1. 02 Apr, 2018 6 commits
  2. 31 Mar, 2018 1 commit
    • Chris Chiu's avatar
      ACPI / PM: Fix keyboard wakeup from suspend-to-idle on ASUS UX331UA · 6f1d7c45
      Chris Chiu authored
      
      
      This issue happens on new ASUS laptop UX331UA which has modern
      standby mode (suspend-to-idle). Pressing keys on the PS2 keyboard
      can't wake up the system from suspend-to-idle which is not expected.
      However, pressing power button can wake up without problem.
      
      Per the engineers of ASUS, the keypress event is routed to Embedded
      Controller (EC) in standby mode. EC then signals the SCI event to
      BIOS so BIOS would Notify() power button to wake up the system. It's
      from BIOS perspective. What we observe here is that kernel receives
      the SCI event from SCI interrupt handler which informs that the GPE
      status bit belongs to EC needs to be handled and then queries the EC
      to find out what event is pending. Then execute the following ACPI
      _QDF method which defined in ACPI DSDT for EC to notify power button.
      
       Method (_QDF, 0, NotSerialized)  // _Qxx: EC Query
              {
                  Notify (PWRB, 0x80) // Status Change
              }
      
      With more debug messages added to analyze this problem, we find that
      the keypress does wake up the system from suspend-to-idle but it's back
      to suspend again almost immediately. As we see in the following messages,
      the acpi_button_notify() is invoked but acpi_pm_wakeup_event() can not
      really wake up the system here because acpi_s2idle_wakeup() is false.
      The acpi_s2idle_wakeup() returnd false because the acpi_s2idle_sync() has
      alrealdy exited.
      
      [   52.987048] s2idle_loop going s2idle
      [   59.713392] acpi_s2idle_wake enter
      [   59.713394] acpi_s2idle_wake exit
      [   59.760888] acpi_ev_gpe_detect enter
      [   59.760893] acpi_s2idle_sync enter
      [   59.760893] acpi_ec_query_flushed ec pending queries 0
      [   59.760953] Read registers for GPE 50-57: Status=01, Enable=01, RunEnable=01, WakeEnable=00
      [   59.760955] ACPI: EC: ===== IRQ (1) =====
      [   59.760972] ACPI: EC: EC_SC(R) = 0x28 SCI_EVT=1 BURST=0 CMD=1 IBF=0 OBF=0
      [   59.760979] ACPI: EC: +++++ Polling enabled +++++
      [   59.760979] ACPI: EC: ##### Command(QR_EC) submitted/blocked #####
      [   59.761003] acpi_s2idle_sync exit
      [   59.769587] ACPI: EC: ##### Query(0xdf) started #####
      [   59.769611] ACPI: EC: ##### Query(0xdf) stopped #####
      [   59.774154] acpi_button_notify button type 1
      [   59.813175] s2idle_loop going s2idle
      
      acpi_s2idle_sync() already makes an effort to flush the EC event
      queue, but in this case, the EC event has yet to be generated when
      the call to acpi_ec_flush_work() is made. The event is generated
      shortly after, through the ongoing handling of the SCI interrupt
      which is happening on another CPU, and we must synchronize that
      to make sure that it has run and completed. Adding another call to
      acpi_os_wait_events_complete() solves this issue, since that
      function synchronizes with SCI interrupt completion.
      Signed-off-by: default avatarChris Chiu <chiu@endlessm.com>
      [ rjw: Subject ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      6f1d7c45
  3. 30 Mar, 2018 6 commits
  4. 29 Mar, 2018 12 commits
  5. 28 Mar, 2018 4 commits
  6. 27 Mar, 2018 11 commits
    • Colin Ian King's avatar
      RDMA/hns: ensure for-loop actually iterates and free's buffers · 38759d61
      Colin Ian King authored
      The current for-loop zeros variable i and only loops once, hence
      not all the buffers are free'd.  Fix this by setting i correctly.
      
      Detected by CoverityScan, CID#1463415 ("Operands don't affect result")
      
      Fixes: a5073d60
      
       ("RDMA/hns: Add eq support of hip08")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      38759d61
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device exists prior to accessing it · c8d3bcbf
      Leon Romanovsky authored
      Ensure that device exists prior to accessing its properties.
      
      Reported-by: <syzbot+71655d44855ac3e76366@syzkaller.appspotmail.com>
      Fixes: 75216638
      
       ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      c8d3bcbf
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device is connected prior to access it · 4b658d1b
      Leon Romanovsky authored
      Add missing check that device is connected prior to access it.
      
      [   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
      [   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
      [   55.360255]
      [   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b #91
      [   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   55.363264] Call Trace:
      [   55.363833]  dump_stack+0x5c/0x77
      [   55.364215]  kasan_report+0x163/0x380
      [   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
      [   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
      [   55.366410]  ucma_init_qp_attr+0x111/0x200
      [   55.366846]  ? ucma_notify+0xf0/0xf0
      [   55.367405]  ? _get_random_bytes+0xea/0x1b0
      [   55.367846]  ? urandom_read+0x2f0/0x2f0
      [   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
      [   55.369104]  ? refcount_inc_not_zero+0x9/0x60
      [   55.369583]  ? refcount_inc+0x5/0x30
      [   55.370155]  ? rdma_create_id+0x215/0x240
      [   55.370937]  ? _copy_to_user+0x4f/0x60
      [   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
      [   55.372127]  ? _copy_from_user+0x5e/0x90
      [   55.372720]  ucma_write+0x174/0x1f0
      [   55.373090]  ? ucma_close_id+0x40/0x40
      [   55.373805]  ? __lru_cache_add+0xa8/0xd0
      [   55.374403]  __vfs_write+0xc4/0x350
      [   55.374774]  ? kernel_read+0xa0/0xa0
      [   55.375173]  ? fsnotify+0x899/0x8f0
      [   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
      [   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   55.377522]  ? handle_mm_fault+0x174/0x320
      [   55.378169]  vfs_write+0xf7/0x280
      [   55.378864]  SyS_write+0xa1/0x120
      [   55.379270]  ? SyS_read+0x120/0x120
      [   55.379643]  ? mm_fault_error+0x180/0x180
      [   55.380071]  ? task_work_run+0x7d/0xd0
      [   55.380910]  ? __task_pid_nr_ns+0x120/0x140
      [   55.381366]  ? SyS_read+0x120/0x120
      [   55.381739]  do_syscall_64+0xeb/0x250
      [   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   55.382841] RIP: 0033:0x7fc2ef803e99
      [   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
      [   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
      [   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
      [   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
      [   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
      [   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
      [   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
      8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
      48 89 04 24 e8 3a 4f 1e ff 48
      [   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
      [   55.532648] CR2: 00000000000000b0
      [   55.534396] ---[ end trace 70cee64090251c0b ]---
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Fixes: d541e455
      
       ("IB/core: Convert ah_attr from OPA to IB when copying to user")
      Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      4b658d1b
    • Jason Gunthorpe's avatar
      RDMA/rdma_cm: Fix use after free race with process_one_req · 9137108c
      Jason Gunthorpe authored
      process_one_req() can race with rdma_addr_cancel():
      
                 CPU0                                 CPU1
                 ====                                 ====
       process_one_work()
        debug_work_deactivate(work);
        process_one_req()
                                              rdma_addr_cancel()
      	                                  mutex_lock(&lock);
       			    	           set_timeout(&req->work,..);
                                                    __queue_work()
      				   	       debug_work_activate(work);
      	                                  mutex_unlock(&lock);
      
         mutex_lock(&lock);
      [..]
      	list_del(&req->list);
         mutex_unlock(&lock);
      [..]
      
         // ODEBUG explodes since the work is still queued.
         kfree(req);
      
      Causing ODEBUG to detect the use after free:
      
      ODEBUG: free active (active state 0) object type: work_struct hint: process_one_req+0x0/0x6c0 include/net/dst.h:165
      WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 lib/debugobjects.c:288
      kvm: emulating exchange as write
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ib_addr process_one_req
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x24d lib/dump_stack.c:53
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1dc/0x200 kernel/panic.c:547
       report_bug+0x1f4/0x2b0 lib/bug.c:186
       fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
       fixup_bug arch/x86/kernel/traps.c:247 [inline]
       do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
       invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
      RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
      RSP: 0000:ffff8801d966f210 EFLAGS: 00010086
      RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815acd6e
      RDX: 0000000000000000 RSI: 1ffff1003b2cddf2 RDI: 0000000000000000
      RBP: ffff8801d966f250 R08: 0000000000000000 R09: 1ffff1003b2cddc8
      R10: ffffed003b2cde71 R11: ffffffff86f39a98 R12: 0000000000000001
      R13: ffffffff86f15540 R14: ffffffff86408700 R15: ffffffff8147c0a0
       __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
       debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
       kfree+0xc7/0x260 mm/slab.c:3799
       process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
       process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
       worker_thread+0x223/0x1990 kernel/workqueue.c:2247
       kthread+0x33c/0x400 kernel/kthread.c:238
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
      
      Fixes: 5fff41e1
      
       ("IB/core: Fix race condition in resolving IP to MAC")
      Reported-by: <syzbot+3b4acab09b6463472d0a@syzkaller.appspotmail.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      9137108c
    • Manish Chopra's avatar
      qede: Fix barrier usage after tx doorbell write. · b9fc828d
      Manish Chopra authored
      Since commit c5ad119f
      
      
      ("net: sched: pfifo_fast use skb_array") driver is exposed
      to an issue where it is hitting NULL skbs while handling TX
      completions. Driver uses mmiowb() to flush the writes to the
      doorbell bar which is a write-combined bar, however on x86
      mmiowb() does not flush the write combined buffer.
      
      This patch fixes this problem by replacing mmiowb() with wmb()
      after the write combined doorbell write so that writes are
      flushed and synchronized from more than one processor.
      
      V1->V2:
      -------
      This patch was marked as "superseded" in patchwork.
      (Not really sure for what reason).Resending it as v2.
      Signed-off-by: default avatarAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarManish Chopra <manish.chopra@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b9fc828d
    • Jason Wang's avatar
      vhost: correctly remove wait queue during poll failure · dc6455a7
      Jason Wang authored
      We tried to remove vq poll from wait queue, but do not check whether
      or not it was in a list before. This will lead double free. Fixing
      this by switching to use vhost_poll_stop() which zeros poll->wqh after
      removing poll from waitqueue to make sure it won't be freed twice.
      
      Cc: Darren Kenny <darren.kenny@oracle.com>
      Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
      Fixes: 2b8b328b
      
       ("vhost_net: handle polling errors when setting backend")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Reviewed-by: default avatarDarren Kenny <darren.kenny@oracle.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc6455a7
    • Moshe Shemesh's avatar
      net/mlx4_core: Fix memory leak while delete slave's resources · 461d5f1b
      Moshe Shemesh authored
      mlx4_delete_all_resources_for_slave in resource tracker should free all
      memory allocated for a slave.
      While releasing memory of fs_rule, it misses releasing memory of
      fs_rule->mirr_mbox.
      
      Fixes: 78efed27
      
       ('net/mlx4_core: Support mirroring VF DMFS rules on both ports')
      Signed-off-by: default avatarMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      461d5f1b
    • Eran Ben Elisha's avatar
      net/mlx4_en: Fix mixed PFC and Global pause user control requests · 6e8814ce
      Eran Ben Elisha authored
      Global pause and PFC configuration should be mutually exclusive (i.e. only
      one of them at most can be set). However, once PFC was turned off,
      driver automatically turned Global pause on. This is a bug.
      
      Fix the driver behaviour to turn off PFC/Global once the user turned the
      other on.
      
      This also fixed a weird behaviour that at a current time, the profile
      had both PFC and global pause configuration turned on, which is
      Hardware-wise impossible and caused returning false positive indication
      to query tools.
      
      In addition, fix error code when setting global pause or PFC to change
      metadata only upon successful change.
      
      Also, removed useless debug print.
      
      Fixes: af7d5185 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
      Fixes: c27a02cd
      
       ("mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e8814ce
    • Heiner Kallweit's avatar
      r8169: fix setting driver_data after register_netdev · 19c9ea36
      Heiner Kallweit authored
      
      
      pci_set_drvdata() is called only after registering the net_device,
      therefore we could run into a NPE if one of the functions using
      driver_data is called before it's set.
      
      Fix this by calling pci_set_drvdata() before registering the
      net_device.
      
      This fix is a candidate for stable. As far as I can see the
      bug has been there in kernel version 3.2 already, therefore
      I can't provide a reference which commit is fixed by it.
      
      The fix may need small adjustments per kernel version because
      due to other changes the label which is jumped to if
      register_netdev() fails has changed over time.
      Reported-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      19c9ea36
    • Giuseppe Lippolis's avatar
      net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 · d4c4bc11
      Giuseppe Lippolis authored
      
      
      This modem is embedded on dlink dwr-921 router.
          The oem configuration states:
      
          T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
          D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
          P:  Vendor=1435 ProdID=0918 Rev= 2.32
          S:  Manufacturer=Android
          S:  Product=Android
          S:  SerialNumber=0123456789ABCDEF
          C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
          I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
          E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
          E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
          E:  Ad=84(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
          E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
          E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
          E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
          E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
          E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
          E:  Ad=8a(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
          E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          I:* If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
          E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
          E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
      
      Tested on openwrt distribution
      Signed-off-by: default avatarGiuseppe Lippolis <giu.lippolis@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d4c4bc11
    • Andy Shevchenko's avatar
      firmware/dmi_scan: Uninline dmi_get_bios_year() helper · 3af34525
      Andy Shevchenko authored
      
      
      Uninline dmi_get_bios_year() which, in particular, allows us
      to optimize it in the future.
      
      While doing this, convert the function to return an error code
      when BIOS date is not present or not parsable, or CONFIG_DMI=n.
      
      Additionally, during the move, add a bit of documentation.
      Suggested-by: default avatarBjorn Helgaas <helgaas@kernel.org>
      Suggested-by: default avatarRafael J. Wysocki <rafael@kernel.org>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Reviewed-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Lukas Wunner <lukas@wunner.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J . Wysocki <rjw@rjwysocki.net>
      Cc: linux-acpi@vger.kernel.org
      Cc: linux-pci@vger.kernel.org
      Fixes: 492a1abd
      
       ("dmi: Introduce the dmi_get_bios_year() helper function")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      3af34525