1. 31 May, 2019 40 commits
    • Julian Wiedmann's avatar
      s390/qeth: handle error from qeth_update_from_chp_desc() · dfb23004
      Julian Wiedmann authored
      [ Upstream commit a4cdc9ba ]
      
      Subsequent code relies on the values that qeth_update_from_chp_desc()
      reads from the CHP descriptor. Rather than dealing with weird errors
      later on, just handle it properly here.
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfb23004
    • Mika Westerberg's avatar
      thunderbolt: Take domain lock in switch sysfs attribute callbacks · 6a3d844b
      Mika Westerberg authored
      [ Upstream commit 09f11b6c ]
      
      switch_lock was introduced because it allowed serialization of device
      authorization requests from userspace without need to take the big
      domain lock (tb->lock). This was fine because device authorization with
      ICM is just one command that is sent to the firmware. Now that we start
      to handle all tunneling in the driver switch_lock is not enough because
      we need to walk over the topology to establish paths.
      
      For this reason drop switch_lock from the driver completely in favour of
      big domain lock.
      
      There is one complication, though. If userspace is waiting for the lock
      in tb_switch_set_authorized(), it keeps the device_del() from removing
      the sysfs attribute because it waits for active users to release the
      attribute first which leads into following splat:
      
          INFO: task kworker/u8:3:73 blocked for more than 61 seconds.
                Tainted: G        W         5.1.0-rc1+ #244
          "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
          kworker/u8:3    D12976    73      2 0x80000000
          Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
          Call Trace:
           ? __schedule+0x2e5/0x740
           ? _raw_spin_lock_irqsave+0x12/0x40
           ? prepare_to_wait_event+0xc5/0x160
           schedule+0x2d/0x80
           __kernfs_remove.part.17+0x183/0x1f0
           ? finish_wait+0x80/0x80
           kernfs_remove_by_name_ns+0x4a/0x90
           remove_files.isra.1+0x2b/0x60
           sysfs_remove_group+0x38/0x80
           sysfs_remove_groups+0x24/0x40
           device_remove_attrs+0x3d/0x70
           device_del+0x14c/0x360
           device_unregister+0x15/0x50
           tb_switch_remove+0x9e/0x1d0 [thunderbolt]
           tb_handle_hotplug+0x119/0x5a0 [thunderbolt]
           ? process_one_work+0x1b7/0x420
           process_one_work+0x1b7/0x420
           worker_thread+0x37/0x380
           ? _raw_spin_unlock_irqrestore+0xf/0x30
           ? process_one_work+0x420/0x420
           kthread+0x118/0x130
           ? kthread_create_on_node+0x60/0x60
           ret_from_fork+0x35/0x40
      
      We deal this by following what network stack did for some of their
      attributes and use mutex_trylock() with restart_syscall(). This makes
      userspace release the attribute allowing sysfs attribute removal to
      progress before the write is restarted and eventually fail when the
      attribute is removed.
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6a3d844b
    • Nicholas Piggin's avatar
      irq_work: Do not raise an IPI when queueing work on the local CPU · 5f335f7c
      Nicholas Piggin authored
      [ Upstream commit 471ba0e6 ]
      
      The QEMU PowerPC/PSeries machine model was not expecting a self-IPI,
      and it may be a bit surprising thing to do, so have irq_work_queue_on
      do local queueing when target is the current CPU.
      Suggested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Reported-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarFrederic Weisbecker <frederic@kernel.org>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190409093403.20994-1-npiggin@gmail.com
      [ Simplified the preprocessor comments.
        Fixed unbalanced curly brackets pointed out by Thomas. ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5f335f7c
    • Luca Weiss's avatar
      drm/msm: Fix NULL pointer dereference · a02a8367
      Luca Weiss authored
      [ Upstream commit 7603df38 ]
      
      [    3.707412] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
      [    3.714511] pgd = (ptrval)
      [    3.722742] [0000009c] *pgd=00000000
      [    3.725238] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      [    3.728968] Modules linked in:
      [    3.734265] CPU: 3 PID: 112 Comm: kworker/3:2 Tainted: G        W         5.0.0-rc7-00183-g06a1c31df9eb #4
      [    3.737142] Hardware name: Generic DT based system
      [    3.746778] Workqueue: events deferred_probe_work_func
      [    3.751542] PC is at msm_gem_map_vma+0x3c/0xac
      [    3.756669] LR is at msm_gem_get_and_pin_iova+0xd8/0x134
      [    3.761086] pc : [<c07d3b7c>]    lr : [<c07d14f8>]    psr: 60000013
      [    3.766560] sp : ee297be8  ip : ed9ab1c0  fp : ed93b800
      [    3.772546] r10: ee35e180  r9 : 00000000  r8 : ee297c80
      [    3.777752] r7 : 00000000  r6 : 7c100000  r5 : 00000000  r4 : ee35e180
      [    3.782968] r3 : 00000001  r2 : 00000003  r1 : ee35e180  r0 : 00000000
      [    3.789562] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [    3.796079] Control: 10c5787d  Table: 2e3a806a  DAC: 00000051
      [    3.803282] Process kworker/3:2 (pid: 112, stack limit = 0x(ptrval))
      [    3.809006] Stack: (0xee297be8 to 0xee298000)
      [    3.815445] 7be0:                   00000000 c1108c48 eda8c000 00000003 eda8c0fc c1108c48
      [    3.819715] 7c00: eda8c000 00000003 eda8c0fc c07d14f8 00000001 c07d1100 7c100000 00000000
      [    3.827873] 7c20: eda8c000 bb7ffb78 00000000 eda8c000 00000000 00000000 c0c8b1d4 ee3bfa00
      [    3.836037] 7c40: ee3b9800 c07d1684 00000000 c1108c48 ee0d7810 ee3b9800 c0c8b1d4 c07d222c
      [    3.844193] 7c60: ee3bfd84 ee297c80 00000000 c0b1d5b0 ee3bfc40 c07dcfd8 ee3bfd84 ee297c80
      [    3.852357] 7c80: 0000006d ee3bfc40 ee0d7810 bb7ffb78 c0c8b1d4 00000000 ee3bfc40 c07ddb48
      [    3.860516] 7ca0: 00002004 c0eba384 ee3bfc40 c079eba0 ee3bd040 ee3b9800 00000001 ed93b800
      [    3.868673] 7cc0: ed9aa100 c07db7e8 ee3bf240 ed9a6500 00000001 ee3b9800 ee3bf2d4 c07a0a30
      [    3.876834] 7ce0: ed93b800 7d100000 c1108c48 ee0d7610 ee3b9800 ed93b800 c1108c48 00000000
      [    3.884991] 7d00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    3.893151] 7d20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bb7ffb78
      [    3.901310] 7d40: c12113c4 ed93b800 ee3b9800 c1108c48 ee9eec10 00000000 ed93b800 7d100000
      [    3.909472] 7d60: eff7b000 c07cf748 7d100000 00000000 c0e9a350 c0b1d5b0 c12113c4 c0961e40
      [    3.917633] 7d80: c12113c4 40000113 eeff4bec c0ebe004 00000019 c0b1d230 ee9eeda8 60000113
      [    3.925791] 7da0: ee35d300 ee9eeda8 c07ce260 bb7ffb78 c07ce260 ee35d2c0 00000028 00000002
      [    3.933950] 7dc0: eeb76280 c118f884 ee0be640 c11c6128 c07ce260 c07ea4ac 00000000 c0962b48
      [    3.942108] 7de0: c118f868 00000001 c0ebbc98 ee35d2c0 00000000 eeb76280 00000000 c118f87c
      [    3.950270] 7e00: ee35d2c0 00000000 c11c63e0 c118f694 00000019 c07ea5d0 ee0d7810 00000000
      [    3.958430] 7e20: c118f694 00000000 00000000 c07f2b0c c120f55c ee0d7810 c120f560 00000000
      [    3.966590] 7e40: 00000000 c07f08c4 c07f0e8c ee0d7810 c11ba3d0 ee0d7810 c118f694 c07f0e8c
      [    3.974748] 7e60: c1108c48 00000001 c0ebc3cc c11c63f8 c11ba3d0 c07f0c08 00000001 c07f2f8c
      [    3.982908] 7e80: c118f694 00000000 ee297ed4 c07f0e8c c1108c48 00000001 c0ebc3cc c11c63f8
      [    3.991068] 7ea0: c11ba3d0 c07ee8a0 c11ba3d0 ee82686c ee0baf38 bb7ffb78 ee0d7810 ee0d7810
      [    3.999227] 7ec0: c1108c48 ee0d7844 c118faac c07f05b0 ee0d7810 ee0d7810 00000001 bb7ffb78
      [    4.007389] 7ee0: ee0d7810 ee0d7810 c118fd18 c118faac c11c63e0 c07ef7d0 ee0d7810 c118fa90
      [    4.015548] 7f00: c118fa90 c07efd68 c118fac8 ee27fe00 eefd9c80 eefdcd00 00000000 c118facc
      [    4.023708] 7f20: 00000000 c033c038 eefd9c80 eefd9c80 00000008 ee27fe00 ee27fe14 eefd9c80
      [    4.031866] 7f40: 00000008 c1103d00 eefd9c98 ee296000 eefd9c80 c033ce54 ee907eac c0b1d230
      [    4.040026] 7f60: ee907eac eea24440 ee285000 00000000 ee296000 ee27fe00 c033ce24 eea2445c
      [    4.048188] 7f80: ee907eac c0341db0 00000000 ee285000 c0341c8c 00000000 00000000 00000000
      [    4.056346] 7fa0: 00000000 00000000 00000000 c03010e8 00000000 00000000 00000000 00000000
      [    4.064505] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    4.072665] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [    4.080828] [<c07d3b7c>] (msm_gem_map_vma) from [<c07d14f8>] (msm_gem_get_and_pin_iova+0xd8/0x134)
      [    4.088983] [<c07d14f8>] (msm_gem_get_and_pin_iova) from [<c07d1684>] (_msm_gem_kernel_new+0x38/0xac)
      [    4.097839] [<c07d1684>] (_msm_gem_kernel_new) from [<c07d222c>] (msm_gem_kernel_new+0x24/0x2c)
      [    4.107130] [<c07d222c>] (msm_gem_kernel_new) from [<c07dcfd8>] (dsi_tx_buf_alloc_6g+0x44/0x90)
      [    4.115631] [<c07dcfd8>] (dsi_tx_buf_alloc_6g) from [<c07ddb48>] (msm_dsi_host_modeset_init+0x80/0x104)
      [    4.124313] [<c07ddb48>] (msm_dsi_host_modeset_init) from [<c07db7e8>] (msm_dsi_modeset_init+0x34/0x1c0)
      [    4.133691] [<c07db7e8>] (msm_dsi_modeset_init) from [<c07a0a30>] (mdp5_kms_init+0x764/0x7e0)
      [    4.143409] [<c07a0a30>] (mdp5_kms_init) from [<c07cf748>] (msm_drm_bind+0x56c/0x740)
      [    4.151824] [<c07cf748>] (msm_drm_bind) from [<c07ea4ac>] (try_to_bring_up_master+0x238/0x2b4)
      [    4.159636] [<c07ea4ac>] (try_to_bring_up_master) from [<c07ea5d0>] (component_add+0xa8/0x170)
      [    4.168146] [<c07ea5d0>] (component_add) from [<c07f2b0c>] (platform_drv_probe+0x48/0x9c)
      [    4.176737] [<c07f2b0c>] (platform_drv_probe) from [<c07f08c4>] (really_probe+0x278/0x404)
      [    4.184981] [<c07f08c4>] (really_probe) from [<c07f0c08>] (driver_probe_device+0x78/0x1c0)
      [    4.193147] [<c07f0c08>] (driver_probe_device) from [<c07ee8a0>] (bus_for_each_drv+0x74/0xb8)
      [    4.201389] [<c07ee8a0>] (bus_for_each_drv) from [<c07f05b0>] (__device_attach+0xd0/0x164)
      [    4.209984] [<c07f05b0>] (__device_attach) from [<c07ef7d0>] (bus_probe_device+0x84/0x8c)
      [    4.218143] [<c07ef7d0>] (bus_probe_device) from [<c07efd68>] (deferred_probe_work_func+0x48/0xc4)
      [    4.226398] [<c07efd68>] (deferred_probe_work_func) from [<c033c038>] (process_one_work+0x204/0x574)
      [    4.235254] [<c033c038>] (process_one_work) from [<c033ce54>] (worker_thread+0x30/0x560)
      [    4.244534] [<c033ce54>] (worker_thread) from [<c0341db0>] (kthread+0x124/0x154)
      [    4.252606] [<c0341db0>] (kthread) from [<c03010e8>] (ret_from_fork+0x14/0x2c)
      [    4.259966] Exception stack(0xee297fb0 to 0xee297ff8)
      [    4.266998] 7fa0:                                     00000000 00000000 00000000 00000000
      [    4.272143] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    4.280297] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      [    4.288451] Code: e5813080 1a000013 e3a03001 e5c4307c (e590009c)
      [    4.294933] ---[ end trace 18729cc2bca2b4b3 ]---
      Signed-off-by: default avatarLuca Weiss <luca@z3ntu.xyz>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarRob Clark <robdclark@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a02a8367
    • Sean Paul's avatar
      drm/msm: dpu: Don't set frame_busy_mask for async updates · 48f41424
      Sean Paul authored
      [ Upstream commit f98baa31 ]
      
      The frame_busy mask is used in frame_done event handling, which is not
      invoked for async commits. So an async commit will leave the
      frame_busy mask populated after it completes and future commits will start
      with the busy mask incorrect.
      
      This showed up on disable after cursor move. I was hitting the "this should
      not happen" comment in the frame event worker since frame_busy was set,
      we queued the event, but there were no frames pending (since async
      also doesn't set that).
      Reviewed-by: default avatarFritz Koenig <frkoenig@google.com>
      Signed-off-by: default avatarSean Paul <seanpaul@chromium.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190130163220.138637-1-sean@poorly.runSigned-off-by: default avatarRob Clark <robdclark@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      48f41424
    • Wen Yang's avatar
      drm/msm: a5xx: fix possible object reference leak · 15180fd9
      Wen Yang authored
      [ Upstream commit 6cd5235c ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 47, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:57:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:66:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      drivers/gpu/drm/msm/adreno/a5xx_gpu.c:118:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 51, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Rob Clark <robdclark@gmail.com>
      Cc: Sean Paul <sean@poorly.run>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Jordan Crouse <jcrouse@codeaurora.org>
      Cc: Mamta Shukla <mamtashukla555@gmail.com>
      Cc: Thomas Zimmermann <tzimmermann@suse.de>
      Cc: Sharat Masetty <smasetty@codeaurora.org>
      Cc: linux-arm-msm@vger.kernel.org
      Cc: dri-devel@lists.freedesktop.org
      Cc: freedreno@lists.freedesktop.org
      Cc: linux-kernel@vger.kernel.org (open list)
      Reviewed-by: default avatarJordan Crouse <jcrouse@codeaurora.org>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarRob Clark <robdclark@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      15180fd9
    • Jeykumar Sankaran's avatar
      drm/msm/dpu: release resources on modeset failure · aa6b53c2
      Jeykumar Sankaran authored
      [ Upstream commit a7fcc323 ]
      
      release resources allocated in mode_set if any of
      the hw check fails. Most of these checks are not
      necessary and they will be removed in the follow up
      patches with state based resource allocations.
      Signed-off-by: default avatarJeykumar Sankaran <jsanka@codeaurora.org>
      Signed-off-by: default avatarSean Paul <seanpaul@chromium.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/1550107156-17625-4-git-send-email-jsanka@codeaurora.orgSigned-off-by: default avatarRob Clark <robdclark@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aa6b53c2
    • Nicholas Mc Guire's avatar
      staging: vc04_services: handle kzalloc failure · 216fb3cc
      Nicholas Mc Guire authored
      [ Upstream commit a5112277 ]
      
      The kzalloc here was being used without checking the return - if the
      kzalloc fails return VCHIQ_ERROR. The call-site of
      vchiq_platform_init_state() vchiq_init_state() was not responding
      to an allocation failure so checks for != VCHIQ_SUCCESS
      and pass VCHIQ_ERROR up to vchiq_platform_init() which then
      will fail with -EINVAL.
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Acked-By: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      216fb3cc
    • Konstantin Khlebnikov's avatar
      sched/core: Handle overflow in cpu_shares_write_u64 · 16e061eb
      Konstantin Khlebnikov authored
      [ Upstream commit 5b61d50a ]
      
      Bit shift in scale_load() could overflow shares. This patch saturates
      it to MAX_SHARES like following sched_group_set_shares().
      
      Example:
      
       # echo 9223372036854776832 > cpu.shares
       # cat cpu.shares
      
      Before patch: 1024
      After pattch: 262144
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzzSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      16e061eb
    • Konstantin Khlebnikov's avatar
      sched/rt: Check integer overflow at usec to nsec conversion · b698e991
      Konstantin Khlebnikov authored
      [ Upstream commit 1a010e29 ]
      
      Example of unhandled overflows:
      
       # echo 18446744073709651 > cpu.rt_runtime_us
       # cat cpu.rt_runtime_us
       99
      
       # echo 18446744073709900 > cpu.rt_period_us
       # cat cpu.rt_period_us
       348
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125501739.293431.5252197504404771496.stgit@buzzSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b698e991
    • Konstantin Khlebnikov's avatar
      sched/core: Check quota and period overflow at usec to nsec conversion · dcfdbf77
      Konstantin Khlebnikov authored
      [ Upstream commit 1a8b4540 ]
      
      Large values could overflow u64 and pass following sanity checks.
      
       # echo 18446744073750000 > cpu.cfs_period_us
       # cat cpu.cfs_period_us
       40448
      
       # echo 18446744073750000 > cpu.cfs_quota_us
       # cat cpu.cfs_quota_us
       40448
      
      After this patch they will fail with -EINVAL.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzzSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dcfdbf77
    • Roman Gushchin's avatar
      cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock · fa317078
      Roman Gushchin authored
      [ Upstream commit 4dcabece ]
      
      The number of descendant cgroups and the number of dying
      descendant cgroups are currently synchronized using the cgroup_mutex.
      
      The number of descendant cgroups will be required by the cgroup v2
      freezer, which will use it to determine if a cgroup is frozen
      (depending on total number of descendants and number of frozen
      descendants). It's not always acceptable to grab the cgroup_mutex,
      especially from quite hot paths (e.g. exit()).
      
      To avoid this, let's additionally synchronize these counters using
      the css_set_lock.
      
      So, it's safe to read these counters with either cgroup_mutex or
      css_set_lock locked, and for changing both locks should be acquired.
      Signed-off-by: default avatarRoman Gushchin <guro@fb.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: kernel-team@fb.com
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fa317078
    • Sebastian Andrzej Siewior's avatar
      random: add a spinlock_t to struct batched_entropy · 50a41f60
      Sebastian Andrzej Siewior authored
      [ Upstream commit b7d5dc21 ]
      
      The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
      This is just a preempt_disable() which ensures that the variable is only
      from the local CPU. It does not protect against users on the same CPU
      from another context. It is possible that a preemptible context reads
      slot 0 and then an interrupt occurs and the same value is read again.
      
      The above scenario is confirmed by lockdep if we add a spinlock:
      | ================================
      | WARNING: inconsistent lock state
      | 5.1.0-rc3+ #42 Not tainted
      | --------------------------------
      | inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      | ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
      | (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
      | {SOFTIRQ-ON-W} state was registered at:
      |   _raw_spin_lock+0x2a/0x40
      |   get_random_u32+0x3e/0xe0
      |   new_slab+0x15c/0x7b0
      |   ___slab_alloc+0x492/0x620
      |   __slab_alloc.isra.73+0x53/0xa0
      |   kmem_cache_alloc_node+0xaf/0x2a0
      |   copy_process.part.41+0x1e1/0x2370
      |   _do_fork+0xdb/0x6d0
      |   kernel_thread+0x20/0x30
      |   kthreadd+0x1ba/0x220
      |   ret_from_fork+0x3a/0x50
      …
      | other info that might help us debug this:
      |  Possible unsafe locking scenario:
      |
      |        CPU0
      |        ----
      |   lock(batched_entropy_u32.lock);
      |   <Interrupt>
      |     lock(batched_entropy_u32.lock);
      |
      |  *** DEADLOCK ***
      |
      | stack backtrace:
      | Call Trace:
      …
      |  kmem_cache_alloc_trace+0x20e/0x270
      |  ipmi_alloc_recv_msg+0x16/0x40
      …
      |  __do_softirq+0xec/0x48d
      |  run_ksoftirqd+0x37/0x60
      |  smpboot_thread_fn+0x191/0x290
      |  kthread+0xfe/0x130
      |  ret_from_fork+0x3a/0x50
      
      Add a spinlock_t to the batched_entropy data structure and acquire the
      lock while accessing it. Acquire the lock with disabled interrupts
      because this function may be used from interrupt context.
      
      Remove the batched_entropy_reset_lock lock. Now that we have a lock for
      the data scructure, we can access it from a remote CPU.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      50a41f60
    • Jon DeVree's avatar
      random: fix CRNG initialization when random.trust_cpu=1 · 6f9c63bc
      Jon DeVree authored
      [ Upstream commit fe6f1a6a ]
      
      When the system boots with random.trust_cpu=1 it doesn't initialize the
      per-NUMA CRNGs because it skips the rest of the CRNG startup code. This
      means that the code from 1e7f583a ("random: make /dev/urandom scalable
      for silly userspace programs") is not used when random.trust_cpu=1.
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314029] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $6 = (struct crng_state **) 0x0
      
      After adding the missing call to numa_crng_init() the per-NUMA CRNGs are
      initialized again:
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314031] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $1 = (struct crng_state **) 0xffff9a915f4014a0
      
      The call to invalidate_batched_entropy() was also missing. This is
      important for architectures like PPC and S390 which only have the
      arch_get_random_seed_* functions.
      
      Fixes: 39a8883a ("random: add a config option to trust the CPU's hwrng")
      Signed-off-by: default avatarJon DeVree <nuxi@vault24.org>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6f9c63bc
    • Russell Currey's avatar
      powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX · ee079354
      Russell Currey authored
      [ Upstream commit 56c46bba ]
      
      With STRICT_KERNEL_RWX enabled anything marked __init is placed at a 16M
      boundary.  This is necessary so that it can be repurposed later with
      different permissions.  However, in kernels with text larger than 16M,
      this pushes early_setup past 32M, incapable of being reached by the
      branch instruction.
      
      Fix this by setting the CTR and branching there instead.
      
      Fixes: 1e0fc9d1 ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
      Signed-off-by: default avatarRussell Currey <ruscur@russell.cc>
      [mpe: Fix it to work on BE by using DOTSYM()]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ee079354
    • Nathan Lynch's avatar
      powerpc/numa: improve control of topology updates · c4fb49c7
      Nathan Lynch authored
      [ Upstream commit 2d4d9b30 ]
      
      When booted with "topology_updates=no", or when "off" is written to
      /proc/powerpc/topology_updates, NUMA reassignments are inhibited for
      PRRN and VPHN events. However, migration and suspend unconditionally
      re-enable reassignments via start_topology_update(). This is
      incoherent.
      
      Check the topology_updates_enabled flag in
      start/stop_topology_update() so that callers of those APIs need not be
      aware of whether reassignments are enabled. This allows the
      administrative decision on reassignments to remain in force across
      migrations and suspensions.
      Signed-off-by: default avatarNathan Lynch <nathanl@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c4fb49c7
    • Yufen Yu's avatar
      block: fix use-after-free on gendisk · 5090dd8f
      Yufen Yu authored
      [ Upstream commit 2c88e3c7 ]
      
      commit 2da78092 "block: Fix dev_t minor allocation lifetime"
      specifically moved blk_free_devt(dev->devt) call to part_release()
      to avoid reallocating device number before the device is fully
      shutdown.
      
      However, it can cause use-after-free on gendisk in get_gendisk().
      We use md device as example to show the race scenes:
      
      Process1		Worker			Process2
      md_free
      						blkdev_open
      del_gendisk
        add delete_partition_work_fn() to wq
        						__blkdev_get
      						get_gendisk
      put_disk
        disk_release
          kfree(disk)
          						find part from ext_devt_idr
      						get_disk_and_module(disk)
          					  	cause use after free
      
          			delete_partition_work_fn
      			put_device(part)
          		  	part_release
      		    	remove part from ext_devt_idr
      
      Before <devt, hd_struct pointer> is removed from ext_devt_idr by
      delete_partition_work_fn(), we can find the devt and then access
      gendisk by hd_struct pointer. But, if we access the gendisk after
      it have been freed, it can cause in use-after-freeon gendisk in
      get_gendisk().
      
      We fix this by adding a new helper blk_invalidate_devt() in
      delete_partition() and del_gendisk(). It replaces hd_struct
      pointer in idr with value 'NULL', and deletes the entry from
      idr in part_release() as we do now.
      
      Thanks to Jan Kara for providing the solution and more clear comments
      for the code.
      
      Fixes: 2da78092 ("block: Fix dev_t minor allocation lifetime")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Suggested-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarYufen Yu <yuyufen@huawei.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5090dd8f
    • Fabrice Gasnier's avatar
      iio: adc: stm32-dfsdm: fix unmet direct dependencies detected · 3404d705
      Fabrice Gasnier authored
      [ Upstream commit ba7ecfe4 ]
      
      This fixes unmet direct dependencies seen when CONFIG_STM32_DFSDM_ADC
      is selected:
      
      WARNING: unmet direct dependencies detected for IIO_BUFFER_HW_CONSUMER
        Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
        Selected by [y]:
        - STM32_DFSDM_ADC [=y] && IIO [=y] && (ARCH_STM32 [=y] && OF [=y] ||
          COMPILE_TEST [=n])
      
      Fixes: e2e6771c ("IIO: ADC: add STM32 DFSDM sigma delta ADC support")
      Signed-off-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3404d705
    • Dan Carpenter's avatar
      media: pvrusb2: Prevent a buffer overflow · 5ffb30e6
      Dan Carpenter authored
      [ Upstream commit c1ced46c ]
      
      The ctrl_check_input() function is called from pvr2_ctrl_range_check().
      It's supposed to validate user supplied input and return true or false
      depending on whether the input is valid or not.  The problem is that
      negative shifts or shifts greater than 31 are undefined in C.  In
      practice with GCC they result in shift wrapping so this function returns
      true for some inputs which are not valid and this could result in a
      buffer overflow:
      
          drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
          warn: uncapped user index 'names[val]'
      
      The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
      and the highest valid bit is BIT(4).
      
      Fixes: 7fb20fa3 ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5ffb30e6
    • Shuah Khan's avatar
      media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() · 02dce75a
      Shuah Khan authored
      [ Upstream commit 898bc40b ]
      
      Fix au0828_analog_stream_enable() to check if device is in the right
      state first. When unbind happens while bind is in progress, usbdev
      pointer could be invalid in au0828_analog_stream_enable() and a call
      to usb_ifnum_to_if() will result in the null pointer dereference.
      
      This problem is found with the new media_dev_allocator.sh test.
      
      kernel: [  590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
      kernel: [  590.359627] #PF error: [normal kernel read fault]
      kernel: [  590.359629] PGD 0 P4D 0
      kernel: [  590.359632] Oops: 0000 [#1] SMP PTI
      kernel: [  590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
      kernel: [  590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
      kernel: [  590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
      kernel: [  590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
       10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
      6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
      9 74
      kernel: [  590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
      kernel: [  590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
      kernel: [  590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
      kernel: [  590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
      kernel: [  590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
      kernel: [  590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
      kernel: [  590.359654] FS:  00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
      kernel: [  590.359655] CS:  0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
      kernel: [  590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
      kernel: [  590.359658] Call Trace:
      kernel: [  590.359664]  ? au0828_analog_stream_enable+0x2c/0x180
      kernel: [  590.359666]  au0828_v4l2_open+0xa4/0x110
      kernel: [  590.359670]  v4l2_open+0x8b/0x120
      kernel: [  590.359674]  chrdev_open+0xa6/0x1c0
      kernel: [  590.359676]  ? cdev_put.part.3+0x20/0x20
      kernel: [  590.359678]  do_dentry_open+0x1f6/0x360
      kernel: [  590.359681]  vfs_open+0x2f/0x40
      kernel: [  590.359684]  path_openat+0x299/0xc20
      kernel: [  590.359688]  do_filp_open+0x9b/0x110
      kernel: [  590.359695]  ? _raw_spin_unlock+0x27/0x40
      kernel: [  590.359697]  ? __alloc_fd+0xb2/0x160
      kernel: [  590.359700]  do_sys_open+0x1ba/0x260
      kernel: [  590.359702]  ? do_sys_open+0x1ba/0x260
      kernel: [  590.359712]  __x64_sys_openat+0x20/0x30
      kernel: [  590.359715]  do_syscall_64+0x5a/0x120
      kernel: [  590.359718]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      02dce75a
    • Hugues Fruchet's avatar
      media: stm32-dcmi: fix crash when subdev do not expose any formats · 74a8b114
      Hugues Fruchet authored
      [ Upstream commit 33dfeb62 ]
      
      Do not access sd_formats[] if num_of_sd_formats is zero, ie
      subdev sensor didn't expose any formats.
      Signed-off-by: default avatarHugues Fruchet <hugues.fruchet@st.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      74a8b114
    • Wenwen Wang's avatar
      audit: fix a memory leak bug · bfda6425
      Wenwen Wang authored
      [ Upstream commit 70c4cf17 ]
      
      In audit_rule_change(), audit_data_to_entry() is firstly invoked to
      translate the payload data to the kernel's rule representation. In
      audit_data_to_entry(), depending on the audit field type, an audit tree may
      be created in audit_make_tree(), which eventually invokes kmalloc() to
      allocate the tree.  Since this tree is a temporary tree, it will be then
      freed in the following execution, e.g., audit_add_rule() if the message
      type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
      AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
      AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
      temporary tree is not freed.
      
      To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
      or AUDIT_DEL_RULE.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bfda6425
    • Akinobu Mita's avatar
      media: ov2659: make S_FMT succeed even if requested format doesn't match · e76dde35
      Akinobu Mita authored
      [ Upstream commit bccb89cf ]
      
      This driver returns an error if unsupported media bus pixel code is
      requested by VIDIOC_SUBDEV_S_FMT.
      
      But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
      
      Drivers must not return an error solely because the requested format
      doesn't match the device capabilities. They must instead modify the
      format to match what the hardware can provide.
      
      So select default format code and return success in that case.
      
      This is detected by v4l2-compliance.
      
      Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Acked-by: default avatarLad, Prabhakar <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e76dde35
    • Hans Verkuil's avatar
      media: au0828: stop video streaming only when last user stops · 84e9e876
      Hans Verkuil authored
      [ Upstream commit f604f0f5 ]
      
      If the application was streaming from both videoX and vbiX, and streaming
      from videoX was stopped, then the vbi streaming also stopped.
      
      The cause being that stop_streaming for video stopped the subdevs as well,
      instead of only doing that if dev->streaming_users reached 0.
      
      au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
      at all when dev->streaming_users reached 0.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Tested-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      84e9e876
    • Janusz Krzysztofik's avatar
      media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper · bb9d3fab
      Janusz Krzysztofik authored
      [ Upstream commit ccdd85d5 ]
      
      In preparation for adding asynchronous subdevice support to the driver,
      don't acquire v4l2_clk from the driver .probe() callback as that may
      fail if the clock is provided by a bridge driver which may be not yet
      initialized.  Move the v4l2_clk_get() to ov6650_video_probe() helper
      which is going to be converted to v4l2_subdev_internal_ops.registered()
      callback, executed only when the bridge driver is ready.
      Signed-off-by: default avatarJanusz Krzysztofik <jmkrzyszt@gmail.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bb9d3fab
    • Philipp Zabel's avatar
      media: coda: clear error return value before picture run · d209a6be
      Philipp Zabel authored
      [ Upstream commit bbeefa73 ]
      
      The error return value is not written by some firmware codecs, such as
      MPEG-2 decode on CodaHx4. Clear the error return value before starting
      the picture run to avoid misinterpreting unrelated values returned by
      sequence initialization as error return value.
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d209a6be
    • Nicolas Ferre's avatar
      dmaengine: at_xdmac: remove BUG_ON macro in tasklet · d8ccd99e
      Nicolas Ferre authored
      [ Upstream commit e2c114c0 ]
      
      Even if this case shouldn't happen when controller is properly programmed,
      it's still better to avoid dumping a kernel Oops for this.
      As the sequence may happen only for debugging purposes, log the error and
      just finish the tasklet call.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d8ccd99e
    • Robin Murphy's avatar
      perf/arm-cci: Remove broken race mitigation · 8cc056ec
      Robin Murphy authored
      [ Upstream commit 0d2e2a82 ]
      
      Uncore PMU drivers face an awkward cyclic dependency wherein:
      
       - They have to pick a valid online CPU to associate with before
         registering the PMU device, since it will get exposed to userspace
         immediately.
       - The PMU registration has to be be at least partly complete before
         hotplug events can be handled, since trying to migrate an
         uninitialised context would be bad.
       - The hotplug handler has to be ready as soon as a CPU is chosen, lest
         it go offline without the user-visible cpumask value getting updated.
      
      The arm-cci driver has tried to solve this by using get_cpu() to pick
      the current CPU and prevent it from disappearing while both
      registrations are performed, but that results in taking mutexes with
      preemption disabled, which makes certain configurations very unhappy:
      
      [ 1.983337] BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:2004
      [ 1.983340] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
      [ 1.983342] Preemption disabled at:
      [ 1.983353] [<ffffff80089801f4>] cci_pmu_probe+0x1dc/0x488
      [ 1.983360] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.20-rt8-yocto-preempt-rt #1
      [ 1.983362] Hardware name: ZynqMP ZCU102 Rev1.0 (DT)
      [ 1.983364] Call trace:
      [ 1.983369] dump_backtrace+0x0/0x158
      [ 1.983372] show_stack+0x24/0x30
      [ 1.983378] dump_stack+0x80/0xa4
      [ 1.983383] ___might_sleep+0x138/0x160
      [ 1.983386] __might_sleep+0x58/0x90
      [ 1.983391] __rt_mutex_lock_state+0x30/0xc0
      [ 1.983395] _mutex_lock+0x24/0x30
      [ 1.983400] perf_pmu_register+0x2c/0x388
      [ 1.983404] cci_pmu_probe+0x2bc/0x488
      [ 1.983409] platform_drv_probe+0x58/0xa8
      
      It is not feasible to resolve all the possible races outside of the perf
      core itself, so address the immediate bug by following the example of
      nearly every other PMU driver and not even trying to do so. Registering
      the hotplug notifier first should minimise the window in which things
      can go wrong, so that's about as much as we can reasonably do here. This
      also revealed an additional race in assigning the global pointer too
      late relative to the hotplug notifier, which gets fixed in the process.
      Reported-by: default avatarLi, Meng <Meng.Li@windriver.com>
      Tested-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Reviewed-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8cc056ec
    • Douglas Anderson's avatar
      clk: rockchip: undo several noc and special clocks as critical on rk3288 · d7c7530c
      Douglas Anderson authored
      [ Upstream commit f4033db5 ]
      
      This is mostly a revert of commit 55bb6a63 ("clk: rockchip: mark
      noc and some special clk as critical on rk3288") except that we're
      keeping "pmu_hclk_otg0" as critical still.
      
      NOTE: turning these clocks off doesn't seem to do a whole lot in terms
      of power savings (checking the power on the logic rail).  It appears
      to save maybe 1-2mW.  ...but still it seems like we should turn the
      clocks off if they aren't needed.
      
      About "pmu_hclk_otg0" (the one clock from the original commit we're
      still keeping critical) from an email thread:
      
      > pmu ahb clock
      >
      > Function: Clock to pmu module when hibernation and/or ADP is
      > enabled. Must be greater than or equal to 30 MHz.
      >
      > If the SOC design does not support hibernation/ADP function, only have
      > hclk_otg, this clk can be switched according to the usage of otg.
      > If the SOC design support hibernation/ADP, has two clocks, hclk_otg and
      > pmu_hclk_otg0.
      > Hclk_otg belongs to the closed part of otg logic, which can be switched
      > according to the use of otg.
      >
      > pmu_hclk_otg0 belongs to the always on part.
      >
      > As for whether pmu_hclk_otg0 can be turned off when otg is not in use,
      > we have not tested. IC suggest make pmu_hclk_otg0 always on.
      
      For the rest of the clocks:
      
      atclk: No documentation about this clock other than that it goes to
      the CPU.  CPU functions fine without it on.  Maybe needed for JTAG?
      
      jtag: Presumably this clock is only needed if you're debugging with
      JTAG.  It doesn't seem like it makes sense to waste power for every
      rk3288 user.  In any case to do JTAG you'd need private patches to
      adjust the pinctrl the mux the JTAG out anyway.
      
      pclk_dbg, pclk_core_niu: On veyron Chromebooks we turn these two
      clocks on only during kernel panics in order to access some coresight
      registers.  Since nothing in the upstream kernel does this we should
      be able to leave them off safely.  Maybe also needed for JTAG?
      
      hsicphy12m_xin12m: There is no indication of why this clock would need
      to be turned on for boards that don't use HSIC.
      
      pclk_ddrupctl[0-1], pclk_publ0[0-1]: On veyron Chromebooks we turn
      these 4 clocks on only when doing DDR transitions and they are off
      otherwise.  I see no reason why they'd need to be on in the upstream
      kernel which doesn't support DDRFreq.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarElaine Zhang <zhangqing@rock-chips.com>
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d7c7530c
    • Wen Yang's avatar
      pinctrl: samsung: fix leaked of_node references · d7f62072
      Wen Yang authored
      [ Upstream commit 44b9f86c ]
      
      The call to of_find_compatible_node returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:76:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
      ./drivers/pinctrl/samsung/pinctrl-exynos-arm.c:82:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 66, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Tomasz Figa <tomasz.figa@gmail.com>
      Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
      Cc: Kukjin Kim <kgene@kernel.org>
      Cc: linux-samsung-soc@vger.kernel.org
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d7f62072
    • Wen Yang's avatar
      pinctrl: st: fix leaked of_node references · e2ef3ec3
      Wen Yang authored
      [ Upstream commit 483d70d7 ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/pinctrl-st.c:1188:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
      ./drivers/pinctrl/pinctrl-st.c:1188:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
      ./drivers/pinctrl/pinctrl-st.c:1199:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
      ./drivers/pinctrl/pinctrl-st.c:1199:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1175, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Patrice Chotard <patrice.chotard@st.com>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org (open list)
      Reviewed-by: default avatarPatrice Chotard <patrice.chotard@st.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e2ef3ec3
    • Wen Yang's avatar
      pinctrl: pistachio: fix leaked of_node references · a101de06
      Wen Yang authored
      [ Upstream commit 44a4455a ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a101de06
    • Hans de Goede's avatar
      HID: logitech-hidpp: use RAP instead of FAP to get the protocol version · fe340cca
      Hans de Goede authored
      [ Upstream commit 09637752 ]
      
      According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
      https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
      
      We should use a register-access-protocol request using the short input /
      output report ids. This is necessary because 27MHz HID++ receivers have
      a max-packetsize on their HIP++ endpoint of 8, so they cannot support
      long reports. Using a feature-access-protocol request (which is always
      long or very-long) with these will cause a timeout error, followed by
      the hidpp driver treating the device as not being HID++ capable.
      
      This commit fixes this by switching to using a rap request to get the
      protocol version.
      
      Besides being tested with a (046d:c517) 27MHz receiver with various
      27MHz keyboards and mice, this has also been tested to not cause
      regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
      k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
      (046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fe340cca
    • Sean Wang's avatar
      Bluetooth: mediatek: Fixed incorrect type in assignment · a07c802b
      Sean Wang authored
      [ Upstream commit cac63f9b ]
      
      Fixed warning: incorrect type in assignment reported by kbuild test robot.
      The detailed warning is shown as below.
      
      make ARCH=x86_64 allmodconfig
      make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
      
      All warnings (new ones prefixed by >>):
      
      btmtkuart.c:671:18: sparse:    warning: incorrect type in assignment
      			       (different base types)
      btmtkuart.c:671:18: sparse:    expected unsigned int [usertype] baudrate
      btmtkuart.c:671:18: sparse:    got restricted __le32 [usertype]
      
      sparse warnings: (new ones prefixed by >>)
      btmtkuart.c:671:18: sparse: warning: incorrect type in assignment
      			       (different base types)
      btmtkuart.c:671:18: sparse:    expected unsigned int [usertype] baudrate
      btmtkuart.c:671:18: sparse:    got restricted __le32 [usertype]
      
      vim +671 drivers/bluetooth/btmtkuart.c
      
         659
         660	static int btmtkuart_change_baudrate(struct hci_dev *hdev)
         661	{
         662		struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
         663		struct btmtk_hci_wmt_params wmt_params;
         664		u32 baudrate;
         665		u8 param;
         666		int err;
         667
         668		/* Indicate the device to enter the probe state the host is
         669		 * ready to change a new baudrate.
         670		 */
       > 671		baudrate = cpu_to_le32(bdev->desired_speed);
         672		wmt_params.op = MTK_WMT_HIF;
      
      Fixes: 22eaf6c9 ("Bluetooth: mediatek: add support for MediaTek MT7663U and MT7668U UART devices")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a07c802b
    • Ferry Toth's avatar
      Bluetooth: btbcm: Add default address for BCM43341B · 0bc530b8
      Ferry Toth authored
      [ Upstream commit 50357261 ]
      
      The BCM43341B has the default MAC address 43:34:1B:00:1F:AC if none
      is given. This address was found when enabling Bluetooth on multiple
      Intel Edison modules. It also contains the sequence 43341B, the name
      the chip identifies itself as. Using the same BD_ADDR is problematic
      when having multiple Intel Edison modules in each others range.
      The default address also has the LAA (locally administered address)
      bit set which prevents a BNEP device from being created, needed for
      BT tethering.
      
      Add this to the list of black listed default MAC addresses and let
      the user configure a valid one using f.i.
      `btmgmt -i hci0 public-addr xx:xx:xx:xx:xx:xx`
      Suggested-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarFerry Toth <ftoth@exalondelft.nl>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0bc530b8
    • Balakrishna Godavarthi's avatar
      Bluetooth: hci_qca: Give enough time to ROME controller to bootup. · c5da31c4
      Balakrishna Godavarthi authored
      [ Upstream commit 7f09d5a6 ]
      
      This patch enables enough time to ROME controller to bootup
      after we bring the enable pin out of reset.
      
      Fixes: 05ba533c ("Bluetooth: hci_qca: Add serdev support").
      Signed-off-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Reviewed-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Tested-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Tested-by: default avatarClaire Chang <tientzu@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c5da31c4
    • Matthias Kaehlcke's avatar
      Bluetooth: hci_qca: Fix crash with non-serdev devices · 0d4ca252
      Matthias Kaehlcke authored
      [ Upstream commit ecf2b768 ]
      
      qca_set_baudrate() calls serdev_device_wait_until_sent() assuming that
      the HCI is always associated with a serdev device. This isn't true for
      ROME controllers instantiated through ldisc, where the call causes a
      crash due to a NULL pointer dereferentiation. Only call the function
      when we have a serdev device. The timeout for ROME devices at the end
      of qca_set_baudrate() is long enough to be reasonably sure that the
      command was sent.
      
      Fixes: fa9ad876 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
      Reported-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Reported-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Reviewed-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Tested-by: default avatarRocky Liao <rjliao@codeaurora.org>
      Reviewed-by: default avatarBalakrishna Godavarthi <bgodavar@codeaurora.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0d4ca252
    • Peter Zijlstra's avatar
      mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions · 095eaec4
      Peter Zijlstra authored
      [ Upstream commit 29da93fe ]
      
      Randy reported objtool triggered on his (GCC-7.4) build:
      
        lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
        lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
      
      This is due to UBSAN generating signed-overflow-UB warnings where it
      should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
      uses through -fno-strict-overflow).
      
      Make the functions use 'unsigned long' throughout.
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: luto@kernel.org
      Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      095eaec4
    • Jiri Kosina's avatar
      x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() · 9ab589a0
      Jiri Kosina authored
      [ Upstream commit a65c88e1 ]
      
      In-NMI warnings have been added to vmalloc_fault() via:
      
        ebc8827f ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
      
      back in the time when our NMI entry code could not cope with nested NMIs.
      
      These days, it's perfectly fine to take a fault in NMI context and we
      don't have to care about the fact that IRET from the fault handler might
      cause NMI nesting.
      
      This warning has already been removed from 32-bit implementation of
      vmalloc_fault() in:
      
        6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      
      but the 64-bit version was omitted.
      
      Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
      Reported-by: default avatarNicolai Stange <nstange@suse.de>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Joerg Roedel <jroedel@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pmSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9ab589a0
    • Peter Zijlstra's avatar
      x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation · c0b481eb
      Peter Zijlstra authored
      [ Upstream commit 6ae86561 ]
      
      The __put_user() macro evaluates it's @ptr argument inside the
      __uaccess_begin() / __uaccess_end() region. While this would normally
      not be expected to be an issue, an UBSAN bug (it ignored -fwrapv,
      fixed in GCC 8+) would transform the @ptr evaluation for:
      
        drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) {
      
      into a signed-overflow-UB check and trigger the objtool AC validation.
      
      Finish this commit:
      
        2a418cf3 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
      
      and explicitly evaluate all 3 arguments early.
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: luto@kernel.org
      Fixes: 2a418cf3 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
      Link: http://lkml.kernel.org/r/20190424072208.695962771@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c0b481eb