost.
      
      Cc: stable@vger.kernel.org
      Fixes: 96cce12f ("cfg80211: fix processing world regdomain when non modular")
      Signed-off-by: default avatarRobert Hodaszi <robert.hodaszi@digi.com>
      Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hrSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      945b3597
    • Gary R Hook's avatar
      crypto: ccp - Ignore unconfigured CCP device on suspend/resume · 690a4248
      Gary R Hook authored
      commit 5871cd93 upstream.
      
      If a CCP is unconfigured (e.g. there are no available queues) then
      there will be no data structures allocated for the device. Thus, we
      must check for validity of a pointer before trying to access structure
      members.
      
      Fixes: 720419f0 ("crypto: ccp - Introduce the AMD Secure Processor device")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      690a4248
    • Nadav Amit's avatar
      VMCI: Release resource if the work is already queued · 4e77b2ea
      Nadav Amit authored
      commit ba03a9bb upstream.
      
      Francois reported that VMware balloon gets stuck after a balloon reset,
      when the VMCI doorbell is removed. A similar error can occur when the
      balloon driver is removed with the following splat:
      
      [ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
      [ 1088.622035]       Tainted: G        W         5.2.0 #4
      [ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [ 1088.622205] modprobe        D    0  3565   1450 0x00000000
      [ 1088.622210] Call Trace:
      [ 1088.622246]  __schedule+0x2a8/0x690
      [ 1088.622248]  schedule+0x2d/0x90
      [ 1088.622250]  schedule_timeout+0x1d3/0x2f0
      [ 1088.622252]  wait_for_completion+0xba/0x140
      [ 1088.622320]  ? wake_up_q+0x80/0x80
      [ 1088.622370]  vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
      [ 1088.622373]  vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
      [ 1088.622379]  vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
      [ 1088.622381]  vmballoon_exit+0x18/0xcc8 [vmw_balloon]
      [ 1088.622394]  __x64_sys_delete_module+0x146/0x280
      [ 1088.622408]  do_syscall_64+0x5a/0x130
      [ 1088.622410]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 1088.622415] RIP: 0033:0x7f54f62791b7
      [ 1088.622421] Code: Bad RIP value.
      [ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
      [ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
      [ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
      [ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
      [ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
      
      The cause for the bug is that when the "delayed" doorbell is invoked, it
      takes a reference on the doorbell entry and schedules work that is
      supposed to run the appropriate code and drop the doorbell entry
      reference. The code ignores the fact that if the work is already queued,
      it will not be scheduled to run one more time. As a result one of the
      references would not be dropped. When the code waits for the reference
      to get to zero, during balloon reset or module removal, it gets stuck.
      
      Fix it. Drop the reference if schedule_work() indicates that the work is
      already queued.
      
      Note that this bug got more apparent (or apparent at all) due to
      commit ce664331 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
      
      Fixes: 83e2ec76 ("VMCI: doorbell implementation.")
      Reported-by: default avatarFrancois Rigault <rigault.francois@gmail.com>
      Cc: Jorgen Hansen <jhansen@vmware.com>
      Cc: Adit Ranadive <aditr@vmware.com>
      Cc: Alexios Zavras <alexios.zavras@intel.com>
      Cc: Vishnu DASA <vdasa@vmware.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarVishnu Dasa <vdasa@vmware.com>
      Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e77b2ea
    • John Garry's avatar
      bus: hisi_lpc: Add .remove method to avoid driver unbind crash · 2a964875
      John Garry authored
      commit 10e62b47 upstream.
      
      The original driver author seemed to be under the impression that a driver
      cannot be removed if it does not have a .remove method. Or maybe if it is
      a built-in platform driver.
      
      This is not true. This crash can be created:
      
      root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# echo HISI0191\:00 > unbind
      root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# ipmitool raw 6 1
       Unable to handle kernel paging request at virtual address ffff000010035010
       Mem abort info:
         ESR = 0x96000047
         Exception class = DABT (current EL), IL = 32 bits
         SET = 0, FnV = 0
         EA = 0, S1PTW = 0
       Data abort info:
         ISV = 0, ISS = 0x00000047
         CM = 0, WnR = 1
       swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000000118b000
       [ffff000010035010] pgd=0000041ffbfff003, pud=0000041ffbffe003, pmd=0000041ffbffd003, pte=0000000000000000
       Internal error: Oops: 96000047 [#1] PREEMPT SMP
       Modules linked in:
       CPU: 17 PID: 1473 Comm: ipmitool Not tainted 5.2.0-rc5-00003-gf68c53b414a3-dirty #198
       Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018
       pstate: 20000085 (nzCv daIf -PAN -UAO)
       pc : hisi_lpc_target_in+0x7c/0x120
       lr : hisi_lpc_target_in+0x70/0x120
       sp : ffff00001efe3930
       x29: ffff00001efe3930 x28: ffff841f9f599200
       x27: 0000000000000002 x26: 0000000000000000
       x25: 0000000000000080 x24: 00000000000000e4
       x23: 0000000000000000 x22: 0000000000000064
       x21: ffff801fb667d280 x20: 0000000000000001
       x19: ffff00001efe39ac x18: 0000000000000000
       x17: 0000000000000000 x16: 0000000000000000
       x15: 0000000000000000 x14: 0000000000000000
       x13: 0000000000000000 x12: 0000000000000000
       x11: 0000000000000000 x10: 0000000000000000
       x9 : 0000000000000000 x8 : ffff841febe60340
       x7 : ffff801fb55c52e8 x6 : 0000000000000000
       x5 : 0000000000ffc0e3 x4 : 0000000000000001
       x3 : ffff801fb667d280 x2 : 0000000000000001
       x1 : ffff000010035010 x0 : ffff000010035000
       Call trace:
        hisi_lpc_target_in+0x7c/0x120
        hisi_lpc_comm_in+0x88/0x98
        logic_inb+0x5c/0xb8
        port_inb+0x18/0x20
        bt_event+0x38/0x808
        smi_event_handler+0x4c/0x5a0
        check_start_timer_thread.part.4+0x40/0x58
        sender+0x78/0x88
        smi_send.isra.6+0x94/0x108
        i_ipmi_request+0x2c4/0x8f8
        ipmi_request_settime+0x124/0x160
        handle_send_req+0x19c/0x208
        ipmi_ioctl+0x2c0/0x990
        do_vfs_ioctl+0xb8/0x8f8
        ksys_ioctl+0x80/0xb8
        __arm64_sys_ioctl+0x1c/0x28
        el0_svc_common.constprop.0+0x64/0x160
        el0_svc_handler+0x28/0x78
        el0_svc+0x8/0xc
       Code: 941d1511 aa0003f9 f94006a0 91004001 (b9000034)
       ---[ end trace aa842b86af7069e4 ]---
      
      The problem here is that the host goes away but the associated logical PIO
      region remains registered, as do the children devices.
      
      Fix by adding a .remove method to tidy-up by removing the child devices
      and unregistering the logical PIO region.
      
      Cc: stable@vger.kernel.org
      Fixes: adf38bb0 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
      Signed-off-by: default avatarJohn Garry <john.garry@huawei.com>
      Signed-off-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a964875
    • John Garry's avatar
      bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free · 649532ef
      John Garry authored
      commit 1b15a563 upstream.
      
      If, after registering a logical PIO range, the driver probe later fails,
      the logical PIO range memory will be released automatically.
      
      This causes an issue, in that the logical PIO range is not unregistered
      and the released range memory may be later referenced.
      
      Fix by unregistering the logical PIO range.
      
      And since we now unregister the logical PIO range for probe failure, avoid
      the special ordering of setting logical PIO range ops, which was the
      previous (poor) attempt at a safeguard against this.
      
      Cc: stable@vger.kernel.org
      Fixes: adf38bb0 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings")
      Signed-off-by: default avatarJohn Garry <john.garry@huawei.com>
      Signed-off-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      649532ef
    • Lyude Paul's avatar
      drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() · 68b58d39
      Lyude Paul authored
      commit 32f0a982 upstream.
      
      Currently, we don't call dma_set_max_seg_size() for i915 because we
      intentionally do not limit the segment length that the device supports.
      However, this results in a warning being emitted if we try to map
      anything larger than SZ_64K on a kernel with CONFIG_DMA_API_DEBUG_SG
      enabled:
      
      [    7.751926] DMA-API: i915 0000:00:02.0: mapping sg segment longer
      than device claims to support [len=98304] [max=65536]
      [    7.751934] WARNING: CPU: 5 PID: 474 at kernel/dma/debug.c:1220
      debug_dma_map_sg+0x20f/0x340
      
      This was originally brought up on
      https://bugs.freedesktop.org/show_bug.cgi?id=108517 , and the consensus
      there was it wasn't really useful to set a limit (and that dma-debug
      isn't really all that useful for i915 in the first place). Unfortunately
      though, CONFIG_DMA_API_DEBUG_SG is enabled in the debug configs for
      various distro kernels. Since a WARN_ON() will disable automatic problem
      reporting (and cause any CI with said option enabled to start
      complaining), we really should just fix the problem.
      
      Note that as me and Chris Wilson discussed, the other solution for this
      would be to make DMA-API not make such assumptions when a driver hasn't
      explicitly set a maximum segment size. But, taking a look at the commit
      which originally introduced this behavior, commit 78c47830
      ("dma-debug: check scatterlist segments"), there is an explicit mention
      of this assumption and how it applies to devices with no segment size:
      
      	Conversely, devices which are less limited than the rather
      	conservative defaults, or indeed have no limitations at all
      	(e.g. GPUs with their own internal MMU), should be encouraged to
      	set appropriate dma_parms, as they may get more efficient DMA
      	mapping performance out of it.
      
      So unless there's any concerns (I'm open to discussion!), let's just
      follow suite and call dma_set_max_seg_size() with UINT_MAX as our limit
      to silence any warnings.
      
      Changes since v3:
      * Drop patch for enabling CONFIG_DMA_API_DEBUG_SG in CI. It looks like
        just turning it on causes the kernel to spit out bogus WARN_ONs()
        during some igt tests which would otherwise require teaching igt to
        disable the various DMA-API debugging options causing this. This is
        too much work to be worth it, since DMA-API debugging is useless for
        us. So, we'll just settle with this single patch to squelch WARN_ONs()
        during driver load for users that have CONFIG_DMA_API_DEBUG_SG turned
        on for some reason.
      * Move dma_set_max_seg_size() call into i915_driver_hw_probe() - Chris
        Wilson
      Signed-off-by: default avatarLyude Paul <lyude@redhat.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: <stable@vger.kernel.org> # v4.18+
      Link: https://patchwork.freedesktop.org/patch/msgid/20190823205251.14298-1-lyude@redhat.com
      (cherry picked from commit acd674af)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68b58d39
    • Xiong Zhang's avatar
      drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest · c7615333
      Xiong Zhang authored
      commit 0a3dfbb5 upstream.
      
      The following call trace may exist in linux guest dmesg when guest i915
      driver is unloaded.
      [   90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB.
      [   90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
      [   90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm]
      [   90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0
      [   90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000
      [   90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm]
      [   90.777573] Call Trace:
      [   90.777653]  intel_vgt_deballoon+0x4c/0x60 [i915]
      [   90.777729]  i915_ggtt_cleanup_hw+0x121/0x190 [i915]
      [   90.777792]  i915_driver_unload+0x145/0x180 [i915]
      [   90.777856]  i915_pci_remove+0x15/0x20 [i915]
      [   90.777890]  pci_device_remove+0x3b/0xc0
      [   90.777916]  device_release_driver_internal+0x157/0x220
      [   90.777945]  driver_detach+0x39/0x70
      [   90.777967]  bus_remove_driver+0x51/0xd0
      [   90.777990]  pci_unregister_driver+0x23/0x90
      [   90.778019]  SyS_delete_module+0x1da/0x240
      [   90.778045]  entry_SYSCALL_64_fastpath+0x24/0x87
      [   90.778072] RIP: 0033:0x7f34312af067
      [   90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206
      [   90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0
      [   90.778344] ---[ end trace f4b1bc8305fc59dd ]---
      
      Four drm_mm_node are used to reserve guest ggtt space, but some of them
      may be skipped and not initialised due to space constraints in
      intel_vgt_balloon(). If drm_mm_remove_node() is called with
      uninitialized drm_mm_node, the above call trace occurs.
      
      This patch check drm_mm_node's validity before calling
      drm_mm_remove_node().
      
      Fixes: ff8f7975("drm/i915: return the correct usable aperture size under gvt environment")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarXiong Zhang <xiong.y.zhang@intel.com>
      Acked-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com
      (cherry picked from commit 4776f352)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7615333
    • Kai-Heng Feng's avatar
      drm/amdgpu: Add APTX quirk for Dell Latitude 5495 · 6d3003f5
      Kai-Heng Feng authored
      commit 317a3aae upstream.
      
      Needs ATPX rather than _PR3 to really turn off the dGPU. This can save
      ~5W when dGPU is runtime-suspended.
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d3003f5