1. 06 Sep, 2018 2 commits
  2. 05 Sep, 2018 38 commits
    • Oleksandr Natalenko's avatar
      55967333
    • Benjamin Tissoires's avatar
      HID: core: fix grouping by application · ea8f58d7
      Benjamin Tissoires authored
      commit f07b3c1d ("HID: generic: create one input report per
      application type") was effectively the same as MULTI_INPUT:
      hidinput->report was never set, so hidinput_match_application()
      always returned null.
      
      Fix that by testing against the real application.
      
      Note that this breaks some old eGalax touchscreens that expect MULTI_INPUT
      instead of HID_QUIRK_INPUT_PER_APP. Enable this quirk for backward
      compatibility on all non-Win8 touchscreens.
      
      link: https://bugzilla.kernel.org/show_bug.cgi?id=200847
      link: https://bugzilla.kernel.org/show_bug.cgi?id=200849
      link: https://bugs.archlinux.org/task/59699
      link: https://github.com/NixOS/nixpkgs/issues/45165
      
      Cc: stable@vger.kernel.org # v4.18+
      Signed-off-by: 's avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: 's avatarJiri Kosina <jkosina@suse.cz>
      ea8f58d7
    • Fredrik Schön's avatar
      drm/i915: Increase LSPCON timeout · f6d081e8
      Fredrik Schön authored
      100 ms is not enough time for the LSPCON adapter on Intel NUC devices to
      settle. This causes dropped display modes at boot or screen reconfiguration.
      Empirical testing can reproduce the error up to a timeout of 190 ms. Basic
      boot and stress testing at 200 ms has not (yet) failed.
      
      Increase timeout to 400 ms to get some margin of error.
      
      Changes from v1:
      The initial suggestion of 1000 ms was lowered due to concerns about delaying
      valid timeout cases.
      Update patch metadata.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107503
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1570392
      Fixes: 357c0ae9 ("drm/i915/lspcon: Wait for expected LSPCON mode to settle")
      Cc: Shashank Sharma <shashank.sharma@intel.com>
      Cc: Imre Deak <imre.deak@intel.com>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Cc: <stable@vger.kernel.org> # v4.11+
      Reviewed-by: 's avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: Fredrik Schön's avatarFredrik Schön <fredrik.schon@gmail.com>
      Reviewed-by: 's avatarShashank Sharma <shashank.sharma@intel.com>
      f6d081e8
    • Oleksandr Natalenko's avatar
      Revert "Increase timeout in lspcon_wait_mode" · 0a221347
      Oleksandr Natalenko authored
      This reverts commit e08310f7.
      0a221347
    • Oleksandr Natalenko's avatar
      fix merge conflict · 1b837099
      Oleksandr Natalenko authored
      1b837099
    • Greg Kroah-Hartman's avatar
      Linux 4.18.6 · 3a2c2383
      Greg Kroah-Hartman authored
      3a2c2383
    • Jann Horn's avatar
      x86/dumpstack: Don't dump kernel memory based on usermode RIP · 8e6d1567
      Jann Horn authored
      commit 342db04a upstream.
      
      show_opcodes() is used both for dumping kernel instructions and for dumping
      user instructions. If userspace causes #PF by jumping to a kernel address,
      show_opcodes() can be reached with regs->ip controlled by the user,
      pointing to kernel code. Make sure that userspace can't trick us into
      dumping kernel memory into dmesg.
      
      Fixes: 7cccf072 ("x86/dumpstack: Add a show_ip() function")
      Signed-off-by: 's avatarJann Horn <jannh@google.com>
      Signed-off-by: 's avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: 's avatarKees Cook <keescook@chromium.org>
      Reviewed-by: 's avatarBorislav Petkov <bp@suse.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: security@kernel.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180828154901.112726-1-jannh@google.comSigned-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      8e6d1567
    • Scott Bauer's avatar
      cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status · 6575b150
      Scott Bauer authored
      commit 8f3fafc9 upstream.
      
      Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
      
      There is another cast from unsigned long to int which causes
      a bounds check to fail with specially crafted input. The value is
      then used as an index in the slot array in cdrom_slot_status().
      Signed-off-by: 's avatarScott Bauer <scott.bauer@intel.com>
      Signed-off-by: Scott Bauer's avatarScott Bauer <sbauer@plzdonthack.me>
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6575b150
    • Vincent Whitchurch's avatar
      watchdog: Mark watchdog touch functions as notrace · f9025255
      Vincent Whitchurch authored
      commit cb9d7fd5 upstream.
      
      Some architectures need to use stop_machine() to patch functions for
      ftrace, and the assumption is that the stopped CPUs do not make function
      calls to traceable functions when they are in the stopped state.
      
      Commit ce4f06dc ("stop_machine: Touch_nmi_watchdog() after
      MULTI_STOP_PREPARE") added calls to the watchdog touch functions from
      the stopped CPUs and those functions lack notrace annotations.  This
      leads to crashes when enabling/disabling ftrace on ARM kernels built
      with the Thumb-2 instruction set.
      
      Fix it by adding the necessary notrace annotations.
      
      Fixes: ce4f06dc ("stop_machine: Touch_nmi_watchdog() after MULTI_STOP_PREPARE")
      Signed-off-by: 's avatarVincent Whitchurch <vincent.whitchurch@axis.com>
      Signed-off-by: 's avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: oleg@redhat.com
      Cc: tj@kernel.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180821152507.18313-1-vincent.whitchurch@axis.comSigned-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9025255
    • H. Nikolaus Schaller's avatar
      power: generic-adc-battery: check for duplicate properties copied from iio channels · 0f9bf062
      H. Nikolaus Schaller authored
      commit a427503e upstream.
      
      If an iio channel defines a basic property, there are duplicate entries
      in /sys/class/power/*/uevent.
      
      So add a check to avoid duplicates. Since all channels may be duplicates,
      we have to modify the related error check.
      Signed-off-by: 's avatarH. Nikolaus Schaller <hns@goldelico.com>
      Cc: stable@vger.kernel.org
      Fixes: e60fea79 ("power: battery: Generic battery driver using IIO")
      Signed-off-by: 's avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f9bf062
    • H. Nikolaus Schaller's avatar
      power: generic-adc-battery: fix out-of-bounds write when copying channel properties · 7ffb7b7e
      H. Nikolaus Schaller authored
      commit 932d4744 upstream.
      
      We did have sporadic problems in the pinctrl framework during boot
      where a pin group name unexpectedly became NULL leading to a NULL
      dereference in strcmp.
      
      Detailled analysis of the failing cases did reveal that there were
      two devm allocated objects close to each other. The second one was
      the affected group_desc in pinmux and the first one was the
      psy_desc->properties buffer of the gab driver.
      
      Review of the gab code showed that the address calculation for
      one memcpy() is wrong. It does
      
      	properties + sizeof(type) * index
      
      but C is defined to do the index multiplication already for
      pointer + integer additions. Hence the factor was applied twice
      and the memcpy() does write outside of the properties buffer.
      Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).
      
      Anyways, it is overkill to use a memcpy() here instead of a simple
      assignment, which is easier to read and has less risk for wrong
      address calculations. So we change code to a simple assignment.
      
      If we initialize the index to the first free location, we can even
      remove the local variable 'properties'.
      
      This bug seems to exist right from the beginning in 3.7-rc1 in
      
      commit e60fea79 ("power: battery: Generic battery driver using IIO")
      Signed-off-by: 's avatarH. Nikolaus Schaller <hns@goldelico.com>
      Cc: stable@vger.kernel.org
      Fixes: e60fea79 ("power: battery: Generic battery driver using IIO")
      Signed-off-by: 's avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ffb7b7e
    • Dan Carpenter's avatar
      PM / clk: signedness bug in of_pm_clk_add_clks() · 86b0dd9d
      Dan Carpenter authored
      commit 5e2e2f9f upstream.
      
      "count" needs to be signed for the error handling to work.  I made "i"
      signed as well so they match.
      
      Fixes: 02113ba9 (PM / clk: Add support for obtaining clocks from device-tree)
      Cc: 4.6+ <stable@vger.kernel.org> # 4.6+
      Signed-off-by: 's avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: 's avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86b0dd9d
    • Gustavo A. R. Silva's avatar
      clk: npcm7xx: fix memory allocation · 350192f4
      Gustavo A. R. Silva authored
      commit 450b6b9b upstream.
      
      One of the more common cases of allocation size calculations is finding
      the size of a structure that has a zero-sized array at the end, along
      with memory for some number of elements for that array. For example:
      
      struct foo {
      	int stuff;
              void *entry[];
      };
      
      instance = kzalloc(sizeof(struct foo) + sizeof(void *) * count,
      GFP_KERNEL);
      
      Instead of leaving these open-coded and prone to type mistakes, we can
      now use the new struct_size() helper:
      
      instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL);
      
      Notice that, currently, there is a bug during the allocation:
      
      sizeof(npcm7xx_clk_data) should be sizeof(*npcm7xx_clk_data)
      
      Fix this bug by using struct_size() in kzalloc()
      
      This issue was detected with the help of Coccinelle.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: 's avatarKees Cook <keescook@chromium.org>
      Reviewed-by: 's avatarAvi Fishman <avifishman70@gmail.com>
      Signed-off-by: 's avatarStephen Boyd <sboyd@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      350192f4
    • Alberto Panizzo's avatar
      clk: rockchip: fix clk_i2sout parent selection bits on rk3399 · a8b0c3c7
      Alberto Panizzo authored
      commit a64ad008 upstream.
      
      Register, shift and mask were wrong according to datasheet.
      
      Fixes: 11551005 ("clk: rockchip: add clock controller for the RK3399")
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarAlberto Panizzo <alberto@amarulasolutions.com>
      Signed-off-by: 's avatarAnthony Brandon <anthony@amarulasolutions.com>
      Signed-off-by: 's avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8b0c3c7
    • Abhishek Sahu's avatar
      mtd: rawnand: qcom: wait for desc completion in all BAM channels · f905fc19
      Abhishek Sahu authored
      commit 6f20070d upstream.
      
      The BAM has 3 channels - tx, rx and command. command channel
      is used for register read/writes, tx channel for data writes
      and rx channel for data reads. Currently, the driver assumes the
      transfer completion once it gets all the command descriptors
      completed. Sometimes, there is race condition between data channel
      (tx/rx) and command channel completion. In these cases,
      the data present in buffer is not valid during small window
      between command descriptor completion and data descriptor
      completion.
      
      This patch generates NAND transfer completion when both
      (Data and Command) DMA channels have completed all its DMA
      descriptors. It assigns completion callback in last
      DMA descriptors of that channel and wait for completion.
      
      Fixes: 8d6b6d7e ("mtd: nand: qcom: support for command descriptor formation")
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarAbhishek Sahu <absahu@codeaurora.org>
      Signed-off-by: 's avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f905fc19
    • Daniel Mack's avatar
      mtd: rawnand: marvell: add suspend and resume hooks · 21ab6022
      Daniel Mack authored
      commit bd9c3f9b upstream.
      
      This patch restores the suspend and resume hooks that the old driver used
      to have. Apart from stopping and starting the clocks, the resume callback
      also nullifies the selected_chip pointer, so the next command that is issued
      will re-select the chip and thereby restore the timing registers.
      
      Factor out some code from marvell_nfc_init() into a new function
      marvell_nfc_reset() and also call it at resume time to reset some registers
      that don't retain their contents during low-power mode.
      
      Without this patch, a PXA3xx based system would cough up an error similar to
      the one below after resume.
      
      [   44.660162] marvell-nfc 43100000.nand-controller: Timeout waiting for  RB signal
      [   44.671492] ubi0 error: ubi_io_write: error -110 while writing 2048 bytes to PEB 102:38912, written 0 bytes
      [   44.682887] CPU: 0 PID: 1417 Comm: remote-control Not tainted 4.18.0-rc2+ #344
      [   44.691197] Hardware name: Marvell PXA3xx (Device Tree Support)
      [   44.697111] Backtrace:
      [   44.699593] [<c0106458>] (dump_backtrace) from [<c0106718>] (show_stack+0x18/0x1c)
      [   44.708931]  r7:00000800 r6:00009800 r5:00000066 r4:c6139000
      [   44.715833] [<c0106700>] (show_stack) from [<c0678a60>] (dump_stack+0x20/0x28)
      [   44.724206] [<c0678a40>] (dump_stack) from [<c0456cbc>] (ubi_io_write+0x3d4/0x630)
      [   44.732925] [<c04568e8>] (ubi_io_write) from [<c0454428>] (ubi_eba_write_leb+0x690/0x6fc)
      ...
      
      Fixes: 02f26ecf ("mtd: nand: add reworked Marvell NAND controller driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarDaniel Mack <daniel@zonque.org>
      Signed-off-by: 's avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21ab6022
    • Boris Brezillon's avatar
      mtd: rawnand: fsmc: Stop using chip->read_buf() · f05cb63d
      Boris Brezillon authored
      commit 79e1ca37 upstream.
      
      chip->read_buf is left unassigned since commit 4da712e7 ("mtd: nand:
      fsmc: use ->exec_op()"), leading to a NULL pointer dereference when it's
      called from fsmc_read_page_hwecc(). Fix that by using the appropriate
      helper to read data out of the NAND.
      
      Fixes: 4da712e7 ("mtd: nand: fsmc: use ->exec_op()")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: 's avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f05cb63d
    • Boris Brezillon's avatar
      mtd: rawnand: hynix: Use ->exec_op() in hynix_nand_reg_write_op() · 307b0cf4
      Boris Brezillon authored
      commit 20366e19 upstream.
      
      Modern NAND controller drivers implement ->exec_op() instead of
      ->cmdfunc(), make sure we don't end up with a NULL pointer dereference
      when hynix_nand_reg_write_op() is called.
      
      Fixes: 8878b126 ("mtd: nand: add ->exec_op() implementation")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: 's avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      307b0cf4
    • Mike Christie's avatar
      iscsi target: fix session creation failure handling · d47b35b8
      Mike Christie authored
      commit 26abc916 upstream.
      
      The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
      iscsi_login_set_conn_values. If the function fails later like when we
      alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
      iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
      iscsi_target_login_sess_out and access the freed memory.
      
      This patch has iscsi_login_zero_tsih_s1 either completely setup the
      session or completely tear it down, so later in
      iscsi_target_login_sess_out we can just check for it being set to the
      connection.
      
      Cc: stable@vger.kernel.org
      Fixes: 0957627a ("iscsi-target: Fix sess allocation leak in...")
      Signed-off-by: 's avatarMike Christie <mchristi@redhat.com>
      Acked-by: Martin K. Petersen's avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: 's avatarMatthew Wilcox <willy@infradead.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d47b35b8
    • Bart Van Assche's avatar
      scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock · 9558fc1b
      Bart Van Assche authored
      commit 0ee223b2 upstream.
      
      A long time ago the unfortunate decision was taken to add a self-deletion
      attribute to the sysfs SCSI device directory. That decision was unfortunate
      because self-deletion is really tricky. We can't drop that attribute
      because widely used user space software depends on it, namely the
      rescan-scsi-bus.sh script. Hence this patch that avoids that writing into
      that attribute triggers a deadlock. See also commit 7973cbd9fbd9 ("[PATCH]
      add sysfs attributes to scan and delete scsi_devices").
      
      This patch avoids that self-removal triggers the following deadlock:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.18.0-rc2-dbg+ #5 Not tainted
      ------------------------------------------------------
      modprobe/6539 is trying to acquire lock:
      000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90
      
      but task is already holding lock:
      00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&shost->scan_mutex){+.+.}:
             __mutex_lock+0xfe/0xc70
             mutex_lock_nested+0x1b/0x20
             scsi_remove_device+0x26/0x40 [scsi_mod]
             sdev_store_delete+0x27/0x30 [scsi_mod]
             dev_attr_store+0x3e/0x50
             sysfs_kf_write+0x87/0xa0
             kernfs_fop_write+0x190/0x230
             __vfs_write+0xd2/0x3b0
             vfs_write+0x101/0x270
             ksys_write+0xab/0x120
             __x64_sys_write+0x43/0x50
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      -> #0 (kn->count#202){++++}:
             lock_acquire+0xd2/0x260
             __kernfs_remove+0x424/0x4a0
             kernfs_remove_by_name_ns+0x45/0x90
             remove_files.isra.1+0x3a/0x90
             sysfs_remove_group+0x5c/0xc0
             sysfs_remove_groups+0x39/0x60
             device_remove_attrs+0x82/0xb0
             device_del+0x251/0x580
             __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
             scsi_forget_host+0x37/0xb0 [scsi_mod]
             scsi_remove_host+0x9b/0x150 [scsi_mod]
             sdebug_driver_remove+0x4b/0x150 [scsi_debug]
             device_release_driver_internal+0x241/0x360
             device_release_driver+0x12/0x20
             bus_remove_device+0x1bc/0x290
             device_del+0x259/0x580
             device_unregister+0x1a/0x70
             sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
             scsi_debug_exit+0x76/0xe8 [scsi_debug]
             __x64_sys_delete_module+0x1c1/0x280
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&shost->scan_mutex);
                                     lock(kn->count#202);
                                     lock(&shost->scan_mutex);
        lock(kn->count#202);
      
       *** DEADLOCK ***
      
      2 locks held by modprobe/6539:
       #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360
       #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      stack backtrace:
      CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0xa4/0xf5
       print_circular_bug.isra.34+0x213/0x221
       __lock_acquire+0x1a7e/0x1b50
       lock_acquire+0xd2/0x260
       __kernfs_remove+0x424/0x4a0
       kernfs_remove_by_name_ns+0x45/0x90
       remove_files.isra.1+0x3a/0x90
       sysfs_remove_group+0x5c/0xc0
       sysfs_remove_groups+0x39/0x60
       device_remove_attrs+0x82/0xb0
       device_del+0x251/0x580
       __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
       scsi_forget_host+0x37/0xb0 [scsi_mod]
       scsi_remove_host+0x9b/0x150 [scsi_mod]
       sdebug_driver_remove+0x4b/0x150 [scsi_debug]
       device_release_driver_internal+0x241/0x360
       device_release_driver+0x12/0x20
       bus_remove_device+0x1bc/0x290
       device_del+0x259/0x580
       device_unregister+0x1a/0x70
       sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
       scsi_debug_exit+0x76/0xe8 [scsi_debug]
       __x64_sys_delete_module+0x1c1/0x280
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html.
      
      Fixes: ac0ece91 ("scsi: use device_remove_file_self() instead of device_schedule_callback()")
      Signed-off-by: 's avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: 's avatarTejun Heo <tj@kernel.org>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Martin K. Petersen's avatarMartin K. Petersen <martin.petersen@oracle.com>
      9558fc1b
    • Bart Van Assche's avatar
      scsi: sysfs: Introduce sysfs_{un,}break_active_protection() · 807d1d29
      Bart Van Assche authored
      commit 2afc9166 upstream.
      
      Introduce these two functions and export them such that the next patch
      can add calls to these functions from the SCSI core.
      Signed-off-by: 's avatarBart Van Assche <bart.vanassche@wdc.com>
      Acked-by: 's avatarTejun Heo <tj@kernel.org>
      Acked-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Martin K. Petersen's avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      807d1d29
    • Bart Van Assche's avatar
      scsi: mpt3sas: Fix _transport_smp_handler() error path · 373a1411
      Bart Van Assche authored
      commit 91b7bdb2 upstream.
      
      This patch avoids that smatch complains about a double unlock on
      ioc->transport_cmds.mutex.
      
      Fixes: 651a0136 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough")
      Signed-off-by: 's avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Sathya Prakash <sathya.prakash@broadcom.com>
      Cc: Chaitra P B <chaitra.basappa@broadcom.com>
      Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: 's avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: Martin K. Petersen's avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      373a1411
    • Sreekanth Reddy's avatar
      scsi: mpt3sas: Fix calltrace observed while running IO & reset · 8039fa72
      Sreekanth Reddy authored
      commit e7018314 upstream.
      
      Below kernel BUG was observed while running IOs with host reset (issued
      from application),
      
      mpt3sas_cm0: diag reset: SUCCESS
      ------------[ cut here ]------------
      WARNING: CPU: 12 PID: 4336 at drivers/scsi/mpt3sas/mpt3sas_base.c:3282 mpt3sas_base_clear_st+0x3d/0x40 [mpt3sas]
      Modules linked in: macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support
       dcdbas pcspkr joydev ipmi_ssif ses enclosure sg ipmi_devintf acpi_pad ipmi_msghandler acpi_power_meter mei_me lpc_ich wmi mei shpchp ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi uas usb_storage mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix mpt3sas libata crct10dif_pclmul crct10dif_common tg3 crc32c_intel i2c_core raid_class ptp scsi_transport_sas pps_core dm_mirror dm_region_hash dm_log dm_mod
      CPU: 12 PID: 4336 Comm: python Kdump: loaded Tainted: G        W      ------------   3.10.0-875.el7.brdc.x86_64 #1
      Hardware name: Dell Inc. PowerEdge R820/0YWR73, BIOS 1.5.0 03/08/2013
      Call Trace:
       [<ffffffff9cf16583>] dump_stack+0x19/0x1b
       [<ffffffff9c891698>] __warn+0xd8/0x100
       [<ffffffff9c8917dd>] warn_slowpath_null+0x1d/0x20
       [<ffffffffc04f3f4d>] mpt3sas_base_clear_st+0x3d/0x40 [mpt3sas]
       [<ffffffffc05047d2>] _scsih_flush_running_cmds+0x92/0xe0 [mpt3sas]
       [<ffffffffc05095db>] mpt3sas_scsih_reset_handler+0x43b/0xaf0 [mpt3sas]
       [<ffffffff9c894829>] ? vprintk_default+0x29/0x40
       [<ffffffff9cf10531>] ? printk+0x60/0x77
       [<ffffffffc04f06c8>] ? _base_diag_reset+0x238/0x340 [mpt3sas]
       [<ffffffffc04f794d>] mpt3sas_base_hard_reset_handler+0x1ad/0x420 [mpt3sas]
       [<ffffffffc05132b9>] _ctl_ioctl_main.isra.12+0x11b9/0x1200 [mpt3sas]
       [<ffffffffc068d585>] ? xfs_file_aio_write+0x155/0x1b0 [xfs]
       [<ffffffff9ca1a4e3>] ? do_sync_write+0x93/0xe0
       [<ffffffffc051337a>] _ctl_ioctl+0x1a/0x20 [mpt3sas]
       [<ffffffff9ca2fe90>] do_vfs_ioctl+0x350/0x560
       [<ffffffff9ca1dec1>] ? __sb_end_write+0x31/0x60
       [<ffffffff9ca30141>] SyS_ioctl+0xa1/0xc0
       [<ffffffff9cf28715>] ? system_call_after_swapgs+0xa2/0x146
       [<ffffffff9cf287d5>] system_call_fastpath+0x1c/0x21
       [<ffffffff9cf28721>] ? system_call_after_swapgs+0xae/0x146
      ---[ end trace 5dac5b98d89aaa3c ]---
      ------------[ cut here ]------------
      kernel BUG at block/blk-core.c:1476!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support
       dcdbas pcspkr joydev ipmi_ssif ses enclosure sg ipmi_devintf acpi_pad ipmi_msghandler acpi_power_meter mei_me lpc_ich wmi mei shpchp ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi uas usb_storage mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix mpt3sas libata crct10dif_pclmul crct10dif_common tg3 crc32c_intel i2c_core raid_class ptp scsi_transport_sas pps_core dm_mirror dm_region_hash dm_log dm_mod
      CPU: 12 PID: 4336 Comm: python Kdump: loaded Tainted: G        W      ------------   3.10.0-875.el7.brdc.x86_64 #1
      Hardware name: Dell Inc. PowerEdge R820/0YWR73, BIOS 1.5.0 03/08/2013
      task: ffff903fc96e0fd0 ti: ffff903fb1eec000 task.ti: ffff903fb1eec000
      RIP: 0010:[<ffffffff9cb19ec0>]  [<ffffffff9cb19ec0>] blk_requeue_request+0x90/0xa0
      RSP: 0018:ffff903c6b783dc0  EFLAGS: 00010087
      RAX: ffff903bb67026d0 RBX: ffff903b7d6a6140 RCX: dead000000000200
      RDX: ffff903bb67026d0 RSI: ffff903bb6702580 RDI: ffff903bb67026d0
      RBP: ffff903c6b783dd8 R08: ffff903bb67026d0 R09: ffffd97e80000000
      R10: ffff903c658bac00 R11: 0000000000000000 R12: ffff903bb6702580
      R13: ffff903fa9a292f0 R14: 0000000000000246 R15: 0000000000001057
      FS:  00007f7026f5b740(0000) GS:ffff903c6b780000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f298877c004 CR3: 00000000caf36000 CR4: 00000000000607e0
      Call Trace:
       <IRQ>
       [<ffffffff9cca68ff>] __scsi_queue_insert+0xbf/0x110
       [<ffffffff9cca79ca>] scsi_io_completion+0x5da/0x6a0
       [<ffffffff9cc9ca3c>] scsi_finish_command+0xdc/0x140
       [<ffffffff9cca6aa2>] scsi_softirq_done+0x132/0x160
       [<ffffffff9cb240c6>] blk_done_softirq+0x96/0xc0
       [<ffffffff9c89a905>] __do_softirq+0xf5/0x280
       [<ffffffff9cf2bd2c>] call_softirq+0x1c/0x30
       [<ffffffff9c82d625>] do_softirq+0x65/0xa0
       [<ffffffff9c89ac85>] irq_exit+0x105/0x110
       [<ffffffff9cf2d0a8>] smp_apic_timer_interrupt+0x48/0x60
       [<ffffffff9cf297f2>] apic_timer_interrupt+0x162/0x170
       <EOI>
       [<ffffffff9cca5f41>] ? scsi_done+0x21/0x60
       [<ffffffff9cb5ac18>] ? delay_tsc+0x38/0x60
       [<ffffffff9cb5ab5d>] __const_udelay+0x2d/0x30
       [<ffffffffc04effde>] _base_handshake_req_reply_wait+0x8e/0x4a0 [mpt3sas]
       [<ffffffffc04f0b13>] _base_get_ioc_facts+0x123/0x590 [mpt3sas]
       [<ffffffffc04f06c8>] ? _base_diag_reset+0x238/0x340 [mpt3sas]
       [<ffffffffc04f7993>] mpt3sas_base_hard_reset_handler+0x1f3/0x420 [mpt3sas]
       [<ffffffffc05132b9>] _ctl_ioctl_main.isra.12+0x11b9/0x1200 [mpt3sas]
       [<ffffffffc068d585>] ? xfs_file_aio_write+0x155/0x1b0 [xfs]
       [<ffffffff9ca1a4e3>] ? do_sync_write+0x93/0xe0
       [<ffffffffc051337a>] _ctl_ioctl+0x1a/0x20 [mpt3sas]
       [<ffffffff9ca2fe90>] do_vfs_ioctl+0x350/0x560
       [<ffffffff9ca1dec1>] ? __sb_end_write+0x31/0x60
       [<ffffffff9ca30141>] SyS_ioctl+0xa1/0xc0
       [<ffffffff9cf28715>] ? system_call_after_swapgs+0xa2/0x146
       [<ffffffff9cf287d5>] system_call_fastpath+0x1c/0x21
       [<ffffffff9cf28721>] ? system_call_after_swapgs+0xae/0x146
      Code: 83 c3 10 4c 89 e2 4c 89 ee e8 8d 21 04 00 48 8b 03 48 85 c0 75 e5 41 f6 44 24 4a 10 74 ad 4c 89 e6 4c 89 ef e8 b2 42 00 00 eb a0 <0f> 0b 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
      RIP  [<ffffffff9cb19ec0>] blk_requeue_request+0x90/0xa0
       RSP <ffff903c6b783dc0>
      
      As a part of host reset operation, driver will flushout all IOs outstanding
      at driver level with "DID_RESET" result.  To find which are all commands
      outstanding at the driver level, driver loops with smid starting from one
      to HBA queue depth and calls mpt3sas_scsih_scsi_lookup_get() to get scmd as
      shown below
      
       for (smid = 1; smid <= ioc->scsiio_depth; smid++) {
                      scmd = mpt3sas_scsih_scsi_lookup_get(ioc, smid);
                      if (!scmd)
                              continue;
      
      But in mpt3sas_scsih_scsi_lookup_get() function, driver returns some scsi
      cmnds which are not outstanding at the driver level (possibly request is
      constructed at block layer since QUEUE_FLAG_QUIESCED is not set. Even if
      driver uses scsi_block_requests and scsi_unblock_requests, issue still
      persists as they will be just blocking further IO from scsi layer and not
      from block layer) and these commands are flushed with DID_RESET host bytes
      thus resulting into above kernel BUG.
      
      This issue got introduced by commit dbec4c90 ("scsi: mpt3sas: lockless
      command submission").
      
      To fix this issue, we have modified the mpt3sas_scsih_scsi_lookup_get() to
      check for smid equals to zero (note: whenever any scsi cmnd is processing
      at the driver level then smid for that scsi cmnd will be non-zero, always
      it starts from one) before it returns the scmd pointer to the caller. If
      smid is zero then this function returns scmd pointer as NULL and driver
      won't flushout those scsi cmnds at driver level with DID_RESET host byte
      thus this issue will not be observed.
      
      [mkp: amended with updated fix from Sreekanth]
      Signed-off-by: 's avatarSreekanth Reddy <sreekanth.reddy@broadcom.com>
      Fixes: dbec4c90 ("scsi: mpt3sas: lockless command submission")
      Cc: stable@vger.kernel.org # v4.16+
      Reviewed-by: 's avatarTomas Henzl <thenzl@redhat.com>
      Reviewed-by: 's avatarBart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: Martin K. Petersen's avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8039fa72
    • Tomas Winkler's avatar
      tpm: separate cmd_ready/go_idle from runtime_pm · 7624ac87
      Tomas Winkler authored
      commit 627448e8 upstream.
      
      Fix tpm ptt initialization error:
      tpm tpm0: A TPM error (378) occurred get tpm pcr allocation.
      
      We cannot use go_idle cmd_ready commands via runtime_pm handles
      as with the introduction of localities this is no longer an optional
      feature, while runtime pm can be not enabled.
      Though cmd_ready/go_idle provides a power saving, it's also a part of
      TPM2 protocol and should be called explicitly.
      This patch exposes cmd_read/go_idle via tpm class ops and removes
      runtime pm support as it is not used by any driver.
      
      When calling from nested context always use both flags:
      TPM_TRANSMIT_UNLOCKED and TPM_TRANSMIT_RAW. Both are needed to resolve
      tpm spaces and locality request recursive calls to tpm_transmit().
      TPM_TRANSMIT_RAW should never be used standalone as it will fail
      on double locking. While TPM_TRANSMIT_UNLOCKED standalone should be
      called from non-recursive locked contexts.
      
      New wrappers are added tpm_cmd_ready() and tpm_go_idle() to
      streamline tpm_try_transmit code.
      
      tpm_crb no longer needs own power saving functions and can drop using
      tpm_pm_suspend/resume.
      
      This patch cannot be really separated from the locality fix.
      Fixes: 888d867d (tpm: cmd_ready command can be issued only after granting locality)
      
      Cc: stable@vger.kernel.org
      Fixes: 888d867d (tpm: cmd_ready command can be issued only after granting locality)
      Signed-off-by: 's avatarTomas Winkler <tomas.winkler@intel.com>
      Tested-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Reviewed-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7624ac87
    • Ricardo Schwarzmeier's avatar
      tpm: Return the actual size when receiving an unsupported command · b64b3b46
      Ricardo Schwarzmeier authored
      commit 36a11029 upstream.
      
      The userpace expects to read the number of bytes stated in the header.
      Returning the size of the buffer instead would be unexpected.
      
      Cc: stable@vger.kernel.org
      Fixes: 095531f8 ("tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented")
      Signed-off-by: 's avatarRicardo Schwarzmeier <Ricardo.Schwarzmeier@infineon.com>
      Reviewed-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b64b3b46
    • Paul Burton's avatar
      MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 · d07d4e8b
      Paul Burton authored
      commit 690d9163 upstream.
      
      Some versions of GCC suboptimally generate calls to the __multi3()
      intrinsic for MIPS64r6 builds, resulting in link failures due to the
      missing function:
      
          LD      vmlinux.o
          MODPOST vmlinux.o
        kernel/bpf/verifier.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        fs/select.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        ...
      
      We already have a workaround for this in which we provide the
      instrinsic, but we do so selectively for GCC 7 only. Unfortunately the
      issue occurs with older GCC versions too - it has been observed with
      both GCC 5.4.0 & GCC 6.4.0.
      
      MIPSr6 support was introduced in GCC 5, so all major GCC versions prior
      to GCC 8 are affected and we extend our workaround accordingly to all
      MIPS64r6 builds using GCC versions older than GCC 8.
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Reported-by: 's avatarVladimir Kondratiev <vladimir.kondratiev@intel.com>
      Fixes: ebabcf17 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
      Patchwork: https://patchwork.linux-mips.org/patch/20297/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 4.15+
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d07d4e8b
    • Huacai Chen's avatar
      MIPS: Change definition of cpu_relax() for Loongson-3 · 8f55e1f5
      Huacai Chen authored
      commit a3071886 upstream.
      
      Linux expects that if a CPU modifies a memory location, then that
      modification will eventually become visible to other CPUs in the system.
      
      Loongson 3 CPUs include a Store Fill Buffer (SFB) which sits between a
      core & its L1 data cache, queueing memory accesses & allowing for faster
      forwarding of data from pending stores to younger loads from the core.
      Unfortunately the SFB prioritizes loads such that a continuous stream of
      loads may cause a pending write to be buffered indefinitely. This is
      problematic if we end up with 2 CPUs which each perform a store that the
      other polls for - one or both CPUs may end up with their stores buffered
      in the SFB, never reaching cache due to the continuous reads from the
      poll loop. Such a deadlock condition has been observed whilst running
      qspinlock code.
      
      This patch changes the definition of cpu_relax() to smp_mb() for
      Loongson-3, forcing a flush of the SFB on SMP systems which will cause
      any pending writes to make it as far as the L1 caches where they will
      become visible to other CPUs. If the kernel is not compiled for SMP
      support, this will expand to a barrier() as before.
      
      This workaround matches that currently implemented for ARM when
      CONFIG_ARM_ERRATA_754327=y, which was introduced by commit 534be1d5
      ("ARM: 6194/1: change definition of cpu_relax() for ARM11MPCore").
      
      Although the workaround is only required when the Loongson 3 SFB
      functionality is enabled, and we only began explicitly enabling that
      functionality in v4.7 with commit 1e820da3 ("MIPS: Loongson-3:
      Introduce CONFIG_LOONGSON3_ENHANCEMENT"), existing or future firmware
      may enable the SFB which means we may need the workaround backported to
      earlier kernels too.
      
      [paul.burton@mips.com:
        - Reword commit message & comment.
        - Limit stable backport to v3.15+ where we support Loongson 3 CPUs.]
      Signed-off-by: 's avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      References: 534be1d5 ("ARM: 6194/1: change definition of cpu_relax() for ARM11MPCore")
      References: 1e820da3 ("MIPS: Loongson-3: Introduce CONFIG_LOONGSON3_ENHANCEMENT")
      Patchwork: https://patchwork.linux-mips.org/patch/19830/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: Huacai Chen <chenhuacai@gmail.com>
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f55e1f5
    • Paul Burton's avatar
      MIPS: Always use -march=<arch>, not -<arch> shortcuts · 9238ea28
      Paul Burton authored
      commit 344ebf09 upstream.
      
      The VDSO Makefile filters CFLAGS to select a subset which it uses whilst
      building the VDSO ELF. One of the flags it allows through is the -march=
      flag that selects the architecture/ISA to target.
      
      Unfortunately in cases where CONFIG_CPU_MIPS32_R{1,2}=y and the
      toolchain defaults to building for MIPS64, the main MIPS Makefile ends
      up using the short-form -<arch> flags in cflags-y. This is because the
      calls to cc-option always fail to use the long-form -march=<arch> flag
      due to the lack of an -mabi=<abi> flag in KBUILD_CFLAGS at the point
      where the cc-option function is executed. The resulting GCC invocation
      is something like:
      
        $ mips64-linux-gcc -Werror -march=mips32r2 -c -x c /dev/null -o tmp
        cc1: error: '-march=mips32r2' is not compatible with the selected ABI
      
      These short-form -<arch> flags are dropped by the VDSO Makefile's
      filtering, and so we attempt to build the VDSO without specifying any
      architecture. This results in an attempt to build the VDSO using
      whatever the compiler's default architecture is, regardless of whether
      that is suitable for the kernel configuration.
      
      One encountered build failure resulting from this mismatch is a
      rejection of the sync instruction if the kernel is configured for a
      MIPS32 or MIPS64 r1 or r2 target but the toolchain defaults to an older
      architecture revision such as MIPS1 which did not include the sync
      instruction:
      
          CC      arch/mips/vdso/gettimeofday.o
        /tmp/ccGQKoOj.s: Assembler messages:
        /tmp/ccGQKoOj.s:273: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:329: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:520: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:714: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1009: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1066: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1114: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1279: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1334: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1374: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1459: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1514: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1814: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:2002: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:2066: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        make[2]: *** [scripts/Makefile.build:318: arch/mips/vdso/gettimeofday.o] Error 1
        make[1]: *** [scripts/Makefile.build:558: arch/mips/vdso] Error 2
        make[1]: *** Waiting for unfinished jobs....
      
      This can be reproduced for example by attempting to build
      pistachio_defconfig using Arnd's GCC 8.1.0 mips64 toolchain from
      kernel.org:
      
        https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/x86_64-gcc-8.1.0-nolibc-mips64-linux.tar.xz
      
      Resolve this problem by using the long-form -march=<arch> in all cases,
      which makes it through the arch/mips/vdso/Makefile's filtering & is thus
      consistently used to build both the kernel proper & the VDSO.
      
      The use of cc-option to prefer the long-form & fall back to the
      short-form flags makes no sense since the short-form is just an
      abbreviation for the also-supported long-form in all GCC versions that
      we support building with. This means there is no case in which we have
      to use the short-form -<arch> flags, so we can simply remove them.
      
      The manual redefinition of _MIPS_ISA is removed naturally along with the
      use of the short-form flags that it accompanied, and whilst here we
      remove the separate assembler ISA selection. I suspect that both of
      these were only required due to the mips32 vs mips2 mismatch that was
      introduced by commit 59b3e8e9 ("[MIPS] Makefile crapectomy.") and
      fixed but not cleaned up by commit 9200c0b2 ("[MIPS] Fix Makefile
      bugs for MIPS32/MIPS64 R1 and R2.").
      
      I've marked this for backport as far as v4.4 where the MIPS VDSO was
      introduced. In earlier kernels there should be no ill effect to using
      the short-form flags.
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.4+
      Reviewed-by: 's avatarJames Hogan <jhogan@kernel.org>
      Patchwork: https://patchwork.linux-mips.org/patch/19579/Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9238ea28
    • Matt Redfearn's avatar
      MIPS: memset.S: Fix byte_fixup for MIPSr6 · 8d6a4b45
      Matt Redfearn authored
      commit b1c03f1e upstream.
      
      The __clear_user function is defined to return the number of bytes that
      could not be cleared. From the underlying memset / bzero implementation
      this means setting register a2 to that number on return. Currently if a
      page fault is triggered within the MIPSr6 version of setting of initial
      unaligned bytes, the value loaded into a2 on return is meaningless.
      
      During the MIPSr6 version of the initial unaligned bytes block, register
      a2 contains the number of bytes to be set beyond the initial unaligned
      bytes. The t0 register is initally set to the number of unaligned bytes
      - STORSIZE, effectively a negative version of the number of unaligned
      bytes. This is then incremented before each byte is saved.
      
      The label .Lbyte_fixup\@ is jumped to on page fault. Currently the value
      in a2 is incorrectly replaced by 0 - t0 + 1, effectively the number of
      unaligned bytes remaining. This leads to the failures being reported by
      the following test code:
      
      static int __init test_clear_user(void)
      {
      	int j, k;
      
      	pr_info("\n\n\nTesting clear_user\n");
      	for (j = 0; j < 512; j++) {
      		if ((k = clear_user(NULL+3, j)) != j) {
      			pr_err("clear_user (NULL %d) returned %d\n", j, k);
      		}
      	}
      	return 0;
      }
      late_initcall(test_clear_user);
      
      Which reports:
      [    3.965439] Testing clear_user
      [    3.973169] clear_user (NULL 8) returned 6
      [    3.976782] clear_user (NULL 9) returned 6
      [    3.980390] clear_user (NULL 10) returned 6
      [    3.984052] clear_user (NULL 11) returned 6
      [    3.987524] clear_user (NULL 12) returned 6
      
      Fix this by subtracting t0 from a2 (rather than $0), effectivey giving:
      unset_bytes = (#bytes - (#unaligned bytes)) - (-#unaligned bytes remaining + 1) + 1
           a2     =             a2                -              t0                   + 1
      
      This fixes the value returned from __clear user when the number of bytes
      to set is > LONGSIZE and the address is invalid and unaligned.
      
      Unfortunately, this breaks the fixup handling for unaligned bytes after
      the final long, where register a2 still contains the number of bytes
      remaining to be set and the t0 register is to 0 - the number of
      unaligned bytes remaining.
      
      Because t0 is now is now subtracted from a2 rather than 0, the number of
      bytes unset is reported incorrectly:
      
      static int __init test_clear_user(void)
      {
      	char *test;
      	int j, k;
      
      	pr_info("\n\n\nTesting clear_user\n");
      	test = vmalloc(PAGE_SIZE);
      
      	for (j = 256; j < 512; j++) {
      		if ((k = clear_user(test + PAGE_SIZE - 254, j)) != j - 254) {
      			pr_err("clear_user (%px %d) returned %d\n",
      				test + PAGE_SIZE - 254, j, k);
      		}
      	}
      	return 0;
      }
      late_initcall(test_clear_user);
      
      [    3.976775] clear_user (c00000000000df02 256) returned 4
      [    3.981957] clear_user (c00000000000df02 257) returned 6
      [    3.986425] clear_user (c00000000000df02 258) returned 8
      [    3.990850] clear_user (c00000000000df02 259) returned 10
      [    3.995332] clear_user (c00000000000df02 260) returned 12
      [    3.999815] clear_user (c00000000000df02 261) returned 14
      
      Fix this by ensuring that a2 is set to 0 during the set of final
      unaligned bytes.
      Signed-off-by: 's avatarMatt Redfearn <matt.redfearn@mips.com>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Fixes: 8c56208a ("MIPS: lib: memset: Add MIPS R6 support")
      Patchwork: https://patchwork.linux-mips.org/patch/19338/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d6a4b45
    • Maciej W. Rozycki's avatar
      MIPS: Correct the 64-bit DSP accumulator register size · d06e5e4a
      Maciej W. Rozycki authored
      commit f5958b4c upstream.
      
      Use the `unsigned long' rather than `__u32' type for DSP accumulator
      registers, like with the regular MIPS multiply/divide accumulator and
      general-purpose registers, as all are 64-bit in 64-bit implementations
      and using a 32-bit data type leads to contents truncation on context
      saving.
      
      Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing
      casts that are similarly not used with multiply/divide accumulator or
      general-purpose register accesses.
      Signed-off-by: 's avatarMaciej W. Rozycki <macro@mips.com>
      Signed-off-by: 's avatarPaul Burton <paul.burton@mips.com>
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Patchwork: https://patchwork.linux-mips.org/patch/19329/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # 2.6.15+
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d06e5e4a
    • Masami Hiramatsu's avatar
      kprobes: Make list and blacklist root user read only · 968a9a4a
      Masami Hiramatsu authored
      commit f2a3ab36 upstream.
      
      Since the blacklist and list files on debugfs indicates
      a sensitive address information to reader, it should be
      restricted to the root user.
      Suggested-by: 's avatarThomas Richter <tmricht@linux.ibm.com>
      Suggested-by: 's avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: 's avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491890171.9916.5183693615601334087.stgit@devboxSigned-off-by: 's avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      968a9a4a
    • Masami Hiramatsu's avatar
      kprobes/arm: Fix %p uses in error messages · 2f56c8af
      Masami Hiramatsu authored
      commit 75b2f5f5 upstream.
      
      Fix %p uses in error messages by removing it and
      using general dumper.
      Signed-off-by: 's avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491905361.9916.15300852365956231645.stgit@devboxSigned-off-by: 's avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f56c8af
    • Masami Hiramatsu's avatar
      kprobes: Replace %p with other pointer types · 10334e1a
      Masami Hiramatsu authored
      commit 4458515b upstream.
      
      Replace %p with %pS or just remove it if unneeded.
      And use WARN_ONCE() if it is a single bug.
      Signed-off-by: 's avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491899284.9916.5350534544808158621.stgit@devboxSigned-off-by: 's avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10334e1a
    • Masami Hiramatsu's avatar
      kprobes: Show blacklist addresses as same as kallsyms does · b143efb4
      Masami Hiramatsu authored
      commit ffb9bd68 upstream.
      
      Show kprobes blacklist addresses under same condition of
      showing kallsyms addresses.
      
      Since there are several name conflict for local symbols,
      kprobe blacklist needs to show each addresses so that
      user can identify where is on blacklist by comparing
      with kallsyms.
      Signed-off-by: 's avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491893217.9916.14760965896164273464.stgit@devboxSigned-off-by: 's avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b143efb4
    • Philipp Rudo's avatar
      s390/purgatory: Add missing FORCE to Makefile targets · d6c96d24
      Philipp Rudo authored
      commit c315e693 upstream.
      
      Without FORCE make does not detect changes only made to the command line
      options. So object files might not be re-built even when they should be.
      Fix this by adding FORCE where it is missing.
      
      Fixes: 840798a1 ("s390/kexec_file: Add purgatory")
      Cc: <stable@vger.kernel.org> # 4.17
      Signed-off-by: 's avatarPhilipp Rudo <prudo@linux.ibm.com>
      Acked-by: 's avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: 's avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6c96d24
    • Philipp Rudo's avatar
      s390/purgatory: Fix crash with expoline enabled · 5a2e51f9
      Philipp Rudo authored
      commit ad03b821 upstream.
      
      When the kernel is built with CONFIG_EXPOLINE=y and a compiler with
      indirect branch mitigation enabled the purgatory crashes. The reason for
      that is that the macros defined for expoline are used in mem.S. These
      macros define new sections (.text.__s390x_indirect_*) which are marked
      executable. Due to the missing linker script those sections are linked to
      address 0, just as the .text section. In combination with the entry point
      also being at address 0 this causes the purgatory load code
      (kernel/kexec_file.c: kexec_purgatory_setup_sechdrs) to update the entry
      point twice. Thus the old kernel jumps to some 'random' address causing the
      crash.
      
      To fix this turn off expolines for the purgatory. There is no problem with
      this in this case due to the fact that the purgatory only runs once and the
      tlb is purged (diag 308) in the end.
      
      Fixes: 840798a1 ("s390/kexec_file: Add purgatory")
      Cc: <stable@vger.kernel.org> # 4.17
      Signed-off-by: 's avatarPhilipp Rudo <prudo@linux.ibm.com>
      Reviewed-by: 's avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: 's avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a2e51f9
    • Sebastian Ott's avatar
      s390/pci: fix out of bounds access during irq setup · 87509861
      Sebastian Ott authored
      commit 866f3576 upstream.
      
      During interrupt setup we allocate interrupt vectors, walk the list of msi
      descriptors, and fill in the message data. Requesting more interrupts than
      supported on s390 can lead to an out of bounds access.
      
      When we restrict the number of interrupts we should also stop walking the
      msi list after all supported interrupts are handled.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarSebastian Ott <sebott@linux.ibm.com>
      Signed-off-by: 's avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87509861
    • Martin Schwidefsky's avatar
      s390/numa: move initial setup of node_to_cpumask_map · b51627dc
      Martin Schwidefsky authored
      commit fb7d7518 upstream.
      
      The numa_init_early initcall sets the node_to_cpumask_map[0] to the
      full cpu_possible_mask. Unfortunately this early_initcall is too late,
      the NUMA setup for numa=emu is done even earlier. The order of calls
      is numa_setup() -> emu_update_cpu_topology(), then the early_initcalls(),
      followed by sched_init_domains().
      
      Starting with git commit 051f3ca0
      "sched/topology: Introduce NUMA identity node sched domain"
      the incorrect node_to_cpumask_map[0] really screws up the domain
      setup and the kernel panics with the follow oops:
      
      Cc: <stable@vger.kernel.org> # v4.15+
      Signed-off-by: 's avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b51627dc