1. 30 May, 2018 40 commits
    • ima: Fix Kconfig to select TPM 2.0 CRB interface · bc72e4fc
      Jiandi An authored
      [ Upstream commit fac37c62 ]
      
      TPM_CRB driver provides TPM CRB 2.0 support.  If it is built as a
      module, the TPM chip is registered after IMA init.  tpm_pcr_read() in
      IMA fails and displays the following message even though eventually
      there is a TPM chip on the system.
      
      ima: No TPM chip found, activating TPM-bypass! (rc=-19)
      
      Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
      and initializes before IMA.
      Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cxgb4: Setup FW queues before registering netdev · d7b13824
      Arjun Vynipadath authored
      [ Upstream commit 843bd7db ]
      
      When NetworkManager is enabled, there are chances that interface up
      is called even before probe completes. This means we have not yet
      allocated the FW sge queues, hence rest of ingress queue allocation
      won't be proper. Fix this by calling setup_fw_sge_queues() before
      register_netdev().
      
      Fixes: 0fbc81b3 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's')
      Signed-off-by: Arjun Vynipadath <arjun@chelsio.com>
      Signed-off-by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ath9k: fix crash in spectral scan · aa5a781f
      Sebastian Gottschall authored
      [ Upstream commit 221b6ec6 ]
      
      Fixes crash seen on arm smp systems (gateworks ventana imx6):
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000014
      pgd = 80004000
      [00000014] *pgd=00000000
      Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM
      Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt
      CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P                4.9.85 #19
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      task: bf064980 task.stack: bf07c000
      PC is at relay_buf_full+0xc/0x30
      LR is at _674+0x740/0xf10 [ath9k]
      pc : [<8018bce0>]    lr : [<7f1aa604>]    psr: 80000013
      sp : bf07dbf0  ip : bf07dc00  fp : bf07dbfc
      r10: 0000003f  r9 : bf130e00  r8 : 809044b0
      r7 : 00000000  r6 : be67a9f0  r5 : 00000000  r4 : 809043e4
      r3 : c0864c24  r2 : 00000000  r1 : 00000004  r0 : 00000000
      Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      Control: 10c5387d  Table: 4e6a004a  DAC: 00000055
      Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210)
      Backtrace:
      [<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k])
      [<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k])
       r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8
       r4:00000030
      [<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k])
       r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec
       r4:00000002
      [<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8)
       r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8
       r4:be6470b4
      [<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4)
       r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006
       r4:00000000 r3:80124c94
      [<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c)
       r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200
       r4:bf07c000
      [<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260)
      [<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100)
       r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000
      [<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34)
       r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240
      Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014)
      ---[ end trace dddf11ac9111b272 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      CPU1: stopping
      CPU: 1 PID: 0 Comm: swapper/1 Tainted: P      D         4.9.85 #19
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Backtrace:
      [<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c)
       r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000
      [<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8)
      [<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180)
       r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4
      [<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c)
       r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c
      [<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c)
      Exception stack(0xbf093f58 to 0xbf093fa0)
      3f40:                                                       bf7d62a0 00000000
      3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a
      3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff
       r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050
      [<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34)
      [<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc)
      [<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174)
       r7:8092d2f8 r4:80913568
      [<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488)
       r5:00000055 r4:4f07806a
      Rebooting in 10 seconds..
      Reboot failed -- System halted
      Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A · 085ec7d5
      Jarosław Janik authored
      [ Upstream commit 467c77d4 ]
      
      Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard
      combination. 960 EVO device disappears from PCIe bus within a few minutes
      after boot-up when APST is in use and never gets back. Forcing
      NVME_QUIRK_NO_APST is the only way to make this drive work with this
      particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading
      motherboard's BIOS didn't help either.
      Since this is a desktop motherboard, the only drawback of not using APST
      is increased device temperature.
      Signed-off-by: Jarosław Janik <jaroslaw.janik@gmail.com>
      Signed-off-by: Keith Busch <keith.busch@intel.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) · 7e5487b3
      Karthikeyan Periyasamy authored
      [ Upstream commit 8b2d93dd ]
      
      An attempt to run the worker (ath10k_sta_rc_update_wk) after the station
      object (ieee80211_sta) has been deleted will trigger a kernel panic.

      This problem arises in an AP + Mesh configuration, where the current node's
      AP VAP and the neighbor node's mesh VAP have the same MAC address. When the
      current mesh node tries to establish the mesh link with the neighbor node,
      driver peer creation for the neighbor mesh node fails due to the duplicate
      MAC address. The AP VAP was already created with the same MAC address.

      It is caused by the following scenario steps.

      Steps:
      1. In the above condition, the ath10k driver sta_state callback
         (ath10k_sta_state) fails to do the state change for a station from
         IEEE80211_STA_NOTEXIST to IEEE80211_STA_NONE because peer creation
         fails. The sta_state callback is called from ieee80211_add_station() to
         handle the new station (neighbor mesh node) request from the
         wpa_supplicant.
      2. Concurrently, ath10k receives the sta_rc_update callback notification
         from mesh_neighbour_update() to handle the beacon frames of the above
         neighbor mesh node. Since it is an atomic callback, the ath10k driver
         queues the work (ath10k_sta_rc_update_wk) to handle the rc update.
      3. Because the driver sta_state callback fails (step 1), mac80211 frees the
         station object.
      4. When the worker (ath10k_sta_rc_update_wk) is scheduled to run, it will
         access the station object, which is already deleted, so it will trigger
         a kernel panic.

      Added the peer exist check in the sta_rc_update callback before queuing the
      work.
      
      Kernel Panic log:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0204000
      [00000000] *pgd=00000000
      Internal error: Oops: 17 [#1] PREEMPT SMP ARM
      CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
      task: dcef0000 ti: d72b6000 task.ti: d72b6000
      PC is at pwq_activate_delayed_work+0x10/0x40
      LR is at pwq_activate_delayed_work+0xc/0x40
      pc : [<c023f988>]    lr : [<c023f984>]    psr: 40000193
      sp : d72b7f18  ip : 0000007a  fp : d72b6000
      r10: 00000000  r9 : dd404414  r8 : d8c31998
      r7 : d72b6038  r6 : 00000004  r5 : d4907ec8  r4 : dcee1300
      r3 : ffffffe0  r2 : 00000000  r1 : 00000001  r0 : 00000000
      Flags: nZcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c5787d  Table: 595bc06a  DAC: 00000015
      ...
      Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
      [<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
      [<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
      [<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
      [<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
      Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
      Rebooting in 3 seconds..
      Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() · 5db7e1bb
      Alexey Khoroshilov authored
      [ Upstream commit d66e5364 ]
      
      clk_disable_unprepare() was added to one error path,
      but there is another one. The patch makes sure clk is
      disabled on both of them.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5: Protect from command bit overflow · fc7bcbb9
      Leon Romanovsky authored
      [ Upstream commit 957f6ba8 ]
      
      A system with CONFIG_UBSAN enabled produces the following error
      during driver initialization. The reason is that max_reg_cmds can be
      large enough to cause "1 << max_reg_cmds" to overflow the unsigned long.
      
      ================================================================================
      UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
      signed integer overflow:
      -2147483648 - 1 cannot be represented in type 'int'
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xe9/0x18f
       ? dma_virt_alloc+0x81/0x81
       ubsan_epilogue+0xe/0x4e
       handle_overflow+0x187/0x20c
       mlx5_cmd_init+0x73a/0x12b0
       mlx5_load_one+0x1c3d/0x1d30
       init_one+0xd02/0xf10
       pci_device_probe+0x26c/0x3b0
       driver_probe_device+0x622/0xb40
       __driver_attach+0x175/0x1b0
       bus_for_each_dev+0xef/0x190
       bus_add_driver+0x2db/0x490
       driver_register+0x16b/0x1e0
       __pci_register_driver+0x177/0x1b0
       init+0x6d/0x92
       do_one_initcall+0x15b/0x270
       kernel_init_freeable+0x2d8/0x3d0
       kernel_init+0x14/0x190
       ret_from_fork+0x24/0x30
      ================================================================================
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • selftests: Print the test we're running to /dev/kmsg · d018d551
      Michael Ellerman authored
      [ Upstream commit 88893cf7 ]
      
      Some tests cause the kernel to print things to the kernel log
      buffer (ie. printk), in particular oops and warnings etc. However when
      running all the tests in succession it's not always obvious which
      test(s) caused the kernel to print something.
      
      We can narrow it down by printing which test directory we're running
      in to /dev/kmsg, if it's writable.
      
      Example output:
      
        [  170.149149] kselftest: Running tests in powerpc
        [  305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
                       left
        [  808.915456] kselftest: Running tests in pstore
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tools/thermal: tmon: fix for segfault · faace30e
      Frank Asseg authored
      [ Upstream commit 6c59f64b ]
      
      Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
      ncurses tmon application. The segfault is caused by incrementing
      cur_thermal_record in the main function without checking if its value reached
      NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
      update_thermal_data a race condition existed, which led to an attempted read
      beyond the last element of the trec array.
      
      The fix was implemented by moving the cur_thermal_record incrementation to the
      update_thermal_data function using a temporary variable on which the boundary
      condition is checked before updating cur_thread_record, so that the variable is
      never incremented beyond the trec array's boundary.
      
      It seems the segfault does not occur on every machine: On a HP EliteBook G4 the
      segfault happens, while it does not happen on a Thinkpad T540p.
      Signed-off-by: Frank Asseg <frank.asseg@objecthunter.net>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • rsi: fix kernel panic observed on 64bit machine · b652092f
      Amitkumar Karwar authored
      [ Upstream commit 864db4d5 ]
      
      Following kernel panic is observed on 64bit machine while loading
      the driver. It is fixed if we pass dynamically allocated memory to
      SDIO for DMA.
      
      BUG: unable to handle kernel paging request at ffffeb04000172e0
      IP: sg_miter_stop+0x56/0x70
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP PTI
      Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth
      ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle
      drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3
      CPU: 0 PID: 4003 Comm: insmod Tainted: G           OE    4.16.0-rc1+ #27
      Hardware name: Dell Inc. Latitude E5500                  /0DW634, BIOS
      A19 06/13/2013
      RIP: 0010:sg_miter_stop+0x56/0x70
      RSP: 0018:ffff88007d003e78 EFLAGS: 00010002
      RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000
      RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80
      RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008
      R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004
      R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004
      FS:  00007f35c29db700(0000) GS:ffff88007d000000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0
      Call Trace:
      <IRQ>
      sg_copy_buffer+0xc6/0xf0
      sdhci_tasklet_finish+0x170/0x260 [sdhci]
      tasklet_action+0xf4/0x100
      __do_softirq+0xef/0x26e
      irq_exit+0xbe/0xd0
      do_IRQ+0x4a/0xc0
      common_interrupt+0xa2/0xa2
      </IRQ>
      Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/perf: Fix kernel address leak via sampling registers · 31dbd9cf
      Michael Ellerman authored
      [ Upstream commit e1ebd0e5 ]
      
      Current code in power_pmu_disable() does not clear the sampling
      registers like Sampling Instruction Address Register (SIAR) and
      Sampling Data Address Register (SDAR) after disabling the PMU. Since
      these are userspace readable and could contain kernel addresses, add
      code to explicitly clear the content of these registers.
      
      Also add a "context synchronizing instruction" to enforce no further
      updates to these registers as suggested by Power ISA v3.0B. From
      section 9.4, on page 1108:
      
        "If an mtspr instruction is executed that changes the value of a
        Performance Monitor register other than SIAR, SDAR, and SIER, the
        change is not guaranteed to have taken effect until after a
        subsequent context synchronizing instruction has been executed (see
        Chapter 11. "Synchronization Requirements for Context Alterations"
        on page 1133)."
      Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
      [mpe: Massage change log and add ISA reference]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer · 6a0a9f0a
      Madhavan Srinivasan authored
      [ Upstream commit bb19af81 ]
      
      The current Branch History Rolling Buffer (BHRB) code does not check
      for any privilege levels before updating the data from BHRB. This
      could leak kernel addresses to userspace even when profiling only with
      userspace privileges. Add proper checks to prevent it.
      Acked-by: Balbir Singh <bsingharora@gmail.com>
      Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • hwmon: (nct6775) Fix writing pwmX_mode · 68a38ced
      Guenter Roeck authored
      [ Upstream commit 415eb2a1 ]
      
      pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
      register bit is set to 1 for DC mode. This got mixed up, and writing
      1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
      the ABI definition throughout the driver for consistency.
      
      Fixes: 77eb5b37 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode · dbce9e41
      Helge Deller authored
      [ Upstream commit b845f66f ]
      
      Carlo Pisani noticed that his C3600 workstation behaved unstably during heavy
      I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card.
      
      To avoid such instability, this patch switches the LBA PCI bus from Hard Fail
      mode into Soft Fail mode. In this mode the bus will return -1UL for timed out
      MMIO transactions, which is exactly how the x86 (and most other architectures)
      PCI busses behave.
      
      This patch is based on a proposal by Grant Grundler and Kyle McMartin 10
      years ago:
      https://www.spinics.net/lists/linux-parisc/msg01027.html
      
      Cc: Carlo Pisani <carlojpisani@gmail.com>
      Cc: Kyle McMartin <kyle@mcmartin.ca>
      Reviewed-by: Grant Grundler <grantgrundler@gmail.com>
      Signed-off-by: Helge Deller <deller@gmx.de>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq · f3751954
      Luca Coelho authored
      [ Upstream commit 9a233bb8 ]
      
      Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue ==
      IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF)
      which is way too large for the u16 we used to store it in
      hw_queue_to_mac820211.  If this happens the following UBSAN warning
      will be generated:
      
      [  167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5
      [  167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int'
      
      Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and,
      while at it, add a warning if the queue number is larger than
      IEEE80211_MAX_QUEUES.
      
      Fixes: 34e10860 ("iwlwifi: mvm: remove references to queue_info in new TX path")
      Reported-by: Paul Menzel <pmenzel+linux-wireless@molgen.mpg.de>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
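
The two UBSAN reports in this list (the mlx5 `1 << max_reg_cmds` overflow and the iwlwifi `BIT(0xFF)` shift) come from the same pattern: a shift whose exponent is not bounded by the width of the type. The following C code is an added example, not code from either driver or from the upstream fixes; `low_mask`, `clear_queue_bit`, `EX_INVAL_HW_QUEUE` and `EX_MAX_QUEUES` are hypothetical names, and the queue limit of 16 is an assumption made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not taken from the drivers. */
#define EX_INVAL_HW_QUEUE 0xffu  /* sentinel "no queue", the 0xFF from the report */
#define EX_MAX_QUEUES     16u    /* assumed limit: one bit per queue in a uint16_t */

#define ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/*
 * Build a mask with the low `nbits` bits set.
 * The naive `(1 << nbits) - 1` uses a signed int constant, so nbits == 31
 * already overflows, and any nbits >= the type width is undefined.
 * Returns false instead of shifting when the request cannot be represented.
 */
static bool low_mask(unsigned int nbits, unsigned long *out)
{
    if (nbits > ULONG_BITS)
        return false;                 /* caller asked for more bits than exist */
    if (nbits == ULONG_BITS)
        *out = ~0UL;                  /* full width: shifting by the width is undefined */
    else
        *out = (1UL << nbits) - 1;    /* unsigned long constant, exponent < width */
    return true;
}

/*
 * Clear one queue's bit in a 16-bit queue map.
 * The sentinel and any out-of-range index are rejected before the shift,
 * so the exponent is always < 16.
 */
static bool clear_queue_bit(uint16_t *map, unsigned int queue)
{
    if (queue == EX_INVAL_HW_QUEUE)
        return false;                 /* nothing is mapped, nothing to clear */
    if (queue >= EX_MAX_QUEUES)
        return false;                 /* bit would not fit in the uint16_t map */
    *map &= (uint16_t)~(1u << queue);
    return true;
}

int main(void)
{
    unsigned long mask = 0;
    uint16_t map = 0xffff;

    /* 31 and 32 are the values where an int-typed shift goes wrong. */
    if (low_mask(31, &mask))
        printf("low_mask(31) = 0x%lx\n", mask);
    if (low_mask(32, &mask))
        printf("low_mask(32) = 0x%lx\n", mask);
    if (!low_mask((unsigned int)ULONG_BITS + 1, &mask))
        printf("low_mask(width + 1) rejected\n");

    if (clear_queue_bit(&map, 3))
        printf("map after clearing queue 3 = 0x%04x\n", map);
    if (!clear_queue_bit(&map, EX_INVAL_HW_QUEUE))
        printf("sentinel queue rejected, map = 0x%04x\n", map);
    if (!clear_queue_bit(&map, EX_MAX_QUEUES))
        printf("out-of-range queue rejected, map = 0x%04x\n", map);
    return 0;
}
```
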
    • m68k: set dma and coherent masks for platform FEC ethernets · 6a020bb3
      Greg Ungerer authored
      [ Upstream commit f61e6431 ]
      
      As of commit 205e1b7f ("dma-mapping: warn when there is no
      coherent_dma_mask") the Freescale FEC driver is issuing the following
      warning on driver initialization on ColdFire systems:
      
      WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20
      Modules linked in:
      CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4
      Call Trace:
              [<40025534>] 0x40025534
       [<4004e514>] 0x4004e514
       [<400255de>] 0x400255de
       [<40159e20>] 0x40159e20
       [<40159e20>] 0x40159e20
      
      It is not fatal, the driver and the system continue to function normally.
      
      As per the warning the coherent_dma_mask is not set on this device.
      There is nothing special about the DMA memory coherency on this hardware
      so we can just set the mask to 32bits in the platform data for the FEC
      ethernet devices.
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • intel_th: Use correct method of finding hub · 80fceaf3
      Alexander Shishkin authored
      [ Upstream commit 9ad57708 ]
      
      Since commit 8edc514b ("intel_th: Make SOURCE devices children of the
      root device") the hub is not the parent of SOURCE devices any more, so the
      new helper function should be used for that instead of always using the
      parent. The intel_th_set_output() path, however, still uses the old
      logic, leading to the hub driver structure being aliased with something
      else, like struct pci_driver or struct acpi_driver, and an incorrect call
      to an address inferred from that, potentially resulting in a crash.
      
      Fixes: 8edc514b ("intel_th: Make SOURCE devices children of the root device")
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iommu/amd: Take into account that alloc_dev_data() may return NULL · 1366b31d
      Sebastian Andrzej Siewior authored
      [ Upstream commit 39ffe395 ]
      
      find_dev_data() does not check whether the return value of alloc_dev_data()
      is NULL. This was okay once because the pointer was returned once as-is.
      Since commit df3f7a6e ("iommu/amd: Use is_attach_deferred
      call-back") the pointer may be used within find_dev_data() so a NULL
      check is required.
      
      Cc: Baoquan He <bhe@redhat.com>
      Fixes: df3f7a6e ("iommu/amd: Use is_attach_deferred call-back")
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ath10k: advertize beacon_int_min_gcd · 6bc2bf60
      Anilkumar Kolli authored
      [ Upstream commit 8ebee73b ]
      
      This patch fixes a regression caused by 0c317a02
      ("cfg80211: support virtual interfaces with different beacon intervals").
      With this change cfg80211 expects the driver to advertize
      'beacon_int_min_gcd' to support different beacon intervals in multivap
      scenario. This support is added for QCA988X/QCA99X0/QCA9984/QCA4019.
      
      Verified AP + mesh bring up on QCA9984 with beacon interval 100msec and
      1000msec respectively.
      Firmware: firmware-5.bin_10.4-3.5.3-00053
      
      Fixes: 0c317a02 ("cfg80211: support virtual interfaces with different beacon intervals")
      Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ieee802154: ca8210: fix uninitialised data read · 9c222c49
      Harry Morris authored
      [ Upstream commit 86674a97 ]
      
      In ca8210_test_int_user_write() a user can request the transfer of a
      frame with a length field (command.length) that is longer than the
      actual buffer provided (len). In this scenario the driver will copy
      the buffer contents into the uninitialised command[] buffer, then
      transfer <data.length> bytes over the SPI even though only <len> bytes
      had been populated, potentially leaking sensitive kernel memory.
      
      Also the first 6 bytes of the command buffer must be initialised in case
      a malformed, short packet is written and the uninitialised bytes are
      read in ca8210_test_check_upstream.
      Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
      Signed-off-by: Harry Morris <h.morris@cascoda.com>
      Tested-by: Harry Morris <h.morris@cascoda.com>
      Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
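A userspace model of the length mismatch described in the ca8210 commit above, added here as an illustration and not taken from the driver or the upstream fix. The two-byte header layout, the buffer size, the function names and the 0xAA fill that stands in for stale kernel memory are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 260   /* assumed scratch buffer size (>= 255 + header) */
#define HDR_LEN     2     /* assumed header: [0] = command id, [1] = payload length */
#define INIT_LEN    6     /* the commit says the first 6 bytes must be initialised */
#define STALE       0xAA  /* stand-in for whatever was left on the kernel stack */

/* Fake SPI bus: records what the driver would clock out to the device. */
struct wire {
    uint8_t bytes[CMD_BUF_LEN];
    size_t n;
};

static void spi_send(struct wire *w, const uint8_t *buf, size_t n)
{
    memcpy(w->bytes, buf, n);
    w->n = n;
}

/* Before: the transfer size comes from the length byte inside the frame. */
static int write_unchecked(struct wire *w, const uint8_t *user, size_t len)
{
    uint8_t cmd[CMD_BUF_LEN];

    memset(cmd, STALE, sizeof(cmd));   /* model: buffer still holds old data */
    if (len > sizeof(cmd))
        return -1;
    memcpy(cmd, user, len);            /* copy_from_user() in a real driver */
    spi_send(w, cmd, (size_t)cmd[1] + HDR_LEN);
    return 0;
}

/* After: header bytes are zeroed first, and the claimed length must equal
 * the number of bytes the caller actually supplied. */
static int write_checked(struct wire *w, const uint8_t *user, size_t len)
{
    uint8_t cmd[CMD_BUF_LEN];

    memset(cmd, STALE, sizeof(cmd));
    memset(cmd, 0, INIT_LEN);          /* a short write now reads zeros, not stale data */
    if (len > sizeof(cmd))
        return -1;
    memcpy(cmd, user, len);
    if ((size_t)cmd[1] + HDR_LEN != len)
        return -1;                     /* length field disagrees with the write size */
    spi_send(w, cmd, len);
    return 0;
}

/* Bytes on the wire that the caller never supplied. */
static size_t leaked_bytes(const struct wire *w, size_t user_len)
{
    return w->n > user_len ? w->n - user_len : 0;
}

/* Constructed sample frames. */
static const uint8_t FRAME_OVERLONG[] = { 0x01, 64, 0xDE, 0xAD }; /* claims 64, carries 2 */
static const uint8_t FRAME_OK[]       = { 0x01, 2, 0xDE, 0xAD };  /* claims 2, carries 2 */
static const uint8_t FRAME_SHORT[]    = { 0x01 };                 /* no length byte at all */

int main(void)
{
    struct wire w = { {0}, 0 };
    int rc;

    write_unchecked(&w, FRAME_OVERLONG, sizeof(FRAME_OVERLONG));
    printf("unchecked, overlong: sent %zu bytes, %zu not from caller\n",
           w.n, leaked_bytes(&w, sizeof(FRAME_OVERLONG)));

    write_unchecked(&w, FRAME_SHORT, sizeof(FRAME_SHORT));
    printf("unchecked, short:    sent %zu bytes, %zu not from caller\n",
           w.n, leaked_bytes(&w, sizeof(FRAME_SHORT)));

    rc = write_checked(&w, FRAME_OVERLONG, sizeof(FRAME_OVERLONG));
    printf("checked, overlong:   rc=%d\n", rc);
    rc = write_checked(&w, FRAME_SHORT, sizeof(FRAME_SHORT));
    printf("checked, short:      rc=%d\n", rc);
    rc = write_checked(&w, FRAME_OK, sizeof(FRAME_OK));
    printf("checked, well-formed: rc=%d, sent %zu bytes\n", rc, w.n);
    return 0;
}
```

In the short-frame case the unchecked path takes its transfer size from a byte the caller never wrote, which is why initialising the header and validating the length belong together.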
    • powerpc/mpic: Check if cpu_possible() in mpic_physmask() · c3a2a878
      Michael Ellerman authored
      [ Upstream commit 0834d627 ]
      
      In mpic_physmask() we loop over all CPUs up to 32, then get the hard
      SMP processor id of that CPU.
      
      Currently that's possibly walking off the end of the paca array, but
      in a future patch we will change the paca array to be an array of
      pointers, and in that case we will get a NULL for missing CPUs and
      oops. eg:
      
        Unable to handle kernel paging request for data at address 0x88888888888888b8
        Faulting instruction address: 0xc00000000004e380
        Oops: Kernel access of bad area, sig: 11 [#1]
        ...
        NIP .mpic_set_affinity+0x60/0x1a0
        LR  .irq_do_set_affinity+0x48/0x100
      
      Fix it by checking the CPU is possible, this also fixes the code if
      there are gaps in the CPU numbering which probably never happens on
      mpic systems but who knows.
      Debugged-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ACPI: acpi_pad: Fix memory leak in power saving threads · fc2de796
      Lenny Szubowicz authored
      [ Upstream commit 8b29d29a ]
      
      Fix once per second (round_robin_time) memory leak of about 1 KB in
      each acpi_pad kernel idling thread that is activated.
      
      Found by testing with kmemleak.
      Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • drivers: macintosh: rack-meter: really fix bogus memsets · d023498f
      Aaro Koskinen authored
      [ Upstream commit e283655b ]
      
      We should zero an array using sizeof instead of number of elements.
      
      Fixes the following compiler (GCC 7.3.0) warnings:
      
      drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause':
      drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
      drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
      
      Fixes: 4f7bef7a ("drivers: macintosh: rack-meter: fix bogus memsets")
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xen/acpi: off by one in read_acpi_id() · 8effa218
      Dan Carpenter authored
      [ Upstream commit c37a3c94 ]
      
      If acpi_id is == nr_acpi_bits, then we access one element beyond the end
      of the acpi_psd[] array or we set one bit beyond the end of the bit map
      when we do __set_bit(acpi_id, acpi_id_present);
      
      Fixes: 59a56802 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • rxrpc: Don't treat call aborts as conn aborts · 637b9b18
      David Howells authored
      [ Upstream commit 57b0c9d4 ]
      
      If a call-level abort is received for the previous call to complete on a
      connection channel, then that abort is queued for the connection processor
      to handle.  Unfortunately, the connection processor then assumes without
      checking that the abort is connection-level (ie. callNumber is 0) and
      distributes it over all active calls on that connection, thereby
      incorrectly aborting them.
      
      Fix this by discarding aborts aimed at a completed call.
      
      Further, discard all packets aimed at a call that's complete if there's
      currently an active call on a channel, since the DATA packets associated
      with the new call automatically terminate the old call.
      
      Fixes: 18bfeba5 ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
      Reported-by: Marc Dionne <marc.dionne@auristor.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • rxrpc: Fix Tx ring annotation after initial Tx failure · 4a9fabcd
      David Howells authored
      [ Upstream commit 03877bf6 ]
      
      rxrpc calls have a ring of packets that are awaiting ACK or retransmission
      and a parallel ring of annotations that tracks the state of those packets.
      If the initial transmission of a packet on the underlying UDP socket fails
      then the packet annotation is marked for resend - but the setting of this
      mark accidentally erases the last-packet mark also stored in the same
      annotation slot.  If this happens, a call won't switch out of the Tx phase
      when all the packets have been transmitted.
      
      Fix this by retaining the last-packet mark and only altering the packet
      state.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled · 204bfcda
      Qu Wenruo authored
      [ Upstream commit 4d31778a ]
      
      When multiple pending snapshots referring to the same source subvolume
      are executed, enabled quota will cause root item corruption, where root
      items are using old bytenr (no backref in extent tree).
      
      This can be triggered by fstests btrfs/152.
      
      The cause is when source subvolume is still dirty, extra commit
      (simplified transaction commit) of qgroup_account_snapshot() can skip
      dirty roots not recorded in current transaction, making root item of
      source subvolume not updated.
      
      Fix it by forcing recording source subvolume in current transaction
      before qgroup sub-transaction commit.
      Reported-by: Justin Maggard <jmaggard@netgear.com>
      Signed-off-by: Qu Wenruo <wqu@suse.com>
      Reviewed-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers · de00d572
      Jeff Mahoney authored
      [ Upstream commit 8a5a916d ]
      
      While running btrfs/011, I hit the following lockdep splat.
      
      This is the important bit:
         pcpu_alloc+0x1ac/0x5e0
         __percpu_counter_init+0x4e/0xb0
         btrfs_init_fs_root+0x99/0x1c0 [btrfs]
         btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
         resolve_indirect_refs+0x130/0x830 [btrfs]
         find_parent_nodes+0x69e/0xff0 [btrfs]
         btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
         btrfs_find_all_roots+0x50/0x70 [btrfs]
         btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
         btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
      
      The percpu_counter_init call in btrfs_alloc_subvolume_writers
      uses GFP_KERNEL, which we can't do during transaction commit.
      
      This switches it to GFP_NOFS.
      
      ========================================================
      WARNING: possible irq lock inversion dependency detected
      4.12.14-kvmsmall #8 Tainted: G        W
      --------------------------------------------------------
      kswapd0/50 just changed the state of lock:
       (&delayed_node->mutex){+.+.-.}, at: [<ffffffffc06994fa>] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
      but this lock took another, RECLAIM_FS-unsafe lock in the past:
       (pcpu_alloc_mutex){+.+.+.}
      
      and interrupts could create inverse lock ordering between them.
      
      other info that might help us debug this:
      Chain exists of:
        &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex
      
       Possible interrupt unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(pcpu_alloc_mutex);
                                     local_irq_disable();
                                     lock(&delayed_node->mutex);
                                     lock(&found->groups_sem);
        <Interrupt>
          lock(&delayed_node->mutex);
      
       *** DEADLOCK ***
      
      2 locks held by kswapd0/50:
       #0:  (shrinker_rwsem){++++..}, at: [<ffffffff811dc11f>] shrink_slab+0x7f/0x5b0
       #1:  (&type->s_umount_key#30){+++++.}, at: [<ffffffff8126dec6>] trylock_super+0x16/0x50
      
      the shortest dependencies between 2nd lock and 1st lock:
         -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 {
            HARDIRQ-ON-W at:
                                __mutex_lock+0x4e/0x8c0
                                pcpu_alloc+0x1ac/0x5e0
                                alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                __do_tune_cpucache+0x2c/0x220
                                do_tune_cpucache+0x26/0xc0
                                enable_cpucache+0x6d/0xf0
                                kmem_cache_init_late+0x42/0x75
                                start_kernel+0x343/0x4cb
                                x86_64_start_kernel+0x127/0x134
                                secondary_startup_64+0xa5/0xb0
            SOFTIRQ-ON-W at:
                                __mutex_lock+0x4e/0x8c0
                                pcpu_alloc+0x1ac/0x5e0
                                alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                __do_tune_cpucache+0x2c/0x220
                                do_tune_cpucache+0x26/0xc0
                                enable_cpucache+0x6d/0xf0
                                kmem_cache_init_late+0x42/0x75
                                start_kernel+0x343/0x4cb
                                x86_64_start_kernel+0x127/0x134
                                secondary_startup_64+0xa5/0xb0
            RECLAIM_FS-ON-W at:
                                   __kmalloc+0x47/0x310
                                   pcpu_extend_area_map+0x2b/0xc0
                                   pcpu_alloc+0x3ec/0x5e0
                                   alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                                   __do_tune_cpucache+0x2c/0x220
                                   do_tune_cpucache+0x26/0xc0
                                   enable_cpucache+0x6d/0xf0
                                   __kmem_cache_create+0x1bf/0x390
                                   create_cache+0xba/0x1b0
                                   kmem_cache_create+0x1f8/0x2b0
                                   ksm_init+0x6f/0x19d
                                   do_one_initcall+0x50/0x1b0
                                   kernel_init_freeable+0x201/0x289
                                   kernel_init+0xa/0x100
                                   ret_from_fork+0x3a/0x50
            INITIAL USE at:
                               __mutex_lock+0x4e/0x8c0
                               pcpu_alloc+0x1ac/0x5e0
                               alloc_kmem_cache_cpus.isra.70+0x25/0xa0
                               setup_cpu_cache+0x2f/0x1f0
                               __kmem_cache_create+0x1bf/0x390
                               create_boot_cache+0x8b/0xb1
                               kmem_cache_init+0xa1/0x19e
                               start_kernel+0x270/0x4cb
                               x86_64_start_kernel+0x127/0x134
                               secondary_startup_64+0xa5/0xb0
          }
          ... key      at: [<ffffffff821d8e70>] pcpu_alloc_mutex+0x70/0xa0
          ... acquired at:
         pcpu_alloc+0x1ac/0x5e0
         __percpu_counter_init+0x4e/0xb0
         btrfs_init_fs_root+0x99/0x1c0 [btrfs]
         btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
         resolve_indirect_refs+0x130/0x830 [btrfs]
         find_parent_nodes+0x69e/0xff0 [btrfs]
         btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
         btrfs_find_all_roots+0x50/0x70 [btrfs]
         btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
         btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
         transaction_kthread+0x176/0x1b0 [btrfs]
         kthread+0x102/0x140
         ret_from_fork+0x3a/0x50
      
        -> (&fs_info->commit_root_sem){++++..} ops: 1566382 {
           HARDIRQ-ON-W at:
                              down_write+0x3e/0xa0
                              cache_block_group+0x287/0x420 [btrfs]
                              find_free_extent+0x106c/0x12d0 [btrfs]
                              btrfs_reserve_extent+0xd8/0x170 [btrfs]
                              cow_file_range.isra.66+0x133/0x470 [btrfs]
                              run_delalloc_range+0x121/0x410 [btrfs]
                              writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                              __extent_writepage+0x19a/0x360 [btrfs]
                              extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                              extent_writepages+0x4d/0x60 [btrfs]
                              do_writepages+0x1a/0x70
                              __filemap_fdatawrite_range+0xa7/0xe0
                              btrfs_rename+0x5ee/0xdb0 [btrfs]
                              vfs_rename+0x52a/0x7e0
                              SyS_rename+0x351/0x3b0
                              do_syscall_64+0x79/0x1e0
                              entry_SYSCALL_64_after_hwframe+0x42/0xb7
           HARDIRQ-ON-R at:
                              down_read+0x35/0x90
                              caching_thread+0x57/0x560 [btrfs]
                              normal_work_helper+0x1c0/0x5e0 [btrfs]
                              process_one_work+0x1e0/0x5c0
                              worker_thread+0x44/0x390
                              kthread+0x102/0x140
                              ret_from_fork+0x3a/0x50
           SOFTIRQ-ON-W at:
                              down_write+0x3e/0xa0
                              cache_block_group+0x287/0x420 [btrfs]
                              find_free_extent+0x106c/0x12d0 [btrfs]
                              btrfs_reserve_extent+0xd8/0x170 [btrfs]
                              cow_file_range.isra.66+0x133/0x470 [btrfs]
                              run_delalloc_range+0x121/0x410 [btrfs]
                              writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                              __extent_writepage+0x19a/0x360 [btrfs]
                              extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                              extent_writepages+0x4d/0x60 [btrfs]
                              do_writepages+0x1a/0x70
                              __filemap_fdatawrite_range+0xa7/0xe0
                              btrfs_rename+0x5ee/0xdb0 [btrfs]
                              vfs_rename+0x52a/0x7e0
                              SyS_rename+0x351/0x3b0
                              do_syscall_64+0x79/0x1e0
                              entry_SYSCALL_64_after_hwframe+0x42/0xb7
           SOFTIRQ-ON-R at:
                              down_read+0x35/0x90
                              caching_thread+0x57/0x560 [btrfs]
                              normal_work_helper+0x1c0/0x5e0 [btrfs]
                              process_one_work+0x1e0/0x5c0
                              worker_thread+0x44/0x390
                              kthread+0x102/0x140
                              ret_from_fork+0x3a/0x50
           INITIAL USE at:
                             down_write+0x3e/0xa0
                             cache_block_group+0x287/0x420 [btrfs]
                             find_free_extent+0x106c/0x12d0 [btrfs]
                             btrfs_reserve_extent+0xd8/0x170 [btrfs]
                             cow_file_range.isra.66+0x133/0x470 [btrfs]
                             run_delalloc_range+0x121/0x410 [btrfs]
                             writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
                             __extent_writepage+0x19a/0x360 [btrfs]
                             extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
                             extent_writepages+0x4d/0x60 [btrfs]
                             do_writepages+0x1a/0x70
                             __filemap_fdatawrite_range+0xa7/0xe0
                             btrfs_rename+0x5ee/0xdb0 [btrfs]
                             vfs_rename+0x52a/0x7e0
                             SyS_rename+0x351/0x3b0
                             do_syscall_64+0x79/0x1e0
                             entry_SYSCALL_64_after_hwframe+0x42/0xb7
         }
         ... key      at: [<ffffffffc0729578>] __key.61970+0x0/0xfffffffffff9aa88 [btrfs]
         ... acquired at:
         cache_block_group+0x287/0x420 [btrfs]
         find_free_extent+0x106c/0x12d0 [btrfs]
         btrfs_reserve_extent+0xd8/0x170 [btrfs]
         btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
         btrfs_create_tree+0xbb/0x2a0 [btrfs]
         btrfs_create_uuid_tree+0x37/0x140 [btrfs]
         open_ctree+0x23c0/0x2660 [btrfs]
         btrfs_mount+0xd36/0xf90 [btrfs]
         mount_fs+0x3a/0x160
         vfs_kern_mount+0x66/0x150
         btrfs_mount+0x18c/0xf90 [btrfs]
         mount_fs+0x3a/0x160
         vfs_kern_mount+0x66/0x150
         do_mount+0x1c1/0xcc0
         SyS_mount+0x7e/0xd0
         do_syscall_64+0x79/0x1e0
         entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
       -> (&found->groups_sem){++++..} ops: 2134587 {
          HARDIRQ-ON-W at:
                            down_write+0x3e/0xa0
                            __link_block_group+0x34/0x130 [btrfs]
                            btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                            open_ctree+0x2054/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          HARDIRQ-ON-R at:
                            down_read+0x35/0x90
                            btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
                            open_ctree+0x207b/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          SOFTIRQ-ON-W at:
                            down_write+0x3e/0xa0
                            __link_block_group+0x34/0x130 [btrfs]
                            btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                            open_ctree+0x2054/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          SOFTIRQ-ON-R at:
                            down_read+0x35/0x90
                            btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
                            open_ctree+0x207b/0x2660 [btrfs]
                            btrfs_mount+0xd36/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            btrfs_mount+0x18c/0xf90 [btrfs]
                            mount_fs+0x3a/0x160
                            vfs_kern_mount+0x66/0x150
                            do_mount+0x1c1/0xcc0
                            SyS_mount+0x7e/0xd0
                            do_syscall_64+0x79/0x1e0
                            entry_SYSCALL_64_after_hwframe+0x42/0xb7
          INITIAL USE at:
                           down_write+0x3e/0xa0
                           __link_block_group+0x34/0x130 [btrfs]
                           btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
                           open_ctree+0x2054/0x2660 [btrfs]
                           btrfs_mount+0xd36/0xf90 [btrfs]
                           mount_fs+0x3a/0x160
                           vfs_kern_mount+0x66/0x150
                           btrfs_mount+0x18c/0xf90 [btrfs]
                           mount_fs+0x3a/0x160
                           vfs_kern_mount+0x66/0x150
                           do_mount+0x1c1/0xcc0
                           SyS_mount+0x7e/0xd0
                           do_syscall_64+0x79/0x1e0
                           entry_SYSCALL_64_after_hwframe+0x42/0xb7
        }
        ... key      at: [<ffffffffc0729488>] __key.59101+0x0/0xfffffffffff9ab78 [btrfs]
        ... acquired at:
         find_free_extent+0xcb4/0x12d0 [btrfs]
         btrfs_reserve_extent+0xd8/0x170 [btrfs]
         btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
         __btrfs_cow_block+0x110/0x5b0 [btrfs]
         btrfs_cow_block+0xd7/0x290 [btrfs]
         btrfs_search_slot+0x1f6/0x960 [btrfs]
         btrfs_lookup_inode+0x2a/0x90 [btrfs]
         __btrfs_update_delayed_inode+0x65/0x210 [btrfs]
         btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs]
         btrfs_evict_inode+0x3fe/0x6a0 [btrfs]
         evict+0xc4/0x190
         __dentry_kill+0xbf/0x170
         dput+0x2ae/0x2f0
         SyS_rename+0x2a6/0x3b0
         do_syscall_64+0x79/0x1e0
         entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      -> (&delayed_node->mutex){+.+.-.} ops: 5580204 {
         HARDIRQ-ON-W at:
                          __mutex_lock+0x4e/0x8c0
                          btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                          btrfs_update_inode+0x83/0x110 [btrfs]
                          btrfs_dirty_inode+0x62/0xe0 [btrfs]
                          touch_atime+0x8c/0xb0
                          do_generic_file_read+0x818/0xb10
                          __vfs_read+0xdc/0x150
                          vfs_read+0x8a/0x130
                          SyS_read+0x45/0xa0
                          do_syscall_64+0x79/0x1e0
                          entry_SYSCALL_64_after_hwframe+0x42/0xb7
         SOFTIRQ-ON-W at:
                          __mutex_lock+0x4e/0x8c0
                          btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                          btrfs_update_inode+0x83/0x110 [btrfs]
                          btrfs_dirty_inode+0x62/0xe0 [btrfs]
                          touch_atime+0x8c/0xb0
                          do_generic_file_read+0x818/0xb10
                          __vfs_read+0xdc/0x150
                          vfs_read+0x8a/0x130
                          SyS_read+0x45/0xa0
                          do_syscall_64+0x79/0x1e0
                          entry_SYSCALL_64_after_hwframe+0x42/0xb7
         IN-RECLAIM_FS-W at:
                             __mutex_lock+0x4e/0x8c0
                             __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
                             btrfs_evict_inode+0x22c/0x6a0 [btrfs]
                             evict+0xc4/0x190
                             dispose_list+0x35/0x50
                             prune_icache_sb+0x42/0x50
                             super_cache_scan+0x139/0x190
                             shrink_slab+0x262/0x5b0
                             shrink_node+0x2eb/0x2f0
                             kswapd+0x2eb/0x890
                             kthread+0x102/0x140
                             ret_from_fork+0x3a/0x50
         INITIAL USE at:
                         __mutex_lock+0x4e/0x8c0
                         btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
                         btrfs_update_inode+0x83/0x110 [btrfs]
                         btrfs_dirty_inode+0x62/0xe0 [btrfs]
                         touch_atime+0x8c/0xb0
                         do_generic_file_read+0x818/0xb10
                         __vfs_read+0xdc/0x150
                         vfs_read+0x8a/0x130
                         SyS_read+0x45/0xa0
                         do_syscall_64+0x79/0x1e0
                         entry_SYSCALL_64_after_hwframe+0x42/0xb7
       }
       ... key      at: [<ffffffffc072d488>] __key.56935+0x0/0xfffffffffff96b78 [btrfs]
       ... acquired at:
         __lock_acquire+0x264/0x11c0
         lock_acquire+0xbd/0x1e0
         __mutex_lock+0x4e/0x8c0
         __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
         btrfs_evict_inode+0x22c/0x6a0 [btrfs]
         evict+0xc4/0x190
         dispose_list+0x35/0x50
         prune_icache_sb+0x42/0x50
         super_cache_scan+0x139/0x190
         shrink_slab+0x262/0x5b0
         shrink_node+0x2eb/0x2f0
         kswapd+0x2eb/0x890
         kthread+0x102/0x140
         ret_from_fork+0x3a/0x50
      
      stack backtrace:
      CPU: 1 PID: 50 Comm: kswapd0 Tainted: G        W        4.12.14-kvmsmall #8 SLE15 (unreleased)
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0x78/0xb7
       print_irq_inversion_bug.part.38+0x19f/0x1aa
       check_usage_forwards+0x102/0x120
       ? ret_from_fork+0x3a/0x50
       ? check_usage_backwards+0x110/0x110
       mark_lock+0x16c/0x270
       __lock_acquire+0x264/0x11c0
       ? pagevec_lookup_entries+0x1a/0x30
       ? truncate_inode_pages_range+0x2b3/0x7f0
       lock_acquire+0xbd/0x1e0
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       __mutex_lock+0x4e/0x8c0
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs]
       __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
       btrfs_evict_inode+0x22c/0x6a0 [btrfs]
       evict+0xc4/0x190
       dispose_list+0x35/0x50
       prune_icache_sb+0x42/0x50
       super_cache_scan+0x139/0x190
       shrink_slab+0x262/0x5b0
       shrink_node+0x2eb/0x2f0
       kswapd+0x2eb/0x890
       kthread+0x102/0x140
       ? mem_cgroup_shrink_node+0x2c0/0x2c0
       ? kthread_create_on_node+0x40/0x40
       ret_from_fork+0x3a/0x50
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Btrfs: fix copy_items() return value when logging an inode · 92efba91
      Filipe Manana authored
      [ Upstream commit 8434ec46 ]
      
      When logging an inode, at tree-log.c:copy_items(), if we call
      btrfs_next_leaf() at the loop which checks for the need to log holes, we
      need to make sure copy_items() returns the value 1 to its caller and
      not 0 (on success). This is because the path the caller passed was
      released and is now different from what it was before, and the caller
      expects a return value of 0 to mean both success and that the path
      has not changed, while a return value of 1 means both success and
      signals the caller that it can not reuse the path, it has to perform
      another tree search.
      
      Even though this is a case that should not be triggered on normal
      circumstances or very rare at least, its consequences can be very
      unpredictable (especially when replaying a log tree).
      
      Fixes: 16e7549f ("Btrfs: incompatible format change to remove hole extents")
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: tests/qgroup: Fix wrong tree backref level · d7255626
      Qu Wenruo authored
      [ Upstream commit 3c0efdf0 ]
      
      The extent tree of the test fs is like the following:
      
       BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
        item 0 key (4096 168 4096) itemoff 3944 itemsize 51
                extent refs 1 gen 1 flags 2
                tree block key (68719476736 0 0) level 1
                                                 ^^^^^^^
                ref#0: tree block backref root 5
      
      And it's using an empty tree for fs tree, so there is no way that its
      level can be 1.
      
      For REAL (created by mkfs) fs tree backref with no skinny metadata, the
      result should look like:
      
       item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
               refs 1 gen 4 flags TREE_BLOCK
               tree block key (256 INODE_ITEM 0) level 0
                                                 ^^^^^^^
               tree block backref root 5
      
      Fix the level to 0, so it won't break later tree level checker.
      
      Fixes: faa2dbf0 ("Btrfs: add sanity tests for new qgroup accounting code")
      Signed-off-by: Qu Wenruo <wqu@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/64s: sreset panic if there is no debugger or crash dump handlers · 27a913cc
      Nicholas Piggin authored
      [ Upstream commit d40b6768 ]
      
      system_reset_exception does most of its own crash handling now,
      invoking the debugger or crash dumps if they are registered. If not,
      then it goes through to die() to print stack traces, and then is
      supposed to panic (according to comments).
      
      However after die() prints oopses, it does its own handling which
      doesn't allow system_reset_exception to panic (e.g., it may just
      kill the current process). This patch causes sreset exceptions to
      return from die after it prints messages but before acting.
      
      This also stops die from invoking the debugger on 0x100 crashes.
      system_reset_exception similarly calls the debugger. It had been
      thought this was harmless (because if the debugger was disabled,
      neither call would fire, and if it was enabled the first call
      would return). However in some cases like xmon 'X' command, the
      debugger returns 0, which currently causes it to be entered
      again (first in system_reset_exception, then in die), which is
      confusing.
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: bgmac: Correctly annotate register space · 305f25c1
      Florian Fainelli authored
      [ Upstream commit 16a1c064 ]
      
      All the members: base, idm_base and nicpm_base should be annotated with
      __iomem since they are pointers to register space. This fixes a bunch of
      sparse reported warnings.
      
      Fixes: f6a95a24 ("net: ethernet: bgmac: Add platform device support")
      Fixes: dd5c5d03 ("net: ethernet: bgmac: add NS2 support")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() · 435290f7
      Florian Fainelli authored
      [ Upstream commit 60d6e6f0 ]
      
      bgmac_dma_tx_ring_free() assigns the ctl1 word which is a little endian
      32-bit word without using proper accessors, fix this, and because a
      length cannot be negative, use unsigned int while at it.
      
      Fixes: 9cde9450 ("bgmac: implement scatter/gather support")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sparc64: Make atomic_xchg() an inline function rather than a macro. · 4a6cd791
      David S. Miller authored
      [ Upstream commit d13864b6 ]
      
      This avoids a lot of -Wunused warnings such as:
      
      ====================
      kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
      ./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
       #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
      
      ./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’
       #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
                                    ^~~~
      kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’
          atomic_xchg(&kgdb_active, cpu);
          ^~~~~~~~~~~
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • fscache: Fix hanging wait on page discarded by writeback · 22f1bde5
      David Howells authored
      [ Upstream commit 2c984257 ]
      
      If the fscache asynchronous write operation elects to discard a page that's
      pending storage to the cache because the page would be over the store limit
      then it needs to wake the page as someone may be waiting on completion of
      the write.
      
      The problem is that the store limit may be updated by a different
      asynchronous operation - and so may miss the write - and that the store
      limit may not even get updated until later by the netfs.
      
      Fix the kernel hang by making fscache_write_op() mark as written any pages
      that are over the limit.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • lan78xx: Connect phy early · 6d03ff16
      Alexander Graf authored
      [ Upstream commit 92571a1a ]
      
      When using wicked with a lan78xx device attached to the system, we
      end up with ethtool commands issued on the device before an ifup
      got issued. That led to the following crash:
      
          Unable to handle kernel NULL pointer dereference at virtual address 0000039c
          pgd = ffff800035b30000
          [0000039c] *pgd=0000000000000000
          Internal error: Oops: 96000004 [#1] SMP
          Modules linked in: [...]
          Supported: Yes
          CPU: 3 PID: 638 Comm: wickedd Tainted: G            E      4.12.14-0-default #1
          Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018
          task: ffff800035e74180 task.stack: ffff800036718000
          PC is at phy_ethtool_ksettings_get+0x20/0x98
          LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
          pc : [<ffff0000086f7f30>] lr : [<ffff000000dcca84>] pstate: 20000005
          sp : ffff80003671bb20
          x29: ffff80003671bb20 x28: ffff800035e74180
          x27: ffff000008912000 x26: 000000000000001d
          x25: 0000000000000124 x24: ffff000008f74d00
          x23: 0000004000114809 x22: 0000000000000000
          x21: ffff80003671bbd0 x20: 0000000000000000
          x19: ffff80003671bbd0 x18: 000000000000040d
          x17: 0000000000000001 x16: 0000000000000000
          x15: 0000000000000000 x14: ffffffffffffffff
          x13: 0000000000000000 x12: 0000000000000020
          x11: 0101010101010101 x10: fefefefefefefeff
          x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364
          x7 : 0000000080808080 x6 : ffff80003671bc9c
          x5 : ffff80003671b9f8 x4 : ffff80002c296190
          x3 : 0000000000000000 x2 : 0000000000000000
          x1 : ffff80003671bbd0 x0 : ffff80003671bc00
          Process wickedd (pid: 638, stack limit = 0xffff800036718000)
          Call trace:
          Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20)
          [<ffff0000086f7f30>] phy_ethtool_ksettings_get+0x20/0x98
          [<ffff000000dcca84>] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx]
          [<ffff0000087cbc40>] ethtool_get_settings+0x68/0x210
          [<ffff0000087cc0d4>] dev_ethtool+0x214/0x2180
          [<ffff0000087e5008>] dev_ioctl+0x400/0x630
          [<ffff00000879dd00>] sock_do_ioctl+0x70/0x88
          [<ffff00000879f5f8>] sock_ioctl+0x208/0x368
          [<ffff0000082cde10>] do_vfs_ioctl+0xb0/0x848
          [<ffff0000082ce634>] SyS_ioctl+0x8c/0xa8
          Exception stack(0xffff80003671bec0 to 0xffff80003671c000)
      
      The culprit is quite simple: The driver tries to access the phy left and right,
      but only actually has a working reference to it when the device is up.
      
      The fix thus is quite simple too: Get a reference to the phy on probe already
      and keep it even when the device is going down.
      
      With this patch applied, I can successfully run wicked on my system and bring
      the interface up and down as many times as I want, without getting NULL pointer
      dereferences in between.
      Signed-off-by: Alexander Graf <agraf@suse.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • KVM: VMX: raise internal error for exception during invalid protected mode state · 80b8f3da
      Sean Christopherson authored
      [ Upstream commit add5ff7a ]
      
      Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter
      an exception in Protected Mode while emulating guest due to invalid
      guest state.  Unlike Big RM, KVM doesn't support emulating exceptions
      in PM, i.e. PM exceptions are always injected via the VMCS.  Because
      we will never do VMRESUME due to emulation_required, the exception is
      never realized and we'll keep emulating the faulting instruction over
      and over until we receive a signal.
      
      Exit to userspace iff there is a pending exception, i.e. don't exit
      simply on a requested event. The purpose of this check and exit is to
      aid in debugging a guest that is in all likelihood already doomed.
      Invalid guest state in PM is extremely limited in normal operation,
      e.g. it generally only occurs for a few instructions early in BIOS,
      and any exception at this time is all but guaranteed to be fatal.
      Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly
      handled/emulated, while checking for vectored interrupts, e.g. INTR
      and NMI, without hitting false positives would add a fair amount of
      complexity for almost no benefit (getting hit by lightning seems
      more likely than encountering this specific scenario).
      
      Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an
      exception via the VMCS and emulation_required is true.
      Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of... · fd97bbca
      Sai Praneeth authored
      x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush()
      
      [ Upstream commit 162ee5a8 ]
      
      Linus reported the following boot warning:
      
        WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170
        [...]
        Call Trace:
        switch_mm_irqs_off+0x267/0x590
        switch_mm+0xe/0x20
        efi_switch_mm+0x3e/0x50
        efi_enter_virtual_mode+0x43f/0x4da
        start_kernel+0x3bf/0x458
        secondary_startup_64+0xa5/0xb0
      
      ... after merging:
      
        03781e40: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3
      
      When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled,
      build_cr3_noflush() (called via switch_mm()) does a sanity check to see
      if X86_FEATURE_PCID is set.
      
      Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to
      perform the check but this_cpu_has() works only after SMP is initialized
      (i.e. per cpu cpu_info's should be populated) and this happens to be very
      late in the boot process (during rest_init()).
      
      As efi_runtime_services() are called during (early) kernel boot time
      and run time, modify build_cr3_noflush() to use boot_cpu_has() all the
      time. As suggested by Dave Hansen, this should be OK because all CPUs have
      the same capabilities on x86.
      
      With this change the warning is fixed.
      
      ( Dave also suggested that we put a warning in this_cpu_has() if it's used
        early in the boot process. This is still work in progress as it affects
        MCE. )
      Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Lee Chun-Yi <jlee@suse.com>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi Shankar <ravi.v.shankar@intel.com>
      Cc: Ricardo Neri <ricardo.neri@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning · 3aeaeecd
      Davidlohr Bueso authored
      [ Upstream commit d29a2064 ]
      
      While running rt-tests' pi_stress program I got the following splat:
      
        rq->clock_update_flags < RQCF_ACT_SKIP
        WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20
      
        [...]
      
        <IRQ>
        enqueue_top_rt_rq+0xf4/0x150
        ? cpufreq_dbs_governor_start+0x170/0x170
        sched_rt_rq_enqueue+0x65/0x80
        sched_rt_period_timer+0x156/0x360
        ? sched_rt_rq_enqueue+0x80/0x80
        __hrtimer_run_queues+0xfa/0x260
        hrtimer_interrupt+0xcb/0x220
        smp_apic_timer_interrupt+0x62/0x120
        apic_timer_interrupt+0xf/0x20
        </IRQ>
      
        [...]
      
        do_idle+0x183/0x1e0
        cpu_startup_entry+0x5f/0x70
        start_secondary+0x192/0x1d0
        secondary_startup_64+0xa5/0xb0
      
      We can get rid of it by the "traditional" means of adding an
      update_rq_clock() call after acquiring the rq->lock in
      do_sched_rt_period_timer().
      
      The case for the RT task throttling (which this workload also hits)
      can be ignored in that the skip_update call is actually bogus and
      quite the contrary (the request bits are removed/reverted).
      
      By setting RQCF_UPDATED we really don't care if the skip is happening
      or not and will therefore make the assert_clock_updated() check happy.
      Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
      Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: dave@stgolabs.net
      Cc: linux-kernel@vger.kernel.org
      Cc: rostedt@goodmis.org
      Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep · be6a5ad5
      Nicholas Piggin authored
      [ Upstream commit c1b25a17 ]
      
      POWER8 restores AMOR when waking from deep sleep, but POWER9 does not,
      because it does not go through the subcore restore.
      
      Have POWER9 restore it in core restore.
      
      Fixes: ee97b6b9 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0")
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>