1. 20 Sep, 2018 1 commit
  2. 19 Sep, 2018 39 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.9 · 86e014f5
      Greg Kroah-Hartman authored
      86e014f5
    • Linus Torvalds's avatar
      mm: get rid of vmacache_flush_all() entirely · 175ad0cb
      Linus Torvalds authored
      commit 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 upstream.
      
      Jann Horn points out that the vmacache_flush_all() function is not only
      potentially expensive, it's buggy too.  It also happens to be entirely
      unnecessary, because the sequence number overflow case can be avoided by
      simply making the sequence number be 64-bit.  That doesn't even grow the
      data structures in question, because the other adjacent fields are
      already 64-bit.
      
      So simplify the whole thing by just making the sequence number overflow
      case go away entirely, which gets rid of all the complications and makes
      the code faster too.  Win-win.
      
      [ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
        also just goes away entirely with this ]
      Reported-by: 's avatarJann Horn <jannh@google.com>
      Suggested-by: 's avatarWill Deacon <will.deacon@arm.com>
      Acked-by: 's avatarDavidlohr Bueso <dave@stgolabs.net>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      175ad0cb
    • Ian Kent's avatar
      autofs: fix autofs_sbi() does not check super block type · 39998fd5
      Ian Kent authored
      commit 0633da48f0793aeba27f82d30605624416723a91 upstream.
      
      autofs_sbi() does not check the superblock magic number to verify it has
      been given an autofs super block.
      
      Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
      Reported-by: <syzbot+87c3c541582e56943277@syzkaller.appspotmail.com>
      Signed-off-by: 's avatarIan Kent <raven@themaw.net>
      Reviewed-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Guenter Roeck <groeck@google.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39998fd5
    • Peter Zijlstra's avatar
      clocksource: Revert "Remove kthread" · 51d34e94
      Peter Zijlstra authored
      commit e2c631ba75a7e727e8db0a9d30a06bfd434adb3a upstream.
      
      I turns out that the silly spawn kthread from worker was actually needed.
      
      clocksource_watchdog_kthread() cannot be called directly from
      clocksource_watchdog_work(), because clocksource_select() calls
      timekeeping_notify() which uses stop_machine(). One cannot use
      stop_machine() from a workqueue() due lock inversions wrt CPU hotplug.
      
      Revert the patch but add a comment that explain why we jump through such
      apparently silly hoops.
      
      Fixes: 7197e77a ("clocksource: Remove kthread")
      Reported-by: 's avatarSiegfried Metz <frame@mailbox.org>
      Signed-off-by: 's avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: 's avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: 's avatarNiklas Cassel <niklas.cassel@linaro.org>
      Tested-by: 's avatarKevin Shanahan <kevin@shanahan.id.au>
      Tested-by: viktor_jaegerskuepper@freenet.de
      Tested-by: 's avatarSiegfried Metz <frame@mailbox.org>
      Cc: rafael.j.wysocki@intel.com
      Cc: len.brown@intel.com
      Cc: diego.viola@gmail.com
      Cc: rui.zhang@intel.com
      Cc: bjorn.andersson@linaro.org
      Link: https://lkml.kernel.org/r/20180905084158.GR24124@hirez.programming.kicks-ass.net
      Cc: Siegfried Metz <frame@mailbox.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      51d34e94
    • Parav Pandit's avatar
      RDMA/cma: Do not ignore net namespace for unbound cm_id · 777c7b84
      Parav Pandit authored
      [ Upstream commit 643d213a9a034fa04f5575a40dfc8548e33ce04f ]
      
      Currently if the cm_id is not bound to any netdevice, than for such cm_id,
      net namespace is ignored; which is incorrect.
      
      Regardless of cm_id bound to a netdevice or not, net namespace must
      match. When a cm_id is bound to a netdevice, in such case net namespace
      and netdevice both must match.
      
      Fixes: 4c21b5bc ("IB/cma: Add net_dev and private data checks to RDMA CM")
      Signed-off-by: 's avatarParav Pandit <parav@mellanox.com>
      Reviewed-by: 's avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: 's avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: 's avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      777c7b84
    • Quentin Schulz's avatar
      MIPS: mscc: ocelot: fix length of memory address space for MIIM · 9daa1d75
      Quentin Schulz authored
      [ Upstream commit 49e5bb13adc11fe6e2e40f65c04f3a461aea1fec ]
      
      The length of memory address space for MIIM0 is from 0x7107009c to
      0x710700bf included which is 36 bytes long in decimal, or 0x24 bytes in
      hexadecimal and not 0x36.
      
      Fixes: 49b03169 ("MIPS: mscc: Add switch to ocelot")
      Signed-off-by: 's avatarQuentin Schulz <quentin.schulz@bootlin.com>
      Acked-by: 's avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/20013/
      Cc: robh+dt@kernel.org
      Cc: mark.rutland@arm.com
      Cc: ralf@linux-mips.org
      Cc: jhogan@kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: devicetree@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: thomas.petazzoni@bootlin.com
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9daa1d75
    • Paul Burton's avatar
      MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON · 20452f8f
      Paul Burton authored
      [ Upstream commit d4da0e97baea8768b3d66ccef3967bebd50dfc3b ]
      
      If a driver causes DMA cache maintenance with a zero length then we
      currently BUG and kill the kernel. As this is a scenario that we may
      well be able to recover from, WARN & return in the condition instead.
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Acked-by: 's avatarFlorian Fainelli <f.fainelli@gmail.com>
      Patchwork: https://patchwork.linux-mips.org/patch/14623/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20452f8f
    • Lijun Ou's avatar
      RDMA/hns: Update the data type of immediate data · 1c7b8cf2
      Lijun Ou authored
      [ Upstream commit 0c4a0e2987a51415de73180ce9f389a99b3dddd1 ]
      
      Because the data structure of hip08 is little endian, it needs to fix the
      immediate field of wqe and cqe into __le32.
      Signed-off-by: 's avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: 's avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c7b8cf2
    • Trond Myklebust's avatar
      NFSv4.1: Fix a potential layoutget/layoutrecall deadlock · 137fee53
      Trond Myklebust authored
      [ Upstream commit bd3d16a887b0c19a2a20d35ffed499e3a3637feb ]
      
      If the client is sending a layoutget, but the server issues a callback
      to recall what it thinks may be an outstanding layout, then we may find
      an uninitialised layout attached to the inode due to the layoutget.
      In that case, it is appropriate to return NFS4ERR_NOMATCHING_LAYOUT
      rather than NFS4ERR_DELAY, as the latter can end up deadlocking.
      Signed-off-by: 's avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      137fee53
    • Lijun Ou's avatar
      RDMA/hns: Add illegal hop_num judgement · 1256eeb1
      Lijun Ou authored
      [ Upstream commit 26f63b9c33ceda12fb9136a1d0c80e03c9ebb514 ]
      
      When hop_num is more than three, it need to return -EINVAL.  This patch
      fixes it.
      Signed-off-by: 's avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: 's avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1256eeb1
    • Chao Yu's avatar
      f2fs: fix to do sanity check with extra_attr feature · b6f49345
      Chao Yu authored
      [ Upstream commit 76d56d4ab4f2a9e4f085c7d77172194ddaccf7d2 ]
      
      If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
      parsed as inode.i_extra_isize, then in __recover_inline_status, inline
      data address will beyond boundary of page, result in accessing invalid
      memory.
      
      So in this condition, during reading inode page, let's do sanity check
      with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
      inconsistent, deny to load this inode.
      
      - Overview
      Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
      
      - Reproduce
      
      The following message will be got in KASAN build of 4.18 upstream kernel.
      [  819.392227] ==================================================================
      [  819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
      [  819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292
      
      [  819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  819.397088] Call Trace:
      [  819.397124]  dump_stack+0x7b/0xb5
      [  819.397154]  print_address_description+0x70/0x290
      [  819.397159]  kasan_report+0x291/0x390
      [  819.397163]  ? f2fs_iget+0x736/0x1530
      [  819.397176]  check_memory_region+0x139/0x190
      [  819.397182]  __asan_loadN+0xf/0x20
      [  819.397185]  f2fs_iget+0x736/0x1530
      [  819.397197]  f2fs_fill_super+0x1b4f/0x2b40
      [  819.397202]  ? f2fs_fill_super+0x1b4f/0x2b40
      [  819.397208]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397227]  ? set_blocksize+0x90/0x140
      [  819.397241]  mount_bdev+0x1c5/0x210
      [  819.397245]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397252]  f2fs_mount+0x15/0x20
      [  819.397256]  mount_fs+0x60/0x1a0
      [  819.397267]  ? alloc_vfsmnt+0x309/0x360
      [  819.397272]  vfs_kern_mount+0x6b/0x1a0
      [  819.397282]  do_mount+0x34a/0x18c0
      [  819.397300]  ? lockref_put_or_lock+0xcf/0x160
      [  819.397306]  ? copy_mount_string+0x20/0x20
      [  819.397318]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  819.397324]  ? kasan_check_write+0x14/0x20
      [  819.397334]  ? _copy_from_user+0x6a/0x90
      [  819.397353]  ? memdup_user+0x42/0x60
      [  819.397359]  ksys_mount+0x83/0xd0
      [  819.397365]  __x64_sys_mount+0x67/0x80
      [  819.397388]  do_syscall_64+0x78/0x170
      [  819.397403]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  819.397422] RIP: 0033:0x7f54c667cb9a
      [  819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a
      [  819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0
      [  819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0
      [  819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003
      
      [  819.397866] Allocated by task 139:
      [  819.398702]  save_stack+0x46/0xd0
      [  819.398705]  kasan_kmalloc+0xad/0xe0
      [  819.398709]  kasan_slab_alloc+0x11/0x20
      [  819.398713]  kmem_cache_alloc+0xd1/0x1e0
      [  819.398717]  dup_fd+0x50/0x4c0
      [  819.398740]  copy_process.part.37+0xbed/0x32e0
      [  819.398744]  _do_fork+0x16e/0x590
      [  819.398748]  __x64_sys_clone+0x69/0x80
      [  819.398752]  do_syscall_64+0x78/0x170
      [  819.398756]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.399097] Freed by task 159:
      [  819.399743]  save_stack+0x46/0xd0
      [  819.399747]  __kasan_slab_free+0x13c/0x1a0
      [  819.399750]  kasan_slab_free+0xe/0x10
      [  819.399754]  kmem_cache_free+0x89/0x1e0
      [  819.399757]  put_files_struct+0x132/0x150
      [  819.399761]  exit_files+0x62/0x70
      [  819.399766]  do_exit+0x47b/0x1390
      [  819.399770]  do_group_exit+0x86/0x130
      [  819.399774]  __x64_sys_exit_group+0x2c/0x30
      [  819.399778]  do_syscall_64+0x78/0x170
      [  819.399782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.400115] The buggy address belongs to the object at ffff8801f099c680
                      which belongs to the cache files_cache of size 704
      [  819.403234] The buggy address is located 40 bytes to the right of
                      704-byte region [ffff8801f099c680, ffff8801f099c940)
      [  819.405689] The buggy address belongs to the page:
      [  819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
      [  819.408984] flags: 0x2ffff0000008100(slab|head)
      [  819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
      [  819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
      [  819.413073] page dumped because: kasan: bad access detected
      
      [  819.414539] Memory state around the buggy address:
      [  819.415521]  ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.416981]  ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [  819.419921]                                                           ^
      [  819.421265]  ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  819.422745]  ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.424206] ==================================================================
      [  819.425668] Disabling lock debugging due to kernel taint
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      
      The kernel still mounts the image. If you run the following program on the mounted folder mnt,
      
      (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
          int fd = open(foo_bar_baz, O_RDONLY, 0);
        if (fd >= 0) {
            read(fd, (char *)buf, 11);
            close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      You can get kernel crash:
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82
      [  918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0
      [  918.045207] Oops: 0000 [#1] SMP KASAN PTI
      [  918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
      [  918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  918.049552] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.062614] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.064246] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      [  918.066882] Call Trace:
      [  918.067410]  __asan_loadN+0xf/0x20
      [  918.068149]  f2fs_find_target_dentry+0xf4/0x270
      [  918.069083]  ? __get_node_page+0x331/0x5b0
      [  918.069925]  f2fs_find_in_inline_dir+0x24b/0x310
      [  918.070881]  ? f2fs_recover_inline_data+0x4c0/0x4c0
      [  918.071905]  ? unwind_next_frame.part.5+0x34f/0x490
      [  918.072901]  ? unwind_dump+0x290/0x290
      [  918.073695]  ? is_bpf_text_address+0xe/0x20
      [  918.074566]  __f2fs_find_entry+0x599/0x670
      [  918.075408]  ? kasan_unpoison_shadow+0x36/0x50
      [  918.076315]  ? kasan_kmalloc+0xad/0xe0
      [  918.077100]  ? memcg_kmem_put_cache+0x55/0xa0
      [  918.077998]  ? f2fs_find_target_dentry+0x270/0x270
      [  918.079006]  ? d_set_d_op+0x30/0x100
      [  918.079749]  ? __d_lookup_rcu+0x69/0x2e0
      [  918.080556]  ? __d_alloc+0x275/0x450
      [  918.081297]  ? kasan_check_write+0x14/0x20
      [  918.082135]  ? memset+0x31/0x40
      [  918.082820]  ? fscrypt_setup_filename+0x1ec/0x4c0
      [  918.083782]  ? d_alloc_parallel+0x5bb/0x8c0
      [  918.084640]  f2fs_find_entry+0xe9/0x110
      [  918.085432]  ? __f2fs_find_entry+0x670/0x670
      [  918.086308]  ? kasan_check_write+0x14/0x20
      [  918.087163]  f2fs_lookup+0x297/0x590
      [  918.087902]  ? f2fs_link+0x2b0/0x2b0
      [  918.088646]  ? legitimize_path.isra.29+0x61/0xa0
      [  918.089589]  __lookup_slow+0x12e/0x240
      [  918.090371]  ? may_delete+0x2b0/0x2b0
      [  918.091123]  ? __nd_alloc_stack+0xa0/0xa0
      [  918.091944]  lookup_slow+0x44/0x60
      [  918.092642]  walk_component+0x3ee/0xa40
      [  918.093428]  ? is_bpf_text_address+0xe/0x20
      [  918.094283]  ? pick_link+0x3e0/0x3e0
      [  918.095047]  ? in_group_p+0xa5/0xe0
      [  918.095771]  ? generic_permission+0x53/0x1e0
      [  918.096666]  ? security_inode_permission+0x1d/0x70
      [  918.097646]  ? inode_permission+0x7a/0x1f0
      [  918.098497]  link_path_walk+0x2a2/0x7b0
      [  918.099298]  ? apparmor_capget+0x3d0/0x3d0
      [  918.100140]  ? walk_component+0xa40/0xa40
      [  918.100958]  ? path_init+0x2e6/0x580
      [  918.101695]  path_openat+0x1bb/0x2160
      [  918.102471]  ? __save_stack_trace+0x92/0x100
      [  918.103352]  ? save_stack+0xb5/0xd0
      [  918.104070]  ? vfs_unlink+0x250/0x250
      [  918.104822]  ? save_stack+0x46/0xd0
      [  918.105538]  ? kasan_slab_alloc+0x11/0x20
      [  918.106370]  ? kmem_cache_alloc+0xd1/0x1e0
      [  918.107213]  ? getname_flags+0x76/0x2c0
      [  918.107997]  ? getname+0x12/0x20
      [  918.108677]  ? do_sys_open+0x14b/0x2c0
      [  918.109450]  ? __x64_sys_open+0x4c/0x60
      [  918.110255]  ? do_syscall_64+0x78/0x170
      [  918.111083]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.112148]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.113204]  ? f2fs_empty_inline_dir+0x1e0/0x1e0
      [  918.114150]  ? timespec64_trunc+0x5c/0x90
      [  918.114993]  ? wb_io_lists_depopulated+0x1a/0xc0
      [  918.115937]  ? inode_io_list_move_locked+0x102/0x110
      [  918.116949]  do_filp_open+0x12b/0x1d0
      [  918.117709]  ? may_open_dev+0x50/0x50
      [  918.118475]  ? kasan_kmalloc+0xad/0xe0
      [  918.119246]  do_sys_open+0x17c/0x2c0
      [  918.119983]  ? do_sys_open+0x17c/0x2c0
      [  918.120751]  ? filp_open+0x60/0x60
      [  918.121463]  ? task_work_run+0x4d/0xf0
      [  918.122237]  __x64_sys_open+0x4c/0x60
      [  918.123001]  do_syscall_64+0x78/0x170
      [  918.123759]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.124802] RIP: 0033:0x7fac96e3e040
      [  918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
      [  918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [  918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040
      [  918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080
      [  918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001
      [  918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20
      [  918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000
      [  918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  918.147924] CR2: ffffed0048000d82
      [  918.148619] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  918.149563] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.162587] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.164203] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      Reported-by: 's avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6f49345
    • Chao Yu's avatar
      f2fs: fix to propagate return value of scan_nat_page() · 05931191
      Chao Yu authored
      [ Upstream commit e2374015f27fe5ee5d5c37966e2faf396cdaaa65 ]
      
      As Anatoly Trosinenko reported in bugzilla:
      
      How to reproduce:
      1. Compile the 73fcb1a3 version of the kernel using the config attached
      2. Unpack and mount the attached filesystem image as F2FS
      3. The kernel will BUG() on mount (BUGs are explicitly enabled in config)
      
      [    2.233612] F2FS-fs (sda): Found nat_bits in checkpoint
      [    2.248422] ------------[ cut here ]------------
      [    2.248857] kernel BUG at fs/f2fs/node.c:1967!
      [    2.249760] invalid opcode: 0000 [#1] SMP NOPTI
      [    2.250219] Modules linked in:
      [    2.251848] CPU: 0 PID: 944 Comm: mount Not tainted 4.17.0-rc5+ #1
      [    2.252331] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [    2.253305] RIP: 0010:build_free_nids+0x337/0x3f0
      [    2.253672] RSP: 0018:ffffae7fc0857c50 EFLAGS: 00000246
      [    2.254080] RAX: 00000000ffffffff RBX: 0000000000000123 RCX: 0000000000000001
      [    2.254638] RDX: ffff9aa7063d5c00 RSI: 0000000000000122 RDI: ffff9aa705852e00
      [    2.255190] RBP: ffff9aa705852e00 R08: 0000000000000001 R09: ffff9aa7059090c0
      [    2.255719] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9aa705852e00
      [    2.256242] R13: ffff9aa7063ad000 R14: ffff9aa705919000 R15: 0000000000000123
      [    2.256809] FS:  00000000023078c0(0000) GS:ffff9aa707800000(0000) knlGS:0000000000000000
      [    2.258654] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    2.259153] CR2: 00000000005511ae CR3: 0000000005872000 CR4: 00000000000006f0
      [    2.259801] Call Trace:
      [    2.260583]  build_node_manager+0x5cd/0x600
      [    2.260963]  f2fs_fill_super+0x66a/0x17c0
      [    2.261300]  ? f2fs_commit_super+0xe0/0xe0
      [    2.261622]  mount_bdev+0x16e/0x1a0
      [    2.261899]  mount_fs+0x30/0x150
      [    2.262398]  vfs_kern_mount.part.28+0x4f/0xf0
      [    2.262743]  do_mount+0x5d0/0xc60
      [    2.263010]  ? _copy_from_user+0x37/0x60
      [    2.263313]  ? memdup_user+0x39/0x60
      [    2.263692]  ksys_mount+0x7b/0xd0
      [    2.263960]  __x64_sys_mount+0x1c/0x20
      [    2.264268]  do_syscall_64+0x43/0xf0
      [    2.264560]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [    2.265095] RIP: 0033:0x48d31a
      [    2.265502] RSP: 002b:00007ffc6fe60a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
      [    2.266089] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
      [    2.266607] RDX: 00007ffc6fe62fa5 RSI: 00007ffc6fe62f9d RDI: 00007ffc6fe62f94
      [    2.267130] RBP: 00000000023078a0 R08: 0000000000000000 R09: 0000000000000000
      [    2.267670] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
      [    2.268192] R13: 0000000000000000 R14: 00007ffc6fe60c78 R15: 0000000000000000
      [    2.268767] Code: e8 5f c3 ff ff 83 c3 01 41 83 c7 01 81 fb c7 01 00 00 74 48 44 39 7d 04 76 42 48 63 c3 48 8d 04 c0 41 8b 44 06 05 83 f8 ff 75 c1 <0f> 0b 49 8b 45 50 48 8d b8 b0 00 00 00 e8 37 59 69 00 b9 01 00
      [    2.270434] RIP: build_free_nids+0x337/0x3f0 RSP: ffffae7fc0857c50
      [    2.271426] ---[ end trace ab20c06cd3c8fde4 ]---
      
      During loading NAT entries, we will do sanity check, once the entry info
      is corrupted, it will cause BUG_ON directly to protect user data from
      being overwrited.
      
      In this case, it will be better to just return failure on mount() instead
      of panic, so that user can get hint from kmsg and try fsck for recovery
      immediately rather than after an abnormal reboot.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=199769Reported-by: 's avatarAnatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05931191
    • Chao Yu's avatar
      f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize · 8d65ffb3
      Chao Yu authored
      [ Upstream commit c77ec61ca0a49544ca81881cc5d5529858f7e196 ]
      
      This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
      during mount, in order to avoid accessing across cache boundary with
      this abnormal bitmap size.
      
      - Overview
      buffer overrun in build_sit_info() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.584979] ==================================================================
      [  548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
      [  548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295
      
      [  548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.589438] Call Trace:
      [  548.589474]  dump_stack+0x7b/0xb5
      [  548.589487]  print_address_description+0x70/0x290
      [  548.589492]  kasan_report+0x291/0x390
      [  548.589496]  ? kmemdup+0x36/0x50
      [  548.589509]  check_memory_region+0x139/0x190
      [  548.589514]  memcpy+0x23/0x50
      [  548.589518]  kmemdup+0x36/0x50
      [  548.589545]  f2fs_build_segment_manager+0x8fa/0x3410
      [  548.589551]  ? __asan_loadN+0xf/0x20
      [  548.589560]  ? f2fs_sanity_check_ckpt+0x1be/0x240
      [  548.589566]  ? f2fs_flush_sit_entries+0x10c0/0x10c0
      [  548.589587]  ? __put_user_ns+0x40/0x40
      [  548.589604]  ? find_next_bit+0x57/0x90
      [  548.589610]  f2fs_fill_super+0x194b/0x2b40
      [  548.589617]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589637]  ? set_blocksize+0x90/0x140
      [  548.589651]  mount_bdev+0x1c5/0x210
      [  548.589655]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589667]  f2fs_mount+0x15/0x20
      [  548.589672]  mount_fs+0x60/0x1a0
      [  548.589683]  ? alloc_vfsmnt+0x309/0x360
      [  548.589688]  vfs_kern_mount+0x6b/0x1a0
      [  548.589699]  do_mount+0x34a/0x18c0
      [  548.589710]  ? lockref_put_or_lock+0xcf/0x160
      [  548.589716]  ? copy_mount_string+0x20/0x20
      [  548.589728]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.589734]  ? kasan_check_write+0x14/0x20
      [  548.589740]  ? _copy_from_user+0x6a/0x90
      [  548.589744]  ? memdup_user+0x42/0x60
      [  548.589750]  ksys_mount+0x83/0xd0
      [  548.589755]  __x64_sys_mount+0x67/0x80
      [  548.589781]  do_syscall_64+0x78/0x170
      [  548.589797]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.589820] RIP: 0033:0x7f76fc331b9a
      [  548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      
      [  548.590242] The buggy address belongs to the page:
      [  548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  548.592886] flags: 0x2ffff0000000000()
      [  548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
      [  548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  548.603713] page dumped because: kasan: bad access detected
      
      [  548.605203] Memory state around the buggy address:
      [  548.606198]  ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.607676]  ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.610629]                                                                 ^
      [  548.612088]  ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.613674]  ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.615141] ==================================================================
      [  548.616613] Disabling lock debugging due to kernel taint
      [  548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
      [  548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G    B             4.18.0-rc1+ #4
      [  548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
      [  548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
      [  548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246
      [  548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7
      [  548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000
      [  548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5
      [  548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040
      [  548.623295] R13: 00000000006040c0 R14: 000000000000000c R15: ffff8801f28c7938
      [  548.623299] FS:  00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  548.623302] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0
      [  548.623317] Call Trace:
      [  548.623325]  ? kasan_check_read+0x11/0x20
      [  548.623330]  ? __zone_watermark_ok+0x92/0x240
      [  548.623336]  ? get_page_from_freelist+0x1c3/0x1d90
      [  548.623347]  ? _raw_spin_lock_irqsave+0x2a/0x60
      [  548.623353]  ? warn_alloc+0x250/0x250
      [  548.623358]  ? save_stack+0x46/0xd0
      [  548.623361]  ? kasan_kmalloc+0xad/0xe0
      [  548.623366]  ? __isolate_free_page+0x2a0/0x2a0
      [  548.623370]  ? mount_fs+0x60/0x1a0
      [  548.623374]  ? vfs_kern_mount+0x6b/0x1a0
      [  548.623378]  ? do_mount+0x34a/0x18c0
      [  548.623383]  ? ksys_mount+0x83/0xd0
      [  548.623387]  ? __x64_sys_mount+0x67/0x80
      [  548.623391]  ? do_syscall_64+0x78/0x170
      [  548.623396]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623401]  __alloc_pages_nodemask+0x3c5/0x400
      [  548.623407]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  548.623412]  ? __mutex_lock_slowpath+0x20/0x20
      [  548.623417]  ? kvmalloc_node+0x31/0x80
      [  548.623424]  alloc_pages_current+0x75/0x110
      [  548.623436]  kmalloc_order+0x24/0x60
      [  548.623442]  kmalloc_order_trace+0x24/0xb0
      [  548.623448]  __kmalloc_track_caller+0x207/0x220
      [  548.623455]  ? f2fs_build_node_manager+0x399/0xbb0
      [  548.623460]  kmemdup+0x20/0x50
      [  548.623465]  f2fs_build_node_manager+0x399/0xbb0
      [  548.623470]  f2fs_fill_super+0x195e/0x2b40
      [  548.623477]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623481]  ? set_blocksize+0x90/0x140
      [  548.623486]  mount_bdev+0x1c5/0x210
      [  548.623489]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623495]  f2fs_mount+0x15/0x20
      [  548.623498]  mount_fs+0x60/0x1a0
      [  548.623503]  ? alloc_vfsmnt+0x309/0x360
      [  548.623508]  vfs_kern_mount+0x6b/0x1a0
      [  548.623513]  do_mount+0x34a/0x18c0
      [  548.623518]  ? lockref_put_or_lock+0xcf/0x160
      [  548.623523]  ? copy_mount_string+0x20/0x20
      [  548.623528]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.623533]  ? kasan_check_write+0x14/0x20
      [  548.623537]  ? _copy_from_user+0x6a/0x90
      [  548.623542]  ? memdup_user+0x42/0x60
      [  548.623547]  ksys_mount+0x83/0xd0
      [  548.623552]  __x64_sys_mount+0x67/0x80
      [  548.623557]  do_syscall_64+0x78/0x170
      [  548.623562]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623566] RIP: 0033:0x7f76fc331b9a
      [  548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      [  548.623650] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
      [  548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
      
      	sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
      
      Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
      
      Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
      Reported-by: 's avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d65ffb3
    • Zumeng Chen's avatar
      mfd: ti_am335x_tscadc: Fix struct clk memory leak · ea080140
      Zumeng Chen authored
      [ Upstream commit c2b1509c77a99a0dcea0a9051ca743cb88385f50 ]
      
      Use devm_elk_get() to let Linux manage struct clk memory to avoid the following
      memory leakage report:
      
      unreferenced object 0xdd75efc0 (size 64):
        comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s)
        hex dump (first 32 bytes):
          61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00  adc_tsc_fck.....
          00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<c0a15260>] kmemleak_alloc+0x40/0x74
          [<c0287a10>] __kmalloc_track_caller+0x198/0x388
          [<c0255610>] kstrdup+0x40/0x5c
          [<c025565c>] kstrdup_const+0x30/0x3c
          [<c0636630>] __clk_create_clk+0x60/0xac
          [<c0630918>] clk_get_sys+0x74/0x144
          [<c0630cdc>] clk_get+0x5c/0x68
          [<bf0ac540>] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc]
          [<c06f3c0c>] platform_drv_probe+0x60/0xac
          [<c06f1abc>] driver_probe_device+0x214/0x2dc
          [<c06f1c18>] __driver_attach+0x94/0xc0
          [<c06efe2c>] bus_for_each_dev+0x90/0xa0
          [<c06f1470>] driver_attach+0x28/0x30
          [<c06f1030>] bus_add_driver+0x184/0x1ec
          [<c06f2b74>] driver_register+0xb0/0xf0
          [<c06f3b4c>] __platform_driver_register+0x40/0x54
      Signed-off-by: 's avatarZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: 's avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea080140
    • Geert Uytterhoeven's avatar
      iommu/ipmmu-vmsa: Fix allocation in atomic context · ff418359
      Geert Uytterhoeven authored
      [ Upstream commit 46583e8c48c5a094ba28060615b3a7c8c576690f ]
      
      When attaching a device to an IOMMU group with
      CONFIG_DEBUG_ATOMIC_SLEEP=y:
      
          BUG: sleeping function called from invalid context at mm/slab.h:421
          in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1
          ...
          Call trace:
           ...
           arm_lpae_alloc_pgtable+0x114/0x184
           arm_64_lpae_alloc_pgtable_s1+0x2c/0x128
           arm_32_lpae_alloc_pgtable_s1+0x40/0x6c
           alloc_io_pgtable_ops+0x60/0x88
           ipmmu_attach_device+0x140/0x334
      
      ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable()
      allocates memory using GFP_KERNEL.  Originally, the ipmmu-vmsa driver
      had its own custom page table allocation implementation using
      GFP_ATOMIC, hence the spinlock was fine.
      
      Fix this by replacing the spinlock by a mutex, like the arm-smmu driver
      does.
      
      Fixes: f20ed39f ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator")
      Signed-off-by: 's avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: Laurent Pinchart's avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: 's avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff418359
    • Andrey Smirnov's avatar
      mfd: rave-sp: Initialize flow control and parity of the port · 3ca5bae4
      Andrey Smirnov authored
      [ Upstream commit 6c450bdf13ebe110821a74960936cec936edae49 ]
      
      Relying on serial port defaults for flow control and parity can result
      in complete breakdown of communication with RAVE SP on some platforms
      where defaults are not what we need them to be. One such case is
      VF610-base ZII SPU3 board (not supported upstream). To avoid this
      problem in the future, add code to explicitly configure both.
      Signed-off-by: 's avatarAndrey Smirnov <andrew.smirnov@gmail.com>
      Signed-off-by: 's avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ca5bae4
    • Chao Yu's avatar
      f2fs: fix to do sanity check with secs_per_zone · 0342426f
      Chao Yu authored
      [ Upstream commit 42bf546c1fe3f3654bdf914e977acbc2b80a5be5 ]
      
      As Wen Xu reported in below link:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200183
      
      - Overview
      Divide zero in reset_curseg() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  588.281510] divide error: 0000 [#1] SMP KASAN PTI
      [  588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.306822] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.308456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      [  588.311085] Call Trace:
      [  588.311637]  f2fs_build_segment_manager+0x103f/0x3410
      [  588.316136]  ? f2fs_commit_super+0x1b0/0x1b0
      [  588.317031]  ? set_blocksize+0x90/0x140
      [  588.319473]  f2fs_mount+0x15/0x20
      [  588.320166]  mount_fs+0x60/0x1a0
      [  588.320847]  ? alloc_vfsmnt+0x309/0x360
      [  588.321647]  vfs_kern_mount+0x6b/0x1a0
      [  588.322432]  do_mount+0x34a/0x18c0
      [  588.323175]  ? strndup_user+0x46/0x70
      [  588.323937]  ? copy_mount_string+0x20/0x20
      [  588.324793]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  588.325702]  ? kasan_check_write+0x14/0x20
      [  588.326562]  ? _copy_from_user+0x6a/0x90
      [  588.327375]  ? memdup_user+0x42/0x60
      [  588.328118]  ksys_mount+0x83/0xd0
      [  588.328808]  __x64_sys_mount+0x67/0x80
      [  588.329607]  do_syscall_64+0x78/0x170
      [  588.330400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  588.331461] RIP: 0033:0x7fad848e8b9a
      [  588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
      [  588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
      [  588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
      [  588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
      [  588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
      [  588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
      [  588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.370057] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.372099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
              curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
      
      If secs_per_zone is corrupted due to fuzzing test, it will cause divide
      zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
      sanity check with secs_per_zone during mount to avoid this issue.
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0342426f
    • Jaegeuk Kim's avatar
      f2fs: avoid potential deadlock in f2fs_sbi_store · ee0b97e1
      Jaegeuk Kim authored
      [ Upstream commit a1933c09ef84c2fd187e05b560ddc6e1267d6508 ]
      
      [  155.018460] ======================================================
      [  155.021431] WARNING: possible circular locking dependency detected
      [  155.024339] 4.18.0-rc3+ #5 Tainted: G           OE
      [  155.026879] ------------------------------------------------------
      [  155.029783] umount/2901 is trying to acquire lock:
      [  155.032187] 00000000c4282f1f (kn->count#130){++++}, at: kernfs_remove+0x1f/0x30
      [  155.035439]
      [  155.035439] but task is already holding lock:
      [  155.038892] 0000000056e4307b (&type->s_umount_key#41){++++}, at: deactivate_super+0x33/0x50
      [  155.042602]
      [  155.042602] which lock already depends on the new lock.
      [  155.042602]
      [  155.047465]
      [  155.047465] the existing dependency chain (in reverse order) is:
      [  155.051354]
      [  155.051354] -> #1 (&type->s_umount_key#41){++++}:
      [  155.054768]        f2fs_sbi_store+0x61/0x460 [f2fs]
      [  155.057083]        kernfs_fop_write+0x113/0x1a0
      [  155.059277]        __vfs_write+0x36/0x180
      [  155.061250]        vfs_write+0xbe/0x1b0
      [  155.063179]        ksys_write+0x55/0xc0
      [  155.065068]        do_syscall_64+0x60/0x1b0
      [  155.067071]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  155.069529]
      [  155.069529] -> #0 (kn->count#130){++++}:
      [  155.072421]        __kernfs_remove+0x26f/0x2e0
      [  155.074452]        kernfs_remove+0x1f/0x30
      [  155.076342]        kobject_del.part.5+0xe/0x40
      [  155.078354]        f2fs_put_super+0x12d/0x290 [f2fs]
      [  155.080500]        generic_shutdown_super+0x6c/0x110
      [  155.082655]        kill_block_super+0x21/0x50
      [  155.084634]        kill_f2fs_super+0x9c/0xc0 [f2fs]
      [  155.086726]        deactivate_locked_super+0x3f/0x70
      [  155.088826]        cleanup_mnt+0x3b/0x70
      [  155.090584]        task_work_run+0x93/0xc0
      [  155.092367]        exit_to_usermode_loop+0xf0/0x100
      [  155.094466]        do_syscall_64+0x162/0x1b0
      [  155.096312]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  155.098603]
      [  155.098603] other info that might help us debug this:
      [  155.098603]
      [  155.102418]  Possible unsafe locking scenario:
      [  155.102418]
      [  155.105134]        CPU0                    CPU1
      [  155.107037]        ----                    ----
      [  155.108910]   lock(&type->s_umount_key#41);
      [  155.110674]                                lock(kn->count#130);
      [  155.113010]                                lock(&type->s_umount_key#41);
      [  155.115608]   lock(kn->count#130);
      Reviewed-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee0b97e1
    • Brad Love's avatar
      media: em28xx: Fix DualHD disconnect oops · d92dadb8
      Brad Love authored
      [ Upstream commit 20cdcaf903298d54b834daedf65a2ddef70cae0a ]
      
      During the duplication of em28xx state for the second tuner pair
      a pointer to alt_max_pkt_size_isoc is copied. During tear down
      the second tuner is destroyed first and kfrees alt_max_pkt_size_isoc,
      then the first tuner is destroyed and kfrees it again. The property
      should only be kfree'd if the tuner is PRIMARY_TS.
      
      [  354.888560] ------------[ cut here ]------------
      [  354.888562] kernel BUG at mm/slub.c:296!
      [  354.888574] invalid opcode: 0000 [#1] SMP NOPTI
      [  354.888869] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc1+ #20
      [  354.889140] Hardware name: MSI MS-7A39/B350M GAMING PRO (MS-7A39), BIOS 2.G0 04/27/2018
      [  354.889408] Workqueue: usb_hub_wq hub_event
      [  354.889679] RIP: 0010:__slab_free+0x217/0x370
      [  354.889942] Code: bb c0 e8 07 41 38 c7 72 39 48 83 c4 70 5b 41 5a 41 5c 41 5d 41 5e 41 5f 5d 49 8d 62 f8 c3 f3 90 49 8b 04 24 a8 01 75 f6 eb 82 <0f> 0b 44 89 45 80 48 89 4d 88 e8 aa fa ff ff 85 c0 74 cc e9 b7 fe
      [  354.890598] RSP: 0018:ffffb84c41a4fad0 EFLAGS: 00010246
      [  354.890934] RAX: ffff948646e85150 RBX: ffff948646e85150 RCX: ffff948646e85150
      [  354.891280] RDX: 00000000820001d9 RSI: fffffa8fd01ba140 RDI: ffff94865e807c00
      [  354.891649] RBP: ffffb84c41a4fb70 R08: 0000000000000001 R09: ffffffffc059ce21
      [  354.892025] R10: ffff948646e85150 R11: 0000000000000001 R12: fffffa8fd01ba140
      [  354.892403] R13: ffff948646e85150 R14: ffff94865e807c00 R15: ffff94864c92e0a0
      [  354.892780] FS:  0000000000000000(0000) GS:ffff94865ec40000(0000) knlGS:0000000000000000
      [  354.893150] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  354.893530] CR2: 00007f4e476da950 CR3: 000000040112c000 CR4: 00000000003406e0
      [  354.893917] Call Trace:
      [  354.894315]  ? __dev_printk+0x3c/0x80
      [  354.894695]  ? _dev_info+0x64/0x80
      [  354.895082]  ? em28xx_free_device+0x41/0x50 [em28xx]
      [  354.895464]  kfree+0x17a/0x190
      [  354.895852]  ? kfree+0x17a/0x190
      [  354.896310]  em28xx_free_device+0x41/0x50 [em28xx]
      [  354.896698]  em28xx_usb_disconnect+0xfa/0x110 [em28xx]
      [  354.897083]  usb_unbind_interface+0x7a/0x270
      [  354.897475]  device_release_driver_internal+0x17c/0x250
      [  354.897864]  device_release_driver+0x12/0x20
      [  354.898252]  bus_remove_device+0xec/0x160
      [  354.898639]  device_del+0x13d/0x320
      [  354.899018]  ? usb_remove_ep_devs+0x1f/0x30
      [  354.899392]  usb_disable_device+0x9e/0x270
      [  354.899772]  usb_disconnect+0x92/0x2a0
      [  354.900149]  hub_event+0x98e/0x1650
      [  354.900519]  ? sched_clock_cpu+0x11/0xa0
      [  354.900890]  process_one_work+0x167/0x3f0
      [  354.901251]  worker_thread+0x4d/0x460
      [  354.901610]  kthread+0x105/0x140
      [  354.901964]  ? rescuer_thread+0x360/0x360
      [  354.902318]  ? kthread_associate_blkcg+0xa0/0xa0
      [  354.902672]  ret_from_fork+0x22/0x40
      [  354.903024] Modules linked in: rc_hauppauge em28xx_rc rc_core si2157 lgdt3306a i2c_mux em28xx_dvb dvb_core videobuf2_vmalloc videobuf2_memops videobuf2_common snd_hda_codec_hdmi nls_iso8859_1 edac_mce_amd kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi aesni_intel snd_seq_midi_event aes_x86_64 snd_rawmidi crypto_simd em28xx cryptd glue_helper asix tveeprom usbnet snd_seq v4l2_common mii videodev snd_seq_device media input_leds snd_timer joydev ccp k10temp wmi_bmof snd soundcore mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables vfio_pci vfio_virqfd irqbypass vfio_iommu_type1 vfio nouveau mxm_wmi video i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_piix4 drm ahci libahci
      [  354.905129]  wmi gpio_amdpt gpio_generic hid_generic usbhid hid
      [  354.908140] ---[ end trace c230d02716298c34 ]---
      [  354.908145] RIP: 0010:__slab_free+0x217/0x370
      [  354.908147] Code: bb c0 e8 07 41 38 c7 72 39 48 83 c4 70 5b 41 5a 41 5c 41 5d 41 5e 41 5f 5d 49 8d 62 f8 c3 f3 90 49 8b 04 24 a8 01 75 f6 eb 82 <0f> 0b 44 89 45 80 48 89 4d 88 e8 aa fa ff ff 85 c0 74 cc e9 b7 fe
      [  354.908183] RSP: 0018:ffffb84c41a4fad0 EFLAGS: 00010246
      [  354.908186] RAX: ffff948646e85150 RBX: ffff948646e85150 RCX: ffff948646e85150
      [  354.908189] RDX: 00000000820001d9 RSI: fffffa8fd01ba140 RDI: ffff94865e807c00
      [  354.908191] RBP: ffffb84c41a4fb70 R08: 0000000000000001 R09: ffffffffc059ce21
      [  354.908193] R10: ffff948646e85150 R11: 0000000000000001 R12: fffffa8fd01ba140
      [  354.908195] R13: ffff948646e85150 R14: ffff94865e807c00 R15: ffff94864c92e0a0
      [  354.908198] FS:  0000000000000000(0000) GS:ffff94865ec40000(0000) knlGS:0000000000000000
      [  354.908201] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  354.908203] CR2: 00007f4e476da950 CR3: 000000016b20a000 CR4: 00000000003406e0
      Signed-off-by: 's avatarBrad Love <brad@nextdimension.cc>
      Signed-off-by: 's avatarMichael Ira Krufky <mkrufky@gmail.com>
      Signed-off-by: 's avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d92dadb8
    • Dan Carpenter's avatar
      f2fs: Fix uninitialized return in f2fs_ioc_shutdown() · aba03a8b
      Dan Carpenter authored
      [ Upstream commit 2a96d8ad94ce57cb0072f7a660b1039720c47716 ]
      
      "ret" can be uninitialized on the success path when "in ==
      F2FS_GOING_DOWN_FULLSYNC".
      
      Fixes: 60b2b4ee ("f2fs: Fix deadlock in shutdown ioctl")
      Signed-off-by: 's avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aba03a8b
    • Chao Yu's avatar
      f2fs: fix to wait on page writeback before updating page · eade994b
      Chao Yu authored
      [ Upstream commit 6aead1617b3adf2b7e2c56f0f13e4e0ee42ebb4a ]
      
      In error path of f2fs_move_rehashed_dirents, inode page could be writeback
      state, so we should wait on inode page writeback before updating it.
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eade994b
    • Will Deacon's avatar
      iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in kdump kernel · f9ce9240
      Will Deacon authored
      [ Upstream commit b63b3439b85609338e4faabd5d2588dbda137e5c ]
      
      If we find that the SMMU is enabled during probe, we reset it by
      re-initialising its registers and either enabling translation or placing
      it into bypass based on the disable_bypass commandline option.
      
      In the case of a kdump kernel, the SMMU won't have been shutdown cleanly
      by the previous kernel and there may be concurrent DMA through the SMMU.
      Rather than reset the SMMU to bypass, which would likely lead to rampant
      data corruption, we can instead configure the SMMU to abort all incoming
      transactions when we find that it is enabled from within a kdump kernel.
      Reported-by: 's avatarSameer Goel <sgoel@codeaurora.org>
      Signed-off-by: 's avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9ce9240
    • Brad Love's avatar
      media: em28xx: Fix dual transport stream operation · 1b210d52
      Brad Love authored
      [ Upstream commit a7853c257a3ea0907467a1750ff45de4d9ba1915 ]
      
      Addresses the following, which introduced a regression itself:
      
      Commit 509f8965 ("media: em28xx: fix a regression with HVR-950")
      
      The regression fix breaks dual transport stream support. Currently,
      when a tuner starts streaming it sets alt mode on the USB interface.
      The problem is, in a dual tuner model, both tuners share the same
      USB interface, so when the second tuner becomes active and sets alt
      mode on the interface it kills streaming on the other port.
      
      This patch addresses the regression by only setting alt mode
      on the USB interface during em28xx_start_streaming, if the
      device is not a dual tuner model. This allows all older and
      single tuner devices to explicitly set alt mode during stream
      startup. Testers report both isoc and bulk DualHD models work
      correctly with the alt mode set only once, in em28xx_dvb_init.
      
      Fixes: 509f8965 ("media: em28xx: fix a regression with HVR-950")
      Signed-off-by: 's avatarBrad Love <brad@nextdimension.cc>
      Signed-off-by: 's avatarMichael Ira Krufky <mkrufky@gmail.com>
      Signed-off-by: 's avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b210d52
    • Anthony Koo's avatar
      drm/amd/display: Prevent PSR from being enabled if initialization fails · 088ce054
      Anthony Koo authored
      [ Upstream commit 9907704174e0ad4ed02766fac4049971e583323d ]
      
      [Why]
      PSR_SET command is sent to the microcontroller in order to initialize
      parameters needed for PSR feature, such as telling the microcontroller
      which pipe is driving the PSR supported panel. When this command is
      skipped or fails, the microcontroller may program the wrong thing if
      driver tries to enable PSR.
      
      [How]
      If PSR_SET fails, do not set psr_enable flag to indicate the feature is
      not yet initialized.
      Signed-off-by: 's avatarAnthony Koo <Anthony.Koo@amd.com>
      Reviewed-by: 's avatarAric Cyr <Aric.Cyr@amd.com>
      Acked-by: 's avatarBhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
      Signed-off-by: 's avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      088ce054
    • Katsuhiro Suzuki's avatar
      media: helene: fix xtal frequency setting at power on · fdc340f5
      Katsuhiro Suzuki authored
      [ Upstream commit a00e5f074b3f3cd39d1ccdc53d4d805b014df3f3 ]
      
      This patch fixes crystal frequency setting when power on this device.
      Signed-off-by: 's avatarKatsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
      Acked-by: 's avatarAbylay Ospan <aospan@netup.ru>
      Signed-off-by: 's avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdc340f5
    • Niklas Söderlund's avatar
      media: rcar-csi2: update stream start for V3M · 18f4b79e
      Niklas Söderlund authored
      [ Upstream commit 4070fc9ade52f7d0ad1397fe74f564ae95e68a4f ]
      
      Latest errata document updates the start procedure for V3M. This change
      in addition to adhering to the datasheet update fixes capture on early
      revisions of V3M.
      Signed-off-by: 's avatarNiklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
      Reviewed-by: Laurent Pinchart's avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: 's avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: 's avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18f4b79e
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: fix usage of uninitialized lv_info and lvname structures · e681be23
      Mauricio Faria de Oliveira authored
      [ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ]
      
      The if-block that sets a successful return value in aix_partition()
      uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.
      
      For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
      initialized, but are used anyway if alloc_pvd() succeeds after it.
      
      So, make the alloc_pvd() call conditional on their initialization.
      
      This has been hit when attaching an apparently corrupted/stressed
      AIX LUN, misleading the kernel to pr_warn() invalid data and hang.
      
          [...] partition (null) (11 pp's found) is not contiguous
          [...] partition (null) (2 pp's found) is not contiguous
          [...] partition (null) (3 pp's found) is not contiguous
          [...] partition (null) (64 pp's found) is not contiguous
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Signed-off-by: 's avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: 's avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e681be23
    • Mauricio Faria de Oliveira's avatar
      partitions/aix: append null character to print data from disk · 06a557d1
      Mauricio Faria de Oliveira authored
      [ Upstream commit d43fdae7bac2def8c4314b5a49822cb7f08a45f1 ]
      
      Even if properly initialized, the lvname array (i.e., strings)
      is read from disk, and might contain corrupt data (e.g., lack
      the null terminating character for strings).
      
      So, make sure the partition name string used in pr_warn() has
      the null terminating character.
      
      Fixes: 6ceea22b ("partitions: add aix lvm partition support files")
      Suggested-by: 's avatarDaniel J. Axtens <daniel.axtens@canonical.com>
      Signed-off-by: 's avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Signed-off-by: 's avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06a557d1
    • Sylwester Nawrocki's avatar
      media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions · c57525ab
      Sylwester Nawrocki authored
      [ Upstream commit 4faeaf9c0f4581667ce5826f9c90c4fd463ef086 ]
      
      Look up of buffers in s5p_mfc_handle_frame_new, s5p_mfc_handle_frame_copy_time
      functions is not working properly for DMA addresses above 2 GiB. As a result
      flags and timestamp of returned buffers are not set correctly and it breaks
      operation of GStreamer/OMX plugins which rely on the CAPTURE buffer queue
      flags.
      
      Due to improper return type of the get_dec_y_adr, get_dspl_y_adr callbacks
      and sign bit extension these callbacks return incorrect address values,
      e.g. 0xfffffffffefc0000 instead of 0x00000000fefc0000. Then the statement:
      
      "if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) == dec_y_addr)"
      
      is always false, which breaks looking up capture queue buffers.
      
      To ensure proper matching by address u32 type is used for the DMA
      addresses. This should work on all related SoCs, since the MFC DMA
      address width is not larger than 32-bit.
      
      Changes done in this patch are minimal as there is a larger patch series
      pending refactoring the whole driver.
      Signed-off-by: 's avatarSylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: 's avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c57525ab
    • Nick Dyer's avatar
      Input: atmel_mxt_ts - only use first T9 instance · 3f659244
      Nick Dyer authored
      [ Upstream commit 36f5d9ef26e52edff046b4b097855db89bf0cd4a ]
      
      The driver only registers one input device, which uses the screen
      parameters from the first T9 instance. The first T63 instance also uses
      those parameters.
      
      It is incorrect to send input reports from the second instances of these
      objects if they are enabled: the input scaling will be wrong and the
      positions will be mashed together.
      
      This also causes problems on Android if the number of slots exceeds 32.
      
      In the future, this could be handled by looking for enabled touch object
      instances and creating an input device for each one.
      Signed-off-by: 's avatarNick Dyer <nick.dyer@itdev.co.uk>
      Acked-by: 's avatarBenson Leung <bleung@chromium.org>
      Acked-by: 's avatarYufeng Shen <miletus@chromium.org>
      Signed-off-by: 's avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f659244
    • John Pittman's avatar
      dm cache: only allow a single io_mode cache feature to be requested · 5864b9e0
      John Pittman authored
      [ Upstream commit af9313c32c0fa2a0ac3b113669273833d60cc9de ]
      
      More than one io_mode feature can be requested when creating a dm cache
      device (as is: last one wins).  The io_mode selections are incompatible
      with one another, we should force them to be selected exclusively.  Add
      a counter to check for more than one io_mode selection.
      
      Fixes: 629d0a8a ("dm cache metadata: add "metadata2" feature")
      Signed-off-by: 's avatarJohn Pittman <jpittman@redhat.com>
      Signed-off-by: 's avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5864b9e0
    • Petr Machata's avatar
      net: dcb: For wild-card lookups, use priority -1, not 0 · 24983c81
      Petr Machata authored
      [ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ]
      
      The function dcb_app_lookup walks the list of specified DCB APP entries,
      looking for one that matches a given criteria: ifindex, selector,
      protocol ID and optionally also priority. The "don't care" value for
      priority is set to 0, because that priority has not been allowed under
      CEE regime, which predates the IEEE standardization.
      
      Under IEEE, 0 is a valid priority number. But because dcb_app_lookup
      considers zero a wild card, attempts to add an APP entry with priority 0
      fail when other entries exist for a given ifindex / selector / PID
      triplet.
      
      Fix by changing the wild-card value to -1.
      Signed-off-by: 's avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: 's avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24983c81
    • Marc Zyngier's avatar
      thermal_hwmon: Sanitize attribute name passed to hwmon · e6681395
      Marc Zyngier authored
      [ Upstream commit 409ef0bacacf72c51cc876349ae3fdf7cf726d47 ]
      
      My Chromebook Plus (kevin) is spitting the following at boot time:
      
      (NULL device *): hwmon: 'sbs-9-000b' is not a valid name attribute, please fix
      
      Clearly, __hwmon_device_register is unhappy about the property name.
      Some investigation reveals that thermal_add_hwmon_sysfs doesn't
      sanitize the name of the attribute.
      
      In order to keep it quiet, let's replace '-' with '_' in hwmon->type
      This is consistent with what iio-hwmon does since b92fe9e3.
      Signed-off-by: 's avatarMarc Zyngier <marc.zyngier@arm.com>
      Tested-by: 's avatarEnric Balletbo i Serra <enric.balletbo@collabora.com>
      Signed-off-by: 's avatarEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e6681395
    • Simon Horman's avatar
      thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources · 8cc36414
      Simon Horman authored
      [ Upstream commit 542cdf4068049458e1411b120bd5a4bbe3ddc49a ]
      
      Ensure that the base address used by a call to rcar_thermal_common_write()
      may be NULL if the SOC supports interrupts for use with the thermal device
      but none are defined in DT as is the case for R-Car H1 (r8a7779). Guard
      against this condition to prevent a NULL dereference when the device is
      probed.
      
      Tested on:
      * R-Mobile APE6 (r8a73a4) / APE6EVM
      * R-Car H1 (r8a7779) / Marzen
      * R-Car H2 (r8a7790) / Lager
      * R-Car M2-W (r8a7791) / Koelsch
      * R-Car M2-N (r8a7793) / Gose
      * R-Car D3 ES1.0 (r8a77995) / Draak
      
      Fixes: 1969d9dc ("thermal: rcar_thermal: add r8a77995 support")
      Signed-off-by: 's avatarSimon Horman <horms+renesas@verge.net.au>
      Reviewed-by: 's avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: 's avatarEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8cc36414
    • Nicholas Mc Guire's avatar
      MIPS: generic: fix missing of_node_put() · 273234f2
      Nicholas Mc Guire authored
      [ Upstream commit 28ec2238f37e72a3a40a7eb46893e7651bcc40a6 ]
      
      of_find_compatible_node() returns a device_node pointer with refcount
      incremented and must be decremented explicitly.
       As this code is using the result only to check presence of the interrupt
      controller (!NULL) but not actually using the result otherwise the
      refcount can be decremented here immediately again.
      Signed-off-by: 's avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19820/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      273234f2
    • Nicholas Mc Guire's avatar
      MIPS: Octeon: add missing of_node_put() · 9449bd8f
      Nicholas Mc Guire authored
      [ Upstream commit b1259519e618d479ede8a0db5474b3aff99f5056 ]
      
      The call to of_find_node_by_name returns a node pointer with refcount
      incremented thus it must be explicitly decremented here after the last
      usage.
      Signed-off-by: 's avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/19558/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9449bd8f
    • Chao Yu's avatar
      f2fs: fix to do sanity check with reserved blkaddr of inline inode · 235fd393
      Chao Yu authored
      [ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ]
      
      As Wen Xu reported in bugzilla, after image was injected with random data
      by fuzzing, inline inode would contain invalid reserved blkaddr, then
      during inline conversion, we will encounter illegal memory accessing
      reported by KASAN, the root cause of this is when writing out converted
      inline page, we will use invalid reserved blkaddr to update sit bitmap,
      result in accessing memory beyond sit bitmap boundary.
      
      In order to fix this issue, let's do sanity check with reserved block
      address of inline inode to avoid above condition.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200179
      
      [ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
      [ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
      
      [ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
      [ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 1428.846860] Call Trace:
      [ 1428.846868]  dump_stack+0x71/0xab
      [ 1428.846875]  print_address_description+0x6b/0x290
      [ 1428.846881]  kasan_report+0x28e/0x390
      [ 1428.846888]  ? update_sit_entry+0x80/0x7f0
      [ 1428.846898]  update_sit_entry+0x80/0x7f0
      [ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
      [ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
      [ 1428.846920]  do_write_page+0xc8/0x150
      [ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
      [ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
      [ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
      [ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
      [ 1428.846951]  ? inc_zone_page_state+0x54/0x100
      [ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
      [ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
      [ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
      [ 1428.846978]  ? __get_node_page+0x335/0x6b0
      [ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
      [ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
      [ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
      [ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
      [ 1428.847024]  f2fs_file_mmap+0x79/0xc0
      [ 1428.847029]  mmap_region+0x58b/0x880
      [ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
      [ 1428.847042]  do_mmap+0x55b/0x7a0
      [ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
      [ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
      [ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
      [ 1428.847068]  ? do_sys_open+0x206/0x2a0
      [ 1428.847073]  ? __fget+0xb4/0x100
      [ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
      [ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
      [ 1428.847091]  do_syscall_64+0x73/0x160
      [ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 1428.847102] RIP: 0033:0x7fb1430766ba
      [ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
      [ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
      [ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
      [ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
      [ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
      [ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
      [ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
      
      [ 1428.847252] Allocated by task 2683:
      [ 1428.847372]  kasan_kmalloc+0xa6/0xd0
      [ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
      [ 1428.847385]  getname_flags+0x73/0x2b0
      [ 1428.847390]  user_path_at_empty+0x1d/0x40
      [ 1428.847395]  vfs_statx+0xc1/0x150
      [ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
      [ 1428.847405]  do_syscall_64+0x73/0x160
      [ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 1428.847466] Freed by task 2683:
      [ 1428.847566]  __kasan_slab_free+0x137/0x190
      [ 1428.847571]  kmem_cache_free+0x85/0x1e0
      [ 1428.847575]  filename_lookup+0x191/0x280
      [ 1428.847580]  vfs_statx+0xc1/0x150
      [ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
      [ 1428.847590]  do_syscall_64+0x73/0x160
      [ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 1428.847648] The buggy address belongs to the object at ffff880194483300
                      which belongs to the cache names_cache of size 4096
      [ 1428.847946] The buggy address is located 576 bytes inside of
                      4096-byte region [ffff880194483300, ffff880194484300)
      [ 1428.848234] The buggy address belongs to the page:
      [ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
      [ 1428.848606] flags: 0x17fff8000008100(slab|head)
      [ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
      [ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
      [ 1428.849122] page dumped because: kasan: bad access detected
      
      [ 1428.849305] Memory state around the buggy address:
      [ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849985]                                            ^
      [ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.850498] ==================================================================
      Reported-by: 's avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: 's avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: 's avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      235fd393
    • Peter Rosin's avatar
      tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) · d44e0ddb
      Peter Rosin authored
      [ Upstream commit bb853aac2c478ce78116128263801189408ad2a8 ]
      
      Locking the root adapter for __i2c_transfer will deadlock if the
      device sits behind a mux-locked I2C mux. Switch to the finer-grained
      i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not
      sit behind a mux-locked mux, the two locking variants are equivalent.
      Signed-off-by: Peter Rosin's avatarPeter Rosin <peda@axentia.se>
      Reviewed-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: 's avatarAlexander Steffen <Alexander.Steffen@infineon.com>
      Signed-off-by: 's avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d44e0ddb
    • Linus Walleij's avatar
      tpm_tis_spi: Pass the SPI IRQ down to the driver · d229e7ec
      Linus Walleij authored
      [ Upstream commit 1a339b658d9dbe1471f67b78237cf8fa08bbbeb5 ]
      
      An SPI TPM device managed directly on an embedded board using
      the SPI bus and some GPIO or similar line as IRQ handler will
      pass the IRQn from the TPM device associated with the SPI
      device. This is already handled by the SPI core, so make sure
      to pass this down to the core as well.
      
      (The TPM core habit of using -1 to signal no IRQ is dubious
      (as IRQ 0 is NO_IRQ) but I do not want to mess with that
      semantic in this patch.)
      
      Cc: Mark Brown <broonie@kernel.org>
      Signed-off-by: 's avatarLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d229e7ec