1. 26 Jul, 2019 40 commits
    • Wen Yang's avatar
      ASoC: audio-graph-card: fix use-after-free in graph_for_each_link · b2e77a92
      Wen Yang authored
      [ Upstream commit 1bcc1fd6 ]
      
      After calling of_node_put() on the codec_ep and codec_port variables,
      they are still being used, which may result in use-after-free.
      We fix this issue by calling of_node_put() after the last usage.
      
      Fixes: fce9b90c ("ASoC: audio-graph-card: cleanup DAI link loop method - step2")
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linux-kernel@vger.kernel.org
      Link: https://lore.kernel.org/r/1562229530-8121-1-git-send-email-wen.yang99@zte.com.cnSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b2e77a92
    • Geert Uytterhoeven's avatar
      gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants · cbd7d2d8
      Geert Uytterhoeven authored
      [ Upstream commit 3285170f ]
      
      Commit 372e722e ("gpiolib: use descriptors internally") renamed
      the functions to use a "gpiod" prefix, and commit 79a9becd
      ("gpiolib: export descriptor-based GPIO interface") introduced the "raw"
      variants, but both changes forgot to update the comments.
      
      Readd a similar reference to gpiod_set_value(), which was accidentally
      removed by commit 1e77fc82 ("gpio: Add missing open drain/source
      handling to gpiod_set_value_cansleep()").
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.beSigned-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cbd7d2d8
    • Cong Wang's avatar
      bonding: validate ip header before check IPPROTO_IGMP · 6ddf0813
      Cong Wang authored
      [ Upstream commit 9d1bc24b ]
      
      bond_xmit_roundrobin() checks for IGMP packets but it parses
      the IP header even before checking skb->protocol.
      
      We should validate the IP header with pskb_may_pull() before
      using iph->protocol.
      
      Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
      Fixes: a2fd940f ("bonding: fix broken multicast with round-robin mode")
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6ddf0813
    • Jiri Benc's avatar
      selftests: bpf: fix inlines in test_lwt_seg6local · f9cae712
      Jiri Benc authored
      [ Upstream commit 11aca65e ]
      
      Selftests are reporting this failure in test_lwt_seg6local.sh:
      
      + ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2
      Error fetching program/map!
      Failed to parse eBPF program: Operation not permitted
      
      The problem is __attribute__((always_inline)) alone is not enough to prevent
      clang from inserting those functions in .text. In that case, .text is not
      marked as relocateable.
      
      See the output of objdump -h test_lwt_seg6local.o:
      
      Idx Name          Size      VMA               LMA               File off  Algn
        0 .text         00003530  0000000000000000  0000000000000000  00000040  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, CODE
      
      This causes the iproute bpf loader to fail in bpf_fetch_prog_sec:
      bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no
      relocateable .text section in the file.
      
      To fix this, convert to 'static __always_inline'.
      
      v2: Use 'static __always_inline' instead of 'static inline
          __attribute__((always_inline))'
      
      Fixes: c99a84ea ("selftests/bpf: test for seg6local End.BPF action")
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f9cae712
    • Leo Yan's avatar
      bpf, libbpf, smatch: Fix potential NULL pointer dereference · b8bf2e82
      Leo Yan authored
      [ Upstream commit 33bae185 ]
      
      Based on the following report from Smatch, fix the potential NULL
      pointer dereference check:
      
        tools/lib/bpf/libbpf.c:3493
        bpf_prog_load_xattr() warn: variable dereferenced before check 'attr'
        (see line 3483)
      
        3479 int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
        3480                         struct bpf_object **pobj, int *prog_fd)
        3481 {
        3482         struct bpf_object_open_attr open_attr = {
        3483                 .file           = attr->file,
        3484                 .prog_type      = attr->prog_type,
                                               ^^^^^^
        3485         };
      
      At the head of function, it directly access 'attr' without checking
      if it's NULL pointer. This patch moves the values assignment after
      validating 'attr' and 'attr->file'.
      Signed-off-by: default avatarLeo Yan <leo.yan@linaro.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b8bf2e82
    • Andrii Nakryiko's avatar
      libbpf: fix GCC8 warning for strncpy · 925df798
      Andrii Nakryiko authored
      [ Upstream commit cdfc7f88 ]
      
      GCC8 started emitting warning about using strncpy with number of bytes
      exactly equal destination size, which is generally unsafe, as can lead
      to non-zero terminated string being copied. Use IFNAMSIZ - 1 as number
      of bytes to ensure name is always zero-terminated.
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Cc: Magnus Karlsson <magnus.karlsson@intel.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Acked-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      925df798
    • David Howells's avatar
      rxrpc: Fix oops in tracepoint · 8cf52280
      David Howells authored
      [ Upstream commit 99f0eae6 ]
      
      If the rxrpc_eproto tracepoint is enabled, an oops will be cause by the
      trace line that rxrpc_extract_header() tries to emit when a protocol error
      occurs (typically because the packet is short) because the call argument is
      NULL.
      
      Fix this by using ?: to assume 0 as the debug_id if call is NULL.
      
      This can then be induced by:
      
      	echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only <addr> 20001
      
      where addr has the following program running on it:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <string.h>
      	#include <unistd.h>
      	#include <sys/socket.h>
      	#include <arpa/inet.h>
      	#include <linux/rxrpc.h>
      	int main(void)
      	{
      		struct sockaddr_rxrpc srx;
      		int fd;
      		memset(&srx, 0, sizeof(srx));
      		srx.srx_family			= AF_RXRPC;
      		srx.srx_service			= 0;
      		srx.transport_type		= AF_INET;
      		srx.transport_len		= sizeof(srx.transport.sin);
      		srx.transport.sin.sin_family	= AF_INET;
      		srx.transport.sin.sin_port	= htons(0x4e21);
      		fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
      		bind(fd, (struct sockaddr *)&srx, sizeof(srx));
      		sleep(20);
      		return 0;
      	}
      
      It results in the following oops.
      
      	BUG: kernel NULL pointer dereference, address: 0000000000000340
      	#PF: supervisor read access in kernel mode
      	#PF: error_code(0x0000) - not-present page
      	...
      	RIP: 0010:trace_event_raw_event_rxrpc_rx_eproto+0x47/0xac
      	...
      	Call Trace:
      	 <IRQ>
      	 rxrpc_extract_header+0x86/0x171
      	 ? rcu_read_lock_sched_held+0x5d/0x63
      	 ? rxrpc_new_skb+0xd4/0x109
      	 rxrpc_input_packet+0xef/0x14fc
      	 ? rxrpc_input_data+0x986/0x986
      	 udp_queue_rcv_one_skb+0xbf/0x3d0
      	 udp_unicast_rcv_skb.isra.8+0x64/0x71
      	 ip_protocol_deliver_rcu+0xe4/0x1b4
      	 ip_local_deliver+0xf0/0x154
      	 __netif_receive_skb_one_core+0x50/0x6c
      	 netif_receive_skb_internal+0x26b/0x2e9
      	 napi_gro_receive+0xf8/0x1da
      	 rtl8169_poll+0x303/0x4c4
      	 net_rx_action+0x10e/0x333
      	 __do_softirq+0x1a5/0x38f
      	 irq_exit+0x54/0xc4
      	 do_IRQ+0xda/0xf8
      	 common_interrupt+0xf/0xf
      	 </IRQ>
      	 ...
      	 ? cpuidle_enter_state+0x23c/0x34d
      	 cpuidle_enter+0x2a/0x36
      	 do_idle+0x163/0x1ea
      	 cpu_startup_entry+0x1d/0x1f
      	 start_secondary+0x157/0x172
      	 secondary_startup_64+0xa4/0xb0
      
      Fixes: a25e21f0 ("rxrpc, afs: Use debug_ids rather than pointers in traces")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8cf52280
    • Phong Tran's avatar
      net: usb: asix: init MAC address buffers · b12cc046
      Phong Tran authored
      [ Upstream commit 78226f6e ]
      
      This is for fixing bug KMSAN: uninit-value in ax88772_bind
      
      Tested by
      https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ
      
      Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com
      
      syzbot found the following crash on:
      
      HEAD commit:    f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
      git tree:       kmsan
      console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000
      kernel config:
      https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
      dashboard link:
      https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e
      compiler:       clang version 9.0.0 (/home/glider/llvm/clang
      06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
      syz repro:
      https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000
      C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000
      
      ==================================================================
      BUG: KMSAN: uninit-value in is_valid_ether_addr
      include/linux/etherdevice.h:200 [inline]
      BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr
      drivers/net/usb/asix_devices.c:73 [inline]
      BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0
      drivers/net/usb/asix_devices.c:724
      CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x191/0x1f0 lib/dump_stack.c:113
        kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
        __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
        is_valid_ether_addr include/linux/etherdevice.h:200 [inline]
        asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline]
        ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724
        usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
        usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
        really_probe+0xdae/0x1d80 drivers/base/dd.c:513
        driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
        __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
        bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
        __device_attach+0x454/0x730 drivers/base/dd.c:844
        device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
        bus_probe_device+0x137/0x390 drivers/base/bus.c:514
        device_add+0x288d/0x30e0 drivers/base/core.c:2106
        usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
        generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
        usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
        really_probe+0xdae/0x1d80 drivers/base/dd.c:513
        driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
        __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
        bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
        __device_attach+0x454/0x730 drivers/base/dd.c:844
        device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
        bus_probe_device+0x137/0x390 drivers/base/bus.c:514
        device_add+0x288d/0x30e0 drivers/base/core.c:2106
        usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
        hub_port_connect drivers/usb/core/hub.c:5089 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
        port_event drivers/usb/core/hub.c:5350 [inline]
        hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
        process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
        process_scheduled_works kernel/workqueue.c:2331 [inline]
        worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
        kthread+0x4b5/0x4f0 kernel/kthread.c:254
        ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
      Signed-off-by: default avatarPhong Tran <tranmanphong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b12cc046
    • Guilherme G. Piccoli's avatar
      bnx2x: Prevent ptp_task to be rescheduled indefinitely · 74d03f7e
      Guilherme G. Piccoli authored
      [ Upstream commit 3c91f25c ]
      
      Currently bnx2x ptp worker tries to read a register with timestamp
      information in case of TX packet timestamping and in case it fails,
      the routine reschedules itself indefinitely. This was reported as a
      kworker always at 100% of CPU usage, which was narrowed down to be
      bnx2x ptp_task.
      
      By following the ioctl handler, we could narrow down the problem to
      an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
      RX filter zeroed; this isn't reproducible for example with ptp4l
      (from linuxptp) since this tool requests a supported RX filter.
      It seems NIC FW timestamp mechanism cannot work well with
      RX_FILTER_NONE - driver's PTP filter init routine skips a register
      write to the adapter if there's not a supported filter request.
      
      This patch addresses the problem of bnx2x ptp thread's everlasting
      reschedule by retrying the register read 10 times; between the read
      attempts the thread sleeps for an increasing amount of time starting
      in 1ms to give FW some time to perform the timestamping. If it still
      fails after all retries, we bail out in order to prevent an unbound
      resource consumption from bnx2x.
      
      The patch also adds an ethtool statistic for accounting the skipped
      TX timestamp packets and it reduces the priority of timestamping
      error messages to prevent log flooding. The code was tested using
      both linuxptp and chrony.
      Reported-and-tested-by: default avatarPrzemyslaw Hausman <przemyslaw.hausman@canonical.com>
      Suggested-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarGuilherme G. Piccoli <gpiccoli@canonical.com>
      Acked-by: default avatarSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      74d03f7e
    • Taehee Yoo's avatar
      vxlan: do not destroy fdb if register_netdevice() is failed · 5a439255
      Taehee Yoo authored
      [ Upstream commit 7c31e54a ]
      
      __vxlan_dev_create() destroys FDB using specific pointer which indicates
      a fdb when error occurs.
      But that pointer should not be used when register_netdevice() fails because
      register_netdevice() internally destroys fdb when error occurs.
      
      This patch makes vxlan_fdb_create() to do not link fdb entry to vxlan dev
      internally.
      Instead, a new function vxlan_fdb_insert() is added to link fdb to vxlan
      dev.
      
      vxlan_fdb_insert() is called after calling register_netdevice().
      This routine can avoid situation that ->ndo_uninit() destroys fdb entry
      in error path of register_netdevice().
      Hence, error path of __vxlan_dev_create() routine can have an opportunity
      to destroy default fdb entry by hand.
      
      Test command
          ip link add bonding_masters type vxlan id 0 group 239.1.1.1 \
      	    dev enp0s9 dstport 4789
      
      Splat looks like:
      [  213.392816] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  213.401257] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  213.402178] CPU: 0 PID: 1414 Comm: ip Not tainted 5.2.0-rc5+ #256
      [  213.402178] RIP: 0010:vxlan_fdb_destroy+0x120/0x220 [vxlan]
      [  213.402178] Code: df 48 8b 2b 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 06 01 00 00 4c 8b 63 08 48 b8 00 00 00 00 00 fc d
      [  213.402178] RSP: 0018:ffff88810cb9f0a0 EFLAGS: 00010202
      [  213.402178] RAX: dffffc0000000000 RBX: ffff888101d4a8c8 RCX: 0000000000000000
      [  213.402178] RDX: 1bd5a00000000040 RSI: ffff888101d4a8c8 RDI: ffff888101d4a8d0
      [  213.402178] RBP: 0000000000000000 R08: fffffbfff22b72d9 R09: 0000000000000000
      [  213.402178] R10: 00000000ffffffef R11: 0000000000000000 R12: dead000000000200
      [  213.402178] R13: ffff88810cb9f1f8 R14: ffff88810efccda0 R15: ffff88810efccda0
      [  213.402178] FS:  00007f7f6621a0c0(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
      [  213.402178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  213.402178] CR2: 000055746f0807d0 CR3: 00000001123e0000 CR4: 00000000001006f0
      [  213.402178] Call Trace:
      [  213.402178]  __vxlan_dev_create+0x3a9/0x7d0 [vxlan]
      [  213.402178]  ? vxlan_changelink+0x740/0x740 [vxlan]
      [  213.402178]  ? rcu_read_unlock+0x60/0x60 [vxlan]
      [  213.402178]  ? __kasan_kmalloc.constprop.3+0xa0/0xd0
      [  213.402178]  vxlan_newlink+0x8d/0xc0 [vxlan]
      [  213.402178]  ? __vxlan_dev_create+0x7d0/0x7d0 [vxlan]
      [  213.554119]  ? __netlink_ns_capable+0xc3/0xf0
      [  213.554119]  __rtnl_newlink+0xb75/0x1180
      [  213.554119]  ? rtnl_link_unregister+0x230/0x230
      [ ... ]
      
      Fixes: 0241b836 ("vxlan: fix default fdb entry netlink notify ordering during netdev create")
      Suggested-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5a439255
    • Andi Kleen's avatar
      perf stat: Fix group lookup for metric group · e128d856
      Andi Kleen authored
      [ Upstream commit 2f87f33f ]
      
      The metric group code tries to find a group it added earlier in the
      evlist. Fix the lookup to handle groups with partially overlaps
      correctly. When a sub string match fails and we reset the match, we have
      to compare the first element again.
      
      I also renamed the find_evsel function to find_evsel_group to make its
      purpose clearer.
      
      With the earlier changes this fixes:
      
      Before:
      
        % perf stat -M UPI,IPC sleep 1
        ...
               1,032,922      uops_retired.retire_slots #      1.1 UPI
               1,896,096      inst_retired.any
               1,896,096      inst_retired.any
               1,177,254      cpu_clk_unhalted.thread
      
      After:
      
        % perf stat -M UPI,IPC sleep 1
        ...
              1,013,193      uops_retired.retire_slots #      1.1 UPI
                 932,033      inst_retired.any
                 932,033      inst_retired.any          #      0.9 IPC
               1,091,245      cpu_clk_unhalted.thread
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Fixes: b18f3e36 ("perf stat: Support JSON metrics in perf stat")
      Link: http://lkml.kernel.org/r/20190624193711.35241-4-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e128d856
    • Andi Kleen's avatar
      perf stat: Don't merge events in the same PMU · db8ce0db
      Andi Kleen authored
      [ Upstream commit 6c5f4e5c ]
      
      Event merging is mainly to collapse similar events in lots of different
      duplicated PMUs.
      
      It can break metric displaying. It's possible for two metrics to have
      the same event, and when the two events happen in a row the second
      wouldn't be displayed.  This would also not show the second metric.
      
      To avoid this don't merge events in the same PMU. This makes sense, if
      we have multiple events in the same PMU there is likely some reason for
      it (e.g. using multiple groups) and we better not merge them.
      
      While in theory it would be possible to construct metrics that have
      events with the same name in different PMU no current metrics have this
      problem.
      
      This is the fix for perf stat -M UPI,IPC (needs also another bug fix to
      completely work)
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Fixes: 430daf2d ("perf stat: Collapse identically named events")
      Link: http://lkml.kernel.org/r/20190624193711.35241-3-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      db8ce0db
    • Andi Kleen's avatar
      perf stat: Fix metrics with --no-merge · beba77a8
      Andi Kleen authored
      [ Upstream commit e3a94273 ]
      
      Since Fixes: 8c5421c0 ("perf pmu: Display pmu name when printing
      unmerged events in stat") using --no-merge adds the PMU name to the
      evsel name.
      
      This breaks the metric value lookup because the parser doesn't know
      about this.
      
      Remove the extra postfixes for the metric evaluation.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Agustin Vega-Frias <agustinv@codeaurora.org>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Fixes: 8c5421c0 ("perf pmu: Display pmu name when printing unmerged events in stat")
      Link: http://lkml.kernel.org/r/20190624193711.35241-5-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      beba77a8
    • Andi Kleen's avatar
      perf stat: Make metric event lookup more robust · 6f800cb1
      Andi Kleen authored
      [ Upstream commit 145c407c ]
      
      After setting up metric groups through the event parser, the metricgroup
      code looks them up again in the event list.
      
      Make sure we only look up events that haven't been used by some other
      metric. The data structures currently cannot handle more than one metric
      per event. This avoids problems with multiple events partially
      overlapping.
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Link: http://lkml.kernel.org/r/20190624193711.35241-2-andi@firstfloor.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6f800cb1
    • Rander Wang's avatar
      ALSA: hda: Fix a headphone detection issue when using SOF · 7a6030b1
      Rander Wang authored
      [ Upstream commit 7c2b3629 ]
      
      To save power, the hda hdmi driver in ASoC invokes snd_hdac_ext_bus_link_put
      to disable CORB/RIRB buffers DMA if there is no user of bus and invokes
      snd_hdac_ext_bus_link_get to set up CORB/RIRB buffers when it is used.
      Unsolicited responses is disabled in snd_hdac_bus_stop_cmd_io called by
      snd_hdac_ext_bus_link_put , but it is not enabled in snd_hdac_bus_init_cmd_io
      called by snd_hdac_ext_bus_link_get. So for put-get sequence, Unsolicited
      responses is disabled and headphone can't be detected by hda codecs.
      
      Now unsolicited responses is only enabled in snd_hdac_bus_reset_link
      which resets controller. The function is only called for setup of
      controller. This patch enables Unsolicited responses after RIRB is
      initialized in snd_hdac_bus_init_cmd_io which works together with
      snd_hdac_bus_reset_link to set up controller.
      
      Tested legacy hda driver and SOF driver on intel whiskeylake.
      Reviewed-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarRander Wang <rander.wang@linux.intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7a6030b1
    • Michael Chan's avatar
      bnxt_en: Fix statistics context reservation logic for RDMA driver. · dcbc804c
      Michael Chan authored
      [ Upstream commit d77b1ad8 ]
      
      The current logic assumes that the RDMA driver uses one statistics
      context adjacent to the ones used by the network driver.  This
      assumption is not true and the statistics context used by the
      RDMA driver is tied to its MSIX base vector.  This wrong assumption
      can cause RDMA driver failure after changing ethtool rings on the
      network side.  Fix the statistics reservation logic accordingly.
      
      Fixes: 780baad4 ("bnxt_en: Reserve 1 stat_ctx for RDMA driver.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dcbc804c
    • Michael Chan's avatar
      bnxt_en: Disable bus master during PCI shutdown and driver unload. · 51a21893
      Michael Chan authored
      [ Upstream commit c20dc142 ]
      
      Some chips with older firmware can continue to perform DMA read from
      context memory even after the memory has been freed.  In the PCI shutdown
      method, we need to call pci_disable_device() to shutdown DMA to prevent
      this DMA before we put the device into D3hot.  DMA memory request in
      D3hot state will generate PCI fatal error.  Similarly, in the driver
      remove method, the context memory should only be freed after DMA has
      been shutdown for correctness.
      
      Fixes: 98f04cf0 ("bnxt_en: Check context memory requirements from firmware.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      51a21893
    • Shahar S Matityahu's avatar
      iwlwifi: dbg: fix debug monitor stop and restart delays · 8d4c01b3
      Shahar S Matityahu authored
      [ Upstream commit fc838c77 ]
      
      The driver should delay only in recording stop flow between writing to
      DBGC_IN_SAMPLE register and DBGC_OUT_CTRL register. Any other delay is
      not needed.
      
      Change the following:
      1. Remove any unnecessary delays in the flow
      2. Increase the delay in the stop recording flow since 100 micro is
         not enough
      3. Use usleep_range instead of delay since the driver is allowed to
         sleep in this flow.
      Signed-off-by: default avatarShahar S Matityahu <shahar.s.matityahu@intel.com>
      Fixes: 5cfe79c8 ("iwlwifi: fw: stop and start debugging using host command")
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8d4c01b3
    • He Zhe's avatar
      netfilter: Fix remainder of pseudo-header protocol 0 · 7bc8dfa0
      He Zhe authored
      [ Upstream commit 5d154984 ]
      
      Since v5.1-rc1, some types of packets do not get unreachable reply with the
      following iptables setting. Fox example,
      
      $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
      $ ping 127.0.0.1 -c 1
      PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
      — 127.0.0.1 ping statistics —
      1 packets transmitted, 0 received, 100% packet loss, time 0ms
      
      We should have got the following reply from command line, but we did not.
      From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
      
      Yi Zhao reported it and narrowed it down to:
      7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it"),
      
      This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
      packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
      treated as TCP/UDP.
      
      This patch corrects the conditions in nf_ip_checksum and all other places that
      still call it with protocol 0.
      
      Fixes: 7fc38225 ("netfilter: reject: skip csum verification for protocols that don't support it")
      Reported-by: default avatarYi Zhao <yi.zhao@windriver.com>
      Signed-off-by: default avatarHe Zhe <zhe.he@windriver.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7bc8dfa0
    • Baruch Siach's avatar
      bpf: fix uapi bpf_prog_info fields alignment · 91adaf0e
      Baruch Siach authored
      [ Upstream commit 0472301a ]
      
      Merge commit 1c8c5a9d ("Merge
      git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next") undid the
      fix from commit 36f9814a ("bpf: fix uapi hole for 32 bit compat
      applications") by taking the gpl_compatible 1-bit field definition from
      commit b85fab0e ("bpf: Add gpl_compatible flag to struct
      bpf_prog_info") as is. That breaks architectures with 16-bit alignment
      like m68k. Add 31-bit pad after gpl_compatible to restore alignment of
      following fields.
      
      Thanks to Dmitry V. Levin his analysis of this bug history.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      91adaf0e
    • Andrei Otcheretianski's avatar
      iwlwifi: mvm: Drop large non sta frames · c3674310
      Andrei Otcheretianski authored
      [ Upstream commit ac70499e ]
      
      In some buggy scenarios we could possible attempt to transmit frames larger
      than maximum MSDU size. Since our devices don't know how to handle this,
      it may result in asserts, hangs etc.
      This can happen, for example, when we receive a large multicast frame
      and try to transmit it back to the air in AP mode.
      Since in a legal scenario this should never happen, drop such frames and
      warn about it.
      Signed-off-by: default avatarAndrei Otcheretianski <andrei.otcheretianski@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c3674310
    • Dann Frazier's avatar
      ixgbe: Avoid NULL pointer dereference with VF on non-IPsec hw · f2c23ab2
      Dann Frazier authored
      [ Upstream commit 92924064 ]
      
      An ipsec structure will not be allocated if the hardware does not support
      offload. Fixes the following Oops:
      
      [  191.045452] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
      [  191.054232] Mem abort info:
      [  191.057014]   ESR = 0x96000004
      [  191.060057]   Exception class = DABT (current EL), IL = 32 bits
      [  191.065963]   SET = 0, FnV = 0
      [  191.069004]   EA = 0, S1PTW = 0
      [  191.072132] Data abort info:
      [  191.074999]   ISV = 0, ISS = 0x00000004
      [  191.078822]   CM = 0, WnR = 0
      [  191.081780] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000043d9e467
      [  191.088382] [0000000000000000] pgd=0000000000000000
      [  191.093252] Internal error: Oops: 96000004 [#1] SMP
      [  191.098119] Modules linked in: vhost_net vhost tap vfio_pci vfio_virqfd vfio_iommu_type1 vfio xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter devlink ebtables ip6table_filter ip6_tables iptable_filter bpfilter ipmi_ssif nls_iso8859_1 input_leds joydev ipmi_si hns_roce_hw_v2 ipmi_devintf hns_roce ipmi_msghandler cppc_cpufreq sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 ses enclosure btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor hid_generic usbhid hid raid6_pq libcrc32c raid1 raid0 multipath linear ixgbevf hibmc_drm ttm
      [  191.168607]  drm_kms_helper aes_ce_blk aes_ce_cipher syscopyarea crct10dif_ce sysfillrect ghash_ce qla2xxx sysimgblt sha2_ce sha256_arm64 hisi_sas_v3_hw fb_sys_fops sha1_ce uas nvme_fc mpt3sas ixgbe drm hisi_sas_main nvme_fabrics usb_storage hclge scsi_transport_fc ahci libsas hnae3 raid_class libahci xfrm_algo scsi_transport_sas mdio aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
      [  191.202952] CPU: 94 PID: 0 Comm: swapper/94 Not tainted 4.19.0-rc1+ #11
      [  191.209553] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.20.01 04/26/2019
      [  191.218064] pstate: 20400089 (nzCv daIf +PAN -UAO)
      [  191.222873] pc : ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe]
      [  191.228093] lr : ixgbe_msg_task+0x2d0/0x1088 [ixgbe]
      [  191.233044] sp : ffff000009b3bcd0
      [  191.236346] x29: ffff000009b3bcd0 x28: 0000000000000000
      [  191.241647] x27: ffff000009628000 x26: 0000000000000000
      [  191.246946] x25: ffff803f652d7600 x24: 0000000000000004
      [  191.252246] x23: ffff803f6a718900 x22: 0000000000000000
      [  191.257546] x21: 0000000000000000 x20: 0000000000000000
      [  191.262845] x19: 0000000000000000 x18: 0000000000000000
      [  191.268144] x17: 0000000000000000 x16: 0000000000000000
      [  191.273443] x15: 0000000000000000 x14: 0000000100000026
      [  191.278742] x13: 0000000100000025 x12: ffff8a5f7fbe0df0
      [  191.284042] x11: 000000010000000b x10: 0000000000000040
      [  191.289341] x9 : 0000000000001100 x8 : ffff803f6a824fd8
      [  191.294640] x7 : ffff803f6a825098 x6 : 0000000000000001
      [  191.299939] x5 : ffff000000f0ffc0 x4 : 0000000000000000
      [  191.305238] x3 : ffff000028c00000 x2 : ffff803f652d7600
      [  191.310538] x1 : 0000000000000000 x0 : ffff000000f205f0
      [  191.315838] Process swapper/94 (pid: 0, stack limit = 0x00000000addfed5a)
      [  191.322613] Call trace:
      [  191.325055]  ixgbe_ipsec_vf_clear+0x60/0xd0 [ixgbe]
      [  191.329927]  ixgbe_msg_task+0x2d0/0x1088 [ixgbe]
      [  191.334536]  ixgbe_msix_other+0x274/0x330 [ixgbe]
      [  191.339233]  __handle_irq_event_percpu+0x78/0x270
      [  191.343924]  handle_irq_event_percpu+0x40/0x98
      [  191.348355]  handle_irq_event+0x50/0xa8
      [  191.352180]  handle_fasteoi_irq+0xbc/0x148
      [  191.356263]  generic_handle_irq+0x34/0x50
      [  191.360259]  __handle_domain_irq+0x68/0xc0
      [  191.364343]  gic_handle_irq+0x84/0x180
      [  191.368079]  el1_irq+0xe8/0x180
      [  191.371208]  arch_cpu_idle+0x30/0x1a8
      [  191.374860]  do_idle+0x1dc/0x2a0
      [  191.378077]  cpu_startup_entry+0x2c/0x30
      [  191.381988]  secondary_start_kernel+0x150/0x1e0
      [  191.386506] Code: 6b15003f 54000320 f1404a9f 54000060 (79400260)
      
      Fixes: eda0333a ("ixgbe: add VF IPsec management")
      Signed-off-by: default avatarDann Frazier <dann.frazier@canonical.com>
      Acked-by: default avatarShannon Nelson <snelson@pensando.io>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2c23ab2
    • Yonglong Liu's avatar
      net: hns3: add Asym Pause support to fix autoneg problem · 724dffdf
      Yonglong Liu authored
      [ Upstream commit bc3781ed ]
      
      Local device and link partner config auto-negotiation on both,
      local device config pause frame use as: rx on/tx off,
      link partner config pause frame use as: rx off/tx on.
      
      We except the result is:
      Local device:
      Autonegotiate:  on
      RX:             on
      TX:             off
      RX negotiated:  on
      TX negotiated:  off
      
      Link partner:
      Autonegotiate:  on
      RX:             off
      TX:             on
      RX negotiated:  off
      TX negotiated:  on
      
      But actually, the result of Local device and link partner is both:
      Autonegotiate:  on
      RX:             off
      TX:             off
      RX negotiated:  off
      TX negotiated:  off
      
      The root cause is that the supported flag is has only Pause,
      reference to the function genphy_config_advert():
      static int genphy_config_advert(struct phy_device *phydev)
      {
      	...
      	linkmode_and(phydev->advertising, phydev->advertising,
      		     phydev->supported);
      	...
      }
      The pause frame use of link partner is rx off/tx on, so its
      advertising only set the bit Asym_Pause, and the supported is
      only set the bit Pause, so the result of linkmode_and(), is
      rx off/tx off.
      
      This patch adds Asym_Pause to the supported flag to fix it.
      Signed-off-by: default avatarYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      724dffdf
    • Vedang Patel's avatar
      igb: clear out skb->tstamp after reading the txtime · d7924e6f
      Vedang Patel authored
      [ Upstream commit 1e08511d ]
      
      If a packet which is utilizing the launchtime feature (via SO_TXTIME socket
      option) also requests the hardware transmit timestamp, the hardware
      timestamp is not delivered to the userspace. This is because the value in
      skb->tstamp is mistaken as the software timestamp.
      
      Applications, like ptp4l, request a hardware timestamp by setting the
      SOF_TIMESTAMPING_TX_HARDWARE socket option. Whenever a new timestamp is
      detected by the driver (this work is done in igb_ptp_tx_work() which calls
      igb_ptp_tx_hwtstamps() in igb_ptp.c[1]), it will queue the timestamp in the
      ERR_QUEUE for the userspace to read. When the userspace is ready, it will
      issue a recvmsg() call to collect this timestamp.  The problem is in this
      recvmsg() call. If the skb->tstamp is not cleared out, it will be
      interpreted as a software timestamp and the hardware tx timestamp will not
      be successfully sent to the userspace. Look at skb_is_swtx_tstamp() and the
      callee function __sock_recv_timestamp() in net/socket.c for more details.
      Signed-off-by: default avatarVedang Patel <vedang.patel@intel.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d7924e6f
    • Maxime Chevallier's avatar
      net: mvpp2: prs: Don't override the sign bit in SRAM parser shift · aa6a8b84
      Maxime Chevallier authored
      [ Upstream commit 8ec3ede5 ]
      
      The Header Parser allows identifying various fields in the packet
      headers, used for various kind of filtering and classification
      steps.
      
      This is a re-entrant process, where the offset in the packet header
      depends on the previous lookup results. This offset is represented in
      the SRAM results of the TCAM, as a shift to be operated.
      
      This shift can be negative in some cases, such as in IPv6 parsing.
      
      This commit prevents overriding the sign bit when setting the shift
      value, which could cause instabilities when parsing IPv6 flows.
      
      Fixes: 3f518509 ("ethernet: Add new driver for Marvell Armada 375 network unit")
      Suggested-by: default avatarAlan Winkowski <walan@marvell.com>
      Signed-off-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aa6a8b84
    • Wen Gong's avatar
      ath10k: destroy sdio workqueue while remove sdio module · d77aa904
      Wen Gong authored
      [ Upstream commit 3ed39f8e ]
      
      The workqueue need to flush and destory while remove sdio module,
      otherwise it will have thread which is not destory after remove
      sdio modules.
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d77aa904
    • Dundi Raviteja's avatar
      ath10k: Fix memory leak in qmi · 60dd7a80
      Dundi Raviteja authored
      [ Upstream commit c709df58 ]
      
      Currently the memory allocated for qmi handle is
      not being freed during de-init which leads to memory leak.
      
      Free the allocated qmi memory in qmi deinit
      to avoid memory leak.
      
      Tested HW: WCN3990
      Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
      
      Fixes: fda6fee0001e ("ath10k: add QMI message handshake for wcn3990 client")
      Signed-off-by: default avatarDundi Raviteja <dundi@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      60dd7a80
    • Yunsheng Lin's avatar
      net: hns3: add some error checking in hclge_tm module · 56591adf
      Yunsheng Lin authored
      [ Upstream commit 04f25edb ]
      
      When hdev->tx_sch_mode is HCLGE_FLAG_VNET_BASE_SCH_MODE, the
      hclge_tm_schd_mode_vnet_base_cfg calls hclge_tm_pri_schd_mode_cfg
      with vport->vport_id as pri_id, which is used as index for
      hdev->tm_info.tc_info, it will cause out of bound access issue
      if vport_id is equal to or larger than HNAE3_MAX_TC.
      
      Also hardware only support maximum speed of HCLGE_ETHER_MAX_RATE.
      
      So this patch adds two checks for above cases.
      
      Fixes: 84844054 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver")
      Signed-off-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      56591adf
    • Yonglong Liu's avatar
      net: hns3: fix a -Wformat-nonliteral compile warning · a8368069
      Yonglong Liu authored
      [ Upstream commit 18d219b7 ]
      
      When setting -Wformat=2, there is a compiler warning like this:
      
      hclge_main.c:xxx:x: warning: format not a string literal and no
      format arguments [-Wformat-nonliteral]
      strs[i].desc);
      ^~~~
      
      This patch adds missing format parameter "%s" to snprintf() to
      fix it.
      
      Fixes: 46a3df9f ("Add HNS3 Acceleration Engine & Compatibility Layer Support")
      Signed-off-by: default avatarYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a8368069
    • Coly Li's avatar
      bcache: fix potential deadlock in cached_def_free() · 5f5eb171
      Coly Li authored
      [ Upstream commit 7e865eba ]
      
      When enable lockdep and reboot system with a writeback mode bcache
      device, the following potential deadlock warning is reported by lockdep
      engine.
      
      [  101.536569][  T401] kworker/2:2/401 is trying to acquire lock:
      [  101.538575][  T401] 00000000bbf6e6c7 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
      [  101.542054][  T401]
      [  101.542054][  T401] but task is already holding lock:
      [  101.544587][  T401] 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
      [  101.548386][  T401]
      [  101.548386][  T401] which lock already depends on the new lock.
      [  101.548386][  T401]
      [  101.551874][  T401]
      [  101.551874][  T401] the existing dependency chain (in reverse order) is:
      [  101.555000][  T401]
      [  101.555000][  T401] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
      [  101.557860][  T401]        process_one_work+0x277/0x640
      [  101.559661][  T401]        worker_thread+0x39/0x3f0
      [  101.561340][  T401]        kthread+0x125/0x140
      [  101.562963][  T401]        ret_from_fork+0x3a/0x50
      [  101.564718][  T401]
      [  101.564718][  T401] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
      [  101.567701][  T401]        lock_acquire+0xb4/0x1c0
      [  101.569651][  T401]        flush_workqueue+0xae/0x4c0
      [  101.571494][  T401]        drain_workqueue+0xa9/0x180
      [  101.573234][  T401]        destroy_workqueue+0x17/0x250
      [  101.575109][  T401]        cached_dev_free+0x44/0x120 [bcache]
      [  101.577304][  T401]        process_one_work+0x2a4/0x640
      [  101.579357][  T401]        worker_thread+0x39/0x3f0
      [  101.581055][  T401]        kthread+0x125/0x140
      [  101.582709][  T401]        ret_from_fork+0x3a/0x50
      [  101.584592][  T401]
      [  101.584592][  T401] other info that might help us debug this:
      [  101.584592][  T401]
      [  101.588355][  T401]  Possible unsafe locking scenario:
      [  101.588355][  T401]
      [  101.590974][  T401]        CPU0                    CPU1
      [  101.592889][  T401]        ----                    ----
      [  101.594743][  T401]   lock((work_completion)(&cl->work)#2);
      [  101.596785][  T401]                                lock((wq_completion)bcache_writeback_wq);
      [  101.600072][  T401]                                lock((work_completion)(&cl->work)#2);
      [  101.602971][  T401]   lock((wq_completion)bcache_writeback_wq);
      [  101.605255][  T401]
      [  101.605255][  T401]  *** DEADLOCK ***
      [  101.605255][  T401]
      [  101.608310][  T401] 2 locks held by kworker/2:2/401:
      [  101.610208][  T401]  #0: 00000000cf2c7d17 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
      [  101.613709][  T401]  #1: 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
      [  101.617480][  T401]
      [  101.617480][  T401] stack backtrace:
      [  101.619539][  T401] CPU: 2 PID: 401 Comm: kworker/2:2 Tainted: G        W         5.2.0-rc4-lp151.20-default+ #1
      [  101.623225][  T401] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
      [  101.627210][  T401] Workqueue: events cached_dev_free [bcache]
      [  101.629239][  T401] Call Trace:
      [  101.630360][  T401]  dump_stack+0x85/0xcb
      [  101.631777][  T401]  print_circular_bug+0x19a/0x1f0
      [  101.633485][  T401]  __lock_acquire+0x16cd/0x1850
      [  101.635184][  T401]  ? __lock_acquire+0x6a8/0x1850
      [  101.636863][  T401]  ? lock_acquire+0xb4/0x1c0
      [  101.638421][  T401]  ? find_held_lock+0x34/0xa0
      [  101.640015][  T401]  lock_acquire+0xb4/0x1c0
      [  101.641513][  T401]  ? flush_workqueue+0x87/0x4c0
      [  101.643248][  T401]  flush_workqueue+0xae/0x4c0
      [  101.644832][  T401]  ? flush_workqueue+0x87/0x4c0
      [  101.646476][  T401]  ? drain_workqueue+0xa9/0x180
      [  101.648303][  T401]  drain_workqueue+0xa9/0x180
      [  101.649867][  T401]  destroy_workqueue+0x17/0x250
      [  101.651503][  T401]  cached_dev_free+0x44/0x120 [bcache]
      [  101.653328][  T401]  process_one_work+0x2a4/0x640
      [  101.655029][  T401]  worker_thread+0x39/0x3f0
      [  101.656693][  T401]  ? process_one_work+0x640/0x640
      [  101.658501][  T401]  kthread+0x125/0x140
      [  101.660012][  T401]  ? kthread_create_worker_on_cpu+0x70/0x70
      [  101.661985][  T401]  ret_from_fork+0x3a/0x50
      [  101.691318][  T401] bcache: bcache_device_free() bcache0 stopped
      
      Here is how the above potential deadlock may happen in reboot/shutdown
      code path,
      1) bcache_reboot() is called firstly in the reboot/shutdown code path,
         then in bcache_reboot(), bcache_device_stop() is called.
      2) bcache_device_stop() sets BCACHE_DEV_CLOSING on d->falgs, then call
         closure_queue(&d->cl) to invoke cached_dev_flush(). And in turn
         cached_dev_flush() calls cached_dev_free() via closure_at()
      3) In cached_dev_free(), after stopped writebach kthread
         dc->writeback_thread, the kwork dc->writeback_write_wq is stopping by
         destroy_workqueue().
      4) Inside destroy_workqueue(), drain_workqueue() is called. Inside
         drain_workqueue(), flush_workqueue() is called. Then wq->lockdep_map
         is acquired by lock_map_acquire() in flush_workqueue(). After the
         lock acquired the rest part of flush_workqueue() just wait for the
         workqueue to complete.
      5) Now we look back at writeback thread routine bch_writeback_thread(),
         in the main while-loop, write_dirty() is called via continue_at() in
         read_dirty_submit(), which is called via continue_at() in while-loop
         level called function read_dirty(). Inside write_dirty() it may be
         re-called on workqueeu dc->writeback_write_wq via continue_at().
         It means when the writeback kthread is stopped in cached_dev_free()
         there might be still one kworker queued on dc->writeback_write_wq
         to execute write_dirty() again.
      6) Now this kworker is scheduled on dc->writeback_write_wq to run by
         process_one_work() (which is called by worker_thread()). Before
         calling the kwork routine, wq->lockdep_map is acquired.
      7) But wq->lockdep_map is acquired already in step 4), so a A-A lock
         (lockdep terminology) scenario happens.
      
      Indeed on multiple cores syatem, the above deadlock is very rare to
      happen, just as the code comments in process_one_work() says,
      2263     * AFAICT there is no possible deadlock scenario between the
      2264     * flush_work() and complete() primitives (except for
      	   single-threaded
      2265     * workqueues), so hiding them isn't a problem.
      
      But it is still good to fix such lockdep warning, even no one running
      bcache on single core system.
      
      The fix is simple. This patch solves the above potential deadlock by,
      - Do not destroy workqueue dc->writeback_write_wq in cached_dev_free().
      - Flush and destroy dc->writeback_write_wq in writebach kthread routine
        bch_writeback_thread(), where after quit the thread main while-loop
        and before cached_dev_put() is called.
      
      By this fix, dc->writeback_write_wq will be stopped and destroy before
      the writeback kthread stopped, so the chance for a A-A locking on
      wq->lockdep_map is disappeared, such A-A deadlock won't happen
      any more.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5f5eb171
    • Coly Li's avatar
      bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() · 2d1169fe
      Coly Li authored
      [ Upstream commit b387e9b5 ]
      
      When system memory is in heavy pressure, bch_gc_thread_start() from
      run_cache_set() may fail due to out of memory. In such condition,
      c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
      failure code path bch_cache_set_error(), when cache_set_flush() gets
      called, the code piece to stop c->gc_thread is broken,
               if (!IS_ERR_OR_NULL(c->gc_thread))
                       kthread_stop(c->gc_thread);
      
      And KASAN catches such NULL pointer deference problem, with the warning
      information:
      
      [  561.207881] ==================================================================
      [  561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
      [  561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
      
      [  561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G        W         5.0.0-vanilla+ #3
      [  561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
      [  561.207935] Workqueue: events cache_set_flush [bcache]
      [  561.207940] Call Trace:
      [  561.207948]  dump_stack+0x9a/0xeb
      [  561.207955]  ? kthread_stop+0x3b/0x440
      [  561.207960]  ? kthread_stop+0x3b/0x440
      [  561.207965]  kasan_report+0x176/0x192
      [  561.207973]  ? kthread_stop+0x3b/0x440
      [  561.207981]  kthread_stop+0x3b/0x440
      [  561.207995]  cache_set_flush+0xd4/0x6d0 [bcache]
      [  561.208008]  process_one_work+0x856/0x1620
      [  561.208015]  ? find_held_lock+0x39/0x1d0
      [  561.208028]  ? drain_workqueue+0x380/0x380
      [  561.208048]  worker_thread+0x87/0xb80
      [  561.208058]  ? __kthread_parkme+0xb6/0x180
      [  561.208067]  ? process_one_work+0x1620/0x1620
      [  561.208072]  kthread+0x326/0x3e0
      [  561.208079]  ? kthread_create_worker_on_cpu+0xc0/0xc0
      [  561.208090]  ret_from_fork+0x3a/0x50
      [  561.208110] ==================================================================
      [  561.208113] Disabling lock debugging due to kernel taint
      [  561.208115] irq event stamp: 11800231
      [  561.208126] hardirqs last  enabled at (11800231): [<ffffffff83008538>] do_syscall_64+0x18/0x410
      [  561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
      [  561.208129] #PF error: [WRITE]
      [  561.312253] hardirqs last disabled at (11800230): [<ffffffff830052ff>] trace_hardirqs_off_thunk+0x1a/0x1c
      [  561.312259] softirqs last  enabled at (11799832): [<ffffffff850005c7>] __do_softirq+0x5c7/0x8c3
      [  561.405975] PGD 0 P4D 0
      [  561.442494] softirqs last disabled at (11799821): [<ffffffff831add2c>] irq_exit+0x1ac/0x1e0
      [  561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
      [  561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G    B   W         5.0.0-vanilla+ #3
      [  561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
      [  561.791371] Workqueue: events cache_set_flush [bcache]
      [  561.791374] RIP: 0010:kthread_stop+0x3b/0x440
      [  561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 <f0> ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
      [  561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
      [  561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
      [  563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
      [  563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
      [  563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
      [  563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
      [  563.408620] FS:  0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
      [  563.408622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
      [  563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  563.915796] PKRU: 55555554
      [  563.915797] Call Trace:
      [  563.915807]  cache_set_flush+0xd4/0x6d0 [bcache]
      [  563.915812]  process_one_work+0x856/0x1620
      [  564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  564.033563]  ? find_held_lock+0x39/0x1d0
      [  564.033567]  ? drain_workqueue+0x380/0x380
      [  564.033574]  worker_thread+0x87/0xb80
      [  564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  564.118042]  ? __kthread_parkme+0xb6/0x180
      [  564.118046]  ? process_one_work+0x1620/0x1620
      [  564.118048]  kthread+0x326/0x3e0
      [  564.118050]  ? kthread_create_worker_on_cpu+0xc0/0xc0
      [  564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  564.252441]  ret_from_fork+0x3a/0x50
      [  564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
      [  564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
      [  564.348360] CR2: 000000000000001c
      [  564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
      
      Therefore, it is not enough to only check whether c->gc_thread is NULL,
      we should use IS_ERR_OR_NULL() to check both NULL pointer and error
      value.
      
      This patch changes the above buggy code piece in this way,
               if (!IS_ERR_OR_NULL(c->gc_thread))
                       kthread_stop(c->gc_thread);
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2d1169fe
    • Coly Li's avatar
      bcache: acquire bch_register_lock later in cached_dev_free() · 02d4c4ba
      Coly Li authored
      [ Upstream commit 80265d8d ]
      
      When enable lockdep engine, a lockdep warning can be observed when
      reboot or shutdown system,
      
      [ 3142.764557][    T1] bcache: bcache_reboot() Stopping all devices:
      [ 3142.776265][ T2649]
      [ 3142.777159][ T2649] ======================================================
      [ 3142.780039][ T2649] WARNING: possible circular locking dependency detected
      [ 3142.782869][ T2649] 5.2.0-rc4-lp151.20-default+ #1 Tainted: G        W
      [ 3142.785684][ T2649] ------------------------------------------------------
      [ 3142.788479][ T2649] kworker/3:67/2649 is trying to acquire lock:
      [ 3142.790738][ T2649] 00000000aaf02291 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
      [ 3142.794678][ T2649]
      [ 3142.794678][ T2649] but task is already holding lock:
      [ 3142.797402][ T2649] 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
      [ 3142.801462][ T2649]
      [ 3142.801462][ T2649] which lock already depends on the new lock.
      [ 3142.801462][ T2649]
      [ 3142.805277][ T2649]
      [ 3142.805277][ T2649] the existing dependency chain (in reverse order) is:
      [ 3142.808902][ T2649]
      [ 3142.808902][ T2649] -> #2 (&bch_register_lock){+.+.}:
      [ 3142.812396][ T2649]        __mutex_lock+0x7a/0x9d0
      [ 3142.814184][ T2649]        cached_dev_free+0x17/0x120 [bcache]
      [ 3142.816415][ T2649]        process_one_work+0x2a4/0x640
      [ 3142.818413][ T2649]        worker_thread+0x39/0x3f0
      [ 3142.820276][ T2649]        kthread+0x125/0x140
      [ 3142.822061][ T2649]        ret_from_fork+0x3a/0x50
      [ 3142.823965][ T2649]
      [ 3142.823965][ T2649] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
      [ 3142.827244][ T2649]        process_one_work+0x277/0x640
      [ 3142.829160][ T2649]        worker_thread+0x39/0x3f0
      [ 3142.830958][ T2649]        kthread+0x125/0x140
      [ 3142.832674][ T2649]        ret_from_fork+0x3a/0x50
      [ 3142.834915][ T2649]
      [ 3142.834915][ T2649] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
      [ 3142.838121][ T2649]        lock_acquire+0xb4/0x1c0
      [ 3142.840025][ T2649]        flush_workqueue+0xae/0x4c0
      [ 3142.842035][ T2649]        drain_workqueue+0xa9/0x180
      [ 3142.844042][ T2649]        destroy_workqueue+0x17/0x250
      [ 3142.846142][ T2649]        cached_dev_free+0x52/0x120 [bcache]
      [ 3142.848530][ T2649]        process_one_work+0x2a4/0x640
      [ 3142.850663][ T2649]        worker_thread+0x39/0x3f0
      [ 3142.852464][ T2649]        kthread+0x125/0x140
      [ 3142.854106][ T2649]        ret_from_fork+0x3a/0x50
      [ 3142.855880][ T2649]
      [ 3142.855880][ T2649] other info that might help us debug this:
      [ 3142.855880][ T2649]
      [ 3142.859663][ T2649] Chain exists of:
      [ 3142.859663][ T2649]   (wq_completion)bcache_writeback_wq --> (work_completion)(&cl->work)#2 --> &bch_register_lock
      [ 3142.859663][ T2649]
      [ 3142.865424][ T2649]  Possible unsafe locking scenario:
      [ 3142.865424][ T2649]
      [ 3142.868022][ T2649]        CPU0                    CPU1
      [ 3142.869885][ T2649]        ----                    ----
      [ 3142.871751][ T2649]   lock(&bch_register_lock);
      [ 3142.873379][ T2649]                                lock((work_completion)(&cl->work)#2);
      [ 3142.876399][ T2649]                                lock(&bch_register_lock);
      [ 3142.879727][ T2649]   lock((wq_completion)bcache_writeback_wq);
      [ 3142.882064][ T2649]
      [ 3142.882064][ T2649]  *** DEADLOCK ***
      [ 3142.882064][ T2649]
      [ 3142.885060][ T2649] 3 locks held by kworker/3:67/2649:
      [ 3142.887245][ T2649]  #0: 00000000e774cdd0 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
      [ 3142.890815][ T2649]  #1: 00000000f7df89da ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
      [ 3142.894884][ T2649]  #2: 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
      [ 3142.898797][ T2649]
      [ 3142.898797][ T2649] stack backtrace:
      [ 3142.900961][ T2649] CPU: 3 PID: 2649 Comm: kworker/3:67 Tainted: G        W         5.2.0-rc4-lp151.20-default+ #1
      [ 3142.904789][ T2649] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
      [ 3142.909168][ T2649] Workqueue: events cached_dev_free [bcache]
      [ 3142.911422][ T2649] Call Trace:
      [ 3142.912656][ T2649]  dump_stack+0x85/0xcb
      [ 3142.914181][ T2649]  print_circular_bug+0x19a/0x1f0
      [ 3142.916193][ T2649]  __lock_acquire+0x16cd/0x1850
      [ 3142.917936][ T2649]  ? __lock_acquire+0x6a8/0x1850
      [ 3142.919704][ T2649]  ? lock_acquire+0xb4/0x1c0
      [ 3142.921335][ T2649]  ? find_held_lock+0x34/0xa0
      [ 3142.923052][ T2649]  lock_acquire+0xb4/0x1c0
      [ 3142.924635][ T2649]  ? flush_workqueue+0x87/0x4c0
      [ 3142.926375][ T2649]  flush_workqueue+0xae/0x4c0
      [ 3142.928047][ T2649]  ? flush_workqueue+0x87/0x4c0
      [ 3142.929824][ T2649]  ? drain_workqueue+0xa9/0x180
      [ 3142.931686][ T2649]  drain_workqueue+0xa9/0x180
      [ 3142.933534][ T2649]  destroy_workqueue+0x17/0x250
      [ 3142.935787][ T2649]  cached_dev_free+0x52/0x120 [bcache]
      [ 3142.937795][ T2649]  process_one_work+0x2a4/0x640
      [ 3142.939803][ T2649]  worker_thread+0x39/0x3f0
      [ 3142.941487][ T2649]  ? process_one_work+0x640/0x640
      [ 3142.943389][ T2649]  kthread+0x125/0x140
      [ 3142.944894][ T2649]  ? kthread_create_worker_on_cpu+0x70/0x70
      [ 3142.947744][ T2649]  ret_from_fork+0x3a/0x50
      [ 3142.970358][ T2649] bcache: bcache_device_free() bcache0 stopped
      
      Here is how the deadlock happens.
      1) bcache_reboot() calls bcache_device_stop(), then inside
         bcache_device_stop() BCACHE_DEV_CLOSING bit is set on d->flags.
         Then closure_queue(&d->cl) is called to invoke cached_dev_flush().
      2) In cached_dev_flush(), cached_dev_free() is called by continu_at().
      3) In cached_dev_free(), when stopping the writeback kthread of the
         cached device by kthread_stop(), dc->writeback_thread will be waken
         up to quite the kthread while-loop, then cached_dev_put() is called
         in bch_writeback_thread().
      4) Calling cached_dev_put() in writeback kthread may drop dc->count to
         0, then dc->detach kworker is scheduled, which is initialized as
         cached_dev_detach_finish().
      5) Inside cached_dev_detach_finish(), the last line of code is to call
         closure_put(&dc->disk.cl), which drops the last reference counter of
         closrure dc->disk.cl, then the callback cached_dev_flush() gets
         called.
      Now cached_dev_flush() is called for second time in the code path, the
      first time is in step 2). And again bch_register_lock will be acquired
      again, and a A-A lock (lockdep terminology) is happening.
      
      The root cause of the above A-A lock is in cached_dev_free(), mutex
      bch_register_lock is held before stopping writeback kthread and other
      kworkers. Fortunately now we have variable 'bcache_is_reboot', which may
      prevent device registration or unregistration during reboot/shutdown
      time, so it is unncessary to hold bch_register_lock such early now.
      
      This is how this patch fixes the reboot/shutdown time A-A lock issue:
      After moving mutex_lock(&bch_register_lock) to a later location where
      before atomic_read(&dc->running) in cached_dev_free(), such A-A lock
      problem can be solved without any reboot time registration race.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      02d4c4ba
    • Coly Li's avatar
      bcache: check CACHE_SET_IO_DISABLE bit in bch_journal() · 7afcee10
      Coly Li authored
      [ Upstream commit 383ff218 ]
      
      When too many I/O errors happen on cache set and CACHE_SET_IO_DISABLE
      bit is set, bch_journal() may continue to work because the journaling
      bkey might be still in write set yet. The caller of bch_journal() may
      believe the journal still work but the truth is in-memory journal write
      set won't be written into cache device any more. This behavior may
      introduce potential inconsistent metadata status.
      
      This patch checks CACHE_SET_IO_DISABLE bit at the head of bch_journal(),
      if the bit is set, bch_journal() returns NULL immediately to notice
      caller to know journal does not work.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7afcee10
    • Coly Li's avatar
      bcache: check CACHE_SET_IO_DISABLE in allocator code · 2e99386f
      Coly Li authored
      [ Upstream commit e775339e ]
      
      If CACHE_SET_IO_DISABLE of a cache set flag is set by too many I/O
      errors, currently allocator routines can still continue allocate
      space which may introduce inconsistent metadata state.
      
      This patch checkes CACHE_SET_IO_DISABLE bit in following allocator
      routines,
      - bch_bucket_alloc()
      - __bch_bucket_alloc_set()
      Once CACHE_SET_IO_DISABLE is set on cache set, the allocator routines
      may reject allocation request earlier to avoid potential inconsistent
      metadata.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2e99386f
    • Eiichi Tsukata's avatar
      EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec · 6a512abe
      Eiichi Tsukata authored
      [ Upstream commit d8655e76 ]
      
      Commit 9da21b15 ("EDAC: Poll timeout cannot be zero, p2") assumes
      edac_mc_poll_msec to be unsigned long, but the type of the variable still
      remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds
      write.
      
      Reproducer:
      
        # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec
      
      KASAN report:
      
        BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150
        Write of size 8 at addr ffffffffb91b2d00 by task bash/1996
      
        CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
        Call Trace:
         dump_stack+0xca/0x13e
         print_address_description.cold+0x5/0x246
         __kasan_report.cold+0x75/0x9a
         ? edac_set_poll_msec+0x140/0x150
         kasan_report+0xe/0x20
         edac_set_poll_msec+0x140/0x150
         ? dimmdev_location_show+0x30/0x30
         ? vfs_lock_file+0xe0/0xe0
         ? _raw_spin_lock+0x87/0xe0
         param_attr_store+0x1b5/0x310
         ? param_array_set+0x4f0/0x4f0
         module_attr_store+0x58/0x80
         ? module_attr_show+0x80/0x80
         sysfs_kf_write+0x13d/0x1a0
         kernfs_fop_write+0x2bc/0x460
         ? sysfs_kf_bin_read+0x270/0x270
         ? kernfs_notify+0x1f0/0x1f0
         __vfs_write+0x81/0x100
         vfs_write+0x1e1/0x560
         ksys_write+0x126/0x250
         ? __ia32_sys_read+0xb0/0xb0
         ? do_syscall_64+0x1f/0x390
         do_syscall_64+0xc1/0x390
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7fa7caa5e970
        Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04
        RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
        RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970
        RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001
        RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700
        R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005
        R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005
      
        The buggy address belongs to the variable:
         edac_mc_poll_msec+0x0/0x40
      
        Memory state around the buggy address:
         ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
         ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
        >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
                           ^
         ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
         ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Fix it by changing the type of edac_mc_poll_msec to unsigned int.
      The reason why this patch adopts unsigned int rather than unsigned long
      is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid
      integer conversion bugs and unsigned int will be large enough for
      edac_mc_poll_msec.
      Reviewed-by: default avatarJames Morse <james.morse@arm.com>
      Fixes: 9da21b15 ("EDAC: Poll timeout cannot be zero, p2")
      Signed-off-by: default avatarEiichi Tsukata <devel@etsukata.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6a512abe
    • Ahmad Masri's avatar
      wil6210: drop old event after wmi_call timeout · 12058bfa
      Ahmad Masri authored
      [ Upstream commit 1a276003 ]
      
      This change fixes a rare race condition of handling WMI events after
      wmi_call expires.
      
      wmi_recv_cmd immediately handles an event when reply_buf is defined and
      a wmi_call is waiting for the event.
      However, in case the wmi_call has already timed-out, there will be no
      waiting/running wmi_call and the event will be queued in WMI queue and
      will be handled later in wmi_event_handle.
      Meanwhile, a new similar wmi_call for the same command and event may
      be issued. In this case, when handling the queued event we got WARN_ON
      printed.
      
      Fixing this case as a valid timeout and drop the unexpected event.
      Signed-off-by: default avatarAhmad Masri <amasri@codeaurora.org>
      Signed-off-by: default avatarMaya Erez <merez@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      12058bfa
    • Zefir Kurtisi's avatar
      ath9k: correctly handle short radar pulses · 9ef7f897
      Zefir Kurtisi authored
      [ Upstream commit df5c4150 ]
      
      In commit 3c0efb74 ("ath9k: discard undersized packets")
      the lower bound of RX packets was set to 10 (min ACK size) to
      filter those that would otherwise be treated as invalid at
      mac80211.
      
      Alas, short radar pulses are reported as PHY_ERROR frames
      with length set to 3. Therefore their detection stopped
      working after that commit.
      
      NOTE: ath9k drivers built thereafter will not pass DFS
      certification.
      
      This extends the criteria for short packets to explicitly
      handle PHY_ERROR frames.
      
      Fixes: 3c0efb74 ("ath9k: discard undersized packets")
      Signed-off-by: default avatarZefir Kurtisi <zefir.kurtisi@neratec.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9ef7f897
    • Arnd Bergmann's avatar
      crypto: asymmetric_keys - select CRYPTO_HASH where needed · 58093426
      Arnd Bergmann authored
      [ Upstream commit 90acc065 ]
      
      Build testing with some core crypto options disabled revealed
      a few modules that are missing CRYPTO_HASH:
      
      crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params':
      x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash'
      x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest'
      crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0':
      pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash'
      pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest'
      pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update'
      pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup'
      
      This normally doesn't show up in randconfig tests because there is
      a large number of other options that select CRYPTO_HASH.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      58093426
    • Arnd Bergmann's avatar
      crypto: serpent - mark __serpent_setkey_sbox noinline · 34bfba9d
      Arnd Bergmann authored
      [ Upstream commit 47397118 ]
      
      The same bug that gcc hit in the past is apparently now showing
      up with clang, which decides to inline __serpent_setkey_sbox:
      
      crypto/serpent_generic.c:268:5: error: stack frame size of 2112 bytes in function '__serpent_setkey' [-Werror,-Wframe-larger-than=]
      
      Marking it 'noinline' reduces the stack usage from 2112 bytes to
      192 and 96 bytes, respectively, and seems to generate more
      useful object code.
      
      Fixes: c871c10e ("crypto: serpent - improve __serpent_setkey with UBSAN")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarEric Biggers <ebiggers@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34bfba9d
    • Mauro S. M. Rodrigues's avatar
      ixgbe: Check DDM existence in transceiver before access · 53b3ba90
      Mauro S. M. Rodrigues authored
      [ Upstream commit 655c9141 ]
      
      Some transceivers may comply with SFF-8472 but not implement the Digital
      Diagnostic Monitoring (DDM) interface described in it. The existence of
      such area is specified by bit 6 of byte 92, set to 1 if implemented.
      
      Currently, due to not checking this bit ixgbe fails trying to read SFP
      module's eeprom with the follow message:
      
      ethtool -m enP51p1s0f0
      Cannot get Module EEPROM data: Input/output error
      
      Because it fails to read the additional 256 bytes in which it was assumed
      to exist the DDM data.
      
      This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom
      data was confirmed by Mellanox as correct and present in other Passive
      DACs in from other manufacturers.
      Signed-off-by: default avatar"Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
      Reviewed-by: default avatarJesse Brandeburg <jesse.brandeburg@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      53b3ba90