1. 08 Jul, 2018 15 commits
    • Rex Zhu's avatar
      drm/amdgpu: Add APU support in vi_set_uvd_clocks · ce686c42
      Rex Zhu authored
      commit 819a23f8 upstream.
      
      fix the issue set uvd clock failed on CZ/ST
      which lead 1s delay when boot up.
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarHuang Rui <ray.huang@amd.com>
      Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Acked-by: default avatarShirish S <shirish.s@amd.com>
      Signed-off-by: default avatarRex Zhu <Rex.Zhu@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce686c42
    • Alexander Potapenko's avatar
      vt: prevent leaking uninitialized data to userspace via /dev/vcs* · b141de45
      Alexander Potapenko authored
      commit 21eff69a upstream.
      
      KMSAN reported an infoleak when reading from /dev/vcs*:
      
        BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
        Call Trace:
        ...
         kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
         copy_to_user ./include/linux/uaccess.h:184
         vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
         __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
         vfs_read+0x36c/0x6b0 fs/read_write.c:452
        ...
        Uninit was created at:
         kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
         kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
         kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
         __kmalloc+0x13a/0x350 mm/slub.c:3818
         kmalloc ./include/linux/slab.h:517
         vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
         con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
         tty_driver_install_tty drivers/tty/tty_io.c:1224
         tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
         tty_open_by_driver drivers/tty/tty_io.c:1959
         tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
         chrdev_open+0xc25/0xd90 fs/char_dev.c:417
         do_dentry_open+0xccc/0x1440 fs/open.c:794
         vfs_open+0x1b6/0x2f0 fs/open.c:908
        ...
        Bytes 0-79 of 240 are uninitialized
      
      Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem
      
      Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b141de45
    • Johan Hovold's avatar
      serdev: fix memleak on module unload · b124a1c1
      Johan Hovold authored
      commit bc6cf366 upstream.
      
      Make sure to free all resources associated with the ida on module
      exit.
      
      Fixes: cd6484e1 ("serdev: Introduce new bus for serial attached devices")
      Cc: stable <stable@vger.kernel.org>	# 4.11
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b124a1c1
    • Andy Shevchenko's avatar
      serial: 8250_pci: Remove stalled entries in blacklist · 3ff8e558
      Andy Shevchenko authored
      commit 20dcff43 upstream.
      
      After the commit
      
        7d8905d0 ("serial: 8250_pci: Enable device after we check black list")
      
      pure serial multi-port cards, such as CH355, got blacklisted and thus
      not being enumerated anymore. Previously, it seems, blacklisting them
      was on purpose to shut up pciserial_init_one() about record duplication.
      
      So, remove the entries from blacklist in order to get cards enumerated.
      
      Fixes: 7d8905d0 ("serial: 8250_pci: Enable device after we check black list")
      Reported-by: default avatarMatt Turner <mattst88@gmail.com>
      Cc: Sergej Pupykin <ml@sergej.pp.ru>
      Cc: Alexandr Petrenko <petrenkoas83@gmail.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-and-Tested-by: default avatarMatt Turner <mattst88@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ff8e558
    • Laura Abbott's avatar
      staging: android: ion: Return an ERR_PTR in ion_map_kernel · 2a7a8556
      Laura Abbott authored
      commit 0a2bc003 upstream.
      
      The expected return value from ion_map_kernel is an ERR_PTR. The error
      path for a vmalloc failure currently just returns NULL, triggering
      a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.
      
      Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a7a8556
    • Tetsuo Handa's avatar
      n_tty: Access echo_* variables carefully. · c034d161
      Tetsuo Handa authored
      commit ebec3f8f upstream.
      
      syzbot is reporting stalls at __process_echoes() [1]. This is because
      since ldata->echo_commit < ldata->echo_tail becomes true for some reason,
      the discard loop is serving as almost infinite loop. This patch tries to
      avoid falling into ldata->echo_commit < ldata->echo_tail situation by
      making access to echo_* variables more carefully.
      
      Since reset_buffer_flags() is called without output_lock held, it should
      not touch echo_* variables. And omit a call to reset_buffer_flags() from
      n_tty_open() by using vzalloc().
      
      Since add_echo_byte() is called without output_lock held, it needs memory
      barrier between storing into echo_buf[] and incrementing echo_head counter.
      echo_buf() needs corresponding memory barrier before reading echo_buf[].
      Lack of handling the possibility of not-yet-stored multi-byte operation
      might be the reason of falling into ldata->echo_commit < ldata->echo_tail
      situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to
      echo_buf(ldata, tail + 1), the WARN_ON() fires.
      
      Also, explicitly masking with buffer for the former "while" loop, and
      use ldata->echo_commit > tail for the latter "while" loop.
      
      [1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+108696293d7a21ab688f@syzkaller.appspotmail.com>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c034d161
    • Tetsuo Handa's avatar
      n_tty: Fix stall at n_tty_receive_char_special(). · d105fb8c
      Tetsuo Handa authored
      commit 3d63b7e4 upstream.
      
      syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
      because comparison is not working as expected since ldata->read_head can
      change at any moment. Mitigate this by explicitly masking with buffer size
      when checking condition for "while" loops.
      
      [1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
      Fixes: bc5a5e3f ("n_tty: Don't wrap input buffer indices at buffer size")
      Cc: stable <stable@vger.kernel.org>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d105fb8c
    • Zhengjun Xing's avatar
      xhci: Fix kernel oops in trace_xhci_free_virt_device · 716382f1
      Zhengjun Xing authored
      commit d850c165 upstream.
      
      commit 44a182b9 ("xhci: Fix use-after-free in xhci_free_virt_device")
      set dev->udev pointer to NULL in xhci_free_dev(), it will cause kernel
      panic in trace_xhci_free_virt_device. This patch reimplement the trace
      function trace_xhci_free_virt_device, remove dev->udev dereference and
      added more useful parameters to show in the trace function,it also makes
      sure dev->udev is not NULL before calling trace_xhci_free_virt_device.
      This issue happened when xhci-hcd trace is enabled and USB devices hot
      plug test. Original use-after-free patch went to stable so this needs so
      be applied there as well.
      
      [ 1092.022457] usb 2-4: USB disconnect, device number 6
      [ 1092.092772] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      [ 1092.101694] PGD 0 P4D 0
      [ 1092.104601] Oops: 0000 [#1] SMP
      [ 1092.207734] Workqueue: usb_hub_wq hub_event
      [ 1092.212507] RIP: 0010:trace_event_raw_event_xhci_log_virt_dev+0x6c/0xf0
      [ 1092.220050] RSP: 0018:ffff8c252e883d28 EFLAGS: 00010086
      [ 1092.226024] RAX: ffff8c24af86fa84 RBX: 0000000000000003 RCX: ffff8c25255c2a01
      [ 1092.234130] RDX: 0000000000000000 RSI: 00000000aef55009 RDI: ffff8c252e883d28
      [ 1092.242242] RBP: ffff8c252550e2c0 R08: ffff8c24af86fa84 R09: 0000000000000a70
      [ 1092.250364] R10: 0000000000000a70 R11: 0000000000000000 R12: ffff8c251f21a000
      [ 1092.258468] R13: 000000000000000c R14: ffff8c251f21a000 R15: ffff8c251f432f60
      [ 1092.266572] FS:  0000000000000000(0000) GS:ffff8c252e880000(0000) knlGS:0000000000000000
      [ 1092.275757] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1092.282281] CR2: 0000000000000000 CR3: 0000000154209001 CR4: 00000000003606e0
      [ 1092.290384] Call Trace:
      [ 1092.293156]  <IRQ>
      [ 1092.295439]  xhci_free_virt_device.part.34+0x182/0x1a0
      [ 1092.301288]  handle_cmd_completion+0x7ac/0xfa0
      [ 1092.306336]  ? trace_event_raw_event_xhci_log_trb+0x6e/0xa0
      [ 1092.312661]  xhci_irq+0x3e8/0x1f60
      [ 1092.316524]  __handle_irq_event_percpu+0x75/0x180
      [ 1092.321876]  handle_irq_event_percpu+0x20/0x50
      [ 1092.326922]  handle_irq_event+0x36/0x60
      [ 1092.331273]  handle_edge_irq+0x6d/0x180
      [ 1092.335644]  handle_irq+0x16/0x20
      [ 1092.339417]  do_IRQ+0x41/0xc0
      [ 1092.342782]  common_interrupt+0xf/0xf
      [ 1092.346955]  </IRQ>
      
      Fixes: 44a182b9 ("xhci: Fix use-after-free in xhci_free_virt_device")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarZhengjun Xing <zhengjun.xing@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      716382f1
    • Heikki Krogerus's avatar
      usb: typec: ucsi: Fix for incorrect status data issue · 0a7db82e
      Heikki Krogerus authored
      commit 68816e16 upstream.
      
      According to UCSI Specification, Connector Change Event only
      means a change in the Connector Status and Operation Mode
      fields of the STATUS data structure. So any other change
      should create another event.
      
      Unfortunately on some platforms the firmware acting as PPM
      (platform policy manager - usually embedded controller
      firmware) still does not report any other status changes if
      there is a connector change event. So if the connector power
      or data role was changed when a device was plugged to the
      connector, the driver does not get any indication about
      that. The port will show wrong roles if that happens.
      
      To fix the issue, always checking the data and power role
      together with a connector change event.
      
      Fixes: c1b0bc2d ("usb: typec: Add support for UCSI interface")
      Signed-off-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a7db82e
    • Heikki Krogerus's avatar
      usb: typec: ucsi: acpi: Workaround for cache mode issue · 47adbb26
      Heikki Krogerus authored
      commit 1f9f9d16 upstream.
      
      This fixes an issue where the driver fails with an error:
      
      	ioremap error for 0x3f799000-0x3f79a000, requested 0x2, got 0x0
      
      On some platforms the UCSI ACPI mailbox SystemMemory
      Operation Region may be setup before the driver has been
      loaded. That will lead into the driver failing to map the
      mailbox region, as it has been already marked as write-back
      memory. acpi_os_ioremap() for x86 uses ioremap_cache()
      unconditionally.
      
      When the issue happens, the embedded controller has a
      pending query event for the UCSI notification right after
      boot-up which causes the operation region to be setup before
      UCSI driver has been loaded.
      
      The fix is to notify acpi core that the driver is about to
      access memory region which potentially overlaps with an
      operation region right before mapping it.
      acpi_release_memory() will check if the memory has already
      been setup (mapped) by acpi core, and deactivate it (unmap)
      if it has. The driver is then able to map the memory with
      ioremap_nocache() and set the memtype to uncached for the
      region.
      Reported-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Fixes: 8243edf4 ("usb: typec: ucsi: Add ACPI driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47adbb26
    • Heikki Krogerus's avatar
      acpi: Add helper for deactivating memory region · f2e9a385
      Heikki Krogerus authored
      commit d2d2e3c4 upstream.
      
      Sometimes memory resource may be overlapping with
      SystemMemory Operation Region by design, for example if the
      memory region is used as a mailbox for communication with a
      firmware in the system. One occasion of such mailboxes is
      USB Type-C Connector System Software Interface (UCSI).
      
      With regions like that, it is important that the driver is
      able to map the memory with the requirements it has. For
      example, the driver should be allowed to map the memory as
      non-cached memory. However, if the operation region has been
      accessed before the driver has mapped the memory, the memory
      has been marked as write-back by the time the driver is
      loaded. That means the driver will fail to map the memory
      if it expects non-cached memory.
      
      To work around the problem, introducing helper that the
      drivers can use to temporarily deactivate (unmap)
      SystemMemory Operation Regions that overlap with their
      IO memory.
      
      Fixes: 8243edf4 ("usb: typec: ucsi: Add ACPI driver")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2e9a385
    • William Wu's avatar
      usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub · 447294ef
      William Wu authored
      commit 87606759 upstream.
      
      The dwc2_get_ls_map() use ttport to reference into the
      bitmap if we're on a multi_tt hub. But the bitmaps index
      from 0 to (hub->maxchild - 1), while the ttport index from
      1 to hub->maxchild. This will cause invalid memory access
      when the number of ttport is hub->maxchild.
      
      Without this patch, I can easily meet a Kernel panic issue
      if connect a low-speed USB mouse with the max port of FE2.1
      multi-tt hub (1a40:0201) on rk3288 platform.
      
      Fixes: 9f9f09b0 ("usb: dwc2: host: Totally redo the microframe scheduler")
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Acked-by: Minas Harutyunyan hminas@synopsys.com>
      Signed-off-by: default avatarWilliam Wu <william.wu@rock-chips.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      447294ef
    • Karoly Pados's avatar
      USB: serial: cp210x: add Silicon Labs IDs for Windows Update · e80add52
      Karoly Pados authored
      commit 2f839823 upstream.
      
      Silicon Labs defines alternative VID/PID pairs for some chips that when
      used will automatically install drivers for Windows users without manual
      intervention. Unfortunately, these IDs are not recognized by the Linux
      module, so using these IDs improves user experience on one platform but
      degrades it on Linux. This patch addresses this problem.
      Signed-off-by: default avatarKaroly Pados <pados@pados.hu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e80add52
    • Johan Hovold's avatar
      USB: serial: cp210x: add CESINEL device ids · 15e44996
      Johan Hovold authored
      commit 24160628 upstream.
      
      Add device ids for CESINEL products.
      Reported-by: default avatarCarlos Barcala Lara <cabl@cesinel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15e44996
    • Houston Yaroschoff's avatar
      usb: cdc_acm: Add quirk for Uniden UBC125 scanner · 874f2a7d
      Houston Yaroschoff authored
      commit 4a762569 upstream.
      
      Uniden UBC125 radio scanner has USB interface which fails to work
      with cdc_acm driver:
        usb 1-1.5: new full-speed USB device number 4 using xhci_hcd
        cdc_acm 1-1.5:1.0: Zero length descriptor references
        cdc_acm: probe of 1-1.5:1.0 failed with error -22
      
      Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
        usb 1-4: new full-speed USB device number 15 using xhci_hcd
        usb 1-4: New USB device found, idVendor=1965, idProduct=0018
        usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
        usb 1-4: Product: UBC125XLT
        usb 1-4: Manufacturer: Uniden Corp.
        usb 1-4: SerialNumber: 0001
        cdc_acm 1-4:1.0: ttyACM0: USB ACM device
      
      `lsusb -v` of the device:
      
        Bus 001 Device 015: ID 1965:0018 Uniden Corporation
        Device Descriptor:
          bLength                18
          bDescriptorType         1
          bcdUSB               2.00
          bDeviceClass            2 Communications
          bDeviceSubClass         0
          bDeviceProtocol         0
          bMaxPacketSize0        64
          idVendor           0x1965 Uniden Corporation
          idProduct          0x0018
          bcdDevice            0.01
          iManufacturer           1 Uniden Corp.
          iProduct                2 UBC125XLT
          iSerial                 3 0001
          bNumConfigurations      1
          Configuration Descriptor:
            bLength                 9
            bDescriptorType         2
            wTotalLength           48
            bNumInterfaces          2
            bConfigurationValue     1
            iConfiguration          0
            bmAttributes         0x80
              (Bus Powered)
            MaxPower              500mA
            Interface Descriptor:
              bLength                 9
              bDescriptorType         4
              bInterfaceNumber        0
              bAlternateSetting       0
              bNumEndpoints           1
              bInterfaceClass         2 Communications
              bInterfaceSubClass      2 Abstract (modem)
              bInterfaceProtocol      0 None
              iInterface              0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x87  EP 7 IN
                bmAttributes            3
                  Transfer Type            Interrupt
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0008  1x 8 bytes
                bInterval              10
            Interface Descriptor:
              bLength                 9
              bDescriptorType         4
              bInterfaceNumber        1
              bAlternateSetting       0
              bNumEndpoints           2
              bInterfaceClass        10 CDC Data
              bInterfaceSubClass      0 Unused
              bInterfaceProtocol      0
              iInterface              0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x81  EP 1 IN
                bmAttributes            2
                  Transfer Type            Bulk
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0040  1x 64 bytes
                bInterval               0
              Endpoint Descriptor:
                bLength                 7
                bDescriptorType         5
                bEndpointAddress     0x02  EP 2 OUT
                bmAttributes            2
                  Transfer Type            Bulk
                  Synch Type               None
                  Usage Type               Data
                wMaxPacketSize     0x0040  1x 64 bytes
                bInterval               0
        Device Status:     0x0000
          (Bus Powered)
      Signed-off-by: default avatarHouston Yaroschoff <hstn@4ever3.net>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      874f2a7d
  2. 03 Jul, 2018 25 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.53 · fa745a1b
      Greg Kroah-Hartman authored
      fa745a1b
    • Mathias Nyman's avatar
      xhci: Fix use-after-free in xhci_free_virt_device · 4798e96b
      Mathias Nyman authored
      commit 44a182b9 upstream.
      
      KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
      where xhci_free_virt_device() sets slot id to 0 if udev exists:
      if (dev->udev && dev->udev->slot_id)
      	dev->udev->slot_id = 0;
      
      dev->udev will be true even if udev is freed because dev->udev is
      not set to NULL.
      
      set dev->udev pointer to NULL in xhci_free_dev()
      
      The original patch went to stable so this fix needs to be applied
      there as well.
      
      Fixes: a400efe4 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4798e96b
    • Mike Snitzer's avatar
      dm thin: handle running out of data space vs concurrent discard · 0b19825f
      Mike Snitzer authored
      commit a685557f upstream.
      
      Discards issued to a DM thin device can complete to userspace (via
      fstrim) _before_ the metadata changes associated with the discards is
      reflected in the thinp superblock (e.g. free blocks).  As such, if a
      user constructs a test that loops repeatedly over these steps, block
      allocation can fail due to discards not having completed yet:
      1) fill thin device via filesystem file
      2) remove file
      3) fstrim
      
      From initial report, here:
      https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html
      
      "The root cause of this issue is that dm-thin will first remove
      mapping and increase corresponding blocks' reference count to prevent
      them from being reused before DISCARD bios get processed by the
      underlying layers. However. increasing blocks' reference count could
      also increase the nr_allocated_this_transaction in struct sm_disk
      which makes smd->old_ll.nr_allocated +
      smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
      In this case, alloc_data_block() will never commit metadata to reset
      the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
      always return an underflow value."
      
      While there is room for improvement to the space-map accounting that
      thinp is making use of: the reality is this test is inherently racey and
      will result in the previous iteration's fstrim's discard(s) completing
      vs concurrent block allocation, via dd, in the next iteration of the
      loop.
      
      No amount of space map accounting improvements will be able to allow
      user's to use a block before a discard of that block has completed.
      
      So the best we can really do is allow DM thinp to gracefully handle such
      aggressive use of all the pool's data by degrading the pool into
      out-of-data-space (OODS) mode.  We _should_ get that behaviour already
      (if space map accounting didn't falsely cause alloc_data_block() to
      believe free space was available).. but short of that we handle the
      current reality that dm_pool_alloc_data_block() can return -ENOSPC.
      Reported-by: default avatarDennis Yang <dennisyang@qnap.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b19825f
    • Bart Van Assche's avatar
      dm zoned: avoid triggering reclaim from inside dmz_map() · fb4d8744
      Bart Van Assche authored
      commit 2d0b2d64 upstream.
      
      This patch avoids that lockdep reports the following:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.18.0-rc1 #62 Not tainted
      ------------------------------------------------------
      kswapd0/84 is trying to acquire lock:
      00000000c313516d (&xfs_nondir_ilock_class){++++}, at: xfs_free_eofblocks+0xa2/0x1e0
      
      but task is already holding lock:
      00000000591c83ae (fs_reclaim){+.+.}, at: __fs_reclaim_acquire+0x5/0x30
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #2 (fs_reclaim){+.+.}:
        kmem_cache_alloc+0x2c/0x2b0
        radix_tree_node_alloc.constprop.19+0x3d/0xc0
        __radix_tree_create+0x161/0x1c0
        __radix_tree_insert+0x45/0x210
        dmz_map+0x245/0x2d0 [dm_zoned]
        __map_bio+0x40/0x260
        __split_and_process_non_flush+0x116/0x220
        __split_and_process_bio+0x81/0x180
        __dm_make_request.isra.32+0x5a/0x100
        generic_make_request+0x36e/0x690
        submit_bio+0x6c/0x140
        mpage_readpages+0x19e/0x1f0
        read_pages+0x6d/0x1b0
        __do_page_cache_readahead+0x21b/0x2d0
        force_page_cache_readahead+0xc4/0x100
        generic_file_read_iter+0x7c6/0xd20
        __vfs_read+0x102/0x180
        vfs_read+0x9b/0x140
        ksys_read+0x55/0xc0
        do_syscall_64+0x5a/0x1f0
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      -> #1 (&dmz->chunk_lock){+.+.}:
        dmz_map+0x133/0x2d0 [dm_zoned]
        __map_bio+0x40/0x260
        __split_and_process_non_flush+0x116/0x220
        __split_and_process_bio+0x81/0x180
        __dm_make_request.isra.32+0x5a/0x100
        generic_make_request+0x36e/0x690
        submit_bio+0x6c/0x140
        _xfs_buf_ioapply+0x31c/0x590
        xfs_buf_submit_wait+0x73/0x520
        xfs_buf_read_map+0x134/0x2f0
        xfs_trans_read_buf_map+0xc3/0x580
        xfs_read_agf+0xa5/0x1e0
        xfs_alloc_read_agf+0x59/0x2b0
        xfs_alloc_pagf_init+0x27/0x60
        xfs_bmap_longest_free_extent+0x43/0xb0
        xfs_bmap_btalloc_nullfb+0x7f/0xf0
        xfs_bmap_btalloc+0x428/0x7c0
        xfs_bmapi_write+0x598/0xcc0
        xfs_iomap_write_allocate+0x15a/0x330
        xfs_map_blocks+0x1cf/0x3f0
        xfs_do_writepage+0x15f/0x7b0
        write_cache_pages+0x1ca/0x540
        xfs_vm_writepages+0x65/0xa0
        do_writepages+0x48/0xf0
        __writeback_single_inode+0x58/0x730
        writeback_sb_inodes+0x249/0x5c0
        wb_writeback+0x11e/0x550
        wb_workfn+0xa3/0x670
        process_one_work+0x228/0x670
        worker_thread+0x3c/0x390
        kthread+0x11c/0x140
        ret_from_fork+0x3a/0x50
      
      -> #0 (&xfs_nondir_ilock_class){++++}:
        down_read_nested+0x43/0x70
        xfs_free_eofblocks+0xa2/0x1e0
        xfs_fs_destroy_inode+0xac/0x270
        dispose_list+0x51/0x80
        prune_icache_sb+0x52/0x70
        super_cache_scan+0x127/0x1a0
        shrink_slab.part.47+0x1bd/0x590
        shrink_node+0x3b5/0x470
        balance_pgdat+0x158/0x3b0
        kswapd+0x1ba/0x600
        kthread+0x11c/0x140
        ret_from_fork+0x3a/0x50
      
      other info that might help us debug this:
      
      Chain exists of:
        &xfs_nondir_ilock_class --> &dmz->chunk_lock --> fs_reclaim
      
      Possible unsafe locking scenario:
      
           CPU0                    CPU1
           ----                    ----
      lock(fs_reclaim);
                                   lock(&dmz->chunk_lock);
                                   lock(fs_reclaim);
      lock(&xfs_nondir_ilock_class);
      fb4d8744
    • Kirill A. Shutemov's avatar
      x86/efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y · 0cfb151b
      Kirill A. Shutemov authored
      commit cfe19577 upstream.
      
      Open-coded page table entry checks don't work correctly when we fold the
      page table level at runtime.
      
      pgd_present() on 4-level paging machine always returns true, but
      open-coded version of the check may return false-negative result and
      we silently skip the rest of the loop body in efi_call_phys_epilog().
      
      Replace open-coded checks with proper helpers.
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Baoquan He <bhe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org # v4.12+
      Fixes: 94133e46 ("x86/efi: Correct EFI identity mapping under 'efi=old_map' when KASLR is enabled")
      Link: http://lkml.kernel.org/r/20180625120852.18300-1-kirill.shutemov@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cfb151b
    • Bart Van Assche's avatar
      block: Fix cloning of requests with a special payload · 25114134
      Bart Van Assche authored
      commit 297ba57d upstream.
      
      This patch avoids that removing a path controlled by the dm-mpath driver
      while mkfs is running triggers the following kernel bug:
      
          kernel BUG at block/blk-core.c:3347!
          invalid opcode: 0000 [#1] PREEMPT SMP KASAN
          CPU: 20 PID: 24369 Comm: mkfs.ext4 Not tainted 4.18.0-rc1-dbg+ #2
          RIP: 0010:blk_end_request_all+0x68/0x70
          Call Trace:
           <IRQ>
           dm_softirq_done+0x326/0x3d0 [dm_mod]
           blk_done_softirq+0x19b/0x1e0
           __do_softirq+0x128/0x60d
           irq_exit+0x100/0x110
           smp_call_function_single_interrupt+0x90/0x330
           call_function_single_interrupt+0xf/0x20
           </IRQ>
      
      Fixes: f9d03f96 ("block: improve handling of the magic discard payload")
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25114134
    • Keith Busch's avatar
      block: Fix transfer when chunk sectors exceeds max · 29413e06
      Keith Busch authored
      commit 15bfd21f upstream.
      
      A device may have boundary restrictions where the number of sectors
      between boundaries exceeds its max transfer size. In this case, we need
      to cap the max size to the smaller of the two limits.
      Reported-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Tested-by: default avatarJitendra Bhivare <jitendra.bhivare@broadcom.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29413e06
    • Mikulas Patocka's avatar
      slub: fix failure when we delete and create a slab cache · 804a0db7
      Mikulas Patocka authored
      commit d50d82fa upstream.
      
      In kernel 4.17 I removed some code from dm-bufio that did slab cache
      merging (commit 21bb1327: "dm bufio: remove code that merges slab
      caches") - both slab and slub support merging caches with identical
      attributes, so dm-bufio now just calls kmem_cache_create and relies on
      implicit merging.
      
      This uncovered a bug in the slub subsystem - if we delete a cache and
      immediatelly create another cache with the same attributes, it fails
      because of duplicate filename in /sys/kernel/slab/.  The slub subsystem
      offloads freeing the cache to a workqueue - and if we create the new
      cache before the workqueue runs, it complains because of duplicate
      filename in sysfs.
      
      This patch fixes the bug by moving the call of kobject_del from
      sysfs_slab_remove_workfn to shutdown_cache.  kobject_del must be called
      while we hold slab_mutex - so that the sysfs entry is deleted before a
      cache with the same attributes could be created.
      
      Running device-mapper-test-suite with:
      
        dmtest run --suite thin-provisioning -n /commit_failure_causes_fallback/
      
      triggered:
      
        Buffer I/O error on dev dm-0, logical block 1572848, async page read
        device-mapper: thin: 253:1: metadata operation 'dm_pool_alloc_data_block' failed: error = -5
        device-mapper: thin: 253:1: aborting current metadata transaction
        sysfs: cannot create duplicate filename '/kernel/slab/:a-0000144'
        CPU: 2 PID: 1037 Comm: kworker/u48:1 Not tainted 4.17.0.snitm+ #25
        Hardware name: Supermicro SYS-1029P-WTR/X11DDW-L, BIOS 2.0a 12/06/2017
        Workqueue: dm-thin do_worker [dm_thin_pool]
        Call Trace:
         dump_stack+0x5a/0x73
         sysfs_warn_dup+0x58/0x70
         sysfs_create_dir_ns+0x77/0x80
         kobject_add_internal+0xba/0x2e0
         kobject_init_and_add+0x70/0xb0
         sysfs_slab_add+0xb1/0x250
         __kmem_cache_create+0x116/0x150
         create_cache+0xd9/0x1f0
         kmem_cache_create_usercopy+0x1c1/0x250
         kmem_cache_create+0x18/0x20
         dm_bufio_client_create+0x1ae/0x410 [dm_bufio]
         dm_block_manager_create+0x5e/0x90 [dm_persistent_data]
         __create_persistent_data_objects+0x38/0x940 [dm_thin_pool]
         dm_pool_abort_metadata+0x64/0x90 [dm_thin_pool]
         metadata_operation_failed+0x59/0x100 [dm_thin_pool]
         alloc_data_block.isra.53+0x86/0x180 [dm_thin_pool]
         process_cell+0x2a3/0x550 [dm_thin_pool]
         do_worker+0x28d/0x8f0 [dm_thin_pool]
         process_one_work+0x171/0x370
         worker_thread+0x49/0x3f0
         kthread+0xf8/0x130
         ret_from_fork+0x35/0x40
        kobject_add_internal failed for :a-0000144 with -EEXIST, don't try to register things with the same name in the same directory.
        kmem_cache_create(dm_bufio_buffer-16) failed with error -17
      
      Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1806151817130.6333@file01.intranet.prod.int.rdu2.redhat.comSigned-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reported-by: default avatarMike Snitzer <snitzer@redhat.com>
      Tested-by: default avatarMike Snitzer <snitzer@redhat.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      804a0db7
    • Hui Wang's avatar
      ALSA: hda/realtek - Fix the problem of two front mics on more machines · cd41a8fa
      Hui Wang authored
      commit e41fc8c5 upstream.
      
      We have 3 more Lenovo machines, they all have 2 front mics on them,
      so they need the fixup to change the location for one of two mics.
      
      Among these 3 Lenovo machines, one of them has the same pin cfg as the
      machine with subid 0x17aa3138, so use the pin cfg table to apply fixup
      for them. The rest machines don't share the same pin cfg, so far use
      the subid to apply fixup for them.
      
      Fixes: a3dafb22 ("ALSA: hda/realtek - adjust the location of one mic")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd41a8fa
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 · c75f0475
      Takashi Iwai authored
      commit 275ec0cb upstream.
      
      Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270
      for the correct pin configs.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c75f0475
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co · 59bcd694
      Takashi Iwai authored
      commit d5a6cabf upstream.
      
      Some Lenovo laptops, e.g. Lenovo P50, showed the pop noise at resume
      or runtime resume.  It turned out to be reduced by applying
      alc_no_shutup() just like TPT440 quirk does.
      
      Since there are many Lenovo models showing the same behavior, put this
      workaround in ALC269_FIXUP_THINKPAD_ACPI entry so that it's applied
      commonly to all such Lenovo machines.
      Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
      Tested-by: default avatarBenjamin Berg <bberg@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59bcd694
    • Takashi Iwai's avatar
      ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl · 69f96e9b
      Takashi Iwai authored
      commit b41f794f upstream.
      
      The kernel may spew a WARNING about UBSAN undefined behavior at
      handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:
      
      UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
      signed integer overflow:
      2147483647 + 1 cannot be represented in type 'int'
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x122/0x1c8 lib/dump_stack.c:113
       ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
       handle_overflow+0x1c2/0x21f lib/ubsan.c:190
       __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
       snd_timer_user_next_device sound/core/timer.c:1524 [inline]
       __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
       snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
       ....
      
      It happens only when a value with INT_MAX is passed, as we're
      incrementing it unconditionally.  So the fix is trivial, check the
      value with INT_MAX.  Although the bug itself is fairly harmless, it's
      better to fix it so that fuzzers won't hit this again later.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213Reported-and-tested-by: default avatarTeam OWL337 <icytxw@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69f96e9b
    • ???'s avatar
      Input: elantech - fix V4 report decoding for module with middle key · 3d1de951
      ??? authored
      commit e0ae2519 upstream.
      
      Some touchpad has middle key and it will be indicated in bit 2 of packet[0].
      We need to fix V4 formation's byte mask to prevent error decoding.
      Signed-off-by: default avatarKT Liao <kt.liao@emc.com.tw>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d1de951
    • Aaron Ma's avatar
      Input: elantech - enable middle button of touchpads on ThinkPad P52 · 524a0c6f
      Aaron Ma authored
      commit 24bb555e upstream.
      
      PNPID is better way to identify the type of touchpads.
      Enable middle button support on 2 types of touchpads on Lenovo P52.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      524a0c6f
    • Ben Hutchings's avatar
      Input: elan_i2c_smbus - fix more potential stack buffer overflows · ade76764
      Ben Hutchings authored
      commit 50fc7b61 upstream.
      
      Commit 40f7090b ("Input: elan_i2c_smbus - fix corrupted stack")
      fixed most of the functions using i2c_smbus_read_block_data() to
      allocate a buffer with the maximum block size.  However three
      functions were left unchanged:
      
      * In elan_smbus_initialize(), increase the buffer size in the same
        way.
      * In elan_smbus_calibrate_result(), the buffer is provided by the
        caller (calibrate_store()), so introduce a bounce buffer.  Also
        name the result buffer size.
      * In elan_smbus_get_report(), the buffer is provided by the caller
        but happens to be the right length.  Add a compile-time assertion
        to ensure this remains the case.
      
      Cc: <stable@vger.kernel.org> # 3.19+
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ade76764
    • Enno Boland's avatar
      Input: xpad - fix GPD Win 2 controller name · 8fa05285
      Enno Boland authored
      commit dd6bee81 upstream.
      
      This fixes using the controller with SDL2.
      
      SDL2 has a naive algorithm to apply the correct settings to a controller.
      For X-Box compatible controllers it expects that the controller name
      contains a variation of a 'XBOX'-string.
      
      This patch changes the identifier to contain "X-Box" as substring.  Tested
      with Steam and C-Dogs-SDL which both detect the controller properly after
      adding this patch.
      
      Fixes: c1ba0839 ("Input: xpad - add GPD Win 2 Controller USB IDs")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEnno Boland <gottox@voidlinux.eu>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8fa05285
    • Jan Kara's avatar
      udf: Detect incorrect directory size · 1b241aa8
      Jan Kara authored
      commit fa65653e upstream.
      
      Detect when a directory entry is (possibly partially) beyond directory
      size and return EIO in that case since it means the filesystem is
      corrupted. Otherwise directory operations can further corrupt the
      directory and possibly also oops the kernel.
      
      CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      CC: stable@vger.kernel.org
      Reported-and-tested-by: default avatarAnatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b241aa8
    • Boris Ostrovsky's avatar
      xen: Remove unnecessary BUG_ON from __unbind_from_irq() · d08dfdea
      Boris Ostrovsky authored
      commit eef04c7b upstream.
      
      Commit 910f8bef ("xen/pirq: fix error path cleanup when binding
      MSIs") fixed a couple of errors in error cleanup path of
      xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
      __unbind_from_irq() with an unbound irq, which would result in
      triggering the BUG_ON there.
      
      Since there is really no reason for the BUG_ON (xen_free_irq() can
      operate on unbound irqs) we can remove it.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d08dfdea
    • Dan Williams's avatar
      mm: fix devmem_is_allowed() for sub-page System RAM intersections · fff76ff5
      Dan Williams authored
      commit 2bdce744 upstream.
      
      Hussam reports:
      
          I was poking around and for no real reason, I did cat /dev/mem and
          strings /dev/mem.  Then I saw the following warning in dmesg. I saved it
          and rebooted immediately.
      
           memremap attempted on mixed range 0x000000000009c000 size: 0x1000
           ------------[ cut here ]------------
           WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170
           [..]
           Call Trace:
            xlate_dev_mem_ptr+0x25/0x40
            read_mem+0x89/0x1a0
            __vfs_read+0x36/0x170
      
      The memremap() implementation checks for attempts to remap System RAM
      with MEMREMAP_WB and instead redirects those mapping attempts to the
      linear map.  However, that only works if the physical address range
      being remapped is page aligned.  In low memory we have situations like
      the following:
      
          00000000-00000fff : Reserved
          00001000-0009fbff : System RAM
          0009fc00-0009ffff : Reserved
      
      ...where System RAM intersects Reserved ranges on a sub-page page
      granularity.
      
      Given that devmem_is_allowed() special cases any attempt to map System
      RAM in the first 1MB of memory, replace page_is_ram() with the more
      precise region_intersects() to trap attempts to map disallowed ranges.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999
      Link: http://lkml.kernel.org/r/152856436164.18127.2847888121707136898.stgit@dwillia2-desk3.amr.corp.intel.com
      Fixes: 92281dee ("arch: introduce memremap()")
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Reported-by: default avatarHussam Al-Tayeb <me@hussam.eu.org>
      Tested-by: default avatarHussam Al-Tayeb <me@hussam.eu.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fff76ff5
    • Jia He's avatar
      mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() · 6f230284
      Jia He authored
      commit 1105a2fc upstream.
      
      In our armv8a server(QDF2400), I noticed lots of WARN_ON caused by
      PAGE_SIZE unaligned for rmap_item->address under memory pressure
      tests(start 20 guests and run memhog in the host).
      
        WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
        CPU: 4 PID: 4641 Comm: memhog Tainted: G        W 4.17.0-rc3+ #8
        Call trace:
         kvm_age_hva_handler+0xc0/0xc8
         handle_hva_to_gpa+0xa8/0xe0
         kvm_age_hva+0x4c/0xe8
         kvm_mmu_notifier_clear_flush_young+0x54/0x98
         __mmu_notifier_clear_flush_young+0x6c/0xa0
         page_referenced_one+0x154/0x1d8
         rmap_walk_ksm+0x12c/0x1d0
         rmap_walk+0x94/0xa0
         page_referenced+0x194/0x1b0
         shrink_page_list+0x674/0xc28
         shrink_inactive_list+0x26c/0x5b8
         shrink_node_memcg+0x35c/0x620
         shrink_node+0x100/0x430
         do_try_to_free_pages+0xe0/0x3a8
         try_to_free_pages+0xe4/0x230
         __alloc_pages_nodemask+0x564/0xdc0
         alloc_pages_vma+0x90/0x228
         do_anonymous_page+0xc8/0x4d0
         __handle_mm_fault+0x4a0/0x508
         handle_mm_fault+0xf8/0x1b0
         do_page_fault+0x218/0x4b8
         do_translation_fault+0x90/0xa0
         do_mem_abort+0x68/0xf0
         el0_da+0x24/0x28
      
      In rmap_walk_ksm, the rmap_item->address might still have the
      STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
      PAGE_SIZE aligned.  Thus it will cause exceptions in handle_hva_to_gpa
      on arm64.
      
      This patch fixes it by ignoring (not removing) the low bits of address
      when doing rmap_walk_ksm.
      
      IMO, it should be backported to stable tree.  the storm of WARN_ONs is
      very easy for me to reproduce.  More than that, I watched a panic (not
      reproducible) as follows:
      
        page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
        flags: 0x1fffc00000000000()
        raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
        raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
        page dumped because: nonzero _refcount
        CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
        Hardware name: <snip for confidential issues>
        Call trace:
          dump_backtrace+0x0/0x22c
          show_stack+0x24/0x2c
          dump_stack+0x8c/0xb0
          bad_page+0xf4/0x154
          free_pages_check_bad+0x90/0x9c
          free_pcppages_bulk+0x464/0x518
          free_hot_cold_page+0x22c/0x300
          __put_page+0x54/0x60
          unmap_stage2_range+0x170/0x2b4
          kvm_unmap_hva_handler+0x30/0x40
          handle_hva_to_gpa+0xb0/0xec
          kvm_unmap_hva_range+0x5c/0xd0
      
      I even injected a fault on purpose in kvm_unmap_hva_range by seting
      size=size-0x200, the call trace is similar as above.  So I thought the
      panic is similarly caused by the root cause of WARN_ON.
      
      Andrea said:
      
      : It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
      : zap those bits and hide the misalignment caused by the low metadata
      : bits being erroneously left set in the address, but the arm code
      : notices when that's the last page in the memslot and the hva_end is
      : getting aligned and the size is below one page.
      :
      : I think the problem triggers in the addr += PAGE_SIZE of
      : unmap_stage2_ptes that never matches end because end is aligned but
      : addr is not.
      :
      : 	} while (pte++, addr += PAGE_SIZE, addr != end);
      :
      : x86 again only works on hva_start/hva_end after converting it to
      : gfn_start/end and that being in pfn units the bits are zapped before
      : they risk to cause trouble.
      
      Jia He said:
      
      : I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without
      : this patch, the WARN_ON is very easy for reproducing.  After this patch, I
      : have run the same benchmarch for a whole day without any WARN_ONs
      
      Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.comSigned-off-by: default avatarJia He <jia.he@hxt-semitech.com>
      Reviewed-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Tested-by: default avatarJia He <hejianet@gmail.com>
      Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
      Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
      Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f230284
    • Dongsheng Yang's avatar
      rbd: flush rbd_dev->watch_dwork after watch is unregistered · 76022230
      Dongsheng Yang authored
      commit 23edca86 upstream.
      
      There is a problem if we are going to unmap a rbd device and the
      watch_dwork is going to queue delayed work for watch:
      
      unmap Thread                    watch Thread                  timer
      do_rbd_remove
        cancel_tasks_sync(rbd_dev)
                                      queue_delayed_work for watch
        destroy_workqueue(rbd_dev->task_wq)
          drain_workqueue(wq)
          destroy other resources in wq
                                                                    call_timer_fn
                                                                      __queue_work()
      
      Then the delayed work escape the cancel_tasks_sync() and
      destroy_workqueue() and we will get an user-after-free call trace:
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP PTI
        Modules linked in:
        CPU: 7 PID: 0 Comm: swapper/7 Tainted: G           OE     4.17.0-rc6+ #13
        Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
        RIP: 0010:__queue_work+0x6a/0x3b0
        RSP: 0018:ffff9427df1c3e90 EFLAGS: 00010086
        RAX: ffff9427deca8400 RBX: 0000000000000000 RCX: 0000000000000000
        RDX: ffff9427deca8400 RSI: ffff9427df1c3e50 RDI: 0000000000000000
        RBP: ffff942783e39e00 R08: ffff9427deca8400 R09: ffff9427df1c3f00
        R10: 0000000000000004 R11: 0000000000000005 R12: ffff9427cfb85970
        R13: 0000000000002000 R14: 000000000001eca0 R15: 0000000000000007
        FS:  0000000000000000(0000) GS:ffff9427df1c0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 00000004c900a005 CR4: 00000000000206e0
        Call Trace:
         <IRQ>
         ? __queue_work+0x3b0/0x3b0
         call_timer_fn+0x2d/0x130
         run_timer_softirq+0x16e/0x430
         ? tick_sched_timer+0x37/0x70
         __do_softirq+0xd2/0x280
         irq_exit+0xd5/0xe0
         smp_apic_timer_interrupt+0x6c/0x130
         apic_timer_interrupt+0xf/0x20
      
      [ Move rbd_dev->watch_dwork cancellation so that rbd_reregister_watch()
        either bails out early because the watch is UNREGISTERED at that point
        or just gets cancelled. ]
      
      Cc: stable@vger.kernel.org
      Fixes: 99d16943 ("rbd: retry watch re-registration periodically")
      Signed-off-by: default avatarDongsheng Yang <dongsheng.yang@easystack.cn>
      Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76022230
    • Hans de Goede's avatar
      pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume · 3c718460
      Hans de Goede authored
      commit 1d375b58 upstream.
      
      On some devices the contents of the ctrl register get lost over a
      suspend/resume and the PWM comes back up disabled after the resume.
      
      This is seen on some Bay Trail devices with the PWM in ACPI enumerated
      mode, so it shows up as a platform device instead of a PCI device.
      
      If we still think it is enabled and then try to change the duty-cycle
      after this, we end up with a "PWM_SW_UPDATE was not cleared" error and
      the PWM is stuck in that state from then on.
      
      This commit adds suspend and resume pm callbacks to the pwm-lpss-platform
      code, which save/restore the ctrl register over a suspend/resume, fixing
      this.
      
      Note that:
      
      1) There is no need to do this over a runtime suspend, since we
      only runtime suspend when disabled and then we properly set the enable
      bit and reprogram the timings when we re-enable the PWM.
      
      2) This may be happening on more systems then we realize, but has been
      covered up sofar by a bug in the acpi-lpss.c code which was save/restoring
      the regular device registers instead of the lpss private registers due to
      lpss_device_desc.prv_offset not being set. This is fixed by a later patch
      in this series.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c718460
    • Alexandr Savca's avatar
      Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID · 24ab6e68
      Alexandr Savca authored
      commit 8938fc7b upstream.
      
      Add ELAN0618 to the list of supported touchpads; this ID is used in
      Lenovo v330 15IKB devices.
      Signed-off-by: default avatarAlexandr Savca <alexandr.savca@saltedge.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24ab6e68
    • Hans de Goede's avatar
      ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices · a7f3c0ab
      Hans de Goede authored
      commit fdcb613d upstream.
      
      The LPSS PWM device on on Bay Trail and Cherry Trail devices has a set
      of private registers at offset 0x800, the current lpss_device_desc for
      them already sets the LPSS_SAVE_CTX flag to have these saved/restored
      over device-suspend, but the current lpss_device_desc was not setting
      the prv_offset field, leading to the regular device registers getting
      saved/restored instead.
      
      This is causing the PWM controller to no longer work, resulting in a black
      screen,  after a suspend/resume on systems where the firmware clears the
      APB clock and reset bits at offset 0x804.
      
      This commit fixes this by properly setting prv_offset to 0x800 for
      the PWM devices.
      
      Cc: stable@vger.kernel.org
      Fixes: e1c74817 ("ACPI / LPSS: Add Intel BayTrail ACPI mode PWM")
      Fixes: 1bfbd8eb ("ACPI / LPSS: Add ACPI IDs for Intel Braswell")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarRafael J . Wysocki <rjw@rjwysocki.net>
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7f3c0ab
    • Kees Cook's avatar
      video: uvesafb: Fix integer overflow in allocation · 9aa818d4
      Kees Cook authored
      commit 9f645bcc upstream.
      
      cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
      allocation. This uses kmalloc_array() instead to catch the condition.
      Reported-by: default avatarDr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
      Fixes: 8bdb3a2d ("uvesafb: the driver core")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aa818d4