05 Sep, 2018 (40 commits)
    • scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock · 9558fc1b
      Bart Van Assche authored
      commit 0ee223b2 upstream.
      
      A long time ago the unfortunate decision was taken to add a self-deletion
      attribute to the sysfs SCSI device directory. That decision was unfortunate
      because self-deletion is really tricky. We can't drop that attribute
      because widely used user space software depends on it, namely the
      rescan-scsi-bus.sh script. Hence this patch, which prevents writes to
      that attribute from triggering a deadlock. See also commit 7973cbd9fbd9 ("[PATCH]
      add sysfs attributes to scan and delete scsi_devices").
      
      This patch prevents self-removal from triggering the following deadlock:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.18.0-rc2-dbg+ #5 Not tainted
      ------------------------------------------------------
      modprobe/6539 is trying to acquire lock:
      000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90
      
      but task is already holding lock:
      00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&shost->scan_mutex){+.+.}:
             __mutex_lock+0xfe/0xc70
             mutex_lock_nested+0x1b/0x20
             scsi_remove_device+0x26/0x40 [scsi_mod]
             sdev_store_delete+0x27/0x30 [scsi_mod]
             dev_attr_store+0x3e/0x50
             sysfs_kf_write+0x87/0xa0
             kernfs_fop_write+0x190/0x230
             __vfs_write+0xd2/0x3b0
             vfs_write+0x101/0x270
             ksys_write+0xab/0x120
             __x64_sys_write+0x43/0x50
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      -> #0 (kn->count#202){++++}:
             lock_acquire+0xd2/0x260
             __kernfs_remove+0x424/0x4a0
             kernfs_remove_by_name_ns+0x45/0x90
             remove_files.isra.1+0x3a/0x90
             sysfs_remove_group+0x5c/0xc0
             sysfs_remove_groups+0x39/0x60
             device_remove_attrs+0x82/0xb0
             device_del+0x251/0x580
             __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
             scsi_forget_host+0x37/0xb0 [scsi_mod]
             scsi_remove_host+0x9b/0x150 [scsi_mod]
             sdebug_driver_remove+0x4b/0x150 [scsi_debug]
             device_release_driver_internal+0x241/0x360
             device_release_driver+0x12/0x20
             bus_remove_device+0x1bc/0x290
             device_del+0x259/0x580
             device_unregister+0x1a/0x70
             sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
             scsi_debug_exit+0x76/0xe8 [scsi_debug]
             __x64_sys_delete_module+0x1c1/0x280
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&shost->scan_mutex);
                                     lock(kn->count#202);
                                     lock(&shost->scan_mutex);
        lock(kn->count#202);
      
       *** DEADLOCK ***
      
      2 locks held by modprobe/6539:
       #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360
       #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      stack backtrace:
      CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0xa4/0xf5
       print_circular_bug.isra.34+0x213/0x221
       __lock_acquire+0x1a7e/0x1b50
       lock_acquire+0xd2/0x260
       __kernfs_remove+0x424/0x4a0
       kernfs_remove_by_name_ns+0x45/0x90
       remove_files.isra.1+0x3a/0x90
       sysfs_remove_group+0x5c/0xc0
       sysfs_remove_groups+0x39/0x60
       device_remove_attrs+0x82/0xb0
       device_del+0x251/0x580
       __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
       scsi_forget_host+0x37/0xb0 [scsi_mod]
       scsi_remove_host+0x9b/0x150 [scsi_mod]
       sdebug_driver_remove+0x4b/0x150 [scsi_debug]
       device_release_driver_internal+0x241/0x360
       device_release_driver+0x12/0x20
       bus_remove_device+0x1bc/0x290
       device_del+0x259/0x580
       device_unregister+0x1a/0x70
       sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
       scsi_debug_exit+0x76/0xe8 [scsi_debug]
       __x64_sys_delete_module+0x1c1/0x280
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html.
      
      Fixes: ac0ece91 ("scsi: use device_remove_file_self() instead of device_schedule_callback()")
      Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: Tejun Heo <tj@kernel.org>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    • scsi: sysfs: Introduce sysfs_{un,}break_active_protection() · 807d1d29
      Bart Van Assche authored
      commit 2afc9166 upstream.
      
      Introduce these two functions and export them such that the next patch
      can add calls to these functions from the SCSI core.
      Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
      Acked-by: Tejun Heo <tj@kernel.org>
      Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: mpt3sas: Fix _transport_smp_handler() error path · 373a1411
      Bart Van Assche authored
      commit 91b7bdb2 upstream.
      
      This patch prevents smatch from complaining about a double unlock on
      ioc->transport_cmds.mutex.
      
      Fixes: 651a0136 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough")
      Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Sathya Prakash <sathya.prakash@broadcom.com>
      Cc: Chaitra P B <chaitra.basappa@broadcom.com>
      Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: mpt3sas: Fix calltrace observed while running IO & reset · 8039fa72
      Sreekanth Reddy authored
      commit e7018314 upstream.
      
      The kernel BUG below was observed while running IOs with host reset (issued
      from an application):
      
      mpt3sas_cm0: diag reset: SUCCESS
      ------------[ cut here ]------------
      WARNING: CPU: 12 PID: 4336 at drivers/scsi/mpt3sas/mpt3sas_base.c:3282 mpt3sas_base_clear_st+0x3d/0x40 [mpt3sas]
      Modules linked in: macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support
       dcdbas pcspkr joydev ipmi_ssif ses enclosure sg ipmi_devintf acpi_pad ipmi_msghandler acpi_power_meter mei_me lpc_ich wmi mei shpchp ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi uas usb_storage mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix mpt3sas libata crct10dif_pclmul crct10dif_common tg3 crc32c_intel i2c_core raid_class ptp scsi_transport_sas pps_core dm_mirror dm_region_hash dm_log dm_mod
      CPU: 12 PID: 4336 Comm: python Kdump: loaded Tainted: G        W      ------------   3.10.0-875.el7.brdc.x86_64 #1
      Hardware name: Dell Inc. PowerEdge R820/0YWR73, BIOS 1.5.0 03/08/2013
      Call Trace:
       [<ffffffff9cf16583>] dump_stack+0x19/0x1b
       [<ffffffff9c891698>] __warn+0xd8/0x100
       [<ffffffff9c8917dd>] warn_slowpath_null+0x1d/0x20
       [<ffffffffc04f3f4d>] mpt3sas_base_clear_st+0x3d/0x40 [mpt3sas]
       [<ffffffffc05047d2>] _scsih_flush_running_cmds+0x92/0xe0 [mpt3sas]
       [<ffffffffc05095db>] mpt3sas_scsih_reset_handler+0x43b/0xaf0 [mpt3sas]
       [<ffffffff9c894829>] ? vprintk_default+0x29/0x40
       [<ffffffff9cf10531>] ? printk+0x60/0x77
       [<ffffffffc04f06c8>] ? _base_diag_reset+0x238/0x340 [mpt3sas]
       [<ffffffffc04f794d>] mpt3sas_base_hard_reset_handler+0x1ad/0x420 [mpt3sas]
       [<ffffffffc05132b9>] _ctl_ioctl_main.isra.12+0x11b9/0x1200 [mpt3sas]
       [<ffffffffc068d585>] ? xfs_file_aio_write+0x155/0x1b0 [xfs]
       [<ffffffff9ca1a4e3>] ? do_sync_write+0x93/0xe0
       [<ffffffffc051337a>] _ctl_ioctl+0x1a/0x20 [mpt3sas]
       [<ffffffff9ca2fe90>] do_vfs_ioctl+0x350/0x560
       [<ffffffff9ca1dec1>] ? __sb_end_write+0x31/0x60
       [<ffffffff9ca30141>] SyS_ioctl+0xa1/0xc0
       [<ffffffff9cf28715>] ? system_call_after_swapgs+0xa2/0x146
       [<ffffffff9cf287d5>] system_call_fastpath+0x1c/0x21
       [<ffffffff9cf28721>] ? system_call_after_swapgs+0xae/0x146
      ---[ end trace 5dac5b98d89aaa3c ]---
      ------------[ cut here ]------------
      kernel BUG at block/blk-core.c:1476!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support
       dcdbas pcspkr joydev ipmi_ssif ses enclosure sg ipmi_devintf acpi_pad ipmi_msghandler acpi_power_meter mei_me lpc_ich wmi mei shpchp ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi uas usb_storage mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix mpt3sas libata crct10dif_pclmul crct10dif_common tg3 crc32c_intel i2c_core raid_class ptp scsi_transport_sas pps_core dm_mirror dm_region_hash dm_log dm_mod
      CPU: 12 PID: 4336 Comm: python Kdump: loaded Tainted: G        W      ------------   3.10.0-875.el7.brdc.x86_64 #1
      Hardware name: Dell Inc. PowerEdge R820/0YWR73, BIOS 1.5.0 03/08/2013
      task: ffff903fc96e0fd0 ti: ffff903fb1eec000 task.ti: ffff903fb1eec000
      RIP: 0010:[<ffffffff9cb19ec0>]  [<ffffffff9cb19ec0>] blk_requeue_request+0x90/0xa0
      RSP: 0018:ffff903c6b783dc0  EFLAGS: 00010087
      RAX: ffff903bb67026d0 RBX: ffff903b7d6a6140 RCX: dead000000000200
      RDX: ffff903bb67026d0 RSI: ffff903bb6702580 RDI: ffff903bb67026d0
      RBP: ffff903c6b783dd8 R08: ffff903bb67026d0 R09: ffffd97e80000000
      R10: ffff903c658bac00 R11: 0000000000000000 R12: ffff903bb6702580
      R13: ffff903fa9a292f0 R14: 0000000000000246 R15: 0000000000001057
      FS:  00007f7026f5b740(0000) GS:ffff903c6b780000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f298877c004 CR3: 00000000caf36000 CR4: 00000000000607e0
      Call Trace:
       <IRQ>
       [<ffffffff9cca68ff>] __scsi_queue_insert+0xbf/0x110
       [<ffffffff9cca79ca>] scsi_io_completion+0x5da/0x6a0
       [<ffffffff9cc9ca3c>] scsi_finish_command+0xdc/0x140
       [<ffffffff9cca6aa2>] scsi_softirq_done+0x132/0x160
       [<ffffffff9cb240c6>] blk_done_softirq+0x96/0xc0
       [<ffffffff9c89a905>] __do_softirq+0xf5/0x280
       [<ffffffff9cf2bd2c>] call_softirq+0x1c/0x30
       [<ffffffff9c82d625>] do_softirq+0x65/0xa0
       [<ffffffff9c89ac85>] irq_exit+0x105/0x110
       [<ffffffff9cf2d0a8>] smp_apic_timer_interrupt+0x48/0x60
       [<ffffffff9cf297f2>] apic_timer_interrupt+0x162/0x170
       <EOI>
       [<ffffffff9cca5f41>] ? scsi_done+0x21/0x60
       [<ffffffff9cb5ac18>] ? delay_tsc+0x38/0x60
       [<ffffffff9cb5ab5d>] __const_udelay+0x2d/0x30
       [<ffffffffc04effde>] _base_handshake_req_reply_wait+0x8e/0x4a0 [mpt3sas]
       [<ffffffffc04f0b13>] _base_get_ioc_facts+0x123/0x590 [mpt3sas]
       [<ffffffffc04f06c8>] ? _base_diag_reset+0x238/0x340 [mpt3sas]
       [<ffffffffc04f7993>] mpt3sas_base_hard_reset_handler+0x1f3/0x420 [mpt3sas]
       [<ffffffffc05132b9>] _ctl_ioctl_main.isra.12+0x11b9/0x1200 [mpt3sas]
       [<ffffffffc068d585>] ? xfs_file_aio_write+0x155/0x1b0 [xfs]
       [<ffffffff9ca1a4e3>] ? do_sync_write+0x93/0xe0
       [<ffffffffc051337a>] _ctl_ioctl+0x1a/0x20 [mpt3sas]
       [<ffffffff9ca2fe90>] do_vfs_ioctl+0x350/0x560
       [<ffffffff9ca1dec1>] ? __sb_end_write+0x31/0x60
       [<ffffffff9ca30141>] SyS_ioctl+0xa1/0xc0
       [<ffffffff9cf28715>] ? system_call_after_swapgs+0xa2/0x146
       [<ffffffff9cf287d5>] system_call_fastpath+0x1c/0x21
       [<ffffffff9cf28721>] ? system_call_after_swapgs+0xae/0x146
      Code: 83 c3 10 4c 89 e2 4c 89 ee e8 8d 21 04 00 48 8b 03 48 85 c0 75 e5 41 f6 44 24 4a 10 74 ad 4c 89 e6 4c 89 ef e8 b2 42 00 00 eb a0 <0f> 0b 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
      RIP  [<ffffffff9cb19ec0>] blk_requeue_request+0x90/0xa0
       RSP <ffff903c6b783dc0>
      
      As a part of the host reset operation, the driver flushes out all IOs outstanding
      at driver level with the "DID_RESET" result.  To find which commands are
      outstanding at the driver level, the driver loops with smid starting from one
      to the HBA queue depth and calls mpt3sas_scsih_scsi_lookup_get() to get the scmd, as
      shown below:
      
       for (smid = 1; smid <= ioc->scsiio_depth; smid++) {
                      scmd = mpt3sas_scsih_scsi_lookup_get(ioc, smid);
                      if (!scmd)
                              continue;
      
      But in the mpt3sas_scsih_scsi_lookup_get() function, the driver returns some scsi
      cmnds which are not outstanding at the driver level (possibly the request is
      constructed at the block layer since QUEUE_FLAG_QUIESCED is not set. Even if the
      driver uses scsi_block_requests and scsi_unblock_requests, the issue still
      persists as they will just be blocking further IO from the scsi layer and not
      from the block layer) and these commands are flushed with DID_RESET host bytes,
      thus resulting in the above kernel BUG.
      
      This issue got introduced by commit dbec4c90 ("scsi: mpt3sas: lockless
      command submission").
      
      To fix this issue, we have modified mpt3sas_scsih_scsi_lookup_get() to
      check whether smid equals zero (note: whenever any scsi cmnd is being processed
      at the driver level, the smid for that scsi cmnd will be non-zero; it always
      starts from one) before it returns the scmd pointer to the caller. If
      smid is zero then this function returns a NULL scmd pointer and the driver
      won't flush out those scsi cmnds at driver level with the DID_RESET host byte,
      so this issue will not be observed.
      
      [mkp: amended with updated fix from Sreekanth]
      Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
      Fixes: dbec4c90 ("scsi: mpt3sas: lockless command submission")
      Cc: stable@vger.kernel.org # v4.16+
      Reviewed-by: Tomas Henzl <thenzl@redhat.com>
      Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tpm: separate cmd_ready/go_idle from runtime_pm · 7624ac87
      Tomas Winkler authored
      commit 627448e8 upstream.
      
      Fix tpm ptt initialization error:
      tpm tpm0: A TPM error (378) occurred get tpm pcr allocation.
      
      We cannot use the go_idle and cmd_ready commands via runtime_pm handles,
      as with the introduction of localities this is no longer an optional
      feature, while runtime pm may not be enabled.
      Though cmd_ready/go_idle provides a power saving, it is also a part of the
      TPM2 protocol and should be called explicitly.
      This patch exposes cmd_ready/go_idle via tpm class ops and removes
      runtime pm support as it is not used by any driver.
      
      When calling from a nested context, always use both flags:
      TPM_TRANSMIT_UNLOCKED and TPM_TRANSMIT_RAW. Both are needed to resolve
      tpm spaces and locality request recursive calls to tpm_transmit().
      TPM_TRANSMIT_RAW should never be used standalone as it will fail
      on double locking, while TPM_TRANSMIT_UNLOCKED standalone should be
      called from non-recursive locked contexts.
      
      New wrappers tpm_cmd_ready() and tpm_go_idle() are added to
      streamline the tpm_try_transmit code.
      
      tpm_crb no longer needs own power saving functions and can drop using
      tpm_pm_suspend/resume.
      
      This patch cannot really be separated from the locality fix.
      Fixes: 888d867d (tpm: cmd_ready command can be issued only after granting locality)
      
      Cc: stable@vger.kernel.org
      Fixes: 888d867d (tpm: cmd_ready command can be issued only after granting locality)
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tpm: Return the actual size when receiving an unsupported command · b64b3b46
      Ricardo Schwarzmeier authored
      commit 36a11029 upstream.
      
      Userspace expects to read the number of bytes stated in the header.
      Returning the size of the buffer instead would be unexpected.
      
      Cc: stable@vger.kernel.org
      Fixes: 095531f8 ("tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented")
      Signed-off-by: Ricardo Schwarzmeier <Ricardo.Schwarzmeier@infineon.com>
      Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 · d07d4e8b
      Paul Burton authored
      commit 690d9163 upstream.
      
      Some versions of GCC suboptimally generate calls to the __multi3()
      intrinsic for MIPS64r6 builds, resulting in link failures due to the
      missing function:
      
          LD      vmlinux.o
          MODPOST vmlinux.o
        kernel/bpf/verifier.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        fs/select.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        ...
      
      We already have a workaround for this in which we provide the
      intrinsic, but we do so selectively for GCC 7 only. Unfortunately the
      issue occurs with older GCC versions too - it has been observed with
      both GCC 5.4.0 & GCC 6.4.0.
      
      MIPSr6 support was introduced in GCC 5, so all major GCC versions prior
      to GCC 8 are affected and we extend our workaround accordingly to all
      MIPS64r6 builds using GCC versions older than GCC 8.
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Reported-by: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
      Fixes: ebabcf17 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
      Patchwork: https://patchwork.linux-mips.org/patch/20297/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 4.15+
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: Change definition of cpu_relax() for Loongson-3 · 8f55e1f5
      Huacai Chen authored
      commit a3071886 upstream.
      
      Linux expects that if a CPU modifies a memory location, then that
      modification will eventually become visible to other CPUs in the system.
      
      Loongson 3 CPUs include a Store Fill Buffer (SFB) which sits between a
      core & its L1 data cache, queueing memory accesses & allowing for faster
      forwarding of data from pending stores to younger loads from the core.
      Unfortunately the SFB prioritizes loads such that a continuous stream of
      loads may cause a pending write to be buffered indefinitely. This is
      problematic if we end up with 2 CPUs which each perform a store that the
      other polls for - one or both CPUs may end up with their stores buffered
      in the SFB, never reaching cache due to the continuous reads from the
      poll loop. Such a deadlock condition has been observed whilst running
      qspinlock code.
      
      This patch changes the definition of cpu_relax() to smp_mb() for
      Loongson-3, forcing a flush of the SFB on SMP systems which will cause
      any pending writes to make it as far as the L1 caches where they will
      become visible to other CPUs. If the kernel is not compiled for SMP
      support, this will expand to a barrier() as before.
      
      This workaround matches that currently implemented for ARM when
      CONFIG_ARM_ERRATA_754327=y, which was introduced by commit 534be1d5
      ("ARM: 6194/1: change definition of cpu_relax() for ARM11MPCore").
      
      Although the workaround is only required when the Loongson 3 SFB
      functionality is enabled, and we only began explicitly enabling that
      functionality in v4.7 with commit 1e820da3 ("MIPS: Loongson-3:
      Introduce CONFIG_LOONGSON3_ENHANCEMENT"), existing or future firmware
      may enable the SFB which means we may need the workaround backported to
      earlier kernels too.
      
      [paul.burton@mips.com:
        - Reword commit message & comment.
        - Limit stable backport to v3.15+ where we support Loongson 3 CPUs.]
      Signed-off-by: Huacai Chen <chenhc@lemote.com>
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      References: 534be1d5 ("ARM: 6194/1: change definition of cpu_relax() for ARM11MPCore")
      References: 1e820da3 ("MIPS: Loongson-3: Introduce CONFIG_LOONGSON3_ENHANCEMENT")
      Patchwork: https://patchwork.linux-mips.org/patch/19830/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: Huacai Chen <chenhuacai@gmail.com>
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: Always use -march=<arch>, not -<arch> shortcuts · 9238ea28
      Paul Burton authored
      commit 344ebf09 upstream.
      
      The VDSO Makefile filters CFLAGS to select a subset which it uses whilst
      building the VDSO ELF. One of the flags it allows through is the -march=
      flag that selects the architecture/ISA to target.
      
      Unfortunately in cases where CONFIG_CPU_MIPS32_R{1,2}=y and the
      toolchain defaults to building for MIPS64, the main MIPS Makefile ends
      up using the short-form -<arch> flags in cflags-y. This is because the
      calls to cc-option always fail to use the long-form -march=<arch> flag
      due to the lack of an -mabi=<abi> flag in KBUILD_CFLAGS at the point
      where the cc-option function is executed. The resulting GCC invocation
      is something like:
      
        $ mips64-linux-gcc -Werror -march=mips32r2 -c -x c /dev/null -o tmp
        cc1: error: '-march=mips32r2' is not compatible with the selected ABI
      
      These short-form -<arch> flags are dropped by the VDSO Makefile's
      filtering, and so we attempt to build the VDSO without specifying any
      architecture. This results in an attempt to build the VDSO using
      whatever the compiler's default architecture is, regardless of whether
      that is suitable for the kernel configuration.
      
      One encountered build failure resulting from this mismatch is a
      rejection of the sync instruction if the kernel is configured for a
      MIPS32 or MIPS64 r1 or r2 target but the toolchain defaults to an older
      architecture revision such as MIPS1 which did not include the sync
      instruction:
      
          CC      arch/mips/vdso/gettimeofday.o
        /tmp/ccGQKoOj.s: Assembler messages:
        /tmp/ccGQKoOj.s:273: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:329: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:520: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:714: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1009: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1066: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1114: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1279: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1334: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1374: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1459: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1514: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:1814: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:2002: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        /tmp/ccGQKoOj.s:2066: Error: opcode not supported on this processor: mips1 (mips1) `sync'
        make[2]: *** [scripts/Makefile.build:318: arch/mips/vdso/gettimeofday.o] Error 1
        make[1]: *** [scripts/Makefile.build:558: arch/mips/vdso] Error 2
        make[1]: *** Waiting for unfinished jobs....
      
      This can be reproduced for example by attempting to build
      pistachio_defconfig using Arnd's GCC 8.1.0 mips64 toolchain from
      kernel.org:
      
        https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/x86_64-gcc-8.1.0-nolibc-mips64-linux.tar.xz
      
      Resolve this problem by using the long-form -march=<arch> in all cases,
      which makes it through the arch/mips/vdso/Makefile's filtering & is thus
      consistently used to build both the kernel proper & the VDSO.
      
      The use of cc-option to prefer the long-form & fall back to the
      short-form flags makes no sense since the short-form is just an
      abbreviation for the also-supported long-form in all GCC versions that
      we support building with. This means there is no case in which we have
      to use the short-form -<arch> flags, so we can simply remove them.
      
      The manual redefinition of _MIPS_ISA is removed naturally along with the
      use of the short-form flags that it accompanied, and whilst here we
      remove the separate assembler ISA selection. I suspect that both of
      these were only required due to the mips32 vs mips2 mismatch that was
      introduced by commit 59b3e8e9 ("[MIPS] Makefile crapectomy.") and
      fixed but not cleaned up by commit 9200c0b2 ("[MIPS] Fix Makefile
      bugs for MIPS32/MIPS64 R1 and R2.").
      
      I've marked this for backport as far as v4.4 where the MIPS VDSO was
      introduced. In earlier kernels there should be no ill effect to using
      the short-form flags.
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # v4.4+
      Reviewed-by: James Hogan <jhogan@kernel.org>
      Patchwork: https://patchwork.linux-mips.org/patch/19579/
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: memset.S: Fix byte_fixup for MIPSr6 · 8d6a4b45
      Matt Redfearn authored
      commit b1c03f1e upstream.
      
      The __clear_user function is defined to return the number of bytes that
      could not be cleared. From the underlying memset / bzero implementation
      this means setting register a2 to that number on return. Currently if a
      page fault is triggered within the MIPSr6 version of setting of initial
      unaligned bytes, the value loaded into a2 on return is meaningless.
      
      During the MIPSr6 version of the initial unaligned bytes block, register
      a2 contains the number of bytes to be set beyond the initial unaligned
      bytes. The t0 register is initially set to the number of unaligned bytes
      - STORSIZE, effectively a negative version of the number of unaligned
      bytes. This is then incremented before each byte is saved.
      
      The label .Lbyte_fixup\@ is jumped to on page fault. Currently the value
      in a2 is incorrectly replaced by 0 - t0 + 1, effectively the number of
      unaligned bytes remaining. This leads to the failures being reported by
      the following test code:
      
      #include <linux/init.h>
      #include <linux/kernel.h>
      #include <linux/uaccess.h>
      
      /* Every byte of the unmapped target should fault, so clear_user() must
       * report all j bytes as not cleared. */
      static int __init test_clear_user(void)
      {
      	int j, k;
      
      	pr_info("\n\n\nTesting clear_user\n");
      	for (j = 0; j < 512; j++) {
      		if ((k = clear_user(NULL+3, j)) != j) {
      			pr_err("clear_user (NULL %d) returned %d\n", j, k);
      		}
      	}
      	return 0;
      }
      late_initcall(test_clear_user);
      
      Which reports:
      [    3.965439] Testing clear_user
      [    3.973169] clear_user (NULL 8) returned 6
      [    3.976782] clear_user (NULL 9) returned 6
      [    3.980390] clear_user (NULL 10) returned 6
      [    3.984052] clear_user (NULL 11) returned 6
      [    3.987524] clear_user (NULL 12) returned 6
      
      Fix this by subtracting t0 from a2 (rather than $0), effectively giving:
      unset_bytes = (#bytes - (#unaligned bytes)) - (-#unaligned bytes remaining + 1) + 1
           a2     =             a2                -              t0                   + 1
      
      This fixes the value returned from __clear_user when the number of bytes
      to set is > LONGSIZE and the address is invalid and unaligned.
      
      Unfortunately, this breaks the fixup handling for unaligned bytes after
      the final long, where register a2 still contains the number of bytes
      remaining to be set and the t0 register is set to 0 - the number of
      unaligned bytes remaining.
      
      Because t0 is now subtracted from a2 rather than 0, the number of
      bytes unset is reported incorrectly:
      
      #include <linux/init.h>
      #include <linux/kernel.h>
      #include <linux/uaccess.h>
      #include <linux/vmalloc.h>
      
      /* Start 254 bytes before the end of a single vmalloc'd page: the first
       * 254 bytes are writable and the rest fault, so clear_user() must
       * report exactly j - 254 bytes as not cleared. */
      static int __init test_clear_user(void)
      {
      	char *test;
      	int j, k;
      
      	pr_info("\n\n\nTesting clear_user\n");
      	test = vmalloc(PAGE_SIZE);
      
      	for (j = 256; j < 512; j++) {
      		if ((k = clear_user(test + PAGE_SIZE - 254, j)) != j - 254) {
      			pr_err("clear_user (%px %d) returned %d\n",
      				test + PAGE_SIZE - 254, j, k);
      		}
      	}
      	vfree(test);
      	return 0;
      }
      late_initcall(test_clear_user);
      
      [    3.976775] clear_user (c00000000000df02 256) returned 4
      [    3.981957] clear_user (c00000000000df02 257) returned 6
      [    3.986425] clear_user (c00000000000df02 258) returned 8
      [    3.990850] clear_user (c00000000000df02 259) returned 10
      [    3.995332] clear_user (c00000000000df02 260) returned 12
      [    3.999815] clear_user (c00000000000df02 261) returned 14
      
      Fix this by ensuring that a2 is set to 0 during the set of final
      unaligned bytes.
      Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Fixes: 8c56208a ("MIPS: lib: memset: Add MIPS R6 support")
      Patchwork: https://patchwork.linux-mips.org/patch/19338/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: Correct the 64-bit DSP accumulator register size · d06e5e4a
      Maciej W. Rozycki authored
      commit f5958b4c upstream.
      
      Use the `unsigned long' rather than `__u32' type for DSP accumulator
      registers, like with the regular MIPS multiply/divide accumulator and
      general-purpose registers, as all are 64-bit in 64-bit implementations
      and using a 32-bit data type leads to contents truncation on context
      saving.
      
      Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing
      casts that are similarly not used with multiply/divide accumulator or
      general-purpose register accesses.
      Signed-off-by: Maciej W. Rozycki <macro@mips.com>
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Patchwork: https://patchwork.linux-mips.org/patch/19329/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # 2.6.15+
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • kprobes: Make list and blacklist root user read only · 968a9a4a
      Masami Hiramatsu authored
      commit f2a3ab36 upstream.
      
      Since the blacklist and list files on debugfs indicate
      sensitive address information to the reader, they should be
      restricted to the root user.
      Suggested-by: Thomas Richter <tmricht@linux.ibm.com>
      Suggested-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491890171.9916.5183693615601334087.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • kprobes/arm: Fix %p uses in error messages · 2f56c8af
      Masami Hiramatsu authored
      commit 75b2f5f5 upstream.
      
      Fix %p uses in error messages by removing it and
      using general dumper.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491905361.9916.15300852365956231645.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • kprobes: Replace %p with other pointer types · 10334e1a
      Masami Hiramatsu authored
      commit 4458515b upstream.
      
      Replace %p with %pS or just remove it if unneeded.
      And use WARN_ONCE() if it is a single bug.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491899284.9916.5350534544808158621.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • kprobes: Show blacklist addresses as same as kallsyms does · b143efb4
      Masami Hiramatsu authored
      commit ffb9bd68 upstream.
      
      Show kprobes blacklist addresses under same condition of
      showing kallsyms addresses.
      
      Since there are several name conflicts for local symbols,
      the kprobe blacklist needs to show each address so that the
      user can identify what is on the blacklist by comparing
      with kallsyms.
      Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Jon Medhurst <tixy@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Thomas Richter <tmricht@linux.ibm.com>
      Cc: Tobin C . Harding <me@tobin.cc>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: acme@kernel.org
      Cc: akpm@linux-foundation.org
      Cc: brueckner@linux.vnet.ibm.com
      Cc: linux-arch@vger.kernel.org
      Cc: rostedt@goodmis.org
      Cc: schwidefsky@de.ibm.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/lkml/152491893217.9916.14760965896164273464.stgit@devbox
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/purgatory: Add missing FORCE to Makefile targets · d6c96d24
      Philipp Rudo authored
      commit c315e693 upstream.
      
      Without FORCE make does not detect changes only made to the command line
      options. So object files might not be re-built even when they should be.
      Fix this by adding FORCE where it is missing.
      
      Fixes: 840798a1 ("s390/kexec_file: Add purgatory")
      Cc: <stable@vger.kernel.org> # 4.17
      Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
      Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/purgatory: Fix crash with expoline enabled · 5a2e51f9
      Philipp Rudo authored
      commit ad03b821 upstream.
      
      When the kernel is built with CONFIG_EXPOLINE=y and a compiler with
      indirect branch mitigation enabled the purgatory crashes. The reason for
      that is that the macros defined for expoline are used in mem.S. These
      macros define new sections (.text.__s390x_indirect_*) which are marked
      executable. Due to the missing linker script those sections are linked to
      address 0, just as the .text section. In combination with the entry point
      also being at address 0 this causes the purgatory load code
      (kernel/kexec_file.c: kexec_purgatory_setup_sechdrs) to update the entry
      point twice. Thus the old kernel jumps to some 'random' address causing the
      crash.
      
      To fix this turn off expolines for the purgatory. There is no problem with
      this in this case due to the fact that the purgatory only runs once and the
      tlb is purged (diag 308) in the end.
      
      Fixes: 840798a1 ("s390/kexec_file: Add purgatory")
      Cc: <stable@vger.kernel.org> # 4.17
      Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
      Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/pci: fix out of bounds access during irq setup · 87509861
      Sebastian Ott authored
      commit 866f3576 upstream.
      
      During interrupt setup we allocate interrupt vectors, walk the list of msi
      descriptors, and fill in the message data. Requesting more interrupts than
      supported on s390 can lead to an out of bounds access.
      
      When we restrict the number of interrupts we should also stop walking the
      msi list after all supported interrupts are handled.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/numa: move initial setup of node_to_cpumask_map · b51627dc
      Martin Schwidefsky authored
      commit fb7d7518 upstream.
      
      The numa_init_early initcall sets the node_to_cpumask_map[0] to the
      full cpu_possible_mask. Unfortunately this early_initcall is too late,
      the NUMA setup for numa=emu is done even earlier. The order of calls
      is numa_setup() -> emu_update_cpu_topology(), then the early_initcalls(),
      followed by sched_init_domains().
      
      Starting with git commit 051f3ca0 "sched/topology: Introduce NUMA identity
      node sched domain" the incorrect node_to_cpumask_map[0] really screws up
      the domain setup and the kernel panics with the following oops:
      
      Cc: <stable@vger.kernel.org> # v4.15+
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/qdio: reset old sbal_state flags · d695333c
      Julian Wiedmann authored
      commit 64e03ff7 upstream.
      
      When allocating a new AOB fails, handle_outbound() is still capable of
      transmitting the selected buffer (just without async completion).
      
      But if a previous transfer on this queue slot used async completion, its
      sbal_state flags field is still set to QDIO_OUTBUF_STATE_FLAG_PENDING.
      So when the upper layer driver sees this stale flag, it expects an async
      completion that never happens.
      
      Fix this by unconditionally clearing the flags field.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Cc: <stable@vger.kernel.org> #v3.2+
      Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390: fix br_r1_trampoline for machines without exrl · dacf5e59
      Martin Schwidefsky authored
      commit 26f84384 upstream.
      
      For machines without the exrl instruction the BPF JIT generates
      code that uses an "br %r1" instruction located in the lowcore page.
      Unfortunately there is a cut & paste error that puts an additional
      "larl %r1,.+14" instruction in the code that clobbers the branch
      target address in %r1. Remove the larl instruction.
      
      Cc: <stable@vger.kernel.org> # v4.17+
      Fixes: de5cb6eb ("s390: use expoline thunks in the BPF JIT")
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/lib: use expoline for all bcr instructions · 6a32f6f8
      Martin Schwidefsky authored
      commit 5eda25b1 upstream.
      
      The memmove, memset, memcpy, __memset16, __memset32 and __memset64
      functions have an additional indirect return branch in form of a
      "bzr" instruction. These need to use expolines as well.
      
      Cc: <stable@vger.kernel.org> # v4.17+
      Fixes: 97489e06 ("s390/lib: use expoline for indirect branches")
      Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/mm: fix addressing exception after suspend/resume · 120c776a
      Gerald Schaefer authored
      commit 37a366fa upstream.
      
      Commit c9b5ad54 "s390/mm: tag normal pages vs pages used in page tables"
      accidentally changed the logic in arch_set_page_states(), which is used by
      the suspend/resume code. set_page_stable(page, order) was changed to
      set_page_stable_dat(page, 0). After this, only the first page of higher order
      pages will be set to stable, and a write to one of the unstable pages will
      result in an addressing exception.
      
      Fix this by using "order" again, instead of "0".
      
      Fixes: c9b5ad54 ("s390/mm: tag normal pages vs pages used in page tables")
      Cc: stable@vger.kernel.org # 4.14+
      Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86: Allow generating user-space headers without a compiler · 77207a7e
      Ben Hutchings authored
      commit 829fe4aa upstream.
      
      When bootstrapping an architecture, it's usual to generate the kernel's
      user-space headers (make headers_install) before building a compiler.  Move
      the compiler check (for asm goto support) to the archprepare target so that
      it is only done when building code for the target.
      
      Fixes: e501ce95 ("x86: Force asm-goto")
      Reported-by: Helmut Grohne <helmutg@debian.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180829194317.GA4765@decadent.org.uk
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit() · 3fef5c2f
      Jann Horn authored
      commit f12d11c5 upstream.
      
      Reset the KASAN shadow state of the task stack before rewinding RSP.
      Without this, a kernel oops will leave parts of the stack poisoned, and
      code running under do_exit() can trip over such poisoned regions and cause
      nonsensical false-positive KASAN reports about stack-out-of-bounds bugs.
      
      This does not wipe the exception stacks; if an oops happens on an exception
      stack, it might result in random KASAN false-positives from other tasks
      afterwards. This is probably relatively uninteresting, since if the kernel
      oopses on an exception stack, there are most likely bigger things to worry
      about. It'd be more interesting if vmapped stacks and KASAN were
      compatible, since then handle_stack_overflow() would oops from exception
      stack context.
      
      Fixes: 2deb4be2 ("x86/dumpstack: When OOPSing, rewind the stack before do_exit()")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: kasan-dev@googlegroups.com
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180828184033.93712-1-jannh@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • hwmon: (nct6775) Fix potential Spectre v1 · b1491dae
      Gustavo A. R. Silva authored
      commit d49dbfad upstream.
      
      val can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      vers/hwmon/nct6775.c:2698 store_pwm_weight_temp_sel() warn: potential
      spectre issue 'data->temp_src' [r]
      
      Fix this by sanitizing val before using it to index data->temp_src
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
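The index sanitization this commit refers to, shown as an added example rather than the nct6775 driver's own code: a user-space C model of the Linux array_index_nospec() idiom, reproducing the branch-free mask it computes and showing how a user-controlled index that fails the bounds check is forced to 0 before it can serve as a subscript, even on the speculative path. The table size NUM_TEMP_SRC, the struct model_data type and the two lookup functions are constructed stand-ins for the driver's data->temp_src access and are not taken from the driver.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not from drivers/hwmon/nct6775.c): a user-space model of the
 * kernel's array_index_nospec() pattern used to close Spectre v1 index leaks.
 */

#define BITS_PER_LONG ((unsigned long)(sizeof(unsigned long) * CHAR_BIT))

/*
 * Branch-free mask: all ones when index < size, all zeros otherwise.
 * This mirrors the kernel's generic array_index_mask_nospec(): when index is
 * in range, neither index nor size - 1 - index has its top bit set, so the
 * complement is negative and the arithmetic shift smears the sign bit across
 * the word. When index >= size, size - 1 - index wraps negative, the OR has
 * its top bit set, the complement is non-negative and the shift yields 0.
 * (Right-shifting a negative long is implementation-defined in ISO C; gcc and
 * clang shift arithmetically, which is what the kernel relies on.)
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
                           (BITS_PER_LONG - 1));
}

/* Clamp index to [0, size) through a data dependency instead of a branch. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

#define NUM_TEMP_SRC 8UL /* constructed table size for this example */

struct model_data {
    int temp_src[NUM_TEMP_SRC]; /* constructed stand-in for data->temp_src */
};

/*
 * Shape of the code before the fix: the bounds check is architecturally
 * correct, but a mispredicted branch lets the CPU transiently perform the
 * load with an out-of-range val, and the cache footprint of that load can
 * disclose what lies beyond the array.
 */
static int lookup_unsanitized(const struct model_data *d, unsigned long val)
{
    if (val >= NUM_TEMP_SRC)
        return -1;
    return d->temp_src[val];
}

/*
 * Shape of the code after the fix: even while speculating past the check,
 * the subscript is masked to 0 when val is out of range, so the transient
 * load stays inside the array.
 */
static int lookup_sanitized(const struct model_data *d, unsigned long val)
{
    if (val >= NUM_TEMP_SRC)
        return -1;
    val = array_index_nospec(val, NUM_TEMP_SRC);
    return d->temp_src[val];
}

int main(void)
{
    struct model_data d = { .temp_src = { 10, 11, 12, 13, 14, 15, 16, 17 } };
    unsigned long probes[] = { 0, 7, 8, 1000, ULONG_MAX };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        unsigned long v = probes[i];
        printf("val=%lu mask=%#lx clamped index=%lu result=%d/%d\n",
               v, array_index_mask_nospec(v, NUM_TEMP_SRC),
               array_index_nospec(v, NUM_TEMP_SRC),
               lookup_unsanitized(&d, v), lookup_sanitized(&d, v));
    }
    return 0;
}
```

Both lookups return the same architectural result, which is the point: the fix changes nothing about what the function computes, only what an in-flight speculative load can touch. The interesting column is the clamped index, which is 0 for every out-of-range probe.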
    • x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ · 2ff13cec
      Andi Kleen authored
      commit cc51e542 upstream.
      
      On Nehalem and newer core CPUs the CPU cache internally uses 44 bits
      physical address space. The L1TF workaround is limited by this internal
      cache address width, and needs to have one bit free there for the
      mitigation to work.
      
      Older client systems report only 36bit physical address space so the range
      check decides that L1TF is not mitigated for a 36bit phys/32GB system with
      some memory holes.
      
      But since these actually have the larger internal cache width this warning
      is bogus because it would only really be needed if the system had more than
      43bits of memory.
      
      Add a new internal x86_cache_bits field. Normally it is the same as the
      physical bits field reported by CPUID, but for Nehalem and newer force it to
      be at least 44bits.
      
      Change the L1TF memory size warning to use the new cache_bits field to
      avoid bogus warnings and remove the bogus comment about memory size.
      
      Fixes: 17dbca11 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
      Reported-by: George Anchev <studio@anchev.net>
      Reported-by: Christopher Snowhill <kode54@gmail.com>
      Signed-off-by: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86@kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Michael Hocko <mhocko@suse.com>
      Cc: vbabka@suse.cz
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/spectre: Add missing family 6 check to microcode check · 084c0d5b
      Andi Kleen authored
      commit 1ab534e8 upstream.
      
      The check for Spectre microcodes does not check for family 6, only the
      model numbers.
      
      Add a family 6 check to avoid ambiguity with other families.
      
      Fixes: a5b29663 ("x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes")
      Signed-off-by: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86@kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180824170351.34874-2-andi@firstfloor.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/irqflags: Mark native_restore_fl extern inline · c6941f12
      Nick Desaulniers authored
      commit 1f59a458 upstream.
      
      This should have been marked extern inline in order to pick up the out
      of line definition in arch/x86/kernel/irqflags.S.
      
      Fixes: 208cbb32 ("x86/irqflags: Provide a declaration for native_save_fl")
      Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180827214011.55428-1-ndesaulniers@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/nmi: Fix NMI uaccess race against CR3 switching · 20a10314
      Andy Lutomirski authored
      commit 4012e77a upstream.
      
      A NMI can hit in the middle of context switching or in the middle of
      switch_mm_irqs_off().  In either case, CR3 might not match current->mm,
      which could cause copy_from_user_nmi() and friends to read the wrong
      memory.
      
      Fix it by adding a new nmi_uaccess_okay() helper and checking it in
      copy_from_user_nmi() and in __copy_from_user_nmi()'s callers.
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Rik van Riel <riel@surriel.com>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Jann Horn <jannh@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/dd956eba16646fd0b15c3c0741269dfd84452dac.1535557289.git.luto@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/vdso: Fix lsl operand order · aa3ad431
      Samuel Neves authored
      commit e78e5a91 upstream.
      
      In the __getcpu function, lsl is using the wrong target and destination
      registers. Luckily, the compiler tends to choose %eax for both variables,
      so it has been working so far.
      
      Fixes: a582c540 ("x86/vdso: Use RDPID in preference to LSL when available")
      Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Andy Lutomirski <luto@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180901201452.27828-1-sneves@dei.uc.pt
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: qla2xxx: Fix stalled relogin · 306f625c
      Himanshu Madhani authored
      commit 15b6c3c9 upstream.
      
      This patch sets and clears FCF_ASYNC_{SENT|ACTIVE} flags to prevent
      stalling of relogin attempt. Once flags are correctly set/cleared, relogin
      timer can retry relogin attempt for driver to continue login.
      
      Fixes: fa83e658 ("scsi: qla2xxx: ensure async flags are reset correctly")
      Cc: stable@vger.kernel.org #4.17
      Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() · 82964fac
      Dan Carpenter authored
      commit 19da44cd upstream.
      
      The info->groups[] array is allocated in imx1_pinctrl_parse_dt().  It
      has info->ngroups elements.  Thus the > here should be >= to prevent
      reading one element beyond the end of the array.
      
      Cc: stable@vger.kernel.org
      Fixes: 30612cd9 ("pinctrl: imx1 core driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Uwe Kleine-König <u.kleine-könig@pengutronix.de>
      Acked-by: Dong Aisheng <Aisheng.dong@nxp.com>
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • soc: qcom: rmtfs-mem: fix memleak in probe error paths · f8fa13e1
      Johan Hovold authored
      commit 78ee559d upstream.
      
      Make sure to set the mem device release callback before calling
      put_device() in a couple of probe error paths so that the containing
      object also gets freed.
      
      Fixes: d1de6d6c ("soc: qcom: Remote filesystem memory driver")
      Cc: stable <stable@vger.kernel.org>     # 4.15
      Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Andy Gross <andy.gross@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ASoC: wm_adsp: Correct DSP pointer for preloader control · e550a74a
      Ajit Pandey authored
      commit b1470d4c upstream.
      
      The offset of the DSP core needs to be taken into account for the DSP
      preloader control get and put. Currently the dsp->preloaded variable
      will only ever be read/updated on the first DSP, whilst this doesn't
      affect the operation of the control the readback will be incorrect.
      Signed-off-by: Ajit Pandey <ajit.pandey@cirrus.com>
      Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ASoC: sirf: Fix potential NULL pointer dereference · 00bdd9bf
      Gustavo A. R. Silva authored
      commit ae1c696a upstream.
      
      There is a potential execution path in which function
      platform_get_resource() returns NULL. If this happens,
      we will end up having a NULL pointer dereference.
      
      Fix this by replacing devm_ioremap with devm_ioremap_resource,
      which has the NULL check and the memory region request.
      
      This code was detected with the help of Coccinelle.
      
      Cc: stable@vger.kernel.org
      Fixes: 2bd8d1d5 ("ASoC: sirf: Add audio usp interface driver")
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Takashi Iwai
      ASoC: zte: Fix incorrect PCM format bit usages · cde7486a
      Takashi Iwai authored
      commit c889a45d upstream.
      
      zx-tdm driver sets the DAI driver definitions with the format bits
      wrongly set with SNDRV_PCM_FORMAT_*, instead of SNDRV_PCM_FMTBIT_*.
      
      This patch corrects the definitions.
      
      Spotted by a sparse warning:
        sound/soc/zte/zx-tdm.c:363:35: warning: restricted snd_pcm_format_t degrades to integer
      
      Fixes: 870e0ddc ("ASoC: zx-tdm: add zte's tdm controller driver")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Jerome Brunet
      ASoC: dpcm: don't merge format from invalid codec dai · aeb4906d
      Jerome Brunet authored
      commit 4febced1 upstream.
      
      When merging codec formats, dpcm_runtime_base_format() should skip
      the codecs which are not supporting the current stream direction.
      
      At the moment, if a BE link has more than one codec, and only one
      of these codecs has no capture DAI, it becomes impossible to start
      a capture stream because the merged format would be 0.
      
      Skipping invalid codec DAI solves the problem.
      
      Fixes: b073ed4e ("ASoC: soc-pcm: DPCM cares BE format")
      Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Michael Buesch
      b43/leds: Ensure NUL-termination of LED name string · a8d15632
      Michael Buesch authored
      commit 2aa650d1 upstream.
      
      strncpy might not NUL-terminate the string, if the name equals the buffer size.
      Use strlcpy instead.
      
      Signed-off-by: Michael Buesch <m@bues.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Michael Buesch
      b43legacy/leds: Ensure NUL-termination of LED name string · 579cdda6
      Michael Buesch authored
      commit 4d77a89e upstream.
      
      strncpy might not NUL-terminate the string, if the name equals the buffer size.
      Use strlcpy instead.
      
      Signed-off-by: Michael Buesch <m@bues.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
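The two b43/b43legacy LED commits above describe the same defect: strncpy() only pads with NUL bytes when the source is shorter than the destination, so a name whose length equals the buffer size is copied without a terminator, and any later strlen() or "%s" print reads past the buffer. The following is an added, stand-alone userspace illustration, not the drivers' code. Because strlcpy() is not available in every libc, a local my_strlcpy() with the same contract (copy at most size-1 bytes, always terminate, return the source length) is used here; the 16-byte LED_NAME_SIZE and the sample names are constructed for the example.

```c
/* Added example: strncpy() vs. an strlcpy()-style bounded copy into a
 * fixed-size name buffer. Not taken from the b43/b43legacy drivers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LED_NAME_SIZE 16   /* constructed buffer size for the example */

/* Local stand-in for strlcpy(): copies at most size-1 bytes, always
 * NUL-terminates when size > 0, and returns strlen(src) so the caller
 * can detect truncation (return value >= size). */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* True if there is a NUL byte anywhere inside buf[0..size-1]. */
static bool is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* "Before": strncpy() into a LED_NAME_SIZE buffer. With a source of
 * exactly LED_NAME_SIZE characters no terminator is written at all. */
bool strncpy_leaves_terminator(const char *name)
{
    char buf[LED_NAME_SIZE];
    memset(buf, 'X', sizeof(buf));   /* poison so a missing NUL is visible */
    strncpy(buf, name, sizeof(buf));
    return is_terminated(buf, sizeof(buf));
}

/* "After": bounded copy truncates to LED_NAME_SIZE-1 characters and
 * always writes the terminating NUL. */
bool strlcpy_leaves_terminator(const char *name)
{
    char buf[LED_NAME_SIZE];
    memset(buf, 'X', sizeof(buf));
    my_strlcpy(buf, name, sizeof(buf));
    return is_terminated(buf, sizeof(buf));
}

/* Length a later strlen() or "%s" would observe after the bounded copy;
 * it can never exceed LED_NAME_SIZE-1. */
size_t strlcpy_result_len(const char *name)
{
    char buf[LED_NAME_SIZE];
    my_strlcpy(buf, name, sizeof(buf));
    return strlen(buf);
}

int main(void)
{
    const char *exact = "b43-phy0::radio1";  /* constructed: exactly 16 chars */
    const char *shorter = "b43-phy0::tx";     /* constructed: 12 chars */

    printf("strncpy, 16-char name: terminated=%d\n",
           strncpy_leaves_terminator(exact));
    printf("strncpy, 12-char name: terminated=%d\n",
           strncpy_leaves_terminator(shorter));
    printf("strlcpy, 16-char name: terminated=%d len=%zu\n",
           strlcpy_leaves_terminator(exact), strlcpy_result_len(exact));
    return 0;
}
```

The poisoned buffer makes the failure mode observable without undefined behaviour: is_terminated() scans only the buffer's own bytes, so a missing NUL shows up as a false return instead of an over-read. The same check applies to any fixed-size name or label buffer filled from a runtime string.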