1. 22 Jun, 2020 40 commits
    • Pavel Tatashin's avatar
      mm: initialize deferred pages with interrupts enabled · 88afa532
      Pavel Tatashin authored
      commit 3d060856 upstream.
      
      Initializing struct pages is a long task and keeping interrupts disabled
      for the duration of this operation introduces a number of problems.
      
      1. jiffies are not updated for long period of time, and thus incorrect time
         is reported. See proposed solution and discussion here:
         lkml/20200311123848.118638-1-shile.zhang@linux.alibaba.com
      2. It prevents farther improving deferred page initialization by allowing
         intra-node multi-threading.
      
      We are keeping interrupts disabled to solve a rather theoretical problem
      that was never observed in real world (See 3a2d7fa8).
      
      Let's keep interrupts enabled. In case we ever encounter a scenario where
      an interrupt thread wants to allocate large amount of memory this early in
      boot we can deal with that by growing zone (see deferred_grow_zone()) by
      the needed amount before starting deferred_init_memmap() threads.
      
      Before:
      [    1.232459] node 0 initialised, 12058412 pages in 1ms
      
      After:
      [    1.632580] node 0 initialised, 12051227 pages in 436ms
      
      Fixes: 3a2d7fa8 ("mm: disable interrupts while initializing deferred pages")
      Reported-by: default avatarShile Zhang <shile.zhang@linux.alibaba.com>
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@soleen.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Cc: Yiqian Wei <yiwei@redhat.com>
      Cc: <stable@vger.kernel.org>	[4.17+]
      Link: http://lkml.kernel.org/r/20200403140952.17177-3-pasha.tatashin@soleen.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88afa532
    • Andrea Arcangeli's avatar
      mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() · 453d8a48
      Andrea Arcangeli authored
      commit c444eb56 upstream.
      
      Write protect anon page faults require an accurate mapcount to decide
      if to break the COW or not. This is implemented in the THP path with
      reuse_swap_page() ->
      page_trans_huge_map_swapcount()/page_trans_huge_mapcount().
      
      If the COW triggers while the other processes sharing the page are
      under a huge pmd split, to do an accurate reading, we must ensure the
      mapcount isn't computed while it's being transferred from the head
      page to the tail pages.
      
      reuse_swap_cache() already runs serialized by the page lock, so it's
      enough to add the page lock around __split_huge_pmd_locked too, in
      order to add the missing serialization.
      
      Note: the commit in "Fixes" is just to facilitate the backporting,
      because the code before such commit didn't try to do an accurate THP
      mapcount calculation and it instead used the page_count() to decide if
      to COW or not. Both the page_count and the pin_count are THP-wide
      refcounts, so they're inaccurate if used in
      reuse_swap_page(). Reverting such commit (besides the unrelated fix to
      the local anon_vma assignment) would have also opened the window for
      memory corruption side effects to certain workloads as documented in
      such commit header.
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Suggested-by: default avatarJann Horn <jannh@google.com>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Fixes: 6d0a07ed ("mm: thp: calculate the mapcount correctly for THP pages during WP faults")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      453d8a48
    • Marcos Paulo de Souza's avatar
      btrfs: send: emit file capabilities after chown · e2049349
      Marcos Paulo de Souza authored
      commit 89efda52 upstream.
      
      Whenever a chown is executed, all capabilities of the file being touched
      are lost.  When doing incremental send with a file with capabilities,
      there is a situation where the capability can be lost on the receiving
      side. The sequence of actions bellow shows the problem:
      
        $ mount /dev/sda fs1
        $ mount /dev/sdb fs2
      
        $ touch fs1/foo.bar
        $ setcap cap_sys_nice+ep fs1/foo.bar
        $ btrfs subvolume snapshot -r fs1 fs1/snap_init
        $ btrfs send fs1/snap_init | btrfs receive fs2
      
        $ chgrp adm fs1/foo.bar
        $ setcap cap_sys_nice+ep fs1/foo.bar
      
        $ btrfs subvolume snapshot -r fs1 fs1/snap_complete
        $ btrfs subvolume snapshot -r fs1 fs1/snap_incremental
      
        $ btrfs send fs1/snap_complete | btrfs receive fs2
        $ btrfs send -p fs1/snap_init fs1/snap_incremental | btrfs receive fs2
      
      At this point, only a chown was emitted by "btrfs send" since only the
      group was changed. This makes the cap_sys_nice capability to be dropped
      from fs2/snap_incremental/foo.bar
      
      To fix that, only emit capabilities after chown is emitted. The current
      code first checks for xattrs that are new/changed, emits them, and later
      emit the chown. Now, __process_new_xattr skips capabilities, letting
      only finish_inode_if_needed to emit them, if they exist, for the inode
      being processed.
      
      This behavior was being worked around in "btrfs receive" side by caching
      the capability and only applying it after chown. Now, xattrs are only
      emmited _after_ chown, making that workaround not needed anymore.
      
      Link: https://github.com/kdave/btrfs-progs/issues/202
      CC: stable@vger.kernel.org # 4.4+
      Suggested-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarMarcos Paulo de Souza <mpdesouza@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2049349
    • Anand Jain's avatar
      btrfs: include non-missing as a qualifier for the latest_bdev · bcad3df8
      Anand Jain authored
      commit 998a0671 upstream.
      
      btrfs_free_extra_devids() updates fs_devices::latest_bdev to point to
      the bdev with greatest device::generation number.  For a typical-missing
      device the generation number is zero so fs_devices::latest_bdev will
      never point to it.
      
      But if the missing device is due to alienation [1], then
      device::generation is not zero and if it is greater or equal to the rest
      of device  generations in the list, then fs_devices::latest_bdev ends up
      pointing to the missing device and reports the error like [2].
      
      [1] We maintain devices of a fsid (as in fs_device::fsid) in the
      fs_devices::devices list, a device is considered as an alien device
      if its fsid does not match with the fs_device::fsid
      
      Consider a working filesystem with raid1:
      
        $ mkfs.btrfs -f -d raid1 -m raid1 /dev/sda /dev/sdb
        $ mount /dev/sda /mnt-raid1
        $ umount /mnt-raid1
      
      While mnt-raid1 was unmounted the user force-adds one of its devices to
      another btrfs filesystem:
      
        $ mkfs.btrfs -f /dev/sdc
        $ mount /dev/sdc /mnt-single
        $ btrfs dev add -f /dev/sda /mnt-single
      
      Now the original mnt-raid1 fails to mount in degraded mode, because
      fs_devices::latest_bdev is pointing to the alien device.
      
        $ mount -o degraded /dev/sdb /mnt-raid1
      
      [2]
      mount: wrong fs type, bad option, bad superblock on /dev/sdb,
             missing codepage or helper program, or other error
      
             In some cases useful info is found in syslog - try
             dmesg | tail or so.
      
        kernel: BTRFS warning (device sdb): devid 1 uuid 072a0192-675b-4d5a-8640-a5cf2b2c704d is missing
        kernel: BTRFS error (device sdb): failed to read devices
        kernel: BTRFS error (device sdb): open_ctree failed
      
      Fix the root cause by checking if the device is not missing before it
      can be considered for the fs_devices::latest_bdev.
      
      CC: stable@vger.kernel.org # 4.19+
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcad3df8
    • Daniel Axtens's avatar
      string.h: fix incompatibility between FORTIFY_SOURCE and KASAN · 6d49d04c
      Daniel Axtens authored
      [ Upstream commit 47227d27 ]
      
      The memcmp KASAN self-test fails on a kernel with both KASAN and
      FORTIFY_SOURCE.
      
      When FORTIFY_SOURCE is on, a number of functions are replaced with
      fortified versions, which attempt to check the sizes of the operands.
      However, these functions often directly invoke __builtin_foo() once they
      have performed the fortify check.  Using __builtins may bypass KASAN
      checks if the compiler decides to inline it's own implementation as
      sequence of instructions, rather than emit a function call that goes out
      to a KASAN-instrumented implementation.
      
      Why is only memcmp affected?
      ============================
      
      Of the string and string-like functions that kasan_test tests, only memcmp
      is replaced by an inline sequence of instructions in my testing on x86
      with gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2).
      
      I believe this is due to compiler heuristics.  For example, if I annotate
      kmalloc calls with the alloc_size annotation (and disable some fortify
      compile-time checking!), the compiler will replace every memset except the
      one in kmalloc_uaf_memset with inline instructions.  (I have some WIP
      patches to add this annotation.)
      
      Does this affect other functions in string.h?
      =============================================
      
      Yes. Anything that uses __builtin_* rather than __real_* could be
      affected. This looks like:
      
       - strncpy
       - strcat
       - strlen
       - strlcpy maybe, under some circumstances?
       - strncat under some circumstances
       - memset
       - memcpy
       - memmove
       - memcmp (as noted)
       - memchr
       - strcpy
      
      Whether a function call is emitted always depends on the compiler.  Most
      bugs should get caught by FORTIFY_SOURCE, but the missed memcmp test shows
      that this is not always the case.
      
      Isn't FORTIFY_SOURCE disabled with KASAN?
      ========================================-
      
      The string headers on all arches supporting KASAN disable fortify with
      kasan, but only when address sanitisation is _also_ disabled.  For example
      from x86:
      
       #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
       /*
        * For files that are not instrumented (e.g. mm/slub.c) we
        * should use not instrumented version of mem* functions.
        */
       #define memcpy(dst, src, len) __memcpy(dst, src, len)
       #define memmove(dst, src, len) __memmove(dst, src, len)
       #define memset(s, c, n) __memset(s, c, n)
      
       #ifndef __NO_FORTIFY
       #define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
       #endif
      
       #endif
      
      This comes from commit 6974f0c4 ("include/linux/string.h: add the
      option of fortified string.h functions"), and doesn't work when KASAN is
      enabled and the file is supposed to be sanitised - as with test_kasan.c
      
      I'm pretty sure this is not wrong, but not as expansive it should be:
      
       * we shouldn't use __builtin_memcpy etc in files where we don't have
         instrumentation - it could devolve into a function call to memcpy,
         which will be instrumented. Rather, we should use __memcpy which
         by convention is not instrumented.
      
       * we also shouldn't be using __builtin_memcpy when we have a KASAN
         instrumented file, because it could be replaced with inline asm
         that will not be instrumented.
      
      What is correct behaviour?
      ==========================
      
      Firstly, there is some overlap between fortification and KASAN: both
      provide some level of _runtime_ checking. Only fortify provides
      compile-time checking.
      
      KASAN and fortify can pick up different things at runtime:
      
       - Some fortify functions, notably the string functions, could easily be
         modified to consider sub-object sizes (e.g. members within a struct),
         and I have some WIP patches to do this. KASAN cannot detect these
         because it cannot insert poision between members of a struct.
      
       - KASAN can detect many over-reads/over-writes when the sizes of both
         operands are unknown, which fortify cannot.
      
      So there are a couple of options:
      
       1) Flip the test: disable fortify in santised files and enable it in
          unsanitised files. This at least stops us missing KASAN checking, but
          we lose the fortify checking.
      
       2) Make the fortify code always call out to real versions. Do this only
          for KASAN, for fear of losing the inlining opportunities we get from
          __builtin_*.
      
      (We can't use kasan_check_{read,write}: because the fortify functions are
      _extern inline_, you can't include _static_ inline functions without a
      compiler warning. kasan_check_{read,write} are static inline so we can't
      use them even when they would otherwise be suitable.)
      
      Take approach 2 and call out to real versions when KASAN is enabled.
      
      Use __underlying_foo to distinguish from __real_foo: __real_foo always
      refers to the kernel's implementation of foo, __underlying_foo could be
      either the kernel implementation or the __builtin_foo implementation.
      
      This is sometimes enough to make the memcmp test succeed with
      FORTIFY_SOURCE enabled. It is at least enough to get the function call
      into the module. One more fix is needed to make it reliable: see the next
      patch.
      
      Fixes: 6974f0c4 ("include/linux/string.h: add the option of fortified string.h functions")
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Tested-by: default avatarDavid Gow <davidgow@google.com>
      Reviewed-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Link: http://lkml.kernel.org/r/20200423154503.5103-3-dja@axtens.netSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d49d04c
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type · 6e048553
      Hans de Goede authored
      [ Upstream commit cfae58ed ]
      
      The HP Stream x360 11-p000nd no longer report SW_TABLET_MODE state / events
      with recent kernels. This model reports a chassis-type of 10 / "Notebook"
      which is not on the recently introduced chassis-type whitelist
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a chassis-type whitelist and only listed 31 /
      "Convertible" as being capable of generating valid SW_TABLET_MOD events.
      
      Commit 1fac39fd ("platform/x86: intel-vbtn: Also handle tablet-mode
      switch on "Detachable" and "Portable" chassis-types") extended the
      whitelist with chassis-types 8 / "Portable" and 32 / "Detachable".
      
      And now we need to exten the whitelist again with 10 / "Notebook"...
      
      The issue original fixed by the whitelist is really a ACPI DSDT bug on
      the Dell XPS 9360 where it has a VGBS which reports it is in tablet mode
      even though it is not a 2-in-1 at all, but a regular laptop.
      
      So since this is a workaround for a DSDT issue on that specific model,
      instead of extending the whitelist over and over again, lets switch to
      a blacklist and only blacklist the chassis-type of the model for which
      the chassis-type check was added.
      
      Note this also fixes the current version of the code no longer checking
      if dmi_get_system_info(DMI_CHASSIS_TYPE) returns NULL.
      
      Fixes: 1fac39fd ("platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types")
      Cc: Mario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarMario Limonciello <Mario.limonciello@dell.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6e048553
    • Nickolai Kozachenko's avatar
      platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015) · da725858
      Nickolai Kozachenko authored
      [ Upstream commit 8fe63eb7 ]
      
      HEBC method reports capabilities of 5 button array but HP Spectre X2 (2015)
      does not have this control method (the same was for Wacom MobileStudio Pro).
      Expand previous DMI quirk by Alex Hung to also enable 5 button array
      for this system.
      Signed-off-by: default avatarNickolai Kozachenko <daemongloom@gmail.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      da725858
    • Andy Shevchenko's avatar
      platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() · 1a3cee00
      Andy Shevchenko authored
      [ Upstream commit 5cdc45ed ]
      
      First of all, unsigned long can overflow u32 value on 64-bit machine.
      Second, simple_strtoul() doesn't check for overflow in the input.
      
      Convert simple_strtoul() to kstrtou32() to eliminate above issues.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1a3cee00
    • Qiushi Wu's avatar
      cpuidle: Fix three reference count leaks · fad0431b
      Qiushi Wu authored
      [ Upstream commit c343bf1b ]
      
      kobject_init_and_add() takes reference even when it fails.
      If this function returns an error, kobject_put() must be called to
      properly clean up the memory associated with the object.
      
      Previous commit "b8eb7183" fixed a similar problem.
      Signed-off-by: default avatarQiushi Wu <wu000273@umn.edu>
      [ rjw: Subject ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fad0431b
    • Serge Semin's avatar
      spi: dw: Return any value retrieved from the dma_transfer callback · 6d15fe48
      Serge Semin authored
      [ Upstream commit f0410bbf ]
      
      DW APB SSI DMA-part of the driver may need to perform the requested
      SPI-transfer synchronously. In that case the dma_transfer() callback
      will return 0 as a marker of the SPI transfer being finished so the
      SPI core doesn't need to wait and may proceed with the SPI message
      trasnfers pumping procedure. This will be needed to fix the problem
      when DMA transactions are finished, but there is still data left in
      the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer
      to return 1 as the normal dw_spi_transfer_one() method.
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
      Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
      Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: linux-mips@vger.kernel.org
      Cc: devicetree@vger.kernel.org
      Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ruSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d15fe48
    • Haibo Chen's avatar
      mmc: sdhci-esdhc-imx: fix the mask for tuning start point · 6190bf27
      Haibo Chen authored
      [ Upstream commit 1194be8c ]
      
      According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is
      TUNING_START_TAP, bit[7] of this register is to disable the command
      CRC check for standard tuning. So fix it here.
      
      Fixes: d87fc966 ("mmc: sdhci-esdhc-imx: support setting tuning start point")
      Signed-off-by: default avatarHaibo Chen <haibo.chen@nxp.com>
      Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.comSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6190bf27
    • Xie XiuQi's avatar
      ixgbe: fix signed-integer-overflow warning · a7a2e0c2
      Xie XiuQi authored
      [ Upstream commit 3b70683f ]
      
      ubsan report this warning, fix it by adding a unsigned suffix.
      
      UBSAN: signed-integer-overflow in
      drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26
      65535 * 65537 cannot be represented in type 'int'
      CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39
      Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020
      Workqueue: ixgbe ixgbe_service_task [ixgbe]
      Call trace:
       dump_backtrace+0x0/0x3f0
       show_stack+0x28/0x38
       dump_stack+0x154/0x1e4
       ubsan_epilogue+0x18/0x60
       handle_overflow+0xf8/0x148
       __ubsan_handle_mul_overflow+0x34/0x48
       ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe]
       ixgbe_service_task+0xc20/0x1f78 [ixgbe]
       process_one_work+0x8f0/0xf18
       worker_thread+0x430/0x6d0
       kthread+0x218/0x238
       ret_from_fork+0x10/0x18
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a7a2e0c2
    • Ulf Hansson's avatar
      mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core · 4fb193a4
      Ulf Hansson authored
      [ Upstream commit 966244cc ]
      
      Using a fixed 1s timeout for all commands (and data transfers) is a bit
      problematic.
      
      For some commands it means waiting longer than needed for the timer to
      expire, which may not a big issue, but still. For other commands, like for
      an erase (CMD38) that uses a R1B response, may require longer timeouts than
      1s. In these cases, we may end up treating the command as it failed, while
      it just needed some more time to complete successfully.
      
      Fix the problem by respecting the cmd->busy_timeout, which is provided by
      the mmc core.
      
      Cc: Bruce Chang <brucechang@via.com.tw>
      Cc: Harald Welte <HaraldWelte@viatech.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Link: https://lore.kernel.org/r/20200414161413.3036-17-ulf.hansson@linaro.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      4fb193a4
    • Ulf Hansson's avatar
      staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core · 2c4db628
      Ulf Hansson authored
      [ Upstream commit a389087e ]
      
      Using a fixed 1s timeout for all commands is a bit problematic.
      
      For some commands it means waiting longer than needed for the timeout to
      expire, which may not a big issue, but still. For other commands, like for
      an erase (CMD38) that uses a R1B response, may require longer timeouts than
      1s. In these cases, we may end up treating the command as it failed, while
      it just needed some more time to complete successfully.
      
      Fix the problem by respecting the cmd->busy_timeout, which is provided by
      the mmc core.
      
      Cc: Rui Miguel Silva <rmfrfs@gmail.com>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: Alex Elder <elder@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: greybus-dev@lists.linaro.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Acked-by: default avatarRui Miguel Silva <rmfrfs@gmail.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.orgSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c4db628
    • Veerabhadrarao Badiganti's avatar
      mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk · 59b87f26
      Veerabhadrarao Badiganti authored
      [ Upstream commit d863cb03 ]
      
      sdhci-msm can support auto cmd12.
      So enable SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk.
      Signed-off-by: default avatarVeerabhadrarao Badiganti <vbadigan@codeaurora.org>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Link: https://lore.kernel.org/r/1587363626-20413-3-git-send-email-vbadigan@codeaurora.orgSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      59b87f26
    • Coly Li's avatar
      bcache: fix refcount underflow in bcache_device_free() · 63581542
      Coly Li authored
      [ Upstream commit 86da9f73 ]
      
      The problematic code piece in bcache_device_free() is,
      
       785 static void bcache_device_free(struct bcache_device *d)
       786 {
       787     struct gendisk *disk = d->disk;
       [snipped]
       799     if (disk) {
       800             if (disk->flags & GENHD_FL_UP)
       801                     del_gendisk(disk);
       802
       803             if (disk->queue)
       804                     blk_cleanup_queue(disk->queue);
       805
       806             ida_simple_remove(&bcache_device_idx,
       807                               first_minor_to_idx(disk->first_minor));
       808             put_disk(disk);
       809         }
       [snipped]
       816 }
      
      At line 808, put_disk(disk) may encounter kobject refcount of 'disk'
      being underflow.
      
      Here is how to reproduce the issue,
      - Attche the backing device to a cache device and do random write to
        make the cache being dirty.
      - Stop the bcache device while the cache device has dirty data of the
        backing device.
      - Only register the backing device back, NOT register cache device.
      - The bcache device node /dev/bcache0 won't show up, because backing
        device waits for the cache device shows up for the missing dirty
        data.
      - Now echo 1 into /sys/fs/bcache/pendings_cleanup, to stop the pending
        backing device.
      - After the pending backing device stopped, use 'dmesg' to check kernel
        message, a use-after-free warning from KASA reported the refcount of
        kobject linked to the 'disk' is underflow.
      
      The dropping refcount at line 808 in the above code piece is added by
      add_disk(d->disk) in bch_cached_dev_run(). But in the above condition
      the cache device is not registered, bch_cached_dev_run() has no chance
      to be called and the refcount is not added. The put_disk() for a non-
      added refcount of gendisk kobject triggers a underflow warning.
      
      This patch checks whether GENHD_FL_UP is set in disk->flags, if it is
      not set then the bcache device was not added, don't call put_disk()
      and the the underflow issue can be avoided.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63581542
    • YuanJunQing's avatar
      MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() · dfb3dbf0
      YuanJunQing authored
      [ Upstream commit 31e1b3ef ]
      
      Register "a1" is unsaved in this function,
       when CONFIG_TRACE_IRQFLAGS is enabled,
       the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
       and this may change register "a1".
       The changed register "a1" as argument will be send
       to do_fpe() and do_msa_fpe().
      Signed-off-by: default avatarYuanJunQing <yuanjunqing66@163.com>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfb3dbf0
    • Jiaxun Yang's avatar
      PCI: Don't disable decoding when mmio_always_on is set · 40a94a1a
      Jiaxun Yang authored
      [ Upstream commit b6caa1d8 ]
      
      Don't disable MEM/IO decoding when a device have both non_compliant_bars
      and mmio_always_on.
      
      That would allow us quirk devices with junk in BARs but can't disable
      their decoding.
      Signed-off-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Acked-by: default avatarBjorn Helgaas <helgaas@kernel.org>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      40a94a1a
    • Alexander Sverdlin's avatar
      macvlan: Skip loopback packets in RX handler · 133b3d24
      Alexander Sverdlin authored
      [ Upstream commit 81f3dc93 ]
      
      Ignore loopback-originatig packets soon enough and don't try to process L2
      header where it doesn't exist. The very similar br_handle_frame() in bridge
      code performs exactly the same check.
      
      This is an example of such ICMPv6 packet:
      
      skb len=96 headroom=40 headlen=96 tailroom=56
      mac=(40,0) net=(40,40) trans=80
      shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
      csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
      hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
      dev name=etha01.212 feat=0x0x0000000040005000
      skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
      skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
      skb headroom: 00000020: 02 40 43 80 00 00 86 dd
      skb linear:   00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
      skb linear:   00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
      skb linear:   00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
      skb linear:   00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
      skb linear:   00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
      skb linear:   00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
      skb tailroom: 00000000: ...
      skb tailroom: 00000010: ...
      skb tailroom: 00000020: ...
      skb tailroom: 00000030: ...
      
      Call Trace, how it happens exactly:
       ...
       macvlan_handle_frame+0x321/0x425 [macvlan]
       ? macvlan_forward_source+0x110/0x110 [macvlan]
       __netif_receive_skb_core+0x545/0xda0
       ? enqueue_task_fair+0xe5/0x8e0
       ? __netif_receive_skb_one_core+0x36/0x70
       __netif_receive_skb_one_core+0x36/0x70
       process_backlog+0x97/0x140
       net_rx_action+0x1eb/0x350
       ? __hrtimer_run_queues+0x136/0x2e0
       __do_softirq+0xe3/0x383
       do_softirq_own_stack+0x2a/0x40
       </IRQ>
       do_softirq.part.4+0x4e/0x50
       netif_rx_ni+0x60/0xd0
       dev_loopback_xmit+0x83/0xf0
       ip6_finish_output2+0x575/0x590 [ipv6]
       ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
       ? __ip6_make_skb+0x38d/0x680 [ipv6]
       ? ip6_output+0x6c/0x140 [ipv6]
       ip6_output+0x6c/0x140 [ipv6]
       ip6_send_skb+0x1e/0x60 [ipv6]
       rawv6_sendmsg+0xc4b/0xe10 [ipv6]
       ? proc_put_long+0xd0/0xd0
       ? rw_copy_check_uvector+0x4e/0x110
       ? sock_sendmsg+0x36/0x40
       sock_sendmsg+0x36/0x40
       ___sys_sendmsg+0x2b6/0x2d0
       ? proc_dointvec+0x23/0x30
       ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
       ? dev_forward_change+0x130/0x130 [ipv6]
       ? _raw_spin_unlock+0x12/0x30
       ? proc_sys_call_handler.isra.14+0x9f/0x110
       ? __call_rcu+0x213/0x510
       ? get_max_files+0x10/0x10
       ? trace_hardirqs_on+0x2c/0xe0
       ? __sys_sendmsg+0x63/0xa0
       __sys_sendmsg+0x63/0xa0
       do_syscall_64+0x6c/0x1e0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      133b3d24
    • Qu Wenruo's avatar
      btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup · 4ab61600
      Qu Wenruo authored
      [ Upstream commit cbab8ade ]
      
      [BUG]
      For the following operation, qgroup is guaranteed to be screwed up due
      to snapshot adding to a new qgroup:
      
        # mkfs.btrfs -f $dev
        # mount $dev $mnt
        # btrfs qgroup en $mnt
        # btrfs subv create $mnt/src
        # xfs_io -f -c "pwrite 0 1m" $mnt/src/file
        # sync
        # btrfs qgroup create 1/0 $mnt/src
        # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot
        # btrfs qgroup show -prce $mnt/src
        qgroupid         rfer         excl     max_rfer     max_excl parent  child
        --------         ----         ----     --------     -------- ------  -----
        0/5          16.00KiB     16.00KiB         none         none ---     ---
        0/257         1.02MiB     16.00KiB         none         none ---     ---
        0/258         1.02MiB     16.00KiB         none         none 1/0     ---
        1/0             0.00B        0.00B         none         none ---     0/258
      	        ^^^^^^^^^^^^^^^^^^^^
      
      [CAUSE]
      The problem is in btrfs_qgroup_inherit(), we don't have good enough
      check to determine if the new relation would break the existing
      accounting.
      
      Unlike btrfs_add_qgroup_relation(), which has proper check to determine
      if we can do quick update without a rescan, in btrfs_qgroup_inherit() we
      can even assign a snapshot to multiple qgroups.
      
      [FIX]
      Fix it by manually marking qgroup inconsistent for snapshot inheritance.
      
      For subvolume creation, since all its extents are exclusively owned, we
      don't need to rescan.
      
      In theory, we should call relation check like quick_update_accounting()
      when doing qgroup inheritance and inform user about qgroup accounting
      inconsistency.
      
      But we don't have good mechanism to relay that back to the user in the
      snapshot creation context, thus we can only silently mark the qgroup
      inconsistent.
      
      Anyway, user shouldn't use qgroup inheritance during snapshot creation,
      and should add qgroup relationship after snapshot creation by 'btrfs
      qgroup assign', which has a much better UI to inform user about qgroup
      inconsistent and kick in rescan automatically.
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4ab61600
    • Finn Thain's avatar
      m68k: mac: Don't call via_flush_cache() on Mac IIfx · 7736adec
      Finn Thain authored
      [ Upstream commit bcc44f6b ]
      
      There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
      This avoids a boot crash which appeared in v5.4.
      
      printk: console [ttyS0] enabled
      printk: bootconsole [debug0] disabled
      printk: bootconsole [debug0] disabled
      Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
      pid_max: default: 32768 minimum: 301
      Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      devtmpfs: initialized
      random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
      clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
      futex hash table entries: 256 (order: -1, 3072 bytes, linear)
      NET: Registered protocol family 16
      Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
      BAD KERNEL BUSERR
      Oops: 00000000
      Modules linked in:
      PC: [<00008a6a>] via_flush_cache+0x12/0x2c
      SR: 2700  SP: 01c1fe3c  a2: 01c24000
      d0: 00001119    d1: 0000000c    d2: 00012000    d3: 0000000f
      d4: 01c06840    d5: 00033b92    a0: 00000000    a1: 00000000
      Process swapper (pid: 1, task=01c24000)
      Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
      baddr=00008a6e dibuf=0000004e ver=f
      Stack from 01c1fec4:
              01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
              01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
              00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
              00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
              004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
              0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
      Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
       [<00010080>] fix_dnrm+0x2/0x18
       [<0000792e>] cache_push+0x46/0x5a
       [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
       [<00040000>] switched_to_dl+0x76/0xd0
       [<004a545e>] dma_atomic_pool_init+0x4e/0x188
       [<00040000>] switched_to_dl+0x76/0xd0
       [<00033b92>] parse_args+0x0/0x370
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<000021e2>] do_one_initcall+0x34/0x1be
       [<00033b92>] parse_args+0x0/0x370
       [<0038507a>] strcpy+0x0/0x1e
       [<000021ae>] do_one_initcall+0x0/0x1be
       [<00020002>] do_proc_dointvec_conv+0x54/0x74
       [<0049f938>] kernel_init_freeable+0x126/0x190
       [<0049f94c>] kernel_init_freeable+0x13a/0x190
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<00041798>] complete+0x0/0x3c
       [<000b9b0c>] kfree+0x0/0x20a
       [<0038df98>] schedule+0x0/0xd0
       [<0038d604>] kernel_init+0x0/0xda
       [<0038d610>] kernel_init+0xc/0xda
       [<0038d604>] kernel_init+0x0/0xda
       [<00002d38>] ret_from_kernel_thread+0xc/0x14
      Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
      Disabling lock debugging due to kernel taint
      Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Thanks to Stan Johnson for capturing the console log and running git
      bisect.
      
      Git bisect said commit 8e3a68fb ("dma-mapping: make
      dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
      know why. Perhaps mach_l2_flush first became reachable with that commit.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-and-tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Cc: Joshua Thompson <funaho@jurai.org>
      Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.auSigned-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7736adec
    • Arvind Sankar's avatar
      x86/mm: Stop printing BRK addresses · 7fe5e915
      Arvind Sankar authored
      [ Upstream commit 67d631b7 ]
      
      This currently leaks kernel physical addresses into userspace.
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarDave Hansen <dave.hansen@intel.com>
      Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fe5e915
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix multi-instance · 06bd7d87
      Nicolas Toromanoff authored
      [ Upstream commit 10b89c43 ]
      
      Ensure CRC algorithm is registered only once in crypto framework when
      there are several instances of CRC devices.
      
      Update the CRC device list management to avoid that only the first CRC
      instance is used.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      06bd7d87
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix run-time self test issue. · a94c7a08
      Nicolas Toromanoff authored
      [ Upstream commit a8cc3128 ]
      
      Fix wrong crc32 initialisation value:
      "alg: shash: stm32_crc32 test failed (wrong result) on test vector 0,
      cfg="init+update+final aligned buffer"
      cra_name="crc32c" expects an init value of 0XFFFFFFFF,
      cra_name="crc32" expects an init value of 0.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a94c7a08
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix ext4 chksum BUG_ON() · b5528bda
      Nicolas Toromanoff authored
      [ Upstream commit 49c2c082 ]
      
      Allow use of crc_update without prior call to crc_init.
      And change (and fix) driver to use CRC device even on unaligned buffers.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5528bda
    • Serge Semin's avatar
      mips: Add udelay lpj numbers adjustment · 240934c2
      Serge Semin authored
      [ Upstream commit ed26aacf ]
      
      Loops-per-jiffies is a special number which represents a number of
      noop-loop cycles per CPU-scheduler quantum - jiffies. As you
      understand aside from CPU-specific implementation it depends on
      the CPU frequency. So when a platform has the CPU frequency fixed,
      we have no problem and the current udelay interface will work
      just fine. But as soon as CPU-freq driver is enabled and the cores
      frequency changes, we'll end up with distorted udelay's. In order
      to fix this we have to accordinly adjust the per-CPU udelay_val
      (the same as the global loops_per_jiffy) number. This can be done
      in the CPU-freq transition event handler. We subscribe to that event
      in the MIPS arch time-inititalization method.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Reviewed-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      240934c2
    • Serge Semin's avatar
      mips: MAAR: Use more precise address mask · 909b50e8
      Serge Semin authored
      [ Upstream commit bbb5946e ]
      
      Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR
      pair register address field either takes [12:31] bits for non-XPA systems
      and [12:55] otherwise. In any case the current address mask is just
      wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits
      of physical address value. This shall cover the 64-bits architecture and
      systems with XPA enabled, and won't cause any problem for non-XPA 32-bit
      systems, since address values exceeding the architecture specific MAAR
      mask will be just truncated with setting zeros in the unsupported upper
      bits.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      909b50e8
    • Arvind Sankar's avatar
      x86/boot: Correct relocation destination on old linkers · 9b7dbeed
      Arvind Sankar authored
      [ Upstream commit 5214028d ]
      
      For the 32-bit kernel, as described in
      
        6d92bc9d ("x86/build: Build compressed x86 kernels as PIE"),
      
      pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the
      startup code does not perform relocation, any reloc entry with R_386_32
      will remain as 0 in the executing code.
      
      Commit
      
        974f221c ("x86/boot: Move compressed kernel to the end of the
                       decompression buffer")
      
      added a new symbol _end but did not mark it hidden, which doesn't give
      the correct offset on older linkers. This causes the compressed kernel
      to be copied beyond the end of the decompression buffer, rather than
      flush against it. This region of memory may be reserved or already
      allocated for other purposes by the bootloader.
      
      Mark _end as hidden to fix. This changes the relocation from R_386_32 to
      R_386_RELATIVE even on the pre-2.26 binutils.
      
      For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
      built as PIE if the linker supports -z noreloc-overflow, which implies
      binutils-2.27+, but for consistency, mark _end as hidden here too.
      
      The below illustrates the before/after impact of the patch using
      binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
      
        Disassembly before patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 00 00 00          sub    $0x0,%eax
                                4f: R_386_32    _end
        Disassembly after patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 f0 76 00          sub    $0x76f000,%eax
                                4f: R_386_RELATIVE      *ABS*
      
      Dump from extract_kernel before patch:
      	early console in extract_kernel
      	input_data: 0x0207c098 <--- this is at output + init_size
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Dump from extract_kernel after patch:
      	early console in extract_kernel
      	input_data: 0x0190d098 <--- this is at output + init_size - _end
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Fixes: 974f221c ("x86/boot: Move compressed kernel to the end of the decompression buffer")
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b7dbeed
    • Pali Rohár's avatar
      mwifiex: Fix memory corruption in dump_station · be2ce127
      Pali Rohár authored
      [ Upstream commit 3aa42bae ]
      
      The mwifiex_cfg80211_dump_station() uses static variable for iterating
      over a linked list of all associated stations (when the driver is in UAP
      role). This has a race condition if .dump_station is called in parallel
      for multiple interfaces. This corruption can be triggered by registering
      multiple SSIDs and calling, in parallel for multiple interfaces
          iw dev <iface> station dump
      
      [16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
      ...
      [16750.899173] Call trace:
      [16750.901696]  mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
      [16750.907824]  nl80211_dump_station+0xbc/0x278 [cfg80211]
      [16750.913160]  netlink_dump+0xe8/0x320
      [16750.916827]  netlink_recvmsg+0x1b4/0x338
      [16750.920861]  ____sys_recvmsg+0x7c/0x2b0
      [16750.924801]  ___sys_recvmsg+0x70/0x98
      [16750.928564]  __sys_recvmsg+0x58/0xa0
      [16750.932238]  __arm64_sys_recvmsg+0x28/0x30
      [16750.936453]  el0_svc_common.constprop.3+0x90/0x158
      [16750.941378]  do_el0_svc+0x74/0x90
      [16750.944784]  el0_sync_handler+0x12c/0x1a8
      [16750.948903]  el0_sync+0x114/0x140
      [16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
      [16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
      
      This patch drops the use of the static iterator, and instead every time
      the function is called iterates to the idx-th position of the
      linked-list.
      
      It would be better to convert the code not to use linked list for
      associated stations storage (since the chip has a limited number of
      associated stations anyway - it could just be an array). Such a change
      may be proposed in the future. In the meantime this patch can backported
      into stable kernels in this simple form.
      
      Fixes: 8baca1a3 ("mwifiex: dump station support in uap mode")
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Acked-by: default avatarGanapathi Bhat <ganapathi.bhat@nxp.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      be2ce127
    • Dan Carpenter's avatar
      rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() · 2048a786
      Dan Carpenter authored
      [ Upstream commit beb12813 ]
      
      Seven years ago we tried to fix a leak but actually introduced a double
      free instead.  It was an understandable mistake because the code was a
      bit confusing and the free was done in the wrong place.  The "skb"
      pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
      The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
      and I've cleaned the code up a bit to hopefully make it more clear.
      
      Fixes: 36ef0b47 ("rtlwifi: usb: add missing freeing of skbuff")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200513093951.GD347693@mwandaSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2048a786
    • Erez Shitrit's avatar
      net/mlx5e: IPoIB, Drop multicast packets that this interface sent · dfca13aa
      Erez Shitrit authored
      [ Upstream commit 8b46d424 ]
      
      After enabled loopback packets for IPoIB, we need to drop these packets
      that this HCA has replicated and came back to the same interface that
      sent them.
      
      Fixes: 4c6c615e ("net/mlx5e: IPoIB, Add PKEY child interface nic profile")
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfca13aa
    • Jesper Dangaard Brouer's avatar
      veth: Adjust hard_start offset on redirect XDP frames · b6c90a7d
      Jesper Dangaard Brouer authored
      [ Upstream commit 5c857225 ]
      
      When native XDP redirect into a veth device, the frame arrives in the
      xdp_frame structure. It is then processed in veth_xdp_rcv_one(),
      which can run a new XDP bpf_prog on the packet. Doing so requires
      converting xdp_frame to xdp_buff, but the tricky part is that
      xdp_frame memory area is located in the top (data_hard_start) memory
      area that xdp_buff will point into.
      
      The current code tried to protect the xdp_frame area, by assigning
      xdp_buff.data_hard_start past this memory. This results in 32 bytes
      less headroom to expand into via BPF-helper bpf_xdp_adjust_head().
      
      This protect step is actually not needed, because BPF-helper
      bpf_xdp_adjust_head() already reserve this area, and don't allow
      BPF-prog to expand into it. Thus, it is safe to point data_hard_start
      directly at xdp_frame memory area.
      
      Fixes: 9fc8d518 ("veth: Handle xdp_frames in xdp napi ring")
      Reported-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarToshiaki Makita <toshiaki.makita1@gmail.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoulSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      b6c90a7d
    • Guoqing Jiang's avatar
      md: don't flush workqueue unconditionally in md_open · 868b8e43
      Guoqing Jiang authored
      [ Upstream commit f6766ff6 ]
      
      We need to check mddev->del_work before flush workqueu since the purpose
      of flush is to ensure the previous md is disappeared. Otherwise the similar
      deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the
      bdev->bd_mutex before flush workqueue.
      
      kernel: [  154.522645] ======================================================
      kernel: [  154.522647] WARNING: possible circular locking dependency detected
      kernel: [  154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G           O
      kernel: [  154.522651] ------------------------------------------------------
      kernel: [  154.522653] mdadm/2482 is trying to acquire lock:
      kernel: [  154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0
      kernel: [  154.522673]
      kernel: [  154.522673] but task is already holding lock:
      kernel: [  154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
      kernel: [  154.522691]
      kernel: [  154.522691] which lock already depends on the new lock.
      kernel: [  154.522691]
      kernel: [  154.522694]
      kernel: [  154.522694] the existing dependency chain (in reverse order) is:
      kernel: [  154.522696]
      kernel: [  154.522696] -> #4 (&bdev->bd_mutex){+.+.}:
      kernel: [  154.522704]        __mutex_lock+0x87/0x950
      kernel: [  154.522706]        __blkdev_get+0x79/0x590
      kernel: [  154.522708]        blkdev_get+0x65/0x140
      kernel: [  154.522709]        blkdev_get_by_dev+0x2f/0x40
      kernel: [  154.522716]        lock_rdev+0x3d/0x90 [md_mod]
      kernel: [  154.522719]        md_import_device+0xd6/0x1b0 [md_mod]
      kernel: [  154.522723]        new_dev_store+0x15e/0x210 [md_mod]
      kernel: [  154.522728]        md_attr_store+0x7a/0xc0 [md_mod]
      kernel: [  154.522732]        kernfs_fop_write+0x117/0x1b0
      kernel: [  154.522735]        vfs_write+0xad/0x1a0
      kernel: [  154.522737]        ksys_write+0xa4/0xe0
      kernel: [  154.522745]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522748]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522749]
      kernel: [  154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}:
      kernel: [  154.522752]        __mutex_lock+0x87/0x950
      kernel: [  154.522756]        new_dev_store+0xc9/0x210 [md_mod]
      kernel: [  154.522759]        md_attr_store+0x7a/0xc0 [md_mod]
      kernel: [  154.522761]        kernfs_fop_write+0x117/0x1b0
      kernel: [  154.522763]        vfs_write+0xad/0x1a0
      kernel: [  154.522765]        ksys_write+0xa4/0xe0
      kernel: [  154.522767]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522769]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522770]
      kernel: [  154.522770] -> #2 (kn->count#253){++++}:
      kernel: [  154.522775]        __kernfs_remove+0x253/0x2c0
      kernel: [  154.522778]        kernfs_remove+0x1f/0x30
      kernel: [  154.522780]        kobject_del+0x28/0x60
      kernel: [  154.522783]        mddev_delayed_delete+0x24/0x30 [md_mod]
      kernel: [  154.522786]        process_one_work+0x2a7/0x5f0
      kernel: [  154.522788]        worker_thread+0x2d/0x3d0
      kernel: [  154.522793]        kthread+0x117/0x130
      kernel: [  154.522795]        ret_from_fork+0x3a/0x50
      kernel: [  154.522796]
      kernel: [  154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}:
      kernel: [  154.522800]        process_one_work+0x27e/0x5f0
      kernel: [  154.522802]        worker_thread+0x2d/0x3d0
      kernel: [  154.522804]        kthread+0x117/0x130
      kernel: [  154.522806]        ret_from_fork+0x3a/0x50
      kernel: [  154.522807]
      kernel: [  154.522807] -> #0 ((wq_completion)md_misc){+.+.}:
      kernel: [  154.522813]        __lock_acquire+0x1392/0x1690
      kernel: [  154.522816]        lock_acquire+0xb4/0x1a0
      kernel: [  154.522818]        flush_workqueue+0xab/0x4b0
      kernel: [  154.522821]        md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522823]        __blkdev_get+0xea/0x590
      kernel: [  154.522825]        blkdev_get+0x65/0x140
      kernel: [  154.522828]        do_dentry_open+0x1d1/0x380
      kernel: [  154.522831]        path_openat+0x567/0xcc0
      kernel: [  154.522834]        do_filp_open+0x9b/0x110
      kernel: [  154.522836]        do_sys_openat2+0x201/0x2a0
      kernel: [  154.522838]        do_sys_open+0x57/0x80
      kernel: [  154.522840]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522842]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522844]
      kernel: [  154.522844] other info that might help us debug this:
      kernel: [  154.522844]
      kernel: [  154.522846] Chain exists of:
      kernel: [  154.522846]   (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex
      kernel: [  154.522846]
      kernel: [  154.522850]  Possible unsafe locking scenario:
      kernel: [  154.522850]
      kernel: [  154.522852]        CPU0                    CPU1
      kernel: [  154.522853]        ----                    ----
      kernel: [  154.522854]   lock(&bdev->bd_mutex);
      kernel: [  154.522856]                                lock(&mddev->reconfig_mutex);
      kernel: [  154.522858]                                lock(&bdev->bd_mutex);
      kernel: [  154.522860]   lock((wq_completion)md_misc);
      kernel: [  154.522861]
      kernel: [  154.522861]  *** DEADLOCK ***
      kernel: [  154.522861]
      kernel: [  154.522864] 1 lock held by mdadm/2482:
      kernel: [  154.522865]  #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
      kernel: [  154.522868]
      kernel: [  154.522868] stack backtrace:
      kernel: [  154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G           O      5.6.0-rc7-lp151.27-default #25
      kernel: [  154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      kernel: [  154.522878] Call Trace:
      kernel: [  154.522881]  dump_stack+0x8f/0xcb
      kernel: [  154.522884]  check_noncircular+0x194/0x1b0
      kernel: [  154.522888]  ? __lock_acquire+0x1392/0x1690
      kernel: [  154.522890]  __lock_acquire+0x1392/0x1690
      kernel: [  154.522893]  lock_acquire+0xb4/0x1a0
      kernel: [  154.522895]  ? flush_workqueue+0x84/0x4b0
      kernel: [  154.522898]  flush_workqueue+0xab/0x4b0
      kernel: [  154.522900]  ? flush_workqueue+0x84/0x4b0
      kernel: [  154.522905]  ? md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522908]  md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522910]  __blkdev_get+0xea/0x590
      kernel: [  154.522912]  ? bd_acquire+0xc0/0xc0
      kernel: [  154.522914]  blkdev_get+0x65/0x140
      kernel: [  154.522916]  ? bd_acquire+0xc0/0xc0
      kernel: [  154.522918]  do_dentry_open+0x1d1/0x380
      kernel: [  154.522921]  path_openat+0x567/0xcc0
      kernel: [  154.522923]  ? __lock_acquire+0x380/0x1690
      kernel: [  154.522926]  do_filp_open+0x9b/0x110
      kernel: [  154.522929]  ? __alloc_fd+0xe5/0x1f0
      kernel: [  154.522935]  ? kmem_cache_alloc+0x28c/0x630
      kernel: [  154.522939]  ? do_sys_openat2+0x201/0x2a0
      kernel: [  154.522941]  do_sys_openat2+0x201/0x2a0
      kernel: [  154.522944]  do_sys_open+0x57/0x80
      kernel: [  154.522946]  do_syscall_64+0x64/0x2b0
      kernel: [  154.522948]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522951] RIP: 0033:0x7f98d279d9ae
      
      And md_alloc also flushed the same workqueue, but the thing is different
      here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and
      the flush is necessary to avoid race condition, so leave it as it is.
      Signed-off-by: default avatarGuoqing Jiang <guoqing.jiang@cloud.ionos.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      868b8e43
    • Ryder Lee's avatar
      mt76: avoid rx reorder buffer overflow · 13964369
      Ryder Lee authored
      [ Upstream commit 7c4f744d ]
      
      Enlarge slot to support 11ax 256 BA (256 MPDUs in an AMPDU)
      Signed-off-by: default avatarChih-Min Chen <chih-min.chen@mediatek.com>
      Signed-off-by: default avatarRyder Lee <ryder.lee@mediatek.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      13964369
    • Bhupesh Sharma's avatar
      net: qed*: Reduce RX and TX default ring count when running inside kdump kernel · 35fde8a6
      Bhupesh Sharma authored
      [ Upstream commit 73e03097 ]
      
      Normally kdump kernel(s) run under severe memory constraint with the
      basic idea being to save the crashdump vmcore reliably when the primary
      kernel panics/hangs.
      
      Currently the qed* ethernet driver ends up consuming a lot of memory in
      the kdump kernel, leading to kdump kernel panic when one tries to save
      the vmcore via ssh/nfs (thus utilizing the services of the underlying
      qed* network interfaces).
      
      An example OOM message log seen in the kdump kernel can be seen here
      [1], with crashkernel size reservation of 512M.
      
      Using tools like memstrack (see [2]), we can track the modules taking up
      the bulk of memory in the kdump kernel and organize the memory usage
      output as per 'highest allocator first'. An example log for the OOM case
      indicates that the qed* modules end up allocating approximately 216M
      memory, which is a large part of the total crashkernel size:
      
       dracut-pre-pivot[676]: ======== Report format module_summary: ========
       dracut-pre-pivot[676]: Module qed using 149.6MB (2394 pages), peak allocation 149.6MB (2394 pages)
       dracut-pre-pivot[676]: Module qede using 65.3MB (1045 pages), peak allocation 65.3MB (1045 pages)
      
      This patch reduces the default RX and TX ring count from 1024 to 64
      when running inside kdump kernel, which leads to a significant memory
      saving.
      
      An example log with the patch applied shows the reduced memory
      allocation in the kdump kernel:
       dracut-pre-pivot[674]: ======== Report format module_summary: ========
       dracut-pre-pivot[674]: Module qed using 141.8MB (2268 pages), peak allocation 141.8MB (2268 pages)
       <..snip..>
      [dracut-pre-pivot[674]: Module qede using 4.8MB (76 pages), peak allocation 4.9MB (78 pages)
      
      Tested crashdump vmcore save via ssh/nfs protocol using underlying qed*
      network interface after applying this patch.
      
      [1] OOM log:
      ------------
      
       kworker/0:6: page allocation failure: order:6,
       mode:0x60c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
       kworker/0:6 cpuset=/ mems_allowed=0
       CPU: 0 PID: 145 Comm: kworker/0:6 Not tainted 4.18.0-109.el8.aarch64 #1
       Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL025
       01/18/2019
       Workqueue: events work_for_cpu_fn
       Call trace:
        dump_backtrace+0x0/0x188
        show_stack+0x24/0x30
        dump_stack+0x90/0xb4
        warn_alloc+0xf4/0x178
        __alloc_pages_nodemask+0xcac/0xd58
        alloc_pages_current+0x8c/0xf8
        kmalloc_order_trace+0x38/0x108
        qed_iov_alloc+0x40/0x248 [qed]
        qed_resc_alloc+0x224/0x518 [qed]
        qed_slowpath_start+0x254/0x928 [qed]
         __qede_probe+0xf8/0x5e0 [qede]
        qede_probe+0x68/0xd8 [qede]
        local_pci_probe+0x44/0xa8
        work_for_cpu_fn+0x20/0x30
        process_one_work+0x1ac/0x3e8
        worker_thread+0x44/0x448
        kthread+0x130/0x138
        ret_from_fork+0x10/0x18
        Cannot start slowpath
        qede: probe of 0000:05:00.1 failed with error -12
      
      [2]. Memstrack tool: https://github.com/ryncsn/memstrack
      
      Cc: kexec@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Ariel Elior <aelior@marvell.com>
      Cc: GR-everest-linux-l2@marvell.com
      Cc: Manish Chopra <manishc@marvell.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBhupesh Sharma <bhsharma@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      35fde8a6
    • Christophe JAILLET's avatar
      wcn36xx: Fix error handling path in 'wcn36xx_probe()' · ef93244e
      Christophe JAILLET authored
      [ Upstream commit a86308fc ]
      
      In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
      'rpmsg_destroy_ept()', as already done in the remove function.
      
      Fixes: 5052de8d ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.frSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef93244e
    • Rakesh Pillai's avatar
      ath10k: Remove msdu from idr when management pkt send fails · 2bc8b181
      Rakesh Pillai authored
      [ Upstream commit c730c477 ]
      
      Currently when the sending of any management pkt
      via wmi command fails, the packet is being unmapped
      freed in the error handling. But the idr entry added,
      which is used to track these packet is not getting removed.
      
      Hence, during unload, in wmi cleanup, all the entries
      in IDR are removed and the corresponding buffer is
      attempted to be freed. This can cause a situation where
      one packet is attempted to be freed twice.
      
      Fix this error by rmeoving the msdu from the idr
      list when the sending of a management packet over
      wmi fails.
      
      Tested HW: WCN3990
      Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
      
      Fixes: 1807da49 ("ath10k: wmi: add management tx by reference support over wmi")
      Signed-off-by: default avatarRakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bc8b181
    • Christoph Hellwig's avatar
      nvme: refine the Qemu Identify CNS quirk · 15757cfd
      Christoph Hellwig authored
      [ Upstream commit b9a5c3d4 ]
      
      Add a helper to check if we can use Identify CNS values > 1, and refine
      the Qemu quirk to not apply to reported versions larger than 1.1, as the
      Qemu implementation had been fixed by then.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <kbusch@kernel.org>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      15757cfd
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and... · a323c77b
      Hans de Goede authored
      platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types
      
      [ Upstream commit 1fac39fd ]
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
      reporting SW_TABLET_MODE = 1 to userspace on laptops.
      
      Some devices with a detachable keyboard and using the intel-vbnt (INT33D6)
      interface to report if they are in tablet mode (keyboard detached) or not,
      report 32 / "Detachable" as chassis-type, e.g. the HP Pavilion X2 series.
      
      Other devices with a detachable keyboard and using the intel-vbnt (INT33D6)
      interface to report SW_TABLET_MODE, report 8 / "Portable" as chassis-type.
      The Dell Venue 11 Pro 7130 is an example of this.
      
      Extend the DMI chassis-type check to also accept Portables and Detachables
      so that the intel-vbtn driver will report SW_TABLET_MODE on these devices.
      
      Note the chassis-type check was originally added to avoid a false-positive
      tablet-mode report on the Dell XPS 9360 laptop. To the best of my knowledge
      that laptop is using a chassis-type of 9 / "Laptop", so after this commit
      we still ignore the tablet-switch for that chassis-type.
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarMario Limonciello <Mario.limonciello@dell.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a323c77b
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not there · eeb28a17
      Hans de Goede authored
      [ Upstream commit 990fbb48 ]
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
      reporting SW_TABLET_MODE = 1 to userspace on laptops (specifically on the
      Dell XPS 9360), to avoid e.g. userspace ignoring touchpad events because
      userspace thought the device was in tablet-mode.
      
      But if we are not getting the initial status of the switch because the
      device does not have a tablet mode, then we really should not advertise
      the presence of a tablet-mode switch to userspace at all, as userspace may
      use the mere presence of this switch for certain heuristics.
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eeb28a17