(Upstream commit 3d6e893575).
In coresight perf mode, we need to prepare the sink before
starting a session, which is done via set_buffer call back.
We then proceed to enable the tracing. If we fail to start
the session successfully, we leave the sink configuration
unchanged. In order to make the operation atomic and to
avoid yet another call back to clear the buffer, we get
rid of the "set_buffer" call back and pass the buffer details
via enable() call back to the sink.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I2a858def1342d0f06c5643f638cb6d5c49d70ccf
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit d25054ee8d).
We can always find the sink configuration for a given perf_output_handle.
Add a helper to retrieve the sink configuration for a given
perf_output_handle. This will be used to get rid of the set_buffer()
call back.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I0a9d8d9d8370fea5e4245697dca1e510d3f9438c
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 7ec786ad19).
Right now we issue an update_buffer() and reset_buffer() call backs
in succession when we stop tracing an event. The update_buffer is
supposed to check the status of the buffer and make sure the ring buffer
is updated with the trace data. And we store information about the
size of the data collected only to be consumed by the reset_buffer
callback which always follows the update_buffer. This was originally
designed for handling future IPs which could trigger a buffer overflow
interrupt. This patch gets rid of the reset_buffer callback altogether
and performs the actions in update_buffer, making it return the size
collected. We can always add the support for handling the overflow
interrupt case later.
This removes some not-so pretty hack (storing the new head in the
size field for snapshot mode) and cleans it up a little bit.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I5264db2e453909473b6ab5cb9ea0cba10091ff6e
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 41a75cdde7).
Convert component enable/disable messages from dev_info to dev_dbg.
When used with perf, the components in the paths are enabled/disabled
during each schedule of the run, which can flood the dmesg with these
messages. Moreover, they are only useful for debug purposes. So,
convert such messages to dev_dbg() which can be turned on as
needed.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I44698c3c29b1d8cee3f2813a11dd5be1606e9ca3
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit cad5f8d399).
Since the ETR now uses mode specific buffers, we can reliably
provide the trace data captured in sysfs mode, even when the ETR
is operating in PERF mode.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I2c4849f9664de698cba483c5ba897bce1f34e54b
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 96a7f64400).
Since the ETR could be driven either by SYSFS or by perf, it
becomes complicated how we deal with the buffers used for each
of these modes. The ETR driver cannot simply free the current
attached buffer without knowing the provider (i.e, sysfs vs perf).
To solve this issue, we provide:
1) the driver-mode specific etr buffer to be retained in the drvdata
2) the etr_buf for a session should be passed on when enabling the
hardware, which will be stored in drvdata->etr_buf. This will be
replaced (not free'd) as soon as the hardware is disabled, after
necessary sync operation.
The advantages of this are :
1) The common code path doesn't need to worry about how to dispose
an existing buffer, if it is about to start a new session with a
different buffer, possibly in a different mode.
2) The driver mode can control its buffers and can get access to the
saved session even when the hardware is operating in a different
mode. (e.g, we can still access a trace buffer from a sysfs mode
even if the etr is now used in perf mode, without disrupting the
current session.)
Towards this, we introduce a sysfs specific data which will hold the
etr_buf used for sysfs mode of operation, controlled solely by the
sysfs mode handling code.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I8a85ab42cbf077ca803c633b3c35375117a35f85
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 4f8ef21007).
We enable the trace path, before activating the source.
If we fail to enable the source, we must disable the path
to make sure it is available for another session.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I20b672edfcaca5d3851284ec4fbe20ffaebbe5f4
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit f9d81a657b).
At the moment, if there is no CPU specified for a given
event, we use cpu_online_mask and try to build path for
each of the CPUs in the mask. This could prevent any CPU
that is turned online later to be used for the tracing.
This patch changes to use the cpu_present_mask and tries
to build path for as much CPUs as possible ignoring the
failures in building path for some of the CPUs. If ever
we try to trace on those CPUs, we fail the operation.
Based on a patch from Mathieu Poirier.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I5771870e7eee8fc9af8478f96a0a30e32e456e28
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 5ecabe4a76).
We create a coresight trace path for each online CPU when
we start the event. We rely on the number of online CPUs
and then go on to allocate an array matching the "number of
online CPUs" for holding the path and then uses normal
CPU id as the index to the array. This is problematic as
we could have some offline CPUs causing us to access beyond
the actual array size (e.g, on a dual SMP system, if CPU0 is
offline, CPU1 could be really accessing beyond the array).
The solution is to switch to per-cpu array for holding the path.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I8b54ae229c296465bed9a62f0cd9648327fd0dc5
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit c71369de02).
The coresight components could be operated either in sysfs mode or in perf
mode. For some of the components, the mode of operation doesn't matter as
they simply relay the data to the next component in the trace path. But for
sinks, they need to be able to provide the trace data back to the user.
Thus we need to make sure that "mode" is handled appropriately. e.g,
the sysfs mode could have multiple sources driving the trace data, while
perf mode doesn't allow sharing the sink.
The coresight_enable_sink() however doesn't really allow this check to
trigger as it skips the "enable_sink" callback if the component is
already enabled, irrespective of the mode. This could cause mixing
of data from different modes or even same mode (in perf), if the
sources are different. Also, if we fail to enable the sink while
enabling a path (where sink is the first component enabled),
we could end up in disabling the components in the "entire"
path which were not enabled in this trial, causing disruptions
in the existing trace paths.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I3c3d6b38456a435a008f38359deac85dfdbd5b72
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit bbd35ba6fa).
Use ERR_CAT inlined function to replace the ERR_PTR(PTR_ERR). It
make the code more concise.
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I9eea8c7fdf388164d5863facc9cb66ba9ceb525b
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit 96330407f8).
When parsing the remote endpoint of an output port, we do :
rport = of_graph_get_remote_port(ep);
rparent = of_graph_get_remote_port_parent(ep);
and then parse the "remote_port" as if it was the remote endpoint,
which is wrong. The code worked fine because we used endpoint number
as the port number. Let us fix it and optimise a bit as:
remote_ep = of_graph_get_remote_endpoint(ep);
if (remote_ep)
remote_parent = of_graph_get_port_parent(remote_ep);
and then, parse the remote_ep for the port/endpoint details.
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: I7e14250f73f78e39aa979bf71d2cbc6314de3b39
Signed-off-by: Yabin Cui <yabinc@google.com>
(Upstream commit fac253e52f).
commit 6403587a930c ("coresight: use put_device() instead of kfree()")
fixes the double freeing of resources and ensures that the device
refcount is dropped properly. Add a comment to explain this to
help the readers and prevent people trying to "unfix" it again.
While at it, rename the labels for better readability.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 140266694
Change-Id: Ie4f5a46348fe4a02d2b6ced743a64b680ee9f21f
Signed-off-by: Yabin Cui <yabinc@google.com>
Solve a regression introduced by
commit 272fcd1ca7
("ANDROID: overlayfs: override_creds=off option bypass creator_cred")
where a crash is observed a crash in ovl_create_or_link() when a
simple re-direction command in vendor directory.
/vendor/bin/<Any test> > /vendor/bin/test_log.txt 2>&1&
After further debugging we see that if the output is redirected to a
file which doesn’t exist we see this stack:
[ 377.382745] ovl_create_or_link+0xac/0x710
[ 377.382745] ovl_create_object+0xb8/0x110
[ 377.382745] ovl_create+0x34/0x40
[ 377.382745] path_openat+0xd44/0x15a8
[ 377.382745] do_filp_open+0x80/0x128
[ 377.382745] do_sys_open+0x140/0x250
[ 377.382745] __arm64_sys_openat+0x2c/0x38
ovl_override_creds returns NULL because the override_cred flag is set
to false. This causes ovl_revert_creds also to fail.
There is another call to check override_cred in override_cred call
which overrides the creds permanently as there no revert_creds
associated. So whenever next commit_cred is called we see the crash
as the credentials are permanently overridden.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Tested-by: Rishabh/Jeevan <jshriram@qualcomm.corp-partner.google.com>
Bug: 140816499
Change-Id: Icd0d9be82fc57af5ead1eeab99f79adf3adf62ef
Check impure, opaque, origin & meta xattr with no sepolicy audit
(using __vfs_getxattr) since these operations are internal to
overlayfs operations and do not disclose any data. This became
an issue for credential override off since sys_admin would have
been required by the caller; whereas would have been inherently
present for the creator since it performed the mount.
This is a change in operations since we do not check in the new
ovl_vfs_getxattr function if the credential override is off or
not. Reasoning is that the sepolicy check is unnecessary overhead,
especially since the check can be expensive.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: I34d99cc46e9e87a79efc8d05f85980bbc137f7eb
Because of the overlayfs getxattr recursion, the incoming inode fails
to update the selinux sid resulting in avc denials being reported
against a target context of u:object_r:unlabeled:s0.
Solution is to add a _get xattr method that calls the __vfs_getxattr
handler so that the context can be read in, rather than being denied
with an -EACCES when vfs_getxattr handler is called.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: Ia39543c5ce617976f14d790fb88e471d575ffd65
Add an optional __get xattr method that would be called, if set, only
in __vfs_getxattr instead of the regular get xattr method.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: If9f6cf3e0d964e77af769244bb1e8f6aee4f4445
Changes in 4.19.82
zram: fix race between backing_dev_show and backing_dev_store
dm snapshot: introduce account_start_copy() and account_end_copy()
dm snapshot: rework COW throttling to fix deadlock
Btrfs: fix inode cache block reserve leak on failure to allocate data space
Btrfs: fix memory leak due to concurrent append writes with fiemap
btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()
btrfs: tracepoints: Fix wrong parameter order for qgroup events
wil6210: fix freeing of rx buffers in EDMA mode
f2fs: flush quota blocks after turnning it off
scsi: lpfc: Fix a duplicate 0711 log message number.
sc16is7xx: Fix for "Unexpected interrupt: 8"
powerpc/powernv: hold device_hotplug_lock when calling memtrace_offline_pages()
f2fs: fix to recover inode's i_gc_failures during POR
f2fs: fix to recover inode->i_flags of inode block during POR
HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override
usb: dwc2: fix unbalanced use of external vbus-supply
tools/power turbostat: fix goldmont C-state limit decoding
x86/cpu: Add Atom Tremont (Jacobsville)
drm/msm/dpu: handle failures while initializing displays
bcache: fix input overflow to writeback_rate_minimum
PCI: Fix Switchtec DMA aliasing quirk dmesg noise
Btrfs: fix deadlock on tree root leaf when finding free extent
netfilter: ipset: Make invalid MAC address checks consistent
HID: i2c-hid: Disable runtime PM for LG touchscreen
HID: i2c-hid: Ignore input report if there's no data present on Elan touchpanels
HID: i2c-hid: Add Odys Winbook 13 to descriptor override
platform/x86: Add the VLV ISP PCI ID to atomisp2_pm
platform/x86: Fix config space access for intel_atomisp2_pm
ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3
clk: boston: unregister clks on failure in clk_boston_setup()
scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks
staging: mt7621-pinctrl: use pinconf-generic for 'dt_node_to_map' and 'dt_free_map'
HID: Add ASUS T100CHI keyboard dock battery quirks
NFSv4: Ensure that the state manager exits the loop on SIGKILL
HID: steam: fix boot loop with bluetooth firmware
HID: steam: fix deadlock with input devices.
samples: bpf: fix: seg fault with NULL pointer arg
usb: dwc3: gadget: early giveback if End Transfer already completed
usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete
ALSA: usb-audio: Cleanup DSD whitelist
usb: handle warm-reset port requests on hub resume
rtc: pcf8523: set xtal load capacitance from DT
arm64: Add MIDR encoding for HiSilicon Taishan CPUs
arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs
mlxsw: spectrum: Set LAG port collector only when active
scsi: lpfc: Correct localport timeout duration error
CIFS: Respect SMB2 hdr preamble size in read responses
cifs: add credits from unmatched responses/messages
ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume
media: vimc: Remove unused but set variables
ext4: disallow files with EXT4_JOURNAL_DATA_FL from EXT4_IOC_SWAP_BOOT
exec: load_script: Do not exec truncated interpreter path
net: dsa: mv88e6xxx: Release lock while requesting IRQ
PCI/PME: Fix possible use-after-free on remove
drm/amd/display: fix odm combine pipe reset
power: supply: max14656: fix potential use-after-free
iio: adc: meson_saradc: Fix memory allocation order
iio: fix center temperature of bmc150-accel-core
libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
perf tests: Avoid raising SEGV using an obvious NULL dereference
perf map: Fix overlapped map handling
perf script brstackinsn: Fix recovery from LBR/binary mismatch
perf jevents: Fix period for Intel fixed counters
perf tools: Propagate get_cpuid() error
perf annotate: Propagate perf_env__arch() error
perf annotate: Fix the signedness of failure returns
perf annotate: Propagate the symbol__annotate() error return
perf annotate: Return appropriate error code for allocation failures
staging: rtl8188eu: fix null dereference when kzalloc fails
RDMA/hfi1: Prevent memory leak in sdma_init
RDMA/iwcm: Fix a lock inversion issue
HID: hyperv: Use in-place iterator API in the channel callback
nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
tty: n_hdlc: fix build on SPARC
gpio: max77620: Use correct unit for debounce times
fs: cifs: mute -Wunused-const-variable message
serial: mctrl_gpio: Check for NULL pointer
efi/cper: Fix endianness of PCIe class code
efi/x86: Do not clean dummy variable in kexec path
MIPS: include: Mark __cmpxchg as __always_inline
x86/xen: Return from panic notifier
ocfs2: clear zero in unaligned direct IO
fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()
fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock()
fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc()
arm64: armv8_deprecated: Checking return value for memory allocation
x86/cpu: Add Comet Lake to the Intel CPU models header
sched/vtime: Fix guest/system mis-accounting on task switch
perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
drm/amdgpu: fix memory leak
iio: imu: adis16400: release allocated memory on failure
MIPS: include: Mark __xchg as __always_inline
MIPS: fw: sni: Fix out of bounds init of o32 stack
virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
nbd: fix possible sysfs duplicate warning
NFSv4: Fix leak of clp->cl_acceptor string
s390/uaccess: avoid (false positive) compiler warnings
tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
ARM: 8914/1: NOMMU: Fix exc_ret for XIP
ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360
iwlwifi: exclude GEO SAR support for 3168
nbd: verify socket is supported during setup
USB: legousbtower: fix a signedness bug in tower_probe()
thunderbolt: Use 32-bit writes when writing ring producer/consumer
ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
fuse: flush dirty data/metadata before non-truncate setattr
fuse: truncate pending writes on O_TRUNC
ALSA: bebob: Fix prototype of helper function to return negative value
ALSA: hda/realtek - Fix 2 front mics of codec 0x623
ALSA: hda/realtek - Add support for ALC623
UAS: Revert commit 3ae62a4209 ("UAS: fix alignment of scatter/gather segments")
USB: gadget: Reject endpoints with 0 maxpacket value
usb-storage: Revert commit 747668dbc0 ("usb-storage: Set virt_boundary_mask to avoid SG overflows")
USB: ldusb: fix ring-buffer locking
USB: ldusb: fix control-message timeout
usb: xhci: fix __le32/__le64 accessors in debugfs code
USB: serial: whiteheat: fix potential slab corruption
USB: serial: whiteheat: fix line-speed endianness
scsi: target: cxgbit: Fix cxgbit_fw4_ack()
HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
HID: Fix assumption that devices have inputs
HID: fix error message in hid_open_report()
nl80211: fix validation of mesh path nexthop
s390/cmm: fix information leak in cmm_timeout_handler()
s390/idle: fix cpu idle time calculation
arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
rtlwifi: Fix potential overflow on P2P code
dmaengine: qcom: bam_dma: Fix resource leak
dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
drm/amdgpu/powerplay/vega10: allow undervolting in p7
NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
batman-adv: Avoid free/alloc race when handling OGM buffer
llc: fix sk_buff leak in llc_sap_state_process()
llc: fix sk_buff leak in llc_conn_service()
rxrpc: Fix call ref leak
rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
rxrpc: Fix trace-after-put looking at the put peer record
NFC: pn533: fix use-after-free and memleaks
bonding: fix potential NULL deref in bond_update_slave_arr
net: usb: sr9800: fix uninitialized local variable
sch_netem: fix rcu splat in netem_enqueue()
ALSA: timer: Simplify error path in snd_timer_open()
ALSA: timer: Fix mutex deadlock at releasing card
ALSA: usb-audio: DSD auto-detection for Playback Designs
ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
powerpc/powernv: Fix CPU idle to be called with IRQs disabled
Revert "ALSA: hda: Flush interrupts on disabling"
Linux 4.19.82
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I79ced3dcffed0086af7d8a77116e8061915677a1
[ Upstream commit 7d6475051f ]
Commit e78a7614f3 ("idle: Prevent late-arriving interrupts from
disrupting offline") changes arch_cpu_idle_dead to be called with
interrupts disabled, which triggers the WARN in pnv_smp_cpu_kill_self.
Fix this by fixing up irq_happened after hard disabling, rather than
requiring there are no pending interrupts, similarly to what was done
done until commit 2525db04d1 ("powerpc/powernv: Simplify lazy IRQ
handling in CPU offline").
Fixes: e78a7614f3 ("idle: Prevent late-arriving interrupts from disrupting offline")
Reported-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[mpe: Add unexpected_mask rather than checking for known bad values,
change the WARN_ON() to a WARN_ON_ONCE()]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191022115814.22456-1-npiggin@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0067e154b1 ]
Oppo has issued firmware updates that change alt setting used for DSD
support. However, these devices seem to support auto-detection, so
support is moved from explicit whitelisting to auto-detection.
Also Rotel devices have USB interfaces that support DSD with
auto-detection.
Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit eb7505d52a ]
Add DSD support auto-detection for newer Playback Designs devices. Older
device generations have a different USB interface implementation.
Keep the auto-detection VID whitelist sorted.
Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a393318673 ]
When a card is disconnected while in use, the system waits until all
opened files are closed then releases the card. This is done via
put_device() of the card device in each device release code.
The recently reported mutex deadlock bug happens in this code path;
snd_timer_close() for the timer device deals with the global
register_mutex and it calls put_device() there. When this timer
device is the last one, the card gets freed and it eventually calls
snd_timer_free(), which has again the protection with the global
register_mutex -- boom.
Basically put_device() call itself is race-free, so a relative simple
workaround is to move this put_device() call out of the mutex. For
achieving that, in this patch, snd_timer_close_locked() got a new
argument to store the card device pointer in return, and each caller
invokes put_device() with the returned object after the mutex unlock.
Reported-and-tested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 41672c0c24 ]
Just a minor refactoring to use the standard goto for error paths in
snd_timer_open() instead of open code. The first mutex_lock() is
moved to the beginning of the function to make the code clearer.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 55f6c98e36 upstream.
rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record. But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.
Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.
This can cause the following symptoms:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fixes: 1159d4b496 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9ebeddef58 upstream.
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.
This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fix this by taking a ref on the local record for the peer record.
Fixes: ace45bec6d ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f8 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c48fc11b69 upstream.
When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.
This causes the following symptom to show up with kasan:
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
net/rxrpc/output.c:635
Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077
where line 635 is:
whdr.epoch = htonl(peer->local->rxnet->epoch);
The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).
Fix this by releasing the call in the error path.
Fixes: 37411cad63 ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40e220b421 upstream.
Each slave interface of an B.A.T.M.A.N. IV virtual interface has an OGM
packet buffer which is initialized using data from netdevice notifier and
other rtnetlink related hooks. It is sent regularly via various slave
interfaces of the batadv virtual interface and in this process also
modified (realloced) to integrate additional state information via TVLV
containers.
It must be avoided that the worker item is executed without a common lock
with the netdevice notifier/rtnetlink helpers. Otherwise it can either
happen that half modified/freed data is sent out or functions modifying the
OGM buffer try to access already freed memory regions.
Reported-by: syzbot+0cc629f19ccb8534935b@syzkaller.appspotmail.com
Fixes: c6c8fea297 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 79cc55422c upstream.
A typo in nfs4_refresh_delegation_stateid() means we're leaking an
RCU lock, and always returning a value of 'false'. As the function
description states, we were always supposed to return 'true' if a
matching delegation was found.
Fixes: 12f275cdd1 ("NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID.")
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bacdcb6675 upstream.
Yegor Yefremov <yegorslists@googlemail.com> reported that musb and ftdi
uart can fail for the first open of the uart unless connected using
a hub.
This is because the first dma call done by musb_ep_program() must wait
if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues
with other non-dma packets before the DMA transfer is started causing at
least ftdi uarts to fail to receive data.
Let's fix the issue by waking up cppi41 with PM runtime calls added to
cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we
have musb_ep_program() continue with PIO until cppi41 is awake.
Fixes: fdea2d09b9 ("dmaengine: cppi41: Add basic PM runtime support")
Reported-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Cc: stable@vger.kernel.org # v4.9+
Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7667819385 upstream.
bam_dma_terminate_all() will leak resources if any of the transactions are
committed to the hardware (present in the desc fifo), and not complete.
Since bam_dma_terminate_all() does not cause the hardware to be updated,
the hardware will still operate on any previously committed transactions.
This can cause memory corruption if the memory for the transaction has been
reassigned, and will cause a sync issue between the BAM and its client(s).
Fix this by properly updating the hardware in bam_dma_terminate_all().
Fixes: e7c0fe2a5c ("dmaengine: add Qualcomm BAM dma driver")
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8c55dedb79 upstream.
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit aa57157be6 upstream.
Shared and writable mappings (__S.1.) should be clean (!dirty) initially
and made dirty on a subsequent write either through the hardware DBM
(dirty bit management) mechanism or through a write page fault. A clean
pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY
clear.
The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and
PTE_DIRTY clear. Prior to commit 73e86cb03c ("arm64: Move PTE_RDONLY
bit handling out of set_pte_at()"), it was the responsibility of
set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the
software PTE_DIRTY bit was not set. However, the above commit removed
the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in
set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions
unchanged. The result is that shared+writable mappings are now dirty by
default
Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}.
In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_*
attributes.
Fixes: 73e86cb03c ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
Cc: <stable@vger.kernel.org> # 4.14.x-
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3d7efa4edd upstream.
The idle time reported in /proc/stat sometimes incorrectly contains
huge values on s390. This is caused by a bug in arch_cpu_idle_time().
The kernel tries to figure out when a different cpu entered idle by
accessing its per-cpu data structure. There is an ordering problem: if
the remote cpu has an idle_enter value which is not zero, and an
idle_exit value which is zero, it is assumed it is idle since
"now". The "now" timestamp however is taken before the idle_enter
value is read.
Which in turn means that "now" can be smaller than idle_enter of the
remote cpu. Unconditionally subtracting idle_enter from "now" can thus
lead to a negative value (aka large unsigned value).
Fix this by moving the get_tod_clock() invocation out of the
loop. While at it also make the code a bit more readable.
A similar bug also exists for show_idle_time(). Fix this is as well.
Cc: <stable@vger.kernel.org>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b8e51a6a9d upstream.
The problem is that we were putting the NUL terminator too far:
buf[sizeof(buf) - 1] = '\0';
If the user input isn't NUL terminated and they haven't initialized the
whole buffer then it leads to an info leak. The NUL terminator should
be:
buf[len - 1] = '\0';
Signed-off-by: Yihui Zeng <yzeng56@asu.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled]
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b3a81c777d upstream.
On HID report descriptor parsing error the code displays bogus
pointer instead of error offset (subtracts start=NULL from end).
Make the message more useful by displaying correct error offset
and include total buffer size for reference.
This was carried over from ancient times - "Fixed" commit just
promoted the message from DEBUG to ERROR.
Cc: stable@vger.kernel.org
Fixes: 8c3d52fc39 ("HID: make parser more verbose about parsing errors by default")
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
