1. 17 Apr, 2020 40 commits
    • Takashi Iwai's avatar
      ALSA: hda: Add driver blacklist · d1fea655
      Takashi Iwai authored
      commit 3c6fd1f0 upstream.
      
      The recent AMD platform exposes an HD-audio bus but without any actual
      codecs, which is internally tied with a USB-audio device, supposedly.
      It results in "no codecs" error of HD-audio bus driver, and it's
      nothing but a waste of resources.
      
      This patch introduces a static blacklist table for skipping such a
      known bogus PCI SSID entry.  As of writing this patch, the known SSIDs
      are:
      * 1043:874f - ASUS ROG Zenith II / Strix
      * 1462:cb59 - MSI TRX40 Creator
      * 1462:cb60 - MSI TRX40
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206543
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200408140449.22319-2-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1fea655
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add mixer workaround for TRX40 and co · 2754914b
      Takashi Iwai authored
      commit 2a48218f upstream.
      
      Some recent boards (supposedly with a new AMD platform) contain the
      USB audio class 2 device that is often tied with HD-audio.  The device
      exposes an Input Gain Pad control (id=19, control=12) but this node
      doesn't behave correctly, returning an error for each inquiry of
      GET_MIN and GET_MAX that should have been mandatory.
      
      As a workaround, simply ignore this node by adding a usbmix_name_map
      table entry.  The currently known devices are:
      * 0414:a002 - Gigabyte TRX40 Aorus Pro WiFi
      * 0b05:1916 - ASUS ROG Zenith II
      * 0b05:1917 - ASUS ROG Strix
      * 0db0:0d64 - MSI TRX40 Creator
      * 0db0:543d - MSI TRX40
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206543
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200408140449.22319-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2754914b
    • Thinh Nguyen's avatar
      usb: gadget: composite: Inform controller driver of self-powered · 62769157
      Thinh Nguyen authored
      commit 5e5caf4f upstream.
      
      Different configuration/condition may draw different power. Inform the
      controller driver of the change so it can respond properly (e.g.
      GET_STATUS request). This fixes an issue with setting MaxPower from
      configfs. The composite driver doesn't check this value when setting
      self-powered.
      
      Cc: stable@vger.kernel.org
      Fixes: 88af8bbe ("usb: gadget: the start of the configfs interface")
      Signed-off-by: default avatarThinh Nguyen <thinhn@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62769157
    • Sriharsha Allenki's avatar
      usb: gadget: f_fs: Fix use after free issue as part of queue failure · 2ad53606
      Sriharsha Allenki authored
      commit f63ec55f upstream.
      
      In AIO case, the request is freed up if ep_queue fails.
      However, io_data->req still has the reference to this freed
      request. In the case of this failure if there is aio_cancel
      call on this io_data it will lead to an invalid dequeue
      operation and a potential use after free issue.
      Fix this by setting the io_data->req to NULL when the request
      is freed as part of queue failure.
      
      Fixes: 2e4c7553 ("usb: gadget: f_fs: add aio support")
      Signed-off-by: default avatarSriharsha Allenki <sallenki@codeaurora.org>
      CC: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Link: https://lore.kernel.org/r/20200326115620.12571-1-sallenki@codeaurora.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ad53606
    • 이경택's avatar
      ASoC: topology: use name_prefix for new kcontrol · 10848d3c
      이경택 authored
      commit abca9e4a upstream.
      
      Current topology doesn't add prefix of component to new kcontrol.
      Signed-off-by: default avatarGyeongtaek Lee <gt82.lee@samsung.com>
      Link: https://lore.kernel.org/r/009b01d60804$ae25c2d0$0a714870$@samsung.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10848d3c
    • 이경택's avatar
      ASoC: dpcm: allow start or stop during pause for backend · e1093a17
      이경택 authored
      commit 21fca8bd upstream.
      
      soc_compr_trigger_fe() allows start or stop after pause_push.
      In dpcm_be_dai_trigger(), however, only pause_release is allowed
      command after pause_push.
      So, start or stop after pause in compress offload is always
      returned as error if the compress offload is used with dpcm.
      To fix the problem, SND_SOC_DPCM_STATE_PAUSED should be allowed
      for start or stop command.
      Signed-off-by: default avatarGyeongtaek Lee <gt82.lee@samsung.com>
      Reviewed-by: default avatarVinod Koul <vkoul@kernel.org>
      Link: https://lore.kernel.org/r/004d01d607c1$7a3d5250$6eb7f6f0$@samsung.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1093a17
    • 이경택's avatar
      ASoC: dapm: connect virtual mux with default value · 0185a432
      이경택 authored
      commit 3bbbb772 upstream.
      
      Since a virtual mixer has no backing registers
      to decide which path to connect,
      it will try to match with initial state.
      This is to ensure that the default mixer choice will be
      correctly powered up during initialization.
      Invert flag is used to select initial state of the virtual switch.
      Since actual hardware can't be disconnected by virtual switch,
      connected is better choice as initial state in many cases.
      Signed-off-by: default avatarGyeongtaek Lee <gt82.lee@samsung.com>
      Link: https://lore.kernel.org/r/01a301d60731$b724ea10$256ebe30$@samsung.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0185a432
    • 이경택's avatar
      ASoC: fix regwmask · 66f493d9
      이경택 authored
      commit 0ab07091 upstream.
      
      If regwshift is 32 and the selected architecture compiles '<<' operator
      for signed int literal into rotating shift, '1<<regwshift' became 1 and
      it makes regwmask to 0x0.
      The literal is set to unsigned long to get intended regwmask.
      Signed-off-by: default avatarGyeongtaek Lee <gt82.lee@samsung.com>
      Link: https://lore.kernel.org/r/001001d60665$db7af3e0$9270dba0$@samsung.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66f493d9
    • Kees Cook's avatar
      slub: improve bit diffusion for freelist ptr obfuscation · 9ee0e501
      Kees Cook authored
      commit 1ad53d9f upstream.
      
      Under CONFIG_SLAB_FREELIST_HARDENED=y, the obfuscation was relatively weak
      in that the ptr and ptr address were usually so close that the first XOR
      would result in an almost entirely 0-byte value[1], leaving most of the
      "secret" number ultimately being stored after the third XOR.  A single
      blind memory content exposure of the freelist was generally sufficient to
      learn the secret.
      
      Add a swab() call to mix bits a little more.  This is a cheap way (1
      cycle) to make attacks need more than a single exposure to learn the
      secret (or to know _where_ the exposure is in memory).
      
      kmalloc-32 freelist walk, before:
      
      ptr              ptr_addr            stored value      secret
      ffff90c22e019020@ffff90c22e019000 is 86528eb656b3b5bd (86528eb656b3b59d)
      ffff90c22e019040@ffff90c22e019020 is 86528eb656b3b5fd (86528eb656b3b59d)
      ffff90c22e019060@ffff90c22e019040 is 86528eb656b3b5bd (86528eb656b3b59d)
      ffff90c22e019080@ffff90c22e019060 is 86528eb656b3b57d (86528eb656b3b59d)
      ffff90c22e0190a0@ffff90c22e019080 is 86528eb656b3b5bd (86528eb656b3b59d)
      ...
      
      after:
      
      ptr              ptr_addr            stored value      secret
      ffff9eed6e019020@ffff9eed6e019000 is 793d1135d52cda42 (86528eb656b3b59d)
      ffff9eed6e019040@ffff9eed6e019020 is 593d1135d52cda22 (86528eb656b3b59d)
      ffff9eed6e019060@ffff9eed6e019040 is 393d1135d52cda02 (86528eb656b3b59d)
      ffff9eed6e019080@ffff9eed6e019060 is 193d1135d52cdae2 (86528eb656b3b59d)
      ffff9eed6e0190a0@ffff9eed6e019080 is f93d1135d52cdac2 (86528eb656b3b59d)
      
      [1] https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
      
      Fixes: 2482ddec ("mm: add SLUB free list pointer obfuscation")
      Reported-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/202003051623.AF4F8CB@keescookSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [kees: Backport to v4.19 which doesn't call kasan_reset_untag()]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ee0e501
    • Yury Norov's avatar
      uapi: rename ext2_swab() to swab() and share globally in swab.h · 9af535dc
      Yury Norov authored
      [ Upstream commit d5767057 ]
      
      ext2_swab() is defined locally in lib/find_bit.c However it is not
      specific to ext2, neither to bitmaps.
      
      There are many potential users of it, so rename it to just swab() and
      move to include/uapi/linux/swab.h
      
      ABI guarantees that size of unsigned long corresponds to BITS_PER_LONG,
      therefore drop unneeded cast.
      
      Link: http://lkml.kernel.org/r/20200103202846.21616-1-yury.norov@gmail.comSigned-off-by: default avatarYury Norov <yury.norov@gmail.com>
      Cc: Allison Randal <allison@lohutok.net>
      Cc: Joe Perches <joe@perches.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: William Breathitt Gray <vilhelm.gray@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9af535dc
    • Alex Vesker's avatar
      IB/mlx5: Replace tunnel mpls capability bits for tunnel_offloads · dce1622d
      Alex Vesker authored
      [ Upstream commit 41e684ef ]
      
      Until now the flex parser capability was used in ib_query_device() to
      indicate tunnel_offloads_caps support for mpls_over_gre/mpls_over_udp.
      
      Newer devices and firmware will have configurations with the flexparser
      but without mpls support.
      
      Testing for the flex parser capability was a mistake, the tunnel_stateless
      capability was intended for detecting mpls and was introduced at the same
      time as the flex parser capability.
      
      Otherwise userspace will be incorrectly informed that a future device
      supports MPLS when it does not.
      
      Link: https://lore.kernel.org/r/20200305123841.196086-1-leon@kernel.org
      Cc: <stable@vger.kernel.org> # 4.17
      Fixes: e818e255 ("IB/mlx5: Expose MPLS related tunneling offloads")
      Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
      Reviewed-by: default avatarAriel Levkovich <lariel@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dce1622d
    • Josef Bacik's avatar
      btrfs: track reloc roots based on their commit root bytenr · 32fb859e
      Josef Bacik authored
      [ Upstream commit ea287ab1 ]
      
      We always search the commit root of the extent tree for looking up back
      references, however we track the reloc roots based on their current
      bytenr.
      
      This is wrong, if we commit the transaction between relocating tree
      blocks we could end up in this code in build_backref_tree
      
        if (key.objectid == key.offset) {
      	  /*
      	   * Only root blocks of reloc trees use backref
      	   * pointing to itself.
      	   */
      	  root = find_reloc_root(rc, cur->bytenr);
      	  ASSERT(root);
      	  cur->root = root;
      	  break;
        }
      
      find_reloc_root() is looking based on the bytenr we had in the commit
      root, but if we've COWed this reloc root we will not find that bytenr,
      and we will trip over the ASSERT(root).
      
      Fix this by using the commit_root->start bytenr for indexing the commit
      root.  Then we change the __update_reloc_root() caller to be used when
      we switch the commit root for the reloc root during commit.
      
      This fixes the panic I was seeing when we started throttling relocation
      for delayed refs.
      Signed-off-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      32fb859e
    • Josef Bacik's avatar
      btrfs: remove a BUG_ON() from merge_reloc_roots() · 7d0ef631
      Josef Bacik authored
      [ Upstream commit 7b7b7431 ]
      
      This was pretty subtle, we default to reloc roots having 0 root refs, so
      if we crash in the middle of the relocation they can just be deleted.
      If we successfully complete the relocation operations we'll set our root
      refs to 1 in prepare_to_merge() and then go on to merge_reloc_roots().
      
      At prepare_to_merge() time if any of the reloc roots have a 0 reference
      still, we will remove that reloc root from our reloc root rb tree, and
      then clean it up later.
      
      However this only happens if we successfully start a transaction.  If
      we've aborted previously we will skip this step completely, and only
      have reloc roots with a reference count of 0, but were never properly
      removed from the reloc control's rb tree.
      
      This isn't a problem per-se, our references are held by the list the
      reloc roots are on, and by the original root the reloc root belongs to.
      If we end up in this situation all the reloc roots will be added to the
      dirty_reloc_list, and then properly dropped at that point.  The reloc
      control will be free'd and the rb tree is no longer used.
      
      There were two options when fixing this, one was to remove the BUG_ON(),
      the other was to make prepare_to_merge() handle the case where we
      couldn't start a trans handle.
      
      IMO this is the cleaner solution.  I started with handling the error in
      prepare_to_merge(), but it turned out super ugly.  And in the end this
      BUG_ON() simply doesn't matter, the cleanup was happening properly, we
      were just panicing because this BUG_ON() only matters in the success
      case.  So I've opted to just remove it and add a comment where it was.
      Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7d0ef631
    • Qu Wenruo's avatar
      btrfs: qgroup: ensure qgroup_rescan_running is only set when the worker is at least queued · b8ab26fd
      Qu Wenruo authored
      [ Upstream commit d61acbbf ]
      
      [BUG]
      There are some reports about btrfs wait forever to unmount itself, with
      the following call trace:
      
        INFO: task umount:4631 blocked for more than 491 seconds.
              Tainted: G               X  5.3.8-2-default #1
        "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
        umount          D    0  4631   3337 0x00000000
        Call Trace:
        ([<00000000174adf7a>] __schedule+0x342/0x748)
         [<00000000174ae3ca>] schedule+0x4a/0xd8
         [<00000000174b1f08>] schedule_timeout+0x218/0x420
         [<00000000174af10c>] wait_for_common+0x104/0x1d8
         [<000003ff804d6994>] btrfs_qgroup_wait_for_completion+0x84/0xb0 [btrfs]
         [<000003ff8044a616>] close_ctree+0x4e/0x380 [btrfs]
         [<0000000016fa3136>] generic_shutdown_super+0x8e/0x158
         [<0000000016fa34d6>] kill_anon_super+0x26/0x40
         [<000003ff8041ba88>] btrfs_kill_super+0x28/0xc8 [btrfs]
         [<0000000016fa39f8>] deactivate_locked_super+0x68/0x98
         [<0000000016fcb198>] cleanup_mnt+0xc0/0x140
         [<0000000016d6a846>] task_work_run+0xc6/0x110
         [<0000000016d04f76>] do_notify_resume+0xae/0xb8
         [<00000000174b30ae>] system_call+0xe2/0x2c8
      
      [CAUSE]
      The problem happens when we have called qgroup_rescan_init(), but
      not queued the worker. It can be caused mostly by error handling.
      
      	Qgroup ioctl thread		|	Unmount thread
      ----------------------------------------+-----------------------------------
      					|
      btrfs_qgroup_rescan()			|
      |- qgroup_rescan_init()			|
      |  |- qgroup_rescan_running = true;	|
      |					|
      |- trans = btrfs_join_transaction()	|
      |  Some error happened			|
      |					|
      |- btrfs_qgroup_rescan() returns error	|
         But qgroup_rescan_running == true;	|
      					| close_ctree()
      					| |- btrfs_qgroup_wait_for_completion()
      					|    |- running == true;
      					|    |- wait_for_completion();
      
      btrfs_qgroup_rescan_worker is never queued, thus no one is going to wake
      up close_ctree() and we get a deadlock.
      
      All involved qgroup_rescan_init() callers are:
      
      - btrfs_qgroup_rescan()
        The example above. It's possible to trigger the deadlock when error
        happened.
      
      - btrfs_quota_enable()
        Not possible. Just after qgroup_rescan_init() we queue the work.
      
      - btrfs_read_qgroup_config()
        It's possible to trigger the deadlock. It only init the work, the
        work queueing happens in btrfs_qgroup_rescan_resume().
        Thus if error happened in between, deadlock is possible.
      
      We shouldn't set fs_info->qgroup_rescan_running just in
      qgroup_rescan_init(), as at that stage we haven't yet queued qgroup
      rescan worker to run.
      
      [FIX]
      Set qgroup_rescan_running before queueing the work, so that we ensure
      the rescan work is queued when we wait for it.
      
      Fixes: 8d9eddad ("Btrfs: fix qgroup rescan worker initialization")
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      [ Change subject and cause analyse, use a smaller fix ]
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b8ab26fd
    • Zhiqiang Liu's avatar
      block, bfq: fix use-after-free in bfq_idle_slice_timer_body · d999063b
      Zhiqiang Liu authored
      [ Upstream commit 2f95fa5c ]
      
      In bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is
      not in bfqd-lock critical section. The bfqq, which is not
      equal to NULL in bfq_idle_slice_timer, may be freed after passing
      to bfq_idle_slice_timer_body. So we will access the freed memory.
      
      In addition, considering the bfqq may be in race, we should
      firstly check whether bfqq is in service before doing something
      on it in bfq_idle_slice_timer_body func. If the bfqq in race is
      not in service, it means the bfqq has been expired through
      __bfq_bfqq_expire func, and wait_request flags has been cleared in
      __bfq_bfqd_reset_in_service func. So we do not need to re-clear the
      wait_request of bfqq which is not in service.
      
      KASAN log is given as follows:
      [13058.354613] ==================================================================
      [13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290
      [13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767
      [13058.354646]
      [13058.354655] CPU: 96 PID: 19767 Comm: fork13
      [13058.354661] Call trace:
      [13058.354667]  dump_backtrace+0x0/0x310
      [13058.354672]  show_stack+0x28/0x38
      [13058.354681]  dump_stack+0xd8/0x108
      [13058.354687]  print_address_description+0x68/0x2d0
      [13058.354690]  kasan_report+0x124/0x2e0
      [13058.354697]  __asan_load8+0x88/0xb0
      [13058.354702]  bfq_idle_slice_timer+0xac/0x290
      [13058.354707]  __hrtimer_run_queues+0x298/0x8b8
      [13058.354710]  hrtimer_interrupt+0x1b8/0x678
      [13058.354716]  arch_timer_handler_phys+0x4c/0x78
      [13058.354722]  handle_percpu_devid_irq+0xf0/0x558
      [13058.354731]  generic_handle_irq+0x50/0x70
      [13058.354735]  __handle_domain_irq+0x94/0x110
      [13058.354739]  gic_handle_irq+0x8c/0x1b0
      [13058.354742]  el1_irq+0xb8/0x140
      [13058.354748]  do_wp_page+0x260/0xe28
      [13058.354752]  __handle_mm_fault+0x8ec/0x9b0
      [13058.354756]  handle_mm_fault+0x280/0x460
      [13058.354762]  do_page_fault+0x3ec/0x890
      [13058.354765]  do_mem_abort+0xc0/0x1b0
      [13058.354768]  el0_da+0x24/0x28
      [13058.354770]
      [13058.354773] Allocated by task 19731:
      [13058.354780]  kasan_kmalloc+0xe0/0x190
      [13058.354784]  kasan_slab_alloc+0x14/0x20
      [13058.354788]  kmem_cache_alloc_node+0x130/0x440
      [13058.354793]  bfq_get_queue+0x138/0x858
      [13058.354797]  bfq_get_bfqq_handle_split+0xd4/0x328
      [13058.354801]  bfq_init_rq+0x1f4/0x1180
      [13058.354806]  bfq_insert_requests+0x264/0x1c98
      [13058.354811]  blk_mq_sched_insert_requests+0x1c4/0x488
      [13058.354818]  blk_mq_flush_plug_list+0x2d4/0x6e0
      [13058.354826]  blk_flush_plug_list+0x230/0x548
      [13058.354830]  blk_finish_plug+0x60/0x80
      [13058.354838]  read_pages+0xec/0x2c0
      [13058.354842]  __do_page_cache_readahead+0x374/0x438
      [13058.354846]  ondemand_readahead+0x24c/0x6b0
      [13058.354851]  page_cache_sync_readahead+0x17c/0x2f8
      [13058.354858]  generic_file_buffered_read+0x588/0xc58
      [13058.354862]  generic_file_read_iter+0x1b4/0x278
      [13058.354965]  ext4_file_read_iter+0xa8/0x1d8 [ext4]
      [13058.354972]  __vfs_read+0x238/0x320
      [13058.354976]  vfs_read+0xbc/0x1c0
      [13058.354980]  ksys_read+0xdc/0x1b8
      [13058.354984]  __arm64_sys_read+0x50/0x60
      [13058.354990]  el0_svc_common+0xb4/0x1d8
      [13058.354994]  el0_svc_handler+0x50/0xa8
      [13058.354998]  el0_svc+0x8/0xc
      [13058.354999]
      [13058.355001] Freed by task 19731:
      [13058.355007]  __kasan_slab_free+0x120/0x228
      [13058.355010]  kasan_slab_free+0x10/0x18
      [13058.355014]  kmem_cache_free+0x288/0x3f0
      [13058.355018]  bfq_put_queue+0x134/0x208
      [13058.355022]  bfq_exit_icq_bfqq+0x164/0x348
      [13058.355026]  bfq_exit_icq+0x28/0x40
      [13058.355030]  ioc_exit_icq+0xa0/0x150
      [13058.355035]  put_io_context_active+0x250/0x438
      [13058.355038]  exit_io_context+0xd0/0x138
      [13058.355045]  do_exit+0x734/0xc58
      [13058.355050]  do_group_exit+0x78/0x220
      [13058.355054]  __wake_up_parent+0x0/0x50
      [13058.355058]  el0_svc_common+0xb4/0x1d8
      [13058.355062]  el0_svc_handler+0x50/0xa8
      [13058.355066]  el0_svc+0x8/0xc
      [13058.355067]
      [13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464
      [13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)
      [13058.355077] The buggy address belongs to the page:
      [13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0
      [13058.366175] flags: 0x2ffffe0000008100(slab|head)
      [13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780
      [13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000
      [13058.370789] page dumped because: kasan: bad access detected
      [13058.370791]
      [13058.370792] Memory state around the buggy address:
      [13058.370797]  ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb
      [13058.370801]  ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [13058.370808]                                                                 ^
      [13058.370811]  ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [13058.370815]  ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [13058.370817] ==================================================================
      [13058.370820] Disabling lock debugging due to kernel taint
      
      Here, we directly pass the bfqd to bfq_idle_slice_timer_body func.
      --
      V2->V3: rewrite the comment as suggested by Paolo Valente
      V1->V2: add one comment, and add Fixes and Reported-by tag.
      
      Fixes: aee69d78 ("block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler")
      Acked-by: default avatarPaolo Valente <paolo.valente@linaro.org>
      Reported-by: default avatarWang Wang <wangwang2@huawei.com>
      Signed-off-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Signed-off-by: default avatarFeilong Lin <linfeilong@huawei.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d999063b
    • Boqun Feng's avatar
      locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps() · c6090fe7
      Boqun Feng authored
      [ Upstream commit 25016bd7 ]
      
      Qian Cai reported a bug when PROVE_RCU_LIST=y, and read on /proc/lockdep
      triggered a warning:
      
        [ ] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
        ...
        [ ] Call Trace:
        [ ]  lock_is_held_type+0x5d/0x150
        [ ]  ? rcu_lockdep_current_cpu_online+0x64/0x80
        [ ]  rcu_read_lock_any_held+0xac/0x100
        [ ]  ? rcu_read_lock_held+0xc0/0xc0
        [ ]  ? __slab_free+0x421/0x540
        [ ]  ? kasan_kmalloc+0x9/0x10
        [ ]  ? __kmalloc_node+0x1d7/0x320
        [ ]  ? kvmalloc_node+0x6f/0x80
        [ ]  __bfs+0x28a/0x3c0
        [ ]  ? class_equal+0x30/0x30
        [ ]  lockdep_count_forward_deps+0x11a/0x1a0
      
      The warning got triggered because lockdep_count_forward_deps() call
      __bfs() without current->lockdep_recursion being set, as a result
      a lockdep internal function (__bfs()) is checked by lockdep, which is
      unexpected, and the inconsistency between the irq-off state and the
      state traced by lockdep caused the warning.
      
      Apart from this warning, lockdep internal functions like __bfs() should
      always be protected by current->lockdep_recursion to avoid potential
      deadlocks and data inconsistency, therefore add the
      current->lockdep_recursion on-and-off section to protect __bfs() in both
      lockdep_count_forward_deps() and lockdep_count_backward_deps()
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarBoqun Feng <boqun.feng@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20200312151258.128036-1-boqun.feng@gmail.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      c6090fe7
    • Junyong Sun's avatar
      firmware: fix a double abort case with fw_load_sysfs_fallback · 1a5613b5
      Junyong Sun authored
      [ Upstream commit bcfbd352 ]
      
      fw_sysfs_wait_timeout may return err with -ENOENT
      at fw_load_sysfs_fallback and firmware is already
      in abort status, no need to abort again, so skip it.
      
      This issue is caused by concurrent situation like below:
      when thread 1# wait firmware loading, thread 2# may write
      -1 to abort loading and wakeup thread 1# before it timeout.
      so wait_for_completion_killable_timeout of thread 1# would
      return remaining time which is != 0 with fw_st->status
      FW_STATUS_ABORTED.And the results would be converted into
      err -ENOENT in __fw_state_wait_common and transfered to
      fw_load_sysfs_fallback in thread 1#.
      The -ENOENT means firmware status is already at ABORTED,
      so fw_load_sysfs_fallback no need to get mutex to abort again.
      -----------------------------
      thread 1#,wait for loading
      fw_load_sysfs_fallback
       ->fw_sysfs_wait_timeout
          ->__fw_state_wait_common
             ->wait_for_completion_killable_timeout
      
      in __fw_state_wait_common,
      ...
      93    ret = wait_for_completion_killable_timeout(&fw_st->completion, timeout);
      94    if (ret != 0 && fw_st->status == FW_STATUS_ABORTED)
      95       return -ENOENT;
      96    if (!ret)
      97	 return -ETIMEDOUT;
      98
      99    return ret < 0 ? ret : 0;
      -----------------------------
      thread 2#, write -1 to abort loading
      firmware_loading_store
       ->fw_load_abort
         ->__fw_load_abort
           ->fw_state_aborted
             ->__fw_state_set
               ->complete_all
      
      in __fw_state_set,
      ...
      111    if (status == FW_STATUS_DONE || status == FW_STATUS_ABORTED)
      112       complete_all(&fw_st->completion);
      -------------------------------------------
      BTW,the double abort issue would not cause kernel panic or create an issue,
      but slow down it sometimes.The change is just a minor optimization.
      Signed-off-by: default avatarJunyong Sun <sunjunyong@xiaomi.com>
      Acked-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Link: https://lore.kernel.org/r/1583202968-28792-1-git-send-email-sunjunyong@xiaomi.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1a5613b5
    • Guoqing Jiang's avatar
      md: check arrays is suspended in mddev_detach before call quiesce operations · 41778458
      Guoqing Jiang authored
      [ Upstream commit 6b40bec3 ]
      
      Don't call quiesce(1) and quiesce(0) if array is already suspended,
      otherwise in level_store, the array is writable after mddev_detach
      in below part though the intention is to make array writable after
      resume.
      
      	mddev_suspend(mddev);
      	mddev_detach(mddev);
      	...
      	mddev_resume(mddev);
      
      And it also causes calltrace as follows in [1].
      
      [48005.653834] WARNING: CPU: 1 PID: 45380 at kernel/kthread.c:510 kthread_park+0x77/0x90
      [...]
      [48005.653976] CPU: 1 PID: 45380 Comm: mdadm Tainted: G           OE     5.4.10-arch1-1 #1
      [48005.653979] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./J4105-ITX, BIOS P1.40 08/06/2018
      [48005.653984] RIP: 0010:kthread_park+0x77/0x90
      [48005.654015] Call Trace:
      [48005.654039]  r5l_quiesce+0x3c/0x70 [raid456]
      [48005.654052]  raid5_quiesce+0x228/0x2e0 [raid456]
      [48005.654073]  mddev_detach+0x30/0x70 [md_mod]
      [48005.654090]  level_store+0x202/0x670 [md_mod]
      [48005.654099]  ? security_capable+0x40/0x60
      [48005.654114]  md_attr_store+0x7b/0xc0 [md_mod]
      [48005.654123]  kernfs_fop_write+0xce/0x1b0
      [48005.654132]  vfs_write+0xb6/0x1a0
      [48005.654138]  ksys_write+0x67/0xe0
      [48005.654146]  do_syscall_64+0x4e/0x140
      [48005.654155]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [48005.654161] RIP: 0033:0x7fa0c8737497
      
      [1]: https://bugzilla.kernel.org/show_bug.cgi?id=206161Signed-off-by: default avatarGuoqing Jiang <guoqing.jiang@cloud.ionos.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      41778458
    • Marc Zyngier's avatar
      irqchip/gic-v4: Provide irq_retrigger to avoid circular locking dependency · 702f64bc
      Marc Zyngier authored
      [ Upstream commit 7809f701 ]
      
      On a very heavily loaded D05 with GICv4, I managed to trigger the
      following lockdep splat:
      
      [ 6022.598864] ======================================================
      [ 6022.605031] WARNING: possible circular locking dependency detected
      [ 6022.611200] 5.6.0-rc4-00026-geee7c7b0f498 #680 Tainted: G            E
      [ 6022.618061] ------------------------------------------------------
      [ 6022.624227] qemu-system-aar/7569 is trying to acquire lock:
      [ 6022.629789] ffff042f97606808 (&p->pi_lock){-.-.}, at: try_to_wake_up+0x54/0x7a0
      [ 6022.637102]
      [ 6022.637102] but task is already holding lock:
      [ 6022.642921] ffff002fae424cf0 (&irq_desc_lock_class){-.-.}, at: __irq_get_desc_lock+0x5c/0x98
      [ 6022.651350]
      [ 6022.651350] which lock already depends on the new lock.
      [ 6022.651350]
      [ 6022.659512]
      [ 6022.659512] the existing dependency chain (in reverse order) is:
      [ 6022.666980]
      [ 6022.666980] -> #2 (&irq_desc_lock_class){-.-.}:
      [ 6022.672983]        _raw_spin_lock_irqsave+0x50/0x78
      [ 6022.677848]        __irq_get_desc_lock+0x5c/0x98
      [ 6022.682453]        irq_set_vcpu_affinity+0x40/0xc0
      [ 6022.687236]        its_make_vpe_non_resident+0x6c/0xb8
      [ 6022.692364]        vgic_v4_put+0x54/0x70
      [ 6022.696273]        vgic_v3_put+0x20/0xd8
      [ 6022.700183]        kvm_vgic_put+0x30/0x48
      [ 6022.704182]        kvm_arch_vcpu_put+0x34/0x50
      [ 6022.708614]        kvm_sched_out+0x34/0x50
      [ 6022.712700]        __schedule+0x4bc/0x7f8
      [ 6022.716697]        schedule+0x50/0xd8
      [ 6022.720347]        kvm_arch_vcpu_ioctl_run+0x5f0/0x978
      [ 6022.725473]        kvm_vcpu_ioctl+0x3d4/0x8f8
      [ 6022.729820]        ksys_ioctl+0x90/0xd0
      [ 6022.733642]        __arm64_sys_ioctl+0x24/0x30
      [ 6022.738074]        el0_svc_common.constprop.3+0xa8/0x1e8
      [ 6022.743373]        do_el0_svc+0x28/0x88
      [ 6022.747198]        el0_svc+0x14/0x40
      [ 6022.750761]        el0_sync_handler+0x124/0x2b8
      [ 6022.755278]        el0_sync+0x140/0x180
      [ 6022.759100]
      [ 6022.759100] -> #1 (&rq->lock){-.-.}:
      [ 6022.764143]        _raw_spin_lock+0x38/0x50
      [ 6022.768314]        task_fork_fair+0x40/0x128
      [ 6022.772572]        sched_fork+0xe0/0x210
      [ 6022.776484]        copy_process+0x8c4/0x18d8
      [ 6022.780742]        _do_fork+0x88/0x6d8
      [ 6022.784478]        kernel_thread+0x64/0x88
      [ 6022.788563]        rest_init+0x30/0x270
      [ 6022.792390]        arch_call_rest_init+0x14/0x1c
      [ 6022.796995]        start_kernel+0x498/0x4c4
      [ 6022.801164]
      [ 6022.801164] -> #0 (&p->pi_lock){-.-.}:
      [ 6022.806382]        __lock_acquire+0xdd8/0x15c8
      [ 6022.810813]        lock_acquire+0xd0/0x218
      [ 6022.814896]        _raw_spin_lock_irqsave+0x50/0x78
      [ 6022.819761]        try_to_wake_up+0x54/0x7a0
      [ 6022.824018]        wake_up_process+0x1c/0x28
      [ 6022.828276]        wakeup_softirqd+0x38/0x40
      [ 6022.832533]        __tasklet_schedule_common+0xc4/0xf0
      [ 6022.837658]        __tasklet_schedule+0x24/0x30
      [ 6022.842176]        check_irq_resend+0xc8/0x158
      [ 6022.846609]        irq_startup+0x74/0x128
      [ 6022.850606]        __enable_irq+0x6c/0x78
      [ 6022.854602]        enable_irq+0x54/0xa0
      [ 6022.858431]        its_make_vpe_non_resident+0xa4/0xb8
      [ 6022.863557]        vgic_v4_put+0x54/0x70
      [ 6022.867469]        kvm_arch_vcpu_blocking+0x28/0x38
      [ 6022.872336]        kvm_vcpu_block+0x48/0x490
      [ 6022.876594]        kvm_handle_wfx+0x18c/0x310
      [ 6022.880938]        handle_exit+0x138/0x198
      [ 6022.885022]        kvm_arch_vcpu_ioctl_run+0x4d4/0x978
      [ 6022.890148]        kvm_vcpu_ioctl+0x3d4/0x8f8
      [ 6022.894494]        ksys_ioctl+0x90/0xd0
      [ 6022.898317]        __arm64_sys_ioctl+0x24/0x30
      [ 6022.902748]        el0_svc_common.constprop.3+0xa8/0x1e8
      [ 6022.908046]        do_el0_svc+0x28/0x88
      [ 6022.911871]        el0_svc+0x14/0x40
      [ 6022.915434]        el0_sync_handler+0x124/0x2b8
      [ 6022.919951]        el0_sync+0x140/0x180
      [ 6022.923773]
      [ 6022.923773] other info that might help us debug this:
      [ 6022.923773]
      [ 6022.931762] Chain exists of:
      [ 6022.931762]   &p->pi_lock --> &rq->lock --> &irq_desc_lock_class
      [ 6022.931762]
      [ 6022.942101]  Possible unsafe locking scenario:
      [ 6022.942101]
      [ 6022.948007]        CPU0                    CPU1
      [ 6022.952523]        ----                    ----
      [ 6022.957039]   lock(&irq_desc_lock_class);
      [ 6022.961036]                                lock(&rq->lock);
      [ 6022.966595]                                lock(&irq_desc_lock_class);
      [ 6022.973109]   lock(&p->pi_lock);
      [ 6022.976324]
      [ 6022.976324]  *** DEADLOCK ***
      
      This is happening because we have a pending doorbell that requires
      retrigger. As SW retriggering is done in a tasklet, we trigger the
      circular dependency above.
      
      The easy cop-out is to provide a retrigger callback that doesn't
      require acquiring any extra lock.
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Link: https://lore.kernel.org/r/20200310184921.23552-5-maz@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      702f64bc
    • Neil Armstrong's avatar
      usb: dwc3: core: add support for disabling SS instances in park mode · 831494cb
      Neil Armstrong authored
      [ Upstream commit 7ba6b09f ]
      
      In certain circumstances, the XHCI SuperSpeed instance in park mode
      can fail to recover, thus on Amlogic G12A/G12B/SM1 SoCs when there is high
      load on the single XHCI SuperSpeed instance, the controller can crash like:
       xhci-hcd xhci-hcd.0.auto: xHCI host not responding to stop endpoint command.
       xhci-hcd xhci-hcd.0.auto: Host halt failed, -110
       xhci-hcd xhci-hcd.0.auto: xHCI host controller not responding, assume dead
       xhci-hcd xhci-hcd.0.auto: xHCI host not responding to stop endpoint command.
       hub 2-1.1:1.0: hub_ext_port_status failed (err = -22)
       xhci-hcd xhci-hcd.0.auto: HC died; cleaning up
       usb 2-1.1-port1: cannot reset (err = -22)
      
      Setting the PARKMODE_DISABLE_SS bit in the DWC3_USB3_GUCTL1 mitigates
      the issue. The bit is described as :
      "When this bit is set to '1' all SS bus instances in park mode are disabled"
      
      Synopsys explains:
      The GUCTL1.PARKMODE_DISABLE_SS is only available in
      dwc_usb3 controller running in host mode.
      This should not be set for other IPs.
      This can be disabled by default based on IP, but I recommend to have a
      property to enable this feature for devices that need this.
      
      CC: Dongjin Kim <tobetter@gmail.com>
      Cc: Jianxin Pan <jianxin.pan@amlogic.com>
      Cc: Thinh Nguyen <thinhn@synopsys.com>
      Cc: Jun Li <lijun.kernel@gmail.com>
      Reported-by: default avatarTim <elatllat@gmail.com>
      Signed-off-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      831494cb
    • Dongchun Zhu's avatar
      media: i2c: ov5695: Fix power on and off sequences · 505e557c
      Dongchun Zhu authored
      [ Upstream commit f1a64f56 ]
      
      From the measured hardware signal, OV5695 reset pin goes high for a
      short period of time during boot-up. From the sensor specification, the
      reset pin is active low and the DT binding defines the pin as active
      low, which means that the values set by the driver are inverted and thus
      the value requested in probe ends up high.
      
      Fix it by changing probe to request the reset GPIO initialized to high,
      which makes the initial state of the physical signal low.
      
      In addition, DOVDD rising must occur before DVDD rising from spec., but
      regulator_bulk_enable() API enables all the regulators asynchronously.
      Use an explicit loops of regulator_enable() instead.
      
      For power off sequence, it is required that DVDD falls first. Given the
      bulk API does not give any guarantee about the order of regulators,
      change the driver to use regulator_disable() instead.
      
      The sensor also requires a delay between reset high and first I2C
      transaction, which was assumed to be 8192 XVCLK cycles, but 1ms is
      recommended by the vendor. Fix this as well.
      Signed-off-by: default avatarDongchun Zhu <dongchun.zhu@mediatek.com>
      Signed-off-by: default avatarTomasz Figa <tfiga@chromium.org>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      505e557c
    • Sahitya Tummala's avatar
      block: Fix use-after-free issue accessing struct io_cq · cf535659
      Sahitya Tummala authored
      [ Upstream commit 30a2da7b ]
      
      There is a potential race between ioc_release_fn() and
      ioc_clear_queue() as shown below, due to which below kernel
      crash is observed. It also can result into use-after-free
      issue.
      
      context#1:				context#2:
      ioc_release_fn()			__ioc_clear_queue() gets the same icq
      ->spin_lock(&ioc->lock);		->spin_lock(&ioc->lock);
      ->ioc_destroy_icq(icq);
        ->list_del_init(&icq->q_node);
        ->call_rcu(&icq->__rcu_head,
        	icq_free_icq_rcu);
      ->spin_unlock(&ioc->lock);
      					->ioc_destroy_icq(icq);
      					  ->hlist_del_init(&icq->ioc_node);
      					  This results into below crash as this memory
      					  is now used by icq->__rcu_head in context#1.
      					  There is a chance that icq could be free'd
      					  as well.
      
      22150.386550:   <6> Unable to handle kernel write to read-only memory
      at virtual address ffffffaa8d31ca50
      ...
      Call trace:
      22150.607350:   <2>  ioc_destroy_icq+0x44/0x110
      22150.611202:   <2>  ioc_clear_queue+0xac/0x148
      22150.615056:   <2>  blk_cleanup_queue+0x11c/0x1a0
      22150.619174:   <2>  __scsi_remove_device+0xdc/0x128
      22150.623465:   <2>  scsi_forget_host+0x2c/0x78
      22150.627315:   <2>  scsi_remove_host+0x7c/0x2a0
      22150.631257:   <2>  usb_stor_disconnect+0x74/0xc8
      22150.635371:   <2>  usb_unbind_interface+0xc8/0x278
      22150.639665:   <2>  device_release_driver_internal+0x198/0x250
      22150.644897:   <2>  device_release_driver+0x24/0x30
      22150.649176:   <2>  bus_remove_device+0xec/0x140
      22150.653204:   <2>  device_del+0x270/0x460
      22150.656712:   <2>  usb_disable_device+0x120/0x390
      22150.660918:   <2>  usb_disconnect+0xf4/0x2e0
      22150.664684:   <2>  hub_event+0xd70/0x17e8
      22150.668197:   <2>  process_one_work+0x210/0x480
      22150.672222:   <2>  worker_thread+0x32c/0x4c8
      
      Fix this by adding a new ICQ_DESTROYED flag in ioc_destroy_icq() to
      indicate this icq is once marked as destroyed. Also, ensure
      __ioc_clear_queue() is accessing icq within rcu_read_lock/unlock so
      that icq doesn't get free'd up while it is still using it.
      Signed-off-by: default avatarSahitya Tummala <stummala@codeaurora.org>
      Co-developed-by: default avatarPradeep P V K <ppvk@codeaurora.org>
      Signed-off-by: default avatarPradeep P V K <ppvk@codeaurora.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cf535659
    • Alexander Sverdlin's avatar
      genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy() · 1b16ddb2
      Alexander Sverdlin authored
      [ Upstream commit 87f2d1c6 ]
      
      irq_domain_alloc_irqs_hierarchy() has 3 call sites in the compilation unit
      but only one of them checks for the pointer which is being dereferenced
      inside the called function. Move the check into the function. This allows
      for catching the error instead of the following crash:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      PC is at 0x0
      LR is at gpiochip_hierarchy_irq_domain_alloc+0x11f/0x140
      ...
      [<c06c23ff>] (gpiochip_hierarchy_irq_domain_alloc)
      [<c0462a89>] (__irq_domain_alloc_irqs)
      [<c0462dad>] (irq_create_fwspec_mapping)
      [<c06c2251>] (gpiochip_to_irq)
      [<c06c1c9b>] (gpiod_to_irq)
      [<bf973073>] (gpio_irqs_init [gpio_irqs])
      [<bf974048>] (gpio_irqs_exit+0xecc/0xe84 [gpio_irqs])
      Code: bad PC value
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20200306174720.82604-1-alexander.sverdlin@nokia.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      1b16ddb2
    • Ard Biesheuvel's avatar
      efi/x86: Ignore the memory attributes table on i386 · f533f211
      Ard Biesheuvel authored
      [ Upstream commit dd09fad9 ]
      
      Commit:
      
        3a6b6c6f ("efi: Make EFI_MEMORY_ATTRIBUTES_TABLE initialization common across all architectures")
      
      moved the call to efi_memattr_init() from ARM specific to the generic
      EFI init code, in order to be able to apply the restricted permissions
      described in that table on x86 as well.
      
      We never enabled this feature fully on i386, and so mapping and
      reserving this table is pointless. However, due to the early call to
      memblock_reserve(), the memory bookkeeping gets confused to the point
      where it produces the splat below when we try to map the memory later
      on:
      
        ------------[ cut here ]------------
        ioremap on RAM at 0x3f251000 - 0x3fa1afff
        WARNING: CPU: 0 PID: 0 at arch/x86/mm/ioremap.c:166 __ioremap_caller ...
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.20.0 #48
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
        EIP: __ioremap_caller.constprop.0+0x249/0x260
        Code: 90 0f b7 05 4e 38 40 de 09 45 e0 e9 09 ff ff ff 90 8d 45 ec c6 05 ...
        EAX: 00000029 EBX: 00000000 ECX: de59c228 EDX: 00000001
        ESI: 3f250fff EDI: 00000000 EBP: de3edf20 ESP: de3edee0
        DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00200296
        CR0: 80050033 CR2: ffd17000 CR3: 1e58c000 CR4: 00040690
        Call Trace:
         ioremap_cache+0xd/0x10
         ? old_map_region+0x72/0x9d
         old_map_region+0x72/0x9d
         efi_map_region+0x8/0xa
         efi_enter_virtual_mode+0x260/0x43b
         start_kernel+0x329/0x3aa
         i386_start_kernel+0xa7/0xab
         startup_32_smp+0x164/0x168
        ---[ end trace e15ccf6b9f356833 ]---
      
      Let's work around this by disregarding the memory attributes table
      altogether on i386, which does not result in a loss of functionality
      or protection, given that we never consumed the contents.
      
      Fixes: 3a6b6c6f ("efi: Make EFI_MEMORY_ATTRIBUTES_TABLE ... ")
      Tested-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lore.kernel.org/r/20200304165917.5893-1-ardb@kernel.org
      Link: https://lore.kernel.org/r/20200308080859.21568-21-ardb@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      f533f211
    • Arvind Sankar's avatar
      x86/boot: Use unsigned comparison for addresses · 615d0014
      Arvind Sankar authored
      [ Upstream commit 81a34892 ]
      
      The load address is compared with LOAD_PHYSICAL_ADDR using a signed
      comparison currently (using jge instruction).
      
      When loading a 64-bit kernel using the new efi32_pe_entry() point added by:
      
        97aa2765 ("efi/x86: Add true mixed mode entry point into .compat section")
      
      using Qemu with -m 3072, the firmware actually loads us above 2Gb,
      resulting in a very early crash.
      
      Use the JAE instruction to perform a unsigned comparison instead, as physical
      addresses should be considered unsigned.
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lore.kernel.org/r/20200301230436.2246909-6-nivedita@alum.mit.edu
      Link: https://lore.kernel.org/r/20200308080859.21568-14-ardb@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      615d0014
    • Bob Peterson's avatar
      gfs2: Don't demote a glock until its revokes are written · 09f8ac74
      Bob Peterson authored
      [ Upstream commit df5db5f9 ]
      
      Before this patch, run_queue would demote glocks based on whether
      there are any more holders. But if the glock has pending revokes that
      haven't been written to the media, giving up the glock might end in
      file system corruption if the revokes never get written due to
      io errors, node crashes and fences, etc. In that case, another node
      will replay the metadata blocks associated with the glock, but
      because the revoke was never written, it could replay that block
      even though the glock had since been granted to another node who
      might have made changes.
      
      This patch changes the logic in run_queue so that it never demotes
      a glock until its count of pending revokes reaches zero.
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      Reviewed-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      09f8ac74
    • chenqiwu's avatar
      pstore/platform: fix potential mem leak if pstore_init_fs failed · 3e61c4fa
      chenqiwu authored
      [ Upstream commit 8a57d6d4 ]
      
      There is a potential mem leak when pstore_init_fs failed,
      since the pstore compression maybe unlikey to initialized
      successfully. We must clean up the allocation once this
      unlikey issue happens.
      Signed-off-by: default avatarchenqiwu <chenqiwu@xiaomi.com>
      Link: https://lore.kernel.org/r/1581068800-13817-1-git-send-email-qiwuchen55@gmail.comSigned-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3e61c4fa
    • John Garry's avatar
      libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() · 7371ef43
      John Garry authored
      [ Upstream commit 1d72f7ae ]
      
      If the call to scsi_add_host_with_dma() in ata_scsi_add_hosts() fails,
      then we may get use-after-free KASAN warns:
      
      ==================================================================
      BUG: KASAN: use-after-free in kobject_put+0x24/0x180
      Read of size 1 at addr ffff0026b8c80364 by task swapper/0/1
      CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W         5.6.0-rc3-00004-g5a71b206ea82-dirty #1765
      Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V3.B160.01 02/24/2020
      Call trace:
      dump_backtrace+0x0/0x298
      show_stack+0x14/0x20
      dump_stack+0x118/0x190
      print_address_description.isra.9+0x6c/0x3b8
      __kasan_report+0x134/0x23c
      kasan_report+0xc/0x18
      __asan_load1+0x5c/0x68
      kobject_put+0x24/0x180
      put_device+0x10/0x20
      scsi_host_put+0x10/0x18
      ata_devres_release+0x74/0xb0
      release_nodes+0x2d0/0x470
      devres_release_all+0x50/0x78
      really_probe+0x2d4/0x560
      driver_probe_device+0x7c/0x148
      device_driver_attach+0x94/0xa0
      __driver_attach+0xa8/0x110
      bus_for_each_dev+0xe8/0x158
      driver_attach+0x30/0x40
      bus_add_driver+0x220/0x2e0
      driver_register+0xbc/0x1d0
      __pci_register_driver+0xbc/0xd0
      ahci_pci_driver_init+0x20/0x28
      do_one_initcall+0xf0/0x608
      kernel_init_freeable+0x31c/0x384
      kernel_init+0x10/0x118
      ret_from_fork+0x10/0x18
      
      Allocated by task 5:
      save_stack+0x28/0xc8
      __kasan_kmalloc.isra.8+0xbc/0xd8
      kasan_kmalloc+0xc/0x18
      __kmalloc+0x1a8/0x280
      scsi_host_alloc+0x44/0x678
      ata_scsi_add_hosts+0x74/0x268
      ata_host_register+0x228/0x488
      ahci_host_activate+0x1c4/0x2a8
      ahci_init_one+0xd18/0x1298
      local_pci_probe+0x74/0xf0
      work_for_cpu_fn+0x2c/0x48
      process_one_work+0x488/0xc08
      worker_thread+0x330/0x5d0
      kthread+0x1c8/0x1d0
      ret_from_fork+0x10/0x18
      
      Freed by task 5:
      save_stack+0x28/0xc8
      __kasan_slab_free+0x118/0x180
      kasan_slab_free+0x10/0x18
      slab_free_freelist_hook+0xa4/0x1a0
      kfree+0xd4/0x3a0
      scsi_host_dev_release+0x100/0x148
      device_release+0x7c/0xe0
      kobject_put+0xb0/0x180
      put_device+0x10/0x20
      scsi_host_put+0x10/0x18
      ata_scsi_add_hosts+0x210/0x268
      ata_host_register+0x228/0x488
      ahci_host_activate+0x1c4/0x2a8
      ahci_init_one+0xd18/0x1298
      local_pci_probe+0x74/0xf0
      work_for_cpu_fn+0x2c/0x48
      process_one_work+0x488/0xc08
      worker_thread+0x330/0x5d0
      kthread+0x1c8/0x1d0
      ret_from_fork+0x10/0x18
      
      There is also refcount issue, as well:
      WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x170
      
      The issue is that we make an erroneous extra call to scsi_host_put()
      for that host:
      
      So in ahci_init_one()->ata_host_alloc_pinfo()->ata_host_alloc(), we setup
      a device release method - ata_devres_release() - which intends to release
      the SCSI hosts:
      
      static void ata_devres_release(struct device *gendev, void *res)
      {
      	...
      	for (i = 0; i < host->n_ports; i++) {
      		struct ata_port *ap = host->ports[i];
      
      		if (!ap)
      			continue;
      
      		if (ap->scsi_host)
      			scsi_host_put(ap->scsi_host);
      
      	}
      	...
      }
      
      However in the ata_scsi_add_hosts() error path, we also call
      scsi_host_put() for the SCSI hosts.
      
      Fix by removing the the scsi_host_put() calls in ata_scsi_add_hosts() and
      leave this to ata_devres_release().
      
      Fixes: f3187195 ("libata: separate out ata_host_alloc() and ata_host_register()")
      Signed-off-by: default avatarJohn Garry <john.garry@huawei.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7371ef43
    • Matt Ranostay's avatar
      media: i2c: video-i2c: fix build errors due to 'imply hwmon' · 6a63ea10
      Matt Ranostay authored
      [ Upstream commit 64d4fc99 ]
      
      Fix build fault when CONFIG_HWMON is a module, and CONFIG_VIDEO_I2C
      as builtin. This is due to 'imply hwmon' in the respective Kconfig.
      
      Issue build log:
      
      ld: drivers/media/i2c/video-i2c.o: in function `amg88xx_hwmon_init':
      video-i2c.c:(.text+0x2e1): undefined reference to `devm_hwmon_device_register_with_info
      
      Cc: rdunlap@infradead.org
      Fixes: acbea679 (media: video-i2c: add hwmon support for amg88xx)
      Signed-off-by: default avatarMatt Ranostay <matt.ranostay@konsulko.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6a63ea10
    • Logan Gunthorpe's avatar
      PCI/switchtec: Fix init_completion race condition with poll_wait() · 12ce9fd7
      Logan Gunthorpe authored
      [ Upstream commit efbdc769 ]
      
      The call to init_completion() in mrpc_queue_cmd() can theoretically
      race with the call to poll_wait() in switchtec_dev_poll().
      
        poll()			write()
          switchtec_dev_poll()   	  switchtec_dev_write()
            poll_wait(&s->comp.wait);      mrpc_queue_cmd()
      			               init_completion(&s->comp)
      				         init_waitqueue_head(&s->comp.wait)
      
      To my knowledge, no one has hit this bug.
      
      Fix this by using reinit_completion() instead of init_completion() in
      mrpc_queue_cmd().
      
      Fixes: 080b47de ("MicroSemi Switchtec management interface driver")
      Reported-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarLogan Gunthorpe <logang@deltatee.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Link: https://lkml.kernel.org/r/20200313183608.2646-1-logang@deltatee.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      12ce9fd7
    • Andy Lutomirski's avatar
      selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault · 5004f40b
      Andy Lutomirski authored
      [ Upstream commit 630b99ab ]
      
      If AT_SYSINFO is not present, don't try to call a NULL pointer.
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/faaf688265a7e1a5b944d6f8bc0f6368158306d3.1584052409.git.luto@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      5004f40b
    • Michael Wang's avatar
      sched: Avoid scale real weight down to zero · 28516217
      Michael Wang authored
      [ Upstream commit 26cf5222 ]
      
      During our testing, we found a case that shares no longer
      working correctly, the cgroup topology is like:
      
        /sys/fs/cgroup/cpu/A		(shares=102400)
        /sys/fs/cgroup/cpu/A/B	(shares=2)
        /sys/fs/cgroup/cpu/A/B/C	(shares=1024)
      
        /sys/fs/cgroup/cpu/D		(shares=1024)
        /sys/fs/cgroup/cpu/D/E	(shares=1024)
        /sys/fs/cgroup/cpu/D/E/F	(shares=1024)
      
      The same benchmark is running in group C & F, no other tasks are
      running, the benchmark is capable to consumed all the CPUs.
      
      We suppose the group C will win more CPU resources since it could
      enjoy all the shares of group A, but it's F who wins much more.
      
      The reason is because we have group B with shares as 2, since
      A->cfs_rq.load.weight == B->se.load.weight == B->shares/nr_cpus,
      so A->cfs_rq.load.weight become very small.
      
      And in calc_group_shares() we calculate shares as:
      
        load = max(scale_load_down(cfs_rq->load.weight), cfs_rq->avg.load_avg);
        shares = (tg_shares * load) / tg_weight;
      
      Since the 'cfs_rq->load.weight' is too small, the load become 0
      after scale down, although 'tg_shares' is 102400, shares of the se
      which stand for group A on root cfs_rq become 2.
      
      While the se of D on root cfs_rq is far more bigger than 2, so it
      wins the battle.
      
      Thus when scale_load_down() scale real weight down to 0, it's no
      longer telling the real story, the caller will have the wrong
      information and the calculation will be buggy.
      
      This patch add check in scale_load_down(), so the real weight will
      be >= MIN_SHARES after scale, after applied the group C wins as
      expected.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarMichael Wang <yun.wang@linux.alibaba.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarVincent Guittot <vincent.guittot@linaro.org>
      Link: https://lkml.kernel.org/r/38e8e212-59a1-64b2-b247-b6d0b52d8dc1@linux.alibaba.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      28516217
    • Sungbo Eo's avatar
      irqchip/versatile-fpga: Handle chained IRQs properly · a99fafc9
      Sungbo Eo authored
      [ Upstream commit 486562da ]
      
      Enclose the chained handler with chained_irq_{enter,exit}(), so that the
      muxed interrupts get properly acked.
      
      This patch also fixes a reboot bug on OX820 SoC, where the jiffies timer
      interrupt is never acked. The kernel waits a clock tick forever in
      calibrate_delay_converge(), which leads to a boot hang.
      
      Fixes: c41b16f8 ("ARM: integrator/versatile: consolidate FPGA IRQ handling code")
      Signed-off-by: default avatarSungbo Eo <mans0n@gorani.run>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Link: https://lore.kernel.org/r/20200319023448.1479701-1-mans0n@gorani.runSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      a99fafc9
    • Konstantin Khlebnikov's avatar
      block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices · fd397508
      Konstantin Khlebnikov authored
      [ Upstream commit e74d93e9 ]
      
      Field bdi->io_pages added in commit 9491ae4a ("mm: don't cap request
      size based on read-ahead setting") removes unneeded split of read requests.
      
      Stacked drivers do not call blk_queue_max_hw_sectors(). Instead they set
      limits of their devices by blk_set_stacking_limits() + disk_stack_limits().
      Field bio->io_pages stays zero until user set max_sectors_kb via sysfs.
      
      This patch updates io_pages after merging limits in disk_stack_limits().
      
      Commit c6d6e9b0 ("dm: do not allow readahead to limit IO size") fixed
      the same problem for device-mapper devices, this one fixes MD RAIDs.
      
      Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting")
      Reviewed-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Reviewed-by: default avatarBob Liu <bob.liu@oracle.com>
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fd397508
    • Thomas Hellstrom's avatar
      x86: Don't let pgprot_modify() change the page encryption bit · 88d5a6fc
      Thomas Hellstrom authored
      [ Upstream commit 6db73f17 ]
      
      When SEV or SME is enabled and active, vm_get_page_prot() typically
      returns with the encryption bit set. This means that users of
      pgprot_modify(, vm_get_page_prot()) (mprotect_fixup(), do_mmap()) end up
      with a value of vma->vm_pg_prot that is not consistent with the intended
      protection of the PTEs.
      
      This is also important for fault handlers that rely on the VMA
      vm_page_prot to set the page protection. Fix this by not allowing
      pgprot_modify() to change the encryption bit, similar to how it's done
      for PAT bits.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Acked-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Link: https://lkml.kernel.org/r/20200304114527.3636-2-thomas_os@shipmail.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      88d5a6fc
    • Mathias Nyman's avatar
      xhci: bail out early if driver can't accress host in resume · 2554ae0c
      Mathias Nyman authored
      [ Upstream commit 72ae1947 ]
      
      Bail out early if the xHC host needs to be reset at resume
      but driver can't access xHC PCI registers.
      
      If xhci driver already fails to reset the controller then there
      is no point in attempting to free, re-initialize, re-allocate and
      re-start the host. If failure to access the host is detected later,
      failing the resume, xhci interrupts will be double freed
      when remove is called.
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Link: https://lore.kernel.org/r/20200312144517.1593-2-mathias.nyman@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2554ae0c
    • Alexey Dobriyan's avatar
      null_blk: fix spurious IO errors after failed past-wp access · fe5b2e54
      Alexey Dobriyan authored
      [ Upstream commit ff770422 ]
      
      Steps to reproduce:
      
      	BLKRESETZONE zone 0
      
      	// force EIO
      	pwrite(fd, buf, 4096, 4096);
      
      	[issue more IO including zone ioctls]
      
      It will start failing randomly including IO to unrelated zones because of
      ->error "reuse". Trigger can be partition detection as well if test is not
      run immediately which is even more entertaining.
      
      The fix is of course to clear ->error where necessary.
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAlexey Dobriyan (SK hynix) <adobriyan@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fe5b2e54
    • Bart Van Assche's avatar
      null_blk: Handle null_add_dev() failures properly · 3e57e69b
      Bart Van Assche authored
      [ Upstream commit 9b03b713 ]
      
      If null_add_dev() fails then null_del_dev() is called with a NULL argument.
      Make null_del_dev() handle this scenario correctly. This patch fixes the
      following KASAN complaint:
      
      null-ptr-deref in null_del_dev+0x28/0x280 [null_blk]
      Read of size 8 at addr 0000000000000000 by task find/1062
      
      Call Trace:
       dump_stack+0xa5/0xe6
       __kasan_report.cold+0x65/0x99
       kasan_report+0x16/0x20
       __asan_load8+0x58/0x90
       null_del_dev+0x28/0x280 [null_blk]
       nullb_group_drop_item+0x7e/0xa0 [null_blk]
       client_drop_item+0x53/0x80 [configfs]
       configfs_rmdir+0x395/0x4e0 [configfs]
       vfs_rmdir+0xb6/0x220
       do_rmdir+0x238/0x2c0
       __x64_sys_unlinkat+0x75/0x90
       do_syscall_64+0x6f/0x2f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Cc: Johannes Thumshirn <jth@kernel.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3e57e69b
    • Bart Van Assche's avatar
      null_blk: Fix the null_add_dev() error path · d1964461
      Bart Van Assche authored
      [ Upstream commit 2004bfde ]
      
      If null_add_dev() fails, clear dev->nullb.
      
      This patch fixes the following KASAN complaint:
      
      BUG: KASAN: use-after-free in nullb_device_submit_queues_store+0xcf/0x160 [null_blk]
      Read of size 8 at addr ffff88803280fc30 by task check/8409
      
      Call Trace:
       dump_stack+0xa5/0xe6
       print_address_description.constprop.0+0x26/0x260
       __kasan_report.cold+0x7b/0x99
       kasan_report+0x16/0x20
       __asan_load8+0x58/0x90
       nullb_device_submit_queues_store+0xcf/0x160 [null_blk]
       configfs_write_file+0x1c4/0x250 [configfs]
       __vfs_write+0x4c/0x90
       vfs_write+0x145/0x2c0
       ksys_write+0xd7/0x180
       __x64_sys_write+0x47/0x50
       do_syscall_64+0x6f/0x2f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7ff370926317
      Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
      RSP: 002b:00007fff2dd2da48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff370926317
      RDX: 0000000000000002 RSI: 0000559437ef23f0 RDI: 0000000000000001
      RBP: 0000559437ef23f0 R08: 000000000000000a R09: 0000000000000001
      R10: 0000559436703471 R11: 0000000000000246 R12: 0000000000000002
      R13: 00007ff370a006a0 R14: 00007ff370a014a0 R15: 00007ff370a008a0
      
      Allocated by task 8409:
       save_stack+0x23/0x90
       __kasan_kmalloc.constprop.0+0xcf/0xe0
       kasan_kmalloc+0xd/0x10
       kmem_cache_alloc_node_trace+0x129/0x4c0
       null_add_dev+0x24a/0xe90 [null_blk]
       nullb_device_power_store+0x1b6/0x270 [null_blk]
       configfs_write_file+0x1c4/0x250 [configfs]
       __vfs_write+0x4c/0x90
       vfs_write+0x145/0x2c0
       ksys_write+0xd7/0x180
       __x64_sys_write+0x47/0x50
       do_syscall_64+0x6f/0x2f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 8409:
       save_stack+0x23/0x90
       __kasan_slab_free+0x112/0x160
       kasan_slab_free+0x12/0x20
       kfree+0xdf/0x250
       null_add_dev+0xaf3/0xe90 [null_blk]
       nullb_device_power_store+0x1b6/0x270 [null_blk]
       configfs_write_file+0x1c4/0x250 [configfs]
       __vfs_write+0x4c/0x90
       vfs_write+0x145/0x2c0
       ksys_write+0xd7/0x180
       __x64_sys_write+0x47/0x50
       do_syscall_64+0x6f/0x2f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 2984c868 ("nullb: factor disk parameters")
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Cc: Johannes Thumshirn <jth@kernel.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Ming Lei <ming.lei@redhat.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d1964461
    • James Morse's avatar
      firmware: arm_sdei: fix double-lock on hibernate with shared events · 0dbab95a
      James Morse authored
      [ Upstream commit 6ded0b61 ]
      
      SDEI has private events that must be registered on each CPU. When
      CPUs come and go they must re-register and re-enable their private
      events. Each event has flags to indicate whether this should happen
      to protect against an event being registered on a CPU coming online,
      while all the others are unregistering the event.
      
      These flags are protected by the sdei_list_lock spinlock, because
      the cpuhp callbacks can't take the mutex.
      
      Hibernate needs to unregister all events, but keep the in-memory
      re-register and re-enable as they are. sdei_unregister_shared()
      takes the spinlock to walk the list, then calls _sdei_event_unregister()
      on each shared event. _sdei_event_unregister() tries to take the
      same spinlock to update re-register and re-enable. This doesn't go
      so well.
      
      Push the re-register and re-enable updates out to their callers.
      sdei_unregister_shared() doesn't want these values updated, so
      doesn't need to do anything.
      
      This also fixes shared events getting lost over hibernate as this
      path made them look unregistered.
      
      Fixes: da351827 ("firmware: arm_sdei: Add support for CPU and system power states")
      Reported-by: default avatarLiguang Zhang <zhangliguang@linux.alibaba.com>
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0dbab95a