1. 25 Jun, 2020 40 commits
    • Andy Shevchenko's avatar
      gpio: dwapb: Append MODULE_ALIAS for platform driver · e81df5b3
      Andy Shevchenko authored
      [ Upstream commit c58220cb ]
      
      The commit 3d2613c4
        ("GPIO: gpio-dwapb: Enable platform driver binding to MFD driver")
      introduced a use of the platform driver but missed to add the following line
      to it:
        MODULE_ALIAS("platform:gpio-dwapb");
      
      Add this to get driver loaded automatically if platform device is registered.
      
      Fixes: 3d2613c4 ("GPIO: gpio-dwapb: Enable platform driver binding to MFD driver")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Tested-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Reviewed-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20200415141534.31240-2-andriy.shevchenko@linux.intel.comSigned-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e81df5b3
    • Vincent Stehlé's avatar
      ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity · 98ea71ef
      Vincent Stehlé authored
      [ Upstream commit 34b6826d ]
      
      The PWR-LED on the bananapi m2 zero board is on when gpio PL10 is low.
      This has been verified on a board and in the schematics [1].
      
      [1]: http://wiki.banana-pi.org/Banana_Pi_BPI-M2_ZERO#Documents
      
      Fixes: 8b8061fc ("ARM: dts: sun8i: h2+: add support for Banana Pi M2 Zero board")
      Signed-off-by: default avatarVincent Stehlé <vincent.stehle@laposte.net>
      Cc: Icenowy Zheng <icenowy@aosc.io>
      Cc: Maxime Ripard <mripard@kernel.org>
      Signed-off-by: default avatarMaxime Ripard <maxime@cerno.tech>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      98ea71ef
    • Nilesh Javali's avatar
      scsi: qedi: Do not flush offload work if ARP not resolved · 2f968772
      Nilesh Javali authored
      [ Upstream commit 927527ae ]
      
      For an unreachable target, offload_work is not initialized and the endpoint
      state is set to OFLDCONN_NONE. This results in a WARN_ON due to the check
      of the work function field being set to zero.
      
      ------------[ cut here ]------------
      WARNING: CPU: 24 PID: 18587 at ../kernel/workqueue.c:3037 __flush_work+0x1c1/0x1d0
      :
      Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 02/01/2020
      RIP: 0010:__flush_work+0x1c1/0x1d0
      Code: ba 6d 00 03 80 c9 f0 eb b6 48 c7 c7 20 ee 6c a4 e8 52 d3 04 00 0f 0b 31 c0 e9 d1 fe ff
      ff 48 c7 c7 20 ee 6c a4 e8 3d d3 04 00 <0f> 0b 31 c0 e9 bc fe ff ff e8 11 f3 f
       00 31 f6
      RSP: 0018:ffffac5a8cd47a80 EFLAGS: 00010282
      RAX: 0000000000000024 RBX: ffff98d68c1fcaf0 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff98ce9fd99898 RDI: ffff98ce9fd99898
      RBP: ffff98d68c1fcbc0 R08: 00000000000006fa R09: 0000000000000001
      R10: ffffac5a8cd47b50 R11: 0000000000000001 R12: 0000000000000000
      R13: 000000000000489b R14: ffff98d68c1fc800 R15: ffff98d692132c00
      FS:  00007f65f7f62280(0000) GS:ffff98ce9fd80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffd2435e880 CR3: 0000000809334003 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       ? class_create_release+0x40/0x40
       ? klist_put+0x2c/0x80
       qedi_ep_disconnect+0xdd/0x400 [qedi]
       iscsi_if_ep_disconnect.isra.20+0x59/0x70 [scsi_transport_iscsi]
       iscsi_if_rx+0x129b/0x1670 [scsi_transport_iscsi]
       ? __netlink_lookup+0xe7/0x160
       netlink_unicast+0x21d/0x300
       netlink_sendmsg+0x30f/0x430
       sock_sendmsg+0x5b/0x60
       ____sys_sendmsg+0x1e2/0x240
       ? copy_msghdr_from_user+0xd9/0x160
       ___sys_sendmsg+0x88/0xd0
       ? ___sys_recvmsg+0xa2/0xe0
       ? hrtimer_try_to_cancel+0x25/0x100
       ? do_nanosleep+0x9c/0x170
       ? __sys_sendmsg+0x5e/0xa0
       __sys_sendmsg+0x5e/0xa0
       do_syscall_64+0x60/0x1f0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f65f6f16107
      Code: 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 80 00 00 00 00 8b 05 aa d2 2b 00 48 63 d2 48
      63 ff 85 c0 75 18 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 59 f3 c3 0f 1f 8
          0 00 00 00 00 53 48 89 f3 48
       RSP: 002b:00007ffd24367ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
       RAX: ffffffffffffffda RBX: 000055a7aeaaf110 RCX: 00007f65f6f16107
       RDX: 0000000000000000 RSI: 00007ffd24367cc0 RDI: 0000000000000003
       RBP: 0000000000000070 R08: 0000000000000000 R09: 0000000000000000
       R10: 000000000000075c R11: 0000000000000246 R12: 00007ffd24367cc0
       R13: 000055a7ae560008 R14: 00007ffd24367db0 R15: 0000000000000000
       ---[ end trace 54f499c05d41f8bb ]---
      
      Only flush if the connection endpoint state if different from
      OFLDCONN_NONE.
      
      [mkp: clarified commit desc]
      
      Link: https://lore.kernel.org/r/20200408064332.19377-5-mrangankar@marvell.comReviewed-by: default avatarLee Duncan <lduncan@suse.com>
      Signed-off-by: default avatarNilesh Javali <njavali@marvell.com>
      Signed-off-by: default avatarManish Rangankar <mrangankar@marvell.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2f968772
    • Hsin-Yi Wang's avatar
      arm64: dts: mt8173: fix unit name warnings · 46d29305
      Hsin-Yi Wang authored
      [ Upstream commit 72b29215 ]
      
      Fixing several unit name warnings:
      
      Warning (unit_address_vs_reg): /oscillator@0: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /oscillator@1: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /oscillator@2: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /thermal-zones/cpu_thermal/trips/trip-point@0: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /thermal-zones/cpu_thermal/trips/trip-point@1: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /thermal-zones/cpu_thermal/trips/cpu_crit@0: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /thermal-zones/cpu_thermal/cooling-maps/map@0: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /thermal-zones/cpu_thermal/cooling-maps/map@1: node has a unit name, but no reg property
      Warning (unit_address_vs_reg): /reserved-memory/vpu_dma_mem_region: node has a reg or ranges property, but no unit name
      Warning (simple_bus_reg): /soc/pinctrl@10005000: simple-bus unit address format error, expected "1000b000"
      Warning (simple_bus_reg): /soc/interrupt-controller@10220000: simple-bus unit address format error, expected "10221000"
      Signed-off-by: default avatarHsin-Yi Wang <hsinyi@chromium.org>
      Link: https://lore.kernel.org/r/20200210063523.133333-4-hsinyi@chromium.org
      [mb: drop fixes for '_' in property name]
      Signed-off-by: default avatarMatthias Brugger <matthias.bgg@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      46d29305
    • Chen Zhou's avatar
      staging: greybus: fix a missing-check bug in gb_lights_light_config() · d485ba3c
      Chen Zhou authored
      [ Upstream commit 9bb086e5 ]
      
      In gb_lights_light_config(), 'light->name' is allocated by kstrndup().
      It returns NULL when fails, add check for it.
      Signed-off-by: default avatarChen Zhou <chenzhou10@huawei.com>
      Acked-by: default avatarRui Miguel Silva <rmfrfs@gmail.com>
      Link: https://lore.kernel.org/r/20200401030017.100274-1-chenzhou10@huawei.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d485ba3c
    • Hans de Goede's avatar
      x86/purgatory: Disable various profiling and sanitizing options · d85760a6
      Hans de Goede authored
      [ Upstream commit e2ac07c0 ]
      
      Since the purgatory is a special stand-alone binary, various profiling
      and sanitizing options must be disabled. Having these options enabled
      typically will cause dependencies on various special symbols exported by
      special libs / stubs used by these frameworks. Since the purgatory is
      special, it is not linked against these stubs causing missing symbols in
      the purgatory if these options are not disabled.
      
      Sync the set of disabled profiling and sanitizing options with that from
      drivers/firmware/efi/libstub/Makefile, adding
      -DDISABLE_BRANCH_PROFILING to the CFLAGS and setting:
      
        GCOV_PROFILE                    := n
        UBSAN_SANITIZE                  := n
      
      This fixes broken references to ftrace_likely_update() when
      CONFIG_TRACE_BRANCH_PROFILING is enabled and to __gcov_init() and
      __gcov_exit() when CONFIG_GCOV_KERNEL is enabled.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200317130841.290418-1-hdegoede@redhat.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      d85760a6
    • John Johansen's avatar
      apparmor: fix nnp subset test for unconfined · 3cc2aec6
      John Johansen authored
      [ Upstream commit 3ed4aaa9 ]
      
      The subset test is not taking into account the unconfined exception
      which will cause profile transitions in the stacked confinement
      case to fail when no_new_privs is applied.
      
      This fixes a regression introduced in the fix for
      https://bugs.launchpad.net/bugs/1839037
      
      BugLink: https://bugs.launchpad.net/bugs/1844186Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3cc2aec6
    • Tyrel Datwyler's avatar
      scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM · 890775dc
      Tyrel Datwyler authored
      [ Upstream commit 4919b33b ]
      
      The adapter info MAD is used to send the client info and receive the host
      info as a response. A persistent buffer is used and as such the client info
      is overwritten after the response. During the course of a normal adapter
      reset the client info is refreshed in the buffer in preparation for sending
      the adapter info MAD.
      
      However, in the special case of LPM where we reenable the CRQ instead of a
      full CRQ teardown and reset we fail to refresh the client info in the
      adapter info buffer. As a result, after Live Partition Migration (LPM) we
      erroneously report the host's info as our own.
      
      [mkp: typos]
      
      Link: https://lore.kernel.org/r/20200603203632.18426-1-tyreld@linux.ibm.comSigned-off-by: default avatarTyrel Datwyler <tyreld@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      890775dc
    • Simon Arlott's avatar
      scsi: sr: Fix sr_probe() missing deallocate of device minor · 5d41879d
      Simon Arlott authored
      [ Upstream commit 6555781b ]
      
      If the cdrom fails to be registered then the device minor should be
      deallocated.
      
      Link: https://lore.kernel.org/r/072dac4b-8402-4de8-36bd-47e7588969cd@0882a8b5-c6c3-11e9-b005-00805fc181feSigned-off-by: default avatarSimon Arlott <simon@octiron.net>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5d41879d
    • Pavel Machek (CIP)'s avatar
      ASoC: meson: add missing free_irq() in error path · e6fe402e
      Pavel Machek (CIP) authored
      [ Upstream commit 3b8a299a ]
      
      free_irq() is missing in case of error, fix that.
      Signed-off-by: default avatarPavel Machek (CIP) <pavel@denx.de>
      Reviewed-by: default avatarJerome Brunet <jbrunet@baylibre.com>
      
      Link: https://lore.kernel.org/r/20200606153103.GA17905@amdSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e6fe402e
    • Mauricio Faria de Oliveira's avatar
      apparmor: check/put label on apparmor_sk_clone_security() · 70fa5992
      Mauricio Faria de Oliveira authored
      [ Upstream commit 3b646abc ]
      
      Currently apparmor_sk_clone_security() does not check for existing
      label/peer in the 'new' struct sock; it just overwrites it, if any
      (with another reference to the label of the source sock.)
      
          static void apparmor_sk_clone_security(const struct sock *sk,
                                                 struct sock *newsk)
          {
                  struct aa_sk_ctx *ctx = SK_CTX(sk);
                  struct aa_sk_ctx *new = SK_CTX(newsk);
      
                  new->label = aa_get_label(ctx->label);
                  new->peer = aa_get_label(ctx->peer);
          }
      
      This might leak label references, which might overflow under load.
      Thus, check for and put labels, to prevent such errors.
      
      Note this is similarly done on:
      
          static int apparmor_socket_post_create(struct socket *sock, ...)
          ...
                  if (sock->sk) {
                          struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
      
                          aa_put_label(ctx->label);
                          ctx->label = aa_get_label(label);
                  }
          ...
      
      Context:
      -------
      
      The label reference count leak is observed if apparmor_sock_graft()
      is called previously: this sets the 'ctx->label' field by getting
      a reference to the current label (later overwritten, without put.)
      
          static void apparmor_sock_graft(struct sock *sk, ...)
          {
                  struct aa_sk_ctx *ctx = SK_CTX(sk);
      
                  if (!ctx->label)
                          ctx->label = aa_get_current_label();
          }
      
      And that is the case on crypto/af_alg.c:af_alg_accept():
      
          int af_alg_accept(struct sock *sk, struct socket *newsock, ...)
          ...
                  struct sock *sk2;
                  ...
                  sk2 = sk_alloc(...);
                  ...
                  security_sock_graft(sk2, newsock);
                  security_sk_clone(sk, sk2);
          ...
      
      Apparently both calls are done on their own right, especially for
      other LSMs, being introduced in 2010/2014, before apparmor socket
      mediation in 2017 (see commits [1,2,3,4]).
      
      So, it looks OK there! Let's fix the reference leak in apparmor.
      
      Test-case:
      ---------
      
      Exercise that code path enough to overflow label reference count.
      
          $ cat aa-refcnt-af_alg.c
          #include <stdio.h>
          #include <string.h>
          #include <unistd.h>
          #include <sys/socket.h>
          #include <linux/if_alg.h>
      
          int main() {
                  int sockfd;
                  struct sockaddr_alg sa;
      
                  /* Setup the crypto API socket */
                  sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  if (sockfd < 0) {
                          perror("socket");
                          return 1;
                  }
      
                  memset(&sa, 0, sizeof(sa));
                  sa.salg_family = AF_ALG;
                  strcpy((char *) sa.salg_type, "rng");
                  strcpy((char *) sa.salg_name, "stdrng");
      
                  if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
                          perror("bind");
                          return 1;
                  }
      
                  /* Accept a "connection" and close it; repeat. */
                  while (!close(accept(sockfd, NULL, 0)));
      
                  return 0;
          }
      
          $ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
      
          $ ./aa-refcnt-af_alg
          <a few hours later>
      
          [ 9928.475953] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_alg[1322], uid/euid: 1000/1000
          ...
          [ 9928.507443] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
          ...
          [ 9928.514286]  security_sk_clone+0x33/0x50
          [ 9928.514807]  af_alg_accept+0x81/0x1c0 [af_alg]
          [ 9928.516091]  alg_accept+0x15/0x20 [af_alg]
          [ 9928.516682]  SYSC_accept4+0xff/0x210
          [ 9928.519609]  SyS_accept+0x10/0x20
          [ 9928.520190]  do_syscall_64+0x73/0x130
          [ 9928.520808]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Note that other messages may be seen, not just overflow, depending on
      the value being incremented by kref_get(); on another run:
      
          [ 7273.182666] refcount_t: saturated; leaking memory.
          ...
          [ 7273.185789] refcount_t: underflow; use-after-free.
      
      Kprobes:
      -------
      
      Using kprobe events to monitor sk -> sk_security -> label -> count (kref):
      
      Original v5.7 (one reference leak every iteration)
      
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd2
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd4
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd3
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd5
       ... (af_alg_accept+0x0/0x1c0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd4
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff8a0f36c25eb0 label_refcnt=0x11fd6
      
      Patched v5.7 (zero reference leak per iteration)
      
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
       ... (af_alg_accept+0x0/0x1c0) label=0xffff9ff376c25eb0 label_refcnt=0x593
       ... (af_alg_release_parent+0x0/0xd0) label=0xffff9ff376c25eb0 label_refcnt=0x594
      
      Commits:
      -------
      
      [1] commit 507cad35 ("crypto: af_alg - Make sure sk_security is initialized on accept()ed sockets")
      [2] commit 4c63f83c ("crypto: af_alg - properly label AF_ALG socket")
      [3] commit 2acce6aa ("Networking") a.k.a ("crypto: af_alg - Avoid sock_graft call warning)
      [4] commit 56974a6f ("apparmor: add base infastructure for socket mediation")
      
      Fixes: 56974a6f ("apparmor: add base infastructure for socket mediation")
      Reported-by: default avatarBrian Moyles <bmoyles@netflix.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      70fa5992
    • John Johansen's avatar
      apparmor: fix introspection of of task mode for unconfined tasks · 86396a49
      John Johansen authored
      [ Upstream commit dd2569fb ]
      
      Fix two issues with introspecting the task mode.
      
      1. If a task is attached to a unconfined profile that is not the
         ns->unconfined profile then. Mode the mode is always reported
         as -
      
            $ ps -Z
            LABEL                               PID TTY          TIME CMD
            unconfined                         1287 pts/0    00:00:01 bash
            test (-)                           1892 pts/0    00:00:00 ps
      
         instead of the correct value of (unconfined) as shown below
      
            $ ps -Z
            LABEL                               PID TTY          TIME CMD
            unconfined                         2483 pts/0    00:00:01 bash
            test (unconfined)                  3591 pts/0    00:00:00 ps
      
      2. if a task is confined by a stack of profiles that are unconfined
         the output of label mode is again the incorrect value of (-) like
         above, instead of (unconfined). This is because the visibile
         profile count increment is skipped by the special casing of
         unconfined.
      
      Fixes: f1bd9041 ("apparmor: add the base fns() for domain labels")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      86396a49
    • ashimida's avatar
      mksysmap: Fix the mismatch of '.L' symbols in System.map · e71c1098
      ashimida authored
      [ Upstream commit 72d24acc ]
      
      When System.map was generated, the kernel used mksysmap to
      filter the kernel symbols, but all the symbols with the
      second letter 'L' in the kernel were filtered out, not just
      the symbols starting with 'dot + L'.
      
      For example:
      ashimida@ubuntu:~/linux$ cat System.map |grep ' .L'
      ashimida@ubuntu:~/linux$ nm -n vmlinux |grep ' .L'
      ffff0000088028e0 t bLength_show
      ......
      ffff0000092e0408 b PLLP_OUTC_lock
      ffff0000092e0410 b PLLP_OUTA_lock
      
      The original intent should be to filter out all local symbols
      starting with '.L', so the dot should be escaped.
      
      Fixes: 00902e98 ("mksysmap: Add h8300 local symbol pattern")
      Signed-off-by: default avatarashimida <ashimida@linux.alibaba.com>
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e71c1098
    • Logan Gunthorpe's avatar
      NTB: Fix the default port and peer numbers for legacy drivers · f6328a0b
      Logan Gunthorpe authored
      [ Upstream commit fc8b086d ]
      
      When the commit adding ntb_default_port_number() and
      ntb_default_peer_port_number()  entered the kernel there was no
      users of it so it was impossible to tell what the API needed.
      
      When a user finally landed a year later (ntb_pingpong) there were
      more NTB topologies were created and no consideration was considered
      to how other drivers had changed.
      
      Now that there is a user it can be fixed to provide a sensible default
      for the legacy drivers that do not implement ntb_{peer_}port_number().
      Seeing ntb_pingpong doesn't check error codes returning EINVAL was also
      not sensible.
      
      Patches for ntb_pingpong and ntb_perf follow (which are broken
      otherwise) to support hardware that doesn't have port numbers. This is
      important not only to not break support with existing drivers but for
      the cross link topology which, due to its perfect symmetry, cannot
      assign unique port numbers to each side.
      
      Fixes: 1e530119 ("NTB: Add indexed ports NTB API")
      Signed-off-by: default avatarLogan Gunthorpe <logang@deltatee.com>
      Acked-by: default avatarAllen Hubbe <allenbh@gmail.com>
      Tested-by: default avatarAlexander Fomichev <fomichev.ru@gmail.com>
      Signed-off-by: default avatarJon Mason <jdmason@kudzu.us>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f6328a0b
    • Logan Gunthorpe's avatar
      NTB: ntb_pingpong: Choose doorbells based on port number · ce8280b1
      Logan Gunthorpe authored
      [ Upstream commit ca93c457 ]
      
      This commit fixes pingpong support for existing drivers that do not
      implement ntb_default_port_number() and ntb_default_peer_port_number().
      This is required for hardware (like the crosslink topology of
      switchtec) which cannot assign reasonable port numbers to each port due
      to its perfect symmetry.
      
      Instead of picking the doorbell to use based on the the index of the
      peer, we use the peer's port number. This is a bit clearer and easier
      to understand.
      
      Fixes: c7aeb0af ("NTB: ntb_pp: Add full multi-port NTB API support")
      Signed-off-by: default avatarLogan Gunthorpe <logang@deltatee.com>
      Acked-by: default avatarAllen Hubbe <allenbh@gmail.com>
      Tested-by: default avatarAlexander Fomichev <fomichev.ru@gmail.com>
      Signed-off-by: default avatarJon Mason <jdmason@kudzu.us>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ce8280b1
    • Wang Hai's avatar
      yam: fix possible memory leak in yam_init_driver · 2c75b5c3
      Wang Hai authored
      [ Upstream commit 98749b71 ]
      
      If register_netdev(dev) fails, free_netdev(dev) needs
      to be called, otherwise a memory leak will occur.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c75b5c3
    • Navid Emamdoost's avatar
      pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case · 97c36deb
      Navid Emamdoost authored
      [ Upstream commit ca162ce9 ]
      
      Even in failed case of pm_runtime_get_sync(), the usage_count is
      incremented. In order to keep the usage_count with correct value call
      appropriate pm_runtime_put().
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarThierry Reding <thierry.reding@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      97c36deb
    • Pingfan Liu's avatar
      powerpc/crashkernel: Take "mem=" option into account · 78c131f6
      Pingfan Liu authored
      [ Upstream commit be5470e0 ]
      
      'mem=" option is an easy way to put high pressure on memory during
      some test. Hence after applying the memory limit, instead of total
      mem, the actual usable memory should be considered when reserving mem
      for crashkernel. Otherwise the boot up may experience OOM issue.
      
      E.g. it would reserve 4G prior to the change and 512M afterward, if
      passing
      crashkernel="2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G",
      and mem=5G on a 256G machine.
      
      This issue is powerpc specific because it puts higher priority on
      fadump and kdump reservation than on "mem=". Referring the following
      code:
          if (fadump_reserve_mem() == 0)
                  reserve_crashkernel();
          ...
          /* Ensure that total memory size is page-aligned. */
          limit = ALIGN(memory_limit ?: memblock_phys_mem_size(), PAGE_SIZE);
          memblock_enforce_memory_limit(limit);
      
      While on other arches, the effect of "mem=" takes a higher priority
      and pass through memblock_phys_mem_size() before calling
      reserve_crashkernel().
      Signed-off-by: default avatarPingfan Liu <kernelfans@gmail.com>
      Reviewed-by: default avatarHari Bathini <hbathini@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/1585749644-4148-1-git-send-email-kernelfans@gmail.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      78c131f6
    • Jon Derrick's avatar
      PCI: vmd: Filter resource type bits from shadow register · 8861d95c
      Jon Derrick authored
      [ Upstream commit 3e5095ee ]
      
      Versions of VMD with the Host Physical Address shadow register use this
      register to calculate the bus address offset needed to do guest
      passthrough of the domain. This register shadows the Host Physical
      Address registers including the resource type bits. After calculating
      the offset, the extra resource type bits lead to the VMD resources being
      over-provisioned at the front and under-provisioned at the back.
      
      Example:
      pci 10000:80:02.0: reg 0x10: [mem 0xf801fffc-0xf803fffb 64bit]
      
      Expected:
      pci 10000:80:02.0: reg 0x10: [mem 0xf8020000-0xf803ffff 64bit]
      
      If other devices are mapped in the over-provisioned front, it could lead
      to resource conflict issues with VMD or those devices.
      
      Link: https://lore.kernel.org/r/20200528030240.16024-3-jonathan.derrick@intel.com
      Fixes: a1a30170 ("PCI: vmd: Fix shadow offsets to reflect spec changes")
      Signed-off-by: default avatarJon Derrick <jonathan.derrick@intel.com>
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8861d95c
    • Xiyu Yang's avatar
      nfsd: Fix svc_xprt refcnt leak when setup callback client failed · 22c72156
      Xiyu Yang authored
      [ Upstream commit a4abc6b1 ]
      
      nfsd4_process_cb_update() invokes svc_xprt_get(), which increases the
      refcount of the "c->cn_xprt".
      
      The reference counting issue happens in one exception handling path of
      nfsd4_process_cb_update(). When setup callback client failed, the
      function forgets to decrease the refcnt increased by svc_xprt_get(),
      causing a refcnt leak.
      
      Fix this issue by calling svc_xprt_put() when setup callback client
      failed.
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      22c72156
    • Kajol Jain's avatar
      powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run · 4b2f2a38
      Kajol Jain authored
      [ Upstream commit b4ac18ee ]
      
      Commit 2b206ee6 ("powerpc/perf/hv-24x7: Display change in counter
      values")' added to print _change_ in the counter value rather then raw
      value for 24x7 counters. Incase of transactions, the event count
      is set to 0 at the beginning of the transaction. It also sets
      the event's prev_count to the raw value at the time of initialization.
      Because of setting event count to 0, we are seeing some weird behaviour,
      whenever we run multiple 24x7 events at a time.
      
      For example:
      
      command#: ./perf stat -e "{hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/,
      			   hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/}"
      	  		   -C 0 -I 1000 sleep 100
      
           1.000121704                120 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           1.000121704                  5 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           2.000357733                  8 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           2.000357733                 10 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           3.000495215 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           3.000495215 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           4.000641884                 56 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           4.000641884 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           5.000791887 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
      
      Getting these large values in case we do -I.
      
      As we are setting event_count to 0, for interval case, overall event_count is not
      coming in incremental order. As we may can get new delta lesser then previous count.
      Because of which when we print intervals, we are getting negative value which create
      these large values.
      
      This patch removes part where we set event_count to 0 in function
      'h_24x7_event_read'. There won't be much impact as we do set event->hw.prev_count
      to the raw value at the time of initialization to print change value.
      
      With this patch
      In power9 platform
      
      command#: ./perf stat -e "{hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/,
      		           hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/}"
      			   -C 0 -I 1000 sleep 100
      
           1.000117685                 93 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           1.000117685                  1 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           2.000349331                 98 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           2.000349331                  2 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           3.000495900                131 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           3.000495900                  4 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           4.000645920                204 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
           4.000645920                 61 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/
           4.284169997                 22 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/
      Suggested-by: default avatarSukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
      Signed-off-by: default avatarKajol Jain <kjain@linux.ibm.com>
      Tested-by: default avatarMadhavan Srinivasan <maddy@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20200525104308.9814-2-kjain@linux.ibm.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      4b2f2a38
    • Alain Volmat's avatar
      clk: clk-flexgen: fix clock-critical handling · f59c4d14
      Alain Volmat authored
      [ Upstream commit a403bbab ]
      
      Fixes an issue leading to having all clocks following a critical
      clocks marked as well as criticals.
      
      Fixes: fa6415af ("clk: st: clk-flexgen: Detect critical clocks")
      Signed-off-by: default avatarAlain Volmat <avolmat@me.com>
      Link: https://lkml.kernel.org/r/20200322140740.3970-1-avolmat@me.comReviewed-by: default avatarPatrice Chotard <patrice.chotard@st.com>
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f59c4d14
    • Xiyu Yang's avatar
      scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event · b3cad8af
      Xiyu Yang authored
      [ Upstream commit 7217e6e6 ]
      
      In order to create or activate a new node, lpfc_els_unsol_buffer() invokes
      lpfc_nlp_init() or lpfc_enable_node() or lpfc_nlp_get(), all of them will
      return a reference of the specified lpfc_nodelist object to "ndlp" with
      increased refcnt.
      
      When lpfc_els_unsol_buffer() returns, local variable "ndlp" becomes
      invalid, so the refcount should be decreased to keep refcount balanced.
      
      The reference counting issue happens in one exception handling path of
      lpfc_els_unsol_buffer(). When "ndlp" in DEV_LOSS, the function forgets to
      decrease the refcnt increased by lpfc_nlp_init() or lpfc_enable_node() or
      lpfc_nlp_get(), causing a refcnt leak.
      
      Fix this issue by calling lpfc_nlp_put() when "ndlp" in DEV_LOSS.
      
      Link: https://lore.kernel.org/r/1590416184-52592-1-git-send-email-xiyuyang19@fudan.edu.cnReviewed-by: default avatarDaniel Wagner <dwagner@suse.de>
      Reviewed-by: default avatarJames Smart <james.smart@broadcom.com>
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b3cad8af
    • Marek Szyprowski's avatar
      mfd: wm8994: Fix driver operation if loaded as modules · e3f5b9a3
      Marek Szyprowski authored
      [ Upstream commit d4f9b542 ]
      
      WM8994 chip has built-in regulators, which might be used for chip
      operation. They are controlled by a separate wm8994-regulator driver,
      which should be loaded before this driver calls regulator_get(), because
      that driver also provides consumer-supply mapping for the them. If that
      driver is not yet loaded, regulator core substitute them with dummy
      regulator, what breaks chip operation, because the built-in regulators are
      never enabled. Fix this by annotating this driver with MODULE_SOFTDEP()
      "pre" dependency to "wm8994_regulator" module.
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.cirrus.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e3f5b9a3
    • Andy Shevchenko's avatar
      gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-registration · 3bb97b7d
      Andy Shevchenko authored
      [ Upstream commit 494a94e3 ]
      
      Add missed acpi_gpiochip_free_interrupts() call when unregistering ports.
      
      While at it, drop extra check to call acpi_gpiochip_request_interrupts().
      There is no need to have an additional check to call
      acpi_gpiochip_request_interrupts(). Even without any interrupts available
      the registered ACPI Event handlers can be useful for debugging purposes.
      
      Fixes: e6cb3486 ("gpio: dwapb: add gpio-signaled acpi event support")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Tested-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Acked-by: default avatarSerge Semin <fancer.lancer@gmail.com>
      Link: https://lore.kernel.org/r/20200519131233.59032-1-andriy.shevchenko@linux.intel.comSigned-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3bb97b7d
    • Christophe JAILLET's avatar
      m68k/PCI: Fix a memory leak in an error handling path · 1bcf9749
      Christophe JAILLET authored
      [ Upstream commit c3f4ec05 ]
      
      If 'ioremap' fails, we must free 'bridge', as done in other error handling
      path bellow.
      
      Fixes: 19cc4c84 ("m68k/PCI: Replace pci_fixup_irqs() call with host bridge IRQ mapping hooks")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarGreg Ungerer <gerg@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1bcf9749
    • Aharon Landau's avatar
      RDMA/mlx5: Add init2init as a modify command · e70fd099
      Aharon Landau authored
      [ Upstream commit 819f7427 ]
      
      Missing INIT2INIT entry in the list of modify commands caused DEVX
      applications to be unable to modify_qp for this transition state. Add the
      MLX5_CMD_OP_INIT2INIT_QP opcode to the list of allowed DEVX opcodes.
      
      Fixes: e662e14d ("IB/mlx5: Add DEVX support for modify and query commands")
      Link: https://lore.kernel.org/r/20200513095550.211345-1-leon@kernel.orgSigned-off-by: default avatarAharon Landau <aharonl@mellanox.com>
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e70fd099
    • Qian Cai's avatar
      vfio/pci: fix memory leaks in alloc_perm_bits() · 78914f16
      Qian Cai authored
      [ Upstream commit 3e63b94b ]
      
      vfio_pci_disable() calls vfio_config_free() but forgets to call
      free_perm_bits() resulting in memory leaks,
      
      unreferenced object 0xc000000c4db2dee0 (size 16):
        comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s)
        hex dump (first 16 bytes):
          00 00 ff 00 ff ff ff ff ff ff ff ff ff ff 00 00  ................
        backtrace:
          [<00000000a6a4552d>] alloc_perm_bits+0x58/0xe0 [vfio_pci]
          [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci]
          init_pci_cap_msi_perm at drivers/vfio/pci/vfio_pci_config.c:1125
          (inlined by) vfio_msi_cap_len at drivers/vfio/pci/vfio_pci_config.c:1180
          (inlined by) vfio_cap_len at drivers/vfio/pci/vfio_pci_config.c:1241
          (inlined by) vfio_cap_init at drivers/vfio/pci/vfio_pci_config.c:1468
          (inlined by) vfio_config_init at drivers/vfio/pci/vfio_pci_config.c:1707
          [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci]
          [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio]
          [<000000009e34c54f>] ksys_ioctl+0xd8/0x130
          [<000000006577923d>] sys_ioctl+0x28/0x40
          [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0
          [<0000000008ea7dd5>] system_call_common+0xf0/0x278
      unreferenced object 0xc000000c4db2e330 (size 16):
        comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s)
        hex dump (first 16 bytes):
          00 ff ff 00 ff ff ff ff ff ff ff ff ff ff 00 00  ................
        backtrace:
          [<000000004c71914f>] alloc_perm_bits+0x44/0xe0 [vfio_pci]
          [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci]
          [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci]
          [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio]
          [<000000009e34c54f>] ksys_ioctl+0xd8/0x130
          [<000000006577923d>] sys_ioctl+0x28/0x40
          [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0
          [<0000000008ea7dd5>] system_call_common+0xf0/0x278
      
      Fixes: 89e1f7d4 ("vfio: Add PCI device driver")
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      [aw: rolled in follow-up patch]
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      78914f16
    • Emmanuel Nicolet's avatar
      ps3disk: use the default segment boundary · 302f0c5e
      Emmanuel Nicolet authored
      [ Upstream commit 720bc316 ]
      
      Since commit dcebd755 ("block: use bio_for_each_bvec() to compute
      multi-page bvec count"), the kernel will bug_on on the PS3 because
      bio_split() is called with sectors == 0:
      
        kernel BUG at block/bio.c:1853!
        Oops: Exception in kernel mode, sig: 5 [#1]
        BE PAGE_SIZE=4K MMU=Hash PREEMPT SMP NR_CPUS=8 NUMA PS3
        Modules linked in: firewire_sbp2 rtc_ps3(+) soundcore ps3_gelic(+) \
        ps3rom(+) firewire_core ps3vram(+) usb_common crc_itu_t
        CPU: 0 PID: 97 Comm: blkid Not tainted 5.3.0-rc4 #1
        NIP:  c00000000027d0d0 LR: c00000000027d0b0 CTR: 0000000000000000
        REGS: c00000000135ae90 TRAP: 0700   Not tainted  (5.3.0-rc4)
        MSR:  8000000000028032 <SF,EE,IR,DR,RI>  CR: 44008240  XER: 20000000
        IRQMASK: 0
        GPR00: c000000000289368 c00000000135b120 c00000000084a500 c000000004ff8300
        GPR04: 0000000000000c00 c000000004c905e0 c000000004c905e0 000000000000ffff
        GPR08: 0000000000000000 0000000000000001 0000000000000000 000000000000ffff
        GPR12: 0000000000000000 c0000000008ef000 000000000000003e 0000000000080001
        GPR16: 0000000000000100 000000000000ffff 0000000000000000 0000000000000004
        GPR20: c00000000062fd7e 0000000000000001 000000000000ffff 0000000000000080
        GPR24: c000000000781788 c00000000135b350 0000000000000080 c000000004c905e0
        GPR28: c00000000135b348 c000000004ff8300 0000000000000000 c000000004c90000
        NIP [c00000000027d0d0] .bio_split+0x28/0xac
        LR [c00000000027d0b0] .bio_split+0x8/0xac
        Call Trace:
        [c00000000135b120] [c00000000027d130] .bio_split+0x88/0xac (unreliable)
        [c00000000135b1b0] [c000000000289368] .__blk_queue_split+0x11c/0x53c
        [c00000000135b2d0] [c00000000028f614] .blk_mq_make_request+0x80/0x7d4
        [c00000000135b3d0] [c000000000283a8c] .generic_make_request+0x118/0x294
        [c00000000135b4b0] [c000000000283d34] .submit_bio+0x12c/0x174
        [c00000000135b580] [c000000000205a44] .mpage_bio_submit+0x3c/0x4c
        [c00000000135b600] [c000000000206184] .mpage_readpages+0xa4/0x184
        [c00000000135b750] [c0000000001ff8fc] .blkdev_readpages+0x24/0x38
        [c00000000135b7c0] [c0000000001589f0] .read_pages+0x6c/0x1a8
        [c00000000135b8b0] [c000000000158c74] .__do_page_cache_readahead+0x118/0x184
        [c00000000135b9b0] [c0000000001591a8] .force_page_cache_readahead+0xe4/0xe8
        [c00000000135ba50] [c00000000014fc24] .generic_file_read_iter+0x1d8/0x830
        [c00000000135bb50] [c0000000001ffadc] .blkdev_read_iter+0x40/0x5c
        [c00000000135bbc0] [c0000000001b9e00] .new_sync_read+0x144/0x1a0
        [c00000000135bcd0] [c0000000001bc454] .vfs_read+0xa0/0x124
        [c00000000135bd70] [c0000000001bc7a4] .ksys_read+0x70/0xd8
        [c00000000135be20] [c00000000000a524] system_call+0x5c/0x70
        Instruction dump:
        7fe3fb78 482e30dc 7c0802a6 482e3085 7c9e2378 f821ff71 7ca42b78 7d3e00d0
        7c7d1b78 79290fe0 7cc53378 69290001 <0b090000> 81230028 7bca0020 7929ba62
        [ end trace 313fec760f30aa1f ]---
      
      The problem originates from setting the segment boundary of the
      request queue to -1UL. This makes get_max_segment_size() return zero
      when offset is zero, whatever the max segment size. The test with
      BLK_SEG_BOUNDARY_MASK fails and 'mask - (mask & offset) + 1' overflows
      to zero in the return statement.
      
      Not setting the segment boundary and using the default
      value (BLK_SEG_BOUNDARY_MASK) fixes the problem.
      Signed-off-by: default avatarEmmanuel Nicolet <emmanuel.nicolet@gmail.com>
      Signed-off-by: default avatarGeoff Levand <geoff@infradead.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/060a416c43138f45105c0540eff1a45539f7e2fc.1589049250.git.geoff@infradead.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      302f0c5e
    • Pali Rohár's avatar
      PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only register · bee54028
      Pali Rohár authored
      [ Upstream commit 90c6cb4a ]
      
      Trying to change Link Status register does not have any effect as this
      is a read-only register. Trying to overwrite bits for Negotiated Link
      Width does not make sense.
      
      In future proper change of link width can be done via Lane Count Select
      bits in PCIe Control 0 register.
      
      Trying to unconditionally enable ASPM L0s via ASPM Control bits in Link
      Control register is wrong. There should be at least some detection if
      endpoint supports L0s as isn't mandatory.
      
      Moreover ASPM Control bits in Link Control register are controlled by
      pcie/aspm.c code which sets it according to system ASPM settings,
      immediately after aardvark driver probes. So setting these bits by
      aardvark driver has no long running effect.
      
      Remove code which touches ASPM L0s bits from this driver and let
      kernel's ASPM implementation to set ASPM state properly.
      
      Some users are reporting issues that this code is problematic for some
      Intel wifi cards and removing it fixes them, see e.g.:
      https://bugzilla.kernel.org/show_bug.cgi?id=196339
      
      If problems with Intel wifi cards occur even after this commit, then
      pcie/aspm.c code could be modified / hooked to not enable ASPM L0s state
      for affected problematic cards.
      
      Link: https://lore.kernel.org/r/20200430080625.26070-3-pali@kernel.orgTested-by: default avatarTomasz Maciej Nowak <tmn505@gmail.com>
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Acked-by: default avatarThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bee54028
    • Martin Wilck's avatar
      dm mpath: switch paths in dm_blk_ioctl() code path · 49306a3e
      Martin Wilck authored
      [ Upstream commit 2361ae59 ]
      
      SCSI LUN passthrough code such as qemu's "scsi-block" device model
      pass every IO to the host via SG_IO ioctls. Currently, dm-multipath
      calls choose_pgpath() only in the block IO code path, not in the ioctl
      code path (unless current_pgpath is NULL). This has the effect that no
      path switching and thus no load balancing is done for SCSI-passthrough
      IO, unless the active path fails.
      
      Fix this by using the same logic in multipath_prepare_ioctl() as in
      multipath_clone_and_map().
      
      Note: The allegedly best path selection algorithm, service-time,
      still wouldn't work perfectly, because the io size of the current
      request is always set to 0. Changing that for the IO passthrough
      case would require the ioctl cmd and arg to be passed to dm's
      prepare_ioctl() method.
      Signed-off-by: default avatarMartin Wilck <mwilck@suse.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      49306a3e
    • Serge Semin's avatar
      serial: 8250: Fix max baud limit in generic 8250 port · 0eeaf629
      Serge Semin authored
      [ Upstream commit 7b668c06 ]
      
      Standard 8250 UART ports are designed in a way so they can communicate
      with baud rates up to 1/16 of a reference frequency. It's expected from
      most of the currently supported UART controllers. That's why the former
      version of serial8250_get_baud_rate() method called uart_get_baud_rate()
      with min and max baud rates passed as (port->uartclk / 16 / UART_DIV_MAX)
      and ((port->uartclk + tolerance) / 16) respectively. Doing otherwise, like
      it was suggested in commit ("serial: 8250_mtk: support big baud rate."),
      caused acceptance of bauds, which was higher than the normal UART
      controllers actually supported. As a result if some user-space program
      requested to set a baud greater than (uartclk / 16) it would have been
      permitted without truncation, but then serial8250_get_divisor(baud)
      (which calls uart_get_divisor() to get the reference clock divisor) would
      have returned a zero divisor. Setting zero divisor will cause an
      unpredictable effect varying from chip to chip. In case of DW APB UART the
      communications just stop.
      
      Lets fix this problem by getting back the limitation of (uartclk +
      tolerance) / 16 maximum baud supported by the generic 8250 port. Mediatek
      8250 UART ports driver developer shouldn't have touched it in the first
      place  notably seeing he already provided a custom version of set_termios()
      callback in that glue-driver which took into account the extended baud
      rate values and accordingly updated the standard and vendor-specific
      divisor latch registers anyway.
      
      Fixes: 81bb549f ("serial: 8250_mtk: support big baud rate.")
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Long Cheng <long.cheng@mediatek.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Maxime Ripard <mripard@kernel.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: linux-mips@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-mediatek@lists.infradead.org
      Link: https://lore.kernel.org/r/20200506233136.11842-2-Sergey.Semin@baikalelectronics.ruSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0eeaf629
    • Oliver Neukum's avatar
      usblp: poison URBs upon disconnect · 04519854
      Oliver Neukum authored
      [ Upstream commit 296a193b ]
      
      syzkaller reported an URB that should have been killed to be active.
      We do not understand it, but this should fix the issue if it is real.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/r/20200507085806.5793-1-oneukum@suse.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      04519854
    • Marek Szyprowski's avatar
      clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical · aba4a507
      Marek Szyprowski authored
      [ Upstream commit e47bd937 ]
      
      The TOP 'aclk*_isp', 'aclk550_cam', 'gscl_wa' and 'gscl_wb' clocks must
      be kept enabled all the time to allow proper access to power management
      control for the ISP and CAM power domains. The last two clocks, although
      related to GScaler device and GSCL power domain, provides also the
      I_WRAP_CLK signal to MIPI CSIS0/1 devices, which are a part of CAM power
      domain and are needed for proper power on/off sequence.
      
      Currently there are no drivers for the devices, which are part of CAM and
      ISP power domains yet. This patch only fixes the race between disabling
      the unused power domains and disabling unused clocks, which randomly
      resulted in the following error during boot:
      
      Power domain CAM disable failed
      Power domain ISP disable failed
      
      Fixes: 318fa46c ("clk/samsung: exynos542x: mark some clocks as critical")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarChanwoo Choi <cw00.choi@samsung.com>
      Signed-off-by: default avatarSylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aba4a507
    • Russell King's avatar
      i2c: pxa: clear all master action bits in i2c_pxa_stop_message() · 3018d81c
      Russell King authored
      [ Upstream commit e81c979f ]
      
      If we timeout during a message transfer, the control register may
      contain bits that cause an action to be set. Read-modify-writing the
      register leaving these bits set may trigger the hardware to attempt
      one of these actions unintentionally.
      
      Always clear these bits when cleaning up after a message or after
      a timeout.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3018d81c
    • Konstantin Khlebnikov's avatar
      f2fs: report delalloc reserve as non-free in statfs for project quota · 9ecdbfee
      Konstantin Khlebnikov authored
      [ Upstream commit baaa7ebf ]
      
      This reserved space isn't committed yet but cannot be used for
      allocations. For userspace it has no difference from used space.
      
      See the same fix in ext4 commit f06925c7 ("ext4: report delalloc
      reserve as non-free in statfs for project quota").
      
      Fixes: ddc34e32 ("f2fs: introduce f2fs_statfs_project")
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9ecdbfee
    • Andreas Klinger's avatar
      iio: bmp280: fix compensation of humidity · 89d3d21b
      Andreas Klinger authored
      [ Upstream commit dee2dabc ]
      
      Limit the output of humidity compensation to the range between 0 and 100
      percent.
      
      Depending on the calibration parameters of the individual sensor it
      happens, that a humidity above 100 percent or below 0 percent is
      calculated, which don't make sense in terms of relative humidity.
      
      Add a clamp to the compensation formula as described in the datasheet of
      the sensor in chapter 4.2.3.
      
      Although this clamp is documented, it was never in the driver of the
      kernel.
      
      It depends on the circumstances (calibration parameters, temperature,
      humidity) if one can see a value above 100 percent without the clamp.
      The writer of this patch was working with this type of sensor without
      noting this error. So it seems to be a rare event when this bug occures.
      Signed-off-by: default avatarAndreas Klinger <ak@it-klinger.de>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      89d3d21b
    • Viacheslav Dubeyko's avatar
      scsi: qla2xxx: Fix issue with adapter's stopping state · 63ec23f6
      Viacheslav Dubeyko authored
      [ Upstream commit 803e4555 ]
      
      The goal of the following command sequence is to restart the adapter.
      However, the tgt_stop flag remains set, indicating that the adapter is
      still in stopping state even after re-enabling it.
      
      echo 0x7fffffff > /sys/module/qla2xxx/parameters/logging
      modprobe target_core_mod
      modprobe tcm_qla2xxx
      mkdir /sys/kernel/config/target/qla2xxx
      mkdir /sys/kernel/config/target/qla2xxx/<port-name>
      mkdir /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1
      echo 1 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
      echo 0 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
      echo 1 > /sys/kernel/config/target/qla2xxx/<port-name>/tpgt_1/enable
      
      kernel: PID 1396:qla_target.c:1555 qlt_stop_phase1(): tgt_stop 0x0, tgt_stopped 0x0
      kernel: qla2xxx [0001:00:02.0]-e803:1: PID 1396:qla_target.c:1567: Stopping target for host 1(c0000000033557e8)
      kernel: PID 1396:qla_target.c:1579 qlt_stop_phase1(): tgt_stop 0x1, tgt_stopped 0x0
      kernel: PID 1396:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0
      kernel: qla2xxx [0001:00:02.0]-e801:1: PID 1396:qla_target.c:1316: Scheduling sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7
      <skipped>
      kernel: qla2xxx [0001:00:02.0]-290a:1: PID 340:qla_target.c:1187: qlt_unreg_sess sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7
      <skipped>
      kernel: qla2xxx [0001:00:02.0]-f801:1: PID 340:qla_target.c:1145: Unregistration of sess c00000002d5cd800 21:00:00:24:ff:7f:35:c7 finished fcp_cnt 0
      kernel: PID 340:qla_target.c:1155 qlt_free_session_done(): tgt_stop 0x1, tgt_stopped 0x0
      kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled.
      <skipped>
      kernel: qla2xxx [0001:00:02.0]-28f1:1: PID 346:qla_os.c:3956: Mark all dev lost
      kernel: PID 346:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0
      kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end.
      <skipped>
      kernel: PID 1396:qla_target.c:6812 qlt_enable_vha(): tgt_stop 0x1, tgt_stopped 0x0
      <skipped>
      kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled.
      <skipped>
      kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end.
      
      qlt_handle_cmd_for_atio() rejects the request to send commands because the
      adapter is in the stopping state:
      
      kernel: PID 0:qla_target.c:4442 qlt_handle_cmd_for_atio(): tgt_stop 0x1, tgt_stopped 0x0
      kernel: qla2xxx [0001:00:02.0]-3861:1: PID 0:qla_target.c:4447: New command while device c000000005314600 is shutting down
      kernel: qla2xxx [0001:00:02.0]-e85f:1: PID 0:qla_target.c:5728: qla_target: Unable to send command to target
      
      This patch calls qla_stop_phase2() in addition to qlt_stop_phase1() in
      tcm_qla2xxx_tpg_enable_store() and tcm_qla2xxx_npiv_tpg_enable_store(). The
      qlt_stop_phase1() marks adapter as stopping (tgt_stop == 0x1, tgt_stopped
      == 0x0) but qlt_stop_phase2() marks adapter as stopped (tgt_stop == 0x0,
      tgt_stopped == 0x1).
      
      Link: https://lore.kernel.org/r/52be1e8a3537f6c5407eae3edd4c8e08a9545ea5.camel@yadro.comReviewed-by: default avatarRoman Bolshakov <r.bolshakov@yadro.com>
      Reviewed-by: default avatarHimanshu Madhani <himanshu.madhani@oracle.com>
      Signed-off-by: default avatarViacheslav Dubeyko <v.dubeiko@yadro.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63ec23f6
    • Ard Biesheuvel's avatar
      PCI: Allow pci_resize_resource() for devices on root bus · f7ec6056
      Ard Biesheuvel authored
      [ Upstream commit d09ddd81 ]
      
      When resizing a BAR, pci_reassign_bridge_resources() is invoked to bring
      the bridge windows of parent bridges in line with the new BAR assignment.
      
      This assumes the device whose BAR is being resized lives on a subordinate
      bus, but this is not necessarily the case. A device may live on the root
      bus, in which case dev->bus->self is NULL, and passing a NULL pci_dev
      pointer to pci_reassign_bridge_resources() will cause it to crash.
      
      So let's make the call to pci_reassign_bridge_resources() conditional on
      whether dev->bus->self is non-NULL in the first place.
      
      Fixes: 8bb705e3 ("PCI: Add pci_resize_resource() for resizing BARs")
      Link: https://lore.kernel.org/r/20200421162256.26887-1-ardb@kernel.orgSigned-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f7ec6056
    • Dan Carpenter's avatar
      ALSA: isa/wavefront: prevent out of bounds write in ioctl · f2ad530b
      Dan Carpenter authored
      [ Upstream commit 7f0d5053 ]
      
      The "header->number" comes from the ioctl and it needs to be clamped to
      prevent out of bounds writes.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Link: https://lore.kernel.org/r/20200501094011.GA960082@mwandaSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2ad530b