OSDN Git Service
Linux Build Service Account [Wed, 26 Dec 2018 10:52:51 +0000 (02:52 -0800)]
Merge "usb: gadget: u_audio: Check return value from config_ep_by_speed()"
Linux Build Service Account [Wed, 26 Dec 2018 10:52:51 +0000 (02:52 -0800)]
Merge "usb: gadget: u_audio: protect stream runtime fields with stream spinlock"
Linux Build Service Account [Wed, 26 Dec 2018 10:52:46 +0000 (02:52 -0800)]
Merge "usb: gadget: u_audio: remove caching of stream buffer parameters"
Linux Build Service Account [Fri, 21 Dec 2018 05:01:35 +0000 (21:01 -0800)]
Merge "msm: ais: Fix for OOB security CR"
Linux Build Service Account [Fri, 21 Dec 2018 05:01:34 +0000 (21:01 -0800)]
Merge "soc: qcom: glink: Initialize local state while fetching ctx"
Linux Build Service Account [Fri, 21 Dec 2018 05:01:33 +0000 (21:01 -0800)]
Merge "Revert "ARM: dts: msm: Enabled dt entry for bmi160 and iam20680""
Hemant Kumar [Wed, 19 Sep 2018 18:34:48 +0000 (11:34 -0700)]
usb: gadget: u_audio: Check return value from config_ep_by_speed()
In case config_ep_by_speed() returns error, endpoint descriptors
would not get populated. This results into NULL pointer dereference
when ep desc is accessed later. Fix this by bailing out set_alt if
config_ep_by_speed() API returns error.
Change-Id: Iaf9a0001973753988ff200edad3ed8587b6a4181
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Vladimir Zapolskiy [Thu, 21 Jun 2018 15:22:52 +0000 (17:22 +0200)]
usb: gadget: u_audio: protect stream runtime fields with stream spinlock
The change protects almost the whole body of u_audio_iso_complete()
function by PCM stream lock, this is mainly sufficient to avoid a race
between USB request completion and stream termination, the change
prevents a possibility of invalid memory access in interrupt context
by memcpy():
Unable to handle kernel paging request at virtual address
00004e80
pgd =
c0004000
[
00004e80] *pgd=
00000000
Internal error: Oops: 817 [#1] PREEMPT SMP ARM
CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G C 3.14.54+ #117
task:
da180b80 ti:
da192000 task.ti:
da192000
PC is at memcpy+0x50/0x330
LR is at 0xcdd92b0e
pc : [<
c029ef30>] lr : [<
cdd92b0e>] psr:
20000193
sp :
da193ce4 ip :
dd86ae26 fp :
0000b180
r10:
daf81680 r9 :
00000000 r8 :
d58a01ea
r7 :
2c0b43e4 r6 :
acdfb08b r5 :
01a271cf r4 :
87389377
r3 :
69469782 r2 :
00000020 r1 :
daf82fe0 r0 :
00004e80
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
Control:
10c5387d Table:
2b70804a DAC:
00000015
Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238)
Also added a check for potential !runtime condition, commonly it is
done by PCM_RUNTIME_CHECK(substream) in the beginning, however this
does not completely prevent from oopses in u_audio_iso_complete(),
because the proper protection scheme must be implemented in PCM
library functions.
An example of *not fixed* oops due to substream->runtime->*
dereference by snd_pcm_running(substream) from
snd_pcm_period_elapsed(), where substream->runtime is gone while
waiting the substream lock:
Unable to handle kernel paging request at virtual address
6b6b6b6b
pgd =
db7e4000
[
6b6b6b6b] *pgd=
00000000
CPU: 0 PID: 193 Comm: klogd Tainted: G C 3.14.54+ #118
task:
db5ac500 ti:
db60c000 task.ti:
db60c000
PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm]
LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm]
pc : [<>] lr : [<>] psr:
60000193
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control:
10c5387d Table:
2b7e404a DAC:
00000015
Process klogd (pid: 193, stack limit = 0xdb60c238)
[<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc)
[<>] (udc_irq) from [<>] (ci_irq+0x280/0x304)
[<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c)
[<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c)
[<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110)
[<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30)
[<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0)
[<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60)
[<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78)
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
[erosca: W/o this patch, with minimal instrumentation [1], I can
consistently reproduce BUG: KASAN: use-after-free [2]]
[1] Instrumentation to reproduce issue [2]:
diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
index
a72295c953bb..
bd0b308024fe 100644
--- a/drivers/usb/gadget/function/u_audio.c
+++ b/drivers/usb/gadget/function/u_audio.c
@@ -16,6 +16,7 @@
#include <sound/core.h>
#include <sound/pcm.h>
#include <sound/pcm_params.h>
+#include <linux/delay.h>
#include "u_audio.h"
@@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
spin_unlock_irqrestore(&prm->lock, flags);
+ udelay(500); //delay here to increase probability of parallel activities
+
/* Pack USB load in ALSA ring buffer */
pending = prm->dma_bytes - hw_ptr;
[2] After applying [1], below BUG occurs on Rcar-H3-Salvator-X board:
==================================================================
BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio]
Read of size 8 at addr
ffff8006cafcc248 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G WC 4.14.47+ #160
Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
Call trace:
[<
ffff2000080925ac>] dump_backtrace+0x0/0x364
[<
ffff200008092924>] show_stack+0x14/0x1c
[<
ffff200008f8dbcc>] dump_stack+0x108/0x174
[<
ffff2000083c71b8>] print_address_description+0x7c/0x32c
[<
ffff2000083c78e8>] kasan_report+0x324/0x354
[<
ffff2000083c6114>] __asan_load8+0x24/0x94
[<
ffff2000021d1b34>] u_audio_iso_complete+0x24c/0x520 [u_audio]
[<
ffff20000152fe50>] usb_gadget_giveback_request+0x480/0x4d0 [udc_core]
[<
ffff200001860ab8>] usbhsg_queue_done+0x100/0x130 [renesas_usbhs]
[<
ffff20000185f814>] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs]
[<
ffff20000185fb38>] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs]
[<
ffff200001859cc8>] usbhs_interrupt+0x440/0x490 [renesas_usbhs]
[<
ffff2000081a0288>] __handle_irq_event_percpu+0x594/0xa58
[<
ffff2000081a07d0>] handle_irq_event_percpu+0x84/0x12c
[<
ffff2000081a0928>] handle_irq_event+0xb0/0x10c
[<
ffff2000081a8384>] handle_fasteoi_irq+0x1e0/0x2ec
[<
ffff20000819e5f8>] generic_handle_irq+0x2c/0x44
[<
ffff20000819f0d0>] __handle_domain_irq+0x190/0x194
[<
ffff20000808177c>] gic_handle_irq+0x80/0xac
Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0)
7c80:
0000000000000000 0000000000000000 0000000000000003 ffff200008179298
7ca0:
ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88
7cc0:
ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b
7ce0:
0000000000000000 0000000000000002 0000000200000001 0000000000000001
7d00:
ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80
7d20:
ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480
7d40:
0000000000000000 000000126bdbea64 ffff200008fd0000 ffff8006fffff980
7d60:
00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0
7d80:
ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498
7da0:
ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0
[<
ffff200008084034>] el1_irq+0xb4/0x12c
[<
ffff200008b6c4f0>] cpuidle_enter_state+0x818/0x844
[<
ffff200008b6c59c>] cpuidle_enter+0x18/0x20
[<
ffff20000815f2e4>] call_cpuidle+0x98/0x9c
[<
ffff20000815f674>] do_idle+0x214/0x264
[<
ffff20000815facc>] cpu_startup_entry+0x20/0x24
[<
ffff200008fb09d8>] rest_init+0x30c/0x320
[<
ffff2000095f1338>] start_kernel+0x570/0x5b0
---<-snip->---
Change-Id: I1cfbc0de5590fefa2ad069b10df4e6cabc932546
Fixes:
132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
56bc61587daadef67712068f251c4ef2e3932d94
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Vladimir Zapolskiy [Thu, 21 Jun 2018 15:22:50 +0000 (17:22 +0200)]
usb: gadget: u_audio: remove cached period bytes value
Substream period size potentially can be changed in runtime, however
this is not accounted in the data copying routine, the change replaces
the cached value with an actual value from substream runtime.
As a side effect the change also removes a potential division by zero
in u_audio_iso_complete() function, if there is a race with
uac_pcm_hw_free(), which sets prm->period_size to 0.
Change-Id: I27a98aa61544ba7cfd64be6bc1c2262fe1116598
Fixes:
132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
773e53d50e227b0c03d0bb434c1636f6c49c75b2
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Vladimir Zapolskiy [Thu, 21 Jun 2018 15:22:49 +0000 (17:22 +0200)]
usb: gadget: u_audio: remove caching of stream buffer parameters
There is no necessity to copy PCM stream ring buffer area and size
properties to UAC private data structure, these values can be got
from substream itself.
The change gives more control on substream and avoid stale caching.
Change-Id: I305a3aab7c80efe153cb3e14d060d883d3637ab3
Fixes:
132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
96afb54ece0ee903d23a7ac04ddc461413b972c4
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Joshua Frkuska [Thu, 21 Jun 2018 15:22:48 +0000 (17:22 +0200)]
usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
In u_audio_iso_complete, the runtime hw_ptr is updated before the
data is actually copied over to/from the buffer/dma area. When
ALSA uses this hw_ptr, the data may not actually be available to
be used. This causes trash/stale audio to play/record. This
patch updates the hw_ptr after the data has been copied to avoid
this.
Change-Id: I94736e4ea899ac781076e9c425dda65eed7cc319
Fixes:
132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Joshua Frkuska <joshua_frkuska@mentor.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
6b37bd78d30c890e575a1bda22978d1d2a233362
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Eugeniu Rosca [Thu, 21 Jun 2018 15:22:47 +0000 (17:22 +0200)]
usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
Fix below smatch (
v0.5.0-4443-g69e9094e11c1) warnings:
drivers/usb/gadget/function/u_audio.c:607 g_audio_setup() warn: strcpy() 'pcm_name' of unknown size might be too large for 'pcm->name'
drivers/usb/gadget/function/u_audio.c:614 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->driver'
drivers/usb/gadget/function/u_audio.c:615 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->shortname'
Below commits performed a similar 's/strcpy/strlcpy/' rework:
* v2.6.31 commit
8372d4980fbc ("ALSA: ctxfi - Fix PCM device naming")
* v4.14 commit
003d3e70dbeb ("ALSA: ad1848: fix format string overflow warning")
* v4.14 commit
6d8b04de87e1 ("ALSA: cs423x: fix format string overflow warning")
Change-Id: I4d98b36feb40530f3758189d4b0d0643569e6be7
Fixes:
eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
dfa042fa310caa475667b8c38d852f14439e0b01
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Bhumika Goyal [Sun, 13 Aug 2017 12:43:11 +0000 (18:13 +0530)]
usb: gadget: make snd_pcm_hardware const
Make this const as it is only used during a copy operation.
Done using Coccinelle.
Change-Id: I3db5b880248aeee8f845148093f7d6768db009e6
Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit:
2ab3c34c9c75331143d67042e826bdcde4d6ab37
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Arvind Yadav [Wed, 9 Aug 2017 07:46:51 +0000 (13:16 +0530)]
usb: gadget: f_uac2: constify snd_pcm_ops structures
snd_pcm_ops are not supposed to change at runtime. All functions
working with snd_pcm_ops provided by <sound/pcm.h> work with
const snd_pcm_ops. So mark the non-const structs as const.
Change-Id: Ia05f088487fd410b1567353512e4c3d457aaf96f
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit:
640c0be81b9c33485559e716d914252228361b1c
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Ruslan Bilovol [Sun, 25 Jun 2017 13:23:46 +0000 (16:23 +0300)]
usb: gadget: f_uac1: endianness fixes.
As per USB spec, multiple-bytes fields are stored
in little-endian order. Use CPU<->LE helpers for
such fields.
Change-Id: Iba552e473a39be4adafd641692d5aca12f7adf06
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
42370b821168e6730ec4c7d988aeadc1260c7b4d
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Ajay Agarwal [Tue, 27 Nov 2018 13:49:29 +0000 (19:19 +0530)]
usb: gadget: add f_uac1 variant based on a new u_audio api
This patch adds a new function 'f_uac1'
(f_uac1 with virtual "ALSA card") that
uses recently created u_audio API. Comparing
to legacy f_uac1 function implementation it
doesn't require any real Audio codec to be
present on the device. In f_uac1 audio
streams are simply sinked to and sourced
from a virtual ALSA sound card created
using u_audio API.
Legacy f_uac1 approach is to write audio
samples directly to existing ALSA sound
card
f_uac1 approach is more generic/flexible
one - create an ALSA sound card that
represents USB Audio function and allows to
be used by userspace application that
may choose to do whatever it wants with the
data received from the USB Host and choose
to provide whatever it wants as audio data
to the USB Host.
f_uac1 also has capture support (gadget->host)
thanks to easy implementation via u_audio.
By default, capture interface has 48000kHz/2ch
configuration, same as playback channel has.
f_uac1 descriptors naming convention
uses f_uac2 driver naming convention that
makes it more common and meaningful.
Comparing to f_uac1_legacy, the f_uac1 doesn't
have volume/mute functionality. This is because
the f_uac1 volume/mute feature unit was dummy
implementation since that driver creation (2009)
and never had any real volume control or mute
functionality, so there is no any difference
here.
Since f_uac1 functionality, exposed
interface to userspace (virtual ALSA card),
input parameters are so different comparing
to f_uac1_legacy, that there is no any
reason to keep them in the same file/module,
and separate function was created.
Change-Id: Ib40c144ef0f35ee7d906ce3489f3e7780f3d5e1b
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
0591bc2360152f851e29246884805bb77a2c3b9d
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Ajay Agarwal [Tue, 27 Nov 2018 13:35:32 +0000 (19:05 +0530)]
usb: gadget: function: make current f_uac1 implementation legacy
Before introducing new f_uac1 function (with virtual
ALSA card) make current implementation legacy.
This includes renaming of existing files, some
variables, config options and documentation
Change-Id: Ie3a826f356cc6571ce5967cd0bf8263b630b7249
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
d355339eecd986648420e05f8c958fbc78dbb382
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Ajay Agarwal [Tue, 27 Nov 2018 13:22:44 +0000 (18:52 +0530)]
usb: gadget: split out audio core
Abstract the peripheral side ALSA sound card code into a
component that can be called by various functions, so the
various flavors can be split apart and selectively reused.
Visible changes:
- add uac_params structure to pass audio paramteres for
g_audio_setup
- make ALSA sound card's name configurable
- add [in/out]_ep_maxpsize
- allocate snd_uac_chip structure during g_audio_setup
- add u_audio_[start/stop]_[capture/playback] functions
This change differs from opensource patch in that it does not
modify the UAC2 driver to use u_audio helper file for ALSA
sound card support.
Change-Id: Ia67ec02ed442a67bc359efc2655aa9ba49b79368
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
eb9fecb9e69b0be8c267c55b0bb52a08e8fb6bee
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Ruslan Bilovol [Sat, 17 Jun 2017 21:23:58 +0000 (00:23 +0300)]
usb: gadget: function: f_uac1: implement get_alt()
After commit
7e4da3fcf7c9 ("usb: gadget: composite:
Test get_alt() presence instead of set_alt()") f_uac1
function became broken because it doesn't have
get_alt() callback implementation and composite
framework never set altsetting 1 for audiostreaming
interface. On host site it looks like:
[424339.017711] 21:1:1: usb_set_interface failed (-32)
Since host can't set altsetting 1, it can't start
playing audio.
In order to fix it implemented get_alt along with
minor improvements (error conditions checking)
similar to what existing f_uac2 has.
Change-Id: I0a8371ed74a1b27cbba2261e5dab28c8d4af44b2
Cc: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Git-commit:
1fc4926d92b9515b44f35b339bab5d2ca474a723
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Linux Build Service Account [Thu, 20 Dec 2018 14:51:25 +0000 (06:51 -0800)]
Merge "clk: msm: mmss: Add dev_pm_ops for MMSS PLL for 8996"
Dhoat Harpal [Wed, 17 Jan 2018 18:59:20 +0000 (00:29 +0530)]
soc: qcom: glink: Initialize local state while fetching ctx
Initialization of channel's local state is not done at the time of
fetching context from list of channels. This leads to race condition
if remote close happens during this time. Remote close will check if
local state is not open then delete channel from list. This leads to
use after free scenerio.
Initialize local state at the time of fetching channel context from
list of channels.
CRs-Fixed:
2155992
Change-Id: If113daba129191bd67ef2460eb4e87c2d5614403
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Puneet Yatnal [Thu, 20 Dec 2018 05:05:06 +0000 (10:35 +0530)]
Revert "ARM: dts: msm: Enabled dt entry for bmi160 and iam20680"
BMI160 and IAM20680 sensor driver was used in automotive platform for
dead reckoning solution, reverting the change since QDR no longer
required.
This reverts commit
b7d92272196b67b22a2aeda2080efe268e3609ab.
Change-Id: Id5e41b0fa7f0a145c40e01d1cc9a3869f4688b9a
Signed-off-by: Puneet Yatnal <puneet@codeaurora.org>
Linux Build Service Account [Thu, 20 Dec 2018 07:29:14 +0000 (23:29 -0800)]
Merge "perf: Cancel the mux hrtimer during CPU hotplug to avoid migration"
Linux Build Service Account [Thu, 20 Dec 2018 07:29:13 +0000 (23:29 -0800)]
Merge "msm: adsprpc: Maintain the same structures in kernel and user-space"
Taniya Das [Fri, 13 Jul 2018 06:21:02 +0000 (11:51 +0530)]
clk: msm: mmss: Add dev_pm_ops for MMSS PLL for 8996
Support early resume and late suspend for MMPLLs
to support hibernation. Without this change, the mmplls
were not getting restored to a sane state on the
hibernate resume.
Change-Id: I7edb7219149d2e96a9487cdaf19a0bc4b9ec709f
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Signed-off-by: Siddhartha Agrawal <agrawals@codeaurora.org>
Linux Build Service Account [Wed, 19 Dec 2018 23:20:24 +0000 (15:20 -0800)]
Merge "ASoC: msm: Group mi2s driver support for msm8996"
Cong Tang [Tue, 27 Nov 2018 09:20:39 +0000 (17:20 +0800)]
ASoC: msm: Group mi2s driver support for msm8996
Support group mi2s driver for sec/tert/quat mi2s interface in
msm8996.
Change-Id: I656612ca104c80770e316bc4d541d2ae56164e61
Signed-off-by: Cong Tang <congt@codeaurora.org>
Linux Build Service Account [Wed, 19 Dec 2018 00:11:27 +0000 (16:11 -0800)]
Merge "Merge android-4.4.167 (
ad9ce19) into msm-4.4"
Linux Build Service Account [Tue, 18 Dec 2018 17:07:03 +0000 (09:07 -0800)]
Merge "ARM: dts: msm: Update mi2s group port id for msm8996"
Linux Build Service Account [Tue, 18 Dec 2018 17:07:02 +0000 (09:07 -0800)]
Merge "ARM: dts: msm: Add dt node for earlydomain"
E V Ravi [Tue, 18 Dec 2018 09:11:59 +0000 (14:41 +0530)]
msm: ais: Fix for OOB security CR
If the user passes the arbitrary command with _IOC_DIR(cmd) == _IOC_NONE,
"arg" should point to any arbitrary address.
Check for invalid command and return error.
CRs-Fixed:
2299567
Change-Id: Ibd77adfe53ef0777ff4eb96c914e21f43dfd6749
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Linux Build Service Account [Tue, 18 Dec 2018 10:51:50 +0000 (02:51 -0800)]
Merge "drm: msm: sde: reorder call sequence in splash release thread"
Linux Build Service Account [Tue, 18 Dec 2018 10:51:49 +0000 (02:51 -0800)]
Merge "Revert "ARM: dts: msm: Disable runtime PM in host mode for automotive""
Linux Build Service Account [Tue, 18 Dec 2018 10:51:46 +0000 (02:51 -0800)]
Merge "drm: msm: sde: Update splash handoff with new APIs"
Vivek Kumar [Mon, 10 Dec 2018 12:49:17 +0000 (18:19 +0530)]
ARM: dts: msm: Add dt node for earlydomain
Add DT node for early domain driver for msm8996 cdp
boards and remove reserved memory node for lk_pool
as it will be populated by bootloader if early domain
is enabled.
Change-Id: Iedcb4b47544a2355e98429a786d246351fdca75e
Signed-off-by: Vivek Kumar <vivekuma@codeaurora.org>
Tharun Kumar Merugu [Mon, 17 Dec 2018 08:32:07 +0000 (14:02 +0530)]
msm: adsprpc: Maintain the same structures in kernel and user-space
Mismatch in structures in user-space and kernel is leading to
unknown ioctl code and leading to failure in FASTRPC_IOCTL_CONTROL call.
Change-Id: I38537f128dc9a2815c1a98ec4ee59b2265c9159c
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Ajay Agarwal [Wed, 12 Dec 2018 09:15:48 +0000 (14:45 +0530)]
Revert "ARM: dts: msm: Disable runtime PM in host mode for automotive"
'Commit
f09d23c34f2f ("ARM: dts: msm: Disable runtime PM in host
mode for automotive")' was disabling runtime PM in host mode for
automotive targets. This lead to leakage being observed on 1.8V
regulator for the USB2 PHY in target RBSC state. Revert this to
avoid the leakage.
Change-Id: Ia5da723764c289612d74287af8cf87f22e852abb
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Cong Tang [Mon, 17 Dec 2018 06:16:49 +0000 (14:16 +0800)]
ARM: dts: msm: Update mi2s group port id for msm8996
Revise group afe port id for secondary and tertiary due to adsp
firmware definition change.
Change-Id: I829437bc7ac7ff5159a86f667b7a5b58f36e0c66
Signed-off-by: Cong Tang <congt@codeaurora.org>
Linux Build Service Account [Sat, 15 Dec 2018 01:11:11 +0000 (17:11 -0800)]
Merge "ASoC: sdm660: Update VI sense sample rate to 8k" into msm-4.4
Linux Build Service Account [Sat, 15 Dec 2018 01:35:59 +0000 (17:35 -0800)]
Merge "ASoC: msm_sdw: Update VI sense sample rate to 8k"
Soumya Managoli [Fri, 14 Dec 2018 07:07:44 +0000 (12:37 +0530)]
ASoC: sdm660: Update VI sense sample rate to 8k
SR was changed from 8kHz to 48kHz due to capturing
of garbled VI sense data as per HW team suggestion.
With new speaker protection algo in dsp, 8kHz is
expected and earlier issue with 8kHz is not seen.
Reverting the SR change back to 8kHz.
CRs-Fixed:
2364486
Change-Id: I379a080eb17e7a82fe87608f89dcbfa5444e8916
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Laxminath Kasam [Thu, 6 Dec 2018 07:24:57 +0000 (12:54 +0530)]
ASoC: msm_sdw: Update VI sense sample rate to 8k
SR was changed from 8kHz to 48kHz due to capturing
of garbled VI sense data as per HW team suggestion.
With new speaker protection algo in dsp, 8kHz is
expected and earlier issue with 8kHz is not seen.
Reverting the SR change back to 8kHz.
CRs-Fixed:
2364486
Change-Id: I29947f87f182fc1de7a7002fcee0899b0f622103
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Srinivasarao P [Fri, 14 Dec 2018 07:16:29 +0000 (12:46 +0530)]
Merge android-4.4.167 (
ad9ce19) into msm-4.4
* refs/heads/tmp-
ad9ce19
Linux 4.4.167
mac80211: ignore NullFunc frames in the duplicate detection
mac80211: fix reordering of buffered broadcast packets
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
mac80211: Clear beacon_int in ieee80211_do_stop
mac80211_hwsim: Timer should be initialized before device registered
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
tty: serial: 8250_mtk: always resume the device in probe.
cifs: Fix separator when building path from dentry
Staging: lustre: remove two build warnings
xhci: Prevent U1/U2 link pm states if exit latency is too long
SUNRPC: Fix leak of krb5p encode pages
virtio/s390: fix race in ccw_io_helper()
virtio/s390: avoid race on vcdev->config
ALSA: pcm: Fix interval evaluation with openmin/max
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
ALSA: pcm: Fix starvation on down_write_nonblock()
ALSA: hda: Add support for AMD Stoney Ridge
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
USB: check usb_get_extra_descriptor for proper size
usb: appledisplay: Add 27" Apple Cinema Display
usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
net: amd: add missing of_node_put()
iommu/vt-d: Use memunmap to free memremap
net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
net/mlx4: Fix UBSAN warning of signed integer overflow
net/mlx4_core: Fix uninitialized variable compilation warning
net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
qed: Fix reading wrong value in loop condition
qed: Fix PTT leak in qed_drain()
bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
batman-adv: Expand merged fragment buffer for full packet
can: rcar_can: Fix erroneous registration
iommu/ipmmu-vmsa: Fix crash on early domain free
iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
usb: gadget: dummy: fix nonsensical comparisons
mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT)
mm: cleancache: fix corruption on missed inode invalidation
arc: [devboards] Add support of NFSv3 ACL
ARC: change defconfig defaults to ARCv2
Btrfs: fix use-after-free when dumping free space
btrfs: Always try all copies when reading extent buffers
Input: elan_i2c - add support for ELAN0621 touchpad
Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
Input: elan_i2c - add ELAN0620 to the ACPI table
Input: matrix_keypad - check for errors from of_get_named_gpio()
Input: xpad - quirk all PDP Xbox One gamepads
leds: leds-gpio: Fix return value check in create_gpio_led()
leds: turn off the LED and wait for completion on unregistering LED class device
leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
kgdboc: Fix warning with module build
kgdboc: Fix restrict error
scsi: csiostor: Avoid content leaks and casts
ALSA: trident: Suppress gcc string warning
scsi: scsi_devinfo: cleanly zero-pad devinfo strings
drm/ast: Fix incorrect free on ioregs
mips: fix mips_get_syscall_arg o32 check
MIPS: ralink: Fix mt7620 nd_sd pinmux
uprobes: Fix handle_swbp() vs. unregister() + register() race once more
iser: set sector for ambiguous mr status errors
kdb: use memmove instead of overlapping memcpy
staging: rts5208: fix gcc-8 logic error warning
scsi: bfa: convert to strlcpy/strlcat
drm: gma500: fix logic error
ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
kernfs: Replace strncpy with memcpy
unifdef: use memcpy instead of strncpy
kobject: Replace strncpy with memcpy
disable stringop truncation warnings for now
exec: avoid gcc-8 warning for get_task_comm
Kbuild: suppress packed-not-aligned warning for default setting only
misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
USB: usb-storage: Add new IDs to ums-realtek
btrfs: release metadata before running delayed refs
dmaengine: at_hdmac: fix module unloading
dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
ext2: fix potential use after free
ALSA: sparc: Fix invalid snd_free_pages() at error path
ALSA: control: Fix race between adding and removing a user element
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
ALSA: wss: Fix invalid snd_free_pages() at error path
Btrfs: ensure path name is null terminated at btrfs_control_ioctl
xtensa: fix coprocessor context offset definitions
xtensa: enable coprocessors that are being flushed
kvm: mmu: Fix race in emulated page table writes
usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
s390/qeth: fix length check in SNMP processing
rapidio/rionet: do not free skb before reading its length
Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()"
media: em28xx: Fix use-after-free when disconnecting
ANDROID: cuttlefish_defconfig: Enable VIRT_WIFI
FROMGIT, BACKPORT: mac80211-next: rtnetlink wifi simulation device
ANDROID: Move from clang r328903 to r346389b.
UPSTREAM: binder: fix race that allows malicious free of live buffer
Change-Id: If4e5a3a45f6f0b7de31f203c09fce5bae1466e49
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Linux Build Service Account [Fri, 14 Dec 2018 03:17:34 +0000 (19:17 -0800)]
Merge "msm: adsprpc: allocate all remote memory in kernel"
Linux Build Service Account [Thu, 13 Dec 2018 21:04:00 +0000 (13:04 -0800)]
Merge "memshare: Conditional free the clients allotted memory"
Linux Build Service Account [Thu, 13 Dec 2018 21:03:59 +0000 (13:03 -0800)]
Merge "msm: ais: Update early camera with new apis"
Linux Build Service Account [Thu, 13 Dec 2018 21:03:58 +0000 (13:03 -0800)]
Merge "ARM: dts: msm: Add Tert Mi2s Group node for msm8996"
Linux Build Service Account [Thu, 13 Dec 2018 21:03:57 +0000 (13:03 -0800)]
Merge "msm: ASoC: enable aptX HD decoder"
Linux Build Service Account [Thu, 13 Dec 2018 13:14:14 +0000 (05:14 -0800)]
Merge "drm: msm: sde: update blob property after splash is done"
Linux Build Service Account [Thu, 13 Dec 2018 13:14:13 +0000 (05:14 -0800)]
Merge "drm/msm/sde: Reserve one more layer for early DRM"
Manoj Prabhu B [Thu, 6 Dec 2018 08:55:01 +0000 (14:25 +0530)]
memshare: Conditional free the clients allotted memory
The patch adds an additional check to not free the clients memory
if the client has a designated property of allocate-on-request.
Change-Id: Iecf5886034ccd052ab82fff18cc66f1868604284
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Greg Kroah-Hartman [Thu, 13 Dec 2018 08:42:11 +0000 (09:42 +0100)]
Merge 4.4.167 into android-4.4
Changes in 4.4.167
media: em28xx: Fix use-after-free when disconnecting
Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()"
rapidio/rionet: do not free skb before reading its length
s390/qeth: fix length check in SNMP processing
usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
kvm: mmu: Fix race in emulated page table writes
xtensa: enable coprocessors that are being flushed
xtensa: fix coprocessor context offset definitions
Btrfs: ensure path name is null terminated at btrfs_control_ioctl
ALSA: wss: Fix invalid snd_free_pages() at error path
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
ALSA: control: Fix race between adding and removing a user element
ALSA: sparc: Fix invalid snd_free_pages() at error path
ext2: fix potential use after free
dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
dmaengine: at_hdmac: fix module unloading
btrfs: release metadata before running delayed refs
USB: usb-storage: Add new IDs to ums-realtek
usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
Kbuild: suppress packed-not-aligned warning for default setting only
exec: avoid gcc-8 warning for get_task_comm
disable stringop truncation warnings for now
kobject: Replace strncpy with memcpy
unifdef: use memcpy instead of strncpy
kernfs: Replace strncpy with memcpy
ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
drm: gma500: fix logic error
scsi: bfa: convert to strlcpy/strlcat
staging: rts5208: fix gcc-8 logic error warning
kdb: use memmove instead of overlapping memcpy
iser: set sector for ambiguous mr status errors
uprobes: Fix handle_swbp() vs. unregister() + register() race once more
MIPS: ralink: Fix mt7620 nd_sd pinmux
mips: fix mips_get_syscall_arg o32 check
drm/ast: Fix incorrect free on ioregs
scsi: scsi_devinfo: cleanly zero-pad devinfo strings
ALSA: trident: Suppress gcc string warning
scsi: csiostor: Avoid content leaks and casts
kgdboc: Fix restrict error
kgdboc: Fix warning with module build
leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
leds: turn off the LED and wait for completion on unregistering LED class device
leds: leds-gpio: Fix return value check in create_gpio_led()
Input: xpad - quirk all PDP Xbox One gamepads
Input: matrix_keypad - check for errors from of_get_named_gpio()
Input: elan_i2c - add ELAN0620 to the ACPI table
Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
Input: elan_i2c - add support for ELAN0621 touchpad
btrfs: Always try all copies when reading extent buffers
Btrfs: fix use-after-free when dumping free space
ARC: change defconfig defaults to ARCv2
arc: [devboards] Add support of NFSv3 ACL
mm: cleancache: fix corruption on missed inode invalidation
mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT)
usb: gadget: dummy: fix nonsensical comparisons
iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
iommu/ipmmu-vmsa: Fix crash on early domain free
can: rcar_can: Fix erroneous registration
batman-adv: Expand merged fragment buffer for full packet
bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
qed: Fix PTT leak in qed_drain()
qed: Fix reading wrong value in loop condition
net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
net/mlx4_core: Fix uninitialized variable compilation warning
net/mlx4: Fix UBSAN warning of signed integer overflow
net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
iommu/vt-d: Use memunmap to free memremap
net: amd: add missing of_node_put()
usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
usb: appledisplay: Add 27" Apple Cinema Display
USB: check usb_get_extra_descriptor for proper size
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
ALSA: hda: Add support for AMD Stoney Ridge
ALSA: pcm: Fix starvation on down_write_nonblock()
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
ALSA: pcm: Fix interval evaluation with openmin/max
virtio/s390: avoid race on vcdev->config
virtio/s390: fix race in ccw_io_helper()
SUNRPC: Fix leak of krb5p encode pages
xhci: Prevent U1/U2 link pm states if exit latency is too long
Staging: lustre: remove two build warnings
cifs: Fix separator when building path from dentry
tty: serial: 8250_mtk: always resume the device in probe.
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
mac80211_hwsim: Timer should be initialized before device registered
mac80211: Clear beacon_int in ieee80211_do_stop
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
mac80211: fix reordering of buffered broadcast packets
mac80211: ignore NullFunc frames in the duplicate detection
Linux 4.4.167
Change-Id: Ib893e2bb7e739960eed0710447033f7ab65dab4f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Thu, 13 Dec 2018 08:21:37 +0000 (09:21 +0100)]
Linux 4.4.167
Emmanuel Grumbach [Mon, 3 Dec 2018 19:16:07 +0000 (21:16 +0200)]
mac80211: ignore NullFunc frames in the duplicate detection
commit
990d71846a0b7281bd933c34d734e6afc7408e7e upstream.
NullFunc packets should never be duplicate just like
QoS-NullFunc packets.
We saw a client that enters / exits power save with
NullFunc frames (and not with QoS-NullFunc) despite the
fact that the association supports HT.
This specific client also re-uses a non-zero sequence number
for different NullFunc frames.
At some point, the client had to send a retransmission of
the NullFunc frame and we dropped it, leading to a
misalignment in the power save state.
Fix this by never consider a NullFunc frame as duplicate,
just like we do for QoS NullFunc frames.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
CC: <stable@vger.kernel.org>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felix Fietkau [Wed, 28 Nov 2018 21:39:16 +0000 (22:39 +0100)]
mac80211: fix reordering of buffered broadcast packets
commit
9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.
If the buffered broadcast queue contains packets, letting new packets bypass
that queue can lead to heavy reordering, since the driver is probably throttling
transmission of buffered multicast packets after beacons.
Keep buffering packets until the buffer has been cleared (and no client
is in powersave mode).
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felix Fietkau [Tue, 13 Nov 2018 19:32:13 +0000 (20:32 +0100)]
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
commit
a317e65face482371de30246b6494feb093ff7f9 upstream.
Make it behave like regular ieee80211_tx_status calls, except for the lack of
filtered frame processing.
This fixes spurious low-ack triggered disconnections with powersave clients
connected to an AP.
Fixes:
f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Greear [Tue, 23 Oct 2018 20:36:52 +0000 (13:36 -0700)]
mac80211: Clear beacon_int in ieee80211_do_stop
commit
5c21e8100dfd57c806e833ae905e26efbb87840f upstream.
This fixes stale beacon-int values that would keep a netdev
from going up.
To reproduce:
Create two VAP on one radio.
vap1 has beacon-int 100, start it.
vap2 has beacon-int 240, start it (and it will fail
because beacon-int mismatch).
reconfigure vap2 to have beacon-int 100 and start it.
It will fail because the stale beacon-int 240 will be used
in the ifup path and hostapd never gets a chance to set the
new beacon interval.
Cc: stable@vger.kernel.org
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vasyl Vavrychuk [Wed, 17 Oct 2018 22:02:12 +0000 (01:02 +0300)]
mac80211_hwsim: Timer should be initialized before device registered
commit
a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
Otherwise if network manager starts configuring Wi-Fi interface
immidiatelly after getting notification of its creation, we will get
NULL pointer dereference:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
ffffffff95ae94c8>] hrtimer_active+0x28/0x50
...
Call Trace:
[<
ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
[<
ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
[<
ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
Cc: stable@vger.kernel.org
Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Macpaul Lin [Wed, 17 Oct 2018 15:08:38 +0000 (23:08 +0800)]
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
commit
dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."
[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&]Read of size 1 at addr
ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][<
ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][<
ffffff9008096de0>] show_stack+0x20/0x30
[26364:syz-executor0][<
ffffff90089cc9c8>] dump_stack+Oxd8/0x128
[26364:syz-executor0][<
ffffff90084edb38>] print_address_description +0x80/0x4a8
[26364:syz-executor0][<
ffffff90084ee270>] kasan_report+Ox178/0x390
[26364:syz-executor0][<
ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][<
ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][<
ffffff900813af64>] param_attr_store+Ox14c/0x270
[26364:syz-executor0][<
ffffff90081394c8>] module_attr_store+0x60/0x90
[26364:syz-executor0][<
ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][<
ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][<
ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][<
ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][<
ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][<
ffffff900850ba64>] SyS_writev+Oxcc/0x208
[26364:syz-executor0][<
ffffff90080883f0>] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0]
ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]
ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]>
ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&] ^
[26364:syz-executor0]
ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0]
ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------
After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.
Signed-off-by: Macpaul Lin <macpaul@gmail.com>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Shih [Tue, 27 Nov 2018 04:49:50 +0000 (12:49 +0800)]
tty: serial: 8250_mtk: always resume the device in probe.
commit
100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
serial8250_register_8250_port calls uart_config_port, which calls
config_port on the port before it tries to power on the port. So we need
the port to be on before calling serial8250_register_8250_port. Change
the code to always do a runtime resume in probe before registering port,
and always do a runtime suspend in remove.
This basically reverts the change in commit
68e5fc4a255a ("tty: serial:
8250_mtk: use pm_runtime callbacks for enabling"), but still use
pm_runtime callbacks.
Fixes:
68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
Signed-off-by: Peter Shih <pihsun@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paulo Alcantara [Thu, 15 Nov 2018 14:20:52 +0000 (15:20 +0100)]
cifs: Fix separator when building path from dentry
commit
c988de29ca161823db6a7125e803d597ef75b49c upstream.
Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
prefixpath too. Fixes a bug with smb1 UNIX extensions.
Fixes:
a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
Signed-off-by: Paulo Alcantara <palcantara@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Tue, 11 Dec 2018 12:50:37 +0000 (13:50 +0100)]
Staging: lustre: remove two build warnings
[for older kernels only, lustre has been removed from upstream]
When someone writes:
strncpy(dest, source, sizeof(source));
they really are just doing the same thing as:
strcpy(dest, source);
but somehow they feel better because they are now using the "safe"
version of the string functions. Cargo-cult programming at its
finest...
gcc-8 rightfully warns you about doing foolish things like this. Now
that the stable kernels are all starting to be built using gcc-8, let's
get rid of this warning so that we do not have to gaze at this horror.
To dropt the warning, just convert the code to using strcpy() so that if
someone really wants to audit this code and find all of the obvious
problems, it will be easier to do so.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Nyman [Wed, 5 Dec 2018 12:22:39 +0000 (14:22 +0200)]
xhci: Prevent U1/U2 link pm states if exit latency is too long
commit
0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b upstream.
Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
reaches the service interval for a periodic endpoint.
This is according to xhci 1.1 specification section 4.23.5.2 extra note:
"Software shall ensure that a device is prevented from entering a U-state
where its worst case exit latency approaches the ESIT."
Allowing too long exit latencies for periodic endpoint confuses xHC
internal scheduling, and new devices may fail to enumerate with a
"Not enough bandwidth for new device state" error from the host.
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chuck Lever [Fri, 30 Nov 2018 20:39:57 +0000 (15:39 -0500)]
SUNRPC: Fix leak of krb5p encode pages
commit
8dae5398ab1ac107b1517e8195ed043d5f422bd0 upstream.
call_encode can be invoked more than once per RPC call. Ensure that
each call to gss_wrap_req_priv does not overwrite pointers to
previously allocated memory.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Halil Pasic [Wed, 26 Sep 2018 16:48:30 +0000 (18:48 +0200)]
virtio/s390: fix race in ccw_io_helper()
commit
78b1a52e05c9db11d293342e8d6d8a230a04b4e7 upstream.
While ccw_io_helper() seems like intended to be exclusive in a sense that
it is supposed to facilitate I/O for at most one thread at any given
time, there is actually nothing ensuring that threads won't pile up at
vcdev->wait_q. If they do, all threads get woken up and see the status
that belongs to some other request than their own. This can lead to bugs.
For an example see:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/
1788432
This race normally does not cause any problems. The operations provided
by struct virtio_config_ops are usually invoked in a well defined
sequence, normally don't fail, and are normally used quite infrequent
too.
Yet, if some of the these operations are directly triggered via sysfs
attributes, like in the case described by the referenced bug, userspace
is given an opportunity to force races by increasing the frequency of the
given operations.
Let us fix the problem by ensuring, that for each device, we finish
processing the previous request before starting with a new one.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reported-by: Colin Ian King <colin.king@canonical.com>
Cc: stable@vger.kernel.org
Message-Id: <
20180925121309.58524-3-pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Halil Pasic [Wed, 26 Sep 2018 16:48:29 +0000 (18:48 +0200)]
virtio/s390: avoid race on vcdev->config
commit
2448a299ec416a80f699940a86f4a6d9a4f643b1 upstream.
Currently we have a race on vcdev->config in virtio_ccw_get_config() and
in virtio_ccw_set_config().
This normally does not cause problems, as these are usually infrequent
operations. However, for some devices writing to/reading from the config
space can be triggered through sysfs attributes. For these, userspace can
force the race by increasing the frequency.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Cc: stable@vger.kernel.org
Message-Id: <
20180925121309.58524-2-pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Thu, 29 Nov 2018 11:05:19 +0000 (12:05 +0100)]
ALSA: pcm: Fix interval evaluation with openmin/max
commit
5363857b916c1f48027e9b96ee8be8376bf20811 upstream.
As addressed in alsa-lib (commit
b420056604f0), we need to fix the
case where the evaluation of PCM interval "(x x+1]" leading to
-EINVAL. After applying rules, such an interval may be translated as
"(x x+1)".
Fixes:
ff2d6acdf6f1 ("ALSA: pcm: Fix snd_interval_refine first/last with open min/max")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Thu, 29 Nov 2018 07:02:49 +0000 (08:02 +0100)]
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
commit
b51abed8355e5556886623b2772fa6b7598d2282 upstream.
Currently the PCM core calls snd_pcm_unlink() always unconditionally
at closing a stream. However, since snd_pcm_unlink() invokes the
global rwsem down, the lock can be easily contended. More badly, when
a thread runs in a high priority RT-FIFO, it may stall at spinning.
Basically the call of snd_pcm_unlink() is required only for the linked
streams that are already rare occasion. For normal use cases, this
code path is fairly superfluous.
As an optimization (and also as a workaround for the RT problem
above in normal situations without linked streams), this patch adds a
check before calling snd_pcm_unlink() and calls it only when needed.
Reported-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chanho Min [Mon, 26 Nov 2018 05:36:37 +0000 (14:36 +0900)]
ALSA: pcm: Fix starvation on down_write_nonblock()
commit
b888a5f713e4d17faaaff24316585a4eb07f35b7 upstream.
Commit
67ec1072b053 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM
stream") fixes deadlock for non-atomic PCM stream. But, This patch
causes antother stuck.
If writer is RT thread and reader is a normal thread, the reader
thread will be difficult to get scheduled. It may not give chance to
release readlocks and writer gets stuck for a long time if they are
pinned to single cpu.
The deadlock described in the previous commit is because the linux
rwsem queues like a FIFO. So, we might need non-FIFO writelock, not
non-block one.
My suggestion is that the writer gives reader a chance to be scheduled
by using the minimum msleep() instaed of spinning without blocking by
writer. Also, The *_nonblock may be changed to *_nonfifo appropriately
to this concept.
In terms of performance, when trylock is failed, this minimum periodic
msleep will have the same performance as the tick-based
schedule()/wake_up_q().
[ Although this has a fairly high performance penalty, the relevant
code path became already rare due to the previous commit ("ALSA:
pcm: Call snd_pcm_unlink() conditionally at closing"). That is, now
this unconditional msleep appears only when using linked streams,
and this must be a rare case. So we accept this as a quick
workaround until finding a more suitable one -- tiwai ]
Fixes:
67ec1072b053 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream")
Suggested-by: Wonmin Jung <wonmin.jung@lge.com>
Signed-off-by: Chanho Min <chanho.min@lge.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kai-Heng Feng [Thu, 29 Nov 2018 08:57:37 +0000 (08:57 +0000)]
ALSA: hda: Add support for AMD Stoney Ridge
commit
3deef52ce10514ccdebba8e8ab85f9cebd0eb3f7 upstream.
It's similar to other AMD audio devices, it also supports D3, which can
save some power drain.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hui Peng [Mon, 3 Dec 2018 15:09:34 +0000 (16:09 +0100)]
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
commit
5f8cf712582617d523120df67d392059eaf2fc4b upstream.
If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.
[ The original problem was introduced in 3.1 kernel, while it was
developed in a different form. The Fixes tag below indicates the
original commit but it doesn't mean that the patch is applicable
cleanly. -- tiwai ]
Fixes:
362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Payer [Wed, 5 Dec 2018 20:19:59 +0000 (21:19 +0100)]
USB: check usb_get_extra_descriptor for proper size
commit
704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexander Theissen [Tue, 4 Dec 2018 22:43:35 +0000 (23:43 +0100)]
usb: appledisplay: Add 27" Apple Cinema Display
commit
d7859905301880ad3e16272399d26900af3ac496 upstream.
Add another Apple Cinema Display to the list of supported displays.
Signed-off-by: Alexander Theissen <alex.theissen@me.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Harry Pan [Wed, 28 Nov 2018 16:40:41 +0000 (00:40 +0800)]
usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
commit
2f2dde6ba89b1ef1fe23c1138131b315d9aa4019 upstream.
Some lower volume SanDisk Ultra Flair in 16GB, which the VID:PID is
in 0781:5591, will aggressively request LPM of U1/U2 during runtime,
when using this thumb drive as the OS installation key we found the
device will generate failure during U1 exit path making it dropped
from the USB bus, this causes a corrupted installation in system at
the end.
i.e.,
[ 166.918296] hub 2-0:1.0: state 7 ports 7 chg 0000 evt 0004
[ 166.918327] usb usb2-port2: link state change
[ 166.918337] usb usb2-port2: do warm reset
[ 166.970039] usb usb2-port2: not warm reset yet, waiting 50ms
[ 167.022040] usb usb2-port2: not warm reset yet, waiting 200ms
[ 167.276043] usb usb2-port2: status 02c0, change 0041, 5.0 Gb/s
[ 167.276050] usb 2-2: USB disconnect, device number 2
[ 167.276058] usb 2-2: unregistering device
[ 167.276060] usb 2-2: unregistering interface 2-2:1.0
[ 167.276170] xhci_hcd 0000:00:15.0: shutdown urb
ffffa3c7cc695cc0 ep1in-bulk
[ 167.284055] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
[ 167.284064] sd 0:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 33 04 90 00 01 00 00
...
Analyzed the USB trace in the link layer we realized it is because
of the 6-ms timer of tRecoveryConfigurationTimeout which documented
on the USB 3.2 Revision 1.0, the section 7.5.10.4.2 of "Exit from
Recovery.Configuration"; device initiates U1 exit -> Recovery.Active
-> Recovery.Configuration, then the host timer timeout makes the link
transits to eSS.Inactive -> Rx.Detect follows by a Warm Reset.
Interestingly, the other higher volume of SanDisk Ultra Flair sharing
the same VID:PID, such as 64GB, would not request LPM during runtime,
it sticks at U0 always, thus disabling LPM does not affect those thumb
drives at all.
The same odd occures in SanDisk Ultra Fit 16GB, VID:PID in 0781:5583.
Signed-off-by: Harry Pan <harry.pan@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yangtao Li [Thu, 22 Nov 2018 12:34:41 +0000 (07:34 -0500)]
net: amd: add missing of_node_put()
[ Upstream commit
c44c749d3b6fdfca39002e7e48e03fe9f9fe37a3 ]
of_find_node_by_path() acquires a reference to the node
returned by it and that reference needs to be dropped by its caller.
This place doesn't do that, so fix it.
Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Pan Bian [Wed, 21 Nov 2018 09:53:47 +0000 (17:53 +0800)]
iommu/vt-d: Use memunmap to free memremap
[ Upstream commit
829383e183728dec7ed9150b949cd6de64127809 ]
memunmap() should be used to free the return of memremap(), not
iounmap().
Fixes:
dfddb969edf0 ('iommu/vt-d: Switch from ioremap_cache to memremap')
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Vincent Chen [Wed, 21 Nov 2018 01:38:11 +0000 (09:38 +0800)]
net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
[ Upstream commit
426a593e641ebf0d9288f0a2fcab644a86820220 ]
In the original ftmac100_interrupt(), the interrupts are only disabled when
the condition "netif_running(netdev)" is true. However, this condition
causes kerenl hang in the following case. When the user requests to
disable the network device, kernel will clear the bit __LINK_STATE_START
from the dev->state and then call the driver's ndo_stop function. Network
device interrupts are not blocked during this process. If an interrupt
occurs between clearing __LINK_STATE_START and stopping network device,
kernel cannot disable the interrupts due to the condition
"netif_running(netdev)" in the ISR. Hence, kernel will hang due to the
continuous interruption of the network device.
In order to solve the above problem, the interrupts of the network device
should always be disabled in the ISR without being restricted by the
condition "netif_running(netdev)".
[V2]
Remove unnecessary curly braces.
Signed-off-by: Vincent Chen <vincentc@andestech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Aya Levin [Thu, 15 Nov 2018 16:05:15 +0000 (18:05 +0200)]
net/mlx4: Fix UBSAN warning of signed integer overflow
[ Upstream commit
a463146e67c848cbab5ce706d6528281b7cded08 ]
UBSAN: Undefined behavior in
drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:626:29
signed integer overflow:
1802201963 +
1802201963 cannot be represented
in type 'int'
The union of res_reserved and res_port_rsvd[MLX4_MAX_PORTS] monitors
granting of reserved resources. The grant operation is calculated and
protected, thus both members of the union cannot be negative. Changed
type of res_reserved and of res_port_rsvd[MLX4_MAX_PORTS] from signed
int to unsigned int, allowing large value.
Fixes:
5a0d0a6161ae ("mlx4: Structures and init/teardown for VF resource quotas")
Signed-off-by: Aya Levin <ayal@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Tariq Toukan [Thu, 15 Nov 2018 16:05:14 +0000 (18:05 +0200)]
net/mlx4_core: Fix uninitialized variable compilation warning
[ Upstream commit
3ea7e7ea53c9f6ee41cb69a29c375fe9dd9a56a7 ]
Initialize the uid variable to zero to avoid the compilation warning.
Fixes:
7a89399ffad7 ("net/mlx4: Add mlx4_bitmap zone allocator")
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jack Morgenstein [Thu, 15 Nov 2018 16:05:13 +0000 (18:05 +0200)]
net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
[ Upstream commit
bd85fbc2038a1bbe84990b23ff69b6fc81a32b2c ]
When re-registering a user mr, the mpt information for the
existing mr when running SRIOV is obtained via the QUERY_MPT
fw command. The returned information includes the mpt's lkey.
This retrieved mpt information is used to move the mpt back
to hardware ownership in the rereg flow (via the SW2HW_MPT
fw command when running SRIOV).
The fw API spec states that for SW2HW_MPT, the lkey field
must be zero. Any ConnectX-3 PF driver which checks for strict spec
adherence will return failure for SW2HW_MPT if the lkey field is not
zero (although the fw in practice ignores this field for SW2HW_MPT).
Thus, in order to conform to the fw API spec, set the lkey field to zero
before invoking SW2HW_MPT when running SRIOV.
Fixes:
e630664c8383 ("mlx4_core: Add helper functions to support MR re-registration")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Denis Bolotin [Mon, 12 Nov 2018 10:50:23 +0000 (12:50 +0200)]
qed: Fix reading wrong value in loop condition
[ Upstream commit
ed4eac20dcffdad47709422e0cb925981b056668 ]
The value of "sb_index" is written by the hardware. Reading its value and
writing it to "index" must finish before checking the loop condition.
Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Denis Bolotin [Mon, 12 Nov 2018 10:50:20 +0000 (12:50 +0200)]
qed: Fix PTT leak in qed_drain()
[ Upstream commit
9aaa4e8ba12972d674caeefbc5f88d83235dd697 ]
Release PTT before entering error flow.
Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
Signed-off-by: Michal Kalderon <michal.kalderon@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sudarsana Reddy Kalluru [Mon, 12 Nov 2018 02:27:34 +0000 (18:27 -0800)]
bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
[ Upstream commit
77e461d14ed141253573eeeb4d34eccc51e38328 ]
Driver assigns DMAE channel 0 for FW as part of START_RAMROD command. FW
uses this channel for DMAE operations (e.g., TIME_SYNC implementation).
Driver also uses the same channel 0 for DMAE operations for some of the PFs
(e.g., PF0 on Port0). This could lead to concurrent access to the DMAE
channel by FW and driver which is not legal. Hence need to assign unique
DMAE id for FW.
Currently following DMAE channels are used by the clients,
MFW - OCBB/OCSD functionality uses DMAE channel 14/15
Driver 0-3 and 8-11 (for PF dmae operations)
4 and 12 (for stats requests)
Assigning unique dmae_id '13' to the FW.
Changes from previous version:
------------------------------
v2: Incorporated the review comments.
Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sven Eckelmann [Wed, 7 Nov 2018 22:09:12 +0000 (23:09 +0100)]
batman-adv: Expand merged fragment buffer for full packet
[ Upstream commit
d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]
The complete size ("total_size") of the fragmented packet is stored in the
fragment header and in the size of the fragment chain. When the fragments
are ready for merge, the skbuff's tail of the first fragment is expanded to
have enough room after the data pointer for at least total_size. This means
that it gets expanded by total_size - first_skb->len.
But this is ignoring the fact that after expanding the buffer, the fragment
header is pulled by from this buffer. Assuming that the tailroom of the
buffer was already 0, the buffer after the data pointer of the skbuff is
now only total_size - len(fragment_header) large. When the merge function
is then processing the remaining fragments, the code to copy the data over
to the merged skbuff will cause an skb_over_panic when it tries to actually
put enough data to fill the total_size bytes of the packet.
The size of the skb_pull must therefore also be taken into account when the
buffer's tailroom is expanded.
Fixes:
610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Fabrizio Castro [Mon, 10 Sep 2018 10:43:13 +0000 (11:43 +0100)]
can: rcar_can: Fix erroneous registration
[ Upstream commit
68c8d209cd4337da4fa04c672f0b62bb735969bc ]
Assigning 2 to "renesas,can-clock-select" tricks the driver into
registering the CAN interface, even though we don't want that.
This patch improves one of the checks to prevent that from happening.
Fixes:
862e2b6af9413b43 ("can: rcar_can: support all input clocks")
Signed-off-by: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
Signed-off-by: Chris Paterson <Chris.Paterson2@renesas.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Geert Uytterhoeven [Wed, 7 Nov 2018 13:18:50 +0000 (14:18 +0100)]
iommu/ipmmu-vmsa: Fix crash on early domain free
[ Upstream commit
e5b78f2e349eef5d4fca5dc1cf5a3b4b2cc27abd ]
If iommu_ops.add_device() fails, iommu_ops.domain_free() is still
called, leading to a crash, as the domain was only partially
initialized:
ipmmu-vmsa
e67b0000.mmu: Cannot accommodate DMA translation for IOMMU page tables
sata_rcar
ee300000.sata: Unable to initialize IPMMU context
iommu: Failed to add device
ee300000.sata to group 0: -22
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000038
...
Call trace:
ipmmu_domain_free+0x1c/0xa0
iommu_group_release+0x48/0x68
kobject_put+0x74/0xe8
kobject_del.part.0+0x3c/0x50
kobject_put+0x60/0xe8
iommu_group_get_for_dev+0xa8/0x1f0
ipmmu_add_device+0x1c/0x40
of_iommu_configure+0x118/0x190
Fix this by checking if the domain's context already exists, before
trying to destroy it.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Fixes:
d25a2a16f0889 ('iommu: Add driver for Renesas VMSA-compatible IPMMU')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lu Baolu [Mon, 5 Nov 2018 02:18:58 +0000 (10:18 +0800)]
iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
[ Upstream commit
19ed3e2dd8549c1a34914e8dad01b64e7837645a ]
When handling page request without pasid event, go to "no_pasid"
branch instead of "bad_req". Otherwise, a NULL pointer deference
will happen there.
Cc: Ashok Raj <ashok.raj@intel.com>
Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: Sohil Mehta <sohil.mehta@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Fixes:
a222a7f0bb6c9 'iommu/vt-d: Implement page request handling'
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Arnd Bergmann [Thu, 7 Sep 2017 14:14:31 +0000 (16:14 +0200)]
usb: gadget: dummy: fix nonsensical comparisons
commit
7661ca09b2ff98f48693f431bb01fed62830e433 upstream.
gcc-8 points out two comparisons that are clearly bogus
and almost certainly not what the author intended to write:
drivers/usb/gadget/udc/dummy_hcd.c: In function 'set_link_state_by_speed':
drivers/usb/gadget/udc/dummy_hcd.c:379:31: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
USB_PORT_STAT_ENABLE) == 1 &&
^~
drivers/usb/gadget/udc/dummy_hcd.c:381:25: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
USB_SS_PORT_LS_U0) == 1 &&
^~
I looked at the code for a bit and came up with a change that makes
it look like what the author probably meant here. This makes it
look reasonable to me and to gcc, shutting up the warning.
It does of course change behavior as the two conditions are actually
evaluated rather than being hardcoded to false, and I have made no
attempt at verifying that the changed logic makes sense in the context
of a USB HCD, so that part needs to be reviewed carefully.
Fixes:
1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
Cc: Tatyana Brokhman <tlinder@codeaurora.org>
Cc: Felipe Balbi <balbi@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Simon Guo [Fri, 7 Oct 2016 23:59:40 +0000 (16:59 -0700)]
mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT)
commit
b155b4fde5bdde9fed439cd1f5ea07173df2ed31 upstream.
When one vma was with flag VM_LOCKED|VM_LOCKONFAULT (by invoking
mlock2(,MLOCK_ONFAULT)), it can again be populated with mlock() with
VM_LOCKED flag only.
There is a hole in mlock_fixup() which increase mm->locked_vm twice even
the two operations are on the same vma and both with VM_LOCKED flags.
The issue can be reproduced by following code:
mlock2(p, 1024 * 64, MLOCK_ONFAULT); //VM_LOCKED|VM_LOCKONFAULT
mlock(p, 1024 * 64); //VM_LOCKED
Then check the increase VmLck field in /proc/pid/status(to 128k).
When vma is set with different vm_flags, and the new vm_flags is with
VM_LOCKED, it is not necessarily be a "new locked" vma. This patch
corrects this bug by prevent mm->locked_vm from increment when old
vm_flags is already VM_LOCKED.
Link: http://lkml.kernel.org/r/1472554781-9835-3-git-send-email-wei.guo.simon@gmail.com
Signed-off-by: Simon Guo <wei.guo.simon@gmail.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Alexey Klimov <klimov.linux@gmail.com>
Cc: Eric B Munson <emunson@akamai.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Simon Guo <wei.guo.simon@gmail.com>
Cc: Thierry Reding <treding@nvidia.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rafael David Tinoco <rafael.tinoco@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pavel Tikhomirov [Fri, 30 Nov 2018 22:09:00 +0000 (14:09 -0800)]
mm: cleancache: fix corruption on missed inode invalidation
commit
6ff38bd40230af35e446239396e5fc8ebd6a5248 upstream.
If all pages are deleted from the mapping by memory reclaim and also
moved to the cleancache:
__delete_from_page_cache
(no shadow case)
unaccount_page_cache_page
cleancache_put_page
page_cache_delete
mapping->nrpages -= nr
(nrpages becomes 0)
We don't clean the cleancache for an inode after final file truncation
(removal).
truncate_inode_pages_final
check (nrpages || nrexceptional) is false
no truncate_inode_pages
no cleancache_invalidate_inode(mapping)
These way when reading the new file created with same inode we may get
these trash leftover pages from cleancache and see wrong data instead of
the contents of the new file.
Fix it by always doing truncate_inode_pages which is already ready for
nrpages == 0 && nrexceptional == 0 case and just invalidates inode.
[akpm@linux-foundation.org: add comment, per Jan]
Link: http://lkml.kernel.org/r/20181112095734.17979-1-ptikhomirov@virtuozzo.com
Fixes: commit
91b0abe36a7b ("mm + fs: store shadow entries in page cache")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexey Brodkin [Tue, 20 Nov 2018 10:30:19 +0000 (13:30 +0300)]
arc: [devboards] Add support of NFSv3 ACL
commit
6b04114f6fae5e84d33404c2970b1949c032546e upstream.
By default NFSv3 doesn't support ACL (Access Control Lists)
which might be quite convenient to have so that
mounted NFS behaves exactly as any other local file-system.
In particular missing support of ACL makes umask useless.
This among other thigs fixes Glibc's "nptl/tst-umask1".
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Cupertino Miranda <cmiranda@synopsys.com>
Cc: stable@vger.kernel.org #4.14+
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kevin Hilman [Fri, 30 Nov 2018 12:51:56 +0000 (15:51 +0300)]
ARC: change defconfig defaults to ARCv2
commit
b7cc40c32a8bfa6f2581a71747f6a7d491fe43ba upstream.
Change the default defconfig (used with 'make defconfig') to the ARCv2
nsim_hs_defconfig, and also switch the default Kconfig ISA selection to
ARCv2.
This allows several default defconfigs (e.g. make defconfig, make
allnoconfig, make tinyconfig) to all work with ARCv2 by default.
Note since we change default architecture from ARCompact to ARCv2
it's required to explicitly mention architecture type in ARCompact
defconfigs otherwise ARCv2 will be implied and binaries will be
generated for ARCv2.
Cc: <stable@vger.kernel.org> # 4.4.x
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Filipe Manana [Mon, 22 Oct 2018 09:43:06 +0000 (10:43 +0100)]
Btrfs: fix use-after-free when dumping free space
commit
9084cb6a24bf5838a665af92ded1af8363f9e563 upstream.
We were iterating a block group's free space cache rbtree without locking
first the lock that protects it (the free_space_ctl->free_space_offset
rbtree is protected by the free_space_ctl->tree_lock spinlock).
KASAN reported an use-after-free problem when iterating such a rbtree due
to a concurrent rbtree delete:
[ 9520.359168] ==================================================================
[ 9520.359656] BUG: KASAN: use-after-free in rb_next+0x13/0x90
[ 9520.359949] Read of size 8 at addr
ffff8800b7ada500 by task btrfs-transacti/1721
[ 9520.360357]
[ 9520.360530] CPU: 4 PID: 1721 Comm: btrfs-transacti Tainted: G L 4.19.0-rc8-nbor #555
[ 9520.360990] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9520.362682] Call Trace:
[ 9520.362887] dump_stack+0xa4/0xf5
[ 9520.363146] print_address_description+0x78/0x280
[ 9520.363412] kasan_report+0x263/0x390
[ 9520.363650] ? rb_next+0x13/0x90
[ 9520.363873] __asan_load8+0x54/0x90
[ 9520.364102] rb_next+0x13/0x90
[ 9520.364380] btrfs_dump_free_space+0x146/0x160 [btrfs]
[ 9520.364697] dump_space_info+0x2cd/0x310 [btrfs]
[ 9520.364997] btrfs_reserve_extent+0x1ee/0x1f0 [btrfs]
[ 9520.365310] __btrfs_prealloc_file_range+0x1cc/0x620 [btrfs]
[ 9520.365646] ? btrfs_update_time+0x180/0x180 [btrfs]
[ 9520.365923] ? _raw_spin_unlock+0x27/0x40
[ 9520.366204] ? btrfs_alloc_data_chunk_ondemand+0x2c0/0x5c0 [btrfs]
[ 9520.366549] btrfs_prealloc_file_range_trans+0x23/0x30 [btrfs]
[ 9520.366880] cache_save_setup+0x42e/0x580 [btrfs]
[ 9520.367220] ? btrfs_check_data_free_space+0xd0/0xd0 [btrfs]
[ 9520.367518] ? lock_downgrade+0x2f0/0x2f0
[ 9520.367799] ? btrfs_write_dirty_block_groups+0x11f/0x6e0 [btrfs]
[ 9520.368104] ? kasan_check_read+0x11/0x20
[ 9520.368349] ? do_raw_spin_unlock+0xa8/0x140
[ 9520.368638] btrfs_write_dirty_block_groups+0x2af/0x6e0 [btrfs]
[ 9520.368978] ? btrfs_start_dirty_block_groups+0x870/0x870 [btrfs]
[ 9520.369282] ? do_raw_spin_unlock+0xa8/0x140
[ 9520.369534] ? _raw_spin_unlock+0x27/0x40
[ 9520.369811] ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.370137] commit_cowonly_roots+0x4b9/0x610 [btrfs]
[ 9520.370560] ? commit_fs_roots+0x350/0x350 [btrfs]
[ 9520.370926] ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.371285] btrfs_commit_transaction+0x5e5/0x10e0 [btrfs]
[ 9520.371612] ? btrfs_apply_pending_changes+0x90/0x90 [btrfs]
[ 9520.371943] ? start_transaction+0x168/0x6c0 [btrfs]
[ 9520.372257] transaction_kthread+0x21c/0x240 [btrfs]
[ 9520.372537] kthread+0x1d2/0x1f0
[ 9520.372793] ? btrfs_cleanup_transaction+0xb50/0xb50 [btrfs]
[ 9520.373090] ? kthread_park+0xb0/0xb0
[ 9520.373329] ret_from_fork+0x3a/0x50
[ 9520.373567]
[ 9520.373738] Allocated by task 1804:
[ 9520.373974] kasan_kmalloc+0xff/0x180
[ 9520.374208] kasan_slab_alloc+0x11/0x20
[ 9520.374447] kmem_cache_alloc+0xfc/0x2d0
[ 9520.374731] __btrfs_add_free_space+0x40/0x580 [btrfs]
[ 9520.375044] unpin_extent_range+0x4f7/0x7a0 [btrfs]
[ 9520.375383] btrfs_finish_extent_commit+0x15f/0x4d0 [btrfs]
[ 9520.375707] btrfs_commit_transaction+0xb06/0x10e0 [btrfs]
[ 9520.376027] btrfs_alloc_data_chunk_ondemand+0x237/0x5c0 [btrfs]
[ 9520.376365] btrfs_check_data_free_space+0x81/0xd0 [btrfs]
[ 9520.376689] btrfs_delalloc_reserve_space+0x25/0x80 [btrfs]
[ 9520.377018] btrfs_direct_IO+0x42e/0x6d0 [btrfs]
[ 9520.377284] generic_file_direct_write+0x11e/0x220
[ 9520.377587] btrfs_file_write_iter+0x472/0xac0 [btrfs]
[ 9520.377875] aio_write+0x25c/0x360
[ 9520.378106] io_submit_one+0xaa0/0xdc0
[ 9520.378343] __se_sys_io_submit+0xfa/0x2f0
[ 9520.378589] __x64_sys_io_submit+0x43/0x50
[ 9520.378840] do_syscall_64+0x7d/0x240
[ 9520.379081] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 9520.379387]
[ 9520.379557] Freed by task 1802:
[ 9520.379782] __kasan_slab_free+0x173/0x260
[ 9520.380028] kasan_slab_free+0xe/0x10
[ 9520.380262] kmem_cache_free+0xc1/0x2c0
[ 9520.380544] btrfs_find_space_for_alloc+0x4cd/0x4e0 [btrfs]
[ 9520.380866] find_free_extent+0xa99/0x17e0 [btrfs]
[ 9520.381166] btrfs_reserve_extent+0xd5/0x1f0 [btrfs]
[ 9520.381474] btrfs_get_blocks_direct+0x60b/0xbd0 [btrfs]
[ 9520.381761] __blockdev_direct_IO+0x10ee/0x58a1
[ 9520.382059] btrfs_direct_IO+0x25a/0x6d0 [btrfs]
[ 9520.382321] generic_file_direct_write+0x11e/0x220
[ 9520.382623] btrfs_file_write_iter+0x472/0xac0 [btrfs]
[ 9520.382904] aio_write+0x25c/0x360
[ 9520.383172] io_submit_one+0xaa0/0xdc0
[ 9520.383416] __se_sys_io_submit+0xfa/0x2f0
[ 9520.383678] __x64_sys_io_submit+0x43/0x50
[ 9520.383927] do_syscall_64+0x7d/0x240
[ 9520.384165] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 9520.384439]
[ 9520.384610] The buggy address belongs to the object at
ffff8800b7ada500
which belongs to the cache btrfs_free_space of size 72
[ 9520.385175] The buggy address is located 0 bytes inside of
72-byte region [
ffff8800b7ada500,
ffff8800b7ada548)
[ 9520.385691] The buggy address belongs to the page:
[ 9520.385957] page:
ffffea0002deb680 count:1 mapcount:0 mapping:
ffff880108a1d700 index:0x0 compound_mapcount: 0
[ 9520.388030] flags: 0x8100(slab|head)
[ 9520.388281] raw:
0000000000008100 ffffea0002deb608 ffffea0002728808 ffff880108a1d700
[ 9520.388722] raw:
0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
[ 9520.389169] page dumped because: kasan: bad access detected
[ 9520.389473]
[ 9520.389658] Memory state around the buggy address:
[ 9520.389943]
ffff8800b7ada400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.390368]
ffff8800b7ada480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.390796] >
ffff8800b7ada500: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 9520.391223] ^
[ 9520.391461]
ffff8800b7ada580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.391885]
ffff8800b7ada600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.392313] ==================================================================
[ 9520.392772] BTRFS critical (device vdc): entry offset
2258497536, bytes 131072, bitmap no
[ 9520.393247] BUG: unable to handle kernel NULL pointer dereference at
0000000000000011
[ 9520.393705] PGD
800000010dbab067 P4D
800000010dbab067 PUD
107551067 PMD 0
[ 9520.394059] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 9520.394378] CPU: 4 PID: 1721 Comm: btrfs-transacti Tainted: G B L 4.19.0-rc8-nbor #555
[ 9520.394858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9520.395350] RIP: 0010:rb_next+0x3c/0x90
[ 9520.396461] RSP: 0018:
ffff8801074ff780 EFLAGS:
00010292
[ 9520.396762] RAX:
0000000000000000 RBX:
0000000000000001 RCX:
ffffffff81b5ac4c
[ 9520.397115] RDX:
0000000000000000 RSI:
0000000000000008 RDI:
0000000000000011
[ 9520.397468] RBP:
ffff8801074ff7a0 R08:
ffffed0021d64ccc R09:
ffffed0021d64ccc
[ 9520.397821] R10:
0000000000000001 R11:
ffffed0021d64ccb R12:
ffff8800b91e0000
[ 9520.398188] R13:
ffff8800a3ceba48 R14:
ffff8800b627bf80 R15:
0000000000020000
[ 9520.398555] FS:
0000000000000000(0000) GS:
ffff88010eb00000(0000) knlGS:
0000000000000000
[ 9520.399007] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 9520.399335] CR2:
0000000000000011 CR3:
0000000106b52000 CR4:
00000000000006a0
[ 9520.399679] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 9520.400023] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 9520.400400] Call Trace:
[ 9520.400648] btrfs_dump_free_space+0x146/0x160 [btrfs]
[ 9520.400974] dump_space_info+0x2cd/0x310 [btrfs]
[ 9520.401287] btrfs_reserve_extent+0x1ee/0x1f0 [btrfs]
[ 9520.401609] __btrfs_prealloc_file_range+0x1cc/0x620 [btrfs]
[ 9520.401952] ? btrfs_update_time+0x180/0x180 [btrfs]
[ 9520.402232] ? _raw_spin_unlock+0x27/0x40
[ 9520.402522] ? btrfs_alloc_data_chunk_ondemand+0x2c0/0x5c0 [btrfs]
[ 9520.402882] btrfs_prealloc_file_range_trans+0x23/0x30 [btrfs]
[ 9520.403261] cache_save_setup+0x42e/0x580 [btrfs]
[ 9520.403570] ? btrfs_check_data_free_space+0xd0/0xd0 [btrfs]
[ 9520.403871] ? lock_downgrade+0x2f0/0x2f0
[ 9520.404161] ? btrfs_write_dirty_block_groups+0x11f/0x6e0 [btrfs]
[ 9520.404481] ? kasan_check_read+0x11/0x20
[ 9520.404732] ? do_raw_spin_unlock+0xa8/0x140
[ 9520.405026] btrfs_write_dirty_block_groups+0x2af/0x6e0 [btrfs]
[ 9520.405375] ? btrfs_start_dirty_block_groups+0x870/0x870 [btrfs]
[ 9520.405694] ? do_raw_spin_unlock+0xa8/0x140
[ 9520.405958] ? _raw_spin_unlock+0x27/0x40
[ 9520.406243] ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.406574] commit_cowonly_roots+0x4b9/0x610 [btrfs]
[ 9520.406899] ? commit_fs_roots+0x350/0x350 [btrfs]
[ 9520.407253] ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.407589] btrfs_commit_transaction+0x5e5/0x10e0 [btrfs]
[ 9520.407925] ? btrfs_apply_pending_changes+0x90/0x90 [btrfs]
[ 9520.408262] ? start_transaction+0x168/0x6c0 [btrfs]
[ 9520.408582] transaction_kthread+0x21c/0x240 [btrfs]
[ 9520.408870] kthread+0x1d2/0x1f0
[ 9520.409138] ? btrfs_cleanup_transaction+0xb50/0xb50 [btrfs]
[ 9520.409440] ? kthread_park+0xb0/0xb0
[ 9520.409682] ret_from_fork+0x3a/0x50
[ 9520.410508] Dumping ftrace buffer:
[ 9520.410764] (ftrace buffer empty)
[ 9520.411007] CR2:
0000000000000011
[ 9520.411297] ---[ end trace
01a0863445cf360a ]---
[ 9520.411568] RIP: 0010:rb_next+0x3c/0x90
[ 9520.412644] RSP: 0018:
ffff8801074ff780 EFLAGS:
00010292
[ 9520.412932] RAX:
0000000000000000 RBX:
0000000000000001 RCX:
ffffffff81b5ac4c
[ 9520.413274] RDX:
0000000000000000 RSI:
0000000000000008 RDI:
0000000000000011
[ 9520.413616] RBP:
ffff8801074ff7a0 R08:
ffffed0021d64ccc R09:
ffffed0021d64ccc
[ 9520.414007] R10:
0000000000000001 R11:
ffffed0021d64ccb R12:
ffff8800b91e0000
[ 9520.414349] R13:
ffff8800a3ceba48 R14:
ffff8800b627bf80 R15:
0000000000020000
[ 9520.416074] FS:
0000000000000000(0000) GS:
ffff88010eb00000(0000) knlGS:
0000000000000000
[ 9520.416536] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 9520.416848] CR2:
0000000000000011 CR3:
0000000106b52000 CR4:
00000000000006a0
[ 9520.418477] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 9520.418846] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 9520.419204] Kernel panic - not syncing: Fatal exception
[ 9520.419666] Dumping ftrace buffer:
[ 9520.419930] (ftrace buffer empty)
[ 9520.420168] Kernel Offset: disabled
[ 9520.420406] ---[ end Kernel panic - not syncing: Fatal exception ]---
Fix this by acquiring the respective lock before iterating the rbtree.
Reported-by: Nikolay Borisov <nborisov@suse.com>
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Cc: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nikolay Borisov [Tue, 6 Nov 2018 14:40:20 +0000 (16:40 +0200)]
btrfs: Always try all copies when reading extent buffers
commit
f8397d69daef06d358430d3054662fb597e37c00 upstream.
When a metadata read is served the endio routine btree_readpage_end_io_hook
is called which eventually runs the tree-checker. If tree-checker fails
to validate the read eb then it sets EXTENT_BUFFER_CORRUPT flag. This
leads to btree_read_extent_buffer_pages wrongly assuming that all
available copies of this extent buffer are wrong and failing prematurely.
Fix this modify btree_read_extent_buffer_pages to read all copies of
the data.
This failure was exhibitted in xfstests btrfs/124 which would
spuriously fail its balance operations. The reason was that when balance
was run following re-introduction of the missing raid1 disk
__btrfs_map_block would map the read request to stripe 0, which
corresponded to devid 2 (the disk which is being removed in the test):
item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM
3553624064) itemoff 15975 itemsize 112
length
1073741824 owner 2 stripe_len 65536 type DATA|RAID1
io_align 65536 io_width 65536 sector_size 4096
num_stripes 2 sub_stripes 1
stripe 0 devid 2 offset
2156920832
dev_uuid
8466c350-ed0c-4c3b-b17d-
6379b445d5c8
stripe 1 devid 1 offset
3553624064
dev_uuid
1265d8db-5596-477e-af03-
df08eb38d2ca
This caused read requests for a checksum item that to be routed to the
stale disk which triggered the aforementioned logic involving
EXTENT_BUFFER_CORRUPT flag. This then triggered cascading failures of
the balance operation.
Fixes:
a826d6dcb32d ("Btrfs: check items for correctness as we search")
CC: stable@vger.kernel.org # 4.4+
Suggested-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Adam Wong [Thu, 29 Nov 2018 18:04:35 +0000 (10:04 -0800)]
Input: elan_i2c - add support for ELAN0621 touchpad
commit
bf87ade0dd7f8cf19dac4d3161d5e86abe0c062b upstream.
Added the ability to detect the ELAN0621 touchpad found in some Lenovo
laptops.
Signed-off-by: Adam Wong <adam@adamwong.me>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Noah Westervelt [Thu, 29 Nov 2018 18:10:35 +0000 (10:10 -0800)]
Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
commit
ad33429cd02565c28404bb16ae7a4c2bdfda6626 upstream.
Add ELAN061E to the ACPI table to support Elan touchpad found in Lenovo
IdeaPad 330-15ARR.
Signed-off-by: Noah Westervelt <nwestervelt@outlook.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Patrick Gaskin [Mon, 12 Nov 2018 19:12:24 +0000 (11:12 -0800)]
Input: elan_i2c - add ELAN0620 to the ACPI table
commit
3ed64da3b790be7c63601e8ca6341b7dff74a660 upstream.
Add ELAN0620 to the ACPI table to support the elan touchpad in
the Lenovo IdeaPad 130-15IKB.
Signed-off-by: Patrick Gaskin <patrick@pgaskin.net>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christian Hoff [Mon, 12 Nov 2018 19:11:29 +0000 (11:11 -0800)]
Input: matrix_keypad - check for errors from of_get_named_gpio()
commit
d55bda1b3e7c5a87f10da54fdda866a9a9cef30b upstream.
"of_get_named_gpio()" returns a negative error value if it fails
and drivers should check for this. This missing check was now
added to the matrix_keypad driver.
In my case "of_get_named_gpio()" returned -EPROBE_DEFER because
the referenced GPIOs belong to an I/O expander, which was not yet
probed at the point in time when the matrix_keypad driver was
loading. Because the driver did not check for errors from the
"of_get_named_gpio()" routine, it was assuming that "-EPROBE_DEFER"
is actually a GPIO number and continued as usual, which led to further
errors like this later on:
WARNING: CPU: 3 PID: 167 at drivers/gpio/gpiolib.c:114
gpio_to_desc+0xc8/0xd0
invalid GPIO -517
Note that the "GPIO number" -517 in the error message above is
actually "-EPROBE_DEFER".
As part of the patch a misleading error message "no platform data defined"
was also removed. This does not lead to information loss because the other
error paths in matrix_keypad_parse_dt() already print an error.
Signed-off-by: Christian Hoff <christian_hoff@gmx.net>
Suggested-by: Sebastian Reichel <sre@kernel.org>
Reviewed-by: Sebastian Reichel <sre@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cameron Gutman [Thu, 29 Nov 2018 18:09:33 +0000 (10:09 -0800)]
Input: xpad - quirk all PDP Xbox One gamepads
commit
a6754fae1e66e9a40fed406290d7ca3f2b4d227c upstream.
Since we continue to find tons of new variants [0,1,2,3,4,5,6] that
need the PDP quirk, let's just quirk all devices from PDP.
[0]: https://github.com/paroj/xpad/pull/104
[1]: https://github.com/paroj/xpad/pull/105
[2]: https://github.com/paroj/xpad/pull/108
[3]: https://github.com/paroj/xpad/pull/109
[4]: https://github.com/paroj/xpad/pull/112
[5]: https://github.com/paroj/xpad/pull/115
[6]: https://github.com/paroj/xpad/pull/116
Fixes:
e5c9c6a885fa ("Input: xpad - add support for PDP Xbox One controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wei Yongjun [Sat, 6 Feb 2016 14:37:33 +0000 (22:37 +0800)]
leds: leds-gpio: Fix return value check in create_gpio_led()
commit
2d88a331e48095cf60ad9bdf3177bd401bf99727 upstream.
In case of error, the function gpio_to_desc() returns NULL
pointer not ERR_PTR(). The IS_ERR() test in the return value
check should be replaced with NULL test.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
OSDN Git Service
