1. 31 May, 2019 40 commits
    • Shuah Khan's avatar
      media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() · e70d90cd
      Shuah Khan authored
      [ Upstream commit 898bc40b ]
      
      Fix au0828_analog_stream_enable() to check if device is in the right
      state first. When unbind happens while bind is in progress, usbdev
      pointer could be invalid in au0828_analog_stream_enable() and a call
      to usb_ifnum_to_if() will result in the null pointer dereference.
      
      This problem is found with the new media_dev_allocator.sh test.
      
      kernel: [  590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
      kernel: [  590.359627] #PF error: [normal kernel read fault]
      kernel: [  590.359629] PGD 0 P4D 0
      kernel: [  590.359632] Oops: 0000 [#1] SMP PTI
      kernel: [  590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
      kernel: [  590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
      kernel: [  590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
      kernel: [  590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
       10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
      6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
      9 74
      kernel: [  590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
      kernel: [  590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
      kernel: [  590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
      kernel: [  590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
      kernel: [  590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
      kernel: [  590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
      kernel: [  590.359654] FS:  00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
      kernel: [  590.359655] CS:  0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
      kernel: [  590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
      kernel: [  590.359658] Call Trace:
      kernel: [  590.359664]  ? au0828_analog_stream_enable+0x2c/0x180
      kernel: [  590.359666]  au0828_v4l2_open+0xa4/0x110
      kernel: [  590.359670]  v4l2_open+0x8b/0x120
      kernel: [  590.359674]  chrdev_open+0xa6/0x1c0
      kernel: [  590.359676]  ? cdev_put.part.3+0x20/0x20
      kernel: [  590.359678]  do_dentry_open+0x1f6/0x360
      kernel: [  590.359681]  vfs_open+0x2f/0x40
      kernel: [  590.359684]  path_openat+0x299/0xc20
      kernel: [  590.359688]  do_filp_open+0x9b/0x110
      kernel: [  590.359695]  ? _raw_spin_unlock+0x27/0x40
      kernel: [  590.359697]  ? __alloc_fd+0xb2/0x160
      kernel: [  590.359700]  do_sys_open+0x1ba/0x260
      kernel: [  590.359702]  ? do_sys_open+0x1ba/0x260
      kernel: [  590.359712]  __x64_sys_openat+0x20/0x30
      kernel: [  590.359715]  do_syscall_64+0x5a/0x120
      kernel: [  590.359718]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e70d90cd
    • Wenwen Wang's avatar
      audit: fix a memory leak bug · 51e088ba
      Wenwen Wang authored
      [ Upstream commit 70c4cf17 ]
      
      In audit_rule_change(), audit_data_to_entry() is firstly invoked to
      translate the payload data to the kernel's rule representation. In
      audit_data_to_entry(), depending on the audit field type, an audit tree may
      be created in audit_make_tree(), which eventually invokes kmalloc() to
      allocate the tree.  Since this tree is a temporary tree, it will be then
      freed in the following execution, e.g., audit_add_rule() if the message
      type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
      AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
      AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
      temporary tree is not freed.
      
      To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
      or AUDIT_DEL_RULE.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      51e088ba
    • Akinobu Mita's avatar
      media: ov2659: make S_FMT succeed even if requested format doesn't match · 32696deb
      Akinobu Mita authored
      [ Upstream commit bccb89cf ]
      
      This driver returns an error if unsupported media bus pixel code is
      requested by VIDIOC_SUBDEV_S_FMT.
      
      But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
      
      Drivers must not return an error solely because the requested format
      doesn't match the device capabilities. They must instead modify the
      format to match what the hardware can provide.
      
      So select default format code and return success in that case.
      
      This is detected by v4l2-compliance.
      
      Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Acked-by: default avatarLad, Prabhakar <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      32696deb
    • Hans Verkuil's avatar
      media: au0828: stop video streaming only when last user stops · f84c1010
      Hans Verkuil authored
      [ Upstream commit f604f0f5 ]
      
      If the application was streaming from both videoX and vbiX, and streaming
      from videoX was stopped, then the vbi streaming also stopped.
      
      The cause being that stop_streaming for video stopped the subdevs as well,
      instead of only doing that if dev->streaming_users reached 0.
      
      au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
      at all when dev->streaming_users reached 0.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Tested-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f84c1010
    • Janusz Krzysztofik's avatar
      media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper · d539dc26
      Janusz Krzysztofik authored
      [ Upstream commit ccdd85d5 ]
      
      In preparation for adding asynchronous subdevice support to the driver,
      don't acquire v4l2_clk from the driver .probe() callback as that may
      fail if the clock is provided by a bridge driver which may be not yet
      initialized.  Move the v4l2_clk_get() to ov6650_video_probe() helper
      which is going to be converted to v4l2_subdev_internal_ops.registered()
      callback, executed only when the bridge driver is ready.
      Signed-off-by: default avatarJanusz Krzysztofik <jmkrzyszt@gmail.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d539dc26
    • Philipp Zabel's avatar
      media: coda: clear error return value before picture run · 109f7097
      Philipp Zabel authored
      [ Upstream commit bbeefa73 ]
      
      The error return value is not written by some firmware codecs, such as
      MPEG-2 decode on CodaHx4. Clear the error return value before starting
      the picture run to avoid misinterpreting unrelated values returned by
      sequence initialization as error return value.
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      109f7097
    • Nicolas Ferre's avatar
      dmaengine: at_xdmac: remove BUG_ON macro in tasklet · 5c1c6e26
      Nicolas Ferre authored
      [ Upstream commit e2c114c0 ]
      
      Even if this case shouldn't happen when controller is properly programmed,
      it's still better to avoid dumping a kernel Oops for this.
      As the sequence may happen only for debugging purposes, log the error and
      just finish the tasklet call.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5c1c6e26
    • Wen Yang's avatar
      pinctrl: pistachio: fix leaked of_node references · 2da57fa0
      Wen Yang authored
      [ Upstream commit 44a4455a ]
      
      The call to of_get_child_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: linux-gpio@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2da57fa0
    • Hans de Goede's avatar
      HID: logitech-hidpp: use RAP instead of FAP to get the protocol version · e2cde780
      Hans de Goede authored
      [ Upstream commit 09637752 ]
      
      According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
      https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
      
      We should use a register-access-protocol request using the short input /
      output report ids. This is necessary because 27MHz HID++ receivers have
      a max-packetsize on their HIP++ endpoint of 8, so they cannot support
      long reports. Using a feature-access-protocol request (which is always
      long or very-long) with these will cause a timeout error, followed by
      the hidpp driver treating the device as not being HID++ capable.
      
      This commit fixes this by switching to using a rap request to get the
      protocol version.
      
      Besides being tested with a (046d:c517) 27MHz receiver with various
      27MHz keyboards and mice, this has also been tested to not cause
      regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
      k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
      (046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e2cde780
    • Peter Zijlstra's avatar
      mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions · 50013ead
      Peter Zijlstra authored
      [ Upstream commit 29da93fe ]
      
      Randy reported objtool triggered on his (GCC-7.4) build:
      
        lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
        lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
      
      This is due to UBSAN generating signed-overflow-UB warnings where it
      should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
      uses through -fno-strict-overflow).
      
      Make the functions use 'unsigned long' throughout.
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: luto@kernel.org
      Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      50013ead
    • Jiri Kosina's avatar
      x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() · f08f10f7
      Jiri Kosina authored
      [ Upstream commit a65c88e1 ]
      
      In-NMI warnings have been added to vmalloc_fault() via:
      
        ebc8827f ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
      
      back in the time when our NMI entry code could not cope with nested NMIs.
      
      These days, it's perfectly fine to take a fault in NMI context and we
      don't have to care about the fact that IRET from the fault handler might
      cause NMI nesting.
      
      This warning has already been removed from 32-bit implementation of
      vmalloc_fault() in:
      
        6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      
      but the 64-bit version was omitted.
      
      Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
      Reported-by: default avatarNicolai Stange <nstange@suse.de>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Joerg Roedel <jroedel@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 6863ea0c ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
      Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pmSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f08f10f7
    • Sebastian Andrzej Siewior's avatar
      smpboot: Place the __percpu annotation correctly · a5f3559f
      Sebastian Andrzej Siewior authored
      [ Upstream commit d4645d30 ]
      
      The test robot reported a wrong assignment of a per-CPU variable which
      it detected by using sparse and sent a report. The assignment itself is
      correct. The annotation for sparse was wrong and hence the report.
      The first pointer is a "normal" pointer and points to the per-CPU memory
      area. That means that the __percpu annotation has to be moved.
      
      Move the __percpu annotation to pointer which points to the per-CPU
      area. This change affects only the sparse tool (and is ignored by the
      compiler).
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: f97f8f06 ("smpboot: Provide infrastructure for percpu hotplug threads")
      Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a5f3559f
    • Kees Cook's avatar
      x86/build: Move _etext to actual end of .text · 87386764
      Kees Cook authored
      [ Upstream commit 392bef70 ]
      
      When building x86 with Clang LTO and CFI, CFI jump regions are
      automatically added to the end of the .text section late in linking. As a
      result, the _etext position was being labelled before the appended jump
      regions, causing confusion about where the boundaries of the executable
      region actually are in the running kernel, and broke at least the fault
      injection code. This moves the _etext mark to outside (and immediately
      after) the .text area, as it already the case on other architectures
      (e.g. arm64, arm).
      Reported-and-tested-by: default avatarSami Tolvanen <samitolvanen@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20190423183827.GA4012@beastSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      87386764
    • Arnd Bergmann's avatar
      bcache: avoid clang -Wunintialized warning · 56df2dbe
      Arnd Bergmann authored
      [ Upstream commit 78d4eb8a ]
      
      clang has identified a code path in which it thinks a
      variable may be unused:
      
      drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
            [-Werror,-Wsometimes-uninitialized]
                              fifo_pop(&ca->free_inc, bucket);
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
       #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                      ^~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
              if (_r) {                                                       \
                  ^~
      drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
                              allocator_wait(ca, bch_allocator_push(ca, bucket));
                                                                        ^~~~~~
      drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
                      if (cond)                                               \
                          ^~~~
      drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
                              fifo_pop(&ca->free_inc, bucket);
                              ^
      drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
       #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                      ^
      drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
              if (_r) {                                                       \
              ^
      drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
                              long bucket;
                                         ^
      
      This cannot happen in practice because we only enter the loop
      if there is at least one element in the list.
      
      Slightly rearranging the code makes this clearer to both the
      reader and the compiler, which avoids the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      56df2dbe
    • Coly Li's avatar
      bcache: add failure check to run_cache_set() for journal replay · 282ae1e8
      Coly Li authored
      [ Upstream commit ce3e4cfb ]
      
      Currently run_cache_set() has no return value, if there is failure in
      bch_journal_replay(), the caller of run_cache_set() has no idea about
      such failure and just continue to execute following code after
      run_cache_set().  The internal failure is triggered inside
      bch_journal_replay() and being handled in async way. This behavior is
      inefficient, while failure handling inside bch_journal_replay(), cache
      register code is still running to start the cache set. Registering and
      unregistering code running as same time may introduce some rare race
      condition, and make the code to be more hard to be understood.
      
      This patch adds return value to run_cache_set(), and returns -EIO if
      bch_journal_rreplay() fails. Then caller of run_cache_set() may detect
      such failure and stop registering code flow immedidately inside
      register_cache_set().
      
      If journal replay fails, run_cache_set() can report error immediately
      to register_cache_set(). This patch makes the failure handling for
      bch_journal_replay() be in synchronized way, easier to understand and
      debug, and avoid poetential race condition for register-and-unregister
      in same time.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      282ae1e8
    • Tang Junhui's avatar
      bcache: fix failure in journal relplay · abc77ba7
      Tang Junhui authored
      [ Upstream commit 63120731 ]
      
      journal replay failed with messages:
      Sep 10 19:10:43 ceph kernel: bcache: error on
      bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries
      2057493-2057567 missing! (replaying 2057493-20766016), disabling
      caching
      
      The reason is in journal_reclaim(), when discard is enabled, we send
      discard command and reclaim those journal buckets whose seq is old
      than the last_seq_now, but before we write a journal with last_seq_now,
      the machine is restarted, so the journal with the last_seq_now is not
      written to the journal bucket, and the last_seq_wrote in the newest
      journal is old than last_seq_now which we expect to be, so when we doing
      replay, journals from last_seq_wrote to last_seq_now are missing.
      
      It's hard to write a journal immediately after journal_reclaim(),
      and it harmless if those missed journal are caused by discarding
      since those journals are already wrote to btree node. So, if miss
      seqs are started from the beginning journal, we treat it as normal,
      and only print a message to show the miss journal, and point out
      it maybe caused by discarding.
      
      Patch v2 add a judgement condition to ignore the missed journal
      only when discard enabled as Coly suggested.
      
      (Coly Li: rebase the patch with other changes in bch_journal_replay())
      Signed-off-by: default avatarTang Junhui <tang.junhui.linux@gmail.com>
      Tested-by: default avatarDennis Schridde <devurandom@gmx.net>
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      abc77ba7
    • Coly Li's avatar
      bcache: return error immediately in bch_journal_replay() · e7321da1
      Coly Li authored
      [ Upstream commit 68d10e69 ]
      
      When failure happens inside bch_journal_replay(), calling
      cache_set_err_on() and handling the failure in async way is not a good
      idea. Because after bch_journal_replay() returns, registering code will
      continue to execute following steps, and unregistering code triggered
      by cache_set_err_on() is running in same time. First it is unnecessary
      to handle failure and unregister cache set in an async way, second there
      might be potential race condition to run register and unregister code
      for same cache set.
      
      So in this patch, if failure happens in bch_journal_replay(), we don't
      call cache_set_err_on(), and just print out the same error message to
      kernel message buffer, then return -EIO immediately caller. Then caller
      can detect such failure and handle it in synchrnozied way.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e7321da1
    • Corentin Labbe's avatar
      crypto: sun4i-ss - Fix invalid calculation of hash end · 2ed24236
      Corentin Labbe authored
      [ Upstream commit f8739155 ]
      
      When nbytes < 4, end is wronlgy set to a negative value which, due to
      uint, is then interpreted to a large value leading to a deadlock in the
      following code.
      
      This patch fix this problem.
      
      Fixes: 6298e948 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
      Signed-off-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2ed24236
    • Kangjie Lu's avatar
      net: cw1200: fix a NULL pointer dereference · 2f3201b2
      Kangjie Lu authored
      [ Upstream commit 0ed2a005 ]
      
      In case create_singlethread_workqueue fails, the fix free the
      hardware and returns NULL to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2f3201b2
    • Dan Carpenter's avatar
      mwifiex: prevent an array overflow · bc2c8535
      Dan Carpenter authored
      [ Upstream commit b4c35c17 ]
      
      The "rate_index" is only used as an index into the phist_data->rx_rate[]
      array in the mwifiex_hist_data_set() function.  That array has
      MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
      debugfs information.  The "rate_index" variable comes from the network
      skb->data[] and it is a u8 so it's in the 0-255 range.  We need to cap
      it to prevent an array overflow.
      
      Fixes: cbf6e055 ("mwifiex: add rx histogram statistics support")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bc2c8535
    • Daniel Baluta's avatar
      ASoC: fsl_sai: Update is_slave_mode with correct value · 043a7a24
      Daniel Baluta authored
      [ Upstream commit ddb35114 ]
      
      is_slave_mode defaults to false because sai structure
      that contains it is kzalloc'ed.
      
      Anyhow, if we decide to set the following configuration
      SAI slave -> SAI master, is_slave_mode will remain set on true
      although SAI being master it should be set to false.
      
      Fix this by updating is_slave_mode for each call of
      fsl_sai_set_dai_fmt.
      Signed-off-by: default avatarDaniel Baluta <daniel.baluta@nxp.com>
      Acked-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      043a7a24
    • Sergey Matyukevich's avatar
      mac80211/cfg80211: update bss channel on channel switch · e5c17240
      Sergey Matyukevich authored
      [ Upstream commit 5dc8cdce ]
      
      FullMAC STAs have no way to update bss channel after CSA channel switch
      completion. As a result, user-space tools may provide inconsistent
      channel info. For instance, consider the following two commands:
      $ sudo iw dev wlan0 link
      $ sudo iw dev wlan0 info
      The latter command gets channel info from the hardware, so most probably
      its output will be correct. However the former command gets channel info
      from scan cache, so its output will contain outdated channel info.
      In fact, current bss channel info will not be updated until the
      next [re-]connect.
      
      Note that mac80211 STAs have a workaround for this, but it requires
      access to internal cfg80211 data, see ieee80211_chswitch_work:
      
      	/* XXX: shouldn't really modify cfg80211-owned data! */
      	ifmgd->associated->channel = sdata->csa_chandef.chan;
      
      This patch suggests to convert mac80211 workaround into cfg80211 behavior
      and to update current bss channel in cfg80211_ch_switch_notify.
      Signed-off-by: default avatarSergey Matyukevich <sergey.matyukevich.os@quantenna.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e5c17240
    • Sugar Zhang's avatar
      dmaengine: pl330: _stop: clear interrupt status · ab53d054
      Sugar Zhang authored
      [ Upstream commit 2da254cc ]
      
      This patch kill instructs the DMAC to immediately terminate
      execution of a thread. and then clear the interrupt status,
      at last, stop generating interrupts for DMA_SEV. to guarantee
      the next dma start is clean. otherwise, one interrupt maybe leave
      to next start and make some mistake.
      
      we can reporduce the problem as follows:
      
      DMASEV: modify the event-interrupt resource, and if the INTEN sets
      function as interrupt, the DMAC will set irq<event_num> HIGH to
      generate interrupt. write INTCLR to clear interrupt.
      
      	DMA EXECUTING INSTRUCTS		DMA TERMINATE
      		|				|
      		|				|
      	       ...			      _stop
      		|				|
      		|			spin_lock_irqsave
      	     DMASEV				|
      		|				|
      		|			    mask INTEN
      		|				|
      		|			     DMAKILL
      		|				|
      		|			spin_unlock_irqrestore
      
      in above case, a interrupt was left, and if we unmask INTEN, the DMAC
      will set irq<event_num> HIGH to generate interrupt.
      
      to fix this, do as follows:
      
      	DMA EXECUTING INSTRUCTS		DMA TERMINATE
      		|				|
      		|				|
      	       ...			      _stop
      		|				|
      		|			spin_lock_irqsave
      	     DMASEV				|
      		|				|
      		|			     DMAKILL
      		|				|
      		|			   clear INTCLR
      		|			    mask INTEN
      		|				|
      		|			spin_unlock_irqrestore
      Signed-off-by: default avatarSugar Zhang <sugar.zhang@rock-chips.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ab53d054
    • Mariusz Bialonczyk's avatar
      w1: fix the resume command API · 1f7f676b
      Mariusz Bialonczyk authored
      [ Upstream commit 62909da8 ]
      
      >From the DS2408 datasheet [1]:
      "Resume Command function checks the status of the RC flag and, if it is set,
       directly transfers control to the control functions, similar to a Skip ROM
       command. The only way to set the RC flag is through successfully executing
       the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
       command"
      
      The function currently works perfectly fine in a multidrop bus, but when we
      have only a single slave connected, then only a Skip ROM is used and Match
      ROM is not called at all. This is leading to problems e.g. with single one
      DS2408 connected, as the Resume Command is not working properly and the
      device is responding with failing results after the Resume Command.
      
      This commit is fixing this by using a Skip ROM instead in those cases.
      The bandwidth / performance advantage is exactly the same.
      
      Refs:
      [1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdfSigned-off-by: default avatarMariusz Bialonczyk <manio@skyboo.net>
      Reviewed-by: default avatarJean-Francois Dagenais <jeff.dagenais@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1f7f676b
    • Sven Van Asbroeck's avatar
      rtc: 88pm860x: prevent use-after-free on device remove · 8685a298
      Sven Van Asbroeck authored
      [ Upstream commit f22b1ba1 ]
      
      The device's remove() attempts to shut down the delayed_work scheduled
      on the kernel-global workqueue by calling flush_scheduled_work().
      
      Unfortunately, flush_scheduled_work() does not prevent the delayed_work
      from re-scheduling itself. The delayed_work might run after the device
      has been removed, and touch the already de-allocated info structure.
      This is a potential use-after-free.
      
      Fix by calling cancel_delayed_work_sync() during remove(): this ensures
      that the delayed work is properly cancelled, is no longer running, and
      is not able to re-schedule itself.
      
      This issue was detected with the help of Coccinelle.
      Signed-off-by: default avatarSven Van Asbroeck <TheSven73@gmail.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8685a298
    • Johannes Berg's avatar
      iwlwifi: pcie: don't crash on invalid RX interrupt · af73fb33
      Johannes Berg authored
      [ Upstream commit 30f24eab ]
      
      If for some reason the device gives us an RX interrupt before we're
      ready for it, perhaps during device power-on with misconfigured IRQ
      causes mapping or so, we can crash trying to access the queues.
      
      Prevent that by checking that we actually have RXQs and that they
      were properly allocated.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      af73fb33
    • Bart Van Assche's avatar
      scsi: qla2xxx: Fix a qla24xx_enable_msix() error path · 9375939f
      Bart Van Assche authored
      [ Upstream commit 24afabdb ]
      
      Make sure that the allocated interrupts are freed if allocating memory for
      the msix_entries array fails.
      
      Cc: Himanshu Madhani <hmadhani@marvell.com>
      Cc: Giridhar Malavali <gmalavali@marvell.com>
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Acked-by: default avatarHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9375939f
    • Viresh Kumar's avatar
      sched/cpufreq: Fix kobject memleak · 4e0c06e0
      Viresh Kumar authored
      [ Upstream commit 9a4f26cc ]
      
      Currently the error return path from kobject_init_and_add() is not
      followed by a call to kobject_put() - which means we are leaking
      the kobject.
      
      Fix it by adding a call to kobject_put() in the error path of
      kobject_init_and_add().
      Signed-off-by: default avatarTobin C. Harding <tobin@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tobin C. Harding <tobin@kernel.org>
      Cc: Vincent Guittot <vincent.guittot@linaro.org>
      Cc: Viresh Kumar <viresh.kumar@linaro.org>
      Link: http://lkml.kernel.org/r/20190430001144.24890-1-tobin@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4e0c06e0
    • Qian Cai's avatar
      arm64: Fix compiler warning from pte_unmap() with -Wunused-but-set-variable · b5b14bf2
      Qian Cai authored
      [ Upstream commit 74dd022f ]
      
      When building with -Wunused-but-set-variable, the compiler shouts about
      a number of pte_unmap() users, since this expands to an empty macro on
      arm64:
      
        | mm/gup.c: In function 'gup_pte_range':
        | mm/gup.c:1727:16: warning: variable 'ptem' set but not used
        | [-Wunused-but-set-variable]
        | mm/gup.c: At top level:
        | mm/memory.c: In function 'copy_pte_range':
        | mm/memory.c:821:24: warning: variable 'orig_dst_pte' set but not used
        | [-Wunused-but-set-variable]
        | mm/memory.c:821:9: warning: variable 'orig_src_pte' set but not used
        | [-Wunused-but-set-variable]
        | mm/swap_state.c: In function 'swap_ra_info':
        | mm/swap_state.c:641:15: warning: variable 'orig_pte' set but not used
        | [-Wunused-but-set-variable]
        | mm/madvise.c: In function 'madvise_free_pte_range':
        | mm/madvise.c:318:9: warning: variable 'orig_pte' set but not used
        | [-Wunused-but-set-variable]
      
      Rewrite pte_unmap() as a static inline function, which silences the
      warnings.
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5b14bf2
    • Marc Zyngier's avatar
      ARM: vdso: Remove dependency with the arch_timer driver internals · 79940ddb
      Marc Zyngier authored
      [ Upstream commit 1f5b62f0 ]
      
      The VDSO code uses the kernel helper that was originally designed
      to abstract the access between 32 and 64bit systems. It worked so
      far because this function is declared as 'inline'.
      
      As we're about to revamp that part of the code, the VDSO would
      break. Let's fix it by doing what should have been done from
      the start, a proper system register access.
      Reviewed-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      79940ddb
    • Dan Carpenter's avatar
      brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() · 146579dd
      Dan Carpenter authored
      [ Upstream commit e025da3d ]
      
      If "ret_len" is negative then it could lead to a NULL dereference.
      
      The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
      then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
      brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
      Most of the functions in that call tree check whether the buffer we pass
      is NULL but there are at least a couple places which don't such as
      brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
      from the buffer so it would result in a NULL dereference.
      
      The fix is to change the types so that "ret_len" can't be negative.  (If
      we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
      issue).
      
      Fixes: 1bacb048 ("brcmfmac: replace cfg80211 testmode with vendor command")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      146579dd
    • Flavio Suligoi's avatar
      spi: pxa2xx: fix SCR (divisor) calculation · 0f31932a
      Flavio Suligoi authored
      [ Upstream commit 29f21337 ]
      
      Calculate the divisor for the SCR (Serial Clock Rate), avoiding
      that the SSP transmission rate can be greater than the device rate.
      
      When the division between the SSP clock and the device rate generates
      a reminder, we have to increment by one the divisor.
      In this way the resulting SSP clock will never be greater than the
      device SPI max frequency.
      
      For example, with:
      
       - ssp_clk  = 50 MHz
       - dev freq = 15 MHz
      
      without this patch the SSP clock will be greater than 15 MHz:
      
       - 25 MHz for PXA25x_SSP and CE4100_SSP
       - 16,56 MHz for the others
      
      Instead, with this patch, we have in both case an SSP clock of 12.5MHz,
      so the max rate of the SPI device clock is respected.
      Signed-off-by: default avatarFlavio Suligoi <f.suligoi@asem.it>
      Reviewed-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Reviewed-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0f31932a
    • Arnd Bergmann's avatar
      ASoC: imx: fix fiq dependencies · 68f630d8
      Arnd Bergmann authored
      [ Upstream commit ea751227 ]
      
      During randconfig builds, I occasionally run into an invalid configuration
      of the freescale FIQ sound support:
      
      WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ
        Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]
        Selected by [y]:
        - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y])
      
      sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove':
      imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit'
      sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe':
      imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init'
      
      The Kconfig warning is a result of the symbol being defined inside of
      the "if SND_IMX_SOC" block, and is otherwise harmless. The link error
      is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not
      imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same
      time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency,
      which then causes a link failure from imx-ssi.
      
      The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever
      one of its potential users is built-in.
      
      Fixes: ff40260f ("ASoC: fsl: refine DMA/FIQ dependencies")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      68f630d8
    • Bo YU's avatar
      powerpc/boot: Fix missing check of lseek() return value · bfcbe505
      Bo YU authored
      [ Upstream commit 5d085ec0 ]
      
      This is detected by Coverity scan: CID: 1440481
      Signed-off-by: default avatarBo YU <tsu.yubo@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bfcbe505
    • Jerome Brunet's avatar
      ASoC: hdmi-codec: unlock the device on startup errors · da8db898
      Jerome Brunet authored
      [ Upstream commit 30180e84 ]
      
      If the hdmi codec startup fails, it should clear the current_substream
      pointer to free the device. This is properly done for the audio_startup()
      callback but for snd_pcm_hw_constraint_eld().
      
      Make sure the pointer cleared if an error is reported.
      Signed-off-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      da8db898
    • Sameeh Jubran's avatar
      net: ena: gcc 8: fix compilation warning · 7b4ff6ae
      Sameeh Jubran authored
      [ Upstream commit f9133088 ]
      
      GCC 8 contains a number of new warnings as well as enhancements to existing
      checkers. The warning - Wstringop-truncation - warns for calls to bounded
      string manipulation functions such as strncat, strncpy, and stpncpy that
      may either truncate the copied string or leave the destination unchanged.
      
      In our case the destination string length (32 bytes) is much shorter than
      the source string (64 bytes) which causes this warning to show up. In
      general the destination has to be at least a byte larger than the length
      of the source string with strncpy for this warning not to showup.
      
      This can be easily fixed by using strlcpy instead which already does the
      truncation to the string. Documentation for this function can be
      found here:
      
      https://elixir.bootlin.com/linux/latest/source/lib/string.c#L141
      
      Fixes: 1738cd3e ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
      Signed-off-by: default avatarSameeh Jubran <sameehj@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7b4ff6ae
    • Sameer Pujar's avatar
      dmaengine: tegra210-dma: free dma controller in remove() · 12ada5b2
      Sameer Pujar authored
      [ Upstream commit f030e419 ]
      
      Following kernel panic is seen during DMA driver unload->load sequence
      ==========================================================================
      Unable to handle kernel paging request at virtual address ffffff8001198880
      Internal error: Oops: 86000007 [#1] PREEMPT SMP
      CPU: 0 PID: 5907 Comm: HwBinder:4123_1 Tainted: G C 4.9.128-tegra-g065839f
      Hardware name: galen (DT)
      task: ffffffc3590d1a80 task.stack: ffffffc3d0678000
      PC is at 0xffffff8001198880
      LR is at of_dma_request_slave_channel+0xd8/0x1f8
      pc : [<ffffff8001198880>] lr : [<ffffff8008746f30>] pstate: 60400045
      sp : ffffffc3d067b710
      x29: ffffffc3d067b710 x28: 000000000000002f
      x27: ffffff800949e000 x26: ffffff800949e750
      x25: ffffff800949e000 x24: ffffffbefe817d84
      x23: ffffff8009f77cb0 x22: 0000000000000028
      x21: ffffffc3ffda49c8 x20: 0000000000000029
      x19: 0000000000000001 x18: ffffffffffffffff
      x17: 0000000000000000 x16: ffffff80082b66a0
      x15: ffffff8009e78250 x14: 000000000000000a
      x13: 0000000000000038 x12: 0101010101010101
      x11: 0000000000000030 x10: 0101010101010101
      x9 : fffffffffffffffc x8 : 7f7f7f7f7f7f7f7f
      x7 : 62ff726b6b64622c x6 : 0000000000008064
      x5 : 6400000000000000 x4 : ffffffbefe817c44
      x3 : ffffffc3ffda3e08 x2 : ffffff8001198880
      x1 : ffffffc3d48323c0 x0 : ffffffc3d067b788
      
      Process HwBinder:4123_1 (pid: 5907, stack limit = 0xffffffc3d0678028)
      Call trace:
      [<ffffff8001198880>] 0xffffff8001198880
      [<ffffff80087459f8>] dma_request_chan+0x50/0x1f0
      [<ffffff8008745bc0>] dma_request_slave_channel+0x28/0x40
      [<ffffff8001552c44>] tegra_alt_pcm_open+0x114/0x170
      [<ffffff8008d65fa4>] soc_pcm_open+0x10c/0x878
      [<ffffff8008d18618>] snd_pcm_open_substream+0xc0/0x170
      [<ffffff8008d1878c>] snd_pcm_open+0xc4/0x240
      [<ffffff8008d189e0>] snd_pcm_playback_open+0x58/0x80
      [<ffffff8008cfc6d4>] snd_open+0xb4/0x178
      [<ffffff8008250628>] chrdev_open+0xb8/0x1d0
      [<ffffff8008246fdc>] do_dentry_open+0x214/0x318
      [<ffffff80082485d0>] vfs_open+0x58/0x88
      [<ffffff800825bce0>] do_last+0x450/0xde0
      [<ffffff800825c718>] path_openat+0xa8/0x368
      [<ffffff800825dd84>] do_filp_open+0x8c/0x110
      [<ffffff8008248a74>] do_sys_open+0x164/0x220
      [<ffffff80082b66dc>] compat_SyS_openat+0x3c/0x50
      [<ffffff8008083040>] el0_svc_naked+0x34/0x38
      ---[ end trace 67e6d544e65b5145 ]---
      Kernel panic - not syncing: Fatal exception
      ==========================================================================
      
      In device probe(), of_dma_controller_register() registers DMA controller.
      But when driver is removed, this is not freed. During driver reload this
      results in data abort and kernel panic. Add of_dma_controller_free() in
      driver remove path to fix the issue.
      
      Fixes: f46b1957 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
      Signed-off-by: default avatarSameer Pujar <spujar@nvidia.com>
      Reviewed-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      12ada5b2
    • Raul E Rangel's avatar
      mmc: core: Verify SD bus width · 48b759f4
      Raul E Rangel authored
      [ Upstream commit 9e4be8d0 ]
      
      The SD Physical Layer Spec says the following: Since the SD Memory Card
      shall support at least the two bus modes 1-bit or 4-bit width, then any SD
      Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").
      
      This change verifies the card has specified a bus width.
      
      AMD SDHC Device 7806 can get into a bad state after a card disconnect
      where anything transferred via the DATA lines will always result in a
      zero filled buffer. Currently the driver will continue without error if
      the HC is in this condition. A block device will be created, but reading
      from it will result in a zero buffer. This makes it seem like the SD
      device has been erased, when in actuality the data is never getting
      copied from the DATA lines to the data buffer.
      
      SCR is the first command in the SD initialization sequence that uses the
      DATA lines. By checking that the response was invalid, we can abort
      mounting the card.
      Reviewed-by: default avatarAvri Altman <avri.altman@wdc.com>
      Signed-off-by: default avatarRaul E Rangel <rrangel@chromium.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      48b759f4
    • YueHaibing's avatar
      cxgb4: Fix error path in cxgb4_init_module · af763226
      YueHaibing authored
      [ Upstream commit a3147770 ]
      
      BUG: unable to handle kernel paging request at ffffffffa016a270
      PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0
      Oops: 0000 [#1
      CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:atomic_notifier_chain_register+0x24/0x60
      Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08
      RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086
      RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278
      RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240
      RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001
      R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260
      R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78
      FS:  00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0
      Call Trace:
       register_inet6addr_notifier+0x13/0x20
       cxgb4_init_module+0x6c/0x1000 [cxgb4
       ? 0xffffffffa01d7000
       do_one_initcall+0x6c/0x3cc
       ? do_init_module+0x22/0x1f1
       ? rcu_read_lock_sched_held+0x97/0xb0
       ? kmem_cache_alloc_trace+0x325/0x3b0
       do_init_module+0x5b/0x1f1
       load_module+0x1db1/0x2690
       ? m_show+0x1d0/0x1d0
       __do_sys_finit_module+0xc5/0xd0
       __x64_sys_finit_module+0x15/0x20
       do_syscall_64+0x6b/0x1d0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      If pci_register_driver fails, register inet6addr_notifier is
      pointless. This patch fix the error path in cxgb4_init_module.
      
      Fixes: b5a02f50 ("cxgb4 : Update ipv6 address handling api")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      af763226
    • Ross Lagerwall's avatar
      gfs2: Fix lru_count going negative · b568ed38
      Ross Lagerwall authored
      [ Upstream commit 7881ef3f ]
      
      Under certain conditions, lru_count may drop below zero resulting in
      a large amount of log spam like this:
      
      vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \
          negative objects to delete nr=-1
      
      This happens as follows:
      1) A glock is moved from lru_list to the dispose list and lru_count is
         decremented.
      2) The dispose function calls cond_resched() and drops the lru lock.
      3) Another thread takes the lru lock and tries to add the same glock to
         lru_list, checking if the glock is on an lru list.
      4) It is on a list (actually the dispose list) and so it avoids
         incrementing lru_count.
      5) The glock is moved to lru_list.
      5) The original thread doesn't dispose it because it has been re-added
         to the lru list but the lru_count has still decreased by one.
      
      Fix by checking if the LRU flag is set on the glock rather than checking
      if the glock is on some list and rearrange the code so that the LRU flag
      is added/removed precisely when the glock is added/removed from lru_list.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b568ed38