1. 31 May, 2019 40 commits
    • Leon Romanovsky's avatar
      RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later · 8063559d
      Leon Romanovsky authored
      [ Upstream commit a4b7013d ]
      
      BUG: KASAN: slab-out-of-bounds in rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
      Read of size 8 at addr ffff88805c01a608 by task ib_send_bw/573
      
      CPU: 24 PID: 573 Comm: ib_send_bw Not tainted 5.0.0-rc5+ #189
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
       rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
       ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
       ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
       ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
       rxe_mem_init_user+0x6c1/0x740 [rdma_rxe]
       rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
       ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
       ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
       ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
       ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
       ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
       do_vfs_ioctl+0x193/0x1440
       ksys_ioctl+0x3a/0x70
       __x64_sys_ioctl+0x6f/0xb0
       do_syscall_64+0x13f/0x570
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Allocated by task 573:
       __kasan_kmalloc.constprop.5+0xc1/0xd0
       __kmalloc+0x161/0x310
       rxe_mem_alloc+0x52/0x470 [rdma_rxe]
       rxe_mem_init_user+0x113/0x740 [rdma_rxe]
       rxe_reg_user_mr+0x9b/0x110 [rdma_rxe]
       ib_uverbs_reg_mr+0x428/0x9c0 [ib_uverbs]
       ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2b0/0x410 [ib_uverbs]
       ib_uverbs_run_method+0x79c/0x1da0 [ib_uverbs]
       ib_uverbs_cmd_verbs+0x5f2/0xf20 [ib_uverbs]
       ib_uverbs_ioctl+0x202/0x310 [ib_uverbs]
       do_vfs_ioctl+0x193/0x1440
       ksys_ioctl+0x3a/0x70
       __x64_sys_ioctl+0x6f/0xb0
       do_syscall_64+0x13f/0x570
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 0:
       __kasan_slab_free+0x12e/0x180
       kfree+0x10a/0x2c0
       rcu_process_callbacks+0xa77/0x1260
       __do_softirq+0x2ad/0xacb
      
      Test scenario:
       ib_send_bw -x 1 -d rxe0 -a &
       ib_send_bw -x 1 -d rxe0 -a localhost
      
      Fixes: 8700e3e7 ("Soft RoCE driver")
      Reported-by: default avatarParav Pandit <parav@mellanox.com>
      Reviewed-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Tested-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8063559d
    • Kangjie Lu's avatar
      x86/platform/uv: Fix missing checks of kcalloc() return values · 6937a052
      Kangjie Lu authored
      [ Upstream commit 76646085 ]
      
      Handle potential errors returned from kcalloc().
      
       [ bp: rewrite commit message. ]
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Andrew Banman <abanman@hpe.com>
      Cc: Andy Shevchenko <andy@infradead.org>
      Cc: Colin Ian King <colin.king@canonical.com>
      Cc: Darren Hart <dvhart@infradead.org>
      Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Mike Travis <mike.travis@hpe.com>
      Cc: Nicolai Stange <nstange@suse.de>
      Cc: pakki001@umn.edu
      Cc: platform-driver-x86@vger.kernel.org
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Varsha Rao <rvarsha016@gmail.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190325202924.4624-1-kjlu@umn.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      6937a052
    • Neeraj Upadhyay's avatar
      rcu: Do a single rhp->func read in rcu_head_after_call_rcu() · e8cfc326
      Neeraj Upadhyay authored
      [ Upstream commit b699cce1 ]
      
      The rcu_head_after_call_rcu() function reads the rhp->func pointer twice,
      which can result in a false-positive WARN_ON_ONCE() if the callback
      were passed to call_rcu() between the two reads.  Although racing
      rcu_head_after_call_rcu() with call_rcu() is to be a dubious use case
      (the return value is not reliable in that case), intermittent and
      irreproducible warnings are also quite dubious.  This commit therefore
      uses a single READ_ONCE() to pick up the value of rhp->func once, then
      tests that value twice, thus guaranteeing consistent processing within
      rcu_head_after_call_rcu()().
      
      Neverthless, racing rcu_head_after_call_rcu() with call_rcu() is still
      a dubious use case.
      Signed-off-by: default avatarNeeraj Upadhyay <neeraju@codeaurora.org>
      [ paulmck: Add blank line after declaration per checkpatch.pl. ]
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e8cfc326
    • Paul E. McKenney's avatar
      rcuperf: Fix cleanup path for invalid perf_type strings · f618b46f
      Paul E. McKenney authored
      [ Upstream commit ad092c02 ]
      
      If the specified rcuperf.perf_type is not in the rcu_perf_init()
      function's perf_ops[] array, rcuperf prints some console messages and
      then invokes rcu_perf_cleanup() to set state so that a future torture
      test can run.  However, rcu_perf_cleanup() also attempts to end the
      test that didn't actually start, and in doing so relies on the value
      of cur_ops, a value that is not particularly relevant in this case.
      This can result in confusing output or even follow-on failures due to
      attempts to use facilities that have not been properly initialized.
      
      This commit therefore sets the value of cur_ops to NULL in this case and
      inserts a check near the beginning of rcu_perf_cleanup(), thus avoiding
      relying on an irrelevant cur_ops value.
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f618b46f
    • Yazen Ghannam's avatar
      x86/mce: Handle varying MCA bank counts · 776613c5
      Yazen Ghannam authored
      [ Upstream commit 006c0770 ]
      
      Linux reads MCG_CAP[Count] to find the number of MCA banks visible to a
      CPU. Currently, this number is the same for all CPUs and a warning is
      shown if there is a difference. The number of banks is overwritten with
      the MCG_CAP[Count] value of each following CPU that boots.
      
      According to the Intel SDM and AMD APM, the MCG_CAP[Count] value gives
      the number of banks that are available to a "processor implementation".
      The AMD BKDGs/PPRs further clarify that this value is per core. This
      value has historically been the same for every core in the system, but
      that is not an architectural requirement.
      
      Future AMD systems may have different MCG_CAP[Count] values per core,
      so the assumption that all CPUs will have the same MCG_CAP[Count] value
      will no longer be valid.
      
      Also, the first CPU to boot will allocate the struct mce_banks[] array
      using the number of banks based on its MCG_CAP[Count] value. The machine
      check handler and other functions use the global number of banks to
      iterate and index into the mce_banks[] array. So it's possible to use an
      out-of-bounds index on an asymmetric system where a following CPU sees a
      MCG_CAP[Count] value greater than its predecessors.
      
      Thus, allocate the mce_banks[] array to the maximum number of banks.
      This will avoid the potential out-of-bounds index since the value of
      mca_cfg.banks is capped to MAX_NR_BANKS.
      
      Set the value of mca_cfg.banks equal to the max of the previous value
      and the value for the current CPU. This way mca_cfg.banks will always
      represent the max number of banks detected on any CPU in the system.
      
      This will ensure that all CPUs will access all the banks that are
      visible to them. A CPU that can access fewer than the max number of
      banks will find the registers of the extra banks to be read-as-zero.
      
      Furthermore, print the resulting number of MCA banks in use. Do this in
      mcheck_late_init() so that the final value is printed after all CPUs
      have been initialized.
      
      Finally, get bank count from target CPU when doing injection with mce-inject
      module.
      
       [ bp: Remove out-of-bounds example, passify and cleanup commit message. ]
      Signed-off-by: default avatarYazen Ghannam <yazen.ghannam@amd.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: Pu Wen <puwen@hygon.cn>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vishal Verma <vishal.l.verma@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20180727214009.78289-1-Yazen.Ghannam@amd.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      776613c5
    • Paul E. McKenney's avatar
      rcutorture: Fix cleanup path for invalid torture_type strings · f55e548f
      Paul E. McKenney authored
      [ Upstream commit b813afae ]
      
      If the specified rcutorture.torture_type is not in the rcu_torture_init()
      function's torture_ops[] array, rcutorture prints some console messages
      and then invokes rcu_torture_cleanup() to set state so that a future
      torture test can run.  However, rcu_torture_cleanup() also attempts to
      end the test that didn't actually start, and in doing so relies on the
      value of cur_ops, a value that is not particularly relevant in this case.
      This can result in confusing output or even follow-on failures due to
      attempts to use facilities that have not been properly initialized.
      
      This commit therefore sets the value of cur_ops to NULL in this case
      and inserts a check near the beginning of rcu_torture_cleanup(),
      thus avoiding relying on an irrelevant cur_ops value.
      Reported-by: default avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f55e548f
    • Tony Luck's avatar
      x86/mce: Fix machine_check_poll() tests for error types · 34315916
      Tony Luck authored
      [ Upstream commit f19501aa ]
      
      There has been a lurking "TBD" in the machine check poll routine ever
      since it was first split out from the machine check handler. The
      potential issue is that the poll routine may have just begun a read from
      the STATUS register in a machine check bank when the hardware logs an
      error in that bank and signals a machine check.
      
      That race used to be pretty small back when machine checks were
      broadcast, but the addition of local machine check means that the poll
      code could continue running and clear the error from the bank before the
      local machine check handler on another CPU gets around to reading it.
      
      Fix the code to be sure to only process errors that need to be processed
      in the poll code, leaving other logged errors alone for the machine
      check handler to find and process.
      
       [ bp: Massage a bit and flip the "== 0" check to the usual !(..) test. ]
      
      Fixes: b79109c3 ("x86, mce: separate correct machine check poller and fatal exception handler")
      Fixes: ed7290d0 ("x86, mce: implement new status bits")
      Reported-by: default avatarAshok Raj <ashok.raj@intel.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Ashok Raj <ashok.raj@intel.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
      Link: https://lkml.kernel.org/r/20190312170938.GA23035@agluck-deskSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      34315916
    • Leon Romanovsky's avatar
      overflow: Fix -Wtype-limits compilation warnings · a3d4afff
      Leon Romanovsky authored
      [ Upstream commit dc7fe518 ]
      
      Attempt to use check_shl_overflow() with inputs of unsigned type
      produces the following compilation warnings.
      
      drivers/infiniband/hw/mlx5/qp.c: In function _set_user_rq_size_:
      ./include/linux/overflow.h:230:6: warning: comparison of unsigned
      expression >= 0 is always true [-Wtype-limits]
         _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0;  \
            ^~
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,
      &rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      ./include/linux/overflow.h:232:26: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
        (_to_shift != _s || *_d < 0 || _a < 0 ||   \
                                ^
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      ./include/linux/overflow.h:232:36: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
        (_to_shift != _s || *_d < 0 || _a < 0 ||   \
                                          ^
      drivers/infiniband/hw/mlx5/qp.c:5820:6: note: in expansion of macro _check_shl_overflow_
        if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift,&rwq->buf_size))
            ^~~~~~~~~~~~~~~~~~
      
      Fixes: 0c668477 ("overflow.h: Add arithmetic shift helper")
      Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a3d4afff
    • George Hilliard's avatar
      staging: mt7621-mmc: Initialize completions a single time during probe · a36c3c66
      George Hilliard authored
      [ Upstream commit 7ca8c2c8 ]
      
      The module was initializing completions whenever it was going to wait on
      them, and not when the completion was allocated.  This is incorrect
      according to the completion docs:
      
          Calling init_completion() on the same completion object twice is
          most likely a bug [...]
      
      Re-initialization is also unnecessary because the module never uses
      complete_all().  Fix this by only ever initializing the completion a
      single time, and log if the completions are not consumed as intended
      (this is not a fatal problem, but should not go unnoticed).
      Signed-off-by: default avatarGeorge Hilliard <thirtythreeforty@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a36c3c66
    • Kangjie Lu's avatar
      tty: ipwireless: fix missing checks for ioremap · a04b2936
      Kangjie Lu authored
      [ Upstream commit 1bbb1c31 ]
      
      ipw->attr_memory and ipw->common_memory are assigned with the
      return value of ioremap. ioremap may fail, but no checks
      are enforced. The fix inserts the checks to avoid potential
      NULL pointer dereferences.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a04b2936
    • Pankaj Gupta's avatar
      virtio_console: initialize vtermno value for ports · ddbc7bfa
      Pankaj Gupta authored
      [ Upstream commit 4b0a2c5f ]
      
      For regular serial ports we do not initialize value of vtermno
      variable. A garbage value is assigned for non console ports.
      The value can be observed as a random integer with [1].
      
      [1] vim /sys/kernel/debug/virtio-ports/vport*p*
      
      This patch initialize the value of vtermno for console serial
      ports to '1' and regular serial ports are initiaized to '0'.
      
      Reported-by: siliu@redhat.com
      Signed-off-by: default avatarPankaj Gupta <pagupta@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ddbc7bfa
    • Thierry Escande's avatar
      misc: fastrpc: Fix a possible double free · aaf5aa44
      Thierry Escande authored
      [ Upstream commit b49f6d83 ]
      
      This patch fixes the error exit path of fastrpc_init_create_process().
      If the DMA allocation or the DSP invoke fails the fastrpc_map was freed
      but not removed from the mapping list leading to a double free once the
      mapping list is emptied in fastrpc_device_release().
      
      [srinivas kandagatla]: Cleaned up error path labels and reset init mem
      to NULL after free
      Fixes: d73f71c7("misc: fastrpc: Add support for create remote init process")
      Signed-off-by: default avatarThierry Escande <thierry.escande@linaro.org>
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aaf5aa44
    • Srinivas Kandagatla's avatar
      misc: fastrpc: make sure memory read and writes are visible · 8b29b2bf
      Srinivas Kandagatla authored
      [ Upstream commit 415a0729 ]
      
      dma_alloc_coherent buffers could have writes queued in store buffers so
      commit them before sending buffer to DSP using correct dma barriers.
      Same with vice-versa.
      
      Fixes: c68cfb71 ("misc: fastrpc: Add support for context Invoke method")
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8b29b2bf
    • Srinivas Kandagatla's avatar
      misc: fastrpc: consider address offset before sending to DSP · 954edc46
      Srinivas Kandagatla authored
      [ Upstream commit 80f3afd7 ]
      
      While passing address phy address to DSP, take care of the offset
      calculated from virtual address vma.
      
      Fixes: c68cfb71 ("misc: fastrpc: Add support for context Invoke method")
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      954edc46
    • Chad Dupuis's avatar
      scsi: qedf: Add missing return in qedf_post_io_req() in the fcport offload check · 9b1ce019
      Chad Dupuis authored
      [ Upstream commit c5e06ba2 ]
      
      Fixes the following crash as the return was missing from the check if an
      fcport is offloaded. If we hit this code we continue to try to post an
      invalid task which can lead to the crash:
      
      [30259.616411] [0000:61:00.3]:[qedf_post_io_req:989]:3: Session not offloaded yet.
      [30259.616413] [0000:61:00.3]:[qedf_upload_connection:1340]:3: Uploading connection port_id=490020.
      [30259.623769] BUG: unable to handle kernel NULL pointer dereference at 0000000000000198
      [30259.631645] IP: [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.638816] PGD 0
      [30259.640841] Oops: 0000 [#1] SMP
      [30259.644098] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter vfat fat ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib ib_ucm ib_umad dm_service_time skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel rpcrdma sunrpc rdma_ucm ib_uverbs lrw gf128mul ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi qedr(OE) glue_helper ablk_helper cryptd ib_core dm_round_robin joydev pcspkr ipmi_ssif ses enclosure ipmi_si ipmi_devintf ipmi_msghandler mei_me
      [30259.715529]  mei sg hpilo hpwdt shpchp wmi lpc_ich acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic uas usb_storage mgag200 qedf(OE) i2c_algo_bit libfcoe drm_kms_helper libfc syscopyarea sysfillrect scsi_transport_fc qede(OE) sysimgblt fb_sys_fops ptp ttm pps_core drm qed(OE) smartpqi crct10dif_pclmul crct10dif_common crc32c_intel i2c_core scsi_transport_sas scsi_tgt dm_mirror dm_region_hash dm_log dm_mod
      [30259.754237] CPU: 9 PID: 977 Comm: kdmwork-253:7 Kdump: loaded Tainted: G        W  OE  ------------   3.10.0-862.el7.x86_64 #1
      [30259.765664] Hardware name: HPE Synergy 480 Gen10/Synergy 480 Gen10 Compute Module, BIOS I42 04/04/2018
      [30259.775000] task: ffff8c801efd0000 ti: ffff8c801efd8000 task.ti: ffff8c801efd8000
      [30259.782505] RIP: 0010:[<ffffffffc035b1ed>]  [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.792116] RSP: 0018:ffff8c801efdbbb0  EFLAGS: 00010046
      [30259.797444] RAX: 0000000000000000 RBX: ffffa7f1450948d8 RCX: ffff8c7fe5bc40c8
      [30259.804600] RDX: ffff8c800715b300 RSI: ffffa7f1450948d8 RDI: ffff8c80169c2480
      [30259.811755] RBP: ffff8c801efdbc30 R08: 00000000000000ae R09: ffff8c800a314540
      [30259.818911] R10: ffff8c7fe5bc40c8 R11: ffff8c801efdb8ae R12: 0000000000000000
      [30259.826068] R13: ffff8c800715b300 R14: ffff8c80169c2480 R15: ffff8c8005da28e0
      [30259.833223] FS:  0000000000000000(0000) GS:ffff8c803f840000(0000) knlGS:0000000000000000
      [30259.841338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [30259.847100] CR2: 0000000000000198 CR3: 000000081242e000 CR4: 00000000007607e0
      [30259.854256] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [30259.861412] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [30259.868568] PKRU: 00000000
      [30259.871278] Call Trace:
      [30259.873737]  [<ffffffffc035c948>] qedf_post_io_req+0x148/0x680 [qedf]
      [30259.880201]  [<ffffffffc035d070>] qedf_queuecommand+0x1f0/0x240 [qedf]
      [30259.886749]  [<ffffffffa329b050>] scsi_dispatch_cmd+0xb0/0x240
      [30259.892600]  [<ffffffffa32a45bc>] scsi_request_fn+0x4cc/0x680
      [30259.898364]  [<ffffffffa3118ad9>] __blk_run_queue+0x39/0x50
      [30259.903954]  [<ffffffffa3114393>] __elv_add_request+0xd3/0x260
      [30259.909805]  [<ffffffffa311baf0>] blk_insert_cloned_request+0xf0/0x1b0
      [30259.916358]  [<ffffffffc010b622>] map_request+0x142/0x220 [dm_mod]
      [30259.922560]  [<ffffffffc010b716>] map_tio_request+0x16/0x40 [dm_mod]
      [30259.928932]  [<ffffffffa2ebb1f5>] kthread_worker_fn+0x85/0x180
      [30259.934782]  [<ffffffffa2ebb170>] ? kthread_stop+0xf0/0xf0
      [30259.940284]  [<ffffffffa2ebae31>] kthread+0xd1/0xe0
      [30259.945176]  [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
      [30259.951290]  [<ffffffffa351f61d>] ret_from_fork_nospec_begin+0x7/0x21
      [30259.957750]  [<ffffffffa2ebad60>] ? insert_kthread_work+0x40/0x40
      [30259.963860] Code: fe 41 55 49 89 d5 41 54 53 48 89 f3 48 83 ec 58 4c 8b 67 28 4c 8b 4e 18 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 4c 8b 7e 58 <49> 8b 84 24 98 01 00 00 48 8b 00 f6 80 31 01 00 00 10 0f 85 0b
      [30259.983372] RIP  [<ffffffffc035b1ed>] qedf_init_task.isra.16+0x3d/0x450 [qedf]
      [30259.990630]  RSP <ffff8c801efdbbb0>
      [30259.994127] CR2: 0000000000000198
      Signed-off-by: default avatarChad Dupuis <cdupuis@marvell.com>
      Signed-off-by: default avatarSaurav Kashyap <skashyap@marvell.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b1ce019
    • Artemy Kovalyov's avatar
      IB/mlx5: Compare only index part of a memory window rkey · 1a2fdf1c
      Artemy Kovalyov authored
      [ Upstream commit d623dfd2 ]
      
      The InfiniBand Architecture Specification section 10.6.7.2.4 TYPE 2 MEMORY
      WINDOWS says that if the CI supports the Base Memory Management Extensions
      defined in this specification, the R_Key format for a Type 2 Memory Window
      must consist of:
      
      * 24 bit index in the most significant bits of the R_Key, which is owned
        by the CI, and
      * 8 bit key in the least significant bits of the R_Key, which is owned by
        the Consumer.
      
      This means that the kernel should compare only the index part of a R_Key
      to determine equality with another R_Key.
      
      Fixes: db570d7d ("IB/mlx5: Add ODP support to MW")
      Signed-off-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1a2fdf1c
    • Thomas Gleixner's avatar
      timekeeping: Force upper bound for setting CLOCK_REALTIME · 5e04fcba
      Thomas Gleixner authored
      [ Upstream commit 7a8e61f8 ]
      
      Several people reported testing failures after setting CLOCK_REALTIME close
      to the limits of the kernel internal representation in nanoseconds,
      i.e. year 2262.
      
      The failures are exposed in subsequent operations, i.e. when arming timers
      or when the advancing CLOCK_MONOTONIC makes the calculation of
      CLOCK_REALTIME overflow into negative space.
      
      Now people start to paper over the underlying problem by clamping
      calculations to the valid range, but that's just wrong because such
      workarounds will prevent detection of real issues as well.
      
      It is reasonable to force an upper bound for the various methods of setting
      CLOCK_REALTIME. Year 2262 is the absolute upper bound. Assume a maximum
      uptime of 30 years which is plenty enough even for esoteric embedded
      systems. That results in an upper bound of year 2232 for setting the time.
      
      Once that limit is reached in reality this limit is only a small part of
      the problem space. But until then this stops people from trying to paper
      over the problem at the wrong places.
      Reported-by: default avatarXiongfeng Wang <wangxiongfeng2@huawei.com>
      Reported-by: default avatarHongbo Yao <yaohongbo@huawei.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Stephen Boyd <sboyd@kernel.org>
      Cc: Miroslav Lichvar <mlichvar@redhat.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1903231125480.2157@nanos.tec.linutronix.deSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      5e04fcba
    • Laurent Pinchart's avatar
      drm: rcar-du: lvds: Fix post-DLL divider calculation · 6eb883c4
      Laurent Pinchart authored
      [ Upstream commit 167e5354 ]
      
      The PLL parameters are computed by looping over the range of acceptable
      M, N and E values, and selecting the combination that produces the
      output frequency closest to the target. The internal frequency
      constraints are taken into account by restricting the tested values for
      the PLL parameters, reducing the search space. The target frequency,
      however, is only taken into account when computing the post-PLL divider,
      which can result in a 0 value for the divider when the PLL output
      frequency being tested is lower than half of the target frequency.
      Subsequent loops will produce a better set of PLL parameters, but for
      some of the iterations this can result in a division by 0.
      
      Fix it by clamping the divider value. We could instead restrict the E
      values being tested in the inner loop, but that would require additional
      calculation that would likely be less efficient as the E parameter can
      only take three different values.
      
      Fixes: c25c0136 ("drm: rcar-du: lvds: D3/E3 support")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Reviewed-by: default avatarKieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6eb883c4
    • Laurent Pinchart's avatar
      drm: rcar-du: lvds: Set LVEN and LVRES bits together on D3 · 7beeeb71
      Laurent Pinchart authored
      [ Upstream commit 00d082cc ]
      
      On the D3 SoC the LVDS PHY must be enabled in the same register write
      that enables the LVDS output. Skip writing the LVEN bit independently
      on that platform, it will be set by the write that sets LVRES.
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Reviewed-by: default avatarJacopo Mondi <jacopo+renesas@jmondi.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7beeeb71
    • Aditya Pakki's avatar
      thunderbolt: Fix to check the return value of kmemdup · fffcfb22
      Aditya Pakki authored
      [ Upstream commit fd21b79e ]
      
      uuid in add_switch is allocted via kmemdup which can fail. The patch
      logs the error and cleans up the allocated memory for switch.
      Signed-off-by: default avatarAditya Pakki <pakki001@umn.edu>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fffcfb22
    • Kangjie Lu's avatar
      thunderbolt: property: Fix a missing check of kzalloc · f0cc2ffb
      Kangjie Lu authored
      [ Upstream commit 6183d5a5 ]
      
      No check is enforced for the return value of kzalloc,
      which may lead to NULL-pointer dereference.
      
      The patch fixes this issue.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f0cc2ffb
    • Alexandre Courbot's avatar
      media: mtk-vcodec: fix access to incorrect planes member · d1d090c4
      Alexandre Courbot authored
      [ Upstream commit 52fafc58 ]
      
      Commit 0650a914 ("media: mtk-vcodec: Correct return type for mem2mem
      buffer helpers") fixed the return types for mem2mem buffer helper
      functions by changing a few local variables from vb2_buffer to
      vb2_v4l2_buffer. However, it left a few accesses to vb2_buffer::planes
      as-is, accidentally turning them into accesses to
      vb2_v4l2_buffer::planes and resulting in values being read from/written
      to the wrong place.
      
      Fix this by inserting vb2_buf into these accesses so they mimic their
      original behavior.
      
      Fixes: 0650a914 ("media: mtk-vcodec: Correct return type for mem2mem buffer helpers")
      Signed-off-by: default avatarAlexandre Courbot <acourbot@chromium.org>
      Reviewed-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d1d090c4
    • Ard Biesheuvel's avatar
      efifb: Omit memory map check on legacy boot · 44f212eb
      Ard Biesheuvel authored
      [ Upstream commit c2999c28 ]
      
      Since the following commit:
      
        38ac0287 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
      
      efifb_probe() checks its memory range via efi_mem_desc_lookup(),
      and this leads to a spurious error message:
      
         EFI_MEMMAP is not enabled
      
      at every boot on KVM.  This is quite annoying since the error message
      appears even if you set "quiet" boot option.
      
      Since this happens on legacy boot, which strangely enough exposes
      a EFI framebuffer via screen_info, let's double check that we are
      doing an EFI boot before attempting to access the EFI memory map.
      Reported-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Jones <pjones@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/20190328193429.21373-3-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      44f212eb
    • Ezequiel Garcia's avatar
      media: gspca: Kill URBs on USB device disconnect · b1c4294f
      Ezequiel Garcia authored
      [ Upstream commit 9b9ea7c2 ]
      
      In order to prevent ISOC URBs from being infinitely resubmitted,
      the driver's USB disconnect handler must kill all the in-flight URBs.
      
      While here, change the URB packet status message to a debug level,
      to avoid spamming the console too much.
      
      This commit fixes a lockup caused by an interrupt storm coming
      from the URB completion handler.
      Signed-off-by: default avatarEzequiel Garcia <ezequiel@collabora.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b1c4294f
    • Dan Carpenter's avatar
      media: wl128x: prevent two potential buffer overflows · 7e8750d0
      Dan Carpenter authored
      [ Upstream commit 9c2ccc32 ]
      
      Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
      can copy up to 255 bytes and we only have room for two bytes.  Even
      if this comes from the firmware and we trust it, the new policy
      generally is just to fix it as kernel hardenning.
      
      I can't test this code so I tried to be very conservative.  I considered
      not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
      whole variable but in the end I decided to allow it and manually
      initialized "asic_id" and "asic_ver" to zero.
      
      Fixes: e8454ff7 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7e8750d0
    • Kangjie Lu's avatar
      media: video-mux: fix null pointer dereferences · ff560d4b
      Kangjie Lu authored
      [ Upstream commit aeb0d0f5 ]
      
      devm_kcalloc may fail and return a null pointer. The fix returns
      -ENOMEM upon failures to avoid null pointer dereferences.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ff560d4b
    • Tetsuo Handa's avatar
      kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice. · 2472b708
      Tetsuo Handa authored
      [ Upstream commit c03a0fd0 ]
      
      syzbot is hitting use-after-free bug in uinput module [1]. This is because
      kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0
      ("Kobject: auto-cleanup on final unref") after memory allocation fault
      injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
      input_unregister_device() fail, while uinput_destroy_device() is expecting
      that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
      input_unregister_device() completed.
      
      That commit intended to catch cases where nobody even attempted to send
      "remove" uevents. But there is no guarantee that an event will ultimately
      be sent. We are at the point of no return as far as the rest of the kernel
      is concerned; there are no repeats or do-overs.
      
      Also, it is not clear whether some subsystem depends on that commit.
      If no subsystem depends on that commit, it will be better to remove
      the state_{add,remove}_uevent_sent logic. But we don't want to risk
      a regression (in a patch which will be backported) by trying to remove
      that logic. Therefore, as a first step, let's avoid the use-after-free bug
      by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.
      
      [1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362dReported-by: default avatarsyzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
      Analyzed-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Fixes: 0f4dafc0 ("Kobject: auto-cleanup on final unref")
      Cc: Kay Sievers <kay@vrfy.org>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2472b708
    • Oded Gabbay's avatar
      habanalabs: prevent CPU soft lockup on Palladium · 9965948a
      Oded Gabbay authored
      [ Upstream commit e850b89f ]
      
      Unmapping ptes in the device MMU on Palladium can take a long time, which
      can cause a kernel BUG of CPU soft lockup.
      
      This patch minimize the chances for this bug by sleeping a little between
      unmapping ptes.
      Signed-off-by: default avatarOded Gabbay <oded.gabbay@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9965948a
    • Sowjanya Komatineni's avatar
      spi: tegra114: reset controller on probe · 1955cfc8
      Sowjanya Komatineni authored
      [ Upstream commit 01919493 ]
      
      Fixes: SPI driver can be built as module so perform SPI controller reset
      on probe to make sure it is in valid state before initiating transfer.
      Signed-off-by: default avatarSowjanya Komatineni <skomatineni@nvidia.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1955cfc8
    • Hans de Goede's avatar
      HID: logitech-hidpp: change low battery level threshold from 31 to 30 percent · ddd85a2f
      Hans de Goede authored
      [ Upstream commit 1f87b0cd ]
      
      According to hidpp20_batterylevel_get_battery_info my Logitech K270
      keyboard reports only 2 battery levels. This matches with what I've seen
      after testing with batteries at varying level of fullness, it always
      reports either 5% or 30%.
      
      Windows reports "battery good" for the 30% level. I've captured an USB
      trace of Windows reading the battery and it is getting the same info
      as the Linux hidpp code gets.
      
      Now that Linux handles these devices as hidpp devices, it reports the
      battery as being low as it treats anything under 31% as low, this leads
      to the user constantly getting a "Keyboard battery is low" warning from
      GNOME3, which is very annoying.
      
      This commit fixes this by changing the low threshold to anything under
      30%, which I assume is what Windows does.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ddd85a2f
    • Takeshi Kihara's avatar
      clk: renesas: rcar-gen3: Correct parent clock of Audio-DMAC · f67fd9a6
      Takeshi Kihara authored
      [ Upstream commit b9df2ea2 ]
      
      The clock sources of the AXI-bus clock (266.66 MHz) used for Audio-DMAC
      DMA transfers are:
      
          Channel        R-Car H3    R-Car M3-W    R-Car M3-N    R-Car E3
          ---------------------------------------------------------------
          Audio-DMAC0    S1D2        S1D2          S1D2          S1D2
          Audio-DMAC1    S1D2        S1D2          S1D2          -
      
      As a result, change the parent clocks of the Audio-DMAC{0,1} module
      clocks on R-Car H3, R-Car M3-W, and R-Car M3-N to S1D2, and change the
      parent clock of the Audio-DMAC0 module on R-Car E3 to S1D2.
      
      NOTE: This information will be reflected in a future revision of the
            R-Car Gen3 Hardware Manual.
      Signed-off-by: default avatarTakeshi Kihara <takeshi.kihara.df@renesas.com>
      [geert: Update R-Car D3, RZ/G2M, and RZ/G2E]
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f67fd9a6
    • Ming Lei's avatar
      block: pass page to xen_biovec_phys_mergeable · 36478bcf
      Ming Lei authored
      [ Upstream commit 0383ad43 ]
      
      xen_biovec_phys_mergeable() only needs .bv_page of the 2nd bio bvec
      for checking if the two bvecs can be merged, so pass page to
      xen_biovec_phys_mergeable() directly.
      
      No function change.
      
      Cc: ris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: xen-devel@lists.xenproject.org
      Cc: Omar Sandoval <osandov@fb.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      36478bcf
    • Ming Lei's avatar
      block: avoid to break XEN by multi-page bvec · 0aa9a8d4
      Ming Lei authored
      [ Upstream commit db5ebd6e ]
      
      XEN has special page merge requirement, see xen_biovec_phys_mergeable().
      We can't merge pages into one bvec simply for XEN.
      
      So move XEN's specific check on page merge into __bio_try_merge_page(),
      then abvoid to break XEN by multi-page bvec.
      
      Cc: ris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: xen-devel@lists.xenproject.org
      Cc: Omar Sandoval <osandov@fb.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0aa9a8d4
    • Takeshi Kihara's avatar
      clk: renesas: rcar-gen3: Correct parent clock of SYS-DMAC · 46a9cbe9
      Takeshi Kihara authored
      [ Upstream commit 3c772f71 ]
      
      The clock sources of the AXI BUS clock (266.66 MHz) used for SYS-DMAC
      DMA transfers are:
      
          Channel      R-Car H3    R-Car M3-W    R-Car M3-N
          -------------------------------------------------
          SYS-DMAC0    S0D3        S0D3          S0D3
          SYS-DMAC1    S3D1        S3D1          S3D1
          SYS-DMAC2    S3D1        S3D1          S3D1
      
      As a result, change the parent clocks of the SYS-DMAC{1,2} module clocks
      on R-Car H3, R-Car M3-W, and R-Car M3-N to S3D1.
      
      NOTE: This information will be reflected in a future revision of the
            R-Car Gen3 Hardware Manual.
      Signed-off-by: default avatarTakeshi Kihara <takeshi.kihara.df@renesas.com>
      [geert: Update RZ/G2M]
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      46a9cbe9
    • Gustavo A. R. Silva's avatar
      cxgb3/l2t: Fix undefined behaviour · c9e691c2
      Gustavo A. R. Silva authored
      [ Upstream commit 76497732 ]
      
      The use of zero-sized array causes undefined behaviour when it is not
      the last member in a structure. As it happens to be in this case.
      
      Also, the current code makes use of a language extension to the C90
      standard, but the preferred mechanism to declare variable-length
      types such as this one is a flexible array member, introduced in
      C99:
      
      struct foo {
              int stuff;
              struct boo array[];
      };
      
      By making use of the mechanism above, we will get a compiler warning
      in case the flexible array does not occur last. Which is beneficial
      to cultivate a high-quality code.
      
      Fixes: e48f129c ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c9e691c2
    • Wen Yang's avatar
      ASoC: wcd9335: fix a leaked reference by adding missing of_node_put · 58492aad
      Wen Yang authored
      [ Upstream commit 64b92de9 ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/codecs/wcd9335.c:5193:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 5183, but without a correspon    ding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Cc: Vinod Koul <vkoul@kernel.org>
      Cc: Dan Carpenter <dan.carpenter@oracle.com> (commit_signer:1/11=9%,authored:1/11=9%)
      Cc: alsa-devel@alsa-project.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      58492aad
    • Wen Yang's avatar
      ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put · f7d84b84
      Wen Yang authored
      [ Upstream commit c7052471 ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding     object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Timur Tabi <timur@kernel.org>
      Cc: Nicolin Chen <nicoleotsuka@gmail.com>
      Cc: Xiubo Li <Xiubo.Lee@gmail.com>
      Cc: Fabio Estevam <festevam@gmail.com>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f7d84b84
    • Wen Yang's avatar
      ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put · 28779829
      Wen Yang authored
      [ Upstream commit b820d52e ]
      
      The call to of_parse_phandle returns a node pointer with refcount
      incremented thus it must be explicitly decremented after the last
      usage.
      
      Detected by coccinelle with the following warnings:
      ./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo    nding object release within this function.
      ./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo    nding object release within this function.
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      28779829
    • Nicolas Saenz Julienne's avatar
      HID: core: move Usage Page concatenation to Main item · a30cdaf1
      Nicolas Saenz Julienne authored
      [ Upstream commit 58e75155 ]
      
      As seen on some USB wireless keyboards manufactured by Primax, the HID
      parser was using some assumptions that are not always true. In this case
      it's s the fact that, inside the scope of a main item, an Usage Page
      will always precede an Usage.
      
      The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
      is interpreted as a Usage ID and concatenated with the Usage Page".
      While 6.2.2.8 states "When the parser encounters a main item it
      concatenates the last declared Usage Page with a Usage to form a
      complete usage value." Being somewhat contradictory it was decided to
      match Window's implementation, which follows 6.2.2.8.
      
      In summary, the patch moves the Usage Page concatenation from the local
      item parsing function to the main item parsing function.
      Signed-off-by: default avatarNicolas Saenz Julienne <nsaenzjulienne@suse.de>
      Reviewed-by: default avatarTerry Junge <terry.junge@poly.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a30cdaf1
    • Geert Uytterhoeven's avatar
      sh: sh7786: Add explicit I/O cast to sh7786_mm_sel() · 653117ea
      Geert Uytterhoeven authored
      [ Upstream commit 8440bb9b ]
      
      When compile-testing on arm:
      
          arch/sh/include/cpu-sh4/cpu/sh7786.h: In function ‘sh7786_mm_sel’:
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:21: warning: passing argument 1 of ‘__raw_readl’ makes pointer from integer without a cast [-Wint-conversion]
            return __raw_readl(0xFC400020) & 0x7;
      			 ^~~~~~~~~~
          In file included from include/linux/io.h:25:0,
      		     from arch/sh/include/cpu-sh4/cpu/sh7786.h:14,
      		     from drivers/pinctrl/sh-pfc/pfc-sh7786.c:15:
          arch/arm/include/asm/io.h:113:21: note: expected ‘const volatile void *’ but argument is of type ‘unsigned int’
           #define __raw_readl __raw_readl
      			 ^
          arch/arm/include/asm/io.h:114:19: note: in expansion of macro ‘__raw_readl’
           static inline u32 __raw_readl(const volatile void __iomem *addr)
      		       ^~~~~~~~~~~
      
      __raw_readl() on SuperH is a macro that casts the passed I/O address to
      the correct type, while the implementations on most other architectures
      expect to be passed the correct pointer type.
      
      Add an explicit cast to fix this.
      
      Note that this also gets rid of a sparse warning on SuperH:
      
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16: warning: incorrect type in argument 1 (different base types)
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16:    expected void const volatile [noderef] <asn:2>*<noident>
          arch/sh/include/cpu-sh4/cpu/sh7786.h:135:16:    got unsigned int
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      653117ea