commit 0e719302d0640118037c3189b6007f4fc95a9e39 Author: Alexandre Frade Date: Thu May 13 02:01:29 2021 +0000 Linux 5.10.35-rt39-xanmod1 Signed-off-by: Alexandre Frade commit cb72597870a24aa4344221d2841fd0b2e0095563 Author: Alexey Avramov Date: Mon Apr 12 22:08:24 2021 +0900 mm/vmscan: add sysctl knobs for protecting clean cache The patch provides sysctl knobs for protecting the specified amount of clean file pages (CFP) under memory pressure. The kernel does not have a mechanism for selectively protecting clean file pages. A certain amount of the CFP is required by the userspace for normal operation. First of all, you need a cache of shared libraries and executable files. If the volume of the CFP cache falls below a certain level, thrashing and even livelock occurs. Protection of CFP may be used to prevent thrashing and reducing I/O under memory pressure. Hard protection of CFP may be used to avoid high latency and prevent livelock in near-OOM conditions. The patch provides sysctl knobs for protecting the specified amount of clean file cache under memory pressure. The vm.clean_low_kbytes sysctl knob provides *best-effort* protection of CFP. The CFP on the current node won't be reclaimed uder memory pressure when their amount is below vm.clean_low_kbytes *unless* we threaten to OOM or have no free swap space or vm.swappiness=0. Setting it to a high value may result in a early eviction of anonymous pages into the swap space by attempting to hold the protected amount of clean file pages in memory. The default value is defined by CONFIG_CLEAN_LOW_KBYTES (suggested 150000 in Kconfig). The vm.clean_min_kbytes sysctl knob provides *hard* protection of CFP. The CFP on the current node won't be reclaimed under memory pressure when their amount is below vm.clean_min_kbytes. Setting it to a high value may result in a early out-of-memory condition due to the inability to reclaim the protected amount of CFP when other types of pages cannot be reclaimed. The default value is defined by CONFIG_CLEAN_MIN_KBYTES (suggested 0 in Kconfig). Signed-off-by: Alexey Avramov commit adc2af1a248ad7c7bee0bdfccc34b8ebd8d3ec1e Author: Christian Brauner Date: Wed Jan 23 21:54:23 2019 +0100 SAUCE: binder: give binder_alloc its own debug mask file Currently both binder.c and binder_alloc.c both register the /sys/module/binder_linux/paramters/debug_mask file which leads to conflicts in sysfs. This commit gives binder_alloc.c its own /sys/module/binder_linux/paramters/alloc_debug_mask file. Signed-off-by: Christian Brauner Signed-off-by: Seth Forshee commit 008aee34db713aa71fa9587812b8180df83aaf73 Author: Christian Brauner Date: Wed Jan 16 23:13:25 2019 +0100 SAUCE: binder: turn into module The Android binder driver needs to become a module for the sake of shipping Anbox. To do this we need to export the following functions since binder is currently still using them: - security_binder_set_context_mgr() - security_binder_transaction() - security_binder_transfer_binder() - security_binder_transfer_file() - can_nice() - __close_fd_get_file() - mmput_async() - task_work_add() - map_kernel_range_noflush() - get_vm_area() - zap_page_range() - put_ipc_ns() - get_ipc_ns_exported() - show_init_ipc_ns() Signed-off-by: Christian Brauner [ saf: fix additional reference to init_ipc_ns from 5.0-rc6 ] Signed-off-by: Seth Forshee commit e169e01dc037a9f9f217a2761a08d32a1a7d98d4 Author: Christian Brauner Date: Wed Jun 20 19:21:37 2018 +0200 SAUCE: ashmem: turn into module The Android ashmem driver needs to become a module for the sake of Anbox. To do this we need to export shmem_zero_setup() since ashmem is currently using is. Note, the abomination that is the Android ashmem driver will go away in the not so distant future in favour of memfds. Signed-off-by: Christian Brauner Signed-off-by: Seth Forshee commit f13b8af3b35dc3d9a45c3a540da8d24945c50e00 Merge: 3914ea70db02 e4eb257a89aa Author: Alexandre Frade Date: Thu May 13 01:56:29 2021 +0000 Merge tag 'v5.10.35-rt39' into 5.10-rt Linux 5.10.35-rt39 commit 3914ea70db026d3b4ca7a2e9b878cd067fbdf430 Author: Alexandre Frade Date: Thu May 13 01:54:52 2021 +0000 Revert "android: Enable building ashmem and binder as modules" This reverts commit 6665150f4172c8cdda2c1a25817cdf3264fd8e79. commit b5a01d233b6982bf5d27b02bfdb793e562e73975 Author: Alexandre Frade Date: Thu May 13 01:54:19 2021 +0000 Revert "android: Export symbols needed by Android drivers" This reverts commit cdc1cedf140cb10eed81d3689bdcd351efc9a41a. commit e4eb257a89aa78a3634b921908ca18018e759c81 Author: Steven Rostedt (VMware) Date: Wed May 12 09:33:35 2021 -0400 Linux 5.10.35-rt39 commit 65217dfb2656b13cf32c416cb835bc0df026f96c Merge: a2847d56ef8c f53a3a480862 Author: Steven Rostedt (VMware) Date: Tue May 11 14:13:09 2021 -0400 Merge tag 'v5.10.35' into v5.10-rt This is the 5.10.35 stable release commit f53a3a4808625f876aebc5a0bfb354480bbf0c21 Author: Greg Kroah-Hartman Date: Fri May 7 11:04:33 2021 +0200 Linux 5.10.35 Tested-By: Patrick McCormick Tested-by: Jon Hunter Tested-by: Florian Fainelli Tested-by: Fox Chen Tested-by: Shuah Khan Tested-by: Salvatore Bonaccorso Tested-by: Jason Self Tested-by: Guenter Roeck Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Sudip Mukherjee Link: https://lore.kernel.org/r/20210505112326.195493232@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 94c76056fc3f7e0f0cbdb6b92935d18752eae8df Author: Jason Gunthorpe Date: Thu Mar 4 21:30:03 2021 -0400 vfio: Depend on MMU commit b2b12db53507bc97d96f6b7cb279e831e5eafb00 upstream. VFIO_IOMMU_TYPE1 does not compile with !MMU: ../drivers/vfio/vfio_iommu_type1.c: In function 'follow_fault_pfn': ../drivers/vfio/vfio_iommu_type1.c:536:22: error: implicit declaration of function 'pte_write'; did you mean 'vfs_write'? [-Werror=implicit-function-declaration] So require it. Suggested-by: Cornelia Huck Signed-off-by: Jason Gunthorpe Message-Id: <0-v1-02cb5500df6e+78-vfio_no_mmu_jgg@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman commit 4348d3b5027bc3ff6336368b6c60605d4ef8e1ce Author: Ondrej Mosnacek Date: Wed Feb 24 22:56:28 2021 +0100 perf/core: Fix unconditional security_locked_down() call commit 08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b upstream. Currently, the lockdown state is queried unconditionally, even though its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in attr.sample_type. While that doesn't matter in case of the Lockdown LSM, it causes trouble with the SELinux's lockdown hook implementation. SELinux implements the locked_down hook with a check whether the current task's type has the corresponding "lockdown" class permission ("integrity" or "confidentiality") allowed in the policy. This means that calling the hook when the access control decision would be ignored generates a bogus permission check and audit record. Fix this by checking sample_type first and only calling the hook when its result would be honored. Fixes: b0c8fdc7fdb7 ("lockdown: Lock down perf when in confidentiality mode") Signed-off-by: Ondrej Mosnacek Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Paul Moore Link: https://lkml.kernel.org/r/20210224215628.192519-1-omosnace@redhat.com Signed-off-by: Greg Kroah-Hartman commit 399f9c18473cefe76420a5764253b74b3add7f8f Author: Mark Pearson Date: Wed Apr 7 17:20:15 2021 -0400 platform/x86: thinkpad_acpi: Correct thermal sensor allocation commit 6759e18e5cd8745a5dfc5726e4a3db5281ec1639 upstream. On recent Thinkpad platforms it was reported that temp sensor 11 was always incorrectly displaying 66C. It turns out the reason for this is that this location in EC RAM is not a temperature sensor but is the power supply ID (offset 0xC2). Based on feedback from the Lenovo firmware team the EC RAM version can be determined and for the current version (3) only the 0x78 to 0x7F range is used for temp sensors. I don't have any details for earlier versions so I have left the implementation unaltered there. Note - in this block only 0x78 and 0x79 are officially designated (CPU & GPU sensors). The use of the other locations in the block will vary from platform to platform; but the existing logic to detect a sensor presence holds. Signed-off-by: Mark Pearson Link: https://lore.kernel.org/r/20210407212015.298222-1-markpearson@lenovo.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit ac2cd82c76099f579be39087125010a201dac01a Author: Chris Chiu Date: Wed Apr 21 01:46:51 2021 +0800 USB: Add reset-resume quirk for WD19's Realtek Hub commit ca91fd8c7643d93bfc18a6fec1a0d3972a46a18a upstream. Realtek Hub (0bda:5487) in Dell Dock WD19 sometimes fails to work after the system resumes from suspend with remote wakeup enabled device connected: [ 1947.640907] hub 5-2.3:1.0: hub_ext_port_status failed (err = -71) [ 1947.641208] usb 5-2.3-port5: cannot disable (err = -71) [ 1947.641401] hub 5-2.3:1.0: hub_ext_port_status failed (err = -71) [ 1947.641450] usb 5-2.3-port4: cannot reset (err = -71) Information of this hub: T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 5 D: Ver= 2.10 Cls=09(hub ) Sub=00 Prot=02 MxPS=64 #Cfgs= 1 P: Vendor=0bda ProdID=5487 Rev= 1.47 S: Manufacturer=Dell Inc. S: Product=Dell dock C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr= 0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=01 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 1 Ivl=256ms I:* If#= 0 Alt= 1 #EPs= 1 Cls=09(hub ) Sub=00 Prot=02 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 1 Ivl=256ms The failure results from the ETIMEDOUT by chance when turning on the suspend feature for the specified port of the hub. The port seems to be in an unknown state so the hub_activate during resume fails the hub_port_status, then the hub will fail to work. The quirky hub needs the reset-resume quirk to function correctly. Acked-by: Alan Stern Signed-off-by: Chris Chiu Cc: stable Link: https://lore.kernel.org/r/20210420174651.6202-1-chris.chiu@canonical.com Signed-off-by: Greg Kroah-Hartman commit d844aaa49ac8b3225e906a150f89d2b805ad8cfc Author: Kai-Heng Feng Date: Mon Apr 12 21:54:53 2021 +0800 USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet commit 8f23fe35ff1e5491b4d279323a8209a31f03ae65 upstream. This is another branded 8153 device that doesn't work well with LPM enabled: [ 400.597506] r8152 5-1.1:1.0 enx482ae3a2a6f0: Tx status -71 So disable LPM to resolve the issue. Signed-off-by: Kai-Heng Feng BugLink: https://bugs.launchpad.net/bugs/1922651 Link: https://lore.kernel.org/r/20210412135455.791971-1-kai.heng.feng@canonical.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 59b3f88386b5f5b4ab6622cd7307be40e871684c Author: Takashi Iwai Date: Wed Apr 7 16:45:49 2021 +0200 ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX commit 64f40f9be14106e7df0098c427cb60be645bddb7 upstream. ToneLab EX guitar pedal device requires the same quirk like ToneLab ST for supporting the MIDI. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212593 Cc: Link: https://lore.kernel.org/r/20210407144549.1530-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 27c1936af5068b5367078a65df6a3d4de3e94e9a Author: Miklos Szeredi Date: Mon Apr 12 12:00:37 2021 +0200 ovl: allow upperdir inside lowerdir commit 708fa01597fa002599756bf56a96d0de1677375c upstream. Commit 146d62e5a586 ("ovl: detect overlapping layers") made sure we don't have overlapping layers, but it also broke the arguably valid use case of mount -olowerdir=/,upperdir=/subdir,.. where upperdir overlaps lowerdir on the same filesystem. This has been causing regressions. Revert the check, but only for the specific case where upperdir and/or workdir are subdirectories of lowerdir. Any other overlap (e.g. lowerdir is subdirectory of upperdir, etc) case is crazy, so leave the check in place for those. Overlaps are detected at lookup time too, so reverting the mount time check should be safe. Fixes: 146d62e5a586 ("ovl: detect overlapping layers") Cc: # v5.2 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 71d58457a8afc650da5d3292a7f7029317654d95 Author: Mickaël Salaün Date: Mon Mar 29 18:49:07 2021 +0200 ovl: fix leaked dentry commit eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41 upstream. Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock: overlayfs: refusing to follow metacopy origin for (/file0) ... BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay] ... WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1 ... RIP: 0010:umount_check.cold+0x107/0x14d ... Call Trace: d_walk+0x28c/0x950 ? dentry_lru_isolate+0x2b0/0x2b0 ? __kasan_slab_free+0x12/0x20 do_one_tree+0x33/0x60 shrink_dcache_for_umount+0x78/0x1d0 generic_shutdown_super+0x70/0x440 kill_anon_super+0x3e/0x70 deactivate_locked_super+0xc4/0x160 deactivate_super+0xfa/0x140 cleanup_mnt+0x22e/0x370 __cleanup_mnt+0x1a/0x30 task_work_run+0x139/0x210 do_exit+0xb0c/0x2820 ? __kasan_check_read+0x1d/0x30 ? find_held_lock+0x35/0x160 ? lock_release+0x1b6/0x660 ? mm_update_next_owner+0xa20/0xa20 ? reacquire_held_locks+0x3f0/0x3f0 ? __sanitizer_cov_trace_const_cmp4+0x22/0x30 do_group_exit+0x135/0x380 __do_sys_exit_group.isra.0+0x20/0x20 __x64_sys_exit_group+0x3c/0x50 do_syscall_64+0x45/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xae ... VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day... This fix has been tested with a syzkaller reproducer. Cc: Amir Goldstein Cc: # v5.8+ Reported-by: syzbot Fixes: 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()") Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20210329164907.2133175-1-mic@digikod.net Reviewed-by: Vivek Goyal Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 2fa0387fa2d00924aca0a5fa4c48eb6a4b3f8731 Author: Jianxiong Gao Date: Thu Apr 29 17:33:15 2021 +0000 nvme-pci: set min_align_mask commit: 3d2d861eb03e8ee96dc430a54361c900cbe28afd The PRP addressing scheme requires all PRP entries except for the first one to have a zero offset into the NVMe controller pages (which can be different from the Linux PAGE_SIZE). Use the min_align_mask device parameter to ensure that swiotlb does not change the address of the buffer modulo the device page size to ensure that the PRPs won't be malformed. Signed-off-by: Jianxiong Gao Signed-off-by: Christoph Hellwig Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit f8e71c667ee12094b50f5a935133d080740cd66b Author: Jianxiong Gao Date: Thu Apr 29 17:33:14 2021 +0000 swiotlb: respect min_align_mask commit: 1f221a0d0dbf0e48ef3a9c62871281d6a7819f05 swiotlb: respect min_align_mask Respect the min_align_mask in struct device_dma_parameters in swiotlb. There are two parts to it: 1) for the lower bits of the alignment inside the io tlb slot, just extent the size of the allocation and leave the start of the slot empty 2) for the high bits ensure we find a slot that matches the high bits of the alignment to avoid wasting too much memory Based on an earlier patch from Jianxiong Gao . Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 85a5a6875ca93dc4efbf20df942ba41d27a917e3 Author: Jianxiong Gao Date: Thu Apr 29 17:33:13 2021 +0000 swiotlb: don't modify orig_addr in swiotlb_tbl_sync_single commit: 16fc3cef33a04632ab6b31758abdd77563a20759 swiotlb_tbl_map_single currently nevers sets a tlb_addr that is not aligned to the tlb bucket size. But we're going to add such a case soon, for which this adjustment would be bogus. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 25ed8827cfbf017ffcd195258643c54b55db08c5 Author: Jianxiong Gao Date: Thu Apr 29 17:33:12 2021 +0000 swiotlb: refactor swiotlb_tbl_map_single commit: 26a7e094783d482f3e125f09945a5bb1d867b2e6 Split out a bunch of a self-contained helpers to make the function easier to follow. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 9efd5df078a7e1aa2a825855688025b586ed880f Author: Jianxiong Gao Date: Thu Apr 29 17:33:11 2021 +0000 swiotlb: clean up swiotlb_tbl_unmap_single commit: ca10d0f8e530600ec63c603dbace2c30927d70b7 swiotlb: clean up swiotlb_tbl_unmap_single Remove a layer of pointless indentation, replace a hard to follow ternary expression with a plain if/else. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 1f2ef5a0f771f69f71549bb1917c6e8cb23e6818 Author: Jianxiong Gao Date: Thu Apr 29 17:33:10 2021 +0000 swiotlb: factor out a nr_slots helper commit: c32a77fd18780a5192dfb6eec69f239faebf28fd Factor out a helper to find the number of slots for a given size. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 1bbcc985d19524114bd2e0db1d826807043348cd Author: Jianxiong Gao Date: Thu Apr 29 17:33:09 2021 +0000 swiotlb: factor out an io_tlb_offset helper commit: c7fbeca757fe74135d8b6a4c8ddaef76f5775d68 Replace the very genericly named OFFSET macro with a little inline helper that hardcodes the alignment to the only value ever passed. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 22163a8ec863f98bc4a096ac08b2dfe9edc5ddf1 Author: Jianxiong Gao Date: Thu Apr 29 17:33:08 2021 +0000 swiotlb: add a IO_TLB_SIZE define commit: b5d7ccb7aac3895c2138fe0980a109116ce15eff Add a new IO_TLB_SIZE define instead open coding it using IO_TLB_SHIFT all over. Signed-off-by: Christoph Hellwig Acked-by: Jianxiong Gao Tested-by: Jianxiong Gao Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jianxiong Gao Signed-off-by: Greg Kroah-Hartman commit 2e8b3b0b8e2d3b56a0b653980c62cbcb374ffedf Author: Jianxiong Gao Date: Thu Apr 29 17:33:07 2021 +0000 driver core: add a min_align_mask field to struct device_dma_parameters commit: 36950f2da1ea4cb683be174f6f581e25b2d33e71 Some devices rely on the address offset in a page to function correctly (NVMe driver as an example). These devices may use a different page size than the Linux kernel. The address offset has to be preserved upon mapping, and in order to do so, we need to record the page_offset_mask first. Signed-off-by: Jianxiong Gao Signed-off-by: Christoph Hellwig Acked-by: Greg Kroah-Hartman Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 6995512a472f3b57d2838dcae725c01ceb0bb4f5 Author: Vasily Averin Date: Fri Apr 23 14:29:03 2021 -0700 tools/cgroup/slabinfo.py: updated to work on current kernel [ Upstream commit 1974c45dd7745e999b9387be3d8fdcb27a5b1721 ] slabinfo.py script does not work with actual kernel version. First, it was unable to recognise SLUB susbsytem, and when I specified it manually it failed again with AttributeError: 'struct page' has no member 'obj_cgroups' .. and then again with File "tools/cgroup/memcg_slabinfo.py", line 221, in main memcg.kmem_caches.address_of_(), AttributeError: 'struct mem_cgroup' has no member 'kmem_caches' Link: https://lkml.kernel.org/r/cec1a75e-43b4-3d64-2084-d9f98fda037f@virtuozzo.com Signed-off-by: Vasily Averin Tested-by: Roman Gushchin Acked-by: Roman Gushchin Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a7c37332afa8916ac55509e3df6a4cfdbb570a4e Author: Thomas Richter Date: Wed Apr 21 14:04:00 2021 +0200 perf ftrace: Fix access to pid in array when setting a pid filter [ Upstream commit 671b60cb6a897a5b3832fe57657152f2c3995e25 ] Command 'perf ftrace -v -- ls' fails in s390 (at least 5.12.0rc6). The root cause is a missing pointer dereference which causes an array element address to be used as PID. Fix this by extracting the PID. Output before: # ./perf ftrace -v -- ls function_graph tracer is used write '-263732416' to tracing/set_ftrace_pid failed: Invalid argument failed to set ftrace pid # Output after: ./perf ftrace -v -- ls function_graph tracer is used # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 4) | rcu_read_lock_sched_held() { 4) 0.552 us | rcu_lockdep_current_cpu_online(); 4) 6.124 us | } Reported-by: Alexander Schmidt Signed-off-by: Thomas Richter Acked-by: Namhyung Kim Cc: Heiko Carstens Cc: Sumanth Korikkar Cc: Sven Schnelle Cc: Vasily Gorbik Link: http://lore.kernel.org/lkml/20210421120400.2126433-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fb4c1c2e9fd1adb19452bbaa75f0f2bb2826ac0d Author: Serge E. Hallyn Date: Tue Apr 20 08:43:34 2021 -0500 capabilities: require CAP_SETFCAP to map uid 0 [ Upstream commit db2e718a47984b9d71ed890eb2ea36ecf150de18 ] cap_setfcap is required to create file capabilities. Since commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities"), a process running as uid 0 but without cap_setfcap is able to work around this as follows: unshare a new user namespace which maps parent uid 0 into the child namespace. While this task will not have new capabilities against the parent namespace, there is a loophole due to the way namespaced file capabilities are represented as xattrs. File capabilities valid in userns 1 are distinguished from file capabilities valid in userns 2 by the kuid which underlies uid 0. Therefore the restricted root process can unshare a new self-mapping namespace, add a namespaced file capability onto a file, then use that file capability in the parent namespace. To prevent that, do not allow mapping parent uid 0 if the process which opened the uid_map file does not have CAP_SETFCAP, which is the capability for setting file capabilities. As a further wrinkle: a task can unshare its user namespace, then open its uid_map file itself, and map (only) its own uid. In this case we do not have the credential from before unshare, which was potentially more restricted. So, when creating a user namespace, we record whether the creator had CAP_SETFCAP. Then we can use that during map_write(). With this patch: 1. Unprivileged user can still unshare -Ur ubuntu@caps:~$ unshare -Ur root@caps:~# logout 2. Root user can still unshare -Ur ubuntu@caps:~$ sudo bash root@caps:/home/ubuntu# unshare -Ur root@caps:/home/ubuntu# logout 3. Root user without CAP_SETFCAP cannot unshare -Ur: root@caps:/home/ubuntu# /sbin/capsh --drop=cap_setfcap -- root@caps:/home/ubuntu# /sbin/setcap cap_setfcap=p /sbin/setcap unable to set CAP_SETFCAP effective capability: Operation not permitted root@caps:/home/ubuntu# unshare -Ur unshare: write failed /proc/self/uid_map: Operation not permitted Note: an alternative solution would be to allow uid 0 mappings by processes without CAP_SETFCAP, but to prevent such a namespace from writing any file capabilities. This approach can be seen at [1]. Background history: commit 95ebabde382 ("capabilities: Don't allow writing ambiguous v3 file capabilities") tried to fix the issue by preventing v3 fscaps to be written to disk when the root uid would map to the same uid in nested user namespaces. This led to regressions for various workloads. For example, see [2]. Ultimately this is a valid use-case we have to support meaning we had to revert this change in 3b0c2d3eaa83 ("Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")"). Link: https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/log/?h=2021-04-15/setfcap-nsfscaps-v4 [1] Link: https://github.com/containers/buildah/issues/3071 [2] Signed-off-by: Serge Hallyn Reviewed-by: Andrew G. Morgan Tested-by: Christian Brauner Reviewed-by: Christian Brauner Tested-by: Giuseppe Scrivano Cc: Eric Biederman Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b571a6302a64fd1d516a1843afc893f0dfdf23d5 Author: Zhen Lei Date: Thu Apr 15 16:34:16 2021 +0800 perf data: Fix error return code in perf_data__create_dir() [ Upstream commit f2211881e737cade55e0ee07cf6a26d91a35a6fe ] Although 'ret' has been initialized to -1, but it will be reassigned by the "ret = open(...)" statement in the for loop. So that, the value of 'ret' is unknown when asprintf() failed. Reported-by: Hulk Robot Signed-off-by: Zhen Lei Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210415083417.3740-1-thunder.leizhen@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 48ec949ac979b4b42d740f67b6177797af834f80 Author: Bjorn Andersson Date: Wed Apr 21 10:40:07 2021 -0700 net: qrtr: Avoid potential use after free in MHI send commit 47a017f33943278570c072bc71681809b2567b3a upstream. It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb. As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb to be used after free and potentially the sk to drop its last refcount.. Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer") Signed-off-by: Bjorn Andersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2fa15d61e4cbaaa1d1250e67b251ff96952fa614 Author: Daniel Borkmann Date: Thu Apr 29 15:19:37 2021 +0000 bpf: Fix leakage of uninitialized bpf stack under speculation commit 801c6058d14a82179a7ee17a4b532cac6fad067f upstream. The current implemented mechanisms to mitigate data disclosure under speculation mainly address stack and map value oob access from the speculative domain. However, Piotr discovered that uninitialized BPF stack is not protected yet, and thus old data from the kernel stack, potentially including addresses of kernel structures, could still be extracted from that 512 bytes large window. The BPF stack is special compared to map values since it's not zero initialized for every program invocation, whereas map values /are/ zero initialized upon their initial allocation and thus cannot leak any prior data in either domain. In the non-speculative domain, the verifier ensures that every stack slot read must have a prior stack slot write by the BPF program to avoid such data leaking issue. However, this is not enough: for example, when the pointer arithmetic operation moves the stack pointer from the last valid stack offset to the first valid offset, the sanitation logic allows for any intermediate offsets during speculative execution, which could then be used to extract any restricted stack content via side-channel. Given for unprivileged stack pointer arithmetic the use of unknown but bounded scalars is generally forbidden, we can simply turn the register-based arithmetic operation into an immediate-based arithmetic operation without the need for masking. This also gives the benefit of reducing the needed instructions for the operation. Given after the work in 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask"), the aux->alu_limit already holds the final immediate value for the offset register with the known scalar. Thus, a simple mov of the immediate to AX register with using AX as the source for the original instruction is sufficient and possible now in this case. Reported-by: Piotr Krysiuk Signed-off-by: Daniel Borkmann Tested-by: Piotr Krysiuk Reviewed-by: Piotr Krysiuk Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 2cfa537674cd1051a3b8111536d77d0558f33d5d Author: Daniel Borkmann Date: Fri Apr 30 16:21:46 2021 +0200 bpf: Fix masking negation logic upon negative dst register commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream. The negation logic for the case where the off_reg is sitting in the dst register is not correct given then we cannot just invert the add to a sub or vice versa. As a fix, perform the final bitwise and-op unconditionally into AX from the off_reg, then move the pointer from the src to dst and finally use AX as the source for the original pointer arithmetic operation such that the inversion yields a correct result. The single non-AX mov in between is possible given constant blinding is retaining it as it's not an immediate based operation. Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") Signed-off-by: Daniel Borkmann Tested-by: Piotr Krysiuk Reviewed-by: Piotr Krysiuk Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit a41c193d004eac7c4daf5166030001d9763a6ebe Author: Nick Lowe Date: Mon Dec 21 22:25:02 2020 +0000 igb: Enable RSS for Intel I211 Ethernet Controller commit 6e6026f2dd2005844fb35c3911e8083c09952c6c upstream. The Intel I211 Ethernet Controller supports 2 Receive Side Scaling (RSS) queues. It should not be excluded from having this feature enabled. Via commit c883de9fd787 ("igb: rename igb define to be more generic") E1000_MRQC_ENABLE_RSS_4Q was renamed to E1000_MRQC_ENABLE_RSS_MQ to indicate that this is a generic bit flag to enable queues and not a flag that is specific to devices that support 4 queues The bit flag enables 2, 4 or 8 queues appropriately depending on the part. Tested with a multicore CPU and frames were then distributed as expected. This issue appears to have been introduced because of confusion caused by the prior name. Signed-off-by: Nick Lowe Tested-by: David Switzer Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 2e68890993d0940cedc1f0369282256854293a93 Author: Phillip Potter Date: Thu Apr 1 23:36:07 2021 +0100 net: usb: ax88179_178a: initialize local variables before use commit bd78980be1a68d14524c51c4b4170782fada622b upstream. Use memset to initialize local array in drivers/net/usb/ax88179_178a.c, and also set a local u16 and u32 variable to 0. Fixes a KMSAN found uninit-value bug reported by syzbot at: https://syzkaller.appspot.com/bug?id=00371c73c72f72487c1d0bfe0cc9d00de339d5aa Reported-by: syzbot+4993e4a0e237f1b53747@syzkaller.appspotmail.com Signed-off-by: Phillip Potter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d3598eb3915cc0c0d8cab42f4a6258ff44c4033e Author: Jonathon Reinhart Date: Mon Apr 12 00:24:53 2021 -0400 netfilter: conntrack: Make global sysctls readonly in non-init netns commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream. These sysctls point to global variables: - NF_SYSCTL_CT_MAX (&nf_conntrack_max) - NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max) - NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user) Because their data pointers are not updated to point to per-netns structures, they must be marked read-only in a non-init_net ns. Otherwise, changes in any net namespace are reflected in (leaked into) all other net namespaces. This problem has existed since the introduction of net namespaces. The current logic marks them read-only only if the net namespace is owned by an unprivileged user (other than init_user_ns). Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") "exposes all sysctls even if the namespace is unpriviliged." Since we need to mark them readonly in any case, we can forego the unprivileged user check altogether. Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") Signed-off-by: Jonathon Reinhart Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c239bfc2e4aca29bfd02e9f63d32763f528bbfdf Author: Romain Naour Date: Tue Apr 20 22:12:10 2021 +0100 mips: Do not include hi and lo in clobber list for R6 commit 1d7ba0165d8206ac073f7ac3b14fc0836b66eae7 upstream. From [1] "GCC 10 (PR 91233) won't silently allow registers that are not architecturally available to be present in the clobber list anymore, resulting in build failure for mips*r6 targets in form of: ... .../sysdep.h:146:2: error: the register ‘lo’ cannot be clobbered in ‘asm’ for the current target 146 | __asm__ volatile ( \ | ^~~~~~~ This is because base R6 ISA doesn't define hi and lo registers w/o DSP extension. This patch provides the alternative clobber list for r6 targets that won't include those registers." Since kernel 5.4 and mips support for generic vDSO [2], the kernel fail to build for mips r6 cpus with gcc 10 for the same reason as glibc. [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=020b2a97bb15f807c0482f0faee2184ed05bcad8 [2] '24640f233b46 ("mips: Add support for generic vDSO")' Signed-off-by: Romain Naour Signed-off-by: Sudip Mukherjee Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 0aa66717f684f0280cc9bccf50f603e80d05495b Author: Greg Kroah-Hartman Date: Sun May 2 11:06:09 2021 +0200 Linux 5.10.34 Tested-by: Jon Hunter Tested-by: Fox Chen Tested-by: Linux Kernel Functional Testing Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20210430141910.693887691@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 47d54b99010363ab6f0f6dae582cff517c283946 Author: Tomas Winkler Date: Wed Apr 14 07:52:00 2021 +0300 mei: me: add Alder Lake P device id. commit 0df74278faedf20f9696bf2755cf0ce34afa4c3a upstream. Add Alder Lake P device ID. Cc: Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20210414045200.3498241-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 2a442f11407ec9c9bc9b84d7155484f2b60d01f9 Author: Jiri Kosina Date: Sat Apr 17 11:13:39 2021 +0200 iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd() commit e7020bb068d8be50a92f48e36b236a1a1ef9282e upstream. Analogically to what we did in 2800aadc18a6 ("iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd()"), we must apply the same fix to iwl_pcie_gen2_enqueue_hcmd(), as it's being called from exactly the same contexts. Reported-by: Heiner Kallweit Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2104171112390.18270@cbobk.fhfr.pm Signed-off-by: Greg Kroah-Hartman commit 8bd8301ccc115b7885517077a097ee028fcb1ec2 Author: Greg Kroah-Hartman Date: Wed Apr 28 13:40:03 2021 +0200 Linux 5.10.33 Tested-by: Jon Hunter Tested-by: Fox Chen Tested-By: Patrick McCormick Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Salvatore Bonaccorso Tested-by: Sudip Mukherjee Tested-by: Jason Self Tested-by: Shuah Khan Tested-by: Hulk Robot Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Andrei Rabusov Link: https://lore.kernel.org/r/20210426072818.777662399@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 8a661bad6cee44d897f9840995f2caf81e1fea49 Author: Oliver Neukum Date: Wed Apr 21 09:45:13 2021 +0200 USB: CDC-ACM: fix poison/unpoison imbalance commit a8b3b519618f30a87a304c4e120267ce6f8dc68a upstream. suspend() does its poisoning conditionally, resume() does it unconditionally. On a device with combined interfaces this will balance, on a device with two interfaces the counter will go negative and resubmission will fail. Both actions need to be done conditionally. Fixes: 6069e3e927c8f ("USB: cdc-acm: untangle a circular dependency between callback and softint") Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20210421074513.4327-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 90642ee9eb581a13569b1c0bd57e85d962215273 Author: Johan Hovold Date: Mon Apr 26 10:11:49 2021 +0200 net: hso: fix NULL-deref on disconnect regression commit 2ad5692db72874f02b9ad551d26345437ea4f7f3 upstream. Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead. Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister(). Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") Cc: stable@vger.kernel.org Cc: Anirudh Rayabharam Reported-by: Leonardo Antoniazzi Signed-off-by: Johan Hovold Reviewed-by: Anirudh Rayabharam Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 31720f9e87c032b74de9661e67cfc01414d27052 Author: Mike Galbraith Date: Fri Apr 16 14:02:07 2021 +0200 x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access commit 5849cdf8c120e3979c57d34be55b92d90a77a47e upstream. Commit in Fixes: added support for kexec-ing a kernel on panic using a new system call. As part of it, it does prepare a memory map for the new kernel. However, while doing so, it wrongly accesses memory it has not allocated: it accesses the first element of the cmem->ranges[] array in memmap_exclude_ranges() but it has not allocated the memory for it in crash_setup_memmap_entries(). As KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in crash_setup_memmap_entries+0x17e/0x3a0 Write of size 8 at addr ffffc90000426008 by task kexec/1187 (gdb) list *crash_setup_memmap_entries+0x17e 0xffffffff8107cafe is in crash_setup_memmap_entries (arch/x86/kernel/crash.c:322). 317 unsigned long long mend) 318 { 319 unsigned long start, end; 320 321 cmem->ranges[0].start = mstart; 322 cmem->ranges[0].end = mend; 323 cmem->nr_ranges = 1; 324 325 /* Exclude elf header region */ 326 start = image->arch.elf_load_addr; (gdb) Make sure the ranges array becomes a single element allocated. [ bp: Write a proper commit message. ] Fixes: dd5f726076cc ("kexec: support for kexec on panic using new system call") Signed-off-by: Mike Galbraith Signed-off-by: Borislav Petkov Reviewed-by: Dave Young Cc: Link: https://lkml.kernel.org/r/725fa3dc1da2737f0f6188a1a9701bead257ea9d.camel@gmx.de Signed-off-by: Greg Kroah-Hartman commit bed21bed2e79eb3687370bec6eaa36c4857c40db Author: John Paul Adrian Glaubitz Date: Fri Apr 16 15:46:15 2021 -0700 ia64: tools: remove duplicate definition of ia64_mf() on ia64 [ Upstream commit f4bf09dc3aaa4b07cd15630f2023f68cb2668809 ] The ia64_mf() macro defined in tools/arch/ia64/include/asm/barrier.h is already defined in on ia64 which causes libbpf failing to build: CC /usr/src/linux/tools/bpf/bpftool//libbpf/staticobjs/libbpf.o In file included from /usr/src/linux/tools/include/asm/barrier.h:24, from /usr/src/linux/tools/include/linux/ring_buffer.h:4, from libbpf.c:37: /usr/src/linux/tools/include/asm/../../arch/ia64/include/asm/barrier.h:43: error: "ia64_mf" redefined [-Werror] 43 | #define ia64_mf() asm volatile ("mf" ::: "memory") | In file included from /usr/include/ia64-linux-gnu/asm/intrinsics.h:20, from /usr/include/ia64-linux-gnu/asm/swab.h:11, from /usr/include/linux/swab.h:8, from /usr/include/linux/byteorder/little_endian.h:13, from /usr/include/ia64-linux-gnu/asm/byteorder.h:5, from /usr/src/linux/tools/include/uapi/linux/perf_event.h:20, from libbpf.c:36: /usr/include/ia64-linux-gnu/asm/gcc_intrin.h:382: note: this is the location of the previous definition 382 | #define ia64_mf() __asm__ volatile ("mf" ::: "memory") | cc1: all warnings being treated as errors Thus, remove the definition from tools/arch/ia64/include/asm/barrier.h. Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ba0910ad1c5770ff74b71000b131a7965c373c30 Author: Randy Dunlap Date: Fri Apr 16 15:46:09 2021 -0700 ia64: fix discontig.c section mismatches [ Upstream commit e2af9da4f867a1a54f1252bf3abc1a5c63951778 ] Fix IA64 discontig.c Section mismatch warnings. When CONFIG_SPARSEMEM=y and CONFIG_MEMORY_HOTPLUG=y, the functions computer_pernodesize() and scatter_node_data() should not be marked as __meminit because they are needed after init, on any memory hotplug event. Also, early_nr_cpus_node() is called by compute_pernodesize(), so early_nr_cpus_node() cannot be __meminit either. WARNING: modpost: vmlinux.o(.text.unlikely+0x1612): Section mismatch in reference from the function arch_alloc_nodedata() to the function .meminit.text:compute_pernodesize() The function arch_alloc_nodedata() references the function __meminit compute_pernodesize(). This is often because arch_alloc_nodedata lacks a __meminit annotation or the annotation of compute_pernodesize is wrong. WARNING: modpost: vmlinux.o(.text.unlikely+0x1692): Section mismatch in reference from the function arch_refresh_nodedata() to the function .meminit.text:scatter_node_data() The function arch_refresh_nodedata() references the function __meminit scatter_node_data(). This is often because arch_refresh_nodedata lacks a __meminit annotation or the annotation of scatter_node_data is wrong. WARNING: modpost: vmlinux.o(.text.unlikely+0x1502): Section mismatch in reference from the function compute_pernodesize() to the function .meminit.text:early_nr_cpus_node() The function compute_pernodesize() references the function __meminit early_nr_cpus_node(). This is often because compute_pernodesize lacks a __meminit annotation or the annotation of early_nr_cpus_node is wrong. Link: https://lkml.kernel.org/r/20210411001201.3069-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f4a777bcc8d194cdaae1220d35073fe2828dbb3d Author: Randy Dunlap Date: Fri Apr 16 15:46:03 2021 -0700 csky: change a Kconfig symbol name to fix e1000 build error [ Upstream commit d199161653d612b8fb96ac51bfd5b2d2782ecef3 ] e1000's #define of CONFIG_RAM_BASE conflicts with a Kconfig symbol in arch/csky/Kconfig. The symbol in e1000 has been around longer, so change arch/csky/ to use DRAM_BASE instead of RAM_BASE to remove the conflict. (although e1000 is also a 2-line change) Link: https://lkml.kernel.org/r/20210411055335.7111-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Reported-by: kernel test robot Acked-by: Guo Ren Cc: Jesse Brandeburg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 393200a1b095bb5bae17ed06340f4848f5cc152a Author: Arnd Bergmann Date: Fri Apr 16 15:45:57 2021 -0700 kasan: fix hwasan build for gcc [ Upstream commit 5c595ac4c776c44b5c59de22ab43b3fe256d9fbb ] gcc-11 adds support for -fsanitize=kernel-hwaddress, so it becomes possible to enable CONFIG_KASAN_SW_TAGS. Unfortunately this fails to build at the moment, because the corresponding command line arguments use llvm specific syntax. Change it to use the cc-param macro instead, which works on both clang and gcc. [elver@google.com: fixup for "kasan: fix hwasan build for gcc"] Link: https://lkml.kernel.org/r/YHQZVfVVLE/LDK2v@elver.google.com Link: https://lkml.kernel.org/r/20210323124112.1229772-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Marco Elver Reviewed-by: Marco Elver Acked-by: Andrey Konovalov Cc: Masahiro Yamada Cc: Michal Marek Cc: Andrey Ryabinin Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Alexander Potapenko Cc: Dmitry Vyukov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f2b46286e3260c8f416af8b1360a0d3858db618e Author: Wan Jiabing Date: Wed Apr 14 19:31:48 2021 +0800 cavium/liquidio: Fix duplicate argument [ Upstream commit 416dcc5ce9d2a810477171c62ffa061a98f87367 ] Fix the following coccicheck warning: ./drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h:413:6-28: duplicated argument to & or | The CN6XXX_INTR_M1UPB0_ERR here is duplicate. Here should be CN6XXX_INTR_M1UNB0_ERR. Signed-off-by: Wan Jiabing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1bfefd866195987ded82605dc417c1a2ba523bf7 Author: Michael Brown Date: Tue Apr 13 16:25:12 2021 +0100 xen-netback: Check for hotplug-status existence before watching [ Upstream commit 2afeec08ab5c86ae21952151f726bfe184f6b23d ] The logic in connect() is currently written with the assumption that xenbus_watch_pathfmt() will return an error for a node that does not exist. This assumption is incorrect: xenstore does allow a watch to be registered for a nonexistent node (and will send notifications should the node be subsequently created). As of commit 1f2565780 ("xen-netback: remove 'hotplug-status' once it has served its purpose"), this leads to a failure when a domU transitions into XenbusStateConnected more than once. On the first domU transition into Connected state, the "hotplug-status" node will be deleted by the hotplug_status_changed() callback in dom0. On the second or subsequent domU transition into Connected state, the hotplug_status_changed() callback will therefore never be invoked, and so the backend will remain stuck in InitWait. This failure prevents scenarios such as reloading the xen-netfront module within a domU, or booting a domU via iPXE. There is unfortunately no way for the domU to work around this dom0 bug. Fix by explicitly checking for existence of the "hotplug-status" node, thereby creating the behaviour that was previously assumed to exist. Signed-off-by: Michael Brown Reviewed-by: Paul Durrant Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 509ae27a1874389182b3709de0940a8f8d4dfb8b Author: Jisheng Zhang Date: Mon Apr 12 17:41:01 2021 +0800 arm64: kprobes: Restore local irqflag if kprobes is cancelled [ Upstream commit 738fa58ee1328481d1d7889e7c430b3401c571b9 ] If instruction being single stepped caused a page fault, the kprobes is cancelled to let the page fault handler continue as a normal page fault. But the local irqflags are disabled so cpu will restore pstate with DAIF masked. After pagefault is serviced, the kprobes is triggerred again, we overwrite the saved_irqflag by calling kprobes_save_local_irqflag(). NOTE, DAIF is masked in this new saved irqflag. After kprobes is serviced, the cpu pstate is retored with DAIF masked. This patch is inspired by one patch for riscv from Liao Chang. Signed-off-by: Jisheng Zhang Acked-by: Masami Hiramatsu Link: https://lore.kernel.org/r/20210412174101.6bfb0594@xhacker.debian Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit da99331fc6ce2d25f88d47249f04714633d3f0ec Author: Vasily Gorbik Date: Fri Apr 9 00:15:21 2021 +0200 s390/entry: save the caller of psw_idle [ Upstream commit a994eddb947ea9ebb7b14d9a1267001699f0a136 ] Currently psw_idle does not allocate a stack frame and does not save its r14 and r15 into the save area. Even though this is valid from call ABI point of view, because psw_idle does not make any calls explicitly, in reality psw_idle is an entry point for controlled transition into serving interrupts. So, in practice, psw_idle stack frame is analyzed during stack unwinding. Depending on build options that r14 slot in the save area of psw_idle might either contain a value saved by previous sibling call or complete garbage. [task 0000038000003c28] do_ext_irq+0xd6/0x160 [task 0000038000003c78] ext_int_handler+0xba/0xe8 [task *0000038000003dd8] psw_idle_exit+0x0/0x8 <-- pt_regs ([task 0000038000003dd8] 0x0) [task 0000038000003e10] default_idle_call+0x42/0x148 [task 0000038000003e30] do_idle+0xce/0x160 [task 0000038000003e70] cpu_startup_entry+0x36/0x40 [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 So, to make a stacktrace nicer and actually point for the real caller of psw_idle in this frequently occurring case, make psw_idle save its r14. [task 0000038000003c28] do_ext_irq+0xd6/0x160 [task 0000038000003c78] ext_int_handler+0xba/0xe8 [task *0000038000003dd8] psw_idle_exit+0x0/0x6 <-- pt_regs ([task 0000038000003dd8] arch_cpu_idle+0x3c/0xd0) [task 0000038000003e10] default_idle_call+0x42/0x148 [task 0000038000003e30] do_idle+0xce/0x160 [task 0000038000003e70] cpu_startup_entry+0x36/0x40 [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 Reviewed-by: Sven Schnelle Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit d33031a894d2f6476e54cccfbfa9f7971e5522af Author: Dinghao Liu Date: Fri Apr 9 16:28:05 2021 +0800 dmaengine: tegra20: Fix runtime PM imbalance on error [ Upstream commit 917a3200b9f467a154999c7572af345f2470aaf4 ] pm_runtime_get_sync() will increase the runtime PM counter even it returns an error. Thus a pairing decrement is needed to prevent refcount leak. Fix this by replacing this API with pm_runtime_resume_and_get(), which will not change the runtime PM counter on error. Signed-off-by: Dinghao Liu Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20210409082805.23643-1-dinghao.liu@zju.edu.cn Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 66d0cf7dcaa1093b7bc3f6e8995240b8be8b287d Author: Phillip Potter Date: Sun Apr 11 12:28:24 2021 +0100 net: geneve: check skb is large enough for IPv4/IPv6 header [ Upstream commit 6628ddfec7580882f11fdc5c194a8ea781fdadfa ] Check within geneve_xmit_skb/geneve6_xmit_skb that sk_buff structure is large enough to include IPv4 or IPv6 header, and reject if not. The geneve_xmit_skb portion and overall idea was contributed by Eric Dumazet. Fixes a KMSAN-found uninit-value bug reported by syzbot at: https://syzkaller.appspot.com/bug?id=abe95dc3e3e9667fc23b8d81f29ecad95c6f106f Suggested-by: Eric Dumazet Reported-by: syzbot+2e406a9ac75bb71d4b7a@syzkaller.appspotmail.com Signed-off-by: Phillip Potter Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6ce64437224df9f28bb4bc17a4b5363560dcc79a Author: Tony Lindgren Date: Wed Mar 24 15:10:32 2021 +0200 ARM: dts: Fix swapped mmc order for omap3 [ Upstream commit a1ebdb3741993f853865d1bd8f77881916ad53a7 ] Also some omap3 devices like n900 seem to have eMMC and micro-sd swapped around with commit 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.4"). Let's fix the issue with aliases as discussed on the mailing lists. While the mmc aliases should be board specific, let's first fix the issue with minimal changes. Cc: Aaro Koskinen Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit db010ba54a96128f65b388c46875e7b991982ba4 Author: Laurent Pinchart Date: Sun Mar 7 06:06:29 2021 +0200 dmaengine: xilinx: dpdma: Fix race condition in done IRQ [ Upstream commit 868833fbffbe51c487df4f95d4de9194264a4b30 ] The active descriptor pointer is accessed from different contexts, including different interrupt handlers, and its access must be protected by the channel's lock. This wasn't done in the done IRQ handler. Fix it. Signed-off-by: Laurent Pinchart Link: https://lore.kernel.org/r/20210307040629.29308-3-laurent.pinchart@ideasonboard.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit e8d9a93ec46e52188a95bc87924681c379e359cd Author: Laurent Pinchart Date: Sun Mar 7 06:06:28 2021 +0200 dmaengine: xilinx: dpdma: Fix descriptor issuing on video group [ Upstream commit 1cbd44666216278bbb6a55bcb6b9283702171c77 ] When multiple channels are part of a video group, the transfer is triggered only when all channels in the group are ready. The logic to do so is incorrect, as it causes the descriptors for all channels but the last one in a group to not being pushed to the hardware. Fix it. Signed-off-by: Laurent Pinchart Link: https://lore.kernel.org/r/20210307040629.29308-2-laurent.pinchart@ideasonboard.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit eb2c81ee764db18e525e0f701540afef4025a571 Author: Shawn Guo Date: Thu Jan 14 19:29:28 2021 +0800 soc: qcom: geni: shield geni_icc_get() for ACPI boot [ Upstream commit 0c9fdcdba68208270ae85d39600ea97da1718344 ] Currently, GENI devices like i2c-qcom-geni fails to probe in ACPI boot, if interconnect support is enabled. That's because interconnect driver only supports DT right now. As interconnect is not necessarily required for basic function of GENI devices, let's shield geni_icc_get() call, and then all other ICC calls become nop due to NULL icc_path, so that GENI devices keep working for ACPI boot. Reviewed-by: Bjorn Andersson Signed-off-by: Shawn Guo Link: https://lore.kernel.org/r/20210114112928.11368-1-shawn.guo@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 8c4bfe30eb555bf72e2b675597a8c9304e85d376 Author: Jiapeng Zhong Date: Wed Jan 20 15:34:30 2021 +0800 HID: wacom: Assign boolean values to a bool variable [ Upstream commit e29c62ffb008829dc8bcc0a2ec438adc25a8255e ] Fix the following coccicheck warnings: ./drivers/hid/wacom_wac.c:2536:2-6: WARNING: Assignment of 0/1 to bool variable. Reported-by: Abaci Robot Signed-off-by: Jiapeng Zhong Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit e913cbc952c300cd99ce40538b1c53438f9f7ffd Author: Douglas Gilbert Date: Sat Jan 9 17:36:58 2021 -0500 HID cp2112: fix support for multiple gpiochips [ Upstream commit 2a2b09c867fdac63f430a45051e7bd0c46edc381 ] In lk 5.11.0-rc2 connecting a USB based Silicon Labs HID to I2C bridge evaluation board (CP2112EK) causes this warning: gpio gpiochip0: (cp2112_gpio): detected irqchip that is shared with multiple gpiochips: please fix the driver Simply copy what other gpio related drivers do to fix this particular warning: replicate the struct irq_chip object in each device instance rather than have a static object which makes that object (incorrectly) shared by each device. Signed-off-by: Douglas Gilbert Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit f691dc86411d80005dcf26fedd5c95c834a9da09 Author: Jia-Ju Bai Date: Thu Mar 4 05:19:57 2021 -0800 HID: alps: fix error return code in alps_input_configured() [ Upstream commit fa8ba6e5dc0e78e409e503ddcfceef5dd96527f4 ] When input_register_device() fails, no error return code is assigned. To fix this bug, ret is assigned with -ENOENT as error return code. Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 079e32723f78ef814f3973b4598b581275463836 Author: Shou-Chieh Hsu Date: Tue Mar 2 11:58:01 2021 +0800 HID: google: add don USB id [ Upstream commit 36b87cf302a4f13f8b4344bcf98f67405a145e2f ] Add 1 additional hammer-like device. Signed-off-by: Shou-Chieh Hsu Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit ffe249b4fc2ce48a6e32485bd593a28e00448128 Author: Zhen Lei Date: Thu Apr 15 17:27:44 2021 +0800 perf map: Fix error return code in maps__clone() [ Upstream commit c6f87141254d16e281e4b4431af7316895207b8f ] Although 'err' has been initialized to -ENOMEM, but it will be reassigned by the "err = unwind__prepare_access(...)" statement in the for loop. So that, the value of 'err' is unknown when map__clone() failed. Fixes: 6c502584438bda63 ("perf unwind: Call unwind__prepare_access for forked thread") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: zhen lei Link: http://lore.kernel.org/lkml/20210415092744.3793-1-thunder.leizhen@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 4d0cfb3713bc3263cd4b6d43d5fcb96c7fdaead3 Author: Leo Yan Date: Tue Apr 20 23:15:53 2021 +0800 perf auxtrace: Fix potential NULL pointer dereference [ Upstream commit b14585d9f18dc617e975815570fe836be656b1da ] In the function auxtrace_parse_snapshot_options(), the callback pointer "itr->parse_snapshot_options" can be NULL if it has not been set during the AUX record initialization. This can cause tool crashing if the callback pointer "itr->parse_snapshot_options" is dereferenced without performing NULL check. Add a NULL check for the pointer "itr->parse_snapshot_options" before invoke the callback. Fixes: d20031bb63dd6dde ("perf tools: Add AUX area tracing Snapshot Mode") Signed-off-by: Leo Yan Acked-by: Adrian Hunter Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Tiezhu Yang Link: http://lore.kernel.org/lkml/20210420151554.2031768-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit ab112cc573ccde3cff7e9159d5fe21c793242b55 Author: Jim Mattson Date: Wed Apr 21 17:18:34 2021 -0700 perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] [ Upstream commit 4b2f1e59229b9da319d358828cdfa4ddbc140769 ] The only stepping of Broadwell Xeon parts is stepping 1. Fix the relevant isolation_ucodes[] entry, which previously enumerated stepping 2. Although the original commit was characterized as an optimization, it is also a workaround for a correctness issue. If a PMI arrives between kvm's call to perf_guest_get_msrs() and the subsequent VM-entry, a stale value for the IA32_PEBS_ENABLE MSR may be restored at the next VM-exit. This is because, unbeknownst to kvm, PMI throttling may clear bits in the IA32_PEBS_ENABLE MSR. CPUs with "PEBS isolation" don't suffer from this issue, because perf_guest_get_msrs() doesn't report the IA32_PEBS_ENABLE value. Fixes: 9b545c04abd4f ("perf/x86/kvm: Avoid unnecessary work in guest filtering") Signed-off-by: Jim Mattson Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Peter Shier Acked-by: Andi Kleen Link: https://lkml.kernel.org/r/20210422001834.1748319-1-jmattson@google.com Signed-off-by: Sasha Levin commit 6f8315e5d9511ed1cf28ee2afbc9f89ff693de7b Author: Kan Liang Date: Thu Apr 15 14:22:43 2021 -0700 perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 [ Upstream commit 9d480158ee86ad606d3a8baaf81e6b71acbfd7d5 ] There may be a kernel panic on the Haswell server and the Broadwell server, if the snbep_pci2phy_map_init() return error. The uncore_extra_pci_dev[HSWEP_PCI_PCU_3] is used in the cpu_init() to detect the existence of the SBOX, which is a MSR type of PMON unit. The uncore_extra_pci_dev is allocated in the uncore_pci_init(). If the snbep_pci2phy_map_init() returns error, perf doesn't initialize the PCI type of the PMON units, so the uncore_extra_pci_dev will not be allocated. But perf may continue initializing the MSR type of PMON units. A null dereference kernel panic will be triggered. The sockets in a Haswell server or a Broadwell server are identical. Only need to detect the existence of the SBOX once. Current perf probes all available PCU devices and stores them into the uncore_extra_pci_dev. It's unnecessary. Use the pci_get_device() to replace the uncore_extra_pci_dev. Only detect the existence of the SBOX on the first available PCU device once. Factor out hswep_has_limit_sbox(), since the Haswell server and the Broadwell server uses the same way to detect the existence of the SBOX. Add some macros to replace the magic number. Fixes: 5306c31c5733 ("perf/x86/uncore/hsw-ep: Handle systems with only two SBOXes") Reported-by: Steve Wahl Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Tested-by: Steve Wahl Link: https://lkml.kernel.org/r/1618521764-100923-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit 82fa9ced35d88581cffa4a1c856fc41fca96d80a Author: Ali Saidi Date: Thu Apr 15 17:27:11 2021 +0000 locking/qrwlock: Fix ordering in queued_write_lock_slowpath() [ Upstream commit 84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 ] While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn’t ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. Fixes: b519b56e378ee ("locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock") Signed-off-by: Ali Saidi [peterz: use try_cmpxchg()] Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steve Capper Acked-by: Will Deacon Acked-by: Waiman Long Tested-by: Steve Capper Signed-off-by: Sasha Levin commit b642e493a9a0ed56be3b8cfcfb95fe3c7cea0b55 Author: Daniel Borkmann Date: Wed Mar 24 10:38:26 2021 +0100 bpf: Tighten speculative pointer arithmetic mask [ Upstream commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 ] This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space. Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit. For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states. Reported-by: Piotr Krysiuk Reported-by: Benedict Schlueter Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Tested-by: Benedict Schlueter Signed-off-by: Sasha Levin commit 2982ea926b5cb97ff79fbb27eba72521568811ff Author: Daniel Borkmann Date: Tue Mar 23 15:05:48 2021 +0100 bpf: Refactor and streamline bounds check into helper [ Upstream commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 ] Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit f3c4b01689d392373301e6e60d1b02c5b4020afc Author: Andrei Matei Date: Sat Feb 6 20:10:24 2021 -0500 bpf: Allow variable-offset stack access [ Upstream commit 01f810ace9ed37255f27608a0864abebccf0aab3 ] Before this patch, variable offset access to the stack was dissalowed for regular instructions, but was allowed for "indirect" accesses (i.e. helpers). This patch removes the restriction, allowing reading and writing to the stack through stack pointers with variable offsets. This makes stack-allocated buffers more usable in programs, and brings stack pointers closer to other types of pointers. The motivation is being able to use stack-allocated buffers for data manipulation. When the stack size limit is sufficient, allocating buffers on the stack is simpler than per-cpu arrays, or other alternatives. In unpriviledged programs, variable-offset reads and writes are disallowed (they were already disallowed for the indirect access case) because the speculative execution checking code doesn't support them. Additionally, when writing through a variable-offset stack pointer, if any pointers are in the accessible range, there's possilibities of later leaking pointers because the write cannot be tracked precisely. Writes with variable offset mark the whole range as initialized, even though we don't know which stack slots are actually written. This is in order to not reject future reads to these slots. Note that this doesn't affect writes done through helpers; like before, helpers need the whole stack range to be initialized to begin with. All the stack slots are in range are considered scalars after the write; variable-offset register spills are not tracked. For reads, all the stack slots in the variable range needs to be initialized (but see above about what writes do), otherwise the read is rejected. All register spilled in stack slots that might be read are marked as having been read, however reads through such pointers don't do register filling; the target register will always be either a scalar or a constant zero. Signed-off-by: Andrei Matei Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210207011027.676572-2-andreimatei1@gmail.com Signed-off-by: Sasha Levin commit f79efcb0075a20633cbf9b47759f2c0d538f78d8 Author: Yonghong Song Date: Wed Dec 9 17:33:49 2020 -0800 bpf: Permits pointers on stack for helper calls [ Upstream commit cd17d38f8b28f808c368121041c0a4fa91757e0d ] Currently, when checking stack memory accessed by helper calls, for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are allowed. Song discovered an issue where the below bpf program int dump_task(struct bpf_iter__task *ctx) { struct seq_file *seq = ctx->meta->seq; static char[] info = "abc"; BPF_SEQ_PRINTF(seq, "%s\n", info); return 0; } may cause a verifier failure. The verifier output looks like: ; struct seq_file *seq = ctx->meta->seq; 1: (79) r1 = *(u64 *)(r1 +0) ; BPF_SEQ_PRINTF(seq, "%s\n", info); 2: (18) r2 = 0xffff9054400f6000 4: (7b) *(u64 *)(r10 -8) = r2 5: (bf) r4 = r10 ; 6: (07) r4 += -8 ; BPF_SEQ_PRINTF(seq, "%s\n", info); 7: (18) r2 = 0xffff9054400fe000 9: (b4) w3 = 4 10: (b4) w5 = 8 11: (85) call bpf_seq_printf#126 R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0) R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value last_idx 11 first_idx 0 regs=8 stack=0 before 10: (b4) w5 = 8 regs=8 stack=0 before 9: (b4) w3 = 4 invalid indirect read from stack off -8+0 size 8 Basically, the verifier complains the map_value pointer at "fp-8" location. To fix the issue, if env->allow_ptr_leaks is true, let us also permit pointers on the stack to be accessible by the helper. Reported-by: Song Liu Suggested-by: Alexei Starovoitov Signed-off-by: Yonghong Song Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20201210013349.943719-1-yhs@fb.com Signed-off-by: Sasha Levin commit edc5d16013895b42ac9fb67542d99b9689c11ac2 Author: Andre Przywara Date: Wed Apr 14 11:47:40 2021 +0100 arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS [ Upstream commit 4d09ccc4a81e7de6b002482af554d8b5626f5041 ] Commit 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") enabled the card detect GPIO for the SOPine module, along the way with the Pine64-LTS, which share the same base .dtsi. This was based on the observation that the Pine64-LTS has as "push-push" SD card socket, and that the schematic mentions the card detect GPIO. After having received two reports about failing SD card access with that patch, some more research and polls on that subject revealed that there are at least two different versions of the Pine64-LTS out there: - On some boards (including mine) the card detect pin is "stuck" at high, regardless of an microSD card being inserted or not. - On other boards the card-detect is working, but is active-high, by virtue of an explicit inverter circuit, as shown in the schematic. To cover all versions of the board out there, and don't take any chances, let's revert the introduction of the active-low CD GPIO, but let's use the broken-cd property for the Pine64-LTS this time. That should avoid regressions and should work for everyone, even allowing SD card changes now. The SOPine card detect has proven to be working, so let's keep that GPIO in place. Fixes: 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") Reported-by: Michael Weiser Reported-by: Daniel Kulesz Suggested-by: Chen-Yu Tsai Signed-off-by: Andre Przywara Tested-by: Michael Weiser Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210414104740.31497-1-andre.przywara@arm.com Signed-off-by: Sasha Levin commit 83d93d05376a807e0fccc60788193ced671fbf40 Author: Andy Shevchenko Date: Thu Apr 15 16:03:56 2021 +0300 pinctrl: core: Show pin numbers for the controllers with base = 0 [ Upstream commit 482715ff0601c836152b792f06c353464d826b9b ] The commit f1b206cf7c57 ("pinctrl: core: print gpio in pins debugfs file") enabled GPIO pin number and label in debugfs for pin controller. However, it limited that feature to the chips where base is positive number. This, in particular, excluded chips where base is 0 for the historical or backward compatibility reasons. Refactor the code to include the latter as well. Fixes: f1b206cf7c57 ("pinctrl: core: print gpio in pins debugfs file") Cc: Drew Fustini Signed-off-by: Andy Shevchenko Tested-by: Drew Fustini Reviewed-by: Drew Fustini Link: https://lore.kernel.org/r/20210415130356.15885-1-andriy.shevchenko@linux.intel.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit fc2454cc0c4bbf3ab7556c8b38e042c6c7651e42 Author: Christoph Hellwig Date: Wed Apr 21 18:05:02 2021 +0200 block: return -EBUSY when there are open partitions in blkdev_reread_part [ Upstream commit 68e6582e8f2dc32fd2458b9926564faa1fb4560e ] The switch to go through blkdev_get_by_dev means we now ignore the return value from bdev_disk_changed in __blkdev_get. Add a manual check to restore the old semantics. Fixes: 4601b4b130de ("block: reopen the device in blkdev_reread_part") Reported-by: Karel Zak Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20210421160502.447418-1-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2bbd8aafde362e2d2bb3af3ce2ea400c3860073f Author: Yuanyuan Zhong Date: Mon Apr 12 17:17:59 2021 -0600 pinctrl: lewisburg: Update number of pins in community [ Upstream commit 196d941753297d0ca73c563ccd7d00be049ec226 ] When updating pin names for Intel Lewisburg, the numbers of pins were left behind. Update them accordingly. Fixes: e66ff71fd0db ("pinctrl: lewisburg: Update pin list according to v1.1v6") Signed-off-by: Yuanyuan Zhong Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit a8cd07e4400d66c3304a38c5796a41c10ad76743 Author: Eli Cohen Date: Sun Apr 11 11:36:46 2021 +0300 vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails [ Upstream commit be286f84e33da1a7f83142b64dbd86f600e73363 ] Set err = -ENOMEM if dma_map_sg_attrs() fails so the function reutrns error. Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code") Signed-off-by: Eli Cohen Reported-by: kernel test robot Reported-by: Dan Carpenter Link: https://lore.kernel.org/r/20210411083646.910546-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Reviewed-by: Stefano Garzarella Signed-off-by: Sasha Levin commit bf84ef2dd2ccdcd8f2658476d34b51455f970ce4 Author: James Bottomley Date: Wed Apr 21 15:42:47 2021 -0700 KEYS: trusted: Fix TPM reservation for seal/unseal [ Upstream commit 9d5171eab462a63e2fbebfccf6026e92be018f20 ] The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ But somehow got rebased so that the tpm_try_get_ops() in tpm2_seal_trusted() got lost. This causes an imbalanced put of the TPM ops and causes oopses on TIS based hardware. This fix puts back the lost tpm_try_get_ops() Fixes: 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") Reported-by: Mimi Zohar Acked-by: Mimi Zohar Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit 9857fccd653c0d820d45be5baea64ab731f4557e Author: Tony Lindgren Date: Sat Apr 17 11:38:39 2021 +0300 gpio: omap: Save and restore sysconfig [ Upstream commit ddd8d94ca31e768c76cf8bfe34ba7b10136b3694 ] As we are using cpu_pm to save and restore context, we must also save and restore the GPIO sysconfig register. This is needed because we are not calling PM runtime functions at all with cpu_pm. We need to save the sysconfig on idle as it's value can get reconfigured by PM runtime and can be different from the init time value. Device specific flags like "ti,no-idle-on-init" can affect the init value. Fixes: b764a5863fd8 ("gpio: omap: Remove custom PM calls and use cpu_pm instead") Cc: Aaro Koskinen Cc: Adam Ford Cc: Andreas Kemnade Cc: Grygorii Strashko Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren Acked-by: Grygorii Strashko Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 71777492b745837481630c751111eeb19bb589cf Author: Xie Yongji Date: Mon Apr 12 17:55:12 2021 +0800 vhost-vdpa: protect concurrent access to vhost device iotlb commit a9d064524fc3cf463b3bb14fa63de78aafb40dab upstream. Protect vhost device iotlb by vhost_dev->mutex. Otherwise, it might cause corruption of the list and interval tree in struct vhost_iotlb if userspace sends the VHOST_IOTLB_MSG_V2 message concurrently. Fixes: 4c8cf318("vhost: introduce vDPA-based backend") Cc: stable@vger.kernel.org Signed-off-by: Xie Yongji Acked-by: Jason Wang Reviewed-by: Stefano Garzarella Link: https://lore.kernel.org/r/20210412095512.178-1-xieyongji@bytedance.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit aea70bd5a45591de27aac367af94d184892c06ab Author: Greg Kroah-Hartman Date: Wed Apr 21 13:01:00 2021 +0200 Linux 5.10.32 Tested-by: Fox Chen Tested-By: Patrick McCormick Tested-by: Salvatore Bonaccorso Tested-by: Florian Fainelli Tested-by: Pavel Machek (CIP) Tested-by: Jason Self Tested-by: Shuah Khan Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Sudip Mukherjee Tested-by: Andrei Rabusov Tested-by: Hulk Robot Link: https://lore.kernel.org/r/20210419130527.791982064@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 6ac98ee9cb7c62d2990e984b0df4d443a7769bc2 Author: Pali Rohár Date: Mon Apr 12 18:57:39 2021 +0200 net: phy: marvell: fix detection of PHY on Topaz switches commit 1fe976d308acb6374c899a4ee8025a0a016e453e upstream. Since commit fee2d546414d ("net: phy: marvell: mv88e6390 temperature sensor reading"), Linux reports the temperature of Topaz hwmon as constant -75°C. This is because switches from the Topaz family (88E6141 / 88E6341) have the address of the temperature sensor register different from Peridot. This address is instead compatible with 88E1510 PHYs, as was used for Topaz before the above mentioned commit. Create a new mapping table between switch family and PHY ID for families which don't have a model number. And define PHY IDs for Topaz and Peridot families. Create a new PHY ID and a new PHY driver for Topaz's internal PHY. The only difference from Peridot's PHY driver is the HWMON probing method. Prior this change Topaz's internal PHY is detected by kernel as: PHY [...] driver [Marvell 88E6390] (irq=63) And afterwards as: PHY [...] driver [Marvell 88E6341 Family] (irq=63) Signed-off-by: Pali Rohár BugLink: https://github.com/globalscaletechnologies/linux/issues/1 Fixes: fee2d546414d ("net: phy: marvell: mv88e6390 temperature sensor reading") Reviewed-by: Marek Behún Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fbe6603e7cabad8a203a764300531e9ca811317a Author: Daniel Borkmann Date: Wed Mar 24 11:25:39 2021 +0100 bpf: Move sanitize_val_alu out of op switch commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream. Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 7723d3243857ab20f6450cfbbd765d8594e5e308 Author: Daniel Borkmann Date: Tue Mar 23 09:30:01 2021 +0100 bpf: Improve verifier error messages for users commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream. Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 55565c30790839b40311c270a8b1a437ae9b2769 Author: Daniel Borkmann Date: Tue Mar 23 09:04:10 2021 +0100 bpf: Rework ptr_limit into alu_limit and add common error path commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream. Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 496e2fabbbe37c9d2991646114f87c9a11a47bd9 Author: Catalin Marinas Date: Fri Apr 9 18:37:10 2021 +0100 arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically commit 2decad92f4731fac9755a083fcfefa66edb7d67d upstream. The entry from EL0 code checks the TFSRE0_EL1 register for any asynchronous tag check faults in user space and sets the TIF_MTE_ASYNC_FAULT flag. This is not done atomically, potentially racing with another CPU calling set_tsk_thread_flag(). Replace the non-atomic ORR+STR with an STSET instruction. While STSET requires ARMv8.1 and an assembler that understands LSE atomics, the MTE feature is part of ARMv8.5 and already requires an updated assembler. Signed-off-by: Catalin Marinas Fixes: 637ec831ea4f ("arm64: mte: Handle synchronous and asynchronous tag check faults") Cc: # 5.10.x Reported-by: Will Deacon Cc: Will Deacon Cc: Vincenzo Frascino Cc: Mark Rutland Link: https://lore.kernel.org/r/20210409173710.18582-1-catalin.marinas@arm.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit cada2ed0bb706c91b1e40fe1bb40673bc9b3cd95 Author: Fredrik Strupe Date: Mon Apr 5 21:52:05 2021 +0100 ARM: 9071/1: uprobes: Don't hook on thumb instructions commit d2f7eca60b29006285d57c7035539e33300e89e5 upstream. Since uprobes is not supported for thumb, check that the thumb bit is not set when matching the uprobes instruction hooks. The Arm UDF instructions used for uprobes triggering (UPROBE_SWBP_ARM_INSN and UPROBE_SS_ARM_INSN) coincidentally share the same encoding as a pair of unallocated 32-bit thumb instructions (not UDF) when the condition code is 0b1111 (0xf). This in effect makes it possible to trigger the uprobes functionality from thumb, and at that using two unallocated instructions which are not permanently undefined. Signed-off-by: Fredrik Strupe Cc: stable@vger.kernel.org Fixes: c7edc9e326d5 ("ARM: add uprobes support") Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 480d875f12424a86fd710e8762ed1e23b7f02572 Author: Daniel Borkmann Date: Mon Mar 22 15:45:52 2021 +0100 bpf: Move off_reg into sanitize_ptr_alu [ Upstream commit 6f55b2f2a1178856c19bbce2f71449926e731914 ] Small refactor to drag off_reg into sanitize_ptr_alu(), so we later on can use off_reg for generalizing some of the checks for all pointer types. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 589fd9684dfafee37c60abde4ca3c0af723be3b3 Author: Daniel Borkmann Date: Tue Mar 23 08:51:02 2021 +0100 bpf: Ensure off_reg has no mixed signed bounds for all types [ Upstream commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e ] The mixed signed bounds check really belongs into retrieve_ptr_limit() instead of outside of it in adjust_ptr_min_max_vals(). The reason is that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer types that we handle in retrieve_ptr_limit() and given errors from the latter propagate back to adjust_ptr_min_max_vals() and lead to rejection of the program, it's a better place to reside to avoid anything slipping through for future types. The reason why we must reject such off_reg is that we otherwise would not be able to derive a mask, see details in 9d7eceede769 ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged"). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit b2df20c0f19f9f4f82fa1b1fdd0c8b22c6fc76b5 Author: Heiner Kallweit Date: Wed Apr 14 10:47:10 2021 +0200 r8169: don't advertise pause in jumbo mode [ Upstream commit 453a77894efa4d9b6ef9644d74b9419c47ac427c ] It has been reported [0] that using pause frames in jumbo mode impacts performance. There's no available chip documentation, but vendor drivers r8168 and r8125 don't advertise pause in jumbo mode. So let's do the same, according to Roman it fixes the issue. [0] https://bugzilla.kernel.org/show_bug.cgi?id=212617 Fixes: 9cf9b84cc701 ("r8169: make use of phy_set_asym_pause") Reported-by: Roman Mamedov Tested-by: Roman Mamedov Signed-off-by: Heiner Kallweit Cc: stable@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 154fb9cb3e6fe9030b9336c07e132ab776919fc2 Author: Heiner Kallweit Date: Sat Jan 9 23:01:18 2021 +0100 r8169: tweak max read request size for newer chips also in jumbo mtu mode [ Upstream commit 5e00e16cb98935bcf06f51931876d898c226f65c ] So far we don't increase the max read request size if we switch to jumbo mode before bringing up the interface for the first time. Let's change this. Signed-off-by: Heiner Kallweit Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7f64753835a78c7d2cc2932a5808ef3b7fd4c050 Author: Reiji Watanabe Date: Tue Apr 13 15:47:40 2021 +0000 KVM: VMX: Don't use vcpu->run->internal.ndata as an array index [ Upstream commit 04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a ] __vmx_handle_exit() uses vcpu->run->internal.ndata as an index for an array access. Since vcpu->run is (can be) mapped to a user address space with a writer permission, the 'ndata' could be updated by the user process at anytime (the user process can set it to outside the bounds of the array). So, it is not safe that __vmx_handle_exit() uses the 'ndata' that way. Fixes: 1aa561b1a4c0 ("kvm: x86: Add "last CPU" to some KVM_EXIT information") Signed-off-by: Reiji Watanabe Reviewed-by: Jim Mattson Message-Id: <20210413154739.490299-1-reijiw@google.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit c670ff84fac9c92c4260b359f24fff1312b98218 Author: Sean Christopherson Date: Fri Nov 6 17:03:12 2020 +0800 KVM: VMX: Convert vcpu_vmx.exit_reason to a union [ Upstream commit 8e53324021645f820a01bf8aa745711c802c8542 ] Convert vcpu_vmx.exit_reason from a u32 to a union (of size u32). The full VM_EXIT_REASON field is comprised of a 16-bit basic exit reason in bits 15:0, and single-bit modifiers in bits 31:16. Historically, KVM has only had to worry about handling the "failed VM-Entry" modifier, which could only be set in very specific flows and required dedicated handling. I.e. manually stripping the FAILED_VMENTRY bit was a somewhat viable approach. But even with only a single bit to worry about, KVM has had several bugs related to comparing a basic exit reason against the full exit reason store in vcpu_vmx. Upcoming Intel features, e.g. SGX, will add new modifier bits that can be set on more or less any VM-Exit, as opposed to the significantly more restricted FAILED_VMENTRY, i.e. correctly handling everything in one-off flows isn't scalable. Tracking exit reason in a union forces code to explicitly choose between consuming the full exit reason and the basic exit, and is a convenient way to document and access the modifiers. No functional change intended. Cc: Xiaoyao Li Signed-off-by: Sean Christopherson Signed-off-by: Chenyi Qiang Message-Id: <20201106090315.18606-2-chenyi.qiang@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4f3ff11204eac0ee23acf64deecb3bad7b0db0c6 Author: Daniel Borkmann Date: Tue Mar 23 08:32:59 2021 +0100 bpf: Use correct permission flag for mixed signed bounds arithmetic [ Upstream commit 9601148392520e2e134936e76788fc2a6371e7be ] We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of allow_ptr_leaks. Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF") Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 8d7906c548aa4b781e7bd916cd4f451452ad925d Author: Jernej Skrabec Date: Tue Mar 30 20:42:18 2021 +0200 arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference [ Upstream commit 7a2f6e69e9c1060a7a09c1f8322ccb8d942b3078 ] Although every Beelink GS1 seems to have external 32768 Hz oscillator, it works only on one from four tested. There are more reports of RTC issues elsewhere, like Armbian forum. One Beelink GS1 owner read RTC osc status register on Android which shipped with the box. Reported value indicated problems with external oscillator. In order to fix RTC and related issues (HDMI-CEC and suspend/resume with Crust) on all boards, switch to internal oscillator. Fixes: 32507b868119 ("arm64: dts: allwinner: h6: Move ext. oscillator to board DTs") Signed-off-by: Jernej Skrabec Tested-by: Clément Péron Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210330184218.279738-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit 286c39d08664e5036ca6750ecfac6b68985b6703 Author: Andre Przywara Date: Tue Mar 16 14:42:19 2021 +0000 arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems [ Upstream commit 3dd4ce4185df6798dcdcc3669bddb35899d7d5e1 ] Commit 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") enabled the card detect GPIO for the SOPine module, along the way with the Pine64-LTS, which share the same base .dtsi. However while both boards indeed have a working CD GPIO on PF6, the polarity is different: the SOPine modules uses a "push-pull" socket, which has an active-high switch, while the Pine64-LTS use the more traditional push-push socket and the common active-low switch. Fix the polarity in the sopine.dtsi, and overwrite it in the LTS board .dts, to make the SD card work again on systems using SOPine modules. Fixes: 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") Reported-by: Ashley Signed-off-by: Andre Przywara Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210316144219.5973-1-andre.przywara@arm.com Signed-off-by: Sasha Levin commit 4f90db2e92d2d4930c85cb2138b452510eab189c Author: Tony Lindgren Date: Wed Mar 31 09:27:41 2021 +0300 ARM: OMAP2+: Fix uninitialized sr_inst [ Upstream commit fc85dc42a38405099f97aa2af709fe9504a82508 ] Fix uninitialized sr_inst. Fixes: fbfa463be8dc ("ARM: OMAP2+: Fix smartreflex init regression after dropping legacy data") Reported-by: kernel test robot Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 1fc087fdb98d556b416c82ed6e3964a30885f47a Author: Russell King Date: Thu Mar 25 10:26:21 2021 +0000 ARM: footbridge: fix PCI interrupt mapping [ Upstream commit 30e3b4f256b4e366a61658c294f6a21b8626dda7 ] Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised. Fixes: 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()") Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 11a718ef953f7d175e26908f8d584257aa0af898 Author: Vladimir Murzin Date: Thu Mar 11 13:32:16 2021 +0100 ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to for_each_mem_range() [ Upstream commit 45c2f70cba3a7eff34574103b2e2b901a5f771aa ] for_each_mem_range() uses a loop variable, yet looking into code it is not just iteration counter but more complex entity which encodes information about memblock. Thus condition i == 0 looks fragile. Indeed, it broke boot of R-class platforms since it never took i == 0 path (due to i was set to 1). Fix that with restoring original flag check. Fixes: b10d6bca8720 ("arch, drivers: replace for_each_membock() with for_each_mem_range()") Signed-off-by: Vladimir Murzin Acked-by: Mike Rapoport Signed-off-by: Russell King Signed-off-by: Sasha Levin commit a13d4a1228abc42f05233f3212fdf139e2d720db Author: Tony Lindgren Date: Wed Mar 24 12:23:58 2021 +0200 ARM: OMAP2+: Fix warning for omap_init_time_of() [ Upstream commit a3efe3f6d0eb64363f74af4b0e8ba6d19415cef2 ] Fix warning: no previous prototype for 'omap_init_time_of'. Fixes: e69b4e1a7577 ("ARM: OMAP2+: Add omap_init_time_of()") Reported-by: kernel test robot Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 9143158a6bd35839ddd0cc723b1576aa8b3c632d Author: Eric Dumazet Date: Tue Apr 13 05:41:35 2021 -0700 gro: ensure frag0 meets IP header alignment commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 upstream. After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head") Guenter Roeck reported one failure in his tests using sh architecture. After much debugging, we have been able to spot silent unaligned accesses in inet_gro_receive() The issue at hand is that upper networking stacks assume their header is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN bytes before the Ethernet header to make that happen. This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path if the fragment is not properly aligned. Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN as 0, this extra check will be a NOP for them. Note that if frag0 is not used, GRO will call pskb_may_pull() as many times as needed to pull network and transport headers. Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head") Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address") Signed-off-by: Eric Dumazet Reported-by: Guenter Roeck Cc: Xuan Zhuo Cc: "Michael S. Tsirkin" Cc: Jason Wang Acked-by: Michael S. Tsirkin Tested-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fd766f792a561a5c07fa2b5bd6d71315961e3ec3 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:48 2021 +0530 ch_ktls: do not send snd_una update to TCB in middle commit e8a4155567b3c903f49cbf89b8017e9cc22c4fe4 upstream. snd_una update should not be done when the same skb is being sent out.chcr_short_record_handler() sends it again even though SND_UNA update is already sent for the skb in chcr_ktls_xmit(), which causes mismatch in un-acked TCP seq number, later causes problem in sending out complete record. Fixes: 429765a149f1 ("chcr: handle partial end part of a record") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 65bdd564b387c228518f1d5a50e099475f474561 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:47 2021 +0530 ch_ktls: tcb close causes tls connection failure commit 21d8c25e3f4b9052a471ced8f47b531956eb9963 upstream. HW doesn't need marking TCB closed. This TCB state change sometimes causes problem to the new connection which gets the same tid. Fixes: 34aba2c45024 ("cxgb4/chcr : Register to tls add and del callback") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5f3c278035c0922b5747117028346fcd83410c24 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:46 2021 +0530 ch_ktls: fix device connection close commit bc16efd2430652f894ae34b1de5eccc3bf0d2810 upstream. When sge queue is full and chcr_ktls_xmit_wr_complete() returns failure, skb is not freed if it is not the last tls record in this skb, causes refcount never gets freed and tls_dev_del() never gets called on this connection. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8d5a9dbd2116a852f8f0f91f6fbc42a0afe1091f Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:45 2021 +0530 ch_ktls: Fix kernel panic commit 1a73e427b824133940c2dd95ebe26b6dce1cbf10 upstream. Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 976da1b08784d1e70bf3c103bf00c3d8af27d067 Author: Lijun Pan Date: Wed Apr 14 02:46:16 2021 -0500 ibmvnic: remove duplicate napi_schedule call in open function commit 7c451f3ef676c805a4b77a743a01a5c21a250a73 upstream. Remove the unnecessary napi_schedule() call in __ibmvnic_open() since interrupt_rx() calls napi_schedule_prep/__napi_schedule during every receive interrupt. Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Signed-off-by: Lijun Pan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 008885a880dc212af351894b010f714f252da00b Author: Lijun Pan Date: Wed Apr 14 02:46:15 2021 -0500 ibmvnic: remove duplicate napi_schedule call in do_reset function commit d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 upstream. During adapter reset, do_reset/do_hard_reset calls ibmvnic_open(), which will calls napi_schedule if previous state is VNIC_CLOSED (i.e, the reset case, and "ifconfig down" case). So there is no need for do_reset to call napi_schedule again at the end of the function though napi_schedule will neglect the request if napi is already scheduled. Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Signed-off-by: Lijun Pan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 685bc730e3a9c89532cbeb452756177eebdc07eb Author: Lijun Pan Date: Wed Apr 14 02:46:14 2021 -0500 ibmvnic: avoid calling napi_disable() twice commit 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 upstream. __ibmvnic_open calls napi_disable without checking whether NAPI polling has already been disabled or not. This could cause napi_disable being called twice, which could generate deadlock. For example, the first napi_disable will spin until NAPI_STATE_SCHED is cleared by napi_complete_done, then set it again. When napi_disable is called the second time, it will loop infinitely because no dev->poll will be running to clear NAPI_STATE_SCHED. To prevent above scenario from happening, call ibmvnic_napi_disable() which checks if napi is disabled or not before calling napi_disable. Fixes: bfc32f297337 ("ibmvnic: Move resource initialization to its own routine") Suggested-by: Thomas Falcon Signed-off-by: Lijun Pan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e154b5060aa14601a894d9820d8d3f031c7c1565 Author: John Paul Adrian Glaubitz Date: Fri Apr 16 15:46:12 2021 -0700 ia64: tools: remove inclusion of ia64-specific version of errno.h header commit 17786fea414393813b56e33a1a01b2dfa03c0915 upstream. There is no longer an ia64-specific version of the errno.h header below arch/ia64/include/uapi/asm/, so trying to build tools/bpf fails with: CC /usr/src/linux/tools/bpf/bpftool/btf_dumper.o In file included from /usr/src/linux/tools/include/linux/err.h:8, from btf_dumper.c:11: /usr/src/linux/tools/include/uapi/asm/errno.h:13:10: fatal error: ../../../arch/ia64/include/uapi/asm/errno.h: No such file or directory 13 | #include "../../../arch/ia64/include/uapi/asm/errno.h" | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. Thus, just remove the inclusion of the ia64-specific errno.h so that the build will use the generic errno.h header on this target which was used there anyway as the ia64-specific errno.h was just a wrapper for the generic header. Fixes: c25f867ddd00 ("ia64: remove unneeded uapi asm-generic wrappers") Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f8f01fc8c653aa151b6f9f69f9e0ef527aeb5c69 Author: Randy Dunlap Date: Fri Apr 16 15:46:06 2021 -0700 ia64: remove duplicate entries in generic_defconfig commit 19d000d93303e05bd7b1326e3de9df05a41b25b5 upstream. Fix ia64 generic_defconfig duplicate entries, as warned by: arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA: => 58 arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA_PIIX: => 59 These 2 symbols still have the same value as in the removed lines. Link: https://lkml.kernel.org/r/20210411020255.18052-1-rdunlap@infradead.org Fixes: c331649e6371 ("ia64: Use libata instead of the legacy ide driver in defconfigs") Signed-off-by: Randy Dunlap Reported-by: Geert Uytterhoeven Reviewed-by: Christoph Hellwig Cc: Tony Luck Cc: Fenghua Yu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1aec111c944fc0d29ba48385d56d229f4f8bac90 Author: Jakub Kicinski Date: Tue Apr 13 20:46:14 2021 -0700 ethtool: pause: make sure we init driver stats commit 16756d3e77ad58cd07e36cbed724aa13ae5a0278 upstream. The intention was for pause statistics to not be reported when driver does not have the relevant callback (only report an empty netlink nest). What happens currently we report all 0s instead. Make sure statistics are initialized to "not set" (which is -1) so the dumping code skips them. Fixes: 9a27a33027f2 ("ethtool: add standard pause stats") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 44ef38c0a2b37975e7677ad7f23271a006564908 Author: Jason Xing Date: Wed Apr 14 10:34:28 2021 +0800 i40e: fix the panic when running bpf in xdpdrv mode commit 4e39a072a6a0fc422ba7da5e4336bdc295d70211 upstream. Fix this panic by adding more rules to calculate the value of @rss_size_max which could be used in allocating the queues when bpf is loaded, which, however, could cause the failure and then trigger the NULL pointer of vsi->rx_rings. Prio to this fix, the machine doesn't care about how many cpus are online and then allocates 256 queues on the machine with 32 cpus online actually. Once the load of bpf begins, the log will go like this "failed to get tracking for 256 queues for VSI 0 err -12" and this "setup of MAIN VSI failed". Thus, I attach the key information of the crash-log here. BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 0010:i40e_xdp+0xdd/0x1b0 [i40e] Call Trace: [2160294.717292] ? i40e_reconfig_rss_queues+0x170/0x170 [i40e] [2160294.717666] dev_xdp_install+0x4f/0x70 [2160294.718036] dev_change_xdp_fd+0x11f/0x230 [2160294.718380] ? dev_disable_lro+0xe0/0xe0 [2160294.718705] do_setlink+0xac7/0xe70 [2160294.719035] ? __nla_parse+0xed/0x120 [2160294.719365] rtnl_newlink+0x73b/0x860 Fixes: 41c445ff0f48 ("i40e: main driver core") Co-developed-by: Shujin Li Signed-off-by: Shujin Li Signed-off-by: Jason Xing Reviewed-by: Jesse Brandeburg Acked-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 35d7491e2f77ce480097cabcaf93ed409e916e12 Author: Jonathon Reinhart Date: Tue Apr 13 03:08:48 2021 -0400 net: Make tcp_allowed_congestion_control readonly in non-init netns commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream. Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestion_control and tcp_allowed_congestion_control are the only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL data pointer; their handlers (proc_tcp_available_congestion_control and proc_allowed_congestion_control) have no other way of referencing a struct net. Thus, they operate globally. Because ipv4_net_table does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only. These sysctls used to exist in ipv4_table (init-net only), but they were moved to the per-net ipv4_net_table, presumably without realizing that tcp_allowed_congestion_control was writable and thus introduced a leak. Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient. The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net. Fixes: 9cb8e048e5d9 ("net/ipv4/sysctl: show tcp_{allowed, available}_congestion_control in non-initial netns") Signed-off-by: Jonathon Reinhart Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 76af8126a6e4d982c8f42dc2e64f0ffdf4b6255a Author: Christophe Leroy Date: Fri Apr 16 15:46:20 2021 -0700 mm: ptdump: fix build failure commit 458376913d86bed2fb781b4952eb6861675ef3be upstream. READ_ONCE() cannot be used for reading PTEs. Use ptep_get() instead, to avoid the following errors: CC mm/ptdump.o In file included from : mm/ptdump.c: In function 'ptdump_pte_entry': include/linux/compiler_types.h:320:38: error: call to '__compiletime_assert_207' declared with attribute error: Unsupported access size for {READ,WRITE}_ONCE(). 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^ include/linux/compiler_types.h:301:4: note: in definition of macro '__compiletime_assert' 301 | prefix ## suffix(); \ | ^~~~~~ include/linux/compiler_types.h:320:2: note: in expansion of macro '_compiletime_assert' 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^~~~~~~~~~~~~~~~~~~ include/asm-generic/rwonce.h:36:2: note: in expansion of macro 'compiletime_assert' 36 | compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \ | ^~~~~~~~~~~~~~~~~~ include/asm-generic/rwonce.h:49:2: note: in expansion of macro 'compiletime_assert_rwonce_type' 49 | compiletime_assert_rwonce_type(x); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ptdump.c:114:14: note: in expansion of macro 'READ_ONCE' 114 | pte_t val = READ_ONCE(*pte); | ^~~~~~~~~ make[2]: *** [mm/ptdump.o] Error 1 See commit 481e980a7c19 ("mm: Allow arches to provide ptep_get()") and commit c0e1c8c22beb ("powerpc/8xx: Provide ptep_get() with 16k pages") for details. Link: https://lkml.kernel.org/r/912b349e2bcaa88939904815ca0af945740c6bd4.1618478922.git.christophe.leroy@csgroup.eu Fixes: 30d621f6723b ("mm: add generic ptdump") Signed-off-by: Christophe Leroy Cc: Steven Price Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 33f3dab42ae2b40898743de7c66ca8bfbb015aa0 Author: Hristo Venev Date: Mon Apr 12 20:41:17 2021 +0300 net: ip6_tunnel: Unregister catch-all devices commit 941ea91e87a6e879ed82dad4949f6234f2702bec upstream. Similarly to the sit case, we need to remove the tunnels with no addresses that have been moved to another network namespace. Fixes: 0bd8762824e73 ("ip6tnl: add x-netns support") Signed-off-by: Hristo Venev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea0340e632ba60030aa3eda422cdb90c9fe7983e Author: Hristo Venev Date: Mon Apr 12 20:41:16 2021 +0300 net: sit: Unregister catch-all devices commit 610f8c0fc8d46e0933955ce13af3d64484a4630a upstream. A sit interface created without a local or a remote address is linked into the `sit_net::tunnels_wc` list of its original namespace. When deleting a network namespace, delete the devices that have been moved. The following script triggers a null pointer dereference if devices linked in a deleted `sit_net` remain: for i in `seq 1 30`; do ip netns add ns-test ip netns exec ns-test ip link add dev veth0 type veth peer veth1 ip netns exec ns-test ip link add dev sit$i type sit dev veth0 ip netns exec ns-test ip link set dev sit$i netns $$ ip netns del ns-test done for i in `seq 1 30`; do ip link del dev sit$i done Fixes: 5e6700b3bf98f ("sit: add support of x-netns") Signed-off-by: Hristo Venev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 154ac84d497aa30459e39af4111dd45100759806 Author: Christophe JAILLET Date: Sun Apr 11 11:02:08 2021 +0200 net: davicom: Fix regulator not turned off on failed probe commit 31457db3750c0b0ed229d836f2609fdb8a5b790e upstream. When the probe fails, we must disable the regulator that was previously enabled. This patch is a follow-up to commit ac88c531a5b3 ("net: davicom: Fix regulator not turned off on failed probe") which missed one case. Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e072247938a8551187f1ad3f9f928d968c96fd0c Author: Aya Levin Date: Sun Apr 11 09:33:12 2021 +0300 net/mlx5e: Fix setting of RS FEC mode commit 7a320c9db3e73fb6c4f9a331087df9df18767221 upstream. Change register setting from bit number to bit mask. Fixes: b5ede32d3329 ("net/mlx5e: Add support for FEC modes based on 50G per lane links") Signed-off-by: Aya Levin Reviewed-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit dc1732baa9da5b68621586bf8636ebbc27dc62d2 Author: Eric Dumazet Date: Fri Apr 9 08:49:39 2021 -0700 netfilter: nft_limit: avoid possible divide error in nft_limit_init commit b895bdf5d643b6feb7c60856326dd4feb6981560 upstream. div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline] RIP: 0010:div_u64 include/linux/math64.h:127 [inline] RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85 Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00 RSP: 0018:ffffc90009447198 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003 RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000 R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline] nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling") Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting") Signed-off-by: Eric Dumazet Diagnosed-by: Luigi Rizzo Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit cda5507d234fe6564a30e27436cb7758d1d3fccd Author: wenxu Date: Fri Apr 9 13:33:48 2021 +0800 net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta commit e3e0f9b279705154b951d579dc3d8b7041710e24 upstream. In the nft_offload there is the mate flow_dissector with no ingress_ifindex but with ingress_iftype that only be used in the software. So if the mask of ingress_ifindex in meta is 0, this meta check should be bypass. Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support") Signed-off-by: wenxu Acked-by: Pablo Neira Ayuso Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 40ed1d29f1511a4c5bbd064bc2c097887a3b7443 Author: Claudiu Beznea Date: Wed Apr 14 14:20:29 2021 +0300 net: macb: fix the restore of cmp registers commit a714e27ea8bdee2b238748029d31472d0a65b611 upstream. Commit a14d273ba159 ("net: macb: restore cmp registers on resume path") introduces the restore of CMP registers on resume path. In case the IP doesn't support type 2 screeners (zero on DCFG8 register) the struct macb::rx_fs_list::list is not initialized and thus the list_for_each_entry(item, &bp->rx_fs_list.list, list) loop introduced in commit a14d273ba159 ("net: macb: restore cmp registers on resume path") will access an uninitialized list leading to crash. Thus, initialize the struct macb::rx_fs_list::list without taking into account if the IP supports type 2 screeners or not. Fixes: a14d273ba159 ("net: macb: restore cmp registers on resume path") Signed-off-by: Claudiu Beznea Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7f8e59c4c5e5142e3f0d78f8f01b523027bbf151 Author: Ciara Loftus Date: Thu Apr 8 05:20:09 2021 +0000 libbpf: Fix potential NULL pointer dereference commit afd0be7299533bb2e2b09104399d8a467ecbd2c5 upstream. Wait until after the UMEM is checked for null to dereference it. Fixes: 43f1bc1efff1 ("libbpf: Restore umem state after socket create failure") Signed-off-by: Ciara Loftus Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210408052009.7844-1-ciara.loftus@intel.com Signed-off-by: Greg Kroah-Hartman commit 7824d5a9935a8093627565be4bade0bb112bd6d9 Author: Florian Westphal Date: Wed Apr 7 21:43:40 2021 +0200 netfilter: arp_tables: add pre_exit hook for table unregister commit d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 upstream. Same problem that also existed in iptables/ip(6)tables, when arptable_filter is removed there is no longer a wait period before the table/ruleset is free'd. Unregister the hook in pre_exit, then remove the table in the exit function. This used to work correctly because the old nf_hook_unregister API did unconditional synchronize_net. The per-net hook unregister function uses call_rcu instead. Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 4d26865974fb3106422a356283a996399eac0fbd Author: Florian Westphal Date: Wed Apr 7 21:43:39 2021 +0200 netfilter: bridge: add pre_exit hooks for ebtable unregistration commit 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 upstream. Just like ip/ip6/arptables, the hooks have to be removed, then synchronize_rcu() has to be called to make sure no more packets are being processed before the ruleset data is released. Place the hook unregistration in the pre_exit hook, then call the new ebtables pre_exit function from there. Years ago, when first netns support got added for netfilter+ebtables, this used an older (now removed) netfilter hook unregister API, that did a unconditional synchronize_rcu(). Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit handlers may free the ebtable ruleset while packets are still in flight. This can only happens on module removal, not during netns exit. The new function expects the table name, not the table struct. This is because upcoming patch set (targeting -next) will remove all net->xt.{nat,filter,broute}_table instances, this makes it necessary to avoid external references to those member variables. The existing APIs will be converted, so follow the upcoming scheme of passing name + hook type instead. Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit eb82199e377ad606a2c055435628142504f2b4be Author: Vaibhav Jain Date: Fri Apr 2 14:55:55 2021 +0530 libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC commit a2948b17f6b936fc52f86c0f92c46d2f91928b79 upstream. In case a platform doesn't provide explicit flush-hints but provides an explicit flush callback via ND_REGION_ASYNC region flag, then nvdimm_has_flush() still returns '0' indicating that writes do not require flushing. This happens on PPC64 with patch at [1] applied, where 'deep_flush' of a region was denied even though an explicit flush function was provided. Fix this by adding a condition to nvdimm_has_flush() to test for the ND_REGION_ASYNC flag on the region and see if a 'region->flush' callback is assigned. Link: http://lore.kernel.org/r/161703936121.36.7260632399582101498.stgit@e1fbed493c87 [1] Fixes: c5d4355d10d4 ("libnvdimm: nd_region flush callback support") Reported-by: Shivaprasad G Bhat Signed-off-by: Vaibhav Jain Link: https://lore.kernel.org/r/20210402092555.208590-1-vaibhav@linux.ibm.com Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit a2af8a0f38e48e0f496870735cd931b69b78f481 Author: Colin Ian King Date: Wed Mar 31 15:46:28 2021 +0100 ice: Fix potential infinite loop when using u8 loop counter commit ef963ae427aa4669905e0a96b3bd9d44dc85db32 upstream. A for-loop is using a u8 loop counter that is being compared to a u32 cmp_dcbcfg->numapp to check for the end of the loop. If cmp_dcbcfg->numapp is larger than 255 then the counter j will wrap around to zero and hence an infinite loop occurs. Fix this by making counter j the same type as cmp_dcbcfg->numapp. Addresses-Coverity: ("Infinite loop") Fixes: aeac8ce864d9 ("ice: Recognize 860 as iSCSI port in CEE mode") Signed-off-by: Colin Ian King Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 783645e65b5774d794a60b606e8801a00e11eda3 Author: Pablo Neira Ayuso Date: Wed Mar 31 01:04:45 2021 +0200 netfilter: conntrack: do not print icmpv6 as unknown via /proc commit fbea31808ca124dd73ff6bb1e67c9af4607c3e32 upstream. /proc/net/nf_conntrack shows icmpv6 as unknown. Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 394c81e36e494a0de229103b9ab7a8f437729148 Author: Pablo Neira Ayuso Date: Tue Mar 30 16:24:11 2021 +0200 netfilter: flowtable: fix NAT IPv6 offload mangling commit 0e07e25b481aa021e4b48085ecb8a049e9614510 upstream. Fix out-of-bound access in the address array. Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit be07581aacae7cd0a073afae8e8862032f794309 Author: Yongxin Liu Date: Mon Mar 22 15:14:48 2021 +0800 ixgbe: fix unbalanced device enable/disable in suspend/resume commit debb9df311582c83fe369baa35fa4b92e8a9c58a upstream. pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgbe_resume() in commit 6f82b2558735 ("ixgbe: use generic power management"). This caused unbalanced increase/decrease. So add pci_enable_device_mem() back. Fix the following call trace. ixgbe 0000:17:00.1: disabling already-disabled device Call Trace: __ixgbe_shutdown+0x10a/0x1e0 [ixgbe] ixgbe_suspend+0x32/0x70 [ixgbe] pci_pm_suspend+0x87/0x160 ? pci_pm_freeze+0xd0/0xd0 dpm_run_callback+0x42/0x170 __device_suspend+0x114/0x460 async_suspend+0x1f/0xa0 async_run_entry_fn+0x3c/0xf0 process_one_work+0x1dd/0x410 worker_thread+0x34/0x3f0 ? cancel_delayed_work+0x90/0x90 kthread+0x14c/0x170 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x30 Fixes: 6f82b2558735 ("ixgbe: use generic power management") Signed-off-by: Yongxin Liu Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 0ef9919a06a36a9ee87d80ee2749c5afe832be5d Author: Jolly Shah Date: Thu Mar 18 15:56:32 2021 -0700 scsi: libsas: Reset num_scatter if libata marks qc as NODATA commit 176ddd89171ddcf661862d90c5d257877f7326d6 upstream. When the cache_type for the SCSI device is changed, the SCSI layer issues a MODE_SELECT command. The caching mode details are communicated via a request buffer associated with the SCSI command with data direction set as DMA_TO_DEVICE (scsi_mode_select()). When this command reaches the libata layer, as a part of generic initial setup, libata layer sets up the scatterlist for the command using the SCSI command (ata_scsi_qc_new()). This command is then translated by the libata layer into ATA_CMD_SET_FEATURES (ata_scsi_mode_select_xlat()). The libata layer treats this as a non-data command (ata_mselect_caching()), since it only needs an ATA taskfile to pass the caching on/off information to the device. It does not need the scatterlist that has been setup, so it does not perform dma_map_sg() on the scatterlist (ata_qc_issue()). Unfortunately, when this command reaches the libsas layer (sas_ata_qc_issue()), libsas layer sees it as a non-data command with a scatterlist. It cannot extract the correct DMA length since the scatterlist has not been mapped with dma_map_sg() for a DMA operation. When this partially constructed SAS task reaches pm80xx LLDD, it results in the following warning: "pm80xx_chip_sata_req 6058: The sg list address start_addr=0x0000000000000000 data_len=0x0end_addr_high=0xffffffff end_addr_low=0xffffffff has crossed 4G boundary" Update libsas to handle ATA non-data commands separately so num_scatter and total_xfer_len remain 0. Link: https://lore.kernel.org/r/20210318225632.2481291-1-jollys@google.com Fixes: 53de092f47ff ("scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA") Tested-by: Luo Jiaxing Reviewed-by: John Garry Signed-off-by: Jolly Shah Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 6a70ab9769cd266dc02c634d0bcb36e5ea8b03c7 Author: Kefeng Wang Date: Mon Mar 29 11:13:07 2021 +0800 riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM" commit 199fc6b8dee7d6d50467a57e0dc7e3e1b7d59966 upstream. There is a spelling mistake when SPARSEMEM Kconfig copy. Fixes: a5406a7ff56e ("riscv: Correct SPARSEMEM configuration") Cc: stable@vger.kernel.org Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit f66d695c06f4d788e1ff01778e4e72f8d19474de Author: Christian A. Ehrhardt Date: Mon Apr 12 23:41:24 2021 +0200 vfio/pci: Add missing range check in vfio_pci_mmap commit 909290786ea335366e21d7f1ed5812b90f2f0a92 upstream. When mmaping an extra device region verify that the region index derived from the mmap offset is valid. Fixes: a15b1883fee1 ("vfio_pci: Allow mapping extra regions") Cc: stable@vger.kernel.org Signed-off-by: Christian A. Ehrhardt Message-Id: <20210412214124.GA241759@lisa.in-ulm.de> Reviewed-by: David Gibson Reviewed-by: Cornelia Huck Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman commit e6177990e17d0b8126701fc8db877bc921caea16 Author: Nathan Chancellor Date: Tue Apr 13 17:08:04 2021 -0700 arm64: alternatives: Move length validation in alternative_{insn, endif} commit 22315a2296f4c251fa92aec45fbbae37e9301b6c upstream. After commit 2decad92f473 ("arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically"), LLVM's integrated assembler fails to build entry.S: :5:7: error: expected assembly-time absolute expression .org . - (664b-663b) + (662b-661b) ^ :6:7: error: expected assembly-time absolute expression .org . - (662b-661b) + (664b-663b) ^ The root cause is LLVM's assembler has a one-pass design, meaning it cannot figure out these instruction lengths when the .org directive is outside of the subsection that they are in, which was changed by the .arch_extension directive added in the above commit. Apply the same fix from commit 966a0acce2fc ("arm64/alternatives: move length validation inside the subsection") to the alternative_endif macro, shuffling the .org directives so that the length validation happen will always happen in the same subsections. alternative_insn has not shown any issue yet but it appears that it could have the same issue in the future so just preemptively change it. Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") Cc: # 5.8.x Link: https://github.com/ClangBuiltLinux/linux/issues/1347 Signed-off-by: Nathan Chancellor Reviewed-by: Sami Tolvanen Tested-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Link: https://lore.kernel.org/r/20210414000803.662534-1-nathan@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit e2931f05eb328e167bd39369dd738f9840bf4f39 Author: Peter Collingbourne Date: Thu Apr 1 09:51:10 2021 -0700 arm64: fix inline asm in load_unaligned_zeropad() commit 185f2e5f51c2029efd9dd26cceb968a44fe053c6 upstream. The inline asm's addr operand is marked as input-only, however in the case where an exception is taken it may be modified by the BIC instruction on the exception path. Fix the problem by using a temporary register as the destination register for the BIC instruction. Signed-off-by: Peter Collingbourne Cc: stable@vger.kernel.org Link: https://linux-review.googlesource.com/id/I84538c8a2307d567b4f45bb20b715451005f9617 Link: https://lore.kernel.org/r/20210401165110.3952103-1-pcc@google.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 957f83a138f152af5bcec0555bd9b6c612b9212f Author: Linus Torvalds Date: Sat Apr 17 09:27:04 2021 -0700 readdir: make sure to verify directory entry for legacy interfaces too commit 0c93ac69407d63a85be0129aa55ffaec27ffebd3 upstream. This does the directory entry name verification for the legacy "fillonedir" (and compat) interface that goes all the way back to the dark ages before we had a proper dirent, and the readdir() system call returned just a single entry at a time. Nobody should use this interface unless you still have binaries from 1991, but let's do it right. This came up during discussions about unsafe_copy_to_user() and proper checking of all the inputs to it, as the networking layer is looking to use it in a few new places. So let's make sure the _old_ users do it all right and proper, before we add new ones. See also commit 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid") which did the proper modern interfaces that people actually use. It had a note: Note that I didn't bother adding the checks to any legacy interfaces that nobody uses. which this now corrects. Note that we really don't care about POSIX and the presense of '/' in a directory entry, but verify_dirent_name() also ends up doing the proper name length verification which is what the input checking discussion was about. [ Another option would be to remove the support for this particular very old interface: any binaries that use it are likely a.out binaries, and they will no longer run anyway since we removed a.out binftm support in commit eac616557050 ("x86: Deprecate a.out support"). But I'm not sure which came first: getdents() or ELF support, so let's pretend somebody might still have a working binary that uses the legacy readdir() case.. ] Link: https://lore.kernel.org/lkml/CAHk-=wjbvzCAhAtvG0d81W5o0-KT5PPTHhfJ5ieDFq+bGtgOYg@mail.gmail.com/ Acked-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2b8308741cf5ccc972d6c80d07501f91a592b6e2 Author: Jaegeuk Kim Date: Wed Apr 14 08:28:28 2021 -0700 dm verity fec: fix misaligned RS roots IO commit 8ca7cab82bda4eb0b8064befeeeaa38106cac637 upstream. commit df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") introduced the possibility for misaligned roots IO relative to the underlying device's logical block size. E.g. Android's default RS roots=2 results in dm_bufio->block_size=1024, which causes the following EIO if the logical block size of the device is 4096, given v->data_dev_block_bits=12: E sd 0 : 0:0:0: [sda] tag#30 request not aligned to the logical block size E blk_update_request: I/O error, dev sda, sector 10368424 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 E device-mapper: verity-fec: 254:8: FEC 9244672: parity read failed (block 18056): -5 Fix this by onlu using f->roots for dm_bufio blocksize IFF it is aligned to v->data_dev_block_bits. Fixes: df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") Cc: stable@vger.kernel.org Signed-off-by: Jaegeuk Kim Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 18ba387261ea5e66c95f8686209d34b17208f40d Author: Ping Cheng Date: Thu Mar 11 11:30:09 2021 -0800 HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices commit 276559d8d02c2709281578976ca2f53bc62063d4 upstream. Valid HID_GENERIC type of devices set EV_KEY and EV_ABS by wacom_map_usage. When *_input_capabilities are reached, those devices should already have their proper EV_* set. EV_KEY and EV_ABS only need to be set for non-HID_GENERIC type of devices in *_input_capabilities. Devices that don't support HID descitoprs will pass back to hid-input for registration without being accidentally rejected by the introduction of patch: "Input: refuse to register absolute devices without absinfo" Fixes: 6ecfe51b4082 ("Input: refuse to register absolute devices without absinfo") Signed-off-by: Ping Cheng Reviewed-by: Jason Gerecke Tested-by: Juan Garrido CC: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit dedf75aec8fc36cb358dd1a50a0c096bf4fb9d74 Author: Arnd Bergmann Date: Tue Mar 23 09:56:34 2021 -0700 Input: i8042 - fix Pegatron C15B ID entry commit daa58c8eec0a65ac8e2e77ff3ea8a233d8eec954 upstream. The Zenbook Flip entry that was added overwrites a previous one because of a typo: In file included from drivers/input/serio/i8042.h:23, from drivers/input/serio/i8042.c:131: drivers/input/serio/i8042-x86ia64io.h:591:28: error: initialized field overwritten [-Werror=override-init] 591 | .matches = { | ^ drivers/input/serio/i8042-x86ia64io.h:591:28: note: (near initialization for 'i8042_dmi_noselftest_table[0].matches') Add the missing separator between the two. Fixes: b5d6e7ab7fe7 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list") Signed-off-by: Arnd Bergmann Reviewed-by: Hans de Goede Reviewed-by: Marcos Paulo de Souza Link: https://lore.kernel.org/r/20210323130623.2302402-1-arnd@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 8b978750dcd2d0facf49603736ec8c23cbbf412d Author: Caleb Connolly Date: Sun Mar 7 15:12:22 2021 -0800 Input: s6sy761 - fix coordinate read bit shift commit 30b3f68715595dee7fe4d9bd91a2252c3becdf0a upstream. The touch coordinate register contains the following: byte 3 byte 2 byte 1 +--------+--------+ +-----------------+ +-----------------+ | | | | | | | | X[3:0] | Y[3:0] | | Y[11:4] | | X[11:4] | | | | | | | | +--------+--------+ +-----------------+ +-----------------+ Bytes 2 and 1 need to be shifted left by 4 bits, the least significant nibble of each is stored in byte 3. Currently they are only being shifted by 3 causing the reported coordinates to be incorrect. This matches downstream examples, and has been confirmed on my device (OnePlus 7 Pro). Fixes: 0145a7141e59 ("Input: add support for the Samsung S6SY761 touchscreen") Signed-off-by: Caleb Connolly Reviewed-by: Andi Shyti Link: https://lore.kernel.org/r/20210305185710.225168-1-caleb@connolly.tech Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 955da2b5cd9855b186f14b71ddb1703d5144193c Author: Julian Braha Date: Fri Apr 9 13:27:47 2021 -0700 lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS [ Upstream commit 7d37cb2c912dc5c25ffac784a4f9b98c06c6bd08 ] When LATENCYTOP, LOCKDEP, or FAULT_INJECTION_STACKTRACE_FILTER is enabled and ARCH_WANT_FRAME_POINTERS is disabled, Kbuild gives a warning such as: WARNING: unmet direct dependencies detected for FRAME_POINTER Depends on [n]: DEBUG_KERNEL [=y] && (M68K || UML || SUPERH) || ARCH_WANT_FRAME_POINTERS [=n] || MCOUNT [=n] Selected by [y]: - LATENCYTOP [=y] && DEBUG_KERNEL [=y] && STACKTRACE_SUPPORT [=y] && PROC_FS [=y] && !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM && !ARC && !X86 Depending on ARCH_WANT_FRAME_POINTERS causes a recursive dependency error. ARCH_WANT_FRAME_POINTERS is to be selected by the architecture, and is not supposed to be overridden by other config options. Link: https://lkml.kernel.org/r/20210329165329.27994-1-julianbraha@gmail.com Signed-off-by: Julian Braha Cc: Andreas Schwab Cc: Geert Uytterhoeven Cc: Necip Fazil Yildiran Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 024f9d048000d2fd92040ba85c5513d1abbfeaa4 Author: A. Cody Schuffelen Date: Thu Mar 18 13:04:19 2021 -0700 virt_wifi: Return micros for BSS TSF values [ Upstream commit b57aa17f07c9270e576ef7df09f142978b5a75f0 ] cfg80211_inform_bss expects to receive a TSF value, but is given the time since boot in nanoseconds. TSF values are expected to be at microsecond scale rather than nanosecond scale. Signed-off-by: A. Cody Schuffelen Link: https://lore.kernel.org/r/20210318200419.1421034-1-schuffelen@google.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit cc413b375c6d95e68a4629cb1ba9d099de78ebb9 Author: Seevalamuthu Mariappan Date: Fri Mar 19 19:48:52 2021 +0530 mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN [ Upstream commit dd0b45538146cb6a54d6da7663b8c3afd16ebcfd ] In some race conditions, with more clients and traffic configuration, below crash is seen when making the interface down. sta->fast_rx wasn't cleared when STA gets removed from 4-addr AP_VLAN interface. The crash is due to try accessing 4-addr AP_VLAN interface's net_device (fast_rx->dev) which has been deleted already. Resolve this by clearing sta->fast_rx pointer when STA removes from a 4-addr VLAN. [ 239.449529] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 239.449531] pgd = 80204000 ... [ 239.481496] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.60 #227 [ 239.481591] Hardware name: Generic DT based system [ 239.487665] task: be05b700 ti: be08e000 task.ti: be08e000 [ 239.492360] PC is at get_rps_cpu+0x2d4/0x31c [ 239.497823] LR is at 0xbe08fc54 ... [ 239.778574] [<80739740>] (get_rps_cpu) from [<8073cb10>] (netif_receive_skb_internal+0x8c/0xac) [ 239.786722] [<8073cb10>] (netif_receive_skb_internal) from [<8073d578>] (napi_gro_receive+0x48/0xc4) [ 239.795267] [<8073d578>] (napi_gro_receive) from [] (ieee80211_mark_rx_ba_filtered_frames+0xbcc/0x12d4 [mac80211]) [ 239.804776] [] (ieee80211_mark_rx_ba_filtered_frames [mac80211]) from [] (ieee80211_rx_napi+0x7b8/0x8c8 [mac8 0211]) [ 239.815857] [] (ieee80211_rx_napi [mac80211]) from [] (ath11k_dp_process_rx+0x7bc/0x8c8 [ath11k]) [ 239.827757] [] (ath11k_dp_process_rx [ath11k]) from [] (ath11k_dp_service_srng+0x2c0/0x2e0 [ath11k]) [ 239.838484] [] (ath11k_dp_service_srng [ath11k]) from [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll+0x20/0x84 [ath11k_ahb] ) [ 239.849419] [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll [ath11k_ahb]) from [<8073ce1c>] (net_rx_action+0xe0/0x28c) [ 239.860945] [<8073ce1c>] (net_rx_action) from [<80324868>] (__do_softirq+0xe4/0x228) [ 239.871269] [<80324868>] (__do_softirq) from [<80324c48>] (irq_exit+0x98/0x108) [ 239.879080] [<80324c48>] (irq_exit) from [<8035c59c>] (__handle_domain_irq+0x90/0xb4) [ 239.886114] [<8035c59c>] (__handle_domain_irq) from [<8030137c>] (gic_handle_irq+0x50/0x94) [ 239.894100] [<8030137c>] (gic_handle_irq) from [<803024c0>] (__irq_svc+0x40/0x74) Signed-off-by: Seevalamuthu Mariappan Link: https://lore.kernel.org/r/1616163532-3881-1-git-send-email-seevalam@codeaurora.org Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 2e08d9a56838c4fd1effbc0be4ff0660d29986dd Author: Guenter Roeck Date: Mon Apr 5 21:29:22 2021 -0700 pcnet32: Use pci_resource_len to validate PCI resource [ Upstream commit 66c3f05ddc538ee796321210c906b6ae6fc0792a ] pci_resource_start() is not a good indicator to determine if a PCI resource exists or not, since the resource may start at address 0. This is seen when trying to instantiate the driver in qemu for riscv32 or riscv64. pci 0000:00:01.0: reg 0x10: [io 0x0000-0x001f] pci 0000:00:01.0: reg 0x14: [mem 0x00000000-0x0000001f] ... pcnet32: card has no PCI IO resources, aborting Use pci_resouce_len() instead. Signed-off-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 248b9b61b9513aa8c73a81c54f6825a1f0c6268c Author: Alexander Aring Date: Sun Apr 4 20:30:52 2021 -0400 net: ieee802154: forbid monitor for add llsec seclevel [ Upstream commit 9ec87e322428d4734ac647d1a8e507434086993d ] This patch forbids to add llsec seclevel for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-14-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit b97c7bc42d8de60b201135c246a8156999729a20 Author: Alexander Aring Date: Sun Apr 4 20:30:51 2021 -0400 net: ieee802154: stop dump llsec seclevels for monitors [ Upstream commit 4c9b4f55ad1f5a4b6206ac4ea58f273126d21925 ] This patch stops dumping llsec seclevels for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-13-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit ab9f9a1d5874960ddf2faeecf567ef2c15eaf82d Author: Alexander Aring Date: Sun Apr 4 20:30:50 2021 -0400 net: ieee802154: forbid monitor for del llsec devkey [ Upstream commit 6fb8045319ef172dc88a8142e7f8b58c7608137e ] This patch forbids to del llsec devkey for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-12-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 4846c2debb2ca32585d4274c02893c4153b68159 Author: Alexander Aring Date: Sun Apr 4 20:30:49 2021 -0400 net: ieee802154: forbid monitor for add llsec devkey [ Upstream commit a347b3b394868fef15b16f143719df56184be81d ] This patch forbids to add llsec devkey for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-11-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 07714229e0e2e9ad8ea19582ad3c41578ccb8c4c Author: Alexander Aring Date: Sun Apr 4 20:30:48 2021 -0400 net: ieee802154: stop dump llsec devkeys for monitors [ Upstream commit 080d1a57a94d93e70f84b7a360baa351388c574f ] This patch stops dumping llsec devkeys for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-10-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 4c1775d6ea86e7b72f6bd2028e226c1389d0b2cd Author: Alexander Aring Date: Sun Apr 4 20:30:47 2021 -0400 net: ieee802154: forbid monitor for del llsec dev [ Upstream commit ad8f9de1f3566686af35b1c6b43240726541da61 ] This patch forbids to del llsec dev for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-9-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 813b13155d14c4cdcaf8085c3d2f0ff9cec60f53 Author: Alexander Aring Date: Sun Apr 4 20:30:46 2021 -0400 net: ieee802154: forbid monitor for add llsec dev [ Upstream commit 5303f956b05a2886ff42890908156afaec0f95ac ] This patch forbids to add llsec dev for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-8-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 2f80452951b5380680d4cd32d9165aa218037eaf Author: Alexander Aring Date: Sun Apr 4 20:30:45 2021 -0400 net: ieee802154: stop dump llsec devs for monitors [ Upstream commit 5582d641e6740839c9b83efd1fbf9bcd00b6f5fc ] This patch stops dumping llsec devs for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-7-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 08744a622faab1fb4501479bf45a33a334237ec1 Author: Alexander Aring Date: Sun Apr 4 20:30:44 2021 -0400 net: ieee802154: forbid monitor for del llsec key [ Upstream commit b6e2949544a183f590ae6f3ef2d1aaaa2c44e38a ] This patch forbids to del llsec key for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-6-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 7edf4d2baa8a19a829475c2fbe0a9f42c628385a Author: Alexander Aring Date: Sun Apr 4 20:30:43 2021 -0400 net: ieee802154: forbid monitor for add llsec key [ Upstream commit 08470c5453339369bd3d590c4cbb0b5961cdcbb6 ] This patch forbids to add llsec key for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-5-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit c09075df5e4da2a6d60b63d70aa8df6268205500 Author: Alexander Aring Date: Sun Apr 4 20:30:42 2021 -0400 net: ieee802154: stop dump llsec keys for monitors [ Upstream commit fb3c5cdf88cd504ef11d59e8d656f4bc896c6922 ] This patch stops dumping llsec keys for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-4-aahringo@redhat.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 8b9485b651d4e62574ea22bff5ca898c5ab9f12c Author: Matt Chen Date: Fri Mar 26 12:57:19 2021 +0200 iwlwifi: add support for Qu with AX201 device [ Upstream commit 97195d3cad852063208a1cd4f4d073459547a415 ] Add this specific Samsung AX201 sku to driver so it can be detected and initialized successfully. Signed-off-by: Matt Chen Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.30b622037714.Id9fd709cf1c8261c097bbfd7453f6476077dcafc@changeid Signed-off-by: Sasha Levin commit c836374bacfa5093a50cd2ecb650e9517fc06914 Author: Martin Wilck Date: Thu Apr 1 11:11:05 2021 +0200 scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state [ Upstream commit 5cd0f6f57639c5afbb36100c69281fee82c95ee7 ] rport_dev_loss_timedout() sets the rport state to SRP_PORT_LOST and the SCSI target state to SDEV_TRANSPORT_OFFLINE. If this races with srp_reconnect_work(), a warning is printed: Mar 27 18:48:07 ictm1604s01h4 kernel: dev_loss_tmo expired for SRP port-18:1 / host18. Mar 27 18:48:07 ictm1604s01h4 kernel: ------------[ cut here ]------------ Mar 27 18:48:07 ictm1604s01h4 kernel: scsi_internal_device_block(18:0:0:100) failed: ret = -22 Mar 27 18:48:07 ictm1604s01h4 kernel: Call Trace: Mar 27 18:48:07 ictm1604s01h4 kernel: ? scsi_target_unblock+0x50/0x50 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: starget_for_each_device+0x80/0xb0 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: target_block+0x24/0x30 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: device_for_each_child+0x57/0x90 Mar 27 18:48:07 ictm1604s01h4 kernel: srp_reconnect_rport+0xe4/0x230 [scsi_transport_srp] Mar 27 18:48:07 ictm1604s01h4 kernel: srp_reconnect_work+0x40/0xc0 [scsi_transport_srp] Avoid this by not trying to block targets for rports in SRP_PORT_LOST state. Link: https://lore.kernel.org/r/20210401091105.8046-1-mwilck@suse.com Reviewed-by: Bart Van Assche Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d9fc084067f58786149a2ae4139475a44f2a475f Author: Alexander Shiyan Date: Fri Apr 2 11:14:05 2021 +0300 ASoC: fsl_esai: Fix TDM slot setup for I2S mode [ Upstream commit e7a48c710defa0e0fef54d42b7d9e4ab596e2761 ] When using the driver in I2S TDM mode, the fsl_esai_startup() function rewrites the number of slots previously set by the fsl_esai_set_dai_tdm_slot() function to 2. To fix this, let's use the saved slot count value or, if TDM is not used and the number of slots is not set, the driver will use the default value (2), which is set by fsl_esai_probe(). Signed-off-by: Alexander Shiyan Acked-by: Nicolin Chen Link: https://lore.kernel.org/r/20210402081405.9892-1-shc_work@mail.ru Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 79ef0e6c0cf8453298b4ec921c8c0e50a392eb7e Author: Rob Clark Date: Wed Mar 24 18:23:52 2021 -0700 drm/msm: Fix a5xx/a6xx timestamps [ Upstream commit 9fbd3088351b92e8c2cef6e37a39decb12a8d5bb ] They were reading a counter that was configured to ALWAYS_COUNT (ie. cycles that the GPU is doing something) rather than ALWAYS_ON. This isn't the thing that userspace is looking for. Signed-off-by: Rob Clark Acked-by: Jordan Crouse Message-Id: <20210325012358.1759770-2-robdclark@gmail.com> Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit d61238aa64827e2171f324f46f5b75bfab8a4cd4 Author: Arnd Bergmann Date: Mon Mar 8 16:34:21 2021 +0100 ARM: omap1: fix building with clang IAS [ Upstream commit 28399a5a6d569c9bdb612345e4933046ca37cde5 ] The clang integrated assembler fails to build one file with a complex asm instruction: arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: error: invalid instruction, any one of the following would fix this: mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: note: instruction requires: armv6t2 mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: note: instruction requires: thumb2 mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ The problem is that 'NR_IRQS_LEGACY' is not defined here. Apparently gas does not care because we first add and then subtract this number, leading to the immediate value to be the same regardless of the specific definition of NR_IRQS_LEGACY. Neither the way that 'gas' just silently builds this file, nor the way that clang IAS makes nonsensical suggestions for how to fix it is great. Fortunately there is an easy fix, which is to #include the header that contains the definition. Signed-off-by: Arnd Bergmann Acked-by: Tony Lindgren Link: https://lore.kernel.org/r/20210308153430.2530616-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 505c48942f04072f7b005c30d35ebf149f50afd7 Author: Arnd Bergmann Date: Tue Mar 23 14:18:05 2021 +0100 ARM: keystone: fix integer overflow warning [ Upstream commit 844b85dda2f569943e1e018fdd63b6f7d1d6f08e ] clang warns about an impossible condition when building with 32-bit phys_addr_t: arch/arm/mach-keystone/keystone.c:79:16: error: result of comparison of constant 51539607551 with expression of type 'phys_addr_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] mem_end > KEYSTONE_HIGH_PHYS_END) { ~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~ arch/arm/mach-keystone/keystone.c:78:16: error: result of comparison of constant 34359738368 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare] if (mem_start < KEYSTONE_HIGH_PHYS_START || ~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~ Change the temporary variable to a fixed-size u64 to avoid the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Santosh Shilimkar Link: https://lore.kernel.org/r/20210323131814.2751750-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 0d0ad98bee393429d27a519907938c30fec7ca80 Author: Tong Zhu Date: Fri Mar 19 14:33:37 2021 -0400 neighbour: Disregard DEAD dst in neigh_update [ Upstream commit d47ec7a0a7271dda08932d6208e4ab65ab0c987c ] After a short network outage, the dst_entry is timed out and put in DST_OBSOLETE_DEAD. We are in this code because arp reply comes from this neighbour after network recovers. There is a potential race condition that dst_entry is still in DST_OBSOLETE_DEAD. With that, another neighbour lookup causes more harm than good. In best case all packets in arp_queue are lost. This is counterproductive to the original goal of finding a better path for those packets. I observed a worst case with 4.x kernel where a dst_entry in DST_OBSOLETE_DEAD state is associated with loopback net_device. It leads to an ethernet header with all zero addresses. A packet with all zero source MAC address is quite deadly with mac80211, ath9k and 802.11 block ack. It fails ieee80211_find_sta_by_ifaddr in ath9k (xmit.c). Ath9k flushes tx queue (ath_tx_complete_aggr). BAW (block ack window) is not updated. BAW logic is damaged and ath9k transmission is disabled. Signed-off-by: Tong Zhu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7a1cd9044da449f389b9a8b45da7f3c0eff77757 Author: Lv Yunlong Date: Mon Mar 22 18:46:56 2021 -0700 gpu/xen: Fix a use after free in xen_drm_drv_init [ Upstream commit 52762efa2b256ed1c5274e5177cbd52ee11a2f6a ] In function displback_changed, has the call chain displback_connect(front_info)->xen_drm_drv_init(front_info). We can see that drm_info is assigned to front_info->drm_info and drm_info is freed in fail branch in xen_drm_drv_init(). Later displback_disconnect(front_info) is called and it calls xen_drm_drv_fini(front_info) cause a use after free by drm_info = front_info->drm_info statement. My patch has done two things. First fixes the fail label which drm_info = kzalloc() failed and still free the drm_info. Second sets front_info->drm_info to NULL to avoid uaf. Signed-off-by: Lv Yunlong Reviewed-by: Oleksandr Andrushchenko Signed-off-by: Oleksandr Andrushchenko Link: https://patchwork.freedesktop.org/patch/msgid/20210323014656.10068-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Sasha Levin commit bfb5a1523f17944d0a488862da2aba57f24a95b2 Author: Ryan Lee Date: Wed Mar 24 20:35:54 2021 -0700 ASoC: max98373: Added 30ms turn on/off time delay [ Upstream commit 3a27875e91fb9c29de436199d20b33f9413aea77 ] Amp requires 10 ~ 30ms for the power ON and OFF. Added 30ms delay for stability. Signed-off-by: Ryan Lee Link: https://lore.kernel.org/r/20210325033555.29377-2-ryans.lee@maximintegrated.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 58d59d9ae56f87ae82af2d4e204a1c05a0ce9bdb Author: Ryan Lee Date: Wed Mar 24 20:35:53 2021 -0700 ASoC: max98373: Changed amp shutdown register as volatile [ Upstream commit a23f9099ff1541f15704e96b784d3846d2a4483d ] 0x20FF(amp global enable) register was defined as non-volatile, but it is not. Overheating, overcurrent can cause amp shutdown in hardware. 'regmap_write' compare register readback value before writing to avoid same value writing. 'regmap_read' just read cache not actual hardware value for the non-volatile register. When amp is internally shutdown by some reason, next 'AMP ON' command can be ignored because regmap think amp is already ON. Signed-off-by: Ryan Lee Link: https://lore.kernel.org/r/20210325033555.29377-1-ryans.lee@maximintegrated.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b2f8476193eb5b963912c671ed32020a47b3ebbe Author: Xin Long Date: Fri Mar 19 18:27:58 2021 +0800 xfrm: BEET mode doesn't support fragments for inner packets [ Upstream commit 68dc022d04eb0fd60a540e242dcb11ec1bee07e2 ] BEET mode replaces the IP(6) Headers with new IP(6) Headers when sending packets. However, when it's a fragment before the replacement, currently kernel keeps the fragment flag and replace the address field then encaps it with ESP. It would cause in RX side the fragments to get reassembled before decapping with ESP, which is incorrect. In Xiumei's testing, these fragments went over an xfrm interface and got encapped with ESP in the device driver, and the traffic was broken. I don't have a good way to fix it, but only to warn this out in dmesg. Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 806addaf8dfd91aa986db213306e1671d699745b Author: Jiri Kosina Date: Tue Mar 2 11:26:55 2021 +0100 iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() [ Upstream commit 2800aadc18a64c96b051bcb7da8a7df7d505db3f ] It's possible for iwl_pcie_enqueue_hcmd() to be called with hard IRQs disabled (e.g. from LED core). We can't enable BHs in such a situation. Turn the unconditional BH-enable/BH-disable code into hardirq-disable/conditional-enable. This fixes the warning below. WARNING: CPU: 1 PID: 1139 at kernel/softirq.c:178 __local_bh_enable_ip+0xa5/0xf0 CPU: 1 PID: 1139 Comm: NetworkManager Not tainted 5.12.0-rc1-00004-gb4ded168af79 #7 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 RIP: 0010:__local_bh_enable_ip+0xa5/0xf0 Code: f7 69 e8 ee 23 14 00 fb 66 0f 1f 44 00 00 65 8b 05 f0 f4 f7 69 85 c0 74 3f 48 83 c4 08 5b c3 65 8b 05 9b fe f7 69 85 c0 75 8e <0f> 0b eb 8a 48 89 3c 24 e8 4e 20 14 00 48 8b 3c 24 eb 91 e8 13 4e RSP: 0018:ffffafd580b13298 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000201 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000201 RDI: ffffffffc1272389 RBP: ffff96517ae4c018 R08: 0000000000000001 R09: 0000000000000000 R10: ffffafd580b13178 R11: 0000000000000001 R12: ffff96517b060000 R13: 0000000000000000 R14: ffffffff80000000 R15: 0000000000000001 FS: 00007fc604ebefc0(0000) GS:ffff965267480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fb3fef13b2 CR3: 0000000109112004 CR4: 00000000003706e0 Call Trace: ? _raw_spin_unlock_bh+0x1f/0x30 iwl_pcie_enqueue_hcmd+0x5d9/0xa00 [iwlwifi] iwl_trans_txq_send_hcmd+0x6c/0x430 [iwlwifi] iwl_trans_send_cmd+0x88/0x170 [iwlwifi] ? lock_acquire+0x277/0x3d0 iwl_mvm_send_cmd+0x32/0x80 [iwlmvm] iwl_mvm_led_set+0xc2/0xe0 [iwlmvm] ? led_trigger_event+0x46/0x70 led_trigger_event+0x46/0x70 ieee80211_do_open+0x5c5/0xa20 [mac80211] ieee80211_open+0x67/0x90 [mac80211] __dev_open+0xd4/0x150 __dev_change_flags+0x19e/0x1f0 dev_change_flags+0x23/0x60 do_setlink+0x30d/0x1230 ? lock_is_held_type+0xb4/0x120 ? __nla_validate_parse.part.7+0x57/0xcb0 ? __lock_acquire+0x2e1/0x1a50 __rtnl_newlink+0x560/0x910 ? __lock_acquire+0x2e1/0x1a50 ? __lock_acquire+0x2e1/0x1a50 ? lock_acquire+0x277/0x3d0 ? sock_def_readable+0x5/0x290 ? lock_is_held_type+0xb4/0x120 ? find_held_lock+0x2d/0x90 ? sock_def_readable+0xb3/0x290 ? lock_release+0x166/0x2a0 ? lock_is_held_type+0x90/0x120 rtnl_newlink+0x47/0x70 rtnetlink_rcv_msg+0x25c/0x470 ? netlink_deliver_tap+0x97/0x3e0 ? validate_linkmsg+0x350/0x350 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x1b2/0x280 netlink_sendmsg+0x336/0x450 sock_sendmsg+0x5b/0x60 ____sys_sendmsg+0x1ed/0x250 ? copy_msghdr_from_user+0x5c/0x90 ___sys_sendmsg+0x88/0xd0 ? lock_is_held_type+0xb4/0x120 ? find_held_lock+0x2d/0x90 ? lock_release+0x166/0x2a0 ? __fget_files+0xfe/0x1d0 ? __sys_sendmsg+0x5e/0xa0 __sys_sendmsg+0x5e/0xa0 ? lockdep_hardirqs_on_prepare+0xd9/0x170 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc605c9572d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 da ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 2e ef ff ff 48 RSP: 002b:00007fffc83789f0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000055ef468570c0 RCX: 00007fc605c9572d RDX: 0000000000000000 RSI: 00007fffc8378a30 RDI: 000000000000000c RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007fffc8378b80 R14: 00007fffc8378b7c R15: 0000000000000000 irq event stamp: 170785 hardirqs last enabled at (170783): [] __local_bh_enable_ip+0x82/0xf0 hardirqs last disabled at (170784): [] _raw_read_lock_irqsave+0x8d/0x90 softirqs last enabled at (170782): [] iwl_pcie_enqueue_hcmd+0x5d9/0xa00 [iwlwifi] softirqs last disabled at (170785): [] iwl_pcie_enqueue_hcmd+0x116/0xa00 [iwlwifi] Signed-off-by: Jiri Kosina Tested-by: Sedat Dilek # LLVM/Clang v12.0.0-rc3 Acked-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2103021125430.12405@cbobk.fhfr.pm Signed-off-by: Sasha Levin commit b448a6a2fc5aa7c36403ebfb2dcbf767d3b01eb4 Author: Wang Qing Date: Mon Mar 1 20:05:48 2021 +0800 arc: kernel: Return -EFAULT if copy_to_user() fails [ Upstream commit 46e152186cd89d940b26726fff11eb3f4935b45a ] The copy_to_user() function returns the number of bytes remaining to be copied, but we want to return -EFAULT if the copy doesn't complete. Signed-off-by: Wang Qing Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit f12e8cf6b18013146741e5075983726f7a00903b Author: Tetsuo Handa Date: Sun Mar 21 15:49:13 2021 +0900 lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message [ Upstream commit 3a85969e9d912d5dd85362ee37b5f81266e00e77 ] Since this message is printed when dynamically allocated spinlocks (e.g. kzalloc()) are used without initialization (e.g. spin_lock_init()), suggest to developers to check whether initialization functions for objects were called, before making developers wonder what annotation is missing. [ mingo: Minor tweaks to the message. ] Signed-off-by: Tetsuo Handa Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20210321064913.4619-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit a55de4f0d1d43c0955bb7ac4f64854dfe8ce5900 Author: Tony Lindgren Date: Mon Mar 8 11:30:45 2021 +0200 ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 [ Upstream commit 77335a040178a0456d4eabc8bf17a7ca3ee4a327 ] Fix moving mmc devices with dts aliases as discussed on the lists. Without this we now have internal eMMC mmc1 show up as mmc2 compared to the earlier order of devices. Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 9f399a9d70066c2a122e8062a2eea31b0c7bec6f Author: Tony Lindgren Date: Mon Mar 8 11:26:25 2021 +0200 ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race [ Upstream commit 140a776833957539c84301dbdb4c3013876de118 ] We have a duplicate legacy clock defined for sha2md5_fck that can sometimes race with clk_disable() with the dts configured clock for OMAP4_SHA2MD5_CLKCTRL when unused clocks are disabled during boot causing an "Unhandled fault: imprecise external abort". Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit f338b8fffd7532f92af0eb8e1366867f8ba2a574 Author: Rafael J. Wysocki Date: Tue Apr 13 16:01:00 2021 +0200 ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() [ Upstream commit 6998a8800d73116187aad542391ce3b2dd0f9e30 ] Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables") attempted to address an issue with reserving the memory occupied by ACPI tables, but it broke the initrd-based table override mechanism relied on by multiple users. To restore the initrd-based ACPI table override functionality, move the acpi_boot_table_init() invocation in setup_arch() on x86 after the acpi_table_upgrade() one. Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables") Reported-by: Hans de Goede Tested-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e5eb9757fe4c2392e069246ae78badc573af1833 Author: Dave Jiang Date: Mon Apr 12 09:02:36 2021 -0700 dmaengine: idxd: fix wq cleanup of WQCFG registers [ Upstream commit ea9aadc06a9f10ad20a90edc0a484f1147d88a7a ] A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This also address an issue where we clobber registers in future devices. Fixes: da32b28c95a7 ("dmaengine: idxd: cleanup workqueue config after disabling") Reported-by: Shreenivaas Devarajan Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161824330020.881560.16375921906426627033.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4c59c5c8668e673a829bdfb9e79a41c4a0547540 Author: Dan Carpenter Date: Tue Mar 23 16:19:59 2021 +0300 dmaengine: plx_dma: add a missing put_device() on error path [ Upstream commit 07503e6aefe4a6efd777062191944a14f03b3a18 ] Add a missing put_device(&pdev->dev) if the call to dma_async_device_register(dma); fails. Fixes: 905ca51e63be ("dmaengine: plx-dma: Introduce PLX DMA engine PCI driver skeleton") Signed-off-by: Dan Carpenter Reviewed-by: Logan Gunthorpe Link: https://lore.kernel.org/r/YFnq/0IQzixtAbC1@mwanda Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ac030f5c5680e02cf7ff5f12b6319ef7069d9749 Author: Lv Yunlong Date: Tue Mar 30 18:44:58 2021 -0700 dmaengine: Fix a double free in dma_async_device_register [ Upstream commit ea45b6008f8095db0cc09ad6e03c7785c2986197 ] In the first list_for_each_entry() macro of dma_async_device_register, it gets the chan from list and calls __dma_async_device_channel_register (..,chan). We can see that chan->local is allocated by alloc_percpu() and it is freed chan->local by free_percpu(chan->local) when __dma_async_device_channel_register() failed. But after __dma_async_device_channel_register() failed, the caller will goto err_out and freed the chan->local in the second time by free_percpu(). The cause of this problem is forget to set chan->local to NULL when chan->local was freed in __dma_async_device_channel_register(). My patch sets chan->local to NULL when the callee failed to avoid double free. Fixes: d2fb0a0438384 ("dmaengine: break out channel registration") Signed-off-by: Lv Yunlong Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20210331014458.3944-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 56f9c04893fb29616183d3bd64b4182312d75065 Author: Andy Shevchenko Date: Wed Mar 24 16:17:57 2021 +0200 dmaengine: dw: Make it dependent to HAS_IOMEM [ Upstream commit 88cd1d6191b13689094310c2405394e4ce36d061 ] Some architectures do not provide devm_*() APIs. Hence make the driver dependent on HAVE_IOMEM. Fixes: dbde5c2934d1 ("dw_dmac: use devm_* functions to simplify code") Reported-by: kernel test robot Signed-off-by: Andy Shevchenko Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20210324141757.24710-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4ecf25595273203010bc8318c4aee60ad64037ae Author: Dave Jiang Date: Wed Apr 7 12:59:47 2021 -0700 dmaengine: idxd: fix wq size store permission state [ Upstream commit 0fff71c5a311e1264988179f7dcc217fda15fadd ] WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state. Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161782558755.107710.18138252584838406025.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit db23b7b5ca3ebba735df3f9bff0ae0caedce71ec Author: Dave Jiang Date: Mon Mar 22 16:37:29 2021 -0700 dmaengine: idxd: fix opcap sysfs attribute output [ Upstream commit ea6a5735d2a61b938a302eb3629272342a9e7c46 ] The operation capability register is 256bits. The current output only prints out the first 64bits. Fix to output the entire 256bits. The current code omits operation caps from IAX devices. Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Reported-by: Lucas Van Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161645624963.2003736.829798666998490151.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0e3f14755111522018c0e325d1ce768dd609641a Author: Dave Jiang Date: Mon Mar 22 16:36:25 2021 -0700 dmaengine: idxd: fix delta_rec and crc size field for completion record [ Upstream commit 4ac823e9cd85f66da274c951d21bf9f6b714b729 ] The delta_rec_size and crc_val in the completion record should be 32bits and not 16bits. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Reported-by: Nikhil Rao Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161645618572.2003490.14466173451736323035.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a5ad12d5d69c63af289a37f05187a0c6fe93553d Author: Dave Jiang Date: Tue Feb 16 17:13:42 2021 -0700 dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback [ Upstream commit ea941ac294d75d0ace50797aebf0056f6f8f7a7f ] Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that comes after the register is read. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Reported-by: Sanjay Kumar Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161352082229.3511254.1002151220537623503.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f567fde02baa8f3d9fe5699f202faf125f96bd0f Author: Matti Vaittinen Date: Mon Mar 29 14:41:12 2021 +0300 gpio: sysfs: Obey valid_mask [ Upstream commit 23cf00ddd2e1aacf1873e43f5e0c519c120daf7a ] Do not allow exporting GPIOs which are set invalid by the driver's valid mask. Fixes: 726cb3ba4969 ("gpiolib: Support 'gpio-reserved-ranges' property") Signed-off-by: Matti Vaittinen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit dfed481e62e55ebaf4f20a3172a6f77567ff8502 Author: Fabian Vogt Date: Tue Mar 23 10:45:55 2021 -0700 Input: nspire-keypad - enable interrupts only when opened [ Upstream commit 69d5ff3e9e51e23d5d81bf48480aa5671be67a71 ] The driver registers an interrupt handler in _probe, but didn't configure them until later when the _open function is called. In between, the keypad can fire an IRQ due to touchpad activity, which the handler ignores. This causes the kernel to disable the interrupt, blocking the keypad from working. Fix this by disabling interrupts before registering the handler. Additionally, disable them in _close, so that they're only enabled while open. Fixes: fc4f31461892 ("Input: add TI-Nspire keypad support") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/3383725.iizBOSrK1V@linux-e202.suse.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit b80ea54e1e715223b336d4e794775b7c42218f9a Author: Hauke Mehrtens Date: Tue Mar 9 01:01:07 2021 +0100 mtd: rawnand: mtk: Fix WAITRDY break condition and timeout [ Upstream commit 2fb164f0ce95e504e2688b4f984893c29ebd19ab ] This fixes NAND_OP_WAITRDY_INSTR operation in the driver. Without this change the driver waits till the system is busy, but we should wait till the busy flag is cleared. The readl_poll_timeout() function gets a break condition, not a wait condition. In addition fix the timeout. The timeout_ms is given in ms, but the readl_poll_timeout() function takes the timeout in us. Multiple the given timeout by 1000 to convert it. Without this change, the driver does not work at all, it doesn't even identify the NAND chip. Fixes: 5197360f9e09 ("mtd: rawnand: mtk: Convert the driver to exec_op()") Signed-off-by: Hauke Mehrtens Reviewed-by: Boris Brezillon Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210309000107.1368404-1-hauke@hauke-m.de Signed-off-by: Sasha Levin commit 5a627026be4a17e5b9db23558cd28e62b2cbc66e Author: Or Cohen Date: Tue Apr 13 21:10:31 2021 +0300 net/sctp: fix race condition in sctp_destroy_sock commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b upstream. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock held and sp->do_auto_asconf is true, then an element is removed from the auto_asconf_splist without any proper locking. This can happen in the following functions: 1. In sctp_accept, if sctp_sock_migrate fails. 2. In inet_create or inet6_create, if there is a bpf program attached to BPF_CGROUP_INET_SOCK_CREATE which denies creation of the sctp socket. The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock instead of sctp_close. This addresses CVE-2021-23133. Reported-by: Or Cohen Reviewed-by: Xin Long Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications") Signed-off-by: Or Cohen Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 65f1995ea1e930674e76c5888b4643581e11434c Author: Greg Kroah-Hartman Date: Fri Apr 16 11:43:22 2021 +0200 Linux 5.10.31 Tested-by: Salvatore Bonaccorso Tested-by: Pavel Machek (CIP) Tested-by: Andrei Rabusov Tested-by: Shuah Khan Tested-by: Jason Self Tested-by: Florian Fainelli Tested-by: Jon Hunter Link: https://lore.kernel.org/r/20210415144413.165663182@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit ceee49ca34bf141f853d14ca2d8fdcf919875a6a Author: Juergen Gross Date: Mon Apr 12 08:28:45 2021 +0200 xen/events: fix setting irq affinity The backport of upstream patch 25da4618af240fbec61 ("xen/events: don't unmask an event channel when an eoi is pending") introduced a regression for stable kernels 5.10 and older: setting IRQ affinity for IRQs related to interdomain events would no longer work, as moving the IRQ to its new cpu was not included in the irq_ack callback for those events. Fix that by adding the needed call. Note that kernels 5.11 and later don't need the explicit moving of the IRQ to the target cpu in the irq_ack callback, due to a rework of the affinity setting in kernel 5.11. Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 9d9facd32d89f737605c7135cee7f8189959d098 Author: Russell King Date: Sun Jan 10 10:58:32 2021 +0000 net: sfp: cope with SFPs that set both LOS normal and LOS inverted commit 624407d2cf14ff58e53bf4b2af9595c4f21d606e upstream. The SFP MSA defines two option bits in byte 65 to indicate how the Rx_LOS signal on SFP pin 8 behaves: bit 2 - Loss of Signal implemented, signal inverted from standard definition in SFP MSA (often called "Signal Detect"). bit 1 - Loss of Signal implemented, signal as defined in SFP MSA (often called "Rx_LOS"). Clearly, setting both bits results in a meaningless situation: it would mean that LOS is implemented in both the normal sense (1 = signal loss) and inverted sense (0 = signal loss). Unfortunately, there are modules out there which set both bits, which will be initially interpret as "inverted" sense, and then, if the LOS signal changes state, we will toggle between LINK_UP and WAIT_LOS states. Change our LOS handling to give well defined behaviour: only interpret these bits as meaningful if exactly one is set, otherwise treat it as if LOS is not implemented. Signed-off-by: Russell King Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/E1kyYQa-0004iR-CU@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski Cc: Pali Rohár Signed-off-by: Greg Kroah-Hartman commit 2a60ab2dab3df84e6d6690ac7a23e1d921b25a36 Author: Russell King Date: Wed Dec 9 11:22:54 2020 +0000 net: sfp: relax bitrate-derived mode check commit 7a77233ec6d114322e2c4f71b4e26dbecd9ea8a7 upstream. Do not check the encoding when deriving 1000BASE-X from the bitrate when no other modes are discovered. Some GPON modules (VSOL V2801F and CarlitoxxPro CPGOS03-0490 v2.0) indicate NRZ encoding with a 1200Mbaud bitrate, but should be driven with 1000BASE-X on the host side. Tested-by: Pali Rohár Reviewed-by: Andrew Lunn Signed-off-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cd8ce27e6caaee47a6d4212e6d9b82e28969cf40 Author: Arnaldo Carvalho de Melo Date: Fri Mar 5 10:02:09 2021 -0300 perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches commit 77d02bd00cea9f1a87afe58113fa75b983d6c23a upstream. Noticed on a debian:experimental mips and mipsel cross build build environment: perfbuilder@ec265a086e9b:~$ mips-linux-gnu-gcc --version | head -1 mips-linux-gnu-gcc (Debian 10.2.1-3) 10.2.1 20201224 perfbuilder@ec265a086e9b:~$ CC /tmp/build/perf/util/map.o util/map.c: In function 'map__new': util/map.c:109:5: error: '%s' directive output may be truncated writing between 1 and 2147483645 bytes into a region of size 4096 [-Werror=format-truncation=] 109 | "%s/platforms/%s/arch-%s/usr/lib/%s", | ^~ In file included from /usr/mips-linux-gnu/include/stdio.h:867, from util/symbol.h:11, from util/map.c:2: /usr/mips-linux-gnu/include/bits/stdio2.h:67:10: note: '__builtin___snprintf_chk' output 32 or more bytes (assuming 4294967321) into a destination of size 4096 67 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 68 | __bos (__s), __fmt, __va_arg_pack ()); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Since we have the lenghts for what lands in that place, use it to give the compiler more info and make it happy. Signed-off-by: Arnaldo Carvalho de Melo Cc: Anders Roxell Signed-off-by: Greg Kroah-Hartman commit 1f3b9000cb44318b0de40a0f495a5a708cd9be6e Author: Florian Westphal Date: Wed Apr 7 21:38:57 2021 +0200 netfilter: x_tables: fix compat match/target pad out-of-bound write commit b29c457a6511435960115c0f548c4360d5f4801d upstream. xt_compat_match/target_from_user doesn't check that zeroing the area to start of next rule won't write past end of allocated ruleset blob. Remove this code and zero the entire blob beforehand. Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com Reported-by: Andy Nguyen Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 5402a67ac4033e2dceec118286ca1c453f682669 Author: Pavel Begunkov Date: Fri Nov 20 17:10:28 2020 +0000 block: don't ignore REQ_NOWAIT for direct IO [ Upstream commit f8b78caf21d5bc3fcfc40c18898f9d52ed1451a5 ] If IOCB_NOWAIT is set on submission, then that needs to get propagated to REQ_NOWAIT on the block side. Otherwise we completely lose this information, and any issuer of IOCB_NOWAIT IO will potentially end up blocking on eg request allocation on the storage side. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit efa7b6e4017aeccc0d7595e110f2d69a26332b2c Author: Zihao Yu Date: Wed Mar 17 16:17:25 2021 +0800 riscv,entry: fix misaligned base for excp_vect_table [ Upstream commit ac8d0b901f0033b783156ab2dc1a0e73ec42409b ] In RV64, the size of each entry in excp_vect_table is 8 bytes. If the base of the table is not 8-byte aligned, loading an entry in the table will raise a misaligned exception. Although such exception will be handled by opensbi/bbl, this still causes performance degradation. Signed-off-by: Zihao Yu Reviewed-by: Anup Patel Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 6fbdce3cde97896ff4c2fb99e5d4bba45297a178 Author: Jens Axboe Date: Thu Apr 1 08:38:34 2021 -0600 io_uring: don't mark S_ISBLK async work as unbounded [ Upstream commit 4b982bd0f383db9132e892c0c5144117359a6289 ] S_ISBLK is marked as unbounded work for async preparation, because it doesn't match S_ISREG. That is incorrect, as any read/write to a block device is also a bounded operation. Fix it up and ensure that S_ISBLK isn't marked unbounded. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5d4600017beeab73e0d5550f9485564fba66b460 Author: Damien Le Moal Date: Thu Apr 1 07:52:44 2021 +0900 null_blk: fix command timeout completion handling [ Upstream commit de3510e52b0a398261271455562458003b8eea62 ] Memory backed or zoned null block devices may generate actual request timeout errors due to the submission path being blocked on memory allocation or zone locking. Unlike fake timeouts or injected timeouts, the request submission path will call blk_mq_complete_request() or blk_mq_end_request() for these real timeout errors, causing a double completion and use after free situation as the block layer timeout handler executes blk_mq_rq_timed_out() and __blk_mq_free_request() in blk_mq_check_expired(). This problem often triggers a NULL pointer dereference such as: BUG: kernel NULL pointer dereference, address: 0000000000000050 RIP: 0010:blk_mq_sched_mark_restart_hctx+0x5/0x20 ... Call Trace: dd_finish_request+0x56/0x80 blk_mq_free_request+0x37/0x130 null_handle_cmd+0xbf/0x250 [null_blk] ? null_queue_rq+0x67/0xd0 [null_blk] blk_mq_dispatch_rq_list+0x122/0x850 __blk_mq_do_dispatch_sched+0xbb/0x2c0 __blk_mq_sched_dispatch_requests+0x13d/0x190 blk_mq_sched_dispatch_requests+0x30/0x60 __blk_mq_run_hw_queue+0x49/0x90 process_one_work+0x26c/0x580 worker_thread+0x55/0x3c0 ? process_one_work+0x580/0x580 kthread+0x134/0x150 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x1f/0x30 This problem very often triggers when running the full btrfs xfstests on a memory-backed zoned null block device in a VM with limited amount of memory. Avoid this by executing blk_mq_complete_request() in null_timeout_rq() only for commands that are marked for a fake timeout completion using the fake_timeout boolean in struct null_cmd. For timeout errors injected through debugfs, the timeout handler will execute blk_mq_complete_request()i as before. This is safe as the submission path does not execute complete requests in this case. In null_timeout_rq(), also make sure to set the command error field to BLK_STS_TIMEOUT and to propagate this error through to the request completion. Reported-by: Johannes Thumshirn Signed-off-by: Damien Le Moal Tested-by: Johannes Thumshirn Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20210331225244.126426-1-damien.lemoal@wdc.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b1f6c6f39bd6a47edcedf2532491ba26b212ecb3 Author: Matthew Wilcox (Oracle) Date: Thu Apr 1 07:46:49 2021 -0400 idr test suite: Create anchor before launching throbber [ Upstream commit 094ffbd1d8eaa27ed426feb8530cb1456348b018 ] The throbber could race with creation of the anchor entry and cause the IDR to have zero entries in it, which would cause the test to fail. Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Sasha Levin commit 9a7552daa93bf38f6975cb47f6f726d3e2b81a60 Author: Matthew Wilcox (Oracle) Date: Thu Apr 1 07:44:48 2021 -0400 idr test suite: Take RCU read lock in idr_find_test_1 [ Upstream commit 703586410da69eb40062e64d413ca33bd735917a ] When run on a single CPU, this test would frequently access already-freed memory. Due to timing, this bug never showed up on multi-CPU tests. Reported-by: Chris von Recklinghausen Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Sasha Levin commit edd822b6924154c84383c3a9a513a7c9b7c98fd8 Author: Matthew Wilcox (Oracle) Date: Wed Mar 31 14:59:19 2021 -0400 radix tree test suite: Register the main thread with the RCU library [ Upstream commit 1bb4bd266cf39fd2fa711f2d265c558b92df1119 ] Several test runners register individual worker threads with the RCU library, but neglect to register the main thread, which can lead to objects being freed while the main thread is in what appears to be an RCU critical section. Reported-by: Chris von Recklinghausen Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Sasha Levin commit 1d2310d95fb8e29e69ebfc038919c968fbbdcb64 Author: Yufen Yu Date: Wed Mar 31 07:53:59 2021 -0400 block: only update parent bi_status when bio fail [ Upstream commit 3edf5346e4f2ce2fa0c94651a90a8dda169565ee ] For multiple split bios, if one of the bio is fail, the whole should return error to application. But we found there is a race between bio_integrity_verify_fn and bio complete, which return io success to application after one of the bio fail. The race as following: split bio(READ) kworker nvme_complete_rq blk_update_request //split error=0 bio_endio bio_integrity_endio queue_work(kintegrityd_wq, &bip->bip_work); bio_integrity_verify_fn bio_endio //split bio __bio_chain_endio if (!parent->bi_status) nvme_irq blk_update_request //parent error=7 req_bio_endio bio->bi_status = 7 //parent bio parent->bi_status = 0 parent->bi_end_io() // return bi_status=0 The bio has been split as two: split and parent. When split bio completed, it depends on kworker to do endio, while bio_integrity_verify_fn have been interrupted by parent bio complete irq handler. Then, parent bio->bi_status which have been set in irq handler will overwrite by kworker. In fact, even without the above race, we also need to conside the concurrency beteen mulitple split bio complete and update the same parent bi_status. Normally, multiple split bios will be issued to the same hctx and complete from the same irq vector. But if we have updated queue map between multiple split bios, these bios may complete on different hw queue and different irq vector. Then the concurrency update parent bi_status may cause the final status error. Suggested-by: Keith Busch Signed-off-by: Yufen Yu Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20210331115359.1125679-1-yuyufen@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d99e22c0ea747d6a5b1a06e0787d3643e452c9d0 Author: Matthew Wilcox (Oracle) Date: Thu Nov 19 08:32:31 2020 -0500 XArray: Fix splitting to non-zero orders [ Upstream commit 3012110d71f41410932924e1d188f9eb57f1f824 ] Splitting an order-4 entry into order-2 entries would leave the array containing pointers to 000040008000c000 instead of 000044448888cccc. This is a one-character fix, but enhance the test suite to check this case. Reported-by: Zi Yan Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Sasha Levin commit 9576dd89554e39f1c6dcb377ff2a961269d2eaac Author: Mikko Perttunen Date: Mon Mar 29 16:38:27 2021 +0300 gpu: host1x: Use different lock classes for each client [ Upstream commit a24f98176d1efae2c37d3438c57a624d530d9c33 ] To avoid false lockdep warnings, give each client lock a different lock class, passed from the initialization site by macro. Signed-off-by: Mikko Perttunen Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 39af2f472f21b4cdcfe9a7289856bec8b6498143 Author: Dmitry Osipenko Date: Tue Mar 2 16:15:06 2021 +0300 drm/tegra: dc: Don't set PLL clock to 0Hz [ Upstream commit f8fb97c915954fc6de6513cdf277103b5c6df7b3 ] RGB output doesn't allow to change parent clock rate of the display and PCLK rate is set to 0Hz in this case. The tegra_dc_commit_state() shall not set the display clock to 0Hz since this change propagates to the parent clock. The DISP clock is defined as a NODIV clock by the tegra-clk driver and all NODIV clocks use the CLK_SET_RATE_PARENT flag. This bug stayed unnoticed because by default PLLP is used as the parent clock for the display controller and PLLP silently skips the erroneous 0Hz rate changes because it always has active child clocks that don't permit rate changes. The PLLP isn't acceptable for some devices that we want to upstream (like Samsung Galaxy Tab and ASUS TF700T) due to a display panel clock rate requirements that can't be fulfilled by using PLLP and then the bug pops up in this case since parent clock is set to 0Hz, killing the display output. Don't touch DC clock if pclk=0 in order to fix the problem. Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit e4a0956574c741ca183084b9cd8f3bccec8dbd56 Author: Stefan Raspl Date: Thu Mar 25 13:29:49 2021 +0100 tools/kvm_stat: Add restart delay [ Upstream commit 75f94ecbd0dfd2ac4e671f165f5ae864b7301422 ] If this service is enabled and the system rebooted, Systemd's initial attempt to start this unit file may fail in case the kvm module is not loaded. Since we did not specify a delay for the retries, Systemd restarts with a minimum delay a number of times before giving up and disabling the service. Which means a subsequent kvm module load will have kvm running without monitoring. Adding a delay to fix this. Signed-off-by: Stefan Raspl Message-Id: <20210325122949.1433271-1-raspl@linux.ibm.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 1dcb3ebc24164c0b5d3b13696d80bf163e16b664 Author: Steven Rostedt (VMware) Date: Tue Mar 30 09:58:38 2021 -0400 ftrace: Check if pages were allocated before calling free_pages() [ Upstream commit 59300b36f85f254260c81d9dd09195fa49eb0f98 ] It is possible that on error pg->size can be zero when getting its order, which would return a -1 value. It is dangerous to pass in an order of -1 to free_pages(). Check if order is greater than or equal to zero before calling free_pages(). Link: https://lore.kernel.org/lkml/20210330093916.432697c7@gandalf.local.home/ Reported-by: Abaci Robot Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 6c6d58322079f94d58e22eda1166240181ac3270 Author: Bob Peterson Date: Thu Mar 25 08:51:13 2021 -0400 gfs2: report "already frozen/thawed" errors [ Upstream commit ff132c5f93c06bd4432bbab5c369e468653bdec4 ] Before this patch, gfs2's freeze function failed to report an error when the target file system was already frozen as it should (and as generic vfs function freeze_super does. Similarly, gfs2's thaw function failed to report an error when trying to thaw a file system that is not frozen, as vfs function thaw_super does. The errors were checked, but it always returned a 0 return code. This patch adds the missing error return codes to gfs2 freeze and thaw. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 870c8df1d192142c1289f38c9278b6b48442f927 Author: Arnd Bergmann Date: Wed Mar 24 17:47:41 2021 +0100 drm/imx: imx-ldb: fix out of bounds array access warning [ Upstream commit 33ce7f2f95cabb5834cf0906308a5cb6103976da ] When CONFIG_OF is disabled, building with 'make W=1' produces warnings about out of bounds array access: drivers/gpu/drm/imx/imx-ldb.c: In function 'imx_ldb_set_clock.constprop': drivers/gpu/drm/imx/imx-ldb.c:186:8: error: array subscript -22 is below array bounds of 'struct clk *[4]' [-Werror=array-bounds] Add an error check before the index is used, which helps with the warning, as well as any possible other error condition that may be triggered at runtime. The warning could be fixed by adding a Kconfig depedency on CONFIG_OF, but Liu Ying points out that the driver may hit the out-of-bounds problem at runtime anyway. Signed-off-by: Arnd Bergmann Reviewed-by: Liu Ying Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 5b50468a2d4d89804e2d5109a8eb89ede2f8c116 Author: Suzuki K Poulose Date: Tue Mar 23 12:06:30 2021 +0000 KVM: arm64: Disable guest access to trace filter controls [ Upstream commit a354a64d91eec3e0f8ef0eed575b480fd75b999c ] Disable guest access to the Trace Filter control registers. We do not advertise the Trace filter feature to the guest (ID_AA64DFR0_EL1: TRACE_FILT is cleared) already, but the guest can still access the TRFCR_EL1 unless we trap it. This will also make sure that the guest cannot fiddle with the filtering controls set by a nvhe host. Cc: Marc Zyngier Cc: Will Deacon Cc: Mark Rutland Cc: Catalin Marinas Signed-off-by: Suzuki K Poulose Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210323120647.454211-3-suzuki.poulose@arm.com Signed-off-by: Sasha Levin commit fa0c0dce589dfec205077bd79090fd6aaea2a1d2 Author: Suzuki K Poulose Date: Tue Mar 23 12:06:29 2021 +0000 KVM: arm64: Hide system instruction access to Trace registers [ Upstream commit 1d676673d665fd2162e7e466dcfbe5373bfdb73e ] Currently we advertise the ID_AA6DFR0_EL1.TRACEVER for the guest, when the trace register accesses are trapped (CPTR_EL2.TTA == 1). So, the guest will get an undefined instruction, if trusts the ID registers and access one of the trace registers. Lets be nice to the guest and hide the feature to avoid unexpected behavior. Even though this can be done at KVM sysreg emulation layer, we do this by removing the TRACEVER from the sanitised feature register field. This is fine as long as the ETM drivers can handle the individual trace units separately, even when there are differences among the CPUs. Cc: Will Deacon Cc: Catalin Marinas Cc: Mark Rutland Signed-off-by: Suzuki K Poulose Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210323120647.454211-2-suzuki.poulose@arm.com Signed-off-by: Sasha Levin commit 57fb08fb9a254655e5105fbe4c1a45112c50b4c7 Author: Andrew Price Date: Mon Mar 15 12:24:00 2021 +0000 gfs2: Flag a withdraw if init_threads() fails [ Upstream commit 62dd0f98a0e5668424270b47a0c2e973795faba7 ] Interrupting mount with ^C quickly enough can cause the kthread_run() calls in gfs2's init_threads() to fail and the error path leads to a deadlock on the s_umount rwsem. The abridged chain of events is: [mount path] get_tree_bdev() sget_fc() alloc_super() down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING); [acquired] gfs2_fill_super() gfs2_make_fs_rw() init_threads() kthread_run() ( Interrupted ) [Error path] gfs2_gl_hash_clear() flush_workqueue(glock_workqueue) wait_for_completion() [workqueue context] glock_work_func() run_queue() do_xmote() freeze_go_sync() freeze_super() down_write(&sb->s_umount) [deadlock] In freeze_go_sync() there is a gfs2_withdrawn() check that we can use to make sure freeze_super() is not called in the error path, so add a gfs2_withdraw_delayed() call when init_threads() fails. Ref: https://bugzilla.kernel.org/show_bug.cgi?id=212231 Reported-by: Alexander Aring Signed-off-by: Andrew Price Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 9b57ecb01b43f50c93b33a19155618357f98cbfc Author: Jia-Ju Bai Date: Mon Mar 8 15:09:15 2021 +0200 interconnect: core: fix error return code of icc_link_destroy() [ Upstream commit 715ea61532e731c62392221238906704e63d75b6 ] When krealloc() fails and new is NULL, no error return code of icc_link_destroy() is assigned. To fix this bug, ret is assigned with -ENOMEM hen new is NULL. Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20210306132857.17020-1-baijiaju1990@gmail.com Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin