1. 01 Oct, 2020 40 commits
    • Tom Rix's avatar
      ALSA: asihpi: fix iounmap in error handler · c93d30f5
      Tom Rix authored
      [ Upstream commit 472eb391 ]
      
      clang static analysis flags this problem
      hpioctl.c:513:7: warning: Branch condition evaluates to
        a garbage value
                      if (pci.ap_mem_base[idx]) {
                          ^~~~~~~~~~~~~~~~~~~~
      
      If there is a failure in the middle of the memory space loop,
      only some of the memory spaces need to be cleaned up.
      
      At the error handler, idx holds the number of successful
      memory spaces mapped.  So rework the handler loop to use the
      old idx.
      
      There is a second problem, the memory space loop conditionally
      iomaps()/sets the mem_base so it is necessay to initize pci.
      
      Fixes: 719f82d3 ("ALSA: Add support of AudioScience ASI boards")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c93d30f5
    • Linus Lüssing's avatar
      batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh · f3474ef3
      Linus Lüssing authored
      [ Upstream commit 74c09b72 ]
      
      Scenario:
      * Multicast frame send from mesh to a BLA backbone (multiple nodes
        with their bat0 bridged together, with BLA enabled)
      
      Issue:
      * BLA backbone nodes receive the frame multiple times on bat0,
        once from mesh->bat0 and once from each backbone_gw from LAN
      
      For unicast, a node will send only to the best backbone gateway
      according to the TQ. However for multicast we currently cannot determine
      if multiple destination nodes share the same backbone if they don't share
      the same backbone with us. So we need to keep sending the unicasts to
      all backbone gateways and let the backbone gateways decide which one
      will forward the frame. We can use the CLAIM mechanism to make this
      decision.
      
      One catch: The batman-adv gateway feature for DHCP packets potentially
      sends multicast packets in the same batman-adv unicast header as the
      multicast optimizations code. And we are not allowed to drop those even
      if we did not claim the source address of the sender, as for such
      packets there is only this one multicast-in-unicast packet.
      
      How can we distinguish the two cases?
      
      The gateway feature uses a batman-adv unicast 4 address header. While
      the multicast-to-unicasts feature uses a simple, 3 address batman-adv
      unicast header. So let's use this to distinguish.
      
      Fixes: fe2da6ff ("batman-adv: check incoming packet type for bla")
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f3474ef3
    • Sven Eckelmann's avatar
      batman-adv: Add missing include for in_interrupt() · be23ff8b
      Sven Eckelmann authored
      [ Upstream commit 4bba9dab ]
      
      The fix for receiving (internally generated) bla packets outside the
      interrupt context introduced the usage of in_interrupt(). But this
      functionality is only defined in linux/preempt.h which was not included
      with the same patch.
      
      Fixes: 279e89b2 ("batman-adv: bla: use netif_rx_ni when not in interrupt context")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      be23ff8b
    • Eric Dumazet's avatar
      mac802154: tx: fix use-after-free · 20191c79
      Eric Dumazet authored
      [ Upstream commit 0ff4628f ]
      
      syzbot reported a bug in ieee802154_tx() [1]
      
      A similar issue in ieee802154_xmit_worker() is also fixed in this patch.
      
      [1]
      BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
      Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928
      
      CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x198/0x1fd lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
       ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
       ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
       __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
       netdev_start_xmit include/linux/netdevice.h:4648 [inline]
       dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
       packet_snd net/packet/af_packet.c:2989 [inline]
       packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:671
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45d5b9
      Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9
      RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b
      RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
      R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec
      
      Allocated by task 928:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
       slab_post_alloc_hook mm/slab.h:518 [inline]
       slab_alloc_node mm/slab.c:3254 [inline]
       kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574
       __alloc_skb+0x71/0x550 net/core/skbuff.c:198
       alloc_skb include/linux/skbuff.h:1094 [inline]
       alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771
       sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348
       packet_alloc_skb net/packet/af_packet.c:2837 [inline]
       packet_snd net/packet/af_packet.c:2932 [inline]
       packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:671
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 928:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
       kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
       __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
       __cache_free mm/slab.c:3418 [inline]
       kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
       kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
       __kfree_skb net/core/skbuff.c:679 [inline]
       consume_skb net/core/skbuff.c:838 [inline]
       consume_skb+0xcf/0x160 net/core/skbuff.c:832
       __dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107
       fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81
       drv_xmit_async net/mac802154/driver-ops.h:16 [inline]
       ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81
       ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
       __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
       netdev_start_xmit include/linux/netdevice.h:4648 [inline]
       dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
       packet_snd net/packet/af_packet.c:2989 [inline]
       packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:671
       ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
       ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The buggy address belongs to the object at ffff8880251a8c00
       which belongs to the cache skbuff_head_cache of size 224
      The buggy address is located 112 bytes inside of
       224-byte region [ffff8880251a8c00, ffff8880251a8ce0)
      The buggy address belongs to the page:
      page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8
      flags: 0xfffe0000000200(slab)
      raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00
      raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                   ^
       ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
      
      Fixes: 409c3b0c ("mac802154: tx: move stats tx increment")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Alexander Aring <alex.aring@gmail.com>
      Cc: Stefan Schmidt <stefan@datenfreihafen.org>
      Cc: linux-wpan@vger.kernel.org
      Link: https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.comSigned-off-by: default avatarStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      20191c79
    • Linus Lüssing's avatar
      batman-adv: mcast/TT: fix wrongly dropped or rerouted packets · ae1ff3f5
      Linus Lüssing authored
      [ Upstream commit 7dda5b33 ]
      
      The unicast packet rerouting code makes several assumptions. For
      instance it assumes that there is always exactly one destination in the
      TT. This breaks for multicast frames in a unicast packets in several ways:
      
      For one thing if there is actually no TT entry and the destination node
      was selected due to the multicast tvlv flags it announced. Then an
      intermediate node will wrongly drop the packet.
      
      For another thing if there is a TT entry but the TTVN of this entry is
      newer than the originally addressed destination node: Then the
      intermediate node will wrongly redirect the packet, leading to
      duplicated multicast packets at a multicast listener and missing
      packets at other multicast listeners or multicast routers.
      
      Fixing this by not applying the unicast packet rerouting to batman-adv
      unicast packets with a multicast payload. We are not able to detect a
      roaming multicast listener at the moment and will just continue to send
      the multicast frame to both the new and old destination for a while in
      case of such a roaming multicast listener.
      
      Fixes: a73105b8 ("batman-adv: improved client announcement mechanism")
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ae1ff3f5
    • Jing Xiangfeng's avatar
      atm: eni: fix the missed pci_disable_device() for eni_init_one() · 17100ced
      Jing Xiangfeng authored
      [ Upstream commit c2b94787 ]
      
      eni_init_one() misses to call pci_disable_device() in an error path.
      Jump to err_disable to fix it.
      
      Fixes: ede58ef2 ("atm: remove deprecated use of pci api")
      Signed-off-by: default avatarJing Xiangfeng <jingxiangfeng@huawei.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      17100ced
    • Linus Lüssing's avatar
      batman-adv: bla: fix type misuse for backbone_gw hash indexing · c5edfd85
      Linus Lüssing authored
      [ Upstream commit 097930e8 ]
      
      It seems that due to a copy & paste error the void pointer
      in batadv_choose_backbone_gw() is cast to the wrong type.
      
      Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
      batadv_bla_claim" which better matches the caller's side.
      
      For now it seems that we were lucky because the two structs both have
      their orig/vid and addr/vid in the beginning. However I stumbled over
      this issue when I was trying to add some debug variables in front of
      "orig" in batadv_backbone_gw, which caused hash lookups to fail.
      
      Fixes: 07568d03 ("batman-adv: don't rely on positions in struct for hashing")
      Signed-off-by: default avatarLinus Lüssing <ll@simonwunderlich.de>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c5edfd85
    • Maximilian Luz's avatar
      mwifiex: Increase AES key storage size to 256 bits · 4cef2618
      Maximilian Luz authored
      [ Upstream commit 4afc850e ]
      
      Following commit e1869678 ("mwifiex: Prevent memory corruption
      handling keys") the mwifiex driver fails to authenticate with certain
      networks, specifically networks with 256 bit keys, and repeatedly asks
      for the password. The kernel log repeats the following lines (id and
      bssid redacted):
      
          mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
          mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
          mwifiex_pcie 0000:01:00.0: crypto keys added
          mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
      
      Tracking down this problem lead to the overflow check introduced by the
      aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
      check fails on networks with 256 bit keys due to the current storage
      size for AES keys in struct mwifiex_aes_param being only 128 bit.
      
      To fix this issue, increase the storage size for AES keys to 256 bit.
      
      Fixes: e1869678 ("mwifiex: Prevent memory corruption handling keys")
      Signed-off-by: default avatarMaximilian Luz <luzmaximilian@gmail.com>
      Reported-by: default avatarKaloyan Nikolov <konik98@gmail.com>
      Tested-by: default avatarKaloyan Nikolov <konik98@gmail.com>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarBrian Norris <briannorris@chromium.org>
      Tested-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      4cef2618
    • Tianjia Zhang's avatar
      clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() · 92ec195f
      Tianjia Zhang authored
      [ Upstream commit 400d033f ]
      
      In the init function, if the call to of_iomap() fails, the return
      value is ENXIO instead of -ENXIO.
      
      Change to the right negative errno.
      
      Fixes: 691f8f87 ("clocksource/drivers/h8300_timer8: Convert init function to return error")
      Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
      Signed-off-by: default avatarTianjia Zhang <tianjia.zhang@linux.alibaba.com>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      92ec195f
    • Tom Rix's avatar
      ieee802154/adf7242: check status of adf7242_read_reg · 39c96742
      Tom Rix authored
      [ Upstream commit e3914ed6 ]
      
      Clang static analysis reports this error
      
      adf7242.c:887:6: warning: Assigned value is garbage or undefined
              len = len_u8;
                  ^ ~~~~~~
      
      len_u8 is set in
             adf7242_read_reg(lp, 0, &len_u8);
      
      When this call fails, len_u8 is not set.
      
      So check the return code.
      
      Fixes: 7302b9d9 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Acked-by: default avatarMichael Hennerich <michael.hennerich@analog.com>
      Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.comSigned-off-by: default avatarStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      39c96742
    • Josh Poimboeuf's avatar
      objtool: Fix noreturn detection for ignored functions · 0ce70ef5
      Josh Poimboeuf authored
      [ Upstream commit db6c6a0d ]
      
      When a function is annotated with STACK_FRAME_NON_STANDARD, objtool
      doesn't validate its code paths.  It also skips sibling call detection
      within the function.
      
      But sibling call detection is actually needed for the case where the
      ignored function doesn't have any return instructions.  Otherwise
      objtool naively marks the function as implicit static noreturn, which
      affects the reachability of its callers, resulting in "unreachable
      instruction" warnings.
      
      Fix it by just enabling sibling call detection for ignored functions.
      The 'insn->ignore' check in add_jump_destinations() is no longer needed
      after
      
        e6da9567 ("objtool: Don't use ignore flag for fake jumps").
      
      Fixes the following warning:
      
        arch/x86/kvm/vmx/vmx.o: warning: objtool: vmx_handle_exit_irqoff()+0x142: unreachable instruction
      
      which triggers on an allmodconfig with CONFIG_GCOV_KERNEL unset.
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Link: https://lkml.kernel.org/r/5b1e2536cdbaa5246b60d7791b76130a74082c62.1599751464.git.jpoimboe@redhat.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      0ce70ef5
    • Hans de Goede's avatar
      i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() · 8b086aa9
      Hans de Goede authored
      [ Upstream commit 21653a41 ]
      
      Some ACPI i2c-devices _STA method (which is used to detect if the device
      is present) use autodetection code which probes which device is present
      over i2c. This requires the I2C ACPI OpRegion handler to be registered
      before we enumerate i2c-clients under the i2c-adapter.
      
      This fixes the i2c touchpad on the Lenovo ThinkBook 14-IIL and
      ThinkBook 15 IIL not getting an i2c-client instantiated and thus not
      working.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1842039Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8b086aa9
    • Ilya Leoshkevich's avatar
      s390/init: add missing __init annotations · efa34358
      Ilya Leoshkevich authored
      [ Upstream commit fcb2b70c ]
      
      Add __init to reserve_memory_end, reserve_oldmem and remove_oldmem.
      Sometimes these functions are not inlined, and then the build
      complains about section mismatch.
      Signed-off-by: default avatarIlya Leoshkevich <iii@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      efa34358
    • Zeng Tao's avatar
      vfio/pci: fix racy on error and request eventfd ctx · f18c38ad
      Zeng Tao authored
      [ Upstream commit b872d064 ]
      
      The vfio_pci_release call will free and clear the error and request
      eventfd ctx while these ctx could be in use at the same time in the
      function like vfio_pci_request, and it's expected to protect them under
      the vdev->igate mutex, which is missing in vfio_pci_release.
      
      This issue is introduced since commit 1518ac27 ("vfio/pci: fix memory
      leaks of eventfd ctx"),and since commit 5c5866c5 ("vfio/pci: Clear
      error and request eventfd ctx after releasing"), it's very easily to
      trigger the kernel panic like this:
      
      [ 9513.904346] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
      [ 9513.913091] Mem abort info:
      [ 9513.915871]   ESR = 0x96000006
      [ 9513.918912]   EC = 0x25: DABT (current EL), IL = 32 bits
      [ 9513.924198]   SET = 0, FnV = 0
      [ 9513.927238]   EA = 0, S1PTW = 0
      [ 9513.930364] Data abort info:
      [ 9513.933231]   ISV = 0, ISS = 0x00000006
      [ 9513.937048]   CM = 0, WnR = 0
      [ 9513.940003] user pgtable: 4k pages, 48-bit VAs, pgdp=0000007ec7d12000
      [ 9513.946414] [0000000000000008] pgd=0000007ec7d13003, p4d=0000007ec7d13003, pud=0000007ec728c003, pmd=0000000000000000
      [ 9513.956975] Internal error: Oops: 96000006 [#1] PREEMPT SMP
      [ 9513.962521] Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio hclge hns3 hnae3 [last unloaded: vfio_pci]
      [ 9513.972998] CPU: 4 PID: 1327 Comm: bash Tainted: G        W         5.8.0-rc4+ #3
      [ 9513.980443] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B270.01 05/08/2020
      [ 9513.989274] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
      [ 9513.994827] pc : _raw_spin_lock_irqsave+0x48/0x88
      [ 9513.999515] lr : eventfd_signal+0x6c/0x1b0
      [ 9514.003591] sp : ffff800038a0b960
      [ 9514.006889] x29: ffff800038a0b960 x28: ffff007ef7f4da10
      [ 9514.012175] x27: ffff207eefbbfc80 x26: ffffbb7903457000
      [ 9514.017462] x25: ffffbb7912191000 x24: ffff007ef7f4d400
      [ 9514.022747] x23: ffff20be6e0e4c00 x22: 0000000000000008
      [ 9514.028033] x21: 0000000000000000 x20: 0000000000000000
      [ 9514.033321] x19: 0000000000000008 x18: 0000000000000000
      [ 9514.038606] x17: 0000000000000000 x16: ffffbb7910029328
      [ 9514.043893] x15: 0000000000000000 x14: 0000000000000001
      [ 9514.049179] x13: 0000000000000000 x12: 0000000000000002
      [ 9514.054466] x11: 0000000000000000 x10: 0000000000000a00
      [ 9514.059752] x9 : ffff800038a0b840 x8 : ffff007ef7f4de60
      [ 9514.065038] x7 : ffff007fffc96690 x6 : fffffe01faffb748
      [ 9514.070324] x5 : 0000000000000000 x4 : 0000000000000000
      [ 9514.075609] x3 : 0000000000000000 x2 : 0000000000000001
      [ 9514.080895] x1 : ffff007ef7f4d400 x0 : 0000000000000000
      [ 9514.086181] Call trace:
      [ 9514.088618]  _raw_spin_lock_irqsave+0x48/0x88
      [ 9514.092954]  eventfd_signal+0x6c/0x1b0
      [ 9514.096691]  vfio_pci_request+0x84/0xd0 [vfio_pci]
      [ 9514.101464]  vfio_del_group_dev+0x150/0x290 [vfio]
      [ 9514.106234]  vfio_pci_remove+0x30/0x128 [vfio_pci]
      [ 9514.111007]  pci_device_remove+0x48/0x108
      [ 9514.115001]  device_release_driver_internal+0x100/0x1b8
      [ 9514.120200]  device_release_driver+0x28/0x38
      [ 9514.124452]  pci_stop_bus_device+0x68/0xa8
      [ 9514.128528]  pci_stop_and_remove_bus_device+0x20/0x38
      [ 9514.133557]  pci_iov_remove_virtfn+0xb4/0x128
      [ 9514.137893]  sriov_disable+0x3c/0x108
      [ 9514.141538]  pci_disable_sriov+0x28/0x38
      [ 9514.145445]  hns3_pci_sriov_configure+0x48/0xb8 [hns3]
      [ 9514.150558]  sriov_numvfs_store+0x110/0x198
      [ 9514.154724]  dev_attr_store+0x44/0x60
      [ 9514.158373]  sysfs_kf_write+0x5c/0x78
      [ 9514.162018]  kernfs_fop_write+0x104/0x210
      [ 9514.166010]  __vfs_write+0x48/0x90
      [ 9514.169395]  vfs_write+0xbc/0x1c0
      [ 9514.172694]  ksys_write+0x74/0x100
      [ 9514.176079]  __arm64_sys_write+0x24/0x30
      [ 9514.179987]  el0_svc_common.constprop.4+0x110/0x200
      [ 9514.184842]  do_el0_svc+0x34/0x98
      [ 9514.188144]  el0_svc+0x14/0x40
      [ 9514.191185]  el0_sync_handler+0xb0/0x2d0
      [ 9514.195088]  el0_sync+0x140/0x180
      [ 9514.198389] Code: b9001020 d2800000 52800022 f9800271 (885ffe61)
      [ 9514.204455] ---[ end trace 648de00c8406465f ]---
      [ 9514.212308] note: bash[1327] exited with preempt_count 1
      
      Cc: Qian Cai <cai@lca.pw>
      Cc: Alex Williamson <alex.williamson@redhat.com>
      Fixes: 1518ac27 ("vfio/pci: fix memory leaks of eventfd ctx")
      Signed-off-by: default avatarZeng Tao <prime.zeng@hisilicon.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f18c38ad
    • Andy Lutomirski's avatar
      selftests/x86/syscall_nt: Clear weird flags after each test · 2566557b
      Andy Lutomirski authored
      [ Upstream commit a61fa279 ]
      
      Clear the weird flags before logging to improve strace output --
      logging results while, say, TF is set does no one any favors.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/907bfa5a42d4475b8245e18b67a04b13ca51ffdb.1593191971.git.luto@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2566557b
    • Zhang Xiaoxu's avatar
      cifs: Fix double add page to memcg when cifs_readpages · d1a2a1c9
      Zhang Xiaoxu authored
      [ Upstream commit 95a3d8f3 ]
      
      When xfstests generic/451, there is an BUG at mm/memcontrol.c:
        page:ffffea000560f2c0 refcount:2 mapcount:0 mapping:000000008544e0ea
             index:0xf
        mapping->aops:cifs_addr_ops dentry name:"tst-aio-dio-cycle-write.451"
        flags: 0x2fffff80000001(locked)
        raw: 002fffff80000001 ffffc90002023c50 ffffea0005280088 ffff88815cda0210
        raw: 000000000000000f 0000000000000000 00000002ffffffff ffff88817287d000
        page dumped because: VM_BUG_ON_PAGE(page->mem_cgroup)
        page->mem_cgroup:ffff88817287d000
        ------------[ cut here ]------------
        kernel BUG at mm/memcontrol.c:2659!
        invalid opcode: 0000 [#1] SMP
        CPU: 2 PID: 2038 Comm: xfs_io Not tainted 5.8.0-rc1 #44
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_
          073836-buildvm-ppc64le-16.ppc.4
        RIP: 0010:commit_charge+0x35/0x50
        Code: 0d 48 83 05 54 b2 02 05 01 48 89 77 38 c3 48 c7
              c6 78 4a ea ba 48 83 05 38 b2 02 05 01 e8 63 0d9
        RSP: 0018:ffffc90002023a50 EFLAGS: 00010202
        RAX: 0000000000000000 RBX: ffff88817287d000 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffff88817ac97ea0 RDI: ffff88817ac97ea0
        RBP: ffffea000560f2c0 R08: 0000000000000203 R09: 0000000000000005
        R10: 0000000000000030 R11: ffffc900020237a8 R12: 0000000000000000
        R13: 0000000000000001 R14: 0000000000000001 R15: ffff88815a1272c0
        FS:  00007f5071ab0800(0000) GS:ffff88817ac80000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 000055efcd5ca000 CR3: 000000015d312000 CR4: 00000000000006e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         mem_cgroup_charge+0x166/0x4f0
         __add_to_page_cache_locked+0x4a9/0x710
         add_to_page_cache_locked+0x15/0x20
         cifs_readpages+0x217/0x1270
         read_pages+0x29a/0x670
         page_cache_readahead_unbounded+0x24f/0x390
         __do_page_cache_readahead+0x3f/0x60
         ondemand_readahead+0x1f1/0x470
         page_cache_async_readahead+0x14c/0x170
         generic_file_buffered_read+0x5df/0x1100
         generic_file_read_iter+0x10c/0x1d0
         cifs_strict_readv+0x139/0x170
         new_sync_read+0x164/0x250
         __vfs_read+0x39/0x60
         vfs_read+0xb5/0x1e0
         ksys_pread64+0x85/0xf0
         __x64_sys_pread64+0x22/0x30
         do_syscall_64+0x69/0x150
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f5071fcb1af
        Code: Bad RIP value.
        RSP: 002b:00007ffde2cdb8e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011
        RAX: ffffffffffffffda RBX: 00007ffde2cdb990 RCX: 00007f5071fcb1af
        RDX: 0000000000001000 RSI: 000055efcd5ca000 RDI: 0000000000000003
        RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000001000 R11: 0000000000000293 R12: 0000000000000001
        R13: 000000000009f000 R14: 0000000000000000 R15: 0000000000001000
        Modules linked in:
        ---[ end trace 725fa14a3e1af65c ]---
      
      Since commit 3fea5a49 ("mm: memcontrol: convert page cache to a new
      mem_cgroup_charge() API") not cancel the page charge, the pages maybe
      double add to pagecache:
      thread1                       | thread2
      cifs_readpages
      readpages_get_pages
       add_to_page_cache_locked(head,index=n)=0
                                    | readpages_get_pages
                                    | add_to_page_cache_locked(head,index=n+1)=0
       add_to_page_cache_locked(head, index=n+1)=-EEXIST
       then, will next loop with list head page's
       index=n+1 and the page->mapping not NULL
      readpages_get_pages
      add_to_page_cache_locked(head, index=n+1)
       commit_charge
        VM_BUG_ON_PAGE
      
      So, we should not do the next loop when any page add to page cache
      failed.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Acked-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d1a2a1c9
    • Alex Williamson's avatar
      vfio/pci: Clear error and request eventfd ctx after releasing · f71d82a6
      Alex Williamson authored
      [ Upstream commit 5c5866c5 ]
      
      The next use of the device will generate an underflow from the
      stale reference.
      
      Cc: Qian Cai <cai@lca.pw>
      Fixes: 1518ac27 ("vfio/pci: fix memory leaks of eventfd ctx")
      Reported-by: default avatarDaniel Wagner <dwagner@suse.de>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Tested-by: default avatarDaniel Wagner <dwagner@suse.de>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f71d82a6
    • Thomas Gleixner's avatar
      x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline · 590bcc21
      Thomas Gleixner authored
      [ Upstream commit a7ef9ba9 ]
      
      Prevent the compiler from uninlining and creating traceable/probable
      functions as this is invoked _after_ context tracking switched to
      CONTEXT_USER and rcu idle.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarAlexandre Chartre <alexandre.chartre@oracle.com>
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20200505134340.902709267@linutronix.deSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      590bcc21
    • Boris Brezillon's avatar
      mtd: parser: cmdline: Support MTD names containing one or more colons · 95d6ed69
      Boris Brezillon authored
      [ Upstream commit eb13fa02 ]
      
      Looks like some drivers define MTD names with a colon in it, thus
      making mtdpart= parsing impossible. Let's fix the parser to gracefully
      handle that case: the last ':' in a partition definition sequence is
      considered instead of the first one.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@collabora.com>
      Signed-off-by: default avatarRon Minnich <rminnich@google.com>
      Tested-by: default avatarRon Minnich <rminnich@google.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      95d6ed69
    • Jeff Layton's avatar
      ceph: fix potential race in ceph_check_caps · 43137370
      Jeff Layton authored
      [ Upstream commit dc3da046 ]
      
      Nothing ensures that session will still be valid by the time we
      dereference the pointer. Take and put a reference.
      
      In principle, we should always be able to get a reference here, but
      throw a warning if that's ever not the case.
      Signed-off-by: default avatarJeff Layton <jlayton@kernel.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      43137370
    • Dinghao Liu's avatar
      mtd: rawnand: omap_elm: Fix runtime PM imbalance on error · 5a30a810
      Dinghao Liu authored
      [ Upstream commit 37f72121 ]
      
      pm_runtime_get_sync() increments the runtime PM usage counter even
      when it returns an error code. Thus a pairing decrement is needed on
      the error handling path to keep the counter balanced.
      Signed-off-by: default avatarDinghao Liu <dinghao.liu@zju.edu.cn>
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Link: https://lore.kernel.org/linux-mtd/20200522104008.28340-1-dinghao.liu@zju.edu.cnSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      5a30a810
    • Adrian Hunter's avatar
      perf kcore_copy: Fix module map when there are no modules loaded · 2bf6a49c
      Adrian Hunter authored
      [ Upstream commit 61f82e3f ]
      
      In the absence of any modules, no "modules" map is created, but there
      are other executable pages to map, due to eBPF JIT, kprobe or ftrace.
      Map them by recognizing that the first "module" symbol is not
      necessarily from a module, and adjust the map accordingly.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Leo Yan <leo.yan@linaro.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: x86@kernel.org
      Link: http://lore.kernel.org/lkml/20200512121922.8997-10-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bf6a49c
    • Xie XiuQi's avatar
      perf util: Fix memory leak of prefix_if_not_in · ba749719
      Xie XiuQi authored
      [ Upstream commit 07e9a6f5 ]
      
      Need to free "str" before return when asprintf() failed to avoid memory
      leak.
      Signed-off-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Hongbo Yao <yaohongbo@huawei.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Li Bin <huawei.libin@huawei.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: http://lore.kernel.org/lkml/20200521133218.30150-4-liwei391@huawei.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ba749719
    • Qian Cai's avatar
      vfio/pci: fix memory leaks of eventfd ctx · f93c17d3
      Qian Cai authored
      [ Upstream commit 1518ac27 ]
      
      Finished a qemu-kvm (-device vfio-pci,host=0001:01:00.0) triggers a few
      memory leaks after a while because vfio_pci_set_ctx_trigger_single()
      calls eventfd_ctx_fdget() without the matching eventfd_ctx_put() later.
      Fix it by calling eventfd_ctx_put() for those memory in
      vfio_pci_release() before vfio_device_release().
      
      unreferenced object 0xebff008981cc2b00 (size 128):
        comm "qemu-kvm", pid 4043, jiffies 4294994816 (age 9796.310s)
        hex dump (first 32 bytes):
          01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  ....kkkk.....N..
          ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
        backtrace:
          [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c
          [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4
          [<000000005fcec025>] do_eventfd+0x54/0x1ac
          [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44
          [<00000000b819758c>] do_el0_svc+0x128/0x1dc
          [<00000000b244e810>] el0_sync_handler+0xd0/0x268
          [<00000000d495ef94>] el0_sync+0x164/0x180
      unreferenced object 0x29ff008981cc4180 (size 128):
        comm "qemu-kvm", pid 4043, jiffies 4294994818 (age 9796.290s)
        hex dump (first 32 bytes):
          01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  ....kkkk.....N..
          ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
        backtrace:
          [<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c
          [<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4
          [<000000005fcec025>] do_eventfd+0x54/0x1ac
          [<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44
          [<00000000b819758c>] do_el0_svc+0x128/0x1dc
          [<00000000b244e810>] el0_sync_handler+0xd0/0x268
          [<00000000d495ef94>] el0_sync+0x164/0x180
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f93c17d3
    • David Sterba's avatar
      btrfs: don't force read-only after error in drop snapshot · 2b8c5a91
      David Sterba authored
      [ Upstream commit 7c09c030 ]
      
      Deleting a subvolume on a full filesystem leads to ENOSPC followed by a
      forced read-only. This is not a transaction abort and the filesystem is
      otherwise ok, so the error should be just propagated to the callers.
      
      This is caused by unnecessary call to btrfs_handle_fs_error for all
      errors, except EAGAIN. This does not make sense as the standard
      transaction abort mechanism is in btrfs_drop_snapshot so all relevant
      failures are handled.
      
      Originally in commit cb1b69f4 ("Btrfs: forced readonly when
      btrfs_drop_snapshot() fails") there was no return value at all, so the
      btrfs_std_error made some sense but once the error handling and
      propagation has been implemented we don't need it anymore.
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2b8c5a91
    • Shreyas Joshi's avatar
      printk: handle blank console arguments passed in. · d8593121
      Shreyas Joshi authored
      [ Upstream commit 48021f98 ]
      
      If uboot passes a blank string to console_setup then it results in
      a trashed memory. Ultimately, the kernel crashes during freeing up
      the memory.
      
      This fix checks if there is a blank parameter being
      passed to console_setup from uboot. In case it detects that
      the console parameter is blank then it doesn't setup the serial
      device and it gracefully exits.
      
      Link: https://lore.kernel.org/r/20200522065306.83-1-shreyas.joshi@biamp.comSigned-off-by: default avatarShreyas Joshi <shreyas.joshi@biamp.com>
      Acked-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      [pmladek@suse.com: Better format the commit message and code, remove unnecessary brackets.]
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d8593121
    • Alexander Duyck's avatar
      e1000: Do not perform reset in reset_task if we are already down · 881e984e
      Alexander Duyck authored
      [ Upstream commit 49ee3c2a ]
      
      We are seeing a deadlock in e1000 down when NAPI is being disabled. Looking
      over the kernel function trace of the system it appears that the interface
      is being closed and then a reset is hitting which deadlocks the interface
      as the NAPI interface is already disabled.
      
      To prevent this from happening I am disabling the reset task when
      __E1000_DOWN is already set. In addition code has been added so that we set
      the __E1000_DOWN while holding the __E1000_RESET flag in e1000_close in
      order to guarantee that the reset task will not run after we have started
      the close call.
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@linux.intel.com>
      Tested-by: default avatarMaxim Zhukov <mussitantesmortem@gmail.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      881e984e
    • Colin Ian King's avatar
      USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int · 7e3ec9cd
      Colin Ian King authored
      [ Upstream commit a7f40c23 ]
      
      The comparison of hcd->irq to less than zero for an error check will
      never be true because hcd->irq is an unsigned int.  Fix this by
      assigning the int retval to the return of platform_get_irq and checking
      this for the -ve error condition and assigning hcd->irq to retval.
      
      Addresses-Coverity: ("Unsigned compared against 0")
      Fixes: c856b4b0 ("USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Link: https://lore.kernel.org/r/20200515165453.104028-1-colin.king@canonical.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7e3ec9cd
    • Miklos Szeredi's avatar
      fuse: don't check refcount after stealing page · 3a9677b7
      Miklos Szeredi authored
      [ Upstream commit 32f98877 ]
      
      page_count() is unstable.  Unless there has been an RCU grace period
      between when the page was removed from the page cache and now, a
      speculative reference may exist from the page cache.
      Reported-by: default avatarMatthew Wilcox <willy@infradead.org>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3a9677b7
    • Takashi Iwai's avatar
      ALSA: hda: Fix potential race in unsol event handler · 70109a8b
      Takashi Iwai authored
      [ Upstream commit c637fa15 ]
      
      The unsol event handling code has a loop retrieving the read/write
      indices and the arrays without locking while the append to the array
      may happen concurrently.  This may lead to some inconsistency.
      Although there hasn't been any proof of this bad results, it's still
      safer to protect the racy accesses.
      
      This patch adds the spinlock protection around the unsol handling loop
      for addressing it.  Here we take bus->reg_lock as the writer side
      snd_hdac_bus_queue_event() is also protected by that lock.
      
      Link: https://lore.kernel.org/r/20200516062556.30951-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      70109a8b
    • Jonathan Bakker's avatar
      tty: serial: samsung: Correct clock selection logic · f2f270bb
      Jonathan Bakker authored
      [ Upstream commit 7d31676a ]
      
      Some variants of the samsung tty driver can pick which clock
      to use for their baud rate generation.  In the DT conversion,
      a default clock was selected to be used if a specific one wasn't
      assigned and then a comparison of which clock rate worked better
      was done.  Unfortunately, the comparison was implemented in such
      a way that only the default clock was ever actually compared.
      Fix this by iterating through all possible clocks, except when a
      specific clock has already been picked via clk_sel (which is
      only possible via board files).
      Signed-off-by: default avatarJonathan Bakker <xc-racer2@live.ca>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Link: https://lore.kernel.org/r/BN6PR04MB06604E63833EA41837EBF77BA3A30@BN6PR04MB0660.namprd04.prod.outlook.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2f270bb
    • Tang Bin's avatar
      USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() · 93851c86
      Tang Bin authored
      [ Upstream commit c856b4b0 ]
      
      If the function platform_get_irq() failed, the negative value
      returned will not be detected here. So fix error handling in
      mv_ehci_probe(). And when get irq failed, the function
      platform_get_irq() logs an error message, so remove redundant
      message here.
      Signed-off-by: default avatarZhang Shengju <zhangshengju@cmss.chinamobile.com>
      Signed-off-by: default avatarTang Bin <tangbin@cmss.chinamobile.com>
      Link: https://lore.kernel.org/r/20200508114305.15740-1-tangbin@cmss.chinamobile.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      93851c86
    • Sonny Sasaka's avatar
      Bluetooth: Handle Inquiry Cancel error after Inquiry Complete · 7f8a294b
      Sonny Sasaka authored
      [ Upstream commit adf1d692 ]
      
      After sending Inquiry Cancel command to the controller, it is possible
      that Inquiry Complete event comes before Inquiry Cancel command complete
      event. In this case the Inquiry Cancel command will have status of
      Command Disallowed since there is no Inquiry session to be cancelled.
      This case should not be treated as error, otherwise we can reach an
      inconsistent state.
      
      Example of a btmon trace when this happened:
      
      < HCI Command: Inquiry Cancel (0x01|0x0002) plen 0
      > HCI Event: Inquiry Complete (0x01) plen 1
              Status: Success (0x00)
      > HCI Event: Command Complete (0x0e) plen 4
            Inquiry Cancel (0x01|0x0002) ncmd 1
              Status: Command Disallowed (0x0c)
      Signed-off-by: default avatarSonny Sasaka <sonnysasaka@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7f8a294b
    • Jonathan Bakker's avatar
      phy: samsung: s5pv210-usb2: Add delay after reset · 2eee83e8
      Jonathan Bakker authored
      [ Upstream commit 05942b8c ]
      
      The USB phy takes some time to reset, so make sure we give it to it. The
      delay length was taken from the 4x12 phy driver.
      
      This manifested in issues with the DWC2 driver since commit fe369e18
      ("usb: dwc2: Make dwc2_readl/writel functions endianness-agnostic.")
      where the endianness check would read the DWC ID as 0 due to the phy still
      resetting, resulting in the wrong endian mode being chosen.
      Signed-off-by: default avatarJonathan Bakker <xc-racer2@live.ca>
      Link: https://lore.kernel.org/r/BN6PR04MB06605D52502816E500683553A3D10@BN6PR04MB0660.namprd04.prod.outlook.comSigned-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2eee83e8
    • Cong Wang's avatar
      atm: fix a memory leak of vcc->user_back · 54d019cd
      Cong Wang authored
      [ Upstream commit 8d9f73c0 ]
      
      In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
      could be installed on entry->recv_vcc too in lec_vcc_added().
      
      This fixes the following memory leak:
      
      unreferenced object 0xffff8880d9266b90 (size 16):
        comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
        hex dump (first 16 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5  ............kkk.
        backtrace:
          [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
          [<(____ptrval____)>] lane_ioctl+0x4b3/0x569
          [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
          [<(____ptrval____)>] svc_ioctl+0x17d/0x198
          [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
          [<(____ptrval____)>] sock_ioctl+0x2f9/0x322
          [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
          [<(____ptrval____)>] ksys_ioctl+0x61/0x80
          [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
          [<(____ptrval____)>] do_syscall_64+0x57/0x65
          [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      54d019cd
    • Krzysztof Kozlowski's avatar
      dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion · 34e255a6
      Krzysztof Kozlowski authored
      [ Upstream commit 8c149b7d ]
      
      The required supplies in bindings were actually not matching
      implementation making the bindings incorrect and misleading.  The Linux
      kernel driver requires all supplies to be present.  Also for wlf,wm8994
      uses just DBVDD-supply instead of DBVDDn-supply (n: <1,3>).
      Reported-by: default avatarJonathan Bakker <xc-racer2@live.ca>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Link: https://lore.kernel.org/r/20200501133534.6706-1-krzk@kernel.orgSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34e255a6
    • Madhuparna Bhowmik's avatar
      drivers: char: tlclk.c: Avoid data race between init and interrupt handler · 73b0eb1b
      Madhuparna Bhowmik authored
      [ Upstream commit 44b8fb6e ]
      
      After registering character device the file operation callbacks can be
      called. The open callback registers interrupt handler.
      Therefore interrupt handler can execute in parallel with rest of the init
      function. To avoid such data race initialize telclk_interrupt variable
      and struct alarm_events before registering character device.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarMadhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
      Link: https://lore.kernel.org/r/20200417153451.1551-1-madhuparnabhowmik10@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      73b0eb1b
    • Douglas Anderson's avatar
      bdev: Reduce time holding bd_mutex in sync in blkdev_close() · 789789a6
      Douglas Anderson authored
      [ Upstream commit b849dd84 ]
      
      While trying to "dd" to the block device for a USB stick, I
      encountered a hung task warning (blocked for > 120 seconds).  I
      managed to come up with an easy way to reproduce this on my system
      (where /dev/sdb is the block device for my USB stick) with:
      
        while true; do dd if=/dev/zero of=/dev/sdb bs=4M; done
      
      With my reproduction here are the relevant bits from the hung task
      detector:
      
       INFO: task udevd:294 blocked for more than 122 seconds.
       ...
       udevd           D    0   294      1 0x00400008
       Call trace:
        ...
        mutex_lock_nested+0x40/0x50
        __blkdev_get+0x7c/0x3d4
        blkdev_get+0x118/0x138
        blkdev_open+0x94/0xa8
        do_dentry_open+0x268/0x3a0
        vfs_open+0x34/0x40
        path_openat+0x39c/0xdf4
        do_filp_open+0x90/0x10c
        do_sys_open+0x150/0x3c8
        ...
      
       ...
       Showing all locks held in the system:
       ...
       1 lock held by dd/2798:
        #0: ffffff814ac1a3b8 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x50/0x204
       ...
       dd              D    0  2798   2764 0x00400208
       Call trace:
        ...
        schedule+0x8c/0xbc
        io_schedule+0x1c/0x40
        wait_on_page_bit_common+0x238/0x338
        __lock_page+0x5c/0x68
        write_cache_pages+0x194/0x500
        generic_writepages+0x64/0xa4
        blkdev_writepages+0x24/0x30
        do_writepages+0x48/0xa8
        __filemap_fdatawrite_range+0xac/0xd8
        filemap_write_and_wait+0x30/0x84
        __blkdev_put+0x88/0x204
        blkdev_put+0xc4/0xe4
        blkdev_close+0x28/0x38
        __fput+0xe0/0x238
        ____fput+0x1c/0x28
        task_work_run+0xb0/0xe4
        do_notify_resume+0xfc0/0x14bc
        work_pending+0x8/0x14
      
      The problem appears related to the fact that my USB disk is terribly
      slow and that I have a lot of RAM in my system to cache things.
      Specifically my writes seem to be happening at ~15 MB/s and I've got
      ~4 GB of RAM in my system that can be used for buffering.  To write 4
      GB of buffer to disk thus takes ~4000 MB / ~15 MB/s = ~267 seconds.
      
      The 267 second number is a problem because in __blkdev_put() we call
      sync_blockdev() while holding the bd_mutex.  Any other callers who
      want the bd_mutex will be blocked for the whole time.
      
      The problem is made worse because I believe blkdev_put() specifically
      tells other tasks (namely udev) to go try to access the device at right
      around the same time we're going to hold the mutex for a long time.
      
      Putting some traces around this (after disabling the hung task detector),
      I could confirm:
       dd:    437.608600: __blkdev_put() right before sync_blockdev() for sdb
       udevd: 437.623901: blkdev_open() right before blkdev_get() for sdb
       dd:    661.468451: __blkdev_put() right after sync_blockdev() for sdb
       udevd: 663.820426: blkdev_open() right after blkdev_get() for sdb
      
      A simple fix for this is to realize that sync_blockdev() works fine if
      you're not holding the mutex.  Also, it's not the end of the world if
      you sync a little early (though it can have performance impacts).
      Thus we can make a guess that we're going to need to do the sync and
      then do it without holding the mutex.  We still do one last sync with
      the mutex but it should be much, much faster.
      
      With this, my hung task warnings for my test case are gone.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      789789a6
    • Steve Rutherford's avatar
      KVM: Remove CREATE_IRQCHIP/SET_PIT2 race · 54d2893f
      Steve Rutherford authored
      [ Upstream commit 7289fdb5 ]
      
      Fixes a NULL pointer dereference, caused by the PIT firing an interrupt
      before the interrupt table has been initialized.
      
      SET_PIT2 can race with the creation of the IRQchip. In particular,
      if SET_PIT2 is called with a low PIT timer period (after the creation of
      the IOAPIC, but before the instantiation of the irq routes), the PIT can
      fire an interrupt at an uninitialized table.
      Signed-off-by: default avatarSteve Rutherford <srutherford@google.com>
      Signed-off-by: default avatarJon Cargille <jcargill@google.com>
      Reviewed-by: default avatarJim Mattson <jmattson@google.com>
      Message-Id: <20200416191152.259434-1-jcargill@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      54d2893f
    • Jaewon Kim's avatar
      mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area · c21895bb
      Jaewon Kim authored
      [ Upstream commit 09ef5283 ]
      
      On passing requirement to vm_unmapped_area, arch_get_unmapped_area and
      arch_get_unmapped_area_topdown did not set align_offset.  Internally on
      both unmapped_area and unmapped_area_topdown, if info->align_mask is 0,
      then info->align_offset was meaningless.
      
      But commit df529cab ("mm: mmap: add trace point of
      vm_unmapped_area") always prints info->align_offset even though it is
      uninitialized.
      
      Fix this uninitialized value issue by setting it to 0 explicitly.
      
      Before:
        vm_unmapped_area: addr=0x755b155000 err=0 total_vm=0x15aaf0 flags=0x1 len=0x109000 lo=0x8000 hi=0x75eed48000 mask=0x0 ofs=0x4022
      
      After:
        vm_unmapped_area: addr=0x74a4ca1000 err=0 total_vm=0x168ab1 flags=0x1 len=0x9000 lo=0x8000 hi=0x753d94b000 mask=0x0 ofs=0x0
      Signed-off-by: default avatarJaewon Kim <jaewon31.kim@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Borislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/20200409094035.19457-1-jaewon31.kim@samsung.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c21895bb