Navid Emamdoost [Fri, 4 Oct 2019 20:16:48 +0000 (15:16 -0500)]
mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring
[ Upstream commit
d10dcb615c8e29d403a24d35f8310a7a53e3050c ]
In mwifiex_pcie_init_evt_ring, a new skb is allocated which should be
released if mwifiex_map_pci_memory() fails. The release for skb and
card->evtbd_ring_vbase is added.
Fixes: 0732484b47b5 ("mwifiex: separate ring initialization and ring creation routines")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Acked-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Paul Burton [Tue, 1 Oct 2019 21:53:38 +0000 (21:53 +0000)]
MIPS: futex: Emit Loongson3 sync workarounds within asm
[ Upstream commit
3c1d3f0979721a39dd2980c97466127ce65aa130 ]
Generate the sync instructions required to workaround Loongson3 LL/SC
errata within inline asm blocks, which feels a little safer than doing
it from C where strictly speaking the compiler would be well within its
rights to insert a memory access between the separate asm statements we
previously had, containing sync & ll instructions respectively.
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: linux-mips@vger.kernel.org
Cc: Huacai Chen <chenhc@lemote.com>
Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Oak Zeng [Fri, 4 Oct 2019 14:28:21 +0000 (09:28 -0500)]
drm/amdkfd: Fix MQD size calculation
[ Upstream commit
40a9592a26608e16f7545a068ea4165e1869f629 ]
On device initialization, a chunk of GTT memory is pre-allocated for
HIQ and all SDMA queues mqd. The size of this allocation was wrong.
The correct sdma engine number should be PCIe-optimized SDMA engine
number plus xgmi SDMA engine number.
Reported-by: Jonathan Kim <Jonathan.Kim@amd.com>
Signed-off-by: Jonathan Kim <Jonathan.Kim@amd.com>
Signed-off-by: Oak Zeng <Oak.Zeng@amd.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bart Van Assche [Mon, 30 Sep 2019 23:00:41 +0000 (16:00 -0700)]
block: Fix writeback throttling W=1 compiler warnings
[ Upstream commit
1d200e9d6f635ae894993a7d0f1b9e0b6e522e3b ]
Fix the following compiler warnings:
In file included from ./include/linux/bitmap.h:9,
from ./include/linux/cpumask.h:12,
from ./arch/x86/include/asm/cpumask.h:5,
from ./arch/x86/include/asm/msr.h:11,
from ./arch/x86/include/asm/processor.h:21,
from ./arch/x86/include/asm/cpufeature.h:5,
from ./arch/x86/include/asm/thread_info.h:53,
from ./include/linux/thread_info.h:38,
from ./arch/x86/include/asm/preempt.h:7,
from ./include/linux/preempt.h:78,
from ./include/linux/spinlock.h:51,
from ./include/linux/mmzone.h:8,
from ./include/linux/gfp.h:6,
from ./include/linux/mm.h:10,
from ./include/linux/bvec.h:13,
from ./include/linux/blk_types.h:10,
from block/blk-wbt.c:23:
In function 'strncpy',
inlined from 'perf_trace_wbt_stat' at ./include/trace/events/wbt.h:15:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'perf_trace_wbt_lat' at ./include/trace/events/wbt.h:58:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'perf_trace_wbt_step' at ./include/trace/events/wbt.h:87:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'perf_trace_wbt_timer' at ./include/trace/events/wbt.h:126:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'trace_event_raw_event_wbt_stat' at ./include/trace/events/wbt.h:15:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'trace_event_raw_event_wbt_lat' at ./include/trace/events/wbt.h:58:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'trace_event_raw_event_wbt_timer' at ./include/trace/events/wbt.h:126:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'strncpy',
inlined from 'trace_event_raw_event_wbt_step' at ./include/trace/events/wbt.h:87:1:
./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
return __builtin_strncpy(p, q, size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Fixes: e34cbd307477 ("blk-wbt: add general throttling mechanism"; v4.10).
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Daniel T. Lee [Sat, 5 Oct 2019 08:25:07 +0000 (17:25 +0900)]
samples: pktgen: fix proc_cmd command result check logic
[ Upstream commit
3cad8f911575191fb3b81d8ed0e061e30f922223 ]
Currently, proc_cmd is used to dispatch command to 'pg_ctrl', 'pg_thread',
'pg_set'. proc_cmd is designed to check command result with grep the
"Result:", but this might fail since this string is only shown in
'pg_thread' and 'pg_set'.
This commit fixes this logic by grep-ing the "Result:" string only when
the command is not for 'pg_ctrl'.
For clarity of an execution flow, 'errexit' flag has been set.
To cleanup pktgen on exit, trap has been added for EXIT signal.
Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Matthias Kaehlcke [Wed, 2 Oct 2019 19:44:06 +0000 (12:44 -0700)]
drm/bridge: dw-hdmi: Refuse DDC/CI transfers on the internal I2C controller
[ Upstream commit
bee447e224b2645911c5d06e35dc90d8433fcef6 ]
The DDC/CI protocol involves sending a multi-byte request to the
display via I2C, which is typically followed by a multi-byte
response. The internal I2C controller only allows single byte
reads/writes or reads of 8 sequential bytes, hence DDC/CI is not
supported when the internal I2C controller is used. The I2C
transfers complete without errors, however the data in the response
is garbage. Abort transfers to/from slave address 0x37 (DDC) with
-EOPNOTSUPP, to make it evident that the communication is failing.
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Sean Paul <sean@poorly.run>
Acked-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191002124354.v2.1.I709dfec496f5f0b44a7b61dcd4937924da8d8382@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
Neil Armstrong [Fri, 4 Oct 2019 14:47:19 +0000 (11:47 -0300)]
media: meson/ao-cec: move cec_notifier_cec_adap_register after hw setup
[ Upstream commit
3e84a18a259e1df35e5b549ab92ec3baf82ff010 ]
When probed after the HDMI notifier, calling cec_notifier_cec_adap_register()
calls the enable() adapter callback, but the HW is not yet set up.
Moving cec_notifier_cec_adap_register() right before cec_register_adapter()
fixes the following crash:
Ignoring spurious kernel translation fault at virtual address
0000000000000008
[...]
Hardware name: Khadas VIM (DT)
[...]
pc : __do_kernel_fault+0xdc/0x120
lr : __do_kernel_fault+0xdc/0x120
[...]
Call trace:
__do_kernel_fault+0xdc/0x120
do_page_fault+0x180/0x458
do_translation_fault+0x64/0x70
do_mem_abort+0x3c/0x98
el1_da+0x20/0x94
meson_ao_cec_adap_enable+0x30/0x218 [ao_cec]
__cec_s_phys_addr+0x184/0x270
cec_s_phys_addr+0x44/0x60
cec_notifier_cec_adap_register+0x68/0x90
meson_ao_cec_probe+0xb0/0x288 [ao_cec]
[...]
el0_svc_compat+0x8/0x10
Reported-by: Christian Hewitt <christianshewitt@gmail.com>
Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 20958f9d5c48 ("media: meson/ao-cec: use cec_notifier_cec_adap_(un)register")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans Verkuil [Tue, 1 Oct 2019 07:56:38 +0000 (04:56 -0300)]
media: cec-funcs.h: add status_req checks
[ Upstream commit
9b211f9c5a0b67afc435b86f75d78273b97db1c5 ]
The CEC_MSG_GIVE_DECK_STATUS and CEC_MSG_GIVE_TUNER_DEVICE_STATUS commands
both have a status_req argument: ON, OFF, ONCE. If ON or ONCE, then the
follower will reply with a STATUS message. Either once or whenever the
status changes (status_req == ON).
If status_req == OFF, then it will stop sending continuous status updates,
but the follower will *not* send a STATUS message in that case.
This means that if status_req == OFF, then msg->reply should be 0 as well
since no reply is expected in that case.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yang Yingliang [Tue, 24 Sep 2019 09:49:04 +0000 (06:49 -0300)]
media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init()
[ Upstream commit
649cd16c438f51d4cd777e71ca1f47f6e0c5e65d ]
If usb_set_interface() failed, iface->cur_altsetting will
not be assigned and it will be used in flexcop_usb_transfer_init()
It may lead a NULL pointer dereference.
Check usb_set_interface() return value in flexcop_usb_init()
and return failed to avoid using this NULL pointer.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alan Stern [Fri, 6 Sep 2019 20:57:22 +0000 (16:57 -0400)]
tools/memory-model: Fix data race detection for unordered store and load
[ Upstream commit
daebf24a8e8c6064cba3a330db9fe9376a137d2c ]
Currently the Linux Kernel Memory Model gives an incorrect response
for the following litmus test:
C plain-WWC
{}
P0(int *x)
{
WRITE_ONCE(*x, 2);
}
P1(int *x, int *y)
{
int r1;
int r2;
int r3;
r1 = READ_ONCE(*x);
if (r1 == 2) {
smp_rmb();
r2 = *x;
}
smp_rmb();
r3 = READ_ONCE(*x);
WRITE_ONCE(*y, r3 - 1);
}
P2(int *x, int *y)
{
int r4;
r4 = READ_ONCE(*y);
if (r4 > 0)
WRITE_ONCE(*x, 1);
}
exists (x=2 /\ 1:r2=2 /\ 2:r4=1)
The memory model says that the plain read of *x in P1 races with the
WRITE_ONCE(*x) in P2.
The problem is that we have a write W and a read R related by neither
fre or rfe, but rather W ->coe W' ->rfe R, where W' is an intermediate
write (the WRITE_ONCE() in P0). In this situation there is no
particular ordering between W and R, so either a wr-vis link from W to
R or an rw-xbstar link from R to W would prove that the accesses
aren't concurrent.
But the LKMM only looks for a wr-vis link, which is equivalent to
assuming that W must execute before R. This is not necessarily true
on non-multicopy-atomic systems, as the WWC pattern demonstrates.
This patch changes the LKMM to accept either a wr-vis or a reverse
rw-xbstar link as a proof of non-concurrency.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Andrea Parri <parri.andrea@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yizhuo [Thu, 3 Oct 2019 17:58:13 +0000 (10:58 -0700)]
regulator: max8907: Fix the usage of uninitialized variable in max8907_regulator_probe()
[ Upstream commit
472b39c3d1bba0616eb0e9a8fa3ad0f56927c7d7 ]
Inside function max8907_regulator_probe(), variable val could
be uninitialized if regmap_read() fails. However, val is used
later in the if statement to decide the content written to
"pmic", which is potentially unsafe.
Signed-off-by: Yizhuo <yzhai003@ucr.edu>
Link: https://lore.kernel.org/r/20191003175813.16415-1-yzhai003@ucr.edu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Tony Lindgren [Sat, 14 Sep 2019 21:02:56 +0000 (14:02 -0700)]
hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled
[ Upstream commit
eaecce12f5f0d2c35d278e41e1bc4522393861ab ]
When unloading omap3-rom-rng, we'll get the following:
WARNING: CPU: 0 PID: 100 at drivers/clk/clk.c:948 clk_core_disable
This is because the clock may be already disabled by omap3_rom_rng_idle().
Let's fix the issue by checking for rng_idle on exit.
Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: Adam Ford <aford173@gmail.com>
Cc: Pali Rohár <pali.rohar@gmail.com>
Cc: Sebastian Reichel <sre@kernel.org>
Cc: Tero Kristo <t-kristo@ti.com>
Fixes: 1c6b7c2108bd ("hwrng: OMAP3 ROM Random Number Generator support")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ard Biesheuvel [Fri, 13 Sep 2019 18:36:18 +0000 (19:36 +0100)]
crypto: aegis128-neon - use Clang compatible cflags for ARM
[ Upstream commit
2eb2d198bd6cd0083a5363ce66272fb34a19928f ]
The next version of Clang will start policing compiler command line
options, and will reject combinations of -march and -mfpu that it
thinks are incompatible.
This results in errors like
clang-10: warning: ignoring extension 'crypto' because the 'armv7-a'
architecture does not support it [-Winvalid-command-line-argument]
/tmp/aegis128-neon-inner-5ee428.s: Assembler messages:
/tmp/aegis128-neon-inner-5ee428.s:73: Error: selected
processor does not support `aese.8 q2,q14' in ARM mode
when buiding the SIMD aegis128 code for 32-bit ARM, given that the
'armv7-a' -march argument is considered to be compatible with the
ARM crypto extensions. Instead, we should use armv8-a, which does
allow the crypto extensions to be enabled.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Veeraiyan Chidambaram [Wed, 11 Sep 2019 13:15:56 +0000 (15:15 +0200)]
usb: renesas_usbhs: add suspend event support in gadget mode
[ Upstream commit
39abcc84846bbc0538f13c190b6a9c7e36890cd2 ]
When R-Car Gen3 USB 2.0 is in Gadget mode, if host is detached an interrupt
will be generated and Suspended state bit is set in interrupt status
register. Interrupt handler will call driver->suspend(composite_suspend)
if suspended state bit is set. composite_suspend will call
ffs_func_suspend which will post FUNCTIONFS_SUSPEND and will be consumed
by user space application via /dev/ep0.
To be able to detect host detach, extend the DVSQ_MASK to cover the
Suspended bit of the DVSQ[2:0] bitfield from the Interrupt Status
Register 0 (INTSTS0) register and perform appropriate action in the
DVST interrupt handler (usbhsg_irq_dev_state).
Without this commit, disconnection of the phone from R-Car-H3 ES2.0
Salvator-X CN9 port is not recognized and reverse role switch does
not happen. If phone is connected again it does not enumerate.
With this commit, disconnection will be recognized and reverse role
switch will happen by a user space application. If phone is connected
again it will enumerate properly and will become visible in the output
of 'lsusb'.
Signed-off-by: Veeraiyan Chidambaram <veeraiyan.chidambaram@in.bosch.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/1568207756-22325-3-git-send-email-external.veeraiyan.c@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Raul E Rangel [Thu, 3 Oct 2019 20:24:44 +0000 (14:24 -0600)]
drm/amd/display: fix struct init in update_bounding_box
[ Upstream commit
960b6f4f2d2e96d5f7ffe2854e0040b46cafbd36 ]
dcn20_resource.c:2636:9: error: missing braces around initializer [-Werror=missing-braces]
struct _vcs_dpi_voltage_scaling_st calculated_states[MAX_CLOCK_LIMIT_STATES] = {0};
^
Fixes: 7ed4e6352c16f ("drm/amd/display: Add DCN2 HW Sequencer and Resource")
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ping-Ke Shih [Wed, 2 Oct 2019 06:35:30 +0000 (14:35 +0800)]
rtw88: fix NSS of hw_cap
[ Upstream commit
4f5bb7ff8b8d4bafd91243fc969ed240e67aa1ca ]
8822C is a 2x2 11ac chip, and then NSS must be less or equal to 2. However,
current nss of hw cap is 3, likes
hw cap: hci=0x0f, bw=0x07, ptcl=0x03, ant_num=7, nss=3
This commit adds constraint to make sure NSS <= rf_path_num, and result
looks like
hw cap: hci=0x0f, bw=0x07, ptcl=0x03, ant_num=7, nss=2
Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Stanimir Varbanov [Tue, 17 Sep 2019 12:02:26 +0000 (09:02 -0300)]
media: venus: Fix occasionally failures to suspend
[ Upstream commit
8dbebb2bd01e6f36e9a215dcde99ace70408f2c8 ]
Failure to suspend (venus_suspend_3xx) happens when the system
is fresh booted and loading venus driver. This happens once and
after reload the venus driver modules the problem disrepair.
Fix the failure by skipping the check for WFI and IDLE bits if
PC_READY is on in control status register.
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Anthony Koo [Thu, 29 Aug 2019 14:49:12 +0000 (10:49 -0400)]
drm/amd/display: set minimum abm backlight level
[ Upstream commit
2ad0cdf9e2e9e079af34af681863fa638f2ee212 ]
[Why]
A lot of the time, the backlight characteristic curve maps min backlight
to a non-zero value.
But there are cases where we want the curve to intersect at 0.
In this scenario even if OS never asks to set 0% backlight, the ABM
reduction can result in backlight being lowered close to 0.
This particularly can cause problems in some LED drivers, and in
general just looks like backlight is completely off.
[How]
Add default cap to disallow backlight from dropping below 1%
even after ABM reduction is applied.
Signed-off-by: Anthony Koo <Anthony.Koo@amd.com>
Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ivan Khoronzhuk [Wed, 2 Oct 2019 12:04:04 +0000 (15:04 +0300)]
selftests/bpf: Correct path to include msg + path
[ Upstream commit
c588146378962786ddeec817f7736a53298a7b01 ]
The "path" buf is supposed to contain path + printf msg up to 24 bytes.
It will be cut anyway, but compiler generates truncation warns like:
"
samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c: In
function ‘setup_cgroup_environment’:
samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:52:34:
warning: ‘/cgroup.controllers’ directive output may be truncated
writing 19 bytes into a region of size between 1 and 4097
[-Wformat-truncation=]
snprintf(path, sizeof(path), "%s/cgroup.controllers", cgroup_path);
^~~~~~~~~~~~~~~~~~~
samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:52:2:
note: ‘snprintf’ output between 20 and 4116 bytes into a destination
of size 4097
snprintf(path, sizeof(path), "%s/cgroup.controllers", cgroup_path);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:72:34:
warning: ‘/cgroup.subtree_control’ directive output may be truncated
writing 23 bytes into a region of size between 1 and 4097
[-Wformat-truncation=]
snprintf(path, sizeof(path), "%s/cgroup.subtree_control",
^~~~~~~~~~~~~~~~~~~~~~~
cgroup_path);
samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:72:2:
note: ‘snprintf’ output between 24 and 4120 bytes into a destination
of size 4097
snprintf(path, sizeof(path), "%s/cgroup.subtree_control",
cgroup_path);
"
In order to avoid warns, lets decrease buf size for cgroup workdir on
24 bytes with assumption to include also "/cgroup.subtree_control" to
the address. The cut will never happen anyway.
Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20191002120404.26962-3-ivan.khoronzhuk@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
chen gong [Mon, 23 Sep 2019 07:02:56 +0000 (15:02 +0800)]
drm/amd/powerplay: A workaround to GPU RESET on APU
[ Upstream commit
068ad870bbd8f4f2c5b2fd4977a4f3330c9988f4 ]
Changes to function "smu_suspend" in amdgpu_smu.c is a workaround.
We should get real information about if baco is enabled or not, while we
always consider APU SMU feature as enabled in current code.
I know APU do not support baco mode for GPU reset, so I use
"adev->flags" to skip function "smu_feature_is_enabled".
Signed-off-by: chen gong <curry.gong@amd.com>
Reviewed-by: Aaron Liu <aaron.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Arnd Bergmann [Tue, 1 Oct 2019 14:23:34 +0000 (16:23 +0200)]
x86/math-emu: Check __copy_from_user() result
[ Upstream commit
e6b44ce1925a8329a937c57f0d60ba0d9bb5d226 ]
The new __must_check annotation on __copy_from_user() successfully
identified some code that has lacked the check since at least
linux-2.1.73:
arch/x86/math-emu/reg_ld_str.c:88:2: error: ignoring return value of \
function declared with 'warn_unused_result' attribute [-Werror,-Wunused-result]
__copy_from_user(sti_ptr, s, 10);
^~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
arch/x86/math-emu/reg_ld_str.c:1129:2: error: ignoring return value of \
function declared with 'warn_unused_result' attribute [-Werror,-Wunused-result]
__copy_from_user(register_base + offset, s, other);
^~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/x86/math-emu/reg_ld_str.c:1131:3: error: ignoring return value of \
function declared with 'warn_unused_result' attribute [-Werror,-Wunused-result]
__copy_from_user(register_base, s + other, offset);
^~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition, the get_user()/put_user() helpers do not enforce a return
value check, but actually still require one. These have been missing for
even longer.
Change the internal wrappers around get_user()/put_user() to force
a signal and add a corresponding wrapper around __copy_from_user()
to check all such cases.
[ bp: Break long lines. ]
Fixes: 257e458057e5 ("Import 2.1.73")
Fixes: 9dd819a15162 ("uaccess: add missing __must_check attributes")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Bill Metzenthen <billm@melbpc.org.au>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191001142344.1274185-1-arnd@arndb.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
Allen Pais [Wed, 18 Sep 2019 16:30:31 +0000 (22:00 +0530)]
drm/amdkfd: fix a potential NULL pointer dereference (v2)
[ Upstream commit
81de29d842ccb776c0f77aa3e2b11b07fff0c0e2 ]
alloc_workqueue is not checked for errors and as a result,
a potential NULL dereference could occur.
v2 (Felix Kuehling):
* Fix compile error (kfifo_free instead of fifo_free)
* Return proper error code
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jagan Teki [Thu, 3 Oct 2019 06:45:21 +0000 (12:15 +0530)]
drm/sun4i: dsi: Fix TCON DRQ set bits
[ Upstream commit
7ac6269968826f9cad61b501bb613cc5cadb7229 ]
The LCD timing definitions between Linux DRM vs Allwinner are different,
below diagram shows this clear differences.
Active Front Sync Back
Region Porch Porch
<-----------------------><----------------><--------------><-------------->
//////////////////////|
////////////////////// |
////////////////////// |.................. ................
________________
<----- [hv]display ----->
<------------- [hv]sync_start ------------>
<--------------------- [hv]sync_end ---------------------->
<-------------------------------- [hv]total ------------------------------>
<----- lcd_[xy] --------> <- lcd_[hv]spw ->
<---------- lcd_[hv]bp --------->
<-------------------------------- lcd_[hv]t ------------------------------>
The DSI driver misinterpreted the hbp term from the BSP code to refer
only to the backporch, when in fact it was backporch + sync. Thus the
driver incorrectly used the horizontal front porch plus sync in its
calculation of the DRQ set bit value, when it should not have included
the sync timing.
Including additional sync timings leads to flip_done timed out as:
WARNING: CPU: 0 PID: 31 at drivers/gpu/drm/drm_atomic_helper.c:1429 drm_atomic_helper_wait_for_vblanks.part.1+0x298/0x2a0
[CRTC:46:crtc-0] vblank wait timed out
Modules linked in:
CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted
5.1.0-next-20190514-00026-g01f0c75b902d-dirty #13
Hardware name: Allwinner sun8i Family
Workqueue: events deferred_probe_work_func
[<
c010ed54>] (unwind_backtrace) from [<
c010b76c>] (show_stack+0x10/0x14)
[<
c010b76c>] (show_stack) from [<
c0688c70>] (dump_stack+0x84/0x98)
[<
c0688c70>] (dump_stack) from [<
c011d9e4>] (__warn+0xfc/0x114)
[<
c011d9e4>] (__warn) from [<
c011da40>] (warn_slowpath_fmt+0x44/0x68)
[<
c011da40>] (warn_slowpath_fmt) from [<
c040cd50>] (drm_atomic_helper_wait_for_vblanks.part.1+0x298/0x2a0)
[<
c040cd50>] (drm_atomic_helper_wait_for_vblanks.part.1) from [<
c040e694>] (drm_atomic_helper_commit_tail_rpm+0x5c/0x6c)
[<
c040e694>] (drm_atomic_helper_commit_tail_rpm) from [<
c040e4dc>] (commit_tail+0x40/0x6c)
[<
c040e4dc>] (commit_tail) from [<
c040e5cc>] (drm_atomic_helper_commit+0xbc/0x128)
[<
c040e5cc>] (drm_atomic_helper_commit) from [<
c0411b64>] (restore_fbdev_mode_atomic+0x1cc/0x1dc)
[<
c0411b64>] (restore_fbdev_mode_atomic) from [<
c04156f8>] (drm_fb_helper_restore_fbdev_mode_unlocked+0x54/0xa0)
[<
c04156f8>] (drm_fb_helper_restore_fbdev_mode_unlocked) from [<
c0415774>] (drm_fb_helper_set_par+0x30/0x54)
[<
c0415774>] (drm_fb_helper_set_par) from [<
c03ad450>] (fbcon_init+0x560/0x5ac)
[<
c03ad450>] (fbcon_init) from [<
c03eb8a0>] (visual_init+0xbc/0x104)
[<
c03eb8a0>] (visual_init) from [<
c03ed1b8>] (do_bind_con_driver+0x1b0/0x390)
[<
c03ed1b8>] (do_bind_con_driver) from [<
c03ed780>] (do_take_over_console+0x13c/0x1c4)
[<
c03ed780>] (do_take_over_console) from [<
c03ad800>] (do_fbcon_takeover+0x74/0xcc)
[<
c03ad800>] (do_fbcon_takeover) from [<
c013c9c8>] (notifier_call_chain+0x44/0x84)
[<
c013c9c8>] (notifier_call_chain) from [<
c013cd20>] (__blocking_notifier_call_chain+0x48/0x60)
[<
c013cd20>] (__blocking_notifier_call_chain) from [<
c013cd50>] (blocking_notifier_call_chain+0x18/0x20)
[<
c013cd50>] (blocking_notifier_call_chain) from [<
c03a6e44>] (register_framebuffer+0x1e0/0x2f8)
[<
c03a6e44>] (register_framebuffer) from [<
c04153c0>] (__drm_fb_helper_initial_config_and_unlock+0x2fc/0x50c)
[<
c04153c0>] (__drm_fb_helper_initial_config_and_unlock) from [<
c04158c8>] (drm_fbdev_client_hotplug+0xe8/0x1b8)
[<
c04158c8>] (drm_fbdev_client_hotplug) from [<
c0415a20>] (drm_fbdev_generic_setup+0x88/0x118)
[<
c0415a20>] (drm_fbdev_generic_setup) from [<
c043f060>] (sun4i_drv_bind+0x128/0x160)
[<
c043f060>] (sun4i_drv_bind) from [<
c044b598>] (try_to_bring_up_master+0x164/0x1a0)
[<
c044b598>] (try_to_bring_up_master) from [<
c044b668>] (__component_add+0x94/0x140)
[<
c044b668>] (__component_add) from [<
c0445e1c>] (sun6i_dsi_probe+0x144/0x234)
[<
c0445e1c>] (sun6i_dsi_probe) from [<
c0452ef4>] (platform_drv_probe+0x48/0x9c)
[<
c0452ef4>] (platform_drv_probe) from [<
c04512cc>] (really_probe+0x1dc/0x2c8)
[<
c04512cc>] (really_probe) from [<
c0451518>] (driver_probe_device+0x60/0x160)
[<
c0451518>] (driver_probe_device) from [<
c044f7a4>] (bus_for_each_drv+0x74/0xb8)
[<
c044f7a4>] (bus_for_each_drv) from [<
c045107c>] (__device_attach+0xd0/0x13c)
[<
c045107c>] (__device_attach) from [<
c0450474>] (bus_probe_device+0x84/0x8c)
[<
c0450474>] (bus_probe_device) from [<
c0450900>] (deferred_probe_work_func+0x64/0x90)
[<
c0450900>] (deferred_probe_work_func) from [<
c0135970>] (process_one_work+0x204/0x420)
[<
c0135970>] (process_one_work) from [<
c013690c>] (worker_thread+0x274/0x5a0)
[<
c013690c>] (worker_thread) from [<
c013b3d8>] (kthread+0x11c/0x14c)
[<
c013b3d8>] (kthread) from [<
c01010e8>] (ret_from_fork+0x14/0x2c)
Exception stack(0xde539fb0 to 0xde539ff8)
9fa0:
00000000 00000000 00000000 00000000
9fc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0:
00000000 00000000 00000000 00000000 00000013 00000000
---[ end trace
b57eb1e5c64c6b8b ]---
random: fast init done
[drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [CRTC:46:crtc-0] flip_done timed out
[drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [CONNECTOR:48:DSI-1] flip_done timed out
[drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [PLANE:30:plane-0] flip_done timed out
With the terms(as described in above diagram) fixed, the panel
displays correctly without any timeouts.
Tested-by: Merlijn Wajer <merlijn@wizzup.org>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20191003064527.15128-2-jagan@amarulasolutions.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Will Deacon [Wed, 2 Oct 2019 12:42:06 +0000 (13:42 +0100)]
pinctrl: devicetree: Avoid taking direct reference to device name string
[ Upstream commit
be4c60b563edee3712d392aaeb0943a768df7023 ]
When populating the pinctrl mapping table entries for a device, the
'dev_name' field for each entry is initialised to point directly at the
string returned by 'dev_name()' for the device and subsequently used by
'create_pinctrl()' when looking up the mappings for the device being
probed.
This is unreliable in the presence of calls to 'dev_set_name()', which may
reallocate the device name string leaving the pinctrl mappings with a
dangling reference. This then leads to a use-after-free every time the
name is dereferenced by a device probe:
| BUG: KASAN: invalid-access in strcmp+0x20/0x64
| Read of size 1 at addr
13ffffc153494b00 by task modprobe/590
| Pointer tag: [13], memory tag: [fe]
|
| Call trace:
| __kasan_report+0x16c/0x1dc
| kasan_report+0x10/0x18
| check_memory_region
| __hwasan_load1_noabort+0x4c/0x54
| strcmp+0x20/0x64
| create_pinctrl+0x18c/0x7f4
| pinctrl_get+0x90/0x114
| devm_pinctrl_get+0x44/0x98
| pinctrl_bind_pins+0x5c/0x450
| really_probe+0x1c8/0x9a4
| driver_probe_device+0x120/0x1d8
Follow the example of sysfs, and duplicate the device name string before
stashing it away in the pinctrl mapping entries.
Cc: Linus Walleij <linus.walleij@linaro.org>
Reported-by: Elena Petrova <lenaptr@google.com>
Tested-by: Elena Petrova <lenaptr@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20191002124206.22928-1-will@kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nikola Cornij [Wed, 28 Aug 2019 22:30:43 +0000 (18:30 -0400)]
drm/amd/display: Set number of pipes to 1 if the second pipe was disabled
[ Upstream commit
2fef0faa1cdc5d41ce3ef83f7b8f7e7ecb02d700 ]
[why]
Some ODM-related register settings are inconsistently updated by VBIOS, causing
the state in DC to be invalid, which would then end up crashing in certain
use-cases (such as disable/enable device).
[how]
Check the enabled status of the second pipe when determining the number of
OPTC sources. If the second pipe is disabled, set the number of sources to 1
regardless of other settings (that may not be updated correctly).
Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Shuah Khan [Tue, 17 Sep 2019 16:35:09 +0000 (13:35 -0300)]
media: vimc: Fix gpf in rmmod path when stream is active
[ Upstream commit
d7fb5c361c2a2666d20e044206e1756bc8e87df2 ]
If vimc module is removed while streaming is in progress, sensor subdev
unregister runs into general protection fault when it tries to unregister
media entities. This is a common subdev problem related to releasing
pads from v4l2_device_unregister_subdev() before calling unregister.
Unregister references pads during unregistering subdev.
The sd release handler is the right place for releasing all sd resources
including pads. The release handlers currently release all resources
except the pads.
Fix v4l2_device_unregister_subdev() not release pads and release pads
from the sd_int_op release handlers.
kernel: [ 4136.715839] general protection fault: 0000 [#1] SMP PTI
kernel: [ 4136.715847] CPU: 2 PID: 1972 Comm: bash Not tainted 5.3.0-rc2+ #4
kernel: [ 4136.715850] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
kernel: [ 4136.715858] RIP: 0010:media_gobj_destroy.part.16+0x1f/0x60
kernel: [ 4136.715863] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 fe 48 89 e5 53 48 89 fb 48 c7 c7 00 7f cf b0 e8 24 fa ff ff 48 8b 03 <48> 83 80 a0 00 00 00 01 48 8b 43 18 48 8b 53 10 48 89 42 08 48 89
kernel: [ 4136.715866] RSP: 0018:
ffff9b2248fe3cb0 EFLAGS:
00010246
kernel: [ 4136.715870] RAX:
bcf2bfbfa0d63c2f RBX:
ffff88c3eb37e9c0 RCX:
00000000802a0018
kernel: [ 4136.715873] RDX:
ffff88c3e4f6a078 RSI:
ffff88c3eb37e9c0 RDI:
ffffffffb0cf7f00
kernel: [ 4136.715876] RBP:
ffff9b2248fe3cb8 R08:
0000000001000002 R09:
ffffffffb0492b00
kernel: [ 4136.715879] R10:
ffff9b2248fe3c28 R11:
0000000000000001 R12:
0000000000000038
kernel: [ 4136.715881] R13:
ffffffffc09a1628 R14:
ffff88c3e4f6a028 R15:
fffffffffffffff2
kernel: [ 4136.715885] FS:
00007f8389647740(0000) GS:
ffff88c465500000(0000) knlGS:
0000000000000000
kernel: [ 4136.715888] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
kernel: [ 4136.715891] CR2:
000055d008f80fd8 CR3:
00000001996ec005 CR4:
00000000000606e0
kernel: [ 4136.715894] Call Trace:
kernel: [ 4136.715903] media_gobj_destroy+0x14/0x20
kernel: [ 4136.715908] __media_device_unregister_entity+0xb3/0xe0
kernel: [ 4136.715915] media_device_unregister_entity+0x30/0x40
kernel: [ 4136.715920] v4l2_device_unregister_subdev+0xa8/0xe0
kernel: [ 4136.715928] vimc_ent_sd_unregister+0x1e/0x30 [vimc]
kernel: [ 4136.715933] vimc_sen_rm+0x16/0x20 [vimc]
kernel: [ 4136.715938] vimc_remove+0x3e/0xa0 [vimc]
kernel: [ 4136.715945] platform_drv_remove+0x25/0x50
kernel: [ 4136.715951] device_release_driver_internal+0xe0/0x1b0
kernel: [ 4136.715956] device_driver_detach+0x14/0x20
kernel: [ 4136.715960] unbind_store+0xd1/0x130
kernel: [ 4136.715965] drv_attr_store+0x27/0x40
kernel: [ 4136.715971] sysfs_kf_write+0x48/0x60
kernel: [ 4136.715976] kernfs_fop_write+0x128/0x1b0
kernel: [ 4136.715982] __vfs_write+0x1b/0x40
kernel: [ 4136.715987] vfs_write+0xc3/0x1d0
kernel: [ 4136.715993] ksys_write+0xaa/0xe0
kernel: [ 4136.715999] __x64_sys_write+0x1a/0x20
kernel: [ 4136.716005] do_syscall_64+0x5a/0x130
kernel: [ 4136.716010] entry_SYSCALL_64_after_hwframe+0x4
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Helen Koike <helen.koike@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ben Greear [Wed, 18 Oct 2017 00:03:12 +0000 (17:03 -0700)]
ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq
[ Upstream commit
cc6df017e55764ffef9819dd9554053182535ffd ]
Offchannel management frames were failing:
[18099.253732] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3780
[18102.293686] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3780
[18105.333653] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3780
[18108.373712] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3780
[18111.413687] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e36c0
[18114.453726] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3f00
[18117.493773] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e36c0
[18120.533631] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb
cf0e3f00
This bug appears to have been added between 4.0 (which works for us),
and 4.4, which does not work.
I think this is because the tx-offchannel logic gets in a loop when
ath10k_mac_tx_frm_has_freq(ar) is false, so pkt is never actually
sent to the firmware for transmit.
This patch fixes the problem on 4.9 for me, and now HS20 clients
can work again with my firmware.
Antonio: tested with 10.4-3.5.3-00057 on QCA4019 and QCA9888
Signed-off-by: Ben Greear <greearb@candelatech.com>
Tested-by: Antonio Quartulli <antonio.quartulli@kaiwoo.ai>
[kvalo@codeaurora.org: improve commit log, remove unneeded parenthesis]
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Loic Poulain [Wed, 11 Sep 2019 14:45:59 +0000 (11:45 -0300)]
media: venus: core: Fix msm8996 frequency table
[ Upstream commit
c690435ed07901737e5c007a65ec59f53b33eb71 ]
In downstream driver, there are two frequency tables defined,
one for the encoder and one for the decoder:
/* Encoders /
<972000
490000000 0x55555555>, / 4k UHD @ 30 /
<489600
320000000 0x55555555>, / 1080p @ 60 /
<244800
150000000 0x55555555>, / 1080p @ 30 /
<108000
75000000 0x55555555>, / 720p @ 30 */
/* Decoders /
<
1944000 490000000 0xffffffff>, / 4k UHD @ 60 /
< 972000
320000000 0xffffffff>, / 4k UHD @ 30 /
< 489600
150000000 0xffffffff>, / 1080p @ 60 /
< 244800
75000000 0xffffffff>; / 1080p @ 30 */
It shows that encoder always needs a higher clock than decoder.
In current venus driver, the unified frequency table is aligned
with the downstream decoder table which causes performance issues
in encoding scenarios. Fix that by aligning frequency table on
worst case (encoding).
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nathan Chancellor [Fri, 27 Sep 2019 16:26:42 +0000 (09:26 -0700)]
tools/power/cpupower: Fix initializer override in hsw_ext_cstates
[ Upstream commit
7e5705c635ecfccde559ebbbe1eaf05b5cc60529 ]
When building cpupower with clang, the following warning appears:
utils/idle_monitor/hsw_ext_idle.c:42:16: warning: initializer overrides
prior initialization of this subobject [-Winitializer-overrides]
.desc = N_("Processor Package C2"),
^~~~~~~~~~~~~~~~~~~~~~
./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
#define N_(String) gettext_noop(String)
^~~~~~
./utils/helpers/helpers.h:23:30: note: expanded from macro
'gettext_noop'
#define gettext_noop(String) String
^~~~~~
utils/idle_monitor/hsw_ext_idle.c:41:16: note: previous initialization
is here
.desc = N_("Processor Package C9"),
^~~~~~~~~~~~~~~~~~~~~~
./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
#define N_(String) gettext_noop(String)
^~~~~~
./utils/helpers/helpers.h:23:30: note: expanded from macro
'gettext_noop'
#define gettext_noop(String) String
^~~~~~
1 warning generated.
This appears to be a copy and paste or merge mistake because the name
and id fields both have PC9 in them, not PC2. Remove the second
assignment to fix the warning.
Fixes: 7ee767b69b68 ("cpupower: Add Haswell family 0x45 specific idle monitor to show PC8,9,10 states")
Link: https://github.com/ClangBuiltLinux/linux/issues/718
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Janusz Krzysztofik [Tue, 3 Sep 2019 20:11:44 +0000 (17:11 -0300)]
media: ov6650: Fix stored crop rectangle not in sync with hardware
[ Upstream commit
1463b371aff0682c70141f7521db13cc4bbf3016 ]
The driver stores crop rectangle settings supposed to be in line with
hardware state in a device private structure. Since the driver initial
submission, crop rectangle width and height settings are not updated
correctly when rectangle offset settings are applied on hardware. If
an error occurs while the device is updated, the stored settings my no
longer reflect hardware state and consecutive calls to .get_selection()
as well as .get/set_fmt() may return incorrect information. That in
turn may affect ability of a bridge device to use correct DMA transfer
settings if such incorrect informamtion on active frame format returned
by .get/set_fmt() is used.
Assuming a failed update of the device means its actual settings haven't
changed, update crop rectangle width and height settings stored in the
device private structure correctly while the rectangle offset is
successfully applied on hardware so the stored values always reflect
actual hardware state to the extent possible.
Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Janusz Krzysztofik [Tue, 3 Sep 2019 20:11:43 +0000 (17:11 -0300)]
media: ov6650: Fix stored frame format not in sync with hardware
[ Upstream commit
3143b459de4cdcce67b36827476c966e93c1cf01 ]
The driver stores frame format settings supposed to be in line with
hardware state in a device private structure. Since the driver initial
submission, those settings are updated before they are actually applied
on hardware. If an error occurs on device update, the stored settings
my not reflect hardware state anymore and consecutive calls to
.get_fmt() may return incorrect information. That in turn may affect
ability of a bridge device to use correct DMA transfer settings if such
incorrect informmation on active frame format returned by .get_fmt() is
used.
Assuming a failed device update means its state hasn't changed, update
frame format related settings stored in the device private structure
only after they are successfully applied so the stored values always
reflect hardware state as closely as possible.
Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Benoit Parrot [Mon, 30 Sep 2019 13:06:43 +0000 (10:06 -0300)]
media: i2c: ov2659: Fix missing 720p register config
[ Upstream commit
9d669fbfca20e6035ead814e55d9ef1a6b500540 ]
The initial registers sequence is only loaded at probe
time. Afterward only the resolution and format specific
register are modified. Care must be taken to make sure
registers modified by one resolution setting are reverted
back when another resolution is programmed.
This was not done properly for the 720p case.
Signed-off-by: Benoit Parrot <bparrot@ti.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Janusz Krzysztofik [Tue, 3 Sep 2019 20:11:38 +0000 (17:11 -0300)]
media: ov6650: Fix crop rectangle alignment not passed back
[ Upstream commit
7b188d6ba27a131e7934a51a14ece331c0491f18 ]
Commit
4f996594ceaf ("[media] v4l2: make vidioc_s_crop const")
introduced a writable copy of constified user requested crop rectangle
in order to be able to perform hardware alignments on it. Later
on, commit
10d5509c8d50 ("[media] v4l2: remove g/s_crop from video
ops") replaced s_crop() video operation using that const argument with
set_selection() pad operation which had a corresponding argument not
constified, however the original behavior of the driver was not
restored. Since that time, any hardware alignment applied on a user
requested crop rectangle is not passed back to the user calling
.set_selection() as it should be.
Fix the issue by dropping the copy and replacing all references to it
with references to the crop rectangle embedded in the user argument.
Fixes: 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Benoit Parrot [Mon, 30 Sep 2019 13:06:40 +0000 (10:06 -0300)]
media: i2c: ov2659: fix s_stream return value
[ Upstream commit
85c4043f1d403c222d481dfc91846227d66663fb ]
In ov2659_s_stream() return value for invoked function should be checked
and propagated.
Signed-off-by: Benoit Parrot <bparrot@ti.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Janusz Krzysztofik [Tue, 3 Sep 2019 20:11:37 +0000 (17:11 -0300)]
media: ov6650: Fix control handler not freed on init error
[ Upstream commit
c404af950d14b71bfbf574a752b6c29d726baaba ]
Since commit
afd9690c72c3 ("[media] ov6650: convert to the control
framework"), if an error occurs during initialization of a control
handler, resources possibly allocated to the handler are not freed
before device initialiaton is aborted. Fix it.
Fixes: afd9690c72c3 ("[media] ov6650: convert to the control framework")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
YueHaibing [Tue, 3 Sep 2019 12:09:45 +0000 (09:09 -0300)]
media: max2175: Fix build error without CONFIG_REGMAP_I2C
[ Upstream commit
36756fbff1e4a31d71d262ae6a04a20b38efa874 ]
If CONFIG_REGMAP_I2C is not set, building fails:
drivers/media/i2c/max2175.o: In function `max2175_probe':
max2175.c:(.text+0x1404): undefined reference to `__devm_regmap_init_i2c'
Select REGMAP_I2C to fix this.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: b47b79d8a231 ("[media] media: i2c: max2175: Add MAX2175 support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kefeng Wang [Sun, 8 Sep 2019 04:12:54 +0000 (01:12 -0300)]
media: vim2m: Fix BUG_ON in vim2m_device_release()
[ Upstream commit
2455d417c03aa0cbafed04c46cbb354643238318 ]
If v4l2_m2m_init() fails, m2m_dev pointer will be set ERR_PTR(-ENOMEM),
then kfree m2m_dev will trigger BUG_ON, see below, fix it by setting m2m_dev
to NULL.
vim2m vim2m.0: Failed to init mem2mem device
------------[ cut here ]------------
kernel BUG at mm/slub.c:3944!
invalid opcode: 0000 [#1] SMP PTI
CPU: 11 PID: 9061 Comm: insmod Tainted: G E 5.2.0-rc2 #81
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:kfree+0x11a/0x160
Call Trace:
vim2m_device_release+0x3f/0x50 [vim2m]
device_release+0x27/0x80
kobject_release+0x68/0x190
vim2m_probe+0x20f/0x280 [vim2m]
platform_drv_probe+0x37/0x90
really_probe+0xef/0x3d0
driver_probe_device+0x110/0x120
device_driver_attach+0x4f/0x60
__driver_attach+0x9a/0x140
? device_driver_attach+0x60/0x60
bus_for_each_dev+0x76/0xc0
? klist_add_tail+0x57/0x70
bus_add_driver+0x141/0x210
driver_register+0x5b/0xe0
vim2m_init+0x29/0x1000 [vim2m]
do_one_initcall+0x46/0x1f4
? __slab_alloc+0x1c/0x30
? kmem_cache_alloc_trace+0x167/0x1b0
do_init_module+0x5b/0x21f
load_module+0x1add/0x1fb0
? __do_sys_finit_module+0xe9/0x110
__do_sys_finit_module+0xe9/0x110
do_syscall_64+0x5b/0x1c0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: ea6c7e34f3b2 ("media: vim2m: replace devm_kzalloc by kzalloc")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jernej Skrabec [Thu, 12 Sep 2019 18:55:55 +0000 (15:55 -0300)]
media: vim2m: Fix abort issue
[ Upstream commit
c362f77a243bfd1daec21b6c36491c061ee2f31b ]
Currently, if start streaming -> stop streaming -> start streaming
sequence is executed, driver will end job prematurely, if ctx->translen
is higher than 1, because "aborting" flag is still set from previous
stop streaming command.
Fix that by clearing "aborting" flag in start streaming handler.
Fixes: 96d8eab5d0a1 ("V4L/DVB: [v5,2/2] v4l: Add a mem-to-mem videobuf framework test device")
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christophe JAILLET [Sat, 31 Aug 2019 06:42:58 +0000 (03:42 -0300)]
media: seco-cec: Add a missing 'release_region()' in an error handling path
[ Upstream commit
a9cc4cbcdfd378b65fd4e398800cfa14e3855042 ]
At the beginning of the probe function, we have a call to
'request_muxed_region(BRA_SMB_BASE_ADDR, 7, "
CEC00001")()'
A corresponding 'release_region()' is performed in the remove function but
is lacking in the error handling path.
Add it.
Fixes: b03c2fb97adc ("media: add SECO cec driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans Verkuil [Fri, 30 Aug 2019 09:26:22 +0000 (06:26 -0300)]
media: cedrus: fill in bus_info for media device
[ Upstream commit
ae0688f659adb17ae6ae5710c886b20b5406e5c4 ]
Fixes this compliance warning:
$ v4l2-compliance -m0
v4l2-compliance SHA:
b514d615166bdc0901a4c71261b87db31e89f464, 32 bits
Compliance test for cedrus device /dev/media0:
Media Driver Info:
Driver name : cedrus
Model : cedrus
Serial :
Bus info :
Media version : 5.3.0
Hardware revision: 0x00000000 (0)
Driver version : 5.3.0
Required ioctls:
warn: v4l2-test-media.cpp(51): empty bus_info
test MEDIA_IOC_DEVICE_INFO: OK
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Benoit Parrot [Fri, 20 Sep 2019 17:05:48 +0000 (14:05 -0300)]
media: am437x-vpfe: Setting STD to current value is not an error
[ Upstream commit
13aa21cfe92ce9ebb51824029d89f19c33f81419 ]
VIDIOC_S_STD should not return an error if the value is identical
to the current one.
This error was highlighted by the v4l2-compliance test.
Signed-off-by: Benoit Parrot <bparrot@ti.com>
Acked-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Navid Emamdoost [Mon, 30 Sep 2019 20:52:40 +0000 (15:52 -0500)]
spi: gpio: prevent memory leak in spi_gpio_probe
[ Upstream commit
d3b0ffa1d75d5305ebe34735598993afbb8a869d ]
In spi_gpio_probe an SPI master is allocated via spi_alloc_master, but
this controller should be released if devm_add_action_or_reset fails,
otherwise memory leaks. In order to avoid leak spi_contriller_put must
be called in case of failure for devm_add_action_or_reset.
Fixes: 8b797490b4db ("spi: gpio: Make sure spi_master_put() is called in every error path")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Link: https://lore.kernel.org/r/20190930205241.5483-1-navid.emamdoost@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mihail Atanassov [Tue, 1 Oct 2019 14:21:40 +0000 (14:21 +0000)]
drm/komeda: Workaround for broken FLIP_COMPLETE timestamps
[ Upstream commit
f59769c52cd7d158df53487ec2936f5592073340 ]
When initially turning a crtc on, drm_reset_vblank_timestamp will
set the vblank timestamp to 0 for any driver that doesn't provide
a ->get_vblank_timestamp() hook.
Unfortunately, the FLIP_COMPLETE event depends on that timestamp,
and the only way to regenerate a valid one is to have vblank
interrupts enabled and have a valid in-ISR call to
drm_crtc_handle_vblank.
Additionally, if the user doesn't request vblanks but _does_ request
FLIP_COMPLETE events, we still don't have a good timestamp: it'll be the
same stamp as the last vblank one.
Work around the issue by always enabling vblanks when the CRTC is on.
Reducing the amount of time that PL0 has to be unmasked would be nice to
fix at a later time.
Changes since v1 [https://patchwork.freedesktop.org/patch/331727/]:
- moved drm_crtc_vblank_put call to the ->atomic_disable() hook
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Liviu Dudau <Liviu.Dudau@arm.com>
Signed-off-by: Mihail Atanassov <mihail.atanassov@arm.com>
Reviewed-by: James Qian Wang (Arm Technology China) <james.qian.wang@arm.com>
Signed-off-by: Ayan kumar halder <ayan.halder@arm.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191001142121.13939-1-mihail.atanassov@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Max Gurtovoy [Tue, 24 Sep 2019 21:03:47 +0000 (00:03 +0300)]
IB/iser: bound protection_sg size by data_sg size
[ Upstream commit
7718cf03c3ce4b6ebd90107643ccd01c952a1fce ]
In case we don't set the sg_prot_tablesize, the scsi layer assign the
default size (65535 entries). We should limit this size since we should
take into consideration the underlaying device capability. This cap is
considered when calculating the sg_tablesize. Otherwise, for example,
we can get that /sys/block/sdb/queue/max_segments is 128 and
/sys/block/sdb/queue/max_integrity_segments is 65535.
Link: https://lore.kernel.org/r/1569359027-10987-1-git-send-email-maxg@mellanox.com
Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Anilkumar Kolli [Thu, 26 Sep 2019 13:37:01 +0000 (19:07 +0530)]
ath10k: fix backtrace on coredump
[ Upstream commit
d98ddae85a4a57124f87960047b1b6419312147f ]
In a multiradio board with one QCA9984 and one AR9987
after enabling the crashdump with module parameter
coredump_mask=7, below backtrace is seen.
vmalloc: allocation failure: 0 bytes
kworker/u4:0: page allocation failure: order:0, mode:0x80d2
CPU: 0 PID: 6 Comm: kworker/u4:0 Not tainted 3.14.77 #130
Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
(unwind_backtrace) from [<
c021abf8>] (show_stack+0x10/0x14)
(dump_stack+0x80/0xa0)
(warn_alloc_failed+0xd0/0xfc)
(__vmalloc_node_range+0x1b4/0x1d8)
(__vmalloc_node+0x34/0x40)
(vzalloc+0x24/0x30)
(ath10k_coredump_register+0x6c/0x88 [ath10k_core])
(ath10k_core_register_work+0x350/0xb34 [ath10k_core])
(process_one_work+0x20c/0x32c)
(worker_thread+0x228/0x360)
This is due to ath10k_hw_mem_layout is not defined for AR9987.
For coredump undefined hw ramdump_size is 0.
Check for the ramdump_size before allocation memory.
Tested on: AR9987, QCA9984
FW version: 10.4-3.9.0.2-00044
Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Geert Uytterhoeven [Wed, 4 Sep 2019 12:16:58 +0000 (14:16 +0200)]
Revert "pinctrl: sh-pfc: r8a77990: Fix MOD_SEL1 bit31 when using SIM0_D"
[ Upstream commit
7666dfd533d4c55733037775d47a8e3551b341a2 ]
This reverts commit
e167d723e1a472d252e5c4baf823b77ce5543b05.
According to the R-Car Gen3 Hardware Manual Errata for Rev 1.00 of Aug
24, 2018, the SEL_SIMCARD_{0,1} definition was to be deleted. However,
this errata merely fixed an accidental double definition in the Hardware
User's Manual Rev. 1.00. The real definition is still present in later
revisions of the manual (Rev. 1.50 and Rev. 2.00).
Hence revert the commit to recover the definition.
Based on a patch in the BSP by Takeshi Kihara
<takeshi.kihara.df@renesas.com>.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Link: https://lore.kernel.org/r/20190904121658.2617-4-geert+renesas@glider.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
Geert Uytterhoeven [Wed, 4 Sep 2019 12:16:57 +0000 (14:16 +0200)]
Revert "pinctrl: sh-pfc: r8a77990: Fix MOD_SEL1 bit30 when using SSI_SCK2 and SSI_WS2"
[ Upstream commit
3672bc7093434621c83299ef27ea3b3225a67600 ]
This reverts commit
e87882eb9be10b2b9e28156922c2a47d877f5db4.
According to the R-Car Gen3 Hardware Manual Errata for Rev 1.00 of Aug
24, 2018, the SEL_SSI2_{0,1} definition was to be deleted. However,
this errata merely fixed an accidental double definition in the Hardware
User's Manual Rev. 1.00. The real definition is still present in later
revisions of the manual (Rev. 1.50 and Rev. 2.00).
Hence revert the commit to recover the definition.
Based on a patch in the BSP by Takeshi Kihara
<takeshi.kihara.df@renesas.com>.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Link: https://lore.kernel.org/r/20190904121658.2617-3-geert+renesas@glider.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
Allen Pais [Wed, 18 Sep 2019 16:35:00 +0000 (22:05 +0530)]
libertas: fix a potential NULL pointer dereference
[ Upstream commit
7da413a18583baaf35dd4a8eb414fa410367d7f2 ]
alloc_workqueue is not checked for errors and as a result,
a potential NULL dereference could occur.
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Navid Emamdoost [Wed, 25 Sep 2019 01:20:21 +0000 (20:20 -0500)]
rtlwifi: prevent memory leak in rtl_usb_probe
[ Upstream commit
3f93616951138a598d930dcaec40f2bfd9ce43bb ]
In rtl_usb_probe if allocation for usb_data fails the allocated hw
should be released. In addition the allocated rtlpriv->usb_data should
be released on error handling path.
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Connor Kuehl [Thu, 26 Sep 2019 15:03:17 +0000 (08:03 -0700)]
staging: rtl8188eu: fix possible null dereference
[ Upstream commit
228241944a48113470d3c3b46c88ba7fbe0a274b ]
Inside a nested 'else' block at the beginning of this function is a
call that assigns 'psta' to the return value of 'rtw_get_stainfo()'.
If 'rtw_get_stainfo()' returns NULL and the flow of control reaches
the 'else if' where 'psta' is dereferenced, then we will dereference
a NULL pointer.
Fix this by checking if 'psta' is not NULL before reading its
'psta->qos_option' data member.
Addresses-Coverity: ("Dereference null return value")
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Link: https://lore.kernel.org/r/20190926150317.5894-1-connor.kuehl@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Navid Emamdoost [Fri, 20 Sep 2019 02:51:33 +0000 (21:51 -0500)]
staging: rtl8192u: fix multiple memory leaks on error path
[ Upstream commit
ca312438cf176a16d4b89350cade8789ba8d7133 ]
In rtl8192_tx on error handling path allocated urbs and also skb should
be released.
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Link: https://lore.kernel.org/r/20190920025137.29407-1-navid.emamdoost@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Neil Armstrong [Wed, 28 Aug 2019 13:23:11 +0000 (15:23 +0200)]
drm/meson: vclk: use the correct G12A frac max value
[ Upstream commit
d56276a13c2b9ea287b9fc7cc78bed4c43b286f9 ]
When calculating the HDMI PLL settings for a DMT mode PHY frequency,
use the correct max fractional PLL value for G12A VPU.
With this fix, we can finally setup the 1024x768-60 mode.
Fixes: 202b9808f8ed ("drm/meson: Add G12A Video Clock setup")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Reviewed-by: Kevin Hilman <khilman@baylibre.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190828132311.23881-1-narmstrong@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lukasz Majewski [Wed, 25 Sep 2019 09:11:42 +0000 (11:11 +0200)]
spi: Add call to spi_slave_abort() function when spidev driver is released
[ Upstream commit
9f918a728cf86b2757b6a7025e1f46824bfe3155 ]
This change is necessary for spidev devices (e.g. /dev/spidev3.0) working
in the slave mode (like NXP's dspi driver for Vybrid SoC).
When SPI HW works in this mode - the master is responsible for providing
CS and CLK signals. However, when some fault happens - like for example
distortion on SPI lines - the SPI Linux driver needs a chance to recover
from this abnormal situation and prepare itself for next (correct)
transmission.
This change doesn't pose any threat on drivers working in master mode as
spi_slave_abort() function checks if SPI slave mode is supported.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Link: https://lore.kernel.org/r/20190924110547.14770-2-lukma@denx.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Reported-by: kbuild test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/20190925091143.15468-2-lukma@denx.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hauke Mehrtens [Sun, 18 Aug 2019 19:09:20 +0000 (21:09 +0200)]
ath10k: Check if station exists before forwarding tx airtime report
[ Upstream commit
b10f32672946ad638a430cc4289029b7acf8e979 ]
It looks like the FW on QCA9984 already reports the tx airtimes before
the station is added to the peer entry. The peer entry is created in
ath10k_peer_map_event() just with the vdev_id and the ethaddr, but
not with a station entry, this is added later in ath10k_peer_create() in
callbacks from mac80211.
When there is no sta added to the peer entry, this function fails
because it calls ieee80211_sta_register_airtime() with NULL.
This was reported in OpenWrt some time ago:
https://bugs.openwrt.org/index.php?do=details&task_id=2414
This commit should fix this crash:
[ 75.991714] Unable to handle kernel paging request at virtual address
fffff9e8
[ 75.991756] pgd =
c0204000
[ 75.997955] [
fffff9e8] *pgd=
5fdfd861, *pte=
00000000, *ppte=
00000000
[ 76.000537] Internal error: Oops: 37 [#1] SMP ARM
[ 76.006686] Modules linked in: pppoe ppp_async ath10k_pci ath10k_core ath pptp pppox ppp_mppe ppp_generic mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_esp xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY usbserial slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink iptable_raw iptable_mangle iptable_filter ipt_ah ipt_ECN ip_tables crc_ccitt compat chaoskey fuse sch_cake sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32
[ 76.059974] cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred ledtrig_usbport xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6t_NPT ip6t_MASQUERADE nf_nat_masquerade_ipv6 nf_nat nf_conntrack nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 msdos ip_gre gre ifb sit tunnel4 ip_tunnel tun vfat fat hfsplus cifs nls_utf8 nls_iso8859_15 nls_iso8859_1 nls_cp850 nls_cp437 nls_cp1250 sha1_generic md5 md4
[ 76.130634] usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_hcd dwc3 dwc3_of_simple ohci_platform ohci_hcd phy_qcom_dwc3 ahci ehci_platform sd_mod ahci_platform libahci_platform libahci libata scsi_mod ehci_hcd gpio_button_hotplug ext4 mbcache jbd2 exfat crc32c_generic
[ 76.154772] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.132 #0
[ 76.177001] Hardware name: Generic DT based system
[ 76.182990] task:
c0b06d80 task.stack:
c0b00000
[ 76.187832] PC is at ieee80211_sta_register_airtime+0x24/0x148 [mac80211]
[ 76.192211] LR is at ath10k_htt_t2h_msg_handler+0x678/0x10f4 [ath10k_core]
[ 76.199052] pc : [<
bf75bfac>] lr : [<
bf83e8b0>] psr:
a0000113
[ 76.205820] sp :
c0b01d54 ip :
00000002 fp :
bf869c0c
[ 76.211981] r10:
0000003c r9 :
dbdca138 r8 :
00060002
[ 76.217192] r7 :
00000000 r6 :
dabe1150 r5 :
00000000 r4 :
dbdc95c0
[ 76.222401] r3 :
00000000 r2 :
00060002 r1 :
00000000 r0 :
00000000
[ 76.229003] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 76.235509] Control:
10c5787d Table:
5c94006a DAC:
00000051
[ 76.242716] Process swapper/0 (pid: 0, stack limit = 0xc0b00210)
[ 76.248446] Stack: (0xc0b01d54 to 0xc0b02000)
[ 76.254532] 1d40:
dbdc95c0 00000000 dabe1150
[ 76.258808] 1d60:
00000001 dabe1150 dbdca138 0000003c bf869c0c bf83e8b0 00000002 c0314b10
[ 76.266969] 1d80:
dbdc9c70 00000001 00000001 dabe114c 00010000 00000000 dbdcd724 bf88f3d8
[ 76.275126] 1da0:
c0310d28 db393c00 dbdc95c0 00000000 c0b01dd0 c07fb4c4 dbdcd724 00000001
[ 76.283286] 1dc0:
00000022 bf88b09c db393c00 00000022 c0b01dd0 c0b01dd0 00000000 dbdcc5c0
[ 76.291445] 1de0:
bf88f04c dbdcd654 dbdcd71c dbdc95c0 00000014 dbdcd724 dbdcc5c0 00000005
[ 76.299605] 1e00:
0004b400 bf85c360 00000000 bf87101c c0b01e24 00000006 00000000 dbdc95c0
[ 76.307764] 1e20:
00000001 00000040 0000012c c0b01e80 1cf51000 bf85c448 dbdcd440 dbdc95c0
[ 76.315925] 1e40:
dbdca440 ffffa880 00000040 bf88cb68 dbdcd440 00000001 00000040 ffffa880
[ 76.324084] 1e60:
c0b02d00 c06d72e0 dd990080 c0a3f080 c0b255dc c0b047e4 c090afac c090e80c
[ 76.332244] 1e80:
c0b01e80 c0b01e80 c0b01e88 c0b01e88 dd4cc200 00000000 00000003 c0b0208c
[ 76.340405] 1ea0:
c0b02080 40000003 ffffe000 00000100 c0b02080 c03015c8 00000000 00000001
[ 76.348564] 1ec0:
dd408000 c0a38210 c0b2c7c0 0000000a ffffa880 c0b02d00 c07fb764 00200102
[ 76.356723] 1ee0:
dd4cc268 c0a3e414 00000000 00000000 00000001 dd408000 de803000 00000000
[ 76.364883] 1f00:
00000000 c03247cc c0a3e414 c0368f1c c0b03f60 c0b153cc de80200c de802000
[ 76.373042] 1f20:
c0b01f48 c0301488 c0308630 60000013 ffffffff c0b01f7c 00000000 c0b00000
[ 76.381204] 1f40:
00000000 c030c08c 00000001 00000000 00000000 c0315180 ffffe000 c0b03cc0
[ 76.389363] 1f60:
c0b03c70 00000000 00000000 c0a2da28 00000000 00000000 c0b01f90 c0b01f98
[ 76.397522] 1f80:
c030862c c0308630 60000013 ffffffff 00000051 00000000 ffffe000 c035dd18
[ 76.405681] 1fa0:
000000bf c0b03c40 00000000 c0b2c000 dddfce80 c035e060 c0b2c040 c0a00cf4
[ 76.413842] 1fc0:
ffffffff ffffffff 00000000 c0a0067c c0a2da28 00000000 00000000 c0b2c1d4
[ 76.422001] 1fe0:
c0b03c5c c0a2da24 c0b07ee0 4220406a 512f04d0 4220807c 00000000 00000000
[ 76.430335] [<
bf75bfac>] (ieee80211_sta_register_airtime [mac80211]) from [<
00000002>] (0x2)
[ 76.438314] Code:
e1cd81f0 e1a08002 e1cda1f8 e58de020 (
e5102618)
[ 76.446965] ---[ end trace
227a38ade964d642 ]---
Fixes: bb31b7cb106c ("ath10k: report tx airtime provided by fw")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Martin Tsai [Thu, 22 Aug 2019 02:02:13 +0000 (10:02 +0800)]
drm/amd/display: Handle virtual signal type in disable_link()
[ Upstream commit
616f5b65f1c02d3d6ae370644670d14c57de2fd8 ]
[Why]
The new implementation changed the behavior to allow process setMode
to DAL when DAL returns empty mode query for unplugged display.
This will trigger additional disable_link().
When unplug HDMI from MST dock, driver will update stream->signal to
"Virtual". disable_link() will call disable_output() if the signal type
is not DP and induce other displays on MST dock show black screen.
[How]
Don't need to process disable_output() if the signal type is virtual.
Signed-off-by: Martin Tsai <martin.tsai@amd.com>
Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wenwen Wang [Thu, 15 Aug 2019 21:04:31 +0000 (16:04 -0500)]
ath10k: add cleanup in ath10k_sta_state()
[ Upstream commit
334f5b61a6f29834e881923b98d1e27e5ce9620d ]
If 'sta->tdls' is false, no cleanup is executed, leading to memory/resource
leaks, e.g., 'arsta->tx_stats'. To fix this issue, perform cleanup before
go to the 'exit' label.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mikita Lipski [Fri, 23 Aug 2019 17:26:24 +0000 (13:26 -0400)]
drm/amd/display: Rebuild mapped resources after pipe split
[ Upstream commit
387596ef2859c37d564ce15abddbc9063a132e2c ]
[why]
The issue is specific for linux, as on timings such as 8K@60
or 4K@144 DSC should be working in combination with ODM Combine
in order to ensure that we can run those timings. The validation
for those timings was passing, but when pipe split was happening
second pipe wasn't being programmed.
[how]
Rebuild mapped resources if we split stream for ODM.
Signed-off-by: Mikita Lipski <mikita.lipski@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christian König [Mon, 16 Sep 2019 15:20:47 +0000 (10:20 -0500)]
drm/ttm: return -EBUSY on pipelining with no_gpu_wait (v2)
[ Upstream commit
3084cf46cf8110826a42de8c8ef30e8fa48974c2 ]
Setting the no_gpu_wait flag means that the allocate BO must be available
immediately and we can't wait for any GPU operation to finish.
v2: squash in mem leak fix, rebase
Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christian König [Mon, 9 Sep 2019 11:57:32 +0000 (13:57 +0200)]
drm/amdgpu: grab the id mgr lock while accessing passid_mapping
[ Upstream commit
6817bf283b2b851095825ec7f0e9f10398e09125 ]
Need to make sure that we actually dropping the right fence.
Could be done with RCU as well, but to complicated for a fix.
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Chunming Zhou <david1.zhou@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jack Zhang [Tue, 10 Sep 2019 04:29:14 +0000 (12:29 +0800)]
drm/amdgpu/sriov: add ring_stop before ring_create in psp v11 code
[ Upstream commit
51c0f58e9f6af3a387d14608033e6796a7ad90ee ]
psp v11 code missed ring stop in ring create function(VMR)
while psp v3.1 code had the code. This will cause VM destroy1
fail and psp ring create fail.
For SIOV-VF, ring_stop should not be deleted in ring_create
function.
Signed-off-by: Jack Zhang <Jack.Zhang1@amd.com>
Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Krzysztof Wilczynski [Fri, 13 Sep 2019 20:24:13 +0000 (22:24 +0200)]
iio: light: bh1750: Resolve compiler warning and make code more readable
[ Upstream commit
f552fde983d378e7339f9ea74a25f918563bf0d3 ]
Separate the declaration of struct bh1750_chip_info from definition
of bh1750_chip_info_tbl[] in a single statement as it makes the code
hard to read, and with the extra newline it makes it look as if the
bh1750_chip_info_tbl[] had no explicit type.
This change also resolves the following compiler warning about the
unusual position of the static keyword that can be seen when building
with warnings enabled (W=1):
drivers/iio/light/bh1750.c:64:1: warning:
‘static’ is not at beginning of declaration [-Wold-style-declaration]
Related to commit
3a11fbb037a1 ("iio: light: add support for ROHM
BH1710/BH1715/BH1721/BH1750/BH1751 ambient light sensors").
Signed-off-by: Krzysztof Wilczynski <kw@linux.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrea Merello [Mon, 9 Sep 2019 12:58:17 +0000 (14:58 +0200)]
iio: max31856: add missing of_node and parent references to iio_dev
[ Upstream commit
505ea3ada665c466d0064b11b6e611b7f995517d ]
Adding missing indio_dev->dev.of_node references so that, in case multiple
max31856 are present, users can get some clues to being able to distinguish
each of them. While at it, add also the missing parent reference.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jaehyun Chung [Mon, 19 Aug 2019 20:45:05 +0000 (16:45 -0400)]
drm/amd/display: OTC underflow fix
[ Upstream commit
785908cf19c9eb4803f6bf9c0a7447dc3661d5c3 ]
[Why] Underflow occurs on some display setups(repro'd on 3x4K HDR) on boot,
mode set, and hot-plugs with. Underflow occurs because mem clk
is not set high after disabling pstate switching. This behaviour occurs
because some calculations assumed displays were synchronized.
[How] Add a condition to check if timing sync is disabled so that
synchronized vblank can be set to false.
Signed-off-by: Jaehyun Chung <jaehyun.chung@amd.com>
Reviewed-by: Alvin Lee <Alvin.Lee2@amd.com>
Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Brian Masney [Thu, 15 Aug 2019 00:48:46 +0000 (20:48 -0400)]
drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings
[ Upstream commit
2708e876272d89bbbff811d12834adbeef85f022 ]
Silence two warning messages that occur due to -EPROBE_DEFER errors to
help cleanup the system boot log.
Signed-off-by: Brian Masney <masneyb@onstation.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190815004854.19860-4-masneyb@onstation.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jing Zhou [Thu, 22 Aug 2019 06:26:33 +0000 (14:26 +0800)]
drm/amd/display: verify stream link before link test
[ Upstream commit
b131932215c993ea5adf8192d1de2e8d6b23048d ]
[Why]
DP1.2 LL CTS test failure.
[How]
The failure is caused by not verify stream link is equal
to link, only check stream and link is not null.
Signed-off-by: Jing Zhou <Jing.Zhou@amd.com>
Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
Acked-by: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Daniel Vetter [Wed, 4 Sep 2019 14:39:42 +0000 (16:39 +0200)]
drm: Use EOPNOTSUPP, not ENOTSUPP
[ Upstream commit
c7581a414d28413c1dd6d116d44859b5a52e0950 ]
- it's what we recommend in our docs:
https://dri.freedesktop.org/docs/drm/gpu/drm-uapi.html#recommended-ioctl-return-values
- it's the overwhelmingly used error code for "operation not
supported", at least in drm core (slightly less so in drivers):
$ git grep EOPNOTSUPP -- drivers/gpu/drm/*c | wc -l
83
$ git grep ENOTSUPP -- drivers/gpu/drm/*c | wc -l
5
- include/linux/errno.h makes it fairly clear that these are for nfsv3
(plus they also have error codes above 512, which is the block with
some special behaviour ...)
/* Defined for the NFSv3 protocol */
If the above isn't reflecting current practice, then I guess we should
at least update the docs.
Noralf commented:
Ben Hutchings made this comment[1] in a thread about use of ENOTSUPP in
drivers:
glibc's strerror() returns these strings for ENOTSUPP and EOPNOTSUPP
respectively:
"Unknown error 524"
"Operation not supported"
So at least for errors returned to userspace EOPNOTSUPP makes sense.
José asked:
> Hopefully this will not break any userspace
None of the functions in drm_edid.c affected by this reach userspace,
it's all driver internal.
Same for the mipi function, that error code should be handled by
drivers. Drivers are supposed to remap "the hw is on fire" to EIO when
reporting up to userspace, but I think if a driver sees this it would
be a driver bug.
v2: Augment commit message with comments from Noralf and José
Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
Acked-by: Noralf Trønnes <noralf@tronnes.org>
Cc: José Roberto de Souza <jose.souza@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Sean Paul <sean@poorly.run>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Andres Rodriguez <andresx7@gmail.com>
Cc: Noralf Trønnes <noralf@tronnes.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190904143942.31756-1-daniel.vetter@ffwll.ch
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dariusz Marcinkiewicz [Wed, 28 Aug 2019 12:34:15 +0000 (14:34 +0200)]
drm: exynos: exynos_hdmi: use cec_notifier_conn_(un)register
[ Upstream commit
71137bfd98973efb7b762ba168df077b87b34311 ]
Use the new cec_notifier_conn_(un)register() functions to
(un)register the notifier for the HDMI connector, and fill in
the cec_connector_info.
Changes since v7:
- err_runtime_disable -> err_rpm_disable
Changes since v2:
- removed unnecessary call to invalidate phys address before
deregistering the notifier,
- use cec_notifier_phys_addr_invalidate instead of setting
invalid address on a notifier.
Signed-off-by: Dariusz Marcinkiewicz <darekm@google.com>
Tested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: use 'if (!hdata->notifier)' instead of '== NULL']
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Link: https://patchwork.freedesktop.org/patch/msgid/20190828123415.139441-1-darekm@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Laurent Pinchart [Fri, 23 Aug 2019 19:32:42 +0000 (22:32 +0300)]
drm/panel: Add missing drm_panel_init() in panel drivers
[ Upstream commit
65abbda8ed7ca48c8807d6b04a77431b438fa659 ]
Panels must be initialised with drm_panel_init(). Add the missing
function call in the panel-raspberrypi-touchscreen.c and
panel-sitronix-st7789v.c drivers.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190823193245.23876-2-laurent.pinchart@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dan Carpenter [Wed, 21 Aug 2019 07:24:56 +0000 (10:24 +0300)]
drm/mipi-dbi: fix a loop in debugfs code
[ Upstream commit
d72cf01f410aa09868d98b672f3f92328c96b32d ]
This code will likely crash if we try to do a zero byte write. The code
looks like this:
/* strip trailing whitespace */
for (i = count - 1; i > 0; i--)
if (isspace(buf[i]))
...
We're writing zero bytes so count = 0. You would think that "count - 1"
would be negative one, but because "i" is unsigned it is a large
positive numer instead. The "i > 0" condition is true and the "buf[i]"
access will be out of bounds.
The fix is to make "i" signed and now everything works as expected. The
upper bound of "count" is capped in __kernel_write() at MAX_RW_COUNT so
we don't have to worry about it being higher than INT_MAX.
Fixes: 02dd95fe3169 ("drm/tinydrm: Add MIPI DBI support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[noralf: Adjust title]
Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190821072456.GJ26957@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sean Paul [Thu, 29 Aug 2019 16:52:19 +0000 (12:52 -0400)]
drm: mst: Fix query_payload ack reply struct
[ Upstream commit
268de6530aa18fe5773062367fd119f0045f6e88 ]
Spec says[1] Allocated_PBN is 16 bits
[1]- DisplayPort 1.2 Spec, Section 2.11.9.8, Table 2-98
Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: Lyude Paul <lyude@redhat.com>
Cc: Todd Previte <tprevite@gmail.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Cc: Sean Paul <sean@poorly.run>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190829165223.129662-1-sean@poorly.run
Signed-off-by: Sasha Levin <sashal@kernel.org>
Gerd Hoffmann [Thu, 29 Aug 2019 10:32:45 +0000 (12:32 +0200)]
drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper.
[ Upstream commit
29cf12394c0565d7eb1685bf0c1b4749aa6a8b66 ]
Use drm_gem_reservation_object_wait() in virtio_gpu_wait_ioctl().
This also makes the ioctl run lockless.
v9: fix return value.
v5: handle lookup failure.
v2: use reservation_object_test_signaled_rcu for VIRTGPU_WAIT_NOWAIT.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20190829103301.3539-3-kraxel@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dariusz Marcinkiewicz [Fri, 23 Aug 2019 11:24:25 +0000 (13:24 +0200)]
drm/vc4/vc4_hdmi: fill in connector info
[ Upstream commit
66c2dee4ae10a2d841c40b9dd9c7141eb23eee76 ]
Fill in the connector info, allowing userspace to associate
the CEC device with the drm connector.
Tested on a Raspberry Pi 3B.
Signed-off-by: Dariusz Marcinkiewicz <darekm@google.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Tested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Acked-by: Eric Anholt <eric@anholt.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20190823112427.42394-2-hverkuil-cisco@xs4all.nl
Signed-off-by: Sasha Levin <sashal@kernel.org>
Takashi Iwai [Fri, 13 Dec 2019 08:51:11 +0000 (09:51 +0100)]
ALSA: hda/ca0132 - Fix work handling in delayed HP detection
commit
42fb6b1d41eb5905d77c06cad2e87b70289bdb76 upstream.
CA0132 has the delayed HP jack detection code that is invoked from the
unsol handler, but it does a few weird things: it contains the cancel
of a work inside the work handler, and yet it misses the cancel-sync
call at (runtime-)suspend. This patch addresses those issues.
Fixes: 15c2b3cc09a3 ("ALSA: hda/ca0132 - Fix possible workqueue stall")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213085111.22855-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Fri, 13 Dec 2019 08:51:10 +0000 (09:51 +0100)]
ALSA: hda/ca0132 - Avoid endless loop
commit
cb04fc3b6b076f67d228a0b7d096c69ad486c09c upstream.
Introduce a timeout to dspio_clear_response_queue() so that it won't
be caught in an endless loop even if the hardware doesn't respond
properly.
Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213085111.22855-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Fri, 13 Dec 2019 08:51:09 +0000 (09:51 +0100)]
ALSA: hda/ca0132 - Keep power on during processing DSP response
commit
377bc0cfabce0244632dada19060839ced4e6949 upstream.
We need to keep power on while processing the DSP response via unsol
event. Each snd_hda_codec_read() call does the power management, so
it should work normally, but still it's safer to keep the power up for
the whole function.
Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213085111.22855-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Wed, 11 Dec 2019 15:57:42 +0000 (16:57 +0100)]
ALSA: pcm: Avoid possible info leaks from PCM stream buffers
commit
add9d56d7b3781532208afbff5509d7382fb6efe upstream.
The current PCM code doesn't initialize explicitly the buffers
allocated for PCM streams, hence it might leak some uninitialized
kernel data or previous stream contents by mmapping or reading the
buffer before actually starting the stream.
Since this is a common problem, this patch simply adds the clearance
of the buffer data at hw_params callback. Although this does only
zero-clear no matter which format is used, which doesn't mean the
silence for some formats, but it should be OK because the intention is
just to clear the previous data on the buffer.
Reported-by: Lionel Koenig <lionel.koenig@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Filipe Manana [Fri, 6 Dec 2019 12:27:39 +0000 (12:27 +0000)]
Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues
commit
6609fee8897ac475378388238456c84298bff802 upstream.
When a tree mod log user no longer needs to use the tree it calls
btrfs_put_tree_mod_seq() to remove itself from the list of users and
delete all no longer used elements of the tree's red black tree, which
should be all elements with a sequence number less then our equals to
the caller's sequence number. However the logic is broken because it
can delete and free elements from the red black tree that have a
sequence number greater then the caller's sequence number:
1) At a point in time we have sequence numbers 1, 2, 3 and 4 in the
tree mod log;
2) The task which got assigned the sequence number 1 calls
btrfs_put_tree_mod_seq();
3) Sequence number 1 is deleted from the list of sequence numbers;
4) The current minimum sequence number is computed to be the sequence
number 2;
5) A task using sequence number 2 is at tree_mod_log_rewind() and gets
a pointer to one of its elements from the red black tree through
a call to tree_mod_log_search();
6) The task with sequence number 1 iterates the red black tree of tree
modification elements and deletes (and frees) all elements with a
sequence number less then or equals to 2 (the computed minimum sequence
number) - it ends up only leaving elements with sequence numbers of 3
and 4;
7) The task with sequence number 2 now uses the pointer to its element,
already freed by the other task, at __tree_mod_log_rewind(), resulting
in a use-after-free issue. When CONFIG_DEBUG_PAGEALLOC=y it produces
a trace like the following:
[16804.546854] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
[16804.547451] CPU: 0 PID: 28257 Comm: pool Tainted: G W 5.4.0-rc8-btrfs-next-51 #1
[16804.548059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
[16804.548666] RIP: 0010:rb_next+0x16/0x50
(...)
[16804.550581] RSP: 0018:
ffffb948418ef9b0 EFLAGS:
00010202
[16804.551227] RAX:
6b6b6b6b6b6b6b6b RBX:
ffff90e0247f6600 RCX:
6b6b6b6b6b6b6b6b
[16804.551873] RDX:
0000000000000000 RSI:
0000000000000000 RDI:
ffff90e0247f6600
[16804.552504] RBP:
ffff90dffe0d4688 R08:
0000000000000001 R09:
0000000000000000
[16804.553136] R10:
ffff90dffa4a0040 R11:
0000000000000000 R12:
000000000000002e
[16804.553768] R13:
ffff90e0247f6600 R14:
0000000000001663 R15:
ffff90dff77862b8
[16804.554399] FS:
00007f4b197ae700(0000) GS:
ffff90e036a00000(0000) knlGS:
0000000000000000
[16804.555039] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[16804.555683] CR2:
00007f4b10022000 CR3:
00000002060e2004 CR4:
00000000003606f0
[16804.556336] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[16804.556968] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[16804.557583] Call Trace:
[16804.558207] __tree_mod_log_rewind+0xbf/0x280 [btrfs]
[16804.558835] btrfs_search_old_slot+0x105/0xd00 [btrfs]
[16804.559468] resolve_indirect_refs+0x1eb/0xc70 [btrfs]
[16804.560087] ? free_extent_buffer.part.19+0x5a/0xc0 [btrfs]
[16804.560700] find_parent_nodes+0x388/0x1120 [btrfs]
[16804.561310] btrfs_check_shared+0x115/0x1c0 [btrfs]
[16804.561916] ? extent_fiemap+0x59d/0x6d0 [btrfs]
[16804.562518] extent_fiemap+0x59d/0x6d0 [btrfs]
[16804.563112] ? __might_fault+0x11/0x90
[16804.563706] do_vfs_ioctl+0x45a/0x700
[16804.564299] ksys_ioctl+0x70/0x80
[16804.564885] ? trace_hardirqs_off_thunk+0x1a/0x20
[16804.565461] __x64_sys_ioctl+0x16/0x20
[16804.566020] do_syscall_64+0x5c/0x250
[16804.566580] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[16804.567153] RIP: 0033:0x7f4b1ba2add7
(...)
[16804.568907] RSP: 002b:
00007f4b197adc88 EFLAGS:
00000246 ORIG_RAX:
0000000000000010
[16804.569513] RAX:
ffffffffffffffda RBX:
00007f4b100210d8 RCX:
00007f4b1ba2add7
[16804.570133] RDX:
00007f4b100210d8 RSI:
00000000c020660b RDI:
0000000000000003
[16804.570726] RBP:
000055de05a6cfe0 R08:
0000000000000000 R09:
00007f4b197add44
[16804.571314] R10:
0000000000000000 R11:
0000000000000246 R12:
00007f4b197add48
[16804.571905] R13:
00007f4b197add40 R14:
00007f4b100210d0 R15:
00007f4b197add50
(...)
[16804.575623] ---[ end trace
87317359aad4ba50 ]---
Fix this by making btrfs_put_tree_mod_seq() skip deletion of elements that
have a sequence number equals to the computed minimum sequence number, and
not just elements with a sequence number greater then that minimum.
Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Fri, 6 Dec 2019 16:39:00 +0000 (11:39 -0500)]
btrfs: handle ENOENT in btrfs_uuid_tree_iterate
commit
714cd3e8cba6841220dce9063a7388a81de03825 upstream.
If we get an -ENOENT back from btrfs_uuid_iter_rem when iterating the
uuid tree we'll just continue and do btrfs_next_item(). However we've
done a btrfs_release_path() at this point and no longer have a valid
path. So increment the key and go back and do a normal search.
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Fri, 6 Dec 2019 14:37:18 +0000 (09:37 -0500)]
btrfs: do not leak reloc root if we fail to read the fs root
commit
ca1aa2818a53875cfdd175fb5e9a2984e997cce9 upstream.
If we fail to read the fs root corresponding with a reloc root we'll
just break out and free the reloc roots. But we remove our current
reloc_root from this list higher up, which means we'll leak this
reloc_root. Fix this by adding ourselves back to the reloc_roots list
so we are properly cleaned up.
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Fri, 6 Dec 2019 14:37:17 +0000 (09:37 -0500)]
btrfs: skip log replay on orphaned roots
commit
9bc574de590510eff899c3ca8dbaf013566b5efe upstream.
My fsstress modifications coupled with generic/475 uncovered a failure
to mount and replay the log if we hit a orphaned root. We do not want
to replay the log for an orphan root, but it's completely legitimate to
have an orphaned root with a log attached. Fix this by simply skipping
replaying the log. We still need to pin it's root node so that we do
not overwrite it while replaying other logs, as we re-read the log root
at every stage of the replay.
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Fri, 6 Dec 2019 14:37:15 +0000 (09:37 -0500)]
btrfs: abort transaction after failed inode updates in create_subvol
commit
c7e54b5102bf3614cadb9ca32d7be73bad6cecf0 upstream.
We can just abort the transaction here, and in fact do that for every
other failure in this function except these two cases.
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Anand Jain [Thu, 5 Dec 2019 11:39:07 +0000 (19:39 +0800)]
btrfs: send: remove WARN_ON for readonly mount
commit
fbd542971aa1e9ec33212afe1d9b4f1106cd85a1 upstream.
We log warning if root::orphan_cleanup_state is not set to
ORPHAN_CLEANUP_DONE in btrfs_ioctl_send(). However if the filesystem is
mounted as readonly we skip the orphan item cleanup during the lookup
and root::orphan_cleanup_state remains at the init state 0 instead of
ORPHAN_CLEANUP_DONE (2). So during send in btrfs_ioctl_send() we hit the
warning as below.
WARN_ON(send_root->orphan_cleanup_state != ORPHAN_CLEANUP_DONE);
WARNING: CPU: 0 PID: 2616 at /Volumes/ws/btrfs-devel/fs/btrfs/send.c:7090 btrfs_ioctl_send+0xb2f/0x18c0 [btrfs]
::
RIP: 0010:btrfs_ioctl_send+0xb2f/0x18c0 [btrfs]
::
Call Trace:
::
_btrfs_ioctl_send+0x7b/0x110 [btrfs]
btrfs_ioctl+0x150a/0x2b00 [btrfs]
::
do_vfs_ioctl+0xa9/0x620
? __fget+0xac/0xe0
ksys_ioctl+0x60/0x90
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x49/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reproducer:
mkfs.btrfs -fq /dev/sdb
mount /dev/sdb /btrfs
btrfs subvolume create /btrfs/sv1
btrfs subvolume snapshot -r /btrfs/sv1 /btrfs/ss1
umount /btrfs
mount -o ro /dev/sdb /btrfs
btrfs send /btrfs/ss1 -f /tmp/f
The warning exists because having orphan inodes could confuse send and
cause it to fail or produce incorrect streams. The two cases that would
cause such send failures, which are already fixed are:
1) Inodes that were unlinked - these are orphanized and remain with a
link count of 0. These caused send operations to fail because it
expected to always find at least one path for an inode. However this
is no longer a problem since send is now able to deal with such
inodes since commit
46b2f4590aab ("Btrfs: fix send failure when root
has deleted files still open") and treats them as having been
completely removed (the state after an orphan cleanup is performed).
2) Inodes that were in the process of being truncated. These resulted in
send not knowing about the truncation and potentially issue write
operations full of zeroes for the range from the new file size to the
old file size. This is no longer a problem because we no longer
create orphan items for truncation since commit
f7e9e8fc792f ("Btrfs:
stop creating orphan items for truncate").
As such before these commits, the WARN_ON here provided a clue in case
something went wrong. Instead of being a warning against the
root::orphan_cleanup_state value, it could have been more accurate by
checking if there were actually any orphan items, and then issue a
warning only if any exists, but that would be more expensive to check.
Since orphanized inodes no longer cause problems for send, just remove
the warning.
Reported-by: Christoph Anton Mitterer <calestyo@scientia.net>
Link: https://lore.kernel.org/linux-btrfs/21cb5e8d059f6e1496a903fa7bfc0a297e2f5370.camel@scientia.net/
CC: stable@vger.kernel.org # 4.19+
Suggested-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Filipe Manana [Thu, 5 Dec 2019 16:58:30 +0000 (16:58 +0000)]
Btrfs: fix missing data checksums after replaying a log tree
commit
40e046acbd2f369cfbf93c3413639c66514cec2d upstream.
When logging a file that has shared extents (reflinked with other files or
with itself), we can end up logging multiple checksum items that cover
overlapping ranges. This confuses the search for checksums at log replay
time causing some checksums to never be added to the fs/subvolume tree.
Consider the following example of a file that shares the same extent at
offsets 0 and 256Kb:
[ bytenr
13893632, offset 64Kb, len 64Kb ]
0 64Kb
[ bytenr
13631488, offset 64Kb, len 192Kb ]
64Kb 256Kb
[ bytenr
13893632, offset 0, len 256Kb ]
256Kb 512Kb
When logging the inode, at tree-log.c:copy_items(), when processing the
file extent item at offset 0, we log a checksum item covering the range
13959168 to
14024704, which corresponds to
13893632 + 64Kb and
13893632 +
64Kb + 64Kb, respectively.
Later when processing the extent item at offset 256K, we log the checksums
for the range from
13893632 to
14155776 (which corresponds to
13893632 +
256Kb). These checksums get merged with the checksum item for the range
from
13631488 to
13893632 (
13631488 + 256Kb), logged by a previous fsync.
So after this we get the two following checksum items in the log tree:
(...)
item 6 key (EXTENT_CSUM EXTENT_CSUM
13631488) itemoff 3095 itemsize 512
range start
13631488 end
14155776 length 524288
item 7 key (EXTENT_CSUM EXTENT_CSUM
13959168) itemoff 3031 itemsize 64
range start
13959168 end
14024704 length 65536
The first one covers the range from the second one, they overlap.
So far this does not cause a problem after replaying the log, because
when replaying the file extent item for offset 256K, we copy all the
checksums for the extent
13893632 from the log tree to the fs/subvolume
tree, since searching for an checksum item for bytenr
13893632 leaves us
at the first checksum item, which covers the whole range of the extent.
However if we write 64Kb to file offset 256Kb for example, we will
not be able to find and copy the checksums for the last 128Kb of the
extent at bytenr
13893632, referenced by the file range 384Kb to 512Kb.
After writing 64Kb into file offset 256Kb we get the following extent
layout for our file:
[ bytenr
13893632, offset 64K, len 64Kb ]
0 64Kb
[ bytenr
13631488, offset 64Kb, len 192Kb ]
64Kb 256Kb
[ bytenr
14155776, offset 0, len 64Kb ]
256Kb 320Kb
[ bytenr
13893632, offset 64Kb, len 192Kb ]
320Kb 512Kb
After fsync'ing the file, if we have a power failure and then mount
the filesystem to replay the log, the following happens:
1) When replaying the file extent item for file offset 320Kb, we
lookup for the checksums for the extent range from
13959168
(
13893632 + 64Kb) to
14155776 (
13893632 + 256Kb), through a call
to btrfs_lookup_csums_range();
2) btrfs_lookup_csums_range() finds the checksum item that starts
precisely at offset
13959168 (item 7 in the log tree, shown before);
3) However that checksum item only covers 64Kb of data, and not 192Kb
of data;
4) As a result only the checksums for the first 64Kb of data referenced
by the file extent item are found and copied to the fs/subvolume tree.
The remaining 128Kb of data, file range 384Kb to 512Kb, doesn't get
the corresponding data checksums found and copied to the fs/subvolume
tree.
5) After replaying the log userspace will not be able to read the file
range from 384Kb to 512Kb, because the checksums are missing and
resulting in an -EIO error.
The following steps reproduce this scenario:
$ mkfs.btrfs -f /dev/sdc
$ mount /dev/sdc /mnt/sdc
$ xfs_io -f -c "pwrite -S 0xa3 0 256K" /mnt/sdc/foobar
$ xfs_io -c "fsync" /mnt/sdc/foobar
$ xfs_io -c "pwrite -S 0xc7 256K 256K" /mnt/sdc/foobar
$ xfs_io -c "reflink /mnt/sdc/foobar 320K 0 64K" /mnt/sdc/foobar
$ xfs_io -c "fsync" /mnt/sdc/foobar
$ xfs_io -c "pwrite -S 0xe5 256K 64K" /mnt/sdc/foobar
$ xfs_io -c "fsync" /mnt/sdc/foobar
<power failure>
$ mount /dev/sdc /mnt/sdc
$ md5sum /mnt/sdc/foobar
md5sum: /mnt/sdc/foobar: Input/output error
$ dmesg | tail
[165305.003464] BTRFS info (device sdc): no csum found for inode 257 start 401408
[165305.004014] BTRFS info (device sdc): no csum found for inode 257 start 405504
[165305.004559] BTRFS info (device sdc): no csum found for inode 257 start 409600
[165305.005101] BTRFS info (device sdc): no csum found for inode 257 start 413696
[165305.005627] BTRFS info (device sdc): no csum found for inode 257 start 417792
[165305.006134] BTRFS info (device sdc): no csum found for inode 257 start 421888
[165305.006625] BTRFS info (device sdc): no csum found for inode 257 start 425984
[165305.007278] BTRFS info (device sdc): no csum found for inode 257 start 430080
[165305.008248] BTRFS warning (device sdc): csum failed root 5 ino 257 off 393216 csum 0x1337385e expected csum 0x00000000 mirror 1
[165305.009550] BTRFS warning (device sdc): csum failed root 5 ino 257 off 393216 csum 0x1337385e expected csum 0x00000000 mirror 1
Fix this simply by deleting first any checksums, from the log tree, for the
range of the extent we are logging at copy_items(). This ensures we do not
get checksum items in the log tree that have overlapping ranges.
This is a long time issue that has been present since we have the clone
(and deduplication) ioctl, and can happen both when an extent is shared
between different files and within the same file.
A test case for fstests follows soon.
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Tue, 3 Dec 2019 11:24:58 +0000 (14:24 +0300)]
btrfs: return error pointer from alloc_test_extent_buffer
commit
b6293c821ea8fa2a631a2112cd86cd435effeb8b upstream.
Callers of alloc_test_extent_buffer have not correctly interpreted the
return value as error pointer, as alloc_test_extent_buffer should behave
as alloc_extent_buffer. The self-tests were unaffected but
btrfs_find_create_tree_block could call both functions and that would
cause problems up in the call chain.
Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Filipe Manana [Mon, 2 Dec 2019 11:01:03 +0000 (11:01 +0000)]
Btrfs: make tree checker detect checksum items with overlapping ranges
commit
ad1d8c439978ede77cbf73cbdd11bafe810421a5 upstream.
Having checksum items, either on the checksums tree or in a log tree, that
represent ranges that overlap each other is a sign of a corruption. Such
case confuses the checksum lookup code and can result in not being able to
find checksums or find stale checksums.
So add a check for such case.
This is motivated by a recent fix for a case where a log tree had checksum
items covering ranges that overlap each other due to extent cloning, and
resulted in missing checksums after replaying the log tree. It also helps
detect past issues such as stale and outdated checksums due to overlapping,
commit
27b9a8122ff71a ("Btrfs: fix csum tree corruption, duplicate and
outdated checksums").
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Tue, 19 Nov 2019 18:59:35 +0000 (13:59 -0500)]
btrfs: do not call synchronize_srcu() in inode_tree_del
commit
f72ff01df9cf5db25c76674cac16605992d15467 upstream.
Testing with the new fsstress uncovered a pretty nasty deadlock with
lookup and snapshot deletion.
Process A
unlink
-> final iput
-> inode_tree_del
-> synchronize_srcu(subvol_srcu)
Process B
btrfs_lookup <- srcu_read_lock() acquired here
-> btrfs_iget
-> find inode that has I_FREEING set
-> __wait_on_freeing_inode()
We're holding the srcu_read_lock() while doing the iget in order to make
sure our fs root doesn't go away, and then we are waiting for the inode
to finish freeing. However because the free'ing process is doing a
synchronize_srcu() we deadlock.
Fix this by dropping the synchronize_srcu() in inode_tree_del(). We
don't need people to stop accessing the fs root at this point, we're
only adding our empty root to the dead roots list.
A larger much more invasive fix is forthcoming to address how we deal
with fs roots, but this fixes the immediate problem.
Fixes: 76dda93c6ae2 ("Btrfs: add snapshot/subvolume destroy ioctl")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josef Bacik [Tue, 19 Nov 2019 18:59:20 +0000 (13:59 -0500)]
btrfs: don't double lock the subvol_sem for rename exchange
commit
943eb3bf25f4a7b745dd799e031be276aa104d82 upstream.
If we're rename exchanging two subvols we'll try to lock this lock
twice, which is bad. Just lock once if either of the ino's are subvols.
Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephan Gerhold [Mon, 9 Dec 2019 18:53:43 +0000 (19:53 +0100)]
NFC: nxp-nci: Fix probing without ACPI
[ Upstream commit
868afbaca1e2a7923e48b5e8c07be34660525db5 ]
devm_acpi_dev_add_driver_gpios() returns -ENXIO if CONFIG_ACPI
is disabled (e.g. on device tree platforms).
In this case, nxp-nci will silently fail to probe.
The other NFC drivers only log a debug message if
devm_acpi_dev_add_driver_gpios() fails.
Do the same in nxp-nci to fix this problem.
Fixes: ad0acfd69add ("NFC: nxp-nci: Get rid of code duplication in ->probe()")
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Florian Fainelli [Fri, 13 Dec 2019 20:00:27 +0000 (12:00 -0800)]
net: dsa: b53: Fix egress flooding settings
[ Upstream commit
63cc54a6f0736a432b04308a74677ab0ba8a58ee ]
There were several issues with
53568438e381 ("net: dsa: b53: Add support for port_egress_floods callback") that resulted in breaking connectivity for standalone ports:
- both user and CPU ports must allow unicast and multicast forwarding by
default otherwise this just flat out breaks connectivity for
standalone DSA ports
- IP multicast is treated similarly as multicast, but has separate
control registers
- the UC, MC and IPMC lookup failure register offsets were wrong, and
instead used bit values that are meaningful for the
B53_IP_MULTICAST_CTRL register
Fixes: 53568438e381 ("net: dsa: b53: Add support for port_egress_floods callback")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Padmanabhan Rajanbabu [Thu, 19 Dec 2019 10:17:01 +0000 (15:47 +0530)]
net: stmmac: platform: Fix MDIO init for platforms without PHY
[ Upstream commit
d3e014ec7d5ebe9644b5486bc530b91e62bbf624 ]
The current implementation of "stmmac_dt_phy" function initializes
the MDIO platform bus data, even in the absence of PHY. This fix
will skip MDIO initialization if there is no PHY present.
Fixes: 7437127 ("net: stmmac: Convert to phylink and remove phylib logic")
Acked-by: Jayati Sahu <jayati.sahu@samsung.com>
Signed-off-by: Sriram Dash <sriram.dash@samsung.com>
Signed-off-by: Padmanabhan Rajanbabu <p.rajanbabu@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Grygorii Strashko [Mon, 9 Dec 2019 11:19:24 +0000 (13:19 +0200)]
net: ethernet: ti: davinci_cpdma: fix warning "device driver frees DMA memory with different size"
[ Upstream commit
8a2b22203f8596729c54eba221b4044351bfe167 ]
The TI CPSW(s) driver produces warning with DMA API debug options enabled:
WARNING: CPU: 0 PID: 1033 at kernel/dma/debug.c:1025 check_unmap+0x4a8/0x968
DMA-API: cpsw
48484000.ethernet: device driver frees DMA memory with different size
[device address=0x00000000abc6aa02] [map size=64 bytes] [unmap size=42 bytes]
CPU: 0 PID: 1033 Comm: ping Not tainted 5.3.0-dirty #41
Hardware name: Generic DRA72X (Flattened Device Tree)
[<
c0112c60>] (unwind_backtrace) from [<
c010d270>] (show_stack+0x10/0x14)
[<
c010d270>] (show_stack) from [<
c09bc564>] (dump_stack+0xd8/0x110)
[<
c09bc564>] (dump_stack) from [<
c013b93c>] (__warn+0xe0/0x10c)
[<
c013b93c>] (__warn) from [<
c013b9ac>] (warn_slowpath_fmt+0x44/0x6c)
[<
c013b9ac>] (warn_slowpath_fmt) from [<
c01e0368>] (check_unmap+0x4a8/0x968)
[<
c01e0368>] (check_unmap) from [<
c01e08a8>] (debug_dma_unmap_page+0x80/0x90)
[<
c01e08a8>] (debug_dma_unmap_page) from [<
c0752414>] (__cpdma_chan_free+0x114/0x16c)
[<
c0752414>] (__cpdma_chan_free) from [<
c07525c4>] (__cpdma_chan_process+0x158/0x17c)
[<
c07525c4>] (__cpdma_chan_process) from [<
c0753690>] (cpdma_chan_process+0x3c/0x5c)
[<
c0753690>] (cpdma_chan_process) from [<
c0758660>] (cpsw_tx_mq_poll+0x48/0x94)
[<
c0758660>] (cpsw_tx_mq_poll) from [<
c0803018>] (net_rx_action+0x108/0x4e4)
[<
c0803018>] (net_rx_action) from [<
c010230c>] (__do_softirq+0xec/0x598)
[<
c010230c>] (__do_softirq) from [<
c0143914>] (do_softirq.part.4+0x68/0x74)
[<
c0143914>] (do_softirq.part.4) from [<
c0143a44>] (__local_bh_enable_ip+0x124/0x17c)
[<
c0143a44>] (__local_bh_enable_ip) from [<
c0871590>] (ip_finish_output2+0x294/0xb7c)
[<
c0871590>] (ip_finish_output2) from [<
c0875440>] (ip_output+0x210/0x364)
[<
c0875440>] (ip_output) from [<
c0875e2c>] (ip_send_skb+0x1c/0xf8)
[<
c0875e2c>] (ip_send_skb) from [<
c08a7fd4>] (raw_sendmsg+0x9a8/0xc74)
[<
c08a7fd4>] (raw_sendmsg) from [<
c07d6b90>] (sock_sendmsg+0x14/0x24)
[<
c07d6b90>] (sock_sendmsg) from [<
c07d8260>] (__sys_sendto+0xbc/0x100)
[<
c07d8260>] (__sys_sendto) from [<
c01011ac>] (__sys_trace_return+0x0/0x14)
Exception stack(0xea9a7fa8 to 0xea9a7ff0)
...
The reason is that cpdma_chan_submit_si() now stores original buffer length
(sw_len) in CPDMA descriptor instead of adjusted buffer length (hw_len)
used to map the buffer.
Hence, fix an issue by passing correct buffer length in CPDMA descriptor.
Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Fixes: 6670acacd59e ("net: ethernet: ti: davinci_cpdma: add dma mapped submit")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Reviewed-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ido Schimmel [Mon, 9 Dec 2019 06:55:20 +0000 (08:55 +0200)]
mlxsw: spectrum_router: Remove unlikely user-triggerable warning
[ Upstream commit
62201c00c4679ad8f0730d6d925a5d23651dfad2 ]
In case the driver vetoes the addition of an IPv6 multipath route, the
IPv6 stack will emit delete notifications for the sibling routes that
were already added to the FIB trie. Since these siblings are not present
in hardware, a warning will be generated.
Have the driver ignore notifications for routes it does not have.
Fixes: ebee3cad835f ("ipv6: Add IPv6 multipath notifications for add / replace")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ioana Ciornei [Mon, 16 Dec 2019 15:32:30 +0000 (17:32 +0200)]
dpaa2-ptp: fix double free of the ptp_qoriq IRQ
[ Upstream commit
daa6eb5a149519583c8a8cb31945f06417d21902 ]
Upon reusing the ptp_qoriq driver, the ptp_qoriq_free() function was
used on the remove path to free any allocated resources.
The ptp_qoriq IRQ is among these resources that are freed in
ptp_qoriq_free() even though it is also a managed one (allocated using
devm_request_threaded_irq).
Drop the resource managed version of requesting the IRQ in order to not
trigger a double free of the interrupt as below:
[ 226.731005] Trying to free already-free IRQ 126
[ 226.735533] WARNING: CPU: 6 PID: 749 at kernel/irq/manage.c:1707
__free_irq+0x9c/0x2b8
[ 226.743435] Modules linked in:
[ 226.746480] CPU: 6 PID: 749 Comm: bash Tainted: G W
5.4.0-03629-gfd7102c32b2c-dirty #912
[ 226.755857] Hardware name: NXP Layerscape LX2160ARDB (DT)
[ 226.761244] pstate:
40000085 (nZcv daIf -PAN -UAO)
[ 226.766022] pc : __free_irq+0x9c/0x2b8
[ 226.769758] lr : __free_irq+0x9c/0x2b8
[ 226.773493] sp :
ffff8000125039f0
(...)
[ 226.856275] Call trace:
[ 226.858710] __free_irq+0x9c/0x2b8
[ 226.862098] free_irq+0x30/0x70
[ 226.865229] devm_irq_release+0x14/0x20
[ 226.869054] release_nodes+0x1b0/0x220
[ 226.872790] devres_release_all+0x34/0x50
[ 226.876790] device_release_driver_internal+0x100/0x1c0
Fixes: d346c9e86d86 ("dpaa2-ptp: reuse ptp_qoriq driver")
Cc: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arthur Kiyanovski [Thu, 19 Dec 2019 15:40:56 +0000 (17:40 +0200)]
net: ena: fix issues in setting interrupt moderation params in ethtool
[ Upstream commit
41c53caa5a61ebc9221b71cc37f4a90549f1121d ]
Issue 1:
--------
Reproduction steps:
1. sudo ethtool -C eth0 rx-usecs 128
2. sudo ethtool -C eth0 adaptive-rx on
3. sudo ethtool -C eth0 adaptive-rx off
4. ethtool -c eth0
expected output: rx-usecs 128
actual output: rx-usecs 0
Reason for issue:
In stage 3, ethtool userspace calls first the ena_get_coalesce() handler
to get the current value of all properties, and then the ena_set_coalesce()
handler. When ena_get_coalesce() is called the adaptive interrupt
moderation is still on. There is an if in the code that returns the
rx_coalesce_usecs only if the adaptive interrupt moderation is off.
And since it is still on, rx_coalesce_usecs is not set, meaning it
stays 0.
Solution to issue:
Remove this if static interrupt moderation intervals have nothing to do
with dynamic ones.
Issue 2:
--------
Reproduction steps:
1. sudo ethtool -C eth0 adaptive-rx on
2. sudo ethtool -C eth0 rx-usecs 128
3. ethtool -c eth0
expected output: rx-usecs 128
actual output: rx-usecs 0
Reason for issue:
In stage 2, when ena_set_coalesce() is called, the handler tests if
rx adaptive interrupt moderation is on, and if it is, it returns before
getting to the part in the function that sets the rx non-adaptive
interrupt moderation interval.
Solution to issue:
Remove the return from the function when rx adaptive interrupt moderation
is on.
Also cleaned up the fixed code in ena_set_coalesce by grouping together
adaptive interrupt moderation toggling, and using && instead of nested
ifs.
Fixes: b3db86dc4b82 ("net: ena: reimplement set/get_coalesce()")
Fixes: 0eda847953d8 ("net: ena: fix retrieval of nonadaptive interrupt moderation intervals")
Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arthur Kiyanovski [Thu, 19 Dec 2019 15:40:55 +0000 (17:40 +0200)]
net: ena: fix default tx interrupt moderation interval
[ Upstream commit
05785adf6e570a068adf0502b61fe2b521d7f0ca ]
Current default non-adaptive tx interrupt moderation interval is 196 us.
This value is too high and might cause the tx queue to fill up.
In this commit we set the default non-adaptive tx interrupt moderation
interval to 64 us in order to:
1. Reduce the probability of the queue filling-up (when compared to the
current default value of 196 us).
2. Reduce unnecessary tx interrupt overhead (which happens if we set the
default tx interval to 0).
We determined experimentally that 64 us is an optimal value that
reduces interrupt rate by more than 20% without affecting performance.
Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sat, 7 Dec 2019 22:10:34 +0000 (14:10 -0800)]
bonding: fix bond_neigh_init()
[ Upstream commit
9e99bfefdbce2e23ef37487a3bcb4adf90a791d1 ]
1) syzbot reported an uninit-value in bond_neigh_setup() [1]
bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms',
but only clears parms.neigh_setup field.
A stacked bonding device would then enter bond_neigh_setup()
and read garbage from parms->dev.
If we get really unlucky and garbage is matching @dev, then we
could recurse and eventually crash.
Let's make sure the whole structure is cleared to avoid surprises.
2) bond_neigh_setup() can be called while another cpu manipulates
the master device, removing or adding a slave.
We need at least rcu protection to prevent use-after-free.
Note: Prior code does not support a stack of bonding devices,
this patch does not attempt to fix this, and leave a comment instead.
[1]
BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
__msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626
___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613
__neigh_create+0xbd/0xd0 net/core/neighbour.c:674
ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113
__ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682
mld_send_cr net/ipv6/mcast.c:1978 [inline]
mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477
call_timer_fn+0x232/0x530 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers+0xd60/0x1270 kernel/time/timer.c:1773
run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786
__do_softirq+0x4a1/0x83a kernel/softirq.c:293
invoke_softirq kernel/softirq.c:375 [inline]
irq_exit+0x230/0x280 kernel/softirq.c:416
exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536
smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138
apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835
</IRQ>
RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439
Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f
RSP: 0018:
ffffb328034af818 EFLAGS:
00000246 ORIG_RAX:
ffffffffffffff13
RAX:
0000000000000000 RBX:
ffffe2d7471f8360 RCX:
0000000000000000
RDX:
ffffffffadea7000 RSI:
0000000000000004 RDI:
ffff93496fcda104
RBP:
ffffb328034af850 R08:
ffff934a47e86d00 R09:
ffff93496fc41900
R10:
0000000000000000 R11:
0000000000000000 R12:
0000000000000001
R13:
0000000000000246 R14:
0000000000000000 R15:
ffffe2d7472225c0
free_pages_prepare mm/page_alloc.c:1138 [inline]
free_pcp_prepare mm/page_alloc.c:1230 [inline]
free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025
free_unref_page mm/page_alloc.c:3074 [inline]
free_the_page mm/page_alloc.c:4832 [inline]
__free_pages+0x154/0x230 mm/page_alloc.c:4840
__vunmap+0xdac/0xf20 mm/vmalloc.c:2277
__vfree mm/vmalloc.c:2325 [inline]
vfree+0x7c/0x170 mm/vmalloc.c:2355
copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline]
get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline]
do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122
ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400
tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688
sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110
__sys_getsockopt+0x533/0x7b0 net/socket.c:2129
__do_sys_getsockopt net/socket.c:2144 [inline]
__se_sys_getsockopt+0xe1/0x100 net/socket.c:2141
__x64_sys_getsockopt+0x62/0x80 net/socket.c:2141
do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d20a
Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:
0000000000a6f618 EFLAGS:
00000212 ORIG_RAX:
0000000000000037
RAX:
ffffffffffffffda RBX:
0000000000a6f640 RCX:
000000000045d20a
RDX:
0000000000000041 RSI:
0000000000000029 RDI:
0000000000000003
RBP:
0000000000717cc0 R08:
0000000000a6f63c R09:
0000000000004000
R10:
0000000000a6f740 R11:
0000000000000212 R12:
0000000000000003
R13:
0000000000000000 R14:
0000000000000029 R15:
0000000000715b00
Local variable description: ----parms@bond_neigh_init
Variable was created at:
bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
Fixes: 9918d5bf329d ("bonding: modify only neigh_parms owned by us")
Fixes: 234bcf8a499e ("net/bonding: correctly proxy slave neigh param setup ndo function")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sat, 7 Dec 2019 20:23:21 +0000 (12:23 -0800)]
neighbour: remove neigh_cleanup() method
[ Upstream commit
f394722fb0d0f701119368959d7cd0ecbc46363a ]
neigh_cleanup() has not been used for seven years, and was a wrong design.
Messing with shared pointer in bond_neigh_init() without proper
memory barriers would at least trigger syzbot complains eventually.
It is time to remove this stuff.
Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ido Schimmel [Mon, 9 Dec 2019 06:56:34 +0000 (08:56 +0200)]
selftests: forwarding: Delete IPv6 address at the end
[ Upstream commit
65cb13986229cec02635a1ecbcd1e2dd18353201 ]
When creating the second host in h2_create(), two addresses are assigned
to the interface, but only one is deleted. When running the test twice
in a row the following error is observed:
$ ./router_bridge_vlan.sh
TEST: ping [ OK ]
TEST: ping6 [ OK ]
TEST: vlan [ OK ]
$ ./router_bridge_vlan.sh
RTNETLINK answers: File exists
TEST: ping [ OK ]
TEST: ping6 [ OK ]
TEST: vlan [ OK ]
Fix this by deleting the address during cleanup.
Fixes: 5b1e7f9ebd56 ("selftests: forwarding: Test routed bridge interface")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xin Long [Mon, 9 Dec 2019 05:45:54 +0000 (13:45 +0800)]
sctp: fully initialize v4 addr in some functions
[ Upstream commit
b6f3320b1d5267e7b583a6d0c88dda518101740c ]
Syzbot found a crash:
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
Call Trace:
crc32_body lib/crc32.c:112 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
__crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
crc32c+0x150/0x220 lib/libcrc32c.c:47
sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
__skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
sctp_packet_pack net/sctp/output.c:528 [inline]
sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
The issue was caused by transport->ipaddr set with uninit addr param, which
was passed by:
sctp_transport_init net/sctp/transport.c:47 [inline]
sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
the padding of addr->v4.
Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
will become the part of skb, and the issue occurs.
This patch is to fix it by initializing the padding of addr->v4 in
sctp_v4_from_addr_param(), as well as other functions that do the similar
thing, and these functions shouldn't trust that the caller initializes the
memory, as Marcelo suggested.
Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Marcelo Ricardo Leitner [Tue, 17 Dec 2019 01:01:16 +0000 (22:01 -0300)]
sctp: fix memleak on err handling of stream initialization
[ Upstream commit
951c6db954a1adefab492f6da805decacabbd1a7 ]
syzbot reported a memory leak when an allocation fails within
genradix_prealloc() for output streams. That's because
genradix_prealloc() leaves initialized members initialized when the
issue happens and SCTP stack will abort the current initialization but
without cleaning up such members.
The fix here is to always call genradix_free() when genradix_prealloc()
fails, for output and also input streams, as it suffers from the same
issue.
Reported-by: syzbot+772d9e36c490b18d51d1@syzkaller.appspotmail.com
Fixes: 2075e50caf5e ("sctp: convert to genradix")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Tested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>