1. 30 May, 2018 40 commits
    • watchdog: aspeed: Fix translation of reset mode to ctrl register · b5c7dedc
      Milton Miller authored
      [ Upstream commit d2fc8db6 ]
      
      Assert RESET_SYSTEM bit for any reset and set MODE field from reset
      type.
      
      The watchdog control register has a RESET_SYSTEM bit that is really
      closer to activate a reset, and RESET_SYSTEM_MODE field that chooses
      how much to reset.
      
      Before this patch, a node without these optional properties would do a
      SOC reset, but a node with properties requesting a cpu or SOC reset
      would do nothing and a node requesting a system reset would do a
      SOC reset.
      
      Fixes: b7f0b8ad ("drivers/watchdog: ASPEED reference dev tree properties for config")
      Signed-off-by: Milton Miller <miltonm@us.ibm.com>
      Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • watchdog: dw: RMW the control register · e2906fc8
      Brian Norris authored
      [ Upstream commit a81abbb4 ]
      
      RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length
      of pulse to issue for system reset. We shouldn't clobber this value,
      because that might make the system reset ineffective. On RK3399, we're
      seeing that a value of 000b (meaning 2 cycles) yields an unreliable
      (partial?) reset, and so we only fully reset after the watchdog fires a
      second time. If we retain the system default (010b, or 8 clock cycles),
      then the watchdog reset is much more reliable.
      
      Read-modify-write retains the system value and improves reset
      reliability.
      
      It seems we were intentionally clobbering the response mode previously,
      to ensure we performed a system reset (we don't support an interrupt
      notification), so retain that explicitly.
      Signed-off-by: Brian Norris <briannorris@chromium.org>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: Restore config space on runtime resume despite being unbound · e2b3fa0c
      Rafael J. Wysocki authored
      [ Upstream commit 5775b843 ]
      
      We leave PCI devices not bound to a driver in D0 during runtime suspend.
      But they may have a parent which is bound and can be transitioned to
      D3cold at runtime.  Once the parent goes to D3cold, the unbound child
      may go to D3cold as well.  When the child goes to D3cold, its internal
      state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
      
      One example are recent hybrid graphics laptops which cut power to the
      discrete GPU when the root port above it goes to ACPI power state D3.
      Users may provoke this by unbinding the GPU driver and allowing runtime
      PM on the GPU via sysfs:  The PM core will then treat the GPU as
      "suspended", which in turn allows the root port to runtime suspend,
      causing the power resources listed in its _PR3 object to be powered off.
      The GPU's BARs will be uninitialized when a driver later probes it.
      
      Another example are hybrid graphics laptops where the GPU itself (rather
      than the root port) is capable of runtime suspending to D3cold.  If the
      GPU's integrated HDA controller is not bound and the GPU's driver
      decides to runtime suspend to D3cold, the HDA controller's BARs will be
      uninitialized when a driver later probes it.
      
      Fix by saving and restoring config space over a runtime suspend cycle
      even if the device is not bound.
      Acked-by: Bjorn Helgaas <bhelgaas@google.com>
      Tested-by: Peter Wu <peter@lekensteyn.nl>              # Nvidia Optimus
      Tested-by: Lukas Wunner <lukas@wunner.de>              # MacBook Pro
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      [lukas: add commit message, bikeshed code comments for clarity]
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset · 12c663e4
      Mathias Kresin authored
      [ Upstream commit 05454c1b ]
      
      According to the QCA u-boot source the "PCIE Phase Lock Loop
      Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
      QCA955X and QCA956X at offset 0x10.
      
      Since the PCIE PLL config register is only defined for the AR724x, fix
      only this value. The value has been wrong since the day it was added and
      isn't used by any driver yet.
      Signed-off-by: Mathias Kresin <dev@kresin.me>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16048/
      Signed-off-by: James Hogan <jhogan@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/smc: pay attention to MAX_ORDER for CQ entries · 2a0bc4ad
      Ursula Braun authored
      [ Upstream commit c9f4c6cf ]
      
      smc allocates a certain number of CQ entries for used RoCE devices. For
      mlx5 devices the chosen constant number results in a large allocation
      causing this warning:
      
      [13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0
      [13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc]
      [13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G           O    4.14.0uschi #1
      [13355.124673] Hardware name: IBM 3906 M04 704 (LPAR)
      [13355.124675] Workqueue: events smc_listen_work [smc]
      [13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000
      [13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0)
      [13355.124681]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
      [13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001
      [13355.124684]            000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0
      [13355.124685]            0000000000000009 00000000ec277a00 0000000000200000 0000000000000000
      [13355.124686]            0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720
      [13355.124708] Krnl Code: 000000000029da6a: a7110200		tmll	%r1,512
                                000000000029da6e: a774ff29		brc	7,29d8c0
                               #000000000029da72: a7f40001		brc	15,29da74
                               >000000000029da76: a7f4ff25		brc	15,29d8c0
                                000000000029da7a: a7380000		lhi	%r3,0
                                000000000029da7e: a7f4fef1		brc	15,29d860
                                000000000029da82: 5820f0c4		l	%r2,196(%r15)
                                000000000029da86: a53e0048		llilh	%r3,72
      [13355.124720] Call Trace:
      [13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0)
      [13355.124724]  [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148
      [13355.124733]  [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core]
      [13355.124740]  [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core]
      [13355.124744]  [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib]
      [13355.124749]  [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core]
      [13355.124751]  [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc]
      [13355.124753]  [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc]
      [13355.124755]  [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc]
      [13355.124756]  [<0000000000162c66>] process_one_work+0x1be/0x440
      [13355.124758]  [<0000000000162f40>] worker_thread+0x58/0x458
      [13355.124759]  [<0000000000169e7e>] kthread+0x14e/0x168
      [13355.124760]  [<00000000009ce8be>] kernel_thread_starter+0x6/0xc
      [13355.124762]  [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc
      [13355.124762] Last Breaking-Event-Address:
      [13355.124764]  [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0
      [13355.124764] ---[ end trace 34be38b581c0b585 ]---
      
      This patch reduces the smc constant for the maximum number of allocated
      completion queue entries SMC_MAX_CQE by 2 to avoid high round up values
      in the mlx5 code, and reduces the number of allocated completion queue
      entries even more, if the final allocation for an mlx5 device hits the
      MAX_ORDER limit.
      Reported-by: Ihnken Menssen <menssen@de.ibm.com>
      Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • spi: bcm-qspi: Fix some error handling paths · 289e6fa3
      Christophe Jaillet authored
      [ Upstream commit bc3cc752 ]
      
      For some reason, commit c0368e4d ("spi: bcm-qspi: Fix use after free
      in bcm_qspi_probe() in error path") has updated some gotos, but not all of
      them.
      
      This looks spurious, so fix it.
      
      Fixes: fa236a7e ("spi: bcm-qspi: Add Broadcom MSPI driver")
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' · 1fae5e92
      Christophe Jaillet authored
      [ Upstream commit ed8cffda ]
      
      Re-order error handling code and gotos to avoid leaks in error handling
      paths.
      
      Fixes: 9f946099 ("regulator: gpio: fix parsing of gpio list")
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • coresight: Use %px to print pcsr instead of %p · 9fe2e97e
      Leo Yan authored
      [ Upstream commit 831c326f ]
      
      Commit ad67b74d ("printk: hash addresses printed with %p") makes the
      printk specifier %p hash all addresses before printing; this
      resulted in the high 32 bits of pcsr only being output as zeros.  So
      the module cannot completely print the pc value, and it's pointless for
      debugging purposes.
      
      This patch fixes this by using %px to print pcsr instead.
      
      Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: Leo Yan <leo.yan@linaro.org>
      Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • drm/amdkfd: add missing include of mm.h · 12b29e1c
      Oded Gabbay authored
      [ Upstream commit 7420f482 ]
      
      This patch fixes kernel build in ARCH=frv
      Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • IB/core: Honor port_num while resolving GID for IB link layer · 739c8e70
      Parav Pandit authored
      [ Upstream commit 563c4ba3 ]
      
      ah_attr contains the port number to which cm_id is bound. However, while
      searching for GID table for matching GID entry, the port number is
      ignored.
      
      This could cause the wrong GID to be used when the ah_attr is converted to
      an AH.
      Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
      Signed-off-by: Parav Pandit <parav@mellanox.com>
      Signed-off-by: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • perf stat: Fix core dump when flag T is used · 7166fb17
      Thomas Richter authored
      [ Upstream commit fca32340 ]
      
      Executing command 'perf stat -T -- ls' dumps core on x86 and s390.
      
      Here is the call back chain (done on x86):
      
       # gdb ./perf
       ....
       (gdb) r stat -T -- ls
      ...
      Program received signal SIGSEGV, Segmentation fault.
      0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
      (gdb) where
       #0  0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6
       #1  0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6
       #2  0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580,
          list=0xbfb970, name=0xbf3ef0 "cpu",
          head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233
       #3  0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580,
          list=0xbfb970, name=0xbf3ef0 "cpu",
          head_config=0xbfb930) at util/parse-events.c:1288
       #4  0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580,
          scanner=0xbf4210) at util/parse-events.y:234
       #5  0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0
          "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}",
          parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673
       #6  0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0
          "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0)
          at util/parse-events.c:1713
       #7  0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281
       #8  0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at
          builtin-stat.c:2828
       #9  0x00000000004c8b0f in run_builtin (p=0xab01a0 <commands+288>, argc=4,
          argv=0x7fffffffe3b0) at perf.c:297
       #10 0x00000000004c8d7c in handle_internal_command (argc=4,
          argv=0x7fffffffe3b0) at perf.c:349
       #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c,
         argv=0x7fffffffe200) at perf.c:393
       #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537
      (gdb)
      
      It turns out that a NULL pointer is referenced. Here are the
      function calls:
      
        ...
        cmd_stat()
        +---> add_default_attributes()
      	+---> parse_events(evsel_list, transaction_attrs, NULL);
      	             3rd parameter set to NULL
      
      Function parse_events(xx, xx, struct parse_events_error *err) dives
      into a bison generated scanner and creates
      parser state information for it first:
      
         struct parse_events_state parse_state = {
                      .list   = LIST_HEAD_INIT(parse_state.list),
                      .idx    = evlist->nr_entries,
                      .error  = err,   <--- NULL POINTER !!!
                      .evlist = evlist,
              };
      
      Now various functions inside the bison scanner are called to end up in
      __parse_events_add_pmu(struct parse_events_state *parse_state, ..) with
      first parameter being a pointer to above structure definition.
      
      Now the PMU event name is not found (because being executed in a VM) and
      this function tries to create an error message with
      
         asprintf(&parse_state->error.str, ....)
      
      which references a NULL pointer and dumps core.
      
      Fix this by providing a pointer to the necessary error information
      instead of NULL. Technically only the else part is needed to avoid the
      core dump, just let's be safe...
      Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • perf top: Fix top.call-graph config option reading · 8cde0897
      Yisheng Xie authored
      [ Upstream commit a3a4a3b3 ]
      
      When trying to add the "call-graph" variable for top into the
      .perfconfig file, like:
      
            [top]
                  call-graph = fp
      
      I found that perf_top_config() does not parse this variable.
      
      Fix it by calling perf_default_config() when the top.call-graph variable
      is set.
      Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
      Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Wang Nan <wangnan0@huawei.com>
      Fixes: b8cbb349 ("perf config: Bring perf_default_config to the very beginning at main()")
      Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use · 25b69a42
      Vitaly Kuznetsov authored
      [ Upstream commit 0bcc3fb9 ]
      
      Devices which use level-triggered interrupts under Windows 2016 with
      Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
      unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
      version which has no EOI register so EOI never happens.
      
      The issue was discovered and discussed a while ago:
      https://www.spinics.net/lists/kvm/msg148098.html
      
      While this is a guest OS bug (it should check that IOAPIC has the required
      capabilities before disabling EOI broadcast) we can workaround it in KVM:
      advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • i2c: mv64xxx: Apply errata delay only in standard mode · 982f8f14
      Gregory CLEMENT authored
      [ Upstream commit 31184d8c ]
      
      The errata FE-8471889 description has been updated. There is still a
      timing violation for repeated start. But the errata now states that it
      was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
      there is no issue.
      
      This patch limits the errata fix to the Standard mode.
      
      It has been tested successfully on the clearfog (Armada 388 based board).
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cxgb4: Fix queue free path of ULD drivers · 8d1b1e79
      Arjun Vynipadath authored
      [ Upstream commit d7cb4449 ]
      
      Setting sge_uld_rxq_info to NULL in free_queues_uld().
      We are referencing sge_uld_rxq_info in cxgb_up(). This
      will fix a panic when interface is brought up after a
      ULDq creation failure.
      
      Fixes: 94cdb8bb (cxgb4: Add support for dynamic allocation
             of resources for ULD)
      Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Ganesh Goudhar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c · 1d1646c4
      Seunghun Han authored
      [ Upstream commit 97f3c0a4 ]
      
      I found an ACPI cache leak in ACPI early termination and boot continuing case.
      
      When early termination occurs due to malicious ACPI table, Linux kernel
      terminates ACPI function and continues to boot process. While kernel terminates
      ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
      
      Boot log of ACPI operand cache leak is as follows:
      >[    0.464168] ACPI: Added _OSI(Module Device)
      >[    0.467022] ACPI: Added _OSI(Processor Device)
      >[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
      >[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
      >[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.497683] ACPI: Interpreter enabled
      >[    0.499385] ACPI: (supports S0)
      >[    0.501151] ACPI: Using IOAPIC for interrupt routing
      >[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
      >[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
      >[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
      >[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
      >[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
      >[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
      >[    0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
      >[    0.529668] Call Trace:
      >[    0.530811]  ? dump_stack+0x5c/0x81
      >[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
      >[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
      >[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
      >[    0.537237]  ? acpi_terminate+0xa/0x14
      >[    0.538701]  ? acpi_init+0x2af/0x34f
      >[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
      >[    0.541593]  ? do_one_initcall+0x4e/0x1a0
      >[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
      >[    0.546202]  ? rest_init+0x80/0x80
      >[    0.547513]  ? kernel_init+0xa/0x100
      >[    0.548817]  ? ret_from_fork+0x25/0x30
      >[    0.550587] vgaarb: loaded
      >[    0.551716] EDAC MC: Ver: 3.0.0
      >[    0.553744] PCI: Probing PCI hardware
      >[    0.555038] PCI host bridge to bus 0000:00
      > ... Continue to boot and log is omitted ...
      
      I analyzed this memory leak in detail and found acpi_ns_evaluate() function
      only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
      occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
      also not null. Therefore, this causes acpi operand memory leak.
      
      This cache leak causes a security threat because an old kernel (<= 4.9) shows
      memory locations of kernel functions in stack dump. Some malicious users
      could use this information to neutralize kernel ASLR.
      
      I made a patch to fix ACPI operand cache leak.
      Signed-off-by: Seunghun Han <kkamagui@gmail.com>
      Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ACPICA: Fix memory leak on unusual memory leak · c827ed01
      Bob Moore authored
      [ Upstream commit 1c29c372 ]
      
      Fixes a single-object memory leak on a store-to-reference method
      invocation. ACPICA BZ 1439.
      Signed-off-by: Bob Moore <robert.moore@intel.com>
      Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ACPICA: Events: add a return on failure from acpi_hw_register_read · bf9b263b
      Erik Schmauss authored
      [ Upstream commit b4c0de31 ]
      
      This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
      and fixed_enable as uninitialized variables.
      Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • dt-bindings: add device tree binding for Allwinner H6 main CCU · 601ae35b
      Icenowy Zheng authored
      [ Upstream commit 2e08e4d2 ]
      
      The Allwinner H6 main CCU uses the internal oscillator of the SoC, which
      is different from old SoCs' main CCU.
      
      Add device tree binding for the Allwinner H6 main CCU.
      Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
      Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()' · 35a4f782
      Christophe JAILLET authored
      [ Upstream commit de6f83f8 ]
      
      If 'of_device_get_match_data()' fails, we must undo the previous
      'rproc_alloc()' call.
      
      Fixes: a0ff4aa6 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set · 4a092479
      Coly Li authored
      [ Upstream commit fadd94e0 ]
      
      In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
      cached_dev_get() is called when creating dc->writeback_thread, and
      cached_dev_put() is called when exiting dc->writeback_thread. This
      modification works well unless people detach the bcache device manually by
          'echo 1 > /sys/block/bcache<N>/bcache/detach'
      Because this sysfs interface only calls bch_cached_dev_detach() which wakes
      up dc->writeback_thread but does not stop it. The reason is, before patch
      "bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
      bch_writeback_thread(), if cache is not dirty after writeback,
      cached_dev_put() will be called here. And in cached_dev_make_request() when
      a new write request makes cache from clean to dirty, cached_dev_get() will
      be called there. Since we don't operate dc->count in these locations,
      refcount d->count cannot be dropped after cache becomes clean, and
      cached_dev_detach_finish() won't be called to detach bcache device.
      
      This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
      set inside bch_writeback_thread(). If this bit is set and cache is clean
      (no existing writeback_keys), break the while-loop, call cached_dev_put()
      and quit the writeback thread.
      
      Please note if cache is still dirty, even if BCACHE_DEV_DETACHING is set the
      writeback thread should continue to perform writeback; this is the original
      design of manual detach.
      
      It is safe to do the following check without locking, let me explain why,
      +	if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
      +	    (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
      
      If the kernel thread does not sleep and continue to run due to conditions
      are not updated in time on the running CPU core, it just consumes more CPU
      cycles and has no hurt. This should-sleep-but-run is safe here. We just
      focus on the should-run-but-sleep condition, which means the writeback
      thread goes to sleep in mistake while it should continue to run.
      1, First of all, no matter the writeback thread is hung or not,
         kthread_stop() from cached_dev_detach_finish() will wake up it and
         terminate by making kthread_should_stop() return true. And in normal
         run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
         condition
      	!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
         is always true and can be ignored as constant value.
      2, If one of the following conditions is true, the writeback thread should
         go to sleep,
         "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
         each of them independently controls the writeback thread should sleep or
         not, let's analyse them one by one.
      2.1 condition "!atomic_read(&dc->has_dirty)"
         If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
         call bch_writeback_queue() immediately or call bch_writeback_add() which
         indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
         wake_up_process(dc->writeback_thread) is called. It sets writeback
         thread's task state to TASK_RUNNING and following an implicit memory
         barrier, then tries to wake up the writeback thread.
         In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
         doing the condition check. If other CPU core sets the TASK_RUNNING state
         after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
         will be scheduled to run very soon because its state is not
         TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
         writeback thread setting TASK_INTERRUPTIBLE, the implicit memory barrier
         of wake_up_process() will make sure modification of dc->has_dirty on
         other CPU core is updated and observed on the CPU core of writeback
         thread. Therefore the condition check will correctly be false, and
         continue writeback code without sleeping.
      2.2 condition "!dc->writeback_running)"
         dc->writeback_running can be changed via sysfs file, every time it is
         modified, a following bch_writeback_queue() is always called. So the
         change is always observed on the CPU core of writeback thread. If
         dc->writeback_running is changed from 0 to 1 on other CPU core, this
         condition check will observe the modification and allow writeback
         thread to continue to run without sleeping.
      Now we can see, even without a locking protection, multiple conditions
      check is safe here, no deadlock or process hang up will happen.
      
      I compose a separate patch because that patch "bcache: fix cached_dev->count
      usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
      Reinecke. Also this fix is not trivial and good for a separate patch.
      Signed-off-by: Coly Li <colyli@suse.de>
      Reviewed-by: Michael Lyle <mlyle@lyle.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Huijun Tang <tang.junhui@zte.com.cn>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • zorro: Set up z->dev.dma_mask for the DMA API · 590e13a6
      Michael Schmitz authored
      [ Upstream commit 55496d3f ]
      
      The generic DMA API uses dev->dma_mask to check the DMA addressable
      memory bitmask, and warns if no mask is set or even allocated.
      
      Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
      to point to z->dev.dma_coherent_mask so device drivers that need DMA have
      everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
      still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
      Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
      [geert: Handle Zorro II with 24-bit address space]
      Acked-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • IB/mlx5: Set the default active rate and width to QDR and 4X · 5e8f4ec7
      Honggang Li authored
      [ Upstream commit 7672ed33 ]
      
      Before commit f1b65df5 ("IB/mlx5: Add support for active_width and
      active_speed in RoCE"), the mlx5_ib driver set the default active_width
      and active_speed to IB_WIDTH_4X and IB_SPEED_QDR.
      
      When the RoCE port is down, the RoCE port does not negotiate the active
      width with the remote side, causing the active width to be zero. When
      running userspace ibstat to view the port status, ibstat will panic as it
      reads an invalid width from sys file.
      
      This patch restores the original behavior.
      
      Fixes: f1b65df5 ("IB/mlx5: Add support for active_width and active_speed in RoCE").
      Signed-off-by: Honggang Li <honli@redhat.com>
      Reviewed-by: Hal Rosenstock <hal@mellanox.com>
      Reviewed-by: Noa Osherovich <noaos@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path · 4a8b1c46
      Chunyu Hu authored
      [ Upstream commit 55b55abc ]
      
      Kmemleak reported the below leak. When cppc_cpufreq_init went into
      failure path, the cpu mask is not freed. After fix, this report is
      gone. And to avoid potential NULL pointer reference, check the cpu
      value first.
      
      unreferenced object 0xffff800fd5ea4880 (size 128):
        comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s)
        hex dump (first 32 bytes):
          00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00  .... ...........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffff0000082c4ae4>] __kmalloc_node+0x278/0x634
          [<ffff0000088f4a74>] alloc_cpumask_var_node+0x28/0x60
          [<ffff0000088f4af0>] zalloc_cpumask_var+0x14/0x1c
          [<ffff000008d20254>] cppc_cpufreq_init+0xd0/0x19c
          [<ffff000008083828>] do_one_initcall+0xec/0x15c
          [<ffff000008cd1018>] kernel_init_freeable+0x1f4/0x2a4
          [<ffff0000089099b0>] kernel_init+0x18/0x10c
          [<ffff000008084d50>] ret_from_fork+0x10/0x18
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: Chunyu Hu <chuhu@redhat.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/mediatek: Fix protect memory setting · f69b5296
      Yong Wu authored
      [ Upstream commit 70ca608b ]
      
      In MediaTek's IOMMU design, when an IOMMU translation fault occurs
      (HW can NOT translate the destination address to a valid physical
      address), the IOMMU HW outputs the dirty data into a special memory
      to avoid corrupting the main memory; this is called "protect memory".
      The register (0x114) for protect memory is a little different between
      mt8173 and mt2712.
      
      In the mt8173, bit[30:6] in the register represents [31:7] of the
      physical address. In the 4GB mode, the register bit[31] should be 1.
      While in the mt2712, the bits don't shift. bit[31:7] in the register
      represents [31:7] in the physical address, and bit[1:0] in the
      register represents bit[33:32] of the physical address if it has.
      
      Fixes: e6dec923 ("iommu/mediatek: Add mt2712 IOMMU support")
      Reported-by: Honghui Zhang <honghui.zhang@mediatek.com>
      Signed-off-by: Yong Wu <yong.wu@mediatek.com>
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • drm/vmwgfx: Unpin the screen object backup buffer when not used · 8c8f0b1f
      Thomas Hellstrom authored
      [ Upstream commit 20fb5a63 ]
      
      We were relying on the pinned screen object backup buffer to be destroyed
      when not used. But if we hold a copy of the atomic state, like when
      hibernating, the backup buffer might not be destroyed since it's
      refcounted by the atomic state. This causes us to hibernate with a
      buffer pinned in VRAM.
      
      Fix this by only having the buffer pinned when it is actually used by a
      screen object.
      Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: Brian Paul <brianp@vmware.com>
      Reviewed-by: Sinclair Yeh <syeh@vmware.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ext4: don't complain about incorrect features when probing · 791a1ef7
      Eric Sandeen authored
      [ Upstream commit 0d9366d6 ]
      
      If mount is auto-probing for filesystem type, it will try various
      filesystems in order, with the MS_SILENT flag set.  We get
      that flag as the silent arg to ext4_fill_super.
      
      If we're probing (silent==1) then don't complain about feature
      incompatibilities that are found if it looks like it's actually
      a different valid extN type - failed probes should be silent
      in this case.
      
      If the on-disk features are unknown even to ext4, then complain.
      Reported-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Signed-off-by: Eric Sandeen <sandeen@redhat.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • arm: dts: socfpga: fix GIC PPI warning · 1891e0bb
      Philipp Puschmann authored
      [ Upstream commit 6d97d5ab ]
      
      Fixes the warning "GIC: PPI13 is secure or misconfigured" by
      changing the interrupt type from level_low to edge_raising
      Signed-off-by: Philipp Puschmann <pp@emlix.com>
      Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS · b5fb65c5
      Jay Vosburgh authored
      [ Upstream commit bda7fab5 ]
      
      The operstate update logic will leave an interface in the
      default UNKNOWN operstate if the interface carrier state never changes
      from the default carrier up state set at creation.  This includes the
      case of an explicit call to netif_carrier_on, as the carrier on to on
      transition has no effect on operstate.
      
      	This affects virtio-net for the case that the virtio peer does
      not support VIRTIO_NET_F_STATUS (the feature that provides carrier state
      updates).  Without this feature, the virtio specification states that
      "the link should be assumed active," so, logically, the operstate should
      be UP instead of UNKNOWN.  This has impact on user space applications
      that use the operstate to make availability decisions for the interface.
      
      	Resolve this by changing the virtio probe logic slightly to call
      netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS
      cases, and then the existing call to netif_carrier_on for the "without"
      case will cause an operstate transition.
      
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Jason Wang <jasowang@redhat.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
      Acked-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • watchdog: aspeed: Allow configuring for alternate boot · a54e06d4
      Milton Miller authored
      [ Upstream commit 6ffa3402 ]
      
      Allow the device tree to specify a watchdog to fallover to
      the alternate boot source.
      
      The aspeed watchdog can set a latch directing flash chip select 0 to
      chip select 1, allowing boot from an alternate media if the watchdog
      is not reset in time.  On the ast2400 bank 1 also goes to flash bank 1,
      while on the ast2500 the chip selects are swapped.
      
      Also clear the secondary boot bit during the machine restart operation.
      Otherwise, the system will switch to the alternate boot after every
      reboot, which is not desired.
      Signed-off-by: Milton Miller <miltonm@us.ibm.com>
      Signed-off-by: Eddie James <eajames@linux.vnet.ibm.com>
      Reviewed-by: Joel Stanley <joel@jms.id.au>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ima: Fallback to the builtin hash algorithm · cd2399b4
      Petr Vorel authored
      [ Upstream commit ab60368a ]
      
      IMA requires having its hash algorithm be compiled-in due to its
      early use.  The default IMA algorithm is protected by Kconfig to be
      compiled-in.
      
      The ima_hash kernel parameter allows to choose the hash algorithm. When
      the specified algorithm is not available or available as a module, IMA
      initialization fails, which leads to a kernel panic (mknodat syscall calls
      ima_post_path_mknod()).  Therefore as fallback we force IMA to use
      the default builtin Kconfig hash algorithm.
      
      Fixed crash:
      
      $ grep CONFIG_CRYPTO_MD4 .config
      CONFIG_CRYPTO_MD4=m
      
      [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4
      ...
      [    1.545190] ima: Can not allocate md4 (reason: -2)
      ...
      [    2.610120] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    2.611903] IP: ima_match_policy+0x23/0x390
      [    2.612967] PGD 0 P4D 0
      [    2.613080] Oops: 0000 [#1] SMP
      [    2.613080] Modules linked in: autofs4
      [    2.613080] Supported: Yes
      [    2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1
      [    2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      [    2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000
      [    2.613080] RIP: 0010:ima_match_policy+0x23/0x390
      [    2.613080] Call Trace:
      [    2.613080]  ? shmem_mknod+0xbf/0xd0
      [    2.613080]  ima_post_path_mknod+0x1c/0x40
      [    2.613080]  SyS_mknod+0x210/0x220
      [    2.613080]  entry_SYSCALL_64_fastpath+0x1a/0xa5
      [    2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
      [    2.673052]
      [    2.675337] Kernel Offset: disabled
      [    2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
      Signed-off-by: Petr Vorel <pvorel@suse.cz>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ima: Fix Kconfig to select TPM 2.0 CRB interface · bc72e4fc
      [ Upstream commit fac37c62 ]
      
      TPM_CRB driver provides TPM CRB 2.0 support.  If it is built as a
      module, the TPM chip is registered after IMA init.  tpm_pcr_read() in
      IMA fails and displays the following message even though eventually
      there is a TPM chip on the system.
      
      ima: No TPM chip found, activating TPM-bypass! (rc=-19)
      
      Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
      and initializes before IMA.
      Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cxgb4: Setup FW queues before registering netdev · d7b13824
      Arjun Vynipadath authored
      [ Upstream commit 843bd7db ]
      
      When NetworkManager is enabled, there are chances that interface up
      is called even before probe completes. This means we have not yet
      allocated the FW sge queues, hence rest of ingress queue allocation
      won't be proper. Fix this by calling setup_fw_sge_queues() before
      register_netdev().
      
      Fixes: 0fbc81b3 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's')
      Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ath9k: fix crash in spectral scan · aa5a781f
      Sebastian Gottschall authored
      [ Upstream commit 221b6ec6 ]
      
      Fixes crash seen on arm smp systems (gateworks ventana imx6):
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000014
      pgd = 80004000
      [00000014] *pgd=00000000
      Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM
      Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt
      CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P                4.9.85 #19
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      task: bf064980 task.stack: bf07c000
      PC is at relay_buf_full+0xc/0x30
      LR is at _674+0x740/0xf10 [ath9k]
      pc : [<8018bce0>]    lr : [<7f1aa604>]    psr: 80000013
      sp : bf07dbf0  ip : bf07dc00  fp : bf07dbfc
      r10: 0000003f  r9 : bf130e00  r8 : 809044b0
      r7 : 00000000  r6 : be67a9f0  r5 : 00000000  r4 : 809043e4
      r3 : c0864c24  r2 : 00000000  r1 : 00000004  r0 : 00000000
      Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      Control: 10c5387d  Table: 4e6a004a  DAC: 00000055
      Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210)
      Backtrace:
      [<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k])
      [<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k])
       r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8
       r4:00000030
      [<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k])
       r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec
       r4:00000002
      [<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8)
       r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8
       r4:be6470b4
      [<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4)
       r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006
       r4:00000000 r3:80124c94
      [<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c)
       r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200
       r4:bf07c000
      [<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260)
      [<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100)
       r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000
      [<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34)
       r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240
      Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014)
      ---[ end trace dddf11ac9111b272 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      CPU1: stopping
      CPU: 1 PID: 0 Comm: swapper/1 Tainted: P      D         4.9.85 #19
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Backtrace:
      [<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c)
       r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000
      [<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8)
      [<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180)
       r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4
      [<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c)
       r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c
      [<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c)
      Exception stack(0xbf093f58 to 0xbf093fa0)
      3f40:                                                       bf7d62a0 00000000
      3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a
      3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff
       r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050
      [<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34)
      [<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc)
      [<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174)
       r7:8092d2f8 r4:80913568
      [<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488)
       r5:00000055 r4:4f07806a
      Rebooting in 10 seconds..
      Reboot failed -- System halted
      Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A · 085ec7d5
      Jarosław Janik authored
      [ Upstream commit 467c77d4 ]
      
      Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard
      combination. 960 EVO device disappears from PCIe bus within few minutes
      after boot-up when APST is in use and never gets back. Forcing
      NVME_QUIRK_NO_APST is the only way to make this drive work with this
      particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading
      motherboard's BIOS didn't help either.
      Since this is a desktop motherboard, the only drawback of not using APST
      is increased device temperature.
      Signed-off-by: Jarosław Janik <jaroslaw.janik@gmail.com>
      Signed-off-by: Keith Busch <keith.busch@intel.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) · 7e5487b3
      Karthikeyan Periyasamy authored
      [ Upstream commit 8b2d93dd ]
      
      Attempting to run the worker (ath10k_sta_rc_update_wk) after the station
      object (ieee80211_sta) is deleted will trigger a kernel panic.
      
      This problem arises in an AP + Mesh configuration, where the current node AP VAP
      and neighbor node mesh VAP MAC addresses are the same. When the current mesh node
      tries to establish the mesh link with the neighbor node, driver peer creation for
      the neighbor mesh node fails due to the duplicate MAC address. The AP
      VAP has already been created with the same MAC address.
      
      It is caused by the following scenario steps.
      
      Steps:
      1. In the above condition, the ath10k driver sta_state callback (ath10k_sta_state)
         fails to do the state change for a station from IEEE80211_STA_NOTEXIST
         to IEEE80211_STA_NONE because peer creation fails. The sta_state callback is
         called from ieee80211_add_station() to handle the new station
         (neighbor mesh node) request from the wpa_supplicant.
      2. Concurrently, ath10k receives the sta_rc_update callback notification from
         the mesh_neighbour_update() to handle the beacon frames of the above
         neighbor mesh node. Since it is an atomic callback, the ath10k driver queues the
         work (ath10k_sta_rc_update_wk) to handle rc update.
      3. Because the driver sta_state callback fails (step 1), mac80211 frees the station
         object.
      4. When the worker (ath10k_sta_rc_update_wk) is scheduled to run, it will access
         the station object which is already deleted, so it will trigger a kernel
         panic.
      
      Added the peer exist check in the sta_rc_update callback before queueing the work.
      
      Kernel Panic log:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0204000
      [00000000] *pgd=00000000
      Internal error: Oops: 17 [#1] PREEMPT SMP ARM
      CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
      task: dcef0000 ti: d72b6000 task.ti: d72b6000
      PC is at pwq_activate_delayed_work+0x10/0x40
      LR is at pwq_activate_delayed_work+0xc/0x40
      pc : [<c023f988>]    lr : [<c023f984>]    psr: 40000193
      sp : d72b7f18  ip : 0000007a  fp : d72b6000
      r10: 00000000  r9 : dd404414  r8 : d8c31998
      r7 : d72b6038  r6 : 00000004  r5 : d4907ec8  r4 : dcee1300
      r3 : ffffffe0  r2 : 00000000  r1 : 00000001  r0 : 00000000
      Flags: nZcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c5787d  Table: 595bc06a  DAC: 00000015
      ...
      Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
      Stack: (0xd72b7f18 to 0xd72b8000)
      [<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
      [<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
      [<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
      [<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
      Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
      Rebooting in 3 seconds..
      Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() · 5db7e1bb
      Alexey Khoroshilov authored
      [ Upstream commit d66e5364 ]
      
      clk_disable_unprepare() was added to one error path,
      but there is another one. The patch makes sure clk is
      disabled in both of them.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5: Protect from command bit overflow · fc7bcbb9
      Leon Romanovsky authored
      [ Upstream commit 957f6ba8 ]
      
      A system with CONFIG_UBSAN enabled produces the following error
      during driver initialization. The reason is that max_reg_cmds can be
      large enough to cause "1 << max_reg_cmds" to overflow the unsigned long.
      
      ================================================================================
      UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
      signed integer overflow:
      -2147483648 - 1 cannot be represented in type 'int'
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xe9/0x18f
       ? dma_virt_alloc+0x81/0x81
       ubsan_epilogue+0xe/0x4e
       handle_overflow+0x187/0x20c
       mlx5_cmd_init+0x73a/0x12b0
       mlx5_load_one+0x1c3d/0x1d30
       init_one+0xd02/0xf10
       pci_device_probe+0x26c/0x3b0
       driver_probe_device+0x622/0xb40
       __driver_attach+0x175/0x1b0
       bus_for_each_dev+0xef/0x190
       bus_add_driver+0x2db/0x490
       driver_register+0x16b/0x1e0
       __pci_register_driver+0x177/0x1b0
       init+0x6d/0x92
       do_one_initcall+0x15b/0x270
       kernel_init_freeable+0x2d8/0x3d0
       kernel_init+0x14/0x190
       ret_from_fork+0x24/0x30
      ================================================================================
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
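
Added example, not code from the commit or the mlx5 driver: the UBSAN text above is consistent with evaluating `(1 << n) - 1` in `int` arithmetic with n equal to 31. The sketch builds the same kind of low-bits slot mask in `unsigned long` with the width checked; `slot_mask_init`, `slot_alloc`, `slot_free` and `MASK_BITS` are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>

#define MASK_BITS (sizeof(unsigned long) * CHAR_BIT)

/* Hypothetical helper: set the low n bits, one per free command slot.
 * Returns 0 on success, -1 if n slots do not fit in the mask. */
static int slot_mask_init(unsigned int n, unsigned long *mask)
{
    if (n > MASK_BITS)
        return -1;                /* reject instead of shifting out of range */
    if (n == MASK_BITS)
        *mask = ~0UL;             /* 1UL << MASK_BITS is undefined as well */
    else
        *mask = (1UL << n) - 1;   /* unsigned: defined for every n < MASK_BITS */
    return 0;
}

/* Claim the lowest free slot; returns its index, or -1 when none is free. */
static int slot_alloc(unsigned long *mask)
{
    for (unsigned int i = 0; i < MASK_BITS; i++) {
        if (*mask & (1UL << i)) {
            *mask &= ~(1UL << i);
            return (int)i;
        }
    }
    return -1;
}

/* Return a slot to the pool; out-of-range indexes are ignored. */
static void slot_free(unsigned long *mask, unsigned int idx)
{
    if (idx < MASK_BITS)
        *mask |= 1UL << idx;
}

int main(void)
{
    unsigned long mask;
    if (slot_mask_init(31, &mask) != 0)   /* 31: where the int form overflows */
        return 1;
    printf("31 slots -> mask 0x%lx\n", mask);
    int idx = slot_alloc(&mask);
    printf("took slot %d, mask now 0x%lx\n", idx, mask);
    slot_free(&mask, (unsigned int)idx);
    return 0;
}
```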
    • selftests: Print the test we're running to /dev/kmsg · d018d551
      Michael Ellerman authored
      [ Upstream commit 88893cf7 ]
      
      Some tests cause the kernel to print things to the kernel log
      buffer (ie. printk), in particular oops and warnings etc. However when
      running all the tests in succession it's not always obvious which
      test(s) caused the kernel to print something.
      
      We can narrow it down by printing which test directory we're running
      in to /dev/kmsg, if it's writable.
      
      Example output:
      
        [  170.149149] kselftest: Running tests in powerpc
        [  305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
                       left
        [  808.915456] kselftest: Running tests in pstore
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tools/thermal: tmon: fix for segfault · faace30e
      Frank Asseg authored
      [ Upstream commit 6c59f64b ]
      
      Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
      ncurses tmon application. The segfault is caused by incrementing
      cur_thermal_record in the main function without checking if its value reached
      NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
      update_thermal_data a race condition existed, which led to an attempted read
      beyond the last element of the trec array.
      
      The fix was implemented by moving the cur_thermal_record incrementation to the
      update_thermal_data function using a temporary variable on which the boundary
      condition is checked before updating cur_thread_record, so that the variable is
      never incremented beyond the trec array's boundary.
      
      It seems the segfault does not occur on every machine: On an HP EliteBook G4 the
      segfault happens, while it does not happen on a Thinkpad T540p.
      Signed-off-by: Frank Asseg <frank.asseg@objecthunter.net>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
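
Added example, not the tmon source or the patch: a simplified single-threaded model of the two index-update patterns the tmon commit message describes, reporting the largest index a reader could observe under each. The array size, the `int` record type and both function names are assumptions made for the demonstration.

```c
#include <stdio.h>

#define NR_THERMAL_RECORD 4            /* constructed size for the demo */
static int trec[NR_THERMAL_RECORD];    /* stand-in for the record array */

/* "Before" pattern: the loop bumps the index; the wrap happens only later,
 * inside the update. Returns the largest index a reader could observe. */
static int max_index_unchecked(int iterations)
{
    int cur = 0, max_seen = 0;
    for (int i = 0; i < iterations; i++) {
        cur++;                           /* increment without a check */
        if (cur > max_seen)
            max_seen = cur;              /* reading trec[cur] here can be out of bounds */
        if (cur >= NR_THERMAL_RECORD)    /* late check in the update step */
            cur = 0;
        trec[cur] = i;
    }
    return max_seen;
}

/* "After" pattern: advance through a temporary, check it, then publish. */
static int max_index_checked(int iterations)
{
    int cur = 0, max_seen = 0;
    for (int i = 0; i < iterations; i++) {
        int next = cur + 1;
        if (next >= NR_THERMAL_RECORD)
            next = 0;
        cur = next;                      /* index is valid whenever it is visible */
        if (cur > max_seen)
            max_seen = cur;
        trec[cur] = i;
    }
    return max_seen;
}

int main(void)
{
    printf("unchecked max index: %d\n", max_index_unchecked(10));
    printf("checked max index:   %d\n", max_index_checked(10));
    return 0;
}
```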