Commit Graph

797983 Commits

Author SHA1 Message Date
Lorenzo Pieralisi ea2412dc21 ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value
Running the Clang static analyzer on IORT code detected the following
error:

Logic error: Branch condition evaluates to a garbage value

in

iort_get_platform_device_domain()

If the named component associated with a given device has no IORT
mappings, iort_get_platform_device_domain() exits its MSI mapping loop
with msi_parent pointer containing garbage, which can lead to erroneous
code path execution.

Initialize the msi_parent pointer, fixing the bug.

Fixes: d4f54a1866 ("ACPI: platform: setup MSI domain for ACPI based
platform device")
Reported-by: Patrick Bellasi <patrick.bellasi@arm.com>
Reviewed-by: Hanjun Guo <hanjun.guo@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-11-30 17:28:39 +00:00
Linus Torvalds 570a37437c drm: i915 gvt, amdgpu, ast, rcar-du, meson + core fixes.
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJcAKgKAAoJEAx081l5xIa+0PgP/A+2bvrs6EgLQHAmdyJtuAzp
 /qeip9RtQG15rmgkzYucRgeTqmIwDHduCJDp7TcJ94Lial2FzBH5o8gRfqcOatgg
 Ury7/MwAOEg4omYxpuRP1qlZkK0wkEZiDT5aWYlYRFZI1+qsL28vdYyA1KflBNLS
 ZbGGB1DOIjtT1NGG4/cMGTd8iGM8cQIDzeKra6ZlTdDA3fARLBrf4bQCuphu7Eqv
 z2n0ZSEmGlvOWEAE4GR3nG3Uu32F6wCKdwWRG+/GLhRRFb8GdXZ3uriZXswdMNwt
 I1pIgHGHcpAGqD6IyHKtoBPlBs1Xs+VL1QwqHkN5hGniF32szBpCKOAPIxhLfJ7w
 S6clk/kauzdlzOI/t31LjKLME9a/mn95wxzridNTv2SmksEmNoNhvsEeXEoMjs2m
 s4CcJTyt5tbRqwXlWQg5DWkBAyNqNI1EkoDJRmefN+rW33m6x79r0RFcv57E8Sbs
 VyaLelyNyOcPm8Tqanko5o9RTQ56sZTNR4aOXVVrxSOBa7iJnK+h/kMeCn8TJDsT
 i8ftCzpco5uycxDgunw+lPoj9rnzuB7i2MgbEb2rOz3Mj8TH/WQnb1YWlUWPejuG
 ClAVjwWJAEy26MdGpMy0XUVtvgJK0h5hvnSA9yXAZjkJzA8LtbV82Nexu2MsEt02
 DiTPOpSgtSyxC4CLZ2G3
 =2Pvh
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-11-30' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "This weeks instalment of fixes. Looks fairly like business as usual
  and everything seems to rolling along. There was one MST fix applied
  and reverted in the misc tree, but otherwise nothing too strange in
  here.

  core:
   - incorrect master setting on error fix

  i915:
   - only GVT fixes this week:
      * one MOCS register load
      * rpm lock fix
      * use after free

  rcar-du:
   - regression fix for group start

  amdgpu:
   - DP MST fix
   - GPUVM fix for huge pages
   - RLC fix for vega20

  ast:
   - fix EDID reading stability
   - ioreg free fix

  meson:
   - sleep in irq fix
   - vblank fixes
   - array boundary fix"

* tag 'drm-fixes-2018-11-30' of git://anongit.freedesktop.org/drm/drm:
  drm/ast: fixed reading monitor EDID not stable issue
  drm/ast: Fix incorrect free on ioregs
  Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
  drm/amdgpu: Add delay after enable RLC ucode
  drm/amdgpu: Avoid endless loop in GPUVM fragment processing
  drm/amdgpu: Cast to uint64_t before left shift
  drm/meson: add support for 1080p25 mode
  drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut()
  drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config
  drm/meson: Fixes for drm_crtc_vblank_on/off support
  drm: set is_master to 0 upon drm_new_set_master() failure
  drm/dp_mst: Skip validating ports during destruction, just ref
  drm: rcar-du: Fix DU3 start/stop on M3-N
  drm/amd/dm: Understand why attaching path/tile properties are needed
  drm/amd/dm: Don't forget to attach MST encoders
  drm/i915/gvt: Avoid use-after-free iterating the gtt list
  drm/i915/gvt: ensure gpu is powered before do i915_gem_gtt_insert
  drm/i915/gvt: not to touch undefined MOCS registers
2018-11-30 09:10:29 -08:00
Jens Axboe 1c9b357ced Merge branch 'nvme-4.20' of git://git.infradead.org/nvme into for-linus
Pull NVMe fixes from Christoph:

"Various fixlets all over."

* 'nvme-4.20' of git://git.infradead.org/nvme:
  nvme-rdma: fix double freeing of async event data
  nvme: flush namespace scanning work just before removing namespaces
  nvme: warn when finding multi-port subsystems without multipathing enabled
  nvme-pci: fix surprise removal
  nvme-fc: initialize nvme_req(rq)->ctrl after calling __nvme_fc_init_request()
  nvme: Free ctrl device name on init failure
2018-11-30 10:08:39 -07:00
Ming Lei 2a5cf35cd6 block: fix single range discard merge
There are actually two kinds of discard merge:

- one is the normal discard merge, just like normal read/write request,
and call it single-range discard

- another is the multi-range discard, queue_max_discard_segments(rq->q) > 1

For the former case, queue_max_discard_segments(rq->q) is 1, and we
should handle this kind of discard merge like the normal read/write
request.

This patch fixes the following kernel panic issue[1], which is caused by
not removing the single-range discard request from elevator queue.

Guangwu has one raid discard test case, in which this issue is a bit
easier to trigger, and I verified that this patch can fix the kernel
panic issue in Guangwu's test case.

[1] kernel panic log from Jens's report

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000148
 PGD 0 P4D 0.
 Oops: 0000 [#1] SMP PTI
 CPU: 37 PID: 763 Comm: kworker/37:1H Not tainted \
4.20.0-rc3-00649-ge64d9a554a91-dirty #14  Hardware name: Wiwynn \
Leopard-Orv2/Leopard-DDR BW, BIOS LBM08   03/03/2017       Workqueue: kblockd \
blk_mq_run_work_fn                                            RIP: \
0010:blk_mq_get_driver_tag+0x81/0x120                                       Code: 24 \
10 48 89 7c 24 20 74 21 83 fa ff 0f 95 c0 48 8b 4c 24 28 65 48 33 0c 25 28 00 00 00 \
0f 85 96 00 00 00 48 83 c4 30 5b 5d c3 <48> 8b 87 48 01 00 00 8b 40 04 39 43 20 72 37 \
f6 87 b0 00 00 00 02  RSP: 0018:ffffc90004aabd30 EFLAGS: 00010246                     \
  RAX: 0000000000000003 RBX: ffff888465ea1300 RCX: ffffc90004aabde8
 RDX: 00000000ffffffff RSI: ffffc90004aabde8 RDI: 0000000000000000
 RBP: 0000000000000000 R08: ffff888465ea1348 R09: 0000000000000000
 R10: 0000000000001000 R11: 00000000ffffffff R12: ffff888465ea1300
 R13: 0000000000000000 R14: ffff888465ea1348 R15: ffff888465d10000
 FS:  0000000000000000(0000) GS:ffff88846f9c0000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000148 CR3: 000000000220a003 CR4: 00000000003606e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  blk_mq_dispatch_rq_list+0xec/0x480
  ? elv_rb_del+0x11/0x30
  blk_mq_do_dispatch_sched+0x6e/0xf0
  blk_mq_sched_dispatch_requests+0xfa/0x170
  __blk_mq_run_hw_queue+0x5f/0xe0
  process_one_work+0x154/0x350
  worker_thread+0x46/0x3c0
  kthread+0xf5/0x130
  ? process_one_work+0x350/0x350
  ? kthread_destroy_worker+0x50/0x50
  ret_from_fork+0x1f/0x30
 Modules linked in: sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel \
kvm switchtec irqbypass iTCO_wdt iTCO_vendor_support efivars cdc_ether usbnet mii \
cdc_acm i2c_i801 lpc_ich mfd_core ipmi_si ipmi_devintf ipmi_msghandler acpi_cpufreq \
button sch_fq_codel nfsd nfs_acl lockd grace auth_rpcgss oid_registry sunrpc nvme \
nvme_core fuse sg loop efivarfs autofs4  CR2: 0000000000000148                        \

 ---[ end trace 340a1fb996df1b9b ]---
 RIP: 0010:blk_mq_get_driver_tag+0x81/0x120
 Code: 24 10 48 89 7c 24 20 74 21 83 fa ff 0f 95 c0 48 8b 4c 24 28 65 48 33 0c 25 28 \
00 00 00 0f 85 96 00 00 00 48 83 c4 30 5b 5d c3 <48> 8b 87 48 01 00 00 8b 40 04 39 43 \
20 72 37 f6 87 b0 00 00 00 02

Fixes: 445251d0f4 ("blk-mq: fix discard merge with scheduler attached")
Reported-by: Jens Axboe <axboe@kernel.dk>
Cc: Guangwu Zhang <guazhang@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jianchao Wang <jianchao.w.wang@oracle.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-11-30 10:07:57 -07:00
Alexander Popov ef1a840934 stackleak: Disable function tracing and kprobes for stackleak_erase()
The stackleak_erase() function is called on the trampoline stack at the
end of syscall. This stack is not big enough for ftrace and kprobes
operations, e.g. it can be exhausted if we use kprobe_events for
stackleak_erase().

So let's disable function tracing and kprobes of stackleak_erase().

Reported-by: kernel test robot <lkp@intel.com>
Fixes: 10e9ae9fab ("gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack")
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-11-30 09:05:07 -08:00
Linus Torvalds e9eaf72e73 pstore fix:
- Fix corrupted compression due to unlucky size choice with ECC
 -----BEGIN PGP SIGNATURE-----
 Comment: Kees Cook <kees@outflux.net>
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlwAcoMWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJjwQD/4t+0AYLLGJKkc+YEXj2aVDPftc
 cjHoNvT4voNTf3UzEsjbegfslg0g9UEAnDSOxlecJs81HYiopFpBQ2RMvYffWH7K
 qhJN9X12Fpop5DYJ7fgJJpNPqmVGY783gMNRA5jgh1SKZhK0yzTIwCElysFMoxKc
 U6cKXfkGwnZggNL3bFjqt5r1tiLVkDQVrfZgqcghrOkROmkF0I1kc+PwxRDkeCYh
 Kk3BtKMHTh3XQoX4Xqkq9bSCACYmfvLg6CuTAzqtw5bpWlgtZ3KcXxDxlbSwNe3X
 8SRr9N0qkUsbiQ/vFXY3PY2l9iI1NSVN0cDldaJ/bagOV7YL0kbQZfM01IEUK0j/
 iPrsv4ELT3w0NTYQCB47x4VOf2pt44OwNAmovAmtg71OwPKXAsFJZ4jCid2Pq4Pr
 esik+vwfroWJb+979WVcpyT9eA1P3BHEhBsl5yJV6jSwhWWBZ670RPRDNcHDol/x
 pJPGfDKTznCxwHqBdycqf1z1YtnD1VwGzd8OkNc183qoLeorew/Zv0VeYOL+6d92
 qVBj3FcKeAuzn6it+trBZ6zbGGH4Nxo68tI2BYiAMQJogxRcVjqJ1dNwoZWjdYNm
 w00jqlItJD0rwE8XAOYBoHg5J1o+/QUyz8dwf4mF2rWjqpBT+YC+Y1V5Xdhxg7D0
 xc0VYYZAYwc3XlR83A==
 =/GIT
 -----END PGP SIGNATURE-----

Merge tag 'pstore-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull pstore fix from Kees Cook:
 "Fix corrupted compression due to unlucky size choice with ECC"

* tag 'pstore-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  pstore/ram: Correctly calculate usable PRZ bytes
2018-11-30 09:03:15 -08:00
Linus Torvalds 2b17992f6f First rc pull request
A set of small driver and core code fixes:
 
 - Small series fixing longtime user triggerable bugs in the
   ODP processing inside mlx5 and core code
 
 - Various small driver malfunctions and crashes (use after, free, error
   unwind, implementation bugs)
 
 - A misfunction of the RDMA GID cache that can be triggered by the
   administrator
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAlwAbPgACgkQOG33FX4g
 mxpMCg/8DMvxyz5byYhLbreKuMCeG8+L5PuvR8myeeA5ycbPUo+HYCFe7fkqpHUH
 tlgLWm0PoMnGh1s8pjD2OvFU2xHAl9tydk1tU8XLBpEjC3XvrD5ZTvd/i2rHdvDy
 hKDGRouU6QnDiNwTR5HrSlqH5OVVZ0K0Oyl3YjAbGItL4xJEEPbiRCWA+SN8tuBl
 mkFEkGr+MKZIDEieatf9KT2cLQbhVbtjG58rTxA1jOVL1ZM+PT0FZ/J7JsQAD2FO
 MVkw2NQrgu/bLiqr2d679rShWRetctap9iYiGna2ftVghCHqXajN477Dv0w01pQu
 5k9JaSPA2j7rGaFql4fyyuHBMqHF+pqwC/p1ExgUpbOTShcibUCIfJbIHhjLVTCl
 sszZculTfCiYnJBiBkSp1G1L784Z6QPnDRacxeHRuV2yUd5MhrW2KCTwk0ZkPV9F
 PKwKCNC90TeD3STUAk0GXouzuZYvqjxDdwiE5ohYgCCR5CNRBS/fdmmRK/PnRb1Y
 ekTYHStoBFT1tkAG5NqAcfKm3qs/tdxlcdo+3sS9n5XWNwyUwUP2buKKnaXu9ACf
 yD3+vDaBCEcGhQXaw6lUm8sTF2P5eD67lMvJiteLJr9dsnk7bUd6+d1sXB3TjJss
 bX5FQx2CwNMnRQ7hKrBqZa3dhCA578Hq0AgmH+1jw/7mD5Ay6Hw=
 =QrHg
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
 "This is a bit later than usual for our first -rc but I'm not seeing
  anything worry-some in the RDMA tree right now. Quiet so far this -rc
  cycle, only a few internal driver related bugs and a small series
  fixing ODP bugs found by more advanced testing.

  A set of small driver and core code fixes:

   - Small series fixing longtime user triggerable bugs in the ODP
     processing inside mlx5 and core code

   - Various small driver malfunctions and crashes (use after, free,
     error unwind, implementation bugs)

   - A misfunction of the RDMA GID cache that can be triggered by the
     administrator"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/mlx5: Initialize return variable in case pagefault was skipped
  IB/mlx5: Fix page fault handling for MW
  IB/umem: Set correct address to the invalidation function
  IB/mlx5: Skip non-ODP MR when handling a page fault
  RDMA/hns: Bugfix pbl configuration for rereg mr
  iser: set sector for ambiguous mr status errors
  RDMA/rdmavt: Fix rvt_create_ah function signature
  IB/mlx5: Avoid load failure due to unknown link width
  IB/mlx5: Fix XRC QP support after introducing extended atomic
  RDMA/bnxt_re: Avoid accessing the device structure after it is freed
  RDMA/bnxt_re: Fix system hang when registration with L2 driver fails
  RDMA/core: Add GIDs while changing MAC addr only for registered ndev
  RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
  net/mlx5: Fix XRC SRQ umem valid bits
2018-11-30 08:57:31 -08:00
Prabhath Sajeepa 6344d02dc8 nvme-rdma: fix double freeing of async event data
Some error paths in configuration of admin queue free data buffer
associated with async request SQE without resetting the data buffer
pointer to NULL, This buffer is also freed up again if the controller
is shutdown or reset.

Signed-off-by: Prabhath Sajeepa <psajeepa@purestorage.com>
Reviewed-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2018-11-30 17:23:23 +01:00
Sagi Grimberg f6c8e432cb nvme: flush namespace scanning work just before removing namespaces
nvme_stop_ctrl can be called also for reset flow and there is no need to
flush the scan_work as namespaces are not being removed. This can cause
deadlock in rdma, fc and loop drivers since nvme_stop_ctrl barriers
before controller teardown (and specifically I/O cancellation of the
scan_work itself) takes place, but the scan_work will be blocked anyways
so there is no need to flush it.

Instead, move scan_work flush to nvme_remove_namespaces() where it really
needs to flush.

Reported-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Reviewed by: James Smart <jsmart2021@gmail.com>
Tested-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2018-11-30 17:23:23 +01:00
Christoph Hellwig 14a1336e6f nvme: warn when finding multi-port subsystems without multipathing enabled
Without CONFIG_NVME_MULTIPATH enabled a multi-port subsystem might
show up as invididual devices and cause problems, warn about it.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
2018-11-30 17:23:22 +01:00
Colin Ian King 31ffa56383 fscache, cachefiles: remove redundant variable 'cache'
Variable 'cache' is being assigned but is never used hence it is
redundant and can be removed.

Cleans up clang warning:
warning: variable 'cache' set but not used [-Wunused-but-set-variable]

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2018-11-30 16:00:58 +00:00
Arnd Bergmann 34e06fe4d0 cachefiles: avoid deprecated get_seconds()
get_seconds() returns an unsigned long can overflow on some architectures
and is deprecated because of that. In cachefs, we cast that number to
a a 32-bit integer, which will overflow in year 2106 on all architectures.

As confirmed by David Howells, the overflow probably isn't harmful
in the end, since the timestamps are only used to make the file names
unique, but they don't strictly have to be in monotonically increasing
order since the files only exist in order to be deleted as quickly
as possible.

Moving to ktime_get_real_seconds() avoids the deprecated interface.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David Howells <dhowells@redhat.com>
2018-11-30 16:00:58 +00:00
Nathan Chancellor b7e768b7e3 cachefiles: Explicitly cast enumerated type in put_object
Clang warns when one enumerated type is implicitly converted to another.

fs/cachefiles/namei.c:247:50: warning: implicit conversion from
enumeration type 'enum cachefiles_obj_ref_trace' to different
enumeration type 'enum fscache_obj_ref_trace' [-Wenum-conversion]
        cache->cache.ops->put_object(&xobject->fscache,
cachefiles_obj_put_wait_retry);

Silence this warning by explicitly casting to fscache_obj_ref_trace,
which is also done in put_object.

Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2018-11-30 16:00:58 +00:00
NeilBrown c5a94f434c fscache: fix race between enablement and dropping of object
It was observed that a process blocked indefintely in
__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP
to be cleared via fscache_wait_for_deferred_lookup().

At this time, ->backing_objects was empty, which would normaly prevent
__fscache_read_or_alloc_page() from getting to the point of waiting.
This implies that ->backing_objects was cleared *after*
__fscache_read_or_alloc_page was was entered.

When an object is "killed" and then "dropped",
FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then
KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is
->backing_objects cleared.  This leaves a window where
something else can set FSCACHE_COOKIE_LOOKING_UP and
__fscache_read_or_alloc_page() can start waiting, before
->backing_objects is cleared

There is some uncertainty in this analysis, but it seems to be fit the
observations.  Adding the wake in this patch will be handled correctly
by __fscache_read_or_alloc_page(), as it checks if ->backing_objects
is empty again, after waiting.

Customer which reported the hang, also report that the hang cannot be
reproduced with this fix.

The backtrace for the blocked process looked like:

PID: 29360  TASK: ffff881ff2ac0f80  CPU: 3   COMMAND: "zsh"
 #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1
 #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed
 #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8
 #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e
 #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache]
 #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache]
 #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs]
 #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs]
 #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73
 #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs]
#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756
#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa
#12 [ffff881ff43eff18] sys_read at ffffffff811fda62
#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e

Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2018-11-30 15:57:31 +00:00
Maximilian Heyne 41e817bca3 fs: fix lost error code in dio_complete
commit e259221763 ("fs: simplify the
generic_write_sync prototype") reworked callers of generic_write_sync(),
and ended up dropping the error return for the directio path. Prior to
that commit, in dio_complete(), an error would be bubbled up the stack,
but after that commit, errors passed on to dio_complete were eaten up.

This was reported on the list earlier, and a fix was proposed in
https://lore.kernel.org/lkml/20160921141539.GA17898@infradead.org/, but
never followed up with.  We recently hit this bug in our testing where
fencing io errors, which were previously erroring out with EIO, were
being returned as success operations after this commit.

The fix proposed on the list earlier was a little short -- it would have
still called generic_write_sync() in case `ret` already contained an
error. This fix ensures generic_write_sync() is only called when there's
no pending error in the write. Additionally, transferred is replaced
with ret to bring this code in line with other callers.

Fixes: e259221763 ("fs: simplify the generic_write_sync prototype")
Reported-by: Ravi Nankani <rnankani@amazon.com>
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
CC: Torsten Mehlan <tomeh@amazon.de>
CC: Uwe Dannowski <uwed@amazon.de>
CC: Amit Shah <aams@amazon.de>
CC: David Woodhouse <dwmw@amazon.co.uk>
CC: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-11-30 08:35:14 -07:00
Steven Rostedt (VMware) 5cf99a0f31 tracing/fgraph: Fix set_graph_function from showing interrupts
The tracefs file set_graph_function is used to only function graph functions
that are listed in that file (or all functions if the file is empty). The
way this is implemented is that the function graph tracer looks at every
function, and if the current depth is zero and the function matches
something in the file then it will trace that function. When other functions
are called, the depth will be greater than zero (because the original
function will be at depth zero), and all functions will be traced where the
depth is greater than zero.

The issue is that when a function is first entered, and the handler that
checks this logic is called, the depth is set to zero. If an interrupt comes
in and a function in the interrupt handler is traced, its depth will be
greater than zero and it will automatically be traced, even if the original
function was not. But because the logic only looks at depth it may trace
interrupts when it should not be.

The recent design change of the function graph tracer to fix other bugs
caused the depth to be zero while the function graph callback handler is
being called for a longer time, widening the race of this happening. This
bug was actually there for a longer time, but because the race window was so
small it seldom happened. The Fixes tag below is for the commit that widen
the race window, because that commit belongs to a series that will also help
fix the original bug.

Cc: stable@kernel.org
Fixes: 39eb456dac ("function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack")
Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2018-11-29 22:09:00 -05:00
Zenghui Yu 0c7a52e4d4 tracepoint: Use __idx instead of idx in DO_TRACE macro to make it unique
After enabling KVM event tracing, almost all of trace_kvm_exit()'s
printk shows

	"kvm_exit: IRQ: ..."

even if the actual exception_type is NOT IRQ.  More specifically,
trace_kvm_exit() is defined in virt/kvm/arm/trace.h by TRACE_EVENT.

This slight problem may have existed after commit e6753f23d9
("tracepoint: Make rcuidle tracepoint callers use SRCU"). There are
two variables in trace_kvm_exit() and __DO_TRACE() which have the
same name, *idx*. Thus the actual value of *idx* will be overwritten
when tracing. Fix it by adding a simple prefix.

Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Wang Haibin <wanghaibin.wang@huawei.com>
Cc: linux-trace-devel@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: e6753f23d9 ("tracepoint: Make rcuidle tracepoint callers use SRCU")
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2018-11-29 22:08:38 -05:00
David Howells 73116df7bb afs: Use d_instantiate() rather than d_add() and don't d_drop()
Use d_instantiate() rather than d_add() and don't d_drop() in
afs_vnode_new_inode().  The dentry shouldn't be removed as it's not
changing its name.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
David Howells 4584ae96ae afs: Fix missing net error handling
kAFS can be given certain network errors (EADDRNOTAVAIL, EHOSTDOWN and
ERFKILL) that it doesn't handle in its server/address rotation algorithms.
They cause the probing and rotation to abort immediately rather than
rotating.

Fix this by:

 (1) Abstracting out the error prioritisation from the VL and FS rotation
     algorithms into a common function and expand usage into the server
     probing code.

     When multiple errors are available, this code selects the one we'd
     prefer to return.

 (2) Add handling for EADDRNOTAVAIL, EHOSTDOWN and ERFKILL.

Fixes: 0fafdc9f88 ("afs: Fix file locking")
Fixes: 0338747d8454 ("afs: Probe multiple fileservers simultaneously")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
David Howells ae3b7361dc afs: Fix validation/callback interaction
When afs_validate() is called to validate a vnode (inode), there are two
unhandled cases in the fastpath at the top of the function:

 (1) If the vnode is promised (AFS_VNODE_CB_PROMISED is set), the break
     counters match and the data has expired, then there's an implicit case
     in which the vnode needs revalidating.

     This has no consequences since the default "valid = false" set at the
     top of the function happens to do the right thing.

 (2) If the vnode is not promised and it hasn't been deleted
     (AFS_VNODE_DELETED is not set) then there's a default case we're not
     handling in which the vnode is invalid.  If the vnode is invalid, we
     need to bring cb_s_break and cb_v_break up to date before we refetch
     the status.

     As a consequence, once the server loses track of the client
     (ie. sufficient time has passed since we last sent it an operation),
     it will send us a CB.InitCallBackState* operation when we next try to
     talk to it.  This calls afs_init_callback_state() which increments
     afs_server::cb_s_break, but this then doesn't propagate to the
     afs_vnode record.

     The result being that every afs_validate() call thereafter sends a
     status fetch operation to the server.

Clarify and fix this by:

 (A) Setting valid in all the branches rather than initialising it at the
     top so that the compiler catches where we've missed.

 (B) Restructuring the logic in the 'promised' branch so that we set valid
     to false if the callback is due to expire (or has expired) and so that
     the final case is that the vnode is still valid.

 (C) Adding an else-statement that ups cb_s_break and cb_v_break if the
     promised and deleted cases don't match.

Fixes: c435ee3455 ("afs: Overhaul the callback handling")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-29 21:08:14 -05:00
Linus Torvalds 94f371cb73 ACPI fix for 4.20-rc5
Fix a recent regression in ACPICA releted to the Generic Serial Bus
 protocol handling and causing it to read or write too little or too
 much data in some cases, so incorrect data may be written to hardware
 as a result (Hans de Goede).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJcAE+KAAoJEILEb/54YlRxoDQP/RIGQDpBQa9AZ4Z0+t2Ehze7
 4WRXAIDJBbV8wz2VOJz1UFIdNvyBIldUZFs2MAdDpMywhuPorTx4SiHsrhQBwUao
 khwMEGvCwzSuAo1aUC/IF7asUB/JWwVp7RusHvExyIMEH4Ie9ZmFfCD9CffMj3ol
 0dq3EJxpCTWEeZkD7cSFRjfmcEXjsx1OKFY65thg5cJaaiNb9UFNMuOQyEVIDuwS
 Mr/NBvj6VsGEe1rNViJlI2N24NVx9mrkqpOol3SRL3N3g022iQlE9WqaA1NOkiWo
 gTaSifY8QHUCFsoZjTyO0rOxr0emQKIS2A0mRBCNBANdRgq98VkwVjStJCndSrKM
 TXJwiZuw0xDphqBUFoTqycE2wTI2RSKvs/WEGYHI0KsPm5MCjxeiDZYgieSx60P5
 j2V2YtOuB4n0q0gjtrEeCJDqtzXsbEBU6YBB1WuV9e5kdk6hePssLGg++bHn3yKX
 j9cKJFnM1FuS83Mgg+QMOUj9Dh2KBTFMsym3I7YQhkGsl3IzLFHtRDrSpdA6tyxQ
 b/q74xw3HbKqbZg/LZDecE+uYdo2abn9elEIu4wRFllFL0x6YiqXOaKEjSPB6l3s
 rm613/0gMSaAGPDFsSIISAMuqjbNbvvJXU45MXfo6XSZRhwP55lmGyxKYm+FhDRv
 fxz2nZMaaeHgdfLYmgsp
 =F3ad
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "Fix a recent regression in ACPICA releted to the Generic Serial Bus
  protocol handling and causing it to read or write too little or too
  much data in some cases, so incorrect data may be written to hardware
  as a result (Hans de Goede)"

* tag 'acpi-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPICA: Fix handling of buffer-size in acpi_ex_write_data_to_field()
2018-11-29 15:54:12 -08:00
Linus Torvalds 2f8406891f Power management fixes for 4.20-rc5
- Fix the handling of the "operating-points-v2" property to
    avoid failures if multiple phandles are present in it which
    is legitimate (Viresh Kumar).
 
  - Drop the unnecessary static initialization of the .owner field in
    the ti_opp_supply_driver structure (YueHaibing).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJcAE74AAoJEILEb/54YlRxE68P/3VlBcgCQv9u6kHhDi3qMEEI
 VcYtzE17ruUDIfV9IvifeOOYNT0/38nFN947f6QRFOxepsRhStDGAl7VHqfdNF63
 17MWlWD8ko+UUtatOCeHfDbVx+8ssXcAMV5VNu3+2PEb3qNh0C/uILlnQdxqWG2H
 YGo1RHrTMC3Hpavt9HPX6j6Q7wXVz397JdakqjPjp4K8cZzZemzTYzLST/KZrYFy
 th+DhIT7SbtB5WRziyVGalb+aMcLyq/CLOviwVn5NJdsoFHPnPQpYxMVdj3gcpTe
 4XHU225/T7KmDUT4arqhSNBB21b0admrQzmJjVrVHy4swK4xbJKkCE64daApBOlK
 rtpGy9/J5trm0H74OTt691yIT8TRwUrY8BwwHUpFbZD/k1wUQqSG35S88JPtpqmF
 W4Hc1dH4ktkW4foYX+9wZwHPEyTEFowx9u1otRZhBXLlCxGQwi1SPm8FyTifnERp
 KDReKDvA52+bNWwN2TuV3AWjv1oCfX2d5kn28ioVDIU8XRO5bKE67InD8HjIidUH
 cQEZ6Vcu9NAKvFia1h0ZeDr39gVvTSJnF7xU1GPI1D9APNvXkGh/Q5Fa9fr9MO8x
 k+KwxbOo6e3vt8qWIDGCjq8sFtPFCST5nMdl00VMo5t/9FBzClH03D4L0vYv6jjN
 5z8sYv/o1Ac5O6Ypw20Y
 =vxO4
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These fix two issues in the operating performance points (OPP)
  framework.

  Specifics:

   - Fix the handling of the "operating-points-v2" property to avoid
     failures if multiple phandles are present in it which is legitimate
     (Viresh Kumar).

   - Drop the unnecessary static initialization of the .owner field in
     the ti_opp_supply_driver structure (YueHaibing)"

* tag 'pm-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  OPP: Fix parsing of multiple phandles in "operating-points-v2" property
  opp: ti-opp-supply: Fix platform_no_drv_owner.cocci warnings
2018-11-29 15:07:30 -08:00
Leon Romanovsky 7bca603a69 RDMA/mlx5: Initialize return variable in case pagefault was skipped
Pagefaults occurred in non-ODP MR are completely valid events, so
initialize return variable to 0.

Fixes: 4d5422a309 ("IB/mlx5: Skip non-ODP MR when handling a page fault")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-11-29 15:16:45 -07:00
Kees Cook 89d328f637 pstore/ram: Correctly calculate usable PRZ bytes
The actual number of bytes stored in a PRZ is smaller than the
bytes requested by platform data, since there is a header on each
PRZ. Additionally, if ECC is enabled, there are trailing bytes used
as well. Normally this mismatch doesn't matter since PRZs are circular
buffers and the leading "overflow" bytes are just thrown away. However, in
the case of a compressed record, this rather badly corrupts the results.

This corruption was visible with "ramoops.mem_size=204800 ramoops.ecc=1".
Any stored crashes would not be uncompressable (producing a pstorefs
"dmesg-*.enc.z" file), and triggering errors at boot:

  [    2.790759] pstore: crypto_comp_decompress failed, ret = -22!

Backporting this depends on commit 70ad35db33 ("pstore: Convert console
write to use ->write_buf")

Reported-by: Joel Fernandes <joel@joelfernandes.org>
Fixes: b0aad7a99c ("pstore: Add compression support to pstore")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
2018-11-29 13:46:43 -08:00
Rafael J. Wysocki c4f7842682 Merge branch 'acpica-fixes'
* acpica-fixes:
  ACPICA: Fix handling of buffer-size in acpi_ex_write_data_to_field()
2018-11-29 21:21:39 +01:00
Linus Torvalds f92a2ebb3d selinux/stable-4.20 PR 20181129
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAlwAFUUUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXM7ThAAw1j+HSBNM4util2Ji5JZKjjThdVe
 ZS1Jji30H51lVl3PNOfIUd9Ep3jLVbQOQ40jFQ2B8LEjjITKQykHtp4p6raYAxbb
 yEJGeVikD+UZ0izHMj05uZRBNY5F09s6y1WGMz8EZ6NdSSQezW0CpBCvKN4FpyKQ
 LgHmW7oRccSBgs5IcW8bCX/aM1p+HsI8N508T8MbO3qDt4/0OU/6OM+NAE19WvYp
 HVrq/BfRgDoQSoz3XxW5bCa7r3GFtxYYtTUjVnqBiRcEk+u67JJ5iJMwiUos1kV3
 94iAedGB1cXL0+qgyyb7eaoemSWL2A8FqTwEOL0VoIvaGzW4HJmioIzYgOGd4ni6
 BzXHIfdDff3DDWZ+g/T0da6znDLJ+R6u9xETAXcQ+g15FZ0F1ZY+3lJGlQvYfIVY
 RGHlWB93NU/Y2vebeqaGDuQOTu8XXJfBBjlHNUi3NQbRZ0ITBduTGpwpyKA6Uuiz
 cqrNt7DECTPJzOAJNeZZ7Flhfto1KQvLnPacWzjv9S8Cj1cJn2uS97QPkEqYQVYe
 b5D2PprAXpP6hPq3+Roxe+tBL1G+9XjStNrL0xPLgbiQvGCcsoD0R1dEZAesyfLO
 ZQGBP+0O/lFyQwn8T3A9QKZRgZFcfVMyOGbQRCUs98XkH0gvbLyfBNzN72aEy0+I
 ADbhCoY7pfs1ZZs=
 =SyQy
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20181129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull SELinux fix from Paul Moore:
 "One more SELinux fix for v4.20: add some missing netlink message to
  SELinux permission mappings. The netlink messages were added in v4.19,
  but unfortunately we didn't catch it then because the mechanism to
  catch these things was bypassed.

  In addition to adding the mappings, we're adding some comments to the
  code to hopefully prevent bypasses in the future"

* tag 'selinux-pr-20181129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: add support for RTM_NEWCHAIN, RTM_DELCHAIN, and RTM_GETCHAIN
2018-11-29 10:15:06 -08:00
Linus Torvalds 3578f19143 s390 updates for 4.20-rc5
- Add two missing kfree calls on error paths in the vfio-ccw code
 
  - Make sure that all data structures of a mediated vfio-ccw device are
    initialized before registering it
 
  - Fix a sparse warning in vfio-ccw
 
  - A followup patch for the pgtable_bytes accounting, the page table
    downgrade for compat processes missed a mm_dec_nr_pmds()
 
  - Reject sampling requests in the PMU init function of the CPU
    measurement counter facility
 
  - With the vfio AP driver an AP queue needs to be reset on every device
    probe as the alternative driver could have modified the device state
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJb/9clAAoJEDjwexyKj9rgDFIIAMifOGVivY5Dq+PbS2YfVJAS
 QVMN6PZEyOZaLHk9rTxIFTAwaZ6i4i0vw01UOiE91VJkDz49wHenDiwaNELtVQrs
 57FkzbEuAhjKJ6DaWIr7bWgeaBFUlC+Z4mNxXFaNI2olzNncHhDJME7lPI/XoBvu
 zPlWBvliiNiaHAzLBDLw+zx1wyxyYjV+B8ZZ9HtH0xzHm3EOiRWpVsr2TbwePEmd
 yC6fTYoDUSJHZF9eoVZaJ0p1wSa8d6NfTE7a5TZOIv7yZQHWo0/tyN0wzyoWb0Oo
 7volx9/4BjbP7fBIkBN6LMPDNH8itTmrx6wdhekf+tElBj1iOOi27l8rcyTby00=
 =AgxV
 -----END PGP SIGNATURE-----

Merge tag 's390-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 updates from Martin Schwidefsky:

 - Add two missing kfree calls on error paths in the vfio-ccw code

 - Make sure that all data structures of a mediated vfio-ccw device are
   initialized before registering it

 - Fix a sparse warning in vfio-ccw

 - A followup patch for the pgtable_bytes accounting, the page table
   downgrade for compat processes missed a mm_dec_nr_pmds()

 - Reject sampling requests in the PMU init function of the CPU
   measurement counter facility

 - With the vfio AP driver an AP queue needs to be reset on every device
   probe as the alternative driver could have modified the device state

* tag 's390-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: correct pgtable_bytes on page table downgrade
  s390/zcrypt: reinit ap queue state machine during device probe
  s390/cpum_cf: Reject request for sampling in event initialization
  s390/cio: Fix cleanup when unsupported IDA format is used
  s390/cio: Fix cleanup of pfn_array alloc failure
  vfio: ccw: Register mediated device once all structures are initialized
  s390/cio: make vfio_ccw_io_region static
2018-11-29 10:10:42 -08:00
Linus Torvalds b905e2db5c sound fixes for 4.20-rc5
As a usual pattern, we've got relatively large updates at rc5.
 - A fix for races in ALSA control user elements
 - ASoC DAPM regression due to component refactoring
 - A fix in error handling of ASoC iteration macro
 - ASoC Intel SST Skylake kconfig fix; a new Kconfig will appear as a
   consequence, but in the end it's a good cleanup
 - HD-audio and USB-audio quirks as always
 - Assort of ASoC driver fixes (pcm186x, Intel cht, rockchip, pcm3060,
   rsnd, omap, wm_adsp, qcom, sunxi, stm32)
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlv+yaEOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE8rJRAAs3PHBkPy5xVd8bTFiWNPiMrts3GWjTMiQbPf
 oQcgfXjJFyAnsdIQlCGwF9dLCVCRQDGUqe1Uf01CCP/0yzY2aXjzNa8SF8Mxt2PZ
 F5AZs8BgQyMKNqHCvyFEUwrPTwhNj3APk19oBdB+lfU7alFf/JNkuBP3cnYASGeJ
 CybHJzRtPr8r12a46olttU7CqGC6twoNG84It6C+gfIvmG4Wqh0nHVVubLXpwCJG
 mDt/fgsCwXDfUD41mNZ2KjIufWWI1SHcHWSCP9xV8W9vcugH1AvD/DkvBp4JpGuG
 92emTcOVJNV3Xg5fOeL3wMmk8YiDtxezdQs0ZWKSDLINo8Q9jvfCHvFGW3fJI85y
 Fwwm8c2s/MYUEfyUyqbdNekFmQ9t4Gt+tjRKMjZhmj1N40CuyFQOC2kx4oF8J15Z
 7U8/eOQ6paUV+E2Tbrui5qsdt3IzV3YAAJwbVPXjqJQ26uxKwgNzd0oO1mGKUX5N
 f5h2EMb3mwCPwsxZR8Bi5NmSpCyUXNKDrUogauPjV1IX8x3vC5TpwrI9IWupUNQu
 oUOsJxc8Mp4qeufspfdaB3m/8nQJ66sxfLTMuagT7Iy007DfLP2V8xyjAbNtxwq4
 yg2/xTxpictFiAQ5h+Ignk96+aSS1VS77XFTVsyq3cYGRtw2ByUtffG1TUlBu9sg
 mAw9P7I=
 =GXsL
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "As a usual pattern, we've got relatively large updates at rc5:

   - A fix for races in ALSA control user elements

   - ASoC DAPM regression due to component refactoring

   - A fix in error handling of ASoC iteration macro

   - ASoC Intel SST Skylake kconfig fix; a new Kconfig will appear as a
     consequence, but in the end it's a good cleanup

   - HD-audio and USB-audio quirks as always

   - Assort of ASoC driver fixes (pcm186x, Intel cht, rockchip, pcm3060,
     rsnd, omap, wm_adsp, qcom, sunxi, stm32)"

* tag 'sound-4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (34 commits)
  ALSA: usb-audio: Add vendor and product name for Dell WD19 Dock
  ALSA: hda/realtek - Support ALC300
  ALSA: hda/realtek - Add auto-mute quirk for HP Spectre x360 laptop
  ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops
  ALSA: control: Fix race between adding and removing a user element
  ALSA: sparc: Fix invalid snd_free_pages() at error path
  ALSA: wss: Fix invalid snd_free_pages() at error path
  ALSA: hda/realtek - fix headset mic detection for MSI MS-B171
  ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist
  ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
  ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
  ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
  ASoC: omap-mcbsp: Fix latency value calculation for pm_qos
  ASoC: acpi: fix: continue searching when machine is ignored
  ASoC: Intel: Skylake: fix Kconfigs, make HDaudio codec optional
  MAINTAINERS: add ASoC maintainers for sound dt-bindings
  ASoC: pcm186x: Fix device reset-registers trigger value
  ASoC: dapm: Recalculate audio map forcely when card instantiated
  ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing
  ASoC: pcm3060: Rename output widgets
  ...
2018-11-29 10:03:42 -08:00
Linus Torvalds 9af33b5745 \n
-----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEq1nRK9aeMoq1VSgcnJ2qBz9kQNkFAlv/mEEACgkQnJ2qBz9k
 QNm0kggA8SckBccdUZqpjxohASx9crp+jJeor2TRYCwyVfqdbDjkCOfv9k7+ddD4
 D1qN/AEudQXPzr/DrjI0W9fnFG957FLo60RQ0aGwsq/3wfmzfMJ0qXIw2tyoqjIH
 VxFecL2f3TKMr5zU9N1QoxJVAMAo5LOGbXO+qNYgTaOJ0EBpw9kxK14ib9JOi+pQ
 CItZkAv4eOWMsA/AaRsWN7AGmsziwcMdoAZYRT2wiWdTmubYn66Negnffq2jVHjP
 /kYlFjNcgpsuTg1AiTM+JlBwctEeLm37PUyimip3cdYwu6HcfNmCHDjEIzN2YphJ
 twzAauTEr0bjNFiNWYraUPVHEcspNw==
 =kKDs
 -----END PGP SIGNATURE-----

Merge tag 'fixes_for_v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull ext2 and udf fixes from Jan Kara:
 "Three small ext2 and udf fixes"

* tag 'fixes_for_v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  ext2: fix potential use after free
  ext2: initialize opts.s_mount_opt as zero before using it
  udf: Allow mounting volumes with incorrect identification strings
2018-11-29 09:56:00 -08:00
Pan Bian 975ef94a02 pvcalls-front: fixes incorrect error handling
kfree() is incorrectly used to release the pages allocated by
__get_free_page() and __get_free_pages(). Use the matching deallocators
i.e., free_page() and free_pages(), respectively.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
2018-11-29 17:53:33 +01:00
Igor Druzhinin 123664101a Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
This reverts commit b3cf8528bb.

That commit unintentionally broke Xen balloon memory hotplug with
"hotplug_unpopulated" set to 1. As long as "System RAM" resource
got assigned under a new "Unusable memory" resource in IO/Mem tree
any attempt to online this memory would fail due to general kernel
restrictions on having "System RAM" resources as 1st level only.

The original issue that commit has tried to workaround fa564ad963
("x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f,
60-7f)") also got amended by the following 03a551734 ("x86/PCI: Move
and shrink AMD 64-bit window to avoid conflict") which made the
original fix to Xen ballooning unnecessary.

Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2018-11-29 17:53:31 +01:00
Srikanth Boddepalli 72791ac854 xen: xlate_mmu: add missing header to fix 'W=1' warning
Add a missing header otherwise compiler warns about missed prototype:

drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
  int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
      ^~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Srikanth Boddepalli <boddepalli.srikanth@gmail.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2018-11-29 17:53:27 +01:00
Juergen Gross a7b403104e xen/x86: add diagnostic printout to xen_mc_flush() in case of error
Failure of an element of a Xen multicall is signalled via a WARN()
only if the kernel is compiled with MC_DEBUG. It is impossible to
know which element failed and why it did so.

Change that by printing the related information even without MC_DEBUG,
even if maybe in some limited form (e.g. without information which
caller produced the failing element).

Move the printing out of the switch statement in order to have the
same information for a single call.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2018-11-29 17:53:16 +01:00
Masami Hiramatsu 874bfc6e54 arm64: ftrace: Fix to enable syscall events on arm64
Since commit 4378a7d4be ("arm64: implement syscall wrappers")
introduced "__arm64_" prefix to all syscall wrapper symbols in
sys_call_table, syscall tracer can not find corresponding
metadata from syscall name. In the result, we have no syscall
ftrace events on arm64 kernel, and some bpf testcases are failed
on arm64.

To fix this issue, this introduces custom
arch_syscall_match_sym_name() which skips first 8 bytes when
comparing the syscall and symbol names.

Fixes: 4378a7d4be ("arm64: implement syscall wrappers")
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-11-29 16:53:10 +00:00
Catalin Marinas ce8c80c536 arm64: Add workaround for Cortex-A76 erratum 1286807
On the affected Cortex-A76 cores (r0p0 to r3p0), if a virtual address
for a cacheable mapping of a location is being accessed by a core while
another core is remapping the virtual address to a new physical page
using the recommended break-before-make sequence, then under very rare
circumstances TLBI+DSB completes before a read using the translation
being invalidated has been observed by other observers. The workaround
repeats the TLBI+DSB operation and is shared with the Qualcomm Falkor
erratum 1009

Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2018-11-29 16:45:45 +00:00
Paul Moore 598e1a42e9 selinux: add support for RTM_NEWCHAIN, RTM_DELCHAIN, and RTM_GETCHAIN
Commit 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
added new RTM_* definitions without properly updating SELinux, this
patch adds the necessary SELinux support.

While there was a BUILD_BUG_ON() in the SELinux code to protect from
exactly this case, it was bypassed in the broken commit.  In order to
hopefully prevent this from happening in the future, add additional
comments which provide some instructions on how to resolve the
BUILD_BUG_ON() failures.

Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: <stable@vger.kernel.org> # 4.19
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-11-29 11:32:02 -05:00
Richard Genoud 77e75fda94 dmaengine: at_hdmac: fix module unloading
of_dma_controller_free() was not called on module onloading.
This lead to a soft lockup:
watchdog: BUG: soft lockup - CPU#0 stuck for 23s!
Modules linked in: at_hdmac [last unloaded: at_hdmac]
when of_dma_request_slave_channel() tried to call ofdma->of_dma_xlate().

Cc: stable@vger.kernel.org
Fixes: bbe89c8e3d ("at_hdmac: move to generic DMA binding")
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2018-11-29 19:49:41 +05:30
Richard Genoud 98f5f93225 dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
The leak was found when opening/closing a serial port a great number of
time, increasing kmalloc-32 in slabinfo.

Each time the port was opened, dma_request_slave_channel() was called.
Then, in at_dma_xlate(), atslave was allocated with devm_kzalloc() and
never freed. (Well, it was free at module unload, but that's not what we
want).
So, here, kzalloc is more suited for the job since it has to be freed in
atc_free_chan_resources().

Cc: stable@vger.kernel.org
Fixes: bbe89c8e3d ("at_hdmac: move to generic DMA binding")
Reported-by: Mario Forner <m.forner@be4energy.com>
Suggested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2018-11-29 19:49:41 +05:30
Greg Kroah-Hartman 96ae93b46d USB: fixes for v4.20-rc4
In this second set of fixes for the current -rc cycle, we have some
 regressions fixes for the old omap_udc driver done by Aaro Koskinen.
 
 We're also reverting an old patch on dwc3 which is, now, known to
 break USB certification in some cases.
 
 We have a fix on u_ether for an unsafe list iteration.
 -----BEGIN PGP SIGNATURE-----
 
 iQJRBAABCAA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAlv/quMdHGZlbGlwZS5i
 YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQZIZg//f3aKa9ndfOXfUI60
 GRN9orxj8qRnXhEP0AgjCH6tjdl0PzCcZFD2URkuQWtcbSDEvVzteirpWio4ysUX
 pD24Tl+KHX9Sv1HcdDSHoQXduoyxbsOactYRdPlY6AsBM4oRlvjEpGIFhk8Sk1+y
 8gCdL04Z5opCUi3grmXdzp7yBkThKNsJGzDnQO6sqp/S2LLjwnKDHjSwkxhq8aCu
 0qaRYm1IEWV7pUi1Vjy+1xacbEz6ag2nsergGsJRoT647Hizgx57k9EoT9Yhlhjt
 LQ/ZnCNp91hvZpjb7cnIx1bSv/wuIN4dlrRuP3chGXvOUYYXZStLGfmr7hROZ6BD
 /LhiO5RzLYNjruoktr/mlArLM14u3aPKh0H5mq1vyJ1HFUfcdcEvD379UrFEBaEO
 SEoPa/ZKifLQK3taQtU3nZLdhBUTmJWgXLtw9NqkMe8R5SuiUBQ2Rzc7XCrhhrBn
 xp/iQBYejsRNhGoK8cPz8/lqb4eO7gRMj6zmz57K/yU4VwKFoz2DY440/u10v6oH
 q+mtcBRQPq0bX25jdWi0LB3OGgSUObbZSCnpN2pUtKfN8RK7Sqv+ZTMlo82Mx56t
 OWhbef84y6HbIiiNXdD+1GwJNqaz7+JqTP4DpSpGtpHuujvj3d/A1PgWYFxAZ8LQ
 LW59BUmSCACC/BRQMrWY7+39xHc=
 =MIKU
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

USB: fixes for v4.20-rc4

In this second set of fixes for the current -rc cycle, we have some
regressions fixes for the old omap_udc driver done by Aaro Koskinen.

We're also reverting an old patch on dwc3 which is, now, known to
break USB certification in some cases.

We have a fix on u_ether for an unsafe list iteration.

* tag 'fixes-for-v4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb:
  usb: gadget: u_ether: fix unsafe list iteration
  USB: omap_udc: fix rejection of out transfers when DMA is used
  USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
  USB: omap_udc: fix omap_udc_start() on 15xx machines
  USB: omap_udc: fix crashes on probe error and module removal
  USB: omap_udc: use devm_request_irq()
  Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
2018-11-29 11:39:35 +01:00
Dexuan Cui c967590457 scsi: storvsc: Fix a race in sub-channel creation that can cause panic
We can concurrently try to open the same sub-channel from 2 paths:

path #1: vmbus_onoffer() -> vmbus_process_offer() -> handle_sc_creation().
path #2: storvsc_probe() -> storvsc_connect_to_vsp() ->
	 -> storvsc_channel_init() -> handle_multichannel_storage() ->
	 -> vmbus_are_subchannels_present() -> handle_sc_creation().

They conflict with each other, but it was not an issue before the recent
commit ae6935ed7d ("vmbus: split ring buffer allocation from open"),
because at the beginning of vmbus_open() we checked newchannel->state so
only one path could succeed, and the other would return with -EINVAL.

After ae6935ed7d, the failing path frees the channel's ringbuffer by
vmbus_free_ring(), and this causes a panic later.

Commit ae6935ed7d itself is good, and it just reveals the longstanding
race. We can resolve the issue by removing path #2, i.e. removing the
second vmbus_are_subchannels_present() in handle_multichannel_storage().

BTW, the comment "Check to see if sub-channels have already been created"
in handle_multichannel_storage() is incorrect: when we unload the driver,
we first close the sub-channel(s) and then close the primary channel, next
the host sends rescind-offer message(s) so primary->sc_list will become
empty. This means the first vmbus_are_subchannels_present() in
handle_multichannel_storage() is never useful.

Fixes: ae6935ed7d ("vmbus: split ring buffer allocation from open")
Cc: stable@vger.kernel.org
Cc: Long Li <longli@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-11-28 21:33:16 -05:00
Dave Airlie ebcdcef303 - mst: Don't try to validate ports while destroying them (Lyude)
- Revert: Don't try to validate ports while destroying them (Lyude)
 - core: Don't set device to master unless set_master succeeds (Sergio)
 - meson: Do vblank_on/off on enable/disable (Neil)
 - meson: Use fast_io regmap option to avoid sleeping in irq ctx (Lyude)
 - meson: Don't walk off the end of the OSD EOTF LUTs (Lyude)
 
 Cc: Lyude Paul <lyude@redhat.com>
 Cc: Sergio Correia <sergio@correia.cc>
 Cc: Neil Armstrong <narmstrong@baylibre.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEfxcpfMSgdnQMs+QqlvcN/ahKBwoFAlv/CEwACgkQlvcN/ahK
 Bwq5ewgAjvVOFwA1hhBH9tdtreAyqjYZV6RjQFxWznMiVbI8JDG95Xr81SORoCgA
 zi/XSX98u3YnV8C1YXfuL3FxMGNV69Jjx4ZNDzybrV5Namkcr8CBf31mx46mjzMP
 4YxfdVEHejlaZEmlm+IK5hJULgwObBwcZL3NmxSh31Uf3EFIIfBIYnE6J5sxLpCu
 y/LpGUTQqiIvT25ZG06rlUkCeFE4aO9PeTP7Ema7FoV7aXl7iO/n790r/9yIdrsD
 ft5Ybuug49cdsSj0jGJuNGcHwHXScN5xHKHN+/BHQySukTyYGgRJQd8X23TiI06F
 BJvU1mRKElfO2JtswGga3uIWgEoXXA==
 =SYWR
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2018-11-28-1' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

- mst: Don't try to validate ports while destroying them (Lyude)
- Revert: Don't try to validate ports while destroying them (Lyude)
- core: Don't set device to master unless set_master succeeds (Sergio)
- meson: Do vblank_on/off on enable/disable (Neil)
- meson: Use fast_io regmap option to avoid sleeping in irq ctx (Lyude)
- meson: Don't walk off the end of the OSD EOTF LUTs (Lyude)

Cc: Lyude Paul <lyude@redhat.com>
Cc: Sergio Correia <sergio@correia.cc>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128212936.GA21379@art_vandelay
2018-11-29 10:11:15 +10:00
Dave Airlie 50c1877127 Merge branch 'drm-fixes-4.20' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Fixes for 4.20.  Nothing major.
- DC DP MST fix
- GPUVM fix for huge page mapping
- RLC fix for vega20

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128195905.2897-1-alexander.deucher@amd.com
2018-11-29 10:08:14 +10:00
Dave Airlie 5c1c86031e Merge tag 'drm-intel-fixes-2018-11-28' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
Just gvt-fixes-2018-11-26

""One to correct MOCS registers load on engine list, one for rpm lock
warning fix, and another for use-after-free fix for partial ggtt
list destroy. "

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128180648.GA17585@jlahtine-desk.ger.corp.intel.com
2018-11-29 09:59:26 +10:00
Dave Airlie c5fbf9ebe0 R-Car DU v4.20 regression fix
-----BEGIN PGP SIGNATURE-----
 
 iQJWBAABCgBAFiEEvZRkio5H7O2/GZsYYiVdKZ4oCyQFAlv7sqoiHGxhdXJlbnQu
 cGluY2hhcnRAaWRlYXNvbmJvYXJkLmNvbQAKCRBiJV0pnigLJOs8D/wPpE41qBLk
 S97doZUPGfb4J5HC+7EqiSyzuQ/f0xYT1bNzKlxeU8FJQtXaph7vsGK9t1N59+/1
 vrqp7sAlKVf6hSaoL85GhWev33oZPtqKL7M6n0a5np5o7unYz+Y68vpPQiAL6MHn
 X4+o9OxEUM8ztuioI5fumtiYhY1fvv19Hhkkgo7FnO8cA48qaf2A6PVrnxM58NJC
 OY2bCHZPKgSp/jPgT8z+ARHo/AZyouBarCruriSLtUSurBm1bSlUCjk83tUUl4TL
 yH4vv4TZ4wprZRg3Xa9NoyPEUSZNkE6Z3Sy1gYldvW6fJEIqRwUXkFB85QOZsmKr
 WgvBbEMJcwQyw0fT4fNZGnuBgTrt0F4vcT86QPom8/499L4RMmMJ5yOA/HQtUclJ
 +yiREv6AB/qmIyBV+w/56+41tUmP+DkdkIf3ryveGjAfS6amVdxrt6nMMPU4ck2x
 FGJUmH+vavgTWO9eA+1bqiK9VUzYY1RUd3xt8tU3cNfhMAbf3g1tGc0mQzueS676
 dLYo9Hy4L+dJhkORB3L4lbcKQPlkzFD0TREn2zmivmG9BHKoVwhOjEk68FpVnkwZ
 P8YHIUze+AntNB4gq27iUx0oI/dVvufAouk98JGv/m17qi+MneySH6J+FovXE8Qu
 1/eSMk1W7UFgjVA57s9D77B/aUCrmePikw==
 =GJBo
 -----END PGP SIGNATURE-----

Merge tag 'du-fixes-20181126' of git://linuxtv.org/pinchartl/media into drm-fixes

R-Car DU v4.20 regression fix

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/8134504.ZSXK7gKU4H@avalon
2018-11-29 09:58:40 +10:00
Cathy Avery 02f425f811 scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload
Currently pvscsi_remove calls free_irq more than once as
pvscsi_release_resources and __pvscsi_shutdown both call
pvscsi_shutdown_intr. This results in a 'Trying to free already-free IRQ'
warning and stack trace. To solve the problem pvscsi_shutdown_intr has been
moved out of pvscsi_release_resources.

Signed-off-by: Cathy Avery <cavery@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-11-28 18:55:57 -05:00
Y.C. Chen 3006256203 drm/ast: fixed reading monitor EDID not stable issue
v1: over-sample data to increase the stability with some specific monitors
v2: refine to avoid infinite loop
v3: remove un-necessary "volatile" declaration

[airlied: fix two checkpatch warnings]

Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com
2018-11-29 09:55:55 +10:00
Sam Bobroff dc25ab0676 drm/ast: Fix incorrect free on ioregs
If the platform has no IO space, ioregs is placed next to the already
allocated regs. In this case, it should not be separately freed.

This prevents a kernel warning from __vunmap "Trying to vfree()
nonexistent vm area" when unloading the driver.

Fixes: 0dd68309b9 ("drm/ast: Try to use MMIO registers when PIO isn't supported")

Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2018-11-29 09:41:11 +10:00
Fred Herard 5db6dd14b3 scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset
This commit addresses NULL pointer dereference in iscsi_eh_session_reset.
Reference should not be made to session->leadconn when session->state is
set to ISCSI_STATE_TERMINATE.

Signed-off-by: Fred Herard <fred.herard@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-11-28 18:38:22 -05:00
Lyude Paul 9765635b30 Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
This reverts commit:

c54c7374ff ("drm/dp_mst: Skip validating ports during destruction, just ref")

ugh.

In drm_dp_destroy_connector_work(), we have a pretty good chance of
freeing the actual struct drm_dp_mst_port. However, after destroying
things we send a hotplug through (*mgr->cbs->hotplug)(mgr) which is
where the problems start.

For i915, this calls all the way down to the fbcon probing helpers,
which start trying to access the port in a modeset.

[   45.062001] ==================================================================
[   45.062112] BUG: KASAN: use-after-free in ex_handler_refcount+0x146/0x180
[   45.062196] Write of size 4 at addr ffff8882b4b70968 by task kworker/3:1/53

[   45.062325] CPU: 3 PID: 53 Comm: kworker/3:1 Kdump: loaded Tainted: G           O      4.20.0-rc4Lyude-Test+ #3
[   45.062442] Hardware name: LENOVO 20BWS1KY00/20BWS1KY00, BIOS JBET71WW (1.35 ) 09/14/2018
[   45.062554] Workqueue: events drm_dp_destroy_connector_work [drm_kms_helper]
[   45.062641] Call Trace:
[   45.062685]  dump_stack+0xbd/0x15a
[   45.062735]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[   45.062801]  ? printk+0x9f/0xc5
[   45.062847]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   45.062909]  ? ex_handler_refcount+0x146/0x180
[   45.062970]  print_address_description+0x71/0x239
[   45.063036]  ? ex_handler_refcount+0x146/0x180
[   45.063095]  kasan_report.cold.5+0x242/0x30b
[   45.063155]  __asan_report_store4_noabort+0x1c/0x20
[   45.063313]  ex_handler_refcount+0x146/0x180
[   45.063371]  ? ex_handler_clear_fs+0xb0/0xb0
[   45.063428]  fixup_exception+0x98/0xd7
[   45.063484]  ? raw_notifier_call_chain+0x20/0x20
[   45.063548]  do_trap+0x6d/0x210
[   45.063605]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063732]  do_error_trap+0xc0/0x170
[   45.063802]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.063929]  do_invalid_op+0x3b/0x50
[   45.063997]  ? _GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064103]  invalid_op+0x14/0x20
[   45.064162] RIP: 0010:_GLOBAL__sub_I_65535_1_drm_dp_aux_unregister_devnode+0x2f/0x1c6 [drm_kms_helper]
[   45.064274] Code: 00 48 c7 c7 80 fe 53 a0 48 89 e5 e8 5b 6f 26 e1 5d c3 48 8d 0e 0f 0b 48 8d 0b 0f 0b 48 8d 0f 0f 0b 48 8d 0f 0f 0b 49 8d 4d 00 <0f> 0b 49 8d 0e 0f 0b 48 8d 08 0f 0b 49 8d 4d 00 0f 0b 48 8d 0b 0f
[   45.064569] RSP: 0018:ffff8882b789ee10 EFLAGS: 00010282
[   45.064637] RAX: ffff8882af47ae70 RBX: ffff8882af47aa60 RCX: ffff8882b4b70968
[   45.064723] RDX: ffff8882af47ae70 RSI: 0000000000000008 RDI: ffff8882b788bdb8
[   45.064808] RBP: ffff8882b789ee28 R08: ffffed1056f13db4 R09: ffffed1056f13db3
[   45.064894] R10: ffffed1056f13db3 R11: ffff8882b789ed9f R12: ffff8882af47ad28
[   45.064980] R13: ffff8882b4b70968 R14: ffff8882acd86728 R15: ffff8882b4b75dc8
[   45.065084]  drm_dp_mst_reset_vcpi_slots+0x12/0x80 [drm_kms_helper]
[   45.065225]  intel_mst_disable_dp+0xda/0x180 [i915]
[   45.065361]  intel_encoders_disable.isra.107+0x197/0x310 [i915]
[   45.065498]  haswell_crtc_disable+0xbe/0x400 [i915]
[   45.065622]  ? i9xx_disable_plane+0x1c0/0x3e0 [i915]
[   45.065750]  intel_atomic_commit_tail+0x74e/0x3e60 [i915]
[   45.065884]  ? intel_pre_plane_update+0xbc0/0xbc0 [i915]
[   45.065968]  ? drm_atomic_helper_swap_state+0x88b/0x1d90 [drm_kms_helper]
[   45.066054]  ? kasan_check_write+0x14/0x20
[   45.066165]  ? i915_gem_track_fb+0x13a/0x330 [i915]
[   45.066277]  ? i915_sw_fence_complete+0xe9/0x140 [i915]
[   45.066406]  ? __i915_sw_fence_complete+0xc50/0xc50 [i915]
[   45.066540]  intel_atomic_commit+0x72e/0xef0 [i915]
[   45.066635]  ? drm_dev_dbg+0x200/0x200 [drm]
[   45.066764]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.066898]  ? intel_atomic_commit_tail+0x3e60/0x3e60 [i915]
[   45.067001]  drm_atomic_commit+0xc4/0xf0 [drm]
[   45.067074]  restore_fbdev_mode_atomic+0x562/0x780 [drm_kms_helper]
[   45.067166]  ? drm_fb_helper_debug_leave+0x690/0x690 [drm_kms_helper]
[   45.067249]  ? kasan_check_read+0x11/0x20
[   45.067324]  restore_fbdev_mode+0x127/0x4b0 [drm_kms_helper]
[   45.067364]  ? kasan_check_read+0x11/0x20
[   45.067406]  drm_fb_helper_restore_fbdev_mode_unlocked+0x164/0x200 [drm_kms_helper]
[   45.067462]  ? drm_fb_helper_hotplug_event+0x30/0x30 [drm_kms_helper]
[   45.067508]  ? kasan_check_write+0x14/0x20
[   45.070360]  ? mutex_unlock+0x22/0x40
[   45.073748]  drm_fb_helper_set_par+0xb2/0xf0 [drm_kms_helper]
[   45.075846]  drm_fb_helper_hotplug_event.part.33+0x1cd/0x290 [drm_kms_helper]
[   45.078088]  drm_fb_helper_hotplug_event+0x1c/0x30 [drm_kms_helper]
[   45.082614]  intel_fbdev_output_poll_changed+0x9f/0x140 [i915]
[   45.087069]  drm_kms_helper_hotplug_event+0x67/0x90 [drm_kms_helper]
[   45.089319]  intel_dp_mst_hotplug+0x37/0x50 [i915]
[   45.091496]  drm_dp_destroy_connector_work+0x510/0x6f0 [drm_kms_helper]
[   45.093675]  ? drm_dp_update_payload_part1+0x1220/0x1220 [drm_kms_helper]
[   45.095851]  ? kasan_check_write+0x14/0x20
[   45.098473]  ? kasan_check_read+0x11/0x20
[   45.101155]  ? strscpy+0x17c/0x530
[   45.103808]  ? __switch_to_asm+0x34/0x70
[   45.106456]  ? syscall_return_via_sysret+0xf/0x7f
[   45.109711]  ? read_word_at_a_time+0x20/0x20
[   45.113138]  ? __switch_to_asm+0x40/0x70
[   45.116529]  ? __switch_to_asm+0x34/0x70
[   45.119891]  ? __switch_to_asm+0x40/0x70
[   45.123224]  ? __switch_to_asm+0x34/0x70
[   45.126540]  ? __switch_to_asm+0x34/0x70
[   45.129824]  process_one_work+0x88d/0x15d0
[   45.133172]  ? pool_mayday_timeout+0x850/0x850
[   45.136459]  ? pci_mmcfg_check_reserved+0x110/0x128
[   45.139739]  ? wake_q_add+0xb0/0xb0
[   45.143010]  ? check_preempt_wakeup+0x652/0x1050
[   45.146304]  ? worker_enter_idle+0x29e/0x740
[   45.149589]  ? __schedule+0x1ec0/0x1ec0
[   45.152937]  ? kasan_check_read+0x11/0x20
[   45.156179]  ? _raw_spin_lock_irq+0xa3/0x130
[   45.159382]  ? _raw_read_unlock_irqrestore+0x30/0x30
[   45.162542]  ? kasan_check_write+0x14/0x20
[   45.165657]  worker_thread+0x1a5/0x1470
[   45.168725]  ? set_load_weight+0x2e0/0x2e0
[   45.171755]  ? process_one_work+0x15d0/0x15d0
[   45.174806]  ? __switch_to_asm+0x34/0x70
[   45.177645]  ? __switch_to_asm+0x40/0x70
[   45.180323]  ? __switch_to_asm+0x34/0x70
[   45.182936]  ? __switch_to_asm+0x40/0x70
[   45.185539]  ? __switch_to_asm+0x34/0x70
[   45.188100]  ? __switch_to_asm+0x40/0x70
[   45.190628]  ? __schedule+0x7d4/0x1ec0
[   45.193143]  ? save_stack+0xa9/0xd0
[   45.195632]  ? kasan_check_write+0x10/0x20
[   45.198162]  ? kasan_kmalloc+0xc4/0xe0
[   45.200609]  ? kmem_cache_alloc_trace+0xdd/0x190
[   45.203046]  ? kthread+0x9f/0x3b0
[   45.205470]  ? ret_from_fork+0x35/0x40
[   45.207876]  ? unwind_next_frame+0x43/0x50
[   45.210273]  ? __save_stack_trace+0x82/0x100
[   45.212658]  ? deactivate_slab.isra.67+0x3d4/0x580
[   45.215026]  ? default_wake_function+0x35/0x50
[   45.217399]  ? kasan_check_read+0x11/0x20
[   45.219825]  ? _raw_spin_lock_irqsave+0xae/0x140
[   45.222174]  ? __lock_text_start+0x8/0x8
[   45.224521]  ? replenish_dl_entity.cold.62+0x4f/0x4f
[   45.226868]  ? __kthread_parkme+0x87/0xf0
[   45.229200]  kthread+0x2f7/0x3b0
[   45.231557]  ? process_one_work+0x15d0/0x15d0
[   45.233923]  ? kthread_park+0x120/0x120
[   45.236249]  ret_from_fork+0x35/0x40

[   45.240875] Allocated by task 242:
[   45.243136]  save_stack+0x43/0xd0
[   45.245385]  kasan_kmalloc+0xc4/0xe0
[   45.247597]  kmem_cache_alloc_trace+0xdd/0x190
[   45.249793]  drm_dp_add_port+0x1e0/0x2170 [drm_kms_helper]
[   45.252000]  drm_dp_send_link_address+0x4a7/0x740 [drm_kms_helper]
[   45.254389]  drm_dp_check_and_send_link_address+0x1a7/0x210 [drm_kms_helper]
[   45.256803]  drm_dp_mst_link_probe_work+0x6f/0xb0 [drm_kms_helper]
[   45.259200]  process_one_work+0x88d/0x15d0
[   45.261597]  worker_thread+0x1a5/0x1470
[   45.264038]  kthread+0x2f7/0x3b0
[   45.266371]  ret_from_fork+0x35/0x40

[   45.270937] Freed by task 53:
[   45.273170]  save_stack+0x43/0xd0
[   45.275382]  __kasan_slab_free+0x139/0x190
[   45.277604]  kasan_slab_free+0xe/0x10
[   45.279826]  kfree+0x99/0x1b0
[   45.282044]  drm_dp_free_mst_port+0x4a/0x60 [drm_kms_helper]
[   45.284330]  drm_dp_destroy_connector_work+0x43e/0x6f0 [drm_kms_helper]
[   45.286660]  process_one_work+0x88d/0x15d0
[   45.288934]  worker_thread+0x1a5/0x1470
[   45.291231]  kthread+0x2f7/0x3b0
[   45.293547]  ret_from_fork+0x35/0x40

[   45.298206] The buggy address belongs to the object at ffff8882b4b70968
                which belongs to the cache kmalloc-2k of size 2048
[   45.303047] The buggy address is located 0 bytes inside of
                2048-byte region [ffff8882b4b70968, ffff8882b4b71168)
[   45.308010] The buggy address belongs to the page:
[   45.310477] page:ffffea000ad2dc00 count:1 mapcount:0 mapping:ffff8882c080cf40 index:0x0 compound_mapcount: 0
[   45.313051] flags: 0x8000000000010200(slab|head)
[   45.315635] raw: 8000000000010200 ffffea000aac2808 ffffea000abe8608 ffff8882c080cf40
[   45.318300] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[   45.320966] page dumped because: kasan: bad access detected

[   45.326312] Memory state around the buggy address:
[   45.329085]  ffff8882b4b70800: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.331845]  ffff8882b4b70880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.334584] >ffff8882b4b70900: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
[   45.337302]                                                           ^
[   45.340061]  ffff8882b4b70980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.342910]  ffff8882b4b70a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.345748] ==================================================================

So, this definitely isn't a fix that we want. This being said; there's
no real easy fix for this problem because of some of the catch-22's of
the MST helpers current design. For starters; we always need to validate
a port with drm_dp_get_validated_port_ref(), but validation relies on
the lifetime of the port in the actual topology. So once the port is
gone, it can't be validated again.

If we were to try to make the payload helpers not use port validation,
then we'd cause another problem: if the port isn't validated, it could
be freed and we'd just start causing more KASAN issues. There are
already hacks that attempt to workaround this in
drm_dp_mst_destroy_connector_work() by re-initializing the kref so that
it can be used again and it's memory can be freed once the VCPI helpers
finish removing the port's respective payloads. But none of these really
do anything helpful since the port still can't be validated since it's
gone from the topology. Also, that workaround is immensely confusing to
read through.

What really needs to be done in order to fix this is to teach DRM how to
track the lifetime of the structs for MST ports and branch devices
separately from their lifetime in the actual topology. Simply put; this
means having two different krefs-one that removes the port/branch device
from the topology, and one that finally calls kfree(). This would let us
simplify things, since we'd now be able to keep ports around without
having to keep them in the topology at the same time, which is exactly
what we need in order to teach our VCPI helpers to only validate ports
when it's actually necessary without running the risk of trying to use
unallocated memory.

Such a fix is on it's way, but for now let's play it safe and just
revert this. If this bug has been around for well over a year, we can
wait a little while to get an actual proper fix here.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: c54c7374ff ("drm/dp_mst: Skip validating ports during destruction, just ref")
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Sean Paul <sean@poorly.run>
Cc: Jerry Zuo <Jerry.Zuo@amd.com>
Cc: Harry Wentland <Harry.Wentland@amd.com>
Cc: stable@vger.kernel.org # v4.6+
Acked-by: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20181128210005.24434-1-lyude@redhat.com
2018-11-28 16:22:17 -05:00
Linus Torvalds 60b548237f Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) ARM64 JIT fixes for subprog handling from Daniel Borkmann.

 2) Various sparc64 JIT bug fixes (fused branch convergance, frame
    pointer usage detection logic, PSEODU call argument handling).

 3) Fix to use BH locking in nf_conncount, from Taehee Yoo.

 4) Fix race of TX skb freeing in ipheth driver, from Bernd Eckstein.

 5) Handle return value of TX NAPI completion properly in lan743x
    driver, from Bryan Whitehead.

 6) MAC filter deletion in i40e driver clears wrong state bit, from
    Lihong Yang.

 7) Fix use after free in rionet driver, from Pan Bian.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (53 commits)
  s390/qeth: fix length check in SNMP processing
  net: hisilicon: remove unexpected free_netdev
  rapidio/rionet: do not free skb before reading its length
  i40e: fix kerneldoc for xsk methods
  ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
  i40e: Fix deletion of MAC filters
  igb: fix uninitialized variables
  netfilter: nf_tables: deactivate expressions in rule replecement routine
  lan743x: Enable driver to work with LAN7431
  tipc: fix lockdep warning during node delete
  lan743x: fix return value for lan743x_tx_napi_poll
  net: via: via-velocity: fix spelling mistake "alignement" -> "alignment"
  qed: fix spelling mistake "attnetion" -> "attention"
  net: thunderx: fix NULL pointer dereference in nic_remove
  sctp: increase sk_wmem_alloc when head->truesize is increased
  firestream: fix spelling mistake: "Inititing" -> "Initializing"
  net: phy: add workaround for issue where PHY driver doesn't bind to the device
  usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
  sparc: Adjust bpf JIT prologue for PSEUDO calls.
  bpf, doc: add entries of who looks over which jits
  ...
2018-11-28 12:53:48 -08:00