1. 27 Jul, 2017 40 commits
    • James Hogan's avatar
      MIPS: Negate error syscall return in trace · 6b748363
      James Hogan authored
      commit 4f32a39d upstream.
      
      The sys_exit trace event takes a single return value for the system
      call, which MIPS passes the value of the $v0 (result) register, however
      MIPS returns positive error codes in $v0 with $a3 specifying that $v0
      contains an error code. As a result erroring system calls are traced
      returning positive error numbers that can't always be distinguished from
      success.
      
      Use regs_return_value() to negate the error code if $a3 is set.
      
      Fixes: 1d7bf993 ("MIPS: ftrace: Add support for syscall tracepoints.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16651/Acked-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b748363
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() with EVA · f5dc5861
      James Hogan authored
      commit 4915e1b0 upstream.
      
      EVA linked loads (LLE) and conditional stores (SCE) should be used on
      EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
      call, or else the atomic set will apply to the kernel view of the
      virtual address space (potentially unmapped on EVA kernels) rather than
      the user view (TLB mapped).
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16151/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5dc5861
    • James Hogan's avatar
      MIPS: Fix mips_atomic_set() retry condition · e742bca1
      James Hogan authored
      commit 2ec420b2 upstream.
      
      The inline asm retry check in the MIPS_ATOMIC_SET operation of the
      sysmips system call has been backwards since commit f1e39a4a ("MIPS:
      Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
      until the operation was inatomic, before returning the new value that
      was probably just written multiple times instead of the old value.
      
      Invert the branch condition to fix that particular issue.
      
      Fixes: f1e39a4a ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16148/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e742bca1
    • Maarten Lankhorst's avatar
      drm/atomic: Add missing drm_atomic_state_clear to atomic_remove_fb · 82823554
      Maarten Lankhorst authored
      commit 4086d90c upstream.
      
      All atomic state should be cleared when drm_modeset_backoff() is
      called, because it drops all locks and the state becomes invalid.
      
      The call to drm_atomic_state_clear was missing in atomic_remove_fb,
      so add the missing call there.
      Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170629115954.26029-1-maarten.lankhorst@linux.intel.comReviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Fixes: db8f6403 ("drm: Convert drm_framebuffer_remove to atomic, v4.")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82823554
    • Chuanxiao Dong's avatar
      drm/i915/gvt: Fix inconsistent locks holding sequence · 25408498
      Chuanxiao Dong authored
      commit f16bd3dd upstream.
      
      There are two kinds of locking sequence.
      
      One is in the thread which is started by vfio ioctl to do
      the iommu unmapping. The locking sequence is:
      	down_read(&group_lock) ----> mutex_lock(&cached_lock)
      
      The other is in the vfio release thread which will unpin all
      the cached pages. The lock sequence is:
      	mutex_lock(&cached_lock) ---> down_read(&group_lock)
      
      And, the cache_lock is used to protect the rb tree of the cache
      node and doing vfio unpin doesn't require this lock. Move the
      vfio unpin out of the cache_lock protected region.
      
      v2:
      - use for style instead of do{}while(1). (Zhenyu)
      
      Fixes: f30437c5 ("drm/i915/gvt: add KVMGT support")
      Signed-off-by: default avatarChuanxiao Dong <chuanxiao.dong@intel.com>
      Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25408498
    • Robin Murphy's avatar
      iommu/arm-smmu: Plumb in new ACPI identifiers · 6dbeea7d
      Robin Murphy authored
      commit 84c24379 upstream.
      
      Revision C of IORT now allows us to identify ARM MMU-401 and the Cavium
      ThunderX implementation. Wire them up so that we can probe these models
      once firmware starts using the new codes in place of generic ones, and
      so that the appropriate features and quirks get enabled when we do.
      
      For the sake of backports and mitigating sychronisation problems with
      the ACPICA headers, we'll carry a backup copy of the new definitions
      locally for the short term to make life simpler.
      Acked-by: default avatarRobert Richter <rrichter@cavium.com>
      Tested-by: default avatarRobert Richter <rrichter@cavium.com>
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6dbeea7d
    • Dan Carpenter's avatar
      ftrace: Fix uninitialized variable in match_records() · 57c2c7df
      Dan Carpenter authored
      commit 2e028c4f upstream.
      
      My static checker complains that if "func" is NULL then "clear_filter"
      is uninitialized.  This seems like it could be true, although it's
      possible something subtle is happening that I haven't seen.
      
          kernel/trace/ftrace.c:3844 match_records()
          error: uninitialized symbol 'clear_filter'.
      
      Link: http://lkml.kernel.org/r/20170712073556.h6tkpjcdzjaozozs@mwanda
      
      Fixes: f0a3b154 ("ftrace: Clarify code for mod command")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57c2c7df
    • Marta Rybczynska's avatar
      nvme-rdma: remove race conditions from IB signalling · 3ea54f66
      Marta Rybczynska authored
      commit 5e599d73 upstream.
      
      This patch improves the way the RDMA IB signalling is done by using atomic
      operations for the signalling variable. This avoids race conditions on
      sig_count.
      
      The signalling interval changes slightly and is now the largest power of
      two not larger than queue depth / 2.
      
      ilog() usage idea by Bart Van Assche.
      Signed-off-by: default avatarMarta Rybczynska <marta.rybczynska@kalray.eu>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ea54f66
    • Alex Williamson's avatar
      vfio: Remove unnecessary uses of vfio_container.group_lock · 5a5e706f
      Alex Williamson authored
      commit 7f56c30b upstream.
      
      The original intent of vfio_container.group_lock is to protect
      vfio_container.group_list, however over time it's become a crutch to
      prevent changes in container composition any time we call into the
      iommu driver backend.  This introduces problems when we start to have
      more complex interactions, for example when a user's DMA unmap request
      triggers a notification to an mdev vendor driver, who responds by
      attempting to unpin mappings within that request, re-entering the
      iommu backend.  We incorrectly assume that the use of read-locks here
      allow for this nested locking behavior, but a poorly timed write-lock
      could in fact trigger a deadlock.
      
      The current use of group_lock seems to fall into the trap of locking
      code, not data.  Correct that by removing uses of group_lock that are
      not directly related to group_list.  Note that the vfio type1 iommu
      backend has its own mutex, vfio_iommu.lock, which it uses to protect
      itself for each of these interfaces anyway.  The group_lock appears to
      be a redundancy for these interfaces and type1 even goes so far as to
      release its mutex to allow for exactly the re-entrant code path above.
      Reported-by: default avatarChuanxiao Dong <chuanxiao.dong@intel.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Acked-by: default avatarAlexey Kardashevskiy <aik@ozlabs.ru>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a5e706f
    • Alex Williamson's avatar
      vfio: New external user group/file match · 9ffc6fc6
      Alex Williamson authored
      commit 5d6dee80 upstream.
      
      At the point where the kvm-vfio pseudo device wants to release its
      vfio group reference, we can't always acquire a new reference to make
      that happen.  The group can be in a state where we wouldn't allow a
      new reference to be added.  This new helper function allows a caller
      to match a file to a group to facilitate this.  Given a file and
      group, report if they match.  Thus the caller needs to already have a
      group reference to match to the file.  This allows the deletion of a
      group without acquiring a new reference.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ffc6fc6
    • Alex Williamson's avatar
      vfio: Fix group release deadlock · 4fb3d76f
      Alex Williamson authored
      commit 811642d8 upstream.
      
      If vfio_iommu_group_notifier() acquires a group reference and that
      reference becomes the last reference to the group, then vfio_group_put
      introduces a deadlock code path where we're trying to unregister from
      the iommu notifier chain from within a callout of that chain.  Use a
      work_struct to release this reference asynchronously.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Reviewed-by: default avatarEric Auger <eric.auger@redhat.com>
      Tested-by: default avatarEric Auger <eric.auger@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fb3d76f
    • Ville Syrjälä's avatar
      drm/i915: Disable MSI for all pre-gen5 · 72ec4c2f
      Ville Syrjälä authored
      commit ce3f7163 upstream.
      
      We have pretty clear evidence that MSIs are getting lost on g4x and
      somehow the interrupt logic doesn't seem to recover from that state
      even if we try hard to clear the IIR.
      
      Disabling IER around the normal IIR clearing in the irq handler isn't
      sufficient to avoid this, so the problem really seems to be further
      up the interrupt chain. This should guarantee that there's always
      an edge if any IIR bits are set after the interrupt handler is done,
      which should normally guarantee that the CPU interrupt is generated.
      That approach seems to work perfectly on VLV/CHV, but apparently
      not on g4x.
      
      MSI is documented to be broken on 965gm at least. The chipset spec
      says MSI is defeatured because interrupts can be delayed or lost,
      which fits well with what we're seeing on g4x. Previously we've
      already disabled GMBUS interrupts on g4x because somehow GMBUS
      manages to raise legacy interrupts even when MSI is enabled.
      
      Since there's such widespread MSI breakahge all over in the pre-gen5
      land let's just give up on MSI on these platforms.
      
      Seqno reporting might be negatively affected by this since the legcy
      interrupts aren't guaranteed to be ordered with the seqno writes,
      whereas MSI interrupts may be? But an occasioanlly missed seqno
      seems like a small price to pay for generally working interrupts.
      
      Cc: Diego Viola <diego.viola@gmail.com>
      Tested-by: default avatarDiego Viola <diego.viola@gmail.com>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101261Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170626203051.28480-1-ville.syrjala@linux.intel.comReviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      (cherry picked from commit e38c2da0)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72ec4c2f
    • Hawking Zhang's avatar
      drm/amd/powerplay: fix memory leak in cz_hwmgr backend · 7d47d0b9
      Hawking Zhang authored
      commit b1e8b9c5 upstream.
      
      vddc_dep_on_dal_pwrl is allocated and initialized in cz_hwmgr_backend_init
      Thus free the memory in cz_hwmgr_backend_fini
      Signed-off-by: default avatarHawking Zhang <Hawking.Zhang@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d47d0b9
    • Amir Goldstein's avatar
      ovl: fix random return value on mount · 98cc417e
      Amir Goldstein authored
      commit 8fc646b4 upstream.
      
      On failure to prepare_creds(), mount fails with a random
      return value, as err was last set to an integer cast of
      a valid lower mnt pointer or set to 0 if inodes index feature
      is enabled.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 3fe6e52f ("ovl: override creds with the ones from ...")
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98cc417e
    • Amir Goldstein's avatar
      ovl: mark parent impure on ovl_link() · aedd116d
      Amir Goldstein authored
      commit ea3dad18 upstream.
      
      When linking a file with copy up origin into a new parent, mark the
      new parent dir "impure".
      
      Fixes: ee1d6d37 ("ovl: mark upper dir with type origin entries "impure"")
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aedd116d
    • Dan Carpenter's avatar
      serial: sh-sci: Uninitialized variables in sysfs files · 6a2c4169
      Dan Carpenter authored
      commit 4ab3c51e upstream.
      
      The kstrtol() function returns -ERANGE as well as -EINVAL so these tests
      are not enough.  It's not a super serious bug, but my static checker
      correctly complains that the "r" variable might be used uninitialized.
      
      Fixes: 5d23188a ("serial: sh-sci: make RX FIFO parameters tunable via sysfs")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a2c4169
    • Dan Carpenter's avatar
      serial: st-asc: Potential error pointer dereference · bc6ff930
      Dan Carpenter authored
      commit 2b01bfae upstream.
      
      It looks like we intended to return an error code here, because we
      dereference "ascport->pinctrl" on the next lines.
      
      Fixes: 6929cb00 ("serial: st-asc: Read in all Pinctrl states")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc6ff930
    • Jaegeuk Kim's avatar
      f2fs: Don't clear SGID when inheriting ACLs · 893425c7
      Jaegeuk Kim authored
      commit c925dc16 upstream.
      
      This patch copies commit b7f8a09f:
      "btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
      
      Fixes: 07393101Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      893425c7
    • Chao Yu's avatar
      f2fs: use spin_{,un}lock_irq{save,restore} · 65483db1
      Chao Yu authored
      commit d1aa2453 upstream.
      
      generic/361 reports below warning, this is because: once, there is
      someone entering into critical region of sbi.cp_lock, if write_end_io.
      f2fs_stop_checkpoint is invoked from an triggered IRQ, we will encounter
      deadlock.
      
      So this patch changes to use spin_{,un}lock_irq{save,restore} to create
      critical region without IRQ enabled to avoid potential deadlock.
      
       irq event stamp: 83391573
       loop: Write error at byte offset 438729728, length 1024.
       hardirqs last  enabled at (83391573): [<c1809752>] restore_all+0xf/0x65
       hardirqs last disabled at (83391572): [<c1809eac>] reschedule_interrupt+0x30/0x3c
       loop: Write error at byte offset 438860288, length 1536.
       softirqs last  enabled at (83389244): [<c180cc4e>] __do_softirq+0x1ae/0x476
       softirqs last disabled at (83389237): [<c101ca7c>] do_softirq_own_stack+0x2c/0x40
       loop: Write error at byte offset 438990848, length 2048.
       ================================
       WARNING: inconsistent lock state
       4.12.0-rc2+ #30 Tainted: G           O
       --------------------------------
       inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
       xfs_io/7959 [HC1[1]:SC0[0]:HE0:SE1] takes:
        (&(&sbi->cp_lock)->rlock){?.+...}, at: [<f96f96cc>] f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
       {HARDIRQ-ON-W} state was registered at:
         __lock_acquire+0x527/0x7b0
         lock_acquire+0xae/0x220
         _raw_spin_lock+0x42/0x50
         do_checkpoint+0x165/0x9e0 [f2fs]
         write_checkpoint+0x33f/0x740 [f2fs]
         __f2fs_sync_fs+0x92/0x1f0 [f2fs]
         f2fs_sync_fs+0x12/0x20 [f2fs]
         sync_filesystem+0x67/0x80
         generic_shutdown_super+0x27/0x100
         kill_block_super+0x22/0x50
         kill_f2fs_super+0x3a/0x40 [f2fs]
         deactivate_locked_super+0x3d/0x70
         deactivate_super+0x40/0x60
         cleanup_mnt+0x39/0x70
         __cleanup_mnt+0x10/0x20
         task_work_run+0x69/0x80
         exit_to_usermode_loop+0x57/0x85
         do_fast_syscall_32+0x18c/0x1b0
         entry_SYSENTER_32+0x4c/0x7b
       irq event stamp: 1957420
       hardirqs last  enabled at (1957419): [<c1808f37>] _raw_spin_unlock_irq+0x27/0x50
       hardirqs last disabled at (1957420): [<c1809f9c>] call_function_single_interrupt+0x30/0x3c
       softirqs last  enabled at (1953784): [<c180cc4e>] __do_softirq+0x1ae/0x476
       softirqs last disabled at (1953773): [<c101ca7c>] do_softirq_own_stack+0x2c/0x40
      
       other info that might help us debug this:
        Possible unsafe locking scenario:
      
              CPU0
              ----
         lock(&(&sbi->cp_lock)->rlock);
         <Interrupt>
           lock(&(&sbi->cp_lock)->rlock);
      
        *** DEADLOCK ***
      
       2 locks held by xfs_io/7959:
        #0:  (sb_writers#13){.+.+.+}, at: [<c11fd7ca>] vfs_write+0x16a/0x190
        #1:  (&sb->s_type->i_mutex_key#16){+.+.+.}, at: [<f96e33f5>] f2fs_file_write_iter+0x25/0x140 [f2fs]
      
       stack backtrace:
       CPU: 2 PID: 7959 Comm: xfs_io Tainted: G           O    4.12.0-rc2+ #30
       Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
       Call Trace:
        dump_stack+0x5f/0x92
        print_usage_bug+0x1d3/0x1dd
        ? check_usage_backwards+0xe0/0xe0
        mark_lock+0x23d/0x280
        __lock_acquire+0x699/0x7b0
        ? __this_cpu_preempt_check+0xf/0x20
        ? trace_hardirqs_off_caller+0x91/0xe0
        lock_acquire+0xae/0x220
        ? f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
        _raw_spin_lock+0x42/0x50
        ? f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
        f2fs_stop_checkpoint+0x1c/0x50 [f2fs]
        f2fs_write_end_io+0x147/0x150 [f2fs]
        bio_endio+0x7a/0x1e0
        blk_update_request+0xad/0x410
        blk_mq_end_request+0x16/0x60
        lo_complete_rq+0x3c/0x70
        __blk_mq_complete_request_remote+0x11/0x20
        flush_smp_call_function_queue+0x6d/0x120
        ? debug_smp_processor_id+0x12/0x20
        generic_smp_call_function_single_interrupt+0x12/0x30
        smp_call_function_single_interrupt+0x25/0x40
        call_function_single_interrupt+0x37/0x3c
       EIP: _raw_spin_unlock_irq+0x2d/0x50
       EFLAGS: 00000296 CPU: 2
       EAX: 00000001 EBX: d2ccc51c ECX: 00000001 EDX: c1aacebd
       ESI: 00000000 EDI: 00000000 EBP: c96c9d1c ESP: c96c9d18
        DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
        ? inherit_task_group.isra.98.part.99+0x6b/0xb0
        __add_to_page_cache_locked+0x1d4/0x290
        add_to_page_cache_lru+0x38/0xb0
        pagecache_get_page+0x8e/0x200
        f2fs_write_begin+0x96/0xf00 [f2fs]
        ? trace_hardirqs_on_caller+0xdd/0x1c0
        ? current_time+0x17/0x50
        ? trace_hardirqs_on+0xb/0x10
        generic_perform_write+0xa9/0x170
        __generic_file_write_iter+0x1a2/0x1f0
        ? f2fs_preallocate_blocks+0x137/0x160 [f2fs]
        f2fs_file_write_iter+0x6e/0x140 [f2fs]
        ? __lock_acquire+0x429/0x7b0
        __vfs_write+0xc1/0x140
        vfs_write+0x9b/0x190
        SyS_pwrite64+0x63/0xa0
        do_fast_syscall_32+0xa1/0x1b0
        entry_SYSENTER_32+0x4c/0x7b
       EIP: 0xb7786c61
       EFLAGS: 00000293 CPU: 2
       EAX: ffffffda EBX: 00000003 ECX: 08416000 EDX: 00001000
       ESI: 18b24000 EDI: 00000000 EBP: 00000003 ESP: bf9b36b0
        DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
      
      Fixes: aaec2b1d ("f2fs: introduce cp_lock to protect updating of ckpt_flags")
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65483db1
    • Jin Qian's avatar
      f2fs: sanity check size of nat and sit cache · d0f0ccf8
      Jin Qian authored
      commit 21d3f8e1 upstream.
      
      Make sure number of entires doesn't exceed max journal size.
      Signed-off-by: default avatarJin Qian <jinqian@android.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0f0ccf8
    • Damien Le Moal's avatar
      f2fs: Do not issue small discards in LFS mode · dca54568
      Damien Le Moal authored
      commit acfd2810 upstream.
      
      clear_prefree_segments() issues small discards after discarding full
      segments. These small discards may not be section aligned, so not zone
      aligned on a zoned block device, causing __f2fs_iissue_discard_zone() to fail.
      Fix this by not issuing small discards for a volume mounted with the BLKZONED
      feature enabled.
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dca54568
    • Jaegeuk Kim's avatar
      f2fs: try to freeze in gc and discard threads · 4567789d
      Jaegeuk Kim authored
      commit 1d7be270 upstream.
      
      This allows to freeze gc and discard threads.
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4567789d
    • Jin Qian's avatar
      f2fs: sanity check checkpoint segno and blkoff · 55df2e68
      Jin Qian authored
      commit 15d3042a upstream.
      
      Make sure segno and blkoff read from raw image are valid.
      Signed-off-by: default avatarJin Qian <jinqian@google.com>
      [Jaegeuk Kim: adjust minor coding style]
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      55df2e68
    • Chao Yu's avatar
      f2fs: wake up all waiters in f2fs_submit_discard_endio · 378560b8
      Chao Yu authored
      commit e31b9821 upstream.
      
      There could be more than one waiter waiting discard IO completion, so we
      need use complete_all() instead of complete() in f2fs_submit_discard_endio
      to avoid hungtask.
      
      Fixes: 	ec9895ad ("f2fs: don't hold cmd_lock during waiting discard
      command")
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      378560b8
    • Jaegeuk Kim's avatar
      f2fs: load inode's flag from disk · 9aabcf47
      Jaegeuk Kim authored
      commit 93607124 upstream.
      
      This patch fixes missing inode flag loaded from disk, reported by Tom.
      
      [tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
      [tom@localhost ~]$ sudo chown tom:tom /mnt/
      [tom@localhost ~]$ touch /mnt/testfile
      [tom@localhost ~]$ sudo chattr +i /mnt/testfile
      [tom@localhost ~]$ echo test > /mnt/testfile
      bash: /mnt/testfile: Operation not permitted
      [tom@localhost ~]$ rm /mnt/testfile
      rm: cannot remove '/mnt/testfile': Operation not permitted
      [tom@localhost ~]$ sudo umount /mnt/
      [tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
      [tom@localhost ~]$ lsattr /mnt/testfile
      ----i-------------- /mnt/testfile
      [tom@localhost ~]$ echo test > /mnt/testfile
      [tom@localhost ~]$ rm /mnt/testfile
      [tom@localhost ~]$ sudo umount /mnt/
      Reported-by: default avatarTom Yan <tom.ty89@outlook.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aabcf47
    • Pavel Shilovsky's avatar
      CIFS: Reconnect expired SMB sessions · ac7e0a9e
      Pavel Shilovsky authored
      commit 511c54a2 upstream.
      
      According to the MS-SMB2 spec (3.2.5.1.6) once the client receives
      STATUS_NETWORK_SESSION_EXPIRED error code from a server it should
      reconnect the current SMB session. Currently the client doesn't do
      that. This can result in subsequent client requests failing by
      the server. The patch adds an additional logic to the demultiplex
      thread to identify expired sessions and reconnect them.
      Signed-off-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac7e0a9e
    • Jan Kara's avatar
      xfs: Don't clear SGID when inheriting ACLs · 7350fbef
      Jan Kara authored
      commit 8ba35875 upstream.
      
      When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
      set, DIR1 is expected to have SGID bit set (and owning group equal to
      the owning group of 'DIR0'). However when 'DIR0' also has some default
      ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
      'DIR1' to get cleared if user is not member of the owning group.
      
      Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
      setting up inode in xfs_generic_create(). That prevents SGID bit
      clearing and mode is properly set by posix_acl_create() anyway. We also
      reorder arguments of __xfs_set_acl() to match the ordering of
      xfs_set_acl() to make things consistent.
      
      Fixes: 07393101
      CC: Darrick J. Wong <darrick.wong@oracle.com>
      CC: linux-xfs@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7350fbef
    • Corey Minyard's avatar
      ipmi:ssif: Add missing unlock in error branch · d4a0964c
      Corey Minyard authored
      commit 4495ec6d upstream.
      
      When getting flags, a response to a different message would
      result in a deadlock because of a missing unlock.  Add that
      unlock and a comment.  Found by static analysis.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4a0964c
    • Tony Camuso's avatar
      ipmi: use rcu lock around call to intf->handlers->sender() · 65acfd38
      Tony Camuso authored
      commit cdea4656 upstream.
      
      A vendor with a system having more than 128 CPUs occasionally encounters
      the following crash during shutdown. This is not an easily reproduceable
      event, but the vendor was able to provide the following analysis of the
      crash, which exhibits the same footprint each time.
      
      crash> bt
      PID: 0      TASK: ffff88017c70ce70  CPU: 5   COMMAND: "swapper/5"
       #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
       #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
       #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
       #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
       #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
       #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
       #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
       #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
       #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
       #9 [ffff88085c143d70] page_fault at ffffffff8168e188
          [exception RIP: unknown or invalid address]
          RIP: ffffffffa053c800  RSP: ffff88085c143e28  RFLAGS: 00010206
          RAX: ffff88017c72bfd8  RBX: ffff88017a8dc000  RCX: ffff8810588b5ac8
          RDX: ffff8810588b5a00  RSI: ffffffffa053c800  RDI: ffff8810588b5a00
          RBP: ffff88085c143e58   R8: ffff88017c70d408   R9: ffff88017a8dc000
          R10: 0000000000000002  R11: ffff88085c143da0  R12: ffff8810588b5ac8
          R13: 0000000000000100  R14: ffffffffa053c800  R15: ffff8810588b5a00
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
          <IRQ stack>
          [exception RIP: cpuidle_enter_state+82]
          RIP: ffffffff81514192  RSP: ffff88017c72be50  RFLAGS: 00000202
          RAX: 0000001e4c3c6f16  RBX: 000000000000f8a0  RCX: 0000000000000018
          RDX: 0000000225c17d03  RSI: ffff88017c72bfd8  RDI: 0000001e4c3c6f16
          RBP: ffff88017c72be78   R8: 000000000000237e   R9: 0000000000000018
          R10: 0000000000002494  R11: 0000000000000001  R12: ffff88017c72be20
          R13: ffff88085c14f8e0  R14: 0000000000000082  R15: 0000001e4c3bb400
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
      
      This is the corresponding stack trace
      
      It has crashed because the area pointed with RIP extracted from timer
      element is already removed during a shutdown process.
      
      The function is smi_timeout().
      
      And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
      
      crash> rd ffff8810588b5a00 20
      ffff8810588b5a00:  ffff8810588b6000 0000000000000000   .`.X............
      ffff8810588b5a10:  ffff880853264400 ffffffffa05417e0   .D&S......T.....
      ffff8810588b5a20:  24a024a000000000 0000000000000000   .....$.$........
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a30:  0000000000000000 0000000000000000   ................
      ffff8810588b5a40:  ffffffffa053a040 ffffffffa053a060   @.S.....`.S.....
      ffff8810588b5a50:  0000000000000000 0000000100000001   ................
      ffff8810588b5a60:  0000000000000000 0000000000000e00   ................
      ffff8810588b5a70:  ffffffffa053a580 ffffffffa053a6e0   ..S.......S.....
      ffff8810588b5a80:  ffffffffa053a4a0 ffffffffa053a250   ..S.....P.S.....
      ffff8810588b5a90:  0000000500000002 0000000000000000   ................
      
      Unfortunately the top of this area is already detroyed by someone.
      But because of two reasonns we think this is struct smi_info
       1) The address included in between  ffff8810588b5a70 and ffff8810588b5a80:
        are inside of ipmi_si_intf.c  see crash> module ffff88085779d2c0
      
       2) We've found the area which point this.
        It is offset 0x68 of  ffff880859df4000
      
      crash> rd  ffff880859df4000 100
      ffff880859df4000:  0000000000000000 0000000000000001   ................
      ffff880859df4010:  ffffffffa0535290 dead000000000200   .RS.............
      ffff880859df4020:  ffff880859df4020 ffff880859df4020    @.Y.... @.Y....
      ffff880859df4030:  0000000000000002 0000000000100010   ................
      ffff880859df4040:  ffff880859df4040 ffff880859df4040   @@.Y....@@.Y....
      ffff880859df4050:  0000000000000000 0000000000000000   ................
      ffff880859df4060:  0000000000000000 ffff8810588b5a00   .........Z.X....
      ffff880859df4070:  0000000000000001 ffff880859df4078   ........x@.Y....
      
       If we regards it as struct ipmi_smi in shutdown process
       it looks consistent.
      
      The remedy for this apparent race is affixed below.
      Signed-off-by: default avatarTony Camuso <tcamuso@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      This was first introduced in 7ea0ed2b ipmi: Make the
      message handler easier to use for SMI interfaces
      where some code was moved outside of the rcu_read_lock()
      and the lock was not added.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      65acfd38
    • Eric Anholt's avatar
      drm/etnaviv: Expose our reservation object when exporting a dmabuf. · 719829d1
      Eric Anholt authored
      commit 8555137e upstream.
      
      Without this, polling on the dma-buf (and presumably other devices
      synchronizing against our rendering) would return immediately, even
      while the BO was busy.
      Signed-off-by: default avatarEric Anholt <eric@anholt.net>
      Cc: Lucas Stach <l.stach@pengutronix.de>
      Cc: Russell King <linux+etnaviv@armlinux.org.uk>
      Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
      Cc: etnaviv@lists.freedesktop.org
      Signed-off-by: default avatarLucas Stach <l.stach@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      719829d1
    • John Brooks's avatar
      drm/ttm: Fix use-after-free in ttm_bo_clean_mm · cb5634ea
      John Brooks authored
      commit 8046e195 upstream.
      
      We unref the man->move fence in ttm_bo_clean_mm() and then call
      ttm_bo_force_list_clean() which waits on it, except the refcount is now
      zero so a warning is generated (or worse):
      
      [149492.279301] refcount_t: increment on 0; use-after-free.
      [149492.279309] ------------[ cut here ]------------
      [149492.279315] WARNING: CPU: 3 PID: 18726 at lib/refcount.c:150 refcount_inc+0x2b/0x30
      [149492.279315] Modules linked in: vhost_net vhost tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(
      -) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
      [149492.279326] CPU: 3 PID: 18726 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
      [149492.279326] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
      [149492.279327] task: ffff8804ddfedcc0 task.stack: ffffc90008d20000
      [149492.279329] RIP: 0010:refcount_inc+0x2b/0x30
      [149492.279330] RSP: 0018:ffffc90008d23c30 EFLAGS: 00010286
      [149492.279331] RAX: 000000000000002b RBX: 0000000000000170 RCX: 0000000000000000
      [149492.279331] RDX: 0000000000000000 RSI: ffff88051ecccbe8 RDI: ffff88051ecccbe8
      [149492.279332] RBP: ffffc90008d23c30 R08: 0000000000000001 R09: 00000000000003ee
      [149492.279333] R10: ffffc90008d23bb0 R11: 00000000000003ee R12: ffff88043aaac960
      [149492.279333] R13: ffff8805005e28a8 R14: 0000000000000002 R15: ffff88050115e178
      [149492.279334] FS:  00007fc540168700(0000) GS:ffff88051ecc0000(0000) knlGS:0000000000000000
      [149492.279335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [149492.279336] CR2: 00007fc3e8654140 CR3: 000000027ba77000 CR4: 00000000001426e0
      [149492.279337] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [149492.279337] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [149492.279338] Call Trace:
      [149492.279345]  ttm_bo_force_list_clean+0xb9/0x110 [ttm]
      [149492.279348]  ttm_bo_clean_mm+0x7a/0xe0 [ttm]
      [149492.279375]  amdgpu_ttm_fini+0xc9/0x1f0 [amdgpu]
      [149492.279392]  amdgpu_bo_fini+0x12/0x40 [amdgpu]
      [149492.279415]  gmc_v7_0_sw_fini+0x32/0x40 [amdgpu]
      [149492.279430]  amdgpu_fini+0x2c9/0x490 [amdgpu]
      [149492.279445]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
      [149492.279461]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
      [149492.279470]  drm_dev_unregister+0x3c/0xe0 [drm]
      [149492.279485]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
      [149492.279487]  pci_device_remove+0x39/0xc0
      [149492.279490]  device_release_driver_internal+0x155/0x210
      [149492.279491]  driver_detach+0x38/0x70
      [149492.279493]  bus_remove_driver+0x4c/0xa0
      [149492.279494]  driver_unregister+0x2c/0x40
      [149492.279496]  pci_unregister_driver+0x21/0x90
      [149492.279520]  amdgpu_exit+0x15/0x406 [amdgpu]
      [149492.279523]  SyS_delete_module+0x1a8/0x270
      [149492.279525]  ? exit_to_usermode_loop+0x92/0xa0
      [149492.279528]  entry_SYSCALL_64_fastpath+0x13/0x94
      [149492.279529] RIP: 0033:0x7fc53fcb68e7
      [149492.279529] RSP: 002b:00007ffcfbfaabb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [149492.279531] RAX: ffffffffffffffda RBX: 0000563117adb200 RCX: 00007fc53fcb68e7
      [149492.279531] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000563117adb268
      [149492.279532] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [149492.279533] R10: 0000000000000883 R11: 0000000000000206 R12: 00007ffcfbfa9ba0
      [149492.279533] R13: 0000000000000000 R14: 0000000000000000 R15: 0000563117adb200
      [149492.279534] Code: 55 48 89 e5 e8 77 fe ff ff 84 c0 74 02 5d c3 80 3d 40 f2 a4 00 00 75 f5 48 c7 c7 20 3c ca 81 c6 05 30 f2 a4 00 01 e8 91 f0 d7 ff <0f> ff 5d c3 90 55 48 89 fe bf 01 00 00 00 48 89 e5 e8 9f fe ff
      [149492.279557] ---[ end trace 2d4e0ffcb66a1016 ]---
      
      Unref the fence *after* waiting for it.
      
      v2: Set man->move to NULL after dropping the last ref (Christian König)
      
      Fixes: aff98ba1 (drm/ttm: wait for eviction in ttm_bo_force_list_clean)
      Signed-off-by: default avatarJohn Brooks <john@fastquake.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb5634ea
    • Mario Kleiner's avatar
      drm/radeon: Fix eDP for single-display iMac10,1 (v2) · 011a0006
      Mario Kleiner authored
      commit 564d8a2c upstream.
      
      The late 2009, 27 inch Apple iMac10,1 has an
      internal eDP display and an external Mini-
      Displayport output, driven by a DCE-3.2, RV730
      Radeon Mobility HD-4670.
      
      The machine worked fine in a dual-display setup
      with eDP panel + externally connected HDMI
      or DVI-D digital display sink, connected via
      MiniDP to DVI or HDMI adapter.
      
      However, booting the machine single-display with
      only eDP panel results in a completely black
      display - even backlight powering off, as soon as
      the radeon modesetting driver loads.
      
      This patch fixes the single dispay eDP case by
      assigning encoders based on dig->linkb, similar
      to DCE-4+. While this should not be generally
      necessary (Alex: "...atom on normal boards
      should be able to handle any mapping."), Apple
      seems to use some special routing here.
      
      One remaining problem not solved by this patch
      is that an external Minidisplayport->DP sink
      does still not work on iMac10,1, whereas external
      DVI and HDMI sinks continue to work.
      
      The problem affects at least all tested kernels
      since Linux 3.13 - didn't test earlier kernels, so
      backporting to stable probably makes sense.
      
      v2: With the original patch from 2016, Alex was worried it
          will break other DCE3.2 systems. Use dmi_match() to
          apply this special encoder assignment only for the
          Apple iMac 10,1 from late 2009.
      Signed-off-by: default avatarMario Kleiner <mario.kleiner.de@gmail.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Michel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      011a0006
    • Alex Deucher's avatar
      drm/radeon/ci: disable mclk switching for high refresh rates (v2) · b123162f
      Alex Deucher authored
      commit ab03d9fe upstream.
      
      Even if the vblank period would allow it, it still seems to
      be problematic on some cards.
      
      v2: fix logic inversion (Nils)
      
      bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b123162f
    • John Brooks's avatar
      drm/amdgpu: Don't call amd_powerplay_destroy() if we don't have powerplay · e97b3dc3
      John Brooks authored
      commit 7bc7b777 upstream.
      
      amd_powerplay_destroy() expects a handle pointing to a struct pp_instance.
      On chips without PowerPlay, pp_handle points to a struct amdgpu_device. The
      resulting attempt to kfree() fields of the wrong struct ends in fire:
      
      [   91.560405] BUG: unable to handle kernel paging request at ffffebe000000620
      [   91.560414] IP: kfree+0x57/0x160
      [   91.560416] PGD 0
      [   91.560416] P4D 0
      
      [   91.560420] Oops: 0000 [#1] SMP
      [   91.560422] Modules linked in: tun x86_pkg_temp_thermal crc32_pclmul ghash_clmulni_intel efivarfs amdgpu(-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm
      [   91.560438] CPU: 6 PID: 3598 Comm: rmmod Not tainted 4.12.0-rc5-drm-next-4.13-ttmpatch+ #1
      [   91.560443] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD3H-BK/Z97X-UD3H-BK-CF, BIOS F6 06/17/2014
      [   91.560448] task: ffff8805063d6a00 task.stack: ffffc90003400000
      [   91.560451] RIP: 0010:kfree+0x57/0x160
      [   91.560454] RSP: 0018:ffffc90003403cc0 EFLAGS: 00010286
      [   91.560457] RAX: 000077ff80000000 RBX: 00000000000186a0 RCX: 0000000180400035
      [   91.560460] RDX: 0000000180400036 RSI: ffffea001418e740 RDI: ffffea0000000000
      [   91.560463] RBP: ffffc90003403cd8 R08: 000000000639d201 R09: 0000000180400035
      [   91.560467] R10: ffffebe000000600 R11: 0000000000000300 R12: ffff880500530030
      [   91.560470] R13: ffffffffa01e70fc R14: 00000000ffffffff R15: ffff880500530000
      [   91.560473] FS:  00007f7e500c3700(0000) GS:ffff88051ed80000(0000) knlGS:0000000000000000
      [   91.560478] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   91.560480] CR2: ffffebe000000620 CR3: 0000000503103000 CR4: 00000000001406e0
      [   91.560483] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   91.560487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   91.560489] Call Trace:
      [   91.560530]  amd_powerplay_destroy+0x1c/0x60 [amdgpu]
      [   91.560558]  amdgpu_pp_late_fini+0x44/0x60 [amdgpu]
      [   91.560575]  amdgpu_fini+0x254/0x490 [amdgpu]
      [   91.560593]  amdgpu_device_fini+0x58/0x1b0 [amdgpu]
      [   91.560610]  amdgpu_driver_unload_kms+0x4f/0xa0 [amdgpu]
      [   91.560622]  drm_dev_unregister+0x3c/0xe0 [drm]
      [   91.560638]  amdgpu_pci_remove+0x19/0x30 [amdgpu]
      [   91.560643]  pci_device_remove+0x39/0xc0
      [   91.560648]  device_release_driver_internal+0x155/0x210
      [   91.560651]  driver_detach+0x38/0x70
      [   91.560655]  bus_remove_driver+0x4c/0xa0
      [   91.560658]  driver_unregister+0x2c/0x40
      [   91.560662]  pci_unregister_driver+0x21/0x90
      [   91.560689]  amdgpu_exit+0x15/0x406 [amdgpu]
      [   91.560694]  SyS_delete_module+0x1a8/0x270
      [   91.560698]  ? exit_to_usermode_loop+0x92/0xa0
      [   91.560702]  entry_SYSCALL_64_fastpath+0x13/0x94
      [   91.560705] RIP: 0033:0x7f7e4fc118e7
      [   91.560708] RSP: 002b:00007fff978ca118 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [   91.560713] RAX: ffffffffffffffda RBX: 000055afe21bc200 RCX: 00007f7e4fc118e7
      [   91.560716] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055afe21bc268
      [   91.560719] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [   91.560722] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fff978c9100
      [   91.560725] R13: 0000000000000000 R14: 0000000000000000 R15: 000055afe21bc200
      [   91.560728] Code: 00 00 00 80 ff 77 00 00 48 bf 00 00 00 00 00 ea ff ff 49 01 da 48 0f 42 05 57 33 bd 00 49 01 c2 49 c1 ea 0c 49 c1 e2 06 49 01 fa <49> 8b 42 20 48 8d 78 ff a8 01 4c 0f 45 d7 49 8b 52 20 48 8d 42
      [   91.560759] RIP: kfree+0x57/0x160 RSP: ffffc90003403cc0
      [   91.560761] CR2: ffffebe000000620
      [   91.560765] ---[ end trace 08a9f3cd82223c1d ]---
      
      Fixes: 1c863802 (drm/amd/powerplay: refine powerplay interface.)
      Signed-off-by: default avatarJohn Brooks <john@fastquake.com>
      Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e97b3dc3
    • Huang Rui's avatar
      drm/amdgpu: fix the memory corruption on S3 · 3738cd03
      Huang Rui authored
      commit 67bef0f7 upstream.
      
      psp->cmd will be used on resume phase, so we can not free it on hw_init.
      Otherwise, a memory corruption will be triggered.
      Signed-off-by: default avatarHuang Rui <ray.huang@amd.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Tested-by: default avatarXiaojie Yuan <Xiaojie.Yuan@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3738cd03
    • Tom St Denis's avatar
      drm/amd/amdgpu: Return error if initiating read out of range on vram · 9a0b375b
      Tom St Denis authored
      commit 9156e723 upstream.
      
      If you initiate a read that is out of the VRAM address space return
      ENXIO instead of 0.
      
      Reads that begin below that point will read upto the VRAM limit as
      before.
      Signed-off-by: default avatarTom St Denis <tom.stdenis@amd.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a0b375b
    • Alex Deucher's avatar
      drm/amdgpu/cgs: always set reference clock in mode_info · f64c0826
      Alex Deucher authored
      commit 73cc9079 upstream.
      
      It's relevent regardless of whether there are displays
      enabled.  Fixes garbage values for ref clock in powerplay
      leading to incorrect fan speed reporting when displays
      are disabled.
      
      bug: https://bugs.freedesktop.org/show_bug.cgi?id=101653Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f64c0826
    • Alex Deucher's avatar
      drm/amdgpu: fix vblank_time when displays are off · 2dc1889e
      Alex Deucher authored
      commit beb37776 upstream.
      
      If the displays are off, set the vblank time to max to make
      sure mclk switching is enabled.  Avoid mclk getting set
      to high when no displays are attached.
      
      bug: https://bugs.freedesktop.org/show_bug.cgi?id=101528
      fixes: 09be4a52 (drm/amd/powerplay/smu7: add vblank check for mclk switching (v2))
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2dc1889e
    • Alex Deucher's avatar
      drm/amdgpu/gfx8: drop per-APU CU limits · 4a0b1855
      Alex Deucher authored
      commit 943c05bd upstream.
      
      Always use the max for the family rather than the per sku limits.
      This makes sure the mask is always the max size to avoid reporting
      the wrong number of CUs.
      Reviewed-by: default avatarAlex Xie <AlexBin.Xie@amd.com>
      Reviewed-by: default avatarAndres Rodriguez <andresx7@gmail.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a0b1855
    • Jiri Olsa's avatar
      s390/syscalls: Fix out of bounds arguments access · eee9c161
      Jiri Olsa authored
      commit c46fc042 upstream.
      
      Zorro reported following crash while having enabled
      syscall tracing (CONFIG_FTRACE_SYSCALLS):
      
        Unable to handle kernel pointer dereference at virtual ...
        Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
      
        SNIP
      
        Call Trace:
        ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
         [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
         [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
         [<000003fffcf946a2>] 0x3fffcf946a2
        INFO: lockdep is turned off.
        Last Breaking-Event-Address:
         [<000000000022dd44>] rb_event_data+0x34/0x40
        ---[ end trace 8c795f86b1b3f7b9 ]---
      
      The crash happens in syscall_get_arguments function for
      syscalls with zero arguments, that will try to access
      first argument (args[0]) in event entry, but it's not
      allocated.
      
      Bail out of there are no arguments.
      Reported-by: default avatarZorro Lang <zlang@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eee9c161