OSDN Git Service
Gerrit - the friendly Code Review server [Tue, 2 Apr 2019 19:09:32 +0000 (12:09 -0700)]
Merge changes into msm-4.4
Linux Build Service Account [Tue, 2 Apr 2019 10:57:43 +0000 (03:57 -0700)]
Merge "Merge android-4.4.177 (
0c3b8c4) into msm-4.4"
Linux Build Service Account [Mon, 1 Apr 2019 03:13:23 +0000 (20:13 -0700)]
Merge "Scsi: ufs: fix issue of task tag in used"
Shadab Naseem [Wed, 20 Feb 2019 07:27:27 +0000 (12:57 +0530)]
scripts: gcc-wrapper: Route the GCC errors to stderr
The GCC wrapper writes any error message from GCC to stdout
along with the messages from the wrapper itself. This is okay
for most case, but when GCC is used with -print-xxx flags,
the stdout output is supposed to be taken as input to some
other build command, so putting error messages in there is
pretty bad. Fix this by writing error messages to stderr.
Change-Id: I4656033f11ba5212fdcc884cc588f8b9d2c23419
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>
Ziqi Chen [Wed, 27 Mar 2019 07:50:27 +0000 (15:50 +0800)]
Scsi: ufs: fix issue of task tag in used
Fix a coding error that lrb_in_use bitmap is cleared twice after its
corresponding request is completed. Otherwise, a tag, which is assigned
to a new request, get released from lrb_in_use in the first clear shall
be cleared again even before the new request is actually completed. Fix
this error by removing the second clear.
CRs-Fixed:
2417820
Change-Id: I4216fa32073d2a0f0f15c0979e4dd0ad542ce684
Signed-off-by: Ziqi Chen <ziqichen@codeaurora.org>
Linux Build Service Account [Thu, 28 Mar 2019 11:23:56 +0000 (04:23 -0700)]
Merge "msm: asm: validate ADSP data before access"
Linux Build Service Account [Thu, 28 Mar 2019 11:23:52 +0000 (04:23 -0700)]
Merge "soc: qcom: subsystem_notif_virt: Add waitqueue support for SSR"
Linux Build Service Account [Wed, 27 Mar 2019 23:34:42 +0000 (16:34 -0700)]
Merge "usb: gadget: f_fs: Queue request after setting is_busy flag"
Anant Goel [Tue, 26 Mar 2019 04:56:58 +0000 (21:56 -0700)]
soc: qcom: subsystem_notif_virt: Add waitqueue support for SSR
Add blocking support for SSR on the GHS platform. SSR will
block until receiving acknowledgment.
Change-Id: I549908f702318fc9e9dca5cdb12ad353881b6991
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Linux Build Service Account [Wed, 27 Mar 2019 15:15:08 +0000 (08:15 -0700)]
Merge "drivers: soc: qcom: Added check to avoid opening multiple instance"
Linux Build Service Account [Wed, 27 Mar 2019 15:14:53 +0000 (08:14 -0700)]
Merge "msm: vidc: Disable DCVS in DTSI"
Linux Build Service Account [Wed, 27 Mar 2019 15:14:50 +0000 (08:14 -0700)]
Merge "msm: vidc: Add common Boot KPI marker"
Linux Build Service Account [Wed, 27 Mar 2019 05:47:18 +0000 (22:47 -0700)]
Merge "drm/msm: read V' only for non-zero device count repeater"
Ajay Agarwal [Mon, 11 Mar 2019 11:28:06 +0000 (16:58 +0530)]
usb: gadget: f_fs: Queue request after setting is_busy flag
Currently the driver queues OUT EP request after ensuring that
is_busy flag is false, and then sets it true. It might be
possible that the queued request is completed before the
execution reaches next line to set is_busy to true. As a result,
is_busy remains true even after successful completion and no
further request is queued.
Fix this by first setting is_busy to true and then queueing the
request.
Change-Id: I87fce4e2cc94be8e6b6fb63fb1fc9afb9cf0d005
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Vignesh Kulothungan [Thu, 28 Feb 2019 22:55:05 +0000 (14:55 -0800)]
msm: asm: validate ADSP data before access
Validate buffer index obtained from ADSP token before using it.
CRs-Fixed:
2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
Abhinav Kumar [Wed, 20 Feb 2019 23:37:47 +0000 (15:37 -0800)]
drm/msm: read V' only for non-zero device count repeater
For repeaters having zero device count, the HDCP CTS expects
the device under test to either read V' and perform full
authentication or not read V' and re-authenticate.
Current HDCP driver reads V' and also re-authenticates causing
a failure of zero device count repeater test cases.
Fix this issue by implementing the correct sequence
in case of zero downstream devices.
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Change-Id: Idc36b4bc08091e23c23503aed815e19f459a62d2
Linux Build Service Account [Tue, 26 Mar 2019 22:26:07 +0000 (15:26 -0700)]
Merge "icnss: Add Api to Block/Unblock modem shutdown"
Suprith Malligere Shankaregowda [Wed, 20 Mar 2019 06:41:48 +0000 (12:11 +0530)]
msm: vidc: Disable DCVS in DTSI
DCVS is not required for automotive and it is causing significant
frame drops for some clips. Hence disable it for automotive, adding
an entry in DTSI so that this can be made platform-specific.
Change-Id: I02e7ec16c7024bbc82cae93aa3e27ca8a46bb503
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Suprith Malligere Shankaregowda [Sat, 23 Mar 2019 19:23:02 +0000 (00:53 +0530)]
msm: vidc: Add common Boot KPI marker
Add a boot marker to indicate the time when video
driver probe is completed and the device is ready.
Change-Id: Ic9deb35cabbfa1cc7ad079656bde711014d3529e
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Linux Build Service Account [Tue, 26 Mar 2019 14:12:52 +0000 (07:12 -0700)]
Merge "cnss2: Initialize plat_priv during bus_init"
Linux Build Service Account [Tue, 26 Mar 2019 14:12:50 +0000 (07:12 -0700)]
Merge "icnss: Defer modem graceful shutdown until probe complete"
Anurag Chouhan [Fri, 8 Feb 2019 10:16:53 +0000 (15:46 +0530)]
icnss: Add Api to Block/Unblock modem shutdown
Add API to Block/Unblock modem graceful shutdown.
Change-Id: I69b061fc7d25762b2c36d9590802addfc170f91f
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
Anurag Chouhan [Fri, 8 Feb 2019 09:59:11 +0000 (15:29 +0530)]
icnss: Defer modem graceful shutdown until probe complete
In case WLAN driver probe is in progress and modem graceful
shutdown occurs and if modem shutdown request is sent just
before the mode on request sent to firmware, firmware may end up
in illegal memory access.
To address this issue, modem notifier needs to be blocked needs for
probe to complete or max 5 seconds timeout.
CRs-Fixed:
2381846
Change-Id: I9e13a11c56059cb29e161c34df11de484f87ac5e
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
Jayachandran Sreekumaran [Tue, 26 Mar 2019 06:35:48 +0000 (12:05 +0530)]
cnss2: Initialize plat_priv during bus_init
cnss_usb_data structure member plat_priv remains uninitialized till
the function invoke of cnss_usb_probe. This leads to the access of
uninitialized pointer plat_priv if CLD gets loaded prior to
firmware download completion. Hence initialize the plat_priv
in cnss_usb_data structure during cnss_usb_init.
Change-Id: Ic471eacf22b112aaffe61458e22c7a9102470467
Signed-off-by: Jayachandran Sreekumaran <jsreekum@codeaurora.org>
Rajasekaran Kalidoss [Mon, 21 Jan 2019 07:57:48 +0000 (13:27 +0530)]
cnss2: Add QCN7605 USB for cold boot cal via fs_ready
For triggering cold boot via fs_ready, the device ID
and bus type of QCN7605 USB was added in fs_ready and
cold boot cal start and done handlers.
Change-Id: I28801207c7833af18a09819cd9ab07ede556ac87
Signed-off-by: Rajasekaran Kalidoss <rkalidos@codeaurora.org>
Linux Build Service Account [Mon, 25 Mar 2019 13:22:51 +0000 (06:22 -0700)]
Merge "diag: Add protection while accessing usb_info's buffer table"
Hardik Arya [Thu, 29 Mar 2018 08:28:19 +0000 (13:58 +0530)]
diag: Add protection while accessing usb_info's buffer table
Currently there a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.
Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Hardik Arya [Mon, 16 Apr 2018 11:16:58 +0000 (16:46 +0530)]
diag: Free usb buffer's entry after removing from list
Currently, there is possibility of memory leak due to not
freeing allocated memory for usb buffer's entry after
removing it from list. The patch handle this by freeing
the entry.
Change-Id: Idb08ecad859749e6ab1b09184362de38de4a9836
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Srinivasarao P [Mon, 25 Mar 2019 05:54:03 +0000 (11:24 +0530)]
Merge android-4.4.177 (
0c3b8c4) into msm-4.4
* refs/heads/tmp-
0c3b8c4
Linux 4.4.177
KVM: X86: Fix residual mmio emulation request to userspace
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
drm/radeon/evergreen_cs: fix missing break in switch statement
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
PM / wakeup: Rework wakeup source timer cancellation
nfsd: fix wrong check in write_v4_end_grace()
nfsd: fix memory corruption caused by readdir
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
NFS: Fix an I/O request leakage in nfs_do_recoalesce
md: Fix failed allocation of md_register_thread
perf intel-pt: Fix overlap calculation for padding
perf auxtrace: Define auxtrace record alignment
perf intel-pt: Fix CYC timestamp calculation after OVF
NFS41: pop some layoutget errors to application
dm: fix to_sector() for 32bit
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
powerpc/83xx: Also save/restore SPRG4-7 during suspend
powerpc/powernv: Make opal log only readable by root
powerpc/wii: properly disable use of BATs when requested.
powerpc/32: Clear on-stack exception marker upon exception return
jbd2: fix compile warning when using JBUFFER_TRACE
jbd2: clear dirty flag when revoking a buffer from an older transaction
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
serial: 8250_pci: Fix number of ports for ACCES serial cards
perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
i2c: tegra: fix maximum transfer size
parport_pc: fix find_superio io compare code, should use equal test.
intel_th: Don't reference unassigned outputs
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
ext2: Fix underflow in ext2_max_size()
ext4: fix crash during online resizing
cpufreq: pxa2xx: remove incorrect __init annotation
cpufreq: tegra124: add missing of_node_put()
crypto: pcbc - remove bogus memcpy()s with src == dest
Btrfs: fix corruption reading shared and compressed extents after hole punching
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
m68k: Add -ffreestanding to CFLAGS
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
scsi: virtio_scsi: don't send sc payload with tmfs
s390/virtio: handle find on invalid queue gracefully
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
regulator: s2mpa01: Fix step values for some LDOs
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
ACPI / device_sysfs: Avoid OF modalias creation for removed device
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
CIFS: Fix read after write for files with read caching
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
stm class: Prevent division by zero
tmpfs: fix uninitialized return value in shmem_link
net: set static variable an initial value in atl2_probe()
mac80211_hwsim: propagate genlmsg_reply return code
phonet: fix building with clang
ARC: uacces: remove lp_start, lp_end from clobber list
tmpfs: fix link accounting when a tmpfile is linked in
arm64: Relax GIC version check during early boot
ASoC: topology: free created components in tplg load error
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
net: systemport: Fix reception of BPDUs
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
assoc_array: Fix shortcut creation
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
Input: st-keyscan - fix potential zalloc NULL dereference
i2c: cadence: Fix the hold bit setting
Input: matrix_keypad - use flush_delayed_work()
ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
s390/dasd: fix using offset into zero size array error
gpu: ipu-v3: Fix CSI offsets for imx53
gpu: ipu-v3: Fix i.MX51 CSI control registers offset
crypto: ahash - fix another early termination in hash walk
crypto: caam - fixed handling of sg list
stm class: Fix an endless loop in channel allocation
ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
9p/net: fix memory leak in p9_client_create
9p: use inode->i_lock to protect i_size_write() under 32-bit
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
It's wrong to add len to sector_nr in raid10 reshape twice
fs/9p: use fscache mutex rather than spinlock
ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
tcp/dccp: remove reqsk_put() from inet_child_forget()
gro_cells: make sure device is up in gro_cells_receive()
net/hsr: fix possible crash in add_timer()
vxlan: Fix GRO cells race condition between receive and link delete
vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
ipvlan: disallow userns cap_net_admin to change global mode/flags
missing barriers in some of unix_sock ->addr and ->path accesses
net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
mdio_bus: Fix use-after-free on device_register fails
net/x25: fix a race in x25_bind()
net/mlx4_core: Fix qp mtt size calculation
net/mlx4_core: Fix reset flow when in command polling mode
tcp: handle inet_csk_reqsk_queue_add() failures
route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
ravb: Decrease TxFIFO depth of Q3 and Q2 to one
pptp: dst_release sk_dst_cache in pptp_sock_destruct
net/x25: reset state in x25_connect()
net/x25: fix use-after-free in x25_device_event()
net: sit: fix UBSAN Undefined behaviour in check_6rd
net: hsr: fix memory leak in hsr_dev_finalize()
l2tp: fix infoleak in l2tp_ip6_recvmsg()
KEYS: restrict /proc/keys by credentials at open time
netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
netfilter: nfnetlink_log: just returns error for unknown command
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
udplite: call proper backlog handlers
ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420
Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls"
ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
iscsi_ibft: Fix missing break in switch statement
Input: elan_i2c - add id for touchpad found in Lenovo s21e-20
Input: wacom_serial4 - add support for Wacom ArtPad II tablet
MIPS: Remove function size check in get_frame_info()
perf symbols: Filter out hidden symbols from labels
s390/qeth: fix use-after-free in error path
dmaengine: dmatest: Abort test in case of mapping error
dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
ARM: pxa: ssp: unneeded to free devm_ allocated data
autofs: fix error return in autofs_fill_super()
autofs: drop dentry reference only when it is never used
fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone
x86_64: increase stack size for KASAN_EXTRA
x86/kexec: Don't setup EFI info if EFI runtime is not enabled
cifs: fix computation for MAX_SMB2_HDR_SIZE
platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
scsi: libfc: free skb when receiving invalid flogi resp
nfs: Fix NULL pointer dereference of dev_name
gpio: vf610: Mask all GPIO interrupts
net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
xtensa: SMP: limit number of possible CPUs by NR_CPUS
xtensa: SMP: mark each possible CPU as present
xtensa: smp_lx200_defconfig: fix vectors clash
xtensa: SMP: fix secondary CPU initialization
xtensa: SMP: fix ccount_timer_shutdown
iommu/amd: Fix IOMMU page flush when detach device from a domain
ipvs: Fix signed integer overflow when setsockopt timeout
IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
perf tools: Handle TOPOLOGY headers with no CPU
vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
media: uvcvideo: Fix 'type' check leading to overflow
ip6mr: Do not call __IP6_INC_STATS() from preemptible context
net: dsa: mv88e6xxx: Fix u64 statistics
netlabel: fix out-of-bounds memory accesses
hugetlbfs: fix races and page leaks during migration
MIPS: irq: Allocate accurate order pages for irq stack
applicom: Fix potential Spectre v1 vulnerabilities
x86/CPU/AMD: Set the CPB bit unconditionally on F17h
net: phy: Micrel KSZ8061: link failure after cable connect
net: avoid use IPCB in cipso_v4_error
net: Add __icmp_send helper.
xen-netback: fix occasional leak of grant ref mappings under memory pressure
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
bnxt_en: Drop oversize TX packets to prevent errors.
team: Free BPF filter when unregistering netdev
sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
net-sysfs: Fix mem leak in netdev_register_kobject
staging: lustre: fix buffer overflow of string buffer
isdn: isdn_tty: fix build warning of strncpy
ncpfs: fix build warning of strncpy
sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
cpufreq: Use struct kobj_attribute instead of struct global_attr
USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
USB: serial: cp210x: add ID for Ingenico 3070
USB: serial: option: add Telit ME910 ECM composition
x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
mm: enforce min addr even if capable() in expand_downwards()
mmc: spi: Fix card detection during probe
powerpc: Always initialize input array when calling epapr_hypercall()
KVM: arm/arm64: Fix MMIO emulation data handling
arm/arm64: KVM: Feed initialized memory to MMIO accesses
KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
cfg80211: extend range deviation for DMG
mac80211: don't initiate TDLS connection if station is not associated to AP
ibmveth: Do not process frames after calling napi_reschedule
net: altera_tse: fix connect_local_phy error path
scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
mac80211: fix miscounting of ttl-dropped frames
ARC: fix __ffs return value to avoid build warnings
ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
ASoC: dapm: change snprintf to scnprintf for possible overflow
usb: gadget: Potential NULL dereference on allocation error
usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
ALSA: compress: prevent potential divide by zero bugs
ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
drm/msm: Unblock writer if reader closes file
scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
libceph: handle an empty authorize reply
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
ARCv2: Enable unaligned access in early ASM code
net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
team: avoid complex list operations in team_nl_cmd_options_set()
net/packet: fix 4gb buffer limit due to overflow check
batman-adv: fix uninit-value in batadv_interface_tx()
KEYS: always initialize keyring_index_key::desc_len
KEYS: user: Align the payload buffer
RDMA/srp: Rework SCSI device reset handling
isdn: avm: Fix string plus integer warning from Clang
leds: lp5523: fix a missing check of return value of lp55xx_read
atm: he: fix sign-extension overflow on large shift
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
MIPS: jazz: fix 64bit build
scsi: isci: initialize shost fully before calling scsi_add_host()
scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
MIPS: ath79: Enable OF serial ports in the default config
net: hns: Fix use after free identified by SLUB debug
mfd: mc13xxx: Fix a missing check of a register-read failure
mfd: wm5110: Add missing ASRC rate register
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: db8500-prcmu: Fix some section annotations
mfd: twl-core: Fix section annotations on {,un}protect_pm_master
mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
KEYS: allow reaching the keys quotas exactly
numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
Revert "ANDROID: arm: process: Add display of memory around registers when displaying regs."
ANDROID: mnt: Propagate remount correctly
ANDROID: cuttlefish_defconfig: Add support for AC97 audio
ANDROID: overlayfs: override_creds=off option bypass creator_cred
FROMGIT: binder: create node flag to request sender's security context
Conflicts:
arch/arm/kernel/irq.c
drivers/media/v4l2-core/videobuf2-v4l2.c
sound/core/compress_offload.c
Change-Id: I998f8d53b0c5b8a7102816034452b1779a3b69a3
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Greg Kroah-Hartman [Sat, 23 Mar 2019 07:59:43 +0000 (08:59 +0100)]
Merge 4.4.177 into android-4.4
Changes in 4.4.177
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
KEYS: allow reaching the keys quotas exactly
mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
mfd: twl-core: Fix section annotations on {,un}protect_pm_master
mfd: db8500-prcmu: Fix some section annotations
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: wm5110: Add missing ASRC rate register
mfd: mc13xxx: Fix a missing check of a register-read failure
net: hns: Fix use after free identified by SLUB debug
MIPS: ath79: Enable OF serial ports in the default config
scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
scsi: isci: initialize shost fully before calling scsi_add_host()
MIPS: jazz: fix 64bit build
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
atm: he: fix sign-extension overflow on large shift
leds: lp5523: fix a missing check of return value of lp55xx_read
isdn: avm: Fix string plus integer warning from Clang
RDMA/srp: Rework SCSI device reset handling
KEYS: user: Align the payload buffer
KEYS: always initialize keyring_index_key::desc_len
batman-adv: fix uninit-value in batadv_interface_tx()
net/packet: fix 4gb buffer limit due to overflow check
team: avoid complex list operations in team_nl_cmd_options_set()
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
ARCv2: Enable unaligned access in early ASM code
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
libceph: handle an empty authorize reply
scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
drm/msm: Unblock writer if reader closes file
ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
ALSA: compress: prevent potential divide by zero bugs
thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
usb: gadget: Potential NULL dereference on allocation error
ASoC: dapm: change snprintf to scnprintf for possible overflow
ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
ARC: fix __ffs return value to avoid build warnings
mac80211: fix miscounting of ttl-dropped frames
serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
net: altera_tse: fix connect_local_phy error path
ibmveth: Do not process frames after calling napi_reschedule
mac80211: don't initiate TDLS connection if station is not associated to AP
cfg80211: extend range deviation for DMG
KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
arm/arm64: KVM: Feed initialized memory to MMIO accesses
KVM: arm/arm64: Fix MMIO emulation data handling
powerpc: Always initialize input array when calling epapr_hypercall()
mmc: spi: Fix card detection during probe
mm: enforce min addr even if capable() in expand_downwards()
x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
USB: serial: option: add Telit ME910 ECM composition
USB: serial: cp210x: add ID for Ingenico 3070
USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
cpufreq: Use struct kobj_attribute instead of struct global_attr
sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
ncpfs: fix build warning of strncpy
isdn: isdn_tty: fix build warning of strncpy
staging: lustre: fix buffer overflow of string buffer
net-sysfs: Fix mem leak in netdev_register_kobject
sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
team: Free BPF filter when unregistering netdev
bnxt_en: Drop oversize TX packets to prevent errors.
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
xen-netback: fix occasional leak of grant ref mappings under memory pressure
net: Add __icmp_send helper.
net: avoid use IPCB in cipso_v4_error
net: phy: Micrel KSZ8061: link failure after cable connect
x86/CPU/AMD: Set the CPB bit unconditionally on F17h
applicom: Fix potential Spectre v1 vulnerabilities
MIPS: irq: Allocate accurate order pages for irq stack
hugetlbfs: fix races and page leaks during migration
netlabel: fix out-of-bounds memory accesses
net: dsa: mv88e6xxx: Fix u64 statistics
ip6mr: Do not call __IP6_INC_STATS() from preemptible context
media: uvcvideo: Fix 'type' check leading to overflow
vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
perf tools: Handle TOPOLOGY headers with no CPU
IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
ipvs: Fix signed integer overflow when setsockopt timeout
iommu/amd: Fix IOMMU page flush when detach device from a domain
xtensa: SMP: fix ccount_timer_shutdown
xtensa: SMP: fix secondary CPU initialization
xtensa: smp_lx200_defconfig: fix vectors clash
xtensa: SMP: mark each possible CPU as present
xtensa: SMP: limit number of possible CPUs by NR_CPUS
net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
gpio: vf610: Mask all GPIO interrupts
nfs: Fix NULL pointer dereference of dev_name
scsi: libfc: free skb when receiving invalid flogi resp
platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
cifs: fix computation for MAX_SMB2_HDR_SIZE
x86/kexec: Don't setup EFI info if EFI runtime is not enabled
x86_64: increase stack size for KASAN_EXTRA
mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone
mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
autofs: drop dentry reference only when it is never used
autofs: fix error return in autofs_fill_super()
ARM: pxa: ssp: unneeded to free devm_ allocated data
irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
dmaengine: dmatest: Abort test in case of mapping error
s390/qeth: fix use-after-free in error path
perf symbols: Filter out hidden symbols from labels
MIPS: Remove function size check in get_frame_info()
Input: wacom_serial4 - add support for Wacom ArtPad II tablet
Input: elan_i2c - add id for touchpad found in Lenovo s21e-20
iscsi_ibft: Fix missing break in switch statement
futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls"
ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420
udplite: call proper backlog handlers
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
netfilter: nfnetlink_log: just returns error for unknown command
netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
KEYS: restrict /proc/keys by credentials at open time
l2tp: fix infoleak in l2tp_ip6_recvmsg()
net: hsr: fix memory leak in hsr_dev_finalize()
net: sit: fix UBSAN Undefined behaviour in check_6rd
net/x25: fix use-after-free in x25_device_event()
net/x25: reset state in x25_connect()
pptp: dst_release sk_dst_cache in pptp_sock_destruct
ravb: Decrease TxFIFO depth of Q3 and Q2 to one
route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
tcp: handle inet_csk_reqsk_queue_add() failures
net/mlx4_core: Fix reset flow when in command polling mode
net/mlx4_core: Fix qp mtt size calculation
net/x25: fix a race in x25_bind()
mdio_bus: Fix use-after-free on device_register fails
net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
missing barriers in some of unix_sock ->addr and ->path accesses
ipvlan: disallow userns cap_net_admin to change global mode/flags
vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
vxlan: Fix GRO cells race condition between receive and link delete
net/hsr: fix possible crash in add_timer()
gro_cells: make sure device is up in gro_cells_receive()
tcp/dccp: remove reqsk_put() from inet_child_forget()
ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
fs/9p: use fscache mutex rather than spinlock
It's wrong to add len to sector_nr in raid10 reshape twice
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
9p: use inode->i_lock to protect i_size_write() under 32-bit
9p/net: fix memory leak in p9_client_create
ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
stm class: Fix an endless loop in channel allocation
crypto: caam - fixed handling of sg list
crypto: ahash - fix another early termination in hash walk
gpu: ipu-v3: Fix i.MX51 CSI control registers offset
gpu: ipu-v3: Fix CSI offsets for imx53
s390/dasd: fix using offset into zero size array error
ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
Input: matrix_keypad - use flush_delayed_work()
i2c: cadence: Fix the hold bit setting
Input: st-keyscan - fix potential zalloc NULL dereference
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
assoc_array: Fix shortcut creation
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
net: systemport: Fix reception of BPDUs
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
ASoC: topology: free created components in tplg load error
arm64: Relax GIC version check during early boot
tmpfs: fix link accounting when a tmpfile is linked in
ARC: uacces: remove lp_start, lp_end from clobber list
phonet: fix building with clang
mac80211_hwsim: propagate genlmsg_reply return code
net: set static variable an initial value in atl2_probe()
tmpfs: fix uninitialized return value in shmem_link
stm class: Prevent division by zero
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
CIFS: Fix read after write for files with read caching
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
ACPI / device_sysfs: Avoid OF modalias creation for removed device
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
regulator: s2mpa01: Fix step values for some LDOs
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
s390/virtio: handle find on invalid queue gracefully
scsi: virtio_scsi: don't send sc payload with tmfs
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
m68k: Add -ffreestanding to CFLAGS
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
Btrfs: fix corruption reading shared and compressed extents after hole punching
crypto: pcbc - remove bogus memcpy()s with src == dest
cpufreq: tegra124: add missing of_node_put()
cpufreq: pxa2xx: remove incorrect __init annotation
ext4: fix crash during online resizing
ext2: Fix underflow in ext2_max_size()
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
intel_th: Don't reference unassigned outputs
parport_pc: fix find_superio io compare code, should use equal test.
i2c: tegra: fix maximum transfer size
perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
serial: 8250_pci: Fix number of ports for ACCES serial cards
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
jbd2: clear dirty flag when revoking a buffer from an older transaction
jbd2: fix compile warning when using JBUFFER_TRACE
powerpc/32: Clear on-stack exception marker upon exception return
powerpc/wii: properly disable use of BATs when requested.
powerpc/powernv: Make opal log only readable by root
powerpc/83xx: Also save/restore SPRG4-7 during suspend
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
dm: fix to_sector() for 32bit
NFS41: pop some layoutget errors to application
perf intel-pt: Fix CYC timestamp calculation after OVF
perf auxtrace: Define auxtrace record alignment
perf intel-pt: Fix overlap calculation for padding
md: Fix failed allocation of md_register_thread
NFS: Fix an I/O request leakage in nfs_do_recoalesce
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
nfsd: fix memory corruption caused by readdir
nfsd: fix wrong check in write_v4_end_grace()
PM / wakeup: Rework wakeup source timer cancellation
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
drm/radeon/evergreen_cs: fix missing break in switch statement
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
KVM: X86: Fix residual mmio emulation request to userspace
Linux 4.4.177
Change-Id: Ide9813404248e6d7f9dc4024ac244dc1fbdd21b6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Sat, 23 Mar 2019 07:44:40 +0000 (08:44 +0100)]
Linux 4.4.177
Wanpeng Li [Thu, 10 Aug 2017 05:33:12 +0000 (22:33 -0700)]
KVM: X86: Fix residual mmio emulation request to userspace
commit
bbeac2830f4de270bb48141681cb730aadf8dce1 upstream.
Reported by syzkaller:
The kvm-intel.unrestricted_guest=0
WARNING: CPU: 5 PID: 1014 at /home/kernel/data/kvm/arch/x86/kvm//x86.c:7227 kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
CPU: 5 PID: 1014 Comm: warn_test Tainted: G W OE 4.13.0-rc3+ #8
RIP: 0010:kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
Call Trace:
? put_pid+0x3a/0x50
? rcu_read_lock_sched_held+0x79/0x80
? kmem_cache_free+0x2f2/0x350
kvm_vcpu_ioctl+0x340/0x700 [kvm]
? kvm_vcpu_ioctl+0x340/0x700 [kvm]
? __fget+0xfc/0x210
do_vfs_ioctl+0xa4/0x6a0
? __fget+0x11d/0x210
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x23/0xc2
? __this_cpu_preempt_check+0x13/0x20
The syszkaller folks reported a residual mmio emulation request to userspace
due to vm86 fails to emulate inject real mode interrupt(fails to read CS) and
incurs a triple fault. The vCPU returns to userspace with vcpu->mmio_needed == true
and KVM_EXIT_SHUTDOWN exit reason. However, the syszkaller testcase constructs
several threads to launch the same vCPU, the thread which lauch this vCPU after
the thread whichs get the vcpu->mmio_needed == true and KVM_EXIT_SHUTDOWN will
trigger the warning.
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/kvm.h>
#include <stdio.h>
int kvmcpu;
struct kvm_run *run;
void* thr(void* arg)
{
int res;
res = ioctl(kvmcpu, KVM_RUN, 0);
printf("ret1=%d exit_reason=%d suberror=%d\n",
res, run->exit_reason, run->internal.suberror);
return 0;
}
void test()
{
int i, kvm, kvmvm;
pthread_t th[4];
kvm = open("/dev/kvm", O_RDWR);
kvmvm = ioctl(kvm, KVM_CREATE_VM, 0);
kvmcpu = ioctl(kvmvm, KVM_CREATE_VCPU, 0);
run = (struct kvm_run*)mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, kvmcpu, 0);
srand(getpid());
for (i = 0; i < 4; i++) {
pthread_create(&th[i], 0, thr, 0);
usleep(rand() % 10000);
}
for (i = 0; i < 4; i++)
pthread_join(th[i], 0);
}
int main()
{
for (;;) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
test();
exit(0);
}
int status;
while (waitpid(pid, &status, __WALL) != pid) {}
}
return 0;
}
This patch fixes it by resetting the vcpu->mmio_needed once we receive
the triple fault to avoid the residue.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sean Christopherson [Wed, 23 Jan 2019 22:39:25 +0000 (14:39 -0800)]
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
commit
34333cc6c2cb021662fd32e24e618d1b86de95bf upstream.
Regarding segments with a limit==0xffffffff, the SDM officially states:
When the effective limit is FFFFFFFFH (4 GBytes), these accesses may
or may not cause the indicated exceptions. Behavior is
implementation-specific and may vary from one execution to another.
In practice, all CPUs that support VMX ignore limit checks for "flat
segments", i.e. an expand-up data or code segment with base=0 and
limit=0xffffffff. This is subtly different than wrapping the effective
address calculation based on the address size, as the flat segment
behavior also applies to accesses that would wrap the 4g boundary, e.g.
a 4-byte access starting at 0xffffffff will access linear addresses
0xffffffff, 0x0, 0x1 and 0x2.
Fixes:
f9eb4af67c9d ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sean Christopherson [Wed, 23 Jan 2019 22:39:23 +0000 (14:39 -0800)]
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
commit
946c522b603f281195af1df91837a1d4d1eb3bc9 upstream.
The VMCS.EXIT_QUALIFCATION field reports the displacements of memory
operands for various instructions, including VMX instructions, as a
naturally sized unsigned value, but masks the value by the addr size,
e.g. given a ModRM encoded as -0x28(%ebp), the -0x28 displacement is
reported as 0xffffffd8 for a 32-bit address size. Despite some weird
wording regarding sign extension, the SDM explicitly states that bits
beyond the instructions address size are undefined:
In all cases, bits of this field beyond the instruction’s address
size are undefined.
Failure to sign extend the displacement results in KVM incorrectly
treating a negative displacement as a large positive displacement when
the address size of the VMX instruction is smaller than KVM's native
size, e.g. a 32-bit address size on a 64-bit KVM.
The very original decoding, added by commit
064aea774768 ("KVM: nVMX:
Decoding memory operands of VMX instructions"), sort of modeled sign
extension by truncating the final virtual/linear address for a 32-bit
address size. I.e. it messed up the effective address but made it work
by adjusting the final address.
When segmentation checks were added, the truncation logic was kept
as-is and no sign extension logic was introduced. In other words, it
kept calculating the wrong effective address while mostly generating
the correct virtual/linear address. As the effective address is what's
used in the segment limit checks, this results in KVM incorreclty
injecting #GP/#SS faults due to non-existent segment violations when
a nested VMM uses negative displacements with an address size smaller
than KVM's native address size.
Using the -0x28(%ebp) example, an EBP value of 0x1000 will result in
KVM using 0x100000fd8 as the effective address when checking for a
segment limit violation. This causes a 100% failure rate when running
a 32-bit KVM build as L1 on top of a 64-bit KVM L0.
Fixes:
f9eb4af67c9d ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gustavo A. R. Silva [Fri, 15 Feb 2019 20:29:26 +0000 (14:29 -0600)]
drm/radeon/evergreen_cs: fix missing break in switch statement
commit
cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream.
Add missing break statement in order to prevent the code from falling
through to case CB_TARGET_MASK.
This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.
Fixes:
dd220a00e8bd ("drm/radeon/kms: add support for streamout v7")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sakari Ailus [Wed, 30 Jan 2019 10:09:41 +0000 (05:09 -0500)]
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
commit
9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.
The UVC video driver converts the timestamp from hardware specific unit
to one known by the kernel at the time when the buffer is dequeued. This
is fine in general, but the streamoff operation consists of the
following steps (among other things):
1. uvc_video_clock_cleanup --- the hardware clock sample array is
released and the pointer to the array is set to NULL,
2. buffers in active state are returned to the user and
3. buf_finish callback is called on buffers that are prepared.
buf_finish includes calling uvc_video_clock_update that accesses the
hardware clock sample array.
The above is serialised by a queue specific mutex. Address the problem
by skipping the clock conversion if the hardware clock sample array is
already released.
Fixes:
9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel")
Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Zhang, Jun [Tue, 18 Dec 2018 14:55:01 +0000 (06:55 -0800)]
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
commit
1d1f898df6586c5ea9aeaf349f13089c6fa37903 upstream.
The rcu_gp_kthread_wake() function is invoked when it might be necessary
to wake the RCU grace-period kthread. Because self-wakeups are normally
a useless waste of CPU cycles, if rcu_gp_kthread_wake() is invoked from
this kthread, it naturally refuses to do the wakeup.
Unfortunately, natural though it might be, this heuristic fails when
rcu_gp_kthread_wake() is invoked from an interrupt or softirq handler
that interrupted the grace-period kthread just after the final check of
the wait-event condition but just before the schedule() call. In this
case, a wakeup is required, even though the call to rcu_gp_kthread_wake()
is within the RCU grace-period kthread's context. Failing to provide
this wakeup can result in grace periods failing to start, which in turn
results in out-of-memory conditions.
This race window is quite narrow, but it actually did happen during real
testing. It would of course need to be fixed even if it was strictly
theoretical in nature.
This patch does not Cc stable because it does not apply cleanly to
earlier kernel versions.
Fixes:
48a7639ce80c ("rcu: Make callers awaken grace-period kthread")
Reported-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "Zhang, Jun" <jun.zhang@intel.com>
Co-developed-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "xiao, jin" <jin.xiao@intel.com>
Co-developed-by: Bai, Jie A <jie.a.bai@intel.com>
Signed-off: "Zhang, Jun" <jun.zhang@intel.com>
Signed-off: "He, Bo" <bo.he@intel.com>
Signed-off: "xiao, jin" <jin.xiao@intel.com>
Signed-off: Bai, Jie A <jie.a.bai@intel.com>
Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com>
[ paulmck: Switch from !in_softirq() to "!in_interrupt() &&
!in_serving_softirq() to avoid redundant wakeups and to also handle the
interrupt-handler scenario as well as the softirq-handler scenario that
actually occurred in testing. ]
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Link: https://lkml.kernel.org/r/CD6925E8781EFD4D8E11882D20FC406D52A11F61@SHSMSX104.ccr.corp.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Viresh Kumar [Fri, 8 Mar 2019 09:53:11 +0000 (15:23 +0530)]
PM / wakeup: Rework wakeup source timer cancellation
commit
1fad17fb1bbcd73159c2b992668a6957ecc5af8a upstream.
If wakeup_source_add() is called right after wakeup_source_remove()
for the same wakeup source, timer_setup() may be called for a
potentially scheduled timer which is incorrect.
To avoid that, move the wakeup source timer cancellation from
wakeup_source_drop() to wakeup_source_remove().
Moreover, make wakeup_source_remove() clear the timer function after
canceling the timer to let wakeup_source_not_registered() treat
unregistered wakeup sources in the same way as the ones that have
never been registered.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 4.4+ <stable@vger.kernel.org> # 4.4+
[ rjw: Subject, changelog, merged two patches together ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yihao Wu [Wed, 6 Mar 2019 13:03:50 +0000 (21:03 +0800)]
nfsd: fix wrong check in write_v4_end_grace()
commit
dd838821f0a29781b185cd8fb8e48d5c177bd838 upstream.
Commit
62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before
nfsd startup" is trying to fix a NULL dereference issue, but it
mistakenly checks if the nfsd server is started. So fix it.
Fixes:
62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before nfsd startup"
Cc: stable@vger.kernel.org
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
NeilBrown [Mon, 4 Mar 2019 03:08:22 +0000 (14:08 +1100)]
nfsd: fix memory corruption caused by readdir
commit
b602345da6cbb135ba68cf042df8ec9a73da7981 upstream.
If the result of an NFSv3 readdir{,plus} request results in the
"offset" on one entry having to be split across 2 pages, and is sized
so that the next directory entry doesn't fit in the requested size,
then memory corruption can happen.
When encode_entry() is called after encoding the last entry that fits,
it notices that ->offset and ->offset1 are set, and so stores the
offset value in the two pages as required. It clears ->offset1 but
*does not* clear ->offset.
Normally this omission doesn't matter as encode_entry_baggage() will
be called, and will set ->offset to a suitable value (not on a page
boundary).
But in the case where cd->buflen < elen and nfserr_toosmall is
returned, ->offset is not reset.
This means that nfsd3proc_readdirplus will see ->offset with a value 4
bytes before the end of a page, and ->offset1 set to NULL.
It will try to write 8bytes to ->offset.
If we are lucky, the next page will be read-only, and the system will
BUG: unable to handle kernel paging request at...
If we are unlucky, some innocent page will have the first 4 bytes
corrupted.
nfsd3proc_readdir() doesn't even check for ->offset1, it just blindly
writes 8 bytes to the offset wherever it is.
Fix this by clearing ->offset after it is used, and copying the
->offset handling code from nfsd3_proc_readdirplus into
nfsd3_proc_readdir.
(Note that the commit hash in the Fixes tag is from the 'history'
tree - this bug predates git).
Fixes:
0b1d57cf7654 ("[PATCH] kNFSd: Fix nfs3 dentry encoding")
Fixes-URL: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=
0b1d57cf7654
Cc: stable@vger.kernel.org (v2.6.12+)
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Trond Myklebust [Fri, 15 Feb 2019 21:08:25 +0000 (16:08 -0500)]
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
commit
8127d82705998568b52ac724e28e00941538083d upstream.
If the I/O completion failed with a fatal error, then we should just
exit nfs_pageio_complete_mirror() rather than try to recoalesce.
Fixes:
a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Trond Myklebust [Fri, 15 Feb 2019 19:59:52 +0000 (14:59 -0500)]
NFS: Fix an I/O request leakage in nfs_do_recoalesce
commit
4d91969ed4dbcefd0e78f77494f0cb8fada9048a upstream.
Whether we need to exit early, or just reprocess the list, we
must not lost track of the request which failed to get recoalesced.
Fixes:
03d5eb65b538 ("NFS: Fix a memory leak in nfs_do_recoalesce")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Aditya Pakki [Mon, 4 Mar 2019 22:48:54 +0000 (16:48 -0600)]
md: Fix failed allocation of md_register_thread
commit
e406f12dde1a8375d77ea02d91f313fb1a9c6aec upstream.
mddev->sync_thread can be set to NULL on kzalloc failure downstream.
The patch checks for such a scenario and frees allocated resources.
Committer node:
Added similar fix to raid5.c, as suggested by Guoqing.
Cc: stable@vger.kernel.org # v3.16+
Acked-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Adrian Hunter [Wed, 6 Feb 2019 10:39:44 +0000 (12:39 +0200)]
perf intel-pt: Fix overlap calculation for padding
commit
5a99d99e3310a565b0cf63f785b347be9ee0da45 upstream.
Auxtrace records might have up to 7 bytes of padding appended. Adjust
the overlap accordingly.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20190206103947.15750-3-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Adrian Hunter [Wed, 6 Feb 2019 10:39:43 +0000 (12:39 +0200)]
perf auxtrace: Define auxtrace record alignment
commit
c3fcadf0bb765faf45d6d562246e1d08885466df upstream.
Define auxtrace record alignment so that it can be referenced elsewhere.
Note this is preparation for patch "perf intel-pt: Fix overlap calculation
for padding"
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20190206103947.15750-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Adrian Hunter [Wed, 6 Feb 2019 10:39:45 +0000 (12:39 +0200)]
perf intel-pt: Fix CYC timestamp calculation after OVF
commit
03997612904866abe7cdcc992784ef65cb3a4b81 upstream.
CYC packet timestamp calculation depends upon CBR which was being
cleared upon overflow (OVF). That can cause errors due to failing to
synchronize with sideband events. Even if a CBR change has been lost,
the old CBR is still a better estimate than zero. So remove the clearing
of CBR.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20190206103947.15750-4-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peng Tao [Thu, 3 Dec 2015 18:57:48 +0000 (02:57 +0800)]
NFS41: pop some layoutget errors to application
commit
d600ad1f2bdbf97c4818dcc85b174f72c90c21bd upstream.
For ERESTARTSYS/EIO/EROFS/ENOSPC/E2BIG in layoutget, we
should just bail out instead of hiding the error and
retrying inband IO.
Change all the call sites to pop the error all the way up.
Signed-off-by: Peng Tao <tao.peng@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
NeilBrown [Sun, 6 Jan 2019 10:06:25 +0000 (21:06 +1100)]
dm: fix to_sector() for 32bit
commit
0bdb50c531f7377a9da80d3ce2d61f389c84cb30 upstream.
A dm-raid array with devices larger than 4GB won't assemble on
a 32 bit host since _check_data_dev_sectors() was added in 4.16.
This is because to_sector() treats its argument as an "unsigned long"
which is 32bits (4GB) on a 32bit host. Using "unsigned long long"
is more correct.
Kernels as early as 4.2 can have other problems due to to_sector()
being used on the size of a device.
Fixes:
0cf4503174c1 ("dm raid: add support for the MD RAID0 personality")
cc: stable@vger.kernel.org (v4.2+)
Reported-and-tested-by: Guillaume Perréal <gperreal@free.fr>
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gustavo A. R. Silva [Thu, 3 Jan 2019 20:14:08 +0000 (14:14 -0600)]
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
commit
e2477233145f2156434afb799583bccd878f3e9f upstream.
Fix boolean expressions by using logical AND operator '&&' instead of
bitwise operator '&'.
This issue was detected with the help of Coccinelle.
Fixes:
4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
[krzk: Fix -Wparentheses warning]
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christophe Leroy [Fri, 25 Jan 2019 12:03:55 +0000 (12:03 +0000)]
powerpc/83xx: Also save/restore SPRG4-7 during suspend
commit
36da5ff0bea2dc67298150ead8d8471575c54c7d upstream.
The 83xx has 8 SPRG registers and uses at least SPRG4
for DTLB handling LRU.
Fixes:
2319f1239592 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jordan Niethe [Wed, 27 Feb 2019 03:02:29 +0000 (14:02 +1100)]
powerpc/powernv: Make opal log only readable by root
commit
7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream.
Currently the opal log is globally readable. It is kernel policy to
limit the visibility of physical addresses / kernel pointers to root.
Given this and the fact the opal log may contain this information it
would be better to limit the readability to root.
Fixes:
bfc36894a48b ("powerpc/powernv: Add OPAL message log interface")
Cc: stable@vger.kernel.org # v3.15+
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
Reviewed-by: Stewart Smith <stewart@linux.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christophe Leroy [Thu, 21 Feb 2019 19:08:37 +0000 (19:08 +0000)]
powerpc/wii: properly disable use of BATs when requested.
commit
6d183ca8baec983dc4208ca45ece3c36763df912 upstream.
'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC
deny the use of BATS for mapping memory.
This patch makes sure that the specific wii RAM mapping function
takes it into account as well.
Fixes:
de32400dd26e ("wii: use both mem1 and mem2 as ram")
Cc: stable@vger.kernel.org
Reviewed-by: Jonathan Neuschafer <j.neuschaefer@gmx.net>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christophe Leroy [Wed, 27 Feb 2019 11:45:30 +0000 (11:45 +0000)]
powerpc/32: Clear on-stack exception marker upon exception return
commit
9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream.
Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order
to avoid confusing stacktrace like the one below.
Call Trace:
[
c0e9dca0] [
c01c42a0] print_address_description+0x64/0x2bc (unreliable)
[
c0e9dcd0] [
c01c4684] kasan_report+0xfc/0x180
[
c0e9dd10] [
c0895130] memchr+0x24/0x74
[
c0e9dd30] [
c00a9e38] msg_print_text+0x124/0x574
[
c0e9dde0] [
c00ab710] console_unlock+0x114/0x4f8
[
c0e9de40] [
c00adc60] vprintk_emit+0x188/0x1c4
--- interrupt:
c0e9df00 at 0x400f330
LR = init_stack+0x1f00/0x2000
[
c0e9de80] [
c00ae3c4] printk+0xa8/0xcc (unreliable)
[
c0e9df20] [
c0c27e44] early_irq_init+0x38/0x108
[
c0e9df50] [
c0c15434] start_kernel+0x310/0x488
[
c0e9dff0] [
00003484] 0x3484
With this patch the trace becomes:
Call Trace:
[
c0e9dca0] [
c01c42c0] print_address_description+0x64/0x2bc (unreliable)
[
c0e9dcd0] [
c01c46a4] kasan_report+0xfc/0x180
[
c0e9dd10] [
c0895150] memchr+0x24/0x74
[
c0e9dd30] [
c00a9e58] msg_print_text+0x124/0x574
[
c0e9dde0] [
c00ab730] console_unlock+0x114/0x4f8
[
c0e9de40] [
c00adc80] vprintk_emit+0x188/0x1c4
[
c0e9de80] [
c00ae3e4] printk+0xa8/0xcc
[
c0e9df20] [
c0c27e44] early_irq_init+0x38/0x108
[
c0e9df50] [
c0c15434] start_kernel+0x310/0x488
[
c0e9dff0] [
00003484] 0x3484
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
zhangyi (F) [Thu, 21 Feb 2019 16:24:09 +0000 (11:24 -0500)]
jbd2: fix compile warning when using JBUFFER_TRACE
commit
01215d3edb0f384ddeaa5e4a22c1ae5ff634149f upstream.
The jh pointer may be used uninitialized in the two cases below and the
compiler complain about it when enabling JBUFFER_TRACE macro, fix them.
In file included from fs/jbd2/transaction.c:19:0:
fs/jbd2/transaction.c: In function ‘jbd2_journal_get_undo_access’:
./include/linux/jbd2.h:1637:38: warning: ‘jh’ is used uninitialized in this function [-Wuninitialized]
#define JBUFFER_TRACE(jh, info) do { printk("%s: %d\n", __func__, jh->b_jcount);} while (0)
^
fs/jbd2/transaction.c:1219:23: note: ‘jh’ was declared here
struct journal_head *jh;
^
In file included from fs/jbd2/transaction.c:19:0:
fs/jbd2/transaction.c: In function ‘jbd2_journal_dirty_metadata’:
./include/linux/jbd2.h:1637:38: warning: ‘jh’ may be used uninitialized in this function [-Wmaybe-uninitialized]
#define JBUFFER_TRACE(jh, info) do { printk("%s: %d\n", __func__, jh->b_jcount);} while (0)
^
fs/jbd2/transaction.c:1332:23: note: ‘jh’ was declared here
struct journal_head *jh;
^
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
zhangyi (F) [Mon, 11 Feb 2019 04:23:04 +0000 (23:23 -0500)]
jbd2: clear dirty flag when revoking a buffer from an older transaction
commit
904cdbd41d749a476863a0ca41f6f396774f26e4 upstream.
Now, we capture a data corruption problem on ext4 while we're truncating
an extent index block. Imaging that if we are revoking a buffer which
has been journaled by the committing transaction, the buffer's jbddirty
flag will not be cleared in jbd2_journal_forget(), so the commit code
will set the buffer dirty flag again after refile the buffer.
fsx kjournald2
jbd2_journal_commit_transaction
jbd2_journal_revoke commit phase 1~5...
jbd2_journal_forget
belongs to older transaction commit phase 6
jbddirty not clear __jbd2_journal_refile_buffer
__jbd2_journal_unfile_buffer
test_clear_buffer_jbddirty
mark_buffer_dirty
Finally, if the freed extent index block was allocated again as data
block by some other files, it may corrupt the file data after writing
cached pages later, such as during unmount time. (In general,
clean_bdev_aliases() related helpers should be invoked after
re-allocation to prevent the above corruption, but unfortunately we
missed it when zeroout the head of extra extent blocks in
ext4_ext_handle_unwritten_extents()).
This patch mark buffer as freed and set j_next_transaction to the new
transaction when it already belongs to the committing transaction in
jbd2_journal_forget(), so that commit code knows it should clear dirty
bits when it is done with the buffer.
This problem can be reproduced by xfstests generic/455 easily with
seeds (3246 3247 3248 3249).
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jay Dolan [Wed, 13 Feb 2019 05:43:12 +0000 (21:43 -0800)]
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
commit
78d3820b9bd39028727c6aab7297b63c093db343 upstream.
The four port Pericom chips have the fourth port at the wrong address.
Make use of quirk to fix it.
Fixes:
c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jay Dolan [Wed, 13 Feb 2019 05:43:11 +0000 (21:43 -0800)]
serial: 8250_pci: Fix number of ports for ACCES serial cards
commit
b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream.
Have the correct number of ports created for ACCES serial cards. Two port
cards show up as four ports, and four port cards show up as eight.
Fixes:
c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards")
Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Mon, 11 Jul 2016 15:36:41 +0000 (12:36 -0300)]
perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
commit
7d7d1bf1d1dabe435ef50efb051724b8664749cb upstream.
We can't access kernel files directly from tools/, so copy the required
bits, and make sure that we detect when the original files, in the
kernel, gets modified.
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-z7e76274ch5j4nugv048qacb@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sowjanya Komatineni [Tue, 12 Feb 2019 19:06:44 +0000 (11:06 -0800)]
i2c: tegra: fix maximum transfer size
commit
f4e3f4ae1d9c9330de355f432b69952e8cef650c upstream.
Tegra186 and prior supports maximum 4K bytes per packet transfer
including 12 bytes of packet header.
This patch fixes max write length limit to account packet header
size for transfers.
Cc: stable@vger.kernel.org # 4.4+
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
QiaoChong [Sat, 9 Feb 2019 20:59:07 +0000 (20:59 +0000)]
parport_pc: fix find_superio io compare code, should use equal test.
commit
21698fd57984cd28207d841dbdaa026d6061bceb upstream.
In the original code before
181bf1e815a2 the loop was continuing until
it finds the first matching superios[i].io and p->base.
But after
181bf1e815a2 the logic changed and the loop now returns the
pointer to the first mismatched array element which is then used in
get_superio_dma() and get_superio_irq() and thus returning the wrong
value.
Fix the condition so that it now returns the correct pointer.
Fixes:
181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
Cc: Alan Cox <alan@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: QiaoChong <qiaochong@loongson.cn>
[rewrite the commit message]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexander Shishkin [Thu, 24 Jan 2019 13:11:53 +0000 (15:11 +0200)]
intel_th: Don't reference unassigned outputs
commit
9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.
When an output port driver is removed, also remove references to it from
any masters. Failing to do this causes a NULL ptr dereference when
configuring another output port:
> BUG: unable to handle kernel NULL pointer dereference at
000000000000000d
> RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
> Call Trace:
> dev_attr_store+0x1b/0x30
> sysfs_kf_write+0x3c/0x50
> kernfs_fop_write+0x125/0x1a0
> __vfs_write+0x3a/0x190
> ? __vfs_write+0x5/0x190
> ? _cond_resched+0x1a/0x50
> ? rcu_all_qs+0x5/0xb0
> ? __vfs_write+0x5/0x190
> vfs_write+0xb8/0x1b0
> ksys_write+0x55/0xc0
> __x64_sys_write+0x1a/0x20
> do_syscall_64+0x5a/0x140
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes:
b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver")
CC: stable@vger.kernel.org # v4.4+
Reported-by: Ammy Yi <ammy.yi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Zev Weiss [Tue, 12 Mar 2019 06:28:02 +0000 (23:28 -0700)]
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
commit
8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
This bug has apparently existed since the introduction of this function
in the pre-git era (
4500e91754d3 in Thomas Gleixner's history.git,
"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
neighbour sysctls.").
As a minimal fix we can simply duplicate the corresponding check in
do_proc_dointvec_conv().
Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net
Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Cc: Brendan Higgins <brendanhiggins@google.com>
Cc: Iurii Zaikin <yzaikin@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: <stable@vger.kernel.org> [2.6.2+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Roman Penyaev [Tue, 5 Mar 2019 23:43:20 +0000 (15:43 -0800)]
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
commit
401592d2e095947344e10ec0623adbcd58934dd4 upstream.
When VM_NO_GUARD is not set area->size includes adjacent guard page,
thus for correct size checking get_vm_area_size() should be used, but
not area->size.
This fixes possible kernel oops when userspace tries to mmap an area on
1 page bigger than was allocated by vmalloc_user() call: the size check
inside remap_vmalloc_range_partial() accounts non-existing guard page
also, so check successfully passes but vmalloc_to_page() returns NULL
(guard page does not physically exist).
The following code pattern example should trigger an oops:
static int oops_mmap(struct file *file, struct vm_area_struct *vma)
{
void *mem;
mem = vmalloc_user(4096);
BUG_ON(!mem);
/* Do not care about mem leak */
return remap_vmalloc_range(vma, mem, 0);
}
And userspace simply mmaps size + PAGE_SIZE:
mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);
Possible candidates for oops which do not have any explicit size
checks:
*** drivers/media/usb/stkwebcam/stk-webcam.c:
v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0);
Or the following one:
*** drivers/video/fbdev/core/fbmem.c
static int
fb_mmap(struct file *file, struct vm_area_struct * vma)
...
res = fb->fb_mmap(info, vma);
Where fb_mmap callback calls remap_vmalloc_range() directly without any
explicit checks:
*** drivers/video/fbdev/vfb.c
static int vfb_mmap(struct fb_info *info,
struct vm_area_struct *vma)
{
return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);
}
Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de
Signed-off-by: Roman Penyaev <rpenyaev@suse.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Joe Perches <joe@perches.com>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Phuong Nguyen [Thu, 17 Jan 2019 08:44:17 +0000 (17:44 +0900)]
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
commit
d9140a0da4a230a03426d175145989667758aa6a upstream.
This commit fixes the issue that USB-DMAC hangs silently after system
resumes on R-Car Gen3 hence renesas_usbhs will not work correctly
when using USB-DMAC for bulk transfer e.g. ethernet or serial
gadgets.
The issue can be reproduced by these steps:
1. modprobe g_serial
2. Suspend and resume system.
3. connect a usb cable to host side
4. Transfer data from Host to Target
5. cat /dev/ttyGS0 (Target side)
6. echo "test" > /dev/ttyACM0 (Host side)
The 'cat' will not result anything. However, system still can work
normally.
Currently, USB-DMAC driver does not have system sleep callbacks hence
this driver relies on the PM core to force runtime suspend/resume to
suspend and reinitialize USB-DMAC during system resume. After
the commit
17218e0092f8 ("PM / genpd: Stop/start devices without
pm_runtime_force_suspend/resume()"), PM core will not force
runtime suspend/resume anymore so this issue happens.
To solve this, make system suspend resume explicit by using
pm_runtime_force_{suspend,resume}() as the system sleep callbacks.
SET_NOIRQ_SYSTEM_SLEEP_PM_OPS() is used to make sure USB-DMAC
suspended after and initialized before renesas_usbhs."
Signed-off-by: Phuong Nguyen <phuong.nguyen.xw@renesas.com>
Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
Cc: <stable@vger.kernel.org> # v4.16+
[shimoda: revise the commit log and add Cc tag]
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Cercueil [Mon, 28 Jan 2019 02:09:20 +0000 (23:09 -0300)]
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
commit
bc5d922c93491878c44c9216e9d227c7eeb81d7f upstream.
Take a parent rate of 180 MHz, and a requested rate of 4.285715 MHz.
This results in a theorical divider of 41.999993 which is then rounded
up to 42. The .round_rate function would then return (180 MHz / 42) as
the clock, rounded down, so 4.285714 MHz.
Calling clk_set_rate on 4.285714 MHz would round the rate again, and
give a theorical divider of 42,
0000028, now rounded up to 43, and the
rate returned would be (180 MHz / 43) which is 4.186046 MHz, aka. not
what we requested.
Fix this by rounding up the divisions.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Tested-by: Maarten ter Huurne <maarten@treewalker.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Kara [Tue, 29 Jan 2019 16:17:24 +0000 (17:17 +0100)]
ext2: Fix underflow in ext2_max_size()
commit
1c2d14212b15a60300a2d4f6364753e87394c521 upstream.
When ext2 filesystem is created with 64k block size, ext2_max_size()
will return value less than 0. Also, we cannot write any file in this fs
since the sb->maxbytes is less than 0. The core of the problem is that
the size of block index tree for such large block size is more than
i_blocks can carry. So fix the computation to count with this
possibility.
File size limits computed with the new function for the full range of
possible block sizes look like:
bits file_size
10
17247252480
11
275415851008
12
2196873666560
13
2197948973056
14
2198486220800
15
2198754754560
16
2198888906752
CC: stable@vger.kernel.org
Reported-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Kara [Mon, 11 Feb 2019 18:30:32 +0000 (13:30 -0500)]
ext4: fix crash during online resizing
commit
f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 upstream.
When computing maximum size of filesystem possible with given number of
group descriptor blocks, we forget to include s_first_data_block into
the number of blocks. Thus for filesystems with non-zero
s_first_data_block it can happen that computed maximum filesystem size
is actually lower than current filesystem size which confuses the code
and eventually leads to a BUG_ON in ext4_alloc_group_tables() hitting on
flex_gd->count == 0. The problem can be reproduced like:
truncate -s 100g /tmp/image
mkfs.ext4 -b 1024 -E resize=262144 /tmp/image 32768
mount -t ext4 -o loop /tmp/image /mnt
resize2fs /dev/loop0 262145
resize2fs /dev/loop0 300000
Fix the problem by properly including s_first_data_block into the
computed number of filesystem blocks.
Fixes:
1c6bd7173d66 "ext4: convert file system to meta_bg if needed..."
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnd Bergmann [Thu, 7 Mar 2019 10:22:41 +0000 (11:22 +0100)]
cpufreq: pxa2xx: remove incorrect __init annotation
commit
9505b98ccddc454008ca7efff90044e3e857c827 upstream.
pxa_cpufreq_init_voltages() is marked __init but usually inlined into
the non-__init pxa_cpufreq_init() function. When building with clang,
it can stay as a standalone function in a discarded section, and produce
this warning:
WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages()
The function pxa_cpufreq_init() references
the function __init pxa_cpufreq_init_voltages().
This is often because pxa_cpufreq_init lacks a __init
annotation or the annotation of pxa_cpufreq_init_voltages is wrong.
Fixes:
50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yangtao Li [Mon, 4 Feb 2019 07:48:54 +0000 (02:48 -0500)]
cpufreq: tegra124: add missing of_node_put()
commit
446fae2bb5395f3028d8e3aae1508737e5a72ea1 upstream.
of_cpu_device_node_get() will increase the refcount of device_node,
it is necessary to call of_node_put() at the end to release the
refcount.
Fixes:
9eb15dbbfa1a2 ("cpufreq: Add cpufreq driver for Tegra124")
Cc: <stable@vger.kernel.org> # 4.4+
Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Fri, 4 Jan 2019 04:16:13 +0000 (20:16 -0800)]
crypto: pcbc - remove bogus memcpy()s with src == dest
commit
251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream.
The memcpy()s in the PCBC implementation use walk->iv as both the source
and destination, which has undefined behavior. These memcpy()'s are
actually unneeded, because walk->iv is already used to hold the previous
plaintext block XOR'd with the previous ciphertext block. Thus,
walk->iv is already updated to its final value.
So remove the broken and unnecessary memcpy()s.
Fixes:
91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template")
Cc: <stable@vger.kernel.org> # v2.6.21+
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Filipe Manana [Thu, 14 Feb 2019 15:17:20 +0000 (15:17 +0000)]
Btrfs: fix corruption reading shared and compressed extents after hole punching
commit
8e928218780e2f1cf2f5891c7575e8f0b284fcce upstream.
In the past we had data corruption when reading compressed extents that
are shared within the same file and they are consecutive, this got fixed
by commit
005efedf2c7d0 ("Btrfs: fix read corruption of compressed and
shared extents") and by commit
808f80b46790f ("Btrfs: update fix for read
corruption of compressed and shared extents"). However there was a case
that was missing in those fixes, which is when the shared and compressed
extents are referenced with a non-zero offset. The following shell script
creates a reproducer for this issue:
#!/bin/bash
mkfs.btrfs -f /dev/sdc &> /dev/null
mount -o compress /dev/sdc /mnt/sdc
# Create a file with 3 consecutive compressed extents, each has an
# uncompressed size of 128Kb and a compressed size of 4Kb.
for ((i = 1; i <= 3; i++)); do
head -c 4096 /dev/zero
for ((j = 1; j <= 31; j++)); do
head -c 4096 /dev/zero | tr '\0' "\377"
done
done > /mnt/sdc/foobar
sync
echo "Digest after file creation: $(md5sum /mnt/sdc/foobar)"
# Clone the first extent into offsets 128K and 256K.
xfs_io -c "reflink /mnt/sdc/foobar 0 128K 128K" /mnt/sdc/foobar
xfs_io -c "reflink /mnt/sdc/foobar 0 256K 128K" /mnt/sdc/foobar
sync
echo "Digest after cloning: $(md5sum /mnt/sdc/foobar)"
# Punch holes into the regions that are already full of zeroes.
xfs_io -c "fpunch 0 4K" /mnt/sdc/foobar
xfs_io -c "fpunch 128K 4K" /mnt/sdc/foobar
xfs_io -c "fpunch 256K 4K" /mnt/sdc/foobar
sync
echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"
echo "Dropping page cache..."
sysctl -q vm.drop_caches=1
echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"
umount /dev/sdc
When running the script we get the following output:
Digest after file creation:
5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
linked 131072/131072 bytes at offset 131072
128 KiB, 1 ops; 0.0033 sec (36.960 MiB/sec and 295.6830 ops/sec)
linked 131072/131072 bytes at offset 262144
128 KiB, 1 ops; 0.0015 sec (78.567 MiB/sec and 628.5355 ops/sec)
Digest after cloning:
5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
Digest after hole punching:
5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
Dropping page cache...
Digest after hole punching:
fba694ae8664ed0c2e9ff8937e7f1484 /mnt/sdc/foobar
This happens because after reading all the pages of the extent in the
range from 128K to 256K for example, we read the hole at offset 256K
and then when reading the page at offset 260K we don't submit the
existing bio, which is responsible for filling all the page in the
range 128K to 256K only, therefore adding the pages from range 260K
to 384K to the existing bio and submitting it after iterating over the
entire range. Once the bio completes, the uncompressed data fills only
the pages in the range 128K to 256K because there's no more data read
from disk, leaving the pages in the range 260K to 384K unfilled. It is
just a slightly different variant of what was solved by commit
005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared
extents").
Fix this by forcing a bio submit, during readpages(), whenever we find a
compressed extent map for a page that is different from the extent map
for the previous page or has a different starting offset (in case it's
the same compressed extent), instead of the extent map's original start
offset.
A test case for fstests follows soon.
Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Fixes:
808f80b46790f ("Btrfs: update fix for read corruption of compressed and shared extents")
Fixes:
005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents")
Cc: stable@vger.kernel.org # 4.3+
Tested-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johannes Thumshirn [Mon, 18 Feb 2019 10:28:37 +0000 (11:28 +0100)]
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
commit
349ae63f40638a28c6fce52e8447c2d14b84cc0c upstream.
We recently had a customer issue with a corrupted filesystem. When
trying to mount this image btrfs panicked with a division by zero in
calc_stripe_length().
The corrupt chunk had a 'num_stripes' value of 1. calc_stripe_length()
takes this value and divides it by the number of copies the RAID profile
is expected to have to calculate the amount of data stripes. As a DUP
profile is expected to have 2 copies this division resulted in 1/2 = 0.
Later then the 'data_stripes' variable is used as a divisor in the
stripe length calculation which results in a division by 0 and thus a
kernel panic.
When encountering a filesystem with a DUP block group and a
'num_stripes' value unequal to 2, refuse mounting as the image is
corrupted and will lead to unexpected behaviour.
Code inspection showed a RAID1 block group has the same issues.
Fixes:
e06cd3dd7cea ("Btrfs: add validadtion checks for chunk loading")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Finn Thain [Wed, 16 Jan 2019 05:23:24 +0000 (16:23 +1100)]
m68k: Add -ffreestanding to CFLAGS
commit
28713169d879b67be2ef2f84dcf54905de238294 upstream.
This patch fixes a build failure when using GCC 8.1:
/usr/bin/ld: block/partitions/ldm.o: in function `ldm_parse_tocblock':
block/partitions/ldm.c:153: undefined reference to `strcmp'
This is caused by a new optimization which effectively replaces a
strncmp() call with a strcmp() call. This affects a number of strncmp()
call sites in the kernel.
The entire class of optimizations is avoided with -fno-builtin, which
gets enabled by -ffreestanding. This may avoid possible future build
failures in case new optimizations appear in future compilers.
I haven't done any performance measurements with this patch but I did
count the function calls in a defconfig build. For example, there are now
23 more sprintf() calls and 39 fewer strcpy() calls. The effect on the
other libc functions is smaller.
If this harms performance we can tackle that regression by optimizing
the call sites, ideally using semantic patches. That way, clang and ICC
builds might benfit too.
Cc: stable@vger.kernel.org
Reference: https://marc.info/?l=linux-m68k&m=
154514816222244&w=2
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bart Van Assche [Fri, 25 Jan 2019 18:34:56 +0000 (10:34 -0800)]
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
commit
32e36bfbcf31452a854263e7c7f32fbefc4b44d8 upstream.
When using SCSI passthrough in combination with the iSCSI target driver
then cmd->t_state_lock may be obtained from interrupt context. Hence, all
code that obtains cmd->t_state_lock from thread context must disable
interrupts first. This patch avoids that lockdep reports the following:
WARNING: inconsistent lock state
4.18.0-dbg+ #1 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
iscsi_ttx/1800 [HC1[1]:SC0[2]:HE0:SE0] takes:
000000006e7b0ceb (&(&cmd->t_state_lock)->rlock){?...}, at: target_complete_cmd+0x47/0x2c0 [target_core_mod]
{HARDIRQ-ON-W} state was registered at:
lock_acquire+0xd2/0x260
_raw_spin_lock+0x32/0x50
iscsit_close_connection+0x97e/0x1020 [iscsi_target_mod]
iscsit_take_action_for_connection_exit+0x108/0x200 [iscsi_target_mod]
iscsi_target_rx_thread+0x180/0x190 [iscsi_target_mod]
kthread+0x1cf/0x1f0
ret_from_fork+0x24/0x30
irq event stamp: 1281
hardirqs last enabled at (1279): [<
ffffffff970ade79>] __local_bh_enable_ip+0xa9/0x160
hardirqs last disabled at (1281): [<
ffffffff97a008a5>] interrupt_entry+0xb5/0xd0
softirqs last enabled at (1278): [<
ffffffff977cd9a1>] lock_sock_nested+0x51/0xc0
softirqs last disabled at (1280): [<
ffffffffc07a6e04>] ip6_finish_output2+0x124/0xe40 [ipv6]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&(&cmd->t_state_lock)->rlock);
<Interrupt>
lock(&(&cmd->t_state_lock)->rlock);
Felipe Franciosi [Wed, 27 Feb 2019 16:10:34 +0000 (16:10 +0000)]
scsi: virtio_scsi: don't send sc payload with tmfs
commit
3722e6a52174d7c3a00e6f5efd006ca093f346c1 upstream.
The virtio scsi spec defines struct virtio_scsi_ctrl_tmf as a set of
device-readable records and a single device-writable response entry:
struct virtio_scsi_ctrl_tmf
{
// Device-readable part
le32 type;
le32 subtype;
u8 lun[8];
le64 id;
// Device-writable part
u8 response;
}
The above should be organised as two descriptor entries (or potentially
more if using VIRTIO_F_ANY_LAYOUT), but without any extra data after "le64
id" or after "u8 response".
The Linux driver doesn't respect that, with virtscsi_abort() and
virtscsi_device_reset() setting cmd->sc before calling virtscsi_tmf(). It
results in the original scsi command payload (or writable buffers) added to
the tmf.
This fixes the problem by leaving cmd->sc zeroed out, which makes
virtscsi_kick_cmd() add the tmf to the control vq without any payload.
Cc: stable@vger.kernel.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Halil Pasic [Mon, 21 Jan 2019 12:19:43 +0000 (13:19 +0100)]
s390/virtio: handle find on invalid queue gracefully
commit
3438b2c039b4bf26881786a1f3450f016d66ad11 upstream.
A queue with a capacity of zero is clearly not a valid virtio queue.
Some emulators report zero queue size if queried with an invalid queue
index. Instead of crashing in this case let us just return -ENOENT. To
make that work properly, let us fix the notifier cleanup logic as well.
Cc: stable@vger.kernel.org
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stuart Menefy [Sun, 10 Feb 2019 22:51:14 +0000 (22:51 +0000)]
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
commit
d2f276c8d3c224d5b493c42b6cf006ae4e64fb1c upstream.
When shutting down the timer, ensure that after we have stopped the
timer any pending interrupts are cleared. This fixes a problem when
suspending, as interrupts are disabled before the timer is stopped,
so the timer interrupt may still be asserted, preventing the system
entering a low power state when the wfi is executed.
Signed-off-by: Stuart Menefy <stuart.menefy@mathembedded.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: <stable@vger.kernel.org> # v4.3+
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stuart Menefy [Sun, 10 Feb 2019 22:51:13 +0000 (22:51 +0000)]
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
commit
a5719a40aef956ba704f2aa1c7b977224d60fa96 upstream.
When a timer tick occurs and the clock is in one-shot mode, the timer
needs to be stopped to prevent it triggering subsequent interrupts.
Currently this code is in exynos4_mct_tick_clear(), but as it is
only needed when an ISR occurs move it into exynos4_mct_tick_isr(),
leaving exynos4_mct_tick_clear() just doing what its name suggests it
should.
Signed-off-by: Stuart Menefy <stuart.menefy@mathembedded.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stuart Menefy [Tue, 12 Feb 2019 21:51:18 +0000 (21:51 +0000)]
regulator: s2mpa01: Fix step values for some LDOs
commit
28c4f730d2a44f2591cb104091da29a38dac49fe upstream.
The step values for some of the LDOs appears to be incorrect, resulting
in incorrect voltages (or at least, ones which are different from the
Samsung 3.4 vendor kernel).
Signed-off-by: Stuart Menefy <stuart.menefy@mathembedded.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Sat, 9 Feb 2019 17:14:14 +0000 (18:14 +0100)]
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
commit
56b5d4ea778c1b0989c5cdb5406d4a488144c416 upstream.
LDO35 uses 25 mV step, not 50 mV. Bucks 7 and 8 use 12.5 mV step
instead of 6.25 mV. Wrong step caused over-voltage (LDO35) or
under-voltage (buck7 and 8) if regulators were used (e.g. on Exynos5420
Arndale Octa board).
Cc: <stable@vger.kernel.org>
Fixes:
cb74685ecb39 ("regulator: s2mps11: Add samsung s2mps11 regulator driver")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andy Shevchenko [Mon, 11 Mar 2019 16:41:03 +0000 (18:41 +0200)]
ACPI / device_sysfs: Avoid OF modalias creation for removed device
commit
f16eb8a4b096514ac06fb25bf599dcc792899b3d upstream.
If SSDT overlay is loaded via ConfigFS and then unloaded the device,
we would like to have OF modalias for, already gone. Thus, acpi_get_name()
returns no allocated buffer for such case and kernel crashes afterwards:
ACPI: Host-directed Dynamic ACPI Table Unload
ads7950 spi-PRP0001:00: Dropping the link to regulator.0
BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
#PF error: [normal kernel read fault]
PGD
80000000070d6067 P4D
80000000070d6067 PUD
70d0067 PMD 0
Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 40 Comm: kworker/u4:2 Not tainted 5.0.0+ #96
Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
Workqueue: kacpi_hotplug acpi_device_del_work_fn
RIP: 0010:create_of_modalias.isra.1+0x4c/0x150
Code: 00 00 48 89 44 24 18 31 c0 48 8d 54 24 08 48 c7 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff e8 7a b0 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74 27 48 c7 c7 00 09 f4 a5 0f b6 f0 8d 50 20 f6 04
RSP: 0000:
ffffa51040297c10 EFLAGS:
00010246
RAX:
0000000000001001 RBX:
0000000000000785 RCX:
0000000000000000
RDX:
0000000000001001 RSI:
0000000000000286 RDI:
ffffa2163dc042e0
RBP:
ffffa216062b1196 R08:
0000000000001001 R09:
ffffa21639873000
R10:
ffffffffa606761d R11:
0000000000000001 R12:
ffffa21639873218
R13:
ffffa2163deb5060 R14:
ffffa216063d1010 R15:
0000000000000000
FS:
0000000000000000(0000) GS:
ffffa2163e000000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000000 CR3:
0000000007114000 CR4:
00000000001006f0
Call Trace:
__acpi_device_uevent_modalias+0xb0/0x100
spi_uevent+0xd/0x40
...
In order to fix above let create_of_modalias() check the status returned
by acpi_get_name() and bail out in case of failure.
Fixes:
8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=201381
Reported-by: Ferry Toth <fntoth@gmail.com>
Tested-by: Ferry Toth<fntoth@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: 4.1+ <stable@vger.kernel.org> # 4.1+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
zhangyi (F) [Wed, 13 Feb 2019 12:29:06 +0000 (20:29 +0800)]
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
commit
e7f0c424d0806b05d6f47be9f202b037eb701707 upstream.
Commit
d716ff71dd12 ("tracing: Remove taking of trace_types_lock in
pipe files") use the current tracer instead of the copy in
tracing_open_pipe(), but it forget to remove the freeing sentence in
the error path.
There's an error path that can call kfree(iter->trace) after the iter->trace
was assigned to tr->current_trace, which would be bad to free.
Link: http://lkml.kernel.org/r/1550060946-45984-1-git-send-email-yi.zhang@huawei.com
Cc: stable@vger.kernel.org
Fixes:
d716ff71dd12 ("tracing: Remove taking of trace_types_lock in pipe files")
Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pavel Shilovsky [Tue, 5 Mar 2019 01:48:01 +0000 (17:48 -0800)]
CIFS: Fix read after write for files with read caching
commit
6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream.
When we have a READ lease for a file and have just issued a write
operation to the server we need to purge the cache and set oplock/lease
level to NONE to avoid reading stale data. Currently we do that
only if a write operation succedeed thus not covering cases when
a request was sent to the server but a negative error code was
returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR).
Fix this by turning off caching regardless of the error code being
returned.
The patches fixes generic tests 075 and 112 from the xfs-tests.
Cc: <stable@vger.kernel.org>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ard Biesheuvel [Thu, 24 Jan 2019 16:33:45 +0000 (17:33 +0100)]
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
commit
eaf46edf6ea89675bd36245369c8de5063a0272c upstream.
The NEON MAC calculation routine fails to handle the case correctly
where there is some data in the buffer, and the input fills it up
exactly. In this case, we enter the loop at the end with w8 == 0,
while a negative value is assumed, and so the loop carries on until
the increment of the 32-bit counter wraps around, which is quite
obviously wrong.
So omit the loop altogether in this case, and exit right away.
Reported-by: Eric Biggers <ebiggers@kernel.org>
Fixes:
a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...")
Cc: stable@vger.kernel.org
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexander Shishkin [Thu, 21 Feb 2019 12:19:17 +0000 (14:19 +0200)]
stm class: Prevent division by zero
commit
bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.
Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
device that supplies zero mmio channel size, will trigger a division by
zero bug in the kernel.
Prevent this by disallowing channel widths other than 1 for such devices.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes:
7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
CC: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Darrick J. Wong [Sat, 23 Feb 2019 06:35:32 +0000 (22:35 -0800)]
tmpfs: fix uninitialized return value in shmem_link
[ Upstream commit
29b00e609960ae0fcff382f4c7079dd0874a5311 ]
When we made the shmem_reserve_inode call in shmem_link conditional, we
forgot to update the declaration for ret so that it always has a known
value. Dan Carpenter pointed out this deficiency in the original patch.
Fixes:
1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Matej Kupljen <matej.kupljen@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mao Wenan [Fri, 22 Feb 2019 06:57:23 +0000 (14:57 +0800)]
net: set static variable an initial value in atl2_probe()
[ Upstream commit
4593403fa516a5a4cffe6883c5062d60932cbfbe ]
cards_found is a static variable, but when it enters atl2_probe(),
cards_found is set to zero, the value is not consistent with last probe,
so next behavior is not our expect.
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Li RongQing [Tue, 19 Feb 2019 05:12:40 +0000 (13:12 +0800)]
mac80211_hwsim: propagate genlmsg_reply return code
[ Upstream commit
17407715240456448e4989bee46ffc93991add83 ]
genlmsg_reply can fail, so propagate its return code
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Arnd Bergmann [Tue, 19 Feb 2019 21:53:50 +0000 (22:53 +0100)]
phonet: fix building with clang
[ Upstream commit
6321aa197547da397753757bd84c6ce64b3e3d89 ]
clang warns about overflowing the data[] member in the struct pnpipehdr:
net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds]
if (hdr->data[4] == PEP_IND_READY)
^ ~
include/net/phonet/pep.h:66:3: note: array 'data' declared here
u8 data[1];
Using a flexible array member at the end of the struct avoids the
warning, but since we cannot have a flexible array member inside
of the union, each index now has to be moved back by one, which
makes it a little uglier.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Vineet Gupta [Tue, 5 Feb 2019 18:07:07 +0000 (10:07 -0800)]
ARC: uacces: remove lp_start, lp_end from clobber list
[ Upstream commit
d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ]
Newer ARC gcc handles lp_start, lp_end in a different way and doesn't
like them in the clobber list.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Darrick J. Wong [Thu, 21 Feb 2019 16:48:09 +0000 (08:48 -0800)]
tmpfs: fix link accounting when a tmpfile is linked in
[ Upstream commit
1062af920c07f5b54cf5060fde3339da6df0cf6b ]
tmpfs has a peculiarity of accounting hard links as if they were
separate inodes: so that when the number of inodes is limited, as it is
by default, a user cannot soak up an unlimited amount of unreclaimable
dcache memory just by repeatedly linking a file.
But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
fd, we missed accommodating this new case in tmpfs: "df -i" shows that
an extra "inode" remains accounted after the file is unlinked and the fd
closed and the actual inode evicted. If a user repeatedly links
tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
are deleted.
Just skip the extra reservation from shmem_link() in this case: there's
a sense in which this first link of a tmpfile is then cheaper than a
hard link of another file, but the accounting works out, and there's
still good limiting, so no need to do anything more complicated.
Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
Fixes:
f4e0c30c191 ("allow the temp files created by open() to be linked to")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Matej Kupljen <matej.kupljen@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Vladimir Murzin [Wed, 20 Feb 2019 11:43:05 +0000 (11:43 +0000)]
arm64: Relax GIC version check during early boot
[ Upstream commit
74698f6971f25d045301139413578865fc2bd8f9 ]
Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have
values other than 0 or 1. At the moment, Linux is quite strict in the
way it handles this field at early boot stage (cpufeature is fine) and
will refuse to use the system register CPU interface if it doesn't
find the value 1.
Fixes:
021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3")
Reported-by: Chase Conklin <Chase.Conklin@arm.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bard liao [Sun, 17 Feb 2019 13:23:47 +0000 (21:23 +0800)]
ASoC: topology: free created components in tplg load error
[ Upstream commit
304017d31df36fb61eb2ed3ebf65fb6870b3c731 ]
Topology resources are no longer needed if any element failed to load.
Signed-off-by: Bard liao <yung-chuan.liao@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alexey Khoroshilov [Fri, 15 Feb 2019 21:20:54 +0000 (00:20 +0300)]
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
[ Upstream commit
e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
leaves clk enabled.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Martin Blumenstingl [Sat, 9 Feb 2019 01:01:01 +0000 (02:01 +0100)]
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
[ Upstream commit
c17abcfa93bf0be5e48bb011607d237ac2bfc839 ]
Fix the mismatch between the "sdxc_d13_1_a" pin group definition from
meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a").
This makes it possible to use "sdxc_d13_1_a" in device-tree files to
route the MMC data 1..3 pins to GPIOX_1..3.
Fixes:
0fefcb6876d0d6 ("pinctrl: Add support for Meson8b")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Florian Fainelli [Fri, 15 Feb 2019 20:16:51 +0000 (12:16 -0800)]
net: systemport: Fix reception of BPDUs
[ Upstream commit
a40061ea2e39494104602b3048751341bda374a1 ]
SYSTEMPORT has its RXCHK parser block that attempts to validate the
packet structures, unfortunately setting the L2 header check bit will
cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
Fixes:
4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Anoob Soman [Wed, 13 Feb 2019 05:21:39 +0000 (13:21 +0800)]
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
[ Upstream commit
79edd00dc6a96644d76b4a1cb97d94d49e026768 ]
When a target sends Check Condition, whilst initiator is busy xmiting
re-queued data, could lead to race between iscsi_complete_task() and
iscsi_xmit_task() and eventually crashing with the following kernel
backtrace.
[
3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at
0000000000000078
[
3326150.987549] ALERT: IP: [<
ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[
3326150.987571] WARN: PGD
569c8067 PUD
569c9067 PMD 0
[
3326150.987582] WARN: Oops: 0002 [#1] SMP
[
3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
[
3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
[
3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
[
3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
[
3326150.987799] WARN: task:
ffff8801d50f3800 ti:
ffff8801f5458000 task.ti:
ffff8801f5458000
[
3326150.987810] WARN: RIP: e030:[<
ffffffffa05ce70d>] [<
ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[
3326150.987825] WARN: RSP: e02b:
ffff8801f545bdb0 EFLAGS:
00010246
[
3326150.987831] WARN: RAX:
00000000ffffffc3 RBX:
ffff880282d2ab20 RCX:
ffff88026b6ac480
[
3326150.987842] WARN: RDX:
0000000000000000 RSI:
00000000fffffe01 RDI:
ffff880282d2ab20
[
3326150.987852] WARN: RBP:
ffff8801f545bdc8 R08:
0000000000000000 R09:
0000000000000008
[
3326150.987862] WARN: R10:
0000000000000000 R11:
000000000000fe88 R12:
0000000000000000
[
3326150.987872] WARN: R13:
ffff880282d2abe8 R14:
ffff880282d2abd8 R15:
ffff880282d2ac08
[
3326150.987890] WARN: FS:
00007f5a866b4840(0000) GS:
ffff88028a640000(0000) knlGS:
0000000000000000
[
3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0:
0000000080050033
[
3326150.987907] WARN: CR2:
0000000000000078 CR3:
0000000070244000 CR4:
0000000000042660
[
3326150.987918] WARN: Stack:
[
3326150.987924] WARN:
ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
[
3326150.987938] WARN:
ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
[
3326150.987951] WARN:
ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
[
3326150.987964] WARN: Call Trace:
[
3326150.987975] WARN: [<
ffffffffa05cea90>] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
[
3326150.987988] WARN: [<
ffffffff8108862c>] process_one_work+0x1fc/0x3b0
[
3326150.987997] WARN: [<
ffffffff81088f95>] worker_thread+0x2a5/0x470
[
3326150.988006] WARN: [<
ffffffff8159cad8>] ? __schedule+0x648/0x870
[
3326150.988015] WARN: [<
ffffffff81088cf0>] ? rescuer_thread+0x300/0x300
[
3326150.988023] WARN: [<
ffffffff8108ddf5>] kthread+0xd5/0xe0
[
3326150.988031] WARN: [<
ffffffff8108dd20>] ? kthread_stop+0x110/0x110
[
3326150.988040] WARN: [<
ffffffff815a0bcf>] ret_from_fork+0x3f/0x70
[
3326150.988048] WARN: [<
ffffffff8108dd20>] ? kthread_stop+0x110/0x110
[
3326150.988127] ALERT: RIP [<
ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
[
3326150.988138] WARN: RSP <
ffff8801f545bdb0>
[
3326150.988144] WARN: CR2:
0000000000000078
[
3326151.020366] WARN: ---[ end trace
1c60974d4678d81b ]---
Commit
6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix
list corruption regression") introduced "taskqueuelock" to fix list
corruption during the race, but this wasn't enough.
Re-setting of conn->task to NULL, could race with iscsi_xmit_task().
iscsi_complete_task()
{
....
if (conn->task == task)
conn->task = NULL;
}
conn->task in iscsi_xmit_task() could be NULL and so will be task.
__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access
refcount.
iscsi_xmit_task()
{
struct iscsi_task *task = conn->task;
__iscsi_get_task(task);
}
This commit will take extra conn->session->back_lock in iscsi_xmit_task()
to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race,
iscsi_xmit_task() increments task->refcount
(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().
Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Acked-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
David Howells [Thu, 14 Feb 2019 16:20:15 +0000 (16:20 +0000)]
assoc_array: Fix shortcut creation
[ Upstream commit
bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
Fix the creation of shortcuts for which the length of the index key value
is an exact multiple of the machine word size. The problem is that the
code that blanks off the unused bits of the shortcut value malfunctions if
the number of bits in the last word equals machine word size. This is due
to the "<<" operator being given a shift of zero in this case, and so the
mask that should be all zeros is all ones instead. This causes the
subsequent masking operation to clear everything rather than clearing
nothing.
Ordinarily, the presence of the hash at the beginning of the tree index key
makes the issue very hard to test for, but in this case, it was encountered
due to a development mistake that caused the hash output to be either 0
(keyring) or 1 (non-keyring) only. This made it susceptible to the
keyctl/unlink/valid test in the keyutils package.
The fix is simply to skip the blanking if the shift would be 0. For
example, an index key that is 64 bits long would produce a 0 shift and thus
a 'blank' of all 1s. This would then be inverted and AND'd onto the
index_key, incorrectly clearing the entire last word.
Fixes:
3cb989501c26 ("Add a generic associative array implementation.")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dietmar Eggemann [Mon, 21 Jan 2019 13:42:42 +0000 (14:42 +0100)]
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
[ Upstream commit
1b5ba350784242eb1f899bcffd95d2c7cff61e84 ]
Arm TC2 fails cpu hotplug stress test.
This issue was tracked down to a missing copy of the new affinity
cpumask for the vexpress-spc interrupt into struct
irq_common_data.affinity when the interrupt is migrated in
migrate_one_irq().
Fix it by replacing the arm specific hotplug cpu migration with the
generic irq code.
This is the counterpart implementation to commit
217d453d473c ("arm64:
fix a migrating irq bug when hotplug cpu").
Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
CPU0 is hotplugged out.
Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Gabriel Fernandez [Sun, 17 Feb 2019 05:10:16 +0000 (21:10 -0800)]
Input: st-keyscan - fix potential zalloc NULL dereference
[ Upstream commit
2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
This patch fixes the following static checker warning:
drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
error: potential zalloc NULL dereference: 'keypad_data->input_dev'
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
OSDN Git Service
