commit 1e5515fad109ca86da9f2e9cb2b7edd3d439191c Author: Alexandre Frade Date: Sat Jun 5 00:36:07 2021 +0000 Linux 5.10.41-rt42-xanmod1 Signed-off-by: Alexandre Frade commit 0ca48aad77bc7471f1620034e829b8eeaababae1 Merge: 0e719302d064 c7395ea35c92 Author: Alexandre Frade Date: Sat Jun 5 00:35:30 2021 +0000 Merge tag 'v5.10.41-rt42' into 5.10-rt Linux 5.10.41-rt42 commit c7395ea35c9252962899b2f7914456549d11bd96 Author: Steven Rostedt (VMware) Date: Fri Jun 4 18:54:48 2021 -0400 Linux 5.10.41-rt42 commit 5a6531497cddbcc885811f2ce9e3195815b84e5a Merge: a1a0592d5022 33069919e2dc Author: Steven Rostedt (VMware) Date: Thu Jun 3 11:34:04 2021 -0400 Merge tag 'v5.10.41' into v5.10-rt This is the 5.10.41 stable release commit a1a0592d5022a4f01146541ead7e3f3b21a7d565 Author: Steven Rostedt (VMware) Date: Thu Jun 3 11:32:50 2021 -0400 Linux 5.10.40-rt41 commit a1e52b01c513f2fbf9356d70b45ed10aae693932 Merge: 3f92907f1815 4068786a8690 Author: Steven Rostedt (VMware) Date: Thu Jun 3 11:32:24 2021 -0400 Merge tag 'v5.10.40' into v5.10-rt This is the 5.10.40 stable release Conflicts: kernel/ptrace.c Signed-off-by: Steven Rostedt (VMware) commit 3f92907f1815b27b6f6665753aa191ade50b1624 Author: Steven Rostedt (VMware) Date: Thu Jun 3 10:56:17 2021 -0400 Linux 5.10.38-rt40 commit 8e3346338b33aa3d260d15f7db01b7853437ea8f Merge: e4eb257a89aa 689e89aee55c Author: Steven Rostedt (VMware) Date: Thu Jun 3 10:50:09 2021 -0400 Merge tag 'v5.10.38' into v5.10-rt This is the 5.10.38 stable release Conflicts: arch/arm64/kernel/entry.S Signed-off-by: Steven Rostedt (VMware) commit 33069919e2dce440d3b8cd101b18f37bb35bdddf Author: Greg Kroah-Hartman Date: Fri May 28 13:17:44 2021 +0200 Linux 5.10.41 Link: https://lore.kernel.org/r/20210527151139.242182390@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Fox Chen Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Florian Fainelli Reviewed-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Signed-off-by: Greg Kroah-Hartman commit b34cb7ac32cc8e5471dc773180ea9ae676b1a745 Author: Dongliang Mu Date: Sat May 15 07:29:06 2021 +0800 NFC: nci: fix memory leak in nci_allocate_device commit e0652f8bb44d6294eeeac06d703185357f25d50b upstream. nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev. Fix this by freeing hci_dev in nci_free_device. BUG: memory leak unreferenced object 0xffff888111ea6800 (size 1024): comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline] [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline] [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784 [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline] [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132 [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153 [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345 [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740 [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846 [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914 [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491 [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109 [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164 [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 Reported-by: syzbot+19bcfc64a8df1318d1c3@syzkaller.appspotmail.com Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") Signed-off-by: Dongliang Mu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8d11e6ae4304a575543e5ed4cc9a20a06d34297b Author: Dave Rigby Date: Thu Feb 18 16:56:54 2021 +0000 perf unwind: Set userdata for all __report_module() paths commit 4e1481445407b86a483616c4542ffdc810efb680 upstream. When locating the DWARF module for a given address, __find_debuginfo() requires a 'struct dso' passed via the userdata argument. However, this field is only set in __report_module() if the module is found in via dwfl_addrmodule(), not if it is found later via dwfl_report_elf(). Set userdata irrespective of how the DWARF module was found, as long as we found a module. Fixes: bf53fc6b5f41 ("perf unwind: Fix separate debug info files when using elfutils' libdw's unwinder") Signed-off-by: Dave Rigby Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=211801 Acked-by: Jan Kratochvil Acked-by: Jiri Olsa Link: https://lore.kernel.org/linux-perf-users/20210218165654.36604-1-d.rigby@me.com/ Signed-off-by: Arnaldo Carvalho de Melo Cc: "Tommi Rantala" Signed-off-by: Greg Kroah-Hartman commit 53eaf28c056d99a636970b06d5f9916b52973297 Author: Jan Kratochvil Date: Fri Dec 4 09:17:02 2020 -0300 perf unwind: Fix separate debug info files when using elfutils' libdw's unwinder commit bf53fc6b5f415cddc7118091cb8fd6a211b2320d upstream. elfutils needs to be provided main binary and separate debug info file respectively. Providing separate debug info file instead of the main binary is not sufficient. One needs to try both supplied filename and its possible cache by its build-id depending on the use case. Signed-off-by: Jan Kratochvil Tested-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Ian Rogers Cc: Namhyung Kim Signed-off-by: Arnaldo Carvalho de Melo Cc: "Tommi Rantala" Signed-off-by: Greg Kroah-Hartman commit 514883ebac77ff9939da92e268b24a71c9fe4e05 Author: Wanpeng Li Date: Tue May 4 17:27:30 2021 -0700 KVM: x86: Defer vtime accounting 'til after IRQ handling commit 160457140187c5fb127b844e5a85f87f00a01b14 upstream. Defer the call to account guest time until after servicing any IRQ(s) that happened in the guest or immediately after VM-Exit. Tick-based accounting of vCPU time relies on PF_VCPU being set when the tick IRQ handler runs, and IRQs are blocked throughout the main sequence of vcpu_enter_guest(), including the call into vendor code to actually enter and exit the guest. This fixes a bug where reported guest time remains '0', even when running an infinite loop in the guest: https://bugzilla.kernel.org/show_bug.cgi?id=209831 Fixes: 87fa7f3e98a131 ("x86/kvm: Move context tracking where it belongs") Suggested-by: Thomas Gleixner Co-developed-by: Sean Christopherson Signed-off-by: Wanpeng Li Signed-off-by: Sean Christopherson Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210505002735.1684165-4-seanjc@google.com Signed-off-by: Greg Kroah-Hartman commit 77068304b30f553b05934224146813d3cdcaa12c Author: Wanpeng Li Date: Tue May 4 17:27:29 2021 -0700 context_tracking: Move guest exit vtime accounting to separate helpers commit 88d8220bbf06dd8045b2ac4be1046290eaa7773a upstream. Provide separate vtime accounting functions for guest exit instead of open coding the logic within the context tracking code. This will allow KVM x86 to handle vtime accounting slightly differently when using tick-based accounting. Suggested-by: Thomas Gleixner Signed-off-by: Wanpeng Li Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Thomas Gleixner Reviewed-by: Christian Borntraeger Link: https://lore.kernel.org/r/20210505002735.1684165-3-seanjc@google.com Signed-off-by: Greg Kroah-Hartman commit 5ae5e3f05831b7629cd33be0a8591905f0898599 Author: Wanpeng Li Date: Tue May 4 17:27:28 2021 -0700 context_tracking: Move guest exit context tracking to separate helpers commit 866a6dadbb027b2955a7ae00bab9705d382def12 upstream. Provide separate context tracking helpers for guest exit, the standalone helpers will be called separately by KVM x86 in later patches to fix tick-based accounting. Suggested-by: Thomas Gleixner Signed-off-by: Wanpeng Li Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20210505002735.1684165-2-seanjc@google.com Signed-off-by: Greg Kroah-Hartman commit 27acfd11ba179b746f55077edf9750f8f7cb1cb6 Author: Daniel Borkmann Date: Tue May 4 08:58:25 2021 +0000 bpf: No need to simulate speculative domain for immediates commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream. In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under speculation") we replaced masking logic with direct loads of immediates if the register is a known constant. Given in this case we do not apply any masking, there is also no reason for the operation to be truncated under the speculative domain. Therefore, there is also zero reason for the verifier to branch-off and simulate this case, it only needs to do it for unknown but bounded scalars. As a side-effect, this also enables few test cases that were previously rejected due to simulation under zero truncation. Signed-off-by: Daniel Borkmann Reviewed-by: Piotr Krysiuk Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit c87ef240a8bbbda5913fac1e84209d224c1aaf50 Author: Daniel Borkmann Date: Fri May 21 10:19:22 2021 +0000 bpf: Fix mask direction swap upon off reg sign change commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream. Masking direction as indicated via mask_to_left is considered to be calculated once and then used to derive pointer limits. Thus, this needs to be placed into bpf_sanitize_info instead so we can pass it to sanitize_ptr_alu() call after the pointer move. Piotr noticed a corner case where the off reg causes masking direction change which then results in an incorrect final aux->alu_limit. Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask") Reported-by: Piotr Krysiuk Signed-off-by: Daniel Borkmann Reviewed-by: Piotr Krysiuk Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 4e2c7b297431457663a90d4186e666b61d5da86c Author: Daniel Borkmann Date: Fri May 21 10:17:36 2021 +0000 bpf: Wrap aux data inside bpf_sanitize_info container commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream. Add a container structure struct bpf_sanitize_info which holds the current aux info, and update call-sites to sanitize_ptr_alu() to pass it in. This is needed for passing in additional state later on. Signed-off-by: Daniel Borkmann Reviewed-by: Piotr Krysiuk Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 4068786a86905a7a358b9fe1327a480f08fb6a40 Author: Greg Kroah-Hartman Date: Wed May 26 12:06:57 2021 +0200 Linux 5.10.40 Link: https://lore.kernel.org/r/20210524152332.844251980@linuxfoundation.org Tested-by: Fox Chen Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Jason Self Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Pavel Machek (CIP) Tested-by: Salvatore Bonaccorso Tested-by: Guenter Roeck Tested-by: Hulk Robot Signed-off-by: Greg Kroah-Hartman commit d8d261c7cfb3a5dd921b4aeeb944718afc3f3961 Author: Luiz Augusto von Dentz Date: Wed Mar 10 14:13:08 2021 -0800 Bluetooth: SMP: Fail if remote and local public keys are identical commit 6d19628f539fccf899298ff02ee4c73e4bf6df3f upstream. This fails the pairing procedure when both remote and local non-debug public keys are identical. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit e8c34789f1b8662d4f79b9a64dc8be630d24841d Author: Anirudh Rayabharam Date: Mon May 17 00:57:14 2021 +0530 video: hgafb: correctly handle card detect failure during probe commit 02625c965239b71869326dd0461615f27307ecb3 upstream. The return value of hga_card_detect() is not properly handled causing the probe to succeed even though hga_card_detect() failed. Since probe succeeds, hgafb_open() can be called which will end up operating on an unmapped hga_vram. This results in an out-of-bounds access as reported by kernel test robot [1]. To fix this, correctly detect failure of hga_card_detect() by checking for a non-zero error code. [1]: https://lore.kernel.org/lkml/20210516150019.GB25903@xsang-OptiPlex-9020/ Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference") Cc: stable Reported-by: kernel test robot Reviewed-by: Igor Matheus Andrade Torrente Signed-off-by: Anirudh Rayabharam Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20210516192714.25823-1-mail@anirudhrb.com Signed-off-by: Greg Kroah-Hartman commit ed9fdd4c6f03e613403d03ee46bd41a2a3ed9211 Author: Hou Pu Date: Thu May 13 21:04:10 2021 +0800 nvmet: use new ana_log_size instead the old one commit e181811bd04d874fe48bbfa1165a82068b58144d upstream. The new ana_log_size should be used instead of the old one. Or kernel NULL pointer dereference will happen like below: [ 38.957849][ T69] BUG: kernel NULL pointer dereference, address: 000000000000003c [ 38.975550][ T69] #PF: supervisor write access in kernel mode [ 38.975955][ T69] #PF: error_code(0x0002) - not-present page [ 38.976905][ T69] PGD 0 P4D 0 [ 38.979388][ T69] Oops: 0002 [#1] SMP NOPTI [ 38.980488][ T69] CPU: 0 PID: 69 Comm: kworker/0:2 Not tainted 5.12.0+ #54 [ 38.981254][ T69] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 38.982502][ T69] Workqueue: events nvme_loop_execute_work [ 38.985219][ T69] RIP: 0010:memcpy_orig+0x68/0x10f [ 38.986203][ T69] Code: 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 4c 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 <4c> 89 47 f8 4c 89 4f f0 4c 89 57 e8 4c 89 5f e0 48 8d 7f e0 73 d2 [ 38.987677][ T69] RSP: 0018:ffffc900001b7d48 EFLAGS: 00000287 [ 38.987996][ T69] RAX: 0000000000000020 RBX: 0000000000000024 RCX: 0000000000000010 [ 38.988327][ T69] RDX: ffffffffffffffe4 RSI: ffff8881084bc004 RDI: 0000000000000044 [ 38.988620][ T69] RBP: 0000000000000024 R08: 0000000100000000 R09: 0000000000000000 [ 38.988991][ T69] R10: 0000000100000000 R11: 0000000000000001 R12: 0000000000000024 [ 38.989289][ T69] R13: ffff8881084bc000 R14: 0000000000000000 R15: 0000000000000024 [ 38.989845][ T69] FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 [ 38.990234][ T69] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 38.990490][ T69] CR2: 000000000000003c CR3: 00000001085b2000 CR4: 00000000000006f0 [ 38.991105][ T69] Call Trace: [ 38.994157][ T69] sg_copy_buffer+0xb8/0xf0 [ 38.995357][ T69] nvmet_copy_to_sgl+0x48/0x6d [ 38.995565][ T69] nvmet_execute_get_log_page_ana+0xd4/0x1cb [ 38.995792][ T69] nvmet_execute_get_log_page+0xc9/0x146 [ 38.995992][ T69] nvme_loop_execute_work+0x3e/0x44 [ 38.996181][ T69] process_one_work+0x1c3/0x3c0 [ 38.996393][ T69] worker_thread+0x44/0x3d0 [ 38.996600][ T69] ? cancel_delayed_work+0x90/0x90 [ 38.996804][ T69] kthread+0xf7/0x130 [ 38.996961][ T69] ? kthread_create_worker_on_cpu+0x70/0x70 [ 38.997171][ T69] ret_from_fork+0x22/0x30 [ 38.997705][ T69] Modules linked in: [ 38.998741][ T69] CR2: 000000000000003c [ 39.000104][ T69] ---[ end trace e719927b609d0fa0 ]--- Fixes: 5e1f689913a4 ("nvme-multipath: fix double initialization of ANA state") Signed-off-by: Hou Pu Signed-off-by: Christoph Hellwig Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit d28aa3c157363f23a476d3bea87335f1ac016a67 Author: Joerg Roedel Date: Fri Mar 12 13:38:23 2021 +0100 x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path commit fef81c86262879d4b1176ef51a834c15b805ebb9 upstream. Check whether the hypervisor reported the correct C-bit when running as an SEV guest. Using a wrong C-bit position could be used to leak sensitive data from the guest to the hypervisor. Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210312123824.306-8-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit 0296c9057adee577bf53f7e91f6b1178e23aeb44 Author: Francois Gervais Date: Wed Mar 10 16:10:26 2021 -0500 rtc: pcf85063: fallback to parent of_node commit 03531606ef4cda25b629f500d1ffb6173b805c05 upstream. The rtc device node is always NULL. Since v5.12-rc1-dontuse/3c9ea42802a1fbf7ef29660ff8c6e526c58114f6 this will lead to a NULL pointer dereference. To fix this use the parent node which is the i2c client node as set by devm_rtc_allocate_device(). Using the i2c client node seems to be what other similar drivers do e.g. rtc-pcf8563.c. Signed-off-by: Francois Gervais Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20210310211026.27299-1-fgervais@distech-controls.com Signed-off-by: Greg Kroah-Hartman commit 7b994b03f1de4475dc261a0ff057751fdd0d2bfa Author: Christoph Hellwig Date: Thu Apr 29 14:18:53 2021 +0200 nvme-multipath: fix double initialization of ANA state commit 5e1f689913a4498e3081093670ef9d85b2c60920 upstream. nvme_init_identify and thus nvme_mpath_init can be called multiple times and thus must not overwrite potentially initialized or in-use fields. Split out a helper for the basic initialization when the controller is initialized and make sure the init_identify path does not blindly change in-use data structures. Fixes: 0d0b660f214d ("nvme: add ANA support") Reported-by: Martin Wilck Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Sagi Grimberg Reviewed-by: Hannes Reinecke Signed-off-by: Greg Kroah-Hartman commit e2c26ddd4e8565c54068d827da09bfabdf9d82de Author: Jan Beulich Date: Thu May 20 13:42:42 2021 +0200 x86/Xen: swap NX determination and GDT setup on BSP commit ae897fda4f507e4b239f0bdfd578b3688ca96fb4 upstream. xen_setup_gdt(), via xen_load_gdt_boot(), wants to adjust page tables. For this to work when NX is not available, x86_configure_nx() needs to be called first. [jgross] Note that this is a revert of 36104cb9012a82e73 ("x86/xen: Delay get_cpu_cap until stack canary is established"), which is possible now that we no longer support running as PV guest in 32-bit mode. Cc: # 5.9 Fixes: 36104cb9012a82e73 ("x86/xen: Delay get_cpu_cap until stack canary is established") Reported-by: Olaf Hering Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/12a866b0-9e89-59f7-ebeb-a2a6cec0987a@suse.com Signed-off-by: Juergen Gross commit d5c4605e9e1cf8f505df29fe21a091fa3edf2d2a Author: Mike Rapoport Date: Sun May 9 12:11:02 2021 +0300 openrisc: mm/init.c: remove unused memblock_region variable in map_ram() commit 4eff124347191d1548eb4e14e20e77513dcbd0fe upstream. Kernel test robot reports: cppcheck possible warnings: (new ones prefixed by >>, may not real problems) >> arch/openrisc/mm/init.c:125:10: warning: Uninitialized variable: region [uninitvar] region->base, region->base + region->size); ^ Replace usage of memblock_region fields with 'start' and 'end' variables that are initialized in for_each_mem_range() and remove the declaration of region. Fixes: b10d6bca8720 ("arch, drivers: replace for_each_membock() with for_each_mem_range()") Reported-by: kernel test robot Signed-off-by: Mike Rapoport Signed-off-by: Stafford Horne Signed-off-by: Greg Kroah-Hartman commit 585d8425e504c124817c962c4accb433d97c71ac Author: Simon Rettberg Date: Mon Apr 26 16:11:24 2021 +0200 drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 commit 023dfa9602f561952c0e19d74f66614a56d7e57a upstream. When resetting CACHE_MODE registers, don't enable HiZ Raw Stall Optimization on Ivybridge GT1 and Baytrail, as it causes severe glitches when rendering any kind of 3D accelerated content. This optimization is disabled on these platforms by default according to official documentation from 01.org. Fixes: ef99a60ffd9b ("drm/i915/gt: Clear CACHE_MODE prior to clearing residuals") BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/3081 BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/3404 BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/3071 Reviewed-by: Manuel Bentele Signed-off-by: Simon Rettberg Reviewed-by: Dave Airlie Signed-off-by: Rodrigo Vivi [Rodrigo removed invalid Fixes line] Link: https://patchwork.freedesktop.org/patch/msgid/20210426161124.2b7fd708@dellnichtsogutkiste (cherry picked from commit 929b734ad34b717d6a1b8de97f53bb5616040147) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit eb46907f99d633834c02d8225ad4ab31ef0b85f6 Author: Tetsuo Handa Date: Sat May 15 03:00:37 2021 +0000 tty: vt: always invoke vc->vc_sw->con_resize callback commit ffb324e6f874121f7dce5bdae5e05d02baae7269 upstream. syzbot is reporting OOB write at vga16fb_imageblit() [1], for resize_screen() from ioctl(VT_RESIZE) returns 0 without checking whether requested rows/columns fit the amount of memory reserved for the graphical screen if current mode is KD_GRAPHICS. ---------- #include #include #include #include #include #include int main(int argc, char *argv[]) { const int fd = open("/dev/char/4:1", O_RDWR); struct vt_sizes vt = { 0x4100, 2 }; ioctl(fd, KDSETMODE, KD_GRAPHICS); ioctl(fd, VT_RESIZE, &vt); ioctl(fd, KDSETMODE, KD_TEXT); return 0; } ---------- Allow framebuffer drivers to return -EINVAL, by moving vc->vc_mode != KD_GRAPHICS check from resize_screen() to fbcon_resize(). Link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3 [1] Reported-by: syzbot Suggested-by: Linus Torvalds Signed-off-by: Tetsuo Handa Tested-by: syzbot Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a14ca25d4f2310f4b95b8f095135a69fdefb8261 Author: Maciej W. Rozycki Date: Thu May 13 11:51:50 2021 +0200 vt: Fix character height handling with VT_RESIZEX commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream. Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter which is the number of pixel rows per character (cell) rather than the height of the font used. For framebuffer devices the two values are always the same, because the former is inferred from the latter one. For VGA used as a true text mode device these two parameters are independent from each other: the number of pixel rows per character is set in the CRT controller, while font height is in fact hardwired to 32 pixel rows and fonts of heights below that value are handled by padding their data with blanks when loaded to hardware for use by the character generator. One can change the setting in the CRT controller and it will update the screen contents accordingly regardless of the font loaded. The `v_clin' parameter is used by the `vgacon' driver to set the height of the character cell and then the cursor position within. Make the parameter explicit then, by defining a new `vc_cell_height' struct member of `vc_data', set it instead of `vc_font.height' from `v_clin' in the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver except where actual font data is accessed which as noted above is independent from the CRTC setting. This way the framebuffer console driver is free to ignore the `v_clin' parameter as irrelevant, as it always should have, avoiding any issues attempts to give the parameter a meaning there could have caused, such as one that has led to commit 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE"): "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than actual font height calculated by con_font_set() from ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates minimal amount of memory based on actual font height calculated by con_font_set(), use of vt_resizex() can cause UAF/OOB read for font data." The problem first appeared around Linux 2.5.66 which predates our repo history, but the origin could be identified with the old MIPS/Linux repo also at: as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX code in `vt_ioctl' was updated as follows: if (clin) - video_font_height = clin; + vc->vc_font.height = clin; making the parameter apply to framebuffer devices as well, perhaps due to the use of "font" in the name of the original `video_font_height' variable. Use "cell" in the new struct member then to avoid ambiguity. References: [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 Signed-off-by: Maciej W. Rozycki Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org # v2.6.12+ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8026eb8242bcc3fa54a068050a6dbb5769226122 Author: Maciej W. Rozycki Date: Thu May 13 11:51:45 2021 +0200 vt_ioctl: Revert VT_RESIZEX parameter handling removal commit a90c275eb144c1b755f04769e1f29d832d6daeaf upstream. Revert the removal of code handling extra VT_RESIZEX ioctl's parameters beyond those that VT_RESIZE supports, fixing a functional regression causing `svgatextmode' not to resize the VT anymore. As a consequence of the reverted change when the video adapter is reprogrammed from the original say 80x25 text mode using a 9x16 character cell (720x400 pixel resolution) to say 80x37 text mode and the same character cell (720x592 pixel resolution), the VT geometry does not get updated and only upper two thirds of the screen are used for the VT, and the lower part remains blank. The proportions change according to text mode geometries chosen. Revert the change verbatim then, bringing back previous VT resizing. Signed-off-by: Maciej W. Rozycki Fixes: 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE") Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a3de46844f343d884efa42b505d8350143447d77 Author: Maciej W. Rozycki Date: Thu May 13 11:51:41 2021 +0200 vgacon: Record video mode changes with VT_RESIZEX commit d4d0ad57b3865795c4cde2fb5094c594c2e8f469 upstream. Fix an issue with VGA console font size changes made after the initial video text mode has been changed with a user tool like `svgatextmode' calling the VT_RESIZEX ioctl. As it stands in that case the original screen geometry continues being used to validate further VT resizing. Consequently when the video adapter is firstly reprogrammed from the original say 80x25 text mode using a 9x16 character cell (720x400 pixel resolution) to say 80x37 text mode and the same character cell (720x592 pixel resolution), and secondly the CRTC character cell updated to 9x8 (by loading a suitable font with the KD_FONT_OP_SET request of the KDFONTOP ioctl), the VT geometry does not get further updated from 80x37 and only upper half of the screen is used for the VT, with the lower half showing rubbish corresponding to whatever happens to be there in the video memory that maps to that part of the screen. Of course the proportions change according to text mode geometries and font sizes chosen. Address the problem then, by updating the text mode geometry defaults rather than checking against them whenever the VT is resized via a user ioctl. Signed-off-by: Maciej W. Rozycki Fixes: e400b6ec4ede ("vt/vgacon: Check if screen resize request comes from userspace") Cc: stable@vger.kernel.org # v2.6.24+ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8e0d302e7e518cf6260db991aaee17da65fb25cf Author: Igor Matheus Andrade Torrente Date: Mon May 3 13:57:06 2021 +0200 video: hgafb: fix potential NULL pointer dereference commit dc13cac4862cc68ec74348a80b6942532b7735fa upstream. The return of ioremap if not checked, and can lead to a NULL to be assigned to hga_vram. Potentially leading to a NULL pointer dereference. The fix adds code to deal with this case in the error label and changes how the hgafb_probe handles the return of hga_card_detect. Cc: Ferenc Bakonyi Cc: Bartlomiej Zolnierkiewicz Cc: stable Signed-off-by: Igor Matheus Andrade Torrente Link: https://lore.kernel.org/r/20210503115736.2104747-40-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 98404acf0a20ca7dcbc4500d3e8d6edebd55024a Author: Tom Seewald Date: Mon May 3 13:56:52 2021 +0200 qlcnic: Add null check after calling netdev_alloc_skb commit 84460f01cba382553199bc1361f69a872d5abed4 upstream. The function qlcnic_dl_lb_test() currently calls netdev_alloc_skb() without checking afterwards that the allocation succeeded. Fix this by checking if the skb is NULL and returning an error in such a case. Breaking out of the loop if the skb is NULL is not correct as no error would be reported to the caller and no message would be printed for the user. Cc: David S. Miller Cc: stable Signed-off-by: Tom Seewald Link: https://lore.kernel.org/r/20210503115736.2104747-26-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 865ec95a77f7ff3480c9a0ab1da3336c943e5846 Author: Phillip Potter Date: Mon May 3 13:56:36 2021 +0200 leds: lp5523: check return value of lp5xx_read and jump to cleanup code commit 6647f7a06eb030a2384ec71f0bb2e78854afabfe upstream. Check return value of lp5xx_read and if non-zero, jump to code at end of the function, causing lp5523_stop_all_engines to be executed before returning the error value up the call chain. This fixes the original commit (248b57015f35) which was reverted due to the University of Minnesota problems. Cc: stable Acked-by: Jacek Anaszewski Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20210503115736.2104747-10-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 33a9ff900b9b03997aabf0dba887b11f93c2f47c Author: Darrick J. Wong Date: Wed Apr 28 15:25:34 2021 -0700 ics932s401: fix broken handling of errors when word reading fails commit a73b6a3b4109ce2ed01dbc51a6c1551a6431b53c upstream. In commit b05ae01fdb89, someone tried to make the driver handle i2c read errors by simply zeroing out the register contents, but for some reason left unaltered the code that sets the cached register value the function call return value. The original patch was authored by a member of the Underhanded Mangle-happy Nerds, I'm not terribly surprised. I don't have the hardware anymore so I can't test this, but it seems like a pretty obvious API usage fix to me... Fixes: b05ae01fdb89 ("misc/ics932s401: Add a missing check to i2c_smbus_read_word_data") Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/20210428222534.GJ3122264@magnolia Cc: stable Signed-off-by: Greg Kroah-Hartman commit e81f94a71b0070b1cdc65b619892fa53220853b8 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:40 2021 +0200 net: rtlwifi: properly check for alloc_workqueue() failure commit 30b0e0ee9d02b97b68705c46b41444786effc40c upstream. If alloc_workqueue() fails, properly catch this and propagate the error to the calling functions, so that the devuce initialization will properly error out. Cc: Kalle Valo Cc: Bryan Brattlof Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-14-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit f9f59f4ca2d83e314b8e7ad89f76457db88cb581 Author: Phillip Potter Date: Mon May 3 13:56:58 2021 +0200 scsi: ufs: handle cleanup correctly on devm_reset_control_get error commit 2f4a784f40f8d337d6590e2e93f46429052e15ac upstream. Move ufshcd_set_variant call in ufs_hisi_init_common to common error section at end of the function, and then jump to this from the error checking statements for both devm_reset_control_get and ufs_hisi_get_resource. This fixes the original commit (63a06181d7ce) which was reverted due to the University of Minnesota problems. Suggested-by: Greg Kroah-Hartman Cc: Avri Altman Cc: Martin K. Petersen Cc: stable Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20210503115736.2104747-32-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 0eb496c3c103b2dcb830aa245b69cd27f4fc70b9 Author: Anirudh Rayabharam Date: Mon May 3 13:56:48 2021 +0200 net: stmicro: handle clk_prepare() failure during init commit 0c32a96d000f260b5ebfabb4145a86ae1cd71847 upstream. In case clk_prepare() fails, capture and propagate the error code up the stack. If regulator_enable() was called earlier, properly unwind it by calling regulator_disable(). Signed-off-by: Anirudh Rayabharam Cc: David S. Miller Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-22-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit c89c9a291149468b42292718047e5e891a517b97 Author: Du Cheng Date: Mon May 3 13:56:50 2021 +0200 ethernet: sun: niu: fix missing checks of niu_pci_eeprom_read() commit e6e337708c22f80824b82d4af645f20715730ad0 upstream. niu_pci_eeprom_read() may fail, so add checks to its return value and propagate the error up the callstack. An examination of the callstack up to niu_pci_eeprom_read shows that: niu_pci_eeprom_read() // returns int niu_pci_vpd_scan_props() // returns int niu_pci_vpd_fetch() // returns *void* niu_get_invariants() // returns int since niu_pci_vpd_fetch() returns void which breaks the bubbling up, change its return type to int so that error is propagated upwards. Signed-off-by: Du Cheng Cc: Shannon Nelson Cc: David S. Miller Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-24-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 17e22164d6c52b8c46bbf9195a6413f8d52d8a8b Author: Greg Kroah-Hartman Date: Mon May 3 13:56:49 2021 +0200 Revert "niu: fix missing checks of niu_pci_eeprom_read" commit 7930742d6a0ff091c85b92ef4e076432d8d8cb79 upstream. This reverts commit 26fd962bde0b15e54234fe762d86bc0349df1de4. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The change here was incorrect. While it is nice to check if niu_pci_eeprom_read() succeeded or not when using the data, any error that might have happened was not propagated upwards properly, causing the kernel to assume that these reads were successful, which results in invalid data in the buffer that was to contain the successfully read data. Cc: Kangjie Lu Cc: Shannon Nelson Cc: David S. Miller Fixes: 26fd962bde0b ("niu: fix missing checks of niu_pci_eeprom_read") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-23-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit c794f7851c5d9c578e9020a3c6c166a1c340704f Author: Greg Kroah-Hartman Date: Mon May 3 13:56:51 2021 +0200 Revert "qlcnic: Avoid potential NULL pointer dereference" commit b95b57dfe7a142bf2446548eb7f49340fd73e78b upstream. This reverts commit 5bf7295fe34a5251b1d241b9736af4697b590670. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. This commit does not properly detect if an error happens because the logic after this loop will not detect that there was a failed allocation. Cc: Aditya Pakki Cc: David S. Miller Fixes: 5bf7295fe34a ("qlcnic: Avoid potential NULL pointer dereference") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-25-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 5e4fd74089b1b1dae146016b031e483970c88642 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:39 2021 +0200 Revert "rtlwifi: fix a potential NULL pointer dereference" commit 68c5634c4a7278672a3bed00eb5646884257c413 upstream. This reverts commit 765976285a8c8db3f0eb7f033829a899d0c2786e. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. This commit is not correct, it should not have used unlikely() and is not propagating the error properly to the calling function, so it should be reverted at this point in time. Also, if the check failed, the work queue was still assumed to be allocated, so further accesses would have continued to fail, meaning this patch does nothing to solve the root issues at all. Cc: Kangjie Lu Cc: Kalle Valo Cc: Bryan Brattlof Fixes: 765976285a8c ("rtlwifi: fix a potential NULL pointer dereference") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-13-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 951ed241e228fbf38bf67079c5e0124b1397424e Author: Greg Kroah-Hartman Date: Mon May 3 13:56:30 2021 +0200 Revert "media: rcar_drif: fix a memory disclosure" commit 3e465fc3846734e9489273d889f19cc17b4cf4bd upstream. This reverts commit d39083234c60519724c6ed59509a2129fd2aed41. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, it was determined that this commit is not needed at all as the media core already prevents memory disclosure on this codepath, so just drop the extra memset happening here. Cc: Kangjie Lu Cc: Geert Uytterhoeven Cc: Hans Verkuil Cc: Mauro Carvalho Chehab Fixes: d39083234c60 ("media: rcar_drif: fix a memory disclosure") Cc: stable Reviewed-by: Mauro Carvalho Chehab Reviewed-by: Fabrizio Castro Link: https://lore.kernel.org/r/20210503115736.2104747-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 566086409511904a4ac6796e2cbf0f8729157aaf Author: Greg Kroah-Hartman Date: Thu May 6 16:00:47 2021 +0200 cdrom: gdrom: initialize global variable at init time commit 9183f01b5e6e32eb3f17b5f3f8d5ad5ac9786c49 upstream. As Peter points out, if we were to disconnect and then reconnect this driver from a device, the "global" state of the device would contain odd values and could cause problems. Fix this up by just initializing the whole thing to 0 at probe() time. Ideally this would be a per-device variable, but given the age and the total lack of users of it, that would require a lot of s/./->/g changes for really no good reason. Reported-by: Peter Rosin Cc: Jens Axboe Reviewed-by: Peter Rosin Link: https://lore.kernel.org/r/YJP2j6AU82MqEY2M@kroah.com Signed-off-by: Greg Kroah-Hartman commit 9285808072d4aeabdf710187acae5e09e71157e4 Author: Atul Gopinathan Date: Mon May 3 13:56:54 2021 +0200 cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom commit d03d1021da6fe7f46efe9f2a7335564e7c9db5ab upstream. The fields, "toc" and "cd_info", of "struct gdrom_unit gd" are allocated in "probe_gdrom()". Prevent a memory leak by making sure "gd.cd_info" is deallocated in the "remove_gdrom()" function. Also prevent double free of the field "gd.toc" by moving it from the module's exit function to "remove_gdrom()". This is because, in "probe_gdrom()", the function makes sure to deallocate "gd.toc" in case of any errors, so the exit function invoked later would again free "gd.toc". The patch also maintains consistency by deallocating the above mentioned fields in "remove_gdrom()" along with another memory allocated field "gd.disk". Suggested-by: Jens Axboe Cc: Peter Rosin Cc: stable Signed-off-by: Atul Gopinathan Link: https://lore.kernel.org/r/20210503115736.2104747-28-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 3d2a4fb91122e1a728ef9af16af6c37dbd36c997 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:53 2021 +0200 Revert "gdrom: fix a memory leak bug" commit 257343d3ed557f11d580d0b7c515dc154f64a42b upstream. This reverts commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix. Until that work is complete, remove this change to ensure that no problems are being introduced into the codebase. Cc: Wenwen Wang Cc: Peter Rosin Cc: Jens Axboe Fixes: 093c48213ee3 ("gdrom: fix a memory leak bug") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-27-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 64ae556541a39d9f5548bc933e8d579f02b1ebed Author: Greg Kroah-Hartman Date: Mon May 3 13:56:57 2021 +0200 Revert "scsi: ufs: fix a missing check of devm_reset_control_get" commit 4d427b408c4c2ff1676966c72119a3a559f8e39b upstream. This reverts commit 63a06181d7ce169d09843645c50fea1901bc9f0a. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit is incorrect, it does not properly clean up on the error path, so I'll keep the revert and fix it up properly with a follow-on patch. Cc: Kangjie Lu Cc: Avri Altman Cc: Martin K. Petersen Fixes: 63a06181d7ce ("scsi: ufs: fix a missing check of devm_reset_control_get") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-31-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 61b9bc3091a5532ac526e89140a2cf418885fb87 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:15 2021 +0200 Revert "ecryptfs: replace BUG_ON with error handling code" commit e1436df2f2550bc89d832ffd456373fdf5d5b5d7 upstream. This reverts commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit log for this change was incorrect, no "error handling code" was added, things will blow up just as badly as before if any of these cases ever were true. As this BUG_ON() never fired, and most of these checks are "obviously" never going to be true, let's just revert to the original code for now until this gets unwound to be done correctly in the future. Cc: Aditya Pakki Fixes: 2c2a7552dd64 ("ecryptfs: replace BUG_ON with error handling code") Cc: stable Acked-by: Tyler Hicks Link: https://lore.kernel.org/r/20210503115736.2104747-49-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 6003d373bf2f15cb8b8bb59c27cf014ff5239b4c Author: Greg Kroah-Hartman Date: Mon May 3 13:57:33 2021 +0200 Revert "video: imsttfb: fix potential NULL pointer dereferences" commit ed04fe8a0e87d7b5ea17d47f4ac9ec962b24814a upstream. This reverts commit 1d84353d205a953e2381044953b7fa31c8c9702d. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit here, while technically correct, did not fully handle all of the reported issues that the commit stated it was fixing, so revert it until it can be "fixed" fully. Note, ioremap() probably will never fail for old hardware like this, and if anyone actually used this hardware (a PowerMac era PCI display card), they would not be using fbdev anymore. Cc: Kangjie Lu Cc: Aditya Pakki Cc: Finn Thain Cc: Bartlomiej Zolnierkiewicz Reviewed-by: Rob Herring Fixes: 1d84353d205a ("video: imsttfb: fix potential NULL pointer dereferences") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-67-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 4baaa4946d72069a21ee7c088f37340b97e6588e Author: Greg Kroah-Hartman Date: Mon May 3 13:56:31 2021 +0200 Revert "hwmon: (lm80) fix a missing check of bus read in lm80 probe" commit 99ae3417672a6d4a3bf68d4fc43d7c6ca074d477 upstream. This reverts commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, it was determined that this commit is not needed at all so just revert it. Also, the call to lm80_init_client() was not properly handled, so if error handling is needed in the lm80_probe() function, then it should be done properly, not half-baked like the commit being reverted here did. Cc: Kangjie Lu Fixes: 9aa3aa15f4c2 ("hwmon: (lm80) fix a missing check of bus read in lm80 probe") Cc: stable Acked-by: Guenter Roeck Link: https://lore.kernel.org/r/20210503115736.2104747-5-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 03c5d02c38d4dcfebc191e5cf5b24f095c50c5df Author: Greg Kroah-Hartman Date: Mon May 3 13:56:35 2021 +0200 Revert "leds: lp5523: fix a missing check of return value of lp55xx_read" commit 8d1beda5f11953ffe135a5213287f0b25b4da41b upstream. This reverts commit 248b57015f35c94d4eae2fdd8c6febf5cd703900. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit does not properly unwind if there is an error condition so it needs to be reverted at this point in time. Cc: Kangjie Lu Cc: Jacek Anaszewski Cc: stable Fixes: 248b57015f35 ("leds: lp5523: fix a missing check of return value of lp55xx_read") Link: https://lore.kernel.org/r/20210503115736.2104747-9-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 059031afcdc1c8e32a327dd31d3f5b0cfbcdc074 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:47 2021 +0200 Revert "net: stmicro: fix a missing check of clk_prepare" commit bee1b0511844c8c79fccf1f2b13472393b6b91f7 upstream. This reverts commit f86a3b83833e7cfe558ca4d70b64ebc48903efec. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit causes a memory leak when it is trying to claim it is properly handling errors. Revert this change and fix it up properly in a follow-on commit. Cc: Kangjie Lu Cc: David S. Miller Fixes: f86a3b83833e ("net: stmicro: fix a missing check of clk_prepare") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-21-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit d88f05cecefda12f33a47af80a8944d8972f84f5 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:05 2021 +0200 Revert "video: hgafb: fix potential NULL pointer dereference" commit 58c0cc2d90f1e37c4eb63ae7f164c83830833f78 upstream. This reverts commit ec7f6aad57ad29e4e66cc2e18e1e1599ddb02542. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. This patch "looks" correct, but the driver keeps on running and will fail horribly right afterward if this error condition ever trips. So points for trying to resolve an issue, but a huge NEGATIVE value for providing a "fake" fix for the problem as nothing actually got resolved at all. I'll go fix this up properly... Cc: Kangjie Lu Cc: Aditya Pakki Cc: Ferenc Bakonyi Cc: Bartlomiej Zolnierkiewicz Fixes: ec7f6aad57ad ("video: hgafb: fix potential NULL pointer dereference") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-39-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit fae4f4debf2b5770bc1ac3a5ef7a5d106d922064 Author: Arnd Bergmann Date: Fri May 14 16:00:08 2021 +0200 kcsan: Fix debugfs initcall return type commit 976aac5f882989e4f6c1b3a7224819bf0e801c6a upstream. clang with CONFIG_LTO_CLANG points out that an initcall function should return an 'int' due to the changes made to the initcall macros in commit 3578ad11f3fb ("init: lto: fix PREL32 relocations"): kernel/kcsan/debugfs.c:274:15: error: returning 'void' from a function with incompatible result type 'int' late_initcall(kcsan_debugfs_init); ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~ include/linux/init.h:292:46: note: expanded from macro 'late_initcall' #define late_initcall(fn) __define_initcall(fn, 7) Fixes: e36299efe7d7 ("kcsan, debugfs: Move debugfs file creation out of early init") Cc: stable Reviewed-by: Greg Kroah-Hartman Reviewed-by: Marco Elver Reviewed-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Signed-off-by: Arnd Bergmann Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 2a61f0ccb756f966f7d04aa149635c843f821ad3 Author: Mikulas Patocka Date: Mon May 10 14:49:05 2021 -0400 dm snapshot: fix crash with transient storage and zero chunk size commit c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 upstream. The following commands will crash the kernel: modprobe brd rd_size=1048576 dmsetup create o --table "0 `blockdev --getsize /dev/ram0` snapshot-origin /dev/ram0" dmsetup create s --table "0 `blockdev --getsize /dev/ram0` snapshot /dev/ram0 /dev/ram1 N 0" The reason is that when we test for zero chunk size, we jump to the label bad_read_metadata without setting the "r" variable. The function snapshot_ctr destroys all the structures and then exits with "r == 0". The kernel then crashes because it falsely believes that snapshot_ctr succeeded. In order to fix the bug, we set the variable "r" to -EINVAL. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 4528c0c323085e645b8765913b4a7fd42cf49b65 Author: Varad Gautam Date: Sat May 22 17:41:49 2021 -0700 ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry commit a11ddb37bf367e6b5239b95ca759e5389bb46048 upstream. do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash: RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343 The race occurs as: 1. do_mq_timedreceive calls wq_sleep with the address of `struct ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it holds a valid `struct ext_wait_queue *` as long as the stack has not been overwritten. 2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op. 3. Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (`this` is `ewq_addr`.) 4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see `state == STATE_READY` and break. 5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.) 6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a `struct ext_wait_queue *`, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash. do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack. As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way. Link: https://lkml.kernel.org/r/20210510102950.12551-1-varad.gautam@suse.com Fixes: c5b2cbdbdac563 ("ipc/mqueue.c: update/document memory barriers") Fixes: 8116b54e7e23ef ("ipc/sem.c: document and update memory barriers") Fixes: 0d97a82ba830d8 ("ipc/msg.c: update and document memory barriers") Signed-off-by: Varad Gautam Reported-by: Matthias von Faber Acked-by: Davidlohr Bueso Acked-by: Manfred Spraul Cc: Christian Brauner Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 63a5b384477006602d671b8b1fe68084a875e002 Author: Jan Beulich Date: Tue May 18 18:14:07 2021 +0200 xen-pciback: reconfigure also from backend watch handler commit c81d3d24602540f65256f98831d0a25599ea6b87 upstream. When multiple PCI devices get assigned to a guest right at boot, libxl incrementally populates the backend tree. The writes for the first of the devices trigger the backend watch. In turn xen_pcibk_setup_backend() will set the XenBus state to Initialised, at which point no further reconfigures would happen unless a device got hotplugged. Arrange for reconfigure to also get triggered from the backend watch handler. Signed-off-by: Jan Beulich Cc: stable@vger.kernel.org Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/2337cbd6-94b9-4187-9862-c03ea12e0c61@suse.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit c196031f4fd9a866b7ce9e8da0efd3fa16dd6734 Author: Jan Beulich Date: Tue May 18 18:13:42 2021 +0200 xen-pciback: redo VF placement in the virtual topology commit 4ba50e7c423c29639878c00573288869aa627068 upstream. The commit referenced below was incomplete: It merely affected what would get written to the vdev- xenstore node. The guest would still find the function at the original function number as long as __xen_pcibk_get_pci_dev() wouldn't be in sync. The same goes for AER wrt __xen_pcibk_get_pcifront_dev(). Undo overriding the function to zero and instead make sure that VFs at function zero remain alone in their slot. This has the added benefit of improving overall capacity, considering that there's only a total of 32 slots available right now (PCI segment and bus can both only ever be zero at present). Fixes: 8a5248fe10b1 ("xen PV passthru: assign SR-IOV virtual functions to separate virtual slots") Signed-off-by: Jan Beulich Cc: stable@vger.kernel.org Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/8def783b-404c-3452-196d-3f3fd4d72c9e@suse.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit d047ec8730b2c56037989b29a461dcd5387c400f Author: Daniel Beer Date: Sat Apr 24 20:16:52 2021 +1200 mmc: sdhci-pci-gli: increase 1.8V regulator wait commit a1149a6c06ee094a6e62886b0c0e8e66967a728a upstream. Inserting an SD-card on an Intel NUC10i3FNK4 (which contains a GL9755) results in the message: mmc0: 1.8V regulator output did not become stable Following this message, some cards work (sometimes), but most cards fail with EILSEQ. This behaviour is observed on Debian 10 running kernel 4.19.188, but also with 5.8.18 and 5.11.15. The driver currently waits 5ms after switching on the 1.8V regulator for it to become stable. Increasing this to 10ms gets rid of the warning about stability, but most cards still fail. Increasing it to 20ms gets some cards working (a 32GB Samsung micro SD works, a 128GB ADATA doesn't). At 50ms, the ADATA works most of the time, and at 100ms both cards work reliably. Signed-off-by: Daniel Beer Acked-by: Ben Chuang Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210424081652.GA16047@nyquist.nev Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 343208ffe92fc662104e08e9f5760c59d11554fd Author: Nicholas Piggin Date: Thu May 20 21:19:31 2021 +1000 powerpc/64s/syscall: Fix ptrace syscall info with scv syscalls commit d72500f992849d31ebae8f821a023660ddd0dcc2 upstream. The scv implementation missed updating syscall return value and error value get/set functions to deal with the changed register ABI. This broke ptrace PTRACE_GET_SYSCALL_INFO as well as some kernel auditing and tracing functions. Fix. tools/testing/selftests/ptrace/get_syscall_info now passes when scv is used. Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions") Cc: stable@vger.kernel.org # v5.9+ Reported-by: "Dmitry V. Levin" Signed-off-by: Nicholas Piggin Reviewed-by: Dmitry V. Levin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210520111931.2597127-2-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 105345b909d8cf1ce4a8a648bee75eef099bc0c9 Author: Nicholas Piggin Date: Thu May 20 21:19:30 2021 +1000 powerpc/64s/syscall: Use pt_regs.trap to distinguish syscall ABI difference between sc and scv syscalls commit 5665bc35c1ed917ac8fd06cb651317bb47a65b10 upstream. The sc and scv 0 system calls have different ABI conventions, and ptracers need to know which system call type is being used if they want to look at the syscall registers. Document that pt_regs.trap can be used for this, and fix one in-tree user to work with scv 0 syscalls. Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions") Cc: stable@vger.kernel.org # v5.9+ Reported-by: "Dmitry V. Levin" Suggested-by: "Dmitry V. Levin" Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210520111931.2597127-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 3708b7a9c28c296bf909e713dc64ba10888ff92d Author: Guchun Chen Date: Mon May 17 16:38:00 2021 +0800 drm/amdgpu: update sdma golden setting for Navi12 commit 77194d8642dd4cb7ea8ced77bfaea55610574c38 upstream. Current golden setting is out of date. Signed-off-by: Guchun Chen Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit e32cb1057faa4566319b32c9da487e2bc786e95f Author: Guchun Chen Date: Mon May 17 16:35:40 2021 +0800 drm/amdgpu: update gc golden setting for Navi12 commit 99c45ba5799d6b938bd9bd20edfeb6f3e3e039b9 upstream. Current golden setting is out of date. Signed-off-by: Guchun Chen Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 0c47929fd836da046e9d704d97ddd1f37230fd36 Author: Changfeng Date: Fri May 14 15:28:25 2021 +0800 drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang commit dbd1003d1252db5973dddf20b24bb0106ac52aa2 upstream. There is problem with 3DCGCG firmware and it will cause compute test hang on picasso/raven1. It needs to disable 3DCGCG in driver to avoid compute hang. Signed-off-by: Changfeng Reviewed-by: Alex Deucher Reviewed-by: Huang Rui Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 93ba55c14d70b47361d429769383cdd1e2ba9379 Author: Yi Li Date: Fri May 14 14:40:39 2021 +0800 drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE commit d53751568359e5b3ffb859b13cbd79dc77a571f1 upstream. When PAGE_SIZE is larger than AMDGPU_PAGE_SIZE, the number of GPU TLB entries which need to update in amdgpu_map_buffer() should be multiplied by AMDGPU_GPU_PAGES_IN_CPU_PAGE (PAGE_SIZE / AMDGPU_PAGE_SIZE). Reviewed-by: Christian König Signed-off-by: Yi Li Signed-off-by: Huacai Chen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 367c90f2bc1be8932ba2afdc5ce3209417fcdd46 Author: Joerg Roedel Date: Wed May 19 15:52:45 2021 +0200 x86/sev-es: Forward page-faults which happen during emulation commit c25bbdb564060adaad5c3a8a10765c13487ba6a3 upstream. When emulating guest instructions for MMIO or IOIO accesses, the #VC handler might get a page-fault and will not be able to complete. Forward the page-fault in this case to the correct handler instead of killing the machine. Fixes: 0786138c78e7 ("x86/sev-es: Add a Runtime #VC Exception Handler") Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org # v5.10+ Link: https://lkml.kernel.org/r/20210519135251.30093-3-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit 5af89eeb7414609be69626df0b80e9699ce3af13 Author: Joerg Roedel Date: Wed May 19 15:52:46 2021 +0200 x86/sev-es: Use __put_user()/__get_user() for data accesses commit 4954f5b8ef0baf70fe978d1a99a5f70e4dd5c877 upstream. The put_user() and get_user() functions do checks on the address which is passed to them. They check whether the address is actually a user-space address and whether its fine to access it. They also call might_fault() to indicate that they could fault and possibly sleep. All of these checks are neither wanted nor needed in the #VC exception handler, which can be invoked from almost any context and also for MMIO instructions from kernel space on kernel memory. All the #VC handler wants to know is whether a fault happened when the access was tried. This is provided by __put_user()/__get_user(), which just do the access no matter what. Also add comments explaining why __get_user() and __put_user() are the best choice here and why it is safe to use them in this context. Also explain why copy_to/from_user can't be used. In addition, also revert commit 7024f60d6552 ("x86/sev-es: Handle string port IO to kernel memory properly") because using __get_user()/__put_user() fixes the same problem while the above commit introduced several problems: 1) It uses access_ok() which is only allowed in task context. 2) It uses memcpy() which has no fault handling at all and is thus unsafe to use here. [ bp: Fix up commit ID of the reverted commit above. ] Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image") Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org # v5.10+ Link: https://lkml.kernel.org/r/20210519135251.30093-4-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit be4cba71b2d068f783ede32775212ef4da3238c4 Author: Joerg Roedel Date: Wed May 19 15:52:44 2021 +0200 x86/sev-es: Don't return NULL from sev_es_get_ghcb() commit b250f2f7792d15bcde98e0456781e2835556d5fa upstream. sev_es_get_ghcb() is called from several places but only one of them checks the return value. The reaction to returning NULL is always the same: calling panic() and kill the machine. Instead of adding checks to all call sites, move the panic() into the function itself so that it will no longer return NULL. Fixes: 0786138c78e7 ("x86/sev-es: Add a Runtime #VC Exception Handler") Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org # v5.10+ Link: https://lkml.kernel.org/r/20210519135251.30093-2-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit e7174da8c45ba180c04b76fa675c89de1c658b08 Author: Tom Lendacky Date: Mon May 17 12:42:33 2021 -0500 x86/sev-es: Invalidate the GHCB after completing VMGEXIT commit a50c5bebc99c525e7fbc059988c6a5ab8680cb76 upstream. Since the VMGEXIT instruction can be issued from userspace, invalidate the GHCB after performing VMGEXIT processing in the kernel. Invalidation is only required after userspace is available, so call vc_ghcb_invalidate() from sev_es_put_ghcb(). Update vc_ghcb_invalidate() to additionally clear the GHCB exit code so that it is always presented as 0 when VMGEXIT has been issued by anything else besides the kernel. Fixes: 0786138c78e79 ("x86/sev-es: Add a Runtime #VC Exception Handler") Signed-off-by: Tom Lendacky Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/5a8130462e4f0057ee1184509cd056eedd78742b.1621273353.git.thomas.lendacky@amd.com Signed-off-by: Greg Kroah-Hartman commit 193e02196fad992568b980f28b03e1f4807019eb Author: Tom Lendacky Date: Mon May 17 12:42:32 2021 -0500 x86/sev-es: Move sev_es_put_ghcb() in prep for follow on patch commit fea63d54f7a3e74f8ab489a8b82413a29849a594 upstream. Move the location of sev_es_put_ghcb() in preparation for an update to it in a follow-on patch. This will better highlight the changes being made to the function. No functional change. Fixes: 0786138c78e79 ("x86/sev-es: Add a Runtime #VC Exception Handler") Signed-off-by: Tom Lendacky Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/8c07662ec17d3d82e5c53841a1d9e766d3bdbab6.1621273353.git.thomas.lendacky@amd.com Signed-off-by: Greg Kroah-Hartman commit 9b942cb2d92e625f262027ebc091a627a9424823 Author: Sagi Grimberg Date: Mon May 17 14:07:45 2021 -0700 nvme-tcp: fix possible use-after-completion commit 825619b09ad351894d2c6fb6705f5b3711d145c7 upstream. Commit db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context") added a second context that may perform a network send. This means that now RX and TX are not serialized in nvme_tcp_io_work and can run concurrently. While there is correct mutual exclusion in the TX path (where the send_mutex protect the queue socket send activity) RX activity, and more specifically request completion may run concurrently. This means we must guarantee that any mutation of the request state related to its lifetime, bytes sent must not be accessed when a completion may have possibly arrived back (and processed). The race may trigger when a request completion arrives, processed _and_ reused as a fresh new request, exactly in the (relatively short) window between the last data payload sent and before the request iov_iter is advanced. Consider the following race: 1. 16K write request is queued 2. The nvme command and the data is sent to the controller (in-capsule or solicited by r2t) 3. After the last payload is sent but before the req.iter is advanced, the controller sends back a completion. 4. The completion is processed, the request is completed, and reused to transfer a new request (write or read) 5. The new request is queued, and the driver reset the request parameters (nvme_tcp_setup_cmd_pdu). 6. Now context in (2) resumes execution and advances the req.iter ==> use-after-completion as this is already a new request. Fix this by making sure the request is not advanced after the last data payload send, knowing that a completion may have arrived already. An alternative solution would have been to delay the request completion or state change waiting for reference counting on the TX path, but besides adding atomic operations to the hot-path, it may present challenges in multi-stage R2T scenarios where a r2t handler needs to be deferred to an async execution. Reported-by: Narayan Ayalasomayajula Tested-by: Anil Mishra Reviewed-by: Keith Busch Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit e4be6846532204028de5108e286e35e399f8167f Author: Greg Kroah-Hartman Date: Mon May 3 13:56:32 2021 +0200 Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference" commit 754f39158441f4c0d7a8255209dd9a939f08ce80 upstream. This reverts commit 32f47179833b63de72427131169809065db6745e. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be not be needed at all as the change was useless because this function can only be called when of_match_device matched on something. So it should be reverted. Cc: Aditya Pakki Cc: stable Fixes: 32f47179833b ("serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference") Acked-by: Jiri Slaby Link: https://lore.kernel.org/r/20210503115736.2104747-6-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 1ba7a534a9e43e26a501151310e19fd93654c5d6 Author: Anirudh Rayabharam Date: Mon May 3 13:57:12 2021 +0200 rapidio: handle create_workqueue() failure commit 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf upstream. In case create_workqueue() fails, release all resources and return -ENOMEM to caller to avoid potential NULL pointer deref later. Move up the create_workequeue() call to return early and avoid unwinding the call to riocm_rx_fill(). Cc: Alexandre Bounine Cc: Matt Porter Cc: Andrew Morton Cc: Linus Torvalds Cc: stable Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20210503115736.2104747-46-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 961ae8cbe8934f2abb32aa1e762a246f64f971cd Author: Greg Kroah-Hartman Date: Mon May 3 13:57:11 2021 +0200 Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails" commit 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb upstream. This reverts commit 23015b22e47c5409620b1726a677d69e5cd032ba. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit has a memory leak on the error path here, it does not clean up everything properly. Cc: Kangjie Lu Cc: Alexandre Bounine Cc: Matt Porter Cc: Andrew Morton Cc: Linus Torvalds Fixes: 23015b22e47c ("rapidio: fix a NULL pointer dereference when create_workqueue() fails") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-45-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit d84b5e912212b05f6b5bde9f682046accfbe0354 Author: Christophe JAILLET Date: Sun May 9 09:13:03 2021 +0200 uio_hv_generic: Fix a memory leak in error handling paths commit 3ee098f96b8b6c1a98f7f97915f8873164e6af9d upstream. If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be updated and 'hv_uio_cleanup()' in the error handling path will not be able to free the corresponding buffer. In such a case, we need to free the buffer explicitly. Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use") Cc: stable Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/4fdaff557deef6f0475d02ba7922ddbaa1ab08a6.1620544055.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman commit b044f5108e4b563c5b3349b438ae1493d045046d Author: Elia Devito Date: Tue May 11 14:46:49 2021 +0200 ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx commit f2be77fee648ddd6d0d259d3527344ba0120e314 upstream. Fixup to enable all 4 speaker on HP Spectre x360 15-df0xxx and probably on similar models. 0x14 pin config override is required to enable all speakers and alc285-speaker2-to-dac1 fixup to enable volume adjustment. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=189331 Signed-off-by: Elia Devito Cc: Link: https://lore.kernel.org/r/20210511124651.4802-1-eliadevito@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8add3dce391bab24f84d189735fb5c8bbfb479c6 Author: Takashi Iwai Date: Tue May 4 14:18:32 2021 +0200 ALSA: hda/realtek: Add fixup for HP OMEN laptop commit 5d84b5318d860c9d80ca5dfae0e971ede53b4921 upstream. HP OMEN dc0019-ur with codec SSID 103c:84da requires the pin config overrides and the existing mic/mute LED setup. This patch implements those in the fixup table. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212733 Cc: Link: https://lore.kernel.org/r/20210504121832.4558-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 01dbb91d85894e9b9e749e17b3ce1c9c82df956c Author: Takashi Iwai Date: Tue May 4 10:20:57 2021 +0200 ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA commit 8eedd3a70a70f51fa963f3ad7fa97afd0c75bd44 upstream. It was reported that the headphone output on ASUS UX430UA (SSID 1043:1740) with ALC295 codec is silent while the speaker works. After the investigation, it turned out that the DAC assignment has to be fixed on this machine; unlike others, it expects DAC 0x02 to be assigned to the speaker pin 0x07 while DAC 0x03 to headphone pin 0x21. This patch provides a fixup for the fixed DAC/pin mapping for this device. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212933 Cc: Link: https://lore.kernel.org/r/20210504082057.6913-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cfa55927478a3d367c582a83c1c4b80d76a37e41 Author: PeiSen Hou Date: Fri May 14 12:50:48 2021 +0200 ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 commit 1d5cfca286178ce81fb0c8a5f5777ef123cd69e4 upstream. Fix "use as headset mic, without its own jack detect" problen. Signed-off-by: PeiSen Hou Cc: Link: https://lore.kernel.org/r/d0746eaf29f248a5acc30313e3ba4f99@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f693d0e72c4df68b77fb3d0f439dc9ee97332dfa Author: Hui Wang Date: Fri May 7 10:44:52 2021 +0800 ALSA: hda/realtek: reset eapd coeff to default value for alc287 commit 8822702f6e4c8917c83ba79e0ebf2c8c218910d4 upstream. Ubuntu users reported an audio bug on the Lenovo Yoga Slim 7 14IIL05, he installed dual OS (Windows + Linux), if he booted to the Linux from Windows, the Speaker can't work well, it has crackling noise, if he poweroff the machine first after Windows, the Speaker worked well. Before rebooting or shutdown from Windows, the Windows changes the codec eapd coeff value, but the BIOS doesn't re-initialize its value, when booting into the Linux from Windows, the eapd coeff value is not correct. To fix it, set the codec default value to that coeff register in the alsa driver. BugLink: http://bugs.launchpad.net/bugs/1925057 Suggested-by: Kailang Yang Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210507024452.8300-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 78a37c03c65c0853286c63da72288da0703629b3 Author: Takashi Sakamoto Date: Thu May 13 21:56:50 2021 +0900 ALSA: firewire-lib: fix check for the size of isochronous packet payload commit 395f41e2cdac63e7581fb9574e5ac0f02556e34a upstream. The check for size of isochronous packet payload just cares of the size of IR context payload without the size of CIP header. Cc: Fixes: f11453c7cc01 ("ALSA: firewire-lib: use 16 bytes IR context header to separate CIP header") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210513125652.110249-4-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 00e5aa3f2116d82eb9b3f2f9eb06245ece506edb Author: Greg Kroah-Hartman Date: Mon May 3 13:57:01 2021 +0200 Revert "ALSA: sb8: add a check for request_region" commit 94f88309f201821073f57ae6005caefa61bf7b7e upstream. This reverts commit dcd0feac9bab901d5739de51b3f69840851f8919. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit message for this change was incorrect as the code path can never result in a NULL dereference, alluding to the fact that whatever tool was used to "find this" is broken. It's just an optional resource reservation, so removing this check is fine. Cc: Kangjie Lu Acked-by: Takashi Iwai Fixes: dcd0feac9bab ("ALSA: sb8: add a check for request_region") Cc: stable Link: https://lore.kernel.org/r/20210503115736.2104747-35-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 42796eb7c4851fdfa6ef41f8bb5b685403d5a721 Author: Daniel Cordova A Date: Fri May 7 12:31:16 2021 -0500 ALSA: hda: fixup headset for ASUS GU502 laptop commit c1b55029493879f5bd585ff79f326e71f0bc05e3 upstream. The GU502 requires a few steps to make headset i/o works properly: pincfg, verbs to unmute headphone out and callback to toggle output between speakers and headphone using jack. Signed-off-by: Daniel Cordova A Cc: Link: https://lore.kernel.org/r/20210507173116.12043-1-danesc87@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2cc051b6a4823c26a07f73b764d35d2d38423b88 Author: Takashi Sakamoto Date: Thu May 13 21:56:49 2021 +0900 ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro commit 0edabdfe89581669609eaac5f6a8d0ae6fe95e7f upstream. Mackie d.2 has an extension card for IEEE 1394 communication, which uses BridgeCo DM1000 ASIC. On the other hand, Mackie d.4 Pro has built-in function for IEEE 1394 communication by Oxford Semiconductor OXFW971, according to schematic diagram available in Mackie website. Although I misunderstood that Mackie d.2 Pro would be also a model with OXFW971, it's wrong. Mackie d.2 Pro is a model which includes the extension card as factory settings. This commit fixes entries in Kconfig and comment in ALSA OXFW driver. Cc: Fixes: fd6f4b0dc167 ("ALSA: bebob: Add skelton for BeBoB based devices") Fixes: ec4dba5053e1 ("ALSA: oxfw: Add support for Behringer/Mackie devices") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210513125652.110249-3-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e5ffa75afb5bda172508deb47866127b0cf90cbf Author: Takashi Iwai Date: Mon May 10 17:06:59 2021 +0200 ALSA: usb-audio: Validate MS endpoint descriptors commit e84749a78dc82bc545f12ce009e3dbcc2c5a8a91 upstream. snd_usbmidi_get_ms_info() may access beyond the border when a malformed descriptor is passed. This patch adds the sanity checks of the given MS endpoint descriptors, and skips invalid ones. Reported-by: syzbot+6bb23a5d5548b93c94aa@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20210510150659.17710-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ad7f8cced3783704b44f377b658eb858078d48f7 Author: Takashi Sakamoto Date: Thu May 13 21:56:51 2021 +0900 ALSA: firewire-lib: fix calculation for size of IR context payload commit 1be4f21d9984fa9835fae5411a29465dc5aece6f upstream. The quadlets for CIP header is handled as a part of IR context header, thus it doesn't join in IR context payload. However current calculation includes the quadlets in IR context payload. Cc: Fixes: f11453c7cc01 ("ALSA: firewire-lib: use 16 bytes IR context header to separate CIP header") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210513125652.110249-5-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3d063d6ce1d2e2001c3678facf5a691c00305d3b Author: Takashi Sakamoto Date: Thu May 13 21:56:48 2021 +0900 ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 commit 1b6604896e78969baffc1b6cc6bc175f95929ac4 upstream. Alesis iO 26 FireWire has two pairs of digital optical interface. It delivers PCM frames from the interfaces by second isochronous packet streaming. Although both of the interfaces are available at 44.1/48.0 kHz, first one of them is only available at 88.2/96.0 kHz. It reduces the number of PCM samples to 4 in Multi Bit Linear Audio data channel of data blocks on the second isochronous packet streaming. This commit fixes hardcoded stream formats. Cc: Fixes: 28b208f600a3 ("ALSA: dice: add parameters of stream formats for models produced by Alesis") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210513125652.110249-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f42cf1e7b86b4b93179c8891bdb276200bedfa15 Author: Takashi Iwai Date: Tue May 18 10:39:39 2021 +0200 ALSA: line6: Fix racy initialization of LINE6 MIDI commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream. The initialization of MIDI devices that are found on some LINE6 drivers are currently done in a racy way; namely, the MIDI buffer instance is allocated and initialized in each private_init callback while the communication with the interface is already started via line6_init_cap_control() call before that point. This may lead to Oops in line6_data_received() when a spurious event is received, as reported by syzkaller. This patch moves the MIDI initialization to line6_init_cap_control() as well instead of the too-lately-called private_init for avoiding the race. Also this reduces slightly more lines, so it's a win-win change. Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> Cc: Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 214a9836697c3c75e03b21f2ba4a3818efad1d74 Author: Takashi Sakamoto Date: Thu May 13 21:56:52 2021 +0900 ALSA: firewire-lib: fix amdtp_packet tracepoints event for packet_index field commit 814b43127f4ac69332e809152e30773941438aff upstream. The snd_firewire_lib:amdtp_packet tracepoints event includes index of packet processed in a context handling. However in IR context, it is not calculated as expected. Cc: Fixes: 753e717986c2 ("ALSA: firewire-lib: use packet descriptor for IR context") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210513125652.110249-6-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1e94ffd074dddc288b1f33933e95cf4fc7dfc263 Author: Takashi Iwai Date: Sun May 16 18:17:55 2021 +0200 ALSA: intel8x0: Don't update period unless prepared commit c1f0616124c455c5c762b6f123e40bba5df759e6 upstream. The interrupt handler of intel8x0 calls snd_intel8x0_update() whenever the hardware sets the corresponding status bit for each stream. This works fine for most cases as long as the hardware behaves properly. But when the hardware gives a wrong bit set, this leads to a zero- division Oops, and reportedly, this seems what happened on a VM. For fixing the crash, this patch adds a internal flag indicating that the stream is ready to be updated, and check it (as well as the flag being in suspended) to ignore such spurious update. Cc: Reported-and-tested-by: Sergey Senozhatsky Link: https://lore.kernel.org/r/s5h5yzi7uh0.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e227c60aa9ecb99a167e0c3642d5af50b498c456 Author: Takashi Sakamoto Date: Tue May 18 10:26:12 2021 +0900 ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency commit 4c6fe8c547e3c9e8c15dabdd23c569ee0df3adb1 upstream. At high sampling transfer frequency, TC Electronic Konnekt Live transfers/receives 6 audio data frames in multi bit linear audio data channel of data block in CIP payload. Current hard-coded stream format is wrong. Cc: Fixes: f1f0f330b1d0 ("ALSA: dice: add parameters of stream formats for models produced by TC Electronic") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210518012612.37268-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1b2b4d68172b5265e5f27ca5a4679e01eb34d15c Author: Hsin-Yi Wang Date: Tue Apr 20 21:30:50 2021 +0800 misc: eeprom: at24: check suspend status before disable regulator commit 2962484dfef8dbb7f9059822bc26ce8a04d0e47c upstream. cd5676db0574 ("misc: eeprom: at24: support pm_runtime control") disables regulator in runtime suspend. If runtime suspend is called before regulator disable, it will results in regulator unbalanced disabling. Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control") Cc: stable Acked-by: Bartosz Golaszewski Signed-off-by: Hsin-Yi Wang Link: https://lore.kernel.org/r/20210420133050.377209-1-hsinyi@chromium.org Signed-off-by: Greg Kroah-Hartman commit 42d35af922468fa42f46656b0e45e02f06e01fe6 Author: Ronnie Sahlberg Date: Wed May 19 08:40:11 2021 +1000 cifs: fix memory leak in smb2_copychunk_range commit d201d7631ca170b038e7f8921120d05eec70d7c5 upstream. When using smb2_copychunk_range() for large ranges we will run through several iterations of a loop calling SMB2_ioctl() but never actually free the returned buffer except for the final iteration. This leads to memory leaks everytime a large copychunk is requested. Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files") Cc: Reviewed-by: Aurelien Aptel Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 56001dda032f84116c3b16d5140d64d77ae5a367 Author: Josef Bacik Date: Thu Apr 29 10:51:34 2021 -0400 btrfs: avoid RCU stalls while running delayed iputs commit 71795ee590111e3636cc3c148289dfa9fa0a5fc3 upstream. Generally a delayed iput is added when we might do the final iput, so usually we'll end up sleeping while processing the delayed iputs naturally. However there's no guarantee of this, especially for small files. In production we noticed 5 instances of RCU stalls while testing a kernel release overnight across 1000 machines, so this is relatively common: host count: 5 rcu: INFO: rcu_sched self-detected stall on CPU rcu: ....: (20998 ticks this GP) idle=59e/1/0x4000000000000002 softirq=12333372/12333372 fqs=3208 (t=21031 jiffies g=27810193 q=41075) NMI backtrace for cpu 1 CPU: 1 PID: 1713 Comm: btrfs-cleaner Kdump: loaded Not tainted 5.6.13-0_fbk12_rc1_5520_gec92bffc1ec9 #1 Call Trace: dump_stack+0x50/0x70 nmi_cpu_backtrace.cold.6+0x30/0x65 ? lapic_can_unplug_cpu.cold.30+0x40/0x40 nmi_trigger_cpumask_backtrace+0xba/0xca rcu_dump_cpu_stacks+0x99/0xc7 rcu_sched_clock_irq.cold.90+0x1b2/0x3a3 ? trigger_load_balance+0x5c/0x200 ? tick_sched_do_timer+0x60/0x60 ? tick_sched_do_timer+0x60/0x60 update_process_times+0x24/0x50 tick_sched_timer+0x37/0x70 __hrtimer_run_queues+0xfe/0x270 hrtimer_interrupt+0xf4/0x210 smp_apic_timer_interrupt+0x5e/0x120 apic_timer_interrupt+0xf/0x20 RIP: 0010:queued_spin_lock_slowpath+0x17d/0x1b0 RSP: 0018:ffffc9000da5fe48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000000 RBX: ffff889fa81d0cd8 RCX: 0000000000000029 RDX: ffff889fff86c0c0 RSI: 0000000000080000 RDI: ffff88bfc2da7200 RBP: ffff888f2dcdd768 R08: 0000000001040000 R09: 0000000000000000 R10: 0000000000000001 R11: ffffffff82a55560 R12: ffff88bfc2da7200 R13: 0000000000000000 R14: ffff88bff6c2a360 R15: ffffffff814bd870 ? kzalloc.constprop.57+0x30/0x30 list_lru_add+0x5a/0x100 inode_lru_list_add+0x20/0x40 iput+0x1c1/0x1f0 run_delayed_iput_locked+0x46/0x90 btrfs_run_delayed_iputs+0x3f/0x60 cleaner_kthread+0xf2/0x120 kthread+0x10b/0x130 Fix this by adding a cond_resched_lock() to the loop processing delayed iputs so we can avoid these sort of stalls. CC: stable@vger.kernel.org # 4.9+ Reviewed-by: Rik van Riel Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit e022914f206c10b57e15112e8e1769869cf2aa13 Author: Alexey Kardashevskiy Date: Thu May 20 13:29:19 2021 +1000 powerpc: Fix early setup to make early_ioremap() work [ Upstream commit e2f5efd0f0e229bd110eab513e7c0331d61a4649 ] The immediate problem is that after commit 0bd3f9e953bd ("powerpc/legacy_serial: Use early_ioremap()") the kernel silently reboots on some systems. The reason is that early_ioremap() returns broken addresses as it uses slot_virt[] array which initialized with offsets from FIXADDR_TOP == IOREMAP_END+FIXADDR_SIZE == KERN_IO_END - FIXADDR_SIZ + FIXADDR_SIZE == __kernel_io_end which is 0 when early_ioremap_setup() is called. __kernel_io_end is initialized little bit later in early_init_mmu(). This fixes the initialization by swapping early_ioremap_setup() and early_init_mmu(). Fixes: 265c3491c4bc ("powerpc: Add support for GENERIC_EARLY_IOREMAP") Signed-off-by: Alexey Kardashevskiy Reviewed-by: Christophe Leroy [mpe: Drop unrelated cleanup & cleanup change log] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210520032919.358935-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit e354e3744b0b6f1e9436bc90480fa4e60db1bca8 Author: Zqiang Date: Mon May 17 11:40:05 2021 +0800 locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal [ Upstream commit 3a010c493271f04578b133de977e0e5dd2848cea ] When a interruptible mutex locker is interrupted by a signal without acquiring this lock and removed from the wait queue. if the mutex isn't contended enough to have a waiter put into the wait queue again, the setting of the WAITER bit will force mutex locker to go into the slowpath to acquire the lock every time, so if the wait queue is empty, the WAITER bit need to be clear. Fixes: 040a0a371005 ("mutex: Add support for wound/wait style locks") Suggested-by: Peter Zijlstra Signed-off-by: Zqiang Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210517034005.30828-1-qiang.zhang@windriver.com Signed-off-by: Sasha Levin commit 5dfed1be0e9c2ffeaecbfe6adab970c600d0e156 Author: Leo Yan Date: Wed May 12 20:09:37 2021 +0800 locking/lockdep: Correct calling tracepoints [ Upstream commit 89e70d5c583c55088faa2201d397ee30a15704aa ] The commit eb1f00237aca ("lockdep,trace: Expose tracepoints") reverses tracepoints for lock_contended() and lock_acquired(), thus the ftrace log shows the wrong locking sequence that "acquired" event is prior to "contended" event: -0 [001] d.s3 20803.501685: lock_acquire: 0000000008b91ab4 &sg_policy->update_lock -0 [001] d.s3 20803.501686: lock_acquired: 0000000008b91ab4 &sg_policy->update_lock -0 [001] d.s3 20803.501689: lock_contended: 0000000008b91ab4 &sg_policy->update_lock -0 [001] d.s3 20803.501690: lock_release: 0000000008b91ab4 &sg_policy->update_lock This patch fixes calling tracepoints for lock_contended() and lock_acquired(). Fixes: eb1f00237aca ("lockdep,trace: Expose tracepoints") Signed-off-by: Leo Yan Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210512120937.90211-1-leo.yan@linaro.org Signed-off-by: Sasha Levin commit 075becedce372422239a39488adddcb9f6334d50 Author: Like Xu Date: Fri Apr 30 13:22:46 2021 +0800 perf/x86: Avoid touching LBR_TOS MSR for Arch LBR [ Upstream commit 3317c26a4b413b41364f2c4b83c778c6aba1576d ] The Architecture LBR does not have MSR_LBR_TOS (0x000001c9). In a guest that should support Architecture LBR, check_msr() will be a non-related check for the architecture MSR 0x0 (IA32_P5_MC_ADDR) that is also not supported by KVM. The failure will cause x86_pmu.lbr_nr = 0, thereby preventing the initialization of the guest Arch LBR. Fix it by avoiding this extraneous check in intel_pmu_init() for Arch LBR. Fixes: 47125db27e47 ("perf/x86/intel/lbr: Support Architectural LBR") Signed-off-by: Like Xu [peterz: simpler still] Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210430052247.3079672-1-like.xu@linux.intel.com Signed-off-by: Sasha Levin commit e207bbf555bd644da1c82765df4d5c9b8354880f Author: Daniel Wagner Date: Wed May 12 16:50:05 2021 +0200 nvmet: seset ns->file when open fails [ Upstream commit 85428beac80dbcace5b146b218697c73e367dcf5 ] Reset the ns->file value to NULL also in the error case in nvmet_file_ns_enable(). The ns->file variable points either to file object or contains the error code after the filp_open() call. This can lead to following problem: When the user first setups an invalid file backend and tries to enable the ns, it will fail. Then the user switches over to a bdev backend and enables successfully the ns. The first received I/O will crash the system because the IO backend is chosen based on the ns->file value: static u16 nvmet_parse_io_cmd(struct nvmet_req *req) { [...] if (req->ns->file) return nvmet_file_parse_io_cmd(req); return nvmet_bdev_parse_io_cmd(req); } Reported-by: Enzo Matsumiya Signed-off-by: Daniel Wagner Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 6f08af55ea5471d7d9474f6fc38500ff5f3d1b6a Author: Oleg Nesterov Date: Wed May 12 15:33:08 2021 +0200 ptrace: make ptrace() fail if the tracee changed its pid unexpectedly [ Upstream commit dbb5afad100a828c97e012c6106566d99f041db6 ] Suppose we have 2 threads, the group-leader L and a sub-theread T, both parked in ptrace_stop(). Debugger tries to resume both threads and does ptrace(PTRACE_CONT, T); ptrace(PTRACE_CONT, L); If the sub-thread T execs in between, the 2nd PTRACE_CONT doesn not resume the old leader L, it resumes the post-exec thread T which was actually now stopped in PTHREAD_EVENT_EXEC. In this case the PTHREAD_EVENT_EXEC event is lost, and the tracer can't know that the tracee changed its pid. This patch makes ptrace() fail in this case until debugger does wait() and consumes PTHREAD_EVENT_EXEC which reports old_pid. This affects all ptrace requests except the "asynchronous" PTRACE_INTERRUPT/KILL. The patch doesn't add the new PTRACE_ option to not complicate the API, and I _hope_ this won't cause any noticeable regression: - If debugger uses PTRACE_O_TRACEEXEC and the thread did an exec and the tracer does a ptrace request without having consumed the exec event, it's 100% sure that the thread the ptracer thinks it is targeting does not exist anymore, or isn't the same as the one it thinks it is targeting. - To some degree this patch adds nothing new. In the scenario above ptrace(L) can fail with -ESRCH if it is called after the execing sub-thread wakes the leader up and before it "steals" the leader's pid. Test-case: #include #include #include #include #include #include #include #include void *tf(void *arg) { execve("/usr/bin/true", NULL, NULL); assert(0); return NULL; } int main(void) { int leader = fork(); if (!leader) { kill(getpid(), SIGSTOP); pthread_t th; pthread_create(&th, NULL, tf, NULL); for (;;) pause(); return 0; } waitpid(leader, NULL, WSTOPPED); ptrace(PTRACE_SEIZE, leader, 0, PTRACE_O_TRACECLONE | PTRACE_O_TRACEEXEC); waitpid(leader, NULL, 0); ptrace(PTRACE_CONT, leader, 0,0); waitpid(leader, NULL, 0); int status, thread = waitpid(-1, &status, 0); assert(thread > 0 && thread != leader); assert(status == 0x80137f); ptrace(PTRACE_CONT, thread, 0,0); /* * waitid() because waitpid(leader, &status, WNOWAIT) does not * report status. Why ???? * * Why WEXITED? because we have another kernel problem connected * to mt-exec. */ siginfo_t info; assert(waitid(P_PID, leader, &info, WSTOPPED|WEXITED|WNOWAIT) == 0); assert(info.si_pid == leader && info.si_status == 0x0405); /* OK, it sleeps in ptrace(PTRACE_EVENT_EXEC == 0x04) */ assert(ptrace(PTRACE_CONT, leader, 0,0) == -1); assert(errno == ESRCH); assert(leader == waitpid(leader, &status, WNOHANG)); assert(status == 0x04057f); assert(ptrace(PTRACE_CONT, leader, 0,0) == 0); return 0; } Signed-off-by: Oleg Nesterov Reported-by: Simon Marchi Acked-by: "Eric W. Biederman" Acked-by: Pedro Alves Acked-by: Simon Marchi Acked-by: Jan Kratochvil Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit eeafd6489d2cee1a7b0edbc7709445efec017418 Author: Nicholas Piggin Date: Sat May 8 20:14:52 2021 +1000 powerpc/pseries: Fix hcall tracing recursion in pv queued spinlocks [ Upstream commit 2c8c89b95831f46a2fb31a8d0fef4601694023ce ] The paravit queued spinlock slow path adds itself to the queue then calls pv_wait to wait for the lock to become free. This is implemented by calling H_CONFER to donate cycles. When hcall tracing is enabled, this H_CONFER call can lead to a spin lock being taken in the tracing code, which will result in the lock to be taken again, which will also go to the slow path because it queues behind itself and so won't ever make progress. An example trace of a deadlock: __pv_queued_spin_lock_slowpath trace_clock_global ring_buffer_lock_reserve trace_event_buffer_lock_reserve trace_event_buffer_reserve trace_event_raw_event_hcall_exit __trace_hcall_exit plpar_hcall_norets_trace __pv_queued_spin_lock_slowpath trace_clock_global ring_buffer_lock_reserve trace_event_buffer_lock_reserve trace_event_buffer_reserve trace_event_raw_event_rcu_dyntick rcu_irq_exit irq_exit __do_irq call_do_irq do_IRQ hardware_interrupt_common_virt Fix this by introducing plpar_hcall_norets_notrace(), and using that to make SPLPAR virtual processor dispatching hcalls by the paravirt spinlock code. Signed-off-by: Nicholas Piggin Reviewed-by: Naveen N. Rao Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210508101455.1578318-2-npiggin@gmail.com Signed-off-by: Sasha Levin commit d53738cd4855d2240e2b73f0da89ab676c5319c4 Author: Yang Yingliang Date: Sat May 22 17:41:53 2021 -0700 tools/testing/selftests/exec: fix link error [ Upstream commit 4d1cd3b2c5c1c32826454de3a18c6183238d47ed ] Fix the link error by adding '-static': gcc -Wall -Wl,-z,max-page-size=0x1000 -pie load_address.c -o /home/yang/linux/tools/testing/selftests/exec/load_address_4096 /usr/bin/ld: /tmp/ccopEGun.o: relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `stderr@@GLIBC_2.17' which may bind externally can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: /tmp/ccopEGun.o(.text+0x158): unresolvable R_AARCH64_ADR_PREL_PG_HI21 relocation against symbol `stderr@@GLIBC_2.17' /usr/bin/ld: final link failed: bad value collect2: error: ld returned 1 exit status make: *** [Makefile:25: tools/testing/selftests/exec/load_address_4096] Error 1 Link: https://lkml.kernel.org/r/20210514092422.2367367-1-yangyingliang@huawei.com Fixes: 206e22f01941 ("tools/testing/selftests: add self-test for verifying load alignment") Signed-off-by: Yang Yingliang Cc: Chris Kennelly Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 7cf4decefa0558ca000f1b6f01336e211b9ed052 Author: Dan Carpenter Date: Fri May 14 17:18:10 2021 +0300 RDMA/uverbs: Fix a NULL vs IS_ERR() bug [ Upstream commit 463a3f66473b58d71428a1c3ce69ea52c05440e5 ] The uapi_get_object() function returns error pointers, it never returns NULL. Fixes: 149d3845f4a5 ("RDMA/uverbs: Add a method to introspect handles in a context") Link: https://lore.kernel.org/r/YJ6Got+U7lz+3n9a@mwanda Signed-off-by: Dan Carpenter Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c62c907ccc63b5ba59609ceecda1b04998d41962 Author: Maor Gottlieb Date: Wed May 19 11:41:32 2021 +0300 RDMA/mlx5: Fix query DCT via DEVX [ Upstream commit cfa3b797118eda7d68f9ede9b1a0279192aca653 ] When executing DEVX command to query QP object, we need to take the QP type from the mlx5_ib_qp struct which hold the driver specific QP types as well, such as DC. Fixes: 34613eb1d2ad ("IB/mlx5: Enable modify and query verbs objects via DEVX") Link: https://lore.kernel.org/r/6eee15d63f09bb70787488e0cf96216e2957f5aa.1621413654.git.leonro@nvidia.com Reviewed-by: Yishai Hadas Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0cf036a0d325200e6c27b90908e51195bbc557b1 Author: Hans de Goede Date: Tue May 18 14:50:27 2021 +0200 platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios [ Upstream commit 3a53587423d25c87af4b4126a806a0575104b45e ] init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems where the Dell WMI interface is supported. While exit_dell_smbios_wmi() unregisters it unconditionally, this leads to the following oops: [ 175.722921] ------------[ cut here ]------------ [ 175.722925] Unexpected driver unregister! [ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40 ... [ 175.723089] Call Trace: [ 175.723094] cleanup_module+0x5/0xedd [dell_smbios] ... [ 175.723148] ---[ end trace 064c34e1ad49509d ]--- Make the unregister happen on the same condition the register happens to fix this. Cc: Mario Limonciello Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver") Signed-off-by: Hans de Goede Reviewed-by: Mario Limonciello Reviewed-by: Mark Gross Link: https://lore.kernel.org/r/20210518125027.21824-1-hdegoede@redhat.com Signed-off-by: Sasha Levin commit b8ff3221771a5a335cd795bfc6d5eba70b220b8f Author: Hans de Goede Date: Wed May 12 14:55:23 2021 +0200 platform/x86: intel_int0002_vgpio: Only call enable_irq_wake() when using s2idle [ Upstream commit b68e182a3062e326b891f47152a3a1b84abccf0f ] Commit 871f1f2bcb01 ("platform/x86: intel_int0002_vgpio: Only implement irq_set_wake on Bay Trail") stopped passing irq_set_wake requests on to the parents IRQ because this was breaking suspend (causing immediate wakeups) on an Asus E202SA. This workaround for the Asus E202SA is causing wakeup by USB keyboard to not work on other devices with Airmont CPU cores such as the Medion Akoya E1239T. In hindsight the problem with the Asus E202SA has nothing to do with Silvermont vs Airmont CPU cores, so the differentiation between the 2 types of CPU cores introduced by the previous fix is wrong. The real issue at hand is s2idle vs S3 suspend where the suspend is mostly handled by firmware. The parent IRQ for the INT0002 device is shared with the ACPI SCI and the real problem is that the INT0002 code should not be messing with the wakeup settings of that IRQ when suspend/resume is being handled by the firmware. Note that on systems which support both s2idle and S3 suspend, which suspend method to use can be changed at runtime. This patch fixes both the Asus E202SA spurious wakeups issue as well as the wakeup by USB keyboard not working on the Medion Akoya E1239T issue. These are both fixed by replacing the old workaround with delaying the enable_irq_wake(parent_irq) call till system-suspend time and protecting it with a !pm_suspend_via_firmware() check so that we still do not call it on devices using firmware-based (S3) suspend such as the Asus E202SA. Note rather then adding #ifdef CONFIG_PM_SLEEP, this commit simply adds a "depends on PM_SLEEP" to the Kconfig since this drivers whole purpose is to deal with wakeup events, so using it without CONFIG_PM_SLEEP makes no sense. Cc: Maxim Mikityanskiy Fixes: 871f1f2bcb01 ("platform/x86: intel_int0002_vgpio: Only implement irq_set_wake on Bay Trail") Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Reviewed-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/20210512125523.55215-2-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 2d6168fa6bc66014e9a27c304a6f65c416468fc2 Author: Liming Sun Date: Fri May 7 20:30:12 2021 -0400 platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue [ Upstream commit 1c0e5701c5e792c090aef0e5b9b8923c334d9324 ] The virtio framework uses wmb() when updating avail->idx. It guarantees the write order, but not necessarily loading order for the code accessing the memory. This commit adds a load barrier after reading the avail->idx to make sure all the data in the descriptor is visible. It also adds a barrier when returning the packet to virtio framework to make sure read/writes are visible to the virtio code. Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc") Signed-off-by: Liming Sun Reviewed-by: Vadim Pasternak Link: https://lore.kernel.org/r/1620433812-17911-1-git-send-email-limings@nvidia.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 753927b802f63e4fe042c856412dae8806dcd587 Author: James Smart Date: Mon May 10 21:56:35 2021 -0700 nvme-fc: clear q_live at beginning of association teardown [ Upstream commit a7d139145a6640172516b193abf6d2398620aa14 ] The __nvmf_check_ready() routine used to bounce all filesystem io if the controller state isn't LIVE. However, a later patch changed the logic so that it rejection ends up being based on the Q live check. The FC transport has a slightly different sequence from rdma and tcp for shutting down queues/marking them non-live. FC marks its queue non-live after aborting all ios and waiting for their termination, leaving a rather large window for filesystem io to continue to hit the transport. Unfortunately this resulted in filesystem I/O or applications seeing I/O errors. Change the FC transport to mark the queues non-live at the first sign of teardown for the association (when I/O is initially terminated). Fixes: 73a5379937ec ("nvme-fabrics: allow to queue requests for live queues") Signed-off-by: James Smart Reviewed-by: Sagi Grimberg Reviewed-by: Himanshu Madhani Reviewed-by: Hannes Reinecke Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 33ebdee80e409f39459bd219ef675434288ba1f0 Author: Keith Busch Date: Mon May 17 15:36:43 2021 -0700 nvme-tcp: rerun io_work if req_list is not empty [ Upstream commit a0fdd1418007f83565d3f2e04b47923ba93a9b8c ] A possible race condition exists where the request to send data is enqueued from nvme_tcp_handle_r2t()'s will not be observed by nvme_tcp_send_all() if it happens to be running. The driver relies on io_work to send the enqueued request when it is runs again, but the concurrently running nvme_tcp_send_all() may not have released the send_mutex at that time. If no future commands are enqueued to re-kick the io_work, the request will timeout in the SEND_H2C state, resulting in a timeout error like: nvme nvme0: queue 1: timeout request 0x3 type 6 Ensure the io_work continues to run as long as the req_list is not empty. Fixes: db5ad6b7f8cdd ("nvme-tcp: try to send request in queue_rq context") Signed-off-by: Keith Busch Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 9c980795ccd77e8abec33dd6fe28dfe1c4083e65 Author: Wu Bo Date: Wed May 19 13:01:10 2021 +0800 nvme-loop: fix memory leak in nvme_loop_create_ctrl() [ Upstream commit 03504e3b54cc8118cc26c064e60a0b00c2308708 ] When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl() fails, the loop ctrl should be freed before jumping to the "out" label. Fixes: 3a85a5de29ea ("nvme-loop: add a NVMe loopback host driver") Signed-off-by: Wu Bo Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 4720f29acb3fe67aa8aa71e6b675b079d193aaeb Author: Wu Bo Date: Wed May 19 13:01:09 2021 +0800 nvmet: fix memory leak in nvmet_alloc_ctrl() [ Upstream commit fec356a61aa3d3a66416b4321f1279e09e0f256f ] When creating ctrl in nvmet_alloc_ctrl(), if the cntlid_min is larger than cntlid_max of the subsystem, and jumps to the "out_free_changed_ns_list" label, but the ctrl->sqs lack of be freed. Fix this by jumping to the "out_free_sqs" label. Fixes: 94a39d61f80f ("nvmet: make ctrl-id configurable") Signed-off-by: Wu Bo Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 737ccd21342c9c073a1638496dc70dfde9a0274f Author: Amit Date: Sun Nov 15 14:19:51 2020 +0200 nvmet: remove unused ctrl->cqs [ Upstream commit 6d65aeab7bf6e83e75f53cfdbdb84603e52e1182 ] remove unused cqs from nvmet_ctrl struct this will reduce the allocated memory. Signed-off-by: Amit Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit bd538f2f136fe5463458351a5ae045ed0a201cae Author: Shay Drory Date: Tue May 11 08:48:28 2021 +0300 RDMA/core: Don't access cm_id after its destruction [ Upstream commit 889d916b6f8a48b8c9489fffcad3b78eedd01a51 ] restrack should only be attached to a cm_id while the ID has a valid device pointer. It is set up when the device is first loaded, but not cleared when the device is removed. There is also two copies of the device pointer, one private and one in the public API, and these were left out of sync. Make everything go to NULL together and manipulate restrack right around the device assignments. Found by syzcaller: BUG: KASAN: wild-memory-access in __list_del include/linux/list.h:112 [inline] BUG: KASAN: wild-memory-access in __list_del_entry include/linux/list.h:135 [inline] BUG: KASAN: wild-memory-access in list_del include/linux/list.h:146 [inline] BUG: KASAN: wild-memory-access in cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] BUG: KASAN: wild-memory-access in cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] BUG: KASAN: wild-memory-access in cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 Write of size 8 at addr dead000000000108 by task syz-executor716/334 CPU: 0 PID: 334 Comm: syz-executor716 Not tainted 5.11.0+ #271 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xbe/0xf9 lib/dump_stack.c:120 __kasan_report mm/kasan/report.c:400 [inline] kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413 __list_del include/linux/list.h:112 [inline] __list_del_entry include/linux/list.h:135 [inline] list_del include/linux/list.h:146 [inline] cma_cancel_listens drivers/infiniband/core/cma.c:1767 [inline] cma_cancel_operation drivers/infiniband/core/cma.c:1795 [inline] cma_cancel_operation+0x1f4/0x4b0 drivers/infiniband/core/cma.c:1783 _destroy_id+0x29/0x460 drivers/infiniband/core/cma.c:1862 ucma_close_id+0x36/0x50 drivers/infiniband/core/ucma.c:185 ucma_destroy_private_ctx+0x58d/0x5b0 drivers/infiniband/core/ucma.c:576 ucma_close+0x91/0xd0 drivers/infiniband/core/ucma.c:1797 __fput+0x169/0x540 fs/file_table.c:280 task_work_run+0xb7/0x100 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0x7da/0x17f0 kernel/exit.c:825 do_group_exit+0x9e/0x190 kernel/exit.c:922 __do_sys_exit_group kernel/exit.c:933 [inline] __se_sys_exit_group kernel/exit.c:931 [inline] __x64_sys_exit_group+0x2d/0x30 kernel/exit.c:931 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 255d0c14b375 ("RDMA/cma: rdma_bind_addr() leaks a cma_dev reference count") Link: https://lore.kernel.org/r/3352ee288fe34f2b44220457a29bfc0548686363.1620711734.git.leonro@nvidia.com Signed-off-by: Shay Drory Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 75bdfe7837322788eca2aa321f6160e35361ff41 Author: Maor Gottlieb Date: Tue May 11 08:48:29 2021 +0300 RDMA/mlx5: Recover from fatal event in dual port mode [ Upstream commit 97f30d324ce6645a4de4ffb71e4ae9b8ca36ff04 ] When there is fatal event on the slave port, the device is marked as not active. We need to mark it as active again when the slave is recovered to regain full functionality. Fixes: d69a24e03659 ("IB/mlx5: Move IB event processing onto a workqueue") Link: https://lore.kernel.org/r/8906754455bb23019ef223c725d2c0d38acfb80b.1620711734.git.leonro@nvidia.com Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8170c2039cc168348e2b481dec137b5cab83177a Author: Zhen Lei Date: Fri May 14 17:09:52 2021 +0800 scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() [ Upstream commit 5cb289bf2d7c34ca1abd794ce116c4f19185a1d4 ] Fix to return a negative error code from the error handling case instead of 0 as done elsewhere in this function. Link: https://lore.kernel.org/r/20210514090952.6715-1-thunder.leizhen@huawei.com Fixes: a9083016a531 ("[SCSI] qla2xxx: Add ISP82XX support.") Reported-by: Hulk Robot Reviewed-by: Himanshu Madhani Signed-off-by: Zhen Lei Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a6362a737572f66051deb7637f3f77ddf7a4402f Author: Javed Hasan Date: Wed May 12 00:25:33 2021 -0700 scsi: qedf: Add pointer checks in qedf_update_link_speed() [ Upstream commit 73578af92a0fae6609b955fcc9113e50e413c80f ] The following trace was observed: [ 14.042059] Call Trace: [ 14.042061] [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf] [ 14.042117] qed_link_update+0x5c/0x80 [qed] [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed] [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042186] ? qed_rd+0x13/0x40 [qed] [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed] [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed] [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100 [ 14.042250] __do_softirq+0xe4/0x2f8 [ 14.042253] irq_exit+0xf7/0x100 [ 14.042255] do_IRQ+0x7f/0xd0 [ 14.042257] common_interrupt+0xf/0xf [ 14.042259] API qedf_link_update() is getting called from QED but by that time shost_data is not initialised. This results in a NULL pointer dereference when we try to dereference shost_data while updating supported_speeds. Add a NULL pointer check before dereferencing shost_data. Link: https://lore.kernel.org/r/20210512072533.23618-1-jhasan@marvell.com Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Reviewed-by: Himanshu Madhani Signed-off-by: Javed Hasan Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3f04b4f87f32f1bdb18b965b50a3df4213782be6 Author: Bart Van Assche Date: Thu May 13 09:49:12 2021 -0700 scsi: ufs: core: Increase the usable queue depth [ Upstream commit d0b2b70eb12e9ffaf95e11b16b230a4e015a536c ] With the current implementation of the UFS driver active_queues is 1 instead of 0 if all UFS request queues are idle. That causes hctx_may_queue() to divide the queue depth by 2 when queueing a request and hence reduces the usable queue depth. The shared tag set code in the block layer keeps track of the number of active request queues. blk_mq_tag_busy() is called before a request is queued onto a hwq and blk_mq_tag_idle() is called some time after the hwq became idle. blk_mq_tag_idle() is called from inside blk_mq_timeout_work(). Hence, blk_mq_tag_idle() is only called if a timer is associated with each request that is submitted to a request queue that shares a tag set with another request queue. Adds a blk_mq_start_request() call in ufshcd_exec_dev_cmd(). This doubles the queue depth on my test setup from 16 to 32. In addition to increasing the usable queue depth, also fix the documentation of the 'timeout' parameter in the header above ufshcd_exec_dev_cmd(). Link: https://lore.kernel.org/r/20210513164912.5683-1-bvanassche@acm.org Fixes: 7252a3603015 ("scsi: ufs: Avoid busy-waiting by eliminating tag conflicts") Cc: Can Guo Cc: Alim Akhtar Cc: Avri Altman Cc: Stanley Chu Cc: Bean Huo Cc: Adrian Hunter Reviewed-by: Can Guo Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2ee4d79c364914989c80de382c0b1a7259a7e4b3 Author: Leon Romanovsky Date: Tue May 11 10:26:03 2021 +0300 RDMA/rxe: Clear all QP fields if creation failed [ Upstream commit 67f29896fdc83298eed5a6576ff8f9873f709228 ] rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly created ones, but in case rxe_qp_from_init() failed it was filled with garbage and caused tot the following error. refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 kref_put include/linux/kref.h:65 [inline] rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ib_create_qp include/rdma/ib_verbs.h:3644 [inline] create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ib_register_device drivers/infiniband/core/device.c:1413 [inline] ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/7bf8d548764d406dbbbaf4b574960ebfd5af8387.1620717918.git.leonro@nvidia.com Reported-by: syzbot+36a7f280de4e11c6f04e@syzkaller.appspotmail.com Signed-off-by: Leon Romanovsky Reviewed-by: Zhu Yanjun Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 66ab7fcdac34b890017f04f391507ef5b2b89a13 Author: Leon Romanovsky Date: Mon May 10 17:46:00 2021 +0300 RDMA/core: Prevent divide-by-zero error triggered by the user [ Upstream commit 54d87913f147a983589923c7f651f97de9af5be1 ] The user_entry_size is supplied by the user and later used as a denominator to calculate number of entries. The zero supplied by the user will trigger the following divide-by-zero error: divide error: 0000 [#1] SMP KASAN PTI CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510 Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b RSP: 0018:ffff88810416f828 EFLAGS: 00010246 RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000 RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0 FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0 ib_uverbs_cmd_verbs+0x1546/0x1940 ib_uverbs_ioctl+0x186/0x240 __x64_sys_ioctl+0x38a/0x1220 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 9f85cbe50aa0 ("RDMA/uverbs: Expose the new GID query API to user space") Link: https://lore.kernel.org/r/b971cc70a8b240a8b5eda33c99fa0558a0071be2.1620657876.git.leonro@nvidia.com Reviewed-by: Jason Gunthorpe Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 15357010e0e155b61bb60bddcd6dad6c0430eabc Author: Leon Romanovsky Date: Sun May 9 14:41:38 2021 +0300 RDMA/siw: Release xarray entry [ Upstream commit a3d83276d98886879b5bf7b30b7c29882754e4df ] The xarray entry is allocated in siw_qp_add(), but release was missed in case zero-sized SQ was discovered. Fixes: 661f385961f0 ("RDMA/siw: Fix handling of zero-sized Read and Receive Queues.") Link: https://lore.kernel.org/r/f070b59d5a1114d5a4e830346755c2b3f141cde5.1620560472.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Reviewed-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit b83b491927677a897f741dce092caa391e8deff2 Author: Leon Romanovsky Date: Sun May 9 14:39:21 2021 +0300 RDMA/siw: Properly check send and receive CQ pointers [ Upstream commit a568814a55a0e82bbc7c7b51333d0c38e8fb5520 ] The check for the NULL of pointer received from container_of() is incorrect by definition as it points to some offset from NULL. Change such check with proper NULL check of SIW QP attributes. Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") Link: https://lore.kernel.org/r/a7535a82925f6f4c1f062abaa294f3ae6e54bdd2.1620560310.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Reviewed-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c39a190d834dee504a09ef8b54786cc43c9e3568 Author: Rijo Thomas Date: Wed Apr 14 23:08:27 2021 +0530 tee: amdtee: unload TA only when its refcount becomes 0 [ Upstream commit 9f015b3765bf593b3ed5d3b588e409dc0ffa9f85 ] Same Trusted Application (TA) can be loaded in multiple TEE contexts. If it is a single instance TA, the TA should not get unloaded from AMD Secure Processor, while it is still in use in another TEE context. Therefore reference count TA and unload it when the count becomes zero. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy Signed-off-by: Rijo Thomas Acked-by: Dan Carpenter Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin commit 12de3ff989358fc20110e1ea53ba17fb1a79630d Author: Christophe JAILLET Date: Fri Apr 23 17:09:28 2021 +0200 openrisc: Fix a memory leak [ Upstream commit c019d92457826bb7b2091c86f36adb5de08405f9 ] 'setup_find_cpu_node()' take a reference on the node it returns. This reference must be decremented when not needed anymore, or there will be a leak. Add the missing 'of_node_put(cpu)'. Note that 'setup_cpuinfo()' that also calls this function already has a correct 'of_node_put(cpu)' at its end. Fixes: 9d02a4283e9c ("OpenRISC: Boot code") Signed-off-by: Christophe JAILLET Signed-off-by: Stafford Horne Signed-off-by: Sasha Levin commit 4dcb3aa4a5ad6f9f89a8ad34df8dc39c77e87c1e Author: Dan Carpenter Date: Thu Apr 22 12:02:29 2021 +0300 firmware: arm_scpi: Prevent the ternary sign expansion bug [ Upstream commit d9cd78edb2e6b7e26747c0ec312be31e7ef196fe ] How the type promotion works in ternary expressions is a bit tricky. The problem is that scpi_clk_get_val() returns longs, "ret" is a int which holds a negative error code, and le32_to_cpu() is an unsigned int. We want the negative error code to be cast to a negative long. But because le32_to_cpu() is an u32 then "ret" is type promoted to u32 and becomes a high positive and then it is promoted to long and it is still a high positive value. Fix this by getting rid of the ternary. Link: https://lore.kernel.org/r/YIE7pdqV/h10tEAK@mwanda Fixes: 8cb7cf56c9fe ("firmware: add support for ARM System Control and Power Interface(SCPI) protocol") Reviewed-by: Cristian Marussi Signed-off-by: Dan Carpenter [sudeep.holla: changed to return 0 as clock rate on error] Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit b561d56bcd16ef44705d4e92f1e9c4d5e63f157f Author: Greg Kroah-Hartman Date: Sat May 22 11:40:55 2021 +0200 Linux 5.10.39 Link: https://lore.kernel.org/r/20210520092053.559923764@linuxfoundation.org Tested-by: Pavel Machek (CIP) Tested-by: Fox Chen Link: https://lore.kernel.org/r/20210520152240.517446848@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Jason Self Tested-by: Florian Fainelli Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Fox Chen Tested-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 090466aeb6a039d24a8f05415f1bdf91330635a4 Author: Andy Shevchenko Date: Wed Dec 9 13:50:17 2020 +0200 scripts: switch explicitly to Python 3 commit 51839e29cb5954470ea4db7236ef8c3d77a6e0bb upstream. Some distributions are about to switch to Python 3 support only. This means that /usr/bin/python, which is Python 2, is not available anymore. Hence, switch scripts to use Python 3 explicitly. Signed-off-by: Andy Shevchenko Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 6ae514b8a8eb675df9d746693726a72d46f2391d Author: Finn Behrens Date: Mon Nov 23 15:15:33 2020 +0100 tweewide: Fix most Shebang lines commit c25ce589dca10d64dde139ae093abc258a32869c upstream. Change every shebang which does not need an argument to use /usr/bin/env. This is needed as not every distro has everything under /usr/bin, sometimes not even bash. Signed-off-by: Finn Behrens Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit ccecbcc9c574cde035a126e3f716764f473decb5 Author: Eric Dumazet Date: Wed Mar 31 14:38:11 2021 -0700 ipv6: remove extra dev_hold() for fallback tunnels commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf upstream. My previous commits added a dev_hold() in tunnels ndo_init(), but forgot to remove it from special functions setting up fallback tunnels. Fallback tunnels do call their respective ndo_init() This leads to various reports like : unregister_netdevice: waiting for ip6gre0 to become free. Usage count = 2 Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods") Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods") Fixes: 40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods") Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 019c426b5360bc28b6e0f0c366c4122fe6e7320b Author: Eric Dumazet Date: Mon Mar 29 23:45:51 2021 -0700 ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods commit 48bb5697269a7cbe5194dbb044dc38c517e34c58 upstream. Same reasons than for the previous commits : 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods") 40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods") 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods") After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger a warning [1] Issue here is that: - all dev_put() should be paired with a corresponding prior dev_hold(). - A driver doing a dev_put() in its ndo_uninit() MUST also do a dev_hold() in its ndo_init(), only when ndo_init() is returning 0. Otherwise, register_netdevice() would call ndo_uninit() in its error path and release a refcount too soon. [1] WARNING: CPU: 1 PID: 21059 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Modules linked in: CPU: 1 PID: 21059 Comm: syz-executor.4 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 RSP: 0018:ffffc900025aefe8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520004b5def RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff888023488568 R13: ffff8880254e9000 R14: 00000000dfd82cfd R15: ffff88802ee2d7c0 FS: 00007f13bc590700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0943e74000 CR3: 0000000025273000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] dev_put include/linux/netdevice.h:4135 [inline] ip6_tnl_dev_uninit+0x370/0x3d0 net/ipv6/ip6_tunnel.c:387 register_netdevice+0xadf/0x1500 net/core/dev.c:10308 ip6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_tunnel.c:263 ip6_tnl_newlink+0x312/0x580 net/ipv6/ip6_tunnel.c:2052 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3c24dbd358bf130da47034ffdb36c4610ed4a92a Author: Eric Dumazet Date: Mon Mar 29 12:25:22 2021 -0700 sit: proper dev_{hold|put} in ndo_[un]init methods commit 6289a98f0817a4a457750d6345e754838eae9439 upstream. After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger a warning [1] Issue here is that: - all dev_put() should be paired with a corresponding prior dev_hold(). - A driver doing a dev_put() in its ndo_uninit() MUST also do a dev_hold() in its ndo_init(), only when ndo_init() is returning 0. Otherwise, register_netdevice() would call ndo_uninit() in its error path and release a refcount too soon. Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b18b1548cb4e4cb1e9223dc2594838d4a815e705 Author: Eric Dumazet Date: Mon Mar 29 11:39:51 2021 -0700 ip6_gre: proper dev_{hold|put} in ndo_[un]init methods commit 7f700334be9aeb91d5d86ef9ad2d901b9b453e9b upstream. After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger a warning [1] Issue here is that: - all dev_put() should be paired with a corresponding dev_hold(), and vice versa. - A driver doing a dev_put() in its ndo_uninit() MUST also do a dev_hold() in its ndo_init(), only when ndo_init() is returning 0. Otherwise, register_netdevice() would call ndo_uninit() in its error path and release a refcount too soon. ip6_gre for example (among others problematic drivers) has to use dev_hold() in ip6gre_tunnel_init_common() instead of from ip6gre_newlink_common(), covering both ip6gre_tunnel_init() and ip6gre_tap_init()/ Note that ip6gre_tunnel_init_common() is not called from ip6erspan_tap_init() thus we also need to add a dev_hold() there, as ip6erspan_tunnel_uninit() does call dev_put() [1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 8422 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Modules linked in: CPU: 1 PID: 8422 Comm: syz-executor854 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 RSP: 0018:ffffc900018befd0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88801ef19c40 RSI: ffffffff815c51f5 RDI: fffff52000317dec RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff888018cf4568 R13: ffff888018cf4c00 R14: ffff8880228f2000 R15: ffffffff8d659b80 FS: 00000000014eb300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7bf2b3138 CR3: 0000000014933000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] dev_put include/linux/netdevice.h:4135 [inline] ip6gre_tunnel_uninit+0x3d7/0x440 net/ipv6/ip6_gre.c:420 register_netdevice+0xadf/0x1500 net/core/dev.c:10308 ip6gre_newlink_common.constprop.0+0x158/0x410 net/ipv6/ip6_gre.c:1984 ip6gre_newlink+0x275/0x7a0 net/ipv6/ip6_gre.c:2017 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 Fixes: 919067cc845f ("net: add CONFIG_PCPU_DEV_REFCNT") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0473032821e64bc4dd30f918b4a8332698447bdd Author: Yannick Vignon Date: Thu May 6 16:33:12 2021 +0200 net: stmmac: Do not enable RX FIFO overflow interrupts [ Upstream commit 8a7cb245cf28cb3e541e0d6c8624b95d079e155b ] The RX FIFO overflows when the system is not able to process all received packets and they start accumulating (first in the DMA queue in memory, then in the FIFO). An interrupt is then raised for each overflowing packet and handled in stmmac_interrupt(). This is counter-productive, since it brings the system (or more likely, one CPU core) to its knees to process the FIFO overflow interrupts. stmmac_interrupt() handles overflow interrupts by writing the rx tail ptr into the corresponding hardware register (according to the MAC spec, this has the effect of restarting the MAC DMA). However, without freeing any rx descriptors, the DMA stops right away, and another overflow interrupt is raised as the FIFO overflows again. Since the DMA is already restarted at the end of stmmac_rx_refill() after freeing descriptors, disabling FIFO overflow interrupts and the corresponding handling code has no side effect, and eliminates the interrupt storm when the RX FIFO overflows. Signed-off-by: Yannick Vignon Link: https://lore.kernel.org/r/20210506143312.20784-1-yannick.vignon@oss.nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 1fb05a3f1f209185ba3e4d175e6749d654468927 Author: Zqiang Date: Thu May 6 18:03:40 2021 -0700 lib: stackdepot: turn depot_lock spinlock to raw_spinlock [ Upstream commit 78564b9434878d686c5f88c4488b20cccbcc42bc ] In RT system, the spin_lock will be replaced by sleepable rt_mutex lock, in __call_rcu(), disable interrupts before calling kasan_record_aux_stack(), will trigger this calltrace: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:951 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 19, name: pgdatinit0 Call Trace: ___might_sleep.cold+0x1b2/0x1f1 rt_spin_lock+0x3b/0xb0 stack_depot_save+0x1b9/0x440 kasan_save_stack+0x32/0x40 kasan_record_aux_stack+0xa5/0xb0 __call_rcu+0x117/0x880 __exit_signal+0xafb/0x1180 release_task+0x1d6/0x480 exit_notify+0x303/0x750 do_exit+0x678/0xcf0 kthread+0x364/0x4f0 ret_from_fork+0x22/0x30 Replace spinlock with raw_spinlock. Link: https://lkml.kernel.org/r/20210329084009.27013-1-qiang.zhang@windriver.com Signed-off-by: Zqiang Reported-by: Andrew Halaney Cc: Alexander Potapenko Cc: Gustavo A. R. Silva Cc: Vijayanand Jitta Cc: Vinayak Menon Cc: Yogesh Lal Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 7da9368f915121df0aadcdeb9968a19a625701d3 Author: yangerkun Date: Thu Apr 1 15:18:07 2021 +0800 block: reexpand iov_iter after read/write [ Upstream commit cf7b39a0cbf6bf57aa07a008d46cf695add05b4c ] We get a bug: BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139 Read of size 8 at addr ffff0000d3fb11f8 by task CPU: 0 PID: 12582 Comm: syz-executor.2 Not tainted 5.10.0-00843-g352c8610ccd2 #2 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4 mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139 io_read fs/io_uring.c:3421 [inline] io_issue_sqe+0x2344/0x2d64 fs/io_uring.c:5943 __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260 io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326 io_submit_sqe fs/io_uring.c:6395 [inline] io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624 __do_sys_io_uring_enter fs/io_uring.c:9013 [inline] __se_sys_io_uring_enter fs/io_uring.c:8960 [inline] __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Allocated by task 12570: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 __kmalloc+0x23c/0x334 mm/slub.c:3970 kmalloc include/linux/slab.h:557 [inline] __io_alloc_async_data+0x68/0x9c fs/io_uring.c:3210 io_setup_async_rw fs/io_uring.c:3229 [inline] io_read fs/io_uring.c:3436 [inline] io_issue_sqe+0x2954/0x2d64 fs/io_uring.c:5943 __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260 io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326 io_submit_sqe fs/io_uring.c:6395 [inline] io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624 __do_sys_io_uring_enter fs/io_uring.c:9013 [inline] __se_sys_io_uring_enter fs/io_uring.c:8960 [inline] __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Freed by task 12570: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 io_dismantle_req fs/io_uring.c:1855 [inline] __io_free_req+0x70/0x254 fs/io_uring.c:1867 io_put_req_find_next fs/io_uring.c:2173 [inline] __io_queue_sqe+0x1fc/0x520 fs/io_uring.c:6279 __io_req_task_submit+0x154/0x21c fs/io_uring.c:2051 io_req_task_submit+0x2c/0x44 fs/io_uring.c:2063 task_work_run+0xdc/0x128 kernel/task_work.c:151 get_signal+0x6f8/0x980 kernel/signal.c:2562 do_signal+0x108/0x3a4 arch/arm64/kernel/signal.c:658 do_notify_resume+0xbc/0x25c arch/arm64/kernel/signal.c:722 work_pending+0xc/0x180 blkdev_read_iter can truncate iov_iter's count since the count + pos may exceed the size of the blkdev. This will confuse io_read that we have consume the iovec. And once we do the iov_iter_revert in io_read, we will trigger the slab-out-of-bounds. Fix it by reexpand the count with size has been truncated. blkdev_write_iter can trigger the problem too. Signed-off-by: yangerkun Acked-by: Pavel Begunkov Link: https://lore.kernel.org/r/20210401071807.3328235-1-yangerkun@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 87f627a0280b94754bc9fa5634c7a7cf3752817c Author: Hui Wang Date: Tue May 4 15:39:17 2021 +0800 ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP [ Upstream commit f48652bbe3ae62ba2835a396b7e01f063e51c4cd ] Without this change, the DAC ctl's name could be changed only when the machine has both Speaker and Headphone, but we met some machines which only has Lineout and Headhpone, and the Lineout and Headphone share the Audio Mixer0 and DAC0, the ctl's name is set to "Front". On most of machines, the "Front" is used for Speaker only or Lineout only, but on this machine it is shared by Lineout and Headphone, This introduces an issue in the pipewire and pulseaudio, suppose users want the Headphone to be on and the Speaker/Lineout to be off, they could turn off the "Front", this works on most of the machines, but on this machine, the "Front" couldn't be turned off otherwise the headphone will be off too. Here we do some change to let the ctl's name change to "Headphone+LO" on this machine, and pipewire and pulseaudio already could handle "Headphone+LO" and "Speaker+LO". (https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/747) BugLink: http://bugs.launchpad.net/bugs/804178 Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210504073917.22406-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 027926f4ff864e0cde03a4e72babb511c7454394 Author: Íñigo Huguet Date: Wed May 5 14:54:50 2021 +0200 net:CXGB4: fix leak if sk_buff is not used [ Upstream commit 52bfcdd87e83d9e69d22da5f26b1512ffc81deed ] An sk_buff is allocated to send a flow control message, but it's not sent in all cases: in case the state is not appropiate to send it or if it can't be enqueued. In the first of these 2 cases, the sk_buff was discarded but not freed, producing a memory leak. Signed-off-by: Íñigo Huguet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9284b702c8e0e46be9de45feef52c226ae26e52d Author: Hans de Goede Date: Thu Apr 1 18:27:40 2021 +0200 gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 [ Upstream commit da91ece226729c76f60708efc275ebd4716ad089 ] Like some other Bay and Cherry Trail SoC based devices the Dell Venue 10 Pro 5055 has an embedded-controller which uses ACPI GPIO events to report events instead of using the standard ACPI EC interface for this. The EC interrupt is only used to report battery-level changes and it keeps doing this while the system is suspended, causing the system to not stay suspended. Add an ignore-wake quirk for the GPIO pin used by the EC to fix the spurious wakeups from suspend. Signed-off-by: Hans de Goede Acked-by: Andy Shevchenko Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 1ce34fb34b99424d9d6614c520534534c16729e2 Author: Rodrigo Siqueira Date: Tue Apr 13 20:06:04 2021 -0400 drm/amd/display: Fix two cursor duplication when using overlay [ Upstream commit 16e9b3e58bc3fce7391539e0eb3fd167cbf9951f ] Our driver supports overlay planes, and as expected, some userspace compositor takes advantage of these features. If the userspace is not enabling the cursor, they can use multiple planes as they please. Nevertheless, we start to have constraints when userspace tries to enable hardware cursor with various planes. Basically, we cannot draw the cursor at the same size and position on two separated pipes since it uses extra bandwidth and DML only run with one cursor. For those reasons, when we enable hardware cursor and multiple planes, our driver should accept variations like the ones described below: +-------------+ +--------------+ | +---------+ | | | | |Primary | | | Primary | | | | | | Overlay | | +---------+ | | | |Overlay | | | +-------------+ +--------------+ In this scenario, we can have the desktop UI in the overlay and some other framebuffer attached to the primary plane (e.g., video). However, userspace needs to obey some rules and avoid scenarios like the ones described below (when enabling hw cursor): +--------+ |Overlay | +-------------+ +-----+-------+ +-| |--+ | +--------+ | +--------+ | | +--------+ | | |Overlay | | |Overlay | | | | | | | | | | | | | | +--------+ | +--------+ | | | | Primary | | Primary | | Primary | +-------------+ +-------------+ +-------------+ +-------------+ +-------------+ | +--------+ | Primary | | |Overlay | | | | | | | | | +--------+ | +--------+ | | Primary | | |Overlay | | +-------------+ +-| |--+ +--------+ If the userspace violates some of the above scenarios, our driver needs to reject the commit; otherwise, we can have unexpected behavior. Since we don't have a proper driver validation for the above case, we can see some problems like a duplicate cursor in applications that use multiple planes. This commit fixes the cursor issue and others by adding adequate verification for multiple planes. Change since V1 (Harry and Sean): - Remove cursor verification from the equation. Cc: Louis Li Cc: Nicholas Kazlauskas Cc: Harry Wentland Cc: Hersen Wu Cc: Sean Paul Signed-off-by: Rodrigo Siqueira Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3851a86c3da8d5360449439fd344b0dd25ca523d Author: Keith Busch Date: Wed Apr 28 21:25:58 2021 -0700 nvmet: remove unsupported command noise [ Upstream commit 4a20342572f66c5b20a1ee680f5ac0a13703748f ] Nothing can stop a host from submitting invalid commands. The target just needs to respond with an appropriate status, but that's not a target error. Demote invalid command messages to the debug level so these events don't spam the kernel logs. Reported-by: Yi Zhang Signed-off-by: Keith Busch Reviewed-by: Klaus Jensen Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 86587f35cba979c2d55376d08a9d553d846e84a5 Author: Phillip Potter Date: Sun May 2 22:34:42 2021 +0100 net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info [ Upstream commit 2e9f60932a2c19e8a11b4a69d419f107024b05a0 ] Check at start of fill_frame_info that the MAC header in the supplied skb is large enough to fit a struct hsr_ethhdr, as otherwise this is not a valid HSR frame. If it is too small, return an error which will then cause the callers to clean up the skb. Fixes a KMSAN-found uninit-value bug reported by syzbot at: https://syzkaller.appspot.com/bug?id=f7e9b601f1414f814f7602a82b6619a8d80bce3f Reported-by: syzbot+e267bed19bfc5478fb33@syzkaller.appspotmail.com Signed-off-by: Phillip Potter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 82646b1844a21473129c5e8c381a087e1f59a22a Author: Zhang Zhengming Date: Wed Apr 28 22:38:14 2021 +0800 bridge: Fix possible races between assigning rx_handler_data and setting IFF_BRIDGE_PORT bit [ Upstream commit 59259ff7a81b9eb6213891c6451221e567f8f22f ] There is a crash in the function br_get_link_af_size_filtered, as the port_exists(dev) is true and the rx_handler_data of dev is NULL. But the rx_handler_data of dev is correct saved in vmcore. The oops looks something like: ... pc : br_get_link_af_size_filtered+0x28/0x1c8 [bridge] ... Call trace: br_get_link_af_size_filtered+0x28/0x1c8 [bridge] if_nlmsg_size+0x180/0x1b0 rtnl_calcit.isra.12+0xf8/0x148 rtnetlink_rcv_msg+0x334/0x370 netlink_rcv_skb+0x64/0x130 rtnetlink_rcv+0x28/0x38 netlink_unicast+0x1f0/0x250 netlink_sendmsg+0x310/0x378 sock_sendmsg+0x4c/0x70 __sys_sendto+0x120/0x150 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x78/0x130 el0_svc_handler+0x38/0x78 el0_svc+0x8/0xc In br_add_if(), we found there is no guarantee that assigning rx_handler_data to dev->rx_handler_data will before setting the IFF_BRIDGE_PORT bit of priv_flags. So there is a possible data competition: CPU 0: CPU 1: (RCU read lock) (RTNL lock) rtnl_calcit() br_add_slave() if_nlmsg_size() br_add_if() br_get_link_af_size_filtered() -> netdev_rx_handler_register ... // The order is not guaranteed ... -> dev->priv_flags |= IFF_BRIDGE_PORT; // The IFF_BRIDGE_PORT bit of priv_flags has been set -> if (br_port_exists(dev)) { // The dev->rx_handler_data has NOT been assigned -> p = br_port_get_rcu(dev); .... -> rcu_assign_pointer(dev->rx_handler_data, rx_handler_data); ... Fix it in br_get_link_af_size_filtered, using br_port_get_check_rcu() and checking the return value. Signed-off-by: Zhang Zhengming Reviewed-by: Zhao Lei Reviewed-by: Wang Xiaogang Suggested-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dcbc4e33804c31bc303d989f43bed32c7307787f Author: Darren Powell Date: Wed Apr 7 00:34:35 2021 -0400 amdgpu/pm: Prevent force of DCEFCLK on NAVI10 and SIENNA_CICHLID [ Upstream commit b117b3964f38a988cb79825950dbd607c02237f3 ] Writing to dcefclk causes the gpu to become unresponsive, and requires a reboot. Patch ignores a .force_clk_levels(SMU_DCEFCLK) call and issues an info message. Signed-off-by: Darren Powell Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d47d0d1a1fb2cddbc322a7ff19ccfc127cb561c5 Author: Bodo Stroesser Date: Fri Apr 23 17:01:23 2021 +0200 scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id not found [ Upstream commit 9814b55cde0588b6d9bc496cee43f87316cbc6f1 ] If tcmu_handle_completions() finds an invalid cmd_id while looping over cmd responses from userspace it sets TCMU_DEV_BIT_BROKEN and breaks the loop. This means that it does further handling for the tcmu device. Skip that handling by replacing 'break' with 'return'. Additionally change tcmu_handle_completions() from unsigned int to bool, since the value used in return already is bool. Link: https://lore.kernel.org/r/20210423150123.24468-1-bostroesser@gmail.com Signed-off-by: Bodo Stroesser Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3611ce2f23a4be659eae66da2ee7acafd6e5b267 Author: Jeff Layton Date: Thu Apr 1 13:55:11 2021 -0400 ceph: don't allow access to MDS-private inodes [ Upstream commit d4f6b31d721779d91b5e2f8072478af73b196c34 ] The MDS reserves a set of inodes for its own usage, and these should never be accessible to clients. Add a new helper to vet a proposed inode number against that range, and complain loudly and refuse to create or look it up if it's in it. Also, ensure that the MDS doesn't try to delegate inodes that are in that range or lower. Print a warning if it does, and don't save the range in the xarray. URL: https://tracker.ceph.com/issues/49922 Signed-off-by: Jeff Layton Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit db275714dd506db541f4a17f1549a2ec7f8d3ef6 Author: Jeff Layton Date: Mon Mar 1 07:38:01 2021 -0500 ceph: don't clobber i_snap_caps on non-I_NEW inode [ Upstream commit d3c51ae1b8cce5bdaf91a1ce32b33cf5626075dc ] We want the snapdir to mirror the non-snapped directory's attributes for most things, but i_snap_caps represents the caps granted on the snapshot directory by the MDS itself. A misbehaving MDS could issue different caps for the snapdir and we lose them here. Only reset i_snap_caps when the inode is I_NEW. Also, move the setting of i_op and i_fop inside the if block since they should never change anyway. Reported-by: Al Viro Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 2783c34d54309ed88e2960b230fa75db301beefe Author: Jeff Layton Date: Thu Jan 21 18:05:37 2021 -0500 ceph: fix fscache invalidation [ Upstream commit 10a7052c7868bc7bc72d947f5aac6f768928db87 ] Ensure that we invalidate the fscache whenever we invalidate the pagecache. Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit f8adfb1d370f035e1790a3d1a5e8a99ff0687bdd Author: James Smart Date: Wed Apr 21 16:44:33 2021 -0700 scsi: lpfc: Fix illegal memory access on Abort IOCBs [ Upstream commit e1364711359f3ced054bda9920477c8bf93b74c5 ] In devloss timer handler and in backend calls to terminate remote port I/O, there is logic to walk through all active IOCBs and validate them to potentially trigger an abort request. This logic is causing illegal memory accesses which leads to a crash. Abort IOCBs, which may be on the list, do not have an associated lpfc_io_buf struct. The driver is trying to map an lpfc_io_buf struct on the IOCB and which results in a bogus address thus the issue. Fix by skipping over ABORT IOCBs (CLOSE IOCBs are ABORTS that don't send ABTS) in the IOCB scan logic. Link: https://lore.kernel.org/r/20210421234433.102079-1-jsmart2021@gmail.com Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0195e2813aac69154cf064e1c9ec0fc187fb65c0 Author: Nathan Chancellor Date: Thu Mar 25 15:38:06 2021 -0700 riscv: Workaround mcount name prior to clang-13 [ Upstream commit 7ce04771503074a7de7f539cc43f5e1b385cb99b ] Prior to clang 13.0.0, the RISC-V name for the mcount symbol was "mcount", which differs from the GCC version of "_mcount", which results in the following errors: riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_level': main.c:(.text+0xe): undefined reference to `mcount' riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_start': main.c:(.text+0x4e): undefined reference to `mcount' riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_finish': main.c:(.text+0x92): undefined reference to `mcount' riscv64-linux-gnu-ld: init/main.o: in function `.LBB32_28': main.c:(.text+0x30c): undefined reference to `mcount' riscv64-linux-gnu-ld: init/main.o: in function `free_initmem': main.c:(.text+0x54c): undefined reference to `mcount' This has been corrected in https://reviews.llvm.org/D98881 but the minimum supported clang version is 10.0.1. To avoid build errors and to gain a working function tracer, adjust the name of the mcount symbol for older versions of clang in mount.S and recordmcount.pl. Link: https://github.com/ClangBuiltLinux/linux/issues/1331 Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 52b7b9ad63dad081511c6d96c9ee773e58707f36 Author: Nathan Chancellor Date: Thu Mar 25 15:38:05 2021 -0700 scripts/recordmcount.pl: Fix RISC-V regex for clang [ Upstream commit 2f095504f4b9cf75856d6a9cf90299cf75aa46c5 ] Clang can generate R_RISCV_CALL_PLT relocations to _mcount: $ llvm-objdump -dr build/riscv/init/main.o | rg mcount 000000000000000e: R_RISCV_CALL_PLT _mcount 000000000000004e: R_RISCV_CALL_PLT _mcount After this, the __start_mcount_loc section is properly generated and function tracing still works. Link: https://github.com/ClangBuiltLinux/linux/issues/1331 Signed-off-by: Nathan Chancellor Reviewed-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit b6b7f7ed7f96912c2dd96ab3151be765692b78ba Author: Nathan Chancellor Date: Thu Mar 25 14:51:56 2021 -0700 riscv: Use $(LD) instead of $(CC) to link vDSO [ Upstream commit 7f3d349065d0c643f7f7013fbf9bc9f2c90b675f ] Currently, the VDSO is being linked through $(CC). This does not match how the rest of the kernel links objects, which is through the $(LD) variable. When linking with clang, there are a couple of warnings about flags that will not be used during the link: clang-12: warning: argument unused during compilation: '-no-pie' [-Wunused-command-line-argument] clang-12: warning: argument unused during compilation: '-pg' [-Wunused-command-line-argument] '-no-pie' was added in commit 85602bea297f ("RISC-V: build vdso-dummy.o with -no-pie") to override '-pie' getting added to the ld command from distribution versions of GCC that enable PIE by default. It is technically no longer needed after commit c2c81bb2f691 ("RISC-V: Fix the VDSO symbol generaton for binutils-2.35+"), which removed vdso-dummy.o in favor of generating vdso-syms.S from vdso.so with $(NM) but this also resolves the issue in case it ever comes back due to having full control over the $(LD) command. '-pg' is for function tracing, it is not used during linking as clang states. These flags could be removed/filtered to fix the warnings but it is easier to just match the rest of the kernel and use $(LD) directly for linking. See commits fe00e50b2db8 ("ARM: 8858/1: vdso: use $(LD) instead of $(CC) to link VDSO") 691efbedc60d ("arm64: vdso: use $(LD) instead of $(CC) to link VDSO") 2ff906994b6c ("MIPS: VDSO: Use $(LD) instead of $(CC) to link VDSO") 2b2a25845d53 ("s390/vdso: Use $(LD) instead of $(CC) to link vDSO") for more information. The flags are converted to linker flags and '--eh-frame-hdr' is added to match what is added by GCC implicitly, which can be seen by adding '-v' to GCC's invocation. Additionally, since this area is being modified, use the $(OBJCOPY) variable instead of an open coded $(CROSS_COMPILE)objcopy so that the user's choice of objcopy binary is respected. Link: https://github.com/ClangBuiltLinux/linux/issues/803 Link: https://github.com/ClangBuiltLinux/linux/issues/970 Signed-off-by: Nathan Chancellor Reviewed-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 6a40e3f9a803d958ea497bc8522b33597b763b5c Author: Prashant Malani Date: Tue Apr 20 21:21:09 2021 -0700 platform/chrome: cros_ec_typec: Add DP mode check [ Upstream commit c5bb32f57bf3a30ed03be51f7be0840325ba8b4a ] There are certain transitional situations where the dp_mode field in the PD_CONTROL response might not be populated with the right DP pin assignment value yet. Add a check for that to avoid sending an invalid value to the Type C mode switch. Signed-off-by: Prashant Malani Signed-off-by: Enric Balletbo i Serra Link: https://lore.kernel.org/r/20210421042108.2002-1-pmalani@chromium.org Signed-off-by: Sasha Levin commit b01b7999f49e9f9a4278442c0af73b8777f68f2c Author: Manivannan Sadhasivam Date: Wed Apr 14 04:41:16 2021 +0100 ARM: 9075/1: kernel: Fix interrupted SMC calls [ Upstream commit 57ac51667d8cd62731223d687e5fe7b41c502f89 ] On Qualcomm ARM32 platforms, the SMC call can return before it has completed. If this occurs, the call can be restarted, but it requires using the returned session ID value from the interrupted SMC call. The ARM32 SMCC code already has the provision to add platform specific quirks for things like this. So let's make use of it and add the Qualcomm specific quirk (ARM_SMCCC_QUIRK_QCOM_A6) used by the QCOM_SCM driver. This change is similar to the below one added for ARM64 a while ago: commit 82bcd087029f ("firmware: qcom: scm: Fix interrupted SCM calls") Without this change, the Qualcomm ARM32 platforms like SDX55 will return -EINVAL for SMC calls used for modem firmware loading and validation. Signed-off-by: Manivannan Sadhasivam Reviewed-by: Bjorn Andersson Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 2f06cd6d9c6a477b1afd6a8beda3df9ec618009b Author: Johannes Berg Date: Mon Mar 15 23:47:31 2021 +0100 um: Disable CONFIG_GCOV with MODULES [ Upstream commit ad3d19911632debc886ef4a992d41d6de7927006 ] CONFIG_GCOV doesn't work with modules, and for various reasons it cannot work, see also https://lore.kernel.org/r/d36ea54d8c0a8dd706826ba844a6f27691f45d55.camel@sipsolutions.net Make CONFIG_GCOV depend on !MODULES to avoid anyone running into issues there. This also means we need not export the gcov symbols. Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 91628cfd70d0cf0bf0268a00af1277929a5542be Author: Johannes Berg Date: Fri Mar 5 21:43:15 2021 +0100 um: Mark all kernel symbols as local [ Upstream commit d5027ca63e0e778b641cf23e3f5c6d6212cf412b ] Ritesh reported a bug [1] against UML, noting that it crashed on startup. The backtrace shows the following (heavily redacted): (gdb) bt ... #26 0x0000000060015b5d in sem_init () at ipc/sem.c:268 #27 0x00007f89906d92f7 in ?? () from /lib/x86_64-linux-gnu/libcom_err.so.2 #28 0x00007f8990ab8fb2 in call_init (...) at dl-init.c:72 ... #40 0x00007f89909bf3a6 in nss_load_library (...) at nsswitch.c:359 ... #44 0x00007f8990895e35 in _nss_compat_getgrnam_r (...) at nss_compat/compat-grp.c:486 #45 0x00007f8990968b85 in __getgrnam_r [...] #46 0x00007f89909d6b77 in grantpt [...] #47 0x00007f8990a9394e in __GI_openpty [...] #48 0x00000000604a1f65 in openpty_cb (...) at arch/um/os-Linux/sigio.c:407 #49 0x00000000604a58d0 in start_idle_thread (...) at arch/um/os-Linux/skas/process.c:598 #50 0x0000000060004a3d in start_uml () at arch/um/kernel/skas/process.c:45 #51 0x00000000600047b2 in linux_main (...) at arch/um/kernel/um_arch.c:334 #52 0x000000006000574f in main (...) at arch/um/os-Linux/main.c:144 indicating that the UML function openpty_cb() calls openpty(), which internally calls __getgrnam_r(), which causes the nsswitch machinery to get started. This loads, through lots of indirection that I snipped, the libcom_err.so.2 library, which (in an unknown function, "??") calls sem_init(). Now, of course it wants to get libpthread's sem_init(), since it's linked against libpthread. However, the dynamic linker looks up that symbol against the binary first, and gets the kernel's sem_init(). Hajime Tazaki noted that "objcopy -L" can localize a symbol, so the dynamic linker wouldn't do the lookup this way. I tried, but for some reason that didn't seem to work. Doing the same thing in the linker script instead does seem to work, though I cannot entirely explain - it *also* works if I just add "VERSION { { global: *; }; }" instead, indicating that something else is happening that I don't really understand. It may be that explicitly doing that marks them with some kind of empty version, and that's different from the default. Explicitly marking them with a version breaks kallsyms, so that doesn't seem to be possible. Marking all the symbols as local seems correct, and does seem to address the issue, so do that. Also do it for static link, nsswitch libraries could still be loaded there. [1] https://bugs.debian.org/983379 Reported-by: Ritesh Raj Sarraf Signed-off-by: Johannes Berg Acked-By: Anton Ivanov Tested-By: Ritesh Raj Sarraf Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit d35891cbb1d4af48393ae2c6a45c6530d798c64c Author: Trond Myklebust Date: Thu Mar 25 20:46:36 2021 -0400 NFS: NFS_INO_REVAL_PAGECACHE should mark the change attribute invalid [ Upstream commit 50c7a7994dd20af56e4d47e90af10bab71b71001 ] When we're looking to revalidate the page cache, we should just ensure that we mark the change attribute invalid. Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 87264fb5abacb90597a9def2856c6e91a6e05627 Author: Hans de Goede Date: Fri Apr 9 22:29:49 2021 -0700 Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state [ Upstream commit e479187748a8f151a85116a7091c599b121fdea5 ] Some buggy BIOS-es bring up the touchscreen-controller in a stuck state where it blocks the I2C bus. Specifically this happens on the Jumper EZpad 7 tablet model. After much poking at this problem I have found that the following steps are necessary to unstuck the chip / bus: 1. Turn off the Silead chip. 2. Try to do an I2C transfer with the chip, this will fail in response to which the I2C-bus-driver will call: i2c_recover_bus() which will unstuck the I2C-bus. Note the unstuck-ing of the I2C bus only works if we first drop the chip of the bus by turning it off. 3. Turn the chip back on. On the x86/ACPI systems were this problem is seen, step 1. and 3. require making ACPI calls and dealing with ACPI Power Resources. This commit adds a workaround which runtime-suspends the chip to turn it off, leaving it up to the ACPI subsystem to deal with all the ACPI specific details. There is no good way to detect this bug, so the workaround gets activated by a new "silead,stuck-controller-bug" boolean device-property. Since this is only used on x86/ACPI, this will be set by model specific device-props set by drivers/platform/x86/touchscreen_dmi.c. Therefor this new device-property is not documented in the DT-bindings. Dmesg will contain the following messages on systems where the workaround is activated: [ 54.309029] silead_ts i2c-MSSL1680:00: [Firmware Bug]: Stuck I2C bus: please ignore the next 'controller timed out' error [ 55.373593] i2c_designware 808622C1:04: controller timed out [ 55.582186] silead_ts i2c-MSSL1680:00: Silead chip ID: 0x80360000 Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210405202745.16777-1-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c2742ef47574dd8afc479689674d98417c3e60dd Author: Hans de Goede Date: Fri Apr 9 22:29:07 2021 -0700 Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices [ Upstream commit 65299e8bfb24774e6340e93ae49f6626598917c8 ] Several users have been reporting that elants_i2c gives several errors during probe and that their touchscreen does not work on their Lenovo AMD based laptops with a touchscreen with a ELAN0001 ACPI hardware-id: [ 0.550596] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vcc33 not found, using dummy regulator [ 0.551836] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vccio not found, using dummy regulator [ 0.560932] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 [ 0.562427] elants_i2c i2c-ELAN0001:00: software reset failed: -121 [ 0.595925] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 [ 0.597974] elants_i2c i2c-ELAN0001:00: software reset failed: -121 [ 0.621893] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121 [ 0.622504] elants_i2c i2c-ELAN0001:00: software reset failed: -121 [ 0.632650] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (4d 61 69 6e): -121 [ 0.634256] elants_i2c i2c-ELAN0001:00: boot failed: -121 [ 0.699212] elants_i2c i2c-ELAN0001:00: invalid 'hello' packet: 00 00 ff ff [ 1.630506] elants_i2c i2c-ELAN0001:00: Failed to read fw id: -121 [ 1.645508] elants_i2c i2c-ELAN0001:00: unknown packet 00 00 ff ff Despite these errors, the elants_i2c driver stays bound to the device (it returns 0 from its probe method despite the errors), blocking the i2c-hid driver from binding. Manually unbinding the elants_i2c driver and binding the i2c-hid driver makes the touchscreen work. Check if the ACPI-fwnode for the touchscreen contains one of the i2c-hid compatiblity-id strings and if it has the I2C-HID spec's DSM to get the HID descriptor address, If it has both then make elants_i2c not bind, so that the i2c-hid driver can bind. This assumes that non of the (older) elan touchscreens which actually need the elants_i2c driver falsely advertise an i2c-hid compatiblity-id + DSM in their ACPI-fwnodes. If some of them actually do have this false advertising, then this change may lead to regressions. While at it also drop the unnecessary DEVICE_NAME prefixing of the "I2C check functionality error", dev_err already outputs the driver-name. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207759 Acked-by: Benjamin Tissoires Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210405202756.16830-1-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 4800a98bcfe472a5cde5ac51830884d707a46fcc Author: Dinghao Liu Date: Thu Apr 8 15:26:58 2021 +0800 PCI: tegra: Fix runtime PM imbalance in pex_ep_event_pex_rst_deassert() [ Upstream commit 5859c926d1f052ee61b5815b14658875c14f6243 ] pm_runtime_get_sync() will increase the runtime PM counter even it returns an error. Thus a pairing decrement is needed to prevent refcount leak. Fix this by replacing this API with pm_runtime_resume_and_get(), which will not change the runtime PM counter on error. Link: https://lore.kernel.org/r/20210408072700.15791-1-dinghao.liu@zju.edu.cn Signed-off-by: Dinghao Liu Signed-off-by: Lorenzo Pieralisi Acked-by: Thierry Reding Signed-off-by: Sasha Levin commit dd6ba896ffa7e26872fe2daaf3abd25b66f47bd1 Author: Feilong Lin Date: Thu Mar 25 15:26:00 2021 +0800 ACPI / hotplug / PCI: Fix reference count leak in enable_slot() [ Upstream commit 3bbfd319034ddce59e023837a4aa11439460509b ] In enable_slot(), if pci_get_slot() returns NULL, we clear the SLOT_ENABLED flag. When pci_get_slot() finds a device, it increments the device's reference count. In this case, we did not call pci_dev_put() to decrement the reference count, so the memory of the device (struct pci_dev type) will eventually leak. Call pci_dev_put() to decrement its reference count when pci_get_slot() returns a PCI device. Link: https://lore.kernel.org/r/b411af88-5049-a1c6-83ac-d104a1f429be@huawei.com Signed-off-by: Feilong Lin Signed-off-by: Zhiqiang Liu Signed-off-by: Bjorn Helgaas Reviewed-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit ec324393a63cfd28e2182a3efd52c93766b6dcd0 Author: louis.wang Date: Wed Feb 24 13:25:53 2021 +0100 ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend() [ Upstream commit 8252ca87c7a2111502ee13994956f8c309faad7f ] Enabling function_graph tracer on ARM causes kernel panic, because the function graph tracer updates the "return address" of a function in order to insert a trace callback on function exit, it saves the function's original return address in a return trace stack, but cpu_suspend() may not return through the normal return path. cpu_suspend() will resume directly via the cpu_resume path, but the return trace stack has been set-up by the subfunctions of cpu_suspend(), which makes the "return address" inconsistent with cpu_suspend(). This patch refers to Commit de818bd4522c40ea02a81b387d2fa86f989c9623 ("arm64: kernel: pause/unpause function graph tracer in cpu_suspend()"), fixes the issue by pausing/resuming the function graph tracer on the thread executing cpu_suspend(), so that the function graph tracer state is kept consistent across functions that enter power down states and never return by effectively disabling graph tracer while they are executing. Signed-off-by: louis.wang Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 3029ef71ab227af7c0ffb7956c2da4b1882aa23b Author: Gustavo Pimentel Date: Thu Feb 18 20:04:06 2021 +0100 dmaengine: dw-edma: Fix crash on loading/unloading driver [ Upstream commit e970dcc4bd8e0a1376e794fc81d41d0fc98262dd ] When the driver is compiled as a module and loaded if we try to unload it, the Kernel shows a crash log. This Kernel crash is due to the dma_async_device_unregister() call done after deleting the channels, this patch fixes this issue. Signed-off-by: Gustavo Pimentel Link: https://lore.kernel.org/r/4aa850c035cf7ee488f1d3fb6dee0e37be0dce0a.1613674948.git.gustavo.pimentel@synopsys.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 13a2ca80d792d978252863bc010c2b3a0ac6ec30 Author: Arnd Bergmann Date: Mon Mar 8 16:24:47 2021 +0100 PCI: thunder: Fix compile testing [ Upstream commit 16f7ae5906dfbeff54f74ec75d0563bb3a87ab0b ] Compile-testing these drivers is currently broken. Enabling it causes a couple of build failures though: drivers/pci/controller/pci-thunder-ecam.c:119:30: error: shift count >= width of type [-Werror,-Wshift-count-overflow] drivers/pci/controller/pci-thunder-pem.c:54:2: error: implicit declaration of function 'writeq' [-Werror,-Wimplicit-function-declaration] drivers/pci/controller/pci-thunder-pem.c:392:8: error: implicit declaration of function 'acpi_get_rc_resources' [-Werror,-Wimplicit-function-declaration] Fix them with the obvious one-line changes. Link: https://lore.kernel.org/r/20210308152501.2135937-2-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Bjorn Helgaas Reviewed-by: Kuppuswamy Sathyanarayanan Reviewed-by: Robert Richter Signed-off-by: Sasha Levin commit a36703d08c83b1488a2f2922f0dc4263125ccd2d Author: Eric Dumazet Date: Fri Apr 2 06:26:02 2021 -0700 virtio_net: Do not pull payload in skb->head [ Upstream commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db ] Xuan Zhuo reported that commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") brought a ~10% performance drop. The reason for the performance drop was that GRO was forced to chain sk_buff (using skb_shinfo(skb)->frag_list), which uses more memory but also cause packet consumers to go over a lot of overhead handling all the tiny skbs. It turns out that virtio_net page_to_skb() has a wrong strategy : It allocates skbs with GOOD_COPY_LEN (128) bytes in skb->head, then copies 128 bytes from the page, before feeding the packet to GRO stack. This was suboptimal before commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") because GRO was using 2 frags per MSS, meaning we were not packing MSS with 100% efficiency. Fix is to pull only the ethernet header in page_to_skb() Then, we change virtio_net_hdr_to_skb() to pull the missing headers, instead of assuming they were already pulled by callers. This fixes the performance regression, but could also allow virtio_net to accept packets with more than 128bytes of headers. Many thanks to Xuan Zhuo for his report, and his tests/help. Fixes: 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") Reported-by: Xuan Zhuo Link: https://www.spinics.net/lists/netdev/msg731397.html Co-Developed-by: Xuan Zhuo Signed-off-by: Xuan Zhuo Signed-off-by: Eric Dumazet Cc: "Michael S. Tsirkin" Cc: Jason Wang Cc: virtualization@lists.linux-foundation.org Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cbb397b673bdd2ba36599ba39af67a483c5cf17c Author: Arnd Bergmann Date: Mon Mar 22 17:44:29 2021 +0100 isdn: capi: fix mismatched prototypes commit 5ee7d4c7fbc9d3119a20b1c77d34003d1f82ac26 upstream. gcc-11 complains about a prototype declaration that is different from the function definition: drivers/isdn/capi/kcapi.c:724:44: error: argument 2 of type ‘u8 *’ {aka ‘unsigned char *’} declared as a pointer [-Werror=array-parameter=] 724 | u16 capi20_get_manufacturer(u32 contr, u8 *buf) | ~~~~^~~ In file included from drivers/isdn/capi/kcapi.c:13: drivers/isdn/capi/kcapi.h:62:43: note: previously declared as an array ‘u8[64]’ {aka ‘unsigned char[64]’} 62 | u16 capi20_get_manufacturer(u32 contr, u8 buf[CAPI_MANUFACTURER_LEN]); | ~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/isdn/capi/kcapi.c:790:38: error: argument 2 of type ‘u8 *’ {aka ‘unsigned char *’} declared as a pointer [-Werror=array-parameter=] 790 | u16 capi20_get_serial(u32 contr, u8 *serial) | ~~~~^~~~~~ In file included from drivers/isdn/capi/kcapi.c:13: drivers/isdn/capi/kcapi.h:64:37: note: previously declared as an array ‘u8[8]’ {aka ‘unsigned char[8]’} 64 | u16 capi20_get_serial(u32 contr, u8 serial[CAPI_SERIAL_LEN]); | ~~~^~~~~~~~~~~~~~~~~~~~~~~ Change the definition to make them match. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a60855366be53dfaf185fdb8fad59ff0a5a0ff0a Author: Kaixu Xia Date: Wed Nov 4 13:24:04 2020 +0800 cxgb4: Fix the -Wmisleading-indentation warning commit ea8146c6845799142aa4ee2660741c215e340cdf upstream. Fix the gcc warning: drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c:2673:9: warning: this 'for' clause does not guard... [-Wmisleading-indentation] 2673 | for (i = 0; i < n; ++i) \ Reported-by: Tosk Robot Signed-off-by: Kaixu Xia Link: https://lore.kernel.org/r/1604467444-23043-1-git-send-email-kaixuxia@tencent.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c6034b618c1abc0084c12c6514fdae184d70df94 Author: Arnd Bergmann Date: Mon Mar 22 17:42:26 2021 +0100 usb: sl811-hcd: improve misleading indentation commit 8460f6003a1d2633737b89c4f69d6f4c0c7c65a3 upstream. gcc-11 now warns about a confusingly indented code block: drivers/usb/host/sl811-hcd.c: In function ‘sl811h_hub_control’: drivers/usb/host/sl811-hcd.c:1291:9: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation] 1291 | if (*(u16*)(buf+2)) /* only if wPortChange is interesting */ | ^~ drivers/usb/host/sl811-hcd.c:1295:17: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’ 1295 | break; Rewrite this to use a single if() block with the __is_defined() macro. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210322164244.827589-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit c2e7c260371d07e3d3c556626d8e797fa75220dc Author: Arnd Bergmann Date: Mon Mar 22 17:43:03 2021 +0100 kgdb: fix gcc-11 warning on indentation commit 40cc3a80bb42587db1e6ae21d6f3090582d33e89 upstream. gcc-11 starts warning about misleading indentation inside of macros: drivers/misc/kgdbts.c: In function ‘kgdbts_break_test’: drivers/misc/kgdbts.c:103:9: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation] 103 | if (verbose > 1) \ | ^~ drivers/misc/kgdbts.c:200:9: note: in expansion of macro ‘v2printk’ 200 | v2printk("kgdbts: breakpoint complete\n"); | ^~~~~~~~ drivers/misc/kgdbts.c:105:17: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’ 105 | touch_nmi_watchdog(); \ | ^~~~~~~~~~~~~~~~~~ The code looks correct to me, so just reindent it for readability. Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite") Acked-by: Daniel Thompson Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210322164308.827846-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit b6795cdc268bd416a2a3a90e1d4e5c59fba410fb Author: Arnd Bergmann Date: Tue Mar 23 14:16:28 2021 +0100 airo: work around stack usage warning commit 7909a590eba6d021f104958857cbc4f0089daceb upstream. gcc-11 with KASAN on 32-bit arm produces a warning about a function that needs a lot of stack space: drivers/net/wireless/cisco/airo.c: In function 'setup_card.constprop': drivers/net/wireless/cisco/airo.c:3960:1: error: the frame size of 1512 bytes is larger than 1400 bytes [-Werror=frame-larger-than=] Most of this is from a single large structure that could be dynamically allocated or moved into the per-device structure. However, as the callers all seem to have a fairly well bounded call chain, the easiest change is to pull out the part of the function that needs the large variables into a separate function and mark that as noinline_for_stack. This does not reduce the total stack usage, but it gets rid of the warning and requires minimal changes otherwise. Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210323131634.2669455-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit 80e414e7cf7da60f2986ac07e15f5d4b01c3493e Author: Linus Torvalds Date: Sat May 8 11:30:22 2021 -0700 drm/i915/display: fix compiler warning about array overrun commit fec4d42724a1bf3dcba52307e55375fdb967b852 upstream. intel_dp_check_mst_status() uses a 14-byte array to read the DPRX Event Status Indicator data, but then passes that buffer at offset 10 off as an argument to drm_dp_channel_eq_ok(). End result: there are only 4 bytes remaining of the buffer, yet drm_dp_channel_eq_ok() wants a 6-byte buffer. gcc-11 correctly warns about this case: drivers/gpu/drm/i915/display/intel_dp.c: In function ‘intel_dp_check_mst_status’: drivers/gpu/drm/i915/display/intel_dp.c:3491:22: warning: ‘drm_dp_channel_eq_ok’ reading 6 bytes from a region of size 4 [-Wstringop-overread] 3491 | !drm_dp_channel_eq_ok(&esi[10], intel_dp->lane_count)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/i915/display/intel_dp.c:3491:22: note: referencing argument 1 of type ‘const u8 *’ {aka ‘const unsigned char *’} In file included from drivers/gpu/drm/i915/display/intel_dp.c:38: include/drm/drm_dp_helper.h:1466:6: note: in a call to function ‘drm_dp_channel_eq_ok’ 1466 | bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE], | ^~~~~~~~~~~~~~~~~~~~ 6:14 elapsed This commit just extends the original array by 2 zero-initialized bytes, avoiding the warning. There may be some underlying bug in here that caused this confusion, but this is at least no worse than the existing situation that could use random data off the stack. Cc: Jani Nikula Cc: Ville Syrjälä Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Daniel Vetter Cc: Dave Airlie Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee387de3cab151d7a37066b3310c46a3edad7471 Author: Arnd Bergmann Date: Mon Mar 22 17:45:36 2021 +0100 x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes commit 396a66aa1172ef2b78c21651f59b40b87b2e5e1e upstream. gcc-11 warns about mismatched prototypes here: arch/x86/lib/msr-smp.c:255:51: error: argument 2 of type ‘u32 *’ {aka ‘unsigned int *’} declared as a pointer [-Werror=array-parameter=] 255 | int rdmsr_safe_regs_on_cpu(unsigned int cpu, u32 *regs) | ~~~~~^~~~ arch/x86/include/asm/msr.h:347:50: note: previously declared as an array ‘u32[8]’ {aka ‘unsigned int[8]’} GCC is right here - fix up the types. [ mingo: Twiddled the changelog. ] Signed-off-by: Arnd Bergmann Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20210322164541.912261-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman commit 689e89aee55c565fe90fcdf8a7e53f2f976c5946 Author: Greg Kroah-Hartman Date: Wed May 19 10:13:20 2021 +0200 Linux 5.10.38 Tested-by: Florian Fainelli Tested-by: Fox Chen Tested-by: Jon Hunter Tested-by: Salvatore Bonaccorso Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Jason Self Tested-by: Joel Stanley Tested-by: Hulk Robot Tested-by: Sudip Mukherjee Tested-by: Linux Kernel Functional Testing Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20210517140305.140529752@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit ed350825e89a3d23f5d88110c8dd32ac167894ad Author: Kuninori Morimoto Date: Thu Apr 8 13:28:47 2021 +0900 ASoC: rsnd: check all BUSIF status when error commit a4856e15e58b54977f1c0c0299309ad4d1f13365 upstream. commit 66c705d07d784 ("SoC: rsnd: add interrupt support for SSI BUSIF buffer") adds __rsnd_ssi_interrupt() checks for BUSIF status, but is using "break" at for loop. This means it is not checking all status. Let's check all BUSIF status. Fixes: commit 66c705d07d784 ("SoC: rsnd: add interrupt support for SSI BUSIF buffer") Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/874kgh1jsw.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit cd709c8e06b6356c820297f583070884c60186c9 Author: Christoph Hellwig Date: Fri Apr 9 11:46:12 2021 +0200 nvme: do not try to reconfigure APST when the controller is not live commit 53fe2a30bc168db9700e00206d991ff934973cf1 upstream. Do not call nvme_configure_apst when the controller is not live, given that nvme_configure_apst will fail due the lack of an admin queue when the controller is being torn down and nvme_set_latency_tolerance is called from dev_pm_qos_hide_latency_tolerance. Fixes: 510a405d945b("nvme: fix memory leak for power latency tolerance") Reported-by: Peng Liu Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Signed-off-by: Greg Kroah-Hartman commit 054add24a869ab82b0211c5308c479b7ad5d64a1 Author: Arnd Bergmann Date: Fri Apr 9 22:12:05 2021 +0200 ext4: fix debug format string warning commit fcdf3c34b7abdcbb49690c94c7fa6ce224dc9749 upstream. Using no_printk() for jbd_debug() revealed two warnings: fs/jbd2/recovery.c: In function 'fc_do_one_pass': fs/jbd2/recovery.c:256:30: error: format '%d' expects a matching 'int' argument [-Werror=format=] 256 | jbd_debug(3, "Processing fast commit blk with seq %d"); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fs/ext4/fast_commit.c: In function 'ext4_fc_replay_add_range': fs/ext4/fast_commit.c:1732:30: error: format '%d' expects argument of type 'int', but argument 2 has type 'long unsigned int' [-Werror=format=] 1732 | jbd_debug(1, "Converting from %d to %d %lld", The first one was added incorrectly, and was also missing a few newlines in debug output, and the second one happened when the type of an argument changed. Reported-by: kernel test robot Fixes: d556435156b7 ("jbd2: avoid -Wempty-body warnings") Fixes: 6db074618969 ("ext4: use BIT() macro for BH_** state bits") Fixes: 5b849b5f96b4 ("jbd2: fast commit recovery path") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210409201211.1866633-1-arnd@kernel.org Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit c5dffd422145ee12ae0cd4a1aaf7b8c83624468a Author: Kees Cook Date: Mon Apr 5 14:39:59 2021 -0700 debugfs: Make debugfs_allow RO after init commit 312723a0b34d6d110aa4427a982536bb36ab8471 upstream. Since debugfs_allow is only set at boot time during __init, make it read-only after being set. Fixes: a24c6f7bc923 ("debugfs: Add access restriction option") Cc: Peter Enderborg Reviewed-by: Peter Enderborg Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210405213959.3079432-1-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit 81cb4f36d62c37ee0c81c57718b4afe12e2bece6 Author: Zhen Lei Date: Thu Apr 22 17:08:57 2021 +0800 dt-bindings: serial: 8250: Remove duplicated compatible strings commit a7277a73984114b38dcb62c8548850800ffe864e upstream. The compatible strings "mediatek,*" appears two times, remove one of them. Fixes: e69f5dc623f9 ("dt-bindings: serial: Convert 8250 to json-schema") Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210422090857.583-1-thunder.leizhen@huawei.com Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit c1514ad24c3e6e2beac1f0338f0d8fa2cfaee5f6 Author: Geert Uytterhoeven Date: Thu Apr 29 14:45:52 2021 +0200 dt-bindings: media: renesas,vin: Make resets optional on R-Car Gen1 commit 7935bb56e21b2add81149f4def8e59b4133fe57c upstream. The "resets" property is not present on R-Car Gen1 SoCs. Supporting it would require migrating from renesas,cpg-clocks to renesas,cpg-mssr. Fixes: 905fc6b1bfb4a631 ("dt-bindings: rcar-vin: Convert bindings to json-schema") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/217c8197efaee7d803b22d433abb0ea8e33b84c6.1619700314.git.geert+renesas@glider.be Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit c4e3d8cf615bf651ef39e24210e73700187244dd Author: Qii Wang Date: Sat Apr 17 14:46:50 2021 +0800 i2c: mediatek: Fix send master code at more than 1MHz commit 63ce8e3df8f6deca2da52eaf064751ad4018b46e upstream. There are some omissions in the previous patch about replacing I2C_MAX_FAST_MODE__FREQ with I2C_MAX_FAST_MODE_PLUS_FREQ and need to fix it. Fixes: b44658e755b5("i2c: mediatek: Send i2c master code at more than 1MHz") Signed-off-by: Qii Wang Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 667627fa85a8bf02024319028b6c3121b3b494f0 Author: Fabio Estevam Date: Sat Mar 20 13:21:52 2021 +0100 media: rkvdec: Remove of_match_ptr() commit c2357dd9cbafc8ed37156e32c24884cfa8380b2f upstream. When building with CONFIG_OF not set, the following clang build warning is seen: >> drivers/staging/media/rkvdec/rkvdec.c:967:34: warning: unused variable 'of_rkvdec_match' [-Wunused-const-variable] Fix the warning by removing the unnecessary of_match_ptr(). Reported-by: kernel test robot Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") Signed-off-by: Fabio Estevam Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit b0402e78535169d178c86a5800c32f7a299d73fd Author: Paweł Chmiel Date: Sat Oct 24 17:43:46 2020 +0200 clk: exynos7: Mark aclk_fsys1_200 as critical commit 34138a59b92c1a30649a18ec442d2e61f3bc34dd upstream. This clock must be always enabled to allow access to any registers in fsys1 CMU. Until proper solution based on runtime PM is applied (similar to what was done for Exynos5433), mark that clock as critical so it won't be disabled. It was observed on Samsung Galaxy S6 device (based on Exynos7420), where UFS module is probed before pmic used to power that device. In this case defer probe was happening and that clock was disabled by UFS driver, causing whole boot to hang on next CMU access. Fixes: 753195a749a6 ("clk: samsung: exynos7: Correct CMU_FSYS1 clocks names") Signed-off-by: Paweł Chmiel Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/linux-clk/20201024154346.9589-1-pawel.mikolaj.chmiel@gmail.com [s.nawrocki: Added comment in the code] Signed-off-by: Sylwester Nawrocki Signed-off-by: Greg Kroah-Hartman commit 805c990a9c54b9451d3daff640b850909c31ab9d Author: Stéphane Marchesin Date: Thu Apr 29 03:10:21 2021 +0000 drm/i915: Fix crash in auto_retire commit 402be8a101190969fc7ff122d07e262df86e132b upstream. The retire logic uses the 2 lower bits of the pointer to the retire function to store flags. However, the auto_retire function is not guaranteed to be aligned to a multiple of 4, which causes crashes as we jump to the wrong address, for example like this: 2021-04-24T18:03:53.804300Z WARNING kernel: [ 516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI 2021-04-24T18:03:53.804310Z WARNING kernel: [ 516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G U 5.4.105-13595-g3cd84167b2df #1 2021-04-24T18:03:53.804311Z WARNING kernel: [ 516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021 2021-04-24T18:03:53.804312Z WARNING kernel: [ 516.876911] Workqueue: events_unbound active_work 2021-04-24T18:03:53.804313Z WARNING kernel: [ 516.876914] RIP: 0010:auto_retire+0x1/0x20 2021-04-24T18:03:53.804314Z WARNING kernel: [ 516.876916] Code: e8 01 f2 ff ff eb 02 31 db 48 89 d8 5b 5d c3 0f 1f 44 00 00 55 48 89 e5 f0 ff 87 c8 00 00 00 0f 88 ab 47 4a 00 31 c0 5d c3 0f <1f> 44 00 00 55 48 89 e5 f0 ff 8f c8 00 00 00 0f 88 9a 47 4a 00 74 2021-04-24T18:03:53.804319Z WARNING kernel: [ 516.876918] RSP: 0018:ffff9b4d809fbe38 EFLAGS: 00010286 2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876919] RAX: 0000000000000007 RBX: ffff927915079600 RCX: 0000000000000007 2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876921] RDX: ffff9b4d809fbe40 RSI: 0000000000000286 RDI: ffff927915079600 2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876922] RBP: ffff9b4d809fbe68 R08: 8080808080808080 R09: fefefefefefefeff 2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876924] R10: 0000000000000010 R11: ffffffff92e44bd8 R12: ffff9279150796a0 2021-04-24T18:03:53.804322Z WARNING kernel: [ 516.876925] R13: ffff92791c368180 R14: ffff927915079640 R15: 000000001c867605 2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876926] FS: 0000000000000000(0000) GS:ffff92791ffc0000(0000) knlGS:0000000000000000 2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 2021-04-24T18:03:53.804324Z WARNING kernel: [ 516.876929] CR2: 0000239514955000 CR3: 00000007f82da001 CR4: 0000000000760ee0 2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876930] PKRU: 55555554 2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876931] Call Trace: 2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876935] __active_retire+0x77/0xcf 2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876939] process_one_work+0x1da/0x394 2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876941] worker_thread+0x216/0x375 2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876944] kthread+0x147/0x156 2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876946] ? pr_cont_work+0x58/0x58 2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876948] ? kthread_blkcg+0x2e/0x2e 2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876950] ret_from_fork+0x1f/0x40 2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876952] Modules linked in: cdc_mbim cdc_ncm cdc_wdm xt_cgroup rfcomm cmac algif_hash algif_skcipher af_alg xt_MASQUERADE uinput snd_soc_rt5682_sdw snd_soc_rt5682 snd_soc_max98373_sdw snd_soc_max98373 snd_soc_rl6231 regmap_sdw snd_soc_sof_sdw snd_soc_hdac_hdmi snd_soc_dmic snd_hda_codec_hdmi snd_sof_pci snd_sof_intel_hda_common intel_ipu6_psys snd_sof_xtensa_dsp soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core soundwire_bus snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core intel_ipu6_isys videobuf2_dma_contig videobuf2_v4l2 videobuf2_common videobuf2_memops mei_hdcp intel_ipu6 ov2740 ov8856 at24 sx9310 dw9768 v4l2_fwnode cros_ec_typec intel_pmc_mux roles acpi_als typec fuse iio_trig_sysfs cros_ec_light_prox cros_ec_lid_angle cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer cros_ec_sensors_ring kfifo_buf industrialio cros_ec_sensorhub 2021-04-24T18:03:53.804337Z WARNING kernel: [ 516.876972] cdc_ether usbnet iwlmvm lzo_rle lzo_compress iwl7000_mac80211 iwlwifi zram cfg80211 r8152 mii btusb btrtl btintel btbcm bluetooth ecdh_generic ecc joydev 2021-04-24T18:03:53.804337Z EMERG kernel: [ 516.879169] gsmi: Log Shutdown Reason 0x03 This change fixes this by aligning the function. Signed-off-by: Stéphane Marchesin Fixes: 229007e02d69 ("drm/i915: Wrap i915_active in a simple kreffed struct") Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20210429031021.1218091-1-marcheu@chromium.org (cherry picked from commit ca419f407b43cc89942ebc297c7a63d94abbcae4) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit cd47b861d2251235f5e2ef6a31930d71c147c387 Author: Tvrtko Ursulin Date: Thu Apr 29 09:35:29 2021 +0100 drm/i915/overlay: Fix active retire callback alignment commit a915fe5e9601c632417ef5261af70788d7d23a8a upstream. __i915_active_call annotation is required on the retire callback to ensure correct function alignment. Signed-off-by: Tvrtko Ursulin Fixes: a21ce8ad12d2 ("drm/i915/overlay: Switch to using i915_active tracking") Cc: Chris Wilson Cc: Matthew Auld Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210429083530.849546-1-tvrtko.ursulin@linux.intel.com (cherry picked from commit d8e44e4dd221ee283ea60a6fb87bca08807aa0ab) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit a67c80dcb4031c2188fd68e57e1b3b67077b69ce Author: Ville Syrjälä Date: Wed Apr 21 18:33:59 2021 +0300 drm/i915: Read C0DRB3/C1DRB3 as 16 bits again commit 04d019961fd15de92874575536310243a0d4c5c5 upstream. We've defined C0DRB3/C1DRB3 as 16 bit registers, so access them as such. Fixes: 1c8242c3a4b2 ("drm/i915: Use unchecked writes for setting up the fences") Reviewed-by: Chris Wilson Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210421153401.13847-3-ville.syrjala@linux.intel.com (cherry picked from commit f765a5b48c667bdada5e49d5e0f23f8c0687b21b) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 17928443db88bfafbf20b700cf2f65e722d67f6d Author: Lv Yunlong Date: Mon Apr 26 05:43:40 2021 -0700 drm/i915/gt: Fix a double free in gen8_preallocate_top_level_pdp commit ea995218dddba171fecd05496c69617c5ef3c5b8 upstream. Our code analyzer reported a double free bug. In gen8_preallocate_top_level_pdp, pde and pde->pt.base are allocated via alloc_pd(vm) with one reference. If pin_pt_dma() failed, pde->pt.base is freed by i915_gem_object_put() with a reference dropped. Then free_pd calls free_px() defined in intel_ppgtt.c, which calls i915_gem_object_put() to put pde->pt.base again. As pde->pt.base is protected by refcount, so the second put will not free pde->pt.base actually. But, maybe it is better to remove the first put? Fixes: 82adf901138cc ("drm/i915/gt: Shrink i915_page_directory's slab bucket") Signed-off-by: Lv Yunlong Reviewed-by: Matthew Auld Signed-off-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20210426124340.4238-1-lyl2019@mail.ustc.edu.cn (cherry picked from commit ac69496fe65cca0611d5917b7d232730ff605bc7) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 20530f7fde75c44721e4a7465d3179147180339f Author: Greg Kroah-Hartman Date: Mon Apr 5 11:48:52 2021 +0200 kobject_uevent: remove warning in init_uevent_argv() commit b4104180a2efb85f55e1ba1407885c9421970338 upstream. syzbot can trigger the WARN() in init_uevent_argv() which isn't the nicest as the code does properly recover and handle the error. So change the WARN() call to pr_warn() and provide some more information on what the buffer size that was needed. Link: https://lore.kernel.org/r/20201107082206.GA19079@kroah.com Cc: "Rafael J. Wysocki" Cc: linux-kernel@vger.kernel.org Reported-by: syzbot+92340f7b2b4789907fdb@syzkaller.appspotmail.com Signed-off-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20210405094852.1348499-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 6ece86e9e88fb1e557ce1ef58e14d1d729aae59f Author: Badhri Jagan Sridharan Date: Wed Apr 14 22:01:21 2021 -0700 usb: typec: tcpm: Fix error while calculating PPS out values commit 374157ff88ae1a7f7927331cbc72c1ec11994e8a upstream. "usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply" introduced a regression for req_out_volt and req_op_curr calculation. req_out_volt should consider the newly calculated max voltage instead of previously accepted max voltage by the port partner. Likewise, req_op_curr should consider the newly calculated max current instead of previously accepted max current by the port partner. Fixes: e3a072022487 ("usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply") Reviewed-by: Guenter Roeck Signed-off-by: Badhri Jagan Sridharan Link: https://lore.kernel.org/r/20210415050121.1928298-1-badhri@google.com Signed-off-by: Greg Kroah-Hartman commit 5d2f09c44ff28ac792e24e8f2ff9e29ba210fcb4 Author: Ard Biesheuvel Date: Mon May 10 06:21:11 2021 -0700 ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section commit 10fce53c0ef8f6e79115c3d9e0d7ea1338c3fa37 upstream The early ATAGS/DT mapping code uses SECTION_SHIFT to mask low order bits of R2, and decides that no ATAGS/DTB were provided if the resulting value is 0x0. This means that on systems where DRAM starts at 0x0 (such as Raspberry Pi), no explicit mapping of the DT will be created if R2 points into the first 1 MB section of memory. This was not a problem before, because the decompressed kernel is loaded at the base of DRAM and mapped using sections as well, and so as long as the DT is referenced via a virtual address that uses the same translation (the linear map, in this case), things work fine. However, commit 7a1be318f579 ("9012/1: move device tree mapping out of linear region") changes this, and now the DT is referenced via a virtual address that is disjoint from the linear mapping of DRAM, and so we need the early code to create the DT mapping unconditionally. So let's create the early DT mapping for any value of R2 != 0x0. Reported-by: "kernelci.org bot" Reviewed-by: Linus Walleij Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit ac421c7f90c84362b6500eccaf4277b7122cc90a Author: Ard Biesheuvel Date: Mon May 10 06:21:10 2021 -0700 ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address commit fc2933c133744305236793025b00c2f7d258b687 upstream Commit 149a3ffe62b9dbc3 ("9012/1: move device tree mapping out of linear region") created a permanent, read-only section mapping of the device tree blob provided by the firmware, and added a set of macros to get the base and size of the virtually mapped FDT based on the physical address. However, while the mapping code uses the SECTION_SIZE macro correctly, the macros use PMD_SIZE instead, which means something entirely different on ARM when using short descriptors, and is therefore not the right quantity to use here. So replace PMD_SIZE with SECTION_SIZE. While at it, change the names of the macro and its parameter to clarify that it returns the virtual address of the start of the FDT, based on the physical address in memory. Tested-by: Joel Stanley Tested-by: Marek Szyprowski Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 1eb77569029da382924fda0f23ecaea8e10acac6 Author: Ard Biesheuvel Date: Mon May 10 06:21:09 2021 -0700 ARM: 9012/1: move device tree mapping out of linear region commit 7a1be318f5795cb66fa0dc86b3ace427fe68057f upstream On ARM, setting up the linear region is tricky, given the constraints around placement and alignment of the memblocks, and how the kernel itself as well as the DT are placed in physical memory. Let's simplify matters a bit, by moving the device tree mapping to the top of the address space, right between the end of the vmalloc region and the start of the the fixmap region, and create a read-only mapping for it that is independent of the size of the linear region, and how it is organized. Since this region was formerly used as a guard region, which will now be populated fully on LPAE builds by this read-only mapping (which will still be able to function as a guard region for stray writes), bump the start of the [underutilized] fixmap region by 512 KB as well, to ensure that there is always a proper guard region here. Doing so still leaves ample room for the fixmap space, even with NR_CPUS set to its maximum value of 32. Tested-by: Linus Walleij Reviewed-by: Linus Walleij Reviewed-by: Nicolas Pitre Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 6cdbafc2addd0a7c4e710a29b3ed2a8610add13a Author: Ard Biesheuvel Date: Mon May 10 06:21:08 2021 -0700 ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address commit e9a2f8b599d0bc22a1b13e69527246ac39c697b4 upstream Before moving the DT mapping out of the linear region, let's prepare for this change by removing all the phys-to-virt translations of the __atags_pointer variable, and perform this translation only once at setup time. Tested-by: Linus Walleij Reviewed-by: Linus Walleij Acked-by: Nicolas Pitre Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 6d5fda434b1f46c22ce3cde04729005dfb2eb2d6 Author: Tony Lindgren Date: Tue Mar 23 09:43:26 2021 +0200 clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940 commit 25de4ce5ed02994aea8bc111d133308f6fd62566 upstream. There is a timer wrap issue on dra7 for the ARM architected timer. In a typical clock configuration the timer fails to wrap after 388 days. To work around the issue, we need to use timer-ti-dm percpu timers instead. Let's configure dmtimer3 and 4 as percpu timers by default, and warn about the issue if the dtb is not configured properly. Let's do this as a single patch so it can be backported to v5.8 and later kernels easily. Note that this patch depends on earlier timer-ti-dm systimer posted mode fixes, and a preparatory clockevent patch "clocksource/drivers/timer-ti-dm: Prepare to handle dra7 timer wrap issue". For more information, please see the errata for "AM572x Sitara Processors Silicon Revisions 1.1, 2.0": https://www.ti.com/lit/er/sprz429m/sprz429m.pdf The concept is based on earlier reference patches done by Tero Kristo and Keerthy. Cc: Keerthy Cc: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210323074326.28302-3-tony@atomide.com Signed-off-by: Greg Kroah-Hartman commit 06470de53e4f95fd8f2e608115dbac440ccf9007 Author: Tony Lindgren Date: Tue Mar 23 09:43:25 2021 +0200 clocksource/drivers/timer-ti-dm: Prepare to handle dra7 timer wrap issue commit 3efe7a878a11c13b5297057bfc1e5639ce1241ce upstream. There is a timer wrap issue on dra7 for the ARM architected timer. In a typical clock configuration the timer fails to wrap after 388 days. To work around the issue, we need to use timer-ti-dm timers instead. Let's prepare for adding support for percpu timers by adding a common dmtimer_clkevt_init_common() and call it from dmtimer_clockevent_init(). This patch makes no intentional functional changes. Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210323074326.28302-2-tony@atomide.com Signed-off-by: Greg Kroah-Hartman commit 462049cfb342c4f5e8344452a205207fc5575f1b Author: Maciej W. Rozycki Date: Thu Apr 22 22:36:12 2021 +0200 MIPS: Avoid handcoded DIVU in `__div64_32' altogether commit 25ab14cbe9d1b66fda44c71a2db7582a31b6f5cd upstream. Remove the inline asm with a DIVU instruction from `__div64_32' and use plain C code for the intended DIVMOD calculation instead. GCC is smart enough to know that both the quotient and the remainder are calculated with single DIVU, so with ISAs up to R5 the same instruction is actually produced with overall similar code. For R6 compiled code will work, but separate DIVU and MODU instructions will be produced, which are also interlocked, so scalar implementations will likely not perform as well as older ISAs with their asynchronous MD unit. Likely still faster then the generic algorithm though. This removes a compilation error for R6 however where the original DIVU instruction is not supported anymore and the MDU accumulator registers have been removed and consequently GCC complains as to a constraint it cannot find a register for: In file included from ./include/linux/math.h:5, from ./include/linux/kernel.h:13, from mm/page-writeback.c:15: ./include/linux/math64.h: In function 'div_u64_rem': ./arch/mips/include/asm/div64.h:76:17: error: inconsistent operand constraints in an 'asm' 76 | __asm__("divu $0, %z1, %z2" \ | ^~~~~~~ ./include/asm-generic/div64.h:245:25: note: in expansion of macro '__div64_32' 245 | __rem = __div64_32(&(n), __base); \ | ^~~~~~~~~~ ./include/linux/math64.h:91:22: note: in expansion of macro 'do_div' 91 | *remainder = do_div(dividend, divisor); | ^~~~~~ This has passed correctness verification with test_div64 and reduced the module's average execution time down to 1.0404s from 1.0445s with R3400 @40MHz. The module's MIPS I machine code has also shrunk by 12 bytes or 3 instructions. Signed-off-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit d17af8b19d99c400a484427c88f973e6b1f842aa Author: Maciej W. Rozycki Date: Tue Apr 20 04:50:48 2021 +0200 MIPS: Avoid DIVU in `__div64_32' is result would be zero commit c1d337d45ec0a802299688e17d568c4e3a585895 upstream. We already check the high part of the divident against zero to avoid the costly DIVU instruction in that case, needed to reduce the high part of the divident, so we may well check against the divisor instead and set the high part of the quotient to zero right away. We need to treat the high part the divident in that case though as the remainder that would be calculated by the DIVU instruction we avoided. This has passed correctness verification with test_div64 and reduced the module's average execution time down to 1.0445s and 0.2619s from 1.0668s and 0.2629s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz. Signed-off-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit d2abb95bb1a438c8bcf2a7d1249ba5b94fe1e950 Author: Maciej W. Rozycki Date: Tue Apr 20 04:50:40 2021 +0200 MIPS: Reinstate platform `__div64_32' handler commit c49f71f60754acbff37505e1d16ca796bf8a8140 upstream. Our current MIPS platform `__div64_32' handler is inactive, because it is incorrectly only enabled for 64-bit configurations, for which generic `do_div' code does not call it anyway. The handler is not suitable for being called from there though as it only calculates 32 bits of the quotient under the assumption the 64-bit divident has been suitably reduced. Code for such reduction used to be there, however it has been incorrectly removed with commit c21004cd5b4c ("MIPS: Rewrite to work with gcc 4.4.0."), which should have only updated an obsoleted constraint for an inline asm involving $hi and $lo register outputs, while possibly wiring the original MIPS variant of the `do_div' macro as `__div64_32' handler for the generic `do_div' implementation Correct the handler as follows then: - Revert most of the commit referred, however retaining the current formatting, except for the final two instructions of the inline asm sequence, which the original commit missed. Omit the original 64-bit parts though. - Rename the original `do_div' macro to `__div64_32'. Use the combined `x' constraint referring to the MD accumulator as a whole, replacing the original individual `h' and `l' constraints used for $hi and $lo registers respectively, of which `h' has been obsoleted with GCC 4.4. Update surrounding code accordingly. We have since removed support for GCC versions before 4.9, so no need for a special arrangement here; GCC has supported the `x' constraint since forever anyway, or at least going back to 1991. - Rename the `__base' local variable in `__div64_32' to `__radix' to avoid a conflict with a local variable in `do_div'. - Actually enable this code for 32-bit rather than 64-bit configurations by qualifying it with BITS_PER_LONG being 32 instead of 64. Include for this macro rather than as we don't need anything else. - Finally include last rather than first. This has passed correctness verification with test_div64 and reduced the module's average execution time down to 1.0668s and 0.2629s from 2.1529s and 0.5647s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz. For a reference 64-bit `do_div' code where we have the DDIVU instruction available to do the whole calculation right away averages at 0.0660s for the latter CPU. Fixes: c21004cd5b4c ("MIPS: Rewrite to work with gcc 4.4.0.") Reported-by: Huacai Chen Signed-off-by: Maciej W. Rozycki Cc: stable@vger.kernel.org # v2.6.30+ Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit cfddf6a685e3bbdba0c9976563810ecb118fa516 Author: Matthew Wilcox (Oracle) Date: Fri May 14 17:27:24 2021 -0700 mm: fix struct page layout on 32-bit systems commit 9ddb3c14afba8bc5950ed297f02d4ae05ff35cd1 upstream. 32-bit architectures which expect 8-byte alignment for 8-byte integers and need 64-bit DMA addresses (arm, mips, ppc) had their struct page inadvertently expanded in 2019. When the dma_addr_t was added, it forced the alignment of the union to 8 bytes, which inserted a 4 byte gap between 'flags' and the union. Fix this by storing the dma_addr_t in one or two adjacent unsigned longs. This restores the alignment to that of an unsigned long. We always store the low bits in the first word to prevent the PageTail bit from being inadvertently set on a big endian platform. If that happened, get_user_pages_fast() racing against a page which was freed and reallocated to the page_pool could dereference a bogus compound_head(), which would be hard to trace back to this cause. Link: https://lkml.kernel.org/r/20210510153211.1504886-1-willy@infradead.org Fixes: c25fff7171be ("mm: add dma_addr_t to struct page") Signed-off-by: Matthew Wilcox (Oracle) Acked-by: Ilias Apalodimas Acked-by: Jesper Dangaard Brouer Acked-by: Vlastimil Babka Tested-by: Matteo Croce Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 89bd620798704a8805fc9db0d71d7f812cf5b3d2 Author: Lu Baolu Date: Sat Mar 20 10:54:12 2021 +0800 iommu/vt-d: Remove WO permissions on second-level paging entries commit eea53c5816889ee8b64544fa2e9311a81184ff9c upstream. When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always set. When using second level, we still give separate permissions that allows WriteOnly which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration. Suggested-by: Ashok Raj Fixes: b802d070a52a1 ("iommu/vt-d: Use iova over first level") Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210320025415.641201-3-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 0160f627929c8b8b5efcd513e12ca014a5a99e35 Author: Lu Baolu Date: Fri Jan 15 08:42:02 2021 +0800 iommu/vt-d: Preset Access/Dirty bits for IOVA over FL commit a8ce9ebbecdfda3322bbcece6b3b25888217f8e3 upstream. The Access/Dirty bits in the first level page table entry will be set whenever a page table entry was used for address translation or write permission was successfully translated. This is always true when using the first-level page table for kernel IOVA. Instead of wasting hardware cycles to update the certain bits, it's better to set them up at the beginning. Suggested-by: Ashok Raj Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210115004202.953965-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit a282b76166b13496967c70bd61ea8f03609d8a76 Author: Greg Kroah-Hartman Date: Mon May 17 11:54:48 2021 +0200 Revert "iommu/vt-d: Preset Access/Dirty bits for IOVA over FL" This reverts commit 416fa531c8160151090206a51b829b9218b804d9 which is commit a8ce9ebbecdfda3322bbcece6b3b25888217f8e3 upstream as it was backported incorrectly and is causing problems for some systems. Reported-by: Wolfgang Müller Reported-by: Charles Wright Reported-by: Christoph Biedl Cc: Ashok Raj Cc: Lu Baolu Cc: Joerg Roedel Cc: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit c1f2d0beab5c9dc4e4f0e1b4b046679fd239db6a Author: Greg Kroah-Hartman Date: Mon May 17 11:54:37 2021 +0200 Revert "iommu/vt-d: Remove WO permissions on second-level paging entries" This reverts commit c848416cc05afc1589edba04fe00b85c2f797ee3 which is eea53c5816889ee8b64544fa2e9311a81184ff9c upstream. Another iommu patch was backported incorrectly, causing problems, so drop this as well for the moment. Reported-by: Wolfgang Müller Cc: Ashok Raj Cc: Lu Baolu Cc: Joerg Roedel Cc: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 31f29749ee970c251b3a7e5b914108425940d089 Author: Sean Christopherson Date: Tue May 4 10:17:24 2021 -0700 KVM: VMX: Disable preemption when probing user return MSRs commit 5104d7ffcf24749939bea7fdb5378d186473f890 upstream. Disable preemption when probing a user return MSR via RDSMR/WRMSR. If the MSR holds a different value per logical CPU, the WRMSR could corrupt the host's value if KVM is preempted between the RDMSR and WRMSR, and then rescheduled on a different CPU. Opportunistically land the helper in common x86, SVM will use the helper in a future commit. Fixes: 4be534102624 ("KVM: VMX: Initialize vmx->guest_msrs[] right after allocation") Cc: stable@vger.kernel.org Cc: Xiaoyao Li Signed-off-by: Sean Christopherson Message-Id: <20210504171734.1434054-6-seanjc@google.com> Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 79abde761e05ea1cb5996d458c0d31f0d80813f1 Author: Sean Christopherson Date: Tue May 4 10:17:20 2021 -0700 KVM: VMX: Do not advertise RDPID if ENABLE_RDTSCP control is unsupported commit 8aec21c04caa2000f91cf8822ae0811e4b0c3971 upstream. Clear KVM's RDPID capability if the ENABLE_RDTSCP secondary exec control is unsupported. Despite being enumerated in a separate CPUID flag, RDPID is bundled under the same VMCS control as RDTSCP and will #UD in VMX non-root if ENABLE_RDTSCP is not enabled. Fixes: 41cd02c6f7f6 ("kvm: x86: Expose RDPID in KVM_GET_SUPPORTED_CPUID") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210504171734.1434054-2-seanjc@google.com> Reviewed-by: Jim Mattson Reviewed-by: Reiji Watanabe Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c8bf64e3fb77cc19bad146fbe26651985b117194 Author: Vitaly Kuznetsov Date: Mon May 3 17:08:51 2021 +0200 KVM: nVMX: Always make an attempt to map eVMCS after migration commit f5c7e8425f18fdb9bdb7d13340651d7876890329 upstream. When enlightened VMCS is in use and nested state is migrated with vmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs page right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr' and we can't read it from VP assist page because userspace may decide to restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state (and QEMU, for example, does exactly that). To make sure eVMCS is mapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES request. Commit f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to nested_vmx_vmexit() to make sure MSR permission bitmap is not switched when an immediate exit from L2 to L1 happens right after migration (caused by a pending event, for example). Unfortunately, in the exact same situation we still need to have eVMCS mapped so nested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS. As a band-aid, restore nested_get_evmcs_page() when clearing KVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far from being ideal as we can't easily propagate possible failures and even if we could, this is most likely already too late to do so. The whole 'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration seems to be fragile as we diverge too much from the 'native' path when vmptr loading happens on vmx_set_nested_state(). Fixes: f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit") Signed-off-by: Vitaly Kuznetsov Message-Id: <20210503150854.1144255-2-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 2f86dd3d2bcfda3e14e8ee734e970dc05287d5fc Author: Sean Christopherson Date: Tue May 4 10:17:23 2021 -0700 KVM: x86: Move RDPID emulation intercept to its own enum commit 2183de4161b90bd3851ccd3910c87b2c9adfc6ed upstream. Add a dedicated intercept enum for RDPID instead of piggybacking RDTSCP. Unlike VMX's ENABLE_RDTSCP, RDPID is not bound to SVM's RDTSCP intercept. Fixes: fb6d4d340e05 ("KVM: x86: emulate RDPID") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210504171734.1434054-5-seanjc@google.com> Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit abbf8c99a9e12182c350e93cb808de4599a2f701 Author: Sean Christopherson Date: Tue May 4 10:17:21 2021 -0700 KVM: x86: Emulate RDPID only if RDTSCP is supported commit 85d0011264da24be08ae907d7f29983a597ca9b1 upstream. Do not advertise emulation support for RDPID if RDTSCP is unsupported. RDPID emulation subtly relies on MSR_TSC_AUX to exist in hardware, as both vmx_get_msr() and svm_get_msr() will return an error if the MSR is unsupported, i.e. ctxt->ops->get_msr() will fail and the emulator will inject a #UD. Note, RDPID emulation also relies on RDTSCP being enabled in the guest, but this is a KVM bug and will eventually be fixed. Fixes: fb6d4d340e05 ("KVM: x86: emulate RDPID") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210504171734.1434054-3-seanjc@google.com> Reviewed-by: Jim Mattson Reviewed-by: Reiji Watanabe Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8a7027f011c5127d2c6e756425a831445f763f0c Author: Juergen Gross Date: Fri Apr 23 07:40:38 2021 +0200 xen/gntdev: fix gntdev_mmap() error exit path commit 970655aa9b42461f8394e4457307005bdeee14d9 upstream. Commit d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert") introduced an error in gntdev_mmap(): in case the call of mmu_interval_notifier_insert_locked() fails the exit path should not call mmu_interval_notifier_remove(), as this might result in NULL dereferences. One reason for failure is e.g. a signal pending for the running process. Fixes: d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert") Cc: stable@vger.kernel.org Reported-by: Marek Marczykowski-Górecki Tested-by: Marek Marczykowski-Górecki Signed-off-by: Juergen Gross Reviewed-by: Luca Fancellu Link: https://lore.kernel.org/r/20210423054038.26696-1-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 652c9689f58900bcae9585f3c38d6596700898f0 Author: Oliver Neukum Date: Mon Apr 26 11:26:22 2021 +0200 cdc-wdm: untangle a circular dependency between callback and softint commit 18abf874367456540846319574864e6ff32752e2 upstream. We have a cycle of callbacks scheduling works which submit URBs with those callbacks. This needs to be blocked, stopped and unblocked to untangle the circle. Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20210426092622.20433-1-oneukum@suse.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 12d16c24f35f98f9dc083035a9a6d8dcf59fe198 Author: Colin Ian King Date: Fri May 7 19:30:41 2021 +0100 iio: tsl2583: Fix division by a zero lux_val commit af0e1871d79cfbb91f732d2c6fa7558e45c31038 upstream. The lux_val returned from tsl2583_get_lux can potentially be zero, so check for this to avoid a division by zero and an overflowed gain_trim_val. Fixes clang scan-build warning: drivers/iio/light/tsl2583.c:345:40: warning: Either the condition 'lux_val<0' is redundant or there is division by zero at line 345. [zerodivcond] Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver") Signed-off-by: Colin Ian King Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit e8c6852bdba2995a9ed278e793a50159f53fa879 Author: Dmitry Osipenko Date: Fri Apr 23 05:09:59 2021 +0300 iio: gyro: mpu3050: Fix reported temperature value commit f73c730774d88a14d7b60feee6d0e13570f99499 upstream. The raw temperature value is a 16-bit signed integer. The sign casting is missing in the code, which results in a wrong temperature reported by userspace tools, fix it. Cc: stable@vger.kernel.org Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") Datasheet: https://www.cdiweb.com/datasheets/invensense/mpu-3000a.pdf Tested-by: Maxim Schwalm # Asus TF700T Tested-by: Svyatoslav Ryhel # Asus TF201 Reported-by: Svyatoslav Ryhel Reviewed-by: Andy Shevchenko Reviewed-by: Linus Walleij Signed-off-by: Dmitry Osipenko Acked-by: Jean-Baptiste Maneyrol Link: https://lore.kernel.org/r/20210423020959.5023-1-digetx@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 70698dda4bcab9ff1b8df0c657130ef2894f25b1 Author: Sandeep Singh Date: Wed May 12 11:08:16 2021 +0300 xhci: Add reset resume quirk for AMD xhci controller. commit 3c128781d8da463761495aaf8898c9ecb4e71528 upstream. One of AMD xhci controller require reset on resume. Occasionally AMD xhci controller does not respond to Stop endpoint command. Once the issue happens controller goes into bad state and in that case controller needs to be reset. Cc: Signed-off-by: Sandeep Singh Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210512080816.866037-6-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 9d9526cc3c01866943fb8f5b71ca0a767d16b1c3 Author: Christophe JAILLET Date: Wed May 12 11:08:14 2021 +0300 xhci: Do not use GFP_KERNEL in (potentially) atomic context commit dda32c00c9a0fa103b5d54ef72c477b7aa993679 upstream. 'xhci_urb_enqueue()' is passed a 'mem_flags' argument, because "URBs may be submitted in interrupt context" (see comment related to 'usb_submit_urb()' in 'drivers/usb/core/urb.c') So this flag should be used in all the calling chain. Up to now, 'xhci_check_maxpacket()' which is only called from 'xhci_urb_enqueue()', uses GFP_KERNEL. Be safe and pass the mem_flags to this function as well. Fixes: ddba5cd0aeff ("xhci: Use command structures when queuing commands on the command ring") Cc: Signed-off-by: Christophe JAILLET Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210512080816.866037-4-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ca043cc02a88b893c8f43da03ef94fd3e8a711d0 Author: Abhijeet Rao Date: Wed May 12 11:08:12 2021 +0300 xhci-pci: Allow host runtime PM as default for Intel Alder Lake xHCI commit b813511135e8b84fa741afdfbab4937919100bef upstream. In the same way as Intel Tiger Lake TCSS (Type-C Subsystem) the Alder Lake TCSS xHCI needs to be runtime suspended whenever possible to allow the TCSS hardware block to enter D3cold and thus save energy. Cc: stable@vger.kernel.org Signed-off-by: Abhijeet Rao Signed-off-by: Nikunj A. Dadhania Signed-off-by: Azhar Shaikh Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210512080816.866037-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit fa4b1363256d2b0456a68e969fd416804726ef45 Author: Andy Shevchenko Date: Wed May 5 01:23:37 2021 +0300 usb: typec: ucsi: Put fwnode in any case during ->probe() commit b9a0866a5bdf6a4643a52872ada6be6184c6f4f2 upstream. device_for_each_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") Cc: Heikki Krogerus Reviewed-by: Heikki Krogerus Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210504222337.3151726-1-andy.shevchenko@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit e5366bea0277425e1868ba20eeb27c879d5a6e2d Author: Jack Pham Date: Mon May 3 00:46:11 2021 -0700 usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4 commit 1f4642b72be79757f050924a9b9673b6a02034bc upstream. commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec a connected source may advertise up to a maximum of 7 PDOs. If such a source is connected it's possible the PPM could have negotiated a power contract with one of the PDOs at index greater than 4, and would be reflected in the request data object's (RDO) object position field. This would result in an out-of-bounds access when the rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now(). With the help of the UBSAN -fsanitize=array-bounds checker enabled this exact issue is revealed when connecting to a PD source adapter that advertise 5 PDOs and the PPM enters a contract having selected the 5th one. [ 151.545106][ T70] Unexpected kernel BRK exception at EL1 [ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP ... [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c [ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328 ... [ 151.545542][ T70] Call trace: [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c [ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0 [ 151.545550][ T70] dev_uevent+0x200/0x384 [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8 [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c [ 151.545562][ T70] process_one_work+0x244/0x6f0 [ 151.545564][ T70] worker_thread+0x3e0/0xa64 We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command. Fixes: 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class") Fixes: 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") Cc: stable@vger.kernel.org Reported-and-tested-by: Subbaraman Narayanamurthy Reviewed-by: Heikki Krogerus Signed-off-by: Jack Pham Link: https://lore.kernel.org/r/20210503074611.30973-1-jackp@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 9bd96a2e77fd71b39bfa3f710f6001f94da57c51 Author: Wesley Cheng Date: Fri May 7 10:55:19 2021 -0700 usb: dwc3: gadget: Return success always for kick transfer in ep queue commit 18ffa988dbae69cc6e9949cddd9606f6fe533894 upstream. If an error is received when issuing a start or update transfer command, the error handler will stop all active requests (including the current USB request), and call dwc3_gadget_giveback() to notify function drivers of the requests which have been stopped. Avoid returning an error for kick transfer during EP queue, to remove duplicate cleanup operations on the request being queued. Fixes: 8d99087c2db8 ("usb: dwc3: gadget: Properly handle failed kick_transfer") cc: stable@vger.kernel.org Signed-off-by: Wesley Cheng Link: https://lore.kernel.org/r/1620410119-24971-1-git-send-email-wcheng@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 45f37f54e7c16e2981ba3a847c0778fd561888c3 Author: Jack Pham Date: Wed Apr 28 02:01:10 2021 -0700 usb: dwc3: gadget: Enable suspend events commit d1d90dd27254c44d087ad3f8b5b3e4fff0571f45 upstream. commit 72704f876f50 ("dwc3: gadget: Implement the suspend entry event handler") introduced (nearly 5 years ago!) an interrupt handler for U3/L1-L2 suspend events. The problem is that these events aren't currently enabled in the DEVTEN register so the handler is never even invoked. Fix this simply by enabling the corresponding bit in dwc3_gadget_enable_irq() using the same revision check as found in the handler. Fixes: 72704f876f50 ("dwc3: gadget: Implement the suspend entry event handler") Acked-by: Felipe Balbi Signed-off-by: Jack Pham Cc: stable Link: https://lore.kernel.org/r/20210428090111.3370-1-jackp@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 9238492b9a8402d388c9fe370d3cbee838f97c3a Author: Chunfeng Yun Date: Wed May 12 10:07:38 2021 +0800 usb: core: hub: fix race condition about TRSMRCY of resume commit 975f94c7d6c306b833628baa9aec3f79db1eb3a1 upstream. This may happen if the port becomes resume status exactly when usb_port_resume() gets port status, it still need provide a TRSMCRY time before access the device. CC: Reported-by: Tianping Fang Acked-by: Alan Stern Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/20210512020738.52961-1-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman commit 45ad6b592e644c1c3c4d0858a891cf977c5a10b7 Author: Phil Elwell Date: Thu May 6 12:22:00 2021 +0100 usb: dwc2: Fix gadget DMA unmap direction commit 75a41ce46bae6cbe7d3bb2584eb844291d642874 upstream. The dwc2 gadget support maps and unmaps DMA buffers as necessary. When mapping and unmapping it uses the direction of the endpoint to select the direction of the DMA transfer, but this fails for Control OUT transfers because the unmap occurs after the endpoint direction has been reversed for the status phase. A possible solution would be to unmap the buffer before the direction is changed, but a safer, less invasive fix is to remember the buffer direction independently of the endpoint direction. Fixes: fe0b94abcdf6 ("usb: dwc2: gadget: manage ep0 state in software") Acked-by: Minas Harutyunyan Cc: stable Signed-off-by: Phil Elwell Link: https://lore.kernel.org/r/20210506112200.2893922-1-phil@raspberrypi.com Signed-off-by: Greg Kroah-Hartman commit 7ad9256b49a6240f5344cfb0a069a7c9dba99567 Author: Maximilian Luz Date: Wed May 12 11:08:15 2021 +0300 usb: xhci: Increase timeout for HC halt commit ca09b1bea63ab83f4cca3a2ae8bc4f597ec28851 upstream. On some devices (specifically the SC8180x based Surface Pro X with QCOM04A6) HC halt / xhci_halt() times out during boot. Manually binding the xhci-hcd driver at some point later does not exhibit this behavior. To work around this, double XHCI_MAX_HALT_USEC, which also resolves this issue. Cc: Signed-off-by: Maximilian Luz Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210512080816.866037-5-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 42bb80ae01657b8201ea8b5fa6ac96e272429383 Author: Ferry Toth Date: Sun Apr 25 17:09:47 2021 +0200 usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield commit 04357fafea9c7ed34525eb9680c760245c3bb958 upstream. On Intel Merrifield LPM is causing host to reset port after a timeout. By disabling LPM entirely this is prevented. Fixes: 066c09593454 ("usb: dwc3: pci: Enable extcon driver for Intel Merrifield") Reviewed-by: Andy Shevchenko Signed-off-by: Ferry Toth Cc: stable Link: https://lore.kernel.org/r/20210425150947.5862-1-ftoth@exalondelft.nl Signed-off-by: Greg Kroah-Hartman commit 95e3da5b53baae5a75567be9b0449953d08545e2 Author: Marcel Hamer Date: Tue Apr 27 14:21:18 2021 +0200 usb: dwc3: omap: improve extcon initialization commit e17b02d4970913233d543c79c9c66e72cac05bdd upstream. When extcon is used in combination with dwc3, it is assumed that the dwc3 registers are untouched and as such are only configured if VBUS is valid or ID is tied to ground. In case VBUS is not valid or ID is floating, the registers are not configured as such during driver initialization, causing a wrong default state during boot. If the registers are not in a default state, because they are for instance touched by a boot loader, this can cause for a kernel error. Signed-off-by: Marcel Hamer Link: https://lore.kernel.org/r/20210427122118.1948340-1-marcel@solidxs.se Cc: stable Signed-off-by: Greg Kroah-Hartman commit 3a96437f6bf85fa64e933cc100445f9278cee1ff Author: Bart Van Assche Date: Thu May 13 10:15:29 2021 -0700 blk-mq: Swap two calls in blk_mq_exit_queue() [ Upstream commit 630ef623ed26c18a457cdc070cf24014e50129c2 ] If a tag set is shared across request queues (e.g. SCSI LUNs) then the block layer core keeps track of the number of active request queues in tags->active_queues. blk_mq_tag_busy() and blk_mq_tag_idle() update that atomic counter if the hctx flag BLK_MQ_F_TAG_QUEUE_SHARED is set. Make sure that blk_mq_exit_queue() calls blk_mq_tag_idle() before that flag is cleared by blk_mq_del_queue_tag_set(). Cc: Christoph Hellwig Cc: Ming Lei Cc: Hannes Reinecke Fixes: 0d2602ca30e4 ("blk-mq: improve support for shared tags maps") Signed-off-by: Bart Van Assche Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20210513171529.7977-1-bvanassche@acm.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c9c1ed08c174c2fa88fe1badbb876a7317a8224f Author: Ming Lei Date: Fri May 14 10:20:52 2021 +0800 blk-mq: plug request for shared sbitmap [ Upstream commit 03f26d8f11403295de445b6e4e0e57ac57755791 ] In case of shared sbitmap, request won't be held in plug list any more sine commit 32bc15afed04 ("blk-mq: Facilitate a shared sbitmap per tagset"), this way makes request merge from flush plug list & batching submission not possible, so cause performance regression. Yanhui reports performance regression when running sequential IO test(libaio, 16 jobs, 8 depth for each job) in VM, and the VM disk is emulated with image stored on xfs/megaraid_sas. Fix the issue by recovering original behavior to allow to hold request in plug list. Cc: Yanhui Ma Cc: John Garry Cc: Bart Van Assche Cc: kashyap.desai@broadcom.com Fixes: 32bc15afed04 ("blk-mq: Facilitate a shared sbitmap per tagset") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20210514022052.1047665-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit cde4b55cfb24522dcbba80bbdb0c082303e76c43 Author: Sun Ke Date: Wed May 12 19:43:30 2021 +0800 nbd: Fix NULL pointer in flush_workqueue [ Upstream commit 79ebe9110fa458d58f1fceb078e2068d7ad37390 ] Open /dev/nbdX first, the config_refs will be 1 and the pointers in nbd_device are still null. Disconnect /dev/nbdX, then reference a null recv_workq. The protection by config_refs in nbd_genl_disconnect is useless. [ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 656.368943] #PF: supervisor write access in kernel mode [ 656.369844] #PF: error_code(0x0002) - not-present page [ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0 [ 656.371693] Oops: 0002 [#1] SMP [ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1 [ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 656.375904] RIP: 0010:mutex_lock+0x29/0x60 [ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 48 0f b1 55 d [ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246 [ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020 [ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318 [ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40 [ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00 [ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000 [ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0 [ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 656.384927] Call Trace: [ 656.385111] flush_workqueue+0x92/0x6c0 [ 656.385395] nbd_disconnect_and_put+0x81/0xd0 [ 656.385716] nbd_genl_disconnect+0x125/0x2a0 [ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0 [ 656.386422] genl_rcv_msg+0xfc/0x2b0 [ 656.386685] ? nbd_ioctl+0x490/0x490 [ 656.386954] ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0 [ 656.387354] netlink_rcv_skb+0x62/0x180 [ 656.387638] genl_rcv+0x34/0x60 [ 656.387874] netlink_unicast+0x26d/0x590 [ 656.388162] netlink_sendmsg+0x398/0x6c0 [ 656.388451] ? netlink_rcv_skb+0x180/0x180 [ 656.388750] ____sys_sendmsg+0x1da/0x320 [ 656.389038] ? ____sys_recvmsg+0x130/0x220 [ 656.389334] ___sys_sendmsg+0x8e/0xf0 [ 656.389605] ? ___sys_recvmsg+0xa2/0xf0 [ 656.389889] ? handle_mm_fault+0x1671/0x21d0 [ 656.390201] __sys_sendmsg+0x6d/0xe0 [ 656.390464] __x64_sys_sendmsg+0x23/0x30 [ 656.390751] do_syscall_64+0x45/0x70 [ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9 To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put(). Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs") Signed-off-by: Sun Ke Reviewed-by: Josef Bacik Link: https://lore.kernel.org/r/20210512114331.1233964-2-sunke32@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a9fc163514d209e038cc447590e1057a125367f7 Author: Chao Yu Date: Mon May 10 17:30:32 2021 +0800 f2fs: compress: fix to assign cc.cluster_idx correctly [ Upstream commit 8bfbfb0ddd706b1ce2e89259ecc45f192c0ec2bf ] In f2fs_destroy_compress_ctx(), after f2fs_destroy_compress_ctx(), cc.cluster_idx will be cleared w/ NULL_CLUSTER, f2fs_cluster_blocks() may check wrong cluster metadata, fix it. Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 5639b73fd3bc6fc8ca72e3a9ac15aacaabd7ebff Author: Chao Yu Date: Mon May 10 17:30:31 2021 +0800 f2fs: compress: fix race condition of overwrite vs truncate [ Upstream commit a949dc5f2c5cfe0c910b664650f45371254c0744 ] pos_fsstress testcase complains a panic as belew: ------------[ cut here ]------------ kernel BUG at fs/f2fs/compress.c:1082! invalid opcode: 0000 [#1] SMP PTI CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Workqueue: writeback wb_workfn (flush-252:16) RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs] Call Trace: f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs] f2fs_write_cache_pages+0x468/0x8a0 [f2fs] f2fs_write_data_pages+0x2a4/0x2f0 [f2fs] do_writepages+0x38/0xc0 __writeback_single_inode+0x44/0x2a0 writeback_sb_inodes+0x223/0x4d0 __writeback_inodes_wb+0x56/0xf0 wb_writeback+0x1dd/0x290 wb_workfn+0x309/0x500 process_one_work+0x220/0x3c0 worker_thread+0x53/0x420 kthread+0x12f/0x150 ret_from_fork+0x22/0x30 The root cause is truncate() may race with overwrite as below, so that one reference count left in page can not guarantee the page attaching in mapping tree all the time, after truncation, later find_lock_page() may return NULL pointer. - prepare_compress_overwrite - f2fs_pagecache_get_page - unlock_page - f2fs_setattr - truncate_setsize - truncate_inode_page - delete_from_page_cache - find_lock_page Fix this by avoiding referencing updated page. Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 72b0f3077ebdc83336fb48f381cbd84eb04a017e Author: Chao Yu Date: Thu May 6 17:00:43 2021 +0800 f2fs: compress: fix to free compress page correctly [ Upstream commit a12cc5b423d4f36dc1a1ea3911e49cf9dff43898 ] In error path of f2fs_write_compressed_pages(), it needs to call f2fs_compress_free_page() to release temporary page. Fixes: 5e6bbde95982 ("f2fs: introduce mempool for {,de}compress intermediate page allocation") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 64f3410c7bfc389b1a58611d0799f4a36ce4b6b5 Author: Michal Kalderon Date: Thu May 6 10:08:19 2021 +0300 nvmet-rdma: Fix NULL deref when SEND is completed with error [ Upstream commit 8cc365f9559b86802afc0208389f5c8d46b4ad61 ] When running some traffic and taking down the link on peer, a retry counter exceeded error is received. This leads to nvmet_rdma_error_comp which tried accessing the cq_context to obtain the queue. The cq_context is no longer valid after the fix to use shared CQ mechanism and should be obtained similar to how it is obtained in other functions from the wc->qp. [ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12). [ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [ 905.839919] PGD 0 P4D 0 [ 905.842464] Oops: 0000 1 SMP NOPTI [ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1 [ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma] [ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff [ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246 [ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000 [ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000 [ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074 [ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010 [ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400 [ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000 [ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12). [ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0 [ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 905.961857] PKRU: 55555554 [ 906.010315] Call Trace: [ 906.012778] __ib_process_cq+0x89/0x170 [ib_core] [ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core] [ 906.022152] process_one_work+0x1a7/0x360 [ 906.026182] ? create_worker+0x1a0/0x1a0 [ 906.030123] worker_thread+0x30/0x390 [ 906.033802] ? create_worker+0x1a0/0x1a0 [ 906.037744] kthread+0x116/0x130 [ 906.040988] ? kthread_flush_work_fn+0x10/0x10 [ 906.045456] ret_from_fork+0x1f/0x40 Fixes: ca0f1a8055be2 ("nvmet-rdma: use new shared CQ mechanism") Signed-off-by: Shai Malin Signed-off-by: Michal Kalderon Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit c98ecfb1829642daa063a541d81dc8384fda924b Author: Chaitanya Kulkarni Date: Thu May 6 18:51:35 2021 -0700 nvmet: fix inline bio check for bdev-ns [ Upstream commit 608a969046e6e0567d05a166be66c77d2dd8220b ] When handling rw commands, for inline bio case we only consider transfer size. This works well when req->sg_cnt fits into the req->inline_bvec, but it will result in the warning in __bio_add_page() when req->sg_cnt > NVMET_MAX_INLINE_BVEC. Consider an I/O size 32768 and first page is not aligned to the page boundary, then I/O is split in following manner :- [ 2206.256140] nvmet: sg->length 3440 sg->offset 656 [ 2206.256144] nvmet: sg->length 4096 sg->offset 0 [ 2206.256148] nvmet: sg->length 4096 sg->offset 0 [ 2206.256152] nvmet: sg->length 4096 sg->offset 0 [ 2206.256155] nvmet: sg->length 4096 sg->offset 0 [ 2206.256159] nvmet: sg->length 4096 sg->offset 0 [ 2206.256163] nvmet: sg->length 4096 sg->offset 0 [ 2206.256166] nvmet: sg->length 4096 sg->offset 0 [ 2206.256170] nvmet: sg->length 656 sg->offset 0 Now the req->transfer_size == NVMET_MAX_INLINE_DATA_LEN i.e. 32768, but the req->sg_cnt is (9) > NVMET_MAX_INLINE_BIOVEC which is (8). This will result in the following warning message :- nvmet_bdev_execute_rw() bio_add_page() __bio_add_page() WARN_ON_ONCE(bio_full(bio, len)); This scenario is very hard to reproduce on the nvme-loop transport only with rw commands issued with the passthru IOCTL interface from the host application and the data buffer is allocated with the malloc() and not the posix_memalign(). Fixes: 73383adfad24 ("nvmet: don't split large I/Os unconditionally") Signed-off-by: Chaitanya Kulkarni Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit f8ae879b776c28fb8fc47ae97c4ad45edac0be24 Author: Chaitanya Kulkarni Date: Mon Jan 11 20:26:16 2021 -0800 nvmet: add lba to sect conversion helpers [ Upstream commit 193fcf371f9e3705c14a0bf1d4bfc44af0f7c124 ] In this preparation patch, we add helpers to convert lbas to sectors & sectors to lba. This is needed to eliminate code duplication in the ZBD backend. Use these helpers in the block device backend. Signed-off-by: Chaitanya Kulkarni Reviewed-by: Damien Le Moal Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 54dbe2d2c1fcabf650c7a8b747601da355cd7f9f Author: Omar Sandoval Date: Mon May 10 17:05:35 2021 -0700 kyber: fix out of bounds access when preempted [ Upstream commit efed9a3337e341bd0989161b97453b52567bc59d ] __blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx). This manifested as this UBSAN array index out of bounds error reported by Jakub: UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type 'long unsigned int [128]' Call Trace: dump_stack+0xa4/0xe5 ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34 queued_spin_lock_slowpath+0x476/0x480 do_raw_spin_lock+0x1c2/0x1d0 kyber_bio_merge+0x112/0x180 blk_mq_submit_bio+0x1f5/0x1100 submit_bio_noacct+0x7b0/0x870 submit_bio+0xc2/0x3a0 btrfs_map_bio+0x4f0/0x9d0 btrfs_submit_data_bio+0x24e/0x310 submit_one_bio+0x7f/0xb0 submit_extent_page+0xc4/0x440 __extent_writepage_io+0x2b8/0x5e0 __extent_writepage+0x28d/0x6e0 extent_write_cache_pages+0x4d7/0x7a0 extent_writepages+0xa2/0x110 do_writepages+0x8f/0x180 __writeback_single_inode+0x99/0x7f0 writeback_sb_inodes+0x34e/0x790 __writeback_inodes_wb+0x9e/0x120 wb_writeback+0x4d2/0x660 wb_workfn+0x64d/0xa10 process_one_work+0x53a/0xa80 worker_thread+0x69/0x5b0 kthread+0x20b/0x240 ret_from_fork+0x1f/0x30 Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch. Fixes: a6088845c2bf ("block: kyber: make kyber more friendly with merging") Reported-by: Jakub Kicinski Signed-off-by: Omar Sandoval Link: https://lore.kernel.org/r/c7598605401a48d5cfeadebb678abd10af22b83f.1620691329.git.osandov@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e2381174daeae0ca35eddffef02dcc8de8c1ef8a Author: Christophe JAILLET Date: Sat May 8 09:23:09 2021 +0200 ACPI: scan: Fix a memory leak in an error handling path [ Upstream commit 0c8bd174f0fc131bc9dfab35cd8784f59045da87 ] If 'acpi_device_set_name()' fails, we must free 'acpi_device_bus_id->bus_id' or there is a (potential) memory leak. Fixes: eb50aaf960e3 ("ACPI: scan: Use unique number for instance_no") Signed-off-by: Christophe JAILLET Reviewed-by: Andy Shevchenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit a8dc16bbfe29c49987b77ed9240b1f54e5af539b Author: Christophe JAILLET Date: Tue May 4 22:26:29 2021 +0200 usb: musb: Fix an error message [ Upstream commit d9ff1096a840dddea3d5cfa2149ff7da9f499fb2 ] 'ret' is known to be 0 here. Initialize 'ret' with the expected error code before using it. Fixes: 0990366bab3c ("usb: musb: Add support for MediaTek musb controller") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/69f514dc7134e3c917cad208e73cc650cb9e2bd6.1620159879.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 550473900f80945cb1a48c6d252d9da41ddc48ec Author: Eddie James Date: Thu Apr 29 10:13:36 2021 -0500 hwmon: (occ) Fix poll rate limiting [ Upstream commit 5216dff22dc2bbbbe6f00335f9fd2879670e753b ] The poll rate limiter time was initialized at zero. This breaks the comparison in time_after if jiffies is large. Switch to storing the next update time rather than the previous time, and initialize the time when the device is probed. Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions") Signed-off-by: Eddie James Link: https://lore.kernel.org/r/20210429151336.18980-1-eajames@linux.ibm.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 0becd19b211aab0a0b017fb5fe584431482eab0a Author: Christophe JAILLET Date: Thu May 6 22:39:10 2021 +0200 usb: fotg210-hcd: Fix an error message [ Upstream commit a60a34366e0d09ca002c966dd7c43a68c28b1f82 ] 'retval' is known to be -ENODEV here. This is a hard-coded default error code which is not useful in the error message. Moreover, another error message is printed at the end of the error handling path. The corresponding error code (-ENOMEM) is more informative. So remove simplify the first error message. While at it, also remove the useless initialization of 'retval'. Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/94531bcff98e46d4f9c20183a90b7f47f699126c.1620333419.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2c3b4375e1189acaed2d831df9b46057daa71b4f Author: Alexandru Ardelean Date: Wed Apr 14 11:49:55 2021 +0300 iio: hid-sensors: select IIO_TRIGGERED_BUFFER under HID_SENSOR_IIO_TRIGGER [ Upstream commit 7061803522ee7876df1ca18cdd1e1551f761352d ] During commit 067fda1c065ff ("iio: hid-sensors: move triggered buffer setup into hid_sensor_setup_trigger"), the iio_triggered_buffer_{setup,cleanup}() functions got moved under the hid-sensor-trigger module. The above change works fine, if any of the sensors get built. However, when only the common hid-sensor-trigger module gets built (and none of the drivers), then the IIO_TRIGGERED_BUFFER symbol isn't selected/enforced. Previously, each driver would enforce/select the IIO_TRIGGERED_BUFFER symbol. With this change the HID_SENSOR_IIO_TRIGGER (for the hid-sensor-trigger module) will enforce that IIO_TRIGGERED_BUFFER gets selected. All HID sensor drivers select the HID_SENSOR_IIO_TRIGGER symbol. So, this change removes the IIO_TRIGGERED_BUFFER enforcement from each driver. Fixes: 067fda1c065ff ("iio: hid-sensors: move triggered buffer setup into hid_sensor_setup_trigger") Reported-by: Thomas Deutschmann Cc: Srinivas Pandruvada Signed-off-by: Alexandru Ardelean Acked-by: Srinivas Pandruvada Link: https://lore.kernel.org/r/20210414084955.260117-1-aardelean@deviqon.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 020fe6f80f4f1cc672687cdb59d438f8c031ef70 Author: Dinghao Liu Date: Mon Apr 12 13:32:02 2021 +0800 iio: proximity: pulsedlight: Fix rumtime PM imbalance on error [ Upstream commit a2fa9242e89f27696515699fe0f0296bf1ac1815 ] When lidar_write_control() fails, a pairing PM usage counter decrement is needed to keep the counter balanced. Fixes: 4ac4e086fd8c5 ("iio: pulsedlight-lidar-lite: add runtime PM") Signed-off-by: Dinghao Liu Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210412053204.4889-1-dinghao.liu@zju.edu.cn Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 9db8ba3cac0523308d70ac23739374d5af5c77a6 Author: Dinghao Liu Date: Wed Apr 7 11:49:27 2021 +0800 iio: light: gp2ap002: Fix rumtime PM imbalance on error [ Upstream commit 8edb79af88efc6e49e735f9baf61d9f0748b881f ] When devm_request_threaded_irq() fails, we should decrease the runtime PM counter to keep the counter balanced. But when iio_device_register() fails, we need not to decrease it because we have already decreased it before. Signed-off-by: Dinghao Liu Reviewed-by: Linus Walleij Fixes: 97d642e23037 ("iio: light: Add a driver for Sharp GP2AP002x00F") Link: https://lore.kernel.org/r/20210407034927.16882-1-dinghao.liu@zju.edu.cn Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 1ea775021282d90e1d08d696b7ab54aa75d688e5 Author: Jack Pham Date: Sat May 1 02:35:58 2021 -0700 usb: dwc3: gadget: Free gadget structure only after freeing endpoints [ Upstream commit bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139 ] As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the device's removal when usb_del_gadget_udc() is called in dwc3_gadget_exit(). However, simply freeing the gadget results a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del(). This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown. There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain. Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate "del" and "put" components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget(). Fixes: e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") Reviewed-by: Peter Chen Signed-off-by: Jack Pham Link: https://lore.kernel.org/r/20210501093558.7375-1-jackp@codeaurora.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 26c777470d576d427c1f8efccfd1bd86cdfec7f8 Author: Jiri Olsa Date: Sat May 8 22:50:20 2021 +0200 perf tools: Fix dynamic libbpf link [ Upstream commit ad1237c30d975535a669746496cbed136aa5a045 ] Justin reported broken build with LIBBPF_DYNAMIC=1. When linking libbpf dynamically we need to use perf's hashmap object, because it's not exported in libbpf.so (only in libbpf.a). Following build is now passing: $ make LIBBPF_DYNAMIC=1 BUILD: Doing 'make -j8' parallel build ... $ ldd perf | grep libbpf libbpf.so.0 => /lib64/libbpf.so.0 (0x00007fa7630db000) Fixes: eee19501926d ("perf tools: Grab a copy of libbpf's hashmap") Reported-by: Justin M. Forbes Signed-off-by: Jiri Olsa Cc: Alexander Shishkin Cc: Ian Rogers Cc: Mark Rutland Cc: Michael Petlan Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210508205020.617984-1-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1d8d7e02f6d0a70793f1c450c008b72979252f5f Author: Zhen Lei Date: Sat May 8 10:19:13 2021 +0800 xen/unpopulated-alloc: fix error return code in fill_list() [ Upstream commit dbc03e81586fc33e4945263fd6e09e22eb4b980f ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: a4574f63edc6 ("mm/memremap_pages: convert to 'struct range'") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20210508021913.1727-1-thunder.leizhen@huawei.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 0581225726765a66ff3adc88d8f5df3e72cbd556 Author: Dan Williams Date: Mon Dec 14 19:07:21 2020 -0800 xen/unpopulated-alloc: consolidate pgmap manipulation [ Upstream commit 3a250629d7325f27b278dad1aaf44eab00090e76 ] Cleanup fill_list() to keep all the pgmap manipulations in a single location of the function. Update the exit unwind path accordingly. Link: http://lore.kernel.org/r/6186fa28-d123-12db-6171-a75cb6e615a5@oracle.com Link: https://lkml.kernel.org/r/160272253442.3136502.16683842453317773487.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reported-by: Boris Ostrovsky Cc: Juergen Gross Cc: Stefano Stabellini Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9eaa10be0c08d99e8d5e6063f670b2f6e1e3f02b Author: Vivek Goyal Date: Wed Apr 28 15:03:14 2021 -0400 dax: Wake up all waiters after invalidating dax entry [ Upstream commit 237388320deffde7c2d65ed8fc9eef670dc979b3 ] I am seeing missed wakeups which ultimately lead to a deadlock when I am using virtiofs with DAX enabled and running "make -j". I had to mount virtiofs as rootfs and also reduce to dax window size to 256M to reproduce the problem consistently. So here is the problem. put_unlocked_entry() wakes up waiters only if entry is not null as well as !dax_is_conflict(entry). But if I call multiple instances of invalidate_inode_pages2() in parallel, then I can run into a situation where there are waiters on this index but nobody will wake these waiters. invalidate_inode_pages2() invalidate_inode_pages2_range() invalidate_exceptional_entry2() dax_invalidate_mapping_entry_sync() __dax_invalidate_entry() { xas_lock_irq(&xas); entry = get_unlocked_entry(&xas, 0); ... ... dax_disassociate_entry(entry, mapping, trunc); xas_store(&xas, NULL); ... ... put_unlocked_entry(&xas, entry); xas_unlock_irq(&xas); } Say a fault in in progress and it has locked entry at offset say "0x1c". Now say three instances of invalidate_inode_pages2() are in progress (A, B, C) and they all try to invalidate entry at offset "0x1c". Given dax entry is locked, all tree instances A, B, C will wait in wait queue. When dax fault finishes, say A is woken up. It will store NULL entry at index "0x1c" and wake up B. When B comes along it will find "entry=0" at page offset 0x1c and it will call put_unlocked_entry(&xas, 0). And this means put_unlocked_entry() will not wake up next waiter, given the current code. And that means C continues to wait and is not woken up. This patch fixes the issue by waking up all waiters when a dax entry has been invalidated. This seems to fix the deadlock I am facing and I can make forward progress. Reported-by: Sergio Lopez Fixes: ac401cc78242 ("dax: New fault locking") Reviewed-by: Jan Kara Suggested-by: Dan Williams Signed-off-by: Vivek Goyal Link: https://lore.kernel.org/r/20210428190314.1865312-4-vgoyal@redhat.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit e9e70b78e163f768aee90f621566a5b7055fce17 Author: Vivek Goyal Date: Wed Apr 28 15:03:13 2021 -0400 dax: Add a wakeup mode parameter to put_unlocked_entry() [ Upstream commit 4c3d043d271d4d629aa2328796cdfc96b37d3b3c ] As of now put_unlocked_entry() always wakes up next waiter. In next patches we want to wake up all waiters at one callsite. Hence, add a parameter to the function. This patch does not introduce any change of behavior. Reviewed-by: Greg Kurz Reviewed-by: Jan Kara Suggested-by: Dan Williams Signed-off-by: Vivek Goyal Link: https://lore.kernel.org/r/20210428190314.1865312-3-vgoyal@redhat.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b93d3410e789b027dd6845362a8738d58382194a Author: Vivek Goyal Date: Wed Apr 28 15:03:12 2021 -0400 dax: Add an enum for specifying dax wakup mode [ Upstream commit 698ab77aebffe08b312fbcdddeb0e8bd08b78717 ] Dan mentioned that he is not very fond of passing around a boolean true/false to specify if only next waiter should be woken up or all waiters should be woken up. He instead prefers that we introduce an enum and make it very explicity at the callsite itself. Easier to read code. This patch should not introduce any change of behavior. Reviewed-by: Greg Kurz Reviewed-by: Jan Kara Suggested-by: Dan Williams Signed-off-by: Vivek Goyal Link: https://lore.kernel.org/r/20210428190314.1865312-2-vgoyal@redhat.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b9c663dc9a83c655853bc56c99fc747fe1c72e98 Author: Thomas Gleixner Date: Thu May 6 15:21:37 2021 +0200 KVM: x86: Prevent deadlock against tk_core.seq [ Upstream commit 3f804f6d201ca93adf4c3df04d1bfd152c1129d6 ] syzbot reported a possible deadlock in pvclock_gtod_notify(): CPU 0 CPU 1 write_seqcount_begin(&tk_core.seq); pvclock_gtod_notify() spin_lock(&pool->lock); queue_work(..., &pvclock_gtod_work) ktime_get() spin_lock(&pool->lock); do { seq = read_seqcount_begin(tk_core.seq) ... } while (read_seqcount_retry(&tk_core.seq, seq); While this is unlikely to happen, it's possible. Delegate queue_work() to irq_work() which postpones it until the tk_core.seq write held region is left and interrupts are reenabled. Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") Reported-by: syzbot+6beae4000559d41d80f8@syzkaller.appspotmail.com Signed-off-by: Thomas Gleixner Message-Id: <87h7jgm1zy.ffs@nanos.tec.linutronix.de> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 8aa7227a5d9b4ff8ea42bf653fbf8c08d7744e9d Author: Thomas Gleixner Date: Wed May 5 23:48:17 2021 +0200 KVM: x86: Cancel pvclock_gtod_work on module removal [ Upstream commit 594b27e677b35f9734b1969d175ebc6146741109 ] Nothing prevents the following: pvclock_gtod_notify() queue_work(system_long_wq, &pvclock_gtod_work); ... remove_module(kvm); ... work_queue_run() pvclock_gtod_work() <- UAF Ditto for any other operation on that workqueue list head which touches pvclock_gtod_work after module removal. Cancel the work in kvm_arch_exit() to prevent that. Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes") Signed-off-by: Thomas Gleixner Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 1fe269372244a1a9b7f7a3f7de929d744e7207f8 Author: Kuogee Hsieh Date: Wed Apr 21 16:37:36 2021 -0700 drm/msm/dp: initialize audio_comp when audio starts [ Upstream commit f2f46b878777e0d3f885c7ddad48f477b4dea247 ] Initialize audio_comp when audio starts and wait for audio_comp at dp_display_disable(). This will take care of both dongle unplugged and display off (suspend) cases. Changes in v2: -- add dp_display_signal_audio_start() Changes in v3: -- restore dp_display_handle_plugged_change() at dp_hpd_unplug_handle(). Changes in v4: -- none Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Tested-by: Stephen Boyd Fixes: c703d5789590 ("drm/msm/dp: trigger unplug event in msm_dp_display_disable") Link: https://lore.kernel.org/r/1619048258-8717-3-git-send-email-khsieh@codeaurora.org Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 2e0ce36d0bf695477f7ce42a0bb3ab09aee7c89c Author: Wanpeng Li Date: Wed Apr 28 19:08:02 2021 +0800 KVM: LAPIC: Accurately guarantee busy wait for timer to expire when using hv_timer [ Upstream commit d981dd15498b188636ec5a7d8ad485e650f63d8d ] Commit ee66e453db13d (KVM: lapic: Busy wait for timer to expire when using hv_timer) tries to set ktime->expired_tscdeadline by checking ktime->hv_timer_in_use since lapic timer oneshot/periodic modes which are emulated by vmx preemption timer also get advanced, they leverage the same vmx preemption timer logic with tsc-deadline mode. However, ktime->hv_timer_in_use is cleared before apic_timer_expired() handling, let's delay this clearing in preemption-disabled region. Fixes: ee66e453db13d ("KVM: lapic: Busy wait for timer to expire when using hv_timer") Reviewed-by: Sean Christopherson Signed-off-by: Wanpeng Li Message-Id: <1619608082-4187-1-git-send-email-wanpengli@tencent.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit ce7639252357be0e1f93a77abd6d81f39c800a91 Author: Benjamin Segall Date: Thu Apr 29 16:22:34 2021 +0000 kvm: exit halt polling on need_resched() as well commit 262de4102c7bb8e59f26a967a8ffe8cce85cc537 upstream. single_task_running() is usually more general than need_resched() but CFS_BANDWIDTH throttling will use resched_task() when there is just one task to get the task to block. This was causing long-need_resched warnings and was likely allowing VMs to overrun their quota when halt polling. Signed-off-by: Ben Segall Signed-off-by: Venkatesh Srinivas Message-Id: <20210429162233.116849-1-venkateshs@chromium.org> Signed-off-by: Paolo Bonzini Cc: stable@vger.kernel.org Reviewed-by: Jim Mattson Signed-off-by: Greg Kroah-Hartman commit 970c978d0591866249607255924fe4a8542684b8 Author: Ville Syrjälä Date: Wed Apr 21 18:33:58 2021 +0300 drm/i915: Avoid div-by-zero on gen2 commit 4819d16d91145966ce03818a95169df1fd56b299 upstream. Gen2 tiles are 2KiB in size so i915_gem_object_get_tile_row_size() can in fact return <4KiB, which leads to div-by-zero here. Avoid that. Not sure i915_gem_object_get_tile_row_size() is entirely sane anyway since it doesn't account for the different tile layouts on i8xx/i915... I'm not able to hit this before commit 6846895fde05 ("drm/i915: Replace PIN_NONFAULT with calls to PIN_NOEVICT") and it looks like I also need to run recent version of Mesa. With those in place xonotic trips on this quite easily on my 85x. Cc: stable@vger.kernel.org Reviewed-by: Chris Wilson Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210421153401.13847-2-ville.syrjala@linux.intel.com (cherry picked from commit ed52c62d386f764194e0184fdb905d5f24194cae) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 86cd6072157c3ac6ce8eb3376e19c99b20ecb6b6 Author: David Ward Date: Mon May 10 05:30:39 2021 -0400 drm/amd/display: Initialize attribute for hdcp_srm sysfs file commit fe1c97d008f86f672f0e9265f180c22451ca3b9f upstream. It is stored in dynamically allocated memory, so sysfs_bin_attr_init() must be called to initialize it. (Note: "initialization" only sets the .attr.key member in this struct; it does not change the value of any other members.) Otherwise, when CONFIG_DEBUG_LOCK_ALLOC=y this message appears during boot: BUG: key ffff9248900cd148 has not been registered! Fixes: 9037246bb2da ("drm/amd/display: Add sysfs interface for set/get srm") Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1586 Reported-by: Mikhail Gavrilov Signed-off-by: David Ward Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 5a6fe45a3a7ff7627c699dbf833d8e256ba695ac Author: Kai-Heng Feng Date: Fri Apr 30 12:56:56 2021 +0800 drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected commit 227545b9a08c68778ddd89428f99c351fc9315ac upstream. Screen flickers rapidly when two 4K 60Hz monitors are in use. This issue doesn't happen when one monitor is 4K 60Hz (pixelclock 594MHz) and another one is 4K 30Hz (pixelclock 297MHz). The issue is gone after setting "power_dpm_force_performance_level" to "high". Following the indication, we found that the issue occurs when sclk is too low. So resolve the issue by disabling sclk switching when there are two monitors requires high pixelclock (> 297MHz). v2: - Only apply the fix to Oland. Signed-off-by: Kai-Heng Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit bccb7dd137adea29ba406a936445dccc078e36cb Author: Filipe Manana Date: Tue Apr 27 11:27:20 2021 +0100 btrfs: fix race leading to unpersisted data and metadata on fsync commit 626e9f41f7c281ba3e02843702f68471706aa6d9 upstream. When doing a fast fsync on a file, there is a race which can result in the fsync returning success to user space without logging the inode and without durably persisting new data. The following example shows one possible scenario for this: $ mkfs.btrfs -f /dev/sdc $ mount /dev/sdc /mnt $ touch /mnt/bar $ xfs_io -f -c "pwrite -S 0xab 0 1M" -c "fsync" /mnt/baz # Now we have: # file bar == inode 257 # file baz == inode 258 $ mv /mnt/baz /mnt/foo # Now we have: # file bar == inode 257 # file foo == inode 258 $ xfs_io -c "pwrite -S 0xcd 0 1M" /mnt/foo # fsync bar before foo, it is important to trigger the race. $ xfs_io -c "fsync" /mnt/bar $ xfs_io -c "fsync" /mnt/foo # After this: # inode 257, file bar, is empty # inode 258, file foo, has 1M filled with 0xcd # Replay the log: $ mount /dev/sdc /mnt # After this point file foo should have 1M filled with 0xcd and not 0xab The following steps explain how the race happens: 1) Before the first fsync of inode 258, when it has the "baz" name, its ->logged_trans is 0, ->last_sub_trans is 0 and ->last_log_commit is -1. The inode also has the full sync flag set; 2) After the first fsync, we set inode 258 ->logged_trans to 6, which is the generation of the current transaction, and set ->last_log_commit to 0, which is the current value of ->last_sub_trans (done at btrfs_log_inode()). The full sync flag is cleared from the inode during the fsync. The log sub transaction that was committed had an ID of 0 and when we synced the log, at btrfs_sync_log(), we incremented root->log_transid from 0 to 1; 3) During the rename: We update inode 258, through btrfs_update_inode(), and that causes its ->last_sub_trans to be set to 1 (the current log transaction ID), and ->last_log_commit remains with a value of 0. After updating inode 258, because we have previously logged the inode in the previous fsync, we log again the inode through the call to btrfs_log_new_name(). This results in updating the inode's ->last_log_commit from 0 to 1 (the current value of its ->last_sub_trans). The ->last_sub_trans of inode 257 is updated to 1, which is the ID of the next log transaction; 4) Then a buffered write against inode 258 is made. This leaves the value of ->last_sub_trans as 1 (the ID of the current log transaction, stored at root->log_transid); 5) Then an fsync against inode 257 (or any other inode other than 258), happens. This results in committing the log transaction with ID 1, which results in updating root->last_log_commit to 1 and bumping root->log_transid from 1 to 2; 6) Then an fsync against inode 258 starts. We flush delalloc and wait only for writeback to complete, since the full sync flag is not set in the inode's runtime flags - we do not wait for ordered extents to complete. Then, at btrfs_sync_file(), we call btrfs_inode_in_log() before the ordered extent completes. The call returns true: static inline bool btrfs_inode_in_log(...) { bool ret = false; spin_lock(&inode->lock); if (inode->logged_trans == generation && inode->last_sub_trans <= inode->last_log_commit && inode->last_sub_trans <= inode->root->last_log_commit) ret = true; spin_unlock(&inode->lock); return ret; } generation has a value of 6 (fs_info->generation), ->logged_trans also has a value of 6 (set when we logged the inode during the first fsync and when logging it during the rename), ->last_sub_trans has a value of 1, set during the rename (step 3), ->last_log_commit also has a value of 1 (set in step 3) and root->last_log_commit has a value of 1, which was set in step 5 when fsyncing inode 257. As a consequence we don't log the inode, any new extents and do not sync the log, resulting in a data loss if a power failure happens after the fsync and before the current transaction commits. Also, because we do not log the inode, after a power failure the mtime and ctime of the inode do not match those we had before. When the ordered extent completes before we call btrfs_inode_in_log(), then the call returns false and we log the inode and sync the log, since at the end of ordered extent completion we update the inode and set ->last_sub_trans to 2 (the value of root->log_transid) and ->last_log_commit to 1. This problem is found after removing the check for the emptiness of the inode's list of modified extents in the recent commit 209ecbb8585bf6 ("btrfs: remove stale comment and logic from btrfs_inode_in_log()"), added in the 5.13 merge window. However checking the emptiness of the list is not really the way to solve this problem, and was never intended to, because while that solves the problem for COW writes, the problem persists for NOCOW writes because in that case the list is always empty. In the case of NOCOW writes, even though we wait for the writeback to complete before returning from btrfs_sync_file(), we end up not logging the inode, which has a new mtime/ctime, and because we don't sync the log, we never issue disk barriers (send REQ_PREFLUSH to the device) since that only happens when we sync the log (when we write super blocks at btrfs_sync_log()). So effectively, for a NOCOW case, when we return from btrfs_sync_file() to user space, we are not guaranteeing that the data is durably persisted on disk. Also, while the example above uses a rename exchange to show how the problem happens, it is not the only way to trigger it. An alternative could be adding a new hard link to inode 258, since that also results in calling btrfs_log_new_name() and updating the inode in the log. An example reproducer using the addition of a hard link instead of a rename operation: $ mkfs.btrfs -f /dev/sdc $ mount /dev/sdc /mnt $ touch /mnt/bar $ xfs_io -f -c "pwrite -S 0xab 0 1M" -c "fsync" /mnt/foo $ ln /mnt/foo /mnt/foo_link $ xfs_io -c "pwrite -S 0xcd 0 1M" /mnt/foo $ xfs_io -c "fsync" /mnt/bar $ xfs_io -c "fsync" /mnt/foo # Replay the log: $ mount /dev/sdc /mnt # After this point file foo often has 1M filled with 0xab and not 0xcd The reasons leading to the final fsync of file foo, inode 258, not persisting the new data are the same as for the previous example with a rename operation. So fix by never skipping logging and log syncing when there are still any ordered extents in flight. To avoid making the conditional if statement that checks if logging an inode is needed harder to read, place all the logic into an helper function with separate if statements to make it more manageable and easier to read. A test case for fstests will follow soon. For NOCOW writes, the problem existed before commit b5e6c3e170b770 ("btrfs: always wait on ordered extents at fsync time"), introduced in kernel 4.19, then it went away with that commit since we started to always wait for ordered extent completion before logging. The problem came back again once the fast fsync path was changed again to avoid waiting for ordered extent completion, in commit 487781796d3022 ("btrfs: make fast fsyncs wait only for writeback"), added in kernel 5.10. However, for COW writes, the race only happens after the recent commit 209ecbb8585bf6 ("btrfs: remove stale comment and logic from btrfs_inode_in_log()"), introduced in the 5.13 merge window. For NOCOW writes, the bug existed before that commit. So tag 5.10+ as the release for stable backports. CC: stable@vger.kernel.org # 5.10+ Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit d6d66dbd5adc41b7469bf7ae87e7f8cc4006a28f Author: Catalin Marinas Date: Fri May 14 10:50:01 2021 +0100 arm64: Fix race condition on PG_dcache_clean in __sync_icache_dcache() commit 588a513d34257fdde95a9f0df0202e31998e85c6 upstream. To ensure that instructions are observable in a new mapping, the arm64 set_pte_at() implementation cleans the D-cache and invalidates the I-cache to the PoU. As an optimisation, this is only done on executable mappings and the PG_dcache_clean page flag is set to avoid future cache maintenance on the same page. When two different processes map the same page (e.g. private executable file or shared mapping) there's a potential race on checking and setting PG_dcache_clean via set_pte_at() -> __sync_icache_dcache(). While on the fault paths the page is locked (PG_locked), mprotect() does not take the page lock. The result is that one process may see the PG_dcache_clean flag set but the I/D cache maintenance not yet performed. Avoid test_and_set_bit(PG_dcache_clean) in favour of separate test_bit() and set_bit(). In the rare event of a race, the cache maintenance is done twice. Signed-off-by: Catalin Marinas Cc: Cc: Will Deacon Cc: Steven Price Reviewed-by: Steven Price Acked-by: Will Deacon Link: https://lore.kernel.org/r/20210514095001.13236-1-catalin.marinas@arm.com Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit d3bab7cbadfb9abef9c5df2c54eac23dba4241a7 Author: Peter Collingbourne Date: Fri May 7 11:59:05 2021 -0700 arm64: mte: initialize RGSR_EL1.SEED in __cpu_setup commit 37a8024d265564eba680575df6421f19db21dfce upstream. A valid implementation choice for the ChooseRandomNonExcludedTag() pseudocode function used by IRG is to behave in the same way as with GCR_EL1.RRND=0. This would mean that RGSR_EL1.SEED is used as an LFSR which must have a non-zero value in order for IRG to properly produce pseudorandom numbers. However, RGSR_EL1 is reset to an UNKNOWN value on soft reset and thus may reset to 0. Therefore we must initialize RGSR_EL1.SEED to a non-zero value in order to ensure that IRG behaves as expected. Signed-off-by: Peter Collingbourne Fixes: 3b714d24ef17 ("arm64: mte: CPU feature detection and initial sysreg configuration") Cc: # 5.10 Link: https://linux-review.googlesource.com/id/I2b089b6c7d6f17ee37e2f0db7df5ad5bcc04526c Acked-by: Mark Rutland Link: https://lore.kernel.org/r/20210507185905.1745402-1-pcc@google.com Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 70748bba55658f4bf61ba1686fec9879ca6559c9 Author: Tejun Heo Date: Tue May 11 21:38:36 2021 -0400 blk-iocost: fix weight updates of inner active iocgs commit e9f4eee9a0023ba22db9560d4cc6ee63f933dae8 upstream. When the weight of an active iocg is updated, weight_updated() is called which in turn calls __propagate_weights() to update the active and inuse weights so that the effective hierarchical weights are update accordingly. The current implementation is incorrect for inner active nodes. For an active leaf iocg, inuse can be any value between 1 and active and the difference represents how much the iocg is donating. When weight is updated, as long as inuse is clamped between 1 and the new weight, we're alright and this is what __propagate_weights() currently implements. However, that's not how an active inner node's inuse is set. An inner node's inuse is solely determined by the ratio between the sums of inuse's and active's of its children - ie. they're results of propagating the leaves' active and inuse weights upwards. __propagate_weights() incorrectly applies the same clamping as for a leaf when an active inner node's weight is updated. Consider a hierarchy which looks like the following with saturating workloads in AA and BB. R / \ A B | | AA BB 1. For both A and B, active=100, inuse=100, hwa=0.5, hwi=0.5. 2. echo 200 > A/io.weight 3. __propagate_weights() update A's active to 200 and leave inuse at 100 as it's already between 1 and the new active, making A:active=200, A:inuse=100. As R's active_sum is updated along with A's active, A:hwa=2/3, B:hwa=1/3. However, because the inuses didn't change, the hwi's remain unchanged at 0.5. 4. The weight of A is now twice that of B but AA and BB still have the same hwi of 0.5 and thus are doing the same amount of IOs. Fix it by making __propgate_weights() always calculate the inuse of an active inner iocg based on the ratio of child_inuse_sum to child_active_sum. Signed-off-by: Tejun Heo Reported-by: Dan Schatzberg Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") Cc: stable@vger.kernel.org # v5.4+ Link: https://lore.kernel.org/r/YJsxnLZV1MnBcqjj@slm.duckdns.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 014868616d48cfee2d966a8b16e2d5e120c8dab3 Author: Peter Xu Date: Fri May 14 17:27:04 2021 -0700 mm/hugetlb: fix F_SEAL_FUTURE_WRITE commit 22247efd822e6d263f3c8bd327f3f769aea9b1d9 upstream. Patch series "mm/hugetlb: Fix issues on file sealing and fork", v2. Hugh reported issue with F_SEAL_FUTURE_WRITE not applied correctly to hugetlbfs, which I can easily verify using the memfd_test program, which seems that the program is hardly run with hugetlbfs pages (as by default shmem). Meanwhile I found another probably even more severe issue on that hugetlb fork won't wr-protect child cow pages, so child can potentially write to parent private pages. Patch 2 addresses that. After this series applied, "memfd_test hugetlbfs" should start to pass. This patch (of 2): F_SEAL_FUTURE_WRITE is missing for hugetlb starting from the first day. There is a test program for that and it fails constantly. $ ./memfd_test hugetlbfs memfd-hugetlb: CREATE memfd-hugetlb: BASIC memfd-hugetlb: SEAL-WRITE memfd-hugetlb: SEAL-FUTURE-WRITE mmap() didn't fail as expected Aborted (core dumped) I think it's probably because no one is really running the hugetlbfs test. Fix it by checking FUTURE_WRITE also in hugetlbfs_file_mmap() as what we do in shmem_mmap(). Generalize a helper for that. Link: https://lkml.kernel.org/r/20210503234356.9097-1-peterx@redhat.com Link: https://lkml.kernel.org/r/20210503234356.9097-2-peterx@redhat.com Fixes: ab3948f58ff84 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd") Signed-off-by: Peter Xu Reported-by: Hugh Dickins Reviewed-by: Mike Kravetz Cc: Joel Fernandes (Google) Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fe5c0a63ad22cc61498f2bc3164449a233e8c774 Author: Peter Collingbourne Date: Fri May 14 17:27:27 2021 -0700 kasan: fix unit tests with CONFIG_UBSAN_LOCAL_BOUNDS enabled commit f649dc0e0d7b509c75570ee403723660f5b72ec7 upstream. These tests deliberately access these arrays out of bounds, which will cause the dynamic local bounds checks inserted by CONFIG_UBSAN_LOCAL_BOUNDS to fail and panic the kernel. To avoid this problem, access the arrays via volatile pointers, which will prevent the compiler from being able to determine the array bounds. These accesses use volatile pointers to char (char *volatile) rather than the more conventional pointers to volatile char (volatile char *) because we want to prevent the compiler from making inferences about the pointer itself (i.e. its array bounds), not the data that it refers to. Link: https://lkml.kernel.org/r/20210507025915.1464056-1-pcc@google.com Link: https://linux-review.googlesource.com/id/I90b1713fbfa1bf68ff895aef099ea77b98a7c3b9 Signed-off-by: Peter Collingbourne Tested-by: Alexander Potapenko Reviewed-by: Andrey Konovalov Cc: Peter Collingbourne Cc: George Popescu Cc: Elena Petrova Cc: Evgenii Stepanov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 140cfd9980124aecb6c03ef2e69c72d0548744de Author: Axel Rasmussen Date: Fri May 14 17:27:19 2021 -0700 userfaultfd: release page in error path to avoid BUG_ON commit 7ed9d238c7dbb1fdb63ad96a6184985151b0171c upstream. Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning. Link: https://lkml.kernel.org/r/20210428230858.348400-1-axelrasmussen@google.com Fixes: cb658a453b93 ("userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY") Signed-off-by: Axel Rasmussen Reported-by: Hugh Dickins Acked-by: Hugh Dickins Reviewed-by: Peter Xu Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2ed1d90162a0c0683ecbe0c4802187fa22d641c3 Author: Phillip Lougher Date: Fri May 14 17:27:16 2021 -0700 squashfs: fix divide error in calculate_skip() commit d6e621de1fceb3b098ebf435ef7ea91ec4838a1a upstream. Sysbot has reported a "divide error" which has been identified as being caused by a corrupted file_size value within the file inode. This value has been corrupted to a much larger value than expected. Calculate_skip() is passed i_size_read(inode) >> msblk->block_log. Due to the file_size value corruption this overflows the int argument/variable in that function, leading to the divide error. This patch changes the function to use u64. This will accommodate any unexpectedly large values due to corruption. The value returned from calculate_skip() is clamped to be never more than SQUASHFS_CACHED_BLKS - 1, or 7. So file_size corruption does not lead to an unexpectedly large return result here. Link: https://lkml.kernel.org/r/20210507152618.9447-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher Reported-by: Reported-by: Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit adbd8a2a8cc05d9e501f93e5c95c59307874cc99 Author: Jouni Roivas Date: Fri May 14 17:27:33 2021 -0700 hfsplus: prevent corruption in shrinking truncate commit c3187cf32216313fb316084efac4dab3a8459b1d upstream. I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check. Link: https://lkml.kernel.org/r/20210429165139.3082828-1-jouni.roivas@tuxera.com Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation") Signed-off-by: Jouni Roivas Reviewed-by: Anton Altaparmakov Cc: Anatoly Trosinenko Cc: Viacheslav Dubeyko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2e3590ca39ccfd8a5a46d8c7f095cb6c7b9ae92 Author: Michael Ellerman Date: Thu May 6 14:49:59 2021 +1000 powerpc/64s: Fix crashes when toggling entry flush barrier commit aec86b052df6541cc97c5fca44e5934cbea4963b upstream. The entry flush mitigation can be enabled/disabled at runtime via a debugfs file (entry_flush), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 Shows that we returned to userspace with a corrupted LR that points into the kernel, due to executing the partially patched call to the fallback entry flush (ie. we missed the LR restore). Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity. Fixes: f79643787e0a ("powerpc/64s: flush L1D on kernel entry") Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210506044959.1298123-2-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 51570beeb448c8db24dc6588202dcabc6b259d1b Author: Michael Ellerman Date: Thu May 6 14:49:58 2021 +1000 powerpc/64s: Fix crashes when toggling stf barrier commit 8ec7791bae1327b1c279c5cd6e929c3b12daaf0a upstream. The STF (store-to-load forwarding) barrier mitigation can be enabled/disabled at runtime via a debugfs file (stf_barrier), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: User access of kernel address (c00000003fff5af0) - exploit attempt? (uid: 0) segfault (11) at c00000003fff5af0 nip 7fff8ad12198 lr 7fff8ad121f8 code 1 code: 40820128 e93c00d0 e9290058 7c292840 40810058 38600000 4bfd9a81 e8410018 code: 2c030006 41810154 3860ffb6 e9210098 7d295279 39400000 40820a3c Shows that we returned to userspace without restoring the user r13 value, due to executing the partially patched STF exit code. Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity. Fixes: a048a07d7f45 ("powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit") Cc: stable@vger.kernel.org # v4.17+ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210506044959.1298123-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit cb3e286f22ff369d656b2d1f93508216af32ee9e Author: Vladimir Isaev Date: Tue Apr 27 15:13:54 2021 +0300 ARC: mm: Use max_high_pfn as a HIGHMEM zone border commit 1d5e4640e5df15252398c1b621f6bd432f2d7f17 upstream. Commit 4af22ded0ecf ("arc: fix memory initialization for systems with two memory banks") fixed highmem, but for the PAE case it causes bug messages: | BUG: Bad page state in process swapper pfn:80000 | page:(ptrval) refcount:0 mapcount:1 mapping:00000000 index:0x0 pfn:0x80000 flags: 0x0() | raw: 00000000 00000100 00000122 00000000 00000000 00000000 00000000 00000000 | raw: 00000000 | page dumped because: nonzero mapcount | Modules linked in: | CPU: 0 PID: 0 Comm: swapper Not tainted 5.12.0-rc5-00003-g1e43c377a79f #1 This is because the fix expects highmem to be always less than lowmem and uses min_low_pfn as an upper zone border for highmem. max_high_pfn should be ok for both highmem and highmem+PAE cases. Fixes: 4af22ded0ecf ("arc: fix memory initialization for systems with two memory banks") Signed-off-by: Vladimir Isaev Cc: Mike Rapoport Cc: stable@vger.kernel.org #5.8 onwards Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 969de0f6599e2c6fe1d39aaabaead865a76fc0b7 Author: Vladimir Isaev Date: Tue Apr 27 15:12:37 2021 +0300 ARC: mm: PAE: use 40-bit physical page mask commit c5f756d8c6265ebb1736a7787231f010a3b782e5 upstream. 32-bit PAGE_MASK can not be used as a mask for physical addresses when PAE is enabled. PAGE_MASK_PHYS must be used for physical addresses instead of PAGE_MASK. Without this, init gets SIGSEGV if pte_modify was called: | potentially unexpected fatal signal 11. | Path: /bin/busybox | CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc5-00003-g1e43c377a79f-dirty | Insn could not be fetched | @No matching VMA found | ECR: 0x00040000 EFA: 0x00000000 ERET: 0x00000000 | STAT: 0x80080082 [IE U ] BTA: 0x00000000 | SP: 0x5f9ffe44 FP: 0x00000000 BLK: 0xaf3d4 | LPS: 0x000d093e LPE: 0x000d0950 LPC: 0x00000000 | r00: 0x00000002 r01: 0x5f9fff14 r02: 0x5f9fff20 | ... | Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Signed-off-by: Vladimir Isaev Reported-by: kernel test robot Cc: Vineet Gupta Cc: stable@vger.kernel.org Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit af9e5364c617d25f34d11c90f6bc7e8f16c63804 Author: Vineet Gupta Date: Fri Apr 23 12:16:25 2021 -0700 ARC: entry: fix off-by-one error in syscall number validation commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream. We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erronesously allows "NR_syscall" to be treated as valid syscall causeing out-of-bounds access into syscall-call table ensuing a crash (holes within syscall table have a invalid-entry handler but this is beyond the array implementing the table). This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, includng faccessat2 syscall 439). The v5.6 kernel has NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash. Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48 Reported-by: Shahab Vahedi Cc: Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 23ecfe7f2c1f399eda6233809f9b8f550f7c7c38 Author: Chao Yu Date: Tue Nov 10 09:24:36 2020 +0800 f2fs: avoid unneeded data copy in f2fs_ioc_move_range() [ Upstream commit 3a1b9eaf727b4ab84ebf059e09c38fc6a53e5614 ] Fields in struct f2fs_move_range won't change in f2fs_ioc_move_range(), let's avoid copying this structure's data to userspace. Signed-off-by: Chao Yu Reviewed-by: Eric Biggers Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 758fd227ed84cb208a5e9eec9ad9f17e87e2d0f1 Author: Paolo Abeni Date: Thu May 6 17:16:38 2021 -0700 mptcp: fix splat when closing unaccepted socket [ Upstream commit 578c18eff1627d6a911f08f4cf351eca41fdcc7d ] If userspace exits before calling accept() on a listener that had at least one new connection ready, we get: Attempt to release TCP socket in state 8 This happens because the mptcp socket gets cloned when the TCP connection is ready, but the socket is never exposed to userspace. The client additionally sends a DATA_FIN, which brings connection into CLOSE_WAIT state. This in turn prevents the orphan+state reset fixup in mptcp_sock_destruct() from doing its job. Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185 Tested-by: Florian Westphal Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20210507001638.225468-1-mathew.j.martineau@linux.intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b8cf51a36da2c3e21f72c5de171fc778f187b807 Author: Mateusz Palczewski Date: Tue Apr 13 14:43:07 2021 +0000 i40e: Fix PHY type identifiers for 2.5G and 5G adapters [ Upstream commit 15395ec4685bd45a43d1b54b8fd9846b87e2c621 ] Unlike other supported adapters, 2.5G and 5G use different PHY type identifiers for reading/writing PHY settings and for reading link status. This commit introduces separate PHY identifiers for these two operation types. Fixes: 2e45d3f4677a ("i40e: Add support for X710 B/P & SFP+ cards") Signed-off-by: Dawid Lukwinski Signed-off-by: Mateusz Palczewski Reviewed-by: Aleksandr Loktionov Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 06ef93b776f7fc81d706b19e984f8a4e1f50e80f Author: Jaroslaw Gawin Date: Tue Apr 13 14:19:40 2021 +0000 i40e: fix the restart auto-negotiation after FEC modified [ Upstream commit 61343e6da7810de81d6b826698946ae4f9070819 ] When FEC mode was changed the link didn't know it because the link was not reset and new parameters were not negotiated. Set a flag 'I40E_AQ_PHY_ENABLE_ATOMIC_LINK' in 'abilities' to restart the link and make it run with the new settings. Fixes: 1d96340196f1 ("i40e: Add support FEC configuration for Fortville 25G") Signed-off-by: Jaroslaw Gawin Signed-off-by: Mateusz Palczewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 829a713450b8fb127cbabfc1244c1d8179ec5107 Author: Yunjian Wang Date: Mon Apr 12 22:41:18 2021 +0800 i40e: Fix use-after-free in i40e_client_subtask() [ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ] Currently the call to i40e_client_del_instance frees the object pf->cinst, however pf->cinst->lan_info is being accessed after the free. Fix this by adding the missing return. Addresses-Coverity: ("Read from pointer after free") Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events") Signed-off-by: Yunjian Wang Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 2692bf13e646b06343b8f7b48536a7270757f77e Author: Magnus Karlsson Date: Mon Apr 26 13:14:01 2021 +0200 i40e: fix broken XDP support [ Upstream commit ae4393dfd472b194c90d75d2123105fb5ed59b04 ] Commit 12738ac4754e ("i40e: Fix sparse errors in i40e_txrx.c") broke XDP support in the i40e driver. That commit was fixing a sparse error in the code by introducing a new variable xdp_res instead of overloading this into the skb pointer. The problem is that the code later uses the skb pointer in if statements and these where not extended to also test for the new xdp_res variable. Fix this by adding the correct tests for xdp_res in these places. The skb pointer was used to store the result of the XDP program by overloading the results in the error pointer ERR_PTR(-result). Therefore, the allocation failure test that used to only test for !skb now need to be extended to also consider !xdp_res. i40e_cleanup_headers() had a check that based on the skb value being an error pointer, i.e. a result from the XDP program != XDP_PASS, and if so start to process a new packet immediately, instead of populating skb fields and sending the skb to the stack. This check is not needed anymore, since we have added an explicit test for xdp_res being set and if so just do continue to pick the next packet from the NIC. Fixes: 12738ac4754e ("i40e: Fix sparse errors in i40e_txrx.c") Acked-by: Jesper Dangaard Brouer Tested-by: Jesper Dangaard Brouer Reported-by: Jesper Dangaard Brouer Reviewed-by: Maciej Fijalkowski Signed-off-by: Magnus Karlsson Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 72b49dd116ca00a46a11d5a4d8d7987f05ed9cd7 Author: Eric Dumazet Date: Thu May 6 05:53:23 2021 -0700 netfilter: nftables: avoid overflows in nft_hash_buckets() [ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ] Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nft_hash_buckets() syzbot injected a size == 0x40000000 and reported: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 __roundup_pow_of_two include/linux/log2.h:57 [inline] nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline] nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline] nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f665dedeedc93089fd5cf3c9405fdfe5f72502ad Author: David Hildenbrand Date: Thu May 6 18:05:16 2021 -0700 kernel/resource: make walk_mem_res() find all busy IORESOURCE_MEM resources [ Upstream commit 3c9c797534364593b73ba6ab060a014af8934721 ] It used to be true that we can have system RAM (IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY) only on the first level in the resource tree. However, this is no longer holds for driver-managed system RAM (i.e., added via dax/kmem and virtio-mem), which gets added on lower levels, for example, inside device containers. IORESOURCE_SYSTEM_RAM is defined as IORESOURCE_MEM | IORESOURCE_SYSRAM and just a special type of IORESOURCE_MEM. The function walk_mem_res() only considers the first level and is used in arch/x86/mm/ioremap.c:__ioremap_check_mem() only. We currently fail to identify System RAM added by dax/kmem and virtio-mem as "IORES_MAP_SYSTEM_RAM", for example, allowing for remapping of such "normal RAM" in __ioremap_caller(). Let's find all IORESOURCE_MEM | IORESOURCE_BUSY resources, making the function behave similar to walk_system_ram_res(). Link: https://lkml.kernel.org/r/20210325115326.7826-3-david@redhat.com Fixes: ebf71552bb0e ("virtio-mem: Add parent resource for all added "System RAM"") Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: David Hildenbrand Reviewed-by: Dan Williams Cc: Greg Kroah-Hartman Cc: Dan Williams Cc: Daniel Vetter Cc: Andy Shevchenko Cc: Mauro Carvalho Chehab Cc: Dave Young Cc: Baoquan He Cc: Vivek Goyal Cc: Dave Hansen Cc: Keith Busch Cc: Michal Hocko Cc: Qian Cai Cc: Oscar Salvador Cc: Eric Biederman Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Tom Lendacky Cc: Brijesh Singh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 1ec19325527112c6e99ded2e83beda996d8ebd60 Author: David Hildenbrand Date: Thu May 6 18:05:12 2021 -0700 kernel/resource: make walk_system_ram_res() find all busy IORESOURCE_SYSTEM_RAM resources [ Upstream commit 97f61c8f44ec9020708b97a51188170add4f3084 ] Patch series "kernel/resource: make walk_system_ram_res() and walk_mem_res() search the whole tree", v2. Playing with kdump+virtio-mem I noticed that kexec_file_load() does not consider System RAM added via dax/kmem and virtio-mem when preparing the elf header for kdump. Looking into the details, the logic used in walk_system_ram_res() and walk_mem_res() seems to be outdated. walk_system_ram_range() already does the right thing, let's change walk_system_ram_res() and walk_mem_res(), and clean up. Loading a kdump kernel via "kexec -p -s" ... will result in the kdump kernel to also dump dax/kmem and virtio-mem added System RAM now. Note: kexec-tools on x86-64 also have to be updated to consider this memory in the kexec_load() case when processing /proc/iomem. This patch (of 3): It used to be true that we can have system RAM (IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY) only on the first level in the resource tree. However, this is no longer holds for driver-managed system RAM (i.e., added via dax/kmem and virtio-mem), which gets added on lower levels, for example, inside device containers. We have two users of walk_system_ram_res(), which currently only consideres the first level: a) kernel/kexec_file.c:kexec_walk_resources() -- We properly skip IORESOURCE_SYSRAM_DRIVER_MANAGED resources via locate_mem_hole_callback(), so even after this change, we won't be placing kexec images onto dax/kmem and virtio-mem added memory. No change. b) arch/x86/kernel/crash.c:fill_up_crash_elf_data() -- we're currently not adding relevant ranges to the crash elf header, resulting in them not getting dumped via kdump. This change fixes loading a crashkernel via kexec_file_load() and including dax/kmem and virtio-mem added System RAM in the crashdump on x86-64. Note that e.g,, arm64 relies on memblock data and, therefore, always considers all added System RAM already. Let's find all IORESOURCE_SYSTEM_RAM | IORESOURCE_BUSY resources, making the function behave like walk_system_ram_range(). Link: https://lkml.kernel.org/r/20210325115326.7826-1-david@redhat.com Link: https://lkml.kernel.org/r/20210325115326.7826-2-david@redhat.com Fixes: ebf71552bb0e ("virtio-mem: Add parent resource for all added "System RAM"") Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: David Hildenbrand Reviewed-by: Dan Williams Acked-by: Baoquan He Cc: Greg Kroah-Hartman Cc: Dan Williams Cc: Daniel Vetter Cc: Andy Shevchenko Cc: Mauro Carvalho Chehab Cc: Dave Young Cc: Baoquan He Cc: Vivek Goyal Cc: Dave Hansen Cc: Keith Busch Cc: Michal Hocko Cc: Qian Cai Cc: Oscar Salvador Cc: Eric Biederman Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Tom Lendacky Cc: Brijesh Singh Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0886bb143cbbc8eafe1bb7598f90de14a3cb7ac2 Author: Jia-Ju Bai Date: Thu May 6 18:04:38 2021 -0700 kernel: kexec_file: fix error return code of kexec_calculate_store_digests() [ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ] When vzalloc() returns NULL to sha_regions, no error return code of kexec_calculate_store_digests() is assigned. To fix this bug, ret is assigned with -ENOMEM in this case. Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c") Signed-off-by: Jia-Ju Bai Reported-by: TOTE Robot Acked-by: Baoquan He Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d43be02fc40b87b88426251e62f02b3bf55c99ee Author: Colin Ian King Date: Thu May 6 18:02:10 2021 -0700 fs/proc/generic.c: fix incorrect pde_is_permanent check [ Upstream commit f4bf74d82915708208bc9d0c9bd3f769f56bfbec ] Currently the pde_is_permanent() check is being run on root multiple times rather than on the next proc directory entry. This looks like a copy-paste error. Fix this by replacing root with next. Addresses-Coverity: ("Copy-paste error") Link: https://lkml.kernel.org/r/20210318122633.14222-1-colin.king@canonical.com Fixes: d919b33dafb3 ("proc: faster open/read/close with "permanent" files") Signed-off-by: Colin Ian King Acked-by: Christian Brauner Reviewed-by: Alexey Dobriyan Cc: Greg Kroah-Hartman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f89b408d506e99583de2c56f32574b4c31cfb343 Author: Odin Ugedal Date: Sat May 1 16:19:50 2021 +0200 sched/fair: Fix unfairness caused by missing load decay [ Upstream commit 0258bdfaff5bd13c4d2383150b7097aecd6b6d82 ] This fixes an issue where old load on a cfs_rq is not properly decayed, resulting in strange behavior where fairness can decrease drastically. Real workloads with equally weighted control groups have ended up getting a respective 99% and 1%(!!) of cpu time. When an idle task is attached to a cfs_rq by attaching a pid to a cgroup, the old load of the task is attached to the new cfs_rq and sched_entity by attach_entity_cfs_rq. If the task is then moved to another cpu (and therefore cfs_rq) before being enqueued/woken up, the load will be moved to cfs_rq->removed from the sched_entity. Such a move will happen when enforcing a cpuset on the task (eg. via a cgroup) that force it to move. The load will however not be removed from the task_group itself, making it look like there is a constant load on that cfs_rq. This causes the vruntime of tasks on other sibling cfs_rq's to increase faster than they are supposed to; causing severe fairness issues. If no other task is started on the given cfs_rq, and due to the cpuset it would not happen, this load would never be properly unloaded. With this patch the load will be properly removed inside update_blocked_averages. This also applies to tasks moved to the fair scheduling class and moved to another cpu, and this path will also fix that. For fork, the entity is queued right away, so this problem does not affect that. This applies to cases where the new process is the first in the cfs_rq, issue introduced 3d30544f0212 ("sched/fair: Apply more PELT fixes"), and when there has previously been load on the cgroup but the cgroup was removed from the leaflist due to having null PELT load, indroduced in 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path"). For a simple cgroup hierarchy (as seen below) with two equally weighted groups, that in theory should get 50/50 of cpu time each, it often leads to a load of 60/40 or 70/30. parent/ cg-1/ cpu.weight: 100 cpuset.cpus: 1 cg-2/ cpu.weight: 100 cpuset.cpus: 1 If the hierarchy is deeper (as seen below), while keeping cg-1 and cg-2 equally weighted, they should still get a 50/50 balance of cpu time. This however sometimes results in a balance of 10/90 or 1/99(!!) between the task groups. $ ps u -C stress USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 18568 1.1 0.0 3684 100 pts/12 R+ 13:36 0:00 stress --cpu 1 root 18580 99.3 0.0 3684 100 pts/12 R+ 13:36 0:09 stress --cpu 1 parent/ cg-1/ cpu.weight: 100 sub-group/ cpu.weight: 1 cpuset.cpus: 1 cg-2/ cpu.weight: 100 sub-group/ cpu.weight: 10000 cpuset.cpus: 1 This can be reproduced by attaching an idle process to a cgroup and moving it to a given cpuset before it wakes up. The issue is evident in many (if not most) container runtimes, and has been reproduced with both crun and runc (and therefore docker and all its "derivatives"), and with both cgroup v1 and v2. Fixes: 3d30544f0212 ("sched/fair: Apply more PELT fixes") Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path") Signed-off-by: Odin Ugedal Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lkml.kernel.org/r/20210501141950.23622-2-odin@uged.al Signed-off-by: Sasha Levin commit f7347c85490b92dd144fa1fba9e1eca501656ab3 Author: Quentin Perret Date: Fri Apr 30 15:14:12 2021 +0000 sched: Fix out-of-bound access in uclamp [ Upstream commit 6d2f8909a5fabb73fe2a63918117943986c39b6c ] Util-clamp places tasks in different buckets based on their clamp values for performance reasons. However, the size of buckets is currently computed using a rounding division, which can lead to an off-by-one error in some configurations. For instance, with 20 buckets, the bucket size will be 1024/20=51. A task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly, correct indexes are in range [0,19], hence leading to an out of bound memory access. Clamp the bucket id to fix the issue. Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting") Suggested-by: Qais Yousef Signed-off-by: Quentin Perret Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Reviewed-by: Dietmar Eggemann Link: https://lkml.kernel.org/r/20210430151412.160913-1-qperret@google.com Signed-off-by: Sasha Levin commit 26359d362c93bdca3038f7f70d28d5ed46222a03 Author: Marc Kleine-Budde Date: Wed May 5 13:32:27 2021 +0200 can: m_can: m_can_tx_work_queue(): fix tx_skb race condition [ Upstream commit e04b2cfe61072c7966e1a5fb73dd1feb30c206ed ] The m_can_start_xmit() function checks if the cdev->tx_skb is NULL and returns with NETDEV_TX_BUSY in case tx_sbk is not NULL. There is a race condition in the m_can_tx_work_queue(), where first the skb is send to the driver and then the case tx_sbk is set to NULL. A TX complete IRQ might come in between and wake the queue, which results in tx_skb not being cleared yet. Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") Tested-by: Torin Cooper-Bennun Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit eecb4df8ec9f896b19ee05bfa632ac6c1dcd8f21 Author: Frieder Schrempf Date: Wed May 5 09:14:15 2021 +0200 can: mcp251x: fix resume from sleep before interface was brought up [ Upstream commit 03c427147b2d3e503af258711af4fc792b89b0af ] Since 8ce8c0abcba3 the driver queues work via priv->restart_work when resuming after suspend, even when the interface was not previously enabled. This causes a null dereference error as the workqueue is only allocated and initialized in mcp251x_open(). To fix this we move the workqueue init to mcp251x_can_probe() as there is no reason to do it later and repeat it whenever mcp251x_open() is called. Fixes: 8ce8c0abcba3 ("can: mcp251x: only reset hardware as required") Link: https://lore.kernel.org/r/17d5d714-b468-482f-f37a-482e3d6df84e@kontron.de Signed-off-by: Frieder Schrempf Reviewed-by: Andy Shevchenko [mkl: fix error handling in mcp251x_stop()] Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 02140d9d2712aadc0f39c0b8c9bed71180fafaf2 Author: Marc Kleine-Budde Date: Sun May 2 11:34:34 2021 +0200 can: mcp251xfd: mcp251xfd_probe(): add missing can_rx_offload_del() in error path [ Upstream commit 4376ea42db8bfcac2bc3a30bba93917244a8c2d4 ] This patch adds the missing can_rx_offload_del(), that must be called if mcp251xfd_register() fails. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Link: https://lore.kernel.org/r/20210504091838.1109047-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2c784a500f5edd337258b0fdb2f31bc9abde1a23 Author: Pablo Neira Ayuso Date: Wed May 5 23:06:43 2021 +0200 netfilter: nftables: Fix a memleak from userdata error path in new objects [ Upstream commit 85dfd816fabfc16e71786eda0a33a7046688b5b0 ] Release object name if userdata allocation fails. Fixes: b131c96496b3 ("netfilter: nf_tables: add userdata support for nft_object") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 403ccad066ecf63f83e25d3f701d6f39cc0a9f7d Author: Pablo Neira Ayuso Date: Wed May 5 22:25:24 2021 +0200 netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check [ Upstream commit 5e024c325406470d1165a09c6feaf8ec897936be ] Do not assume that the tcph->doff field is correct when parsing for TCP options, skb_header_pointer() might fail to fetch these bits. Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit cee6592d444ac61acd55aad6386e29e13ba545df Author: Cong Wang Date: Wed May 5 12:40:48 2021 -0700 smc: disallow TCP_ULP in smc_setsockopt() [ Upstream commit 8621436671f3a4bba5db57482e1ee604708bf1eb ] syzbot is able to setup kTLS on an SMC socket which coincidentally uses sk_user_data too. Later, kTLS treats it as psock so triggers a refcnt warning. The root cause is that smc_setsockopt() simply calls TCP setsockopt() which includes TCP_ULP. I do not think it makes sense to setup kTLS on top of SMC sockets, so we should just disallow this setup. It is hard to find a commit to blame, but we can apply this patch since the beginning of TCP_ULP. Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") Cc: John Fastabend Signed-off-by: Karsten Graul Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d6c635a8cc6a0ed93444a43124ff752475ed0680 Author: Maciej Żenczykowski Date: Wed May 5 09:58:31 2021 -0700 net: fix nla_strcmp to handle more then one trailing null character [ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ] Android userspace has been using TCA_KIND with a char[IFNAMESIZ] many-null-terminated buffer containing the string 'bpf'. This works on 4.19 and ceases to work on 5.10. I'm not entirely sure what fixes tag to use, but I think the issue was likely introduced in the below mentioned 5.4 commit. Reported-by: Nucca Chen Cc: Cong Wang Cc: David Ahern Cc: David S. Miller Cc: Jakub Kicinski Cc: Jamal Hadi Salim Cc: Jiri Pirko Cc: Jiri Pirko Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND") Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 26b7924707a499168bf82a6cbb3c5753d7739941 Author: Fernando Fernandez Mancera Date: Wed May 5 00:47:14 2021 +0200 ethtool: fix missing NLM_F_MULTI flag when dumping [ Upstream commit cf754ae331be7cc192b951756a1dd031e9ed978a ] When dumping the ethtool information from all the interfaces, the netlink reply should contain the NLM_F_MULTI flag. This flag allows userspace tools to identify that multiple messages are expected. Link: https://bugzilla.redhat.com/1953847 Fixes: 365f9ae4ee36 ("ethtool: fix genlmsg_put() failure handling in ethnl_default_dumpit()") Signed-off-by: Fernando Fernandez Mancera Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 673422b97ef3766f944fed2dd1742a5cd351a61a Author: Pavel Tatashin Date: Tue May 4 18:38:49 2021 -0700 mm/gup: check for isolation errors [ Upstream commit 6e7f34ebb8d25d71ce7f4580ba3cbfc10b895580 ] It is still possible that we pin movable CMA pages if there are isolation errors and cma_page_list stays empty when we check again. Check for isolation errors, and return success only when there are no isolation errors, and cma_page_list is empty after checking. Because isolation errors are transient, we retry indefinitely. Link: https://lkml.kernel.org/r/20210215161349.246722-5-pasha.tatashin@soleen.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Pavel Tatashin Reviewed-by: Jason Gunthorpe Cc: Dan Williams Cc: David Hildenbrand Cc: David Rientjes Cc: Ingo Molnar Cc: Ira Weiny Cc: James Morris Cc: Jason Gunthorpe Cc: John Hubbard Cc: Joonsoo Kim Cc: Matthew Wilcox Cc: Mel Gorman Cc: Michal Hocko Cc: Michal Hocko Cc: Mike Kravetz Cc: Oscar Salvador Cc: Peter Zijlstra Cc: Sasha Levin Cc: Steven Rostedt (VMware) Cc: Tyler Hicks Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 096c9482cea201aef3fc7f532fcc209f51cbdefd Author: Pavel Tatashin Date: Tue May 4 18:38:46 2021 -0700 mm/gup: return an error on migration failure [ Upstream commit f0f4463837da17a89d965dcbe4e411629dbcf308 ] When migration failure occurs, we still pin pages, which means that we may pin CMA movable pages which should never be the case. Instead return an error without pinning pages when migration failure happens. No need to retry migrating, because migrate_pages() already retries 10 times. Link: https://lkml.kernel.org/r/20210215161349.246722-4-pasha.tatashin@soleen.com Signed-off-by: Pavel Tatashin Reviewed-by: Jason Gunthorpe Cc: Dan Williams Cc: David Hildenbrand Cc: David Rientjes Cc: Ingo Molnar Cc: Ira Weiny Cc: James Morris Cc: Jason Gunthorpe Cc: John Hubbard Cc: Joonsoo Kim Cc: Matthew Wilcox Cc: Mel Gorman Cc: Michal Hocko Cc: Michal Hocko Cc: Mike Kravetz Cc: Oscar Salvador Cc: Peter Zijlstra Cc: Sasha Levin Cc: Steven Rostedt (VMware) Cc: Tyler Hicks Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 7df511ef376df54e837f3f92c8c15bd71218917f Author: Pavel Tatashin Date: Tue May 4 18:38:42 2021 -0700 mm/gup: check every subpage of a compound page during isolation [ Upstream commit 83c02c23d0747a7bdcd71f99a538aacec94b146c ] When pages are isolated in check_and_migrate_movable_pages() we skip compound number of pages at a time. However, as Jason noted, it is not necessary correct that pages[i] corresponds to the pages that we skipped. This is because it is possible that the addresses in this range had split_huge_pmd()/split_huge_pud(), and these functions do not update the compound page metadata. The problem can be reproduced if something like this occurs: 1. User faulted huge pages. 2. split_huge_pmd() was called for some reason 3. User has unmapped some sub-pages in the range 4. User tries to longterm pin the addresses. The resulting pages[i] might end-up having pages which are not compound size page aligned. Link: https://lkml.kernel.org/r/20210215161349.246722-3-pasha.tatashin@soleen.com Fixes: aa712399c1e8 ("mm/gup: speed up check_and_migrate_cma_pages() on huge page") Signed-off-by: Pavel Tatashin Reported-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Cc: Dan Williams Cc: David Hildenbrand Cc: David Rientjes Cc: Ingo Molnar Cc: Ira Weiny Cc: James Morris Cc: Jason Gunthorpe Cc: John Hubbard Cc: Joonsoo Kim Cc: Matthew Wilcox Cc: Mel Gorman Cc: Michal Hocko Cc: Michal Hocko Cc: Mike Kravetz Cc: Oscar Salvador Cc: Peter Zijlstra Cc: Sasha Levin Cc: Steven Rostedt (VMware) Cc: Tyler Hicks Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 87c4e386b6125ac302c622abb0a833ace3d537ae Author: Miaohe Lin Date: Tue May 4 18:37:45 2021 -0700 ksm: fix potential missing rmap_item for stable_node [ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ] When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is cleared with head reserved. So the following scenario might happen: For ksm page with rmap_item1: cmp_and_merge_page stable_node->head = &migrate_nodes; remove_rmap_item_from_tree, but head still equal to stable_node; try_to_merge_with_ksm_page failed; return; For the same ksm page with rmap_item2, stable node migration succeed this time. The stable_node->head does not equal to migrate_nodes now. For ksm page with rmap_item1 again: cmp_and_merge_page stable_node->head != &migrate_nodes && rmap_item->head == stable_node return; We would miss the rmap_item for stable_node and might result in failed rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item is removed from stable tree. Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe") Signed-off-by: Miaohe Lin Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit aa0d6d1d3e77ead8c69df0ed69942dea4416e8d2 Author: Miaohe Lin Date: Tue May 4 18:37:10 2021 -0700 mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page() [ Upstream commit 34f5e9b9d1990d286199084efa752530ee3d8297 ] If the zone device page does not belong to un-addressable device memory, the variable entry will be uninitialized and lead to indeterminate pte entry ultimately. Fix this unexpected case and warn about it. Link: https://lkml.kernel.org/r/20210325131524.48181-4-linmiaohe@huawei.com Fixes: df6ad69838fc ("mm/device-public-memory: device memory cache coherent with CPU") Signed-off-by: Miaohe Lin Reviewed-by: David Hildenbrand Cc: Alistair Popple Cc: Jerome Glisse Cc: Rafael Aquini Cc: Yang Shi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9639a754cce5f1ef884c4392f7d9449041944644 Author: Miaohe Lin Date: Tue May 4 18:34:38 2021 -0700 mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() [ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ] A rare out of memory error would prevent removal of the reserve map region for a page. hugetlb_fix_reserve_counts() handles this rare case to avoid dangling with incorrect counts. Unfortunately, hugepage_subpool_get_pages and hugetlb_acct_memory could possibly fail too. We should correctly handle these cases. Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages") Signed-off-by: Miaohe Lin Cc: Feilong Lin Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 14d45fb5a3fcae53df9ee0fe1e16e5c686778731 Author: Miaohe Lin Date: Tue May 4 18:33:46 2021 -0700 khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate() [ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ] In writable and !referenced case, the result value should be SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate() instead of default 0 (SCAN_FAIL) here. Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages") Signed-off-by: Miaohe Lin Acked-by: Kirill A. Shutemov Cc: Dan Carpenter Cc: Ebru Akagunduz Cc: Mike Kravetz Cc: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 51524fa8b5f7b879ba569227738375d283b79382 Author: Mark Rutland Date: Wed Apr 28 12:15:55 2021 +0100 arm64: entry: always set GIC_PRIO_PSR_I_SET during entry [ Upstream commit 4d6a38da8e79e94cbd1344aa90876f0f805db705 ] Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR. Early in the entry sequence, we call lockdep_hardirqs_off() to inform lockdep that interrupts have been masked (as the HW sets DAIF wqhen entering an exception). Architecturally PMR_EL1 is not affected by exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in the exception entry sequence, so early in exception entry the PMR can indicate that interrupts are unmasked even though they are masked by DAIF. If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the exception entry paths, and hence lockdep_hardirqs_off() will WARN() that something is amiss. We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during exception entry so that kernel code sees a consistent environment. We must also update local_daif_inherit() to undo this, as currently only touches DAIF. For other paths, local_daif_restore() will update both DAIF and the PMR. With this done, we can remove the existing special cases which set this later in the entry code. We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with local_daif_save(), as this will warn if it ever encounters (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This matches the gic_prio_kentry_setup that we have to retain for ret_to_user. The original splat from Zenghui's report was: | DEBUG_LOCKS_WARN_ON(!irqs_disabled()) | WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8 | Modules linked in: | CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463 | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--) | pc : lockdep_hardirqs_off+0xd4/0xe8 | lr : lockdep_hardirqs_off+0xd4/0xe8 | sp : ffff80002a39bad0 | pmr_save: 000000e0 | x29: ffff80002a39bad0 x28: ffff0000de214bc0 | x27: ffff0000de1c0400 x26: 000000000049b328 | x25: 0000000000406f30 x24: ffff0000de1c00a0 | x23: 0000000020400005 x22: ffff8000105f747c | x21: 0000000096000044 x20: 0000000000498ef9 | x19: ffff80002a39bc88 x18: ffffffffffffffff | x17: 0000000000000000 x16: ffff800011c61eb0 | x15: ffff800011700a88 x14: 0720072007200720 | x13: 0720072007200720 x12: 0720072007200720 | x11: 0720072007200720 x10: 0720072007200720 | x9 : ffff80002a39bad0 x8 : ffff80002a39bad0 | x7 : ffff8000119f0800 x6 : c0000000ffff7fff | x5 : ffff8000119f07a8 x4 : 0000000000000001 | x3 : 9bcdab23f2432800 x2 : ffff800011730538 | x1 : 9bcdab23f2432800 x0 : 0000000000000000 | Call trace: | lockdep_hardirqs_off+0xd4/0xe8 | enter_from_kernel_mode.isra.5+0x7c/0xa8 | el1_abort+0x24/0x100 | el1_sync_handler+0x80/0xd0 | el1_sync+0x6c/0x100 | __arch_clear_user+0xc/0x90 | load_elf_binary+0x9fc/0x1450 | bprm_execve+0x404/0x880 | kernel_execve+0x180/0x188 | call_usermodehelper_exec_async+0xdc/0x158 | ret_from_fork+0x10/0x18 Fixes: 23529049c684 ("arm64: entry: fix non-NMI user<->kernel transitions") Fixes: 7cd1ea1010ac ("arm64: entry: fix non-NMI kernel<->kernel transitions") Fixes: f0cd5ac1e4c5 ("arm64: entry: fix NMI {user, kernel}->kernel transitions") Fixes: 2a9b3e6ac69a ("arm64: entry: fix EL1 debug transitions") Link: https://lore.kernel.org/r/f4012761-026f-4e51-3a0c-7524e434e8b3@huawei.com Signed-off-by: Mark Rutland Reported-by: Zenghui Yu Cc: Marc Zyngier Cc: Will Deacon Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20210428111555.50880-1-mark.rutland@arm.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit c9f43423c41efe151621a37c8cbeb9c9aeefc02a Author: Marc Zyngier Date: Mon Mar 15 11:56:27 2021 +0000 arm64: entry: factor irq triage logic into macros [ Upstream commit 9eb563cdabe1d583c262042d5d44cc256f644543 ] In subsequent patches we'll allow an FIQ handler to be registered, and FIQ exceptions will need to be triaged very similarly to IRQ exceptions. So that we can reuse the existing logic, this patch factors the IRQ triage logic out into macros that can be reused for FIQ. The macros are named to follow the elX_foo_handler scheme used by the C exception handlers. For consistency with other top-level exception handlers, the kernel_entry/kernel_exit logic is not moved into the macros. As FIQ will use a different C handler, this handler name is provided as an argument to the macros. There should be no functional change as a result of this patch. Signed-off-by: Marc Zyngier [Mark: rework macros, commit message, rebase before DAIF rework] Signed-off-by: Mark Rutland Tested-by: Hector Martin Cc: James Morse Cc: Thomas Gleixner Cc: Will Deacon Acked-by: Will Deacon Link: https://lore.kernel.org/r/20210315115629.57191-5-mark.rutland@arm.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 93dcaa8cba6561f796bcc1d53e57b1e4c9ab33cc Author: Kees Cook Date: Sun May 2 22:06:08 2021 -0700 drm/radeon: Avoid power table parsing memory leaks [ Upstream commit c69f27137a38d24301a6b659454a91ad85dff4aa ] Avoid leaving a hanging pre-allocated clock_info if last mode is invalid, and avoid heap corruption if no valid modes are found. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework") Signed-off-by: Kees Cook Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 79208af94738664b554df27d7d24f85fa02020c0 Author: Kees Cook Date: Sun May 2 22:06:07 2021 -0700 drm/radeon: Fix off-by-one power_state index heap overwrite [ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ] An out of bounds write happens when setting the default power state. KASAN sees this as: [drm] radeon: 512M of GTT memory ready. [drm] GART: num cpu pages 131072, num gpu pages 131072 ================================================================== BUG: KASAN: slab-out-of-bounds in radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157 CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50 Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 Call Trace: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x18/0x239 kasan_report+0x170/0x1a8 radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon] radeon_atombios_get_power_modes+0x144/0x1888 [radeon] radeon_pm_init+0x1019/0x1904 [radeon] rs690_init+0x76e/0x84a [radeon] radeon_device_init+0x1c1a/0x21e5 [radeon] radeon_driver_load_kms+0xf5/0x30b [radeon] drm_dev_register+0x255/0x4a0 [drm] radeon_pci_probe+0x246/0x2f6 [radeon] pci_device_probe+0x1aa/0x294 really_probe+0x30e/0x850 driver_probe_device+0xe6/0x135 device_driver_attach+0xc1/0xf8 __driver_attach+0x13f/0x146 bus_for_each_dev+0xfa/0x146 bus_add_driver+0x2b3/0x447 driver_register+0x242/0x2c1 do_one_initcall+0x149/0x2fd do_init_module+0x1ae/0x573 load_module+0x4dee/0x5cca __do_sys_finit_module+0xf1/0x140 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Without KASAN, this will manifest later when the kernel attempts to allocate memory that was stomped, since it collides with the inline slab freelist pointer: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2 Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008 RIP: 0010:kfree+0x115/0x230 Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7 RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246 RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80 RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000 R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100 FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0 Call Trace: __free_fdtable+0x16/0x1f put_files_struct+0x81/0x9b do_exit+0x433/0x94d do_group_exit+0xa6/0xa6 __x64_sys_exit_group+0xf/0xf do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fe80ef64bea Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0. RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0 R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0 Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ... Use a valid power_state index when initializing the "flags" and "misc" and "misc2" fields. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537 Reported-by: Erhard F. Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)") Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups") Signed-off-by: Kees Cook Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f551068f5f32d66d226ffd256a2ce8eb87f24d02 Author: Ramesh Babu B Date: Tue May 4 21:12:41 2021 +0530 net: stmmac: Clear receive all(RA) bit when promiscuous mode is off [ Upstream commit 4c7a94286ef7ac7301d633f17519fb1bb89d7550 ] In promiscuous mode Receive All bit is set in GMAC packet filter register, but outside promiscuous mode Receive All bit is not cleared, which resulted in all network packets are received when toggle (ON/OFF) the promiscuous mode. Fixes: e0f9956a3862 ("net: stmmac: Add option for VLAN filter fail queue enable") Signed-off-by: Ramesh Babu B Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 340de910d65e71a67a28eac0402d49b0c30eca9c Author: Xuan Zhuo Date: Wed Apr 28 17:44:24 2021 +0800 xsk: Fix for xp_aligned_validate_desc() when len == chunk_size [ Upstream commit ac31565c21937eee9117e43c9cd34f557f6f1cb8 ] When desc->len is equal to chunk_size, it is legal. But when the xp_aligned_validate_desc() got chunk_end from desc->addr + desc->len pointing to the next chunk during the check, it caused the check to fail. This problem was first introduced in bbff2f321a86 ("xsk: new descriptor addressing scheme"). Later in 2b43470add8c ("xsk: Introduce AF_XDP buffer allocation API") this piece of code was moved into the new function called xp_aligned_validate_desc(). This function was then moved into xsk_queue.h via 26062b185eee ("xsk: Explicitly inline functions and move definitions"). Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme") Signed-off-by: Xuan Zhuo Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20210428094424.54435-1-xuanzhuo@linux.alibaba.com Signed-off-by: Sasha Levin commit 75ea982469035153cd494337b0de0f09b8e5bdf2 Author: Pablo Neira Ayuso Date: Fri Apr 30 14:00:13 2021 +0200 netfilter: xt_SECMARK: add new revision to fix structure layout [ Upstream commit c7d13358b6a2f49f81a34aa323a2d0878a0532a2 ] This extension breaks when trying to delete rules, add a new revision to fix this. Fixes: 5e6874cdb8de ("[SECMARK]: Add xtables SECMARK target") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit db5f1c6f776d7f02e490ba2943d388a0b6140949 Author: Xin Long Date: Mon May 3 04:41:20 2021 +0800 sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b [ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ] Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into ESTABLISHED from the state < ESTABLISHED and decremented when the asoc is being deleted. However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB multiple times but only decrement once at the end. I was able to reproduce it by using scapy to do the 4-way shakehands, after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field changed to different values, and SCTP_MIB_CURRESTAB was incremented multiple times and never went back to 0 even when the asoc was freed. This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when the state < ESTABLISHED in sctp_sf_do_dupcook_b(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7afdd6aba95c8a526038e7abe283eeac3e4320f1 Author: Lv Yunlong Date: Sun May 2 04:58:18 2021 -0700 ethernet:enic: Fix a use after free bug in enic_hard_start_xmit [ Upstream commit 643001b47adc844ae33510c4bb93c236667008a3 ] In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() incase of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961. Fixes: fb7516d42478e ("enic: add sw timestamp support") Signed-off-by: Lv Yunlong Acked-by: Govindarajulu Varadarajan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3d808916d256b49b971b55eebedece7b34e1d6a2 Author: Md Haris Iqbal Date: Wed Apr 28 08:13:58 2021 +0200 block/rnbd-clt: Check the return value of the function rtrs_clt_query [ Upstream commit 1056ad829ec43f9b705b507c2093b05e2088b0b7 ] In case none of the paths are in connected state, the function rtrs_clt_query returns an error. In such a case, error out since the values in the rtrs_attrs structure would be garbage. Fixes: f7a7a5c228d45 ("block/rnbd: client: main functionality") Signed-off-by: Md Haris Iqbal Reviewed-by: Guoqing Jiang Signed-off-by: Jack Wang Signed-off-by: Gioh Kim Link: https://lore.kernel.org/r/20210428061359.206794-4-gi-oh.kim@ionos.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c1a90296a9b5dad2afaf7f3802f4c8e9e8410c3d Author: Md Haris Iqbal Date: Wed Apr 28 08:13:56 2021 +0200 block/rnbd-clt: Change queue_depth type in rnbd_clt_session to size_t [ Upstream commit 80d43cbd46155744ee450d2476ee4fcf2917ae9b ] The member queue_depth in the structure rnbd_clt_session is read from the rtrs client side using the function rtrs_clt_query, which in turn is read from the rtrs_clt structure. It should really be of type size_t. Fixes: 90426e89f54db ("block/rnbd: client: private header with client structs and functions") Signed-off-by: Md Haris Iqbal Reviewed-by: Guoqing Jiang Signed-off-by: Gioh Kim Link: https://lore.kernel.org/r/20210428061359.206794-2-gi-oh.kim@ionos.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4aae6eb6af7d1ac2ee5762077892185884d8f169 Author: Brendan Jackman Date: Thu Apr 29 13:05:10 2021 +0000 libbpf: Fix signed overflow in ringbuf_process_ring [ Upstream commit 2a30f9440640c418bcfbea9b2b344d268b58e0a2 ] One of our benchmarks running in (Google-internal) CI pushes data through the ringbuf faster htan than userspace is able to consume it. In this case it seems we're actually able to get >INT_MAX entries in a single ring_buffer__consume() call. ASAN detected that cnt overflows in this case. Fix by using 64-bit counter internally and then capping the result to INT_MAX before converting to the int return type. Do the same for the ring_buffer__poll(). Fixes: bf99c936f947 (libbpf: Add BPF ring buffer support) Signed-off-by: Brendan Jackman Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210429130510.1621665-1-jackmanb@google.com Signed-off-by: Sasha Levin commit 60bb2cecf47f642dcd5e51fc7cb3d7b29d670424 Author: Baptiste Lepers Date: Sat May 1 14:10:51 2021 +1000 sunrpc: Fix misplaced barrier in call_decode [ Upstream commit f8f7e0fb22b2e75be55f2f0c13e229e75b0eac07 ] Fix a misplaced barrier in call_decode. The struct rpc_rqst is modified as follows by xprt_complete_rqst: req->rq_private_buf.len = copied; /* Ensure all writes are done before we update */ /* req->rq_reply_bytes_recvd */ smp_wmb(); req->rq_reply_bytes_recvd = copied; And currently read as follows by call_decode: smp_rmb(); // misplaced if (!req->rq_reply_bytes_recvd) goto out; req->rq_rcv_buf.len = req->rq_private_buf.len; This patch places the smp_rmb after the if to ensure that rq_reply_bytes_recvd and rq_private_buf.len are read in order. Fixes: 9ba828861c56a ("SUNRPC: Don't try to parse incomplete RPC messages") Signed-off-by: Baptiste Lepers Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 208af7ffc3519723a344fd94a3ec6c3a5c0ea55f Author: Anup Patel Date: Thu Apr 15 14:25:22 2021 +0530 RISC-V: Fix error code returned by riscv_hartid_to_cpuid() [ Upstream commit 533b4f3a789d49574e7ae0f6ececed153f651f97 ] We should return a negative error code upon failure in riscv_hartid_to_cpuid() instead of NR_CPUS. This is also aligned with all uses of riscv_hartid_to_cpuid() which expect negative error code upon failure. Fixes: 6825c7a80f18 ("RISC-V: Add logical CPU indexing for RISC-V") Fixes: f99fb607fb2b ("RISC-V: Use Linux logical CPU number instead of hartid") Signed-off-by: Anup Patel Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit f01988ecf3654f805282dce2d3bb9afe68d2691e Author: Xin Long Date: Sat May 1 04:02:58 2021 +0800 sctp: do asoc update earlier in sctp_sf_do_dupcook_a [ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] There's a panic that occurs in a few of envs, the call trace is as below: [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transort from the new asoc. However, later in the sideeffect machine, the old asoc is used to send them out and old asoc's shutdown_last_sent_to is set to the transport that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc T2 timeout, the old asoc's shutdown_last_sent_to that is already freed would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this. Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") Reported-by: Alexander Sverdlin Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com Reported-by: Michal Tesar Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 65084886c6ee5f7f4e9cbe7afc79fb0243ab4099 Author: Yufeng Mo Date: Fri Apr 30 17:06:22 2021 +0800 net: hns3: disable phy loopback setting in hclge_mac_start_phy [ Upstream commit 472497d0bdae890a896013332a0b673f9acdf2bf ] If selftest and reset are performed at the same time, the phy loopback setting may be still in enable state after the reset, and device cannot link up. So fix this issue by disabling phy loopback before phy_start(). Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC") Signed-off-by: Yufeng Mo Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5aa957e2b5fce76c1e8c845cf5ea1022fe1fd178 Author: Peng Li Date: Fri Apr 30 17:06:20 2021 +0800 net: hns3: use netif_tx_disable to stop the transmit queue [ Upstream commit b416e872be06fdace3c36cf5210130509d0f0e72 ] Currently, netif_tx_stop_all_queues() is used to ensure that the xmit is not running, but for the concurrent case it will not take effect, since netif_tx_stop_all_queues() just sets a flag without locking to indicate that the xmit queue(s) should not be run. So use netif_tx_disable() to replace netif_tx_stop_all_queues(), it takes the xmit queue lock while marking the queue stopped. Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") Signed-off-by: Peng Li Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 90120c475dd7267541db416ce9490257f0bb15f7 Author: Hao Chen Date: Fri Apr 30 17:06:19 2021 +0800 net: hns3: fix for vxlan gpe tx checksum bug [ Upstream commit 905416f18fe74bdd4de91bf94ef5a790a36e4b99 ] When skb->ip_summed is CHECKSUM_PARTIAL, for non-tunnel udp packet, which has a dest port as the IANA assigned, the hardware is expected to do the checksum offload, but the hardware whose version is below V3 will not do the checksum offload when udp dest port is 4790. So fixes it by doing the checksum in software for this case. Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") Signed-off-by: Hao Chen Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7a476a8a9cb69096ea37c8f71ec3455a4be3c948 Author: Jian Shen Date: Thu Apr 29 16:34:52 2021 +0800 net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() [ Upstream commit b4047aac4ec1066bab6c71950623746d7bcf7154 ] In some cases, the device is not initialized because reset failed. If another task calls hns3_reset_notify_up_enet() before reset retry, it will cause an error since uninitialized pointer access. So add check for HNS3_NIC_STATE_INITED before calling hns3_nic_net_open() in hns3_reset_notify_up_enet(). Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client") Signed-off-by: Jian Shen Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bd4d527ea5f757dba64a05368b691fd0e6378654 Author: Yufeng Mo Date: Thu Apr 29 16:34:51 2021 +0800 net: hns3: initialize the message content in hclge_get_link_mode() [ Upstream commit 568a54bdf70b143f3e0befa298e22ad469ffc732 ] The message sent to VF should be initialized, otherwise random value of some contents may cause improper processing by the target. So add a initialization to message in hclge_get_link_mode(). Fixes: 9194d18b0577 ("net: hns3: fix the problem that the supported port is empty") Signed-off-by: Yufeng Mo Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5d326e253501868538da2c7ac602ef797b3720b1 Author: Yufeng Mo Date: Thu Apr 29 16:34:50 2021 +0800 net: hns3: fix incorrect configuration for igu_egu_hw_err [ Upstream commit 2867298dd49ee84214b8721521dc7a5a6382520c ] According to the UM, the type and enable status of igu_egu_hw_err should be configured separately. Currently, the type field is incorrect when disable this error. So fix it by configuring these two fields separately. Fixes: bf1faf9415dd ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI") Signed-off-by: Yufeng Mo Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 494ade7aba117f8054f78addc5c36f1a622b17e8 Author: Nobuhiro Iwamatsu Date: Tue Apr 20 11:39:17 2021 +0900 rtc: ds1307: Fix wday settings for rx8130 [ Upstream commit 204756f016726a380bafe619438ed979088bd04a ] rx8130 wday specifies the bit position, not BCD. Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE") Signed-off-by: Nobuhiro Iwamatsu Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp Signed-off-by: Sasha Levin commit 5515b85e1a010153cb1fcba2290612540f94ce70 Author: Can Guo Date: Sun Apr 25 20:48:40 2021 -0700 scsi: ufs: core: Narrow down fast path in system suspend path [ Upstream commit ce4f62f9dd8cf43ac044045ed598a0b80ef33890 ] If spm_lvl is set to 0 or 1, when system suspend kicks start and HBA is runtime active, system suspend may just bail without doing anything (the fast path), leaving other contexts still running, e.g., clock gating and clock scaling. When system resume kicks start, concurrency can happen between ufshcd_resume() and these contexts, leading to various stability issues. Add a check against HBA's runtime state and allowing fast path only if HBA is runtime suspended, otherwise let system suspend go ahead call ufshcd_suspend(). This will guarantee that these contexts are stopped by either runtime suspend or system suspend. Link: https://lore.kernel.org/r/1619408921-30426-4-git-send-email-cang@codeaurora.org Fixes: 0b257734344a ("scsi: ufs: optimize system suspend handling") Reviewed-by: Daejun Park Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e8295def80b7b318b6c2b3b10e6aa8fc5b1140f2 Author: Can Guo Date: Sun Apr 25 20:48:39 2021 -0700 scsi: ufs: core: Cancel rpm_dev_flush_recheck_work during system suspend [ Upstream commit 637822e63b79ee8a729f7ba2645a26cf5a524ee4 ] During ufs system suspend, leaving rpm_dev_flush_recheck_work running or pending is risky because concurrency may happen between system suspend/resume and runtime resume routine. Fix this by cancelling rpm_dev_flush_recheck_work synchronously during system suspend. Link: https://lore.kernel.org/r/1619408921-30426-3-git-send-email-cang@codeaurora.org Fixes: 51dd905bd2f6 ("scsi: ufs: Fix WriteBooster flush during runtime suspend") Reviewed-by: Daejun Park Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 591602738e00f7f62befda6866266676cbc53eca Author: Can Guo Date: Sun Apr 25 20:48:38 2021 -0700 scsi: ufs: core: Do not put UFS power into LPM if link is broken [ Upstream commit 23043dd87b153d02eaf676e752d32429be5e5126 ] During resume, if link is broken due to AH8 failure, make sure ufshcd_resume() does not put UFS power back into LPM. Link: https://lore.kernel.org/r/1619408921-30426-2-git-send-email-cang@codeaurora.org Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths") Reviewed-by: Daejun Park Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 429ac0fb8375ba2ded1097c4c564b512d3615cce Author: Anastasia Kovaleva Date: Thu Apr 22 18:34:14 2021 +0300 scsi: qla2xxx: Prevent PRLI in target mode [ Upstream commit fcb16d9a8ecf1e9bfced0fc654ea4e2caa7517f4 ] In a case when the initiator in P2P mode by some circumstances does not send PRLI, the target, in a case when the target port's WWPN is less than initiator's, changes the discovery state in DSC_GNL. When gnl completes it sends PRLI to the initiator. Usually the initiator in P2P mode always sends PRLI. We caught this issue on Linux stable v5.4.6 https://www.spinics.net/lists/stable/msg458515.html. Fix this particular corner case in the behaviour of the P2P mod target login state machine. Link: https://lore.kernel.org/r/20210422153414.4022-1-a.kovaleva@yadro.com Fixes: a9ed06d4e640 ("scsi: qla2xxx: Allow PLOGI in target mode") Reviewed-by: Roman Bolshakov Reviewed-by: Himanshu Madhani Signed-off-by: Anastasia Kovaleva Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bf45c9fe99aa8003d2703f1bd353f956dea47e40 Author: Jeff Layton Date: Fri Mar 26 09:21:53 2021 -0400 ceph: fix inode leak on getattr error in __fh_to_dentry [ Upstream commit 1775c7ddacfcea29051c67409087578f8f4d751b ] Fixes: 878dabb64117 ("ceph: don't return -ESTALE if there's still an open file") Signed-off-by: Jeff Layton Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit a01572e21f0941a1c8b7d39369fec3bd9b7e5e85 Author: Claire Chang Date: Thu Apr 22 16:14:53 2021 +0800 swiotlb: Fix the type of index [ Upstream commit 95b079d8215b83b37fa59341fda92fcb9392f14a ] Fix the type of index from unsigned int to int since find_slots() might return -1. Fixes: 26a7e094783d ("swiotlb: refactor swiotlb_tbl_map_single") Reviewed-by: Christoph Hellwig Signed-off-by: Claire Chang Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Sasha Levin commit 04dad2ca1f5e460296b983d332cff642055c4def Author: Chuck Lever Date: Mon Apr 19 14:02:54 2021 -0400 xprtrdma: rpcrdma_mr_pop() already does list_del_init() [ Upstream commit 1363e6388c363d0433f9aa4e2f33efe047572687 ] The rpcrdma_mr_pop() earlier in the function has already cleared out mr_list, so it must not be done again in the error path. Fixes: 847568942f93 ("xprtrdma: Remove fr_state") Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit eddae8be7944096419c2ae29477a45f767d0fcd4 Author: Chuck Lever Date: Mon Apr 19 14:02:41 2021 -0400 xprtrdma: Fix cwnd update ordering [ Upstream commit 35d8b10a25884050bb3b0149b62c3818ec59f77c ] After a reconnect, the reply handler is opening the cwnd (and thus enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() can post enough Receive WRs to receive their replies. This causes an RNR and the new connection is lost immediately. The race is most clearly exposed when KASAN and disconnect injection are enabled. This slows down rpcrdma_rep_create() enough to allow the send side to post a bunch of RPC Calls before the Receive completion handler can invoke ib_post_recv(). Fixes: 2ae50ad68cd7 ("xprtrdma: Close window between waking RPC senders and posting Receives") Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 89a31bf85c7b99e8f501f5b8559577983017e27e Author: Chuck Lever Date: Mon Apr 19 14:02:03 2021 -0400 xprtrdma: Avoid Receive Queue wrapping [ Upstream commit 32e6b68167f1d446111c973d57e6f52aee11897a ] Commit e340c2d6ef2a ("xprtrdma: Reduce the doorbell rate (Receive)") increased the number of Receive WRs that are posted by the client, but did not increase the size of the Receive Queue allocated during transport set-up. This is usually not an issue because RPCRDMA_BACKWARD_WRS is defined as (32) when SUNRPC_BACKCHANNEL is defined. In cases where it isn't, there is a real risk of Receive Queue wrapping. Fixes: e340c2d6ef2a ("xprtrdma: Reduce the doorbell rate (Receive)") Signed-off-by: Chuck Lever Reviewed-by: Tom Talpey Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b22e8f427c3de299c47350caae2a4f80f6d7eb61 Author: Uwe Kleine-König Date: Tue Apr 20 11:51:17 2021 +0200 pwm: atmel: Fix duty cycle calculation in .get_state() [ Upstream commit 453e8b3d8e36ddcb283b3d1698864a03ea45599a ] The CDTY register contains the number of inactive cycles. .apply() does this correctly, however .get_state() got this wrong. Fixes: 651b510a74d4 ("pwm: atmel: Implement .get_state()") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0a9decf2dd4d859bdc791165abc2b646a85dd00f Author: Dan Carpenter Date: Thu Apr 22 12:14:37 2021 +0300 SUNRPC: fix ternary sign expansion bug in tracing [ Upstream commit cb579086536f6564f5846f89808ec394ef8b8621 ] This code is supposed to pass negative "err" values for tracing but it passes positive values instead. The problem is that the trace_svcsock_tcp_send() function takes a long but "err" is an int and "sent" is a u32. The negative is first type promoted to u32 so it becomes a high positive then it is promoted to long and it stays positive. Fix this by casting "err" directly to long. Fixes: 998024dee197 ("SUNRPC: Add more svcsock tracepoints") Signed-off-by: Dan Carpenter Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit dd41a0e515322221954258e2fd27b726bef6383a Author: Dave Jiang Date: Thu Apr 15 16:37:57 2021 -0700 dmaengine: idxd: fix cdev setup and free device lifetime issues [ Upstream commit 04922b7445a1950b86f130a1fe8c52cc27b3e30b ] The char device setup and cleanup has device lifetime issues regarding when parts are initialized and cleaned up. The initialization of struct device is done incorrectly. device_initialize() needs to be called on the 'struct device' and then additional changes can be added. The ->release() function needs to be setup via device_type before dev_set_name() to allow proper cleanup. The change re-parents the cdev under the wq->conf_dev to get natural reference inheritance. No known dependency on the old device path exists. Reported-by: Jason Gunthorpe Fixes: 42d279f9137a ("dmaengine: idxd: add char driver to expose submission portal to userland") Signed-off-by: Dave Jiang Reviewed-by: Dan Williams Link: https://lore.kernel.org/r/161852987721.2203940.1478218825576630810.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 975c4b2b997659c47dfae1d8073cf4370f96e598 Author: Dave Jiang Date: Thu Apr 15 16:37:10 2021 -0700 dmaengine: idxd: fix dma device lifetime [ Upstream commit 397862855619271296e46d10f7dfa7bafe71eb81 ] The devm managed lifetime is incompatible with 'struct device' objects that resides in idxd context. This is one of the series that clean up the idxd driver 'struct device' lifetime. Remove embedding of dma_device and dma_chan in idxd since it's not the only interface that idxd will use. The freeing of the dma_device will be managed by the ->release() function. Reported-by: Jason Gunthorpe Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Signed-off-by: Dave Jiang Reviewed-by: Dan Williams Link: https://lore.kernel.org/r/161852983001.2203940.14817017492384561719.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 5756f757c72501ef1a16f5f63f940623044180e9 Author: Colin Ian King Date: Thu Apr 15 12:06:54 2021 +0100 dmaengine: idxd: Fix potential null dereference on pointer status [ Upstream commit 28ac8e03c43dfc6a703aa420d18222540b801120 ] There are calls to idxd_cmd_exec that pass a null status pointer however a recent commit has added an assignment to *status that can end up with a null pointer dereference. The function expects a null status pointer sometimes as there is a later assignment to *status where status is first null checked. Fix the issue by null checking status before making the assignment. Addresses-Coverity: ("Explicit null dereferenced") Fixes: 89e3becd8f82 ("dmaengine: idxd: check device state before issue command") Signed-off-by: Colin Ian King Acked-by: Dave Jiang Link: https://lore.kernel.org/r/20210415110654.1941580-1-colin.king@canonical.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0f9d467ff1396c66f64e9bd2de3ec25bfc10b7a0 Author: Michael Walle Date: Wed Apr 14 10:40:06 2021 +0200 rtc: fsl-ftm-alarm: add MODULE_TABLE() [ Upstream commit 7fcb86185978661c9188397d474f90364745b8d9 ] The module doesn't load automatically. Fix it by adding the missing MODULE_TABLE(). Fixes: 7b0b551dbc1e ("rtc: fsl-ftm-alarm: add FTM alarm driver") Signed-off-by: Michael Walle Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.cc Signed-off-by: Sasha Levin commit 90e8fa8bdfb38fa4c8425dbb92985441cb7467c0 Author: J. Bruce Fields Date: Fri Apr 16 14:00:14 2021 -0400 nfsd: ensure new clients break delegations [ Upstream commit 217fd6f625af591e2866bebb8cda778cf85bea2e ] If nfsd already has an open file that it plans to use for IO from another, it may not need to do another vfs open, but it still may need to break any delegations in case the existing opens are for another client. Symptoms are that we may incorrectly fail to break a delegation on a write open from a different client, when the delegation-holding client already has a write open. Fixes: 28df3d1539de ("nfsd: clients don't need to break their own delegations") Signed-off-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit b4bf335acaccd6de239bb00c1edebbb8612761e6 Author: Trond Myklebust Date: Thu Apr 15 15:09:41 2021 -0400 NFSv4.x: Don't return NFS4ERR_NOMATCHING_LAYOUT if we're unmounting [ Upstream commit 8926cc8302819be9e67f70409ed001ecb2c924a9 ] If the NFS super block is being unmounted, then we currently may end up telling the server that we've forgotten the layout while it is actually still in use by the client. In that case, just assume that the client will soon return the layout anyway, and so return NFS4ERR_DELAY in response to the layout recall. Fixes: 58ac3e59235f ("NFSv4/pnfs: Clean up nfs_layout_find_inode()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 5d254e17ca86fb51d9e5030578636d8bb0649a60 Author: Guangqing Zhu Date: Sun Apr 4 20:54:31 2021 +0800 thermal/drivers/tsens: Fix missing put_device error [ Upstream commit f4136863e8899fa0554343201b78b9e197c78a78 ] Fixes coccicheck error: drivers/thermal/qcom/tsens.c:759:4-10: ERROR: missing put_device; call of_find_device_by_node on line 715, but without a corresponding object release within this function. Fixes: a7ff82976122 ("drivers: thermal: tsens: Merge tsens-common.c into tsens.c") Signed-off-by: Guangqing Zhu Reviewed-by: Bjorn Andersson Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210404125431.12208-1-zhuguangqing83@gmail.com Signed-off-by: Sasha Levin commit 4f86a0a5eb6158048040d8a8ffb112c92caa013f Author: Chris Dion Date: Sun Apr 4 21:29:26 2021 -0400 SUNRPC: Handle major timeout in xprt_adjust_timeout() [ Upstream commit 09252177d5f924f404551b4b4eded5daa7f04a3a ] Currently if a major timeout value is reached, but the minor value has not been reached, an ETIMEOUT will not be sent back to the caller. This can occur if the v4 server is not responding to requests and retrans is configured larger than the default of two. For example, A TCP mount with a configured timeout value of 50 and a retransmission count of 3 to a v4 server which is not responding: 1. Initial value and increment set to 5s, maxval set to 20s, retries at 3 2. Major timeout is set to 20s, minor timeout set to 5s initially 3. xport_adjust_timeout() is called after 5s, retry with 10s timeout, minor timeout is bumped to 10s 4. And again after another 10s, 15s total time with minor timeout set to 15s 5. After 20s total time xport_adjust_timeout is called as major timeout is reached, but skipped because the minor timeout is not reached - After this time the cpu spins continually calling xport_adjust_timeout() and returning 0 for 10 seconds. As seen on perf sched: 39243.913182 [0005] mount.nfs[3794] 4607.938 0.017 9746.863 6. This continues until the 15s minor timeout condition is reached (in this case for 10 seconds). After which the ETIMEOUT is processed back to the caller, the cpu spinning stops, and normal operations continue Fixes: 7de62bc09fe6 ("SUNRPC dont update timeout value on connection reset") Signed-off-by: Chris Dion Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 8efd19bf754b14c9456e60db57af72c52c28f636 Author: Chuck Lever Date: Wed Mar 31 16:03:08 2021 -0400 SUNRPC: Remove trace_xprt_transmit_queued [ Upstream commit 6cf23783f750634e10daeede48b0f5f5d64ebf3a ] This tracepoint can crash when dereferencing snd_task because when some transports connect, they put a cookie in that field instead of a pointer to an rpc_task. BUG: KASAN: use-after-free in trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] Read of size 2 at addr ffff8881a83bd3a0 by task git/331872 CPU: 11 PID: 331872 Comm: git Tainted: G S 5.12.0-rc2-00007-g3ab6e585a7f9 #1453 Hardware name: Supermicro SYS-6028R-T/X10DRi, BIOS 1.1a 10/16/2015 Call Trace: dump_stack+0x9c/0xcf print_address_description.constprop.0+0x18/0x239 kasan_report+0x174/0x1b0 trace_event_raw_event_xprt_writelock_event+0x141/0x18e [sunrpc] xprt_prepare_transmit+0x8e/0xc1 [sunrpc] call_transmit+0x4d/0xc6 [sunrpc] Fixes: 9ce07ae5eb1d ("SUNRPC: Replace dprintk() call site in xprt_prepare_transmit") Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 7b906077fd990b1888a5bd49ffb1782077ca6509 Author: Chuck Lever Date: Wed Mar 31 13:22:14 2021 -0400 SUNRPC: Move fault injection call sites [ Upstream commit 7638e0bfaed1b653d3ca663e560e9ffb44bb1030 ] I've hit some crashes that occur in the xprt_rdma_inject_disconnect path. It appears that, for some provides, rdma_disconnect() can take so long that the transport can disconnect and release its hardware resources while rdma_disconnect() is still running, resulting in a UAF in the provider. The transport's fault injection method may depend on the stability of transport data structures. That means it needs to be invoked only from contexts that hold the transport write lock. Fixes: 4a0682583988 ("SUNRPC: Transport fault injection") Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit bfeb4e607d00a01586116a134f4090ceb23a4eb3 Author: Olga Kornievskaia Date: Wed Mar 31 15:30:25 2021 -0400 NFSv4.2 fix handling of sr_eof in SEEK's reply [ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ] Currently the client ignores the value of the sr_eof of the SEEK operation. According to the spec, if the server didn't find the requested extent and reached the end of the file, the server would return sr_eof=true. In case the request for DATA and no data was found (ie in the middle of the hole), then the lseek expects that ENXIO would be returned. Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 1fbea60ea658ab887fb899532d783732b04e53e6 Author: Nikola Livic Date: Mon Mar 29 11:56:49 2021 +0300 pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() [ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ] We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym bazalii) observed the check: if (fh->size > sizeof(struct nfs_fh)) should not use the size of the nfs_fh struct which includes an extra two bytes from the size field. struct nfs_fh { unsigned short size; unsigned char data[NFS_MAXFHSIZE]; } but should determine the size from data[NFS_MAXFHSIZE] so the memcpy will not write 2 bytes beyond destination. The proposed fix is to compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs code base. Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") Signed-off-by: Nikola Livic Signed-off-by: Dan Carpenter Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit fd65cac30d45305848f0ea1591b3cf011e3dd25a Author: Yang Yingliang Date: Wed Mar 31 16:40:12 2021 +0800 PCI: endpoint: Fix missing destroy_workqueue() [ Upstream commit acaef7981a218813e3617edb9c01837808de063c ] Add the missing destroy_workqueue() before return from pci_epf_test_init() in the error handling case and add destroy_workqueue() in pci_epf_test_exit(). Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test PCI") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit d21a5950cca69d5ac199f011752c90e171f6c5d1 Author: Trond Myklebust Date: Mon Mar 29 16:46:05 2021 -0400 NFS: Deal correctly with attribute generation counter overflow [ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ] We need to use unsigned long subtraction and then convert to signed in order to deal correcly with C overflow rules. Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit cbc868ea28a8db2daab63cfb4d8c08ccafda5c10 Author: Trond Myklebust Date: Sun Mar 28 18:17:14 2021 -0400 NFSv4.2: Always flush out writes in nfs42_proc_fallocate() [ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ] Whether we're allocating or delallocating space, we should flush out the pending writes in order to avoid races with attribute updates. Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a09afbb63620e9e36fd2a0c1536fb5a93be99c8f Author: Trond Myklebust Date: Sun Mar 28 18:12:03 2021 -0400 NFS: Fix attribute bitmask in _nfs42_proc_fallocate() [ Upstream commit e99812e1382f0bfb6149393262bc70645c9f537a ] We can't use nfs4_fattr_bitmap as a bitmask, because it hasn't been filtered to represent the attributes supported by the server. Instead, let's revert to using server->cache_consistency_bitmask after adding in the missing SPACE_USED attribute. Fixes: 913eca1aea87 ("NFS: Fallocate should use the nfs4_fattr_bitmap") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit ce2b470addedf54ca508f024006a8f8e00c60864 Author: Trond Myklebust Date: Thu Mar 25 18:15:36 2021 -0400 NFS: nfs4_bitmask_adjust() must not change the server global bitmasks [ Upstream commit 332d1a0373be32a3a3c152756bca45ff4f4e11b5 ] As currently set, the calls to nfs4_bitmask_adjust() will end up overwriting the contents of the nfs_server cache_consistency_bitmask field. The intention here should be to modify a private copy of that mask in the close/delegreturn/write arguments. Fixes: 76bd5c016ef4 ("NFSv4: make cache consistency bitmask dynamic") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 0627cbc9b8752382213fb87cfc6984b537146096 Author: Jia-Ju Bai Date: Sat Mar 6 05:36:24 2021 -0800 rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() [ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ] When idr_find() returns NULL to intent, no error return code of qcom_glink_rx_data() is assigned. To fix this bug, ret is assigned with -ENOENT in this case. Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit b59194c7ca29cbfa29426aadc07ca043437178bc Author: Chao Yu Date: Fri Apr 2 17:22:23 2021 +0800 f2fs: fix to avoid accessing invalid fio in f2fs_allocate_data_block() [ Upstream commit 25ae837e61dee712b4b1df36602ebfe724b2a0b6 ] Callers may pass fio parameter with NULL value to f2fs_allocate_data_block(), so we should make sure accessing fio's field after fio's validation check. Fixes: f608c38c59c6 ("f2fs: clean up parameter of f2fs_allocate_data_block()") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 1fd6a0641040330eff8042b2ca9c4a2142dd237f Author: Yi Zhuang Date: Wed Mar 31 17:34:14 2021 +0800 f2fs: Fix a hungtask problem in atomic write [ Upstream commit be1ee45d51384161681ecf21085a42d316ae25f7 ] In the cache writing process, if it is an atomic file, increase the page count of F2FS_WB_CP_DATA, otherwise increase the page count of F2FS_WB_DATA. When you step into the hook branch due to insufficient memory in f2fs_write_begin, f2fs_drop_inmem_pages_all will be called to traverse all atomic inodes and clear the FI_ATOMIC_FILE mark of all atomic files. In f2fs_drop_inmem_pages,first acquire the inmem_lock , revoke all the inmem_pages, and then clear the FI_ATOMIC_FILE mark. Before this mark is cleared, other threads may hold inmem_lock to add inmem_pages to the inode that has just been emptied inmem_pages, and increase the page count of F2FS_WB_CP_DATA. When the IO returns, it is found that the FI_ATOMIC_FILE flag is cleared by f2fs_drop_inmem_pages_all, and f2fs_is_atomic_file returns false,which causes the page count of F2FS_WB_DATA to be decremented. The page count of F2FS_WB_CP_DATA cannot be cleared. Finally, hungtask is triggered in f2fs_wait_on_all_pages because get_pages will never return zero. process A: process B: f2fs_drop_inmem_pages_all ->f2fs_drop_inmem_pages of inode#1 ->mutex_lock(&fi->inmem_lock) ->__revoke_inmem_pages of inode#1 f2fs_ioc_commit_atomic_write ->mutex_unlock(&fi->inmem_lock) ->f2fs_commit_inmem_pages of inode#1 ->mutex_lock(&fi->inmem_lock) ->__f2fs_commit_inmem_pages ->f2fs_do_write_data_page ->f2fs_outplace_write_data ->do_write_page ->f2fs_submit_page_write ->inc_page_count(sbi, F2FS_WB_CP_DATA ) ->mutex_unlock(&fi->inmem_lock) ->spin_lock(&sbi->inode_lock[ATOMIC_FILE]); ->clear_inode_flag(inode, FI_ATOMIC_FILE) ->spin_unlock(&sbi->inode_lock[ATOMIC_FILE]) f2fs_write_end_io ->dec_page_count(sbi, F2FS_WB_DATA ); We can fix the problem by putting the action of clearing the FI_ATOMIC_FILE mark into the inmem_lock lock. This operation can ensure that no one will submit the inmem pages before the FI_ATOMIC_FILE mark is cleared, so that there will be no atomic writes waiting for writeback. Fixes: 57864ae5ce3a ("f2fs: limit # of inmemory pages") Signed-off-by: Yi Zhuang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 98ccee81fe9640eb646aa7f983b75a5419a43577 Author: Chao Yu Date: Fri Mar 26 09:46:22 2021 +0800 f2fs: fix to cover __allocate_new_section() with curseg_lock [ Upstream commit 823d13e12b6cbaef2f6e5d63c648643e7bc094dd ] In order to avoid race with f2fs_do_replace_block(). Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 105155a8146ddb54c119d8318964eef3859d109d Author: Chao Yu Date: Wed Mar 24 11:18:28 2021 +0800 f2fs: fix to avoid touching checkpointed data in get_victim() [ Upstream commit 61461fc921b756ae16e64243f72af2bfc2e620db ] In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select victim: 1. LFS is set to find source section during GC, the victim should have no checkpointed data, since after GC, section could not be set free for reuse. Previously, we only check valid chpt blocks in current segment rather than section, fix it. 2. SSR | AT_SSR are set to find target segment for writes which can be fully filled by checkpointed and newly written blocks, we should never select such segment, otherwise it can cause panic or data corruption during allocation, potential case is described as below: a) target segment has 'n' (n < 512) ckpt valid blocks b) GC migrates 'n' valid blocks to other segment (segment is still in dirty list) c) GC migrates '512 - n' blocks to target segment (segment has 'n' cp_vblocks and '512 - n' vblocks) d) If GC selects target segment via {AT,}SSR allocator, however there is no free space in targe segment. Fixes: 4354994f097d ("f2fs: checkpoint disabling") Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit bbed83d7060e07a5d309104d25a00f0a24441428 Author: Shradha Todi Date: Wed Mar 24 15:46:09 2021 +0530 PCI: endpoint: Fix NULL pointer dereference for ->get_features() [ Upstream commit 6613bc2301ba291a1c5a90e1dc24cf3edf223c03 ] get_features ops of pci_epc_ops may return NULL, causing NULL pointer dereference in pci_epf_test_alloc_space function. Let us add a check for pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid any such NULL pointer dereference and return -ENOTSUPP in case pci_epc_feature is not found. When the patch is not applied and EPC features is not implemented in the platform driver, we see the following dump due to kernel NULL pointer dereference. Call trace: pci_epf_test_bind+0xf4/0x388 pci_epf_bind+0x3c/0x80 pci_epc_epf_link+0xa8/0xcc configfs_symlink+0x1a4/0x48c vfs_symlink+0x104/0x184 do_symlinkat+0x80/0xd4 __arm64_sys_symlinkat+0x1c/0x24 el0_svc_common.constprop.3+0xb8/0x170 el0_svc_handler+0x70/0x88 el0_svc+0x8/0x640 Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400) ---[ end trace a438e3c5a24f9df0 ]--- Link: https://lore.kernel.org/r/20210324101609.79278-1-shradha.t@samsung.com Fixes: 2c04c5b8eef79 ("PCI: pci-epf-test: Use pci_epc_get_features() to get EPC features") Signed-off-by: Sriram Dash Signed-off-by: Shradha Todi Signed-off-by: Lorenzo Pieralisi Reviewed-by: Pankaj Dubey Reviewed-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit d5e85b92b4574aac500153bc55a287f0b6947b50 Author: Kishon Vijay Abraham I Date: Tue Feb 2 01:27:56 2021 +0530 PCI: endpoint: Make *_free_bar() to return error codes on failure [ Upstream commit 0e27aeccfa3d1bab7c6a29fb8e6fcedbad7b09a8 ] Modify pci_epc_get_next_free_bar() and pci_epc_get_first_free_bar() to return error values if there are no free BARs available. Link: https://lore.kernel.org/r/20210201195809.7342-5-kishon@ti.com Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit d98bfd4cc25886bb5691321df6735c6772e834de Author: Kishon Vijay Abraham I Date: Tue Feb 2 01:27:55 2021 +0530 PCI: endpoint: Add helper API to get the 'next' unreserved BAR [ Upstream commit fa8fef0e104a23efe568b835d9e7e188d1d97610 ] Add an API to get the next unreserved BAR starting from a given BAR number that can be used by the endpoint function. Link: https://lore.kernel.org/r/20210201195809.7342-4-kishon@ti.com Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 5974766170d8debdc970f9cf9e3dca6be40f8440 Author: Kishon Vijay Abraham I Date: Tue Feb 2 01:27:54 2021 +0530 PCI: endpoint: Make *_get_first_free_bar() take into account 64 bit BAR [ Upstream commit 959a48d0eac0321948c9f3d1707ba22c100e92d5 ] pci_epc_get_first_free_bar() uses only "reserved_bar" member in epc_features to get the first unreserved BAR. However if the reserved BAR is also a 64-bit BAR, then the next BAR shouldn't be returned (since 64-bit BAR uses two BARs). Make pci_epc_get_first_free_bar() take into account 64 bit BAR while returning the first free unreserved BAR. Link: https://lore.kernel.org/r/20210201195809.7342-3-kishon@ti.com Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 8c8f7c49930dd93f5eb0653baed6f165a2e7601c Author: Chao Yu Date: Wed Mar 24 11:24:33 2021 +0800 f2fs: fix to update last i_size if fallocate partially succeeds [ Upstream commit 88f2cfc5fa90326edb569b4a81bb38ed4dcd3108 ] In the case of expanding pinned file, map.m_lblk and map.m_len will update in each round of section allocation, so in error path, last i_size will be calculated with wrong m_lblk and m_len, fix it. Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 74d2b0e74c3f5bccfe71e3466356f4a08a0bc73e Author: Chao Yu Date: Fri Mar 5 17:56:01 2021 +0800 f2fs: fix to align to section for fallocate() on pinned file [ Upstream commit e1175f02291141bbd924fc578299305fcde35855 ] Now, fallocate() on a pinned file only allocates blocks which aligns to segment rather than section, so GC may try to migrate pinned file's block, and after several times of failure, pinned file's block could be migrated to other place, however user won't be aware of such condition, and then old obsolete block address may be readed/written incorrectly. To avoid such condition, let's try to allocate pinned file's blocks with section alignment. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 630146203108bf6b8934eec0dfdb3e46dcb917de Author: Zhen Lei Date: Thu Feb 18 03:00:05 2021 +0100 ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook [ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ] The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replace the check event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is always not invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/ Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") Signed-off-by: Zhen Lei Cc: Wang Nan Acked-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Sasha Levin commit ee93cdcbe0b553b6c1e457ad33c64dd90600ad97 Author: Dmitry Baryshkov Date: Mon Jan 25 02:28:26 2021 +0300 PCI: Release OF node in pci_scan_device()'s error path [ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ] In pci_scan_device(), if pci_setup_device() fails for any reason, the code will not release device's of_node by calling pci_release_of_node(). Fix that by calling the release function. Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically") Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Helgaas Reviewed-by: Leon Romanovsky Signed-off-by: Sasha Levin commit c5c0ede221d768c600b7154d0afee05cb3554d86 Author: Pali Rohár Date: Wed Mar 3 15:22:02 2021 +0100 PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() [ Upstream commit 1e83130f01b04c16579ed5a5e03d729bcffc4c5d ] IRQ domain alloc function should return zero on success. Non-zero value indicates failure. Link: https://lore.kernel.org/r/20210303142202.25780-1-pali@kernel.org Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Reviewed-by: Krzysztof Wilczyński Acked-by: Ray Jui Acked-by: Marc Zyngier Signed-off-by: Sasha Levin commit 1ce0d1d3656b50bca56c8ff2688235eb5348f841 Author: Bjorn Andersson Date: Fri Mar 12 15:20:02 2021 -0800 remoteproc: qcom_q6v5_mss: Validate p_filesz in ELF loader [ Upstream commit 3d2ee78906af5f08d499d6aa3aa504406fa38106 ] Analog to the issue in the common mdt_loader code the MSS ELF loader does not validate that p_filesz bytes will fit in the memory region and that the loaded segments are not truncated. Fix this in the same way as proposed for the mdt_loader. Reviewed-by: Mathieu Poirier Fixes: 135b9e8d1cd8 ("remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load") Link: https://lore.kernel.org/r/20210312232002.3466791-1-bjorn.andersson@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 2ec65063e45ab5faa775c1516026c653cff7f066 Author: Sibi Sankar Date: Wed Nov 4 12:33:41 2020 +0530 remoteproc: qcom_q6v5_mss: Replace ioremap with memremap [ Upstream commit 04ff5d19cf6e2f9dbdf137c0c6eb44934d46a99c ] Fix the sparse warnings reported by the kernel test bot by replacing ioremap calls with memremap. Reviewed-by: Bjorn Andersson Reported-by: kernel test robot Signed-off-by: Sibi Sankar Link: https://lore.kernel.org/r/1604473422-29639-1-git-send-email-sibis@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 2d6d5b4fc498f2e429ae5b6439780ae5d900a3f9 Author: Colin Ian King Date: Thu Mar 4 09:21:18 2021 +0000 f2fs: fix a redundant call to f2fs_balance_fs if an error occurs [ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ] The uninitialized variable dn.node_changed does not get set when a call to f2fs_get_node_page fails. This uninitialized value gets used in the call to f2fs_balance_fs() that may or not may not balances dirty node and dentry pages depending on the uninitialized state of the variable. Fix this by only calling f2fs_balance_fs if err is not set. Thanks to Jaegeuk Kim for suggesting an appropriate fix. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed") Signed-off-by: Colin Ian King Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 1c20a4896409f5ca1c770e1880c33d0a28a8b10f Author: Chao Yu Date: Sat Feb 20 17:35:41 2021 +0800 f2fs: fix panic during f2fs_resize_fs() [ Upstream commit 3ab0598e6d860ef49d029943ba80f627c15c15d6 ] f2fs_resize_fs() hangs in below callstack with testcase: - mkfs 16GB image & mount image - dd 8GB fileA - dd 8GB fileB - sync - rm fileA - sync - resize filesystem to 8GB kernel BUG at segment.c:2484! Call Trace: allocate_segment_by_default+0x92/0xf0 [f2fs] f2fs_allocate_data_block+0x44b/0x7e0 [f2fs] do_write_page+0x5a/0x110 [f2fs] f2fs_outplace_write_data+0x55/0x100 [f2fs] f2fs_do_write_data_page+0x392/0x850 [f2fs] move_data_page+0x233/0x320 [f2fs] do_garbage_collect+0x14d9/0x1660 [f2fs] free_segment_range+0x1f7/0x310 [f2fs] f2fs_resize_fs+0x118/0x330 [f2fs] __f2fs_ioctl+0x487/0x3680 [f2fs] __x64_sys_ioctl+0x8e/0xd0 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The root cause is we forgot to check that whether we have enough space in resized filesystem to store all valid blocks in before-resizing filesystem, then allocator will run out-of-space during block migration in free_segment_range(). Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 81ba1634d1b61cd4023a470c8f4d48375ec35fa2 Author: Chao Yu Date: Sat Feb 20 17:35:40 2021 +0800 f2fs: fix to allow migrating fully valid segment [ Upstream commit 7dede88659df38f96128ab3922c50dde2d29c574 ] F2FS_IOC_FLUSH_DEVICE/F2FS_IOC_RESIZE_FS needs to migrate all blocks of target segment to other place, no matter the segment has partially or fully valid blocks. However, after commit 803e74be04b3 ("f2fs: stop GC when the victim becomes fully valid"), we may skip migration due to target segment is fully valid, result in failing the ioctl interface, fix this. Fixes: 803e74be04b3 ("f2fs: stop GC when the victim becomes fully valid") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit de2041d92d2af85382442795030f35a8c3fd248c Author: Chao Yu Date: Tue Nov 10 09:24:37 2020 +0800 f2fs: fix compat F2FS_IOC_{MOVE,GARBAGE_COLLECT}_RANGE [ Upstream commit 34178b1bc4b5c936eab3adb4835578093095a571 ] Eric reported a ioctl bug in below link: https://lore.kernel.org/linux-f2fs-devel/20201103032234.GB2875@sol.localdomain/ That said, on some 32-bit architectures, u64 has only 32-bit alignment, notably i386 and x86_32, so that size of struct f2fs_gc_range compiled in x86_32 is 20 bytes, however the size in x86_64 is 24 bytes, binary compiled in x86_32 can not call F2FS_IOC_GARBAGE_COLLECT_RANGE successfully due to mismatched value of ioctl command in between binary and f2fs module, similarly, F2FS_IOC_MOVE_RANGE will fail too. In this patch we introduce two ioctls for compatibility of above special 32-bit binary: - F2FS_IOC32_GARBAGE_COLLECT_RANGE - F2FS_IOC32_MOVE_RANGE Reported-by: Eric Biggers Signed-off-by: Chao Yu Reviewed-by: Eric Biggers Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit b7ff0885de7ebf70a0fdd0378a118bbda5fbd1d6 Author: Chao Yu Date: Mon Nov 2 14:21:31 2020 +0800 f2fs: move ioctl interface definitions to separated file [ Upstream commit fa4320cefb8537a70cc28c55d311a1f569697cd3 ] Like other filesystem does, we introduce a new file f2fs.h in path of include/uapi/linux/, and move f2fs-specified ioctl interface definitions to that file, after then, in order to use those definitions, userspace developer only need to include the new header file rather than copy & paste definitions from fs/f2fs/f2fs.h. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 997d24a932a9b6e2040f39a8dd76e873e6519a1c Author: Jia-Ju Bai Date: Wed Mar 10 04:24:23 2021 -0800 thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() [ Upstream commit 45c7eaeb29d67224db4ba935deb575586a1fda09 ] When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args() returns zero or -ENOENT to count, no error return code of thermal_of_populate_bind_params() is assigned. To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these cases, respectively. Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210310122423.3266-1-baijiaju1990@gmail.com Signed-off-by: Sasha Levin commit a1b5fecedfa914cbd7984a4974473ec2146f1b60 Author: David Ward Date: Sun Apr 18 09:46:57 2021 -0400 ASoC: rt286: Make RT286_SET_GPIO_* readable and writable [ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ] The GPIO configuration cannot be applied if the registers are inaccessible. This prevented the headset mic from working on the Dell XPS 13 9343. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171 Signed-off-by: David Ward Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu Reviewed-by: Pierre-Louis Bossart Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5b66867966bc04652d85d58b8500a22b99aa5dad Author: Petr Mladek Date: Thu Apr 29 22:54:33 2021 -0700 watchdog: fix barriers when printing backtraces from all CPUs [ Upstream commit 9f113bf760ca90d709f8f89a733d10abb1f04a83 ] Any parallel softlockup reports are skipped when one CPU is already printing backtraces from all CPUs. The exclusive rights are synchronized using one bit in soft_lockup_nmi_warn. There is also one memory barrier that does not make much sense. Use two barriers on the right location to prevent mixing two reports. [pmladek@suse.com: use bit lock operations to prevent multiple soft-lockup reports] Link: https://lkml.kernel.org/r/YFSVsLGVWMXTvlbk@alley Link: https://lkml.kernel.org/r/20210311122130.6788-6-pmladek@suse.com Signed-off-by: Petr Mladek Acked-by: Peter Zijlstra (Intel) Cc: Ingo Molnar Cc: Laurence Oberman Cc: Michal Hocko Cc: Thomas Gleixner Cc: Vincent Whitchurch Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a68c246065b6042bfdb9177527fcf0e8f93dff3d Author: Petr Mladek Date: Thu Apr 29 22:54:30 2021 -0700 watchdog/softlockup: remove logic that tried to prevent repeated reports [ Upstream commit 1bc503cb4a2638fb1c57801a7796aca57845ce63 ] The softlockup detector does some gymnastic with the variable soft_watchdog_warn. It was added by the commit 58687acba59266735ad ("lockup_detector: Combine nmi_watchdog and softlockup detector"). The purpose is not completely clear. There are the following clues. They describe the situation how it looked after the above mentioned commit: 1. The variable was checked with a comment "only warn once". 2. The variable was set when softlockup was reported. It was cleared only when the CPU was not longer in the softlockup state. 3. watchdog_touch_ts was not explicitly updated when the softlockup was reported. Without this variable, the report would normally be printed again during every following watchdog_timer_fn() invocation. The logic has got even more tangled up by the commit ed235875e2ca98 ("kernel/watchdog.c: print traces for all cpus on lockup detection"). After this commit, soft_watchdog_warn is set only when softlockup_all_cpu_backtrace is enabled. But multiple reports from all CPUs are prevented by a new variable soft_lockup_nmi_warn. Conclusion: The variable probably never worked as intended. In each case, it has not worked last many years because the softlockup was reported repeatedly after the full period defined by watchdog_thresh. The reason is that watchdog gets touched in many known slow paths, for example, in printk_stack_address(). This code is called also when printing the softlockup report. It means that the watchdog timestamp gets updated after each report. Solution: Simply remove the logic. People want the periodic report anyway. Link: https://lkml.kernel.org/r/20210311122130.6788-5-pmladek@suse.com Signed-off-by: Petr Mladek Cc: Ingo Molnar Cc: Laurence Oberman Cc: Michal Hocko Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vincent Whitchurch Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9413b1ee3858fc91198c3f68c4de254cc2e47d78 Author: Petr Mladek Date: Thu Apr 29 22:54:23 2021 -0700 watchdog: explicitly update timestamp when reporting softlockup [ Upstream commit c9ad17c991492f4390f42598f6ab0531f87eed07 ] The softlockup situation might stay for a long time or even forever. When it happens, the softlockup debug messages are printed in regular intervals defined by get_softlockup_thresh(). There is a mystery. The repeated message is printed after the full interval that is defined by get_softlockup_thresh(). But the timer callback is called more often as defined by sample_period. The code looks like the soflockup should get reported in every sample_period when it was once behind the thresh. It works only by chance. The watchdog is touched when printing the stall report, for example, in printk_stack_address(). Make the behavior clear and predictable by explicitly updating the timestamp in watchdog_timer_fn() when the report gets printed. Link: https://lkml.kernel.org/r/20210311122130.6788-3-pmladek@suse.com Signed-off-by: Petr Mladek Cc: Ingo Molnar Cc: Laurence Oberman Cc: Michal Hocko Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vincent Whitchurch Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 018655f8758a4a9307d5cfd01e47cfbc134df325 Author: Petr Mladek Date: Thu Apr 29 22:54:20 2021 -0700 watchdog: rename __touch_watchdog() to a better descriptive name [ Upstream commit 7c0012f522c802d25be102bafe54f333168e6119 ] Patch series "watchdog/softlockup: Report overall time and some cleanup", v2. I dug deep into the softlockup watchdog history when time permitted this year. And reworked the patchset that fixed timestamps and cleaned up the code[2]. I split it into very small steps and did even more code clean up. The result looks quite strightforward and I am pretty confident with the changes. [1] v2: https://lore.kernel.org/r/20201210160038.31441-1-pmladek@suse.com [2] v1: https://lore.kernel.org/r/20191024114928.15377-1-pmladek@suse.com This patch (of 6): There are many touch_*watchdog() functions. They are called in situations where the watchdog could report false positives or create unnecessary noise. For example, when CPU is entering idle mode, a virtual machine is stopped, or a lot of messages are printed in the atomic context. These functions set SOFTLOCKUP_RESET instead of a real timestamp. It allows to call them even in a context where jiffies might be outdated. For example, in an atomic context. The real timestamp is set by __touch_watchdog() that is called from the watchdog timer callback. Rename this callback to update_touch_ts(). It better describes the effect and clearly distinguish is from the other touch_*watchdog() functions. Another motivation is that two timestamps are going to be used. One will be used for the total softlockup time. The other will be used to measure time since the last report. The new function name will help to distinguish which timestamp is being updated. Link: https://lkml.kernel.org/r/20210311122130.6788-1-pmladek@suse.com Link: https://lkml.kernel.org/r/20210311122130.6788-2-pmladek@suse.com Signed-off-by: Petr Mladek Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Laurence Oberman Cc: Vincent Whitchurch Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 1dc55c3a486224a32081b277ed9715cf6b7a3cbc Author: Sergei Trofimovich Date: Thu Apr 29 22:53:48 2021 -0700 ia64: module: fix symbolizer crash on fdescr [ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ] Noticed failure as a crash on ia64 when tried to symbolize all backtraces collected by page_owner=on: $ cat /sys/kernel/debug/page_owner CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226 Hardware name: hp server rx3600, BIOS 04.03 04/08/2008 ip is at dereference_module_function_descriptor+0x41/0x100 Crash happens at dereference_module_function_descriptor() due to use-after-free when dereferencing ".opd" section header. All section headers are already freed after module is laoded successfully. To keep symbolizer working the change stores ".opd" address and size after module is relocated to a new place and before section headers are discarded. To make similar errors less obscure module_finalize() now zeroes out all variables relevant to module loading only. Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org Signed-off-by: Sergei Trofimovich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 602795e247d1b2ef9ac4687ee3cc11cec88b2980 Author: Michael Chan Date: Sun Apr 25 13:45:25 2021 -0400 bnxt_en: Add PCI IDs for Hyper-V VF devices. [ Upstream commit 7fbf359bb2c19c824cbb1954020680824f6ee5a5 ] Support VF device IDs used by the Hyper-V hypervisor. Reviewed-by: Vasundhara Volam Reviewed-by: Andy Gospodarek Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d0736af81151cb6213825034da0e09a7e4ad20ea Author: Masahiro Yamada Date: Fri Mar 26 03:54:09 2021 +0900 kbuild: generate Module.symvers only when vmlinux exists [ Upstream commit 69bc8d386aebbd91a6bb44b6d33f77c8dfa9ed8c ] The external module build shows the following warning if Module.symvers is missing in the kernel tree. WARNING: Symbol version dump "Module.symvers" is missing. Modules may not have dependencies or modversions. I think this is an important heads-up because the resulting modules may not work as expected. This happens when you did not build the entire kernel tree, for example, you might have prepared the minimal setups for external modules by 'make defconfig && make modules_preapre'. A problem is that 'make modules' creates Module.symvers even without vmlinux. In this case, that warning is suppressed since Module.symvers already exists in spite of its incomplete content. The incomplete (i.e. invalid) Module.symvers should not be created. This commit changes the second pass of modpost to dump symbols into modules-only.symvers. The final Module.symvers is created by concatenating vmlinux.symvers and modules-only.symvers if both exist. Module.symvers is supposed to collect symbols from both vmlinux and modules. It might be a bit confusing, and I am not quite sure if it is an official interface, but presumably it is difficult to rename it because some tools (e.g. kmod) parse it. Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 9401b7ff91f9f28901c3aaffc71751fcbae756cc Author: Petr Machata Date: Fri Apr 23 14:19:48 2021 +0200 selftests: mlxsw: Fix mausezahn invocation in ERSPAN scale test [ Upstream commit 1233898ab758cbcf5f6fea10b8dd16a0b2c24fab ] The mirror_gre_scale test creates as many ERSPAN sessions as the underlying chip supports, and tests that they all work. In order to determine that it issues a stream of ICMP packets and checks if they are mirrored as expected. However, the mausezahn invocation missed the -6 flag to identify the use of IPv6 protocol, and was sending ICMP messages over IPv6, as opposed to ICMP6. It also didn't pass an explicit source IP address, which apparently worked at some point in the past, but does not anymore. To fix these issues, extend the function mirror_test() in mirror_lib by detecting the IPv6 protocol addresses, and using a different ICMP scheme. Fix __mirror_gre_test() in the selftest itself to pass a source IP address. Signed-off-by: Petr Machata Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dfa0e8461e99924a75cb0e03134475cf3b92c2a7 Author: Petr Machata Date: Fri Apr 23 14:19:47 2021 +0200 selftests: mlxsw: Increase the tolerance of backlog buildup [ Upstream commit dda7f4fa55839baeb72ae040aeaf9ccf89d3e416 ] The intention behind this test is to make sure that qdisc limit is correctly projected to the HW. However, first, due to rounding in the qdisc, and then in the driver, the number cannot actually be accurate. And second, the approach to testing this is to oversubscribe the port with traffic generated on the same switch. The actual backlog size therefore fluctuates. In practice, this test proved to be noisier than the rest, and spuriously fails every now and then. Increase the tolerance to 10 % to avoid these issues. Signed-off-by: Petr Machata Acked-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 99d9989ee53bd8c75d113c9b8039724ddec5a929 Author: Felix Fietkau Date: Thu Apr 22 22:20:54 2021 -0700 net: ethernet: mtk_eth_soc: fix RX VLAN offload [ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ] The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is set. Fixes frames wrongly marked with VLAN tags. Signed-off-by: Felix Fietkau [Ilya: fix commit message] Signed-off-by: Ilya Lipnitskiy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 320c50ff84a0fa8243b92184376e316db8a95c9a Author: Stefan Assmann Date: Tue Mar 9 15:41:42 2021 +0100 iavf: remove duplicate free resources calls [ Upstream commit 1a0e880b028f97478dc689e2900b312741d0d772 ] Both iavf_free_all_tx_resources() and iavf_free_all_rx_resources() have already been called in the very same function. Remove the duplicate calls. Signed-off-by: Stefan Assmann Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 6289b028b5e21974b1761206d4c49d88a766a5af Author: Alexey Kardashevskiy Date: Mon Mar 1 17:36:53 2021 +1100 powerpc/iommu: Annotate nested lock for lockdep [ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ] The IOMMU table is divided into pools for concurrent mappings and each pool has a separate spinlock. When taking the ownership of an IOMMU group to pass through a device to a VM, we lock these spinlocks which triggers a false negative warning in lockdep (below). This fixes it by annotating the large pool's spinlock as a nest lock which makes lockdep not complaining when locking nested locks if the nest lock is locked already. === WARNING: possible recursive locking detected 5.11.0-le_syzkaller_a+fstn1 #100 Not tainted -------------------------------------------- qemu-system-ppc/4129 is trying to acquire lock: c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 but task is already holding lock: c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(p->lock)/1); lock(&(p->lock)/1); === Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit bece6aea3653729d517299f9c5e83bf7d23319cd Author: Lee Gibson Date: Mon Apr 19 15:58:42 2021 +0100 qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth [ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ] Function qtnf_event_handle_external_auth calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com Signed-off-by: Sasha Levin commit ededc7325dc204db4cfdfe9325c5543f0d9a5c05 Author: Gustavo A. R. Silva Date: Wed Apr 14 18:45:15 2021 -0500 wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join [ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ] Fix the following out-of-bounds warnings by adding a new structure wl3501_req instead of duplicating the same members in structure wl3501_join_req and wl3501_scan_confirm: arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds] Refactor the code, accordingly: $ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o struct wl3501_req { u16 beacon_period; /* 0 2 */ u16 dtim_period; /* 2 2 */ u16 cap_info; /* 4 2 */ u8 bss_type; /* 6 1 */ u8 bssid[6]; /* 7 6 */ struct iw_mgmt_essid_pset ssid; /* 13 34 */ struct iw_mgmt_ds_pset ds_pset; /* 47 3 */ struct iw_mgmt_cf_pset cf_pset; /* 50 8 */ struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */ struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */ /* size: 72, cachelines: 2, members: 10 */ /* last cacheline: 8 bytes */ }; $ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o struct wl3501_join_req { u16 next_blk; /* 0 2 */ u8 sig_id; /* 2 1 */ u8 reserved; /* 3 1 */ struct iw_mgmt_data_rset operational_rset; /* 4 10 */ u16 reserved2; /* 14 2 */ u16 timeout; /* 16 2 */ u16 probe_delay; /* 18 2 */ u8 timestamp[8]; /* 20 8 */ u8 local_time[8]; /* 28 8 */ struct wl3501_req req; /* 36 72 */ /* size: 108, cachelines: 2, members: 10 */ /* last cacheline: 44 bytes */ }; $ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o struct wl3501_scan_confirm { u16 next_blk; /* 0 2 */ u8 sig_id; /* 2 1 */ u8 reserved; /* 3 1 */ u16 status; /* 4 2 */ char timestamp[8]; /* 6 8 */ char localtime[8]; /* 14 8 */ struct wl3501_req req; /* 22 72 */ /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */ u8 rssi; /* 94 1 */ /* size: 96, cachelines: 2, members: 8 */ /* padding: 1 */ /* last cacheline: 32 bytes */ }; The problem is that the original code is trying to copy data into a bunch of struct members adjacent to each other in a single call to memcpy(). Now that a new struct wl3501_req enclosing all those adjacent members is introduced, memcpy() doesn't overrun the length of &sig.beacon_period and &this->bss_set[i].beacon_period, because the address of the new struct object _req_ is used as the destination, instead. This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org Signed-off-by: Sasha Levin commit 83a7ed5b891cd2afec3f4bf8ffa641b6acb18fb2 Author: Gustavo A. R. Silva Date: Wed Apr 14 18:43:19 2021 -0500 wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt [ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ] Fix the following out-of-bounds warnings by enclosing structure members daddr and saddr into new struct addr, in structures wl3501_md_req and wl3501_md_ind: arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds] Refactor the code, accordingly: $ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o struct wl3501_md_req { u16 next_blk; /* 0 2 */ u8 sig_id; /* 2 1 */ u8 routing; /* 3 1 */ u16 data; /* 4 2 */ u16 size; /* 6 2 */ u8 pri; /* 8 1 */ u8 service_class; /* 9 1 */ struct { u8 daddr[6]; /* 10 6 */ u8 saddr[6]; /* 16 6 */ } addr; /* 10 12 */ /* size: 22, cachelines: 1, members: 8 */ /* last cacheline: 22 bytes */ }; $ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o struct wl3501_md_ind { u16 next_blk; /* 0 2 */ u8 sig_id; /* 2 1 */ u8 routing; /* 3 1 */ u16 data; /* 4 2 */ u16 size; /* 6 2 */ u8 reception; /* 8 1 */ u8 pri; /* 9 1 */ u8 service_class; /* 10 1 */ struct { u8 daddr[6]; /* 11 6 */ u8 saddr[6]; /* 17 6 */ } addr; /* 11 12 */ /* size: 24, cachelines: 1, members: 9 */ /* padding: 1 */ /* last cacheline: 24 bytes */ }; The problem is that the original code is trying to copy data into a couple of arrays adjacent to each other in a single call to memcpy(). Now that a new struct _addr_ enclosing those two adjacent arrays is introduced, memcpy() doesn't overrun the length of &sig.daddr[0] and &sig.daddr, because the address of the new struct object _addr_ is used, instead. This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Reviewed-by: Kees Cook Signed-off-by: Gustavo A. R. Silva Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org Signed-off-by: Sasha Levin commit f3a5dee0f30c898cc9273265d5f5b6bac94d49e8 Author: Sean Christopherson Date: Tue Apr 6 15:49:45 2021 -0700 crypto: ccp: Free SEV device if SEV init fails [ Upstream commit b61a9071dc72a3c709192c0c00ab87c2b3de1d94 ] Free the SEV device if later initialization fails. The memory isn't technically leaked as it's tracked in the top-level device's devres list, but unless the top-level device is removed, the memory won't be freed and is effectively leaked. Signed-off-by: Sean Christopherson Message-Id: <20210406224952.4177376-2-seanjc@google.com> Reviewed-by: Brijesh Singh Acked-by: Tom Lendacky Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 22ab352fcab7e6f4a5dd1a919b4b47b137ff507b Author: Felix Fietkau Date: Thu Apr 15 21:07:53 2021 +0200 mt76: mt7615: fix entering driver-own state on mt7663 [ Upstream commit 5c7d374444afdeb9dd534a37c4f6c13af032da0c ] Fixes hardware wakeup issues Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5b02d6efdb1bd2c4b06224067c2a8280f6fa0b79 Author: Jinzhou Su Date: Tue Apr 20 16:17:14 2021 +0800 drm/amdgpu: Add mem sync flag for IB allocated by SA [ Upstream commit 5c88e3b86a88f14efa0a3ddd28641c6ff49fb9c4 ] The buffer of SA bo will be used by many cases. So it's better to invalidate the cache of indirect buffer allocated by SA before commit the IB. Signed-off-by: Jinzhou Su Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8be5e713f725c9072cc2a4433d6ea8bae9fffbf3 Author: Dingchen (David) Zhang Date: Mon Jan 25 18:05:50 2021 -0500 drm/amd/display: add handling for hdcp2 rx id list validation [ Upstream commit 4ccf9446b2a3615615045346c97f8a1e2a16568a ] [why] the current implementation of hdcp2 rx id list validation does not have handler/checker for invalid message status, e.g. HMAC, the V parameter calculated from PSP not matching the V prime from Rx. [how] return a generic FAILURE for any message status not SUCCESS or REVOKED. Signed-off-by: Dingchen (David) Zhang Reviewed-by: Bhawanpreet Lakha Acked-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fa9952e854c4e083f83894d99f7410541dbccc80 Author: Robin Singh Date: Mon Dec 14 19:14:48 2020 -0500 drm/amd/display: fixed divide by zero kernel crash during dsc enablement [ Upstream commit 19cc1f3829567e7dca21c1389ea6407b8f5efab4 ] [why] During dsc enable, a divide by zero condition triggered the kernel crash. [how] An IGT test, which enable the DSC, was crashing at the time of restore the default dsc status, becaue of h_totals value becoming 0. So add a check before divide condition. If h_total is zero, gracefully ignore and set the default value. kernel panic log: [ 128.758827] divide error: 0000 [#1] PREEMPT SMP NOPTI [ 128.762714] CPU: 5 PID: 4562 Comm: amd_dp_dsc Tainted: G W 5.4.19-android-x86_64 #1 [ 128.769728] Hardware name: ADVANCED MICRO DEVICES, INC. Mauna/Mauna, BIOS WMN0B13N Nov 11 2020 [ 128.777695] RIP: 0010:hubp2_vready_at_or_After_vsync+0x37/0x7a [amdgpu] [ 128.785707] Code: 80 02 00 00 48 89 f3 48 8b 7f 08 b ...... [ 128.805696] RSP: 0018:ffffad8f82d43628 EFLAGS: 00010246 ...... [ 128.857707] CR2: 00007106d8465000 CR3: 0000000426530000 CR4: 0000000000140ee0 [ 128.865695] Call Trace: [ 128.869712] hubp3_setup+0x1f/0x7f [amdgpu] [ 128.873705] dcn20_update_dchubp_dpp+0xc8/0x54a [amdgpu] [ 128.877706] dcn20_program_front_end_for_ctx+0x31d/0x463 [amdgpu] [ 128.885706] dc_commit_state+0x3d2/0x658 [amdgpu] [ 128.889707] amdgpu_dm_atomic_commit_tail+0x4b3/0x1e7c [amdgpu] [ 128.897699] ? dm_read_reg_func+0x41/0xb5 [amdgpu] [ 128.901707] ? dm_read_reg_func+0x41/0xb5 [amdgpu] [ 128.905706] ? __is_insn_slot_addr+0x43/0x48 [ 128.909706] ? fill_plane_buffer_attributes+0x29e/0x3dc [amdgpu] [ 128.917705] ? dm_plane_helper_prepare_fb+0x255/0x284 [amdgpu] [ 128.921700] ? usleep_range+0x7c/0x7c [ 128.925705] ? preempt_count_sub+0xf/0x18 [ 128.929706] ? _raw_spin_unlock_irq+0x13/0x24 [ 128.933732] ? __wait_for_common+0x11e/0x18f [ 128.937705] ? _raw_spin_unlock_irq+0x13/0x24 [ 128.941706] ? __wait_for_common+0x11e/0x18f [ 128.945705] commit_tail+0x8b/0xd2 [drm_kms_helper] [ 128.949707] drm_atomic_helper_commit+0xd8/0xf5 [drm_kms_helper] [ 128.957706] amdgpu_dm_atomic_commit+0x337/0x360 [amdgpu] [ 128.961705] ? drm_atomic_check_only+0x543/0x68d [drm] [ 128.969705] ? drm_atomic_set_property+0x760/0x7af [drm] [ 128.973704] ? drm_mode_atomic_ioctl+0x6f3/0x85a [drm] [ 128.977705] drm_mode_atomic_ioctl+0x6f3/0x85a [drm] [ 128.985705] ? drm_atomic_set_property+0x7af/0x7af [drm] [ 128.989706] drm_ioctl_kernel+0x82/0xda [drm] [ 128.993706] drm_ioctl+0x225/0x319 [drm] [ 128.997707] ? drm_atomic_set_property+0x7af/0x7af [drm] [ 129.001706] ? preempt_count_sub+0xf/0x18 [ 129.005713] amdgpu_drm_ioctl+0x4b/0x76 [amdgpu] [ 129.009705] vfs_ioctl+0x1d/0x2a [ 129.013705] do_vfs_ioctl+0x419/0x43d [ 129.017707] ksys_ioctl+0x52/0x71 [ 129.021707] __x64_sys_ioctl+0x16/0x19 [ 129.025706] do_syscall_64+0x78/0x85 [ 129.029705] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Signed-off-by: Robin Singh Reviewed-by: Harry Wentland Reviewed-by: Robin Singh Acked-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d98b03bfd0c7a4d19825f611afd620c4a77e9093 Author: Michael Ellerman Date: Sun Apr 18 23:54:13 2021 +1000 powerpc/pseries: Stop calling printk in rtas_stop_self() [ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ] RCU complains about us calling printk() from an offline CPU: ============================= WARNING: suspicious RCU usage 5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted ----------------------------- kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!! other info that might help us debug this: RCU used illegally from offline CPU! rcu_scheduler_active = 2, debug_locks = 1 no locks held by swapper/0/0. stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1 Call Trace: dump_stack+0xec/0x144 (unreliable) lockdep_rcu_suspicious+0x124/0x144 __lock_acquire+0x1098/0x28b0 lock_acquire+0x128/0x600 _raw_spin_lock_irqsave+0x6c/0xc0 down_trylock+0x2c/0x70 __down_trylock_console_sem+0x60/0x140 vprintk_emit+0x1a8/0x4b0 vprintk_func+0xcc/0x200 printk+0x40/0x54 pseries_cpu_offline_self+0xc0/0x120 arch_cpu_idle_dead+0x54/0x70 do_idle+0x174/0x4a0 cpu_startup_entry+0x38/0x40 rest_init+0x268/0x388 start_kernel+0x748/0x790 start_here_common+0x1c/0x614 Which happens because by the time we get to rtas_stop_self() we are already offline. In addition the message can be spammy, and is not that helpful for users, so remove it. Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 799c3950680a748355bc62f835ab5608b99c2288 Author: Yaqi Chen Date: Fri Apr 16 23:48:03 2021 +0800 samples/bpf: Fix broken tracex1 due to kprobe argument change [ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ] >From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by reference"), the first argument passed into __netif_receive_skb_core has changed to reference of a skb pointer. This commit fixes by using bpf_probe_read_kernel. Signed-off-by: Yaqi Chen Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com Signed-off-by: Sasha Levin commit d4b0dc31df991d347ff4be55db8e43f95ab75868 Author: Du Cheng Date: Sat Apr 17 07:30:46 2021 +0800 net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule [ Upstream commit ed8157f1ebf1ae81a8fa2653e3f20d2076fad1c9 ] There is a reproducible sequence from the userland that will trigger a WARN_ON() condition in taprio_get_start_time, which causes kernel to panic if configured as "panic_on_warn". Catch this condition in parse_taprio_schedule to prevent this condition. Reported as bug on syzkaller: https://syzkaller.appspot.com/bug?extid=d50710fd0873a9c6b40c Reported-by: syzbot+d50710fd0873a9c6b40c@syzkaller.appspotmail.com Signed-off-by: Du Cheng Acked-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 05916c62f54a9ae714beca5f97d28e8753b2782e Author: Gustavo A. R. Silva Date: Fri Apr 16 15:15:40 2021 -0500 ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user() [ Upstream commit c1d9e34e11281a8ba1a1c54e4db554232a461488 ] Fix the following out-of-bounds warning: net/ethtool/ioctl.c:492:2: warning: 'memcpy' offset [49, 84] from the object at 'link_usettings' is out of the bounds of referenced subobject 'base' with type 'struct ethtool_link_settings' at offset 0 [-Warray-bounds] The problem is that the original code is trying to copy data into a some struct members adjacent to each other in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &link_usettings.base. Fix this by directly using &link_usettings and _from_ as destination and source addresses, instead. This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Signed-off-by: Gustavo A. R. Silva Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b506357ab8bb63259d4eb578d052d7e1ef0b679f Author: David Ward Date: Sun Apr 18 09:46:58 2021 -0400 ASoC: rt286: Generalize support for ALC3263 codec [ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ] The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350 and Venue 11 Pro 7140. They require the same handling for the combo jack to work with a headset: GPIO pin 6 must be set. The HDA driver always sets this pin on the ALC3263, which it distinguishes by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028 (Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to determine if Dell is the system vendor. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601 BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961 Signed-off-by: David Ward Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 33eee468f83ac609dfe9333ee814491fb6d68c5b Author: Srikar Dronamraju Date: Thu Apr 1 21:12:00 2021 +0530 powerpc/smp: Set numa node before updating mask [ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ] Geethika reported a trace when doing a dlpar CPU add. ------------[ cut here ]------------ WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057 CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5 Workqueue: events cpuset_hotplug_workfn NIP: c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420 REGS: c0000034a08eb260 TRAP: 0700 Not tainted (5.12.0-rc5-master+) MSR: 8000000000029033 CR: 28828422 XER: 00000020 CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10 c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04: c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018 #012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000 c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80 0000000000000497 0000000000000004 #012GPR16: c00000000347a258 0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20: c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3 #012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030 c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280 c0000034aefe0b00 c0000000010a2a68 NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500 LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 Call Trace: [c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable) [c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530 [c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0 [c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70 [c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20 [c0000034a08ebc30] [c000000000178dd0] process_one_work+0x300/0x670 [c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520 [c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0 [c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70 Instruction dump: 7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78 3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0 ---[ end trace 532d9066d3d4d7ec ]--- Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated correctly before its used in setting the masks. Setting the numa_node will ensure that when cpu_cpu_mask() gets called, the correct node number is used. This code movement helped fix the above call trace. Reported-by: Geetika Moolchandani Signed-off-by: Srikar Dronamraju Reviewed-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 245f5ab5ce5226aaaa5173c59e5fa89ea4219b41 Author: Gustavo A. R. Silva Date: Fri Apr 16 14:31:51 2021 -0500 flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target() [ Upstream commit 1e3d976dbb23b3fce544752b434bdc32ce64aabc ] Fix the following out-of-bounds warning: net/core/flow_dissector.c:835:3: warning: 'memcpy' offset [33, 48] from the object at 'flow_keys' is out of the bounds of referenced subobject 'ipv6_src' with type '__u32[4]' {aka 'unsigned int[4]'} at offset 16 [-Warray-bounds] The problem is that the original code is trying to copy data into a couple of struct members adjacent to each other in a single call to memcpy(). So, the compiler legitimately complains about it. As these are just a couple of members, fix this by copying each one of them in separate calls to memcpy(). This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Signed-off-by: Gustavo A. R. Silva Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d5716625f185be6960732694eb9d37bca9073464 Author: Gustavo A. R. Silva Date: Fri Apr 16 14:12:36 2021 -0500 sctp: Fix out-of-bounds warning in sctp_process_asconf_param() [ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ] Fix the following out-of-bounds warning: net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds] This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 136b0261f119884cc8662e7d10866166a877cbd3 Author: Kai Vehmanen Date: Fri Apr 16 16:11:57 2021 +0300 ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume [ Upstream commit 0c37e2eb6b83e375e8a654d01598292d5591fc65 ] When snd-hda-codec-hdmi is used with ASoC HDA controller like SOF (acomp used for ELD notifications), display connection change done during suspend, can be lost due to following sequence of events: 1. system in S3 suspend 2. DP/HDMI receiver connected 3. system resumed 4. HDA controller resumed, but card->deferred_resume_work not complete 5. acomp eld_notify callback 6. eld_notify ignored as power state is not CTL_POWER_D0 7. HDA resume deferred work completed, power state set to CTL_POWER_D0 This results in losing the notification, and the jack state reported to user-space is not correct. The check on step 6 was added in commit 8ae743e82f0b ("ALSA: hda - Skip ELD notification during system suspend"). It would seem with the deferred resume logic in ASoC core, this check is not safe. Fix the issue by modifying the check to use "dev.power.power_state.event" instead of ALSA specific card power state variable. BugLink: https://github.com/thesofproject/linux/issues/2825 Suggested-by: Takashi Iwai Signed-off-by: Kai Vehmanen Link: https://lore.kernel.org/r/20210416131157.1881366-1-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 4ac5823083fa08edfd80808eb1437a343567b49f Author: Vamshi Krishna Gopal Date: Thu Apr 15 12:50:09 2021 -0500 ASoC: Intel: sof_sdw: add quirk for new ADL-P Rvp [ Upstream commit d25bbe80485f8bcbbeb91a2a6cd8798c124b27b7 ] Add quirks for jack detection, rt711 DAI and DMIC Reviewed-by: Bard Liao Reviewed-by: Kai Vehmanen Signed-off-by: Vamshi Krishna Gopal Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210415175013.192862-6-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e3a2982bf63fc00e42d46a6f8cd4e964cf11d438 Author: Takashi Iwai Date: Fri Apr 16 10:12:11 2021 +0200 ALSA: hda/realtek: Add quirk for Lenovo Ideapad S740 [ Upstream commit 26928ca1f06aab4361eb5adbe7ef3b5c82f13cf2 ] Lenovo Ideapad S740 requires quite a few COEF setups to make its speakers working. The verb table was provided from Ryan Prescott as the result of investigation via qemu: https://github.com/ryanprescott/realtek-verb-tools/wiki/How-to-sniff-verbs-from-a-Windows-sound-driver BugLink: https://github.com/thesofproject/linux/issues/2748 Tested-by: Ryan Prescott Link: https://lore.kernel.org/r/20210416081211.20059-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit cc1956f8b278d72df4bf81eee934afc01d15fe5a Author: Mihai Moldovan Date: Thu Apr 15 09:28:03 2021 +0200 kconfig: nconf: stop endless search loops [ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ] If the user selects the very first entry in a page and performs a search-up operation, or selects the very last entry in a page and performs a search-down operation that will not succeed (e.g., via [/]asdfzzz[Up Arrow]), nconf will never terminate searching the page. The reason is that in this case, the starting point will be set to -1 or n, which is then translated into (n - 1) (i.e., the last entry of the page) or 0 (i.e., the first entry of the page) and finally the search begins. This continues to work fine until the index reaches 0 or (n - 1), at which point it will be decremented to -1 or incremented to n, but not checked against the starting point right away. Instead, it's wrapped around to the bottom or top again, after which the starting point check occurs... and naturally fails. My original implementation added another check for -1 before wrapping the running index variable around, but Masahiro Yamada pointed out that the actual issue is that the comparison point (starting point) exceeds bounds (i.e., the [0,n-1] interval) in the first place and that, instead, the starting point should be fixed. This has the welcome side-effect of also fixing the case where the starting point was n while searching down, which also lead to an infinite loop. OTOH, this code is now essentially all his work. Amazingly, nobody seems to have been hit by this for 11 years - or at the very least nobody bothered to debug and fix this. Signed-off-by: Mihai Moldovan Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 06b0037e6f02e79172d97c823f50ee2362183d0e Author: Yonghong Song Date: Tue Apr 13 08:34:13 2021 -0700 selftests: Set CC to clang in lib.mk if LLVM is set [ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ] selftests/bpf/Makefile includes lib.mk. With the following command make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1 some files are still compiled with gcc. This patch fixed lib.mk issue which sets CC to gcc in all cases. Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com Signed-off-by: Sasha Levin commit f9bc5e3f3f756d9a55fe950f975748d51130dcca Author: Anthony Wang Date: Wed Mar 31 11:03:35 2021 -0400 drm/amd/display: Force vsync flip when reconfiguring MPCC [ Upstream commit 56d63782af9bbd1271bff1422a6a013123eade4d ] [Why] Underflow observed when disabling PIP overlay in-game when vsync is disabled, due to OTC master lock not working with game pipe which is immediate flip. [How] When performing a full update, override flip_immediate value to false for all planes, so that flip occurs on vsync. Signed-off-by: Anthony Wang Acked-by: Bindu Ramamurthy Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 63e9abe35df9415b8d47d9c20358e46251b13e8f Author: Suravee Suthikulpanit Date: Fri Apr 9 03:58:48 2021 -0500 iommu/amd: Remove performance counter pre-initialization test [ Upstream commit 994d6608efe4a4c8834bdc5014c86f4bc6aceea6 ] In early AMD desktop/mobile platforms (during 2013), when the IOMMU Performance Counter (PMC) support was first introduced in commit 30861ddc9cca ("perf/x86/amd: Add IOMMU Performance Counter resource management"), there was a HW bug where the counters could not be accessed. The result was reading of the counter always return zero. At the time, the suggested workaround was to add a test logic prior to initializing the PMC feature to check if the counters can be programmed and read back the same value. This has been working fine until the more recent desktop/mobile platforms start enabling power gating for the PMC, which prevents access to the counters. This results in the PMC support being disabled unnecesarily. Unfortunatly, there is no documentation of since which generation of hardware the original PMC HW bug was fixed. Although, it was fixed soon after the first introduction of the PMC. Base on this, we assume that the buggy platforms are less likely to be in used, and it should be relatively safe to remove this legacy logic. Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 Cc: Tj (Elloe Linux) Cc: Shuah Khan Cc: Alexander Monakov Cc: David Coe Cc: Paul Menzel Signed-off-by: Suravee Suthikulpanit Tested-by: Shuah Khan Link: https://lore.kernel.org/r/20210409085848.3908-3-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 1097ecf826bcfc961eb4d93eb6ce58ec8c066b68 Author: Paul Menzel Date: Fri Apr 9 03:58:47 2021 -0500 Revert "iommu/amd: Fix performance counter initialization" [ Upstream commit 715601e4e36903a653cd4294dfd3ed0019101991 ] This reverts commit 6778ff5b21bd8e78c8bd547fd66437cf2657fd9b. The original commit tries to address an issue, where PMC power-gating causing the IOMMU PMC pre-init test to fail on certain desktop/mobile platforms where the power-gating is normally enabled. There have been several reports that the workaround still does not guarantee to work, and can add up to 100 ms (on the worst case) to the boot process on certain platforms such as the MSI B350M MORTAR with AMD Ryzen 3 2200G. Therefore, revert this commit as a prelude to removing the pre-init test. Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/ Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753 Cc: Tj (Elloe Linux) Cc: Shuah Khan Cc: Alexander Monakov Cc: David Coe Signed-off-by: Paul Menzel Signed-off-by: Suravee Suthikulpanit Link: https://lore.kernel.org/r/20210409085848.3908-2-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit a027e6155bb4d7e9e8ad89838f52ab629de26fe5 Author: Kuninori Morimoto Date: Thu Apr 8 13:28:38 2021 +0900 ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() [ Upstream commit a122a116fc6d8fcf2f202dcd185173a54268f239 ] Current rsnd needs to call .prepare (P) for clock settings, .trigger for playback start (S) and stop (E). It should be called as below from SSI point of view. P -> S -> E -> P -> S -> E -> ... But, if you used MIXer, below case might happen (2) 1: P -> S ---> E -> ... 2: P ----> S -> ... (1) (3) P(1) setups clock, but E(2) resets it. and starts playback (3). In such case, it will reports "SSI parent/child should use same rate". rsnd_ssi_master_clk_start() which is the main function at (P) was called from rsnd_ssi_init() (= S) before, but was moved by below patch to rsnd_soc_dai_prepare() (= P) to avoid using clk_get_rate() which shouldn't be used under atomic context. commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set under non-atomic") Because of above patch, rsnd_ssi_master_clk_start() is now called at (P) which is for non atomic context. But (P) is assuming that spin lock is *not* used. One issue now is rsnd_ssi_master_clk_start() is checking ssi->xxx which should be protected by spin lock. After above patch, adg.c had below patch for other reasons. commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") clk_get_rate() is used at probe() timing by this patch. In other words, rsnd_ssi_master_clk_start() is no longer using clk_get_rate() any more. This means we can call it from rsnd_ssi_init() (= S) again which is protected by spin lock. This patch re-move it to under spin lock, and solves 1. checking ssi->xxx without spin lock issue. 2. clk setting / device start / device stop race condition. Reported-by: Linh Phung T. Y. Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/875z0x1jt5.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cc748965313bddd16944cebd71276d170a65a62f Author: Vaibhav Jain Date: Sun Apr 4 22:01:48 2021 +0530 powerpc/mm: Add cond_resched() while removing hpte mappings [ Upstream commit a5d6a3e73acbd619dd5b7b831762b755f9e2db80 ] While removing large number of mappings from hash page tables for large memory systems as soft-lockup is reported because of the time spent inside htap_remove_mapping() like one below: watchdog: BUG: soft lockup - CPU#8 stuck for 23s! NIP plpar_hcall+0x38/0x58 LR pSeries_lpar_hpte_invalidate+0x68/0xb0 Call Trace: 0x1fffffffffff000 (unreliable) pSeries_lpar_hpte_removebolted+0x9c/0x230 hash__remove_section_mapping+0xec/0x1c0 remove_section_mapping+0x28/0x3c arch_remove_memory+0xfc/0x150 devm_memremap_pages_release+0x180/0x2f0 devm_action_release+0x30/0x50 release_nodes+0x28c/0x300 device_release_driver_internal+0x16c/0x280 unbind_store+0x124/0x170 drv_attr_store+0x44/0x60 sysfs_kf_write+0x64/0x90 kernfs_fop_write+0x1b0/0x290 __vfs_write+0x3c/0x70 vfs_write+0xd4/0x270 ksys_write+0xdc/0x130 system_call+0x5c/0x70 Fix this by adding a cond_resched() to the loop in htap_remove_mapping() that issues hcall to remove hpte mapping. The call to cond_resched() is issued every HZ jiffies which should prevent the soft-lockup from being reported. Suggested-by: Aneesh Kumar K.V Signed-off-by: Vaibhav Jain Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210404163148.321346-1-vaibhav@linux.ibm.com Signed-off-by: Sasha Levin commit 26f98b2d97a883159fae5b41bfedd5b17c093161 Author: Johannes Berg Date: Tue Mar 30 16:24:58 2021 +0300 iwlwifi: pcie: make cfg vs. trans_cfg more robust [ Upstream commit 48a5494d6a4cb5812f0640d9515f1876ffc7a013 ] If we (for example) have a trans_cfg entry in the PCI IDs table, but then don't find a full cfg entry for it in the info table, we fall through to the code that treats the PCI ID table entry as a full cfg entry. This obviously causes crashes later, e.g. when trying to build the firmware name string. Avoid such crashes by using the low bit of the pointer as a tag for trans_cfg entries (automatically using a macro that checks the type when assigning) and then checking that before trying to use the data as a full entry - if it's just a partial entry at that point, fail. Since we're adding some macro magic, also check that the type is in fact either struct iwl_cfg_trans_params or struct iwl_cfg, failing compilation ("initializer element is not constant") if it isn't. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210330162204.6f69fe6e4128.I921d4ae20ef5276716baeeeda0b001cf25b9b968@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 2bfc47dec5b8b13b16dbab1a266ab9de387ca59b Author: Miklos Szeredi Date: Wed Apr 14 10:40:58 2021 +0200 cuse: prevent clone [ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] For cloned connections cuse_channel_release() will be called more than once, resulting in use after free. Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life. Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 2c20c7d96e45fd9642fe6d12486cda9ef80661df Author: Miklos Szeredi Date: Wed Apr 14 10:40:58 2021 +0200 virtiofs: fix userns [ Upstream commit 0a7419c68a45d2d066b996be5087aa2d07ce80eb ] get_user_ns() is done twice (once in virtio_fs_get_tree() and once in fuse_conn_init()), resulting in a reference leak. Also looks better to use fsc->user_ns (which *should* be the current_user_ns() at this point). Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 87fe0ca09b2632656a6b193a16e6b458695b5c67 Author: Vivek Goyal Date: Tue Apr 6 10:07:06 2021 -0400 fuse: invalidate attrs when page writeback completes [ Upstream commit 3466958beb31a8e9d3a1441a34228ed088b84f3e ] In fuse when a direct/write-through write happens we invalidate attrs because that might have updated mtime/ctime on server and cached mtime/ctime will be stale. What about page writeback path. Looks like we don't invalidate attrs there. To be consistent, invalidate attrs in writeback path as well. Only exception is when writeback_cache is enabled. In that case we strust local mtime/ctime and there is no need to invalidate attrs. Recently users started experiencing failure of xfstests generic/080, geneirc/215 and generic/614 on virtiofs. This happened only newer "stat" utility and not older one. This patch fixes the issue. So what's the root cause of the issue. Here is detailed explanation. generic/080 test does mmap write to a file, closes the file and then checks if mtime has been updated or not. When file is closed, it leads to flushing of dirty pages (and that should update mtime/ctime on server). But we did not explicitly invalidate attrs after writeback finished. Still generic/080 passed so far and reason being that we invalidated atime in fuse_readpages_end(). This is called in fuse_readahead() path and always seems to trigger before mmaped write. So after mmaped write when lstat() is called, it sees that atleast one of the fields being asked for is invalid (atime) and that results in generating GETATTR to server and mtime/ctime also get updated and test passes. But newer /usr/bin/stat seems to have moved to using statx() syscall now (instead of using lstat()). And statx() allows it to query only ctime or mtime (and not rest of the basic stat fields). That means when querying for mtime, fuse_update_get_attr() sees that mtime is not invalid (only atime is invalid). So it does not generate a new GETATTR and fill stat with cached mtime/ctime. And that means updated mtime is not seen by xfstest and tests start failing. Invalidating attrs after writeback completion should solve this problem in a generic manner. Signed-off-by: Vivek Goyal Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit f1c230d75b47a7f368bf1ef2af7444b5def1ef48 Author: Shayne Chen Date: Thu Apr 1 10:31:29 2021 +0800 mt76: mt7915: fix txpower init for TSSI off chips [ Upstream commit a226ccd04c479ccd23d6927c64bad1b441707f70 ] Fix incorrect txpower init value for TSSI off chips which causes too small txpower. Signed-off-by: Shayne Chen Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 7eb1e84cfe2813467eae7cafad55c591a57a8780 Author: David Bauer Date: Sun Feb 7 16:09:17 2021 +0100 mt76: mt76x0: disable GTK offloading [ Upstream commit 4b36cc6b390f18dbc59a45fb4141f90d7dfe2b23 ] When operating two VAP on a MT7610 with encryption (PSK2, SAE, OWE), only the first one to be created will transmit properly encrypteded frames. All subsequently created VAPs will sent out frames with the payload left unencrypted, breaking multicast traffic (ICMP6 NDP) and potentially disclosing information to a third party. Disable GTK offloading and encrypt these frames in software to circumvent this issue. THis only seems to be necessary on MT7610 chips, as MT7612 is not affected from our testing. Signed-off-by: David Bauer Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit bbd3d0014cc4e8bfd15631140e46d4ea2f224efa Author: Sander Vanheule Date: Tue Feb 2 09:59:53 2021 +0100 mt76: mt7615: support loading EEPROM for MT7613BE [ Upstream commit 858ebf446bee7d5077bd99488aae617908c3f4fe ] EEPROM blobs for MT7613BE radios start with (little endian) 0x7663, which is also the PCI device ID for this device. The EEPROM is required for the radio to work at useful power levels, otherwise only the lowest power level is available. Suggested-by: Georgi Vlaev Tested-by: Stijn Segers Signed-off-by: Sander Vanheule Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 32b3e7e303bd4d4de3dcea0b3eef6d80788e250e Author: Po-Hao Huang Date: Fri Mar 19 13:42:16 2021 +0800 rtw88: 8822c: add LC calibration for RTL8822C [ Upstream commit 7ae7784ec2a812c07d2ca91a6538ef2470154fb6 ] Fix power tracking issue by replacing unnecessary IQ calibration with LC calibration. When thermal difference exceeds limitation, let RF circuit adjsut its characteristic to fit in current environment. Signed-off-by: Po-Hao Huang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210319054218.3319-6-pkshih@realtek.com Signed-off-by: Sasha Levin commit 28c2a1d650885a6855c495262c6957723bbfac17 Author: Krzysztof Kozlowski Date: Thu Apr 8 21:50:29 2021 +0200 pinctrl: samsung: use 'int' for register masks in Exynos [ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ] The Special Function Registers on all Exynos SoC, including ARM64, are 32-bit wide, so entire driver uses matching functions like readl() or writel(). On 64-bit ARM using unsigned long for register masks: 1. makes little sense as immediately after bitwise operation it will be cast to 32-bit value when calling writel(), 2. is actually error-prone because it might promote other operands to 64-bit. Addresses-Coverity: Unintentional integer overflow Signed-off-by: Krzysztof Kozlowski Reviewed-by: Sylwester Nawrocki Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 2eac474900d352ee8d4bdcd4f32fbec06b4dfc61 Author: Emmanuel Grumbach Date: Thu Apr 8 14:31:25 2021 +0200 mac80211: clear the beacon's CRC after channel switch [ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ] After channel switch, we should consider any beacon with a CSA IE as a new switch. If the CSA IE is a leftover from before the switch that the AP forgot to remove, we'll get a CSA-to-Self. This caused issues in iwlwifi where the firmware saw a beacon with a CSA-to-Self with mode = 1 on the new channel after a switch. The firmware considered this a new switch and closed its queues. Since the beacon didn't change between before and after the switch, we wouldn't handle it (the CRC is the same) and we wouldn't let the firmware open its queues again or disconnect if the CSA IE stays for too long. Clear the CRC valid state after we switch to make sure that we handle the beacon and handle the CSA IE as required. Signed-off-by: Emmanuel Grumbach Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 437a4746e47e17bbc7b33931187528514ad9e1aa Author: Mike Marciniszyn Date: Mon Mar 29 09:54:09 2021 -0400 IB/hfi1: Correct oversized ring allocation [ Upstream commit b536d4b2a279733f440c911dc831764690b90050 ] The completion ring for tx is using the wrong size to size the ring, oversizing the ring by two orders of magniture. Correct the allocation size and use kcalloc_node() to allocate the ring. Fix mistaken GFP defines in similar allocations. Link: https://lore.kernel.org/r/1617026056-50483-4-git-send-email-dennis.dalessandro@cornelisnetworks.com Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d7592a5c376bf80d8839d4554784f0b85eac3642 Author: Suzuki K Poulose Date: Mon Apr 5 17:42:57 2021 +0100 coresight: Do not scan for graph if none is present [ Upstream commit 2b921b671a8d29c2adb255a86409aad1e3267309 ] If a graph node is not found for a given node, of_get_next_endpoint() will emit the following error message : OF: graph: no port node found in / If the given component doesn't have any explicit connections (e.g, ETE) we could simply ignore the graph parsing. As for any legacy component where this is mandatory, the device will not be usable as before this patch. Updating the DT bindings to Yaml and enabling the schema checks can detect such issues with the DT. Cc: Mike Leach Cc: Leo Yan Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20210405164307.1720226-11-suzuki.poulose@arm.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 8f7806174fdbc90688a4159e07ec348f0a171572 Author: Tiezhu Yang Date: Tue Apr 6 17:25:12 2021 +0800 MIPS: Loongson64: Use _CACHE_UNCACHED instead of _CACHE_UNCACHED_ACCELERATED [ Upstream commit 5e65c52ec716af6e8f51dacdaeb4a4d872249af1 ] Loongson64 processors have a writecombine issue that maybe failed to write back framebuffer used with ATI Radeon or AMD GPU at times, after commit 8a08e50cee66 ("drm: Permit video-buffers writecombine mapping for MIPS"), there exists some errors such as blurred screen and lockup, and so on. [ 60.958721] radeon 0000:03:00.0: ring 0 stalled for more than 10079msec [ 60.965315] radeon 0000:03:00.0: GPU lockup (current fence id 0x0000000000000112 last fence id 0x000000000000011d on ring 0) [ 60.976525] radeon 0000:03:00.0: ring 3 stalled for more than 10086msec [ 60.983156] radeon 0000:03:00.0: GPU lockup (current fence id 0x0000000000000374 last fence id 0x00000000000003a8 on ring 3) As discussed earlier [1], it might be better to disable writecombine on the CPU detection side because the root cause is unknown now. Actually, this patch is a temporary solution to just make it work well, it is not a proper and final solution, I hope someone will have a better solution to fix this issue in the future. [1] https://lore.kernel.org/patchwork/patch/1285542/ Signed-off-by: Tiezhu Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 2c098ad786d36a7e0027f3f33330b07a39de3ea6 Author: Bence Csókás Date: Wed Mar 31 19:19:20 2021 +0000 i2c: Add I2C_AQ_NO_REP_START adapter quirk [ Upstream commit aca01415e076aa96cca0f801f4420ee5c10c660d ] This quirk signifies that the adapter cannot do a repeated START, it always issues a STOP condition after transfers. Suggested-by: Wolfram Sang Signed-off-by: Bence Csókás Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c6d2f8ffb145765b635f1fbcb3832578aaa8309a Author: Hans de Goede Date: Fri Apr 2 16:07:45 2021 +0200 ASoC: rt5670: Add a quirk for the Dell Venue 10 Pro 5055 [ Upstream commit 84cb0d5581b6a7bd5d96013f67e9f2eb0c7b4378 ] Add a quirk with the jack-detect and dmic settings necessary to make jack-detect and the builtin mic work on Dell Venue 10 Pro 5055 tablets. Signed-off-by: Hans de Goede Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210402140747.174716-5-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6c9b2de448126fe65d5d3476d2f6fba3f004d195 Author: mark-yw.chen Date: Mon Mar 29 01:18:33 2021 +0800 Bluetooth: btusb: Enable quirk boolean flag for Mediatek Chip. [ Upstream commit 27e554a4fcd84e499bf0a82122b8c4c3f1de38b6 ] Adding support LE scatternet and WBS for Mediatek Chip Signed-off-by: mark-yw.chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c87b052deaa85f173a0bd34f3fdf1adb894f72a8 Author: Paul M Stillwell Jr Date: Tue Mar 2 10:12:05 2021 -0800 ice: handle increasing Tx or Rx ring sizes [ Upstream commit 2ec5638559c13b923250eccf495d2a033fccb3e7 ] There is an issue when the Tx or Rx ring size increases using 'ethtool -L ...' where the new rings don't get the correct ITR values because when we rebuild the VSI we don't know that some of the rings may be new. Fix this by looking at the original number of rings and determining if the rings in ice_vsi_rebuild_set_coalesce() were not present in the original rings received in ice_vsi_rebuild_get_coalesce(). Also change the code to return an error if we can't allocate memory for the coalesce data in ice_vsi_rebuild(). Signed-off-by: Paul M Stillwell Jr Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit eb28709c07a67825c146636a4013aba775bbc12d Author: Hans de Goede Date: Thu Mar 25 23:10:54 2021 +0100 ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet [ Upstream commit 875c40eadf6ac6644c0f71842a4f30dd9968d281 ] The Chuwi Hi8 tablet is using an analog mic on IN1 and has its jack-detect connected to JD2_IN4N, instead of using the default IN3 for its internal mic and JD1_IN4P for jack-detect. It also only has 1 speaker. Add a quirk applying the correct settings for this configuration. Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210325221054.22714-1-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7bd851a6d3696edd7813f8dd88b8c30feb36fe7f Author: Eric Dumazet Date: Mon Mar 29 12:12:54 2021 -0700 ip6_vti: proper dev_{hold|put} in ndo_[un]init methods [ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ] After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger a warning [1] Issue here is that: - all dev_put() should be paired with a corresponding prior dev_hold(). - A driver doing a dev_put() in its ndo_uninit() MUST also do a dev_hold() in its ndo_init(), only when ndo_init() is returning 0. Otherwise, register_netdevice() would call ndo_uninit() in its error path and release a refcount too soon. Therefore, we need to move dev_hold() call from vti6_tnl_create2() to vti6_dev_init_gen() [1] WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58 RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568 R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40 FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] dev_put include/linux/netdevice.h:4135 [inline] vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297 register_netdevice+0xadf/0x1500 net/core/dev.c:10308 vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190 vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x331/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmmsg+0x195/0x470 net/socket.c:2490 __do_sys_sendmmsg net/socket.c:2519 [inline] __se_sys_sendmmsg net/socket.c:2516 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b502a6a440667da6b9854ca14bbdac0fca458c58 Author: Yunsheng Lin Date: Mon Mar 29 11:57:50 2021 +0800 net: hns3: add handling for xmit skb with recursive fraglist [ Upstream commit d5d5e0193ee8f88efbbc7f1471087255657bc19a ] Currently hns3 driver only handle the xmit skb with one level of fraglist skb, add handling for multi level by calling hns3_tx_bd_num() recursively when calculating bd num and calling hns3_fill_skb_to_desc() recursively when filling tx desc. When the skb has a fraglist level of 24, the skb is simply dropped and stats.max_recursion_level is added to record the error. Move the stat handling from hns3_nic_net_xmit() to hns3_nic_maybe_stop_tx() in order to handle different error stat and add the 'max_recursion_level' and 'hw_limitation' stat. Note that the max recursive level as 24 is chose according to below: commit 48a1df65334b ("skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow"). And that we are not able to find a testcase to verify the recursive fraglist case, so Fixes tag is not provided. Reported-by: Barry Song Signed-off-by: Yunsheng Lin Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c56804f431db385d4564aee4582ac46520d44434 Author: Guangbin Huang Date: Mon Mar 29 11:57:47 2021 +0800 net: hns3: remediate a potential overflow risk of bd_num_list [ Upstream commit a2ee6fd28a190588e142ad8ea9d40069cd3c9f98 ] The array size of bd_num_list is a fixed value, it may have potential overflow risk when array size of hclge_dfx_bd_offset_list is greater than that fixed value. So modify bd_num_list as a pointer and allocate memory for it according to array size of hclge_dfx_bd_offset_list. Signed-off-by: Guangbin Huang Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 286b3ff9fd98eadeea5fde7985d464254c43064a Author: Christophe Leroy Date: Fri Mar 12 12:50:25 2021 +0000 powerpc/32: Statically initialise first emergency context [ Upstream commit a4719f5bb6d7dc220bffdc1b9f5ce5eaa5543581 ] The check of the emergency context initialisation in vmap_stack_overflow is buggy for the SMP case, as it compares r1 with 0 while in the SMP case r1 is offseted by the CPU id. Instead of fixing it, just perform static initialisation of the first emergency context. Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/4a67ba422be75713286dca0c86ee0d3df2eb6dfa.1615552867.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit b9f9313c7501cb4fd7a7aac5c9a524b521079d58 Author: Russell Currey Date: Tue Feb 23 17:02:27 2021 +1000 selftests/powerpc: Fix L1D flushing tests for Power10 [ Upstream commit 3a72c94ebfb1f171eba0715998010678a09ec796 ] The rfi_flush and entry_flush selftests work by using the PM_LD_MISS_L1 perf event to count L1D misses. The value of this event has changed over time: - Power7 uses 0x400f0 - Power8 and Power9 use both 0x400f0 and 0x3e054 - Power10 uses only 0x3e054 Rather than relying on raw values, configure perf to count L1D read misses in the most explicit way available. This fixes the selftests to work on systems without 0x400f0 as PM_LD_MISS_L1, and should change no behaviour for systems that the tests already worked on. The only potential downside is that referring to a specific perf event requires PMU support implemented in the kernel for that platform. Signed-off-by: Russell Currey Acked-by: Daniel Axtens Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210223070227.2916871-1-ruscur@russell.cc Signed-off-by: Sasha Levin commit 2033dde6aa0198b828b53b05011b59fe3902ef04 Author: Archie Pusaka Date: Tue Mar 23 16:32:20 2021 +0800 Bluetooth: check for zapped sk before connecting [ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ] There is a possibility of receiving a zapped sock on l2cap_sock_connect(). This could lead to interesting crashes, one such case is tearing down an already tore l2cap_sock as is happened with this call trace: __dump_stack lib/dump_stack.c:15 [inline] dump_stack+0xc4/0x118 lib/dump_stack.c:56 register_lock_class kernel/locking/lockdep.c:792 [inline] register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742 __lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105 lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline] _raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175 spin_lock_bh include/linux/spinlock.h:307 [inline] lock_sock_nested+0x44/0xfa net/core/sock.c:2518 l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345 l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598 l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756 l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429 process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064 worker_thread+0x5a5/0x773 kernel/workqueue.c:2196 kthread+0x291/0x2a6 kernel/kthread.c:211 ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604 Signed-off-by: Archie Pusaka Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com Reviewed-by: Alain Michaud Reviewed-by: Abhishek Pandit-Subedi Reviewed-by: Guenter Roeck Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 6421cdfbb6fba9c3ac8e62ad8d3697e4a4e74e0d Author: Nikolay Aleksandrov Date: Mon Mar 22 17:45:27 2021 +0200 net: bridge: when suppression is enabled exclude RARP packets [ Upstream commit 0353b4a96b7a9f60fe20d1b3ebd4931a4085f91c ] Recently we had an interop issue where RARP packets got suppressed with bridge neigh suppression enabled, but the check in the code was meant to suppress GARP. Exclude RARP packets from it which would allow some VMWare setups to work, to quote the report: "Those RARP packets usually get generated by vMware to notify physical switches when vMotion occurs. vMware may use random sip/tip or just use sip=tip=0. So the RARP packet sometimes get properly flooded by the vtep and other times get dropped by the logic" Reported-by: Amer Abdalamer Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fccb35bbf75f50b00a059b61ed38b2497dc50199 Author: Vladimir Oltean Date: Sun Mar 21 23:05:48 2021 +0200 net/sched: cls_flower: use ntohs for struct flow_dissector_key_ports [ Upstream commit 6215afcb9a7e35cef334dc0ae7f998cc72c8465f ] A make W=1 build complains that: net/sched/cls_flower.c:214:20: warning: cast from restricted __be16 net/sched/cls_flower.c:214:20: warning: incorrect type in argument 1 (different base types) net/sched/cls_flower.c:214:20: expected unsigned short [usertype] val net/sched/cls_flower.c:214:20: got restricted __be16 [usertype] dst This is because we use htons on struct flow_dissector_key_ports members src and dst, which are defined as __be16, so they are already in network byte order, not host. The byte swap function for the other direction should have been used. Because htons and ntohs do the same thing (either both swap, or none does), this change has no functional effect except to silence the warnings. Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a019b8d7dfd53018e6a7204e1e1d3858f208c964 Author: Tetsuo Handa Date: Mon Mar 22 07:52:07 2021 +0900 Bluetooth: initialize skb_queue_head at l2cap_chan_create() [ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ] syzbot is hitting "INFO: trying to register non-static key." message [1], for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when l2cap_chan_del() is called due to e.g. timeout. Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create() immediately after "struct l2cap_chan" is allocated using kzalloc(), let's as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there. [1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842 Reported-and-tested-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e0dc9e93f7fd908351d66acac6f3e71699d58ec8 Author: Archie Pusaka Date: Mon Mar 22 14:02:15 2021 +0800 Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default [ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ] Currently l2cap_chan_set_defaults() reset chan->conf_state to zero. However, there is a flag CONF_NOT_COMPLETE which is set when creating the l2cap_chan. It is suggested that the flag should be cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults() is called, l2cap_chan is not yet ready. Therefore, we must set this flag as the default. Example crash call trace: __dump_stack lib/dump_stack.c:15 [inline] dump_stack+0xc4/0x118 lib/dump_stack.c:56 panic+0x1c6/0x38b kernel/panic.c:117 __warn+0x170/0x1b9 kernel/panic.c:471 warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494 debug_print_object+0x175/0x193 lib/debugobjects.c:260 debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614 debug_timer_assert_init kernel/time/timer.c:629 [inline] debug_assert_init kernel/time/timer.c:677 [inline] del_timer+0x7c/0x179 kernel/time/timer.c:1034 try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230 cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929 l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834 l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640 l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756 l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174 l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217 __sock_release+0xda/0x217 net/socket.c:580 sock_close+0x1b/0x1f net/socket.c:1039 __fput+0x322/0x55c fs/file_table.c:208 ____fput+0x17/0x19 fs/file_table.c:244 task_work_run+0x19b/0x1d3 kernel/task_work.c:115 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0xe4c/0x204a kernel/exit.c:766 do_group_exit+0x291/0x291 kernel/exit.c:891 get_signal+0x749/0x1093 kernel/signal.c:2396 do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737 exit_to_usermode_loop arch/x86/entry/common.c:243 [inline] prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277 syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348 int_ret_from_sys_call+0x25/0xa3 Signed-off-by: Archie Pusaka Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com Reviewed-by: Alain Michaud Reviewed-by: Abhishek Pandit-Subedi Reviewed-by: Guenter Roeck Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b972f345a17a25bad9dcc0631d3e10bb0fb707fe Author: Takashi Sakamoto Date: Sun Mar 21 12:28:31 2021 +0900 ALSA: bebob: enable to deliver MIDI messages for multiple ports [ Upstream commit d2b6f15bc18ac8fbce25398290774c21f5b2cd44 ] Current implementation of bebob driver doesn't correctly handle the case that the device has multiple MIDI ports. The cause is the number of MIDI conformant data channels is passed to AM824 data block processing layer. This commit fixes the bug. Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210321032831.340278-4-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d398f25007d57663bf439691ab5c4bde0e1fc864 Author: Tong Zhang Date: Sun Mar 21 11:38:40 2021 -0400 ALSA: rme9652: don't disable if not enabled [ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ] rme9652 wants to disable a not enabled pci device, which makes kernel throw a warning. Make sure the device is enabled before calling disable. [ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device [ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 [ 1.759968] Call Trace: [ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652] [ 1.760434] release_card_device+0x4b/0x80 [snd] [ 1.760679] device_release+0x3b/0xa0 [ 1.760874] kobject_put+0x94/0x1b0 [ 1.761059] put_device+0x13/0x20 [ 1.761235] snd_card_free+0x61/0x90 [snd] [ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652] Suggested-by: Takashi Iwai Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9df07b0661e7793e54464f9f115eba25397d0d5c Author: Tong Zhang Date: Sun Mar 21 11:38:39 2021 -0400 ALSA: hdspm: don't disable if not enabled [ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ] hdspm wants to disable a not enabled pci device, which makes kernel throw a warning. Make sure the device is enabled before calling disable. [ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device [ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 [ 1.795181] Call Trace: [ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm] [ 1.795595] release_card_device+0x4b/0x80 [snd] [ 1.795860] device_release+0x3b/0xa0 [ 1.796072] kobject_put+0x94/0x1b0 [ 1.796260] put_device+0x13/0x20 [ 1.796438] snd_card_free+0x61/0x90 [snd] [ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm] Suggested-by: Takashi Iwai Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit a950cd8cb05d358fcbcd84c1a0c4760351adc82a Author: Tong Zhang Date: Sun Mar 21 11:38:38 2021 -0400 ALSA: hdsp: don't disable if not enabled [ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ] hdsp wants to disable a not enabled pci device, which makes kernel throw a warning. Make sure the device is enabled before calling disable. [ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device [ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0 [ 1.766985] Call Trace: [ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp] [ 1.767388] release_card_device+0x4b/0x80 [snd] [ 1.767639] device_release+0x3b/0xa0 [ 1.767838] kobject_put+0x94/0x1b0 [ 1.768027] put_device+0x13/0x20 [ 1.768207] snd_card_free+0x61/0x90 [snd] [ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp] Suggested-by: Takashi Iwai Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit faed3150a4368d8c199d3d93340410af672c2237 Author: Wolfram Sang Date: Fri Mar 12 12:57:34 2021 +0100 i2c: bail out early when RDWR parameters are wrong [ Upstream commit 71581562ee36032d2d574a9b23ad4af6d6a64cf7 ] The buggy parameters currently get caught later, but emit a noisy WARN. Userspace should not be able to trigger this, so add similar checks much earlier. Also avoids some unneeded code paths, of course. Apply kernel coding stlye to a comment while here. Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com Signed-off-by: Wolfram Sang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 18df2bc13b1f0bce0338ccc77b184a2fa6a6645e Author: Ayush Garg Date: Wed Mar 17 16:52:14 2021 +0530 Bluetooth: Fix incorrect status handling in LE PHY UPDATE event [ Upstream commit 87df8bcccd2cede62dfb97dc3d4ca1fe66cb4f83 ] Skip updation of tx and rx PHYs values, when PHY Update event's status is not successful. Signed-off-by: Ayush Garg Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 879a96d817ed7268712ed65e6551ed4654d86ce8 Author: Mikhail Durnev Date: Tue Mar 16 14:47:35 2021 +1000 ASoC: rsnd: core: Check convert rate in rsnd_hw_params [ Upstream commit 19c6a63ced5e07e40f3a5255cb1f0fe0d3be7b14 ] snd_pcm_hw_params_set_rate_near can return incorrect sample rate in some cases, e.g. when the backend output rate is set to some value higher than 48000 Hz and the input rate is 8000 Hz. So passing the value returned by snd_pcm_hw_params_set_rate_near to snd_pcm_hw_params will result in "FSO/FSI ratio error" and playing no audio at all while the userland is not properly notified about the issue. If SRC is unable to convert the requested sample rate to the sample rate the backend is using, then the requested sample rate should be adjusted in rsnd_hw_params. The userland will be notified about that change in the returned hw_params structure. Signed-off-by: Mikhail Durnev Link: https://lore.kernel.org/r/1615870055-13954-1-git-send-email-mikhail_durnev@mentor.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a2aeb5de26c1800e530b29e9a157c92c5a827293 Author: Jonathan McDowell Date: Sat Mar 13 13:18:26 2021 +0000 net: stmmac: Set FIFO sizes for ipq806x [ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ] Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values") started using the TX FIFO size to verify what counts as a valid MTU request for the stmmac driver. This is unset for the ipq806x variant. Looking at older patches for this it seems the RX + TXs buffers can be up to 8k, so set appropriately. (I sent this as an RFC patch in June last year, but received no replies. I've been running with this on my hardware (a MikroTik RB3011) since then with larger MTUs to support both the internal qca8k switch and VLANs with no problems. Without the patch it's impossible to set the larger MTU required to support this.) Signed-off-by: Jonathan McDowell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c0a62a441bbdd2cb90c6e366f185d32f554f840b Author: Maxim Mikityanskiy Date: Fri Jan 29 18:43:31 2021 +0200 net/mlx5e: Use net_prefetchw instead of prefetchw in MPWQE TX datapath [ Upstream commit 991b2654605b455a94dac73e14b23480e7e20991 ] Commit e20f0dbf204f ("net/mlx5e: RX, Add a prefetch command for small L1_CACHE_BYTES") switched to using net_prefetchw at all places in mlx5e. In the same time frame, commit 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs") added one more usage of prefetchw. When these two changes were merged, this new occurrence of prefetchw wasn't replaced with net_prefetchw. This commit fixes this last occurrence of prefetchw in mlx5e_tx_mpwqe_session_start, making the same change that was done in mlx5e_xdp_mpwqe_session_start. Signed-off-by: Maxim Mikityanskiy Reviewed-by: Saeed Mahameed Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 2d17c58a3a4f8dc4e7e770ebcdf4041eff67560f Author: Hans de Goede Date: Fri Mar 12 12:48:50 2021 +0100 ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF [ Upstream commit b7c7203a1f751348f35fc4bcb157572d303f7573 ] The Asus T100TAF uses the same jack-detect settings as the T100TA, this has been confirmed on actual hardware. Add these settings to the T100TAF quirks to enable jack-detect support on the T100TAF. Signed-off-by: Hans de Goede Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210312114850.13832-1-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3d1bede85632a6330bacb77a90eeeb5a956a78d0 Author: Hoang Le Date: Thu Mar 11 10:33:22 2021 +0700 tipc: convert dest node's address to network order [ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ] (struct tipc_link_info)->dest is in network order (__be32), so we must convert the value to network order before assigning. The problem detected by sparse: net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types) net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest net/tipc/netlink_compat.c:699:24: got int Acked-by: Jon Maloy Signed-off-by: Hoang Le Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a407b5881686a3c08902d54d958e28f7bad4070a Author: Alexander Aring Date: Mon Mar 1 17:05:19 2021 -0500 fs: dlm: flush swork on shutdown [ Upstream commit eec054b5a7cfe6d1f1598a323b05771ee99857b5 ] This patch fixes the flushing of send work before shutdown. The function cancel_work_sync() is not the right workqueue functionality to use here as it would cancel the work if the work queues itself. In cases of EAGAIN in send() for dlm message we need to be sure that everything is send out before. The function flush_work() will ensure that every send work is be done inclusive in EAGAIN cases. Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit ff58d1c72edfc000b3a4ec9d5c963023ef869999 Author: Alexander Aring Date: Mon Mar 1 17:05:17 2021 -0500 fs: dlm: check on minimum msglen size [ Upstream commit 710176e8363f269c6ecd73d203973b31ace119d3 ] This patch adds an additional check for minimum dlm header size which is an invalid dlm message and signals a broken stream. A msglen field cannot be less than the dlm header size because the field is inclusive header lengths. Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit ca973d2aeaf70c15e6663be3f71ba1b17a127051 Author: Alexander Aring Date: Mon Mar 1 17:05:12 2021 -0500 fs: dlm: add errno handling to check callback [ Upstream commit 8aa9540b49e0833feba75dbf4f45babadd0ed215 ] This allows to return individual errno values for the config attribute check callback instead of returning invalid argument only. Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 06d59d21cb05765e72a53b53a86c6be106bece88 Author: Alexander Aring Date: Mon Mar 1 17:05:08 2021 -0500 fs: dlm: fix debugfs dump [ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ] This patch fixes the following message which randomly pops up during glocktop call: seq_file: buggy .next function table_seq_next did not update position index The issue is that seq_read_iter() in fs/seq_file.c also needs an increment of the index in an non next record case as well which this patch fixes otherwise seq_read_iter() will print out the above message. Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit bd6017a942b9343c1e6a99eef9c64fa264a1a53b Author: Pradeep Kumar Chitrapu Date: Thu Feb 18 10:27:08 2021 -0800 ath11k: fix thermal temperature read [ Upstream commit e3de5bb7ac1a4cb262f8768924fd3ef6182b10bb ] Fix dangling pointer in thermal temperature event which causes incorrect temperature read. Tested-on: IPQ8074 AHB WLAN.HK.2.4.0.1-00041-QCAHKSWPL_SILICONZ-1 Signed-off-by: Pradeep Kumar Chitrapu Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210218182708.8844-1-pradeepc@codeaurora.org Signed-off-by: Sasha Levin commit 21756f878e827784213df136e678fed0ce9f0e30 Author: David Matlack Date: Thu May 6 15:24:43 2021 +0000 kvm: Cap halt polling at kvm->max_halt_poll_ns commit 258785ef08b323bddd844b4926a32c2b2045a1b0 upstream. When growing halt-polling, there is no check that the poll time exceeds the per-VM limit. It's possible for vcpu->halt_poll_ns to grow past kvm->max_halt_poll_ns and stay there until a halt which takes longer than kvm->halt_poll_ns. Signed-off-by: David Matlack Signed-off-by: Venkatesh Srinivas Message-Id: <20210506152442.4010298-1-venkateshs@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 53d7eed0315a7e6eaf8664c11c123095cf356ece Author: Rafael J. Wysocki Date: Wed Apr 21 19:40:56 2021 +0200 cpufreq: intel_pstate: Use HWP if enabled by platform firmware commit e5af36b2adb858e982d78d41d7363d05d951a19a upstream. It turns out that there are systems where HWP is enabled during initialization by the platform firmware (BIOS), but HWP EPP support is not advertised. After commit 7aa1031223bc ("cpufreq: intel_pstate: Avoid enabling HWP if EPP is not supported") intel_pstate refuses to use HWP on those systems, but the fallback PERF_CTL interface does not work on them either because of enabled HWP, and once enabled, HWP cannot be disabled. Consequently, the users of those systems cannot control CPU performance scaling. Address this issue by making intel_pstate use HWP unconditionally if it is enabled already when the driver starts. Fixes: 7aa1031223bc ("cpufreq: intel_pstate: Avoid enabling HWP if EPP is not supported") Reported-by: Srinivas Pandruvada Tested-by: Srinivas Pandruvada Signed-off-by: Rafael J. Wysocki Cc: 5.9+ # 5.9+ Signed-off-by: Greg Kroah-Hartman commit 182f1f72af2e6803f1470a7e16a76ef0c63cc124 Author: Tony Lindgren Date: Wed May 5 14:09:15 2021 +0300 PM: runtime: Fix unpaired parent child_count for force_resume commit c745253e2a691a40c66790defe85c104a887e14a upstream. As pm_runtime_need_not_resume() relies also on usage_count, it can return a different value in pm_runtime_force_suspend() compared to when called in pm_runtime_force_resume(). Different return values can happen if anything calls PM runtime functions in between, and causes the parent child_count to increase on every resume. So far I've seen the issue only for omapdrm that does complicated things with PM runtime calls during system suspend for legacy reasons: omap_atomic_commit_tail() for omapdrm.0 dispc_runtime_get() wakes up 58000000.dss as it's the dispc parent dispc_runtime_resume() rpm_resume() increases parent child_count dispc_runtime_put() won't idle, PM runtime suspend blocked pm_runtime_force_suspend() for 58000000.dss, !pm_runtime_need_not_resume() __update_runtime_status() system suspended pm_runtime_force_resume() for 58000000.dss, pm_runtime_need_not_resume() pm_runtime_enable() only called because of pm_runtime_need_not_resume() omap_atomic_commit_tail() for omapdrm.0 dispc_runtime_get() wakes up 58000000.dss as it's the dispc parent dispc_runtime_resume() rpm_resume() increases parent child_count dispc_runtime_put() won't idle, PM runtime suspend blocked ... rpm_suspend for 58000000.dss but parent child_count is now unbalanced Let's fix the issue by adding a flag for needs_force_resume and use it in pm_runtime_force_resume() instead of pm_runtime_need_not_resume(). Additionally omapdrm system suspend could be simplified later on to avoid lots of unnecessary PM runtime calls and the complexity it adds. The driver can just use internal functions that are shared between the PM runtime and system suspend related functions. Fixes: 4918e1f87c5f ("PM / runtime: Rework pm_runtime_force_suspend/resume()") Signed-off-by: Tony Lindgren Reviewed-by: Ulf Hansson Tested-by: Tomi Valkeinen Cc: 4.16+ # 4.16+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e97da47e9be04b6cc98451bd6cac779d1f1a74dc Author: Sumeet Pawnikar Date: Tue May 11 23:31:42 2021 +0530 ACPI: PM: Add ACPI ID of Alder Lake Fan commit 2404b8747019184002823dba7d2f0ecf89d802b7 upstream. Add a new unique fan ACPI device ID for Alder Lake to support it in acpi_dev_pm_attach() function. Fixes: 38748bcb940e ("ACPI: DPTF: Support Alder Lake") Signed-off-by: Sumeet Pawnikar Acked-by: Zhang Rui Cc: 5.10+ # 5.10+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit bfccc4eade2bec1493f891ebcd3c6751eee971c9 Author: Lai Jiangshan Date: Tue May 4 21:50:14 2021 +0200 KVM/VMX: Invoke NMI non-IST entry instead of IST entry commit a217a6593cec8b315d4c2f344bae33660b39b703 upstream. In VMX, the host NMI handler needs to be invoked after NMI VM-Exit. Before commit 1a5488ef0dcf6 ("KVM: VMX: Invoke NMI handler via indirect call instead of INTn"), this was done by INTn ("int $2"). But INTn microcode is relatively expensive, so the commit reworked NMI VM-Exit handling to invoke the kernel handler by function call. But this missed a detail. The NMI entry point for direct invocation is fetched from the IDT table and called on the kernel stack. But on 64-bit the NMI entry installed in the IDT expects to be invoked on the IST stack. It relies on the "NMI executing" variable on the IST stack to work correctly, which is at a fixed position in the IST stack. When the entry point is unexpectedly called on the kernel stack, the RSP-addressed "NMI executing" variable is obviously also on the kernel stack and is "uninitialized" and can cause the NMI entry code to run in the wrong way. Provide a non-ist entry point for VMX which shares the C-function with the regular NMI entry and invoke the new asm entry point instead. On 32-bit this just maps to the regular NMI entry point as 32-bit has no ISTs and is not affected. [ tglx: Made it independent for backporting, massaged changelog ] Fixes: 1a5488ef0dcf6 ("KVM: VMX: Invoke NMI handler via indirect call instead of INTn") Signed-off-by: Lai Jiangshan Signed-off-by: Thomas Gleixner Tested-by: Lai Jiangshan Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87r1imi8i1.ffs@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit 21f317826e170c1cf03944d7ce7b9142c238fb71 Author: Sean Christopherson Date: Thu Jan 14 16:40:51 2021 -0800 KVM: x86/mmu: Remove the defunct update_pte() paging hook commit c5e2184d1544f9e56140791eff1a351bea2e63b9 upstream. Remove the update_pte() shadow paging logic, which was obsoleted by commit 4731d4c7a077 ("KVM: MMU: out of sync shadow core"), but never removed. As pointed out by Yu, KVM never write protects leaf page tables for the purposes of shadow paging, and instead marks their associated shadow page as unsync so that the guest can write PTEs at will. The update_pte() path, which predates the unsync logic, optimizes COW scenarios by refreshing leaf SPTEs when they are written, as opposed to zapping the SPTE, restarting the guest, and installing the new SPTE on the subsequent fault. Since KVM no longer write-protects leaf page tables, update_pte() is unreachable and can be dropped. Reported-by: Yu Zhang Signed-off-by: Sean Christopherson Message-Id: <20210115004051.4099250-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 53171e68a509f185d38c6df9fb9727e3ca90348c Author: Jarkko Sakkinen Date: Mon May 10 15:28:31 2021 +0300 tpm, tpm_tis: Reserve locality in tpm_tis_resume() commit 8a2d296aaebadd68d9c1f6908667df1d1c84c051 upstream. Reserve locality in tpm_tis_resume(), as it could be unsert after waking up from a sleep state. Cc: stable@vger.kernel.org Cc: Lino Sanfilippo Reported-by: Hans de Goede Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 923866165610d831fe6f5e53379bd57dfa553697 Author: Jarkko Sakkinen Date: Mon May 10 15:28:30 2021 +0300 tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt() commit e630af7dfb450d1c00c30077314acf33032ff9e4 upstream. The earlier fix (linked) only partially fixed the locality handling bug in tpm_tis_gen_interrupt(), i.e. only for TPM 1.x. Extend the locality handling to cover TPM2. Cc: Hans de Goede Cc: stable@vger.kernel.org Link: https://lore.kernel.org/linux-integrity/20210220125534.20707-1-jarkko@kernel.org/ Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") Reported-by: Lino Sanfilippo Signed-off-by: Jarkko Sakkinen Tested-by: Lino Sanfilippo Signed-off-by: Greg Kroah-Hartman commit 8fe5a459186a2895041e97ae8c265d79725aaed5 Author: Zhen Lei Date: Wed May 12 21:39:26 2021 +0800 tpm: fix error return code in tpm2_get_cc_attrs_tbl() commit 1df83992d977355177810c2b711afc30546c81ce upstream. If the total number of commands queried through TPM2_CAP_COMMANDS is different from that queried through TPM2_CC_GET_CAPABILITY, it indicates an unknown error. In this case, an appropriate error code -EFAULT should be returned. However, we currently do not explicitly assign this error code to 'rc'. As a result, 0 was incorrectly returned. Cc: stable@vger.kernel.org Fixes: 58472f5cd4f6("tpm: validate TPM 2.0 commands") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 31c9a4b24d86cbb36ff0d7a085725a3b4f0138c8 Author: Colin Ian King Date: Fri Apr 30 12:37:24 2021 +0100 KEYS: trusted: Fix memory leak on object td commit 83a775d5f9bfda95b1c295f95a3a041a40c7f321 upstream. Two error return paths are neglecting to free allocated object td, causing a memory leak. Fix this by returning via the error return path that securely kfree's td. Fixes clang scan-build warning: security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential memory leak [unix.Malloc] Cc: stable@vger.kernel.org Fixes: 5df16caada3f ("KEYS: trusted: Fix incorrect handling of tpm_get_random()") Signed-off-by: Colin Ian King Reviewed-by: Nick Desaulniers Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit e97bd1e03e6ef58ec47ee7f085f8c14ed6329cf7 Author: Greg Kroah-Hartman Date: Fri May 14 09:50:46 2021 +0200 Linux 5.10.37 Tested-by: Florian Fainelli Tested-by: Salvatore Bonaccorso Tested-by: Jon Hunter Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Jason Self Tested-by: Fox Chen Tested-by: Sudip Mukherjee Reported-by: Linux Kernel Functional Testing Tested-by: Hulk Robot Link: https://lore.kernel.org/r/20210512144819.664462530@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 42f1b8653f85924743ea5b57b051a4e1f05b5e43 Author: Xin Long Date: Mon May 3 05:11:42 2021 +0800 sctp: delay auto_asconf init until binding the first addr commit 34e5b01186858b36c4d7c87e1a025071e8e2401f upstream. As Or Cohen described: If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock held and sp->do_auto_asconf is true, then an element is removed from the auto_asconf_splist without any proper locking. This can happen in the following functions: 1. In sctp_accept, if sctp_sock_migrate fails. 2. In inet_create or inet6_create, if there is a bpf program attached to BPF_CGROUP_INET_SOCK_CREATE which denies creation of the sctp socket. This patch is to fix it by moving the auto_asconf init out of sctp_init_sock(), by which inet_create()/inet6_create() won't need to operate it in sctp_destroy_sock() when calling sk_common_release(). It also makes more sense to do auto_asconf init while binding the first addr, as auto_asconf actually requires an ANY addr bind, see it in sctp_addr_wq_timeout_handler(). This addresses CVE-2021-23133. Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications") Reported-by: Or Cohen Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 14919cdf68d03ae59d52fb78e4f998996333e629 Author: Xin Long Date: Mon May 3 05:11:41 2021 +0800 Revert "net/sctp: fix race condition in sctp_destroy_sock" commit 01bfe5e8e428b475982a98a46cca5755726f3f7f upstream. This reverts commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b. This one has to be reverted as it introduced a dead lock, as syzbot reported: CPU0 CPU1 ---- ---- lock(&net->sctp.addr_wq_lock); lock(slock-AF_INET6); lock(&net->sctp.addr_wq_lock); lock(slock-AF_INET6); CPU0 is the thread of sctp_addr_wq_timeout_handler(), and CPU1 is that of sctp_close(). The original issue this commit fixed will be fixed in the next patch. Reported-by: syzbot+959223586843e69a2674@syzkaller.appspotmail.com Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 41f1aed56de5b478002e98c3572664e592666f13 Author: Arnd Bergmann Date: Wed May 5 23:12:42 2021 +0200 smp: Fix smp_call_function_single_async prototype commit 1139aeb1c521eb4a050920ce6c64c36c4f2a3ab7 upstream. As of commit 966a967116e6 ("smp: Avoid using two cache lines for struct call_single_data"), the smp code prefers 32-byte aligned call_single_data objects for performance reasons, but the block layer includes an instance of this structure in the main 'struct request' that is more senstive to size than to performance here, see 4ccafe032005 ("block: unalign call_single_data in struct request"). The result is a violation of the calling conventions that clang correctly points out: block/blk-mq.c:630:39: warning: passing 8-byte aligned argument to 32-byte aligned parameter 2 of 'smp_call_function_single_async' may result in an unaligned pointer access [-Walign-mismatch] smp_call_function_single_async(cpu, &rq->csd); It does seem that the usage of the call_single_data without cache line alignment should still be allowed by the smp code, so just change the function prototype so it accepts both, but leave the default alignment unchanged for the other users. This seems better to me than adding a local hack to shut up an otherwise correct warning in the caller. Signed-off-by: Arnd Bergmann Signed-off-by: Peter Zijlstra (Intel) Acked-by: Jens Axboe Link: https://lkml.kernel.org/r/20210505211300.3174456-1-arnd@kernel.org [nc: Fix conflicts, modify rq_csd_init] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 6c1ea8bee75df8fe2184a50fcd0f70bf82986f42 Author: Jonathon Reinhart Date: Sat May 1 04:28:22 2021 -0400 net: Only allow init netns to set default tcp cong to a restricted algo commit 8d432592f30fcc34ef5a10aac4887b4897884493 upstream. tcp_set_default_congestion_control() is netns-safe in that it writes to &net->ipv4.tcp_congestion_control, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended side-effect of changing the global net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it is read-only: 97684f0970f6 ("net: Make tcp_allowed_congestion_control readonly in non-init netns") Resolve this netns "leak" by only allowing the init netns to set the default algorithm to one that is restricted. This restriction could be removed if tcp_allowed_congestion_control were namespace-ified in the future. This bug was uncovered with https://github.com/JonathonReinhart/linux-netns-sysctl-verify Fixes: 6670e1524477 ("tcp: Namespace-ify sysctl_tcp_default_congestion_control") Signed-off-by: Jonathon Reinhart Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2281df0b0226610e235f49ed75bf6ad57cb04762 Author: Catalin Marinas Date: Thu Jan 7 14:40:08 2021 +0000 arm64: Remove arm64_dma32_phys_limit and its uses commit d78050ee35440d7879ed94011c52994b8932e96e upstream. With the introduction of a dynamic ZONE_DMA range based on DT or IORT information, there's no need for CMA allocations from the wider ZONE_DMA32 since on most platforms ZONE_DMA will cover the 32-bit addressable range. Remove the arm64_dma32_phys_limit and set arm64_dma_phys_limit to cover the smallest DMA range required on the platform. CMA allocation and crashkernel reservation now go in the dynamically sized ZONE_DMA, allowing correct functionality on RPi4. Signed-off-by: Catalin Marinas Cc: Chen Zhou Reviewed-by: Nicolas Saenz Julienne Tested-by: Nicolas Saenz Julienne # On RPi4B Cc: Kefeng Wang Signed-off-by: Greg Kroah-Hartman commit 00d9f429af039a76a301c1eb7b9e617e9caaf7d2 Author: Andrii Nakryiko Date: Tue May 4 16:38:00 2021 -0700 bpf: Prevent writable memory-mapping of read-only ringbuf pages commit 04ea3086c4d73da7009de1e84962a904139af219 upstream. Only the very first page of BPF ringbuf that contains consumer position counter is supposed to be mapped as writeable by user-space. Producer position is read-only and can be modified only by the kernel code. BPF ringbuf data pages are read-only as well and are not meant to be modified by user-code to maintain integrity of per-record headers. This patch allows to map only consumer position page as writeable and everything else is restricted to be read-only. remap_vmalloc_range() internally adds VM_DONTEXPAND, so all the established memory mappings can't be extended, which prevents any future violations through mremap()'ing. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Reported-by: Ryota Shiga (Flatt Security) Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 1ca284f0867079a34f52a6f811747695828166c6 Author: Thadeu Lima de Souza Cascardo Date: Tue Apr 27 10:12:12 2021 -0300 bpf, ringbuf: Deny reserve of buffers larger than ringbuf commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream. A BPF program might try to reserve a buffer larger than the ringbuf size. If the consumer pointer is way ahead of the producer, that would be successfully reserved, allowing the BPF program to read or write out of the ringbuf allocated area. Reported-by: Ryota Shiga (Flatt Security) Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 282bfc8848eaa195d5e994bb700f2c7afb7eb3e6 Author: Daniel Borkmann Date: Mon May 10 13:10:44 2021 +0000 bpf: Fix alu32 const subreg bound tracking on bitwise operations commit 049c4e13714ecbca567b4d5f6d563f05d431c80e upstream. Fix a bug in the verifier's scalar32_min_max_*() functions which leads to incorrect tracking of 32 bit bounds for the simulation of and/or/xor bitops. When both the src & dst subreg is a known constant, then the assumption is that scalar_min_max_*() will take care to update bounds correctly. However, this is not the case, for example, consider a register R2 which has a tnum of 0xffffffff00000000, meaning, lower 32 bits are known constant and in this case of value 0x00000001. R2 is then and'ed with a register R3 which is a 64 bit known constant, here, 0x100000002. What can be seen in line '10:' is that 32 bit bounds reach an invalid state where {u,s}32_min_value > {u,s}32_max_value. The reason is scalar32_min_max_*() delegates 32 bit bounds updates to scalar_min_max_*(), however, that really only takes place when both the 64 bit src & dst register is a known constant. Given scalar32_min_max_*() is intended to be designed as closely as possible to scalar_min_max_*(), update the 32 bit bounds in this situation through __mark_reg32_known() which will set all {u,s}32_{min,max}_value to the correct constant, which is 0x00000000 after the fix (given 0x00000001 & 0x00000002 in 32 bit space). This is possible given var32_off already holds the final value as dst_reg->var_off is updated before calling scalar32_min_max_*(). Before fix, invalid tracking of R2: [...] 9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0 9: (5f) r2 &= r3 10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=1,s32_max_value=0,u32_min_value=1,u32_max_value=0) R3_w=inv4294967298 R10=fp0 [...] After fix, correct tracking of R2: [...] 9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0 9: (5f) r2 &= r3 10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=0,s32_max_value=0,u32_min_value=0,u32_max_value=0) R3_w=inv4294967298 R10=fp0 [...] Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") Fixes: 2921c90d4718 ("bpf: Fix a verifier failure with xor") Reported-by: Manfred Paul (@_manfp) Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit f76e0829bbabf358ae3309b43ed18e0d32295c86 Author: David Howells Date: Fri Apr 30 13:47:08 2021 +0100 afs: Fix speculative status fetches [ Upstream commit 22650f148126571be1098d34160eb4931fc77241 ] The generic/464 xfstest causes kAFS to emit occasional warnings of the form: kAFS: vnode modified {100055:8a} 30->31 YFS.StoreData64 (c=6015) This indicates that the data version received back from the server did not match the expected value (the DV should be incremented monotonically for each individual modification op committed to a vnode). What is happening is that a lookup call is doing a bulk status fetch speculatively on a bunch of vnodes in a directory besides getting the status of the vnode it's actually interested in. This is racing with a StoreData operation (though it could also occur with, say, a MakeDir op). On the client, a modification operation locks the vnode, but the bulk status fetch only locks the parent directory, so no ordering is imposed there (thereby avoiding an avenue to deadlock). On the server, the StoreData op handler doesn't lock the vnode until it's received all the request data, and downgrades the lock after committing the data until it has finished sending change notifications to other clients - which allows the status fetch to occur before it has finished. This means that: - a status fetch can access the target vnode either side of the exclusive section of the modification - the status fetch could start before the modification, yet finish after, and vice-versa. - the status fetch and the modification RPCs can complete in either order. - the status fetch can return either the before or the after DV from the modification. - the status fetch might regress the locally cached DV. Some of these are handled by the previous fix[1], but that's not sufficient because it checks the DV it received against the DV it cached at the start of the op, but the DV might've been updated in the meantime by a locally generated modification op. Fix this by the following means: (1) Keep track of when we're performing a modification operation on a vnode. This is done by marking vnode parameters with a 'modification' note that causes the AFS_VNODE_MODIFYING flag to be set on the vnode for the duration. (2) Alter the speculation race detection to ignore speculative status fetches if either the vnode is marked as being modified or the data version number is not what we expected. Note that whilst the "vnode modified" warning does get recovered from as it causes the client to refetch the status at the next opportunity, it will also invalidate the pagecache, so changes might get lost. Fixes: a9e5c87ca744 ("afs: Fix speculative status fetch going out of order wrt to modifications") Reported-by: Marc Dionne Signed-off-by: David Howells Tested-and-reviewed-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/160605082531.252452.14708077925602709042.stgit@warthog.procyon.org.uk/ [1] Link: https://lore.kernel.org/linux-fsdevel/161961335926.39335.2552653972195467566.stgit@warthog.procyon.org.uk/ # v1 Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 949e7c5f4957cd19670daa21d0ffc93c5d314446 Author: Jane Chu Date: Thu Apr 29 23:02:19 2021 -0700 mm/memory-failure: unnecessary amount of unmapping [ Upstream commit 4d75136be8bf3ae01b0bc3e725b2cdc921e103bd ] It appears that unmap_mapping_range() actually takes a 'size' as its third argument rather than a location, the current calling fashion causes unnecessary amount of unmapping to occur. Link: https://lkml.kernel.org/r/20210420002821.2749748-1-jane.chu@oracle.com Fixes: 6100e34b2526e ("mm, memory_failure: Teach memory_failure() about dev_pagemap pages") Signed-off-by: Jane Chu Reviewed-by: Dan Williams Reviewed-by: Naoya Horiguchi Cc: Dave Jiang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 62d96faa74c8b00f79f84ef1d2b7c438735fdcc3 Author: Wang Wensheng Date: Thu Apr 29 22:57:58 2021 -0700 mm/sparse: add the missing sparse_buffer_fini() in error branch [ Upstream commit 2284f47fe9fe2ed2ef619e5474e155cfeeebd569 ] sparse_buffer_init() and sparse_buffer_fini() should appear in pair, or a WARN issue would be through the next time sparse_buffer_init() runs. Add the missing sparse_buffer_fini() in error branch. Link: https://lkml.kernel.org/r/20210325113155.118574-1-wangwensheng4@huawei.com Fixes: 85c77f791390 ("mm/sparse: add new sparse_init_nid() and sparse_init()") Signed-off-by: Wang Wensheng Reviewed-by: David Hildenbrand Reviewed-by: Oscar Salvador Cc: Pavel Tatashin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 31df8bc4d3feca9f9c6b2cd06fd64a111ae1a0e6 Author: Muchun Song Date: Thu Apr 29 22:56:39 2021 -0700 mm: memcontrol: slab: fix obtain a reference to a freeing memcg [ Upstream commit 9f38f03ae8d5f57371b71aa6b4275765b65454fd ] Patch series "Use obj_cgroup APIs to charge kmem pages", v5. Since Roman's series "The new cgroup slab memory controller" applied. All slab objects are charged with the new APIs of obj_cgroup. The new APIs introduce a struct obj_cgroup to charge slab objects. It prevents long-living objects from pinning the original memory cgroup in the memory. But there are still some corner objects (e.g. allocations larger than order-1 page on SLUB) which are not charged with the new APIs. Those objects (include the pages which are allocated from buddy allocator directly) are charged as kmem pages which still hold a reference to the memory cgroup. E.g. We know that the kernel stack is charged as kmem pages because the size of the kernel stack can be greater than 2 pages (e.g. 16KB on x86_64 or arm64). If we create a thread (suppose the thread stack is charged to memory cgroup A) and then move it from memory cgroup A to memory cgroup B. Because the kernel stack of the thread hold a reference to the memory cgroup A. The thread can pin the memory cgroup A in the memory even if we remove the cgroup A. If we want to see this scenario by using the following script. We can see that the system has added 500 dying cgroups (This is not a real world issue, just a script to show that the large kmallocs are charged as kmem pages which can pin the memory cgroup in the memory). #!/bin/bash cat /proc/cgroups | grep memory cd /sys/fs/cgroup/memory echo 1 > memory.move_charge_at_immigrate for i in range{1..500} do mkdir kmem_test echo $$ > kmem_test/cgroup.procs sleep 3600 & echo $$ > cgroup.procs echo `cat kmem_test/cgroup.procs` > cgroup.procs rmdir kmem_test done cat /proc/cgroups | grep memory This patchset aims to make those kmem pages to drop the reference to memory cgroup by using the APIs of obj_cgroup. Finally, we can see that the number of the dying cgroups will not increase if we run the above test script. This patch (of 7): The rcu_read_lock/unlock only can guarantee that the memcg will not be freed, but it cannot guarantee the success of css_get (which is in the refill_stock when cached memcg changed) to memcg. rcu_read_lock() memcg = obj_cgroup_memcg(old) __memcg_kmem_uncharge(memcg) refill_stock(memcg) if (stock->cached != memcg) // css_get can change the ref counter from 0 back to 1. css_get(&memcg->css) rcu_read_unlock() This fix is very like the commit: eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge") Fix this by holding a reference to the memcg which is passed to the __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge(). Link: https://lkml.kernel.org/r/20210319163821.20704-1-songmuchun@bytedance.com Link: https://lkml.kernel.org/r/20210319163821.20704-2-songmuchun@bytedance.com Fixes: 3de7d4f25a74 ("mm: memcg/slab: optimize objcg stock draining") Signed-off-by: Muchun Song Reviewed-by: Shakeel Butt Acked-by: Roman Gushchin Acked-by: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Xiongchun Duan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2e95bc6cfed1dc5888d8bbc8773a8fa171dbc062 Author: Nikolay Borisov Date: Wed Feb 24 12:00:58 2021 -0800 mm/sl?b.c: remove ctor argument from kmem_cache_flags [ Upstream commit 3754000872188e3e4713d9d847fe3c615a47c220 ] This argument hasn't been used since e153362a50a3 ("slub: Remove objsize check in kmem_cache_flags()") so simply remove it. Link: https://lkml.kernel.org/r/20210126095733.974665-1-nborisov@suse.com Signed-off-by: Nikolay Borisov Reviewed-by: Miaohe Lin Reviewed-by: Vlastimil Babka Acked-by: Christoph Lameter Acked-by: David Rientjes Cc: Pekka Enberg Cc: Joonsoo Kim Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 618fa6a35c798557c63f971cbaac1d9296fd88af Author: Dan Carpenter Date: Thu Apr 29 22:54:15 2021 -0700 kfifo: fix ternary sign extension bugs [ Upstream commit 926ee00ea24320052b46745ef4b00d91c05bd03d ] The intent with this code was to return negative error codes but instead it returns positives. The problem is how type promotion works with ternary operations. These functions return long, "ret" is an int and "copied" is a u32. The negative error code is first cast to u32 so it becomes a high positive and then cast to long where it's still a positive. We could fix this by declaring "ret" as a ssize_t but let's just get rid of the ternaries instead. Link: https://lkml.kernel.org/r/YIE+/cK1tBzSuQPU@mwanda Fixes: 5bf2b19320ec ("kfifo: add example files to the kernel sample directory") Signed-off-by: Dan Carpenter Cc: Stefani Seibold Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c02dd80655fd76556ebe5ef0288b4e67b38026f7 Author: Sergei Trofimovich Date: Thu Apr 29 22:53:39 2021 -0700 ia64: fix EFI_DEBUG build [ Upstream commit e3db00b79d74caaf84cd9e1d4927979abfd0d7c9 ] When enabled local debugging via `#define EFI_DEBUG 1` noticed build failure: arch/ia64/kernel/efi.c:564:8: error: 'i' undeclared (first use in this function) While at it fixed benign string format mismatches visible only when EFI_DEBUG is enabled: arch/ia64/kernel/efi.c:589:11: warning: format '%lx' expects argument of type 'long unsigned int', but argument 5 has type 'u64' {aka 'long long unsigned int'} [-Wformat=] Link: https://lkml.kernel.org/r/20210328212246.685601-1-slyfox@gentoo.org Fixes: 14fb42090943559 ("efi: Merge EFI system table revision and vendor checks") Signed-off-by: Sergei Trofimovich Cc: Ard Biesheuvel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c6b7e0b1ab8781f410b196f6a74a93e3ec90fdcf Author: Leo Yan Date: Wed Apr 28 20:09:14 2021 +0800 perf session: Add swap operation for event TIME_CONV [ Upstream commit 050ffc449008eeeafc187dec337d9cf1518f89bc ] Since commit d110162cafc8 ("perf tsc: Support cap_user_time_short for event TIME_CONV"), the event PERF_RECORD_TIME_CONV has extended the data structure for clock parameters. To be backwards-compatible, this patch adds a dedicated swap operation for the event PERF_RECORD_TIME_CONV, based on checking if the event contains field "time_cycles", it can support both for the old and new event formats. Fixes: d110162cafc8 ("perf tsc: Support cap_user_time_short for event TIME_CONV") Signed-off-by: Leo Yan Acked-by: Adrian Hunter Cc: Alexander Shishkin Cc: Gustavo A. R. Silva Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Steve MacLean Cc: Yonatan Goldschmidt Link: https://lore.kernel.org/r/20210428120915.7123-4-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 86941f8bd46ae1ddb41239ab93d0d4959a416260 Author: Leo Yan Date: Wed Apr 28 20:09:13 2021 +0800 perf jit: Let convert_timestamp() to be backwards-compatible [ Upstream commit aa616f5a8a2d22a179d5502ebd85045af66fa656 ] Commit d110162cafc80dad ("perf tsc: Support cap_user_time_short for event TIME_CONV") supports the extended parameters for event TIME_CONV, but it broke the backwards compatibility, so any perf data file with old event format fails to convert timestamp. This patch introduces a helper event_contains() to check if an event contains a specific member or not. For the backwards-compatibility, if the event size confirms the extended parameters are supported in the event TIME_CONV, then copies these parameters. Committer notes: To make this compiler backwards compatible add this patch: - struct perf_tsc_conversion tc = { 0 }; + struct perf_tsc_conversion tc = { .time_shift = 0, }; Fixes: d110162cafc8 ("perf tsc: Support cap_user_time_short for event TIME_CONV") Signed-off-by: Leo Yan Acked-by: Adrian Hunter Cc: Alexander Shishkin Cc: Gustavo A. R. Silva Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Steve MacLean Cc: Yonatan Goldschmidt Link: https://lore.kernel.org/r/20210428120915.7123-3-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fe07408afba2b594bcc7d1b636193294d5c7972d Author: Leo Yan Date: Wed Apr 28 20:09:12 2021 +0800 perf tools: Change fields type in perf_record_time_conv [ Upstream commit e1d380ea8b00db4bb14d1f513000d4b62aa9d3f0 ] C standard claims "An object declared as type _Bool is large enough to store the values 0 and 1", bool type size can be 1 byte or larger than 1 byte. Thus it's uncertian for bool type size with different compilers. This patch changes the bool type in structure perf_record_time_conv to __u8 type, and pads extra bytes for 8-byte alignment; this can give reliable structure size. Fixes: d110162cafc8 ("perf tsc: Support cap_user_time_short for event TIME_CONV") Suggested-by: Adrian Hunter Signed-off-by: Leo Yan Acked-by: Adrian Hunter Cc: Alexander Shishkin Cc: Gustavo A. R. Silva Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Steve MacLean Cc: Yonatan Goldschmidt Link: https://lore.kernel.org/r/20210428120915.7123-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 3bce718d977bc6b3098d1de7d3cd7fe99a6df6cb Author: Lv Yunlong Date: Tue Apr 27 09:22:58 2021 -0700 net:nfc:digital: Fix a double free in digital_tg_recv_dep_req [ Upstream commit 75258586793efc521e5dd52a5bf6c7a4cf7002be ] In digital_tg_recv_dep_req, it calls nfc_tm_data_received(..,resp). If nfc_tm_data_received() failed, the callee will free the resp via kfree_skb() and return error. But in the exit branch, the resp will be freed again. My patch sets resp to NULL if nfc_tm_data_received() failed, to avoid the double free. Fixes: 1c7a4c24fbfd9 ("NFC Digital: Add target NFC-DEP support") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e2c34cacff7b2a7491fb32134ca8771dcef83713 Author: Linus Lüssing Date: Sun Apr 25 17:27:35 2021 +0200 net: bridge: mcast: fix broken length + header check for MRDv6 Adv. [ Upstream commit 99014088156cd78867d19514a0bc771c4b86b93b ] The IPv6 Multicast Router Advertisements parsing has the following two issues: For one thing, ICMPv6 MRD Advertisements are smaller than ICMPv6 MLD messages (ICMPv6 MRD Adv.: 8 bytes vs. ICMPv6 MLDv1/2: >= 24 bytes, assuming MLDv2 Reports with at least one multicast address entry). When ipv6_mc_check_mld_msg() tries to parse an Multicast Router Advertisement its MLD length check will fail - and it will wrongly return -EINVAL, even if we have a valid MRD Advertisement. With the returned -EINVAL the bridge code will assume a broken packet and will wrongly discard it, potentially leading to multicast packet loss towards multicast routers. The second issue is the MRD header parsing in br_ip6_multicast_mrd_rcv(): It wrongly checks for an ICMPv6 header immediately after the IPv6 header (IPv6 next header type). However according to RFC4286, section 2 all MRD messages contain a Router Alert option (just like MLD). So instead there is an IPv6 Hop-by-Hop option for the Router Alert between the IPv6 and ICMPv6 header, again leading to the bridge wrongly discarding Multicast Router Advertisements. To fix these two issues, introduce a new return value -ENODATA to ipv6_mc_check_mld() to indicate a valid ICMPv6 packet with a hop-by-hop option which is not an MLD but potentially an MRD packet. This also simplifies further parsing in the bridge code, as ipv6_mc_check_mld() already fully checks the ICMPv6 header and hop-by-hop option. These issues were found and fixed with the help of the mrdisc tool (https://github.com/troglobit/mrdisc). Fixes: 4b3087c7e37f ("bridge: Snoop Multicast Router Advertisements") Signed-off-by: Linus Lüssing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f5ce59707d6a26ed98061d0640a0eaf8e7125bdc Author: Lv Yunlong Date: Mon Apr 26 07:06:14 2021 -0700 RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res [ Upstream commit 34b39efa5ae82fc0ad0acc27653c12a56328dbbe ] In bnxt_qplib_alloc_res, it calls bnxt_qplib_alloc_dpi_tbl(). Inside bnxt_qplib_alloc_dpi_tbl, dpit->dbr_bar_reg_iomem is freed via pci_iounmap() in unmap_io error branch. After the callee returns err code, bnxt_qplib_alloc_res calls bnxt_qplib_free_res()->bnxt_qplib_free_dpi_tbl() in the fail branch. Then dpit->dbr_bar_reg_iomem is freed in the second time by pci_iounmap(). My patch set dpit->dbr_bar_reg_iomem to NULL after it is freed by pci_iounmap() in the first time, to avoid the double free. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/20210426140614.6722-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Lv Yunlong Reviewed-by: Leon Romanovsky Acked-by: Devesh Sharma Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 608a4b90ece039940e9425ee2b39c8beff27e00c Author: Lv Yunlong Date: Sun Apr 25 18:16:47 2021 -0700 RDMA/siw: Fix a use after free in siw_alloc_mr [ Upstream commit 3093ee182f01689b89e9f8797b321603e5de4f63 ] Our code analyzer reported a UAF. In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf. Fixes: 2251334dcac9 ("rdma/siw: application buffer management") Link: https://lore.kernel.org/r/20210426011647.3561-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Lv Yunlong Reviewed-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4394be0a1866fb78a4dfe0ea38e29c4ed107b890 Author: Daniel Borkmann Date: Fri Apr 23 13:59:55 2021 +0000 bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds [ Upstream commit 10bf4e83167cc68595b85fd73bb91e8f2c086e36 ] Similarly as b02709587ea3 ("bpf: Fix propagation of 32-bit signed bounds from 64-bit bounds."), we also need to fix the propagation of 32 bit unsigned bounds from 64 bit counterparts. That is, really only set the u32_{min,max}_value when /both/ {umin,umax}_value safely fit in 32 bit space. For example, the register with a umin_value == 1 does /not/ imply that u32_min_value is also equal to 1, since umax_value could be much larger than 32 bit subregister can hold, and thus u32_min_value is in the interval [0,1] instead. Before fix, invalid tracking result of R2_w=inv1: [...] 5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0 5: (35) if r2 >= 0x1 goto pc+1 [...] // goto path 7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0 7: (b6) if w2 <= 0x1 goto pc+1 [...] // goto path 9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smin_value=-9223372036854775807,smax_value=9223372032559808513,umin_value=1,umax_value=18446744069414584321,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_max_value=1) R10=fp0 9: (bc) w2 = w2 10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv1 R10=fp0 [...] After fix, correct tracking result of R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)): [...] 5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0 5: (35) if r2 >= 0x1 goto pc+1 [...] // goto path 7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0 7: (b6) if w2 <= 0x1 goto pc+1 [...] // goto path 9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smax_value=9223372032559808513,umax_value=18446744069414584321,var_off=(0x0; 0xffffffff00000001),s32_min_value=0,s32_max_value=1,u32_max_value=1) R10=fp0 9: (bc) w2 = w2 10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)) R10=fp0 [...] Thus, same issue as in b02709587ea3 holds for unsigned subregister tracking. Also, align __reg64_bound_u32() similarly to __reg64_bound_s32() as done in b02709587ea3 to make them uniform again. Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") Reported-by: Manfred Paul (@_manfp) Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 183d9ebd449c20658a1aaf580f311140bbc7421d Author: Andrii Nakryiko Date: Mon Apr 26 12:29:49 2021 -0700 selftests/bpf: Fix core_reloc test runner [ Upstream commit bede0ebf0be87e9678103486a77f39e0334c6791 ] Fix failed tests checks in core_reloc test runner, which allowed failing tests to pass quietly. Also add extra check to make sure that expected to fail test cases with invalid names are caught as test failure anyway, as this is not an expected failure mode. Also fix mislabeled probed vs direct bitfield test cases. Fixes: 124a892d1c41 ("selftests/bpf: Test TYPE_EXISTS and TYPE_SIZE CO-RE relocations") Reported-by: Lorenz Bauer Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Lorenz Bauer Link: https://lore.kernel.org/bpf/20210426192949.416837-6-andrii@kernel.org Signed-off-by: Sasha Levin commit 0257a0a5ffb70ea2210aa15c4515223c9358da4e Author: Andrii Nakryiko Date: Mon Apr 26 12:29:48 2021 -0700 selftests/bpf: Fix field existence CO-RE reloc tests [ Upstream commit 5a30eb23922b52f33222c6729b6b3ff1c37a6c66 ] Negative field existence cases for have a broken assumption that FIELD_EXISTS CO-RE relo will fail for fields that match the name but have incompatible type signature. That's not how CO-RE relocations generally behave. Types and fields that match by name but not by expected type are treated as non-matching candidates and are skipped. Error later is reported if no matching candidate was found. That's what happens for most relocations, but existence relocations (FIELD_EXISTS and TYPE_EXISTS) are more permissive and they are designed to return 0 or 1, depending if a match is found. This allows to handle name-conflicting but incompatible types in BPF code easily. Combined with ___flavor suffixes, it's possible to handle pretty much any structural type changes in kernel within the compiled once BPF source code. So, long story short, negative field existence test cases are invalid in their assumptions, so this patch reworks them into a single consolidated positive case that doesn't match any of the fields. Fixes: c7566a69695c ("selftests/bpf: Add field existence CO-RE relocs tests") Reported-by: Lorenz Bauer Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Lorenz Bauer Link: https://lore.kernel.org/bpf/20210426192949.416837-5-andrii@kernel.org Signed-off-by: Sasha Levin commit 3769c54d341cf94b7e289b070c8fa5d1f57b2029 Author: Andrii Nakryiko Date: Mon Apr 26 12:29:47 2021 -0700 selftests/bpf: Fix BPF_CORE_READ_BITFIELD() macro [ Upstream commit 0f20615d64ee2ad5e2a133a812382d0c4071589b ] Fix BPF_CORE_READ_BITFIELD() macro used for reading CO-RE-relocatable bitfields. Missing breaks in a switch caused 8-byte reads always. This can confuse libbpf because it does strict checks that memory load size corresponds to the original size of the field, which in this case quite often would be wrong. After fixing that, we run into another problem, which quite subtle, so worth documenting here. The issue is in Clang optimization and CO-RE relocation interactions. Without that asm volatile construct (also known as barrier_var()), Clang will re-order BYTE_OFFSET and BYTE_SIZE relocations and will apply BYTE_OFFSET 4 times for each switch case arm. This will result in the same error from libbpf about mismatch of memory load size and original field size. I.e., if we were reading u32, we'd still have *(u8 *), *(u16 *), *(u32 *), and *(u64 *) memory loads, three of which will fail. Using barrier_var() forces Clang to apply BYTE_OFFSET relocation first (and once) to calculate p, after which value of p is used without relocation in each of switch case arms, doing appropiately-sized memory load. Here's the list of relevant relocations and pieces of generated BPF code before and after this patch for test_core_reloc_bitfields_direct selftests. BEFORE ===== #45: core_reloc: insn #160 --> [5] + 0:5: byte_sz --> struct core_reloc_bitfields.u32 #46: core_reloc: insn #167 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #47: core_reloc: insn #174 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #48: core_reloc: insn #178 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #49: core_reloc: insn #182 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 157: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 159: 7b 12 20 01 00 00 00 00 *(u64 *)(r2 + 288) = r1 160: b7 02 00 00 04 00 00 00 r2 = 4 ; BYTE_SIZE relocation here ^^^ 161: 66 02 07 00 03 00 00 00 if w2 s> 3 goto +7 162: 16 02 0d 00 01 00 00 00 if w2 == 1 goto +13 163: 16 02 01 00 02 00 00 00 if w2 == 2 goto +1 164: 05 00 12 00 00 00 00 00 goto +18 0000000000000528 : 165: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 167: 69 11 08 00 00 00 00 00 r1 = *(u16 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 168: 05 00 0e 00 00 00 00 00 goto +14 0000000000000548 : 169: 16 02 0a 00 04 00 00 00 if w2 == 4 goto +10 170: 16 02 01 00 08 00 00 00 if w2 == 8 goto +1 171: 05 00 0b 00 00 00 00 00 goto +11 0000000000000560 : 172: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 174: 79 11 08 00 00 00 00 00 r1 = *(u64 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 175: 05 00 07 00 00 00 00 00 goto +7 0000000000000580 : 176: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 178: 71 11 08 00 00 00 00 00 r1 = *(u8 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 179: 05 00 03 00 00 00 00 00 goto +3 00000000000005a0 : 180: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 182: 61 11 08 00 00 00 00 00 r1 = *(u32 *)(r1 + 8) ; BYTE_OFFSET relo here w/ RIGHT size ^^^^^^^^^^^^^^^^ 00000000000005b8 : 183: 67 01 00 00 20 00 00 00 r1 <<= 32 184: b7 02 00 00 00 00 00 00 r2 = 0 185: 16 02 02 00 00 00 00 00 if w2 == 0 goto +2 186: c7 01 00 00 20 00 00 00 r1 s>>= 32 187: 05 00 01 00 00 00 00 00 goto +1 00000000000005e0 : 188: 77 01 00 00 20 00 00 00 r1 >>= 32 AFTER ===== #30: core_reloc: insn #132 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #31: core_reloc: insn #134 --> [5] + 0:5: byte_sz --> struct core_reloc_bitfields.u32 129: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 131: 7b 12 20 01 00 00 00 00 *(u64 *)(r2 + 288) = r1 132: b7 01 00 00 08 00 00 00 r1 = 8 ; BYTE_OFFSET relo here ^^^ ; no size check for non-memory dereferencing instructions 133: 0f 12 00 00 00 00 00 00 r2 += r1 134: b7 03 00 00 04 00 00 00 r3 = 4 ; BYTE_SIZE relocation here ^^^ 135: 66 03 05 00 03 00 00 00 if w3 s> 3 goto +5 136: 16 03 09 00 01 00 00 00 if w3 == 1 goto +9 137: 16 03 01 00 02 00 00 00 if w3 == 2 goto +1 138: 05 00 0a 00 00 00 00 00 goto +10 0000000000000458 : 139: 69 21 00 00 00 00 00 00 r1 = *(u16 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 140: 05 00 08 00 00 00 00 00 goto +8 0000000000000468 : 141: 16 03 06 00 04 00 00 00 if w3 == 4 goto +6 142: 16 03 01 00 08 00 00 00 if w3 == 8 goto +1 143: 05 00 05 00 00 00 00 00 goto +5 0000000000000480 : 144: 79 21 00 00 00 00 00 00 r1 = *(u64 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 145: 05 00 03 00 00 00 00 00 goto +3 0000000000000490 : 146: 71 21 00 00 00 00 00 00 r1 = *(u8 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 147: 05 00 01 00 00 00 00 00 goto +1 00000000000004a0 : 148: 61 21 00 00 00 00 00 00 r1 = *(u32 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 00000000000004a8 : 149: 67 01 00 00 20 00 00 00 r1 <<= 32 150: b7 02 00 00 00 00 00 00 r2 = 0 151: 16 02 02 00 00 00 00 00 if w2 == 0 goto +2 152: c7 01 00 00 20 00 00 00 r1 s>>= 32 153: 05 00 01 00 00 00 00 00 goto +1 00000000000004d0 : 154: 77 01 00 00 20 00 00 00 r1 >>= 323 Fixes: ee26dade0e3b ("libbpf: Add support for relocatable bitfields") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Lorenz Bauer Link: https://lore.kernel.org/bpf/20210426192949.416837-4-andrii@kernel.org Signed-off-by: Sasha Levin commit 9dc373f74097edd0e35f3393d6248eda8d1ba99d Author: Lv Yunlong Date: Mon Apr 26 09:06:25 2021 -0700 net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send [ Upstream commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57 ] In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later. Fixes: b9b17debc69d2 ("net: emac: emac gigabit ethernet controller driver") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8fcdfa71ba6a1baa7bff73353b914df2a15b1bb8 Author: Sean Christopherson Date: Wed Apr 21 19:38:31 2021 -0700 KVM: VMX: Intercept FS/GS_BASE MSR accesses for 32-bit KVM [ Upstream commit dbdd096a5a74b94f6b786a47baef2085859b0dce ] Disable pass-through of the FS and GS base MSRs for 32-bit KVM. Intel's SDM unequivocally states that the MSRs exist if and only if the CPU supports x86-64. FS_BASE and GS_BASE are mostly a non-issue; a clever guest could opportunistically use the MSRs without issue. KERNEL_GS_BASE is a bigger problem, as a clever guest would subtly be broken if it were migrated, as KVM disallows software access to the MSRs, and unlike the direct variants, KERNEL_GS_BASE needs to be explicitly migrated as it's not captured in the VMCS. Fixes: 25c5f225beda ("KVM: VMX: Enable MSR Bitmap feature") Signed-off-by: Sean Christopherson Message-Id: <20210422023831.3473491-1-seanjc@google.com> [*NOT* for stable kernels. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4fcaad2b7dac3f16704f8118c7e481024ddbd3ed Author: Michael Chan Date: Fri Apr 23 18:13:19 2021 -0400 bnxt_en: Fix RX consumer index logic in the error path. [ Upstream commit bbd6f0a948139970f4a615dff189d9a503681a39 ] In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this: #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 [exception RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 Fixes: a1b0e4e684e9 ("bnxt_en: Improve RX consumer index validity check.") Reviewed-by: Pavan Chebbi Reviewed-by: Andy Gospodarek Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1625872f012c8ccdcbd77ed14102f9f4cb6ed907 Author: Danielle Ratson Date: Fri Apr 23 14:19:45 2021 +0200 selftests: mlxsw: Remove a redundant if statement in tc_flower_scale test [ Upstream commit 1f1c92139e36223b89d8140f2b72f75e79baf8bd ] Currently, the error return code of the failure condition is lost after using an if statement, so the test doesn't fail when it should. Remove the if statement that separates the condition and the error code check, so the test won't always pass. Fixes: abfce9e062021 ("selftests: mlxsw: Reduce running time using offload indication") Reported-by: Ido Schimmel Signed-off-by: Danielle Ratson Reviewed-by: Petr Machata Signed-off-by: Petr Machata Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8ebdce8fe0b0da1ac6147c945c1c42ba2f772e24 Author: Petr Machata Date: Fri Apr 23 14:19:43 2021 +0200 selftests: net: mirror_gre_vlan_bridge_1q: Make an FDB entry static [ Upstream commit c8d0260cdd96fdccdef0509c4160e28a1012a5d7 ] The FDB roaming test installs a destination MAC address on the wrong interface of an FDB database and tests whether the mirroring fails, because packets are sent to the wrong port. The test by mistake installs the FDB entry as local. This worked previously, because drivers were notified of local FDB entries in the same way as of static entries. However that has been fixed in the commit 6ab4c3117aec ("net: bridge: don't notify switchdev for local FDB addresses"), and local entries are not notified anymore. As a result, the HW is not reconfigured for the FDB roam, and mirroring keeps working, failing the test. To fix the issue, mark the FDB entry as static. Fixes: 9c7c8a82442c ("selftests: forwarding: mirror_gre_vlan_bridge_1q: Add more tests") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 71ad9260c001b217d704cda88ecea251b2d367da Author: Phillip Potter Date: Fri Apr 23 00:49:45 2021 +0100 net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb [ Upstream commit d13f048dd40e8577260cd43faea8ec9b77520197 ] Modify the header size check in geneve6_xmit_skb and geneve_xmit_skb to use pskb_inet_may_pull rather than pskb_network_may_pull. This fixes two kernel selftest failures introduced by the commit introducing the checks: IPv4 over geneve6: PMTU exceptions IPv4 over geneve6: PMTU exceptions - nexthop objects It does this by correctly accounting for the fact that IPv4 packets may transit over geneve IPv6 tunnels (and vice versa), and still fixes the uninit-value bug fixed by the original commit. Reported-by: kernel test robot Fixes: 6628ddfec758 ("net: geneve: check skb is large enough for IPv4/IPv6 header") Suggested-by: Sabrina Dubroca Signed-off-by: Phillip Potter Acked-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1fc61844b6a2011627cfa58a82c6f5fed208b084 Author: Kunihiko Hayashi Date: Fri Apr 23 02:31:49 2021 +0900 arm64: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for RTL8211E [ Upstream commit dcabb06bf127b3e0d3fbc94a2b65dd56c2725851 ] UniPhier LD20 and PXs3 boards have RTL8211E ethernet phy, and the phy have the RX/TX delays of RGMII interface using pull-ups on the RXDLY and TXDLY pins. After the commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"), the delays are working correctly, however, "rgmii" means no delay and the phy doesn't work. So need to set the phy-mode to "rgmii-id" to show that RX/TX delays are enabled. Fixes: c73730ee4c9a ("arm64: dts: uniphier: add AVE ethernet node") Signed-off-by: Kunihiko Hayashi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0ae610556f238df7a36e4ffb0066ef0b6c71aecc Author: Kunihiko Hayashi Date: Fri Apr 23 02:31:48 2021 +0900 ARM: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for RTL8211E [ Upstream commit 9ba585cc5b56ea14a453ba6be9bdb984ed33471a ] UniPhier PXs2 boards have RTL8211E ethernet phy, and the phy have the RX/TX delays of RGMII interface using pull-ups on the RXDLY and TXDLY pins. After the commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"), the delays are working correctly, however, "rgmii" means no delay and the phy doesn't work. So need to set the phy-mode to "rgmii-id" to show that RX/TX delays are enabled. Fixes: e3cc931921d2 ("ARM: dts: uniphier: add AVE ethernet node") Signed-off-by: Kunihiko Hayashi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 66b1cfc0cd87a3c087fed66c24a3c7422d33dffe Author: Dan Carpenter Date: Thu Apr 22 12:10:28 2021 +0300 bnxt_en: fix ternary sign extension bug in bnxt_show_temp() [ Upstream commit 27537929f30d3136a71ef29db56127a33c92dad7 ] The problem is that bnxt_show_temp() returns long but "rc" is an int and "len" is a u32. With ternary operations the type promotion is quite tricky. The negative "rc" is first promoted to u32 and then to long so it ends up being a high positive value instead of a a negative as we intended. Fix this by removing the ternary. Fixes: d69753fa1ecb ("bnxt_en: return proper error codes in bnxt_show_temp") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9f722ef596fefec48cd7105025bd5ff4a29cc968 Author: Arnd Bergmann Date: Thu Apr 22 15:35:11 2021 +0200 net: enetc: fix link error again [ Upstream commit 74c97ea3b61e4ce149444f904ee8d4fc7073505b ] A link time bug that I had fixed before has come back now that another sub-module was added to the enetc driver: ERROR: modpost: "enetc_ierb_register_pf" [drivers/net/ethernet/freescale/enetc/fsl-enetc.ko] undefined! The problem is that the enetc Makefile is not actually used for the ierb module if that is the only built-in driver in there and everything else is a loadable module. Fix it by always entering the directory this time, regardless of which symbols are configured. This should reliably fix the problem and prevent it from coming back another time. Fixes: 112463ddbe82 ("net: dsa: felix: fix link error") Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") Signed-off-by: Arnd Bergmann Acked-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bfcb5a8cc7b669a30e3950fc9c2a421e3244dbc8 Author: Maxim Kochetkov Date: Thu Apr 22 13:46:44 2021 +0300 net: phy: marvell: fix m88e1111_set_downshift [ Upstream commit e7679c55a7249f1315256cfc672d53e84072e223 ] Changing downshift params without software reset has no effect, so call genphy_soft_reset() after change downshift params. As the datasheet says: Changes to these bits are disruptive to the normal operation therefore, any changes to these registers must be followed by software reset to take effect. Fixes: 5c6bc5199b5d ("net: phy: marvell: add downshift support for M88E1111") Signed-off-by: Maxim Kochetkov Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1157d01e04d90dde889b6bd5342df33b5db39949 Author: Maxim Kochetkov Date: Thu Apr 22 13:46:43 2021 +0300 net: phy: marvell: fix m88e1011_set_downshift [ Upstream commit 990875b299b8612aeb85cb2e2751796f1add65ff ] Changing downshift params without software reset has no effect, so call genphy_soft_reset() after change downshift params. As the datasheet says: Changes to these bits are disruptive to the normal operation therefore, any changes to these registers must be followed by software reset to take effect. Fixes: 911af5e149bb ("net: phy: marvell: fix downshift function naming") Signed-off-by: Maxim Kochetkov Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit be631825652f1731e291a3aab3c56dc00bb3b91c Author: Christophe Leroy Date: Wed Apr 21 17:24:03 2021 +0000 powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of 'add') [ Upstream commit 8a87a507714386efc39c3ae6fa24d4f79846b522 ] AS arch/powerpc/platforms/52xx/lite5200_sleep.o arch/powerpc/platforms/52xx/lite5200_sleep.S: Assembler messages: arch/powerpc/platforms/52xx/lite5200_sleep.S:184: Warning: invalid register expression In the following code, 'addi' is wrong, has to be 'add' /* local udelay in sram is needed */ udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */ mullw r12, r12, r11 mftb r13 /* start */ addi r12, r13, r12 /* end */ Fixes: ee983079ce04 ("[POWERPC] MPC5200 low power mode") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/cb4cec9131c8577803367f1699209a7e104cec2a.1619025821.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit e06a532f31c4c435153d24f2279825a4684e3f1c Author: Athira Rajeev Date: Thu Mar 4 01:40:15 2021 -0500 powerpc/perf: Fix the threshold event selection for memory events in power10 [ Upstream commit 66d9b7492887d34c711bc05b36c22438acba51b4 ] Memory events (mem-loads and mem-stores) currently use the threshold event selection as issue to finish. Power10 supports issue to complete as part of thresholding which is more appropriate for mem-loads and mem-stores. Hence fix the event code for memory events to use issue to complete. Fixes: a64e697cef23 ("powerpc/perf: power10 Performance Monitoring support") Signed-off-by: Athira Rajeev Reviewed-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1614840015-1535-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit b6b894e7a27e52a9032a7eaace538538830d4b9e Author: Colin Ian King Date: Mon Apr 19 15:14:05 2021 +0100 wlcore: Fix buffer overrun by snprintf due to incorrect buffer size [ Upstream commit a9a4c080deb33f44e08afe35f4ca4bb9ece89f4e ] The size of the buffer than can be written to is currently incorrect, it is always the size of the entire buffer even though the snprintf is writing as position pos into the buffer. Fix this by setting the buffer size to be the number of bytes left in the buffer, namely sizeof(buf) - pos. Addresses-Coverity: ("Out-of-bounds access") Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs") Signed-off-by: Colin Ian King Reviewed-by: Arnd Bergmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 1cce33fe59f095c6198de32e5fcda36e703dfddb Author: Shuah Khan Date: Tue Apr 6 17:02:28 2021 -0600 ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock [ Upstream commit eaaf52e4b866f265eb791897d622961293fd48c1 ] ath10k_wmi_tlv_op_pull_peer_stats_info() could try to unlock RCU lock winthout locking it first when peer reason doesn't match the valid cases for this function. Add a default case to return without unlocking. Fixes: 09078368d516 ("ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()") Reported-by: Pavel Machek Signed-off-by: Shuah Khan Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210406230228.31301-1-skhan@linuxfoundation.org Signed-off-by: Sasha Levin commit 8bb054fb336f4250002fff4e0b075221c05c3c65 Author: Lv Yunlong Date: Mon Mar 29 05:01:54 2021 -0700 ath10k: Fix a use after free in ath10k_htc_send_bundle [ Upstream commit 8392df5d7e0b6a7d21440da1fc259f9938f4dec3 ] In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later by bundle_skb->len. As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to skb_len after the bundle_skb was freed. Fixes: c8334512f3dd1 ("ath10k: add htt TX bundle for sdio") Signed-off-by: Lv Yunlong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210329120154.8963-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Sasha Levin commit 0f98e1ea970cdb7395f4d4964ac7d19955268006 Author: Toke Høiland-Jørgensen Date: Fri Mar 26 19:08:19 2021 +0100 ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices [ Upstream commit 7dd9a40fd6e0d0f1fd8e1931c007e080801dfdce ] When the error check in ath9k_hw_read_revisions() was added, it checked for -EIO which is what ath9k_regread() in the ath9k_htc driver uses. However, for plain ath9k, the register read function uses ioread32(), which just returns -1 on error. So if such a read fails, it still gets passed through and ends up as a weird mac revision in the log output. Fix this by changing ath9k_regread() to return -1 on error like ioread32() does, and fix the error check to look for that instead of -EIO. Fixes: 2f90c7e5d094 ("ath9k: Check for errors when reading SREV register") Signed-off-by: Toke Høiland-Jørgensen Reviewed-by: Lorenzo Bianconi Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210326180819.142480-1-toke@redhat.com Signed-off-by: Sasha Levin commit 4b9fb2c9039a206d37f215936a4d5bee7b1bf9cd Author: Christophe Leroy Date: Tue Apr 20 13:32:48 2021 +0000 powerpc/64: Fix the definition of the fixmap area [ Upstream commit 9ccba66d4d2aff9a3909aa77d57ea8b7cc166f3c ] At the time being, the fixmap area is defined at the top of the address space or just below KASAN. This definition is not valid for PPC64. For PPC64, use the top of the I/O space. Because of circular dependencies, it is not possible to include asm/fixmap.h in asm/book3s/64/pgtable.h , so define a fixed size AREA at the top of the I/O space for fixmap and ensure during build that the size is big enough. Fixes: 265c3491c4bc ("powerpc: Add support for GENERIC_EARLY_IOREMAP") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/0d51620eacf036d683d1a3c41328f69adb601dc0.1618925560.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit c5ebaca402f5c5bd61ac8316feb2aa3a0be4d4a8 Author: Shay Drory Date: Sun Apr 18 16:55:54 2021 +0300 RDMA/core: Add CM to restrack after successful attachment to a device [ Upstream commit cb5cd0ea4eb3ce338a593a5331ddb4986ae20faa ] The device attach triggers addition of CM_ID to the restrack DB. However, when error occurs, we releasing this device, but defer CM_ID release. This causes to the situation where restrack sees CM_ID that is not valid anymore. As a solution, add the CM_ID to the resource tracking DB only after the attachment is finished. Found by syzcaller: infiniband syz0: added syz_tun rdma_rxe: ignoring netdev event = 10 for syz_tun infiniband syz0: set down infiniband syz0: ib_query_port failed (-19) restrack: ------------[ cut here ]------------ infiniband syz0: BUG: RESTRACK detected leak of resources restrack: User CM_ID object allocated by syz-executor716 is not freed restrack: ------------[ cut here ]------------ Fixes: b09c4d701220 ("RDMA/restrack: Improve readability in task name management") Link: https://lore.kernel.org/r/ab93e56ba831eac65c322b3256796fa1589ec0bb.1618753862.git.leonro@nvidia.com Signed-off-by: Shay Drory Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 63c61d26e3fbee4d4f7a420f3cc5b93f52c3459f Author: Bob Pearson Date: Tue Apr 20 22:59:53 2021 -0500 RDMA/rxe: Fix a bug in rxe_fill_ip_info() [ Upstream commit 45062f441590810772959d8e1f2b24ba57ce1bd9 ] Fix a bug in rxe_fill_ip_info() which was attempting to convert from RDMA_NETWORK_XXX to RXE_NETWORK_XXX. .._IPV6 should have mapped to .._IPV6 not .._IPV4. Fixes: edebc8407b88 ("RDMA/rxe: Fix small problem in network_type patch") Link: https://lore.kernel.org/r/20210421035952.4892-1-rpearson@hpe.com Suggested-by: Frank Zago Signed-off-by: Bob Pearson Acked-by: Zhu Yanjun Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7fe12d6db3f04b4c95a24532046a115443e70f5a Author: Martin Schiller Date: Wed Apr 21 07:50:47 2021 +0200 net: phy: intel-xway: enable integrated led functions [ Upstream commit 357a07c26697a770d39d28b6b111f978deb4017d ] The Intel xway phys offer the possibility to deactivate the integrated LED function and to control the LEDs manually. If this was set by the bootloader, it must be ensured that the integrated LED function is enabled for all LEDs when loading the driver. Before commit 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") the LEDs were enabled by a soft-reset of the PHY (using genphy_soft_reset). Initialize the XWAY_MDIO_LED with it's default value (which is applied during a soft reset) instead of adding back the soft reset. This brings back the default LED configuration while still preventing an excessive amount of soft resets. Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") Signed-off-by: Martin Schiller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cf49a91faa7db78ab156b784ec44a74cb3a210d7 Author: Yoshihiro Shimoda Date: Wed Apr 21 13:52:46 2021 +0900 net: renesas: ravb: Fix a stuck issue when a lot of frames are received [ Upstream commit 5718458b092bf6bf4482c5df32affba3c3259517 ] When a lot of frames were received in the short term, the driver caused a stuck of receiving until a new frame was received. For example, the following command from other device could cause this issue. $ sudo ping -f -l 1000 -c 1000 The previous code always cleared the interrupt flag of RX but checks the interrupt flags in ravb_poll(). So, ravb_poll() could not call ravb_rx() in the next time until a new RX frame was received if ravb_rx() returned true. To fix the issue, always calls ravb_rx() regardless the interrupt flags condition. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Signed-off-by: Yoshihiro Shimoda Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 01dab91200dc6edda96d9694a4ff7afb025f9590 Author: Ong Boon Leong Date: Wed Apr 21 17:11:49 2021 +0800 net: stmmac: fix TSO and TBS feature enabling during driver open [ Upstream commit 5e6038b88a5718910dd74b949946d9d9cee9a041 ] TSO and TBS cannot co-exist and current implementation requires two fixes: 1) stmmac_open() does not need to call stmmac_enable_tbs() because the MAC is reset in stmmac_init_dma_engine() anyway. 2) Inside stmmac_hw_setup(), we should call stmmac_enable_tso() for TX Q that is _not_ configured for TBS. Fixes: 579a25a854d4 ("net: stmmac: Initial support for TBS") Signed-off-by: Ong Boon Leong Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 64753ac1e43e3a1d1e0a467b2d51f18956f71be7 Author: Yinjun Zhang Date: Wed Apr 21 11:24:15 2021 +0200 nfp: devlink: initialize the devlink port attribute "lanes" [ Upstream commit 90b669d65d99a3ee6965275269967cdee4da106e ] The number of lanes of devlink port should be correctly initialized when registering the port, so that the input check when running "devlink port split count " can pass. Fixes: a21cf0a8330b ("devlink: Add a new devlink port lanes attribute and pass to netlink") Signed-off-by: Yinjun Zhang Signed-off-by: Louis Peens Signed-off-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e606073b77a3c4a6f3f6b013deef36f75aef5737 Author: Sean Christopherson Date: Tue Apr 6 15:49:46 2021 -0700 crypto: ccp: Detect and reject "invalid" addresses destined for PSP [ Upstream commit 74c1f1366eb7714b8b211554f6c5cee315ff3fbc ] Explicitly reject using pointers that are not virt_to_phys() friendly as the source for SEV commands that are sent to the PSP. The PSP works with physical addresses, and __pa()/virt_to_phys() will not return the correct address in these cases, e.g. for a vmalloc'd pointer. At best, the bogus address will cause the command to fail, and at worst lead to system instability. While it's unlikely that callers will deliberately use a bad pointer for SEV buffers, a caller can easily use a vmalloc'd pointer unknowingly when running with CONFIG_VMAP_STACK=y as it's not obvious that putting the command buffers on the stack would be bad. The command buffers are relative small and easily fit on the stack, and the APIs to do not document that the incoming pointer must be a physically contiguous, __pa() friendly pointer. Cc: Brijesh Singh Cc: Borislav Petkov Cc: Tom Lendacky Cc: Christophe Leroy Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support") Signed-off-by: Sean Christopherson Message-Id: <20210406224952.4177376-3-seanjc@google.com> Reviewed-by: Brijesh Singh Acked-by: Tom Lendacky Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4fa28c807da54c1d720b3cc12e48eb9bea1e2c8f Author: Ryder Lee Date: Tue Apr 13 13:34:56 2021 +0800 mt76: mt7615: fix memleak when mt7615_unregister_device() [ Upstream commit 8ab31da7b89f71c4c2defcca989fab7b42f87d71 ] mt7615_tx_token_put() should get call before mt76_free_pending_txwi(). Fixes: a6275e934605 ("mt76: mt7615: reset token when mac_reset happens") Signed-off-by: Ryder Lee Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 9ed951f416435c9bc1293c8f08b6d625cc334860 Author: Colin Ian King Date: Tue Apr 20 18:16:14 2021 +0100 net: davinci_emac: Fix incorrect masking of tx and rx error channel [ Upstream commit d83b8aa5207d81f9f6daec9888390f079cc5db3f ] The bit-masks used for the TXERRCH and RXERRCH (tx and rx error channels) are incorrect and always lead to a zero result. The mask values are currently the incorrect post-right shifted values, fix this by setting them to the currect values. (I double checked these against the TMS320TCI6482 data sheet, section 5.30, page 127 to ensure I had the correct mask values for the TXERRCH and RXERRCH fields in the MACSTATUS register). Addresses-Coverity: ("Operands don't affect result") Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0ce6052802be2cb61a57b753e41301339c88c839 Author: Vadym Kochan Date: Tue Apr 20 16:31:51 2021 +0300 net: marvell: prestera: fix port event handling on init [ Upstream commit 333980481b99edb24ebd5d1a53af70a15d9146de ] For some reason there might be a crash during ports creation if port events are handling at the same time because fw may send initial port event with down state. The crash points to cancel_delayed_work() which is called when port went is down. Currently I did not find out the real cause of the issue, so fixed it by cancel port stats work only if previous port's state was up & runnig. The following is the crash which can be triggered: [ 28.311104] Unable to handle kernel paging request at virtual address 000071775f776600 [ 28.319097] Mem abort info: [ 28.321914] ESR = 0x96000004 [ 28.324996] EC = 0x25: DABT (current EL), IL = 32 bits [ 28.330350] SET = 0, FnV = 0 [ 28.333430] EA = 0, S1PTW = 0 [ 28.336597] Data abort info: [ 28.339499] ISV = 0, ISS = 0x00000004 [ 28.343362] CM = 0, WnR = 0 [ 28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000 [ 28.352842] [000071775f776600] pgd=0000000000000000, p4d=0000000000000000 [ 28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 28.365310] Modules linked in: prestera_pci(+) prestera uio_pdrv_genirq [ 28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted 5.11.0-rc4 #1 [ 28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn [prestera_pci] [ 28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--) [ 28.397468] pc : get_work_pool+0x48/0x60 [ 28.401442] lr : try_to_grab_pending+0x6c/0x1b0 [ 28.406018] sp : ffff80001391bc60 [ 28.409358] x29: ffff80001391bc60 x28: 0000000000000000 [ 28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88 [ 28.420089] x25: 0000000000000000 x24: ffff000106119760 [ 28.425452] x23: ffff00010775dd60 x22: ffff00010567e000 [ 28.430814] x21: 0000000000000000 x20: ffff80001391bcb0 [ 28.436175] x19: ffff00010775deb8 x18: 00000000000000c0 [ 28.441537] x17: 0000000000000000 x16: 000000008d9b0e88 [ 28.446898] x15: 0000000000000001 x14: 00000000000002ba [ 28.452261] x13: 80a3002c00000002 x12: 00000000000005f4 [ 28.457622] x11: 0000000000000030 x10: 000000000000000c [ 28.462985] x9 : 000000000000000c x8 : 0000000000000030 [ 28.468346] x7 : ffff800014400000 x6 : ffff000106119758 [ 28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60 [ 28.479068] x3 : 0000000000000000 x2 : 0000000000000060 [ 28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8 [ 28.489791] Call trace: [ 28.492259] get_work_pool+0x48/0x60 [ 28.495874] cancel_delayed_work+0x38/0xb0 [ 28.500011] prestera_port_handle_event+0x90/0xa0 [prestera] [ 28.505743] prestera_evt_recv+0x98/0xe0 [prestera] [ 28.510683] prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci] [ 28.516660] process_one_work+0x1e8/0x360 [ 28.520710] worker_thread+0x44/0x480 [ 28.524412] kthread+0x154/0x160 [ 28.527670] ret_from_fork+0x10/0x38 [ 28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020) [ 28.537429] ---[ end trace 5eced933df3a080b ]--- Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") Signed-off-by: Vadym Kochan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b605673b523fe33abeafb2136759bcbc9c1e6ebf Author: Stefano Garzarella Date: Tue Apr 20 13:07:27 2021 +0200 vsock/virtio: free queued packets when closing socket [ Upstream commit 8432b8114957235f42e070a16118a7f750de9d39 ] As reported by syzbot [1], there is a memory leak while closing the socket. We partially solved this issue with commit ac03046ece2b ("vsock/virtio: free packets during the socket release"), but we forgot to drain the RX queue when the socket is definitely closed by the scheduled work. To avoid future issues, let's use the new virtio_transport_remove_sock() to drain the RX queue before removing the socket from the af_vsock lists calling vsock_remove_sock(). [1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9 Fixes: ac03046ece2b ("vsock/virtio: free packets during the socket release") Reported-and-tested-by: syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com Signed-off-by: Stefano Garzarella Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5231d17eb9d004f5721358c11cac01244c5c9c88 Author: Edward Cree Date: Tue Apr 20 13:29:35 2021 +0100 sfc: ef10: fix TX queue lookup in TX event handling [ Upstream commit 172e269edfce34bac7c61c15551816bda4b0f140 ] We're starting from a TXQ label, not a TXQ type, so efx_channel_get_tx_queue() is inappropriate. This worked by chance, because labels and types currently match on EF10, but we shouldn't rely on that. Fixes: 12804793b17c ("sfc: decouple TXQ type from label") Signed-off-by: Edward Cree Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7459bb5943285b025bc1d16ea7c57bb5a09e1b8e Author: Colin Ian King Date: Tue Apr 20 14:47:19 2021 +0100 ALSA: usb: midi: don't return -ENOMEM when usb_urb_ep_type_check fails [ Upstream commit cfd577acb769301b19c31361d45ae1f145318b7a ] Currently when the call to usb_urb_ep_type_check fails (returning -EINVAL) the error return path returns -ENOMEM via the exit label "error". Other uses of the same error exit label set the err variable to -ENOMEM but this is not being used. I believe the original intent was for the error exit path to return the value in err rather than the hard coded -ENOMEM, so return this rather than the hard coded -ENOMEM. Addresses-Coverity: ("Unused value") Fixes: 738d9edcfd44 ("ALSA: usb-audio: Add sanity checks for invalid EPs") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210420134719.381409-1-colin.king@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 312c5ce349426ad4771571ce0442f31a4045184d Author: Sindhu Devale Date: Thu Apr 15 19:21:04 2021 -0500 RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails [ Upstream commit 783a11bf2400e5d5c42a943c3083dc0330751842 ] When i40iw_hmc_sd_one fails, chunk is freed without the deletion of chunk entry in the PBLE info list. Fix it by adding the chunk entry to the PBLE info list only after successful addition of SD in i40iw_hmc_sd_one. This fixes a static checker warning reported here: https://lore.kernel.org/linux-rdma/YHV4CFXzqTm23AOZ@mwanda/ Fixes: 9715830157be ("i40iw: add pble resource files") Link: https://lore.kernel.org/r/20210416002104.323-1-shiraz.saleem@intel.com Reported-by: Dan Carpenter Signed-off-by: Sindhu Devale Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 45b84abb47a9c7d05d046e93e8a3769ebee25dfa Author: Potnuri Bharat Teja Date: Thu Apr 15 20:44:22 2021 +0530 RDMA/cxgb4: add missing qpid increment [ Upstream commit 3a6684385928d00b29acac7658a5ae1f2a44494c ] missing qpid increment leads to skipping few qpids while allocating QP. This eventually leads to adapter running out of qpids after establishing fewer connections than it actually supports. Current patch increments the qpid correctly. Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") Link: https://lore.kernel.org/r/20210415151422.9139-1-bharat@chelsio.com Signed-off-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit da54cc2549399072b95926dbe9dc44546c297e75 Author: Alexander Lobakin Date: Mon Apr 19 12:53:06 2021 +0000 gro: fix napi_gro_frags() Fast GRO breakage due to IP alignment check [ Upstream commit 7ad18ff6449cbd6beb26b53128ddf56d2685aa93 ] Commit 38ec4944b593 ("gro: ensure frag0 meets IP header alignment") did the right thing, but missed the fact that napi_gro_frags() logics calls for skb_gro_reset_offset() *before* pulling Ethernet header to the skb linear space. That said, the introduced check for frag0 address being aligned to 4 always fails for it as Ethernet header is obviously 14 bytes long, and in case with NET_IP_ALIGN its start is not aligned to 4. Fix this by adding @nhoff argument to skb_gro_reset_offset() which tells if an IP header is placed right at the start of frag0 or not. This restores Fast GRO for napi_gro_frags() that became very slow after the mentioned commit, and preserves the introduced check to avoid silent unaligned accesses. From v1 [0]: - inline tiny skb_gro_reset_offset() to let the code be optimized more efficively (esp. for the !NET_IP_ALIGN case) (Eric); - pull in Reviewed-by from Eric. [0] https://lore.kernel.org/netdev/20210418114200.5839-1-alobakin@pm.me Fixes: 38ec4944b593 ("gro: ensure frag0 meets IP header alignment") Reviewed-by: Eric Dumazet Signed-off-by: Alexander Lobakin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 257f38e78aa3545a1c4637e0cd942d39b486e71f Author: Linus Walleij Date: Sun Apr 18 20:28:53 2021 +0200 net: ethernet: ixp4xx: Set the DMA masks explicitly [ Upstream commit 8d892d60941b00c86d2029c8a99db24ab4979673 ] The former fix only papered over the actual problem: the ethernet core expects the netdev .dev member to have the proper DMA masks set, or there will be BUG_ON() triggered in kernel/dma/mapping.c. Fix this by simply copying dma_mask and dma_mask_coherent from the parent device. Fixes: e45d0fad4a5f ("net: ethernet: ixp4xx: Use parent dev for DMA pool") Signed-off-by: Linus Walleij Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 78d8b34751cf3c61b8dcd6ac40b0fc453de3c6a3 Author: Florent Revest Date: Mon Apr 19 17:52:41 2021 +0200 libbpf: Initialize the bpf_seq_printf parameters array field by field [ Upstream commit 83cd92b46484aa8f64cdc0bff8ac6940d1f78519 ] When initializing the __param array with a one liner, if all args are const, the initial array value will be placed in the rodata section but because libbpf does not support relocation in the rodata section, any pointer in this array will stay NULL. Fixes: c09add2fbc5a ("tools/libbpf: Add bpf_iter support") Signed-off-by: Florent Revest Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210419155243.1632274-5-revest@chromium.org Signed-off-by: Sasha Levin commit b9e719698fc498551e7a580fea45dde07eb96f58 Author: Stefano Garzarella Date: Fri Apr 16 12:44:16 2021 +0200 vsock/vmci: log once the failed queue pair allocation [ Upstream commit e16edc99d658cd41c60a44cc14d170697aa3271f ] VMCI feature is not supported in conjunction with the vSphere Fault Tolerance (FT) feature. VMware Tools can repeatedly try to create a vsock connection. If FT is enabled the kernel logs is flooded with the following messages: qp_alloc_hypercall result = -20 Could not attach to queue pair with -20 "qp_alloc_hypercall result = -20" was hidden by commit e8266c4c3307 ("VMCI: Stop log spew when qp allocation isn't possible"), but "Could not attach to queue pair with -20" is still there flooding the log. Since the error message can be useful in some cases, print it only once. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Signed-off-by: Stefano Garzarella Reviewed-by: Jorgen Hansen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bc2e5321d7f11b9a972110b303ea7172959b9def Author: Pablo Neira Ayuso Date: Mon Apr 12 14:20:55 2021 +0200 netfilter: nftables_offload: special ethertype handling for VLAN [ Upstream commit 783003f3bb8a565326e89d18bbd948ad8ffc816a ] The nftables offload parser sets FLOW_DISSECTOR_KEY_BASIC .n_proto to the ethertype field in the ethertype frame. However: - FLOW_DISSECTOR_KEY_BASIC .n_proto field always stores either IPv4 or IPv6 ethertypes. - FLOW_DISSECTOR_KEY_VLAN .vlan_tpid stores either the 802.1q and 802.1ad ethertypes. Same as for FLOW_DISSECTOR_KEY_CVLAN. This function adjusts the flow dissector to handle two scenarios: 1) FLOW_DISSECTOR_KEY_VLAN .vlan_tpid is set to 802.1q or 802.1ad. Then, transfer: - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid. - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the FLOW_DISSECTOR_KEY_CVLAN .tpid - the original FLOW_DISSECTOR_KEY_CVLAN .tpid to the .n_proto field. 2) .n_proto is set to 802.1q or 802.1ad. Then, transfer: - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid. - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the .n_proto field. Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit a7eb38aacc81623f338d6c6f19604ace2fe4ec15 Author: Pablo Neira Ayuso Date: Mon Apr 12 14:20:15 2021 +0200 netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector [ Upstream commit ff4d90a89d3d4d9814e0a2696509a7d495be4163 ] The flow dissector representation expects the VLAN id in host byteorder. Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp. Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit cf2de861b2794f98363072e078ac9375d8e8f83e Author: Pablo Neira Ayuso Date: Mon Apr 12 14:11:39 2021 +0200 netfilter: nft_payload: fix C-VLAN offload support [ Upstream commit 14c20643ef9457679cc6934d77adc24296505214 ] - add another struct flow_dissector_key_vlan for C-VLAN - update layer 3 dependency to allow to match on IPv4/IPv6 Fixes: 89d8fd44abfb ("netfilter: nft_payload: add C-VLAN offload support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 1dd5ac62c0d44cdda819ba757d2348914b958deb Author: Lv Yunlong Date: Fri Apr 2 11:26:27 2021 -0700 mwl8k: Fix a double Free in mwl8k_probe_hw [ Upstream commit a8e083ee8e2a6c94c29733835adae8bf5b832748 ] In mwl8k_probe_hw, hw->priv->txq is freed at the first time by dma_free_coherent() in the call chain: if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i). Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent(). My patch set txq->txd to NULL after the first free to avoid the double free. Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver") Signed-off-by: Lv Yunlong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Sasha Levin commit 87299aad6278c69ee3b8288a357f6696ff387862 Author: Qii Wang Date: Sat Apr 17 14:46:51 2021 +0800 i2c: mediatek: Fix wrong dma sync flag [ Upstream commit 3186b880447ad3cc9b6487fa626a71d64b831524 ] The right flag is apdma_sync when apdma remove hand-shake signel. Fixes: 05f6f7271a38 ("i2c: mediatek: Fix apdma and i2c hand-shake timeout") Signed-off-by: Qii Wang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 232598e99fadeb0394a5b0759a05c9fae108e815 Author: Sergey Shtylyov Date: Sat Apr 17 22:05:05 2021 +0300 i2c: sh7760: fix IRQ error path [ Upstream commit 92dfb27240fea2776f61c5422472cb6defca7767 ] While adding the invalid IRQ check after calling platform_get_irq(), I managed to overlook that the driver has a complex error path in its probe() method, thus a simple *return* couldn't be used. Use a proper *goto* instead! Fixes: e5b2e3e74201 ("i2c: sh7760: add IRQ check") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit d204db4fe6acfea7b62fa397c587281399fbd8af Author: Arnd Bergmann Date: Tue Mar 23 13:57:14 2021 +0100 wlcore: fix overlapping snprintf arguments in debugfs [ Upstream commit 7b0e2c4f6be3ec68bf807c84e985e81c21404cd1 ] gcc complains about undefined behavior in calling snprintf() with the same buffer as input and output: drivers/net/wireless/ti/wl18xx/debugfs.c: In function 'diversity_num_of_packets_per_ant_read': drivers/net/wireless/ti/wl18xx/../wlcore/debugfs.h:86:3: error: 'snprintf' argument 4 overlaps destination object 'buf' [-Werror=restrict] 86 | snprintf(buf, sizeof(buf), "%s[%d] = %d\n", \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 87 | buf, i, stats->sub.name[i]); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/wireless/ti/wl18xx/debugfs.c:24:2: note: in expansion of macro 'DEBUGFS_FWSTATS_FILE_ARRAY' 24 | DEBUGFS_FWSTATS_FILE_ARRAY(a, b, c, wl18xx_acx_statistics) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/wireless/ti/wl18xx/debugfs.c:159:1: note: in expansion of macro 'WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY' 159 | WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(diversity, num_of_packets_per_ant, There are probably other ways of handling the debugfs file, without using on-stack buffers, but a simple workaround here is to remember the current position in the buffer and just keep printing in there. Fixes: bcca1bbdd412 ("wlcore: add debugfs macro to help print fw statistics arrays") Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210323125723.1961432-1-arnd@kernel.org Signed-off-by: Sasha Levin commit c0aa320ac617db728f4a9d1afe000708d481a097 Author: Ping-Ke Shih Date: Fri Feb 19 13:26:07 2021 +0800 rtlwifi: 8821ae: upgrade PHY and RF parameters [ Upstream commit 18fb0bedb5fc2fddc057dbe48b7360a6ffda34b3 ] The signal strength of 5G is quite low, so user can't connect to an AP far away. New parameters with new format and its parser are updated by the commit 84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser."), but some parameters are missing. Use this commit to update to the novel parameters that use new format. Fixes: 84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser") Signed-off-by: Ping-Ke Shih Tested-by: Kai-Heng Feng Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210219052607.7323-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit e9bd1af4c038061c67789e298067478c79cedb2b Author: David Edmondson Date: Thu Mar 18 12:08:37 2021 +0000 KVM: x86: dump_vmcs should not assume GUEST_IA32_EFER is valid [ Upstream commit d9e46d344e62a0d56fd86a8289db5bed8a57c92e ] If the VM entry/exit controls for loading/saving MSR_EFER are either not available (an older processor or explicitly disabled) or not used (host and guest values are the same), reading GUEST_IA32_EFER from the VMCS returns an inaccurate value. Because of this, in dump_vmcs() don't use GUEST_IA32_EFER to decide whether to print the PDPTRs - always do so if the fields exist. Fixes: 4eb64dce8d0a ("KVM: x86: dump VMCS on invalid entry") Signed-off-by: David Edmondson Message-Id: <20210318120841.133123-2-david.edmondson@oracle.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit bf6476152a0a084038b12b9d770e32717f54a6ab Author: Srikar Dronamraju Date: Thu Apr 15 17:39:32 2021 +0530 powerpc/smp: Reintroduce cpu_core_mask [ Upstream commit c47f892d7aa62765bf0689073f75990b4517a4cf ] Daniel reported that with Commit 4ca234a9cbd7 ("powerpc/smp: Stop updating cpu_core_mask") QEMU was unable to set single NUMA node SMP topologies such as: -smp 8,maxcpus=8,cores=2,threads=2,sockets=2 i.e he expected 2 sockets in one NUMA node. The above commit helped to reduce boot time on Large Systems for example 4096 vCPU single socket QEMU instance. PAPR is silent on having more than one socket within a NUMA node. cpu_core_mask and cpu_cpu_mask for any CPU would be same unless the number of sockets is different from the number of NUMA nodes. One option is to reintroduce cpu_core_mask but use a slightly different method to arrive at the cpu_core_mask. Previously each CPU's chip-id would be compared with all other CPU's chip-id to verify if both the CPUs were related at the chip level. Now if a CPU 'A' is found related / (unrelated) to another CPU 'B', all the thread siblings of 'A' and thread siblings of 'B' are automatically marked as related / (unrelated). Also if a platform doesn't support ibm,chip-id property, i.e its cpu_to_chip_id returns -1, cpu_core_map holds a copy of cpu_cpu_mask(). Fixes: 4ca234a9cbd7 ("powerpc/smp: Stop updating cpu_core_mask") Reported-by: Daniel Henrique Barboza Signed-off-by: Srikar Dronamraju Tested-by: Daniel Henrique Barboza Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210415120934.232271-2-srikar@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit af39f070c8b050424b3228add787f9a79a26b9a8 Author: Tyrel Datwyler Date: Thu Feb 11 12:24:35 2021 -0600 powerpc/pseries: extract host bridge from pci_bus prior to bus removal [ Upstream commit 38d0b1c9cec71e6d0f3bddef0bbce41d05a3e796 ] The pci_bus->bridge reference may no longer be valid after pci_bus_remove() resulting in passing a bad value to device_unregister() for the associated bridge device. Store the host_bridge reference in a separate variable prior to pci_bus_remove(). Fixes: 7340056567e3 ("powerpc/pci: Reorder pci bus/bridge unregistration during PHB removal") Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210211182435.47968-1-tyreld@linux.ibm.com Signed-off-by: Sasha Levin commit 8dfd7329ad0ba49b3681afd19142696434b8e67a Author: Ilya Lipnitskiy Date: Tue Apr 13 20:12:37 2021 -0700 MIPS: pci-legacy: stop using of_pci_range_to_resource [ Upstream commit 3ecb9dc1581eebecaee56decac70e35365260866 ] Mirror commit aeba3731b150 ("powerpc/pci: Fix IO space breakage after of_pci_range_to_resource() change"). Most MIPS platforms do not define PCI_IOBASE, nor implement pci_address_to_pio(). Moreover, IO_SPACE_LIMIT is 0xffff for most MIPS platforms. of_pci_range_to_resource passes the _start address_ of the IO range into pci_address_to_pio, which then checks it against IO_SPACE_LIMIT and fails, because for MIPS platforms that use pci-legacy (pci-lantiq, pci-rt3883, pci-mt7620), IO ranges start much higher than 0xffff. In fact, pci-mt7621 in staging already works around this problem, see commit 09dd629eeabb ("staging: mt7621-pci: fix io space and properly set resource limits") So just stop using of_pci_range_to_resource, which does not work for MIPS. Fixes PCI errors like: pci_bus 0000:00: root bus resource [io 0xffffffff] Fixes: 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO resources") Signed-off-by: Ilya Lipnitskiy Cc: Liviu Dudau Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit cabed6027a5b8ba2d382c4391cbc7fed8cbdb86b Author: Dan Carpenter Date: Wed Apr 14 08:59:22 2021 +0300 drm/amd/pm: fix error code in smu_set_power_limit() [ Upstream commit bbdfe5aaef3c1d5c5e62fa235ef13f064e4c1c17 ] We should return -EINVAL instead of success if the "limit" is too high. Fixes: e098bc9612c2 ("drm/amd/pm: optimize the power related source code layout") Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 486642baea695e59b742f18fc7b0e309d3e9793f Author: Vitaly Chikunov Date: Wed Apr 14 21:27:23 2021 +0300 perf beauty: Fix fsconfig generator [ Upstream commit 2e1daee14e67fbf9b27280b974e2c680a22cabea ] After gnulib update sed stopped matching `[[:space:]]*+' as before, causing the following compilation error: In file included from builtin-trace.c:719: trace/beauty/generated/fsconfig_arrays.c:2:3: error: expected expression before ']' token 2 | [] = "", | ^ trace/beauty/generated/fsconfig_arrays.c:2:3: error: array index in initializer not of integer type trace/beauty/generated/fsconfig_arrays.c:2:3: note: (near initialization for 'fsconfig_cmds') Fix this by correcting the regular expression used in the generator. Also, clean up the script by removing redundant egrep, xargs, and printf invocations. Committer testing: Continues to work: $ cat tools/perf/trace/beauty/fsconfig.sh #!/bin/sh # SPDX-License-Identifier: LGPL-2.1 if [ $# -ne 1 ] ; then linux_header_dir=tools/include/uapi/linux else linux_header_dir=$1 fi linux_mount=${linux_header_dir}/mount.h printf "static const char *fsconfig_cmds[] = {\n" ms='[[:space:]]*' sed -nr "s/^${ms}FSCONFIG_([[:alnum:]_]+)${ms}=${ms}([[:digit:]]+)${ms},.*/\t[\2] = \"\1\",/p" \ ${linux_mount} printf "};\n" $ tools/perf/trace/beauty/fsconfig.sh static const char *fsconfig_cmds[] = { [0] = "SET_FLAG", [1] = "SET_STRING", [2] = "SET_BINARY", [3] = "SET_PATH", [4] = "SET_PATH_EMPTY", [5] = "SET_FD", [6] = "CMD_CREATE", [7] = "CMD_RECONFIGURE", }; $ Fixes: d35293004a5e4 ("perf beauty: Add generator for fsconfig's 'cmd' arg values") Signed-off-by: Vitaly Chikunov Co-authored-by: Dmitry V. Levin Tested-by: Arnaldo Carvalho de Melo Link: http://lore.kernel.org/lkml/20210414182723.1670663-1-vt@altlinux.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 0df2770ad33b28cacd7cd243039af447eed0ed65 Author: Paul Menzel Date: Mon Apr 12 20:01:41 2021 +0200 iommu/amd: Put newline after closing bracket in warning [ Upstream commit 304c73ba69459d4c18c2a4b843be6f5777b4b85c ] Currently, on the Dell OptiPlex 5055 the EFR mismatch warning looks like below. [ 1.479774] smpboot: CPU0: AMD Ryzen 5 PRO 1500 Quad-Core Processor (family: 0x17, model: 0x1, stepping: 0x1) […] [ 2.507370] AMD-Vi: [Firmware Warn]: EFR mismatch. Use IVHD EFR (0xf77ef22294ada : 0x400f77ef22294ada ). Add the newline after the `).`, so it’s on one line. Fixes: a44092e326d4 ("iommu/amd: Use IVHD EFR for early initialization of IOMMU features") Cc: iommu@lists.linux-foundation.org Cc: Suravee Suthikulpanit Cc: Brijesh Singh Cc: Robert Richter Signed-off-by: Paul Menzel Link: https://lore.kernel.org/r/20210412180141.29605-1-pmenzel@molgen.mpg.de Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit a1c1de90cd28dc16b7799fe82836a736a68527cf Author: Dan Carpenter Date: Wed Apr 14 09:01:38 2021 +0300 drm/i915/gvt: Fix error code in intel_gvt_init_device() [ Upstream commit 329328ec6a87f2c1275f50d979d55513de458409 ] The intel_gvt_init_vgpu_type_groups() function is only called from intel_gvt_init_device(). If it fails then the intel_gvt_init_device() prints the error code and propagates it back again. That's a bug because false is zero/success. The fix is to modify it to return zero or negative error codes and make everything consistent. Fixes: c5d71cb31723 ("drm/i915/gvt: Move vGPU type related code into gvt file") Signed-off-by: Dan Carpenter Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/YHaFQtk/DIVYK1u5@mwanda Reviewed-by: Zhenyu Wang Signed-off-by: Sasha Levin commit 2b3ae007c6394446562f9ba2e5043fb209ab3fb0 Author: Eric Dumazet Date: Wed Apr 14 12:36:44 2021 -0700 net/packet: remove data races in fanout operations [ Upstream commit 94f633ea8ade8418634d152ad0931133338226f6 ] af_packet fanout uses RCU rules to ensure f->arr elements are not dismantled before RCU grace period. However, it lacks rcu accessors to make sure KCSAN and other tools wont detect data races. Stupid compilers could also play games. Fixes: dc99f600698d ("packet: Add fanout support.") Signed-off-by: Eric Dumazet Reported-by: "Gong, Sishuai" Cc: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3a1c395703bef879cc13b4b02530db72d2c3aeb6 Author: Tanner Love Date: Fri Nov 6 13:07:40 2020 -0500 net/packet: make packet_fanout.arr size configurable up to 64K [ Upstream commit 9c661b0b85444e426d3f23250305eeb16f6ffe88 ] One use case of PACKET_FANOUT is lockless reception with one socket per CPU. 256 is a practical limit on increasingly many machines. Increase PACKET_FANOUT_MAX to 64K. Expand setsockopt PACKET_FANOUT to take an extra argument max_num_members. Also explicitly define a fanout_args struct, instead of implicitly casting to an integer. This documents the API and simplifies the control flow. If max_num_members is not specified or is set to 0, then 256 is used, same as before. Signed-off-by: Tanner Love Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d10c5162b4931a48bf95783e67c380f2af3397cd Author: Colin Ian King Date: Tue Apr 6 17:53:46 2021 +0100 net/mlx5: Fix bit-wise and with zero [ Upstream commit 82c3ba31c370b6001cbf90689e98da1fb6f26aef ] The bit-wise and of the action field with MLX5_ACCEL_ESP_ACTION_DECRYPT is incorrect as MLX5_ACCEL_ESP_ACTION_DECRYPT is zero and not intended to be a bit-flag. Fix this by using the == operator as was originally intended. Addresses-Coverity: ("Logically dead code") Fixes: 7dfee4b1d79e ("net/mlx5: IPsec, Refactor SA handle creation and destruction") Signed-off-by: Colin Ian King Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit d97d22bda17aba6d24814fb96033bcc03d1a88a8 Author: Shengjiu Wang Date: Wed Apr 14 14:33:43 2021 +0800 ASoC: ak5558: correct reset polarity [ Upstream commit 0b93bbc977af55fd10687f2c96c807cba95cb927 ] Reset (aka power off) happens when the reset gpio is made active. The reset gpio is GPIO_ACTIVE_LOW Fixes: 920884777480 ("ASoC: ak5558: Add support for AK5558 ADC driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1618382024-31725-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c1f98096113352eb13b3c620832d7c716fe4c626 Author: Cédric Le Goater Date: Wed Mar 31 16:45:12 2021 +0200 powerpc/xive: Fix xmon command "dxi" [ Upstream commit 33e4bc5946432a4ac173fd08e8e30a13ab94d06d ] When under xmon, the "dxi" command dumps the state of the XIVE interrupts. If an interrupt number is specified, only the state of the associated XIVE interrupt is dumped. This form of the command lacks an irq_data parameter which is nevertheless used by xmon_xive_get_irq_config(), leading to an xmon crash. Fix that by doing a lookup in the system IRQ mapping to query the IRQ descriptor data. Invalid interrupt numbers, or not belonging to the XIVE IRQ domain, OPAL event interrupt number for instance, should be caught by the previous query done at the firmware level. Fixes: 97ef27507793 ("powerpc/xive: Fix xmon support on the PowerNV platform") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Cédric Le Goater Tested-by: Greg Kurz Reviewed-by: Greg Kurz Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210331144514.892250-8-clg@kaod.org Signed-off-by: Sasha Levin commit e2724bed6481df2b9598e6728c457b4d69bfc06b Author: Cédric Le Goater Date: Wed Mar 31 16:45:10 2021 +0200 powerpc/xive: Drop check on irq_data in xive_core_debug_show() [ Upstream commit a74ce5926b20cd0e6d624a9b2527073a96dfed7f ] When looping on IRQ descriptor, irq_data is always valid. Fixes: 930914b7d528 ("powerpc/xive: Add a debugfs file to dump internal XIVE state") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Cédric Le Goater Reviewed-by: Greg Kurz Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210331144514.892250-6-clg@kaod.org Signed-off-by: Sasha Levin commit a38b77899c2c8a97b3d700df308a83a2715876ba Author: Sergey Shtylyov Date: Sat Apr 10 23:25:10 2021 +0300 i2c: sh7760: add IRQ check [ Upstream commit e5b2e3e742015dd2aa6bc7bcef2cb59b2de1221c ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with invalid IRQ #s. Fixes: a26c20b1fa6d ("i2c: Renesas SH7760 I2C master driver") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 4b8177766a8ba001845635f5c09064da900bdf99 Author: Sergey Shtylyov Date: Sat Apr 10 23:23:33 2021 +0300 i2c: rcar: add IRQ check [ Upstream commit 147178cf03a6dcb337e703d4dacd008683022a58 ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with the invalid IRQ #s. Fixes: 6ccbe607132b ("i2c: add Renesas R-Car I2C driver") Signed-off-by: Sergey Shtylyov Reviewed-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 1ac4f7a260175c72fa9e814fb44635d8c8f53c61 Author: Wolfram Sang Date: Wed Dec 23 18:21:54 2020 +0100 i2c: rcar: protect against supurious interrupts on V3U [ Upstream commit 9c975c432bc0aa53a90438fc80b369cb35134a48 ] V3U creates spurious interrupts which we need to handle. This costs time until BUS_PHASE_DATA can be activated which is problematic for Gen2 SoCs and earlier. Because of this we introduce two interrupt handlers here which will call a generic main irq function once the timing critical stuff is done. Signed-off-by: Wolfram Sang Reviewed-by: Niklas Söderlund Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 11e2b2b6f6b92a94de9ce6f37451045b73eb4385 Author: Wolfram Sang Date: Wed Dec 23 18:21:53 2020 +0100 i2c: rcar: make sure irq is not threaded on Gen2 and earlier [ Upstream commit 24c6d4bc563881539d2cd4433e502436ad87d512 ] Ensure this irq runs as fast as possible. Signed-off-by: Wolfram Sang Reviewed-by: Niklas Söderlund Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f41d2bfef5386a0b9c404c9c7c728f2047a64499 Author: Sergey Shtylyov Date: Sat Apr 10 23:20:49 2021 +0300 i2c: mlxbf: add IRQ check [ Upstream commit 0d3bf53e897dce943b98d975bbde77156af6cd81 ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with invalid IRQ #s. Fixes: b5b5b32081cd ("i2c: mlxbf: I2C SMBus driver for Mellanox BlueField SoC") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c6eea11b5cb6e33e47794c7ebfa05d354381d758 Author: Sergey Shtylyov Date: Sat Apr 10 23:18:31 2021 +0300 i2c: jz4780: add IRQ check [ Upstream commit c5e5f7a8d931fb4beba245bdbc94734175fda9de ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with invalid IRQ #s. Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit ab6d6cae0aa1f6439ddcefa788daaea244efadcb Author: Sergey Shtylyov Date: Sat Apr 10 23:16:41 2021 +0300 i2c: emev2: add IRQ check [ Upstream commit bb6129c32867baa7988f7fd2066cf18ed662d240 ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with invalid IRQ #s. Fixes: 5faf6e1f58b4 ("i2c: emev2: add driver") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 6f291ab1776e4f912b50c1ffce963c9e01cf5a3b Author: Sergey Shtylyov Date: Sat Apr 10 23:14:35 2021 +0300 i2c: cadence: add IRQ check [ Upstream commit 5581c2c5d02bc63a0edb53e061c8e97cd490646e ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_irq() with invalid IRQ #s. Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") Signed-off-by: Sergey Shtylyov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c977426db644ba476938125597947979e8aba725 Author: Qinglang Miao Date: Tue Dec 1 17:31:46 2020 +0800 i2c: xiic: fix reference leak when pm_runtime_get_sync fails [ Upstream commit a85c5c7a3aa8041777ff691400b4046e56149fd3 ] The PM reference count is not expected to be incremented on return in xiic_xfer and xiic_i2c_remove. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 10b17004a74c ("i2c: xiic: Fix the clocking across bind unbind") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit c323b270a52a26aa8038a4d1fd9a850904a41166 Author: Qinglang Miao Date: Tue Dec 1 17:31:45 2020 +0800 i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 2c662660ce2bd3b09dae21a9a9ac9395e1e6c00b ] The PM reference count is not expected to be incremented on return in these stm32f7_i2c_xx serious functions. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: ea6dd25deeb5 ("i2c: stm32f7: add PM_SLEEP suspend/resume support") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e547640cee7981fd751d2c9cde3a61bdb678b755 Author: Qinglang Miao Date: Tue Dec 1 17:31:44 2020 +0800 i2c: sprd: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 3a4f326463117cee3adcb72999ca34a9aaafda93 ] The PM reference count is not expected to be incremented on return in sprd_i2c_master_xfer() and sprd_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 8b9ec0719834 ("i2c: Add Spreadtrum I2C controller driver") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 8c0a2009fb20d98fd1aaab172ecaed39379d8b8d Author: Qinglang Miao Date: Tue Dec 1 17:31:43 2020 +0800 i2c: omap: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 780f629741257ed6c54bd3eb53b57f648eabf200 ] The PM reference count is not expected to be incremented on return in omap_i2c_probe() and omap_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. I Replace it with pm_runtime_resume_and_get to keep usage counter balanced. What's more, error path 'err_free_mem' seems not like a proper name any more. So I change the name to err_disable_pm and move pm_runtime_disable below, for pm_runtime of 'pdev->dev' should be disabled when pm_runtime_resume_and_get fails. Fixes: 3b0fb97c8dc4 ("I2C: OMAP: Handle error check for pm runtime") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Reviewed-by: Grygorii Strashko Reviewed-by: Vignesh Raghavendra Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 3a0cdd336d92c429b51a79bf4f64b17eafa0325d Author: Qinglang Miao Date: Tue Dec 1 17:31:41 2020 +0800 i2c: imx: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 47ff617217ca6a13194fcb35c6c3a0c57c080693 ] In i2c_imx_xfer() and i2c_imx_remove(), the pm reference count is not expected to be incremented on return. However, pm_runtime_get_sync will increment pm reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 3a5ee18d2a32 ("i2c: imx: implement master_xfer_atomic callback") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Reviewed-by: Oleksij Rempel Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit cc49d206414240483bb93ffa3d80243e6a776916 Author: Qinglang Miao Date: Tue Dec 1 17:31:40 2020 +0800 i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 278e5bbdb9a94fa063c0f9bcde2479d0b8042462 ] The PM reference count is not expected to be incremented on return in lpi2c_imx_master_enable. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 13d6eb20fc79 ("i2c: imx-lpi2c: add runtime pm support") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e80ae8bde41266d3b8bf012460b6593851766006 Author: Qinglang Miao Date: Tue Dec 1 17:31:39 2020 +0800 i2c: img-scb: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 223125e37af8a641ea4a09747a6a52172fc4b903 ] The PM reference count is not expected to be incremented on return in functions img_i2c_xfer and img_i2c_init. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 93222bd9b966 ("i2c: img-scb: Add runtime PM") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 30410519328c94367e561fd878e5f0d3a0303585 Author: Qinglang Miao Date: Tue Dec 1 17:31:17 2020 +0800 i2c: cadence: fix reference leak when pm_runtime_get_sync fails [ Upstream commit 23ceb8462dc6f4b4decdb5536a7e5fc477cdf0b6 ] The PM reference count is not expected to be incremented on return in functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment pm usage counter even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 7fa32329ca03 ("i2c: cadence: Move to sensible power management") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit b64415c6b3476cf9fa4d0aea3807065b8403a937 Author: Gioh Kim Date: Mon Apr 12 10:40:02 2021 +0200 RDMA/rtrs-clt: destroy sysfs after removing session from active list [ Upstream commit 7f4a8592ff29f19c5a2ca549d0973821319afaad ] A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list. Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session. For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats") This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces. Each function still should check the session status because closing or error recovery paths can change the status. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Link: https://lore.kernel.org/r/20210412084002.33582-1-gi-oh.kim@ionos.com Signed-off-by: Gioh Kim Reviewed-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6a07e5e39d4fb5f7a5b7feb6299701e1565c2083 Author: Wang Wensheng Date: Thu Apr 8 11:31:32 2021 +0000 RDMA/srpt: Fix error return code in srpt_cm_req_recv() [ Upstream commit 6bc950beff0c440ac567cdc4e7f4542a9920953d ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: db7683d7deb2 ("IB/srpt: Fix login-related race conditions") Link: https://lore.kernel.org/r/20210408113132.87250-1-wangwensheng4@huawei.com Reported-by: Hulk Robot Signed-off-by: Wang Wensheng Reviewed-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4601bcc6410c12947bf9b5e5ff8f1930f82d0cfa Author: Colin Ian King Date: Fri Apr 9 14:07:26 2021 +0100 net: thunderx: Fix unintentional sign extension issue [ Upstream commit e701a25840360706fe4cf5de0015913ca19c274b ] The shifting of the u8 integers rq->caching by 26 bits to the left will be promoted to a 32 bit signed int and then sign-extended to a u64. In the event that rq->caching is greater than 0x1f then all then all the upper 32 bits of the u64 end up as also being set because of the int sign-extension. Fix this by casting the u8 values to a u64 before the 26 bit left shift. Addresses-Coverity: ("Unintended sign extension") Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6a61307e58abd1b802fcf1edd6f6c556f0c7f2d8 Author: Colin Ian King Date: Fri Apr 9 12:08:57 2021 +0100 cxgb4: Fix unintentional sign extension issues [ Upstream commit dd2c79677375c37f8f9f8d663eb4708495d595ef ] The shifting of the u8 integers f->fs.nat_lip[] by 24 bits to the left will be promoted to a 32 bit signed int and then sign-extended to a u64. In the event that the top bit of the u8 is set then all then all the upper 32 bits of the u64 end up as also being set because of the sign-extension. Fix this by casting the u8 values to a u64 before the 24 bit left shift. Addresses-Coverity: ("Unintended sign extension") Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 52fd8005a2391ad88587ec79536e9cceb3d899cb Author: Wang Wensheng Date: Thu Apr 8 11:31:37 2021 +0000 RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() [ Upstream commit 22efb0a8d130c6379c1eb64cbace1542b27e37ff ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/20210408113137.97202-1-wangwensheng4@huawei.com Reported-by: Hulk Robot Signed-off-by: Wang Wensheng Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit afb738b74447966912c55bc620caa2811f200292 Author: Wang Wensheng Date: Thu Apr 8 11:31:40 2021 +0000 IB/hfi1: Fix error return code in parse_platform_config() [ Upstream commit 4c7d9c69adadfc31892c7e8e134deb3546552106 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Link: https://lore.kernel.org/r/20210408113140.103032-1-wangwensheng4@huawei.com Reported-by: Hulk Robot Signed-off-by: Wang Wensheng Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a12d75f5dcfbeb0557c79b036c780606dce99d60 Author: Wang Wensheng Date: Thu Apr 8 11:31:35 2021 +0000 RDMA/qedr: Fix error return code in qedr_iw_connect() [ Upstream commit 10dd83dbcd157baf7a78a09ddb2f84c627bc7f1d ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 82af6d19d8d9 ("RDMA/qedr: Fix synchronization methods and memory leaks in qedr") Link: https://lore.kernel.org/r/20210408113135.92165-1-wangwensheng4@huawei.com Reported-by: Hulk Robot Signed-off-by: Wang Wensheng Acked-by: Michal Kalderon  Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0f8528c78fc8b49314c1b5f87ff770d0841e54c5 Author: Amir Goldstein Date: Sun Apr 11 12:22:23 2021 +0300 ovl: invalidate readdir cache on changes to dir with origin [ Upstream commit 65cd913ec9d9d71529665924c81015b7ab7d9381 ] The test in ovl_dentry_version_inc() was out-dated and did not include the case where readdir cache is used on a non-merge dir that has origin xattr, indicating that it may contain leftover whiteouts. To make the code more robust, use the same helper ovl_dir_is_real() to determine if readdir cache should be used and if readdir cache should be invalidated. Fixes: b79e05aaa166 ("ovl: no direct iteration for dir with origin xattr") Link: https://lore.kernel.org/linux-unionfs/CAOQ4uxht70nODhNHNwGFMSqDyOKLXOKrY0H6g849os4BQ7cokA@mail.gmail.com/ Cc: Chris Murphy Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 082fa65bf60a51a8ac199b31d39b42737d42382a Author: Nicholas Piggin Date: Mon Apr 12 11:48:34 2021 +1000 KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit [ Upstream commit 5088eb4092df12d701af8e0e92860b7186365279 ] The host CTRL (runlatch) value is not restored after guest exit. The host CTRL should always be 1 except in CPU idle code, so this can result in the host running with runlatch clear, and potentially switching to a different vCPU which then runs with runlatch clear as well. This has little effect on P9 machines, CTRL is only responsible for some PMU counter logic in the host and so other than corner cases of software relying on that, or explicitly reading the runlatch value (Linux does not appear to be affected but it's possible non-Linux guests could be), there should be no execution correctness problem, though it could be used as a covert channel between guests. There may be microcontrollers, firmware or monitoring tools that sample the runlatch value out-of-band, however since the register is writable by guests, these values would (should) not be relied upon for correct operation of the host, so suboptimal performance or incorrect reporting should be the worst problem. Fixes: 95a6432ce9038 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210412014845.1517916-2-npiggin@gmail.com Signed-off-by: Sasha Levin commit de4e60382b90d816fce41577c66f2dce25943cfd Author: Sean Wang Date: Thu Mar 4 21:25:23 2021 +0800 mt76: mt7663s: fix the possible device hang in high traffic [ Upstream commit 45247a85614b49b07b9dc59a4e6783b17e766ff2 ] Use the additional memory barrier to ensure the skb list up-to-date between the skb producer and consumer to avoid the invalid skb content written into sdio controller and then cause device hang due to mcu assert caught by WR_TIMEOUT_INT. Fixes: 1522ff731f84 ("mt76: mt7663s: introduce sdio tx aggregation") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 188dfc470263c0fccdbaf96098643d1e4db2d3e9 Author: Sean Wang Date: Thu Mar 4 21:25:22 2021 +0800 mt76: mt7663s: make all of packets 4-bytes aligned in sdio tx aggregation [ Upstream commit 455ae5aabcc72fed7e5c803d59d122415500dc08 ] Each packet should be padded with the additional zero to become 4-bytes alignment in sdio tx aggregation. Fixes: 1522ff731f84 ("mt76: mt7663s: introduce sdio tx aggregation") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit bf08637d32e6fae886ca2977bc3988dc652b40f2 Author: Ryder Lee Date: Tue Feb 23 22:00:36 2021 +0800 mt76: mt7915: fix mib stats counter reporting to mac80211 [ Upstream commit 2b35050a321865859fd2f12a3c18ed7be27858c9 ] In order to properly report MIB counters to mac80211, resets stats in mt7915_get_stats routine() and hold mt76 mutex accessing MIB counters. Sum up MIB counters in mt7915_mac_update_mib_stats routine. Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Ryder Lee Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 0b39be51626d0782ab2d98549d3a25658f4522a6 Author: Lorenzo Bianconi Date: Tue Feb 23 11:42:49 2021 +0100 mt76: mt7615: fix mib stats counter reporting to mac80211 [ Upstream commit 2eb6f6c437745bce46bd7a8f3a22a732d5b9becb ] In order to properly report MIB counters to mac80211, resets stats in mt7615_get_stats routine and hold mt76 mutex accessing MIB counters. Sum up MIB counters in mt7615_mac_update_mib_stats routine. Fixes: c388d8584bc83 ("mt76: mt7615: add a get_stats() callback") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2da92db47f074c31077e4e5e9169af9c3e60e882 Author: Lorenzo Bianconi Date: Mon Feb 22 02:14:36 2021 +0100 mt76: mt7915: fix aggr len debugfs node [ Upstream commit 9fb9d755fae20b5ad62ef8b4e9289e5baea2c6fc ] Similar to mt7921, fix 802.11 aggr len debugfs reporting for mt7915 driver. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4e7914ce23306b28d377ec395e00e5fde0e6f96e Author: Felix Fietkau Date: Sat Feb 13 18:44:10 2021 +0100 mt76: mt7915: fix tx skb dma unmap [ Upstream commit 7dcf3c04f0aca746517a77433b33d40868ca4749 ] The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries Reported-by: Ben Greear Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915") Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 75bc5f779a7664d1fc19cb915039439c6e58bb94 Author: Felix Fietkau Date: Sat Feb 13 18:42:15 2021 +0100 mt76: mt7615: fix tx skb dma unmap [ Upstream commit ebee7885bb12a8fe2c2f9bac87dbd87a05b645f9 ] The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915") Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 3443c54c41718f9aa4785e0388dce7ccddffaac7 Author: Colin Ian King Date: Thu Feb 25 18:32:41 2021 +0000 mt7601u: fix always true expression [ Upstream commit 87fce88658ba047ae62e83497d3f3c5dc22fa6f9 ] Currently the expression ~nic_conf1 is always true because nic_conf1 is a u16 and according to 6.5.3.3 of the C standard the ~ operator promotes the u16 to an integer before flipping all the bits. Thus the top 16 bits of the integer result are all set so the expression is always true. If the intention was to flip all the bits of nic_conf1 then casting the integer result back to a u16 is a suitabel fix. Interestingly static analyzers seem to thing a bitwise ! should be used instead of ~ for this scenario, so I think the original intent of the expression may need some extra consideration. Addresses-Coverity: ("Logical vs. bitwise operator") Fixes: c869f77d6abb ("add mt7601u driver") Signed-off-by: Colin Ian King Acked-by: Jakub Kicinski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210225183241.1002129-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 00792f31a330cb5da7ae35dba6a2e9d8c6211c83 Author: Dan Carpenter Date: Mon Mar 15 12:23:37 2021 +0300 rtw88: Fix an error code in rtw_debugfs_set_rsvd_page() [ Upstream commit c9eaee0c2ec6b1002044fb698cdfb5d9ef4ed28c ] The sscanf() function returns the number of matches (0 or 1 in this case). It doesn't return error codes. We should return -EINVAL if the string is invalid Fixes: c376c1fc87b7 ("rtw88: add h2c command in debugfs") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YE8nmatMDBDDWkjq@mwanda Signed-off-by: Sasha Levin commit 80cff3e1167021d5c5d821ef267b7b79eeec8865 Author: Colin Ian King Date: Fri Apr 9 10:27:34 2021 -0700 xfs: fix return of uninitialized value in variable error [ Upstream commit 3b6dd9a9aeeada19d0c820ff68e979243a888bb6 ] A previous commit removed a call to xfs_attr3_leaf_read that assigned an error return code to variable error. We now have a few early error return paths to label 'out' that return error if error is set; however error now is uninitialized so potentially garbage is being returned. Fix this by setting error to zero to restore the original behaviour where error was zero at the label 'restart'. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 07120f1abdff ("xfs: Add xfs_has_attr and subroutines") Signed-off-by: Colin Ian King Reviewed-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit b07520a55f10a226a03341e56b781ec8b9543b49 Author: Smita Koralahalli Date: Tue Apr 6 16:59:41 2021 -0500 perf vendor events amd: Fix broken L2 Cache Hits from L2 HWPF metric [ Upstream commit 86c2bc3da769124e3e856b6e9457be3667c30919 ] Commit 08ed77e414ab2342 ("perf vendor events amd: Add recommended events") added the hits event "L2 Cache Hits from L2 HWPF" with the same metric expression as the accesses event "L2 Cache Accesses from L2 HWPF": $ perf list --details ... l2_cache_accesses_from_l2_hwpf [L2 Cache Accesses from L2 HWPF] [l2_pf_hit_l2 + l2_pf_miss_l2_hit_l3 + l2_pf_miss_l2_l3] l2_cache_hits_from_l2_hwpf [L2 Cache Hits from L2 HWPF] [l2_pf_hit_l2 + l2_pf_miss_l2_hit_l3 + l2_pf_miss_l2_l3] ... This was wrong and led to counting hits the same as accesses. Section 2.1.15.2 "Performance Measurement" of "PPR for AMD Family 17h Model 31h B0 - 55803 Rev 0.54 - Sep 12, 2019", documents the hits event with EventCode 0x70 which is the same as l2_pf_hit_l2. Fix this, and massage the description for l2_pf_hit_l2 as the hits event is now the duplicate of l2_pf_hit_l2. AMD recommends using the recommended event over other events if the duplicate exists and maintain both for consistency. Hence, l2_cache_hits_from_l2_hwpf should override l2_pf_hit_l2. Before: # perf stat -M l2_cache_accesses_from_l2_hwpf,l2_cache_hits_from_l2_hwpf sleep 1 Performance counter stats for 'sleep 1': 1,436 l2_pf_miss_l2_l3 # 11114.00 l2_cache_accesses_from_l2_hwpf # 11114.00 l2_cache_hits_from_l2_hwpf 4,482 l2_pf_hit_l2 5,196 l2_pf_miss_l2_hit_l3 1.001765339 seconds time elapsed After: # perf stat -M l2_cache_accesses_from_l2_hwpf sleep 1 Performance counter stats for 'sleep 1': 1,477 l2_pf_miss_l2_l3 # 10442.00 l2_cache_accesses_from_l2_hwpf 3,978 l2_pf_hit_l2 4,987 l2_pf_miss_l2_hit_l3 1.001491186 seconds time elapsed # perf stat -e l2_cache_hits_from_l2_hwpf sleep 1 Performance counter stats for 'sleep 1': 3,983 l2_cache_hits_from_l2_hwpf 1.001329970 seconds time elapsed Note the difference in performance counter values for the accesses versus the hits after the fix, and the hits event now counting the same as l2_pf_hit_l2. Fixes: 08ed77e414ab ("perf vendor events amd: Add recommended events") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206537 Reviewed-by: Robert Richter Signed-off-by: Smita Koralahalli Tested-by: Arnaldo Carvalho de Melo # On a 3900X Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kim Phillips Cc: Mark Rutland Cc: Martin Liška Cc: Michael Petlan Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Vijay Thakkar Cc: linux-perf-users@vger.kernel.org Link: https://lore.kernel.org/r/20210406215944.113332-2-Smita.KoralahalliChannabasappa@amd.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 08c75d4b76828479d220958ba8eb4bfaadbd0a71 Author: Johannes Berg Date: Thu Apr 8 14:31:50 2021 +0200 mac80211: bail out if cipher schemes are invalid [ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ] If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support") Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit e00f32c2c97be1072b43bebe7fa4652f6fea73c4 Author: Randy Dunlap Date: Sun Apr 4 12:26:23 2021 -0700 powerpc: iommu: fix build when neither PCI or IBMVIO is set [ Upstream commit b27dadecdf9102838331b9a0b41ffc1cfe288154 ] When neither CONFIG_PCI nor CONFIG_IBMVIO is set/enabled, iommu.c has a build error. The fault injection code is not useful in that kernel config, so make the FAIL_IOMMU option depend on PCI || IBMVIO. Prevents this build error (warning escalated to error): ../arch/powerpc/kernel/iommu.c:178:30: error: 'fail_iommu_bus_notifier' defined but not used [-Werror=unused-variable] 178 | static struct notifier_block fail_iommu_bus_notifier = { Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection") Reported-by: kernel test robot Suggested-by: Michael Ellerman Signed-off-by: Randy Dunlap Acked-by: Randy Dunlap # build-tested Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210404192623.10697-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 8ce329c6898373a1db399961feaeeaa4811cc511 Author: Athira Rajeev Date: Tue Apr 6 12:16:01 2021 -0400 powerpc/perf: Fix PMU constraint check for EBB events [ Upstream commit 10f8f96179ecc7f69c927f6d231f6d02736cea83 ] The power PMU group constraints includes check for EBB events to make sure all events in a group must agree on EBB. This will prevent scheduling EBB and non-EBB events together. But in the existing check, settings for constraint mask and value is interchanged. Patch fixes the same. Before the patch, PMU selftest "cpu_event_pinned_vs_ebb_test" fails with below in dmesg logs. This happens because EBB event gets enabled along with a non-EBB cpu event. [35600.453346] cpu_event_pinne[41326]: illegal instruction (4) at 10004a18 nip 10004a18 lr 100049f8 code 1 in cpu_event_pinned_vs_ebb_test[10000000+10000] Test results after the patch: $ ./pmu/ebb/cpu_event_pinned_vs_ebb_test test: cpu_event_pinned_vs_ebb tags: git_version:v5.12-rc5-93-gf28c3125acd3-dirty Binding to cpu 8 EBB Handler is at 0x100050c8 read error on event 0x7fffe6bd4040! PM_RUN_INST_CMPL: result 9872 running/enabled 37930432 success: cpu_event_pinned_vs_ebb This bug was hidden by other logic until commit 1908dc911792 (perf: Tweak perf_event_attr::exclusive semantics). Fixes: 4df489991182 ("powerpc/perf: Add power8 EBB support") Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Athira Rajeev [mpe: Mention commit 1908dc911792] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1617725761-1464-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f Author: Jordan Niethe Date: Mon Feb 8 14:29:56 2021 +1100 powerpc/64s: Fix pte update for kernel memory on radix [ Upstream commit b8b2f37cf632434456182e9002d63cbc4cccc50c ] When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less then 5min will crash giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call Trace: ftrace_bug+0x288/0x2e8 (unreliable) ftrace_modify_all_code+0x168/0x210 arch_ftrace_update_code+0x18/0x30 ftrace_run_update_code+0x44/0xc0 ftrace_startup+0xf8/0x1c0 register_ftrace_function+0x4c/0xc0 function_trace_init+0x80/0xb0 tracing_set_tracer+0x2a4/0x4f0 tracing_set_trace_write+0xd4/0x130 vfs_write+0xf0/0x330 ksys_write+0x84/0x140 system_call_exception+0x14c/0x230 system_call_common+0xf0/0x27c To fix this when updating kernel memory PTEs using ptesync. Fixes: f1cb8f9beba8 ("powerpc/64s/radix: avoid ptesync after set_pte and ptep_set_access_flags") Signed-off-by: Jordan Niethe Reviewed-by: Nicholas Piggin [mpe: Tidy up change log slightly] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210208032957.1232102-1-jniethe5@gmail.com Signed-off-by: Sasha Levin commit 8fac4bd3674ffdb85f835cf497888fbb913e40a3 Author: Mike Marciniszyn Date: Mon Mar 29 09:54:14 2021 -0400 IB/hfi1: Use kzalloc() for mmu_rb_handler allocation [ Upstream commit ca5f72568e034e1295a7ae350b1f786fcbfb2848 ] The code currently assumes that the mmu_notifier struct embedded in mmu_rb_handler only contains two fields. There are now extra fields: struct mmu_notifier { struct hlist_node hlist; const struct mmu_notifier_ops *ops; struct mm_struct *mm; struct rcu_head rcu; unsigned int users; }; Given that there in no init for the mmu_notifier, a kzalloc() should be used to insure that any newly added fields are given a predictable initial value of zero. Fixes: 06e0ffa69312 ("IB/hfi1: Re-factor MMU notification code") Link: https://lore.kernel.org/r/1617026056-50483-9-git-send-email-dennis.dalessandro@cornelisnetworks.com Reviewed-by: Adam Goldman Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f9e9df72dc08873fccfc688fe19b85e93655f052 Author: Colin Ian King Date: Wed Apr 7 11:12:48 2021 +0100 liquidio: Fix unintented sign extension of a left shift of a u16 [ Upstream commit 298b58f00c0f86868ea717426beb5c1198772f81 ] The macro CN23XX_PEM_BAR1_INDEX_REG is being used to shift oct->pcie_port (a u16) left 24 places. There are two subtle issues here, first the shift gets promoted to an signed int and then sign extended to a u64. If oct->pcie_port is 0x80 or more then the upper bits get sign extended to 1. Secondly shfiting a u16 24 bits will lead to an overflow so it needs to be cast to a u64 for all the bits to not overflow. It is entirely possible that the u16 port value is never large enough for this to fail, but it is useful to fix unintended overflows such as this. Fix this by casting the port parameter to the macro to a u64 before the shift. Addresses-Coverity: ("Unintended sign extension") Fixes: 5bc67f587ba7 ("liquidio: CN23XX register definitions") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c87df56d28a6b51389b37a7bff71b7048afad801 Author: Krzysztof Kozlowski Date: Wed Apr 7 11:20:27 2021 +0200 ASoC: simple-card: fix possible uninitialized single_cpu local variable [ Upstream commit fa74c223b6fd78a5314b4c61b9abdbed3c2185b4 ] The 'single_cpu' local variable is assigned by asoc_simple_parse_dai() and later used in a asoc_simple_canonicalize_cpu() call, assuming the entire function did not exit on errors. However the first function returns 0 if passed device_node is NULL, thus leaving the variable uninitialized and reporting success. Addresses-Coverity: Uninitialized scalar variable Fixes: 8f7f298a3337 ("ASoC: simple-card-utils: separate asoc_simple_card_parse_dai()") Signed-off-by: Krzysztof Kozlowski Acked-by: Sameer Pujar Link: https://lore.kernel.org/r/20210407092027.60769-1-krzysztof.kozlowski@canonical.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 325e8f9edf72adfcb84ee52e6cf15efad7f8b629 Author: Alexandru Elisei Date: Wed Apr 7 15:48:57 2021 +0100 KVM: arm64: Initialize VCPU mdcr_el2 before loading it [ Upstream commit 263d6287da1433aba11c5b4046388f2cdf49675c ] When a VCPU is created, the kvm_vcpu struct is initialized to zero in kvm_vm_ioctl_create_vcpu(). On VHE systems, the first time vcpu.arch.mdcr_el2 is loaded on hardware is in vcpu_load(), before it is set to a sensible value in kvm_arm_setup_debug() later in the run loop. The result is that KVM executes for a short time with MDCR_EL2 set to zero. This has several unintended consequences: * Setting MDCR_EL2.HPMN to 0 is constrained unpredictable according to ARM DDI 0487G.a, page D13-3820. The behavior specified by the architecture in this case is for the PE to behave as if MDCR_EL2.HPMN is set to a value less than or equal to PMCR_EL0.N, which means that an unknown number of counters are now disabled by MDCR_EL2.HPME, which is zero. * The host configuration for the other debug features controlled by MDCR_EL2 is temporarily lost. This has been harmless so far, as Linux doesn't use the other fields, but that might change in the future. Let's avoid both issues by initializing the VCPU's mdcr_el2 field in kvm_vcpu_vcpu_first_run_init(), thus making sure that the MDCR_EL2 register has a consistent value after each vcpu_load(). Fixes: d5a21bcc2995 ("KVM: arm64: Move common VHE/non-VHE trap config in separate functions") Signed-off-by: Alexandru Elisei Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210407144857.199746-3-alexandru.elisei@arm.com Signed-off-by: Sasha Levin commit 348f68ae40c836a864a2eb36728f686525e3b16d Author: Hans de Goede Date: Sun Apr 4 10:04:29 2021 +0200 HID: lenovo: Map mic-mute button to KEY_F20 instead of KEY_MICMUTE [ Upstream commit 617103246cfd19af837e4cb614ba9f877c4f7779 ] Mapping the mic-mute button to KEY_MICMUTE is technically correct but KEY_MICMUTE translates to a scancode of 256 (248 + 8) under X, which does not fit in 8 bits, so it does not work. Because of this userspace is expecting KEY_F20 instead, theoretically KEY_MICMUTE should work under Wayland but even there it does not work, because the desktop-environment is listening only for KEY_F20 and not for KEY_MICMUTE. Fixes: bc04b37ea0ec ("HID: lenovo: Add ThinkPad 10 Ultrabook Keyboard support") Reviewed-by: Marek Behún Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 9b14027e4cc21d6f7673b5c21169c35d9363a456 Author: Hans de Goede Date: Sun Apr 4 10:04:26 2021 +0200 HID: lenovo: Check hid_get_drvdata() returns non NULL in lenovo_event() [ Upstream commit 34348a8661e3cd67dcf6938f08c8bb77522301f7 ] The HID lenovo probe function only attaches drvdata to one of the USB interfaces, but lenovo_event() will get called for all USB interfaces to which hid-lenovo is bound. This allows a malicious device to fake being a device handled by hid-lenovo, which generates events for which lenovo_event() has special handling (and thus dereferences hid_get_drvdata()) on another interface triggering a NULL pointer exception. Add a check for hid_get_drvdata() returning NULL, avoiding this possible NULL pointer exception. Fixes: bc04b37ea0ec ("HID: lenovo: Add ThinkPad 10 Ultrabook Keyboard support") Reviewed-by: Marek Behún Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 5ccdc6dd62666e64b38f18686c0e4f68b541c876 Author: Hans de Goede Date: Sun Apr 4 10:04:25 2021 +0200 HID: lenovo: Fix lenovo_led_set_tp10ubkbd() error handling [ Upstream commit 658d04e6eb6be1601ae95d7bee92bbf4096cdc1e ] Fix the following issues with lenovo_led_set_tp10ubkbd() error handling: 1. On success hid_hw_raw_request() returns the number of bytes sent. So we should check for (ret != 3) rather then for (ret != 0). 2. Actually propagate errors to the caller. 3. Since the LEDs are part of an USB keyboard-dock the mute LEDs can go away at any time. Don't log an error when ret == -ENODEV and set the LED_HW_PLUGGABLE flag to avoid errors getting logged when the USB gets disconnected. Fixes: bc04b37ea0ec ("HID: lenovo: Add ThinkPad 10 Ultrabook Keyboard support") Reviewed-by: Marek Behún Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 29bfd0446a2cd89d02e21d13058f09dc07a98742 Author: Hans de Goede Date: Sun Apr 4 10:04:24 2021 +0200 HID: lenovo: Use brightness_set_blocking callback for setting LEDs brightness [ Upstream commit bbf62645255f120bc2e7488c237e3f04da42ec70 ] The lenovo_led_brightness_set function may sleep, so we should have the the led_class_dev's brightness_set_blocking callback point to it, rather then the regular brightness_set callback. When toggled through sysfs this is not a problem, but the brightness_set callback may be called from atomic context when using LED-triggers. Fixes: bc04b37ea0ec ("HID: lenovo: Add ThinkPad 10 Ultrabook Keyboard support") Reviewed-by: Marek Behún Acked-by: Pavel Machek Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 716132e00ce159759f00f7e2238651b1130e30a1 Author: Takashi Iwai Date: Tue Apr 6 13:35:34 2021 +0200 ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls [ Upstream commit 5fb45414ae03421255593fd5556aa2d1d82303aa ] There are a few calls of usb_driver_claim_interface() but all of those miss the proper error checks, as reported by Coverity. This patch adds those missing checks. Along with it, replace the magic pointer with -1 with a constant USB_AUDIO_IFACE_UNUSED for better readability. Reported-by: coverity-bot Addresses-Coverity-ID: 1475943 ("Error handling issues") Addresses-Coverity-ID: 1475944 ("Error handling issues") Addresses-Coverity-ID: 1475945 ("Error handling issues") Fixes: b1ce7ba619d9 ("ALSA: usb-audio: claim autodetected PCM interfaces all at once") Fixes: e5779998bf8b ("ALSA: usb-audio: refactor code") Link: https://lore.kernel.org/r/202104051059.FB7F3016@keescook Link: https://lore.kernel.org/r/20210406113534.30455-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e759105d459bf53e4f471c65c01972146ba86879 Author: Lu Baolu Date: Sat Mar 20 10:54:13 2021 +0800 iommu/vt-d: Invalidate PASID cache when root/context entry changed [ Upstream commit c0474a606ecb9326227b4d68059942f9db88a897 ] When the Intel IOMMU is operating in the scalable mode, some information from the root and context table may be used to tag entries in the PASID cache. Software should invalidate the PASID-cache when changing root or context table entries. Suggested-by: Ashok Raj Fixes: 7373a8cc38197 ("iommu/vt-d: Setup context and enable RID2PASID support") Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210320025415.641201-4-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit c848416cc05afc1589edba04fe00b85c2f797ee3 Author: Lu Baolu Date: Sat Mar 20 10:54:12 2021 +0800 iommu/vt-d: Remove WO permissions on second-level paging entries [ Upstream commit eea53c5816889ee8b64544fa2e9311a81184ff9c ] When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always set. When using second level, we still give separate permissions that allows WriteOnly which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration. Suggested-by: Ashok Raj Fixes: b802d070a52a1 ("iommu/vt-d: Use iova over first level") Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210320025415.641201-3-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 416fa531c8160151090206a51b829b9218b804d9 Author: Lu Baolu Date: Fri Jan 15 08:42:02 2021 +0800 iommu/vt-d: Preset Access/Dirty bits for IOVA over FL [ Upstream commit a8ce9ebbecdfda3322bbcece6b3b25888217f8e3 ] The Access/Dirty bits in the first level page table entry will be set whenever a page table entry was used for address translation or write permission was successfully translated. This is always true when using the first-level page table for kernel IOVA. Instead of wasting hardware cycles to update the certain bits, it's better to set them up at the beginning. Suggested-by: Ashok Raj Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210115004202.953965-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 32737c3a2669f95ec46e8711f866e050ac2b6be3 Author: Lu Baolu Date: Sat Mar 20 10:54:11 2021 +0800 iommu/vt-d: Report the right page fault address [ Upstream commit 03d205094af45bca4f8e0498c461a893aa3ec6d9 ] The Address field of the Page Request Descriptor only keeps bit [63:12] of the offending address. Convert it to a full address before reporting it to device drivers. Fixes: eb8d93ea3c1d3 ("iommu/vt-d: Report page request faults for guest SVA") Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210320025415.641201-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit eb0530d71c78f77ab52e65ea629317186eda170f Author: Lu Baolu Date: Tue Mar 30 10:11:45 2021 +0800 iommu/vt-d: Report right snoop capability when using FL for IOVA [ Upstream commit 6c00612d0cba10f7d0917cf1f73c945003ed4cd7 ] The Intel VT-d driver checks wrong register to report snoop capablility when using first level page table for GPA to HPA translation. This might lead the IOMMU driver to say that it supports snooping control, but in reality, it does not. Fix this by always setting PASID-table-entry.PGSNP whenever a pasid entry is setting up for GPA to HPA translation so that the IOMMU driver could report snoop capability as long as it runs in the scalable mode. Fixes: b802d070a52a1 ("iommu/vt-d: Use iova over first level") Suggested-by: Rajesh Sankaran Suggested-by: Kevin Tian Suggested-by: Ashok Raj Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210330021145.13824-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 620aa5821aaa2636d1675c72ab89ee1f26ee4fa1 Author: Xiang Chen Date: Thu Mar 25 11:38:24 2021 +0800 iommu: Fix a boundary issue to avoid performance drop [ Upstream commit 3431c3f660a39f6ced954548a59dba6541ce3eb1 ] After the change of patch ("iommu: Switch gather->end to the inclusive end"), the performace drops from 1600+K IOPS to 1200K in our kunpeng ARM64 platform. We find that the range [start1, end1) actually is joint from the range [end1, end2), but it is considered as disjoint after the change, so it needs more times of TLB sync, and spends more time on it. So fix the boundary issue to avoid performance drop. Fixes: 862c3715de8f ("iommu: Switch gather->end to the inclusive end") Signed-off-by: Xiang Chen Acked-by: Will Deacon Link: https://lore.kernel.org/r/1616643504-120688-1-git-send-email-chenxiang66@hisilicon.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit c96f7eb59b7e9f0ba7aace13169fe67e39e3adfa Author: Lu Baolu Date: Sat Mar 20 10:41:56 2021 +0800 iommu/vt-d: Don't set then clear private data in prq_event_thread() [ Upstream commit 1d421058c815d54113d9afdf6db3f995c788cf0d ] The VT-d specification (section 7.6) requires that the value in the Private Data field of a Page Group Response Descriptor must match the value in the Private Data field of the respective Page Request Descriptor. The private data field of a page group response descriptor is set then immediately cleared in prq_event_thread(). This breaks the rule defined by the VT-d specification. Fix it by moving clearing code up. Fixes: 5b438f4ba315d ("iommu/vt-d: Support page request in scalable mode") Cc: Jacob Pan Reviewed-by: Liu Yi L Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210320024156.640798-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit e0c7b956162b09a2c46623a99ef4f9b3332f4725 Author: Álvaro Fernández Rojas Date: Sun Mar 14 17:43:46 2021 +0100 mips: bmips: fix syscon-reboot nodes [ Upstream commit cde58b861a1d365568588adda59d42351c0c4ad3 ] Commit a23c4134955e added the clock controller nodes, incorrectly changing the syscon-reboot nodes addresses. Fixes: a23c4134955e ("MIPS: BMIPS: add clock controller nodes") Signed-off-by: Álvaro Fernández Rojas Acked-by: Florian Fainelli Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 3cf9fac71b7903065719d4743772d6302367b6fe Author: Salil Mehta Date: Mon Apr 5 18:28:25 2021 +0100 net: hns3: Limiting the scope of vector_ring_chain variable [ Upstream commit d392ecd1bc29ae15b0e284d5f732c2d36f244271 ] Limiting the scope of the variable vector_ring_chain to the block where it is used. Fixes: 424eb834a9be ("net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC") Signed-off-by: Salil Mehta Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit db574a60c48236addd86113da86f1343078ee4fc Author: Dan Carpenter Date: Fri Apr 2 14:44:42 2021 +0300 nfc: pn533: prevent potential memory corruption [ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ] If the "type_a->nfcid_len" is too large then it would lead to memory corruption in pn533_target_found_type_a() when we do: memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len); Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a16f02187d9d1f351b1b43d6cbd4f297b6518c2c Author: Håkon Bugge Date: Mon Mar 22 14:35:32 2021 +0100 RDMA/core: Fix corrupted SL on passive side [ Upstream commit 194f64a3cad3ab9e381e996a13089de3215d1887 ] On RoCE systems, a CM REQ contains a Primary Hop Limit > 1 and Primary Subnet Local is zero. In cm_req_handler(), the cm_process_routed_req() function is called. Since the Primary Subnet Local value is zero in the request, and since this is RoCE (Primary Local LID is permissive), the following statement will be executed: IBA_SET(CM_REQ_PRIMARY_SL, req_msg, wc->sl); This corrupts SL in req_msg if it was different from zero. In other words, a request to setup a connection using an SL != zero, will not be honored, and a connection using SL zero will be created instead. Fixed by not calling cm_process_routed_req() on RoCE systems, the cm_process_route_req() is only for IB anyhow. Fixes: 3971c9f6dbf2 ("IB/cm: Add interim support for routed paths") Link: https://lore.kernel.org/r/1616420132-31005-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 556e75a0ae034e8850adaa12f305de615439b724 Author: Andrew Scull Date: Thu Mar 18 14:33:07 2021 +0000 bug: Remove redundant condition check in report_bug [ Upstream commit 3ad1a6cb0abc63d036fc866bd7c2c5983516dec5 ] report_bug() will return early if it cannot find a bug corresponding to the provided address. The subsequent test for the bug will always be true so remove it. Fixes: 1b4cfe3c0a30d ("lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()") Signed-off-by: Andrew Scull Cc: Peter Zijlstra Cc: "Steven Rostedt (VMware)" Reviewed-by: Steven Rostedt (VMware) Acked-by: Will Deacon Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210318143311.839894-2-ascull@google.com Signed-off-by: Sasha Levin commit faba97afdbb9d3ae4f4829603dc6513f0ad133b6 Author: Yang Yingliang Date: Wed Mar 31 16:36:02 2021 +0800 net/tipc: fix missing destroy_workqueue() on error in tipc_crypto_start() [ Upstream commit ac1db7acea67777be1ba86e36e058c479eab6508 ] Add the missing destroy_workqueue() before return from tipc_crypto_start() in the error handling case. Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fd26f3a07e7397bf2cb23a7792874c8767a18db3 Author: Michael Ellerman Date: Tue Mar 16 12:09:38 2021 +1100 powerpc/pseries: Only register vio drivers if vio bus exists [ Upstream commit 11d92156f7a862091009d7655d19c1e7de37fc7a ] The vio bus is a fake bus, which we use on pseries LPARs (guests) to discover devices provided by the hypervisor. There's no need or sense in creating the vio bus on bare metal systems. Which is why commit 4336b9337824 ("powerpc/pseries: Make vio and ibmebus initcalls pseries specific") made the initialisation of the vio bus only happen in LPARs. However as a result of that commit we now see errors at boot on bare metal systems: Driver 'hvc_console' was unable to register with bus_type 'vio' because the bus was not initialized. Driver 'tpm_ibmvtpm' was unable to register with bus_type 'vio' because the bus was not initialized. This happens because those drivers are built-in, and are calling vio_register_driver(). It in turn calls driver_register() with a reference to vio_bus_type, but we haven't registered vio_bus_type with the driver core. Fix it by also guarding vio_register_driver() with a check to see if we are on pseries. Fixes: 4336b9337824 ("powerpc/pseries: Make vio and ibmebus initcalls pseries specific") Reported-by: Paul Menzel Signed-off-by: Michael Ellerman Tested-by: Paul Menzel Reviewed-by: Tyrel Datwyler Link: https://lore.kernel.org/r/20210316010938.525657-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 4877c4a52339f897de94cd15a98f69f33cacdf46 Author: Paolo Abeni Date: Tue Mar 30 12:28:52 2021 +0200 udp: never accept GSO_FRAGLIST packets [ Upstream commit 78352f73dc5047f3f744764cc45912498c52f3c9 ] Currently the UDP protocol delivers GSO_FRAGLIST packets to the sockets without the expected segmentation. This change addresses the issue introducing and maintaining a couple of new fields to explicitly accept SKB_GSO_UDP_L4 or GSO_FRAGLIST packets. Additionally updates udp_unexpected_gso() accordingly. UDP sockets enabling UDP_GRO stil keep accept_udp_fraglist zeroed. v1 -> v2: - use 2 bits instead of a whole GSO bitmask (Willem) Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.") Signed-off-by: Paolo Abeni Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c45cb22a5500c6f45fa6e966400f6afd51e685ad Author: Andre Edich Date: Mon Mar 29 11:45:36 2021 +0200 net: phy: lan87xx: fix access to wrong register of LAN87xx [ Upstream commit fdb5cc6ab3b6a1c0122d3644a63ef9dc7a610d35 ] The function lan87xx_config_aneg_ext was introduced to configure LAN95xxA but as well writes to undocumented register of LAN87xx. This fix prevents that access. The function lan87xx_config_aneg_ext gets more suitable for the new behavior name. Reported-by: Måns Rullgård Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support") Signed-off-by: Andre Edich Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 897c095c7e9ea3c20875f7d6ff626f8455d3324e Author: Jia Zhou Date: Tue Mar 30 13:19:23 2021 +0200 ALSA: core: remove redundant spin_lock pair in snd_card_disconnect [ Upstream commit abc21649b3e5c34b143bf86f0c78e33d5815e250 ] modification in commit 2a3f7221acdd ("ALSA: core: Fix card races between register and disconnect") resulting in this problem. Fixes: 2a3f7221acdd ("ALSA: core: Fix card races between register and disconnect") Signed-off-by: Jia Zhou Signed-off-by: Yi Wang Link: https://lore.kernel.org/r/1616989007-34429-1-git-send-email-wang.yi59@zte.com.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit afb3416c4fef5c4e18808c9328e01967b2a2a501 Author: Álvaro Fernández Rojas Date: Wed Mar 24 09:19:02 2021 +0100 gpio: guard gpiochip_irqchip_add_domain() with GPIOLIB_IRQCHIP [ Upstream commit 9c7d24693d864f90b27aad5d15fbfe226c02898b ] The current code doesn't check if GPIOLIB_IRQCHIP is enabled, which results in a compilation error when trying to build gpio-regmap if CONFIG_GPIOLIB_IRQCHIP isn't enabled. Fixes: 6a45b0e2589f ("gpiolib: Introduce gpiochip_irqchip_add_domain()") Suggested-by: Michael Walle Signed-off-by: Álvaro Fernández Rojas Reviewed-by: Linus Walleij Reviewed-by: Michael Walle Acked-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20210324081923.20379-2-noltari@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9becf957e0b0bb16afc206315c233346c6fd4aaa Author: Tiezhu Yang Date: Thu Mar 25 20:50:01 2021 +0800 MIPS/bpf: Enable bpf_probe_read{, str}() on MIPS again [ Upstream commit 66633abd0642f1e89d26e15f36fb13d3a1c535ff ] After commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work"), bpf_probe_read{, str}() functions were no longer available on MIPS, so there exist some errors when running bpf program: root@linux:/home/loongson/bcc# python examples/tracing/task_switch.py bpf: Failed to load program: Invalid argument [...] 11: (85) call bpf_probe_read#4 unknown func bpf_probe_read#4 [...] Exception: Failed to load BPF program count_sched: Invalid argument ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE should be restricted to archs with non-overlapping address ranges, but they can overlap in EVA mode on MIPS, so select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE if !EVA in arch/mips/Kconfig, otherwise the bpf old helper bpf_probe_read() will not be available. This is similar with the commit d195b1d1d119 ("powerpc/bpf: Enable bpf_probe_read{, str}() on powerpc again"). Fixes: 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work") Signed-off-by: Tiezhu Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 19c990c9fad3eaafbf3d7dbc9c8f62679ab63726 Author: Chen Huang Date: Sat Mar 27 09:49:00 2021 +0000 powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration [ Upstream commit 4fe529449d85e78972fa327999961ecc83a0b6db ] When compiling the powerpc with the SMP disabled, it shows the issue: arch/powerpc/kernel/watchdog.c: In function ‘watchdog_smp_panic’: arch/powerpc/kernel/watchdog.c:177:4: error: implicit declaration of function ‘smp_send_nmi_ipi’; did you mean ‘smp_send_stop’? [-Werror=implicit-function-declaration] 177 | smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000); | ^~~~~~~~~~~~~~~~ | smp_send_stop cc1: all warnings being treated as errors make[2]: *** [scripts/Makefile.build:273: arch/powerpc/kernel/watchdog.o] Error 1 make[1]: *** [scripts/Makefile.build:534: arch/powerpc/kernel] Error 2 make: *** [Makefile:1980: arch/powerpc] Error 2 make: *** Waiting for unfinished jobs.... We found that powerpc used ipi to implement hardlockup watchdog, so the HAVE_HARDLOCKUP_DETECTOR_ARCH should depend on the SMP. Fixes: 2104180a5369 ("powerpc/64s: implement arch-specific hardlockup watchdog") Reported-by: Hulk Robot Signed-off-by: Chen Huang Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210327094900.938555-1-chenhuang5@huawei.com Signed-off-by: Sasha Levin commit 499b3ceb17ad37942f03dee8736e4ff2c4763a46 Author: Lv Yunlong Date: Mon Mar 22 09:13:25 2021 -0700 IB/isert: Fix a use after free in isert_connect_request [ Upstream commit adb76a520d068a54ee5ca82e756cf8e5a47363a4 ] The device is got by isert_device_get() with refcount is 1, and is assigned to isert_conn by isert_conn->device = device. When isert_create_qp() failed, device will be freed with isert_device_put(). Later, the device is used in isert_free_login_buf(isert_conn) by the isert_conn->device->ib_device statement. Free the device in the correct order. Fixes: ae9ea9ed38c9 ("iser-target: Split some logic in isert_connect_request to routines") Link: https://lore.kernel.org/r/20210322161325.7491-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Lv Yunlong Acked-by: Sagi Grimberg Reviewed-by: Leon Romanovsky Reviewed-by: Max Gurtovoy Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 78f537c0054a485d4e3dfb69866e2611a4bcc5c9 Author: Maor Gottlieb Date: Thu Mar 18 15:51:23 2021 +0200 RDMA/mlx5: Fix drop packet rule in egress table [ Upstream commit c73700806d4e430d182c2be069d230076818a99a ] Initial drop action support missed that drop action can be added to egress flow tables as well. Add the missing support. This requires making sure that dest_type isn't set to PORT which in turn exposes a possibility of passing dst while indicating number of dsts as zero. Explicitly check for number of dsts and pass the appropriate pointer. Fixes: f29de9eee782 ("RDMA/mlx5: Add support for drop action in DV steering") Link: https://lore.kernel.org/r/20210318135123.680759-1-leon@kernel.org Reviewed-by: Mark Bloch Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4ff081701b3ddbec417412638168f922527cf4df Author: Zhen Lei Date: Wed Mar 24 16:16:03 2021 +0800 iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK [ Upstream commit 655c447c97d7fe462e6cd9e15809037be028bc70 ] In arm_smmu_gerror_handler(), the value of the SMMU_GERROR register is filtered by GERROR_ERR_MASK. However, the GERROR_ERR_MASK does not contain the SFM bit. As a result, the subsequent error processing is not performed when only the SFM error occurs. Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") Reported-by: Rui Zhu Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210324081603.1074-1-thunder.leizhen@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 9681d50a70b277349b1e8c39e72a08bf02a222c1 Author: Shengjiu Wang Date: Wed Mar 3 11:07:42 2021 +0800 ASoC: wm8960: Remove bitclk relax condition in wm8960_configure_sysclk [ Upstream commit 99067c07e8d877035f6249d194a317c78b7d052d ] The call sequence in wm8960_configure_clocking is ret = wm8960_configure_sysclk(); if (ret >= 0) goto configure_clock; .... ret = wm8960_configure_pll(); configure_clock: ... wm8960_configure_sysclk is called before wm8960_configure_pll, as there is bitclk relax on both functions, so wm8960_configure_sysclk always return success, then wm8960_configure_pll() never be called. With this case: aplay -Dhw:0,0 -d 5 -r 48000 -f S24_LE -c 2 audio48k24b2c.wav the required bitclk is 48000 * 24 * 2 = 2304000, bitclk got from wm8960_configure_sysclk is 3072000, but if go to wm8960_configure_pll. it can get correct bitclk 2304000. So bitclk relax condition should be removed in wm8960_configure_sysclk, then wm8960_configure_pll can be called, and there is also bitclk relax function in wm8960_configure_pll. Fixes: 3c01b9ee2ab9 ("ASoC: codec: wm8960: Relax bit clock computation") Signed-off-by: Shengjiu Wang Signed-off-by: Daniel Baluta Acked-by: Charles Keepax Link: https://lore.kernel.org/r/1614740862-30196-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0f69f9596ba0b1a22c0a9db5b7772dc86f3c577e Author: Huang Pei Date: Wed Mar 24 11:24:51 2021 +0800 MIPS: loongson64: fix bug when PAGE_SIZE > 16KB [ Upstream commit 509d36a941a3466b78d4377913623d210b162458 ] When page size larger than 16KB, arguments "vaddr + size(16KB)" in "ioremap_page_range(vaddr, vaddr + size,...)" called by "add_legacy_isa_io" is not page-aligned. As loongson64 needs at least page size 16KB to get rid of cache alias, and "vaddr" is 64KB-aligned, and 64KB is largest page size supported, rounding "size" up to PAGE_SIZE is enough for all page size supported. Fixes: 6d0068ad15e4 ("MIPS: Loongson64: Process ISA Node in DeviceTree") Signed-off-by: Huang Pei Acked-by: Jiaxun Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit da40d5fec5d70e5018523fc78243e5102d86731b Author: Hanna Hawa Date: Fri Mar 19 17:21:33 2021 +0200 pinctrl: pinctrl-single: fix pcs_pin_dbg_show() when bits_per_mux is not zero [ Upstream commit bd85125ea88513f637a62a72e8949c579c5c0a87 ] A System Error (SError, followed by kernel panic) was detected when trying to print the supported pins in a pinctrl device which supports multiple pins per register. This change fixes the pcs_pin_dbg_show() in pinctrl-single driver when bits_per_mux is not zero. In addition move offset calculation and pin offset in register to common function. Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules") Signed-off-by: Hanna Hawa Reviewed-by: Andy Shevchenko Reviewed-by: Tony Lindgren Reviewed-by: Drew Fustini Link: https://lore.kernel.org/r/20210319152133.28705-4-hhhawa@amazon.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 353fcebf49e24e87e7634fec1ef21c75cb571396 Author: Hanna Hawa Date: Fri Mar 19 17:21:32 2021 +0200 pinctrl: pinctrl-single: remove unused parameter [ Upstream commit 8fa2ea202b13b6da81e26c399ff1d87488398453 ] Remove unused parameter 'pin_pos' from pcs_add_pin(). Signed-off-by: Hanna Hawa Reviewed-by: Tony Lindgren Reviewed-by: Drew Fustini Link: https://lore.kernel.org/r/20210319152133.28705-3-hhhawa@amazon.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a273c27d7255fc527023edeb528386d1b64bedf5 Author: Eric Dumazet Date: Wed Mar 24 14:53:37 2021 -0700 inet: use bigger hash table for IP ID generation [ Upstream commit aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba ] In commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") I used a very small hash table that could be abused by patient attackers to reveal sensitive information. Switch to a dynamic sizing, depending on RAM size. Typical big hosts will now use 128x more storage (2 MB) to get a similar increase in security and reduction of hash collisions. As a bonus, use of alloc_large_system_hash() spreads allocated memory among all NUMA nodes. Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") Reported-by: Amit Klein Signed-off-by: Eric Dumazet Cc: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6b4b3b84049f0755b30cb5fafc47430f0962ccd2 Author: Li Huafei Date: Wed Mar 3 11:28:24 2021 +0800 ima: Fix the error code for restoring the PCR value [ Upstream commit 7990ccafaa37dc6d8bb095d4d7cd997e8903fd10 ] In ima_restore_measurement_list(), hdr[HDR_PCR].data is pointing to a buffer of type u8, which contains the dumped 32-bit pcr value. Currently, only the least significant byte is used to restore the pcr value. We should convert hdr[HDR_PCR].data to a pointer of type u32 before fetching the value to restore the correct pcr value. Fixes: 47fdee60b47f ("ima: use ima_parse_buf() to parse measurements headers") Signed-off-by: Li Huafei Reviewed-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 536175f0065cb49da7caf245e9352b341894c46a Author: Huang Pei Date: Tue Mar 23 10:34:02 2021 +0800 MIPS: fix local_irq_{disable,enable} in asmmacro.h [ Upstream commit 05c4e2721d7af0df7bc1378a23712a0fd16947b5 ] commit ba9196d2e005 ("MIPS: Make DIEI support as a config option") use CPU_HAS_DIEI to indicate whether di/ei is implemented correctly, without this patch, "local_irq_disable" from entry.S in 3A1000 (with buggy di/ei) lose protection of commit e97c5b609880 ("MIPS: Make irqflags.h functions preempt-safe for non-mipsr2 cpus") Fixes: ba9196d2e005 ("MIPS: Make DIEI support as a config option") Signed-off-by: Huang Pei Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 4c45556db31c58e25c7e9e9c396c8a1ac8a936e8 Author: Nathan Chancellor Date: Tue Mar 2 13:08:29 2021 -0700 powerpc/prom: Mark identical_pvr_fixup as __init [ Upstream commit 1ef1dd9c7ed27b080445e1576e8a05957e0e4dfc ] If identical_pvr_fixup() is not inlined, there are two modpost warnings: WARNING: modpost: vmlinux.o(.text+0x54e8): Section mismatch in reference from the function identical_pvr_fixup() to the function .init.text:of_get_flat_dt_prop() The function identical_pvr_fixup() references the function __init of_get_flat_dt_prop(). This is often because identical_pvr_fixup lacks a __init annotation or the annotation of of_get_flat_dt_prop is wrong. WARNING: modpost: vmlinux.o(.text+0x551c): Section mismatch in reference from the function identical_pvr_fixup() to the function .init.text:identify_cpu() The function identical_pvr_fixup() references the function __init identify_cpu(). This is often because identical_pvr_fixup lacks a __init annotation or the annotation of identify_cpu is wrong. identical_pvr_fixup() calls two functions marked as __init and is only called by a function marked as __init so it should be marked as __init as well. At the same time, remove the inline keywork as it is not necessary to inline this function. The compiler is still free to do so if it feels it is worthwhile since commit 889b3c1245de ("compiler: remove CONFIG_OPTIMIZE_INLINING entirely"). Fixes: 14b3d926a22b ("[POWERPC] 4xx: update 440EP(x)/440GR(x) identical PVR issue workaround") Signed-off-by: Nathan Chancellor Signed-off-by: Michael Ellerman Link: https://github.com/ClangBuiltLinux/linux/issues/1316 Link: https://lore.kernel.org/r/20210302200829.2680663-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 494327b777f6d9fe30de68638130df99348b4941 Author: Nathan Chancellor Date: Tue Mar 2 12:50:14 2021 -0700 powerpc/fadump: Mark fadump_calculate_reserve_size as __init [ Upstream commit fbced1546eaaab57a32e56c974ea8acf10c6abd8 ] If fadump_calculate_reserve_size() is not inlined, there is a modpost warning: WARNING: modpost: vmlinux.o(.text+0x5196c): Section mismatch in reference from the function fadump_calculate_reserve_size() to the function .init.text:parse_crashkernel() The function fadump_calculate_reserve_size() references the function __init parse_crashkernel(). This is often because fadump_calculate_reserve_size lacks a __init annotation or the annotation of parse_crashkernel is wrong. fadump_calculate_reserve_size() calls parse_crashkernel(), which is marked as __init and fadump_calculate_reserve_size() is called from within fadump_reserve_mem(), which is also marked as __init. Mark fadump_calculate_reserve_size() as __init to fix the section mismatch. Additionally, remove the inline keyword as it is not necessary to inline this function; the compiler is still free to do so if it feels it is worthwhile since commit 889b3c1245de ("compiler: remove CONFIG_OPTIMIZE_INLINING entirely"). Fixes: 11550dc0a00b ("powerpc/fadump: reuse crashkernel parameter for fadump memory reservation") Signed-off-by: Nathan Chancellor Signed-off-by: Michael Ellerman Link: https://github.com/ClangBuiltLinux/linux/issues/1300 Link: https://lore.kernel.org/r/20210302195013.2626335-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 454fb207476b34daa26fca1692eacd763b0adea9 Author: KP Singh Date: Fri Mar 19 19:21:17 2021 +0000 libbpf: Add explicit padding to btf_dump_emit_type_decl_opts [ Upstream commit ea24b19562fe5f72c78319dbb347b701818956d9 ] Similar to https://lore.kernel.org/bpf/20210313210920.1959628-2-andrii@kernel.org/ When DECLARE_LIBBPF_OPTS is used with inline field initialization, e.g: DECLARE_LIBBPF_OPTS(btf_dump_emit_type_decl_opts, opts, .field_name = var_ident, .indent_level = 2, .strip_mods = strip_mods, ); and compiled in debug mode, the compiler generates code which leaves the padding uninitialized and triggers errors within libbpf APIs which require strict zero initialization of OPTS structs. Adding anonymous padding field fixes the issue. Fixes: 9f81654eebe8 ("libbpf: Expose BTF-to-C type declaration emitting API") Suggested-by: Andrii Nakryiko Signed-off-by: KP Singh Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210319192117.2310658-1-kpsingh@kernel.org Signed-off-by: Sasha Levin commit 87520507b1ae99121e2090856ddf26be5ce51ea1 Author: Andrii Nakryiko Date: Thu Mar 18 12:40:34 2021 -0700 selftests/bpf: Re-generate vmlinux.h and BPF skeletons if bpftool changed [ Upstream commit cab62c37be057379a2a17b1b2eacd9dcba1e14dc ] Trigger vmlinux.h and BPF skeletons re-generation if detected that bpftool was re-compiled. Otherwise full `make clean` is required to get updated skeletons, if bpftool is modified. Fixes: acbd06206bbb ("selftests/bpf: Add vmlinux.h selftest exercising tracing of syscalls") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210318194036.3521577-11-andrii@kernel.org Signed-off-by: Sasha Levin commit ee06efc811eadd897ee7ab3dc44dde66235f808d Author: Jacob Pan Date: Tue Mar 2 02:13:59 2021 -0800 iommu/vt-d: Reject unsupported page request modes [ Upstream commit 78a523fe73b81b4447beb2d6c78c9fafae24eebb ] When supervisor/privilige mode SVM is used, we bind init_mm.pgd with a supervisor PASID. There should not be any page fault for init_mm. Execution request with DMA read is also not supported. This patch checks PRQ descriptor for both unsupported configurations, reject them both with invalid responses. Fixes: 1c4f88b7f1f92 ("iommu/vt-d: Shared virtual address in scalable mode") Acked-by: Lu Baolu Signed-off-by: Jacob Pan Link: https://lore.kernel.org/r/1614680040-1989-4-git-send-email-jacob.jun.pan@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit b60e13c306884e18c17498ca62353645bced9138 Author: Shameer Kolothum Date: Wed Mar 3 17:36:11 2021 +0000 iommu: Check dev->iommu in iommu_dev_xxx functions [ Upstream commit b9abb19fa5fd2d8a4be61c6cd4b2a48aa1a17f9c ] The device iommu probe/attach might have failed leaving dev->iommu to NULL and device drivers may still invoke these functions resulting in a crash in iommu vendor driver code. Hence make sure we check that. Fixes: a3a195929d40 ("iommu: Add APIs for multiple domains per device") Signed-off-by: Shameer Kolothum Reviewed-by: Robin Murphy Link: https://lore.kernel.org/r/20210303173611.520-1-shameerali.kolothum.thodi@huawei.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 3d15bf2b2c93dd606da7a3c163a56ef91d802463 Author: Andrii Nakryiko Date: Sat Mar 13 13:09:18 2021 -0800 bpftool: Fix maybe-uninitialized warnings [ Upstream commit 4bbb3583687051ef99966ddaeb1730441b777d40 ] Somehow when bpftool is compiled in -Og mode, compiler produces new warnings about possibly uninitialized variables. Fix all the reported problems. Fixes: 2119f2189df1 ("bpftool: add C output format option to btf dump subcommand") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210313210920.1959628-3-andrii@kernel.org Signed-off-by: Sasha Levin commit b1ed7a57175082024eed73259dbd97d7f5d888fc Author: Andrii Nakryiko Date: Sat Mar 13 13:09:17 2021 -0800 libbpf: Add explicit padding to bpf_xdp_set_link_opts [ Upstream commit dde7b3f5f2f458297aeccfd4783e53ab8ca046db ] Adding such anonymous padding fixes the issue with uninitialized portions of bpf_xdp_set_link_opts when using LIBBPF_DECLARE_OPTS macro with inline field initialization: DECLARE_LIBBPF_OPTS(bpf_xdp_set_link_opts, opts, .old_fd = -1); When such code is compiled in debug mode, compiler is generating code that leaves padding bytes uninitialized, which triggers error inside libbpf APIs that do strict zero initialization checks for OPTS structs. Adding anonymous padding field fixes the issue. Fixes: bd5ca3ef93cd ("libbpf: Add function to set link XDP fd while specifying old program") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210313210920.1959628-2-andrii@kernel.org Signed-off-by: Sasha Levin commit f72e3d81c622cea69d04ea8f9e69adeaf73ef89c Author: Xie He Date: Wed Mar 10 23:23:09 2021 -0800 net: lapbether: Prevent racing when checking whether the netif is running [ Upstream commit 5acd0cfbfbb5a688da1bfb1a2152b0c855115a35 ] There are two "netif_running" checks in this driver. One is in "lapbeth_xmit" and the other is in "lapbeth_rcv". They serve to make sure that the LAPB APIs called in these functions are called before "lapb_unregister" is called by the "ndo_stop" function. However, these "netif_running" checks are unreliable, because it's possible that immediately after "netif_running" returns true, "ndo_stop" is called (which causes "lapb_unregister" to be called). This patch adds locking to make sure "lapbeth_xmit" and "lapbeth_rcv" can reliably check and ensure the netif is running while doing their work. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xie He Acked-by: Martin Schiller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7cc0ba67883c6c8d3bddb283f56c167fc837a555 Author: Jiri Kosina Date: Tue Mar 16 15:08:00 2021 +0100 Bluetooth: avoid deadlock between hci_dev->lock and socket lock [ Upstream commit 17486960d79b900c45e0bb8fbcac0262848582ba ] Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a dependency between socket lock and hci_dev->lock that could lead to deadlock. It turns out that hci_conn_get_phy() is not in any way relying on hdev being immutable during the runtime of this function, neither does it even look at any of the members of hdev, and as such there is no need to hold that lock. This fixes the lockdep splat below: ====================================================== WARNING: possible circular locking dependency detected 5.12.0-rc1-00026-g73d464503354 #10 Not tainted ------------------------------------------------------ bluetoothd/1118 is trying to acquire lock: ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth] but task is already holding lock: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}: lock_sock_nested+0x72/0xa0 l2cap_sock_ready_cb+0x18/0x70 [bluetooth] l2cap_config_rsp+0x27a/0x520 [bluetooth] l2cap_sig_channel+0x658/0x1330 [bluetooth] l2cap_recv_frame+0x1ba/0x310 [bluetooth] hci_rx_work+0x1cc/0x640 [bluetooth] process_one_work+0x244/0x5f0 worker_thread+0x3c/0x380 kthread+0x13e/0x160 ret_from_fork+0x22/0x30 -> #2 (&chan->lock#2/1){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x33a/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #1 (&conn->chan_lock){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x322/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 (&hdev->lock){+.+.}-{3:3}: __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 __mutex_lock+0xa3/0xa10 hci_conn_get_phy+0x1c/0x150 [bluetooth] l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth] __sys_getsockopt+0xcc/0x200 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae other info that might help us debug this: Chain exists of: &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&chan->lock#2/1); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&hdev->lock); *** DEADLOCK *** 1 lock held by bluetoothd/1118: #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth] stack backtrace: CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 Call Trace: dump_stack+0x7f/0xa1 check_noncircular+0x105/0x120 ? __lock_acquire+0x147a/0x1a50 __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? __lock_acquire+0x2e1/0x1a50 ? lock_is_held_type+0xb4/0x120 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] __mutex_lock+0xa3/0xa10 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? lock_acquire+0x277/0x3d0 ? mark_held_locks+0x49/0x70 ? mark_held_locks+0x49/0x70 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] hci_conn_get_phy+0x1c/0x150 [bluetooth] l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth] __sys_getsockopt+0xcc/0x200 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fb73df33eee Code: 48 8b 0d 85 0f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 0f 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007fffcfbbbf08 EFLAGS: 00000203 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007fb73df33eee RDX: 000000000000000e RSI: 0000000000000112 RDI: 0000000000000018 RBP: 0000000000000000 R08: 00007fffcfbbbf44 R09: 0000000000000000 R10: 00007fffcfbbbf3c R11: 0000000000000203 R12: 0000000000000000 R13: 0000000000000018 R14: 0000000000000000 R15: 0000556fcefc70d0 Fixes: eab2404ba798 ("Bluetooth: Add BT_PHY socket option") Signed-off-by: Jiri Kosina Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 5cce890e5dc656433c4cd0a07c5aecff4b74da5e Author: Sean Christopherson Date: Thu Feb 25 12:47:30 2021 -0800 KVM: x86/mmu: Retry page faults that hit an invalid memslot [ Upstream commit e0c378684b6545ad2d4403bb701d0ac4932b4e95 ] Retry page faults (re-enter the guest) that hit an invalid memslot instead of treating the memslot as not existing, i.e. handling the page fault as an MMIO access. When deleting a memslot, SPTEs aren't zapped and the TLBs aren't flushed until after the memslot has been marked invalid. Handling the invalid slot as MMIO means there's a small window where a page fault could replace a valid SPTE with an MMIO SPTE. The legacy MMU handles such a scenario cleanly, but the TDP MMU assumes such behavior is impossible (see the BUG() in __handle_changed_spte()). There's really no good reason why the legacy MMU should allow such a scenario, and closing this hole allows for additional cleanups. Fixes: 2f2fad0897cb ("kvm: x86/mmu: Add functions to handle changed TDP SPTEs") Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20210225204749.1512652-6-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit cd6e679b8d1d493cc65067260e690bdc99542172 Author: Marcus Folkesson Date: Wed Feb 24 17:37:06 2021 +0100 wilc1000: write value to WILC_INTR2_ENABLE register [ Upstream commit e21b6e5a54628cd3935f200049d4430c25c54e03 ] Write the value instead of reading it twice. Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") Signed-off-by: Marcus Folkesson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210224163706.519658-1-marcus.folkesson@gmail.com Signed-off-by: Sasha Levin commit 0d74db1457872be4e272652996a7d86c07f20e76 Author: Mark Zhang Date: Thu Mar 4 14:45:17 2021 +0200 RDMA/mlx5: Fix mlx5 rates to IB rates map [ Upstream commit 6fe6e568639859db960c8fcef19a2ece1c2d7eae ] Correct the map between mlx5 rates and corresponding ib rates, as they don't always have a fixed offset between them. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Link: https://lore.kernel.org/r/20210304124517.1100608-4-leon@kernel.org Signed-off-by: Mark Zhang Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4ebb3b797a6369ae329e2aed64c5edbe3375dde9 Author: Cezary Rojewski Date: Mon Jan 25 12:54:41 2021 +0100 ASoC: Intel: Skylake: Compile when any configuration is selected [ Upstream commit 1b99d50b9709a2cddaba4a7faf1862b4f7bec865 ] Skylake is dependent on SND_SOC_INTEL_SKYLAKE (aka "all SST platforms") whereas selecting specific configuration such as KBL-only will not cause driver code to compile. Switch to SND_SOC_INTEL_SKYLAKE_COMMON dependency so selecting any configuration causes the driver to be built. Reported-by: Kai-Heng Feng Suggested-by: Amadeusz Sławiński Fixes: 35bc99aaa1a3 ("ASoC: Intel: Skylake: Add more platform granularity") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20210125115441.10383-1-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5fb733e250c0a2ab55e06400560f3ab998922545 Author: Colin Ian King Date: Fri Feb 26 18:56:53 2021 +0000 ASoC: Intel: boards: sof-wm8804: add check for PLL setting [ Upstream commit 1730ef62874dbdc53dc2abfa430f09f0b304bafc ] Currently the return from snd_soc_dai_set_pll is not checking for failure, this is the only driver in the kernel that ignores this, so it probably should be added for sake of completeness. Fix this by adding an error return check. Addresses-Coverity: ("Unchecked return value") Fixes: f139546fb7d4 ("ASoC: Intel: boards: sof-wm8804: support for Hifiberry Digiplus boards") Signed-off-by: Colin Ian King Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210226185653.1071321-1-colin.king@canonical.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b3222026dde78bd3698df8f064bb6196635e9b36 Author: Arnaldo Carvalho de Melo Date: Mon Mar 8 11:17:51 2021 -0300 perf symbols: Fix dso__fprintf_symbols_by_name() to return the number of printed chars [ Upstream commit 210e4c89ef61432040c6cd828fefa441f4887186 ] The 'ret' variable was initialized to zero but then it was not updated from the fprintf() return, fix it. Reported-by: Yang Li cc: Alexander Shishkin cc: Ingo Molnar cc: Jiri Olsa cc: Mark Rutland cc: Namhyung Kim Cc: Peter Zijlstra Cc: Srikar Dronamraju Fixes: 90f18e63fbd00513 ("perf symbols: List symbols in a dso in ascending name order") Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 56027a2e75e684de4b68881155f3a833e0d8e365 Author: Maxim Mikityanskiy Date: Sun Feb 7 16:47:40 2021 +0200 HID: plantronics: Workaround for double volume key presses [ Upstream commit f567d6ef8606fb427636e824c867229ecb5aefab ] Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice for each volume key press. This patch adds a quirk to hid-plantronics for this product ID, which will ignore the second volume key press if it happens within 5 ms from the last one that was handled. The patch was tested on the mentioned model only, it shouldn't affect other models, however, this quirk might be needed for them too. Auto-repeat (when a key is held pressed) is not affected, because the rate is about 3 times per second, which is far less frequent than once in 5 ms. Fixes: 81bb773faed7 ("HID: plantronics: Update to map volume up/down controls") Signed-off-by: Maxim Mikityanskiy Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 613f9d1f1587e1365bcf9a81a5ed009d9e36e648 Author: Alexander Lobakin Date: Thu Feb 18 20:50:31 2021 +0000 xsk: Respect device's headroom and tailroom on generic xmit path [ Upstream commit 3914d88f7608e6c2e80e344474fa289370c32451 ] xsk_generic_xmit() allocates a new skb and then queues it for xmitting. The size of new skb's headroom is desc->len, so it comes to the driver/device with no reserved headroom and/or tailroom. Lots of drivers need some headroom (and sometimes tailroom) to prepend (and/or append) some headers or data, e.g. CPU tags, device-specific headers/descriptors (LSO, TLS etc.), and if case of no available space skb_cow_head() will reallocate the skb. Reallocations are unwanted on fast-path, especially when it comes to XDP, so generic XSK xmit should reserve the spaces declared in dev->needed_headroom and dev->needed tailroom to avoid them. Note on max(NET_SKB_PAD, L1_CACHE_ALIGN(dev->needed_headroom)): Usually, output functions reserve LL_RESERVED_SPACE(dev), which consists of dev->hard_header_len + dev->needed_headroom, aligned by 16. However, on XSK xmit hard header is already here in the chunk, so hard_header_len is not needed. But it'd still be better to align data up to cacheline, while reserving no less than driver requests for headroom. NET_SKB_PAD here is to double-insure there will be no reallocations even when the driver advertises no needed_headroom, but in fact need it (not so rare case). Fixes: 35fcde7f8deb ("xsk: support for Tx") Signed-off-by: Alexander Lobakin Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20210218204908.5455-5-alobakin@pm.me Signed-off-by: Sasha Levin commit 5378c92425f3dfdc6306de98ad9ad9edfe98880a Author: Lv Yunlong Date: Mon Apr 26 07:32:29 2021 -0700 drivers/block/null_blk/main: Fix a double free in null_init. [ Upstream commit 72ce11ddfa4e9e1879103581a60b7e34547eaa0a ] In null_init, null_add_dev(dev) is called. In null_add_dev, it calls null_free_zoned_dev(dev) to free dev->zones via kvfree(dev->zones) in out_cleanup_zone branch and returns err. Then null_init accept the err code and then calls null_free_dev(dev). But in null_free_dev(dev), dev->zones is freed again by null_free_zoned_dev(). My patch set dev->zones to NULL in null_free_zoned_dev() after kvfree(dev->zones) is called, to avoid the double free. Fixes: 2984c8684f962 ("nullb: factor disk parameters") Signed-off-by: Lv Yunlong Link: https://lore.kernel.org/r/20210426143229.7374-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 94f1bdf01b39306916b6ec917989c9a477b089f6 Author: Waiman Long Date: Thu Apr 15 15:54:26 2021 -0400 sched/debug: Fix cgroup_path[] serialization [ Upstream commit ad789f84c9a145f8a18744c0387cec22ec51651e ] The handling of sysrq key can be activated by echoing the key to /proc/sysrq-trigger or via the magic key sequence typed into a terminal that is connected to the system in some way (serial, USB or other mean). In the former case, the handling is done in a user context. In the latter case, it is likely to be in an interrupt context. Currently in print_cpu() of kernel/sched/debug.c, sched_debug_lock is taken with interrupt disabled for the whole duration of the calls to print_*_stats() and print_rq() which could last for the quite some time if the information dump happens on the serial console. If the system has many cpus and the sched_debug_lock is somehow busy (e.g. parallel sysrq-t), the system may hit a hard lockup panic depending on the actually serial console implementation of the system. The purpose of sched_debug_lock is to serialize the use of the global cgroup_path[] buffer in print_cpu(). The rests of the printk calls don't need serialization from sched_debug_lock. Calling printk() with interrupt disabled can still be problematic if multiple instances are running. Allocating a stack buffer of PATH_MAX bytes is not feasible because of the limited size of the kernel stack. The solution implemented in this patch is to allow only one caller at a time to use the full size group_path[], while other simultaneous callers will have to use shorter stack buffers with the possibility of path name truncation. A "..." suffix will be printed if truncation may have happened. The cgroup path name is provided for informational purpose only, so occasional path name truncation should not be a big problem. Fixes: efe25c2c7b3a ("sched: Reinstate group names in /proc/sched_debug") Suggested-by: Peter Zijlstra Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210415195426.6677-1-longman@redhat.com Signed-off-by: Sasha Levin commit cbbc13b115b8f18e0a714d89f87fbdc499acfe2d Author: Pavel Begunkov Date: Thu Apr 15 13:07:39 2021 +0100 io_uring: fix overflows checks in provide buffers [ Upstream commit 38134ada0ceea3e848fe993263c0ff6207fd46e7 ] Colin reported before possible overflow and sign extension problems in io_provide_buffers_prep(). As Linus pointed out previous attempt did nothing useful, see d81269fecb8ce ("io_uring: fix provide_buffers sign extension"). Do that with help of check__overflow helpers. And fix struct io_provide_buf::len type, as it doesn't make much sense to keep it signed. Reported-by: Colin Ian King Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/46538827e70fce5f6cdb50897cff4cacc490f380.1618488258.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit db4645fbae17092b54efe48eda89f812c12406cd Author: Nathan Chancellor Date: Wed Apr 14 17:11:12 2021 -0700 perf/amd/uncore: Fix sysfs type mismatch [ Upstream commit 5deac80d4571dffb51f452f0027979d72259a1b9 ] dev_attr_show() calls the __uncore_*_show() functions via an indirect call but their type does not currently match the type of the show() member in 'struct device_attribute', resulting in a Control Flow Integrity violation. $ cat /sys/devices/amd_l3/format/umask config:8-15 $ dmesg | grep "CFI failure" [ 1258.174653] CFI failure (target: __uncore_umask_show...): Update the type in the DEFINE_UNCORE_FORMAT_ATTR macro to match 'struct device_attribute' so that there is no more CFI violation. Fixes: 06f2c24584f3 ("perf/amd/uncore: Prepare to scale for more attributes that vary per family") Signed-off-by: Nathan Chancellor Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210415001112.3024673-2-nathan@kernel.org Signed-off-by: Sasha Levin commit c8a54b4d66575a4000e7e0c2872faa78ea38a4c2 Author: Nathan Chancellor Date: Wed Apr 14 17:11:11 2021 -0700 x86/events/amd/iommu: Fix sysfs type mismatch [ Upstream commit de5bc7b425d4c27ae5faa00ea7eb6b9780b9a355 ] dev_attr_show() calls _iommu_event_show() via an indirect call but _iommu_event_show()'s type does not currently match the type of the show() member in 'struct device_attribute', resulting in a Control Flow Integrity violation. $ cat /sys/devices/amd_iommu_1/events/mem_dte_hit csource=0x0a $ dmesg | grep "CFI failure" [ 3526.735140] CFI failure (target: _iommu_event_show...): Change _iommu_event_show() and 'struct amd_iommu_event_desc' to 'struct device_attribute' so that there is no more CFI violation. Fixes: 7be6296fdd75 ("perf/x86/amd: AMD IOMMU Performance Counter PERF uncore PMU implementation") Signed-off-by: Nathan Chancellor Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210415001112.3024673-1-nathan@kernel.org Signed-off-by: Sasha Levin commit d5149a487f2dcb2a048db7a1f68cbc1adf1ba45e Author: Dan Carpenter Date: Fri Apr 9 14:08:17 2021 +0300 HSI: core: fix resource leaks in hsi_add_client_from_dt() [ Upstream commit 5c08b0f75575648032f309a6f58294453423ed93 ] If some of the allocations fail between the dev_set_name() and the device_register() then the name will not be freed. Fix this by moving dev_set_name() directly in front of the call to device_register(). Fixes: a2aa24734d9d ("HSI: Add common DT binding for HSI client devices") Signed-off-by: Dan Carpenter Reviewed-by: Jason Gunthorpe Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 38c1f8ebb3737c59ec1ae9e46e7d8b436de52f43 Author: Jernej Skrabec Date: Mon Apr 12 17:43:49 2021 +0200 media: cedrus: Fix H265 status definitions [ Upstream commit 147d211cc9b4d753148d1640a1758b25edfbf437 ] Some of the H265 status flags are wrong. Redefine them to corespond to Allwinner CedarC open source userspace library. Only one of these flags is actually used and new value also matches value used in libvdpau-sunxi library, which is proven to be working. Note that wrong (old) value in right circumstances (in combination with another H265 decoding bug) causes driver lock up. With this fix decoding is still broken (green output) but at least driver doesn't lock up. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a11497b3bb7546db5a982ccf8bc36a1f30aa4a6f Author: Niklas Cassel Date: Fri Apr 9 20:12:55 2021 +0200 nvme-pci: don't simple map sgl when sgls are disabled [ Upstream commit e51183be1fa96dc6d3cd11b3c25a0f595807315e ] According to the module parameter description for sgl_threshold, a value of 0 means that SGLs are disabled. If SGLs are disabled, we should respect that, even for the case where the request is made up of a single physical segment. Fixes: 297910571f08 ("nvme-pci: optimize mapping single segment requests using SGLs") Signed-off-by: Niklas Cassel Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit b2c55f81c1d16978de9ef43dac9f20dc91eb9302 Author: Elad Grupi Date: Wed Mar 31 17:13:14 2021 +0800 nvmet-tcp: fix a segmentation fault during io parsing error [ Upstream commit bdaf13279192c60b2b1fc99badef53b494fec055 ] In case there is an io that contains inline data and it goes to parsing error flow, command response will free command and iov before clearing the data on the socket buffer. This will delay the command response until receive flow is completed. Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") Signed-off-by: Elad Grupi Signed-off-by: Hou Pu Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 2842b91ac7a5a53edcaa3fb36c14b4fb34ff3024 Author: Fabrice Gasnier Date: Wed Mar 3 18:51:35 2021 +0100 mfd: stm32-timers: Avoid clearing auto reload register [ Upstream commit 4917e498c6894ba077867aff78f82cffd5ffbb5c ] The ARR register is cleared unconditionally upon probing, after the maximum value has been read. This initial condition is rather not intuitive, when considering the counter child driver. It rather expects the maximum value by default: - The counter interface shows a zero value by default for 'ceiling' attribute. - Enabling the counter without any prior configuration makes it doesn't count. The reset value of ARR register is the maximum. So Choice here is to backup it, and restore it then, instead of clearing its value. It also fixes the initial condition seen by the counter driver. Fixes: d0f949e220fd ("mfd: Add STM32 Timers driver") Signed-off-by: Fabrice Gasnier Acked-by: William Breathitt Gray Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit cadbba5ec8952c518af2850fed43d319a8bac140 Author: Orson Zhai Date: Fri Mar 19 14:15:35 2021 +0800 mailbox: sprd: Introduce refcnt when clients requests/free channels [ Upstream commit 9468ab84032f96496e998cfa173cd1d0ac316bcd ] Unisoc mailbox has no way to be enabled/disabled for any single channel. They can only be set to startup or shutdown as a whole device at same time. Add a variable to count references to avoid mailbox FIFO being reset unexpectedly when clients are requesting or freeing channels. Also add a lock to dismiss possible conflicts from register r/w in different startup or shutdown threads. And fix the crash problem when early interrupts come from channel which has not been requested by client yet. Fixes: ca27fc26cd22 ("mailbox: sprd: Add Spreadtrum mailbox driver") Signed-off-by: Orson Zhai Reviewed-by: Baolin Wang Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit b42ec774db50430cf0c97d675f42067595a25408 Author: Brian King Date: Mon Apr 12 18:10:09 2021 -0600 scsi: ibmvfc: Fix invalid state machine BUG_ON() [ Upstream commit 15cfef8623a449d40d16541687afd58e78033be3 ] This fixes an issue hitting the BUG_ON() in ibmvfc_do_work(). When going through a host action of IBMVFC_HOST_ACTION_RESET, we change the action to IBMVFC_HOST_ACTION_TGT_DEL, then drop the host lock, and reset the CRQ, which changes the host state to IBMVFC_NO_CRQ. If, prior to setting the host state to IBMVFC_NO_CRQ, ibmvfc_init_host() is called, it can then end up changing the host action to IBMVFC_HOST_ACTION_INIT. If we then change the host state to IBMVFC_NO_CRQ, we will then hit the BUG_ON(). Make a couple of changes to avoid this. Leave the host action to be IBMVFC_HOST_ACTION_RESET or IBMVFC_HOST_ACTION_REENABLE until after we drop the host lock and reset or reenable the CRQ. Also harden the host state machine to ensure we cannot leave the reset / reenable state until we've finished processing the reset or reenable. Link: https://lore.kernel.org/r/20210413001009.902400-1-tyreld@linux.ibm.com Fixes: 73ee5d867287 ("[SCSI] ibmvfc: Fix soft lockup on resume") Signed-off-by: Brian King [tyreld: added fixes tag] Signed-off-by: Tyrel Datwyler [mkp: fix comment checkpatch warnings] Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5129ec347a89075f16fa5896143ca4b5cbdbc47c Author: Sergey Shtylyov Date: Tue Mar 30 20:45:12 2021 +0300 scsi: sni_53c710: Add IRQ check [ Upstream commit 1160d61bc51e87e509cfaf9da50a0060f67b6de4 ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to request_irq() (which takes *unsigned* IRQ #s), causing it to fail with -EINVAL (overridden by -ENODEV further below). Stop calling request_irq() with the invalid IRQ #s. Link: https://lore.kernel.org/r/8f4b8fa5-8251-b977-70a1-9099bcb4bb17@omprussia.ru Fixes: c27d85f3f3c5 ("[SCSI] SNI RM 53c710 driver") Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 79ee30433357cdf71500526e308ae70bfae08bc4 Author: Sergey Shtylyov Date: Tue Mar 30 20:44:08 2021 +0300 scsi: sun3x_esp: Add IRQ check [ Upstream commit 14b321380eb333c82853d7d612d0995f05f88fdc ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real error code. Stop calling request_irq() with the invalid IRQ #s. Link: https://lore.kernel.org/r/363eb4c8-a3bf-4dc9-2a9e-90f349030a15@omprussia.ru Fixes: 0bb67f181834 ("[SCSI] sun3x_esp: convert to esp_scsi") Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 18e729d21f26fd7e4c719de39d6efc8b074e71ff Author: Sergey Shtylyov Date: Tue Mar 30 20:43:23 2021 +0300 scsi: jazz_esp: Add IRQ check [ Upstream commit 38fca15c29db6ed06e894ac194502633e2a7d1fb ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real error code. Stop calling request_irq() with the invalid IRQ #s. Link: https://lore.kernel.org/r/594aa9ae-2215-49f6-f73c-33bd38989912@omprussia.ru Fixes: 352e921f0dd4 ("[SCSI] jazz_esp: converted to use esp_core") Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 7d81167e513fa15d41a9bdadb7436e8ef7fc01b9 Author: Sergey Shtylyov Date: Sat Apr 3 23:43:55 2021 +0300 scsi: hisi_sas: Fix IRQ checks [ Upstream commit 6c11dc060427e07ca144eacaccd696106b361b06 ] Commit df2d8213d9e3 ("hisi_sas: use platform_get_irq()") failed to take into account that irq_of_parse_and_map() and platform_get_irq() have a different way of indicating an error: the former returns 0 and the latter returns a negative error code. Fix up the IRQ checks! Link: https://lore.kernel.org/r/810f26d3-908b-1d6b-dc5c-40019726baca@omprussia.ru Fixes: df2d8213d9e3 ("hisi_sas: use platform_get_irq()") Acked-by: John Garry Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aa83f32d40e2d01d23e1c67abbce4712c861c8fc Author: Sergey Shtylyov Date: Mon Mar 29 23:50:58 2021 +0300 scsi: ufs: ufshcd-pltfrm: Fix deferred probing [ Upstream commit 339c9b63cc7ce779ce45c675bf709cb58b807fc3 ] The driver overrides the error codes returned by platform_get_irq() to -ENODEV, so if it returns -EPROBE_DEFER, the driver would fail the probe permanently instead of the deferred probing. Propagate the error code upstream as it should have been done from the start... Link: https://lore.kernel.org/r/420364ca-614a-45e3-4e35-0e0653c7bc53@omprussia.ru Fixes: 2953f850c3b8 ("[SCSI] ufs: use devres functions for ufshcd") Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4e5e08975521d4a9b46afab0b44f116f0056d07f Author: Colin Ian King Date: Wed Apr 7 14:58:40 2021 +0100 scsi: pm80xx: Fix potential infinite loop [ Upstream commit 40fa7394a1ad5706e795823276f2e394cca145d0 ] The for-loop iterates with a u8 loop counter i and compares this with the loop upper limit of pm8001_ha->max_q_num which is a u32 type. There is a potential infinite loop if pm8001_ha->max_q_num is larger than the u8 loop counter. Fix this by making the loop counter the same type as pm8001_ha->max_q_num. [mkp: this is purely theoretical, max_q_num is currently limited to 64] Link: https://lore.kernel.org/r/20210407135840.494747-1-colin.king@canonical.com Fixes: 65df7d1986a1 ("scsi: pm80xx: Fix chip initialization failure") Addresses-Coverity: ("Infinite loop") Reviewed-by: Johannes Thumshirn Signed-off-by: Colin Ian King Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a613887c4126bdde28280e2de340e44f2604c728 Author: Igor Pylypiv Date: Tue Apr 6 11:05:33 2021 -0700 scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check() [ Upstream commit 3f744a14f331f56703a9d74e86520db045f11831 ] The mpi_uninit_check() takes longer for inbound doorbell register to be cleared. Increase the timeout substantially so that the driver does not fail to load. Previously, the inbound doorbell wait time was mistakenly increased in the mpi_init_check() instead of mpi_uninit_check(). It is okay to leave the mpi_init_check() wait time as-is as these are timeout values and if there is a failure, waiting longer is not an issue. Link: https://lore.kernel.org/r/20210406180534.1924345-2-ipylypiv@google.com Fixes: e90e236250e9 ("scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check") Reviewed-by: Vishakha Channapattan Acked-by: Jack Wang Signed-off-by: Igor Pylypiv Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d3d3735858e0cb25e50109288a95083a593d1e89 Author: Colin Ian King Date: Fri Apr 9 10:01:03 2021 +0100 clk: uniphier: Fix potential infinite loop [ Upstream commit f6b1340dc751a6caa2a0567b667d0f4f4172cd58 ] The for-loop iterates with a u8 loop counter i and compares this with the loop upper limit of num_parents that is an int type. There is a potential infinite loop if num_parents is larger than the u8 loop counter. Fix this by making the loop counter the same type as num_parents. Also make num_parents an unsigned int to match the return type of the call to clk_hw_get_num_parents. Addresses-Coverity: ("Infinite loop") Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") Signed-off-by: Colin Ian King Reviewed-by: Masahiro Yamada Link: https://lore.kernel.org/r/20210409090104.629722-1-colin.king@canonical.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c360228ecfb110f78291d94f403f94a276fca42a Author: Yingjie Wang Date: Tue Apr 6 20:10:04 2021 -0700 drm/radeon: Fix a missing check bug in radeon_dp_mst_detect() [ Upstream commit 25315ebfaefcffd126a266116b37bb8a3d1c4620 ] In radeon_dp_mst_detect(), We should check whether or not @connector has been unregistered from userspace. If the connector is unregistered, we should return disconnected status. Fixes: 9843ead08f18 ("drm/radeon: add DisplayPort MST support (v2)") Signed-off-by: Yingjie Wang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a6d56760eaba4a1a24d5aaa802bbc4f6aff1edf9 Author: Nirmoy Das Date: Wed Mar 17 11:38:11 2021 +0100 drm/amd/display: use GFP_ATOMIC in dcn20_resource_construct [ Upstream commit 3bb1105071fb974e3e3ca2f92ddfd69c81285ab6 ] Replace GFP_KERNEL with GFP_ATOMIC as dcn20_resource_construct() can't sleep. Partially fixes: https://bugzilla.kernel.org/show_bug.cgi?id=212311 as dcn20_resource_construct() also calls into SMU functions which does mutex_lock(). Reviewed-by: Harry Wentland Signed-off-by: Nirmoy Das Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3968d95f31165cfe6eb4c1a2954d419bcedd5a08 Author: Chen Hui Date: Fri Apr 9 16:23:52 2021 +0800 clk: qcom: apss-ipq-pll: Add missing MODULE_DEVICE_TABLE [ Upstream commit d0a859edda46b45baeab9687d173102300d76e2b ] CONFIG_IPQ_APSS_PLL is tristate option and therefore this driver can be compiled as a module. This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Fixes: ecd2bacfbbc4 ("clk: qcom: Add ipq apss pll driver") Signed-off-by: Chen Hui Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20210409082352.233810-4-clare.chenhui@huawei.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit edc6a44bcc49fd6d7050da1ef5fbbf661d28116b Author: Chen Hui Date: Fri Apr 9 16:23:51 2021 +0800 clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE [ Upstream commit 790b516ada10a4dcc0f0a56dc0ced475d86d5820 ] CONFIG_QCOM_A53PLL is tristate option and therefore this driver can be compiled as a module. This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Fixes: 0c6ab1b8f894 ("clk: qcom: Add A53 PLL support") Signed-off-by: Chen Hui Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20210409082352.233810-3-clare.chenhui@huawei.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit a6596d71a63544a6171cd0b9abaed8745ada7c65 Author: Dan Carpenter Date: Tue Mar 30 12:31:52 2021 +0300 drm: xlnx: zynqmp: fix a memset in zynqmp_dp_train() [ Upstream commit 5842ab76bbfadb37eaea91e53c1efe34ae504e4a ] The dp->train_set[] for this driver is only two characters, not four so this memsets too much. Fortunately, this ends up corrupting a struct hole and not anything important. Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem") Signed-off-by: Dan Carpenter Reviewed-by: Michal Simek Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/YGLwCBMotnrKZu6P@mwanda Signed-off-by: Sasha Levin commit fc076f40c8594442eaae57317236ae27345dfdb5 Author: Quanyang Wang Date: Tue Apr 6 23:31:31 2021 +0800 clk: zynqmp: pll: add set_pll_mode to check condition in zynqmp_pll_enable [ Upstream commit 394cdb69a3c30b33524cf1204afe5cceaba69cdc ] If there is a IOCTL_SET_PLL_FRAC_MODE request sent to ATF ever, we shouldn't skip invoking PM_CLOCK_ENABLE fn even though this pll has been enabled. In ATF implementation, it will only assign the mode to the variable (struct pm_pll *)pll->mode when handling IOCTL_SET_PLL_FRAC_MODE call. Invoking PM_CLOCK_ENABLE can force ATF send request to PWU to set the pll mode to PLL's register. There is a scenario that happens in enabling VPLL_INT(clk_id:96): 1) VPLL_INT has been enabled during booting. 2) A driver calls clk_set_rate and according to the rate, the VPLL_INT should be set to FRAC mode. Then zynqmp_pll_set_mode is called to pass IOCTL_SET_PLL_FRAC_MODE to ATF. Note that at this point ATF just stores the mode to a variable. 3) This driver calls clk_prepare_enable and zynqmp_pll_enable is called to try to enable VPLL_INT pll. Because of 1), the function zynqmp_pll_enable just returns without doing anything after checking that this pll has been enabled. In the scenario above, the pll mode of VPLL_INT will never be set successfully. So adding set_pll_mode to check condition to fix it. Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver") Signed-off-by: Quanyang Wang Tested-by: Laurent Pinchart Link: https://lore.kernel.org/r/20210406153131.601701-1-quanyang.wang@windriver.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 9c91a014a3b5a6969beb5fdbc96150a71d3a6a0b Author: Quanyang Wang Date: Tue Apr 6 23:40:15 2021 +0800 clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback [ Upstream commit d7fd3f9f53df8bb2212dff70f66f12cae0e1a653 ] The round_rate callback should only perform rate calculation and not involve calling zynqmp_pll_set_mode to change the pll mode. So let's move zynqmp_pll_set_mode out of round_rate and to set_rate callback. Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver") Reported-by: Laurent Pinchart Signed-off-by: Quanyang Wang Link: https://lore.kernel.org/r/20210406154015.602779-1-quanyang.wang@windriver.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b29d6a435e0f9a8a65dc9b435572a21a79914d91 Author: Jason Gunthorpe Date: Tue Apr 6 16:40:25 2021 -0300 vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer [ Upstream commit b5a1f8921d5040bb788492bf33a66758021e4be5 ] There is a small race where the parent is NULL even though the kobj has already been made visible in sysfs. For instance the attribute_group is made visible in sysfs_create_files() and the mdev_type_attr_show() does: ret = attr->show(kobj, type->parent->dev, buf); Which will crash on NULL parent. Move the parent setup to before the type pointer leaves the stack frame. Fixes: 7b96953bc640 ("vfio: Mediated device Core driver") Reviewed-by: Christoph Hellwig Reviewed-by: Kevin Tian Reviewed-by: Max Gurtovoy Reviewed-by: Cornelia Huck Signed-off-by: Jason Gunthorpe Message-Id: <2-v2-d36939638fc6+d54-vfio2_jgg@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 87856f9af04eaacf9848710625a4ffee1d020fa9 Author: Jason Gunthorpe Date: Tue Mar 30 09:53:06 2021 -0600 vfio/pci: Re-order vfio_pci_probe() [ Upstream commit 4aeec3984ddc853f7c65903bde472ffdef738bae ] vfio_add_group_dev() must be called only after all of the private data in vdev is fully setup and ready, otherwise there could be races with user space instantiating a device file descriptor and starting to call ops. For instance vfio_pci_reflck_attach() sets vdev->reflck and vfio_pci_open(), called by fops open, unconditionally derefs it, which will crash if things get out of order. Fixes: cc20d7999000 ("vfio/pci: Introduce VF token") Fixes: e309df5b0c9e ("vfio/pci: Parallelize device open and release") Fixes: 6eb7018705de ("vfio-pci: Move idle devices to D3hot power state") Fixes: ecaa1f6a0154 ("vfio-pci: Add VGA arbiter client") Reviewed-by: Christoph Hellwig Reviewed-by: Max Gurtovoy Reviewed-by: Kevin Tian Reviewed-by: Cornelia Huck Reviewed-by: Eric Auger Signed-off-by: Jason Gunthorpe Message-Id: <8-v3-225de1400dfc+4e074-vfio1_jgg@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit dad86dd76b8be4aad71091345d20617ee7da9298 Author: Jason Gunthorpe Date: Tue Mar 30 09:53:06 2021 -0600 vfio/pci: Move VGA and VF initialization to functions [ Upstream commit 61e90817482871b614133c0f20feb1aba2faec86 ] vfio_pci_probe() is quite complicated, with optional VF and VGA sub components. Move these into clear init/uninit functions and have a linear flow in probe/remove. This fixes a few little buglets: - vfio_pci_remove() is in the wrong order, vga_client_register() removes a notifier and is after kfree(vdev), but the notifier refers to vdev, so it can use after free in a race. - vga_client_register() can fail but was ignored Organize things so destruction order is the reverse of creation order. Fixes: ecaa1f6a0154 ("vfio-pci: Add VGA arbiter client") Reviewed-by: Christoph Hellwig Reviewed-by: Kevin Tian Reviewed-by: Max Gurtovoy Reviewed-by: Cornelia Huck Reviewed-by: Eric Auger Signed-off-by: Jason Gunthorpe Message-Id: <7-v3-225de1400dfc+4e074-vfio1_jgg@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit daa72300c996a089e04bbb9a39d668c2459e7d05 Author: Jason Gunthorpe Date: Tue Mar 30 09:53:06 2021 -0600 vfio/fsl-mc: Re-order vfio_fsl_mc_probe() [ Upstream commit 2b1fe162e584a88ec7f12a651a2a50f94dd8cfac ] vfio_add_group_dev() must be called only after all of the private data in vdev is fully setup and ready, otherwise there could be races with user space instantiating a device file descriptor and starting to call ops. For instance vfio_fsl_mc_reflck_attach() sets vdev->reflck and vfio_fsl_mc_open(), called by fops open, unconditionally derefs it, which will crash if things get out of order. This driver started life with the right sequence, but two commits added stuff after vfio_add_group_dev(). Fixes: 2e0d29561f59 ("vfio/fsl-mc: Add irq infrastructure for fsl-mc devices") Fixes: f2ba7e8c947b ("vfio/fsl-mc: Added lock support in preparation for interrupt handling") Co-developed-by: Diana Craciun OSS Signed-off-by: Jason Gunthorpe Message-Id: <5-v3-225de1400dfc+4e074-vfio1_jgg@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit d0702c665e6b9896b85ac3b330217cf54aff7814 Author: Hans Verkuil Date: Sat Mar 27 12:27:40 2021 +0100 media: v4l2-ctrls.c: fix race condition in hdl->requests list [ Upstream commit be7e8af98f3af729aa9f08b1053f9533a5cceb91 ] When a request is re-inited it will release all control handler objects that are still in the request. It does that by unbinding and putting all those objects. When the object is unbound the obj->req pointer is set to NULL, and the object's unbind op is called. When the object it put the object's release op is called to free the memory. For a request object that contains a control handler that means that v4l2_ctrl_handler_free() is called in the release op. A control handler used in a request has a pointer to the main control handler that is created by the driver and contains the current state of all controls. If the device is unbound (due to rmmod or a forced unbind), then that main handler is freed, again by calling v4l2_ctrl_handler_free(), and any outstanding request objects that refer to that main handler have to be unbound and put as well. It does that by this test: if (!hdl->req_obj.req && !list_empty(&hdl->requests)) { I.e. the handler has no pointer to a request, so is the main handler, and one or more request objects refer to this main handler. However, this test is wrong since hdl->req_obj.req is actually NULL when re-initing a request (the object unbind will set req to NULL), and the only reason this seemingly worked is that the requests list is typically empty since the request's unbind op will remove the handler from the requests list. But if another thread is at the same time adding a new control to a request, then there is a race condition where one thread is removing a control handler object from the requests list and another thread is adding one. The result is that hdl->requests is no longer empty and the code thinks that a main handler is being freed instead of a control handler that is part of a request. There are two bugs here: first the test for hdl->req_obj.req: this should be hdl->req_obj.ops since only the main control handler will have a NULL pointer there. The second is that adding or deleting request objects from the requests list of the main handler isn't protected by taking the main handler's lock. Signed-off-by: Hans Verkuil Reported-by: John Cox Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support") Tested-by: John Cox Reported-by: John Cox Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2d49873b49dc7bcf56d545af38781c0cb362cf1c Author: Lad Prabhakar Date: Thu Mar 11 10:52:05 2021 +0100 media: i2c: imx219: Balance runtime PM use-count [ Upstream commit dd90caa0111e178b52b21e56364bc2244a3973b3 ] Move incrementing/decrementing runtime PM count to imx219_start_streaming()/imx219_stop_streaming() functions respectively. This fixes an issue of unbalanced runtime PM count in resume callback error path where streaming is stopped and runtime PM count is left unbalanced. Fixes: 1283b3b8f82b9 ("media: i2c: Add driver for Sony IMX219 sensor") Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0050c97941353219e000275707ccade7e1f91ec6 Author: Lad Prabhakar Date: Thu Mar 11 10:52:04 2021 +0100 media: i2c: imx219: Move out locking/unlocking of vflip and hflip controls from imx219_set_stream [ Upstream commit 745d4612d2c853c00abadbf69799c8aee7f99c39 ] Move out locking/unlocking of vflip and hflip controls from imx219_set_stream() to the imx219_start_streaming()/ imx219_stop_streaming() respectively. This fixes an issue in resume callback error path where streaming is stopped and the controls are left in locked state. Fixes: 1283b3b8f82b9 ("media: i2c: Add driver for Sony IMX219 sensor") Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 59dd4fe0ae032ea616ecf2be2a24196e77b9155b Author: Hannes Reinecke Date: Sat Dec 5 16:29:01 2020 +0100 nvme: retrigger ANA log update if group descriptor isn't found [ Upstream commit dd8f7fa908f66dd44abcd83cbb50410524b9f8ef ] If ANA is enabled but no ANA group descriptor is found when creating a new namespace the ANA log is most likely out of date, so trigger a re-read. The namespace will be tagged with the NS_ANA_PENDING flag to exclude it from path selection until the ANA log has been re-read. Fixes: 32acab3181c7 ("nvme: implement multipath access to nvme subsystems") Reported-by: Martin George Signed-off-by: Hannes Reinecke Reviewed-by: Keith Busch Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 20719538c49f0847dec24966a105e65600ed7f93 Author: Ricardo Rivera-Matos Date: Wed Feb 10 16:56:46 2021 -0600 power: supply: bq25980: Move props from battery node [ Upstream commit 04722cec1436c732d39153ce6ae2ebf71ac3ade7 ] Currently POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT and POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE are exposed on the battery node and this is incorrect. This patch exposes both of them on the charger node rather than the battery node. Fixes: 5069185fc18e ("power: supply: bq25980: Add support for the BQ259xx family") Signed-off-by: Ricardo Rivera-Matos Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 9e33e261b4d62a33616a16b6fda57123b1ee9c4d Author: Adam Ford Date: Sat Mar 13 06:28:17 2021 -0600 clk: imx: Fix reparenting of UARTs not associated with stdout [ Upstream commit 379c9a24cc239000b1dec53db02fe17a86947423 ] Most if not all i.MX SoC's call a function which enables all UARTS. This is a problem for users who need to re-parent the clock source, because any attempt to change the parent results in an busy error due to the fact that the clocks have been enabled already. clk: failed to reparent uart1 to sys_pll1_80m: -16 Instead of pre-initializing all UARTS, scan the device tree to see which UART clocks are associated to stdout, and only enable those UART clocks if it's needed early. This will move initialization of the remaining clocks until after the parenting of the clocks. When the clocks are shutdown, this mechanism will also disable any clocks that were pre-initialized. Fixes: 9461f7b33d11c ("clk: fix CLK_SET_RATE_GATE with clock rate protection") Suggested-by: Aisheng Dong Signed-off-by: Adam Ford Reviewed-by: Abel Vesa Tested-by: Ahmad Fatoum Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 60ade0d56b06537a28884745059b3801c78e03bc Author: Sagi Grimberg Date: Sun Mar 21 00:08:49 2021 -0700 nvmet-tcp: fix incorrect locking in state_change sk callback [ Upstream commit b5332a9f3f3d884a1b646ce155e664cc558c1722 ] We are not changing anything in the TCP connection state so we should not take a write_lock but rather a read lock. This caused a deadlock when running nvmet-tcp and nvme-tcp on the same system, where state_change callbacks on the host and on the controller side have causal relationship and made lockdep report on this with blktests: ================================ WARNING: inconsistent lock state 5.12.0-rc3 #1 Tainted: G I -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage. nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp] {IN-SOFTIRQ-W} state was registered at: __lock_acquire+0x79b/0x18d0 lock_acquire+0x1ca/0x480 _raw_write_lock_bh+0x39/0x80 nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp] tcp_fin+0x2a8/0x780 tcp_data_queue+0xf94/0x1f20 tcp_rcv_established+0x6ba/0x1f00 tcp_v4_do_rcv+0x502/0x760 tcp_v4_rcv+0x257e/0x3430 ip_protocol_deliver_rcu+0x69/0x6a0 ip_local_deliver_finish+0x1e2/0x2f0 ip_local_deliver+0x1a2/0x420 ip_rcv+0x4fb/0x6b0 __netif_receive_skb_one_core+0x162/0x1b0 process_backlog+0x1ff/0x770 __napi_poll.constprop.0+0xa9/0x5c0 net_rx_action+0x7b3/0xb30 __do_softirq+0x1f0/0x940 do_softirq+0xa1/0xd0 __local_bh_enable_ip+0xd8/0x100 ip_finish_output2+0x6b7/0x18a0 __ip_queue_xmit+0x706/0x1aa0 __tcp_transmit_skb+0x2068/0x2e20 tcp_write_xmit+0xc9e/0x2bb0 __tcp_push_pending_frames+0x92/0x310 inet_shutdown+0x158/0x300 __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp] nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp] nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp] nvme_do_delete_ctrl+0x100/0x10c [nvme_core] nvme_sysfs_delete.cold+0x8/0xd [nvme_core] kernfs_fop_write_iter+0x2c7/0x460 new_sync_write+0x36c/0x610 vfs_write+0x5c0/0x870 ksys_write+0xf9/0x1d0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae irq event stamp: 10687 hardirqs last enabled at (10687): [] _raw_spin_unlock_irqrestore+0x2d/0x40 hardirqs last disabled at (10686): [] _raw_spin_lock_irqsave+0x68/0x90 softirqs last enabled at (10684): [] __do_softirq+0x608/0x940 softirqs last disabled at (10649): [] do_softirq+0xa1/0xd0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(clock-AF_INET); lock(clock-AF_INET); *** DEADLOCK *** 5 locks held by nvme/1324: #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp] #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300 stack backtrace: CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1 Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020 Call Trace: dump_stack+0x93/0xc2 mark_lock_irq.cold+0x2c/0xb3 ? verify_lock_unused+0x390/0x390 ? stack_trace_consume_entry+0x160/0x160 ? lock_downgrade+0x100/0x100 ? save_trace+0x88/0x5e0 ? _raw_spin_unlock_irqrestore+0x2d/0x40 mark_lock+0x530/0x1470 ? mark_lock_irq+0x1d10/0x1d10 ? enqueue_timer+0x660/0x660 mark_usage+0x215/0x2a0 __lock_acquire+0x79b/0x18d0 ? tcp_schedule_loss_probe.part.0+0x38c/0x520 lock_acquire+0x1ca/0x480 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? rcu_read_unlock+0x40/0x40 ? tcp_mtu_probe+0x1ae0/0x1ae0 ? kmalloc_reserve+0xa0/0xa0 ? sysfs_file_ops+0x170/0x170 _raw_read_lock+0x3d/0xa0 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? sysfs_file_ops+0x170/0x170 inet_shutdown+0x189/0x300 __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp] nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp] nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp] nvme_do_delete_ctrl+0x100/0x10c [nvme_core] nvme_sysfs_delete.cold+0x8/0xd [nvme_core] kernfs_fop_write_iter+0x2c7/0x460 new_sync_write+0x36c/0x610 ? new_sync_read+0x600/0x600 ? lock_acquire+0x1ca/0x480 ? rcu_read_unlock+0x40/0x40 ? lock_is_held_type+0x9a/0x110 vfs_write+0x5c0/0x870 ksys_write+0xf9/0x1d0 ? __ia32_sys_read+0xa0/0xa0 ? lockdep_hardirqs_on_prepare.part.0+0x198/0x340 ? syscall_enter_from_user_mode+0x27/0x70 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") Reported-by: Yi Zhang Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit a3ea59d0952547b17eb62a65fde1902715718b65 Author: Sagi Grimberg Date: Sun Mar 21 00:08:48 2021 -0700 nvme-tcp: block BH in sk state_change sk callback [ Upstream commit 8b73b45d54a14588f86792869bfb23098ea254cb ] The TCP stack can run from process context for a long time so we should disable BH here. Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 7456cc7c9fd5e551f462287b0d105e8cd1ffc9ec Author: Kenta.Tada@sony.com Date: Sun Mar 21 15:52:19 2021 +0000 seccomp: Fix CONFIG tests for Seccomp_filters [ Upstream commit 64bdc0244054f7d4bb621c8b4455e292f4e421bc ] Strictly speaking, seccomp filters are only used when CONFIG_SECCOMP_FILTER. This patch fixes the condition to enable "Seccomp_filters" in /proc/$pid/status. Signed-off-by: Kenta Tada Fixes: c818c03b661c ("seccomp: Report number of loaded filters in /proc/$pid/status") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/OSBPR01MB26772D245E2CF4F26B76A989F5669@OSBPR01MB2677.jpnprd01.prod.outlook.com Signed-off-by: Sasha Levin commit 4f53ef0f7841b015c39698590b39fc98b209cbbc Author: Sergey Shtylyov Date: Mon Mar 15 23:15:06 2021 +0300 ata: libahci_platform: fix IRQ check [ Upstream commit b30d0040f06159de97ad9c0b1536f47250719d7d ] Iff platform_get_irq() returns 0, ahci_platform_init_host() would return 0 early (as if the call was successful). Override IRQ0 with -EINVAL instead as the 'libata' regards 0 as "no IRQ" (thus polling) anyway... Fixes: c034640a32f8 ("ata: libahci: properly propagate return value of platform_get_irq()") Signed-off-by: Sergey Shtylyov Link: https://lore.kernel.org/r/4448c8cc-331f-2915-0e17-38ea34e251c8@omprussia.ru Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6187fa25029442a9379f3c58828aae00cda30d9a Author: Sergey Shtylyov Date: Sun Mar 28 00:13:49 2021 +0300 sata_mv: add IRQ checks [ Upstream commit e6471a65fdd5efbb8dd2732dd0f063f960685ceb ] The function mv_platform_probe() neglects to check the results of the calls to platform_get_irq() and irq_of_parse_and_map() and blithely passes them to ata_host_activate() -- while the latter only checks for IRQ0 (treating it as a polling mode indicattion) and passes the negative values to devm_request_irq() causing it to fail as it takes unsigned values for the IRQ #... Add to mv_platform_probe() the proper IRQ checks to pass the positive IRQ #s to ata_host_activate(), propagate upstream the negative error codes, and override the IRQ0 with -EINVAL (as we don't want the polling mode). Fixes: f351b2d638c3 ("sata_mv: Support SoC controllers") Signed-off-by: Sergey Shtylyov Link: https://lore.kernel.org/r/51436f00-27a1-e20b-c21b-0e817e0a7c86@omprussia.ru Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f87689e71604670660a43ad202fc3b5eca212345 Author: Sergey Shtylyov Date: Thu Mar 25 23:51:10 2021 +0300 pata_ipx4xx_cf: fix IRQ check [ Upstream commit e379b40cc0f179403ce0b82b7e539f635a568da5 ] The driver's probe() method is written as if platform_get_irq() returns 0 on error, while actually it returns a negative error code (with all the other values considered valid IRQs). Rewrite the driver's IRQ checking code to pass the positive IRQ #s to ata_host_activate(), propagate errors upstream, and treat IRQ0 as error, returning -EINVAL, as the libata code treats 0 as an indication that polling should be used anyway... Fixes: 0df0d0a0ea9f ("[libata] ARM: add ixp4xx PATA driver") Signed-off-by: Sergey Shtylyov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d1bb0316f507db27646f077f76e9e373ee3b8e9d Author: Sergey Shtylyov Date: Thu Mar 25 23:50:24 2021 +0300 pata_arasan_cf: fix IRQ check [ Upstream commit c7e8f404d56b99c80990b19a402c3f640d74be05 ] The driver's probe() method is written as if platform_get_irq() returns 0 on error, while actually it returns a negative error code (with all the other values considered valid IRQs). Rewrite the driver's IRQ checking code to pass the positive IRQ #s to ata_host_activate(), propagate upstream -EPROBE_DEFER, and set up the driver to polling mode on (negative) errors and IRQ0 (libata treats IRQ #0 as a polling mode anyway)... Fixes: a480167b23ef ("pata_arasan_cf: Adding support for arasan compact flash host controller") Signed-off-by: Sergey Shtylyov Acked-by: Viresh Kumar Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0ad91dc7ea8e8f537316df5d78ce0a644548fc53 Author: Ilya Leoshkevich Date: Wed Mar 3 01:44:20 2021 +0100 selftests: fix prepending $(OUTPUT) to $(TEST_PROGS) [ Upstream commit cb4969e6f9f5ee12521aec764fa3d4bbd91bc797 ] Currently the following command produces an error message: linux# make kselftest TARGETS=bpf O=/mnt/linux-build # selftests: bpf: test_libbpf.sh # ./test_libbpf.sh: line 23: ./test_libbpf_open: No such file or directory # test_libbpf: failed at file test_l4lb.o # selftests: test_libbpf [FAILED] The error message might not affect the return code of make, therefore one needs to grep make output in order to detect it. This is not the only instance of the same underlying problem; any test with more than one element in $(TEST_PROGS) fails the same way. Another example: linux# make O=/mnt/linux-build TARGETS=splice kselftest [...] # ./short_splice_read.sh: 15: ./splice_read: not found # FAIL: /sys/module/test_module/sections/.init.text 2 not ok 2 selftests: splice: short_splice_read.sh # exit=1 The current logic prepends $(OUTPUT) only to the first member of $(TEST_PROGS). After that, run_one() does cd `dirname $TEST` For all tests except the first one, `dirname $TEST` is ., which means they cannot access the files generated in $(OUTPUT). Fix by using $(addprefix) to prepend $(OUTPUT)/ to each member of $(TEST_PROGS). Fixes: 1a940687e424 ("selftests: lib.mk: copy test scripts and test files for make O=dir run") Signed-off-by: Ilya Leoshkevich Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 296da2049f2a84f6a63017e8f8f1114cdb6bc8f7 Author: Masami Hiramatsu Date: Thu Mar 25 19:08:31 2021 +0900 x86/kprobes: Fix to check non boostable prefixes correctly [ Upstream commit 6dd3b8c9f58816a1354be39559f630cd1bd12159 ] There are 2 bugs in the can_boost() function because of using x86 insn decoder. Since the insn->opcode never has a prefix byte, it can not find CS override prefix in it. And the insn->attr is the attribute of the opcode, thus inat_is_address_size_prefix( insn->attr) always returns false. Fix those by checking each prefix bytes with for_each_insn_prefix loop and getting the correct attribute for each prefix byte. Also, this removes unlikely, because this is a slow path. Fixes: a8d11cd0714f ("kprobes/x86: Consolidate insn decoder users for copying code") Signed-off-by: Masami Hiramatsu Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/161666691162.1120877.2808435205294352583.stgit@devnote2 Signed-off-by: Sasha Levin commit e2ff41d2ee4d73971ecf8f703540c1e880e8c9a7 Author: kernel test robot Date: Mon Mar 22 19:21:39 2021 +0100 of: overlay: fix for_each_child.cocci warnings [ Upstream commit c4d74f0f978ed5ceee62cd3f6708081042e582a1 ] Function "for_each_child_of_node" should have of_node_put() before goto. Generated by: scripts/coccinelle/iterators/for_each_child.cocci Fixes: 82c2d81361ec ("coccinelle: iterators: Add for_each_child.cocci script") CC: Sumera Priyadarsini Reported-by: kernel test robot Signed-off-by: kernel test robot Signed-off-by: Julia Lawall Reviewed-by: Frank Rowand Tested-by: Frank Rowand Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2103221918450.2918@hadrien Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit c272c735a1e298e7dfe517cfa4225f6d0ecfccc5 Author: Felix Kuehling Date: Mon Mar 8 22:15:42 2021 -0500 drm/amdkfd: fix build error with AMD_IOMMU_V2=m [ Upstream commit 1e87068570a2cc4db5f95a881686add71729e769 ] Using 'imply AMD_IOMMU_V2' does not guarantee that the driver can link against the exported functions. If the GPU driver is built-in but the IOMMU driver is a loadable module, the kfd_iommu.c file is indeed built but does not work: x86_64-linux-ld: drivers/gpu/drm/amd/amdkfd/kfd_iommu.o: in function `kfd_iommu_bind_process_to_device': kfd_iommu.c:(.text+0x516): undefined reference to `amd_iommu_bind_pasid' x86_64-linux-ld: drivers/gpu/drm/amd/amdkfd/kfd_iommu.o: in function `kfd_iommu_unbind_process': kfd_iommu.c:(.text+0x691): undefined reference to `amd_iommu_unbind_pasid' x86_64-linux-ld: drivers/gpu/drm/amd/amdkfd/kfd_iommu.o: in function `kfd_iommu_suspend': kfd_iommu.c:(.text+0x966): undefined reference to `amd_iommu_set_invalidate_ctx_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0x97f): undefined reference to `amd_iommu_set_invalid_ppr_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0x9a4): undefined reference to `amd_iommu_free_device' x86_64-linux-ld: drivers/gpu/drm/amd/amdkfd/kfd_iommu.o: in function `kfd_iommu_resume': kfd_iommu.c:(.text+0xa9a): undefined reference to `amd_iommu_init_device' x86_64-linux-ld: kfd_iommu.c:(.text+0xadc): undefined reference to `amd_iommu_set_invalidate_ctx_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0xaff): undefined reference to `amd_iommu_set_invalid_ppr_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0xc72): undefined reference to `amd_iommu_bind_pasid' x86_64-linux-ld: kfd_iommu.c:(.text+0xe08): undefined reference to `amd_iommu_set_invalidate_ctx_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0xe26): undefined reference to `amd_iommu_set_invalid_ppr_cb' x86_64-linux-ld: kfd_iommu.c:(.text+0xe42): undefined reference to `amd_iommu_free_device' Use IS_REACHABLE to only build IOMMU-V2 support if the amd_iommu symbols are reachable by the amdkfd driver. Output a warning if they are not, because that may not be what the user was expecting. Fixes: 64d1c3a43a6f ("drm/amdkfd: Centralize IOMMUv2 code and make it conditional") Reported-by: Arnd Bergmann Signed-off-by: Felix Kuehling Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d218c7a0284f6b92a7b82d2e19706e18663b4193 Author: Dan Carpenter Date: Mon Dec 14 12:53:31 2020 +0100 media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs() [ Upstream commit ba11bbf303fafb33989e95473e409f6ab412b18d ] The "s3a_buf" is freed along with all the other items on the "asd->s3a_stats" list. It leads to a double free and a use after free. Link: https://lore.kernel.org/linux-media/X9dSO3RGf7r0pq2k@mwanda Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"") Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1f743e8d582b3d3a1456840a81fe7e923b321845 Author: Colin Ian King Date: Wed Oct 7 14:16:28 2020 +0200 media: m88rs6000t: avoid potential out-of-bounds reads on arrays [ Upstream commit 9baa3d64e8e2373ddd11c346439e5dfccb2cbb0d ] There a 3 array for-loops that don't check the upper bounds of the index into arrays and this may lead to potential out-of-bounds reads. Fix this by adding array size upper bounds checks to be full safe. Addresses-Coverity: ("Out-of-bounds read") Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000") Signed-off-by: Colin Ian King Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 96498fbb7b14fcbd63cd9ed7cd2cd546fa6ff450 Author: Souptick Joarder Date: Sun Sep 27 17:08:04 2020 +0200 media: atomisp: Fixed error handling path [ Upstream commit 16a5dcf7fbc2f5cd10c1e6264262bfa3832fb7d5 ] Inside alloc_user_pages() based on flag value either pin_user_pages() or get_user_pages_fast() will be called. However, these API might fail. But free_user_pages() called in error handling path doesn't bother about return value and will try to unpin bo->pgnr pages, which is incorrect. Fix this by passing the page_nr to free_user_pages(). If page_nr > 0 pages will be unpinned based on bo->mem_type. This will also take care of non error handling path. allocation") Link: https://lore.kernel.org/linux-media/1601219284-13275-1-git-send-email-jrdr.linux@gmail.com Fixes: 14a638ab96c5 ("media: atomisp: use pin_user_pages() for memory Signed-off-by: Souptick Joarder Cc: John Hubbard Cc: Ira Weiny Reviewed-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit cc4cc2fb5aaf9adb83c02211eb13b16cfcb7ba64 Author: Colin Ian King Date: Wed Sep 2 18:58:52 2020 +0200 media: [next] staging: media: atomisp: fix memory leak of object flash [ Upstream commit 6045b01dd0e3cd3759eafe7f290ed04c957500b1 ] In the case where the call to lm3554_platform_data_func returns an error there is a memory leak on the error return path of object flash. Fix this by adding an error return path that will free flash and rename labels fail2 to fail3 and fail1 to fail2. Link: https://lore.kernel.org/linux-media/20200902165852.201155-1-colin.king@canonical.com Fixes: 9289cdf39992 ("staging: media: atomisp: Convert to GPIO descriptors") Signed-off-by: Colin Ian King Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 99ce023bb8bb7084b6216e9eea0242eb9b826ca2 Author: Liu Ying Date: Thu Mar 11 06:53:47 2021 +0100 media: docs: Fix data organization of MEDIA_BUS_FMT_RGB101010_1X30 [ Upstream commit c451ee146d449bbe39835fc3d9007b7f06332415 ] The media bus bit width of MEDIA_BUS_FMT_RGB101010_1X30 is 30. So, 'Bit31' and 'Bit30' cells for the 'MEDIA_BUS_FMT_RGB101010_1X30' row should be spaces instead of '0's. Fixes: 54f38fcae536 ("media: docs: move uAPI book to userspace-api/media") Signed-off-by: Liu Ying Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 757d5d54ca71cc696341d18bd180f6a42d3e0f8e Author: Wei Yongjun Date: Mon Mar 8 13:28:02 2021 +0100 media: m88ds3103: fix return value check in m88ds3103_probe() [ Upstream commit e61f9ea271933d987ab895c689fa37744f6fc27f ] In case of error, the function i2c_new_dummy_device() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: e6089feca460 ("media: m88ds3103: Add support for ds3103b demod") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 697af15095fc8b63a6bd1a1855d2a3126d3bffce Author: Jia-Ju Bai Date: Sat Mar 6 15:15:28 2021 +0100 media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() [ Upstream commit f3d384e36630e2a552d874e422835606d9cf230a ] When sun6i_video_remote_subdev() returns NULL to subdev, no error return code of sun6i_video_start_streaming() is assigned. To fix this bug, ret is assigned with -EINVAL in this case. Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Fixes: 5cc7522d8965 ("media: sun6i: Add support for Allwinner CSI V3s") Acked-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 00b68a7478343afdf83f30c43e64db5296057030 Author: Christophe JAILLET Date: Thu Jan 28 21:22:34 2021 +0100 media: venus: core: Fix some resource leaks in the error path of 'venus_probe()' [ Upstream commit 5a465c5391a856a0c1e9554964d660676c35d1b2 ] If an error occurs after a successful 'of_icc_get()' call, it must be undone. Use 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak. Update the remove function accordingly and axe the now unneeded 'icc_put()' calls. Fixes: 32f0a6ddc8c9 ("media: venus: Use on-chip interconnect API") Signed-off-by: Christophe JAILLET Signed-off-by: Stanimir Varbanov Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0741a8f2e5b05174899b97f2809c3884c600cebe Author: Noralf Trønnes Date: Sat Mar 13 12:25:44 2021 +0100 drm/probe-helper: Check epoch counter in output_poll_execute() [ Upstream commit dc659a4e852b591771fc2e5abb60f4455b0cf316 ] drm_helper_hpd_irq_event() checks the epoch counter to determine connector status change. This was introduced in commit 5186421cbfe2 ("drm: Introduce epoch counter to drm_connector"). Do the same for output_poll_execute() so it can detect other changes beside connection status value changes. v2: - Add Fixes tag (Daniel) Fixes: 5186421cbfe2 ("drm: Introduce epoch counter to drm_connector") Reviewed-by: Daniel Vetter Signed-off-by: Noralf Trønnes Link: https://patchwork.freedesktop.org/patch/msgid/20210313112545.37527-3-noralf@tronnes.org Signed-off-by: Sasha Levin commit a59d01384c80a8a4392665802df57c3df20055f5 Author: Jae Hyun Yoo Date: Mon Dec 21 23:32:25 2020 +0100 media: aspeed: fix clock handling logic [ Upstream commit 3536169f8531c2c5b153921dc7d1ac9fd570cda7 ] Video engine uses eclk and vclk for its clock sources and its reset control is coupled with eclk so the current clock enabling sequence works like below. Enable eclk De-assert Video Engine reset 10ms delay Enable vclk It introduces improper reset on the Video Engine hardware and eventually the hardware generates unexpected DMA memory transfers that can corrupt memory region in random and sporadic patterns. This issue is observed very rarely on some specific AST2500 SoCs but it causes a critical kernel panic with making a various shape of signature so it's extremely hard to debug. Moreover, the issue is observed even when the video engine is not actively used because udevd turns on the video engine hardware for a short time to make a query in every boot. To fix this issue, this commit changes the clock handling logic to make the reset de-assertion triggered after enabling both eclk and vclk. Also, it adds clk_unprepare call for a case when probe fails. clk: ast2600: fix reset settings for eclk and vclk Video engine reset setting should be coupled with eclk to match it with the setting for previous Aspeed SoCs which is defined in clk-aspeed.c since all Aspeed SoCs are sharing a single video engine driver. Also, reset bit 6 is defined as 'Video Engine' reset in datasheet so it should be de-asserted when eclk is enabled. This commit fixes the setting. Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") Signed-off-by: Jae Hyun Yoo Reviewed-by: Joel Stanley Reviewed-by: Eddie James Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") Reviewed-by: Joel Stanley Acked-by: Stephen Boyd Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 29eb741801b3d06ec31241c9837eb91c802c68b5 Author: Dafna Hirschfeld Date: Wed Dec 9 17:15:10 2020 +0100 media: rkisp1: rsz: crash fix when setting src format [ Upstream commit cbe8373ca7e7cbb4b263b6bf222ccc19f5e119d2 ] When setting the source media bus code in the resizer, we first check that the current media bus code in the source is yuv encoded format. This is done by retrieving the data from the formats list of the isp entity. This cause a crash when the media bus code on the source is YUYV8_1_5X8 which is not supported by the isp entity. Instead we should test the sink format of the resizer which is guaranteed to be supported by the isp entity. Fixes: 251b6eebb6c49 ("media: staging: rkisp1: rsz: Add support to more YUV encoded mbus codes on src pad") Signed-off-by: Dafna Hirschfeld Acked-by: Helen Koike Tested-by: Sebastian Fricke Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 38f9456ef5a2576cbca10a4ff3557ff247f5ab8a Author: Yang Yingliang Date: Tue Nov 17 03:50:41 2020 +0100 media: omap4iss: return error code when omap4iss_get() failed [ Upstream commit 8938c48fa25b491842ece9eb38f0bea0fcbaca44 ] If omap4iss_get() failed, it need return error code in iss_probe(). Fixes: 59f0ad807681 ("[media] v4l: omap4iss: Add support for OMAP4...") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3ad6a6288c88a61d20fd7a589e4da6972c8e152e Author: Tasos Sahanidis Date: Wed Mar 3 19:52:53 2021 +0100 media: saa7146: use sg_dma_len when building pgtable [ Upstream commit e56429b09d5e0802b86f84ec7c24025886c9f88b ] The new AMD IOMMU DMA implementation concatenates sglist entries under certain conditions, and because saa7146 accessed the length member directly, it did not support this scenario. This fixes IO_PAGE_FAULTs by using the sg_dma_len macro. Fixes: be62dbf554c5 ("iommu/amd: Convert AMD iommu driver to the dma-iommu api") Signed-off-by: Tasos Sahanidis Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a250df336aa5fb2028e2baeab7822bbfa251048a Author: Tasos Sahanidis Date: Wed Mar 3 19:30:18 2021 +0100 media: saa7134: use sg_dma_len when building pgtable [ Upstream commit 4e1cb753c04d74e06d7ca826ea0bcb02526af03e ] The new AMD IOMMU DMA implementation concatenates sglist entries under certain conditions, and because saa7134 accessed the length member directly, it did not support this scenario. This fixes IO_PAGE_FAULTs and choppy DMA audio by using the sg_dma_len macro. Fixes: be62dbf554c5 ("iommu/amd: Convert AMD iommu driver to the dma-iommu api") Signed-off-by: Tasos Sahanidis Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 385470a358a6ae84f0eb5250d995102815074e04 Author: Colin Ian King Date: Thu Feb 25 16:43:27 2021 +0100 media: vivid: fix assignment of dev->fbuf_out_flags [ Upstream commit 5cde22fcc7271812a7944c47b40100df15908358 ] Currently the chroma_flags and alpha_flags are being zero'd with a bit-wise mask and the following statement should be bit-wise or'ing in the new flag bits but instead is making a direct assignment. Fix this by using the |= operator rather than an assignment. Addresses-Coverity: ("Unused value") Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7d81aff2895354806a4f42dd0ae3e497c48750d1 Author: Zhouyi Zhou Date: Mon Jan 11 09:08:59 2021 +0800 rcu: Remove spurious instrumentation_end() in rcu_nmi_enter() [ Upstream commit 6494ccb93271bee596a12db32ff44867d5be2321 ] In rcu_nmi_enter(), there is an erroneous instrumentation_end() in the second branch of the "if" statement. Oddly enough, "objtool check -f vmlinux.o" fails to complain because it is unable to correctly cover all cases. Instead, objtool visits the third branch first, which marks following trace_rcu_dyntick() as visited. This commit therefore removes the spurious instrumentation_end(). Fixes: 04b25a495bd6 ("rcu: Mark rcu_nmi_enter() call to rcu_cleanup_after_idle() noinstr") Reported-by Neeraj Upadhyay Signed-off-by: Zhouyi Zhou Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 95f4e9f33b707787b990017cdfc9ff72cde7f3a5 Author: David Howells Date: Wed Feb 10 08:59:52 2021 +0000 afs: Fix updating of i_mode due to 3rd party change [ Upstream commit 6e1eb04a87f954eb06a89ee6034c166351dfff6e ] Fix afs_apply_status() to mask off the irrelevant bits from status->mode when OR'ing them into i_mode. This can happen when a 3rd party chmod occurs. Also fix afs_inode_init_from_status() to mask off the mode bits when initialising i_mode. Fixes: 260a980317da ("[AFS]: Add "directory write" support.") Reported-by: Al Viro Signed-off-by: David Howells Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 80862cbf76c2646f709a57c4517aefe0b094c774 Author: Valentin Schneider Date: Thu Feb 25 17:56:56 2021 +0000 sched/fair: Fix shift-out-of-bounds in load_balance() [ Upstream commit 39a2a6eb5c9b66ea7c8055026303b3aa681b49a5 ] Syzbot reported a handful of occurrences where an sd->nr_balance_failed can grow to much higher values than one would expect. A successful load_balance() resets it to 0; a failed one increments it. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an active balance, which will either set it to sd->cache_nice_tries+1 or reset it to 0. However, in case the to-be-active-balanced task is not allowed to run on env->dst_cpu, then the increment is done without any further modification. This could then be repeated ad nauseam, and would explain the absurdly high values reported by syzbot (86, 149). VincentG noted there is value in letting sd->cache_nice_tries grow, so the shift itself should be fixed. That means preventing: """ If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined. """ Thus we need to cap the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1. I had a look around for other similar cases via coccinelle: @expr@ position pos; expression E1; expression E2; @@ ( E1 >> E2@pos | E1 >> E2@pos ) @cst depends on expr@ position pos; expression expr.E1; constant cst; @@ ( E1 >> cst@pos | E1 << cst@pos ) @script:python depends on !cst@ pos << expr.pos; exp << expr.E2; @@ # Dirty hack to ignore constexpr if exp.upper() != exp: coccilib.report.print_report(pos[0], "Possible UB shift here") The only other match in kernel/sched is rq_clock_thermal() which employs sched_thermal_decay_shift, and that exponent is already capped to 10, so that one is fine. Fixes: 5a7f55590467 ("sched/fair: Relax constraint on task's load during load balance") Reported-by: syzbot+d7581744d5fd27c9fbe1@syzkaller.appspotmail.com Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Link: http://lore.kernel.org/r/000000000000ffac1205b9a2112f@google.com Signed-off-by: Sasha Levin commit ef8a039012596d6ae7b4115292b585a4a06d9288 Author: Linus Walleij Date: Thu Mar 4 01:41:38 2021 +0100 drm/mcde/panel: Inverse misunderstood flag [ Upstream commit d0c5ac04e7feedbc069f26f4dcbf35b521ae7fc5 ] A recent patch renaming MIPI_DSI_MODE_EOT_PACKET to MIPI_DSI_MODE_NO_EOT_PACKET brought to light the misunderstanding in the current MCDE driver and all its associated panel drivers that MIPI_DSI_MODE_EOT_PACKET would mean "use EOT packet" when in fact it means the reverse. Fix it up by implementing the flag right in the MCDE DSI driver and remove the flag from panels that actually want the EOT packet. Suggested-by: Nicolas Boichat Signed-off-by: Linus Walleij Reviewed-by: Nicolas Boichat Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE") Fixes: 899f24ed8d3a ("drm/panel: Add driver for Novatek NT35510-based panels") Fixes: ac1d6d74884e ("drm/panel: Add driver for Samsung S6D16D0 panel") Fixes: 435e06c06cb2 ("drm/panel: s6e63m0: Add DSI transport") Fixes: 8152c2bfd780 ("drm/panel: Add driver for Sony ACX424AKP panel") Link: https://patchwork.freedesktop.org/patch/msgid/20210304004138.1785057-1-linus.walleij@linaro.org Signed-off-by: Sasha Levin commit 403c4528e5887af3deb9838cb77a557631d1e138 Author: Dan Carpenter Date: Tue Mar 2 14:15:48 2021 +0300 drm/amd/display: Fix off by one in hdmi_14_process_transaction() [ Upstream commit 8e6fafd5a22e7a2eb216f5510db7aab54cc545c1 ] The hdcp_i2c_offsets[] array did not have an entry for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one read overflow. I added an entry and copied the 0x0 value for the offset from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c. I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX entries. This doesn't change the code, but it's just a belt and suspenders approach to try future proof the code. Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module") Reviewed-by: Bhawanpreet Lakha Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9f075cb08822f080e10656631ab27c38ad3487a3 Author: Marek Vasut Date: Wed Jan 27 12:07:56 2021 +0100 drm/stm: Fix bus_flags handling [ Upstream commit 99e360442f223dd40fc23ae07c7a263836fd27e6 ] The drm_display_mode_to_videomode() does not populate DISPLAY_FLAGS_DE_LOW or DISPLAY_FLAGS_PIXDATA_NEGEDGE flags in struct videomode. Therefore, no matter what polarity the next bridge or display might require, these flags are never set, and thus the LTDC GCR_DEPOL and GCR_PCPOL bits are never set and the LTDC behaves as if both DISPLAY_FLAGS_PIXDATA_POSEDGE and DISPLAY_FLAGS_DE_HIGH were always set. The fix for this problem is taken almost verbatim from MXSFB driver. In case there is a bridge attached to the LTDC, the bridge might have extra polarity requirements, so extract bus_flags from the bridge and use them for LTDC configuration. Otherwise, extract bus_flags from the connector, which is the display. Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver") Signed-off-by: Marek Vasut Signed-off-by: Yannick Fertre Cc: Alexandre Torgue Cc: Antonio Borneo Cc: Benjamin Gaignard Cc: Maxime Coquelin Cc: Philippe Cornu Cc: Sam Ravnborg Cc: Vincent Abriou Cc: Yannick Fertre Cc: linux-arm-kernel@lists.infradead.org Cc: linux-stm32@st-md-mailman.stormreply.com To: dri-devel@lists.freedesktop.org Tested-by: Yannick Fertre Signed-off-by: Philippe Cornu Link: https://patchwork.freedesktop.org/patch/msgid/20210127110756.125570-1-marex@denx.de Signed-off-by: Sasha Levin commit 1de265ad3c3ca877cfcd4dd1155a6fc35462fbd0 Author: Quanyang Wang Date: Tue Feb 9 16:24:15 2021 +0800 drm/tilcdc: send vblank event when disabling crtc [ Upstream commit f1a75f4dd8edf272b6b7cdccf6ba6254ec9d15fa ] When run xrandr to change resolution on Beaglebone Black board, it will print the error information: root@beaglebone:~# xrandr -display :0 --output HDMI-1 --mode 720x400 [drm:drm_crtc_commit_wait] *ERROR* flip_done timed out [drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [CRTC:32:tilcdc crtc] commit wait timed out [drm:drm_crtc_commit_wait] *ERROR* flip_done timed out [drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [CONNECTOR:34:HDMI-A-1] commit wait timed out [drm:drm_crtc_commit_wait] *ERROR* flip_done timed out [drm:drm_atomic_helper_wait_for_dependencies] *ERROR* [PLANE:31:plane-0] commit wait timed out tilcdc 4830e000.lcdc: already pending page flip! This is because there is operation sequence as below: drm_atomic_connector_commit_dpms(mode is DRM_MODE_DPMS_OFF): ... drm_atomic_helper_setup_commit <- init_completion(commit_A->flip_done) drm_atomic_helper_commit_tail tilcdc_crtc_atomic_disable tilcdc_plane_atomic_update <- drm_crtc_send_vblank_event in tilcdc_crtc_irq is skipped since tilcdc_crtc->enabled is 0 tilcdc_crtc_atomic_flush <- drm_crtc_send_vblank_event is skipped since crtc->state->event is set to be NULL in tilcdc_plane_atomic_update drm_mode_setcrtc: ... drm_atomic_helper_setup_commit <- init_completion(commit_B->flip_done) drm_atomic_helper_wait_for_dependencies drm_crtc_commit_wait <- wait for commit_A->flip_done completing Just as shown above, the steps which could complete commit_A->flip_done are all skipped and commit_A->flip_done will never be completed. This will result a time-out ERROR when drm_crtc_commit_wait check the commit_A->flip_done. So add drm_crtc_send_vblank_event in tilcdc_crtc_atomic_disable to complete commit_A->flip_done. Fixes: cb345decb4d2 ("drm/tilcdc: Use standard drm_atomic_helper_commit") Signed-off-by: Quanyang Wang Reviewed-by: Jyri Sarha Tested-by: Jyri Sarha Signed-off-by: Jyri Sarha Link: https://patchwork.freedesktop.org/patch/msgid/20210209082415.382602-1-quanyang.wang@windriver.com Signed-off-by: Sasha Levin commit 8e81ff6d512ed4da5ee854e50fc2d35dbdee7465 Author: Dan Carpenter Date: Fri Apr 23 09:39:19 2021 +0930 soc: aspeed: fix a ternary sign expansion bug [ Upstream commit 5ffa828534036348fa90fb3079ccc0972d202c4a ] The intent here was to return negative error codes but it actually returns positive values. The problem is that type promotion with ternary operations is quite complicated. "ret" is an int. "copied" is a u32. And the snoop_file_read() function returns long. What happens is that "ret" is cast to u32 and becomes positive then it's cast to long and it's still positive. Fix this by removing the ternary so that "ret" is type promoted directly to long. Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") Signed-off-by: Dan Carpenter Signed-off-by: Joel Stanley Reviewed-by: Patrick Venture Link: https://lore.kernel.org/r/YIE90PSXsMTa2Y8n@mwanda Link: https://lore.kernel.org/r/20210423000919.1249474-1-joel@jms.id.au' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit bbe9de67ac5bcbcbfc83ae31e9947bdb76fe46bd Author: Paul Durrant Date: Tue Feb 2 17:56:59 2021 +0000 xen-blkback: fix compatibility bug with single page rings [ Upstream commit d75e7f63b7c95c527cde42efb5d410d7f961498f ] Prior to commit 4a8c31a1c6f5 ("xen/blkback: rework connect_ring() to avoid inconsistent xenstore 'ring-page-order' set by malicious blkfront"), the behaviour of xen-blkback when connecting to a frontend was: - read 'ring-page-order' - if not present then expect a single page ring specified by 'ring-ref' - else expect a ring specified by 'ring-refX' where X is between 0 and 1 << ring-page-order This was correct behaviour, but was broken by the afforementioned commit to become: - read 'ring-page-order' - if not present then expect a single page ring (i.e. ring-page-order = 0) - expect a ring specified by 'ring-refX' where X is between 0 and 1 << ring-page-order - if that didn't work then see if there's a single page ring specified by 'ring-ref' This incorrect behaviour works most of the time but fails when a frontend that sets 'ring-page-order' is unloaded and replaced by one that does not because, instead of reading 'ring-ref', xen-blkback will read the stale 'ring-ref0' left around by the previous frontend will try to map the wrong grant reference. This patch restores the original behaviour. Fixes: 4a8c31a1c6f5 ("xen/blkback: rework connect_ring() to avoid inconsistent xenstore 'ring-page-order' set by malicious blkfront") Signed-off-by: Paul Durrant Reviewed-by: Dongli Zhang Reviewed-by: "Roger Pau Monné" Link: https://lore.kernel.org/r/20210202175659.18452-1-paul@xen.org Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 565e7c98d3328050b5eecc7f0a2ea3681c15657d Author: Dario Binacchi Date: Sun Apr 18 11:47:05 2021 +0200 serial: omap: fix rs485 half-duplex filtering [ Upstream commit e2a5e8448e7393e96ccde346c68764b40a52cc10 ] Data received during half-duplex transmission must be filtered. If the target device responds quickly, emptying the FIFO at the end of the transmission can erase not only the echo characters but also part of the response message. By keeping the receive interrupt enabled even during transmission, it allows you to filter each echo character and only in a number equal to those transmitted. The issue was generated by a target device that started responding 240us later having received a request in communication at 115200bps. Sometimes, some messages received by the target were missing some of the first bytes. Fixes: 3a13884abea0 ("tty/serial: omap: empty the RX FIFO at the end of half-duplex TX") Signed-off-by: Dario Binacchi Link: https://lore.kernel.org/r/20210418094705.27014-1-dariobin@libero.it Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9c3e2ad20b0c42f490273a517bec26269487c19a Author: Dario Binacchi Date: Thu Apr 15 23:09:45 2021 +0200 serial: omap: don't disable rs485 if rts gpio is missing [ Upstream commit 45f6b6db53c80787b79044629b062dfcf2da71ec ] There are rs485 transceivers (e.g. MAX13487E/MAX13488E) which automatically disable or enable the driver and receiver to keep the bus in the correct state. In these cases we don't need a GPIO for flow control. Fixes: 4a0ac0f55b18 ("OMAP: add RS485 support") Signed-off-by: Dario Binacchi Link: https://lore.kernel.org/r/20210415210945.25863-1-dariobin@libero.it Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 927162c7133ffbd3ccea3d6f4b9867842f6b9e06 Author: Tetsuo Handa Date: Thu Apr 15 09:22:22 2021 +0900 ttyprintk: Add TTY hangup callback. [ Upstream commit c0070e1e60270f6a1e09442a9ab2335f3eaeaad2 ] syzbot is reporting hung task due to flood of tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__, port->count); message [1], for ioctl(TIOCVHANGUP) prevents tty_port_close() from decrementing port->count due to tty_hung_up_p() == true. ---------- #include #include #include #include #include int main(int argc, char *argv[]) { int i; int fd[10]; for (i = 0; i < 10; i++) fd[i] = open("/dev/ttyprintk", O_WRONLY); ioctl(fd[0], TIOCVHANGUP); for (i = 0; i < 10; i++) close(fd[i]); close(open("/dev/ttyprintk", O_WRONLY)); return 0; } ---------- When TTY hangup happens, port->count needs to be reset via "struct tty_operations"->hangup callback. [1] https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a Reported-by: syzbot Reported-by: syzbot Tested-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 24b4b67d17c308aa ("add ttyprintk driver") Link: https://lore.kernel.org/r/17e0652d-89b7-c8c0-fb53-e7566ac9add4@i-love.sakura.ne.jp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 62bb46f51f916d25c5ee7178d52baf4a80c5bf55 Author: Artur Petrosyan Date: Fri Apr 16 16:47:14 2021 +0400 usb: dwc2: Fix hibernation between host and device modes. [ Upstream commit 24d209dba5a3959b2ebde7cf3ad40c8015e814cf ] When core is in hibernation in host mode and a device cable was connected then driver exited from device hibernation. However, registers saved for host mode and when exited from device hibernation register restore would be done for device register which was wrong because there was no device registers stored to restore. - Added dwc_handle_gpwrdn_disc_det() function which handles gpwrdn disconnect detect flow and exits hibernation without restoring the registers. - Updated exiting from hibernation in GPWRDN_STS_CHGINT with calling dwc_handle_gpwrdn_disc_det() function. Here no register is restored which is the solution described above. Fixes: 65c9c4c6b01f ("usb: dwc2: Add dwc2_handle_gpwrdn_intr() handler") Acked-by: Minas Harutyunyan Signed-off-by: Artur Petrosyan Signed-off-by: Minas Harutyunyan Link: https://lore.kernel.org/r/20210416124715.75355A005D@mailhost.synopsys.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7bf9d7286cf26c86f07e01eead54c1faa2fd29aa Author: Artur Petrosyan Date: Fri Apr 16 16:47:06 2021 +0400 usb: dwc2: Fix host mode hibernation exit with remote wakeup flow. [ Upstream commit c2db8d7b9568b10e014af83b3c15e39929e3579e ] Added setting "port_connect_status_change" flag to "1" in order to re-enumerate, because after exit from hibernation port connection status is not detected. Fixes: c5c403dc4336 ("usb: dwc2: Add host/device hibernation functions") Acked-by: Minas Harutyunyan Signed-off-by: Artur Petrosyan Link: https://lore.kernel.org/r/20210416124707.5EEC2A005D@mailhost.synopsys.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1789737ca9f1855251d8d2953b03df6f68da45a7 Author: Chris von Recklinghausen Date: Tue Apr 20 08:57:39 2021 -0400 PM: hibernate: x86: Use crc32 instead of md5 for hibernation e820 integrity check [ Upstream commit f5d1499ae2096d7ea301023c4cc54e427300eb0a ] Hibernation fails on a system in fips mode because md5 is used for the e820 integrity check and is not available. Use crc32 instead. The check is intended to detect whether the E820 memory map provided by the firmware after cold boot unexpectedly differs from the one that was in use when the hibernation image was created. In this case, the hibernation image cannot be restored, as it may cover memory regions that are no longer available to the OS. A non-cryptographic checksum such as CRC-32 is sufficient to detect such inadvertent deviations. Fixes: 62a03defeabd ("PM / hibernate: Verify the consistent of e820 memory map by md5 digest") Reviewed-by: Eric Biggers Tested-by: Dexuan Cui Reviewed-by: Dexuan Cui Signed-off-by: Chris von Recklinghausen [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8b4d4bd1f1ce21f74e1af561b74538e5c98ea603 Author: Michael Kelley Date: Mon Apr 19 21:48:09 2021 -0700 Drivers: hv: vmbus: Increase wait time for VMbus unload [ Upstream commit 77db0ec8b7764cb9b09b78066ebfd47b2c0c1909 ] When running in Azure, disks may be connected to a Linux VM with read/write caching enabled. If a VM panics and issues a VMbus UNLOAD request to Hyper-V, the response is delayed until all dirty data in the disk cache is flushed. In extreme cases, this flushing can take 10's of seconds, depending on the disk speed and the amount of dirty data. If kdump is configured for the VM, the current 10 second timeout in vmbus_wait_for_unload() may be exceeded, and the UNLOAD complete message may arrive well after the kdump kernel is already running, causing problems. Note that no problem occurs if kdump is not enabled because Hyper-V waits for the cache flush before doing a reboot through the BIOS/UEFI code. Fix this problem by increasing the timeout in vmbus_wait_for_unload() to 100 seconds. Also output periodic messages so that if anyone is watching the serial console, they won't think the VM is completely hung. Fixes: 911e1987efc8 ("Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload") Signed-off-by: Michael Kelley Reviewed-by: Vitaly Kuznetsov Link: https://lore.kernel.org/r/1618894089-126662-1-git-send-email-mikelley@microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 816fbc17cbe8e666a861fc637771d19a69b6de12 Author: Paul Fertser Date: Fri Apr 16 13:29:04 2021 +0300 hwmon: (pmbus/pxe1610) don't bail out when not all pages are active [ Upstream commit f025314306ae17a3fdaf2874d7e878ce19cea363 ] Certain VRs might be configured to use only the first output channel and so the mode for the second will be 0. Handle this gracefully. Fixes: b9fa0a3acfd8 ("hwmon: (pmbus/core) Add support for vid mode detection per page bases") Signed-off-by: Paul Fertser Link: https://lore.kernel.org/r/20210416102926.13614-1-fercerpav@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit ee9bc379e43c949f65c8b55bd6cc4de7d62cf1c6 Author: Ingo Molnar Date: Tue Apr 20 09:47:42 2021 +0200 x86/platform/uv: Fix !KEXEC build failure [ Upstream commit c2209ea55612efac75de0a58ef5f7394fae7fa0f ] When KEXEC is disabled, the UV build fails: arch/x86/platform/uv/uv_nmi.c:875:14: error: ‘uv_nmi_kexec_failed’ undeclared (first use in this function) Since uv_nmi_kexec_failed is only defined in the KEXEC_CORE #ifdef branch, this code cannot ever have been build tested: if (main) pr_err("UV: NMI kdump: KEXEC not supported in this kernel\n"); atomic_set(&uv_nmi_kexec_failed, 1); Nor is this use possible in uv_handle_nmi(): atomic_set(&uv_nmi_kexec_failed, 0); These bugs were introduced in this commit: d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails") Which added the uv_nmi_kexec_failed assignments to !KEXEC code, while making the definition KEXEC-only - apparently without testing the !KEXEC case. Instead of complicating the #ifdef maze, simplify the code by requiring X86_UV to depend on KEXEC_CORE. This pattern is present in other architectures as well. ( We'll remove the untested, 7 years old !KEXEC complications from the file in a separate commit. ) Fixes: d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails") Signed-off-by: Ingo Molnar Cc: Mike Travis Cc: linux-kernel@vger.kernel.org Signed-off-by: Sasha Levin commit 5980a3b9c933408bc22b0e349b78c3ebd7cbf880 Author: Quanyang Wang Date: Fri Apr 16 08:46:52 2021 +0800 spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails [ Upstream commit 126bdb606fd2802454e6048caef1be3e25dd121e ] The spi controller supports 44-bit address space on AXI in DMA mode, so set dma_addr_t width to 44-bit to avoid using a swiotlb mapping. In addition, if dma_map_single fails, it should return immediately instead of continuing doing the DMA operation which bases on invalid address. This fixes the following crash which occurs in reading a big block from flash: [ 123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots) [ 123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped [ 123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0 [ 123.792536] Mem abort info: [ 123.795313] ESR = 0x96000145 [ 123.798351] EC = 0x25: DABT (current EL), IL = 32 bits [ 123.803655] SET = 0, FnV = 0 [ 123.806693] EA = 0, S1PTW = 0 [ 123.809818] Data abort info: [ 123.812683] ISV = 0, ISS = 0x00000145 [ 123.816503] CM = 1, WnR = 1 [ 123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000 [ 123.825887] [00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000 [ 123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Link: https://lore.kernel.org/r/20210416004652.2975446-6-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1231279389b5e638bc3b66b9741c94077aed4b5a Author: Quanyang Wang Date: Fri Apr 16 08:46:51 2021 +0800 spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op [ Upstream commit a2c5bedb2d55dd27c642c7b9fb6886d7ad7bdb58 ] When handling op->addr, it is using the buffer "tmpbuf" which has been freed. This will trigger a use-after-free KASAN warning. Let's use temporary variables to store op->addr.val and op->cmd.opcode to fix this issue. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Link: https://lore.kernel.org/r/20210416004652.2975446-5-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fa3a26b43760f0601351fc9c07f284cf9967de42 Author: Quanyang Wang Date: Fri Apr 16 08:46:49 2021 +0800 spi: spi-zynqmp-gqspi: fix hang issue when suspend/resume [ Upstream commit 799f923f0a66a9c99f0a3eaa078b306db7a8b33a ] After calling platform_set_drvdata(pdev, xqspi) in probe, the return value of dev_get_drvdata(dev) is a pointer to struct zynqmp_qspi but not struct spi_controller. A wrong structure type passing to the functions spi_controller_suspend/resume will hang the system. And we should check the return value of spi_controller_suspend, if an error is returned, return it to PM subsystem to stop suspend. Also, GQSPI_EN_MASK should be written to GQSPI_EN_OFST to enable the spi controller in zynqmp_qspi_resume since it was disabled in zynqmp_qspi_suspend before. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Link: https://lore.kernel.org/r/20210416004652.2975446-3-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 24159580abcc6a7054d1d82343697261e1a27e2e Author: Quanyang Wang Date: Fri Apr 16 08:46:48 2021 +0800 spi: spi-zynqmp-gqspi: fix clk_enable/disable imbalance issue [ Upstream commit c6bdae08012b2ca3e94f3a41ef4ca8cfe7c9ab6f ] The clks "pclk" and "ref_clk" are enabled twice during the probe. The first time is in the function zynqmp_qspi_probe and the second time is in zynqmp_qspi_setup_op which is called by devm_spi_register_controller. Then calling zynqmp_qspi_remove (rmmod this module) to disable these clks will trigger a warning as below: [ 309.124604] Unpreparing enabled qspi_ref [ 309.128641] WARNING: CPU: 1 PID: 537 at drivers/clk/clk.c:824 clk_core_unprepare+0x108/0x110 Since pm_runtime works now, clks can be enabled/disabled by calling zynqmp_runtime_suspend/resume. So we don't need to enable these clks explicitly in zynqmp_qspi_setup_op. Remove them to fix this issue. And remove clk enabling/disabling in zynqmp_qspi_resume because there is no spi transfer operation so enabling ref_clk is redundant meanwhile pclk is not disabled for it is shared with other peripherals. Furthermore replace clk_enable/disable with clk_prepare_enable and clk_disable_unprepare in runtime_suspend/resume functions. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Link: https://lore.kernel.org/r/20210416004652.2975446-2-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d5c7b42c9f56ca46b286daa537d181bd7f69214f Author: Dan Carpenter Date: Tue Apr 13 13:50:04 2021 +0300 Drivers: hv: vmbus: Use after free in __vmbus_open() [ Upstream commit 3e9bf43f7f7a46f21ec071cb47be92d0874c48da ] The "open_info" variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees "open_info" without removing it from the list. This will result in a use after free. First remove it from the list, and then free it. Fixes: 6f3d791f3006 ("Drivers: hv: vmbus: Fix rescind handling issues") Signed-off-by: Dan Carpenter Reviewed-by: Andrea Parri Link: https://lore.kernel.org/r/YHV3XLCot6xBS44r@mwanda Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit b49bdd70b337b0a34892dc40b8d5c6210ecc64e7 Author: Eddie James Date: Tue Apr 13 14:43:06 2021 -0500 ARM: dts: aspeed: Rainier: Fix humidity sensor bus address [ Upstream commit 1d5d46a1adafafce2b0c9105eab563709c84e3db ] The si7021 was incorrectly placed at 0x20 on i2c bus 7. It is at 0x40. Fixes: 9c44db7096e0 ("ARM: dts: aspeed: rainier: Add i2c devices") Signed-off-by: Eddie James Reviewed-by: Joel Stanley Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit fe310fd19ff138f602cb837470243f1b048d1856 Author: Steffen Dirkwinkel Date: Mon Apr 12 15:30:06 2021 +0200 platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table [ Upstream commit d21e5abd3a005253eb033090aab2e43bce090d89 ] pmc_plt_clk* clocks are used for ethernet controllers, so need to stay turned on. This adds the affected board family to critclk_systems DMI table, so the clocks are marked as CLK_CRITICAL and not turned off. This replaces the previously listed boards with a match for the whole device family CBxx63. CBxx63 matches only baytrail devices. There are new affected boards that would otherwise need to be listed. There are unaffected boards in the family, but having the clocks turned on is not an issue. Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Reviewed-by: Andy Shevchenko Signed-off-by: Steffen Dirkwinkel Link: https://lore.kernel.org/r/20210412133006.397679-1-linux-kernel-dev@beckhoff.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 09a119a2d4c05c98fab63d3976caa813b4a370a8 Author: James Bottomley Date: Wed Jan 27 11:06:15 2021 -0800 security: keys: trusted: fix TPM2 authorizations [ Upstream commit de66514d934d70ce73c302ce0644b54970fc7196 ] In TPM 1.2 an authorization was a 20 byte number. The spec actually recommended you to hash variable length passwords and use the sha1 hash as the authorization. Because the spec doesn't require this hashing, the current authorization for trusted keys is a 40 digit hex number. For TPM 2.0 the spec allows the passing in of variable length passwords and passphrases directly, so we should allow that in trusted keys for ease of use. Update the 'blobauth' parameter to take this into account, so we can now use plain text passwords for the keys. so before keyctl add trusted kmk "new 32 blobauth=f572d396fae9206628714fb2ce00f72e94f2258fkeyhandle=81000001" @u after we will accept both the old hex sha1 form as well as a new directly supplied password: keyctl add trusted kmk "new 32 blobauth=hello keyhandle=81000001" @u Since a sha1 hex code must be exactly 40 bytes long and a direct password must be 20 or less, we use the length as the discriminator for which form is input. Note this is both and enhancement and a potential bug fix. The TPM 2.0 spec requires us to strip leading zeros, meaning empyty authorization is a zero length HMAC whereas we're currently passing in 20 bytes of zeros. A lot of TPMs simply accept this as OK, but the Microsoft TPM emulator rejects it with TPM_RC_BAD_AUTH, so this patch makes the Microsoft TPM emulator work with trusted keys. Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips") Signed-off-by: James Bottomley Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 7bb63ed88189a55d1d618264dafbe37a1f285b56 Author: Krzysztof Kozlowski Date: Wed Apr 7 17:45:35 2021 +0200 memory: samsung: exynos5422-dmc: handle clk_set_parent() failure [ Upstream commit 132c17c3ff878c7beaba51bdd275d5cc654c0e33 ] clk_set_parent() can fail and ignoring such case could lead to invalid clock setup for given frequency. Addresses-Coverity: Unchecked return value Fixes: 6e7674c3c6df ("memory: Add DMC driver for Exynos5422") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Lukasz Luba Link: https://lore.kernel.org/r/20210407154535.70756-1-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 71bcc1b4a1743534d8abdcb57ff912e6bc390438 Author: Krzysztof Kozlowski Date: Wed Apr 7 17:43:57 2021 +0200 memory: renesas-rpc-if: fix possible NULL pointer dereference of resource [ Upstream commit 59e27d7c94aa02da039b000d33c304c179395801 ] The platform_get_resource_byname() can return NULL which would be immediately dereferenced by resource_size(). Instead dereference it after validating the resource. Addresses-Coverity: Dereference null return value Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210407154357.70200-1-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 73585b2714db72c69c462fc0b1119c33cb2d181a Author: Wei Yongjun Date: Mon Apr 12 16:00:25 2021 +0000 spi: spi-zynqmp-gqspi: Fix missing unlock on error in zynqmp_qspi_exec_op() [ Upstream commit 6043357263fbe2df0bf0736d971ad5dce7d19dc1 ] Add the missing unlock before return from function zynqmp_qspi_exec_op() in the error handling case. Fixes: a0f65be6e880 ("spi: spi-zynqmp-gqspi: add mutex locking for exec_op") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Link: https://lore.kernel.org/r/20210412160025.194171-1-weiyongjun1@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 58ee5a0de192f698b136128154b32773d946ec47 Author: Liam Howlett Date: Wed Apr 7 20:00:45 2021 +0000 m68k: Add missing mmap_read_lock() to sys_cacheflush() [ Upstream commit f829b4b212a315b912cb23fd10aaf30534bb5ce9 ] When the superuser flushes the entire cache, the mmap_read_lock() is not taken, but mmap_read_unlock() is called. Add the missing mmap_read_lock() call. Fixes: cd2567b6850b1648 ("m68k: call find_vma with the mmap_sem held in sys_cacheflush()") Signed-off-by: Liam R. Howlett Reviewed-by: Matthew Wilcox (Oracle) Link: https://lore.kernel.org/r/20210407200032.764445-1-Liam.Howlett@Oracle.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 99d2fa2daf6da877e85c0ee8dd3a3a1fc4194b64 Author: Ye Bin Date: Thu Apr 8 19:23:05 2021 +0800 usbip: vudc: fix missing unlock on error in usbip_sockfd_store() [ Upstream commit 1d08ed588c6a85a35a24c82eb4cf0807ec2b366a ] Add the missing unlock before return from function usbip_sockfd_store() in the error handling case. Fixes: bd8b82042269 ("usbip: vudc synchronize sysfs code paths") Reported-by: Hulk Robot Acked-by: Shuah Khan Signed-off-by: Ye Bin Link: https://lore.kernel.org/r/20210408112305.1022247-1-yebin10@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 99a29899e3a3bf62fbffbdf2d0c6b2d8efc12f65 Author: Ayush Sawal Date: Sat Apr 3 00:55:48 2021 +0530 crypto: chelsio - Read rxchannel-id from firmware [ Upstream commit 16a9874fe468855e8ddd72883ca903f706d0a9d0 ] The rxchannel id is updated by the driver using the port no value, but this does not ensure that the value is correct. So now rx channel value is obtained from etoc channel map value. Fixes: 567be3a5d227 ("crypto: chelsio - Use multiple txq/rxq per...") Signed-off-by: Ayush Sawal Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c703ef8289dce715a012d038412030b49bfbf049 Author: Dan Carpenter Date: Fri Apr 9 14:01:57 2021 +0300 node: fix device cleanups in error handling code [ Upstream commit 4ce535ec0084f0d712317cb99d383cad3288e713 ] We can't use kfree() to free device managed resources so the kfree(dev) is against the rules. It's easier to write this code if we open code the device_register() as a device_initialize() and device_add(). That way if dev_set_name() set name fails we can call put_device() and it will clean up correctly. Fixes: acc02a109b04 ("node: Add memory-side caching attributes") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YHA0JUra+F64+NpB@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 190a2f24aed6546b98469b413306dc73d201df06 Author: He Ying Date: Tue Apr 6 05:42:00 2021 -0400 firmware: qcom-scm: Fix QCOM_SCM configuration [ Upstream commit 2954a6f12f250890ec2433cec03ba92784d613e8 ] When CONFIG_QCOM_SCM is y and CONFIG_HAVE_ARM_SMCCC is not set, compiling errors are encountered as follows: drivers/firmware/qcom_scm-smc.o: In function `__scm_smc_do_quirk': qcom_scm-smc.c:(.text+0x36): undefined reference to `__arm_smccc_smc' drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call': qcom_scm-legacy.c:(.text+0xe2): undefined reference to `__arm_smccc_smc' drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call_atomic': qcom_scm-legacy.c:(.text+0x1f0): undefined reference to `__arm_smccc_smc' Note that __arm_smccc_smc is defined when HAVE_ARM_SMCCC is y. So add dependency on HAVE_ARM_SMCCC in QCOM_SCM configuration. Fixes: 916f743da354 ("firmware: qcom: scm: Move the scm driver to drivers/firmware") Reported-by: Hulk Robot Signed-off-by: He Ying Link: https://lore.kernel.org/r/20210406094200.60952-1-heying24@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 26882a15ed238749a14551cdc855551392fe9f84 Author: Johan Hovold Date: Wed Apr 7 11:52:08 2021 +0200 serial: core: return early on unsupported ioctls [ Upstream commit 79c5966cec7b148199386ef9933c31b999379065 ] Drivers can return -ENOIOCTLCMD when an ioctl is not recognised to tell the upper layers to continue looking for a handler. This is not the case for the RS485 and ISO7816 ioctls whose handlers should return -ENOTTY directly in case a serial driver does not implement the corresponding methods. Fixes: a5f276f10ff7 ("serial_core: Handle TIOC[GS]RS485 ioctls.") Fixes: ad8c0eaa0a41 ("tty/serial_core: add ISO7816 infrastructure") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407095208.31838-9-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1d9cde4ddf6cd76aa20e1100c8885b80b65ca78c Author: Johan Hovold Date: Wed Apr 7 11:52:03 2021 +0200 tty: fix return value for unsupported termiox ioctls [ Upstream commit 8871de06ff78e9333d86c87d7071452b690e7c9b ] Drivers should return -ENOTTY ("Inappropriate I/O control operation") when an ioctl isn't supported, while -EINVAL is used for invalid arguments. Support for termiox was added by commit 1d65b4a088de ("tty: Add termiox") in 2008 but no driver support ever followed and it was recently ripped out by commit e0efb3168d34 ("tty: Remove dead termiox code"). Fix the return value for the unsupported termiox ioctls, which have always returned -EINVAL, by explicitly returning -ENOTTY rather than removing them completely and falling back to the default unrecognised- ioctl handling. Fixes: 1d65b4a088de ("tty: Add termiox") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407095208.31838-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit eef2158b0c44baa8cd9855091b1d99a35e16afdb Author: Jann Horn Date: Thu Dec 3 03:03:31 2020 +0100 tty: Remove dead termiox code [ Upstream commit e0efb3168d34dc8c8c72718672b8902e40efff8f ] set_termiox() and the TCGETX handler bail out with -EINVAL immediately if ->termiox is NULL, but there are no code paths that can set ->termiox to a non-NULL pointer; and no such code paths seem to have existed since the termiox mechanism was introduced back in commit 1d65b4a088de ("tty: Add termiox") in v2.6.28. Similarly, no driver actually implements .set_termiox; and it looks like no driver ever has. Delete this dead code; but leave the definition of struct termiox in the UAPI headers intact. Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20201203020331.2394754-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit aa7f103da301897d61159c37945af5a37a6e85c4 Author: Johan Hovold Date: Wed Apr 7 11:52:02 2021 +0200 tty: fix return value for unsupported ioctls [ Upstream commit 1b8b20868a6d64cfe8174a21b25b74367bdf0560 ] Drivers should return -ENOTTY ("Inappropriate I/O control operation") when an ioctl isn't supported, while -EINVAL is used for invalid arguments. Fix up the TIOCMGET, TIOCMSET and TIOCGICOUNT helpers which returned -EINVAL when a tty driver did not implement the corresponding operations. Note that the TIOCMGET and TIOCMSET helpers predate git and do not get a corresponding Fixes tag below. Fixes: d281da7ff6f7 ("tty: Make tiocgicount a handler") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407095208.31838-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bd8fa4ef36cafa76f992ee138c7d9e67f14a2ca1 Author: Johan Hovold Date: Wed Apr 7 11:52:01 2021 +0200 tty: actually undefine superseded ASYNC flags [ Upstream commit d09845e98a05850a8094ea8fd6dd09a8e6824fff ] Some kernel-internal ASYNC flags have been superseded by tty-port flags and should no longer be used by kernel drivers. Fix the misspelled "__KERNEL__" compile guards which failed their sole purpose to break out-of-tree drivers that have not yet been updated. Fixes: 5c0517fefc92 ("tty: core: Undefine ASYNC_* flags superceded by TTY_PORT* flags") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407095208.31838-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 45c7e5c1428f9795745b4451b9e95b30bdd41412 Author: Johan Hovold Date: Thu Apr 8 15:16:02 2021 +0200 USB: cdc-acm: fix TIOCGSERIAL implementation [ Upstream commit 496960274153bdeb9d1f904ff1ea875cef8232c1 ] TIOCSSERIAL is a horrid, underspecified, legacy interface which for most serial devices is only useful for setting the close_delay and closing_wait parameters. The xmit_fifo_size parameter could be used to set the hardware transmit fifo size of a legacy UART when it could not be detected, but the interface is limited to eight bits and should be left unset when it is not used. Similarly, baud_base could be used to set the UART base clock when it could not be detected, but might as well be left unset when it is not known (which is the case for CDC). Fix the cdc-acm TIOCGSERIAL implementation by dropping its custom interpretation of the unused xmit_fifo_size and baud_base fields, which overflowed the former with the URB buffer size and set the latter to the current line speed. Also return the port line number, which is the only other value used besides the close parameters. Note that the current line speed can still be retrieved through the standard termios interfaces. Fixes: 18c75720e667 ("USB: allow users to run setserial with cdc-acm") Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210408131602.27956-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4425c2f32ac9fc7d3699084134a55672361d2fc3 Author: Johan Hovold Date: Thu Apr 8 15:16:01 2021 +0200 USB: cdc-acm: fix unprivileged TIOCCSERIAL [ Upstream commit dd5619582d60007139f0447382d2839f4f9e339b ] TIOCSSERIAL is a horrid, underspecified, legacy interface which for most serial devices is only useful for setting the close_delay and closing_wait parameters. A non-privileged user has only ever been able to set the since long deprecated ASYNC_SPD flags and trying to change any other *supported* feature should result in -EPERM being returned. Setting the current values for any supported features should return success. Fix the cdc-acm implementation which instead indicated that the TIOCSSERIAL ioctl was not even implemented when a non-privileged user set the current values. Fixes: ba2d8ce9db0a ("cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)") Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210408131602.27956-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e38a77c48aa02e0d58a366466c430b8fd9efb887 Author: Colin Ian King Date: Tue Apr 6 19:45:10 2021 +0100 usb: gadget: r8a66597: Add missing null check on return from platform_get_resource [ Upstream commit 9c2076090c2815fe7c49676df68dde7e60a9b9fc ] The call to platform_get_resource can potentially return a NULL pointer on failure, so add this check and return -EINVAL if it fails. Fixes: c41442474a26 ("usb: gadget: R8A66597 peripheral controller support.") Signed-off-by: Colin Ian King Addresses-Coverity: ("Dereference null return") Link: https://lore.kernel.org/r/20210406184510.433497-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ce02e58ddf8658a4c3bed2296f32a5873b3f7cce Author: Wang Li Date: Fri Apr 9 09:54:30 2021 +0000 spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() [ Upstream commit a03675497970a93fcf25d81d9d92a59c2d7377a7 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi") Reported-by: Hulk Robot Signed-off-by: Wang Li Link: https://lore.kernel.org/r/20210409095430.29868-1-wangli74@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cbe254a1fdce3b7ebb9a2a2f04ce35e04fa9b1f6 Author: Quanyang Wang Date: Thu Apr 8 12:02:23 2021 +0800 spi: spi-zynqmp-gqspi: fix incorrect operating mode in zynqmp_qspi_read_op [ Upstream commit 41d310930084502433fcb3c4baf219e7424b7734 ] When starting a read operation, we should call zynqmp_qspi_setuprxdma first to set xqspi->mode according to xqspi->bytes_to_receive and to calculate correct xqspi->dma_rx_bytes. Then in the function zynqmp_qspi_fillgenfifo, generate the appropriate command with operating mode and bytes to transfer, and fill the GENFIFO with the command to perform the read operation. Calling zynqmp_qspi_fillgenfifo before zynqmp_qspi_setuprxdma will result in incorrect transfer length and operating mode. So change the calling order to fix this issue. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Reviewed-by: Amit Kumar Mahapatra Link: https://lore.kernel.org/r/20210408040223.23134-5-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 314469666791be52fabd2f9a2026b4e388aaedfb Author: Quanyang Wang Date: Thu Apr 8 12:02:22 2021 +0800 spi: spi-zynqmp-gqspi: transmit dummy circles by using the controller's internal functionality [ Upstream commit 8ad07d79bd56a531990a1a3f3f1c0eb19d2de806 ] There is a data corruption issue that occurs in the reading operation (cmd:0x6c) when transmitting common data as dummy circles. The gqspi controller has the functionality to send dummy clock circles. When writing data with the fields [receive, transmit, data_xfer] = [0,0,1] to the Generic FIFO, and configuring the correct SPI mode, the controller will transmit dummy circles. So let's switch to hardware dummy cycles transfer to fix this issue. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Reviewed-by: Amit Kumar Mahapatra Link: https://lore.kernel.org/r/20210408040223.23134-4-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6bd307eb518d56360ca58410e0e45b5716890ed0 Author: Quanyang Wang Date: Thu Apr 8 12:02:21 2021 +0800 spi: spi-zynqmp-gqspi: add mutex locking for exec_op [ Upstream commit a0f65be6e880a14d3445b75e7dc03d7d015fc922 ] The spi-mem framework has no locking to prevent ctlr->mem_ops->exec_op from concurrency. So add the locking to zynqmp_qspi_exec_op. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Reviewed-by: Amit Kumar Mahapatra Link: https://lore.kernel.org/r/20210408040223.23134-3-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c164328f57c4263499c5f5ce3493e7319eb039cb Author: Quanyang Wang Date: Thu Apr 8 12:02:20 2021 +0800 spi: spi-zynqmp-gqspi: use wait_for_completion_timeout to make zynqmp_qspi_exec_op not interruptible [ Upstream commit a16bff68b75fd082d36aa0b14b540bd7a3ebebbd ] When Ctrl+C occurs during the process of zynqmp_qspi_exec_op, the function wait_for_completion_interruptible_timeout will return a non-zero value -ERESTARTSYS immediately. This will disrupt the SPI memory operation because the data transmitting may begin before the command or address transmitting completes. Use wait_for_completion_timeout to prevent the process from being interruptible. This patch fixes the error as below: root@xilinx-zynqmp:~# flash_erase /dev/mtd3 0 0 Erasing 4 Kibyte @ 3d000 -- 4 % complete (Press Ctrl+C) [ 169.581911] zynqmp-qspi ff0f0000.spi: Chip select timed out [ 170.585907] zynqmp-qspi ff0f0000.spi: Chip select timed out [ 171.589910] zynqmp-qspi ff0f0000.spi: Chip select timed out [ 172.593910] zynqmp-qspi ff0f0000.spi: Chip select timed out [ 173.597907] zynqmp-qspi ff0f0000.spi: Chip select timed out [ 173.603480] spi-nor spi0.0: Erase operation failed. [ 173.608368] spi-nor spi0.0: Attempted to modify a protected sector. Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework") Signed-off-by: Quanyang Wang Reviewed-by: Amit Kumar Mahapatra Link: https://lore.kernel.org/r/20210408040223.23134-2-quanyang.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 36cf347de9c4079df90735f5fafb7adfe21f2570 Author: Pali Rohár Date: Thu Apr 8 13:42:21 2021 +0200 cpufreq: armada-37xx: Fix determining base CPU frequency [ Upstream commit 8bad3bf23cbc40abe1d24cec08a114df6facf858 ] When current CPU load is not L0 then loading armada-37xx-cpufreq.ko driver fails with following error: # modprobe armada-37xx-cpufreq [ 502.702097] Unsupported CPU frequency 250 MHz This issue was partially fixed by commit 8db82563451f ("cpufreq: armada-37xx: fix frequency calculation for opp"), but only for calculating CPU frequency for opp. Fix this also for determination of base CPU frequency. Signed-off-by: Pali Rohár Acked-by: Gregory CLEMENT Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 92ce45fb875d ("cpufreq: Add DVFS support for Armada 37xx") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 2f412fba2749887c7cd7850ff15054d4854b6bf8 Author: Pali Rohár Date: Thu Apr 8 13:42:20 2021 +0200 cpufreq: armada-37xx: Fix driver cleanup when registration failed [ Upstream commit 92963903a8e11b9576eb7249f8e81eefa93b6f96 ] Commit 8db82563451f ("cpufreq: armada-37xx: fix frequency calculation for opp") changed calculation of frequency passed to the dev_pm_opp_add() function call. But the code for dev_pm_opp_remove() function call was not updated, so the driver cleanup phase does not work when registration fails. This fixes the issue by using the same frequency in both calls. Signed-off-by: Pali Rohár Acked-by: Gregory CLEMENT Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 8db82563451f ("cpufreq: armada-37xx: fix frequency calculation for opp") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 6d7507243e05d3ec2d7ba6d17b180f36e86110e8 Author: Pali Rohár Date: Thu Apr 8 13:42:19 2021 +0200 clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 [ Upstream commit e93033aff684641f71a436ca7a9d2a742126baaf ] When CPU frequency is at 250 MHz and set_rate() is called with 500 MHz (L1) quickly followed by a call with 1 GHz (L0), the CPU does not necessarily stay in L1 for at least 20ms as is required by Marvell errata. This situation happens frequently with the ondemand cpufreq governor and can be also reproduced with userspace governor. In most cases it causes CPU to crash. This change fixes the above issue and ensures that the CPU always stays in L1 for at least 20ms when switching from any state to L0. Signed-off-by: Marek Behún Signed-off-by: Pali Rohár Acked-by: Stephen Boyd Acked-by: Gregory CLEMENT Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 61c40f35f5cd ("clk: mvebu: armada-37xx-periph: Fix switching CPU rate from 300Mhz to 1.2GHz") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit a7ddbc86e4e4d591f105cf0706e5a2ee65a62aa5 Author: Pali Rohár Date: Thu Apr 8 13:42:18 2021 +0200 clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz [ Upstream commit 4decb9187589f61fe9fc2bc4d9b01160b0a610c5 ] It was observed that the workaround introduced by commit 61c40f35f5cd ("clk: mvebu: armada-37xx-periph: Fix switching CPU rate from 300Mhz to 1.2GHz") when base CPU frequency is 1.2 GHz is also required when base CPU frequency is 1 GHz. Otherwise switching CPU frequency directly from L2 (250 MHz) to L0 (1 GHz) causes a crash. When base CPU frequency is just 800 MHz no crashed were observed during switch from L2 to L0. Signed-off-by: Pali Rohár Acked-by: Stephen Boyd Acked-by: Gregory CLEMENT Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 2089dc33ea0e ("clk: mvebu: armada-37xx-periph: add DVFS support for cpu clocks") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit ce4b8f58b6119d9490dfdf090bc29ad2ce12267e Author: Pali Rohár Date: Thu Apr 8 13:42:17 2021 +0200 cpufreq: armada-37xx: Fix the AVS value for load L1 [ Upstream commit d118ac2062b5b8331c8768ac81e016617e0996ee ] The original CPU voltage value for load L1 is too low for Armada 37xx SoC when base CPU frequency is 1000 or 1200 MHz. It leads to instabilities where CPU gets stuck soon after dynamic voltage scaling from load L1 to L0. Update the CPU voltage value for load L1 accordingly when base frequency is 1000 or 1200 MHz. The minimal L1 value for base CPU frequency 1000 MHz is updated from the original 1.05V to 1.108V and for 1200 MHz is updated to 1.155V. This minimal L1 value is used only in the case when it is lower than value for L0. This change fixes CPU instability issues on 1 GHz and 1.2 GHz variants of Espressobin and 1 GHz Turris Mox. Marvell previously for 1 GHz variant of Espressobin provided a patch [1] suitable only for their Marvell Linux kernel 4.4 fork which workarounded this issue. Patch forced CPU voltage value to 1.108V in all loads. But such change does not fix CPU instability issues on 1.2 GHz variants of Armada 3720 SoC. During testing we come to the conclusion that using 1.108V as minimal value for L1 load makes 1 GHz variants of Espressobin and Turris Mox boards stable. And similarly 1.155V for 1.2 GHz variant of Espressobin. These two values 1.108V and 1.155V are documented in Armada 3700 Hardware Specifications as typical initial CPU voltage values. Discussion about this issue is also at the Armbian forum [2]. [1] - https://github.com/MarvellEmbeddedProcessors/linux-marvell/commit/dc33b62c90696afb6adc7dbcc4ebbd48bedec269 [2] - https://forum.armbian.com/topic/10429-how-to-make-espressobin-v7-stable/ Signed-off-by: Pali Rohár Acked-by: Gregory CLEMENT Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 1c3528232f4b ("cpufreq: armada-37xx: Add AVS support") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit cccc3f18fcb5d0da6446941f9aff11dcdc62aa1f Author: Marek Behún Date: Thu Apr 8 13:42:16 2021 +0200 clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock [ Upstream commit 4e435a9dd26c46ac018997cc0562d50b1a96f372 ] Remove the .set_parent method in clk_pm_cpu_ops. This method was supposed to be needed by the armada-37xx-cpufreq driver, but was never actually called due to wrong assumptions in the cpufreq driver. After this was fixed in the cpufreq driver, this method is not needed anymore. Signed-off-by: Marek Behún Acked-by: Stephen Boyd Acked-by: Gregory CLEMENT Tested-by: Pali Rohár Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 2089dc33ea0e ("clk: mvebu: armada-37xx-periph: add DVFS support for cpu clocks") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit a13b110e7c9e0dc2edcc7a19d4255fc88abd83cc Author: Marek Behún Date: Thu Apr 8 13:42:15 2021 +0200 cpufreq: armada-37xx: Fix setting TBG parent for load levels [ Upstream commit 22592df194e31baf371906cc720da38fa0ab68f5 ] With CPU frequency determining software [1] we have discovered that after this driver does one CPU frequency change, the base frequency of the CPU is set to the frequency of TBG-A-P clock, instead of the TBG that is parent to the CPU. This can be reproduced on EspressoBIN and Turris MOX: cd /sys/devices/system/cpu/cpufreq/policy0 echo powersave >scaling_governor echo performance >scaling_governor Running the mhz tool before this driver is loaded reports 1000 MHz, and after loading the driver and executing commands above the tool reports 800 MHz. The change of TBG clock selector is supposed to happen in function armada37xx_cpufreq_dvfs_setup. Before the function returns, it does this: parent = clk_get_parent(clk); clk_set_parent(clk, parent); The armada-37xx-periph clock driver has the .set_parent method implemented correctly for this, so if the method was actually called, this would work. But since the introduction of the common clock framework in commit b2476490ef11 ("clk: introduce the common clock..."), the clk_set_parent function checks whether the parent is actually changing, and if the requested new parent is same as the old parent (which is obviously the case for the code above), the .set_parent method is not called at all. This patch fixes this issue by filling the correct TBG clock selector directly in the armada37xx_cpufreq_dvfs_setup during the filling of other registers at the same address. But the determination of CPU TBG index cannot be done via the common clock framework, therefore we need to access the North Bridge Peripheral Clock registers directly in this driver. [1] https://github.com/wtarreau/mhz Signed-off-by: Marek Behún Acked-by: Gregory CLEMENT Tested-by: Pali Rohár Tested-by: Tomasz Maciej Nowak Tested-by: Anders Trier Olesen Tested-by: Philip Soares Fixes: 92ce45fb875d ("cpufreq: Add DVFS support for Armada 37xx") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 1faf7e6199b8f3874f1b0e3d046931ecb4925a5a Author: Lv Yunlong Date: Fri Apr 2 10:13:48 2021 -0700 crypto: qat - Fix a double free in adf_create_ring [ Upstream commit f7cae626cabb3350b23722b78fe34dd7a615ca04 ] In adf_create_ring, if the callee adf_init_ring() failed, the callee will free the ring->base_addr by dma_free_coherent() and return -EFAULT. Then adf_create_ring will goto err and the ring->base_addr will be freed again in adf_cleanup_ring(). My patch sets ring->base_addr to NULL after the first freed to avoid the double free. Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code") Signed-off-by: Lv Yunlong Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0e596b3734649041ed77edc86a23c0442bbe062b Author: Colin Ian King Date: Thu Apr 1 16:28:39 2021 +0100 crypto: sa2ul - Fix memory leak of rxd [ Upstream commit 854b7737199848a91f6adfa0a03cf6f0c46c86e8 ] There are two error return paths that are not freeing rxd and causing memory leaks. Fix these. Addresses-Coverity: ("Resource leak") Fixes: 00c9211f60db ("crypto: sa2ul - Fix DMA mapping API usage") Signed-off-by: Colin Ian King Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2c67a9333da9d0a3b87310e0d116b7c9070c7b00 Author: Colin Ian King Date: Thu Apr 1 16:18:27 2021 +0100 crypto: sun8i-ss - Fix memory leak of pad [ Upstream commit 50274b01ac1689b1a3f6bc4b5b3dbf361a55dd3a ] It appears there are several failure return paths that don't seem to be free'ing pad. Fix these. Addresses-Coverity: ("Resource leak") Fixes: d9b45418a917 ("crypto: sun8i-ss - support hash algorithms") Signed-off-by: Colin Ian King Acked-by: Corentin Labbe Tested-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2e57ffdb569602c7b5e574281de7d51a0b519b52 Author: Corentin Labbe Date: Mon Mar 29 22:12:00 2021 +0200 crypto: allwinner - add missing CRYPTO_ prefix [ Upstream commit ac1af1a788b2002eb9d6f5ca6054517ad27f1930 ] Some CONFIG select miss CRYPTO_. Reported-by: Chen-Yu Tsai Fixes: 56f6d5aee88d1 ("crypto: sun8i-ce - support hash algorithms") Fixes: d9b45418a9177 ("crypto: sun8i-ss - support hash algorithms") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ac0fc2de8ad10fcc5469a6cc770b0d2247a7db11 Author: Nathan Chancellor Date: Wed Apr 7 14:30:48 2021 -0700 ACPI: CPPC: Replace cppc_attr with kobj_attribute [ Upstream commit 2bc6262c6117dd18106d5aa50d53e945b5d99c51 ] All of the CPPC sysfs show functions are called via indirect call in kobj_attr_show(), where they should be of type ssize_t (*show)(struct kobject *kobj, struct kobj_attribute *attr, char *buf); because that is the type of the ->show() member in 'struct kobj_attribute' but they are actually of type ssize_t (*show)(struct kobject *kobj, struct attribute *attr, char *buf); because of the ->show() member in 'struct cppc_attr', resulting in a Control Flow Integrity violation [1]. $ cat /sys/devices/system/cpu/cpu0/acpi_cppc/highest_perf 3400 $ dmesg | grep "CFI failure" [ 175.970559] CFI failure (target: show_highest_perf+0x0/0x8): As far as I can tell, the only difference between 'struct cppc_attr' and 'struct kobj_attribute' aside from the type of the attr parameter is the type of the count parameter in the ->store() member (ssize_t vs. size_t), which does not actually matter because all of these nodes are read-only. Eliminate 'struct cppc_attr' in favor of 'struct kobj_attribute' to fix the violation. [1]: https://lore.kernel.org/r/20210401233216.2540591-1-samitolvanen@google.com/ Fixes: 158c998ea44b ("ACPI / CPPC: add sysfs support to compute delivered performance") Link: https://github.com/ClangBuiltLinux/linux/issues/1343 Signed-off-by: Nathan Chancellor Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e65c287c9bd8fee5cdb9b70831c272831920f49a Author: He Ying Date: Tue Apr 6 08:33:28 2021 -0400 cpuidle: Fix ARM_QCOM_SPM_CPUIDLE configuration [ Upstream commit 498ba2a8a2756694b6f3888857426dbc8a5e6b6c ] When CONFIG_ARM_QCOM_SPM_CPUIDLE is y and CONFIG_MMU is not set, compiling errors are encountered as follows: drivers/cpuidle/cpuidle-qcom-spm.o: In function `spm_dev_probe': cpuidle-qcom-spm.c:(.text+0x140): undefined reference to `cpu_resume_arm' cpuidle-qcom-spm.c:(.text+0x148): undefined reference to `cpu_resume_arm' Note that cpu_resume_arm is defined when MMU is set. So, add dependency on MMU in ARM_QCOM_SPM_CPUIDLE configuration. Fixes: a871be6b8eee ("cpuidle: Convert Qualcomm SPM driver to a generic CPUidle driver") Reported-by: Hulk Robot Signed-off-by: He Ying Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210406123328.92904-1-heying24@huawei.com Signed-off-by: Sasha Levin commit 8316ec23bdd0384b6ebbc53f98edcf784dce3019 Author: YueHaibing Date: Fri Apr 2 14:14:22 2021 +0800 PM: runtime: Replace inline function pm_runtime_callbacks_present() [ Upstream commit 953c1fd96b1a70bcbbfb10973c2126eba8d891c7 ] Commit 9a7875461fd0 ("PM: runtime: Replace pm_runtime_callbacks_present()") forgot to change the inline version. Fixes: 9a7875461fd0 ("PM: runtime: Replace pm_runtime_callbacks_present()") Signed-off-by: YueHaibing Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit d97cb4365747fdd36a7eacee2b89a80e6785ea97 Author: Bjorn Andersson Date: Thu Jan 7 15:25:26 2021 -0800 soc: qcom: mdt_loader: Detect truncated read of segments [ Upstream commit 0648c55e3a21ccd816e99b6600d6199fbf39d23a ] Given that no validation of how much data the firmware loader read in for a given segment truncated segment files would best case result in a hash verification failure, without any indication of what went wrong. Improve this by validating that the firmware loader did return the amount of data requested. Fixes: 445c2410a449 ("soc: qcom: mdt_loader: Use request_firmware_into_buf()") Reviewed-by: Sibi Sankar Link: https://lore.kernel.org/r/20210107232526.716989-1-bjorn.andersson@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit ab86e5145f61ad8f47a81b2d3a39ea7c6a54ad8b Author: Bjorn Andersson Date: Thu Jan 7 15:31:19 2021 -0800 soc: qcom: mdt_loader: Validate that p_filesz < p_memsz [ Upstream commit 84168d1b54e76a1bcb5192991adde5176abe02e3 ] The code validates that segments of p_memsz bytes of a segment will fit in the provided memory region, but does not validate that p_filesz bytes will, which means that an incorrectly crafted ELF header might write beyond the provided memory region. Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Reviewed-by: Sibi Sankar Link: https://lore.kernel.org/r/20210107233119.717173-1-bjorn.andersson@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 078362f495a0c5477f52fe2dff404fd5aa3dd9e1 Author: Yang Yingliang Date: Thu Apr 1 22:03:50 2021 +0800 spi: fsl: add missing iounmap() on error in of_fsl_spi_probe() [ Upstream commit 5fed9fe5b41aea58e5b32be506dc50c9ab9a0e4d ] Add the missing iounmap() before return from of_fsl_spi_probe() in the error handling case. Fixes: 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210401140350.1677925-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c7fabe372a9031acd00498bc718ce27c253abfd1 Author: William A. Kennington III Date: Wed Apr 7 02:55:27 2021 -0700 spi: Fix use-after-free with devm_spi_alloc_* [ Upstream commit 794aaf01444d4e765e2b067cba01cc69c1c68ed9 ] We can't rely on the contents of the devres list during spi_unregister_controller(), as the list is already torn down at the time we perform devres_find() for devm_spi_release_controller. This causes devices registered with devm_spi_alloc_{master,slave}() to be mistakenly identified as legacy, non-devm managed devices and have their reference counters decremented below 0. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174 [] (refcount_warn_saturate) from [] (kobject_put+0x90/0x98) [] (kobject_put) from [] (put_device+0x20/0x24) r4:b6700140 [] (put_device) from [] (devm_spi_release_controller+0x3c/0x40) [] (devm_spi_release_controller) from [] (release_nodes+0x84/0xc4) r5:b6700180 r4:b6700100 [] (release_nodes) from [] (devres_release_all+0x5c/0x60) r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10 [] (devres_release_all) from [] (__device_release_driver+0x144/0x1ec) r5:b117ad94 r4:b163dc10 [] (__device_release_driver) from [] (device_driver_detach+0x84/0xa0) r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10 [] (device_driver_detach) from [] (unbind_store+0xe4/0xf8) Instead, determine the devm allocation state as a flag on the controller which is guaranteed to be stable during cleanup. Fixes: 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation") Signed-off-by: William A. Kennington III Link: https://lore.kernel.org/r/20210407095527.2771582-1-wak@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1de36911689c192aa1c20682102ceb956b5372c0 Author: Wei Yongjun Date: Mon Mar 8 12:30:31 2021 +0000 clocksource/drivers/ingenic_ost: Fix return value check in ingenic_ost_probe() [ Upstream commit 2a65f7e2772613debd03fa2492e76a635aa04545 ] In case of error, the function device_node_to_regmap() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: ca7b72b5a5f2 ("clocksource: Add driver for the Ingenic JZ47xx OST") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210308123031.2285083-1-weiyongjun1@huawei.com Signed-off-by: Sasha Levin commit edfcc1835958392c0eaad85e6c0cb0b302fe3695 Author: Tony Lindgren Date: Thu Mar 4 09:21:35 2021 +0200 clocksource/drivers/timer-ti-dm: Add missing set_state_oneshot_stopped [ Upstream commit ac4daf737674b4d29e19b7c300caff3bcf7160d8 ] To avoid spurious timer interrupts when KTIME_MAX is used, we need to configure set_state_oneshot_stopped(). Although implementing this is optional, it still affects things like power management for the extra timer interrupt. For more information, please see commit 8fff52fd5093 ("clockevents: Introduce CLOCK_EVT_STATE_ONESHOT_STOPPED state") and commit cf8c5009ee37 ("clockevents/drivers/arm_arch_timer: Implement ->set_state_oneshot_stopped()"). Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support") Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210304072135.52712-4-tony@atomide.com Signed-off-by: Sasha Levin commit 410a1da7ee0e062c373ca71bdf77749d9248847c Author: Tony Lindgren Date: Thu Mar 4 09:21:33 2021 +0200 clocksource/drivers/timer-ti-dm: Fix posted mode status check order [ Upstream commit 212709926c5493a566ca4086ad4f4b0d4e66b553 ] When the timer is configured in posted mode, we need to check the write- posted status register (TWPS) before writing to the register. We now check TWPS after the write starting with commit 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support"). For example, in the TRM for am571x the following is documented in chapter "22.2.4.13.1.1 Write Posting Synchronization Mode": "For each register, a status bit is provided in the timer write-posted status (TWPS) register. In this mode, it is mandatory that software check this status bit before any write access. If a write is attempted to a register with a previous access pending, the previous access is discarded without notice." The regression happened when I updated the code to use standard read/write accessors for the driver instead of using __omap_dm_timer_load_start(). We have__omap_dm_timer_load_start() check the TWPS status correctly using __omap_dm_timer_write(). Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support") Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210304072135.52712-2-tony@atomide.com Signed-off-by: Sasha Levin commit 0681c62d1ea2eba43aa8efb03708f7c3334fd863 Author: Dong Aisheng Date: Tue Mar 23 15:20:08 2021 +0800 PM / devfreq: Use more accurate returned new_freq as resume_freq [ Upstream commit 62453f1ba5d5def9d58e140a50f3f168f028da38 ] Use the more accurate returned new_freq as resume_freq. It's the same as how devfreq->previous_freq was updated. Fixes: 83f8ca45afbf0 ("PM / devfreq: add support for suspend/resume of a devfreq device") Signed-off-by: Dong Aisheng Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 165b71a98c5a6c30379f00d7e96190c6b447d67c Author: Qinglang Miao Date: Wed Nov 25 14:50:34 2020 +0800 soc: qcom: pdr: Fix error return code in pdr_register_listener [ Upstream commit 769738fc49bb578e05d404b481a9241d18147d86 ] Fix to return the error code -EREMOTEIO from pdr_register_listener rather than 0. Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20201125065034.154217-1-miaoqinglang@huawei.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 49f71d50cb30f2192f3a92e7ddf76b6b4463169d Author: Johan Hovold Date: Wed Apr 7 12:23:24 2021 +0200 staging: greybus: uart: fix unprivileged TIOCCSERIAL [ Upstream commit 60c6b305c11b5fd167ce5e2ce42f3a9098c388f0 ] TIOCSSERIAL is a horrid, underspecified, legacy interface which for most serial devices is only useful for setting the close_delay and closing_wait parameters. A non-privileged user has only ever been able to set the since long deprecated ASYNC_SPD flags and trying to change any other *supported* feature should result in -EPERM being returned. Setting the current values for any supported features should return success. Fix the greybus implementation which instead indicated that the TIOCSSERIAL ioctl was not even implemented when a non-privileged user set the current values. Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407102334.32361-7-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2c3ce3d84e80a4adcabed21b299058ff0b184212 Author: Johan Hovold Date: Wed Apr 7 12:23:22 2021 +0200 staging: fwserial: fix TIOCGSERIAL implementation [ Upstream commit 5e84a66f3682af4f177bb24bb2ad5135c51f764a ] TIOCSSERIAL is a horrid, underspecified, legacy interface which for most serial devices is only useful for setting the close_delay and closing_wait parameters. The xmit_fifo_size parameter could be used to set the hardware transmit fifo size of a legacy UART when it could not be detected, but the interface is limited to eight bits and should be left unset when not used. Fix the fwserial implementation by dropping its custom interpretation of the unused xmit_fifo_size field, which was overflowed with the driver FIFO size. Also leave the type and flags fields unset as these cannot be changed. The close_delay and closing_wait parameters returned by TIOCGSERIAL are specified in centiseconds. The driver does not yet support changing closing_wait, but let's report back the default value actually used (30 seconds). Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407102334.32361-5-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e08a24ae25b325ecb443340f290d3ff6418b7560 Author: Johan Hovold Date: Wed Apr 7 12:23:21 2021 +0200 staging: fwserial: fix TIOCSSERIAL implementation [ Upstream commit a7eaaa9d1032e68669bb479496087ba8fc155ab6 ] TIOCSSERIAL is a horrid, underspecified, legacy interface which for most serial devices is only useful for setting the close_delay and closing_wait parameters. A non-privileged user has only ever been able to set the since long deprecated ASYNC_SPD flags and trying to change any other *supported* feature should result in -EPERM being returned. Setting the current values for any supported features should return success. Fix the fwserial implementation which was returning -EPERM also for a privileged user when trying to change certain unsupported parameters, and instead return success consistently. Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver") Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210407102334.32361-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 40d622b31bafc64a83f0992f7be2e90576f950e7 Author: Colin Ian King Date: Wed Apr 7 16:03:08 2021 +0100 staging: rtl8192u: Fix potential infinite loop [ Upstream commit f9b9263a25dc3d2eaaa829e207434db6951ca7bc ] The for-loop iterates with a u8 loop counter i and compares this with the loop upper limit of riv->ieee80211->LinkDetectInfo.SlotNum that is a u16 type. There is a potential infinite loop if SlotNum is larger than the u8 loop counter. Fix this by making the loop counter the same type as SlotNum. Addresses-Coverity: ("Infinite loop") Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210407150308.496623-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ab727e601cb50e76691566617681aa6a6651e7d6 Author: Ian Abbott Date: Wed Apr 7 15:01:38 2021 +0100 staging: comedi: tests: ni_routes_test: Fix compilation error [ Upstream commit 6db58ed2b2d9bb1792eace4f9aa70e8bdd730ffc ] The `ni_routes_test` module is not currently selectable using the Kconfig files, but can be built by specifying `CONFIG_COMEDI_TESTS=m` on the "make" command line. It currently fails to compile due to an extra parameter added to the `ni_assign_device_routes` function by commit e3b7ce73c578 ("staging: comedi: ni_routes: Allow alternate board name for routes"). Fix it by supplying the value `NULL` for the added `alt_board_name` parameter (which specifies that there is no alternate board name). Fixes: e3b7ce73c578 ("staging: comedi: ni_routes: Allow alternate board name for routes") Cc: Spencer E. Olson Signed-off-by: Ian Abbott Link: https://lore.kernel.org/r/20210407140142.447250-2-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 16ed454e10a8eaa0616a1fbfe8830633c4169855 Author: Arnd Bergmann Date: Tue Mar 23 14:18:35 2021 +0100 irqchip/gic-v3: Fix OF_BAD_ADDR error handling [ Upstream commit 8e13d96670a4c050d4883e6743a9e9858e5cfe10 ] When building with extra warnings enabled, clang points out a mistake in the error handling: drivers/irqchip/irq-gic-v3-mbi.c:306:21: error: result of comparison of constant 18446744073709551615 with expression of type 'phys_addr_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] if (mbi_phys_base == OF_BAD_ADDR) { Truncate the constant to the same type as the variable it gets compared to, to shut make the check work and void the warning. Fixes: 505287525c24 ("irqchip/gic-v3: Add support for Message Based Interrupts as an MSI controller") Signed-off-by: Arnd Bergmann Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210323131842.2773094-1-arnd@kernel.org Signed-off-by: Sasha Levin commit b1d1f644ed9e2fb9e2b3e6bee413e45e74ee022d Author: Lv Yunlong Date: Fri Apr 2 23:09:05 2021 -0700 mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init [ Upstream commit 076de75de1e53160e9b099f75872c1f9adf41a0b ] If the callee gpmi_alloc_dma_buffer() failed to alloc memory for this->raw_buffer, gpmi_free_dma_buffer() will be called to free this->auxiliary_virt. But this->auxiliary_virt is still a non-NULL and valid ptr. Then gpmi_alloc_dma_buffer() returns err and gpmi_free_dma_buffer() is called again to free this->auxiliary_virt in err_out. This causes a double free. As gpmi_free_dma_buffer() has already called in gpmi_alloc_dma_buffer's error path, so it should return err directly instead of releasing the dma buffer again. Fixes: 4d02423e9afe6 ("mtd: nand: gpmi: Fix gpmi_nand_init() error path") Signed-off-by: Lv Yunlong Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210403060905.5251-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Sasha Levin commit 4b465576f02ac0946ca9de3f726a5280fe855925 Author: Alexandru Ardelean Date: Wed Mar 24 20:27:46 2021 +0200 iio: adc: Kconfig: make AD9467 depend on ADI_AXI_ADC symbol [ Upstream commit 194eafc9c1d49b53b59de9821fb63d423344cae3 ] Because a dependency on HAS_IOMEM and OF was added for the ADI AXI ADC driver, this makes the AD9467 driver have some build/dependency issues when OF is disabled (typically on ACPI archs like x86). This is because the selection of the AD9467 enforces the ADI_AXI_ADC symbol which is blocked by the OF (and potentially HAS_IOMEM) being disabled. To fix this, we make the AD9467 driver depend on the ADI_AXI_ADC symbol. The AD9467 driver cannot operate on it's own. It requires the ADI AXI ADC driver to stream data (or some similar IIO interface). So, the fix here is to make the AD9467 symbol depend on the ADI_AXI_ADC symbol. At some point this could become it's own subgroup of high-speed ADCs. Fixes: be24c65e9fa24 ("iio: adc: adi-axi-adc: add proper Kconfig dependencies") Reported-by: Randy Dunlap Signed-off-by: Alexandru Ardelean Acked-by: Randy Dunlap Link: https://lore.kernel.org/r/20210324182746.9337-1-aardelean@deviqon.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 11e708c19bdd521e2a2aa42c8ad1d731b12122bd Author: Stephen Boyd Date: Tue Feb 23 13:45:36 2021 -0800 firmware: qcom_scm: Workaround lack of "is available" call on SC7180 [ Upstream commit 257f2935cbbf14b16912c635fcd8ff43345c953b ] Some SC7180 firmwares don't implement the QCOM_SCM_INFO_IS_CALL_AVAIL API, so we can't probe the calling convention. We detect the legacy calling convention on these firmwares, because the availability call always fails and legacy is the fallback. This leads to problems where the rmtfs driver fails to probe, because it tries to assign memory with a bad calling convention, which then leads to modem failing to load and all networking, even wifi, to fail. Ouch! Let's force the calling convention to be what it always is on this SoC, i.e. arm64. Of course, the calling convention is not the same thing as implementing the QCOM_SCM_INFO_IS_CALL_AVAIL API. The absence of the "is this call available" API from the firmware means that any call to __qcom_scm_is_call_available() fails. This is OK for now though because none of the calls that are checked for existence are implemented on firmware running on sc7180. If such a call needs to be checked for existence in the future, we presume that firmware will implement this API and then things will "just work". Cc: Elliot Berman Cc: Brian Masney Cc: Stephan Gerhold Cc: Jeffrey Hugo Cc: Douglas Anderson Fixes: 9a434cee773a ("firmware: qcom_scm: Dynamically support SMCCC and legacy conventions") Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210223214539.1336155-4-swboyd@chromium.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 89d449867c5d0c033bde951a598763aaefd0e2fa Author: Stephen Boyd Date: Tue Feb 23 13:45:35 2021 -0800 firmware: qcom_scm: Reduce locking section for __get_convention() [ Upstream commit f6ea568f0ddcdfad52807110ed8983e610f0e03b ] We shouldn't need to hold this spinlock here around the entire SCM call into the firmware and back. Instead, we should be able to query the firmware, potentially in parallel with other CPUs making the same convention detection firmware call, and then grab the lock to update the calling convention detected. The convention doesn't change at runtime so calling into firmware more than once is possibly wasteful but simpler. Besides, this is the slow path, not the fast path where we've already detected the convention used. More importantly, this allows us to add more logic here to workaround the case where the firmware call to check for availability isn't implemented in the firmware at all. In that case we can check the firmware node compatible string and force a calling convention. Note that we remove the 'has_queried' logic that is repeated twice. That could lead to the calling convention being printed multiple times to the kernel logs if the bool is true but __query_convention() is running on multiple CPUs. We also shorten the time where the lock is held, but we keep the lock held around the printk because it doesn't seem hugely important to drop it for that. Cc: Elliot Berman Cc: Brian Masney Cc: Stephan Gerhold Cc: Jeffrey Hugo Cc: Douglas Anderson Fixes: 9a434cee773a ("firmware: qcom_scm: Dynamically support SMCCC and legacy conventions") Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210223214539.1336155-3-swboyd@chromium.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 2ceac2b6c87caa5a5eaa84f53c0d7f73824144ff Author: Stephen Boyd Date: Tue Feb 23 13:45:34 2021 -0800 firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool [ Upstream commit 9d11af8b06a811c5c4878625f51ce109e2af4e80 ] Make __qcom_scm_is_call_available() return bool instead of int. The function has "is" in the name, so it should return a bool to indicate the truth of the call being available. Unfortunately, it can return a number < 0 which also looks "true", but not all callers expect that and thus they think a call is available when really the check to see if the call is available failed to figure it out. Reviewed-by: Bjorn Andersson Cc: Elliot Berman Cc: Brian Masney Cc: Stephan Gerhold Cc: Jeffrey Hugo Cc: Douglas Anderson Fixes: 0f206514749b ("scsi: firmware: qcom_scm: Add support for programming inline crypto keys") Fixes: 0434a4061471 ("firmware: qcom: scm: add support to restore secure config to qcm_scm-32") Fixes: b0a1614fb1f5 ("firmware: qcom: scm: add OCMEM lock/unlock interface") Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210223214539.1336155-2-swboyd@chromium.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 1dfb26df15fc7036a74221d43de7427f74293dae Author: Finn Thain Date: Tue Mar 30 18:37:51 2021 +1100 m68k: mvme147,mvme16x: Don't wipe PCC timer config bits [ Upstream commit 43262178c043032e7c42d00de44c818ba05f9967 ] Don't clear the timer 1 configuration bits when clearing the interrupt flag and counter overflow. As Michael reported, "This results in no timer interrupts being delivered after the first. Initialization then hangs in calibrate_delay as the jiffies counter is not updated." On mvme16x, enable the timer after requesting the irq, consistent with mvme147. Cc: Michael Pavone Fixes: 7529b90d051e ("m68k: mvme147: Handle timer counter overflow") Fixes: 19999a8b8782 ("m68k: mvme16x: Handle timer counter overflow") Reported-and-tested-by: Michael Pavone Signed-off-by: Finn Thain Link: https://lore.kernel.org/r/4fdaa113db089b8fb607f7dd818479f8cdcc4547.1617089871.git.fthain@telegraphics.com.au Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 7c468deae306d0cbbd539408c26cfec04c66159a Author: Rander Wang Date: Wed Mar 31 08:46:10 2021 +0800 soundwire: stream: fix memory leak in stream config error path [ Upstream commit 48f17f96a81763c7c8bf5500460a359b9939359f ] When stream config is failed, master runtime will release all slave runtime in the slave_rt_list, but slave runtime is not added to the list at this time. This patch frees slave runtime in the config error path to fix the memory leak. Fixes: 89e590535f32 ("soundwire: Add support for SoundWire stream management") Signed-off-by: Rander Wang Reviewed-by: Keyon Jie Reviewed-by: Guennadi Liakhovetski Reviewed-by: Pierre-Louis Bossart Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20210331004610.12242-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit aa531c6c51e7b5caf800e2ec1c992309e22b38d1 Author: gexueyuan Date: Wed Mar 31 11:10:56 2021 +0800 memory: pl353: fix mask of ECC page_size config register [ Upstream commit 25dcca7fedcd4e31cb368ad846bfd738c0c6307c ] The mask for page size of ECC Configuration Register should be 0x3, according to the datasheet of PL353 smc. Fixes: fee10bd22678 ("memory: pl353: Add driver for arm pl353 static memory controller") Signed-off-by: gexueyuan Link: https://lore.kernel.org/r/20210331031056.5326-1-gexueyuan@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 0256f4205c141bd67db50a3b1dde341dff375873 Author: Andy Shevchenko Date: Wed Mar 31 18:05:25 2021 +0300 driver core: platform: Declare early_platform_cleanup() prototype [ Upstream commit 1768289b44bae847612751d418fc5c5e680b5e5c ] Compiler is not happy: CC drivers/base/platform.o drivers/base/platform.c:1557:20: warning: no previous prototype for ‘early_platform_cleanup’ [-Wmissing-prototypes] 1557 | void __weak __init early_platform_cleanup(void) { } | ^~~~~~~~~~~~~~~~~~~~~~ Declare early_platform_cleanup() prototype in the header to make everyone happy. Fixes: eecd37e105f0 ("drivers: Fix boot problem on SuperH") Cc: Guenter Roeck Reviewed-by: Guenter Roeck Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210331150525.59223-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 100a5c76e5d2f781395372790443ba30135da8a4 Author: Ravi Kumar Bokka Date: Tue Mar 30 12:12:34 2021 +0100 drivers: nvmem: Fix voltage settings for QTI qfprom-efuse [ Upstream commit 9ec4f4b0e9fd3ad4b9a38bddb75b516ea09f4628 ] QFPROM controller hardware requires 1.8V min for fuse blowing. So, this change sets the voltage to 1.8V, required to blow the fuse for qfprom-efuse controller. To disable fuse blowing, we set the voltage to 0V since this may be a shared rail and may be able to run at a lower rate when we're not blowing fuses. Fixes: 93b4e49f8c86 ("nvmem: qfprom: Add fuse blowing support") Reported-by: Douglas Anderson Suggested-by: Douglas Anderson Reviewed-by: Douglas Anderson Signed-off-by: Ravi Kumar Bokka Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210330111241.19401-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 409ab5a9d8096d610225cff6324f6dcacda4ce7e Author: Yang Yingliang Date: Tue Mar 30 21:01:59 2021 +0800 USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() [ Upstream commit 2e3d055bf27d70204cae349335a62a4f9b7c165a ] IS_ERR() and PTR_ERR() use wrong pointer, it should be udc->virt_addr, fix it. Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210330130159.1051979-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4b6b771a6d3f3456d58f25693e967226dcd2de99 Author: Tao Ren Date: Tue Mar 30 21:58:31 2021 -0700 usb: gadget: aspeed: fix dma map failure [ Upstream commit bd4d607044b961cecbf8c4c2f3bb5da4fb156993 ] Currently the virtual port_dev device is passed to DMA API, and this is wrong because the device passed to DMA API calls must be the actual hardware device performing the DMA. The patch replaces usb_gadget_map_request/usb_gadget_unmap_request APIs with usb_gadget_map_request_by_dev/usb_gadget_unmap_request_by_dev APIs so the DMA capable platform device can be passed to the DMA APIs. The patch fixes below backtrace detected on Facebook AST2500 OpenBMC platforms: [<80106550>] show_stack+0x20/0x24 [<80106868>] dump_stack+0x28/0x30 [<80823540>] __warn+0xfc/0x110 [<8011ac30>] warn_slowpath_fmt+0xb0/0xc0 [<8011ad44>] dma_map_page_attrs+0x24c/0x314 [<8016a27c>] usb_gadget_map_request_by_dev+0x100/0x1e4 [<805cedd8>] usb_gadget_map_request+0x1c/0x20 [<805cefbc>] ast_vhub_epn_queue+0xa0/0x1d8 [<7f02f710>] usb_ep_queue+0x48/0xc4 [<805cd3e8>] ecm_do_notify+0xf8/0x248 [<7f145920>] ecm_set_alt+0xc8/0x1d0 [<7f145c34>] composite_setup+0x680/0x1d30 [<7f00deb8>] ast_vhub_ep0_handle_setup+0xa4/0x1bc [<7f02ee94>] ast_vhub_dev_irq+0x58/0x84 [<7f0309e0>] ast_vhub_irq+0xb0/0x1c8 [<7f02e118>] __handle_irq_event_percpu+0x50/0x19c [<8015e5bc>] handle_irq_event_percpu+0x38/0x8c [<8015e758>] handle_irq_event+0x38/0x4c Fixes: 7ecca2a4080c ("usb/gadget: Add driver for Aspeed SoC virtual hub") Reviewed-by: Joel Stanley Signed-off-by: Tao Ren Link: https://lore.kernel.org/r/20210331045831.28700-1-rentao.bupt@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 36babddef7821a6b4ab6037d5ab8904d1a02a873 Author: Giovanni Cabiddu Date: Thu Mar 25 08:34:18 2021 +0000 crypto: qat - fix error path in adf_isr_resource_alloc() [ Upstream commit 83dc1173d73f80cbce2fee4d308f51f87b2f26ae ] The function adf_isr_resource_alloc() is not unwinding correctly in case of error. This patch fixes the error paths and propagate the errors to the caller. Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator") Signed-off-by: Giovanni Cabiddu Reviewed-by: Marco Chiappero Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit bbd61fa05cd6deaf541837cb998fc642cafa3fff Author: Arnd Bergmann Date: Mon Mar 22 18:05:15 2021 +0100 crypto: poly1305 - fix poly1305_core_setkey() declaration [ Upstream commit 8d195e7a8ada68928f2aedb2c18302a4518fe68e ] gcc-11 points out a mismatch between the declaration and the definition of poly1305_core_setkey(): lib/crypto/poly1305-donna32.c:13:67: error: argument 2 of type ‘const u8[16]’ {aka ‘const unsigned char[16]’} with mismatched bound [-Werror=array-parameter=] 13 | void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16]) | ~~~~~~~~~^~~~~~~~~~~ In file included from lib/crypto/poly1305-donna32.c:11: include/crypto/internal/poly1305.h:21:68: note: previously declared as ‘const u8 *’ {aka ‘const unsigned char *’} 21 | void poly1305_core_setkey(struct poly1305_core_key *key, const u8 *raw_key); This is harmless in principle, as the calling conventions are the same, but the more specific prototype allows better type checking in the caller. Change the declaration to match the actual function definition. The poly1305_simd_init() is a bit suspicious here, as it previously had a 32-byte argument type, but looks like it needs to take the 16-byte POLY1305_BLOCK_SIZE array instead. Fixes: 1c08a104360f ("crypto: poly1305 - add new 32 and 64-bit generic versions") Signed-off-by: Arnd Bergmann Reviewed-by: Ard Biesheuvel Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 821ff1d44fe3c10db27834a97c1f93667a037a21 Author: Olga Kornievskaia Date: Tue Mar 30 15:03:59 2021 -0400 NFSv4.2: fix copy stateid copying for the async copy [ Upstream commit e739b12042b6b079a397a3c234f96c09d1de0b40 ] This patch fixes Dan Carpenter's report that the static checker found a problem where memcpy() was copying into too small of a buffer. Reported-by: Dan Carpenter Fixes: e0639dc5805a ("NFSD introduce async copy feature") Signed-off-by: Olga Kornievskaia Signed-off-by: Chuck Lever Reviewed-by: Dai Ngo Signed-off-by: Sasha Levin commit 74bcea1a608ec3818aafbcfcb9f18cba24474134 Author: Chuck Lever Date: Mon Nov 30 16:17:40 2020 -0500 NFSD: Fix sparse warning in nfs4proc.c [ Upstream commit eb162e1772f85231dabc789fb4bfea63d2d9df79 ] linux/fs/nfsd/nfs4proc.c:1542:24: warning: incorrect type in assignment (different base types) linux/fs/nfsd/nfs4proc.c:1542:24: expected restricted __be32 [assigned] [usertype] status linux/fs/nfsd/nfs4proc.c:1542:24: got int Clean-up: The dup_copy_fields() function returns only zero, so make it return void for now, and get rid of the return code check. Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit c9df2c56f50247db30d4b2e0d5948cc74e3e7f7c Author: Fabien Parent Date: Tue Feb 23 23:18:26 2021 +0100 arm64: dts: mediatek: fix reset GPIO level on pumpkin [ Upstream commit a7dceafed43a4a610d340da3703653cca2c50c1d ] The tca6416 chip is active low. Fix the reset-gpios value. Fixes: e2a8fa1e0faa ("arm64: dts: mediatek: fix tca6416 reset GPIOs in pumpkin") Signed-off-by: Fabien Parent Link: https://lore.kernel.org/r/20210223221826.2063911-1-fparent@baylibre.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 53191c1d78b1b6c8f0ff730a286a3e1e5e8a1e47 Author: Geert Uytterhoeven Date: Mon Feb 8 16:02:52 2021 +0100 phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally [ Upstream commit 6cb17707aad869de163d7bf42c253caf501be4e2 ] Merely enabling CONFIG_COMPILE_TEST should not enable additional code. To fix this, restrict the automatic enabling of ARMADA375_USBCLUSTER_PHY to MACH_ARMADA_375, and ask the user in case of compile-testing. Fixes: eee47538ec1f2619 ("phy: add support for USB cluster on the Armada 375 SoC") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20210208150252.424706-1-geert+renesas@glider.be Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6cca7cc213d6187ccfa963e933999114b880533a Author: Kishon Vijay Abraham I Date: Wed Mar 10 17:38:36 2021 +0530 phy: ti: j721e-wiz: Delete "clk_div_sel" clk provider during cleanup [ Upstream commit 7e52a39f1942b771213678c56002ce90a2f126d2 ] commit 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC") modeled both MUX clocks and DIVIDER clocks in wiz. However during cleanup, it removed only the MUX clock provider. Remove the DIVIDER clock provider here. Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC") Signed-off-by: Kishon Vijay Abraham I Link: https://lore.kernel.org/r/20210310120840.16447-3-kishon@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 1e337097fe10bcb8f5b261b7b688b1f9a39101c3 Author: Srinivas Kandagatla Date: Tue Mar 9 10:48:16 2021 +0000 soundwire: bus: Fix device found flag correctly [ Upstream commit f03690f4f6992225d05dbd1171212e5be5a370dd ] found flag is used to indicate SoundWire devices that are both enumerated on the bus and available in the device list. However this flag is not reset correctly after one iteration, This could miss some of the devices that are enumerated on the bus but not in device list. So reset this correctly to fix this issue! Fixes: d52d7a1be02c ("soundwire: Add Slave status handling helpers") Signed-off-by: Srinivas Kandagatla Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210309104816.20350-1-srinivas.kandagatla@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 00f6abd3509b1d70d0ab0fbe65ce5685cebed8be Author: Pan Bian Date: Thu Jan 21 03:49:07 2021 -0800 bus: qcom: Put child node before return [ Upstream commit ac6ad7c2a862d682bb584a4bc904d89fa7721af8 ] Put child node before return to fix potential reference count leak. Generally, the reference count of child is incremented and decremented automatically in the macro for_each_available_child_of_node() and should be decremented manually if the loop is broken in loop body. Reviewed-by: Linus Walleij Fixes: 335a12754808 ("bus: qcom: add EBI2 driver") Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/20210121114907.109267-1-bianpan2016@163.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 6a4d2f863ab8b6340df14e38c44d2ff0f9c6d27c Author: Yoshihiro Shimoda Date: Thu Mar 25 13:19:49 2021 +0900 arm64: dts: renesas: r8a779a0: Fix PMU interrupt [ Upstream commit bbbf6db5a0b56199702bb225132831bced2eee41 ] Should use PPI No.7 for the PMU. Otherwise, the perf command didn't show any information. Fixes: 834c310f5418 ("arm64: dts: renesas: Add Renesas R8A779A0 SoC support") Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20210325041949.925777-1-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 7b6552719c0ccbbea29dde4be141da54fdb5877e Author: Michael Walle Date: Wed Mar 3 16:57:35 2021 +0100 mtd: require write permissions for locking and badblock ioctls [ Upstream commit 1e97743fd180981bef5f01402342bb54bf1c6366 ] MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table. Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions") Signed-off-by: Michael Walle Reviewed-by: Greg Kroah-Hartman Acked-by: Rafał Miłecki Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc Signed-off-by: Sasha Levin commit 45eb038029b93877db88297127cd002d0bac940f Author: dillon min Date: Fri Mar 26 19:15:02 2021 +0800 dt-bindings: serial: stm32: Use 'type: object' instead of false for 'additionalProperties' [ Upstream commit 9f299d3264c67a892af87337dbaa0bdd20830c0c ] To use additional properties 'bluetooth' on serial, need replace false with 'type: object' for 'additionalProperties' to make it as a node, else will run into dtbs_check warnings. 'arch/arm/boot/dts/stm32h750i-art-pi.dt.yaml: serial@40004800: 'bluetooth' does not match any of the regexes: 'pinctrl-[0-9]+' Fixes: af1c2d81695b ("dt-bindings: serial: Convert STM32 UART to json-schema") Reported-by: kernel test robot Tested-by: Valentin Caron Signed-off-by: dillon min Reviewed-by: Rob Herring Link: https://lore.kernel.org/r/1616757302-7889-8-git-send-email-dillon.minfei@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 42c9f39a72229f31e447f5fe5269b9114e64e2c1 Author: Christophe JAILLET Date: Sat Mar 27 08:38:53 2021 +0100 usb: gadget: s3c: Fix the error handling path in 's3c2410_udc_probe()' [ Upstream commit e5242861ec6a0bce25b4cd10af0fc8a508fd067d ] Some 'clk_prepare_enable()' and 'clk_get()' must be undone in the error handling path of the probe function, as already done in the remove function. Fixes: 3fc154b6b813 ("USB Gadget driver for Samsung s3c2410 ARM SoC") Signed-off-by: Christophe JAILLET Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/2bee52e4ce968f48b4c32545cf8f3b2ab825ba82.1616830026.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0764c91011c56ff4f4681a4052193a6026762de8 Author: Christophe JAILLET Date: Sat Mar 27 08:36:50 2021 +0100 usb: gadget: s3c: Fix incorrect resources releasing [ Upstream commit 42067ccd9eb2077979ac3ce8b7b95c694bd09e14 ] Since commit 188db4435ac6 ("usb: gadget: s3c: use platform resources"), 'request_mem_region()' and 'ioremap()' are no more used, so they don't need to be undone in the error handling path of the probe and in the remove function. Remove these calls and the unneeded 'rsrc_start' and 'rsrc_len' global variables. Fixes: 188db4435ac6 ("usb: gadget: s3c: use platform resources") Signed-off-by: Christophe JAILLET Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/b317638464f188159bd8eea44427dd359e480625.1616830026.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b33c05d6bf6f07a2ed4084b29d613dffa0e254ce Author: Fabian Vogt Date: Wed Mar 24 15:11:15 2021 +0100 fotg210-udc: Complete OUT requests on short packets [ Upstream commit 75bb93be0027123b5db6cbcce89eb62f0f6b3c5b ] A short packet indicates the end of a transfer and marks the request as complete. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-8-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7d5ff493219c89a8bc7891a231c8678eca4f17b1 Author: Fabian Vogt Date: Wed Mar 24 15:11:14 2021 +0100 fotg210-udc: Don't DMA more than the buffer can take [ Upstream commit 3e7c2510bdfe89a9ec223dd7acd6bfc8bb1cbeb6 ] Before this, it wrote as much as available into the buffer, even if it didn't fit. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-7-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e06d4a0c39bfcf323d647e240b61fe3672eb0285 Author: Fabian Vogt Date: Wed Mar 24 15:11:12 2021 +0100 fotg210-udc: Mask GRP2 interrupts we don't handle [ Upstream commit 9aee3a23d6455200702f3a57e731fa11e8408667 ] Currently it leaves unhandled interrupts unmasked, but those are never acked. In the case of a "device idle" interrupt, this leads to an effectively frozen system until plugging it in. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-5-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3515fd226ea0ab2bdb9955de879e6361d5c424aa Author: Fabian Vogt Date: Wed Mar 24 15:11:11 2021 +0100 fotg210-udc: Remove a dubious condition leading to fotg210_done [ Upstream commit c7f755b243494d6043aadcd9a2989cb157958b95 ] When the EP0 IN request was not completed but less than a packet sent, it would complete the request successfully. That doesn't make sense and can't really happen as fotg210_start_dma always sends min(length, maxpkt) bytes. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-4-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 36df13916de9a7555aad1eb35b659f95c528d144 Author: Fabian Vogt Date: Wed Mar 24 15:11:10 2021 +0100 fotg210-udc: Fix EP0 IN requests bigger than two packets [ Upstream commit 078ba935651e149c92c41161e0322e3372cc2705 ] For a 134 Byte packet, it sends the first two 64 Byte packets just fine, but then notice that less than a packet is remaining and call fotg210_done without actually sending the rest. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-3-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 01c66e83402478652e98c44df9a1489263cbcd38 Author: Fabian Vogt Date: Wed Mar 24 15:11:09 2021 +0100 fotg210-udc: Fix DMA on EP0 for length > max packet size [ Upstream commit 755915fc28edfc608fa89a163014acb2f31c1e19 ] For a 75 Byte request, it would send the first 64 separately, then detect that the remaining 11 Byte fit into a single DMA, but due to this bug set the length to the original 75 Bytes. This leads to a DMA failure (which is ignored...) and the request completes without the remaining bytes having been sent. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/20210324141115.9384-2-fabian@ritter-vogt.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1f50392650ae794a1aea41c213c6a3e1c824413c Author: Tong Zhang Date: Thu Mar 18 23:40:00 2021 -0400 crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init [ Upstream commit 8609f5cfdc872fc3a462efa6a3eca5cb1e2f6446 ] ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initialized in adf_dev_init(), which can fail and when it fail, the vf2pf_lock is either not initialized or destroyed, a subsequent use of vf2pf_lock will cause issue. To fix this issue, only set this flag if adf_dev_init() returns 0. [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 [ 7.180345] Call Trace: [ 7.182576] mutex_lock+0xc9/0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] Signed-off-by: Tong Zhang Reviewed-by: Andy Shevchenko Fixes: 25c6ffb249f6 ("crypto: qat - check if PF is running") Acked-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b50967781767a1dc3b4d574234b2d0d34dda9b69 Author: Tong Zhang Date: Thu Mar 18 23:39:59 2021 -0400 crypto: qat - don't release uninitialized resources [ Upstream commit b66accaab3791e15ac99c92f236d0d3a6d5bd64e ] adf_vf_isr_resource_alloc() is not unwinding correctly when error happens and it want to release uninitialized resources. To fix this, only release initialized resources. [ 1.792845] Trying to free already-free IRQ 11 [ 1.793091] WARNING: CPU: 0 PID: 182 at kernel/irq/manage.c:1821 free_irq+0x202/0x380 [ 1.801340] Call Trace: [ 1.801477] adf_vf_isr_resource_free+0x32/0xb0 [intel_qat] [ 1.801785] adf_vf_isr_resource_alloc+0x14d/0x150 [intel_qat] [ 1.802105] adf_dev_init+0xba/0x140 [intel_qat] Signed-off-by: Tong Zhang Reviewed-by: Andy Shevchenko Fixes: dd0f368398ea ("crypto: qat - Add qat dh895xcc VF driver") Acked-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by