1. 17 Jul, 2018 23 commits
    • Christian Brauner's avatar
      devpts: resolve devpts bind-mounts · a6d26649
      Christian Brauner authored
      commit a319b01d upstream.
      
      Most libcs will still look at /dev/ptmx when opening the master fd of a pty
      device. When /dev/ptmx is a bind-mount of /dev/pts/ptmx and the TIOCGPTPEER
      ioctl() is used to safely retrieve a file descriptor for the slave side of
      the pty based on the master fd, the /proc/self/fd/{0,1,2} symlinks will
      point to /. A very simply reproducer for this issue presupposing a libc
      that uses TIOCGPTPEER in its openpty() implementation is:
      
      unshare --mount
      mount --bind /dev/pts/ptmx /dev/ptmx
      chmod 666 /dev/ptmx
      script
      ls -al /proc/self/fd/0
      
      Having bind-mounts of /dev/pts/ptmx to /dev/ptmx not working correctly is a
      regression. In addition, it is also a fairly common scenario in containers
      employing user namespaces.
      
      The reason for the current failure is that the kernel tries to verify the
      useability of the devpts filesystem without resolving the /dev/ptmx
      bind-mount first. This will lead it to detect that the dentry is escaping
      its bind-mount. The reason is that while the devpts filesystem mounted at
      /dev/pts has the devtmpfs mounted at /dev as its parent mount:
      
      21 -- -- / /dev
      -- 21 -- / /dev/pts
      
      devtmpfs and devpts are on different devices
      
      -- -- 0:6  / /dev
      -- -- 0:20 / /dev/pts
      
      This has the consequence that the pathname of the parent directory of the
      devpts filesystem mount at /dev/pts is /. So if /dev/ptmx is a bind-mount
      of /dev/pts/ptmx then the /dev/ptmx bind-mount and the devpts mount at
      /dev/pts will end up being located on the same device which is recorded in
      the superblock of their vfsmount. This means the parent directory of the
      /dev/ptmx bind-mount will be /ptmx:
      
      -- -- ---- /ptmx /dev/ptmx
      
      Without the bind-mount resolution patch the kernel will now perform the
      bind-mount escape check directly on /dev/ptmx. The function responsible for
      this is devpts_ptmx_path() which calls pts_path() which in turn calls
      path_parent_directory(). Based on the above explanation,
      path_parent_directory() will yield / as the parent directory for the
      /dev/ptmx bind-mount and not the expected /dev. Thus, the kernel detects
      that /dev/ptmx is escaping its bind-mount and will set /proc/<pid>/fd/<nr>
      to /.
      
      This patch changes the logic to first resolve any bind-mounts. After the
      bind-mounts have been resolved (i.e. we have traced it back to the
      associated devpts mount) devpts_ptmx_path() can be called. In order to
      guarantee correct path generation for the slave file descriptor the kernel
      now requires that a pts directory is found in the parent directory of the
      ptmx bind-mount. This implies that when doing bind-mounts the ptmx
      bind-mount and the devpts mount should have a common parent directory. A
      valid example is:
      
      mount -t devpts devpts /dev/pts
      mount --bind /dev/pts/ptmx /dev/ptmx
      
      an invalid example is:
      
      mount -t devpts devpts /dev/pts
      mount --bind /dev/pts/ptmx /ptmx
      
      This allows us to support:
      - calling open on ptmx devices located inside non-standard devpts mounts:
        mount -t devpts devpts /mnt
        master = open("/mnt/ptmx", ...);
        slave = ioctl(master, TIOCGPTPEER, ...);
      - calling open on ptmx devices located outside the devpts mount with a
        common ancestor directory:
        mount -t devpts devpts /dev/pts
        mount --bind /dev/pts/ptmx /dev/ptmx
        master = open("/dev/ptmx", ...);
        slave = ioctl(master, TIOCGPTPEER, ...);
      
      while failing on ptmx devices located outside the devpts mount without a
      common ancestor directory:
        mount -t devpts devpts /dev/pts
        mount --bind /dev/pts/ptmx /ptmx
        master = open("/ptmx", ...);
        slave = ioctl(master, TIOCGPTPEER, ...);
      
      in which case save path generation cannot be guaranteed.
      Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Suggested-by: default avatarEric Biederman <ebiederm@xmission.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reviewed-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6d26649
    • Christian Brauner's avatar
      devpts: hoist out check for DEVPTS_SUPER_MAGIC · cd360be6
      Christian Brauner authored
      commit 7d71109d upstream.
      
      Hoist the check whether we have already found a suitable devpts filesystem
      out of devpts_ptmx_path() in preparation for the devpts bind-mount
      resolution patch. This is a non-functional change.
      Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Reviewed-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd360be6
    • Dan Carpenter's avatar
      xhci: xhci-mem: off by one in xhci_stream_id_to_ring() · 7499390b
      Dan Carpenter authored
      commit 313db3d6 upstream.
      
      The > should be >= here so that we don't read one element beyond the end
      of the ep->stream_info->stream_rings[] array.
      
      Fixes: e9df17eb ("USB: xhci: Correct assumptions about number of rings per endpoint.")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7499390b
    • Nico Sneck's avatar
      usb: quirks: add delay quirks for Corsair Strafe · 55f51e5b
      Nico Sneck authored
      commit bba57edd upstream.
      
      Corsair Strafe appears to suffer from the same issues
      as the Corsair Strafe RGB.
      Apply the same quirks (control message delay and init delay)
      that the RGB version has to 1b1c:1b15.
      
      With these quirks in place the keyboard works correctly upon
      booting the system, and no longer requires reattaching the device.
      Signed-off-by: default avatarNico Sneck <snecknico@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      55f51e5b
    • Johan Hovold's avatar
      USB: serial: mos7840: fix status-register error handling · 82b9cb4d
      Johan Hovold authored
      commit 794744ab upstream.
      
      Add missing transfer-length sanity check to the status-register
      completion handler to avoid leaking bits of uninitialised slab data to
      user space.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>     # 2.6.19
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82b9cb4d
    • Jann Horn's avatar
      USB: yurex: fix out-of-bounds uaccess in read handler · 90f2a76c
      Jann Horn authored
      commit f1e255d6 upstream.
      
      In general, accessing userspace memory beyond the length of the supplied
      buffer in VFS read/write handlers can lead to both kernel memory corruption
      (via kernel_read()/kernel_write(), which can e.g. be triggered via
      sys_splice()) and privilege escalation inside userspace.
      
      Fix it by using simple_read_from_buffer() instead of custom logic.
      
      Fixes: 6bc235a2 ("USB: add driver for Meywa-Denki & Kayac YUREX")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90f2a76c
    • Johan Hovold's avatar
      USB: serial: keyspan_pda: fix modem-status error handling · f24b02c3
      Johan Hovold authored
      commit 01b3cdfc upstream.
      
      Fix broken modem-status error handling which could lead to bits of slab
      data leaking to user space.
      
      Fixes: 3b36a8fd ("usb: fix uninitialized variable warning in keyspan_pda")
      Cc: stable <stable@vger.kernel.org>     # 2.6.27
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f24b02c3
    • Olli Salonen's avatar
      USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick · 7aa69d8f
      Olli Salonen authored
      commit 367b160f upstream.
      
      There are two versions of the Qivicon Zigbee stick in circulation. This
      adds the second USB ID to the cp210x driver.
      Signed-off-by: default avatarOlli Salonen <olli.salonen@iki.fi>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7aa69d8f
    • Dan Carpenter's avatar
      USB: serial: ch341: fix type promotion bug in ch341_control_in() · 7ce4add9
      Dan Carpenter authored
      commit e33eab9d upstream.
      
      The "r" variable is an int and "bufsize" is an unsigned int so the
      comparison is type promoted to unsigned.  If usb_control_msg() returns a
      negative that is treated as a high positive value and the error handling
      doesn't work.
      
      Fixes: 2d5a9c72 ("USB: serial: ch341: fix control-message error handling")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ce4add9
    • Hans de Goede's avatar
      ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS · 1fb3563f
      Hans de Goede authored
      commit 240630e6 upstream.
      
      There have been several reports of LPM related hard freezes about once
      a day on multiple Lenovo 50 series models. Strange enough these reports
      where not disk model specific as LPM issues usually are and some users
      with the exact same disk + laptop where seeing them while other users
      where not seeing these issues.
      
      It turns out that enabling LPM triggers a firmware bug somewhere, which
      has been fixed in later BIOS versions.
      
      This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM
      for dealing with this.
      
      The ahci_broken_lpm() function contains DMI match info for the 4 models
      which are known to be affected by this and the DMI BIOS date field for
      known good BIOS versions. If the BIOS date is older then the one in the
      table LPM will be disabled and a warning will be printed.
      
      Note the BIOS dates are for known good versions, some older versions may
      work too, but we don't know for sure, the table is using dates from BIOS
      versions for which users have confirmed that upgrading to that version
      makes the problem go away.
      
      Unfortunately I've been unable to get hold of the reporter who reported
      that BIOS version 2.35 fixed the problems on the W541 for him. I've been
      able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older
      dmidecode, but I don't know the exact BIOS date as reported in the DMI.
      Lenovo keeps a changelog with dates in their release notes, but the
      dates there are the release dates not the build dates which are in DMI.
      So I've chosen to set the date to which we compare to one day past the
      release date of the 2.34 BIOS. I plan to fix this with a follow up
      commit once I've the necessary info.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fb3563f
    • Nadav Amit's avatar
      vmw_balloon: fix inflation with batching · 1e39eb1b
      Nadav Amit authored
      commit 90d72ce0 upstream.
      
      Embarrassingly, the recent fix introduced worse problem than it solved,
      causing the balloon not to inflate. The VM informed the hypervisor that
      the pages for lock/unlock are sitting in the wrong address, as it used
      the page that is used the uninitialized page variable.
      
      Fixes: b23220fe ("vmw_balloon: fixing double free when batching mode is off")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e39eb1b
    • Damien Le Moal's avatar
      ata: Fix ZBC_OUT all bit handling · 33b9257a
      Damien Le Moal authored
      commit 6edf1d4c upstream.
      
      If the ALL bit is set in the ZBC_OUT command, the command zone ID field
      (block) should be ignored.
      Reported-by: default avatarDavid Butterfield <david.butterfield@wdc.com>
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33b9257a
    • Damien Le Moal's avatar
      ata: Fix ZBC_OUT command block check · aae31a16
      Damien Le Moal authored
      commit b320a0a9 upstream.
      
      The block (LBA) specified must not exceed the last addressable LBA,
      which is dev->nr_sectors - 1. So fix the correct check is
      "if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)".
      
      Additionally, the asc/ascq to return for an LBA that is not a zone start
      LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of
      range.
      Reported-by: default avatarDavid Butterfield <david.butterfield@wdc.com>
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aae31a16
    • Ping-Ke Shih's avatar
      staging: r8822be: Fix RTL8822be can't find any wireless AP · a3bb42c1
      Ping-Ke Shih authored
      commit d59d2f99 upstream.
      
      RTL8822be can't bring up properly on ASUS X530UN, and dmesg says:
      [ 8.591333] r8822be: module is from the staging directory, the quality
      is unknown, you have been warned.
      [ 8.593122] r8822be 0000:02:00.0: enabling device (0000 -> 0003)
      [ 8.669163] r8822be: Using firmware rtlwifi/rtl8822befw.bin
      [ 9.289939] r8822be: rtlwifi: wireless switch is on
      [ 10.056426] r8822be 0000:02:00.0 wlp2s0: renamed from wlan0
      ...
      [ 11.952534] r8822be: halmac_init_hal failed
      [ 11.955933] r8822be: halmac_init_hal failed
      [ 11.956227] r8822be: halmac_init_hal failed
      [ 22.007942] r8822be: halmac_init_hal failed
      
      Jian-Hong reported it works if turn off ASPM with module parameter aspm=0.
      In order to fix this problem kindly, this commit don't turn off aspm but
      enlarge ASPM L1 latency to 7.
      Reported-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Tested-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3bb42c1
    • Murray McAllister's avatar
      staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data(). · e5bb39fa
      Murray McAllister authored
      commit 920c9244 upstream.
      
      Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
      This is also needed for the length (signed integer) in rtl8723bs, as it is
      later converted to an unsigned integer and used in a memcpy operation.
      
      Original issue is at https://patchwork.kernel.org/patch/9796371/Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMurray McAllister <murray.mcallister@insomniasec.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5bb39fa
    • Jann Horn's avatar
      ibmasm: don't write out of bounds in read handler · 908bfe10
      Jann Horn authored
      commit a0341fc1 upstream.
      
      This read handler had a lot of custom logic and wrote outside the bounds of
      the provided buffer. This could lead to kernel and userspace memory
      corruption. Just use simple_read_from_buffer() with a stack buffer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      908bfe10
    • x00270170's avatar
      mmc: dw_mmc: fix card threshold control configuration · ccb242ec
      x00270170 authored
      commit 7a6b9f4d upstream.
      
      Card write threshold control is supposed to be set since controller
      version 2.80a for data write in HS400 mode and data read in
      HS200/HS400/SDR104 mode. However the current code returns without
      configuring it in the case of data writing in HS400 mode.
      Meanwhile the patch fixes that the current code goes to
      'disable' when doing data reading in HS400 mode.
      
      Fixes: 7e4bf1bc ("mmc: dw_mmc: add the card write threshold for HS400 mode")
      Signed-off-by: default avatarQing Xia <xiaqing17@hisilicon.com>
      Cc: stable@vger.kernel.org # v4.8+
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccb242ec
    • Stefan Agner's avatar
      mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states · 2c9fa8ff
      Stefan Agner authored
      commit 92748bea upstream.
      
      If pinctrl nodes for 100/200MHz are missing, the controller should
      not select any mode which need signal frequencies 100MHz or higher.
      To prevent such speed modes the driver currently uses the quirk flag
      SDHCI_QUIRK2_NO_1_8_V. This works nicely for SD cards since 1.8V
      signaling is required for all faster modes and slower modes use 3.3V
      signaling only.
      
      However, there are eMMC modes which use 1.8V signaling and run below
      100MHz, e.g. DDR52 at 1.8V. With using SDHCI_QUIRK2_NO_1_8_V this
      mode is prevented. When using a fixed 1.8V regulator as vqmmc-supply
      the stack has no valid mode to use. In this tenuous situation the
      kernel continuously prints voltage switching errors:
        mmc1: Switching to 3.3V signalling voltage failed
      
      Avoid using SDHCI_QUIRK2_NO_1_8_V and prevent faster modes by
      altering the SDHCI capability register. With that the stack is able
      to select 1.8V modes even if no faster pinctrl states are available:
        # cat /sys/kernel/debug/mmc1/ios
        ...
        timing spec:    8 (mmc DDR52)
        signal voltage: 1 (1.80 V)
        ...
      
      Link: http://lkml.kernel.org/r/20180628081331.13051-1-stefan@agner.chSigned-off-by: default avatarStefan Agner <stefan@agner.ch>
      Fixes: ad93220d ("mmc: sdhci-esdhc-imx: change pinctrl state according
      to uhs mode")
      Cc: <stable@vger.kernel.org> # v4.13+
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c9fa8ff
    • Paul Burton's avatar
      MIPS: Fix ioremap() RAM check · 6fce06b6
      Paul Burton authored
      commit 523402fa upstream.
      
      We currently attempt to check whether a physical address range provided
      to __ioremap() may be in use by the page allocator by examining the
      value of PageReserved for each page in the region - lowmem pages not
      marked reserved are presumed to be in use by the page allocator, and
      requests to ioremap them fail.
      
      The way we check this has been broken since commit 92923ca3 ("mm:
      meminit: only set page reserved in the memblock region"), because
      memblock will typically not have any knowledge of non-RAM pages and
      therefore those pages will not have the PageReserved flag set. Thus when
      we attempt to ioremap a region outside of RAM we incorrectly fail
      believing that the region is RAM that may be in use.
      
      In most cases ioremap() on MIPS will take a fast-path to use the
      unmapped kseg1 or xkphys virtual address spaces and never hit this path,
      so the only way to hit it is for a MIPS32 system to attempt to ioremap()
      an address range in lowmem with flags other than _CACHE_UNCACHED.
      Perhaps the most straightforward way to do this is using
      ioremap_uncached_accelerated(), which is how the problem was discovered.
      
      Fix this by making use of walk_system_ram_range() to test the address
      range provided to __ioremap() against only RAM pages, rather than all
      lowmem pages. This means that if we have a lowmem I/O region, which is
      very common for MIPS systems, we're free to ioremap() address ranges
      within it. A nice bonus is that the test is no longer limited to lowmem.
      
      The approach here matches the way x86 performed the same test after
      commit c81c8a1e ("x86, ioremap: Speed up check for RAM pages") until
      x86 moved towards a slightly more complicated check using walk_mem_res()
      for unrelated reasons with commit 0e4c12b4 ("x86/mm, resource: Use
      PAGE_KERNEL protection for ioremap of memory pages").
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Reported-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Tested-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Fixes: 92923ca3 ("mm: meminit: only set page reserved in the memblock region")
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.2+
      Patchwork: https://patchwork.linux-mips.org/patch/19786/Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6fce06b6
    • Paul Burton's avatar
      MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() · 0818c44b
      Paul Burton authored
      commit b63e132b upstream.
      
      The current MIPS implementation of arch_trigger_cpumask_backtrace() is
      broken because it attempts to use synchronous IPIs despite the fact that
      it may be run with interrupts disabled.
      
      This means that when arch_trigger_cpumask_backtrace() is invoked, for
      example by the RCU CPU stall watchdog, we may:
      
        - Deadlock due to use of synchronous IPIs with interrupts disabled,
          causing the CPU that's attempting to generate the backtrace output
          to hang itself.
      
        - Not succeed in generating the desired output from remote CPUs.
      
        - Produce warnings about this from smp_call_function_many(), for
          example:
      
          [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks:
          [42760.535755]  0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0
          [42760.547874]  1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0
          [42760.559869]  (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33)
          [42760.568927] ------------[ cut here ]------------
          [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c
          [42760.587839] Modules linked in:
          [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2
          [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8
          [42760.616937]         95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000
          [42760.630095]         00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0
          [42760.643169]         00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0
          [42760.656282]         8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca
          [42760.669424]         ...
          [42760.673919] Call Trace:
          [42760.678672] [<27fde568>] show_stack+0x70/0xf0
          [42760.685417] [<84751641>] dump_stack+0xaa/0xd0
          [42760.692188] [<699d671c>] __warn+0x80/0x92
          [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36
          [42760.705912] [<f7c76c1c>] smp_call_function_many+0x88/0x20c
          [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a
          [42760.722216] [<f845bd33>] rcu_dump_cpu_stacks+0x6a/0x98
          [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac
          [42760.737476] [<059b3b43>] update_process_times+0x18/0x34
          [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38
          [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50
          [42760.759882] [<e56ea39f>] __hrtimer_run_queues+0xc6/0x226
          [42760.767418] [<e88bbcae>] hrtimer_interrupt+0x88/0x19a
          [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a
          [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168
          [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86
          [42760.805545] [<b2ada1c7>] gic_irq_dispatch+0xa/0x14
          [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c
          [42760.820086] [<c7521934>] do_IRQ+0x16/0x20
          [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94
          [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78
          [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c
          [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c
          [42760.855693] [<ab9fc705>] flush_tlb_mm+0x2a/0x98
          [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44
          [42760.869628] [<cb259b74>] arch_tlb_finish_mmu+0x26/0x3e
          [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66
          [42760.883907] [<b3fce717>] exit_mmap+0x76/0xea
          [42760.890428] [<c4c8a2f6>] mmput+0x80/0x11a
          [42760.896632] [<a41a08f4>] do_exit+0x1f4/0x80c
          [42760.903158] [<ee01cef6>] do_group_exit+0x20/0x7e
          [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e
          [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c
          [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c
          [42760.931765] ---[ end trace 02aa09da9dc52a60 ]---
          [42760.938342] ------------[ cut here ]------------
          [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8
          ...
      
      This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async
      IPIs & smp_call_function_single_async() in order to resolve this
      problem. We ensure use of the pre-allocated call_single_data_t
      structures is serialized by maintaining a cpumask indicating that
      they're busy, and refusing to attempt to send an IPI when a CPU's bit is
      set in this mask. This should only happen if a CPU hasn't responded to a
      previous backtrace IPI - ie. if it's hung - and we print a warning to
      the console in this case.
      
      I've marked this for stable branches as far back as v4.9, to which it
      applies cleanly. Strictly speaking the faulty MIPS implementation can be
      traced further back to commit 856839b7 ("MIPS: Add
      arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel
      versions v3.19 through v4.8 will require further work to backport due to
      the rework performed in commit 9a01c3ed ("nmi_backtrace: add more
      trigger_*_cpu_backtrace() methods").
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19597/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Fixes: 856839b7 ("MIPS: Add arch_trigger_all_cpu_backtrace() function")
      Fixes: 9a01c3ed ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0818c44b
    • Paul Burton's avatar
      MIPS: Call dump_stack() from show_regs() · 14ab9902
      Paul Burton authored
      commit 5a267832 upstream.
      
      The generic nmi_cpu_backtrace() function calls show_regs() when a struct
      pt_regs is available, and dump_stack() otherwise. If we were to make use
      of the generic nmi_cpu_backtrace() with MIPS' current implementation of
      show_regs() this would mean that we see only register data with no
      accompanying stack information, in contrast with our current
      implementation which calls dump_stack() regardless of whether register
      state is available.
      
      In preparation for making use of the generic nmi_cpu_backtrace() to
      implement arch_trigger_cpumask_backtrace(), have our implementation of
      show_regs() call dump_stack() and drop the explicit dump_stack() call in
      arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace().
      
      This will allow the output we produce to remain the same after a later
      patch switches to using nmi_cpu_backtrace(). It may mean that we produce
      extra stack output in other uses of show_regs(), but this:
      
        1) Seems harmless.
        2) Is good for consistency between arch_trigger_cpumask_backtrace()
           and other users of show_regs().
        3) Matches the behaviour of the ARM & PowerPC architectures.
      
      Marked for stable back to v4.9 as a prerequisite of the following patch
      "MIPS: Call dump_stack() from show_regs()".
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19596/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Huacai Chen <chenhc@lemote.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14ab9902
    • Kai Chieh Chuang's avatar
      ASoC: mediatek: preallocate pages use platform device · 77f738e8
      Kai Chieh Chuang authored
      commit 5845e615 upstream.
      
      preallocate pages should use platform device,
      since we set dma mask for platform device.
      Signed-off-by: default avatarKaiChieh Chuang <kaichieh.chuang@mediatek.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      77f738e8
    • Sean Young's avatar
      media: rc: mce_kbd decoder: fix stuck keys · 99ebaf4f
      Sean Young authored
      commit 63039c29 upstream.
      
      The MCE Remote sends a 0 scancode when keys are released. If this is not
      received or decoded, then keys can get "stuck"; the keyup event is not
      sent since the input_sync() is missing from the timeout handler.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99ebaf4f
  2. 11 Jul, 2018 17 commits