1. 05 Sep, 2020 3 commits
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.9-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 9322c47b
      Linus Torvalds authored
      Pull xfs fix from Darrick Wong:
       "Fix a broken metadata verifier that would incorrectly validate attr
        fork extents of a realtime file against the realtime volume"
      
      * tag 'xfs-5.9-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files
      9322c47b
    • Mikulas Patocka's avatar
      xfs: don't update mtime on COW faults · b17164e2
      Mikulas Patocka authored
      When running in a dax mode, if the user maps a page with MAP_PRIVATE and
      PROT_WRITE, the xfs filesystem would incorrectly update ctime and mtime
      when the user hits a COW fault.
      
      This breaks building of the Linux kernel.  How to reproduce:
      
       1. extract the Linux kernel tree on dax-mounted xfs filesystem
       2. run make clean
       3. run make -j12
       4. run make -j12
      
      at step 4, make would incorrectly rebuild the whole kernel (although it
      was already built in step 3).
      
      The reason for the breakage is that almost all object files depend on
      objtool.  When we run objtool, it takes COW page fault on its .data
      section, and these faults will incorrectly update the timestamp of the
      objtool binary.  The updated timestamp causes make to rebuild the whole
      tree.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b17164e2
    • Mikulas Patocka's avatar
      ext2: don't update mtime on COW faults · 1ef6ea0e
      Mikulas Patocka authored
      When running in a dax mode, if the user maps a page with MAP_PRIVATE and
      PROT_WRITE, the ext2 filesystem would incorrectly update ctime and mtime
      when the user hits a COW fault.
      
      This breaks building of the Linux kernel.  How to reproduce:
      
       1. extract the Linux kernel tree on dax-mounted ext2 filesystem
       2. run make clean
       3. run make -j12
       4. run make -j12
      
      at step 4, make would incorrectly rebuild the whole kernel (although it
      was already built in step 3).
      
      The reason for the breakage is that almost all object files depend on
      objtool.  When we run objtool, it takes COW page fault on its .data
      section, and these faults will incorrectly update the timestamp of the
      objtool binary.  The updated timestamp causes make to rebuild the whole
      tree.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1ef6ea0e
  2. 04 Sep, 2020 32 commits
    • Linus Torvalds's avatar
      Merge tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · c70672d8
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix GENERIC_LOCKBREAK dependency on PREEMPTION in Kconfig broken
         because of a typo
      
       - Update defconfigs
      
      * tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig
      c70672d8
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 09274aed
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Fix the loading of modules built with binutils-2.35. This version
         produces writable and executable .text.ftrace_trampoline section
         which is rejected by the kernel.
      
       - Remove the exporting of cpu_logical_map() as the Tegra driver has now
         been fixed and no longer uses this function.
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/module: set trampoline section flags regardless of CONFIG_DYNAMIC_FTRACE
        arm64: Remove exporting cpu_logical_map symbol
      09274aed
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 16bf121b
      Linus Torvalds authored
      Pull MIPS fixes from Thomas Bogendoerfer:
       "A few MIPS fixes:
      
         - fallthrough fallout fix
      
         - BMIPS fixes
      
         - MSA fix to avoid leaking MSA register contents
      
         - Loongson perf and cpu feature fix
      
         - SNI interrupt fix"
      
      * tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: SNI: Fix SCSI interrupt
        MIPS: add missing MSACSR and upper MSA initialization
        MIPS: perf: Fix wrong check condition of Loongson event IDs
        mips/oprofile: Fix fallthrough placement
        MIPS: Loongson64: Remove unnecessary inclusion of boot_param.h
        MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
        MIPS: mm: BMIPS5000 has inclusive physical caches
        MIPS: Loongson64: Do not override watch and ejtag feature
      16bf121b
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.9-2' of... · 41bef91c
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - fix documents
      
       - fix warning in 'make localmodconfig'
      
      * tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig: remove redundant assignment prompt = prompt
        kbuild: Documentation: clean up makefiles.rst
        kconfig: streamline_config.pl: check defined(ENV variable) before using it
        Documentation/llvm: Improve formatting of commands, variables, and arguments
      41bef91c
    • Linus Torvalds's avatar
      Merge tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f162626a
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix reference counting in the operating performance points (OPP)
        framework and address a few intel_pstate driver issues, mostly related
        to switching driver operation modes and similar with hardware-managed
        P-states (HWP) enabled.
      
        Specifics:
      
         - Fix reference counting of operating performance points (OPP) tables
           (Viresh Kumar).
      
         - Address intel_pstate driver interface issues, mostly related to
           switching operation modes and handling CPU offline and online and
           system-wide suspend/resume with hardware-managed P-states (HWP)
           enabled (Rafael Wysocki).
      
         - Fix the maximum frequency computation in the intel_pstate driver
           with turbo P-states disabled by the platform firmware and HWP
           enabled (Francisco Jerez)"
      
      * tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
        opp: Don't drop reference for an OPP table that was never parsed
      f162626a
    • Linus Torvalds's avatar
      Merge tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d824e080
      Linus Torvalds authored
      Pull libata fixes from Jens Axboe:
      
       - improve Sandisks ATA_HORKAGE on NCQ (Tejun)
      
       - link printk cleanup (Xu)
      
      * tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
        ata: ahci: use ata_link_info() instead of ata_link_printk()
      d824e080
    • Linus Torvalds's avatar
      Merge tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block · 8075fc3b
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A bit larger than usual this week, mostly due to the NVMe fixes
        arriving late for -rc3 and hence didn't make last weeks pull request.
      
         - NVMe:
              - instance leak and io boundary fixes from Keith
              - fc locking fix from Christophe
              - various tcp/rdma reset during traffic fixes from Sagi
              - pci use-after-free fix from Tong
              - tcp target null deref fix from Ziye
      
         - Locking fix for partition removal (Christoph)
      
         - Ensure bdi->io_pages is always set (me)
      
         - Fixup for hd struct reference (Ming)
      
         - Fix for zero length bvecs (Ming)
      
         - Two small blk-iocost fixes (Tejun)"
      
      * tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        block: allow for_each_bvec to support zero len bvec
        blk-stat: make q->stats->lock irqsafe
        blk-iocost: ioc_pd_free() shouldn't assume irq disabled
        block: fix locking in bdev_del_partition
        block: release disk reference in hd_struct_free_work
        block: ensure bdi->io_pages is always initialized
        nvme-pci: cancel nvme device request before disabling
        nvme: only use power of two io boundaries
        nvme: fix controller instance leak
        nvmet-fc: Fix a missed _irqsave version of spin_lock in 'nvmet_fc_fod_op_done()'
        nvme: Fix NULL dereference for pci nvme controllers
        nvme-rdma: fix reset hang if controller died in the middle of a reset
        nvme-rdma: fix timeout handler
        nvme-rdma: serialize controller teardown sequences
        nvme-tcp: fix reset hang if controller died in the middle of a reset
        nvme-tcp: fix timeout handler
        nvme-tcp: serialize controller teardown sequences
        nvme: have nvme_wait_freeze_timeout return if it timed out
        nvme-fabrics: don't check state NVME_CTRL_NEW for request acceptance
        nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu
      8075fc3b
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d849ca48
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - EAGAIN with O_NONBLOCK retry fix
      
       - Two small fixes for registered files (Jiufei)
      
      * tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        io_uring: no read/write-retry on -EAGAIN error and O_NONBLOCK marked file
        io_uring: set table->files[i] to NULL when io_sqe_file_register failed
        io_uring: fix removing the wrong file in __io_sqe_files_update()
      d849ca48
    • Linus Torvalds's avatar
      Merge tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux · 2fb54791
      Linus Torvalds authored
      Pull thermal fixes from Daniel Lezcano:
      
       - Fix bogus thermal shutdowns for omap4430 where bogus values resulting
         from an incorrect ADC conversion are too high and fire an emergency
         shutdown (Tony Lindgren)
      
       - Don't suppress negative temp for qcom spmi as they are valid and
         userspace needs them (Veera Vegivada)
      
       - Fix use-after-free in thermal_zone_device_unregister reported by
         Kasan (Dmitry Osipenko)
      
      * tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux:
        thermal: core: Fix use-after-free in thermal_zone_device_unregister()
        thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
        thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
      2fb54791
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · e2dacf6c
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "A couple of core fixes and odd driver fixes for dmaengine subsystem:
      
        Core:
         - drop ACPI CSRT table reference after using it
         - fix of_dma_router_xlate() error handling
      
        Drivers fixes in idxd, at_hdmac, pl330, dw-edma and jz478"
      
      * tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
        dmaengine: ti: k3-udma: Update rchan_oes_offset for am654 SYSFW ABI 3.0
        drivers/dma/dma-jz4780: Fix race condition between probe and irq handler
        dmaengine: dw-edma: Fix scatter-gather address calculation
        dmaengine: ti: k3-udma: Fix the TR initialization for prep_slave_sg
        dmaengine: pl330: Fix burst length if burst size is smaller than bus width
        dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate()
        dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()
        dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate()
        dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
        dmaengine: idxd: reset states after device disable or reset
        dmaengine: acpi: Put the CSRT table after using it
      e2dacf6c
    • Linus Torvalds's avatar
      Merge tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 86edf52e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small changes, nothing intrusive:
      
         - remaining tasklet API conversions, now all sound stuff have been
           converted
      
         - a few HD-audio and USB-audio quirks and minor fixes
      
         - FireWire Tascam and Digi00xx fixes
      
         - drop a kernel WARNING from PCM OSS for syzkaller"
      
      * tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (29 commits)
        ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen
        ALSA: hda: use consistent HDAudio spelling in comments/docs
        ALSA: hda: add dev_dbg log when driver is not selected
        ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled
        ALSA: hda: hdmi - add Rocketlake support
        ALSA: ua101: convert tasklets to use new tasklet_setup() API
        ALSA: usb-audio: convert tasklets to use new tasklet_setup() API
        ASoC: txx9: convert tasklets to use new tasklet_setup() API
        ASoC: siu: convert tasklets to use new tasklet_setup() API
        ASoC: fsl_esai: convert tasklets to use new tasklet_setup() API
        ALSA: hdsp: convert tasklets to use new tasklet_setup() API
        ALSA: riptide: convert tasklets to use new tasklet_setup() API
        ALSA: pci/asihpi: convert tasklets to use new tasklet_setup() API
        ALSA: firewire: convert tasklets to use new tasklet_setup() API
        ALSA: core: convert tasklets to use new tasklet_setup() API
        ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
        ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO
        ALSA: hda/hdmi: always check pin power status in i915 pin fixup
        ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A
        ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2
        ...
      86edf52e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm · cf85f5de
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Not much going on this week, nouveau has a display hw bug workaround,
        amdgpu has some PM fixes and CIK regression fixes, one single radeon
        PLL fix, and a couple of i915 display fixes.
      
        amdgpu:
         - Fix for 32bit systems
         - SW CTF fix
         - Update for Sienna Cichlid
         - CIK bug fixes
      
        radeon:
         - PLL fix
      
        i915:
         - Clang build warning fix
         - HDCP fixes
      
        nouveau:
         - display fixes"
      
      * tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau/kms/nv50-gp1xx: add WAR for EVO push buffer HW bug
        drm/nouveau/kms/nv50-gp1xx: disable notifies again after core update
        drm/nouveau/kms/nv50-: add some whitespace before debug message
        drm/nouveau/kms/gv100-: Include correct push header in crcc37d.c
        drm/radeon: Prefer lower feedback dividers
        drm/amdgpu: Fix bug in reporting voltage for CIK
        drm/amdgpu: Specify get_argument function for ci_smu_funcs
        drm/amd/pm: enable MP0 DPM for sienna_cichlid
        drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting
        drm/amd/pm: fix is_dpm_running() run error on 32bit system
        drm/i915: Clear the repeater bit on HDCP disable
        drm/i915: Fix sha_text population code
        drm/i915/display: Ensure that ret is always initialized in icl_combo_phy_verify_state
      cf85f5de
    • Or Cohen's avatar
      net/packet: fix overflow in tpacket_rcv · acf69c94
      Or Cohen authored
      Using tp_reserve to calculate netoff can overflow as
      tp_reserve is unsigned int and netoff is unsigned short.
      
      This may lead to macoff receving a smaller value then
      sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
      is set, an out-of-bounds write will occur when
      calling virtio_net_hdr_from_skb.
      
      The bug is fixed by converting netoff to unsigned int
      and checking if it exceeds USHRT_MAX.
      
      This addresses CVE-2020-14386
      
      Fixes: 8913336a ("packet: add PACKET_RESERVE sockopt")
      Signed-off-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      acf69c94
    • Linus Torvalds's avatar
      Merge branch 'simplify-do_wp_page' · b25d1dc9
      Linus Torvalds authored
      Merge emailed patches from Peter Xu:
       "This is a small series that I picked up from Linus's suggestion to
        simplify cow handling (and also make it more strict) by checking
        against page refcounts rather than mapcounts.
      
        This makes uffd-wp work again (verified by running upmapsort)"
      
      Note: this is horrendously bad timing, and making this kind of
      fundamental vm change after -rc3 is not at all how things should work.
      The saving grace is that it really is a a nice simplification:
      
       8 files changed, 29 insertions(+), 120 deletions(-)
      
      The reason for the bad timing is that it turns out that commit
      17839856 ("gup: document and work around 'COW can break either way'
      issue" broke not just UFFD functionality (as Peter noticed), but Mikulas
      Patocka also reports that it caused issues for strace when running in a
      DAX environment with ext4 on a persistent memory setup.
      
      And we can't just revert that commit without re-introducing the original
      issue that is a potential security hole, so making COW stricter (and in
      the process much simpler) is a step to then undoing the forced COW that
      broke other uses.
      
      Link: https://lore.kernel.org/lkml/alpine.LRH.2.02.2009031328040.6929@file01.intranet.prod.int.rdu2.redhat.com/
      
      * emailed patches from Peter Xu <peterx@redhat.com>:
        mm: Add PGREUSE counter
        mm/gup: Remove enfornced COW mechanism
        mm/ksm: Remove reuse_ksm_page()
        mm: do_wp_page() simplification
      b25d1dc9
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-cpufreq' · f7ce2c3a
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
      f7ce2c3a
    • Peter Xu's avatar
      mm: Add PGREUSE counter · 798a6b87
      Peter Xu authored
      This accounts for wp_page_reuse() case, where we reused a page for COW.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      798a6b87
    • Peter Xu's avatar
      mm/gup: Remove enfornced COW mechanism · a308c71b
      Peter Xu authored
      With the more strict (but greatly simplified) page reuse logic in
      do_wp_page(), we can safely go back to the world where cow is not
      enforced with writes.
      
      This essentially reverts commit 17839856 ("gup: document and work
      around 'COW can break either way' issue").  There are some context
      differences due to some changes later on around it:
      
        2170ecfa ("drm/i915: convert get_user_pages() --> pin_user_pages()", 2020-06-03)
        376a34ef ("mm/gup: refactor and de-duplicate gup_fast() code", 2020-06-03)
      
      Some lines moved back and forth with those, but this revert patch should
      have striped out and covered all the enforced cow bits anyways.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a308c71b
    • Peter Xu's avatar
      mm/ksm: Remove reuse_ksm_page() · 1a0cf263
      Peter Xu authored
      Remove the function as the last reference has gone away with the do_wp_page()
      changes.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1a0cf263
    • Linus Torvalds's avatar
      mm: do_wp_page() simplification · 09854ba9
      Linus Torvalds authored
      How about we just make sure we're the only possible valid user fo the
      page before we bother to reuse it?
      
      Simplify, simplify, simplify.
      
      And get rid of the nasty serialization on the page lock at the same time.
      
      [peterx: add subject prefix]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      09854ba9
    • Leon Romanovsky's avatar
      gcov: Disable gcov build with GCC 10 · cfc905f1
      Leon Romanovsky authored
      GCOV built with GCC 10 doesn't initialize n_function variable.  This
      produces different kernel panics as was seen by Colin in Ubuntu and me
      in FC 32.
      
      As a workaround, let's disable GCOV build for broken GCC 10 version.
      
      Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1891288
      Link: https://lore.kernel.org/lkml/20200827133932.3338519-1-leon@kernel.org
      Link: https://lore.kernel.org/lkml/CAHk-=whbijeSdSvx-Xcr0DPMj0BiwhJ+uiNnDSVZcr_h_kg7UA@mail.gmail.com/
      Cc: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cfc905f1
    • Barret Rhoden's avatar
      init: fix error check in clean_path() · 7b81ce7c
      Barret Rhoden authored
      init_stat() returns 0 on success, same as vfs_lstat().  When it replaced
      vfs_lstat(), the '!' was dropped.
      
      Fixes: 716308a5 ("init: add an init_stat helper")
      Signed-off-by: default avatarBarret Rhoden <brho@google.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7b81ce7c
    • Dmitry Osipenko's avatar
      thermal: core: Fix use-after-free in thermal_zone_device_unregister() · a5f785ce
      Dmitry Osipenko authored
      The user-after-free bug in thermal_zone_device_unregister() is reported by
      KASAN. It happens because struct thermal_zone_device is released during of
      device_unregister() invocation, and hence the "tz" variable shouldn't be
      touched by thermal_notify_tz_delete(tz->id).
      
      Fixes: 55cdf0a2 ("thermal: core: Add notifications call in the framework")
      Signed-off-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Link: https://lore.kernel.org/r/20200817235854.26816-1-digetx@gmail.com
      a5f785ce
    • Veera Vegivada's avatar
      thermal: qcom-spmi-temp-alarm: Don't suppress negative temp · 0ffdab6f
      Veera Vegivada authored
      Currently driver is suppressing the negative temperature
      readings from the vadc. Consumers of the thermal zones need
      to read the negative temperature too. Don't suppress the
      readings.
      
      Fixes: c610afaa ("thermal: Add QPNP PMIC temperature alarm driver")
      Signed-off-by: default avatarVeera Vegivada <vvegivad@codeaurora.org>
      Signed-off-by: default avatarGuru Das Srinagesh <gurus@codeaurora.org>
      Reviewed-by: default avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Link: https://lore.kernel.org/r/944856eb819081268fab783236a916257de120e4.1596040416.git.gurus@codeaurora.org
      0ffdab6f
    • Tony Lindgren's avatar
      thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 · 30d24fab
      Tony Lindgren authored
      We can sometimes get bogus thermal shutdowns on omap4430 at least with
      droid4 running idle with a battery charger connected:
      
      thermal thermal_zone0: critical temperature reached (143 C), shutting down
      
      Dumping out the register values shows we can occasionally get a 0x7f value
      that is outside the TRM listed values in the ADC conversion table. And then
      we get a normal value when reading again after that. Reading the register
      multiple times does not seem help avoiding the bogus values as they stay
      until the next sample is ready.
      
      Looking at the TRM chapter "18.4.10.2.3 ADC Codes Versus Temperature", we
      should have values from 13 to 107 listed with a total of 95 values. But
      looking at the omap4430_adc_to_temp array, the values are off, and the
      end values are missing. And it seems that the 4430 ADC table is similar
      to omap3630 rather than omap4460.
      
      Let's fix the issue by using values based on the omap3630 table and just
      ignoring invalid values. Compared to the 4430 TRM, the omap3630 table has
      the missing values added while the TRM table only shows every second
      value.
      
      Note that sometimes the ADC register values within the valid table can
      also be way off for about 1 out of 10 values. But it seems that those
      just show about 25 C too low values rather than too high values. So those
      do not cause a bogus thermal shutdown.
      
      Fixes: 1a31270e ("staging: omap-thermal: add OMAP4 data structures")
      Cc: Merlijn Wajer <merlijn@wizzup.org>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Link: https://lore.kernel.org/r/20200706183338.25622-1-tony@atomide.com
      30d24fab
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-fixes-for-v5.9-2020-09-03' of... · 59126901
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v5.9-2020-09-03' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull more perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Use uintptr_t when casting numbers to pointers
      
       - Keep output expected by 3rd parties: Turn off summary for interval
         mode by default.
      
       - BPF is in kernel space, make sure do_validate_kcore_modules() knows
         about that.
      
       - Explicitly call out event modifiers in the documentation.
      
       - Fix jevents() allocation of space for regular expressions.
      
       - Address libtraceevent build warnings on 32-bit arches.
      
       - Fix checking of functions returns using ERR_PTR() in 'perf bench'.
      
      * tag 'perf-tools-fixes-for-v5.9-2020-09-03' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf tools: Add bpf image check to __map__is_kmodule
        perf record/stat: Explicitly call out event modifiers in the documentation
        perf bench: The do_run_multi_threaded() function must use IS_ERR(perf_session__new())
        perf stat: Turn off summary for interval mode by default
        libtraceevent: Fix build warning on 32-bit arches
        perf jevents: Fix suspicious code in fixregex()
        perf parse-events: Use uintptr_t when casting numbers to pointers
      59126901
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 3e8d3bdc
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Use netif_rx_ni() when necessary in batman-adv stack, from Jussi
          Kivilinna.
      
       2) Fix loss of RTT samples in rxrpc, from David Howells.
      
       3) Memory leak in hns_nic_dev_probe(), from Dignhao Liu.
      
       4) ravb module cannot be unloaded, fix from Yuusuke Ashizuka.
      
       5) We disable BH for too lokng in sctp_get_port_local(), add a
          cond_resched() here as well, from Xin Long.
      
       6) Fix memory leak in st95hf_in_send_cmd, from Dinghao Liu.
      
       7) Out of bound access in bpf_raw_tp_link_fill_link_info(), from
          Yonghong Song.
      
       8) Missing of_node_put() in mt7530 DSA driver, from Sumera
          Priyadarsini.
      
       9) Fix crash in bnxt_fw_reset_task(), from Michael Chan.
      
      10) Fix geneve tunnel checksumming bug in hns3, from Yi Li.
      
      11) Memory leak in rxkad_verify_response, from Dinghao Liu.
      
      12) In tipc, don't use smp_processor_id() in preemptible context. From
          Tuong Lien.
      
      13) Fix signedness issue in mlx4 memory allocation, from Shung-Hsi Yu.
      
      14) Missing clk_disable_prepare() in gemini driver, from Dan Carpenter.
      
      15) Fix ABI mismatch between driver and firmware in nfp, from Louis
          Peens.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (110 commits)
        net/smc: fix sock refcounting in case of termination
        net/smc: reset sndbuf_desc if freed
        net/smc: set rx_off for SMCR explicitly
        net/smc: fix toleration of fake add_link messages
        tg3: Fix soft lockup when tg3_reset_task() fails.
        doc: net: dsa: Fix typo in config code sample
        net: dp83867: Fix WoL SecureOn password
        nfp: flower: fix ABI mismatch between driver and firmware
        tipc: fix shutdown() of connectionless socket
        ipv6: Fix sysctl max for fib_multipath_hash_policy
        drivers/net/wan/hdlc: Change the default of hard_header_len to 0
        net: gemini: Fix another missing clk_disable_unprepare() in probe
        net: bcmgenet: fix mask check in bcmgenet_validate_flow()
        amd-xgbe: Add support for new port mode
        net: usb: dm9601: Add USB ID of Keenetic Plus DSL
        vhost: fix typo in error message
        net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
        pktgen: fix error message with wrong function name
        net: ethernet: ti: am65-cpsw: fix rmii 100Mbit link mode
        cxgb4: fix thermal zone device registration
        ...
      3e8d3bdc
    • Linus Torvalds's avatar
      Merge branch 'gate-page-refcount' (patches from Dave Hansen) · 8381979d
      Linus Torvalds authored
      Merge gate page refcount fix from Dave Hansen:
       "During the conversion over to pin_user_pages(), gate pages were missed.
      
        The fix is pretty simple, and is accompanied by a new test from Andy
        which probably would have caught this earlier"
      
      * emailed patches from Dave Hansen <dave.hansen@linux.intel.com>:
        selftests/x86/test_vsyscall: Improve the process_vm_readv() test
        mm: fix pin vs. gup mismatch with gate pages
      8381979d
    • Andy Lutomirski's avatar
      selftests/x86/test_vsyscall: Improve the process_vm_readv() test · 8891adc6
      Andy Lutomirski authored
      The existing code accepted process_vm_readv() success or failure as long
      as it didn't return garbage.  This is too weak: if the vsyscall page is
      readable, then process_vm_readv() should succeed and, if the page is not
      readable, then it should fail.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Cc: x86@kernel.org
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Jann Horn <jannh@google.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8891adc6
    • Dave Hansen's avatar
      mm: fix pin vs. gup mismatch with gate pages · 9fa2dd94
      Dave Hansen authored
      Gate pages were missed when converting from get to pin_user_pages().
      This can lead to refcount imbalances.  This is reliably and quickly
      reproducible running the x86 selftests when vsyscall=emulate is enabled
      (the default).  Fix by using try_grab_page() with appropriate flags
      passed.
      
      The long story:
      
      Today, pin_user_pages() and get_user_pages() are similar interfaces for
      manipulating page reference counts.  However, "pins" use a "bias" value
      and manipulate the actual reference count by 1024 instead of 1 used by
      plain "gets".
      
      That means that pin_user_pages() must be matched with unpin_user_pages()
      and can't be mixed with a plain put_user_pages() or put_page().
      
      Enter gate pages, like the vsyscall page.  They are pages usually in the
      kernel image, but which are mapped to userspace.  Userspace is allowed
      access to them, including interfaces using get/pin_user_pages().  The
      refcount of these kernel pages is manipulated just like a normal user
      page on the get/pin side so that the put/unpin side can work the same
      for normal user pages or gate pages.
      
      get_gate_page() uses try_get_page() which only bumps the refcount by
      1, not 1024, even if called in the pin_user_pages() path.  If someone
      pins a gate page, this happens:
      
      	pin_user_pages()
      		get_gate_page()
      			try_get_page() // bump refcount +1
      	... some time later
      	unpin_user_pages()
      		page_ref_sub_and_test(page, 1024))
      
      ... and boom, we get a refcount off by 1023.  This is reliably and
      quickly reproducible running the x86 selftests when booted with
      vsyscall=emulate (the default).  The selftests use ptrace(), but I
      suspect anything using pin_user_pages() on gate pages could hit this.
      
      To fix it, simply use try_grab_page() instead of try_get_page(), and
      pass 'gup_flags' in so that FOLL_PIN can be respected.
      
      This bug traces back to the very beginning of the FOLL_PIN support in
      commit 3faa52c0 ("mm/gup: track FOLL_PIN pages"), which showed up in
      the 5.7 release.
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Fixes: 3faa52c0 ("mm/gup: track FOLL_PIN pages")
      Reported-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Reviewed-by: default avatarJohn Hubbard <jhubbard@nvidia.com>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: x86@kernel.org
      Cc: Jann Horn <jannh@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9fa2dd94
    • Dave Airlie's avatar
      Merge branch 'linux-5.9' of git://github.com/skeggsb/linux into drm-fixes · d37d5692
      Dave Airlie authored
      A couple of minor fixes to the display changes that went in for 5.9.
      The most important of which is a workaround for a HW bug that was
      exposed by better push buffer space management, leading to
      random(ish...) display engine hangs.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Ben Skeggs <skeggsb@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ <CACAvsv5QDxyMihrxbPk+-sORnaYtjR6_dbM68gEhb2wxht_G1w@mail.gmail.com
      d37d5692
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-09-03' of... · 0f8aeef1
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-09-03' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      drm/i915 fixes for v5.9-rc4:
      - Clang build warning fix
      - HDCP fixes
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/87sgbz2pnx.fsf@intel.com
      0f8aeef1
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.9-2020-09-03' of... · b596649f
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.9-2020-09-03' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.9-2020-09-03:
      
      amdgpu:
      - Fix for 32bit systems
      - SW CTF fix
      - Update for Sienna Cichlid
      - CIK bug fixes
      
      radeon:
      - PLL fix
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200903050022.3960-1-alexander.deucher@amd.com
      b596649f
  3. 03 Sep, 2020 5 commits
    • David S. Miller's avatar
      Merge branch 'smc-fixes' · b61ac5bb
      David S. Miller authored
      Karsten Graul says:
      
      ====================
      net/smc: fixes 2020-09-03
      
      Please apply the following patch series for smc to netdev's net tree.
      
      Patch 1 fixes the toleration of older SMC implementations. Patch 2
      takes care of a problem that happens when SMCR is used after SMCD
      initialization failed. Patch 3 fixes a problem with freed send buffers,
      and patch 4 corrects refcounting when SMC terminates due to device
      removal.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b61ac5bb
    • Ursula Braun's avatar
      net/smc: fix sock refcounting in case of termination · 5fb8642a
      Ursula Braun authored
      When an ISM device is removed, all its linkgroups are terminated,
      i.e. all the corresponding connections are killed.
      Connection killing invokes smc_close_active_abort(), which decreases
      the sock refcount for certain states to simulate passive closing.
      And it cancels the close worker and has to give up the sock lock for
      this timeframe. This opens the door for a passive close worker or a
      socket close to run in between. In this case smc_close_active_abort() and
      passive close worker resp. smc_release() might do a sock_put for passive
      closing. This causes:
      
      [ 1323.315943] refcount_t: underflow; use-after-free.
      [ 1323.316055] WARNING: CPU: 3 PID: 54469 at lib/refcount.c:28 refcount_warn_saturate+0xe8/0x130
      [ 1323.316069] Kernel panic - not syncing: panic_on_warn set ...
      [ 1323.316084] CPU: 3 PID: 54469 Comm: uperf Not tainted 5.9.0-20200826.rc2.git0.46328853ed20.300.fc32.s390x+debug #1
      [ 1323.316096] Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0)
      [ 1323.316108] Call Trace:
      [ 1323.316125]  [<00000000c0d4aae8>] show_stack+0x90/0xf8
      [ 1323.316143]  [<00000000c15989b0>] dump_stack+0xa8/0xe8
      [ 1323.316158]  [<00000000c0d8344e>] panic+0x11e/0x288
      [ 1323.316173]  [<00000000c0d83144>] __warn+0xac/0x158
      [ 1323.316187]  [<00000000c1597a7a>] report_bug+0xb2/0x130
      [ 1323.316201]  [<00000000c0d36424>] monitor_event_exception+0x44/0xc0
      [ 1323.316219]  [<00000000c195c716>] pgm_check_handler+0x1da/0x238
      [ 1323.316234]  [<00000000c151844c>] refcount_warn_saturate+0xec/0x130
      [ 1323.316280] ([<00000000c1518448>] refcount_warn_saturate+0xe8/0x130)
      [ 1323.316310]  [<000003ff801f2e2a>] smc_release+0x192/0x1c8 [smc]
      [ 1323.316323]  [<00000000c169f1fa>] __sock_release+0x5a/0xe0
      [ 1323.316334]  [<00000000c169f2ac>] sock_close+0x2c/0x40
      [ 1323.316350]  [<00000000c1086de0>] __fput+0xb8/0x278
      [ 1323.316362]  [<00000000c0db1e0e>] task_work_run+0x76/0xb8
      [ 1323.316393]  [<00000000c0d8ab84>] do_exit+0x26c/0x520
      [ 1323.316408]  [<00000000c0d8af08>] do_group_exit+0x48/0xc0
      [ 1323.316421]  [<00000000c0d8afa8>] __s390x_sys_exit_group+0x28/0x38
      [ 1323.316433]  [<00000000c195c32c>] system_call+0xe0/0x2b4
      [ 1323.316446] 1 lock held by uperf/54469:
      [ 1323.316456]  #0: 0000000044125e60 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: __sock_release+0x44/0xe0
      
      The patch rechecks sock state in smc_close_active_abort() after
      smc_close_cancel_work() to avoid duplicate decrease of sock
      refcount for the same purpose.
      
      Fixes: 611b63a1 ("net/smc: cancel tx worker in case of socket aborts")
      Reviewed-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5fb8642a
    • Ursula Braun's avatar
      net/smc: reset sndbuf_desc if freed · 1d8df41d
      Ursula Braun authored
      When an SMC connection is created, and there is a problem to
      create an RMB or DMB, the previously created send buffer is
      thrown away as well including buffer descriptor freeing.
      Make sure the connection no longer references the freed
      buffer descriptor, otherwise bugs like this are possible:
      
      [71556.835148] =============================================================================
      [71556.835168] BUG kmalloc-128 (Tainted: G    B      OE    ): Poison overwritten
      [71556.835172] -----------------------------------------------------------------------------
      
      [71556.835179] INFO: 0x00000000d20894be-0x00000000aaef63e9 @offset=2724. First byte 0x0 instead of 0x6b
      [71556.835215] INFO: Allocated in __smc_buf_create+0x184/0x578 [smc] age=0 cpu=5 pid=46726
      [71556.835234]     ___slab_alloc+0x5a4/0x690
      [71556.835239]     __slab_alloc.constprop.0+0x70/0xb0
      [71556.835243]     kmem_cache_alloc_trace+0x38e/0x3f8
      [71556.835250]     __smc_buf_create+0x184/0x578 [smc]
      [71556.835257]     smc_buf_create+0x2e/0xe8 [smc]
      [71556.835264]     smc_listen_work+0x516/0x6a0 [smc]
      [71556.835275]     process_one_work+0x280/0x478
      [71556.835280]     worker_thread+0x66/0x368
      [71556.835287]     kthread+0x17a/0x1a0
      [71556.835294]     ret_from_fork+0x28/0x2c
      [71556.835301] INFO: Freed in smc_buf_create+0xd8/0xe8 [smc] age=0 cpu=5 pid=46726
      [71556.835307]     __slab_free+0x246/0x560
      [71556.835311]     kfree+0x398/0x3f8
      [71556.835318]     smc_buf_create+0xd8/0xe8 [smc]
      [71556.835324]     smc_listen_work+0x516/0x6a0 [smc]
      [71556.835328]     process_one_work+0x280/0x478
      [71556.835332]     worker_thread+0x66/0x368
      [71556.835337]     kthread+0x17a/0x1a0
      [71556.835344]     ret_from_fork+0x28/0x2c
      [71556.835348] INFO: Slab 0x00000000a0744551 objects=51 used=51 fp=0x0000000000000000 flags=0x1ffff00000010200
      [71556.835352] INFO: Object 0x00000000563480a1 @offset=2688 fp=0x00000000289567b2
      
      [71556.835359] Redzone 000000006783cde2: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835363] Redzone 00000000e35b876e: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835367] Redzone 0000000023074562: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835372] Redzone 00000000b9564b8c: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835376] Redzone 00000000810c6362: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835380] Redzone 0000000065ef52c3: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835384] Redzone 00000000c5dd6984: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835388] Redzone 000000004c480f8f: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      [71556.835392] Object 00000000563480a1: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835397] Object 000000009c479d06: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835401] Object 000000006e1dce92: 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b  kkkk....kkkkkkkk
      [71556.835405] Object 00000000227f7cf8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835410] Object 000000009a701215: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835414] Object 000000003731ce76: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835418] Object 00000000f7085967: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      [71556.835422] Object 0000000007f99927: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
      [71556.835427] Redzone 00000000579c4913: bb bb bb bb bb bb bb bb                          ........
      [71556.835431] Padding 00000000305aef82: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
      [71556.835435] Padding 00000000b1cdd722: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
      [71556.835438] Padding 00000000c7568199: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
      [71556.835442] Padding 00000000fad4c4d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
      [71556.835451] CPU: 0 PID: 47939 Comm: kworker/0:15 Tainted: G    B      OE     5.9.0-rc1uschi+ #54
      [71556.835456] Hardware name: IBM 3906 M03 703 (LPAR)
      [71556.835464] Workqueue: events smc_listen_work [smc]
      [71556.835470] Call Trace:
      [71556.835478]  [<00000000d5eaeb10>] show_stack+0x90/0xf8
      [71556.835493]  [<00000000d66fc0f8>] dump_stack+0xa8/0xe8
      [71556.835499]  [<00000000d61a511c>] check_bytes_and_report+0x104/0x130
      [71556.835504]  [<00000000d61a57b2>] check_object+0x26a/0x2e0
      [71556.835509]  [<00000000d61a59bc>] alloc_debug_processing+0x194/0x238
      [71556.835514]  [<00000000d61a8c14>] ___slab_alloc+0x5a4/0x690
      [71556.835519]  [<00000000d61a9170>] __slab_alloc.constprop.0+0x70/0xb0
      [71556.835524]  [<00000000d61aaf66>] kmem_cache_alloc_trace+0x38e/0x3f8
      [71556.835530]  [<000003ff80549bbc>] __smc_buf_create+0x184/0x578 [smc]
      [71556.835538]  [<000003ff8054a396>] smc_buf_create+0x2e/0xe8 [smc]
      [71556.835545]  [<000003ff80540c16>] smc_listen_work+0x516/0x6a0 [smc]
      [71556.835549]  [<00000000d5f0f448>] process_one_work+0x280/0x478
      [71556.835554]  [<00000000d5f0f6a6>] worker_thread+0x66/0x368
      [71556.835559]  [<00000000d5f18692>] kthread+0x17a/0x1a0
      [71556.835563]  [<00000000d6abf3b8>] ret_from_fork+0x28/0x2c
      [71556.835569] INFO: lockdep is turned off.
      [71556.835573] FIX kmalloc-128: Restoring 0x00000000d20894be-0x00000000aaef63e9=0x6b
      
      [71556.835577] FIX kmalloc-128: Marking all objects used
      
      Fixes: fd7f3a74 ("net/smc: remove freed buffer from list")
      Reviewed-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d8df41d
    • Ursula Braun's avatar
      net/smc: set rx_off for SMCR explicitly · 2d2bfeb8
      Ursula Braun authored
      SMC tries to make use of SMCD first. If a problem shows up,
      it tries to switch to SMCR. If the SMCD initializing problem shows
      up after the SMCD connection has already been initialized, field
      rx_off keeps the wrong SMCD value for SMCR, which results in corrupted
      data at the receiver.
      This patch adds an explicit (re-)setting of field rx_off to zero if the
      connection uses SMCR.
      
      Fixes: be244f28 ("net/smc: add SMC-D support in data transfer")
      Reviewed-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d2bfeb8
    • Karsten Graul's avatar
      net/smc: fix toleration of fake add_link messages · fffe83c8
      Karsten Graul authored
      Older SMCR implementations had no link failover support and used one
      link only. Because the handshake protocol requires to try the
      establishment of a second link the old code sent a fake add_link message
      and declined any server response afterwards.
      The current code supports multiple links and inspects the received fake
      add_link message more closely. To tolerate the fake add_link messages
      smc_llc_is_local_add_link() needs an improved check of the message to
      be able to separate between locally enqueued and fake add_link messages.
      And smc_llc_cli_add_link() needs to check if the provided qp_mtu size is
      invalid and reject the add_link request in that case.
      
      Fixes: c48254fa ("net/smc: move add link processing for new device into llc layer")
      Reviewed-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fffe83c8