1. 17 Dec, 2018 18 commits
    • Guenter Roeck's avatar
      staging: speakup: Replace strncpy with memcpy · df62280b
      Guenter Roeck authored
      commit fd29edc7232bc19f969e8f463138afc5472b3d5f upstream.
      
      gcc 8.1.0 generates the following warnings.
      
      drivers/staging/speakup/kobjects.c: In function 'punc_store':
      drivers/staging/speakup/kobjects.c:522:2: warning:
      	'strncpy' output truncated before terminating nul
      	copying as many bytes from a string as its length
      drivers/staging/speakup/kobjects.c:504:6: note: length computed here
      
      drivers/staging/speakup/kobjects.c: In function 'synth_store':
      drivers/staging/speakup/kobjects.c:391:2: warning:
      	'strncpy' output truncated before terminating nul
      	copying as many bytes from a string as its length
      drivers/staging/speakup/kobjects.c:388:8: note: length computed here
      
      Using strncpy() is indeed less than perfect since the length of data to
      be copied has already been determined with strlen(). Replace strncpy()
      with memcpy() to address the warning and optimize the code a little.
      Signed-off-by: 's avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: 's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df62280b
    • Srikanth Boddepalli's avatar
      xen: xlate_mmu: add missing header to fix 'W=1' warning · c5ca49a5
      Srikanth Boddepalli authored
      [ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ]
      
      Add a missing header otherwise compiler warns about missed prototype:
      
      drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes]
        int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma,
            ^~~~~~~~~~~~~~~~~~~~~~~~~
      Signed-off-by: 's avatarSrikanth Boddepalli <boddepalli.srikanth@gmail.com>
      Reviewed-by: 's avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: 's avatarJoey Pabalinas <joeypabalinas@gmail.com>
      Signed-off-by: 's avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      c5ca49a5
    • Y.C. Chen's avatar
      drm/ast: fixed reading monitor EDID not stable issue · 9e5c74f0
      Y.C. Chen authored
      [ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ]
      
      v1: over-sample data to increase the stability with some specific monitors
      v2: refine to avoid infinite loop
      v3: remove un-necessary "volatile" declaration
      
      [airlied: fix two checkpatch warnings]
      Signed-off-by: 's avatarY.C. Chen <yc_chen@aspeedtech.com>
      Signed-off-by: 's avatarDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.comSigned-off-by: 's avatarSasha Levin <sashal@kernel.org>
      9e5c74f0
    • Pan Bian's avatar
      net: hisilicon: remove unexpected free_netdev · 1bb6e0cc
      Pan Bian authored
      [ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ]
      
      The net device ndev is freed via free_netdev when failing to register
      the device. The control flow then jumps to the error handling code
      block. ndev is used and freed again. Resulting in a use-after-free bug.
      Signed-off-by: 's avatarPan Bian <bianpan2016@163.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      1bb6e0cc
    • Josh Elsasser's avatar
      ixgbe: recognize 1000BaseLX SFP modules as 1Gbps · 992963c6
      Josh Elsasser authored
      [ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ]
      
      Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules,
      allowing the core driver code to establish a link over this SFP type.
      
      This is done by the out-of-tree driver but the fix wasn't in mainline.
      
      Fixes: e23f3336 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”)
      Fixes: 6a14ee0c ("ixgbe: Add X550 support function pointers")
      Signed-off-by: 's avatarJosh Elsasser <jelsasser@appneta.com>
      Tested-by: 's avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: 's avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      992963c6
    • Yunjian Wang's avatar
      igb: fix uninitialized variables · f30f32d6
      Yunjian Wang authored
      [ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ]
      
      This patch fixes the variable 'phy_word' may be used uninitialized.
      Signed-off-by: 's avatarYunjian Wang <wangyunjian@huawei.com>
      Tested-by: 's avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: 's avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      f30f32d6
    • Lorenzo Bianconi's avatar
      net: thunderx: fix NULL pointer dereference in nic_remove · f05ca3e4
      Lorenzo Bianconi authored
      [ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ]
      
      Fix a possible NULL pointer dereference in nic_remove routine
      removing the nicpf module if nic_probe fails.
      The issue can be triggered with the following reproducer:
      
      $rmmod nicvf
      $rmmod nicpf
      
      [  521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
      [  521.422777] Mem abort info:
      [  521.425561]   ESR = 0x96000004
      [  521.428624]   Exception class = DABT (current EL), IL = 32 bits
      [  521.434535]   SET = 0, FnV = 0
      [  521.437579]   EA = 0, S1PTW = 0
      [  521.440730] Data abort info:
      [  521.443603]   ISV = 0, ISS = 0x00000004
      [  521.447431]   CM = 0, WnR = 0
      [  521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
      [  521.457022] [0000000000000014] pgd=0000000000000000
      [  521.461916] Internal error: Oops: 96000004 [#1] SMP
      [  521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
      [  521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
      [  521.523451] pc : nic_remove+0x24/0x88 [nicpf]
      [  521.527808] lr : pci_device_remove+0x48/0xd8
      [  521.532066] sp : ffff000013433cc0
      [  521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
      [  521.540672] x27: 0000000000000000 x26: 0000000000000000
      [  521.545974] x25: 0000000056000000 x24: 0000000000000015
      [  521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
      [  521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
      [  521.561877] x19: 0000000000000000 x18: 0000000000000025
      [  521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
      [  521.593683] x7 : 0000000000000000 x6 : 0000000000000001
      [  521.598983] x5 : 0000000000000002 x4 : 0000000000000003
      [  521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
      [  521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
      [  521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
      [  521.621490] Call trace:
      [  521.623928]  nic_remove+0x24/0x88 [nicpf]
      [  521.627927]  pci_device_remove+0x48/0xd8
      [  521.631847]  device_release_driver_internal+0x1b0/0x248
      [  521.637062]  driver_detach+0x50/0xc0
      [  521.640628]  bus_remove_driver+0x60/0x100
      [  521.644627]  driver_unregister+0x34/0x60
      [  521.648538]  pci_unregister_driver+0x24/0xd8
      [  521.652798]  nic_cleanup_module+0x14/0x111c [nicpf]
      [  521.657672]  __arm64_sys_delete_module+0x150/0x218
      [  521.662460]  el0_svc_handler+0x94/0x110
      [  521.666287]  el0_svc+0x8/0xc
      [  521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
      
      Fixes: 4863dea3 ("net: Adding support for Cavium ThunderX network controller")
      Signed-off-by: 's avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      f05ca3e4
    • Aaro Koskinen's avatar
      USB: omap_udc: fix USB gadget functionality on Palm Tungsten E · def38db5
      Aaro Koskinen authored
      [ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ]
      
      On Palm TE nothing happens when you try to use gadget drivers and plug
      the USB cable. Fix by adding the board to the vbus sense quirk list.
      Signed-off-by: 's avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: 's avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      def38db5
    • Aaro Koskinen's avatar
      USB: omap_udc: fix omap_udc_start() on 15xx machines · 42aea74f
      Aaro Koskinen authored
      [ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ]
      
      On OMAP 15xx machines there are no transceivers, and omap_udc_start()
      always fails as it forgot to adjust the default return value.
      Signed-off-by: 's avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: 's avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      42aea74f
    • Aaro Koskinen's avatar
      USB: omap_udc: fix crashes on probe error and module removal · a2aa761a
      Aaro Koskinen authored
      [ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ]
      
      We currently crash if usb_add_gadget_udc_release() fails, since the
      udc->done is not initialized until in the remove function.
      Furthermore, on module removal the udc data is accessed although
      the release function is already triggered by usb_del_gadget_udc()
      early in the function.
      
      Fix by rewriting the release and remove functions, basically moving
      all the cleanup into the release function, and doing the completion
      only in the module removal case.
      
      The patch fixes omap_udc module probe with a failing gadged, and also
      allows the removal of omap_udc. Tested by running "modprobe omap_udc;
      modprobe -r omap_udc" in a loop.
      Signed-off-by: 's avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: 's avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      a2aa761a
    • Aaro Koskinen's avatar
      USB: omap_udc: use devm_request_irq() · 2c37b2f4
      Aaro Koskinen authored
      [ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ]
      
      The current code fails to release the third irq on the error path
      (observed by reading the code), and we get also multiple WARNs with
      failing gadget drivers due to duplicate IRQ releases. Fix by using
      devm_request_irq().
      Signed-off-by: 's avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: 's avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      2c37b2f4
    • Majd Dibbiny's avatar
      RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR · 454892c3
      Majd Dibbiny authored
      [ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ]
      
      Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
      current fence will be SMALL instead of Normal Fence.
      
      Without this patch krping doesn't work on CX-5 devices and throws
      following error:
      
      The error messages are from CX5 driver are: (from server side)
      [ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434017] 00000000 00000000 00000000 00000000
      [ 710.434018] 00000000 93003204 100000b8 000524d2
      [ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
      
      Fixed the logic to set the correct fence type.
      
      Fixes: 6e8484c5 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
      Signed-off-by: 's avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: 's avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: 's avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      454892c3
    • Huacai Chen's avatar
      hwmon: (w83795) temp4_type has writable permission · da7e373e
      Huacai Chen authored
      [ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ]
      
      Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
      is writable, so fix it.
      Signed-off-by: 's avatarYao Wang <wangyao@lemote.com>
      Signed-off-by: 's avatarHuacai Chen <chenhc@lemote.com>
      Fixes: 39deb699 (" hwmon: (w83795) Simplify temperature sensor type handling")
      Signed-off-by: 's avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      da7e373e
    • Nicolin Chen's avatar
      hwmon: (ina2xx) Fix current value calculation · 526bbd2c
      Nicolin Chen authored
      [ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ]
      
      The current register (04h) has a sign bit at MSB. The comments
      for this calculation also mention that it's a signed register.
      
      However, the regval is unsigned type so result of calculation
      turns out to be an incorrect value when current is negative.
      
      This patch simply fixes this by adding a casting to s16.
      
      Fixes: 5d389b12 ("hwmon: (ina2xx) Make calibration register value fixed")
      Signed-off-by: 's avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: 's avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      526bbd2c
    • Nicolas Dichtel's avatar
      tun: forbid iface creation with rtnl ops · b28c2c74
      Nicolas Dichtel authored
      [ Upstream commit 35b827b6d06199841a83839e8bb69c0cd13a28be ]
      
      It's not supported right now (the goal of the initial patch was to support
      'ip link del' only).
      
      Before the patch:
      $ ip link add foo type tun
      [  239.632660] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      [snip]
      [  239.636410] RIP: 0010:register_netdevice+0x8e/0x3a0
      
      This panic occurs because dev->netdev_ops is not set by tun_setup(). But to
      have something usable, it will require more than just setting
      netdev_ops.
      
      Fixes: f019a7a5 ("tun: Implement ip link del tunXXX")
      CC: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: 's avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b28c2c74
    • Heiner Kallweit's avatar
      net: phy: don't allow __set_phy_supported to add unsupported modes · 4f384d94
      Heiner Kallweit authored
      [ Upstream commit d2a36971ef595069b7a600d1144c2e0881a930a1 ]
      
      Currently __set_phy_supported allows to add modes w/o checking whether
      the PHY supports them. This is wrong, it should never add modes but
      only remove modes we don't want to support.
      
      The commit marked as fixed didn't do anything wrong, it just copied
      existing functionality to the helper which is being fixed now.
      
      Fixes: f3a6bd39 ("phylib: Add phy_set_max_speed helper")
      Signed-off-by: 's avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: 's avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f384d94
    • Tarick Bedeir's avatar
      net/mlx4_core: Correctly set PFC param if global pause is turned off. · 5765610c
      Tarick Bedeir authored
      [ Upstream commit bd5122cd1e0644d8bd8dd84517c932773e999766 ]
      
      rx_ppp and tx_ppp can be set between 0 and 255, so don't clamp to 1.
      
      Fixes: 6e8814ceb7e8 ("net/mlx4_en: Fix mixed PFC and Global pause user control requests")
      Signed-off-by: 's avatarTarick Bedeir <tarick@google.com>
      Reviewed-by: 's avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5765610c
    • Su Yanjun's avatar
      net: 8139cp: fix a BUG triggered by changing mtu with network traffic · 25a445d3
      Su Yanjun authored
      [ Upstream commit a5d4a89245ead1f37ed135213653c5beebea4237 ]
      
      When changing mtu many times with traffic, a bug is triggered:
      
      [ 1035.684037] kernel BUG at lib/dynamic_queue_limits.c:26!
      [ 1035.684042] invalid opcode: 0000 [#1] SMP
      [ 1035.684049] Modules linked in: loop binfmt_misc 8139cp(OE) macsec
      tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag tcp_lp
      fuse uinput xt_CHECKSUM iptable_mangle ipt_MASQUERADE
      nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4
      nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun
      bridge stp llc ebtable_filter ebtables ip6table_filter devlink
      ip6_tables iptable_filter sunrpc snd_hda_codec_generic snd_hda_intel
      snd_hda_codec snd_hda_core snd_hwdep ppdev snd_seq iosf_mbi crc32_pclmul
      parport_pc snd_seq_device ghash_clmulni_intel parport snd_pcm
      aesni_intel joydev lrw snd_timer virtio_balloon sg gf128mul glue_helper
      ablk_helper cryptd snd soundcore i2c_piix4 pcspkr ip_tables xfs
      libcrc32c sr_mod sd_mod cdrom crc_t10dif crct10dif_generic ata_generic
      [ 1035.684102]  pata_acpi virtio_console qxl drm_kms_helper syscopyarea
      sysfillrect sysimgblt floppy fb_sys_fops crct10dif_pclmul
      crct10dif_common ttm crc32c_intel serio_raw ata_piix drm libata 8139too
      virtio_pci drm_panel_orientation_quirks virtio_ring virtio mii dm_mirror
      dm_region_hash dm_log dm_mod [last unloaded: 8139cp]
      [ 1035.684132] CPU: 9 PID: 25140 Comm: if-mtu-change Kdump: loaded
      Tainted: G           OE  ------------ T 3.10.0-957.el7.x86_64 #1
      [ 1035.684134] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [ 1035.684136] task: ffff8f59b1f5a080 ti: ffff8f5a2e32c000 task.ti:
      ffff8f5a2e32c000
      [ 1035.684149] RIP: 0010:[<ffffffffba3a40d0>]  [<ffffffffba3a40d0>]
      dql_completed+0x180/0x190
      [ 1035.684162] RSP: 0000:ffff8f5a75483e50  EFLAGS: 00010093
      [ 1035.684162] RAX: 00000000000000c2 RBX: ffff8f5a6f91c000 RCX:
      0000000000000000
      [ 1035.684162] RDX: 0000000000000000 RSI: 0000000000000184 RDI:
      ffff8f599fea3ec0
      [ 1035.684162] RBP: ffff8f5a75483ea8 R08: 00000000000000c2 R09:
      0000000000000000
      [ 1035.684162] R10: 00000000000616ef R11: ffff8f5a75483b56 R12:
      ffff8f599fea3e00
      [ 1035.684162] R13: 0000000000000001 R14: 0000000000000000 R15:
      0000000000000184
      [ 1035.684162] FS:  00007fa8434de740(0000) GS:ffff8f5a75480000(0000)
      knlGS:0000000000000000
      [ 1035.684162] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1035.684162] CR2: 00000000004305d0 CR3: 000000024eb66000 CR4:
      00000000001406e0
      [ 1035.684162] Call Trace:
      [ 1035.684162]  <IRQ>
      [ 1035.684162]  [<ffffffffc08cbaf8>] ? cp_interrupt+0x478/0x580 [8139cp]
      [ 1035.684162]  [<ffffffffba14a294>]
      __handle_irq_event_percpu+0x44/0x1c0
      [ 1035.684162]  [<ffffffffba14a442>] handle_irq_event_percpu+0x32/0x80
      [ 1035.684162]  [<ffffffffba14a4cc>] handle_irq_event+0x3c/0x60
      [ 1035.684162]  [<ffffffffba14db29>] handle_fasteoi_irq+0x59/0x110
      [ 1035.684162]  [<ffffffffba02e554>] handle_irq+0xe4/0x1a0
      [ 1035.684162]  [<ffffffffba7795dd>] do_IRQ+0x4d/0xf0
      [ 1035.684162]  [<ffffffffba76b362>] common_interrupt+0x162/0x162
      [ 1035.684162]  <EOI>
      [ 1035.684162]  [<ffffffffba0c2ae4>] ? __wake_up_bit+0x24/0x70
      [ 1035.684162]  [<ffffffffba1e46f5>] ? do_set_pte+0xd5/0x120
      [ 1035.684162]  [<ffffffffba1b64fb>] unlock_page+0x2b/0x30
      [ 1035.684162]  [<ffffffffba1e4879>] do_read_fault.isra.61+0x139/0x1b0
      [ 1035.684162]  [<ffffffffba1e9134>] handle_pte_fault+0x2f4/0xd10
      [ 1035.684162]  [<ffffffffba1ebc6d>] handle_mm_fault+0x39d/0x9b0
      [ 1035.684162]  [<ffffffffba76f5e3>] __do_page_fault+0x203/0x500
      [ 1035.684162]  [<ffffffffba76f9c6>] trace_do_page_fault+0x56/0x150
      [ 1035.684162]  [<ffffffffba76ef42>] do_async_page_fault+0x22/0xf0
      [ 1035.684162]  [<ffffffffba76b788>] async_page_fault+0x28/0x30
      [ 1035.684162] Code: 54 c7 47 54 ff ff ff ff 44 0f 49 ce 48 8b 35 48 2f
      9c 00 48 89 77 58 e9 fe fe ff ff 0f 1f 80 00 00 00 00 41 89 d1 e9 ef fe
      ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 8d 42 ff 48
      [ 1035.684162] RIP  [<ffffffffba3a40d0>] dql_completed+0x180/0x190
      [ 1035.684162]  RSP <ffff8f5a75483e50>
      
      It's not the same as in 7fe0ee09 patch described.
      As 8139cp uses shared irq mode, other device irq will trigger
      cp_interrupt to execute.
      
      cp_change_mtu
       -> cp_close
       -> cp_open
      
      In cp_close routine  just before free_irq(), some interrupt may occur.
      In my environment, cp_interrupt exectutes and IntrStatus is 0x4,
      exactly TxOk. That will cause cp_tx to wake device queue.
      
      As device queue is started, cp_start_xmit and cp_open will run at same
      time which will cause kernel BUG.
      
      For example:
      [#] for tx descriptor
      
      At start:
      
      [#][#][#]
      num_queued=3
      
      After cp_init_hw->cp_start_hw->netdev_reset_queue:
      
      [#][#][#]
      num_queued=0
      
      When 8139cp starts to work then cp_tx will check
      num_queued mismatchs the complete_bytes.
      
      The patch will check IntrMask before check IntrStatus in cp_interrupt.
      When 8139cp interrupt is disabled, just return.
      Signed-off-by: 's avatarSu Yanjun <suyj.fnst@cn.fujitsu.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25a445d3
  2. 13 Dec, 2018 22 commits
    • Vasyl Vavrychuk's avatar
      mac80211_hwsim: Timer should be initialized before device registered · 3a492ce1
      Vasyl Vavrychuk authored
      commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
      
      Otherwise if network manager starts configuring Wi-Fi interface
      immidiatelly after getting notification of its creation, we will get
      NULL pointer dereference:
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
        ...
        Call Trace:
         [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
         [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
         [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
      
      Cc: stable@vger.kernel.org
      Signed-off-by: 's avatarVasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
      Signed-off-by: 's avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a492ce1
    • Macpaul Lin's avatar
      kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() · 6d861927
      Macpaul Lin authored
      commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
      
      This patch is trying to fix KE issue due to
      "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
      reported by Syzkaller scan."
      
      [26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
      [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
      [26364:syz-executor0]Call trace:
      [26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
      [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
      [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
      [26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
      [26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
      [26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
      [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
      [26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
      [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
      [26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
      [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
      [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
      [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
      [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
      [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
      [26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:report&]The buggy address belongs to the variable:
      [26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:report&]Memory state around the buggy address:
      [26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
      [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
      [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
      [26364:syz-executor0][name:report&]                                       ^
      [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
      [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
      [26364:syz-executor0]------------[cut here]------------
      
      After checking the source code, we've found there might be an out-of-bounds
      access to "config[len - 1]" array when the variable "len" is zero.
      Signed-off-by: 's avatarMacpaul Lin <macpaul@gmail.com>
      Acked-by: 's avatarDaniel Thompson <daniel.thompson@linaro.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d861927
    • Chanho Park's avatar
      tty: do not set TTY_IO_ERROR flag if console port · 9696ca90
      Chanho Park authored
      commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.
      
      Since Commit 761ed4a9 ('tty: serial_core: convert uart_close to use
      tty_port_close') and Commit 4dda864d ('tty: serial_core: Fix serial
      console crash on port shutdown), a serial port which is used as
      console can be stuck when logging out if there is a remained process.
      After logged out, agetty will try to grab the serial port but it will
      be failed because the previous process did not release the port
      correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
      tty_port_close if the port is console port.
      
      Reproduce step:
      - Run background processes from serial console
      $ while true; do sleep 10; done &
      
      - Log out
      $ logout
      -> Stuck
      
      - Read journal log by journalctl | tail
      Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
      Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
      Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
      
      Fixes: 761ed4a9 ("tty: serial_core: convert uart_close to use tty_port_close")
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: Rob Herring <robh@kernel.org>
      Cc: Jiri Slaby <jslaby@suse.com>
      Signed-off-by: 's avatarChanho Park <parkch98@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9696ca90
    • Peter Shih's avatar
      tty: serial: 8250_mtk: always resume the device in probe. · 32445bd5
      Peter Shih authored
      commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
      
      serial8250_register_8250_port calls uart_config_port, which calls
      config_port on the port before it tries to power on the port. So we need
      the port to be on before calling serial8250_register_8250_port. Change
      the code to always do a runtime resume in probe before registering port,
      and always do a runtime suspend in remove.
      
      This basically reverts the change in commit 68e5fc4a ("tty: serial:
      8250_mtk: use pm_runtime callbacks for enabling"), but still use
      pm_runtime callbacks.
      
      Fixes: 68e5fc4a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
      Signed-off-by: 's avatarPeter Shih <pihsun@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32445bd5
    • Young Xiao's avatar
      staging: rtl8712: Fix possible buffer overrun · 902d410d
      Young Xiao authored
      commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.
      
      In commit 8b7a13c3 ("staging: r8712u: Fix possible buffer
      overrun") we fix a potential off by one by making the limit smaller.
      The better fix is to make the buffer larger.  This makes it match up
      with the similar code in other drivers.
      
      Fixes: 8b7a13c3 ("staging: r8712u: Fix possible buffer overrun")
      Signed-off-by: 's avatarYoung Xiao <YangX92@hotmail.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: 's avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      902d410d
    • Greg Kroah-Hartman's avatar
      Staging: lustre: remove two build warnings · 2f5b7679
      Greg Kroah-Hartman authored
      [for older kernels only, lustre has been removed from upstream]
      
      When someone writes:
      	strncpy(dest, source, sizeof(source));
      they really are just doing the same thing as:
      	strcpy(dest, source);
      but somehow they feel better because they are now using the "safe"
      version of the string functions.  Cargo-cult programming at its
      finest...
      
      gcc-8 rightfully warns you about doing foolish things like this.  Now
      that the stable kernels are all starting to be built using gcc-8, let's
      get rid of this warning so that we do not have to gaze at this horror.
      
      To dropt the warning, just convert the code to using strcpy() so that if
      someone really wants to audit this code and find all of the obvious
      problems, it will be easier to do so.
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f5b7679
    • Stefan Hajnoczi's avatar
      vhost/vsock: fix use-after-free in network stack callers · 569fc4ff
      Stefan Hajnoczi authored
      [ Upstream commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 ]
      
      If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
      a struct vhost_vsock use-after-free is possible.  This occurs because
      .release() does not wait for other CPUs to stop using struct
      vhost_vsock.
      
      Switch to an RCU-enabled hashtable (indexed by guest CID) so that
      .release() can wait for other CPUs by calling synchronize_rcu().  This
      also eliminates vhost_vsock_lock acquisition in the data path so it
      could have a positive effect on performance.
      
      This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
      
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
      Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
      Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
      Signed-off-by: 's avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: 's avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: 's avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      569fc4ff
    • Gao feng's avatar
      vsock: lookup and setup guest_cid inside vhost_vsock_lock · 2d5a1b31
      Gao feng authored
      [ Upstream commit 6c083c2b ]
      
      Multi vsocks may setup the same cid at the same time.
      Signed-off-by: 's avatarGao feng <omarapazanadi@gmail.com>
      Signed-off-by: 's avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: 's avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      2d5a1b31
    • Jens Axboe's avatar
      sr: pass down correctly sized SCSI sense buffer · cb101349
      Jens Axboe authored
      commit f7068114d45ec55996b9040e98111afa56e010fe upstream.
      
      We're casting the CDROM layer request_sense to the SCSI sense
      buffer, but the former is 64 bytes and the latter is 96 bytes.
      As we generally allocate these on the stack, we end up blowing
      up the stack.
      
      Fix this by wrapping the scsi_execute() call with a properly
      sized sense buffer, and copying back the bits for the CDROM
      layer.
      Reported-by: 's avatarPiotr Gabriel Kosinski <pg.kosinski@gmail.com>
      Reported-by: 's avatarDaniel Shapira <daniel@twistlock.com>
      Tested-by: 's avatarKees Cook <keescook@chromium.org>
      Fixes: 82ed4db4 ("block: split scsi_request out of struct request")
      Signed-off-by: 's avatarJens Axboe <axboe@kernel.dk>
      [bwh: Despite what the "Fixes" field says, a buffer overrun was already
       possible if the sense data was really > 64 bytes long.
       Backported to 4.9:
       - We always need to allocate a sense buffer in order to call
         scsi_normalize_sense()
       - Remove the existing conditional heap-allocation of the sense buffer]
      Signed-off-by: 's avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      cb101349
    • Mathias Nyman's avatar
      xhci: Prevent U1/U2 link pm states if exit latency is too long · d65afda6
      Mathias Nyman authored
      commit 0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b upstream.
      
      Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
      reaches the service interval for a periodic endpoint.
      
      This is according to xhci 1.1 specification section 4.23.5.2 extra note:
      
      "Software shall ensure that a device is prevented from entering a U-state
       where its worst case exit latency approaches the ESIT."
      
      Allowing too long exit latencies for periodic endpoint confuses xHC
      internal scheduling, and new devices may fail to enumerate with a
      "Not enough bandwidth for new device state" error from the host.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d65afda6
    • Bin Liu's avatar
      dmaengine: cppi41: delete channel from pending list when stop channel · 1f717070
      Bin Liu authored
      commit 59861547ec9a9736e7882f6fb0c096a720ff811a upstream.
      
      The driver defines three states for a cppi channel.
      - idle: .chan_busy == 0 && not in .pending list
      - pending: .chan_busy == 0 && in .pending list
      - busy: .chan_busy == 1 && not in .pending list
      
      There are cases in which the cppi channel could be in the pending state
      when cppi41_dma_issue_pending() is called after cppi41_runtime_suspend()
      is called.
      
      cppi41_stop_chan() has a bug for these cases to set channels to idle state.
      It only checks the .chan_busy flag, but not the .pending list, then later
      when cppi41_runtime_resume() is called the channels in .pending list will
      be transitioned to busy state.
      
      Removing channels from the .pending list solves the problem.
      
      Fixes: 975faaeb ("dma: cppi41: start tear down only if channel is busy")
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: 's avatarBin Liu <b-liu@ti.com>
      Reviewed-by: 's avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: 's avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f717070
    • Halil Pasic's avatar
      virtio/s390: fix race in ccw_io_helper() · 95e3e514
      Halil Pasic authored
      commit 78b1a52e05c9db11d293342e8d6d8a230a04b4e7 upstream.
      
      While ccw_io_helper() seems like intended to be exclusive in a sense that
      it is supposed to facilitate I/O for at most one thread at any given
      time, there is actually nothing ensuring that threads won't pile up at
      vcdev->wait_q. If they do, all threads get woken up and see the status
      that belongs to some other request than their own. This can lead to bugs.
      For an example see:
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788432
      
      This race normally does not cause any problems. The operations provided
      by struct virtio_config_ops are usually invoked in a well defined
      sequence, normally don't fail, and are normally used quite infrequent
      too.
      
      Yet, if some of the these operations are directly triggered via sysfs
      attributes, like in the case described by the referenced bug, userspace
      is given an opportunity to force races by increasing the frequency of the
      given operations.
      
      Let us fix the problem by ensuring, that for each device, we finish
      processing the previous request before starting with a new one.
      Signed-off-by: 's avatarHalil Pasic <pasic@linux.ibm.com>
      Reported-by: 's avatarColin Ian King <colin.king@canonical.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-3-pasic@linux.ibm.com>
      Signed-off-by: 's avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: 's avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95e3e514
    • Halil Pasic's avatar
      virtio/s390: avoid race on vcdev->config · 92054f4d
      Halil Pasic authored
      commit 2448a299ec416a80f699940a86f4a6d9a4f643b1 upstream.
      
      Currently we have a race on vcdev->config in virtio_ccw_get_config() and
      in virtio_ccw_set_config().
      
      This normally does not cause problems, as these are usually infrequent
      operations. However, for some devices writing to/reading from the config
      space can be triggered through sysfs attributes. For these, userspace can
      force the race by increasing the frequency.
      Signed-off-by: 's avatarHalil Pasic <pasic@linux.ibm.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-2-pasic@linux.ibm.com>
      Signed-off-by: 's avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: 's avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      92054f4d
    • Mathias Payer's avatar
      USB: check usb_get_extra_descriptor for proper size · fe26b8d0
      Mathias Payer authored
      commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
      
      When reading an extra descriptor, we need to properly check the minimum
      and maximum size allowed, to prevent from invalid data being sent by a
      device.
      Reported-by: 's avatarHui Peng <benquike@gmail.com>
      Reported-by: 's avatarMathias Payer <mathias.payer@nebelwelt.net>
      Co-developed-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: 's avatarHui Peng <benquike@gmail.com>
      Signed-off-by: 's avatarMathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: 's avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: stable <stable@kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe26b8d0
    • Alexander Theissen's avatar
      usb: appledisplay: Add 27" Apple Cinema Display · c037e887
      Alexander Theissen authored
      commit d7859905301880ad3e16272399d26900af3ac496 upstream.
      
      Add another Apple Cinema Display to the list of supported displays.
      Signed-off-by: 's avatarAlexander Theissen <alex.theissen@me.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c037e887
    • Harry Pan's avatar
      usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device · 2457aa82
      Harry Pan authored
      commit 2f2dde6ba89b1ef1fe23c1138131b315d9aa4019 upstream.
      
      Some lower volume SanDisk Ultra Flair in 16GB, which the VID:PID is
      in 0781:5591, will aggressively request LPM of U1/U2 during runtime,
      when using this thumb drive as the OS installation key we found the
      device will generate failure during U1 exit path making it dropped
      from the USB bus, this causes a corrupted installation in system at
      the end.
      
      i.e.,
      [  166.918296] hub 2-0:1.0: state 7 ports 7 chg 0000 evt 0004
      [  166.918327] usb usb2-port2: link state change
      [  166.918337] usb usb2-port2: do warm reset
      [  166.970039] usb usb2-port2: not warm reset yet, waiting 50ms
      [  167.022040] usb usb2-port2: not warm reset yet, waiting 200ms
      [  167.276043] usb usb2-port2: status 02c0, change 0041, 5.0 Gb/s
      [  167.276050] usb 2-2: USB disconnect, device number 2
      [  167.276058] usb 2-2: unregistering device
      [  167.276060] usb 2-2: unregistering interface 2-2:1.0
      [  167.276170] xhci_hcd 0000:00:15.0: shutdown urb ffffa3c7cc695cc0 ep1in-bulk
      [  167.284055] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
      [  167.284064] sd 0:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 33 04 90 00 01 00 00
      ...
      
      Analyzed the USB trace in the link layer we realized it is because
      of the 6-ms timer of tRecoveryConfigurationTimeout which documented
      on the USB 3.2 Revision 1.0, the section 7.5.10.4.2 of "Exit from
      Recovery.Configuration"; device initiates U1 exit -> Recovery.Active
      -> Recovery.Configuration, then the host timer timeout makes the link
      transits to eSS.Inactive -> Rx.Detect follows by a Warm Reset.
      
      Interestingly, the other higher volume of SanDisk Ultra Flair sharing
      the same VID:PID, such as 64GB, would not request LPM during runtime,
      it sticks at U0 always, thus disabling LPM does not affect those thumb
      drives at all.
      
      The same odd occures in SanDisk Ultra Fit 16GB, VID:PID in 0781:5583.
      Signed-off-by: 's avatarHarry Pan <harry.pan@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2457aa82
    • Yangtao Li's avatar
      net: amd: add missing of_node_put() · 52c87255
      Yangtao Li authored
      [ Upstream commit c44c749d3b6fdfca39002e7e48e03fe9f9fe37a3 ]
      
      of_find_node_by_path() acquires a reference to the node
      returned by it and that reference needs to be dropped by its caller.
      This place doesn't do that, so fix it.
      Signed-off-by: 's avatarYangtao Li <tiny.windzz@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      52c87255
    • Hangbin Liu's avatar
      team: no need to do team_notify_peers or team_mcast_rejoin when disabling port · 1c0d7303
      Hangbin Liu authored
      [ Upstream commit 5ed9dc99107144f83b6c1bb52a69b58875baf540 ]
      
      team_notify_peers() will send ARP and NA to notify peers. team_mcast_rejoin()
      will send multicast join group message to notify peers. We should do this when
      enabling/changed to a new port. But it doesn't make sense to do it when a port
      is disabled.
      
      On the other hand, when we set mcast_rejoin_count to 2, and do a failover,
      team_port_disable() will increase mcast_rejoin.count_pending to 2 and then
      team_port_enable() will increase mcast_rejoin.count_pending to 4. We will send
      4 mcast rejoin messages at latest, which will make user confused. The same
      with notify_peers.count.
      
      Fix it by deleting team_notify_peers() and team_mcast_rejoin() in
      team_port_disable().
      Reported-by: 's avatarLiang Li <liali@redhat.com>
      Fixes: fc423ff0 ("team: add peer notification")
      Fixes: 492b200e ("team: add support for sending multicast rejoins")
      Signed-off-by: 's avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      1c0d7303
    • Pan Bian's avatar
      iommu/vt-d: Use memunmap to free memremap · 782d0b84
      Pan Bian authored
      [ Upstream commit 829383e183728dec7ed9150b949cd6de64127809 ]
      
      memunmap() should be used to free the return of memremap(), not
      iounmap().
      
      Fixes: dfddb969 ('iommu/vt-d: Switch from ioremap_cache to memremap')
      Signed-off-by: 's avatarPan Bian <bianpan2016@163.com>
      Signed-off-by: 's avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      782d0b84
    • Vincent Chen's avatar
      net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts · 94d9befe
      Vincent Chen authored
      [ Upstream commit 426a593e641ebf0d9288f0a2fcab644a86820220 ]
      
      In the original ftmac100_interrupt(), the interrupts are only disabled when
      the condition "netif_running(netdev)" is true. However, this condition
      causes kerenl hang in the following case. When the user requests to
      disable the network device, kernel will clear the bit __LINK_STATE_START
      from the dev->state and then call the driver's ndo_stop function. Network
      device interrupts are not blocked during this process. If an interrupt
      occurs between clearing __LINK_STATE_START and stopping network device,
      kernel cannot disable the interrupts due to the condition
      "netif_running(netdev)" in the ISR. Hence, kernel will hang due to the
      continuous interruption of the network device.
      
      In order to solve the above problem, the interrupts of the network device
      should always be disabled in the ISR without being restricted by the
      condition "netif_running(netdev)".
      
      [V2]
      Remove unnecessary curly braces.
      Signed-off-by: 's avatarVincent Chen <vincentc@andestech.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      94d9befe
    • Olof Johansson's avatar
      mtd: rawnand: qcom: Namespace prefix some commands · fc70b21f
      Olof Johansson authored
      [ Upstream commit 33bf5519ae5dd356b182a94e3622f42860274a38 ]
      
      PAGE_READ is used by RISC-V arch code included through mm headers,
      and it makes sense to bring in a prefix on these in the driver.
      
      drivers/mtd/nand/raw/qcom_nandc.c:153: warning: "PAGE_READ" redefined
       #define PAGE_READ   0x2
      In file included from include/linux/memremap.h:7,
                       from include/linux/mm.h:27,
                       from include/linux/scatterlist.h:8,
                       from include/linux/dma-mapping.h:11,
                       from drivers/mtd/nand/raw/qcom_nandc.c:17:
      arch/riscv/include/asm/pgtable.h:48: note: this is the location of the previous definition
      
      Caught by riscv allmodconfig.
      Signed-off-by: 's avatarOlof Johansson <olof@lixom.net>
      Reviewed-by: 's avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: 's avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      fc70b21f
    • Aya Levin's avatar
      net/mlx4: Fix UBSAN warning of signed integer overflow · 89860d2c
      Aya Levin authored
      [ Upstream commit a463146e67c848cbab5ce706d6528281b7cded08 ]
      
      UBSAN: Undefined behavior in
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:626:29
      signed integer overflow: 1802201963 + 1802201963 cannot be represented
      in type 'int'
      
      The union of res_reserved and res_port_rsvd[MLX4_MAX_PORTS] monitors
      granting of reserved resources. The grant operation is calculated and
      protected, thus both members of the union cannot be negative.  Changed
      type of res_reserved and of res_port_rsvd[MLX4_MAX_PORTS] from signed
      int to unsigned int, allowing large value.
      
      Fixes: 5a0d0a61 ("mlx4: Structures and init/teardown for VF resource quotas")
      Signed-off-by: 's avatarAya Levin <ayal@mellanox.com>
      Signed-off-by: 's avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
      89860d2c