commit cd7b1c6eb29785473e3296a6df5792724fb8fb9a Author: Alexandre Frade Date: Sat Jul 24 19:59:01 2021 +0000 Linux 5.10.52-rt47-xanmod1 Signed-off-by: Alexandre Frade commit c10c542ee27bd97ae8951136c6498ee3543690cf Author: Adithya Abraham Philip Date: Fri Jun 11 21:56:10 2021 +0000 net-tcp_bbr: v2: Fix missing ECT markings on retransmits for BBRv2 Adds a new flag TCP_ECN_ECT_PERMANENT that is used by CCAs to indicate that retransmitted packets and pure ACKs must have the ECT bit set. This is a necessary fix for BBRv2, which when using ECN expects ECT to be set even on retransmitted packets and ACKs. Currently CCAs like BBRv2 which can use ECN but don't "need" it do not have a way to indicate that ECT should be set on retransmissions/ACKs. Signed-off-by: Adithya Abraham Philip Signed-off-by: Neal Cardwell commit d26855e81e29ba3cd24fa2e25e8cd32f55dd3270 Author: Alexandre Frade Date: Sat Jul 24 19:53:14 2021 +0000 char/lrng: add capability to store the return IP of the hard interrupt handler for RT Signed-off-by: Alexandre Frade commit 9938e3e54698512c8640ac77db579b4c6120ba34 Author: Stephan Mueller Date: Fri Jun 18 08:26:24 2021 +0200 char/lrng: add power-on and runtime self-tests Parts of the LRNG are already covered by self-tests, including: * Self-test of SP800-90A DRBG provided by the Linux kernel crypto API. * Self-test of the PRNG provided by the Linux kernel crypto API. * Raw noise source data testing including SP800-90B compliant tests when enabling CONFIG_LRNG_HEALTH_TESTS This patch adds the self-tests for the remaining critical functions of the LRNG that are essential to maintain entropy and provide cryptographic strong random numbers. The following self-tests are implemented: * Self-test of the time array maintenance. This test verifies whether the time stamp array management to store multiple values in one integer implements a concatenation of the data. * Self-test of the software hash implementation ensures that this function operates compliant to the FIPS 180-4 specification. The self-test performs a hash operation of a zeroized per-CPU data array. * Self-test of the ChaCha20 DRNG is based on the self-tests that are already present and implemented with the stand-alone user space ChaCha20 DRNG implementation available at [1]. The self-tests cover different use cases of the DRNG seeded with known seed data. The status of the LRNG self-tests is provided with the selftest_status SysFS file. If the file contains a zero, the self-tests passed. The value 0xffffffff means that the self-tests were not executed. Any other value indicates a self-test failure. The self-test may be compiled to panic the system if the self-test fails. All self-tests operate on private state data structures. This implies that none of the self-tests have any impact on the regular LRNG operations. This allows the self-tests to be repeated at runtime by writing anything into the selftest_status SysFS file. [1] https://www.chronox.de/chacha20.html CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Marcelo Henrique Cerri CC: Neil Horman CC: Alexander Lobakin Signed-off-by: Stephan Mueller commit 2d770f8cafac415fa57d7dac86b946c0d1cacf8e Author: Stephan Mueller Date: Fri Jun 18 08:23:31 2021 +0200 char/lrng: add interface for gathering of raw entropy The test interface allows a privileged process to capture the raw unconditioned noise that is collected by the LRNG for statistical analysis. Such testing allows the analysis how much entropy the interrupt noise source provides on a given platform. Extracted noise data is not used to seed the LRNG. This is a test interface and not appropriate for production systems. Yet, the interface is considered to be sufficiently secured for production systems. Access to the data is given through the lrng_raw debugfs file. The data buffer should be multiples of sizeof(u32) to fill the entire buffer. Using the option lrng_testing.boot_test=1 the raw noise of the first 1000 entropy events since boot can be sampled. This test interface allows generating the data required for analysis whether the LRNG is in compliance with SP800-90B sections 3.1.3 and 3.1.4. In addition, the test interface allows gathering of the concatenated raw entropy data to verify that the concatenation works appropriately. This includes sampling of the following raw data: * high-resolution time stamp * Jiffies * IRQ number * IRQ flags * return instruction pointer * interrupt register state * array logic batching the high-resolution time stamp * enabling the runtime configuration of entropy source entropy rates Also, a testing interface to support ACVT of the hash implementation is provided. The reason why only hash testing is supported (as opposed to also provide testing for the DRNG) is the fact that the LRNG software hash implementation contains glue code that may warrant testing in addition to the testing of the software ciphers via the kernel crypto API. Also, for testing the CTR-DRBG, the underlying AES implementation would need to be tested. However, such AES test interface cannot be provided by the LRNG as it has no means to access the AES operation. Finally, the execution duration for processing a time stamp can be obtained with the LRNG raw entropy interface. If a test interface is not compiled, its code is a noop which has no impact on the performance. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 522dfffbae6def55c933a87b8145cc2c4870bd49 Author: Stephan Mueller Date: Fri Jun 18 08:17:40 2021 +0200 char/lrng: add SP800-90B compliant health tests Implement health tests for LRNG's slow noise sources as mandated by SP-800-90B The file contains the following health tests: - stuck test: The stuck test calculates the first, second and third discrete derivative of the time stamp to be processed by the hash for the per-CPU entropy pool. Only if all three values are non-zero, the received time delta is considered to be non-stuck. - SP800-90B Repetition Count Test (RCT): The LRNG uses an enhanced version of the RCT specified in SP800-90B section 4.4.1. Instead of counting identical back-to-back values, the input to the RCT is the counting of the stuck values during the processing of received interrupt events. The RCT is applied with alpha=2^-30 compliant to the recommendation of FIPS 140-2 IG 9.8. During the counting operation, the LRNG always calculates the RCT cut-off value of C. If that value exceeds the allowed cut-off value, the LRNG will trigger the health test failure discussed below. An error is logged to the kernel log that such RCT failure occurred. This test is only applied and enforced in FIPS mode, i.e. when the kernel compiled with CONFIG_CONFIG_FIPS is started with fips=1. - SP800-90B Adaptive Proportion Test (APT): The LRNG implements the APT as defined in SP800-90B section 4.4.2. The applied significance level again is alpha=2^-30 compliant to the recommendation of FIPS 140-2 IG 9.8. The aforementioned health tests are applied to the first 1,024 time stamps obtained from interrupt events. In case one error is identified for either the RCT, or the APT, the collected entropy is invalidated and the SP800-90B startup health test is restarted. As long as the SP800-90B startup health test is not completed, all LRNG random number output interfaces that may block will block and not generate any data. This implies that only those potentially blocking interfaces are defined to provide random numbers that are seeded with the interrupt noise source being SP800-90B compliant. All other output interfaces will not be affected by the SP800-90B startup test and thus are not considered SP800-90B compliant. At runtime, the SP800-90B APT and RCT are applied to each time stamp generated for a received interrupt. When either the APT and RCT indicates a noise source failure, the LRNG is reset to a state it has immediately after boot: - all entropy counters are set to zero - the SP800-90B startup tests are re-performed which implies that getrandom(2) would block again until new entropy was collected To summarize, the following rules apply: • SP800-90B compliant output interfaces - /dev/random - getrandom(2) system call - get_random_bytes kernel-internal interface when being triggered by the callback registered with add_random_ready_callback • SP800-90B non-compliant output interfaces - /dev/urandom - get_random_bytes kernel-internal interface called directly - randomize_page kernel-internal interface - get_random_u32 and get_random_u64 kernel-internal interfaces - get_random_u32_wait, get_random_u64_wait, get_random_int_wait, and get_random_long_wait kernel-internal interfaces If either the RCT, or the APT health test fails irrespective whether during initialization or runtime, the following actions occur: 1. The entropy of the entire entropy pool is invalidated. 2. All DRNGs are reset which imply that they are treated as being not seeded and require a reseed during next invocation. 3. The SP800-90B startup health test are initiated with all implications of the startup tests. That implies that from that point on, new events must be observed and its entropy must be inserted into the entropy pool before random numbers are calculated from the entropy pool. Further details on the SP800-90B compliance and the availability of all test tools required to perform all tests mandated by SP800-90B are provided at [1]. The entire health testing code is compile-time configurable. The patch provides a CONFIG_BROKEN configuration of the APT / RCT cutoff values which have a high likelihood to trigger the health test failure. The BROKEN APT cutoff is set to the exact mean of the expected value if the time stamps are equally distributed (512 time stamps divided by 16 possible values due to using the 4 LSB of the time stamp). The BROKEN RCT cutoff value is set to 1 which is likely to be triggered during regular operation. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 4538113512b777cf694ff40a380451e03baafaf8 Author: Stephan Mueller Date: Fri Jun 18 08:13:57 2021 +0200 char/lrng: add Jitter RNG fast noise source The Jitter RNG fast noise source implemented as part of the kernel crypto API is queried for 256 bits of entropy at the time the seed buffer managed by the LRNG is about to be filled. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Marcelo Henrique Cerri Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 0af815df8e04b939a28af95afd236f517c086be0 Author: Stephan Mueller Date: Wed Sep 16 09:50:27 2020 +0200 crypto: provide access to a static Jitter RNG state To support the LRNG operation which uses the Jitter RNG separately from the kernel crypto API, at a time where potentially the regular memory management is not yet initialized, the Jitter RNG needs to provide a state whose memory is defined at compile time. As only once instance will ever be needed by the LRNG, define once static memory block which is solely to be used by the LRNG. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Roman Drahtmueller Tested-by: Roman Drahtmüller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 9d7012bc3b483c5906639670f0e22e60a6f173f2 Author: Stephan Mueller Date: Fri Jun 18 08:10:53 2021 +0200 char/lrng: add kernel crypto API PRNG extension Add runtime-pluggable support for all PRNGs that are accessible via the kernel crypto API, including hardware PRNGs. The PRNG is selected with the module parameter drng_name where the name must be one that the kernel crypto API can resolve into an RNG. This allows using of the kernel crypto API PRNG implementations that provide an interface to hardware PRNGs. Using this extension, the LRNG uses the hardware PRNGs to generate random numbers. An example is the S390 CPACF support providing such a PRNG. The hash is provided by a kernel crypto API SHASH whose digest size complies with the seedsize of the PRNG. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Marcelo Henrique Cerri Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit bef0451cff3858f577fb9fea9889700553021414 Author: Stephan Mueller Date: Fri Jun 18 08:09:59 2021 +0200 char/lrng: add SP800-90A DRBG extension Using the LRNG switchable DRNG support, the SP800-90A DRBG extension is implemented. The DRBG uses the kernel crypto API DRBG implementation. In addition, it uses the kernel crypto API SHASH support to provide the hashing operation. The DRBG supports the choice of either a CTR DRBG using AES-256, HMAC DRBG with SHA-512 core or Hash DRBG with SHA-512 core. The used core can be selected with the module parameter lrng_drbg_type. The default is the CTR DRBG. When compiling the DRBG extension statically, the DRBG is loaded at late_initcall stage which implies that with the start of user space, the user space interfaces of getrandom(2), /dev/random and /dev/urandom provide random data produced by an SP800-90A DRBG. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit d559ec8f87bbbe8ee3b493e45d4c3ae0eb194d9c Author: Stephan Mueller Date: Tue Sep 15 22:17:43 2020 +0200 crypto: drbg - externalize DRBG functions for LRNG This patch allows several DRBG functions to be called by the LRNG kernel code paths outside the drbg.c file. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Roman Drahtmueller Tested-by: Roman Drahtmüller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 9d2a078d66c5c2b11185ce0f55489daa659a55e5 Author: Stephan Mueller Date: Fri Jun 18 08:08:20 2021 +0200 char/lrng: add common generic hash support The LRNG switchable DRNG support also allows the replacement of the hash implementation used as conditioning component. The common generic hash support code provides the required callbacks using the synchronous hash implementations of the kernel crypto API. All synchronous hash implementations supported by the kernel crypto API can be used as part of the LRNG with this generic support. The generic support is intended to be configured by separate switchable DRNG backends. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin CC: "Peter, Matthias" CC: Marcelo Henrique Cerri CC: Neil Horman Signed-off-by: Stephan Mueller commit 583bf88bfba447e9b8a7494f06065a66060a2ece Author: Stephan Mueller Date: Fri Jun 18 08:06:39 2021 +0200 char/lrng: add switchable DRNG support The DRNG switch support allows replacing the DRNG mechanism of the LRNG. The switching support rests on the interface definition of include/linux/lrng.h. A new DRNG is implemented by filling in the interface defined in this header file. In addition to the DRNG, the extension also has to provide a hash implementation that is used to hash the entropy pool for random number extraction. Note: It is permissible to implement a DRNG whose operations may sleep. However, the hash function must not sleep. The switchable DRNG support allows replacing the DRNG at runtime. However, only one DRNG extension is allowed to be loaded at any given time. Before replacing it with another DRNG implementation, the possibly existing DRNG extension must be unloaded. The switchable DRNG extension activates the new DRNG during load time. It is expected, however, that such a DRNG switch would be done only once by an administrator to load the intended DRNG implementation. It is permissible to compile DRNG extensions either as kernel modules or statically. The initialization of the DRNG extension should be performed with a late_initcall to ensure the extension is available when user space starts but after all other initialization completed. The initialization is performed by registering the function call data structure with the lrng_set_drng_cb function. In order to unload the DRNG extension, lrng_set_drng_cb must be invoked with the NULL parameter. The DRNG extension should always provide a security strength that is at least as strong as LRNG_DRNG_SECURITY_STRENGTH_BITS. The hash extension must not sleep and must not maintain a separate state. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Marcelo Henrique Cerri Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit 48aed63e449bddea6cc1b7a2c4cc4cc04e3d37e5 Author: Stephan Mueller Date: Wed Jun 23 18:44:26 2021 +0200 char/lrng: sysctls and /proc interface The LRNG sysctl interface provides the same controls as the existing /dev/random implementation. These sysctls behave identically and are implemented identically. The goal is to allow a possible merge of the existing /dev/random implementation with this implementation which implies that this patch tries have a very close similarity. Yet, all sysctls are documented at [1]. In addition, it provides the file lrng_type which provides details about the LRNG: - the name of the DRNG that produces the random numbers for /dev/random, /dev/urandom, getrandom(2) - the hash used to produce random numbers from the entropy pool - the number of secondary DRNG instances - indicator whether the LRNG operates SP800-90B compliant - indicator whether a high-resolution timer is identified - only with a high-resolution timer the interrupt noise source will deliver sufficient entropy - indicator whether the LRNG has been minimally seeded (i.e. is the secondary DRNG seeded with at least 128 bits of entropy) - indicator whether the LRNG has been fully seeded (i.e. is the secondary DRNG seeded with at least 256 bits of entropy) [1] https://www.chronox.de/lrng.html CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Reviewed-by: Marcelo Henrique Cerri Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit a7b9e7a885879c4a6235153353436467083e091e Author: Stephan Mueller Date: Fri Jun 18 08:03:15 2021 +0200 char/lrng: allocate one DRNG instance per NUMA node In order to improve NUMA-locality when serving getrandom(2) requests, allocate one DRNG instance per node. The DRNG instance that is present right from the start of the kernel is reused as the first per-NUMA-node DRNG. For all remaining online NUMA nodes a new DRNG instance is allocated. During boot time, the multiple DRNG instances are seeded sequentially. With this, the first DRNG instance (referenced as the initial DRNG in the code) is completely seeded with 256 bits of entropy before the next DRNG instance is completely seeded. When random numbers are requested, the NUMA-node-local DRNG is checked whether it has been already fully seeded. If this is not the case, the initial DRNG is used to serve the request. CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Eric Biggers CC: Alexander Lobakin Reviewed-by: Marcelo Henrique Cerri Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit ffec5ea4c78282229357dfcc3018ef855e3ae278 Author: Stephan Mueller Date: Wed Jun 23 18:42:39 2021 +0200 drivers: Introduce the Linux Random Number Generator In an effort to provide a flexible implementation for a random number generator that also delivers entropy during early boot time, allows replacement of the deterministic random number generation mechanism, implement the various components in separate code for easier maintenance, and provide compliance to SP800-90[A|B|C], introduce the Linux Random Number Generator (LRNG) framework. The general design is as follows. Additional implementation details are given in [1]. The LRNG consists of the following components: 1. The LRNG implements a DRNG. The DRNG always generates the requested amount of output. When using the SP800-90A terminology it operates without prediction resistance. The secondary DRNG maintains a counter of how many bytes were generated since last re-seed and a timer of the elapsed time since last re-seed. If either the counter or the timer reaches a threshold, the secondary DRNG is seeded from the entropy pool. In case the Linux kernel detects a NUMA system, one secondary DRNG instance per NUMA node is maintained. 2. The DRNG is seeded by concatenating the data from the following sources: (a) the output of the entropy pool, (b) the Jitter RNG if available and enabled, and (c) the CPU-based noise source such as Intel RDRAND if available and enabled. The entropy estimate of the data of all noise sources are added to form the entropy estimate of the data used to seed the DRNG with. The LRNG ensures, however, that the DRNG after seeding is at maximum the security strength of the DRNG. The LRNG is designed such that none of these noise sources can dominate the other noise sources to provide seed data to the DRNG during due to the following: (a) During boot time, the amount of received interrupts are the trigger points to (re)seed the DRNG. (b) At runtime, the available entropy from the slow noise source is concatenated with a pre-defined amount of data from the fast noise sources. In addition, each DRNG reseed operation triggers external noise source providers to deliver one block of data. 3. The entropy pool accumulates entropy obtained from certain events, which will henceforth be collectively called "slow noise sources". The entropy pool collects noise data from slow noise sources. Any data received by the LRNG from the slow noise sources is inserted into a per-CPU entropy pool using a hash operation that can be changed during runtime. Per default, SHA-256 is used. (a) When an interrupt occurs, the high-resolution time stamp is mixed into the per-CPU entropy pool. This time stamp is credited with heuristically implied entropy. (b) HID event data like the key stroke or the mouse coordinates are mixed into the per-CPU entropy pool. This data is not credited with entropy by the LRNG. (c) Device drivers may provide data that is mixed into an auxiliary pool using the same hash that is used to process the per-CPU entropy pool. This data is not credited with entropy by the LRNG. Any data provided from user space by either writing to /dev/random, /dev/urandom or the IOCTL of RNDADDENTROPY on both device files are always injected into the auxiliary pool. In addition, when a hardware random number generator covered by the Linux kernel HW generator framework wants to deliver random numbers, it is injected into the auxiliary pool as well. HW generator noise source is handled separately from the other noise source due to the fact that the HW generator framework may decide by itself when to deliver data whereas the other noise sources always requested for data driven by the LRNG operation. Similarly any user space provided data is inserted into the entropy pool. When seed data for the DRNG is to be generated, all per-CPU entropy pools and the auxiliary pool are hashed. The message digest forms the new auxiliary pool state. At the same time, this data is used for seeding the DRNG. To speed up the interrupt handling code of the LRNG, the time stamp collected for an interrupt event is truncated to the 8 least significant bits. 64 truncated time stamps are concatenated and then jointly inserted into the per-CPU entropy pool. During boot time, until the fully seeded stage is reached, each time stamp with its 32 least significant bits is are concatenated. When 16 such events are received, they are injected into the per-CPU entropy pool. The LRNG allows the DRNG mechanism to be changed at runtime. Per default, a ChaCha20-based DRNG is used. The ChaCha20-DRNG implemented for the LRNG is also provided as a stand-alone user space deterministic random number generator. The LRNG also offers an SP800-90A DRBG based on the Linux kernel crypto API DRBG implementation. The processing of entropic data from the noise source before injecting them into the DRNG is performed with the following mathematical operations: 1. Truncation: The received time stamps are truncated to 8 least significant bits (or 32 least significant bits during boot time) 2. Concatenation: The received and truncated time stamps as well as auxiliary 32 bit words are concatenated to fill the per-CPU data array that is capable of holding 64 8-bit words. 3. Hashing: A set of concatenated time stamp data received from the interrupts are hashed together with the current existing per-CPU entropy pool state. The resulting message digest is the new per-CPU entropy pool state. 4. Hashing: When new data is added to the auxiliary pool, the data is hashed together with the auxiliary pool to form a new auxiliary pool state. 5. Hashing: A message digest of all per-CPU entropy pools and the auxiliary pool is calculated which forms the new auxiliary pool state. At the same time, this message digest is used to fill the slow noise source output buffer discussed in the following. 6. Truncation: The most-significant bits (MSB) defined by the requested number of bits (commonly equal to the security strength of the DRBG) or the entropy available transported with the buffer (which is the minimum of the message digest size and the available entropy in all entropy pools and the auxiliary pool), whatever is smaller, are obtained from the slow noise source output buffer. 7. Concatenation: The temporary seed buffer used to seed the DRNG is a concatenation of the slow noise source buffer, the Jitter RNG output, the CPU noise source output, and the current time. The DRNG always tries to seed itself with 256 bits of entropy, except during boot. In any case, if the noise sources cannot deliver that amount, the available entropy is used and the DRNG keeps track on how much entropy it was seeded with. The entropy implied by the LRNG available in the entropy pool may be too conservative. To ensure that during boot time all available entropy from the entropy pool is transferred to the DRNG, the hash_df function always generates 256 data bits during boot to seed the DRNG. During boot, the DRNG is seeded as follows: 1. The DRNG is reseeded from the entropy pool and potentially the fast noise sources if the entropy pool has collected at least 32 bits of entropy from the interrupt noise source. The goal of this step is to ensure that the DRNG receives some initial entropy as early as possible. In addition it receives the entropy available from the fast noise sources. 2. The DRNG is reseeded from the entropy pool and potentially the fast noise sources if all noise sources collectively can provide at least 128 bits of entropy. 3. The DRNG is reseeded from the entropy pool and potentially the fast noise sources if all noise sources collectivel can provide at least 256 bits. At the time of the reseeding steps, the DRNG requests as much entropy as is available in order to skip certain steps and reach the seeding level of 256 bits. This may imply that one or more of the aforementioned steps are skipped. In all listed steps, the DRNG is (re)seeded with a number of random bytes from the entropy pool that is at most the amount of entropy present in the entropy pool. This means that when the entropy pool contains 128 or 256 bits of entropy, the DRNG is seeded with that amount of entropy as well. Before the DRNG is seeded with 256 bits of entropy in step 3, requests of random data from /dev/random and the getrandom system call are not processed. The hash operation providing random data from the entropy pools will always require that all entropy sources collectively can deliver at least 128 entropy bits. The DRNG operates as deterministic random number generator with the following properties: * The maximum number of random bytes that can be generated with one DRNG generate operation is limited to 4096 bytes. When longer random numbers are requested, multiple DRNG generate operations are performed. The ChaCha20 DRNG as well as the SP800-90A DRBGs implement an update of their state after completing a generate request for backtracking resistance. * The secondary DRNG is reseeded with whatever entropy is available – in the worst case where no additional entropy can be provided by the noise sources, the DRNG is not re-seeded and continues its operation to try to reseed again after again the expiry of one of these thresholds: - If the last reseeding of the secondary DRNG is more than 600 seconds ago, or - 2^20 DRNG generate operations are performed, whatever comes first, or - the secondary DRNG is forced to reseed before the next generation of random numbers if data has been injected into the LRNG by writing data into /dev/random or /dev/urandom. The chosen values prevent high-volume requests from user space to cause frequent reseeding operations which drag down the performance of the DRNG. With the automatic reseeding after 600 seconds, the LRNG is triggered to reseed itself before the first request after a suspend that put the hardware to sleep for longer than 600 seconds. To support smaller devices including IoT environments, this patch allows reducing the runtime memory footprint of the LRNG at compile time by selecting smaller collection data sizes. When selecting the compilation of a kernel for a small environment, prevent the allocation of a buffer up to 4096 bytes to serve user space requests. In this case, the stack variable of 64 bytes is used to serve all user space requests. The LRNG has the following properties: * internal noise source: interrupts timing with fast boot time seeding * high performance of interrupt handling code: The LRNG impact on the interrupt handling has been reduced to a minimum. On one example system, the LRNG interrupt handling code in its fastest configuration executes within an average 55 cycles whereas the existing /dev/random on the same device takes about 97 cycles when measuring the execution time of add_interrupt_randomness(). * use of almost never contended lock for hashing operation to collect raw entropy supporting concurrency-free use of massive parallel systems - worst case rate of contention is the number of DRNG reseeds, usually: number of NUMA nodes contentions per 5 minutes. * use of standalone ChaCha20 based RNG with the option to use a different DRNG selectable at compile time * instantiate one DRNG per NUMA node * support for runtime switchable output DRNGs * use of runtime-switchable hash for conditioning implementation following widely accepted approach * compile-time selectable collection size * support of small systems by allowing the reduction of the runtime memory needs Further details including the rationale for the design choices and properties of the LRNG together with testing is provided at [1]. In addition, the documentation explains the conducted regression tests to verify that the LRNG is API and ABI compatible with the existing /dev/random implementation. [1] https://www.chronox.de/lrng.html CC: Torsten Duwe CC: "Eric W. Biederman" CC: "Alexander E. Patrakov" CC: "Ahmed S. Darwish" CC: "Theodore Y. Ts'o" CC: Willy Tarreau CC: Matthew Garrett CC: Vito Caputo CC: Andreas Dilger CC: Jan Kara CC: Ray Strode CC: William Jon McCann CC: zhangjs CC: Andy Lutomirski CC: Florian Weimer CC: Lennart Poettering CC: Nicolai Stange CC: Alexander Lobakin Mathematical aspects Reviewed-by: "Peter, Matthias" Reviewed-by: Marcelo Henrique Cerri Reviewed-by: Roman Drahtmueller Tested-by: Marcelo Henrique Cerri Tested-by: Neil Horman Signed-off-by: Stephan Mueller commit a74a01ceec09714482c3520daade260f61c1f337 Merge: 893b3e82b9a1 dad77cf5645e Author: Alexandre Frade Date: Sat Jul 24 18:40:17 2021 +0000 Merge tag 'v5.10.52-rt47' into 5.10-rt Linux 5.10.52-rt47 commit dad77cf5645ec1b7794b4a5042446ffb78c68d34 Author: Steven Rostedt (VMware) Date: Fri Jul 23 14:57:03 2021 -0400 Linux 5.10.52-rt47 commit b03ea4bdca6dabc44e7a6f856a7f4381d8e20cbc Merge: dc5610d093cf 2cd5fe24a7f0 Author: Steven Rostedt (VMware) Date: Fri Jul 23 12:34:46 2021 -0400 Merge tag 'v5.10.52' into v5.10-rt This is the 5.10.52 stable release commit 2cd5fe24a7f025448f19d98c4f4c45ff79ce0784 Author: Greg Kroah-Hartman Date: Tue Jul 20 16:05:59 2021 +0200 Linux 5.10.52 Link: https://lore.kernel.org/r/20210719144940.904087935@linuxfoundation.org Tested-by: Florian Fainelli Link: https://lore.kernel.org/r/20210719184320.888029606@linuxfoundation.org Tested-by: Salvatore Bonaccorso Tested-by: Pavel Machek (CIP) Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Fox Chen Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 174c34d9cda1b5818419b8f5a332ced10755e52f Author: Eric Sandeen Date: Tue Jul 13 17:49:23 2021 +0200 seq_file: disallow extremely large seq buffer allocations commit 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b upstream. There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Fixes: 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") Suggested-by: Al Viro Reported-by: Qualys Security Advisory Signed-off-by: Eric Sandeen Cc: stable@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b33aa0dbd72f3af59bd633ccefc4fbcac85faec3 Author: Dan Carpenter Date: Thu Jun 3 15:33:20 2021 +0300 scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() commit 80927822e8b6be46f488524cd7d5fe683de97fc4 upstream. The "retval" variable needs to be signed for the error handling to work. Link: https://lore.kernel.org/r/YLjMEAFNxOas1mIp@mwanda Fixes: 7e26e3ea0287 ("scsi: scsi_dh_alua: Check for negative result value") Reviewed-by: Martin Wilck Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e09c9b558436405407563472f41b0aff437b9c7d Author: Martin Fäcknitz Date: Mon Jul 5 02:03:54 2021 +0200 MIPS: vdso: Invalid GIC access through VDSO [ Upstream commit 47ce8527fbba145a7723685bc9a27d9855e06491 ] Accessing raw timers (currently only CLOCK_MONOTONIC_RAW) through VDSO doesn't return the correct time when using the GIC as clock source. The address of the GIC mapped page is in this case not calculated correctly. The GIC mapped page is calculated from the VDSO data by subtracting PAGE_SIZE: void *get_gic(const struct vdso_data *data) { return (void __iomem *)data - PAGE_SIZE; } However, the data pointer is not page aligned for raw clock sources. This is because the VDSO data for raw clock sources (CS_RAW = 1) is stored after the VDSO data for coarse clock sources (CS_HRES_COARSE = 0). Therefore, only the VDSO data for CS_HRES_COARSE is page aligned: +--------------------+ | | | vd[CS_RAW] | ---+ | vd[CS_HRES_COARSE] | | +--------------------+ | -PAGE_SIZE | | | | GIC mapped page | <--+ | | +--------------------+ When __arch_get_hw_counter() is called with &vd[CS_RAW], get_gic returns the wrong address (somewhere inside the GIC mapped page). The GIC counter values are not returned which results in an invalid time. Fixes: a7f4df4e21dd ("MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()") Signed-off-by: Martin Fäcknitz Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 20f79ce2b1ab4ead8a5a8742adab962fa7f50143 Author: Randy Dunlap Date: Sun Jul 4 16:02:11 2021 -0700 mips: disable branch profiling in boot/decompress.o [ Upstream commit 97e488073cfca0eea84450169ca4cbfcc64e33e3 ] Use DISABLE_BRANCH_PROFILING for arch/mips/boot/compressed/decompress.o to prevent linkage errors. mips64-linux-ld: arch/mips/boot/compressed/decompress.o: in function `LZ4_decompress_fast_extDict': decompress.c:(.text+0x8c): undefined reference to `ftrace_likely_update' mips64-linux-ld: decompress.c:(.text+0xf4): undefined reference to `ftrace_likely_update' mips64-linux-ld: decompress.c:(.text+0x200): undefined reference to `ftrace_likely_update' mips64-linux-ld: decompress.c:(.text+0x230): undefined reference to `ftrace_likely_update' mips64-linux-ld: decompress.c:(.text+0x320): undefined reference to `ftrace_likely_update' mips64-linux-ld: arch/mips/boot/compressed/decompress.o:decompress.c:(.text+0x3f4): more undefined references to `ftrace_likely_update' follow Fixes: e76e1fdfa8f8 ("lib: add support for LZ4-compressed kernel") Reported-by: kernel test robot Signed-off-by: Randy Dunlap Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: Kyungsik Lee Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 4e2764e96a1561d44635eb4d2c27f8b9bd000cd0 Author: Arnd Bergmann Date: Fri Jul 2 16:28:37 2021 +0200 mips: always link byteswap helpers into decompressor [ Upstream commit cddc40f5617e53f97ef019d5b29c1bd6cbb031ec ] My series to clean up the unaligned access implementation across architectures caused some mips randconfig builds to fail with: mips64-linux-ld: arch/mips/boot/compressed/decompress.o: in function `decompress_kernel': decompress.c:(.text.decompress_kernel+0x54): undefined reference to `__bswapsi2' It turns out that this problem has already been fixed for the XZ decompressor but now it also shows up in (at least) LZO and LZ4. From my analysis I concluded that the compiler could always have emitted those calls, but the different implementation allowed it to make otherwise better decisions about not inlining the byteswap, which results in the link error when the out-of-line code is missing. While it could be addressed by adding it to the two decompressor implementations that are known to be affected, but as this only adds 112 bytes to the kernel, the safer choice is to always add them. Fixes: c50ec6787536 ("MIPS: zboot: Fix the build with XZ compression on older GCC versions") Fixes: 0652035a5794 ("asm-generic: unaligned: remove byteshift helpers") Link: https://lore.kernel.org/linux-mm/202106301304.gz2wVY9w-lkp@intel.com/ Link: https://lore.kernel.org/linux-mm/202106260659.TyMe8mjr-lkp@intel.com/ Link: https://lore.kernel.org/linux-mm/202106172016.onWT6Tza-lkp@intel.com/ Link: https://lore.kernel.org/linux-mm/202105231743.JJcALnhS-lkp@intel.com/ Signed-off-by: Arnd Bergmann Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 53c5c2496fc9953ca1e67d3435f7d3f111da86d3 Author: Peter Zijlstra Date: Mon Jun 28 13:24:11 2021 +0200 static_call: Fix static_call_text_reserved() vs __init [ Upstream commit 2bee6d16e4379326b1eea454e68c98b17456769e ] It turns out that static_call_text_reserved() was reporting __init text as being reserved past the time when the __init text was freed and re-used. This is mostly harmless and will at worst result in refusing a kprobe. Fixes: 6333e8f73b83 ("static_call: Avoid kprobes on inline static_call()s") Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Reviewed-by: Masami Hiramatsu Link: https://lore.kernel.org/r/20210628113045.106211657@infradead.org Signed-off-by: Sasha Levin commit 59ae35884c5e6a90e9659f43dda20b0167fc9f8d Author: Peter Zijlstra Date: Mon Jun 28 13:24:10 2021 +0200 jump_label: Fix jump_label_text_reserved() vs __init [ Upstream commit 9e667624c291753b8a5128f620f493d0b5226063 ] It turns out that jump_label_text_reserved() was reporting __init text as being reserved past the time when the __init text was freed and re-used. For a long time, this resulted in, at worst, not being able to kprobe text that happened to land at the re-used address. However a recent commit e7bf1ba97afd ("jump_label, x86: Emit short JMP") made it a fatal mistake because it now needs to read the instruction in order to determine the conflict -- an instruction that's no longer there. Fixes: 4c3ef6d79328 ("jump label: Add jump_label_text_reserved() to reserve jump points") Reported-by: kernel test robot Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Reviewed-by: Masami Hiramatsu Link: https://lore.kernel.org/r/20210628113045.045141693@infradead.org Signed-off-by: Sasha Levin commit 143a6b8ec5c6b6e85d1f3a80d5326a83a914effa Author: Xuewen Yan Date: Wed Jun 30 22:12:04 2021 +0800 sched/uclamp: Ignore max aggregation if rq is idle [ Upstream commit 3e1493f46390618ea78607cb30c58fc19e2a5035 ] When a task wakes up on an idle rq, uclamp_rq_util_with() would max aggregate with rq value. But since there is no task enqueued yet, the values are stale based on the last task that was running. When the new task actually wakes up and enqueued, then the rq uclamp values should reflect that of the newly woken up task effective uclamp values. This is a problem particularly for uclamp_max because it default to 1024. If a task p with uclamp_max = 512 wakes up, then max aggregation would ignore the capping that should apply when this task is enqueued, which is wrong. Fix that by ignoring max aggregation if the rq is idle since in that case the effective uclamp value of the rq will be the ones of the task that will wake up. Fixes: 9d20ad7dfc9a ("sched/uclamp: Add uclamp_util_with()") Signed-off-by: Xuewen Yan Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider [qias: Changelog] Reviewed-by: Qais Yousef Link: https://lore.kernel.org/r/20210630141204.8197-1-xuewen.yan94@gmail.com Signed-off-by: Sasha Levin commit 43b89ef7bc4aebd6476ad688ae3d0806c10c6375 Author: Christophe JAILLET Date: Sat Jun 12 09:18:34 2021 +0200 scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() [ Upstream commit 030e4138d11fced3b831c2761e4cecf347bae99c ] If an error occurs after a pci_enable_pcie_error_reporting() call, it must be undone by a corresponding pci_disable_pcie_error_reporting() call, as already done in the remove function. Link: https://lore.kernel.org/r/77adb02cfea7f1364e5603ecf3930d8597ae356e.1623482155.git.christophe.jaillet@wanadoo.fr Fixes: 3567f36a09d1 ("[SCSI] be2iscsi: Fix AER handling in driver") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f71f13034f3b8655629f0fea46773f9f5ad638fb Author: Alex Bee Date: Sat Jun 19 14:13:06 2021 +0200 arm64: dts: rockchip: Re-add regulator-always-on for vcc_sdio for rk3399-roc-pc [ Upstream commit eb607cd4957fb0ef97beb2a8293478be6a54240a ] Re-add the regulator-always-on property for vcc_sdio which supplies sdmmc, since it gets disabled during reboot now and the bootrom expects it to be enabled when booting from SD card. This makes rebooting impossible in that case and requires a hard reset to boot again. Fixes: 04a0077fdb19 ("arm64: dts: rockchip: Remove always-on properties from regulator nodes on rk3399-roc-pc.") Signed-off-by: Alex Bee Link: https://lore.kernel.org/r/20210619121306.7740-1-knaerzche@gmail.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit b3231050c75ca374c2fdc9d98c6c260e1d22b7ca Author: Alex Bee Date: Sat Jun 19 14:14:46 2021 +0200 arm64: dts: rockchip: Re-add regulator-boot-on, regulator-always-on for vdd_gpu on rk3399-roc-pc [ Upstream commit 06b2818678d9b35102c9816ffaf6893caf306ed0 ] This might be a limitation of either the current panfrost driver devfreq implementation or how the gpu is implemented in RK3399 SoC. The gpu regulator must never get disabled or the registers get (randomly?) inaccessable by the driver. (see all other RK3399 boards) Fixes: ec7d731d81e7 ("arm64: dts: rockchip: Add node for gpu on rk3399-roc-pc") Signed-off-by: Alex Bee Link: https://lore.kernel.org/r/20210619121446.7802-1-knaerzche@gmail.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 9436e9001d403b6974d7533554c98cec6de29a84 Author: Pali Rohár Date: Thu May 20 13:35:20 2021 +0200 firmware: turris-mox-rwtm: show message about HWRNG registration [ Upstream commit fae20160992269431507708fb74c1fd9f3c309c1 ] Currently it is hard to determinate if on Armada 3720 device is HWRNG by running kernel accessible or not. So print information message into dmesg when HWRNG is available and registration was successful. Fixes: 389711b37493 ("firmware: Add Turris Mox rWTM firmware driver") Signed-off-by: Pali Rohár Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit b2a5949a91a735256712cbe144dd01b7a5696898 Author: Pali Rohár Date: Thu May 20 13:35:19 2021 +0200 firmware: turris-mox-rwtm: fail probing when firmware does not support hwrng [ Upstream commit 2eab59cf0d2036a5a9e264f719b71c21ccf679c2 ] When Marvell's rWTM firmware, which does not support the GET_RANDOM command, is used, kernel prints an error message hwrng: no data available every 10 seconds. Fail probing of this driver if the rWTM firmware does not support the GET_RANDOM command. Fixes: 389711b37493 ("firmware: Add Turris Mox rWTM firmware driver") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit ddf380b0941f22db3e95a67f53c42289012a2d0e Author: Marek Behún Date: Thu May 20 13:35:18 2021 +0200 firmware: turris-mox-rwtm: report failures better [ Upstream commit 72f99888944c44de1c899bbe44db1e53bdc9d994 ] Report a notice level message if a command is not supported by the rWTM firmware. This should not be an error, merely a notice, because the firmware can be used on boards that do not have manufacturing information burned. Fixes: 389711b37493 ("firmware: Add Turris Mox rWTM firmware driver") Signed-off-by: Marek Behún Reviewed-by: Pali Rohár Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 271c12dbeb62e53b10d45fe904b3dc7afb779aae Author: Marek Behún Date: Thu May 20 13:35:17 2021 +0200 firmware: turris-mox-rwtm: fix reply status decoding function [ Upstream commit e34e60253d9272311831daed8a2d967cf80ca3dc ] The status decoding function mox_get_status() currently contains an incorrect check: if the error status is not MBOX_STS_SUCCESS, it always returns -EIO, so the comparison to MBOX_STS_FAIL is never executed and we don't get the actual error code sent by the firmware. Fix this. Signed-off-by: Marek Behún Reviewed-by: Pali Rohár Reviewed-by: Andrew Lunn Fixes: 389711b37493 ("firmware: Add Turris Mox rWTM firmware driver") Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 804aabb509908f42d660e1dd02f973e8efd1b226 Author: Niklas Söderlund Date: Sat Jun 5 10:52:11 2021 +0200 thermal/drivers/rcar_gen3_thermal: Fix coefficient calculations [ Upstream commit 8946187ab57ffd02088e50256c73dd31f49db06d ] The fixed value of 157 used in the calculations are only correct for M3-W, on other Gen3 SoC it should be 167. The constant can be derived correctly from the static TJ_3 constant and the SoC specific TJ_1 value. Update the calculation be correct on all Gen3 SoCs. Fixes: 4eb39f79ef44 ("thermal: rcar_gen3_thermal: Update value of Tj_1") Reported-by: Yoshihiro Shimoda Signed-off-by: Niklas Söderlund Reviewed-by: Yoshihiro Shimoda Reviewed-by: Geert Uytterhoeven Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210605085211.564909-1-niklas.soderlund+renesas@ragnatech.se Signed-off-by: Sasha Levin commit dae777523234bc8ccd317a85c9ee634df659081d Author: Christoph Niedermaier Date: Wed May 26 12:54:00 2021 +0200 ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery [ Upstream commit ddc873cd3c0af4faad6a00bffda21c3f775126dd ] The i2c bus can freeze at the end of transaction so the bus can no longer work. This scenario is improved by adding scl/sda gpios definitions to implement the i2c bus recovery mechanism. Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2") Signed-off-by: Christoph Niedermaier Cc: Shawn Guo Cc: Fabio Estevam Cc: Marek Vasut Cc: NXP Linux Team Cc: kernel@dh-electronics.com To: linux-arm-kernel@lists.infradead.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 936446f15aefcae6a2ea85502570cf3bc35a8f52 Author: Christoph Niedermaier Date: Wed May 26 12:53:59 2021 +0200 ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems [ Upstream commit e2bdd3484890441b9cc2560413a86e8f2aa04157 ] To make the ethernet cable plugin detection reliable the power detection of the smsc phy has been disabled. Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2") Signed-off-by: Christoph Niedermaier Cc: Shawn Guo Cc: Fabio Estevam Cc: Marek Vasut Cc: NXP Linux Team Cc: kernel@dh-electronics.com To: linux-arm-kernel@lists.infradead.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit f12a456f1c3babcc3015e6fa3aaa32203096da56 Author: Christoph Niedermaier Date: Wed May 26 12:53:58 2021 +0200 ARM: dts: imx6q-dhcom: Fix ethernet reset time properties [ Upstream commit c016c26c1631f539c652b5d82242a3ca402545c1 ] Fix ethernet reset time properties as described in Documentation/devicetree/bindings/net/ethernet-phy.yaml Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2") Signed-off-by: Christoph Niedermaier Cc: Shawn Guo Cc: Fabio Estevam Cc: Marek Vasut Cc: NXP Linux Team Cc: kernel@dh-electronics.com To: linux-arm-kernel@lists.infradead.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b1995806d008aca4bc1b2675f1ba99cf733afb8f Author: Chunyan Zhang Date: Wed May 12 17:37:52 2021 +0800 thermal/drivers/sprd: Add missing MODULE_DEVICE_TABLE [ Upstream commit 4d57fd9aeaa013a245bf1fade81e2c30a5efd491 ] MODULE_DEVICE_TABLE is used to extract the device information out of the driver and builds a table when being compiled. If using this macro, kernel can find the driver if available when the device is plugged in, and then loads that driver and initializes the device. Fixes: 554fdbaf19b18 ("thermal: sprd: Add Spreadtrum thermal driver support") Signed-off-by: Chunyan Zhang Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210512093752.243168-1-zhang.lyra@gmail.com Signed-off-by: Sasha Levin commit 4d9ea285860777011422e5e8a0b3a5f03d117407 Author: Aswath Govindraju Date: Tue Jun 8 10:39:52 2021 +0530 ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema [ Upstream commit 9b11fec7345f21995f4ea4bafb0e108b9a620238 ] ti,pindir-d0-out-d1-in property is expected to be of type boolean. Therefore, fix the property accordingly. Fixes: b0b039515445 ("ARM: dts: am43x-epos-evm: set data pin directions for spi0 and spi1") Signed-off-by: Aswath Govindraju Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 6641724d68fd5609ee18da4beb5948736d4db870 Author: Aswath Govindraju Date: Tue Jun 8 10:39:51 2021 +0530 ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema [ Upstream commit 414bfe1d26b60ef20b58e36efd5363188a694bab ] ti,pindir-d0-out-d1-in property is expected to be of type boolean. Therefore, fix the property accordingly. Fixes: 444d66fafab8 ("ARM: dts: add spi wifi support to cm-t335") Signed-off-by: Aswath Govindraju Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 0724764c085a3bec805403c7fad822253a96e8c4 Author: Gowtham Tammana Date: Wed Jun 2 17:04:58 2021 -0500 ARM: dts: dra7: Fix duplicate USB4 target module node [ Upstream commit 78b4b165280d3d70e7a217599f0c06a4c0bb11f9 ] With [1] USB4 target-module node got defined in dra74x.dtsi file. However, the earlier definition in [2] was not removed, and this duplication of the target module is causing boot failure on dra74 variant boards - dra7-evm, dra76-evm. USB4 is only present in DRA74x variants, so keeping the entry in dra74x.dtsi and removing it from the top level interconnect hierarchy dra7-l4.dtsi file. This change makes the USB4 target module no longer visible to AM5718, DRA71x and DRA72x so removing references to it in their respective dts files. [1]: commit c7b72abca61ec ("ARM: OMAP2+: Drop legacy platform data for dra7 dwc3") [2]: commit 549fce068a311 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data") Fixes: c7b72abca61ec ("ARM: OMAP2+: Drop legacy platform data for dra7 dwc3") Signed-off-by: Gowtham Tammana Reviewed-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 6cd58375c5326f282a3301f6a08e787a8767d191 Author: Icenowy Zheng Date: Wed Jun 9 16:38:43 2021 +0800 arm64: dts: allwinner: a64-sopine-baseboard: change RGMII mode to TXID [ Upstream commit bd5431b2f9b30a70f6ed964dd5ee9a6d1c397c06 ] Although the schematics of Pine A64-LTS and SoPine Baseboard shows both the RX and TX internal delay are enabled, they're using the same broken RTL8211E chip batch with Pine A64+, so they should use TXID instead, not ID. In addition, by checking the real components soldered on both a SoPine Baseboard and a Pine A64-LTS, RX delay is not enabled (GR69 soldered and GR70 NC) despite the schematics says it's enabled. It's a common situation for Pine64 boards that the NC information on schematics is not the same with the board. So the RGMII delay mode should be TXID on these boards. Fixes: c2b111e59a7b ("arm64: dts: allwinner: A64 Sopine: phy-mode rgmii-id") Signed-off-by: Icenowy Zheng Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210609083843.463750-1-icenowy@aosc.io Signed-off-by: Sasha Levin commit b5789e23773f4a852fbfe244b63f675e265d3a7f Author: Krzysztof Kozlowski Date: Thu May 27 11:43:22 2021 -0400 memory: fsl_ifc: fix leak of private memory on probe failure [ Upstream commit 8e0d09b1232d0538066c40ed4c13086faccbdff6 ] On probe error the driver should free the memory allocated for private structure. Fix this by using resource-managed allocation. Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210527154322.81253-2-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 8d071d270afba468708faca5f7b6d9e656f75e27 Author: Krzysztof Kozlowski Date: Thu May 27 11:43:21 2021 -0400 memory: fsl_ifc: fix leak of IO mapping on probe failure [ Upstream commit 3b132ab67fc7a358fff35e808fa65d4bea452521 ] On probe error the driver should unmap the IO memory. Smatch reports: drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298. Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210527154322.81253-1-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 1479998d80279b332a7f90afafad80b2d3d4153e Author: Kishon Vijay Abraham I Date: Thu Jun 3 20:04:24 2021 +0530 arm64: dts: ti: k3-j721e-main: Fix external refclk input to SERDES [ Upstream commit 5c6d0b55b46aeb91355e6a9616decf50a3778c91 ] Rename the external refclk inputs to the SERDES from dummy_cmn_refclk/dummy_cmn_refclk1 to cmn_refclk/cmn_refclk1 respectively. Also move the external refclk DT nodes outside the cbass_main DT node. Since in j721e common processor board, only the cmn_refclk1 is connected to 100MHz clock, fix the clock frequency. Fixes: afd094ebe69f ("arm64: dts: ti: k3-j721e-main: Add WIZ and SERDES PHY nodes") Signed-off-by: Kishon Vijay Abraham I Reviewed-by: Aswath Govindraju Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20210603143427.28735-2-kishon@ti.com Signed-off-by: Sasha Levin commit 668ca468702e233e33b5fffba5aa11c59c2ee852 Author: Geert Uytterhoeven Date: Tue Jun 1 17:12:50 2021 +0200 arm64: dts: renesas: r8a779a0: Drop power-domains property from GIC node [ Upstream commit 1771a33b34421050c7b830f0a8af703178ba9d36 ] "make dtbs_check": arm64/boot/dts/renesas/r8a779a0-falcon.dt.yaml: interrupt-controller@f1000000: 'power-domains' does not match any of the regexes: '^(msi-controller|gic-its|interrupt-controller)@[0-9a-f]+$', '^gic-its@', '^interrupt-controller@[0-9a-f]+$', 'pinctrl-[0-9]+' From schema: Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml Remove the "power-domains" property, as the GIC on R-Car V3U is always-on, and not part of a clock domain. Fixes: 834c310f541839b6 ("arm64: dts: renesas: Add Renesas R8A779A0 SoC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/a9ae5cbc7c586bf2c6b18ddc665ad7051bd1d206.1622560236.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 884d09d1f18ca9a8c21ce3b7fe228d6ee858a6c7 Author: Philipp Zabel Date: Mon Jun 7 10:26:15 2021 +0200 reset: bail if try_module_get() fails [ Upstream commit 4fb26fb83f0def3d39c14e268bcd4003aae8fade ] Abort instead of returning a new reset control for a reset controller device that is going to have its module unloaded. Reported-by: Uwe Kleine-König Fixes: 61fc41317666 ("reset: Add reset controller API") Acked-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20210607082615.15160-1-p.zabel@pengutronix.de Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 8c07e1a8c57c9a405fb238b3efdc575332aa3d73 Author: Rafał Miłecki Date: Wed May 12 15:07:09 2021 +0200 ARM: dts: BCM5301X: Fixup SPI binding [ Upstream commit d5aede3e6dd1b8ca574600a1ecafe1e580c53f2f ] 1. Reorder interrupts 2. Fix typo: s/spi_lr_overhead/spi_lr_overread/ 3. Rename node: s/spi-nor@0/flash@0/ This fixes: arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dt.yaml: spi@18029200: interrupt-names: 'oneOf' conditional failed, one must be fixed: ['spi_lr_fullness_reached', 'spi_lr_session_aborted', 'spi_lr_impatient', 'spi_lr_session_done', 'spi_lr_overhead', 'mspi_done', 'mspi_halted'] is too long Additional items are not allowed ('spi_lr_session_aborted', 'spi_lr_impatient', 'spi_lr_session_done', 'spi_lr_overhead', 'mspi_done', 'mspi_halted' were unexpected) 'mspi_done' was expected 'spi_l1_intr' was expected 'mspi_halted' was expected 'spi_lr_fullness_reached' was expected 'spi_lr_session_aborted' was expected 'spi_lr_impatient' was expected 'spi_lr_session_done' was expected 'spi_lr_overread' was expected From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dt.yaml: spi-nor@0: $nodename:0: 'spi-nor@0' does not match '^flash(@.*)?$' From schema: Documentation/devicetree/bindings/mtd/jedec,spi-nor.yaml Signed-off-by: Rafał Miłecki Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit db4e87ab60e8578631c82b7b2c6bdc946eb9676a Author: Nicolas Ferre Date: Fri Jun 4 15:19:25 2021 +0200 dt-bindings: i2c: at91: fix example for scl-gpios [ Upstream commit 92e669017ff1616ba7d8ba3c65f5193bc2a7acbe ] The SCL gpio pin used by I2C bus for recovery needs to be configured as open drain, so fix the binding example accordingly. In relation with fix c5a283802573 ("ARM: dts: at91: Configure I2C SCL gpio as open drain"). Signed-off-by: Nicolas Ferre Fixes: 19e5cef058a0 ("dt-bindings: i2c: at91: document optional bus recovery properties") Signed-off-by: Sasha Levin commit 4b4c61049ec52fc5bf31e5e36c979d543bc4c1e0 Author: Cristian Marussi Date: Tue Jun 1 11:24:17 2021 +0100 firmware: arm_scmi: Reset Rx buffer to max size during async commands [ Upstream commit 0cb7af474e0dbb2f500c67aa62b6db9fafa74de2 ] During an async commands execution the Rx buffer length is at first set to max_msg_sz when the synchronous part of the command is first sent. However once the synchronous part completes the transport layer waits for the delayed response which will be processed using the same xfer descriptor initially allocated. Since synchronous response received at the end of the xfer will shrink the Rx buffer length to the effective payload response length, it needs to be reset again. Raise the Rx buffer length again to max_msg_sz before fetching the delayed response to ensure full response is read correctly from the shared memory. Link: https://lore.kernel.org/r/20210601102421.26581-2-cristian.marussi@arm.com Fixes: 58ecdf03dbb9 ("firmware: arm_scmi: Add support for asynchronous commands and delayed response") Signed-off-by: Cristian Marussi [sudeep.holla: moved reset to scmi_handle_response as it could race with do_xfer_with_response] Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit c381e695cfcddb4bb8c8f1e9fbaaedde5d1994b7 Author: Zhen Lei Date: Thu May 13 21:26:46 2021 +0800 firmware: tegra: Fix error return code in tegra210_bpmp_init() [ Upstream commit 7fea67710e9f6a111a2c9440576f2396ccd92d57 ] When call irq_get_irq_data() to get the IRQ's irq_data failed, an appropriate error code -ENOENT should be returned. However, we directly return 'err', which records the IRQ number instead of the error code. Fixes: 139251fc2208 ("firmware: tegra: add bpmp driver for Tegra210") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit f58a3bc94aaefb0db5c5116823957222ba15ca62 Author: Stephen Boyd Date: Tue Mar 23 19:55:34 2021 -0700 arm64: dts: qcom: trogdor: Add no-hpd to DSI bridge node [ Upstream commit 5f551b5ce55575b14c26933fe9b49365ea246b3d ] We should indicate that we're not using the HPD pin on this device, per the binding document. Otherwise if code in the future wants to enable HPD in the bridge when this property is absent we'll be wasting power powering hpd when we don't use it on trogdor boards. We didn't notice this before because the kernel driver blindly disables hpd, but that won't be true for much longer. Reviewed-by: Laurent Pinchart Reviewed-by: Douglas Anderson Cc: Laurent Pinchart Cc: Douglas Anderson Fixes: 7ec3e67307f8 ("arm64: dts: qcom: sc7180-trogdor: add initial trogdor and lazor dt") Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210324025534.1837405-1-swboyd@chromium.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit d99524d13df93cfccb06633694100963b0e23e66 Author: Marek Vasut Date: Fri Apr 9 01:00:01 2021 +0200 ARM: dts: stm32: Rework LAN8710Ai PHY reset on DHCOM SoM [ Upstream commit 1cebcf9932ab76102e8cfc555879574693ba8956 ] The Microchip LAN8710Ai PHY requires XTAL1/CLKIN external clock to be enabled when the nRST is toggled according to datasheet Microchip LAN8710A/LAN8710Ai DS00002164B page 35 section 3.8.5.1 Hardware Reset: " A Hardware reset is asserted by driving the nRST input pin low. When driven, nRST should be held low for the minimum time detailed in Section 5.5.3, "Power-On nRST & Configuration Strap Timing," on page 59 to ensure a proper transceiver reset. During a Hardware reset, an external clock must be supplied to the XTAL1/CLKIN signal. " This is accidentally fulfilled in the current setup, where ETHCK_K is used to supply both PHY XTAL1/CLKIN and is also fed back through eth_clk_fb to supply ETHRX clock of the DWMAC. Hence, the DWMAC enables ETHRX clock, that has ETHCK_K as parent, so ETHCK_K clock are also enabled, and then the PHY reset toggles. However, this is not always the case, e.g. in case the PHY XTAL1/CLKIN clock are supplied by some other clock source than ETHCK_K or in case ETHRX clock are not supplied by ETHCK_K. In the later case, ETHCK_K would be kept disabled, while ETHRX clock would be enabled, so the PHY would not be receiving XTAL1/CLKIN clock and the reset would fail. Improve the DT by adding the PHY clock phandle into the PHY node, which then also requires moving the PHY reset GPIO specifier in the same place and that then also requires correct PHY reset GPIO timing, so add that too. A brief note regarding the timing, the datasheet says the reset should stay asserted for at least 100uS and software should wait at least 200nS after deassertion. Set both delays to 500uS which should be plenty. Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board") Signed-off-by: Marek Vasut Cc: Alexandre Torgue Cc: Patrice Chotard Cc: Patrick Delaunay Cc: linux-stm32@st-md-mailman.stormreply.com To: linux-arm-kernel@lists.infradead.org Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 91df7f4a04103b528c8a53b002aa57e47f7602b5 Author: Marek Vasut Date: Thu Oct 8 21:36:18 2020 +0200 ARM: dts: stm32: Connect PHY IRQ line on DH STM32MP1 SoM [ Upstream commit 516728273ddfbf51b3d0fcaac05d26e299a7b456 ] On the production DHCOM STM32MP15xx SoM, the PHY IRQ line is connected to the PI11 pin. Describe it in the DT as well, so the PHY IRQ can be used e.g. to detect cable insertion and removal. Signed-off-by: Marek Vasut Cc: Alexandre Torgue Cc: Maxime Coquelin Cc: Patrice Chotard Cc: Patrick Delaunay Cc: linux-stm32@st-md-mailman.stormreply.com To: linux-arm-kernel@lists.infradead.org Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit c4218acd688e9279618d2e8c43b2af067c45007a Author: Geert Uytterhoeven Date: Thu Apr 29 14:39:12 2021 +0200 arm64: dts: renesas: r8a7796[01]: Fix OPP table entry voltages [ Upstream commit 659b38203f04f5c3d1dc60f1a3e54b582ad3841c ] Correct the voltages in the "Power Optimized" (<= 1.5 GHz) Cortex-A57 operating point table entries for the R-Car M3-W and M3-W+ SoCs from 0.82V to 0.83V, as per the R-Car Gen3 EC Manual Errata for Revision 0.53. Based on a patch for R-Car M3-W in the BSP by Takeshi Kihara . Fixes: da7e3113344fda50 ("arm64: dts: renesas: r8a7796: Add OPPs table for cpu devices") Fixes: f51746ad7d1ff6b4 ("arm64: dts: renesas: Add Renesas R8A77961 SoC support") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/b9e9db907514790574429b83d070c823b36085ef.1619699909.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 305df11389cbc3daa934b1b37d1386bb324b4afb Author: Geert Uytterhoeven Date: Thu May 27 15:42:42 2021 +0200 arm64: dts: renesas: Add missing opp-suspend properties [ Upstream commit 44b615ac9fab16d1552cd8360454077d411e3c35 ] Tag the highest "Power Optimized" (1.5 GHz) Cortex-A57 operating point table entries for the RZ/G2M, R-Car M3-W and M3-W+ SoCs with the "opp-suspend" property. This makes sure the system will enter suspend in the same performance state as it will be resumed by the firmware later, avoiding state inconsistencies after resume. Based on a patch for R-Car M3-W in the BSP by Takeshi Kihara . Fixes: 800037e815b91d8c ("arm64: dts: renesas: r8a774a1: Add operating points") Fixes: da7e3113344fda50 ("arm64: dts: renesas: r8a7796: Add OPPs table for cpu devices") Fixes: f51746ad7d1ff6b4 ("arm64: dts: renesas: Add Renesas R8A77961 SoC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/45a061c3b0463aac7d10664f47c4afdd999da50d.1619699721.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 55fd1d3ca578d6851015772a2bc7bebe1bbc97b8 Author: Roger Quadros Date: Wed May 12 21:03:08 2021 +0530 arm64: dts: ti: j7200-main: Enable USB2 PHY RX sensitivity workaround [ Upstream commit a2894d85f44ba3f2bdf5806c8dc62e2ec40c1c09 ] Enable work around feature built into the controller to address issue with RX Sensitivity for USB2 PHY. Fixes: 6197d7139d12 ("arm64: dts: ti: k3-j7200-main: Add USB controller") Signed-off-by: Roger Quadros Signed-off-by: Aswath Govindraju Reviewed-by: Vignesh Raghavendra Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20210512153308.5840-1-a-govindraju@ti.com Signed-off-by: Sasha Levin commit b8d350b4ac1e8ada1252859c4f0451a5ec0f1a0a Author: Geert Uytterhoeven Date: Thu Apr 29 14:41:15 2021 +0200 ARM: dts: r8a7779, marzen: Fix DU clock names [ Upstream commit 6ab8c23096a29b69044209a5925758a6f88bd450 ] "make dtbs_check" complains: arch/arm/boot/dts/r8a7779-marzen.dt.yaml: display@fff80000: clock-names:0: 'du.0' was expected Change the first clock name to match the DT bindings. This has no effect on actual operation, as the Display Unit driver in Linux does not use the first clock name on R-Car H1, but just grabs the first clock. Fixes: 665d79aa47cb3983 ("ARM: shmobile: marzen: Add DU external pixel clock to DT") Signed-off-by: Geert Uytterhoeven Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/9d5e1b371121883b3b3e10a3df43802a29c6a9da.1619699965.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit b02a65061e970671c3afd15a85edcdb6dacf85e4 Author: Valentine Barshak Date: Fri Mar 26 13:10:50 2021 +0100 arm64: dts: renesas: v3msk: Fix memory size [ Upstream commit a422ec20caef6a50cf3c1efa93538888ebd576a6 ] The V3MSK board has 2 GiB RAM according to the datasheet and schematics. Signed-off-by: Valentine Barshak [geert: Verified schematics] Fixes: cc3e267e9bb0ce7f ("arm64: dts: renesas: initial V3MSK board device tree") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20210326121050.1578460-1-geert+renesas@glider.be Signed-off-by: Sasha Levin commit ab4d76eb77371af83f8272fbe05bee8154756d0a Author: Dan Carpenter Date: Tue May 11 10:19:26 2021 +0300 rtc: fix snprintf() checking in is_rtc_hctosys() [ Upstream commit 54b909436ede47e0ee07f1765da27ec2efa41e84 ] The scnprintf() function silently truncates the printf() and returns the number bytes that it was able to copy (not counting the NUL terminator). Thus, the highest value it can return here is "NAME_SIZE - 1" and the overflow check is dead code. Fix this by using the snprintf() function which returns the number of bytes that would have been copied if there was enough space and changing the condition from "> NAME_SIZE" to ">= NAME_SIZE". Fixes: 92589c986b33 ("rtc-proc: permit the /proc/driver/rtc device to use other devices") Signed-off-by: Dan Carpenter Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/YJov/pcGmhLi2pEl@mwanda Signed-off-by: Sasha Levin commit e352463654037ddade0987b2f5ab2cc87e80c81f Author: Salvatore Bonaccorso Date: Mon May 24 14:21:11 2021 +0200 ARM: dts: sun8i: h3: orangepi-plus: Fix ethernet phy-mode [ Upstream commit b19d3479f25e8a0ff24df0b46c82e50ef0f900dd ] Commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config") sets the RX/TX delay according to the phy-mode property in the device tree. For the Orange Pi Plus board this is "rgmii", which is the wrong setting. Following the example of a900cac3750b ("ARM: dts: sun7i: a20: bananapro: Fix ethernet phy-mode") the phy-mode is changed to "rgmii-id" which gets the Ethernet working again on this board. Fixes: bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config") Reported-by: "B.R. Oake" Reported-by: Vagrant Cascadian Link: https://bugs.debian.org/988574 Signed-off-by: Salvatore Bonaccorso Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210524122111.416885-1-carnil@debian.org Signed-off-by: Sasha Levin commit 3199ff7b9f543fc3530b20a179e6e66455315e1e Author: Zhen Lei Date: Sat May 15 12:00:04 2021 +0800 memory: pl353: Fix error return code in pl353_smc_probe() [ Upstream commit 76e5624f3f9343a621dd3f4006f4e4d9c3f91e33 ] When no child nodes are matched, an appropriate error code -ENODEV should be returned. However, we currently do not explicitly assign this error code to 'err'. As a result, 0 was incorrectly returned. Fixes: fee10bd22678 ("memory: pl353: Add driver for arm pl353 static memory controller") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210515040004.6983-1-thunder.leizhen@huawei.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit fc7a8347ce49fa3fc419ef3c5fcd546a3cbd777c Author: Zou Wei Date: Wed May 12 11:14:43 2021 +0800 reset: brcmstb: Add missing MODULE_DEVICE_TABLE [ Upstream commit e207457f9045343a24d936fbb67eb4b412f1c6ad ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Fixes: 77750bc089e4 ("reset: Add Broadcom STB SW_INIT reset controller driver") Signed-off-by: Zou Wei Link: https://lore.kernel.org/r/1620789283-15048-1-git-send-email-zou_wei@huawei.com Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 3f526ea670d85c21bbca8033b0f91a0825a869e7 Author: Krzysztof Kozlowski Date: Fri Apr 23 12:18:15 2021 +0200 memory: atmel-ebi: add missing of_node_put for loop iteration [ Upstream commit 907c5bbb514a4676160e79764522fff56ce3448e ] Early exits from for_each_available_child_of_node() should decrement the node reference counter. Reported by Coccinelle: drivers/memory/atmel-ebi.c:593:1-33: WARNING: Function "for_each_available_child_of_node" should have of_node_put() before return around line 604. Fixes: 6a4ec4cd0888 ("memory: add Atmel EBI (External Bus Interface) driver") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210423101815.119341-2-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 84fa4a10631af3672dd51a684d2f658672be735e Author: Krzysztof Kozlowski Date: Fri Apr 23 12:18:14 2021 +0200 memory: stm32-fmc2-ebi: add missing of_node_put for loop iteration [ Upstream commit 2f9dc6a357ff3b82c1e54d29fb5d52b8d4a0c587 ] Early exits from for_each_available_child_of_node() should decrement the node reference counter. Reported by Coccinelle: drivers/memory/stm32-fmc2-ebi.c:1046:1-33: WARNING: Function "for_each_available_child_of_node" should have of_node_put() before return around line 1051. Fixes: 66b8173a197f ("memory: stm32-fmc2-ebi: add STM32 FMC2 EBI controller driver") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Christophe Kerello Link: https://lore.kernel.org/r/20210423101815.119341-1-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit c385d93c3c1ab60acd70fe68e8352e95f52a9055 Author: Krzysztof Kozlowski Date: Wed May 5 09:59:41 2021 -0400 ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 [ Upstream commit fd2f1717966535b7d0b6fe45cf0d79e94330da5f ] There is no "max_brightness" property as pointed out by dtschema: arch/arm/boot/dts/exynos5422-odroidxu4.dt.yaml: led-controller: led-1: 'max-brightness' is a required property Fixes: 6658356014cb ("ARM: dts: Add support Odroid XU4 board for exynos5422-odroidxu4") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210505135941.59898-5-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit b7016870feead2d05256e7bb0abc78b77f684e98 Author: Krzysztof Kozlowski Date: Wed May 5 09:59:40 2021 -0400 ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1 [ Upstream commit a7e59c84cf2055a1894f45855c8319191f2fa59e ] There is no "max_brightness" property as pointed out by dtschema: arch/arm/boot/dts/exynos5422-odroidhc1.dt.yaml: led-controller: led-1: 'max-brightness' is a required property Fixes: 1ac49427b566 ("ARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210505135941.59898-4-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 640105e7c08de8e5d8a1ed5fdc4a5436f77f48af Author: Krzysztof Kozlowski Date: Wed May 5 09:59:39 2021 -0400 ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 [ Upstream commit 75121e1dc9fe4def41e63d57f6a53749b88006ed ] There is no "max_brightness" property. This brings the intentional brightness reduce of green LED and dtschema checks as well: arch/arm/boot/dts/exynos5410-odroidxu.dt.yaml: led-controller-1: led-1: 'max-brightness' is a required property Fixes: 719f39fec586 ("ARM: dts: exynos5422-odroidxu3: Hook up PWM and use it for LEDs") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210505135941.59898-3-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 6870bc426796f764ba89e3c4e022d662da957442 Author: Krzysztof Kozlowski Date: Sun Apr 25 19:49:45 2021 +0200 ARM: exynos: add missing of_node_put for loop iteration [ Upstream commit 48d551bf20858240f38a0276be3016ff379918ac ] Early exits from for_each_compatible_node() should decrement the node reference counter. Reported by Coccinelle: arch/arm/mach-exynos/exynos.c:52:1-25: WARNING: Function "for_each_compatible_node" should have of_node_put() before break around line 58. Fixes: b3205dea8fbf ("ARM: EXYNOS: Map SYSRAM through generic DT bindings") Signed-off-by: Krzysztof Kozlowski Acked-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210425174945.164612-1-krzysztof.kozlowski@canonical.com Signed-off-by: Sasha Levin commit 85dd41383b36c79783ba9abbd16754d3258dc25f Author: Krzysztof Kozlowski Date: Fri May 7 07:28:03 2021 -0400 reset: a10sr: add missing of_match_table reference [ Upstream commit 466ba3c8ff4fae39e455ff8d080b3d5503302765 ] The driver defined of_device_id table but did not use it with of_match_table. This prevents usual matching via devicetree and causes a W=1 warning: drivers/reset/reset-a10sr.c:111:34: warning: ‘a10sr_reset_of_match’ defined but not used [-Wunused-const-variable=] Reported-by: kernel test robot Fixes: 627006820268 ("reset: Add Altera Arria10 SR Reset Controller") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210507112803.20012-1-krzysztof.kozlowski@canonical.com Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 685ec4c0f27c6fc0364e2dc6fbeb9257175f1e9c Author: Geert Uytterhoeven Date: Wed Mar 31 10:15:19 2021 +0200 reset: RESET_INTEL_GW should depend on X86 [ Upstream commit 6ab9d6219f86f0db916105444813aafce626a2f4 ] The Intel Gateway reset controller is only present on Intel Gateway platforms. Hence add a dependency on X86, to prevent asking the user about this driver when configuring a kernel without Intel Gateway support. Fixes: c9aef213e38cde27 ("reset: intel: Add system reset controller driver") Signed-off-by: Geert Uytterhoeven Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 2ca912471db43c39b0e3450c05deccb6bf46b565 Author: Geert Uytterhoeven Date: Tue Mar 16 14:37:33 2021 +0100 reset: RESET_BRCMSTB_RESCAL should depend on ARCH_BRCMSTB [ Upstream commit 42f6a76fbe85e5243f83a3ed76809b1ebbb7087e ] The Broadcom STB RESCAL reset controller is only present on Broadcom BCM7216 platforms. Hence add a dependency on ARCH_BRCMSTB, to prevent asking the user about this driver when configuring a kernel without BCM7216 support. Also, merely enabling CONFIG_COMPILE_TEST should not enable additional code, and thus should not enable this driver by default. Fixes: 4cf176e52397853e ("reset: Add Broadcom STB RESCAL reset controller") Signed-off-by: Geert Uytterhoeven Acked-by: Florian Fainelli Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit f75cec5c204814713d2d9564160b2c2b68cbabf0 Author: Corentin Labbe Date: Wed Apr 28 18:54:57 2021 +0000 ARM: dts: gemini-rut1xx: remove duplicate ethernet node [ Upstream commit 3d3bb3d27cd371d3edb43eeb1beb8ae4e92a356d ] Two ethernet node was added by commit 95220046a62c ("ARM: dts: Add ethernet to a bunch of platforms") and commit d6d0cef55e5b ("ARM: dts: Add the FOTG210 USB host to Gemini boards") This patch removes the duplicate one. Fixes: d6d0cef55e5b ("ARM: dts: Add the FOTG210 USB host to Gemini boards") Signed-off-by: Corentin Labbe Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit f11508ecc696c54ef1f0495a16326df00f16248e Author: Nathan Chancellor Date: Wed Jul 7 18:07:41 2021 -0700 hexagon: use common DISCARDS macro [ Upstream commit 681ba73c72302214686401e707e2087ed11a6556 ] ld.lld warns that the '.modinfo' section is not currently handled: ld.lld: warning: kernel/built-in.a(workqueue.o):(.modinfo) is being placed in '.modinfo' ld.lld: warning: kernel/built-in.a(printk/printk.o):(.modinfo) is being placed in '.modinfo' ld.lld: warning: kernel/built-in.a(irq/spurious.o):(.modinfo) is being placed in '.modinfo' ld.lld: warning: kernel/built-in.a(rcu/update.o):(.modinfo) is being placed in '.modinfo' The '.modinfo' section was added in commit 898490c010b5 ("moduleparam: Save information about built-in modules in separate file") to the DISCARDS macro but Hexagon has never used that macro. The unification of DISCARDS happened in commit 023bf6f1b8bf ("linker script: unify usage of discard definition") in 2009, prior to Hexagon being added in 2011. Switch Hexagon over to the DISCARDS macro so that anything that is expected to be discarded gets discarded. Link: https://lkml.kernel.org/r/20210521011239.1332345-3-nathan@kernel.org Fixes: e95bf452a9e2 ("Hexagon: Add configuration and makefiles for the Hexagon architecture.") Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Acked-by: Brian Cain Cc: David Rientjes Cc: Oliver Glitta Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f7121692795c654b52b460a11107a87285bb1dcd Author: Nathan Chancellor Date: Wed Jul 7 18:07:38 2021 -0700 hexagon: handle {,SOFT}IRQENTRY_TEXT in linker script [ Upstream commit 6fef087d0d37ba7dba8f3d75566eb4c256cd6742 ] Patch series "hexagon: Fix build error with CONFIG_STACKDEPOT and select CONFIG_ARCH_WANT_LD_ORPHAN_WARN". This series fixes an error with ARCH=hexagon that was pointed out by the patch "mm/slub: use stackdepot to save stack trace in objects". The first patch fixes that error by handling the '.irqentry.text' and '.softirqentry.text' sections. The second patch switches Hexagon over to the common DISCARDS macro, which should have been done when Hexagon was merged into the tree to match commit 023bf6f1b8bf ("linker script: unify usage of discard definition"). The third patch selects CONFIG_ARCH_WANT_LD_ORPHAN_WARN so that something like this does not happen again. This patch (of 3): Patch "mm/slub: use stackdepot to save stack trace in objects" in -mm selects CONFIG_STACKDEPOT when CONFIG_STACKTRACE_SUPPORT is selected and CONFIG_STACKDEPOT requires IRQENTRY_TEXT and SOFTIRQENTRY_TEXT to be handled after commit 505a0ef15f96 ("kasan: stackdepot: move filter_irq_stacks() to stackdepot.c") due to the use of the __{,soft}irqentry_text_{start,end} section symbols. If those sections are not handled, the build is broken. $ make ARCH=hexagon CROSS_COMPILE=hexagon-linux- LLVM=1 LLVM_IAS=1 defconfig all ... ld.lld: error: undefined symbol: __irqentry_text_start >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a ld.lld: error: undefined symbol: __irqentry_text_end >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a ld.lld: error: undefined symbol: __softirqentry_text_start >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a ld.lld: error: undefined symbol: __softirqentry_text_end >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a >>> referenced by stackdepot.c >>> stackdepot.o:(filter_irq_stacks) in archive lib/built-in.a ... Add these sections to the Hexagon linker script so the build continues to work. ld.lld's orphan section warning would have caught this prior to the -mm commit mentioned above: ld.lld: warning: kernel/built-in.a(softirq.o):(.softirqentry.text) is being placed in '.softirqentry.text' ld.lld: warning: kernel/built-in.a(softirq.o):(.softirqentry.text) is being placed in '.softirqentry.text' ld.lld: warning: kernel/built-in.a(softirq.o):(.softirqentry.text) is being placed in '.softirqentry.text' Link: https://lkml.kernel.org/r/20210521011239.1332345-1-nathan@kernel.org Link: https://lkml.kernel.org/r/20210521011239.1332345-2-nathan@kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1381 Fixes: 505a0ef15f96 ("kasan: stackdepot: move filter_irq_stacks() to stackdepot.c") Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Acked-by: Brian Cain Cc: Oliver Glitta Cc: Vlastimil Babka Cc: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 4aa17d058a9b883bfe88d50fc0fe75e804fef701 Author: Trond Myklebust Date: Sat Jul 3 14:34:20 2021 -0400 NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times [ Upstream commit f46f84931a0aa344678efe412d4b071d84d8a805 ] After we grab the lock in nfs4_pnfs_ds_connect(), there is no check for whether or not ds->ds_clp has already been initialised, so we can end up adding the same transports multiple times. Fixes: fc821d59209d ("pnfs/NFSv4.1: Add multipath capabilities to pNFS flexfiles servers over NFSv3") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 885c0cc2acfe2c52253b80c92b53f63cbcbdcf31 Author: Trond Myklebust Date: Fri Jul 2 19:48:41 2021 -0400 NFSv4/pnfs: Fix layoutget behaviour after invalidation [ Upstream commit 0b77f97a7e42adc72bd566ff8cb733ea426f74f6 ] If the layout gets invalidated, we should wait for any outstanding layoutget requests for that layout to complete, and we should resend them only after re-establishing the layout stateid. Fixes: d29b468da4f9 ("pNFS/NFSv4: Improve rejection of out-of-order layouts") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a668a77e6aedfd3ca2ef6c4a8883e5177bffd905 Author: Trond Myklebust Date: Fri Jul 2 16:37:15 2021 -0400 NFSv4/pnfs: Fix the layout barrier update [ Upstream commit aa95edf309ef31e2df4a37ebf0e5c2ca2a6772ab ] If we have multiple outstanding layoutget requests, the current code to update the layout barrier assumes that the outstanding layout stateids are updated in order. That's not necessarily the case. Instead of using the value of lo->plh_outstanding as a guesstimate for the window of values we need to accept, just wait to update the window until we're processing the last one. The intention here is just to ensure that we don't process 2^31 seqid updates without also updating the barrier. Fixes: 1bcf34fdac5f ("pNFS/NFSv4: Update the layout barrier when we schedule a layoutreturn") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 6ccccc03f87af72353baed617f222542c9de4bb0 Author: Eli Cohen Date: Sun Jun 6 08:31:28 2021 +0300 vdpa/mlx5: Clear vq ready indication upon device reset [ Upstream commit e3aadf2e1614174dc81d52cbb9dabb77913b11c6 ] After device reset, the virtqueues are not ready so clear the ready field. Failing to do so can result in virtio_vdpa failing to load if the device was previously used by vhost_vdpa and the old values are ready. virtio_vdpa expects to find VQs in "not ready" state. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20210606053128.170399-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit 0e5f204ea595a7f6d092fdf8aa89dffc2365032c Author: Zhen Lei Date: Wed Jul 7 15:40:51 2021 +0800 ALSA: isa: Fix error return code in snd_cmi8330_probe() [ Upstream commit 31028cbed26a8afa25533a10425ffa2ab794c76c ] When 'SB_HW_16' check fails, the error code -ENODEV instead of 0 should be returned, which is the same as that returned when 'WSS_HW_CMI8330' check fails. Fixes: 43bcd973d6d0 ("[ALSA] Add snd_card_set_generic_dev() call to ISA drivers") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210707074051.2663-1-thunder.leizhen@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6612c412336c1796014be74a1d33c9188178f629 Author: Trond Myklebust Date: Thu Jun 17 19:26:52 2021 -0400 nfsd: Reduce contention for the nfsd_file nf_rwsem [ Upstream commit 474bc334698df98ce07c890f1898c7e7f389b0c7 ] When flushing out the unstable file writes as part of a COMMIT call, try to perform most of of the data writes and waits outside the semaphore. This means that if the client is sending the COMMIT as part of a memory reclaim operation, then it can continue performing I/O, with contention for the lock occurring only once the data sync is finished. Fixes: 5011af4c698a ("nfsd: Fix stable writes") Signed-off-by: Trond Myklebust Tested-by: Chuck Lever Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 89047f0089cd7430e4896fb99ba0f17ade832433 Author: Maurizio Lombardi Date: Fri Jul 2 10:11:21 2021 +0200 nvme-tcp: can't set sk_user_data without write_lock [ Upstream commit 0755d3be2d9bb6ea38598ccd30d6bbaa1a5c3a50 ] The sk_user_data pointer is supposed to be modified only while holding the write_lock "sk_callback_lock", otherwise we could race with other threads and crash the kernel. we can't take the write_lock in nvmet_tcp_state_change() because it would cause a deadlock, but the release_work queue will set the pointer to NULL later so we can simply remove the assignment. Fixes: b5332a9f3f3d ("nvmet-tcp: fix incorrect locking in state_change sk callback") Signed-off-by: Maurizio Lombardi Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 4b3fd33f580fe10691b99ef0b1356b9f3607b015 Author: Michael S. Tsirkin Date: Tue Apr 13 01:35:26 2021 -0400 virtio_net: move tx vq operation under tx queue lock [ Upstream commit 5a2f966d0f3fa0ef6dada7ab9eda74cacee96b8a ] It's unsafe to operate a vq from multiple threads. Unfortunately this is exactly what we do when invoking clean tx poll from rx napi. Same happens with napi-tx even without the opportunistic cleaning from the receive interrupt: that races with processing the vq in start_xmit. As a fix move everything that deals with the vq to under tx lock. Fixes: b92f1e6751a6 ("virtio-net: transmit napi") Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 8795692f0d6ca1e119c608f2706c456a0f6abdab Author: Eli Cohen Date: Sun May 30 12:03:49 2021 +0300 vdpa/mlx5: Fix possible failure in umem size calculation [ Upstream commit 71ab6a7cfbae27f86a3901daab10bfe13b3a1e3a ] umem size is a 32 bit unsigned value so assigning it to an int could cause false failures. Set the calculated value inside the function and modify function name to reflect the fact it updates the size. This bug was found during code review but never had real impact to this date. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20210530090349.8360-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit 63272b1ffdb097397f90ae3b5deafa5d449b57a9 Author: Eli Cohen Date: Sun May 30 12:03:17 2021 +0300 vdpa/mlx5: Fix umem sizes assignments on VQ create [ Upstream commit e3011776af16caf423f2c36d0047acd624c274fa ] Fix copy paste bug assigning umem1 size to umem2 and umem3. The issue was discovered when trying to use a 1:1 MR that covers the entire address space where firmware complained that provided sizes are not large enough. 1:1 MRs are required to support virtio_vdpa. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20210530090317.8284-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit e22051e7c9f7091256c18829433c6eedaca799a0 Author: Jon Hunter Date: Fri Jun 18 17:02:19 2021 +0100 PCI: tegra194: Fix tegra_pcie_ep_raise_msi_irq() ill-defined shift [ Upstream commit f67092eff2bd40650aad54a1a1910160f41d864a ] tegra_pcie_ep_raise_msi_irq() shifted a signed 32-bit value left by 31 bits. The behavior of this is implementation-defined. Replace the shift by BIT(), which is well-defined. Found by cppcheck: $ cppcheck --enable=all drivers/pci/controller/dwc/pcie-tegra194.c Checking drivers/pci/controller/dwc/pcie-tegra194.c ... drivers/pci/controller/dwc/pcie-tegra194.c:1829:23: portability: Shifting signed 32-bit value by 31 bits is implementation-defined behaviour. See condition at line 1826. [shiftTooManyBitsSigned] appl_writel(pcie, (1 << irq), APPL_MSI_CTRL_1); ^ [bhelgaas: commit log] Link: https://lore.kernel.org/r/20210618160219.303092-1-jonathanh@nvidia.com Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Jon Hunter Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 527bb29eb183cf1339164d2cc5c7b8aca625bb82 Author: Uwe Kleine-König Date: Tue May 25 08:35:27 2021 +0200 pwm: imx1: Don't disable clocks at device remove time [ Upstream commit 1bc6ea31cb41d50302a3c9b401964cf0a88d41f9 ] The .remove() callback disables clocks that were not enabled in .probe(). So just probing and then unbinding the driver results in a clk enable imbalance. So just drop the call to disable the clocks. (Which BTW was also in the wrong order because the call makes the PWM unfunctional and so should have come only after pwmchip_remove()). Fixes: 9f4c8f9607c3 ("pwm: imx: Add ipg clock operation") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 12d84de59da09da82e2c020de701affcc1e1b11e Author: Martin Blumenstingl Date: Wed Jan 6 14:55:40 2021 +0100 PCI: intel-gw: Fix INTx enable [ Upstream commit 655832d12f2251e04031294f547c86935a0a126d ] The legacy PCI interrupt lines need to be enabled using PCIE_APP_IRNEN bits 13 (INTA), 14 (INTB), 15 (INTC) and 16 (INTD). The old code however was taking (for example) "13" as raw value instead of taking BIT(13). Define the legacy PCI interrupt bits using the BIT() macro and then use these in PCIE_APP_IRN_INT. Link: https://lore.kernel.org/r/20210106135540.48420-1-martin.blumenstingl@googlemail.com Fixes: ed22aaaede44 ("PCI: dwc: intel: PCIe RC controller driver") Signed-off-by: Martin Blumenstingl Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Acked-by: Rahul Tanwar Signed-off-by: Sasha Levin commit b5859dacd29ef10acdb60a068526c5d6f1cac171 Author: Thomas Gleixner Date: Wed Jun 23 14:01:35 2021 +0200 x86/fpu: Limit xstate copy size in xstateregs_set() [ Upstream commit 07d6688b22e09be465652cf2da0da6bf86154df6 ] If the count argument is larger than the xstate size, this will happily copy beyond the end of xstate. Fixes: 91c3dba7dbc1 ("x86/fpu/xstate: Fix PTRACE frames for XSAVES") Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Reviewed-by: Andy Lutomirski Reviewed-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210623121452.120741557@linutronix.de Signed-off-by: Sasha Levin commit 07b760a7917029cfeaf844584e5583fa563f5005 Author: Thomas Gleixner Date: Wed Jun 23 14:01:28 2021 +0200 x86/fpu: Fix copy_xstate_to_kernel() gap handling [ Upstream commit 9625895011d130033d1bc7aac0d77a9bf68ff8a6 ] The gap handling in copy_xstate_to_kernel() is wrong when XSAVES is in use. Using init_fpstate for copying the init state of features which are not set in the xstate header is only correct for the legacy area, but not for the extended features area because when XSAVES is in use then init_fpstate is in compacted form which means the xstate offsets which are used to copy from init_fpstate are not valid. Fortunately, this is not a real problem today because all extended features in use have an all-zeros init state, but it is wrong nevertheless and with a potentially dynamically sized init_fpstate this would result in an access outside of the init_fpstate. Fix this by keeping track of the last copied state in the target buffer and explicitly zero it when there is a feature or alignment gap. Use the compacted offset when accessing the extended feature space in init_fpstate. As this is not a functional issue on older kernels this is intentionally not tagged for stable. Fixes: b8be15d58806 ("x86/fpu/xstate: Re-enable XSAVES") Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Reviewed-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210623121451.294282032@linutronix.de Signed-off-by: Sasha Levin commit aa7fccd383de41145accf075d648fd92065dc25a Author: Chao Yu Date: Tue Jun 8 07:31:22 2021 +0800 f2fs: fix to avoid adding tab before doc section [ Upstream commit 3c16dc40aab84bab9cf54c2b61a458bb86b180c3 ] Otherwise whole section after tab will be invisible in compiled html format document. Cc: Mauro Carvalho Chehab Fixes: 89272ca1102e ("docs: filesystems: convert f2fs.txt to ReST") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 607caa080119f4972949fe313481c12b3a50fbbf Author: Sandor Bodo-Merle Date: Tue Jun 22 17:26:30 2021 +0200 PCI: iproc: Support multi-MSI only on uniprocessor kernel [ Upstream commit 2dc0a201d0f59e6818ef443609f0850a32910844 ] The interrupt affinity scheme used by this driver is incompatible with multi-MSI as it implies moving the doorbell address to that of another MSI group. This isn't possible for multi-MSI, as all the MSIs must have the same doorbell address. As such it is restricted to systems with a single CPU. Link: https://lore.kernel.org/r/20210622152630.40842-2-sbodomerle@gmail.com Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs") Reported-by: Marc Zyngier Signed-off-by: Sandor Bodo-Merle Signed-off-by: Lorenzo Pieralisi Acked-by: Marc Zyngier Acked-by: Pali Rohár Acked-by: Ray Jui Signed-off-by: Sasha Levin commit 54dc6fcce3de6c6efa9a3dfb1e5fb3a0d68df459 Author: Sandor Bodo-Merle Date: Tue Jun 22 17:26:29 2021 +0200 PCI: iproc: Fix multi-MSI base vector number allocation [ Upstream commit e673d697b9a234fc3544ac240e173cef8c82b349 ] Commit fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs") introduced multi-MSI support with a broken allocation mechanism (it failed to reserve the proper number of bits from the inner domain). Natural alignment of the base vector number was also not guaranteed. Link: https://lore.kernel.org/r/20210622152630.40842-1-sbodomerle@gmail.com Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs") Reported-by: Pali Rohár Signed-off-by: Sandor Bodo-Merle Signed-off-by: Lorenzo Pieralisi Acked-by: Marc Zyngier Acked-by: Pali Rohár Acked-by: Ray Jui Signed-off-by: Sasha Levin commit ac2e498ab222121da39a659a5328f10d2d078d87 Author: Zhihao Cheng Date: Fri Jun 18 16:11:03 2021 +0800 ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode [ Upstream commit a801fcfeef96702fa3f9b22ad56c5eb1989d9221 ] xfstests-generic/476 reports a warning message as below: WARNING: CPU: 2 PID: 30347 at fs/inode.c:361 inc_nlink+0x52/0x70 Call Trace: do_rename+0x502/0xd40 [ubifs] ubifs_rename+0x8b/0x180 [ubifs] vfs_rename+0x476/0x1080 do_renameat2+0x67c/0x7b0 __x64_sys_renameat2+0x6e/0x90 do_syscall_64+0x66/0xe0 entry_SYSCALL_64_after_hwframe+0x44/0xae Following race case can cause this: rename_whiteout(Thread 1) wb_workfn(Thread 2) ubifs_rename do_rename __writeback_single_inode spin_lock(&inode->i_lock) whiteout->i_state |= I_LINKABLE inode->i_state &= ~dirty; ---- How race happens on i_state: (tmp = whiteout->i_state | I_LINKABLE) (tmp = inode->i_state & ~dirty) (whiteout->i_state = tmp) (inode->i_state = tmp) ---- spin_unlock(&inode->i_lock) inc_nlink(whiteout) WARN_ON(!(inode->i_state & I_LINKABLE)) !!! Fix to add i_lock to avoid i_state update race condition. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 4b515308ab875c7e8ada8e606fe0c64762da5ed4 Author: Gao Xiang Date: Fri Jun 18 12:20:55 2021 +0800 nfs: fix acl memory leak of posix_acl_create() [ Upstream commit 1fcb6fcd74a222d9ead54d405842fc763bb86262 ] When looking into another nfs xfstests report, I found acl and default_acl in nfs3_proc_create() and nfs3_proc_mknod() error paths are possibly leaked. Fix them in advance. Fixes: 013cdf1088d7 ("nfs: use generic posix ACL infrastructure for v3 Posix ACLs") Cc: Trond Myklebust Cc: Anna Schumaker Cc: Christoph Hellwig Cc: Joseph Qi Signed-off-by: Gao Xiang Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b8eace7d3b9c5960d4a4f5d636c044ee26beb2fa Author: NeilBrown Date: Tue Jun 15 11:18:38 2021 +1000 SUNRPC: prevent port reuse on transports which don't request it. [ Upstream commit bc1c56e9bbe92766d017efb5f0a0c71f80da5570 ] If an RPC client is created without RPC_CLNT_CREATE_REUSEPORT, it should not reuse the source port when a TCP connection is re-established. This is currently implemented by preventing the source port being recorded after a successful connection (the call to xs_set_srcport()). However the source port is also recorded after a successful bind in xs_bind(). This may not be needed at all and certainly is not wanted when RPC_CLNT_CREATE_REUSEPORT wasn't requested. So avoid that assignment when xprt.reuseport is not set. With this change, NFSv4.1 and later mounts use a different port number on each connection. This is helpful with some firewalls which don't cope well with port reuse. Signed-off-by: NeilBrown Fixes: e6237b6feb37 ("NFSv4.1: Don't rebind to the same source port when reconnecting to the server") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 5577eece796fe47a4c8aa42422149aab296cf9c0 Author: Wei Yongjun Date: Thu Mar 4 04:59:09 2021 +0000 watchdog: jz4740: Fix return value check in jz4740_wdt_probe() [ Upstream commit 29e85f53fb58b45b9e9276dcdf1f1cb762dd1c9f ] In case of error, the function device_node_to_regmap() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: 6d532143c915 ("watchdog: jz4740: Use regmap provided by TCU driver") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Acked-by: Paul Cercueil Link: https://lore.kernel.org/r/20210304045909.945799-1-weiyongjun1@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 3b93d520ac533cadd5b8b4ef25623f744ab54882 Author: Tao Ren Date: Fri Apr 16 20:42:49 2021 -0700 watchdog: aspeed: fix hardware timeout calculation [ Upstream commit e7dc481c92060f9ce872878b0b7a08c24713a7e5 ] Fix hardware timeout calculation in aspeed_wdt_set_timeout function to ensure the reload value does not exceed the hardware limit. Fixes: efa859f7d786 ("watchdog: Add Aspeed watchdog driver") Reported-by: Amithash Prasad Signed-off-by: Tao Ren Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20210417034249.5978-1-rentao.bupt@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 412ef737be65053e9695e17503aec8821102c067 Author: Zhen Lei Date: Sat May 8 11:33:13 2021 +0800 ubifs: journal: Fix error return code in ubifs_jnl_write_inode() [ Upstream commit a2c2a622d41168f9fea2aa3f76b9fbaa88531aac ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 9ca2d7326444 ("ubifs: Limit number of xattrs per inode") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 6bcc0590cb919bb0c37b554afdaa929528f7bebc Author: Sascha Hauer Date: Wed Jan 20 14:12:53 2021 +0100 ubifs: Fix off-by-one error [ Upstream commit d984bcf5766dbdbe95d325bb8a1b49a996fecfd4 ] An inode is allowed to have ubifs_xattr_max_cnt() xattrs, so we must complain only when an inode has more xattrs, having exactly ubifs_xattr_max_cnt() xattrs is fine. With this the maximum number of xattrs can be created without hitting the "has too many xattrs" warning when removing it. Signed-off-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit aab881d7f074e302451cfa3d85d30ba6b1cf3e13 Author: Zhen Lei Date: Sat May 8 11:22:39 2021 +0800 um: fix error return code in winch_tramp() [ Upstream commit ccf1236ecac476d9d2704866d9a476c86e387971 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 89df6bfc0405 ("uml: DEBUG_SHIRQ fixes") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Acked-By: anton.ivanov@cambridgegreys.com Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 9bb3f31b25b2b5f157cd25aa6a259908d339a8c0 Author: Zhen Lei Date: Sat May 8 11:13:54 2021 +0800 um: fix error return code in slip_open() [ Upstream commit b77e81fbe5f5fb4ad9a61ec80f6d1e30b6da093a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: a3c77c67a443 ("[PATCH] uml: slirp and slip driver cleanups and fixes") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Acked-By: anton.ivanov@cambridgegreys.com Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 0bfb6d49497cca4622106fb977b6e4674fdff5d4 Author: Tong Zhang Date: Sat May 22 00:37:25 2021 -0400 misc: alcor_pci: fix inverted branch condition commit 281e468446994a7672733af2bf941f4110d4a895 upstream. This patch fixes a trivial mistake that I made in the previous attempt in fixing the null bridge issue. The branch condition is inverted and we should call alcor_pci_find_cap_offset() only if bridge is not null. Reported-by: Colin Ian King Fixes: 3ce3e45cc333 ("misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge") Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210522043725.602179-1-ztong0001@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 5c7ef8a3705542136a1e19b070e951f0730b2153 Author: Trond Myklebust Date: Fri Jun 11 13:40:55 2021 -0400 NFSv4: Fix an Oops in pnfs_mark_request_commit() when doing O_DIRECT [ Upstream commit 3731d44bba8e0116b052b1b374476c5f6dd9a456 ] Fix an Oopsable condition in pnfs_mark_request_commit() when we're putting a set of writes on the commit list to reschedule them after a failed pNFS attempt. Fixes: 9c455a8c1e14 ("NFS/pNFS: Clean up pNFS commit operations") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit ff4023d0194263a0827c954f623c314978cf7ddd Author: Trond Myklebust Date: Wed Jun 9 10:04:46 2021 -0400 NFSv4: Initialise connection to the server in nfs4_alloc_client() [ Upstream commit dd99e9f98fbf423ff6d365b37a98e8879170f17c ] Set up the connection to the NFSv4 server in nfs4_alloc_client(), before we've added the struct nfs_client to the net-namespace's nfs_client_list so that a downed server won't cause other mounts to hang in the trunking detection code. Reported-by: Michael Wakabayashi Fixes: 5c6e5b60aae4 ("NFS: Fix an Oops in the pNFS files and flexfiles connection setup to the DS") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 36291fd6279ff8cea85141ce6bfe29614b9ef401 Author: Stephan Gerhold Date: Mon May 17 12:51:12 2021 +0200 power: supply: rt5033_battery: Fix device tree enumeration [ Upstream commit f3076cd8d1d5fa64b5e1fa5affc045c2fc123baa ] The fuel gauge in the RT5033 PMIC has its own I2C bus and interrupt line. Therefore, it is not actually part of the RT5033 MFD and needs its own of_match_table to probe properly. Also, given that it's independent of the MFD, there is actually no need to make the Kconfig depend on MFD_RT5033. Although the driver uses the shared header, there is no compile or runtime dependency on the RT5033 MFD driver. Cc: Beomho Seo Cc: Chanwoo Choi Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver") Signed-off-by: Stephan Gerhold Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit ae56850d36572701778e75f8bce12c52a5c4a694 Author: Krzysztof Wilczyński Date: Thu Jun 3 00:01:12 2021 +0000 PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun [ Upstream commit bdcdaa13ad96f1a530711c29e6d4b8311eff767c ] "utf16s_to_utf8s(..., buf, PAGE_SIZE)" puts up to PAGE_SIZE bytes into "buf" and returns the number of bytes it actually put there. If it wrote PAGE_SIZE bytes, the newline added by dsm_label_utf16s_to_utf8s() would overrun "buf". Reduce the size available for utf16s_to_utf8s() to use so there is always space for the newline. [bhelgaas: reorder patch in series, commit log] Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs") Link: https://lore.kernel.org/r/20210603000112.703037-7-kw@linux.com Reported-by: Joe Perches Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 6594d0aa1c2290714dadb363c84f5f0820ef121b Author: Christophe JAILLET Date: Thu May 6 22:46:01 2021 +0200 remoteproc: k3-r5: Fix an error message [ Upstream commit 34c4da6d5dfba48f49f891ebd75bb55999f0c538 ] 'ret' is known to be 0 here. Reorder the code so that the expected error code is printed. Acked-by: Suman Anna Fixes: 6dedbd1d5443 ("remoteproc: k3-r5: Add a remoteproc driver for R5F subsystem") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/d6e29d903b48957bf59c67229d54b0fc215e31ae.1620333870.git.christophe.jaillet@wanadoo.fr Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit d3c150978ead8edf85dbd671bb8f864dd89612b3 Author: Chao Yu Date: Tue May 18 17:54:58 2021 +0800 f2fs: compress: fix to disallow temp extension [ Upstream commit 4a67d9b07ac8dce7f1034e0d887f2f4ee00fe118 ] This patch restricts to configure compress extension as format of: [filename + '.' + extension] rather than: [filename + '.' + extension + (optional: '.' + temp extension)] in order to avoid to enable compression incorrectly: 1. compress_extension=so 2. touch file.soa 3. touch file.so.tmp Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 43cefd126450060ff17daf69d02f50994ef70cfe Author: Chao Yu Date: Tue May 18 09:57:54 2021 +0800 f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs [ Upstream commit 0dd571785d61528d62cdd8aa49d76bc6085152fe ] As marcosfrm reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=213089 Initramfs generators rely on "pre" softdeps (and "depends") to include additional required modules. F2FS does not declare "pre: crc32" softdep. Then every generator (dracut, mkinitcpio...) has to maintain a hardcoded list for this purpose. Hence let's use MODULE_SOFTDEP("pre: crc32") in f2fs code. Fixes: 43b6573bac95 ("f2fs: use cryptoapi crc32 functions") Reported-by: marcosfrm Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 74569cb9ed7bc60e395927f55d3dc3be143a0164 Author: Chang S. Bae Date: Tue May 18 13:03:19 2021 -0700 x86/signal: Detect and prevent an alternate signal stack overflow [ Upstream commit 2beb4a53fc3f1081cedc1c1a198c7f56cc4fc60c ] The kernel pushes context on to the userspace stack to prepare for the user's signal handler. When the user has supplied an alternate signal stack, via sigaltstack(2), it is easy for the kernel to verify that the stack size is sufficient for the current hardware context. Check if writing the hardware context to the alternate stack will exceed it's size. If yes, then instead of corrupting user-data and proceeding with the original signal handler, an immediate SIGSEGV signal is delivered. Refactor the stack pointer check code from on_sig_stack() and use the new helper. While the kernel allows new source code to discover and use a sufficient alternate signal stack size, this check is still necessary to protect binaries with insufficient alternate signal stack size from data corruption. Fixes: c2bc11f10a39 ("x86, AVX-512: Enable AVX-512 States Context Switch") Reported-by: Florian Weimer Suggested-by: Jann Horn Suggested-by: Andy Lutomirski Signed-off-by: Chang S. Bae Signed-off-by: Borislav Petkov Reviewed-by: Len Brown Acked-by: Thomas Gleixner Link: https://lkml.kernel.org/r/20210518200320.17239-6-chang.seok.bae@intel.com Link: https://bugzilla.kernel.org/show_bug.cgi?id=153531 Signed-off-by: Sasha Levin commit f0e905df68d61e430aa2a127c07795aa0bac1060 Author: Chuck Lever Date: Fri May 14 15:55:17 2021 -0400 NFSD: Fix TP_printk() format specifier in nfsd_clid_class [ Upstream commit a948b1142cae66785521a389cab2cce74069b547 ] Since commit 9a6944fee68e ("tracing: Add a verifier to check string pointers for trace events"), which was merged in v5.13-rc1, TP_printk() no longer tacitly supports the "%.*s" format specifier. These are low value tracepoints, so just remove them. Reported-by: David Wysochanski Fixes: dd5e3fbc1f47 ("NFSD: Add tracepoints to the NFSD state management code") Signed-off-by: Chuck Lever Cc: Steven Rostedt Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 2830dd2faa538c97a4be1b35e7ebfa9bb873cc48 Author: Chao Yu Date: Tue May 11 18:17:34 2021 +0800 f2fs: atgc: fix to set default age threshold [ Upstream commit 89e53ff1651a61cf2abef9356e2f60d0086215be ] Default age threshold value is missed to set, fix it. Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") Reported-by: Sahitya Tummala Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit f6ec306b93dc600a0ab3bb2693568ef1cc5f7f7a Author: Xie Yongji Date: Tue May 25 20:56:22 2021 +0800 virtio_console: Assure used length from device is limited [ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ] The buf->len might come from an untrusted device. This ensures the value would not exceed the size of the buffer to avoid data corruption or loss. Signed-off-by: Xie Yongji Acked-by: Jason Wang Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 09a94a89d74fcd57bea948d19f08f602c368ac99 Author: Xie Yongji Date: Mon May 17 16:45:16 2021 +0800 virtio_net: Fix error handling in virtnet_restore() [ Upstream commit 3f2869cace829fb4b80fc53b3ddaa7f4ba9acbf1 ] Do some cleanups in virtnet_restore() when virtnet_cpu_notif_add() failed. Signed-off-by: Xie Yongji Link: https://lore.kernel.org/r/20210517084516.332-1-xieyongji@bytedance.com Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0 Author: Xie Yongji Date: Mon May 17 16:43:32 2021 +0800 virtio-blk: Fix memory leak among suspend/resume procedure [ Upstream commit b71ba22e7c6c6b279c66f53ee7818709774efa1f ] The vblk->vqs should be freed before we call init_vqs() in virtblk_restore(). Signed-off-by: Xie Yongji Link: https://lore.kernel.org/r/20210517084332.280-1-xieyongji@bytedance.com Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit d420b11666434b00b0146ed266cb991f9f5aa598 Author: Javier Martinez Canillas Date: Tue Jun 8 10:04:09 2021 +0200 PCI: rockchip: Register IRQ handlers after device and data are ready [ Upstream commit 3cf5f7ab230e2b886e493c7a8449ed50e29d2b98 ] An IRQ handler may be called at any time after it is registered, so anything it relies on must be ready before registration. rockchip_pcie_subsys_irq_handler() and rockchip_pcie_client_irq_handler() read registers in the PCIe controller, but we registered them before turning on clocks to the controller. If either is called before the clocks are turned on, the register reads fail and the machine hangs. Similarly, rockchip_pcie_legacy_int_handler() uses rockchip->irq_domain, but we installed it before initializing irq_domain. Register IRQ handlers after their data structures are initialized and clocks are enabled. Found by enabling CONFIG_DEBUG_SHIRQ, which calls the IRQ handler when it is being unregistered. An error during the probe path might cause this unregistration and IRQ handler execution before the device or data structure init has finished. [bhelgaas: commit log] Link: https://lore.kernel.org/r/20210608080409.1729276-1-javierm@redhat.com Reported-by: Peter Robinson Tested-by: Peter Robinson Signed-off-by: Javier Martinez Canillas Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Acked-by: Shawn Lin Signed-off-by: Sasha Levin commit 424fc30298cb5a154ec25a416dd7b911b8bba99d Author: Hans de Goede Date: Wed Jun 30 17:23:16 2021 +0200 ACPI: video: Add quirk for the Dell Vostro 3350 [ Upstream commit 9249c32ec9197e8d34fe5179c9e31668a205db04 ] The Dell Vostro 3350 ACPI video-bus device reports spurious ACPI_VIDEO_NOTIFY_CYCLE events resulting in spurious KEY_SWITCHVIDEOMODE events being reported to userspace (and causing trouble there). Add a quirk setting the report_key_events mask to REPORT_BRIGHTNESS_KEY_EVENTS so that the ACPI_VIDEO_NOTIFY_CYCLE events will be ignored, while still reporting brightness up/down hotkey-presses to userspace normally. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1911763 Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 4f2b140658cd97e1f17e9e8a7ffbe2675184dfe6 Author: Liguang Zhang Date: Tue Jun 29 19:27:48 2021 +0800 ACPI: AMBA: Fix resource name in /proc/iomem [ Upstream commit 7718629432676b5ebd9a32940782fe297a0abf8d ] In function amba_handler_attach(), dev->res.name is initialized by amba_device_alloc. But when address_found is false, dev->res.name is assigned to null value, which leads to wrong resource name display in /proc/iomem, "" is seen for those resources. Signed-off-by: Liguang Zhang Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 9dcc9ad3434869d7413a0220821181b3de1cd396 Author: Uwe Kleine-König Date: Thu Jun 17 11:51:41 2021 +0200 pwm: tegra: Don't modify HW state in .remove callback [ Upstream commit 86f7fa71cd830d18d7ebcaf719dffd5ddfe1acdd ] A consumer is expected to disable a PWM before calling pwm_put(). And if they didn't there is hopefully a good reason (or the consumer needs fixing). Also if disabling an enabled PWM was the right thing to do, this should better be done in the framework instead of in each low level driver. So drop the hardware modification from the .remove() callback. Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3d82361abd03c37f681b1ceac17d9f1c19255ff7 Author: Zou Wei Date: Wed May 12 11:57:17 2021 +0800 pwm: img: Fix PM reference leak in img_pwm_enable() [ Upstream commit fde25294dfd8e36e4e30b693c27a86232864002a ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit b3205768cd1a3a9869500ec27e129f8a71d2152a Author: Philip Yang Date: Mon Jun 21 18:51:26 2021 -0400 drm/amdkfd: fix sysfs kobj leak [ Upstream commit dcdb4d904b4bd3078fe8d4d24b1658560d6078ef ] 3 cases of kobj leak, which causes memory leak: kobj_type must have release() method to free memory from release callback. Don't need NULL default_attrs to init kobj. sysfs files created under kobj_status should be removed with kobj_status as parent kobject. Remove queue sysfs files when releasing queue from process MMU notifier release callback. Signed-off-by: Philip Yang Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 687875fa9c3b27319985fea40b83677e89e17be4 Author: Zou Wei Date: Sat Jun 5 09:21:41 2021 +0800 power: supply: ab8500: add missing MODULE_DEVICE_TABLE [ Upstream commit dfe52db13ab8d24857a9840ec7ca75eef800c26c ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit e88d524c662b1851c6d3a67d1c291db1da14bf59 Author: Zou Wei Date: Sat Jun 5 09:21:54 2021 +0800 power: supply: charger-manager: add missing MODULE_DEVICE_TABLE [ Upstream commit 073b5d5b1f9cc94a3eea25279fbafee3f4f5f097 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 89786fbc4d1ecea4fe295d9a140d3fc2ff072fe7 Author: Trond Myklebust Date: Tue May 11 23:41:10 2021 -0400 NFS: nfs_find_open_context() may only select open files [ Upstream commit e97bc66377bca097e1f3349ca18ca17f202ff659 ] If a file has already been closed, then it should not be selected to support further I/O. Signed-off-by: Trond Myklebust [Trond: Fix an invalid pointer deref reported by Colin Ian King] Signed-off-by: Sasha Levin commit 0fedfa72aedc6cf1950da2b767cdf0e77e1116f7 Author: Jing Xiangfeng Date: Tue Jun 29 19:59:56 2021 +0800 drm/gma500: Add the missed drm_gem_object_put() in psb_user_framebuffer_create() [ Upstream commit cd8f318fbd266b127ffc93cc4c1eaf9a5196fafb ] psb_user_framebuffer_create() misses to call drm_gem_object_put() in an error path. Add the missed function call to fix it. Signed-off-by: Jing Xiangfeng Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210629115956.15160-1-jingxiangfeng@huawei.com Signed-off-by: Sasha Levin commit 59d912fe9bb96c1df855a5d1403e780ffc6ee4e0 Author: Jeff Layton Date: Tue May 4 10:08:30 2021 -0400 ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty [ Upstream commit 22d41cdcd3cfd467a4af074165357fcbea1c37f5 ] The checks for page->mapping are odd, as set_page_dirty is an address_space operation, and I don't see where it would be called on a non-pagecache page. The warning about the page lock also seems bogus. The comment over set_page_dirty() says that it can be called without the page lock in some rare cases. I don't think we want to warn if that's the case. Reported-by: Matthew Wilcox Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 3c586f825576c435e65d4c4ee93ace30761c057f Author: Mike Marshall Date: Tue May 18 08:09:13 2021 -0400 orangefs: fix orangefs df output. [ Upstream commit 0fdec1b3c9fbb5e856a40db5993c9eaf91c74a83 ] Orangefs df output is whacky. Walt Ligon suggested this might fix it. It seems way more in line with reality now... Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin commit 6e43cdcbb7152ad440edd61a7af2ec7d088822e3 Author: Zou Wei Date: Wed May 12 12:07:02 2021 +0800 PCI: tegra: Add missing MODULE_DEVICE_TABLE [ Upstream commit 7bf475a4614a9722b9b989e53184a02596cf16d1 ] Add missing MODULE_DEVICE_TABLE definition so we generate correct modalias for automatic loading of this driver when it is built as a module. Link: https://lore.kernel.org/r/1620792422-16535-1-git-send-email-zou_wei@huawei.com Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Reviewed-by: Vidya Sagar Acked-by: Thierry Reding Signed-off-by: Sasha Levin commit 2df1abffc474648af02cb29ba95d98990bfc2e5e Author: Siddharth Gupta Date: Mon Jun 14 19:21:10 2021 -0700 remoteproc: core: Fix cdev remove and rproc del [ Upstream commit 930eec0be20c93a53160c74005a1485a230e6911 ] The rproc_char_device_remove() call currently unmaps the cdev region instead of simply deleting the cdev that was added as a part of the rproc_char_device_add() call. This change fixes that behaviour, and also fixes the order in which device_del() and cdev_del() need to be called. Signed-off-by: Siddharth Gupta Link: https://lore.kernel.org/r/1623723671-5517-4-git-send-email-sidgup@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit f3a56cd3eaf6a3e82060ee7afddb32e94bffdef1 Author: Thomas Gleixner Date: Wed Jun 23 14:02:30 2021 +0200 x86/fpu: Return proper error codes from user access functions [ Upstream commit aee8c67a4faa40a8df4e79316dbfc92d123989c1 ] When *RSTOR from user memory raises an exception, there is no way to differentiate them. That's bad because it forces the slow path even when the failure was not a fault. If the operation raised eg. #GP then going through the slow path is pointless. Use _ASM_EXTABLE_FAULT() which stores the trap number and let the exception fixup return the negated trap number as error. This allows to separate the fast path and let it handle faults directly and avoid the slow path for all other exceptions. Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210623121457.601480369@linutronix.de Signed-off-by: Sasha Levin commit 39ed17de8c6ff54c7ed4605a4a8e04a2e2f0b82e Author: Jan Kiszka Date: Sun May 30 13:24:23 2021 +0200 watchdog: iTCO_wdt: Account for rebooting on second timeout [ Upstream commit cb011044e34c293e139570ce5c01aed66a34345c ] This was already attempted to fix via 1fccb73011ea: If the BIOS did not enable TCO SMIs, the timer definitely needs to trigger twice in order to cause a reboot. If TCO SMIs are on, as well as SMIs in general, we can continue to assume that the BIOS will perform a reboot on the first timeout. QEMU with its ICH9 and related BIOS falls into the former category, currently taking twice the configured timeout in order to reboot the machine. For iTCO version that fall under turn_SMI_watchdog_clear_off, this is also true and was currently only addressed for v1, irrespective of the turn_SMI_watchdog_clear_off value. Signed-off-by: Jan Kiszka Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/0b8bb307-d08b-41b5-696c-305cdac6789c@siemens.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 9cc9f5de281b4f4e258ee66e04b27deac77b027f Author: Stefan Eichenberger Date: Tue Apr 6 14:12:47 2021 +0200 watchdog: imx_sc_wdt: fix pretimeout [ Upstream commit 854478a381078ee86ae2a7908a934b1ded399130 ] If the WDIOF_PRETIMEOUT flag is not set when registering the device the driver will not show the sysfs entries or register the default governor. By moving the registering after the decision whether pretimeout is supported this gets fixed. Signed-off-by: Stefan Eichenberger Reviewed-by: Guenter Roeck Reviewed-by: Dong Aisheng Link: https://lore.kernel.org/r/20210519080311.142928-1-eichest@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 66ba9cf929b1c4fabf545bd4c18f6f64e23e46e4 Author: Zou Wei Date: Wed May 12 14:57:56 2021 +0800 watchdog: Fix possible use-after-free by calling del_timer_sync() [ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ] This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Acked-by: Vladimir Zapolskiy Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit a173e3b62cf6dd3c4a0a10c8a82eedfcae81a566 Author: Zou Wei Date: Tue May 11 15:04:51 2021 +0800 watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() [ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit a397cb4576fc2fc802562418b3a50b8f67d60d31 Author: Zou Wei Date: Tue May 11 15:01:35 2021 +0800 watchdog: Fix possible use-after-free in wdt_startup() [ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 96c0bf09125e5d58597453b842bb8daa4dfb5e60 Author: Lukas Wunner Date: Sat May 1 10:29:00 2021 +0200 PCI: pciehp: Ignore Link Down/Up caused by DPC [ Upstream commit a97396c6eb13f65bea894dbe7739b2e883d40a3e ] Downstream Port Containment (PCIe r5.0, sec. 6.2.10) disables the link upon an error and attempts to re-enable it when instructed by the DPC driver. A slot which is both DPC- and hotplug-capable is currently powered off by pciehp once DPC is triggered (due to the link change) and powered back up on successful recovery. That's undesirable, the slot should remain powered so the hotplugged device remains bound to its driver. DPC notifies the driver of the error and of successful recovery in pcie_do_recovery() and the driver may then restore the device to working state. Moreover, Sinan points out that turning off slot power by pciehp may foil recovery by DPC: Power off/on is a cold reset concurrently to DPC's warm reset. Sathyanarayanan reports extended delays or failure in link retraining by DPC if pciehp brings down the slot. Fix by detecting whether a Link Down event is caused by DPC and awaiting recovery if so. On successful recovery, ignore both the Link Down and the subsequent Link Up event. Afterwards, check whether the link is down to detect surprise-removal or another DPC event immediately after DPC recovery. Ensure that the corresponding DLLSC event is not ignored by synthesizing it and invoking irq_wake_thread() to trigger a re-run of pciehp_ist(). The IRQ threads of the hotplug and DPC drivers, pciehp_ist() and dpc_handler(), race against each other. If pciehp is faster than DPC, it will wait until DPC recovery completes. Recovery consists of two steps: The first step (waiting for link disablement) is recognizable by pciehp through a set DPC Trigger Status bit. The second step (waiting for link retraining) is recognizable through a newly introduced PCI_DPC_RECOVERING flag. If DPC is faster than pciehp, neither of the two flags will be set and pciehp may glean the recovery status from the new PCI_DPC_RECOVERED flag. The flag is zero if DPC didn't occur at all, hence DLLSC events are not ignored by default. pciehp waits up to 4 seconds before assuming that DPC recovery failed and bringing down the slot. This timeout is not taken from the spec (it doesn't mandate one) but based on a report from Yicong Yang that DPC may take a bit more than 3 seconds on HiSilicon's Kunpeng platform. The timeout is necessary because the DPC Trigger Status bit may never clear: On Root Ports which support RP Extensions for DPC, the DPC driver polls the DPC RP Busy bit for up to 1 second before giving up on DPC recovery. Without the timeout, pciehp would then wait indefinitely for DPC to complete. This commit draws inspiration from previous attempts to synchronize DPC with pciehp: By Sinan Kaya, August 2018: https://lore.kernel.org/linux-pci/20180818065126.77912-1-okaya@kernel.org/ By Ethan Zhao, October 2020: https://lore.kernel.org/linux-pci/20201007113158.48933-1-haifeng.zhao@intel.com/ By Kuppuswamy Sathyanarayanan, March 2021: https://lore.kernel.org/linux-pci/59cb30f5e5ac6d65427ceaadf1012b2ba8dbf66c.1615606143.git.sathyanarayanan.kuppuswamy@linux.intel.com/ Link: https://lore.kernel.org/r/0be565d97438fe2a6d57354b3aa4e8626952a00b.1619857124.git.lukas@wunner.de Reported-by: Sinan Kaya Reported-by: Ethan Zhao Reported-by: Kuppuswamy Sathyanarayanan Tested-by: Kuppuswamy Sathyanarayanan Tested-by: Yicong Yang Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Reviewed-by: Kuppuswamy Sathyanarayanan Cc: Dan Williams Cc: Ashok Raj Cc: Keith Busch Signed-off-by: Sasha Levin commit 497064740406cb5de042bcf213ceb05277fcc503 Author: Trond Myklebust Date: Sat May 8 10:01:32 2021 -0400 NFSv4: Fix delegation return in cases where we have to retry [ Upstream commit be20037725d17935ec669044bd2b15bc40c3b5ab ] If we're unable to immediately recover all locks because the server is unable to immediately service our reclaim calls, then we want to retry after we've finished servicing all the other asynchronous delegation returns on our queue. Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b05c555c8d4d11472a7c0751c31867938e8cd420 Author: Logan Gunthorpe Date: Thu Jun 10 10:06:09 2021 -0600 PCI/P2PDMA: Avoid pci_get_slot(), which may sleep [ Upstream commit 3ec0c3ec2d92c09465534a1ff9c6f9d9506ffef6 ] In order to use upstream_bridge_distance_warn() from a dma_map function, it must not sleep. However, pci_get_slot() takes the pci_bus_sem so it might sleep. In order to avoid this, try to get the host bridge's device from the first element in the device list. It should be impossible for the host bridge's device to go away while references are held on child devices, so the first element should not be able to change and, thus, this should be safe. Introduce a static function called pci_host_bridge_dev() to obtain the host bridge's root device. Link: https://lore.kernel.org/r/20210610160609.28447-7-logang@deltatee.com Signed-off-by: Logan Gunthorpe Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 8e3f27bb7fdd4e79fe83a82dcad47a791f3d58ed Author: Nick Desaulniers Date: Tue Jun 1 20:29:26 2021 +0100 ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 [ Upstream commit 8b95a7d90ce8160ac5cffd5bace6e2eba01a871e ] There's a few instructions that GAS infers operands but Clang doesn't; from what I can tell the Arm ARM doesn't say these are optional. F5.1.257 TBB, TBH T1 Halfword variant F5.1.238 STREXD T1 variant F5.1.84 LDREXD T1 variant Link: https://github.com/ClangBuiltLinux/linux/issues/1309 Signed-off-by: Nick Desaulniers Reviewed-by: Jian Cai Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 9d829ca43b081e588083482ecb18bd2bacee8242 Author: Bixuan Cui Date: Sat May 8 11:14:59 2021 +0800 power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE [ Upstream commit ed3443fb4df4e140a22f65144546c8a8e1e27f4e ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Bixuan Cui Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit efc6443c1abea67bdfbbe72f07e0f879b97baeed Author: Krzysztof Kozlowski Date: Wed May 26 13:20:35 2021 -0400 power: supply: max17042: Do not enforce (incorrect) interrupt trigger type [ Upstream commit 7fbf6b731bca347700e460d94b130f9d734b33e9 ] Interrupt line can be configured on different hardware in different way, even inverted. Therefore driver should not enforce specific trigger type - edge falling - but instead rely on Devicetree to configure it. The Maxim 17047/77693 datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU therefore the edge falling is not correct. The interrupt line is shared between PMIC and RTC driver, so using level sensitive interrupt is here especially important to avoid races. With an edge configuration in case if first PMIC signals interrupt followed shortly after by the RTC, the interrupt might not be yet cleared/acked thus the second one would not be noticed. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 7667cdc4b7e866aee35591407a54b45944637ffe Author: Long Li Date: Wed May 12 01:06:40 2021 -0700 PCI: hv: Fix a race condition when removing the device [ Upstream commit 94d22763207ac6633612b8d8e0ca4fba0f7aa139 ] On removing the device, any work item (hv_pci_devices_present() or hv_pci_eject_device()) scheduled on workqueue hbus->wq may still be running and race with hv_pci_remove(). This can happen because the host may send PCI_EJECT or PCI_BUS_RELATIONS(2) and decide to rescind the channel immediately after that. Fix this by flushing/destroying the workqueue of hbus before doing hbus remove. Link: https://lore.kernel.org/r/1620806800-30983-1-git-send-email-longli@linuxonhyperv.com Signed-off-by: Long Li Signed-off-by: Lorenzo Pieralisi Reviewed-by: Michael Kelley Signed-off-by: Sasha Levin commit 14016c17282025f474f72c25837fa6587ee6c5e7 Author: Linus Walleij Date: Sun May 23 00:50:41 2021 +0200 power: supply: ab8500: Avoid NULL pointers [ Upstream commit 5bcb5087c9dd3dca1ff0ebd8002c5313c9332b56 ] Sometimes the code will crash because we haven't enabled AC or USB charging and thus not created the corresponding psy device. Fix it by checking that it is there before notifying. Signed-off-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0df49cdc7c154e9e852cd6ec68416003d16f994b Author: Randy Dunlap Date: Mon May 17 16:41:17 2021 -0700 PCI: ftpci100: Rename macro name collision [ Upstream commit 5be967d5016ac5ffb9c4d0df51b48441ee4d5ed1 ] PCI_IOSIZE is defined in mach-loongson64/spaces.h, so change the name of the PCI_* macros in pci-ftpci100.c to use FTPCI_* so that they are more localized and won't conflict with other drivers or arches. ../drivers/pci/controller/pci-ftpci100.c:37: warning: "PCI_IOSIZE" redefined 37 | #define PCI_IOSIZE 0x00 | In file included from ../arch/mips/include/asm/addrspace.h:13, ... from ../drivers/pci/controller/pci-ftpci100.c:15: arch/mips/include/asm/mach-loongson64/spaces.h:11: note: this is the location of the previous definition 11 | #define PCI_IOSIZE SZ_16M Suggested-by: Linus Walleij Link: https://lore.kernel.org/r/20210517234117.3660-1-rdunlap@infradead.org Reported-by: kernel test robot Signed-off-by: Randy Dunlap Signed-off-by: Lorenzo Pieralisi Reviewed-by: Linus Walleij Cc: Jiaxun Yang Cc: Linus Walleij Cc: Krzysztof Wilczyński Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Signed-off-by: Sasha Levin commit e133435232edbf03345a13b3480c7330b9206319 Author: Uwe Kleine-König Date: Wed Apr 28 11:05:24 2021 +0200 pwm: spear: Don't modify HW state in .remove callback [ Upstream commit b601a18f12383001e7a8da238de7ca1559ebc450 ] A consumer is expected to disable a PWM before calling pwm_put(). And if they didn't there is hopefully a good reason (or the consumer needs fixing). Also if disabling an enabled PWM was the right thing to do, this should better be done in the framework instead of in each low level driver. So drop the hardware modification from the .remove() callback. Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 15a19c5a92926a4f9ab0ce7abf831ac39da59301 Author: Zou Wei Date: Tue May 11 14:17:12 2021 +0800 power: supply: sc2731_charger: Add missing MODULE_DEVICE_TABLE [ Upstream commit 2aac79d14d76879c8e307820b31876e315b1b242 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit d7897890bade4f2bfff6a008268cbdca4eb4ed8b Author: Zou Wei Date: Tue May 11 11:37:45 2021 +0800 power: supply: sc27xx: Add missing MODULE_DEVICE_TABLE [ Upstream commit 603fcfb9d4ec1cad8d66d3bb37f3613afa8a661a ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 6ed9f9899b66e14e705985779085d22c44755a8b Author: Marco Elver Date: Wed Jun 30 18:56:49 2021 -0700 kcov: add __no_sanitize_coverage to fix noinstr for all architectures [ Upstream commit 540540d06e9d9b3769b46d88def90f7e7c002322 ] Until now no compiler supported an attribute to disable coverage instrumentation as used by KCOV. To work around this limitation on x86, noinstr functions have their coverage instrumentation turned into nops by objtool. However, this solution doesn't scale automatically to other architectures, such as arm64, which are migrating to use the generic entry code. Clang [1] and GCC [2] have added support for the attribute recently. [1] https://github.com/llvm/llvm-project/commit/280333021e9550d80f5c1152a34e33e81df1e178 [2] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=cec4d4a6782c9bd8d071839c50a239c49caca689 The changes will appear in Clang 13 and GCC 12. Add __no_sanitize_coverage for both compilers, and add it to noinstr. Note: In the Clang case, __has_feature(coverage_sanitizer) is only true if the feature is enabled, and therefore we do not require an additional defined(CONFIG_KCOV) (like in the GCC case where __has_attribute(..) is always true) to avoid adding redundant attributes to functions if KCOV is off. That being said, compilers that support the attribute will not generate errors/warnings if the attribute is redundantly used; however, where possible let's avoid it as it reduces preprocessed code size and associated compile-time overheads. [elver@google.com: Implement __has_feature(coverage_sanitizer) in Clang] Link: https://lkml.kernel.org/r/20210527162655.3246381-1-elver@google.com [elver@google.com: add comment explaining __has_feature() in Clang] Link: https://lkml.kernel.org/r/20210527194448.3470080-1-elver@google.com Link: https://lkml.kernel.org/r/20210525175819.699786-1-elver@google.com Signed-off-by: Marco Elver Acked-by: Peter Zijlstra (Intel) Reviewed-by: Miguel Ojeda Reviewed-by: Nathan Chancellor Cc: Nick Desaulniers Cc: Kees Cook Cc: Will Deacon Cc: Ard Biesheuvel Cc: Luc Van Oostenryck Cc: Arvind Sankar Cc: Masahiro Yamada Cc: Sami Tolvanen Cc: Arnd Bergmann Cc: Dmitry Vyukov Cc: Mark Rutland Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ff53dfb32349642182c077767c9ff86cc9a2017a Author: Dimitri John Ledkov Date: Wed Jun 30 18:56:16 2021 -0700 lib/decompress_unlz4.c: correctly handle zero-padding around initrds. [ Upstream commit 2c484419efc09e7234c667aa72698cb79ba8d8ed ] lz4 compatible decompressor is simple. The format is underspecified and relies on EOF notification to determine when to stop. Initramfs buffer format[1] explicitly states that it can have arbitrary number of zero padding. Thus when operating without a fill function, be extra careful to ensure that sizes less than 4, or apperantly empty chunksizes are treated as EOF. To test this I have created two cpio initrds, first a normal one, main.cpio. And second one with just a single /test-file with content "second" second.cpio. Then i compressed both of them with gzip, and with lz4 -l. Then I created a padding of 4 bytes (dd if=/dev/zero of=pad4 bs=1 count=4). To create four testcase initrds: 1) main.cpio.gzip + extra.cpio.gzip = pad0.gzip 2) main.cpio.lz4 + extra.cpio.lz4 = pad0.lz4 3) main.cpio.gzip + pad4 + extra.cpio.gzip = pad4.gzip 4) main.cpio.lz4 + pad4 + extra.cpio.lz4 = pad4.lz4 The pad4 test-cases replicate the initrd load by grub, as it pads and aligns every initrd it loads. All of the above boot, however /test-file was not accessible in the initrd for the testcase #4, as decoding in lz4 decompressor failed. Also an error message printed which usually is harmless. Whith a patched kernel, all of the above testcases now pass, and /test-file is accessible. This fixes lz4 initrd decompress warning on every boot with grub. And more importantly this fixes inability to load multiple lz4 compressed initrds with grub. This patch has been shipping in Ubuntu kernels since January 2021. [1] ./Documentation/driver-api/early-userspace/buffer-format.rst BugLink: https://bugs.launchpad.net/bugs/1835660 Link: https://lore.kernel.org/lkml/20210114200256.196589-1-xnox@ubuntu.com/ # v0 Link: https://lkml.kernel.org/r/20210513104831.432975-1-dimitri.ledkov@canonical.com Signed-off-by: Dimitri John Ledkov Cc: Kyungsik Lee Cc: Yinghai Lu Cc: Bongkyu Kim Cc: Kees Cook Cc: Sven Schmidt <4sschmid@informatik.uni-hamburg.de> Cc: Rajat Asthana Cc: Nick Terrell Cc: Gao Xiang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b85b43c3e4b83e7e6aea76b2450b6d1ea9398bd8 Author: Rashmi A Date: Thu Jun 3 23:52:42 2021 +0530 phy: intel: Fix for warnings due to EMMC clock 175Mhz change in FIP [ Upstream commit 2f2b73a29d2aabf5ad0150856c3e5cb6e04dcfc1 ] Since the EMMC clock was changed from 200Mhz to 175Mhz in FIP, there were some warnings introduced, as the frequency values being checked was still wrt 200Mhz in code. Hence, the frequency checks are now updated based on the current 175Mhz EMMC clock changed in FIP. Spamming kernel log msg: "phy phy-20290000.mmc_phy.2: Unsupported rate: 43750000" Signed-off-by: Rashmi A Reviewed-by: Adrian Hunter Acked-By: Vinod Koul Link: https://lore.kernel.org/r/20210603182242.25733-3-rashmi.a@intel.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit a9d986be494e453a01eb3e5f94c3004990d85b87 Author: Dmitry Torokhov Date: Fri Jun 4 16:27:44 2021 -0700 i2c: core: Disable client irq on reboot/shutdown [ Upstream commit b64210f2f7c11c757432ba3701d88241b2b98fb1 ] If an i2c client receives an interrupt during reboot or shutdown it may be too late to service it by making an i2c transaction on the bus because the i2c controller has already been shutdown. This can lead to system hangs if the i2c controller tries to make a transfer that is doomed to fail because the access to the i2c pins is already shut down, or an iommu translation has been torn down so i2c controller register access doesn't work. Let's simply disable the irq if there isn't a shutdown callback for an i2c client when there is an irq associated with the device. This will make sure that irqs don't come in later than the time that we can handle it. We don't do this if the i2c client device already has a shutdown callback because presumably they're doing the right thing and quieting the device so irqs don't come in after the shutdown callback returns. Reported-by: kernel test robot [swboyd@chromium.org: Dropped newline, added commit text, added interrupt.h for robot build error] Signed-off-by: Stephen Boyd Signed-off-by: Dmitry Torokhov Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 9c6c6570471963e2fe74e72b01854d573a11fe9f Author: Alexander Shishkin Date: Mon Jun 21 18:12:46 2021 +0300 intel_th: Wait until port is in reset before programming it [ Upstream commit ab1afed701d2db7eb35c1a2526a29067a38e93d1 ] Some devices don't drain their pipelines if we don't make sure that the corresponding output port is in reset before programming it for a new trace capture, resulting in bits of old trace appearing in the new trace capture. Fix that by explicitly making sure the reset is asserted before programming new trace capture. Reviewed-by: Andy Shevchenko Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20210621151246.31891-5-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 45f1de1fff2bb78a6ec5702a61843e5046d59004 Author: Fabio Aiuto Date: Tue Jun 22 15:09:58 2021 +0200 staging: rtl8723bs: fix macro value for 2.4Ghz only device [ Upstream commit 6d490a27e23c5fb79b766530016ab8665169498e ] fix IQK_Matrix_Settings_NUM macro value to 14 which is the max channel number value allowed in a 2.4Ghz device. Acked-by: Hans de Goede Signed-off-by: Fabio Aiuto Link: https://lore.kernel.org/r/0b4a876929949248aa18cb919da3583c65e4ee4e.1624367072.git.fabioaiuto83@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1f577093c84329cb2df6d3f4a33e627b1b145458 Author: Zou Wei Date: Wed May 12 14:49:18 2021 +0800 leds: turris-omnia: add missing MODULE_DEVICE_TABLE [ Upstream commit 9d0150db97583cfbb6b44cbe02241a1a48f90210 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit ff8f11860e4376c27a43dd37d171f380906542a0 Author: Takashi Sakamoto Date: Wed Jun 23 16:59:33 2021 +0900 ALSA: firewire-motu: fix detection for S/PDIF source on optical interface in v2 protocol [ Upstream commit fa4db23233eb912234bdfb0b26a38be079c6b5ea ] The devices in protocol version 2 has a register with flag for IEC 60958 signal detection as source of sampling clock without discrimination between coaxial and optical interfaces. On the other hand, current implementation of driver manage to interpret type of signal on optical interface instead. This commit fixes the detection of optical/coaxial interface for S/PDIF signal. Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210623075941.72562-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9ada4baae6393bcb3740a5b4b2d7bb209854b8e5 Author: Geoffrey D. Bennett Date: Tue Jun 22 03:39:18 2021 +0930 ALSA: usb-audio: scarlett2: Fix 6i6 Gen 2 line out descriptions [ Upstream commit c712c6c0ff2d60478582e337185bcdd520a7dc2e ] There are two headphone outputs, and they map to the four analogue outputs. Signed-off-by: Geoffrey D. Bennett Link: https://lore.kernel.org/r/205e5e5348f08ded0cc4da5446f604d4b91db5bf.1624294591.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit fb7c8bfa2e3ca7dfc966480659961c6266336b2f Author: Jiajun Cao Date: Tue Jun 22 21:19:42 2021 +0800 ALSA: hda: Add IRQ check for platform_get_irq() [ Upstream commit 8c13212443230d03ff25014514ec0d53498c0912 ] The function hda_tegra_first_init() neglects to check the return value after executing platform_get_irq(). hda_tegra_first_init() should check the return value (if negative error number) for errors so as to not pass a negative value to the devm_request_irq(). Fix it by adding a check for the return value irq_id. Signed-off-by: Jiajun Cao Signed-off-by: Xin Tan Reviewed-by: Thierry Reding Link: https://lore.kernel.org/r/20210622131947.94346-1-jjcao20@fudan.edu.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 63c49cfa2f0c6417ee96a8675bd5e36f9e620aa9 Author: Uwe Kleine-König Date: Mon Jun 21 14:21:47 2021 +0200 backlight: lm3630a: Fix return code of .update_status() callback [ Upstream commit b9481a667a90ec739995e85f91f3672ca44d6ffa ] According to .update_status() is supposed to return 0 on success and a negative error code otherwise. Adapt lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status() to actually do it. While touching that also add the error code to the failure message. Signed-off-by: Uwe Kleine-König Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 719c45a41cdb6dc937133f147bc1faed7f356bf2 Author: Pierre-Louis Bossart Date: Mon Jun 21 14:40:52 2021 -0500 ASoC: Intel: kbl_da7219_max98357a: shrink platform_id below 20 characters [ Upstream commit 94efd726b947f265bd313605c9f73edec5469d65 ] Sparse throws the following warnings: sound/soc/intel/boards/kbl_da7219_max98357a.c:647:25: error: too long initializer-string for array of char(no space for nul char) Fix by using the 'mx' acronym for Maxim. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Paul Olaru Reviewed-by: Guennadi Liakhovetski Reviewed-by: Rander Wang Link: https://lore.kernel.org/r/20210621194057.21711-6-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 692e16958f48d93496df6ec42d5764ea57081713 Author: Benjamin Herrenschmidt Date: Fri Jun 18 13:49:00 2021 +1000 powerpc/boot: Fixup device-tree on little endian [ Upstream commit c93f80849bdd9b45d834053ae1336e28f0026c84 ] This fixes the core devtree.c functions and the ns16550 UART backend. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Paul Mackerras Reviewed-by: Segher Boessenkool Acked-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/YMwXrPT8nc4YUdJ9@thinks.paulus.ozlabs.org Signed-off-by: Sasha Levin commit b41cb0e4af0b1fb496e143483c3303beb9257bb0 Author: Yang Yingliang Date: Fri Jun 18 12:38:35 2021 +0800 usb: gadget: hid: fix error return code in hid_bind() [ Upstream commit 88693f770bb09c196b1eb5f06a484a254ecb9924 ] Fix to return a negative error code from the error handling case instead of 0. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210618043835.2641360-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 309b44d31667597f0611579e6a863be01129c2a2 Author: Ruslan Bilovol Date: Thu Jun 17 19:27:55 2021 +0300 usb: gadget: f_hid: fix endianness issue with descriptors [ Upstream commit 33cb46c4676d01956811b68a29157ea969a5df70 ] Running sparse checker it shows warning message about incorrect endianness used for descriptor initialization: | f_hid.c:91:43: warning: incorrect type in initializer (different base types) | f_hid.c:91:43: expected restricted __le16 [usertype] bcdHID | f_hid.c:91:43: got int Fixing issue with cpu_to_le16() macro, however this is not a real issue as the value is the same both endians. Cc: Fabien Chouteau Cc: Segiy Stetsyuk Signed-off-by: Ruslan Bilovol Link: https://lore.kernel.org/r/20210617162755.29676-1-ruslan.bilovol@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 16668cc65601a6a084262b80866428aacf17e1c9 Author: Geoffrey D. Bennett Date: Mon Jun 21 02:16:45 2021 +0930 ALSA: usb-audio: scarlett2: Fix scarlett2_*_ctl_put() return values [ Upstream commit c5d8e008032f3cd5f266d552732973a960b0bd4b ] Mixer control put callbacks should return 1 if the value is changed. Fix the sw_hw, level, pad, and button controls accordingly. Signed-off-by: Geoffrey D. Bennett Link: https://lore.kernel.org/r/20210620164645.GA9221@m.b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3005d48b40e51ef8c207f5049669b2fb9e7f9763 Author: Geoffrey D. Bennett Date: Mon Jun 21 02:16:43 2021 +0930 ALSA: usb-audio: scarlett2: Fix data_mutex lock [ Upstream commit 9b5ddea9ce5a68d7d2bedcb69901ac2a86c96c7b ] The private->vol_updated flag was being checked outside of the mutex_lock/unlock() of private->data_mutex leading to the volume data being fetched twice from the device unnecessarily or old volume data being returned. Update scarlett2_*_ctl_get() and include the private->vol_updated flag check inside the critical region. Signed-off-by: Geoffrey D. Bennett Link: https://lore.kernel.org/r/20210620164643.GA9216@m.b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8f075c61ea8d2fbdb3e4dddba5031911924c5da2 Author: Geoffrey D. Bennett Date: Mon Jun 21 02:16:25 2021 +0930 ALSA: usb-audio: scarlett2: Fix 18i8 Gen 2 PCM Input count [ Upstream commit c5210f213456383482b4a77c5310282a89a106b5 ] The 18i8 Gen 2 has 8 PCM Inputs, not 20. Fix the ports entry in s18i8_gen2_info. Signed-off-by: Geoffrey D. Bennett Link: https://lore.kernel.org/r/20210620164625.GA9165@m.b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3b7bd795cbef4de6b7c1aa1702b793d38fb00d2e Author: Takashi Sakamoto Date: Sat Jun 19 17:39:22 2021 +0900 ALSA: bebob: add support for ToneWeal FW66 [ Upstream commit 50ebe56222bfa0911a932930f9229ee5995508d9 ] A user of FFADO project reported the issue of ToneWeal FW66. As a result, the device is identified as one of applications of BeBoB solution. I note that in the report the device returns contradictory result in plug discovery process for audio subunit. Fortunately ALSA BeBoB driver doesn't perform it thus it's likely to handle the device without issues. I receive no reaction to test request for this patch yet, however it would be worth to add support for it. daniel@gibbonmoon:/sys/bus/firewire/devices/fw1$ grep -r . * Binary file config_rom matches dev:244:1 guid:0x0023270002000000 hardware_version:0x000002 is_local:0 model:0x020002 model_name:FW66 power/runtime_active_time:0 power/runtime_active_kids:0 power/runtime_usage:0 power/runtime_status:unsupported power/async:disabled power/runtime_suspended_time:0 power/runtime_enabled:disabled power/control:auto subsystem/drivers_autoprobe:1 uevent:MAJOR=244 uevent:MINOR=1 uevent:DEVNAME=fw1 units:0x00a02d:0x010001 vendor:0x002327 vendor_name:ToneWeal fw1.0/uevent:MODALIAS=ieee1394:ven00002327mo00020002sp0000A02Dver00010001 fw1.0/power/runtime_active_time:0 fw1.0/power/runtime_active_kids:0 fw1.0/power/runtime_usage:0 fw1.0/power/runtime_status:unsupported fw1.0/power/async:disabled fw1.0/power/runtime_suspended_time:0 fw1.0/power/runtime_enabled:disabled fw1.0/power/control:auto fw1.0/model:0x020002 fw1.0/rom_index:15 fw1.0/specifier_id:0x00a02d fw1.0/model_name:FW66 fw1.0/version:0x010001 fw1.0/modalias:ieee1394:ven00002327mo00020002sp0000A02Dver00010001 Cc: Daniel Jozsef Reference: https://lore.kernel.org/alsa-devel/20200119164335.GA11974@workstation/ Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210619083922.16060-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 90cd79aa9ac7d8f8a6eea65cc07fe88b451af68a Author: Yizhuo Zhai Date: Sat Jun 19 22:26:50 2021 -0700 Input: hideep - fix the uninitialized use in hideep_nvm_unlock() [ Upstream commit cac7100d4c51c04979dacdfe6c9a5e400d3f0a27 ] Inside function hideep_nvm_unlock(), variable "unmask_code" could be uninitialized if hideep_pgm_r_reg() returns error, however, it is used in the later if statement after an "and" operation, which is potentially unsafe. Signed-off-by: Yizhuo Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit a50b56ffc0c88c15dacab89cf72a1ce912bdfe6e Author: Heiko Carstens Date: Mon Jun 14 22:09:20 2021 +0200 s390/mem_detect: fix tprot() program check new psw handling [ Upstream commit da9057576785aaab52e706e76c0475c85b77ec14 ] The tprot() inline asm temporarily changes the program check new psw to redirect a potential program check on the diag instruction. Restoring of the program check new psw is done in C code behind the inline asm. This can be problematic, especially if the function is inlined, since the compiler can reorder instructions in such a way that a different instruction, which may result in a program check, might be executed before the program check new psw has been restored. To avoid such a scenario move restoring into the inline asm. For consistency reasons move also saving of the original program check new psw into the inline asm. Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 7e1e0235b3db32b190dc7b47434587075580caff Author: Heiko Carstens Date: Mon Jun 14 21:40:43 2021 +0200 s390/mem_detect: fix diag260() program check new psw handling [ Upstream commit 86807f348f418a84970eebb8f9912a7eea16b497 ] The __diag260() inline asm temporarily changes the program check new psw to redirect a potential program check on the diag instruction. Restoring of the program check new psw is done in C code behind the inline asm. This can be problematic, especially if the function is inlined, since the compiler can reorder instructions in such a way that a different instruction, which may result in a program check, might be executed before the program check new psw has been restored. To avoid such a scenario move restoring into the inline asm. For consistency reasons move also saving of the original program check new psw into the inline asm. Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit c25be19aa95755daca6a09ea07d932007cdbf60a Author: Heiko Carstens Date: Mon Jun 14 14:49:31 2021 +0200 s390/ipl_parm: fix program check new psw handling [ Upstream commit 88c2510cecb7e2b518e3c4fdf3cf0e13ebe9377c ] The __diag308() inline asm temporarily changes the program check new psw to redirect a potential program check on the diag instruction. Restoring of the program check new psw is done in C code behind the inline asm. This can be problematic, especially if the function is inlined, since the compiler can reorder instructions in such a way that a different instruction, which may result in a program check, might be executed before the program check new psw has been restored. To avoid such a scenario move restoring into the inline asm. For consistency reasons move also saving of the original program check new psw into the inline asm. Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 3794633dfdd86263627459b262ba6ce4c9719bd6 Author: Heiko Carstens Date: Thu Jun 10 17:50:25 2021 +0200 s390/processor: always inline stap() and __load_psw_mask() [ Upstream commit 9c9a915afd90f7534c16a71d1cd44b58596fddf3 ] s390 is the only architecture which makes use of the __no_kasan_or_inline attribute for two functions. Given that both stap() and __load_psw_mask() are very small functions they can and should be always inlined anyway. Therefore get rid of __no_kasan_or_inline and always inline these functions. Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit f22649cf90c3b674cc0f1cc4951fddd5e6e2a5e6 Author: Koby Elbaz Date: Wed Jun 9 21:43:52 2021 +0300 habanalabs: remove node from list before freeing the node [ Upstream commit f5eb7bf0c487a212ebda3c1b048fc3ccabacc147 ] fix the following smatch warnings: goya_pin_memory_before_cs() warn: '&userptr->job_node' not removed from list gaudi_pin_memory_before_cs() warn: '&userptr->job_node' not removed from list Signed-off-by: Koby Elbaz Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 25ddb0a42f3a9a498e9b5411a386f6bfd948583b Author: Koby Elbaz Date: Wed May 19 15:16:52 2021 +0300 habanalabs/gaudi: set the correct cpu_id on MME2_QM failure [ Upstream commit b92c637c5f5ef7e3e21dbc7bfa7f1999450f3902 ] This fix was applied since there was an incorrect reported CPU ID to GIC such that an error in MME2 QMAN aliased to be an arriving from DMA0_QM. Signed-off-by: Koby Elbaz Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 3dd2a9daa765e67f9a008c08d6f3fdd82b1f3ae4 Author: Zhen Lei Date: Thu Jun 17 18:37:29 2021 +0800 ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() [ Upstream commit 7d3865a10b9ff2669c531d5ddd60bf46b3d48f1e ] When devm_kcalloc() fails, the error code -ENOMEM should be returned instead of -EINVAL. Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210617103729.1918-1-thunder.leizhen@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8e18158ea7876bb7a57ef727b11a6f58562df1f7 Author: Aneesh Kumar K.V Date: Thu Jun 10 14:06:39 2021 +0530 powerpc/mm/book3s64: Fix possible build error [ Upstream commit 07d8ad6fd8a3d47f50595ca4826f41dbf4f3a0c6 ] Update _tlbiel_pid() such that we can avoid build errors like below when using this function in other places. arch/powerpc/mm/book3s64/radix_tlb.c: In function ‘__radix__flush_tlb_range_psize’: arch/powerpc/mm/book3s64/radix_tlb.c:114:2: warning: ‘asm’ operand 3 probably does not match constraints 114 | asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1) | ^~~ arch/powerpc/mm/book3s64/radix_tlb.c:114:2: error: impossible constraint in ‘asm’ make[4]: *** [scripts/Makefile.build:271: arch/powerpc/mm/book3s64/radix_tlb.o] Error 1 m With this fix, we can also drop the __always_inline in __radix_flush_tlb_range_psize which was added by commit e12d6d7d46a6 ("powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline") Signed-off-by: Aneesh Kumar K.V Reviewed-by: Christophe Leroy Acked-by: Michael Ellerman Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210610083639.387365-1-aneesh.kumar@linux.ibm.com Signed-off-by: Sasha Levin commit ed0b4b56a92256c2bdf56857cdc0bbfcf61edb7c Author: Peter Robinson Date: Sun Jun 13 23:03:26 2021 +0100 gpio: pca953x: Add support for the On Semi pca9655 [ Upstream commit 6d49b3a0f351925b5ea5047166c112b7590b918a ] The On Semi pca9655 is a 16 bit variant of the On Semi pca9654 GPIO expander, with 16 GPIOs and interrupt functionality. Signed-off-by: Peter Robinson [Bartosz: fixed indentation as noted by Andy] Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit b7f4423c7de87893ce5f4e9ca559ad50f9986e4c Author: Athira Rajeev Date: Tue May 25 09:51:42 2021 -0400 selftests/powerpc: Fix "no_handler" EBB selftest [ Upstream commit 45677c9aebe926192e59475b35a1ff35ff2d4217 ] The "no_handler_test" in ebb selftests attempts to read the PMU registers twice via helper function "dump_ebb_state". First dump is just before closing of event and the second invocation is done after closing of the event. The original intention of second dump_ebb_state was to dump the state of registers at the end of the test when the counters are frozen. But this will be achieved with the first call itself since sample period is set to low value and PMU will be frozen by then. Hence patch removes the dump which was done before closing of the event. Reported-by: Shirisha Ganta Signed-off-by: Athira Rajeev Tested-by: Nageswara R Sastry > Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1621950703-1532-2-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit c7f2112e7ada8ee1a14ee9fb706236dfbbc84bb1 Author: Yang Yingliang Date: Wed Jun 16 10:11:21 2021 +0800 ALSA: ppc: fix error return code in snd_pmac_probe() [ Upstream commit 80b9c1be567c3c6bbe0d4b290af578e630485b5d ] If snd_pmac_tumbler_init() or snd_pmac_tumbler_post_init() fails, snd_pmac_probe() need return error code. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210616021121.1991502-1-yangyingliang@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1004c52e3c5182a71876108818ef309d6df9dcf7 Author: Michael Kelley Date: Fri Jun 4 10:21:03 2021 -0700 scsi: storvsc: Correctly handle multiple flags in srb_status [ Upstream commit 52e1b3b3daa9d53f0204bf474ee1d4b1beb38234 ] Hyper-V is observed to sometimes set multiple flags in the srb_status, such as ABORTED and ERROR. Current code in storvsc_handle_error() handles only a single flag being set, and does nothing when multiple flags are set. Fix this by changing the case statement into a series of "if" statements testing individual flags. The functionality for handling each flag is unchanged. Link: https://lore.kernel.org/r/1622827263-12516-3-git-send-email-mikelley@microsoft.com Signed-off-by: Michael Kelley Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b3d3a2466e749168410f92c574d0d0cacd98411b Author: Srinivas Neeli Date: Fri Apr 9 19:38:06 2021 +0530 gpio: zynq: Check return value of irq_get_irq_data [ Upstream commit 35d7b72a632bc7afb15356f44005554af8697904 ] In two different instances the return value of "irq_get_irq_data" API was neither captured nor checked. Fixed it by capturing the return value and then checking for any error. Addresses-Coverity: "returned_null" Signed-off-by: Srinivas Neeli Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 3d2b0818daa421b1619cf3bf5f2b2a6788cebcf2 Author: Srinivas Neeli Date: Fri Apr 9 19:38:05 2021 +0530 gpio: zynq: Check return value of pm_runtime_get_sync [ Upstream commit a51b2fb94b04ab71e53a71b9fad03fa826941254 ] Return value of "pm_runtime_get_sync" API was neither captured nor checked. Fixed it by capturing the return value and then checking for any warning. Addresses-Coverity: "check_return" Signed-off-by: Srinivas Neeli Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 71f8d7fbfe8e5c86fc046cf212eabd25d365591a Author: Jaroslav Kysela Date: Mon Jun 14 09:17:46 2021 +0200 ASoC: soc-pcm: fix the return value in dpcm_apply_symmetry() [ Upstream commit 12ffd726824a2f52486f72338b6fd3244b512959 ] In case, where the loops are not executed for a reason, the uninitialized variable 'err' is returned to the caller. Make code fully predictible and assign zero in the declaration. Signed-off-by: Jaroslav Kysela Cc: Mark Brown Cc: Kuninori Morimoto Link: https://lore.kernel.org/r/20210614071746.1787072-1-perex@perex.cz Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 43d1aaa1965f9b58035196dac49b1e1e6c9c25eb Author: Xiyu Yang Date: Thu Jun 10 10:49:20 2021 +0800 iommu/arm-smmu: Fix arm_smmu_device refcount leak in address translation [ Upstream commit 7c8f176d6a3fa18aa0f8875da6f7c672ed2a8554 ] The reference counting issue happens in several exception handling paths of arm_smmu_iova_to_phys_hard(). When those error scenarios occur, the function forgets to decrease the refcount of "smmu" increased by arm_smmu_rpm_get(), causing a refcount leak. Fix this issue by jumping to "out" label when those error scenarios occur. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Reviewed-by: Rob Clark Link: https://lore.kernel.org/r/1623293391-17261-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit c4007596fbdabc29f858dc2e1990858a146b60b2 Author: Xiyu Yang Date: Thu Jun 10 10:54:29 2021 +0800 iommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails [ Upstream commit 1adf30f198c26539a62d761e45af72cde570413d ] arm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the refcount of the "smmu" even though the return value is less than 0. The reference counting issue happens in some error handling paths of arm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get() fails, the caller functions forget to decrease the refcount of "smmu" increased by arm_smmu_rpm_get(), causing a refcount leak. Fix this issue by calling pm_runtime_resume_and_get() instead of pm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount balanced in case of failure. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Link: https://lore.kernel.org/r/1623293672-17954-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit f8763ab3fb866330681715259986abbab673805b Author: Geoff Levand Date: Thu Jun 3 19:17:02 2021 +0000 powerpc/ps3: Add dma_mask to ps3_dma_region [ Upstream commit 9733862e50fdba55e7f1554e4286fcc5302ff28e ] Commit f959dcd6ddfd29235030e8026471ac1b022ad2b0 (dma-direct: Fix potential NULL pointer dereference) added a null check on the dma_mask pointer of the kernel's device structure. Add a dma_mask variable to the ps3_dma_region structure and set the device structure's dma_mask pointer to point to this new variable. Fixes runtime errors like these: # WARNING: Fixes tag on line 10 doesn't match correct format # WARNING: Fixes tag on line 10 doesn't match correct format ps3_system_bus_match:349: dev=8.0(sb_01), drv=8.0(ps3flash): match WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:151 .dma_map_page_attrs+0x34/0x1e0 ps3flash sb_01: ps3stor_setup:193: map DMA region failed Signed-off-by: Geoff Levand Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/562d0c9ea0100a30c3b186bcc7adb34b0bbd2cd7.1622746428.git.geoff@infradead.org Signed-off-by: Sasha Levin commit 0e54f8ee6bff85def622bfa29f74569fb824536a Author: Takashi Iwai Date: Tue Jun 8 16:04:37 2021 +0200 ALSA: sb: Fix potential double-free of CSP mixer elements [ Upstream commit c305366a37441c2ac90b08711cb6f032b43672f2 ] snd_sb_qsound_destroy() contains the calls of removing the previously created mixer controls, but it doesn't clear the pointers. As snd_sb_qsound_destroy() itself may be repeatedly called via ioctl, this could lead to double-free potentially. Fix it by clearing the struct fields properly afterwards. Link: https://lore.kernel.org/r/20210608140540.17885-4-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 52d242f2bffef61e6c3bbc7ebbf41c4bf7b010d0 Author: Po-Hsu Lin Date: Tue May 25 10:36:14 2021 +0800 selftests: timers: rtcpie: skip test if default RTC device does not exist [ Upstream commit 0d3e5a057992bdc66e4dca2ca50b77fa4a7bd90e ] This test will require /dev/rtc0, the default RTC device, or one specified by user to run. Since this default RTC is not guaranteed to exist on all of the devices, so check its existence first, otherwise skip this test with the kselftest skip code 4. Without this patch this test will fail like this on a s390x zVM: $ selftests: timers: rtcpie $ /dev/rtc0: No such file or directory not ok 1 selftests: timers: rtcpie # exit=22 With this patch: $ selftests: timers: rtcpie $ Default RTC /dev/rtc0 does not exist. Test Skipped! not ok 9 selftests: timers: rtcpie # SKIP Fixed up change log so "With this patch" text doesn't get dropped. Shuah Khan Signed-off-by: Po-Hsu Lin Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 7b18f26d8277c62aaa8d31ce39f5cdeb48f7f3b0 Author: Fabrice Fontaine Date: Mon May 10 07:31:33 2021 +0200 s390: disable SSP when needed [ Upstream commit 42e8d652438f5ddf04e5dac299cb5e623d113dc0 ] Though -nostdlib is passed in PURGATORY_LDFLAGS and -ffreestanding in KBUILD_CFLAGS_DECOMPRESSOR, -fno-stack-protector must also be passed to avoid linking errors related to undefined references to '__stack_chk_guard' and '__stack_chk_fail' if toolchain enforces -fstack-protector. Fixes - https://gitlab.com/kubu93/buildroot/-/jobs/1247043361 Signed-off-by: Fabrice Fontaine Signed-off-by: Vasily Gorbik Reviewed-by: Alexander Egorenkov Tested-by: Alexander Egorenkov Link: https://lore.kernel.org/r/20210510053133.1220167-1-fontaine.fabrice@gmail.com Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 78cddc9aa6be2122da9ee3a4d2fff0be5db08cea Author: Valentin Vidic Date: Tue Apr 27 21:40:10 2021 +0200 s390/sclp_vt220: fix console name to match device [ Upstream commit b7d91d230a119fdcc334d10c9889ce9c5e15118b ] Console name reported in /proc/consoles: ttyS1 -W- (EC p ) 4:65 does not match the char device name: crw--w---- 1 root root 4, 65 May 17 12:18 /dev/ttysclp0 so debian-installer inside a QEMU s390x instance gets confused and fails to start with the following error: steal-ctty: No such file or directory Signed-off-by: Valentin Vidic Link: https://lore.kernel.org/r/20210427194010.9330-1-vvidic@valentin-vidic.from.hr Signed-off-by: Christian Borntraeger Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 2f4e7363a998b28f0f6821f4312f402ab3e3f54b Author: Daniel Mack Date: Fri May 28 15:33:20 2021 +0200 serial: tty: uartlite: fix console setup [ Upstream commit d157fca711ad42e75efef3444c83d2e1a17be27a ] Remove the hack to assign the global console_port variable at probe time. This assumption that cons->index is -1 is wrong for systems that specify 'console=' in the cmdline (or 'stdout-path' in dts). Hence, on such system the actual console assignment is ignored, and the first UART that happens to be probed is used as console instead. Move the logic to console_setup() and map the console to the correct port through the array of available ports instead. Signed-off-by: Daniel Mack Link: https://lore.kernel.org/r/20210528133321.1859346-1-daniel@zonque.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dc9db4629210bec1c6fd6710c3b783b91641d9d2 Author: Zou Wei Date: Thu May 13 16:57:29 2021 +0800 fsi: Add missing MODULE_DEVICE_TABLE [ Upstream commit 19a52178125c1e8b84444d85f2ce34c0964b4a91 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Link: https://lore.kernel.org/r/1620896249-52769-1-git-send-email-zou_wei@huawei.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 0c67c2e20366ec4c7a31259a8341a1896c217218 Author: Yufen Yu Date: Mon May 24 05:35:21 2021 -0400 ASoC: img: Fix PM reference leak in img_i2s_in_probe() [ Upstream commit 81aad47278539f02de808bcc8251fed0ad3d6f55 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Yufen Yu Link: https://lore.kernel.org/r/20210524093521.612176-1-yuyufen@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit af8b891cd339863bfc4c8d7581acaed8d30cc280 Author: Tony Lindgren Date: Sat May 22 08:10:01 2021 +0300 mfd: cpcap: Fix cpcap dmamask not set warnings [ Upstream commit 0b7cbe811ca524295ea43d9a4d73d3427e419c54 ] We have started to get a bunch of pointless dmamask not set warnings that makes the output of dmesg -l err,warn hard to read with many extra warnings: cpcap-regulator cpcap-regulator.0: DMA mask not set cpcap_adc cpcap_adc.0: DMA mask not set cpcap_battery cpcap_battery.0: DMA mask not set cpcap-charger cpcap-charger.0: DMA mask not set cpcap-pwrbutton cpcap-pwrbutton.0: DMA mask not set cpcap-led cpcap-led.0: DMA mask not set cpcap-led cpcap-led.1: DMA mask not set cpcap-led cpcap-led.2: DMA mask not set cpcap-led cpcap-led.3: DMA mask not set cpcap-led cpcap-led.4: DMA mask not set cpcap-rtc cpcap-rtc.0: DMA mask not set cpcap-usb-phy cpcap-usb-phy.0: DMA mask not set This seems to have started with commit 4d8bde883bfb ("OF: Don't set default coherent DMA mask"). We have the parent SPI controller use DMA, while CPCAP driver and it's children do not. For audio, the DMA is handled over I2S bus with the McBSP driver. Cc: Carl Philipp Klemm Cc: Ivan Jelincic Cc: Merlijn Wajer Cc: Pavel Machek Cc: Sebastian Reichel Cc: Sicelo A. Mhlongo Signed-off-by: Tony Lindgren Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit d339f6a0d1a1be81070159636643dc64f9177682 Author: Zou Wei Date: Wed May 12 14:33:46 2021 +0800 mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE [ Upstream commit 4700ef326556ed74aba188f12396740a8c1c21dd ] This patch adds/modifies MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 5dd2955565e800d928655dbeb2ddd3861da873aa Author: Mike Christie Date: Tue May 25 13:18:18 2021 -0500 scsi: qedi: Fix cleanup session block/unblock use [ Upstream commit 0c72191da68638a479602dd515b587ada913184a ] Drivers shouldn't be calling block/unblock session for cmd cleanup because the functions can change the session state from under libiscsi. This adds a new a driver level bit so it can block all I/O the host while it drains the card. Link: https://lore.kernel.org/r/20210525181821.7617-26-michael.christie@oracle.com Reviewed-by: Manish Rangankar Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6f36afa1550ab47b82b6b4610468dc7603e067bb Author: Mike Christie Date: Tue May 25 13:18:17 2021 -0500 scsi: qedi: Fix TMF session block/unblock use [ Upstream commit 2819b4ae2873d50fd55292877b0231ec936c3b2e ] Drivers shouldn't be calling block/unblock session for tmf handling because the functions can change the session state from under libiscsi. iscsi_queuecommand's call to iscsi_prep_scsi_cmd_pdu-> iscsi_check_tmf_restrictions will prevent new cmds from being sent to qedi after we've started handling a TMF. So we don't need to try and block it in the driver, and we can remove these block calls. Link: https://lore.kernel.org/r/20210525181821.7617-25-michael.christie@oracle.com Reviewed-by: Manish Rangankar Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 57fa983ea736f79cc03b3d51e8b8fb854e452542 Author: Mike Christie Date: Tue May 25 13:18:13 2021 -0500 scsi: qedi: Fix race during abort timeouts [ Upstream commit 2ce002366a3fcc3f9616d4583194f65dde0ad253 ] If the SCSI cmd completes after qedi_tmf_work calls iscsi_itt_to_task then the qedi qedi_cmd->task_id could be freed and used for another cmd. If we then call qedi_iscsi_cleanup_task with that task_id we will be cleaning up the wrong cmd. Wait to release the task_id until the last put has been done on the iscsi_task. Because libiscsi grabs a ref to the task when sending the abort, we know that for the non-abort timeout case that the task_id we are referencing is for the cmd that was supposed to be aborted. A latter commit will fix the case where the abort times out while we are running qedi_tmf_work. Link: https://lore.kernel.org/r/20210525181821.7617-21-michael.christie@oracle.com Reviewed-by: Manish Rangankar Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit afa1c8ee7e630c994c1175ea320716b651e57635 Author: Mike Christie Date: Tue May 25 13:18:12 2021 -0500 scsi: qedi: Fix null ref during abort handling [ Upstream commit 5777b7f0f03ce49372203b6521631f62f2810c8f ] If qedi_process_cmd_cleanup_resp finds the cmd it frees the work and sets list_tmf_work to NULL, so qedi_tmf_work should check if list_tmf_work is non-NULL when it wants to force cleanup. Link: https://lore.kernel.org/r/20210525181821.7617-20-michael.christie@oracle.com Reviewed-by: Manish Rangankar Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fa7adae4b577ce04fc26b96cd0e630cfcf62e5e3 Author: Mike Christie Date: Tue May 25 13:18:07 2021 -0500 scsi: iscsi: Fix shost->max_id use [ Upstream commit bdd4aad7ff92ae39c2e93c415bb6761cb8b584da ] The iscsi offload drivers are setting the shost->max_id to the max number of sessions they support. The problem is that max_id is not the max number of targets but the highest identifier the targets can have. To use it to limit the number of targets we need to set it to max sessions - 1, or we can end up with a session we might not have preallocated resources for. Link: https://lore.kernel.org/r/20210525181821.7617-15-michael.christie@oracle.com Reviewed-by: Lee Duncan Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 89812e7957ab0746eab66ed6fc49d52bb4dca250 Author: Mike Christie Date: Tue May 25 13:18:06 2021 -0500 scsi: iscsi: Fix conn use after free during resets [ Upstream commit ec29d0ac29be366450a7faffbcf8cba3a6a3b506 ] If we haven't done a unbind target call we can race where iscsi_conn_teardown wakes up the EH thread and then frees the conn while those threads are still accessing the conn ehwait. We can only do one TMF per session so this just moves the TMF fields from the conn to the session. We can then rely on the iscsi_session_teardown->iscsi_remove_session->__iscsi_unbind_session call to remove the target and it's devices, and know after that point there is no device or scsi-ml callout trying to access the session. Link: https://lore.kernel.org/r/20210525181821.7617-14-michael.christie@oracle.com Reviewed-by: Lee Duncan Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 21962a5dd6b4021567a12f7b431217a0ee8323d8 Author: Mike Christie Date: Tue May 25 13:18:03 2021 -0500 scsi: iscsi: Add iscsi_cls_conn refcount helpers [ Upstream commit b1d19e8c92cfb0ded180ef3376c20e130414e067 ] There are a couple places where we could free the iscsi_cls_conn while it's still in use. This adds some helpers to get/put a refcount on the struct and converts an exiting user. Subsequent commits will then use the helpers to fix 2 bugs in the eh code. Link: https://lore.kernel.org/r/20210525181821.7617-11-michael.christie@oracle.com Reviewed-by: Lee Duncan Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5ac2428f2b9636b507970ce0ab4e7a71a53daaf1 Author: Chandrakanth Patil Date: Fri May 28 18:43:06 2021 +0530 scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs [ Upstream commit 9bedd36e9146b34dda4d6994e3aa1d72bc6442c1 ] While reenabling the IRQ after IRQ poll there may be a small window for the firmware to post the replies with interrupts raised. In that case the driver will not see the interrupts which leads to I/O timeout. This issue only happens when there are many I/O completions on a single reply queue. This forces the driver to switch between the interrupt and IRQ context. Make the driver process the reply queue one more time after enabling the IRQ. Link: https://lore.kernel.org/linux-scsi/20201102072746.27410-1-sreekanth.reddy@broadcom.com/ Link: https://lore.kernel.org/r/20210528131307.25683-5-chandrakanth.patil@broadcom.com Cc: Tomas Henzl Reported-by: kernel test robot Signed-off-by: Chandrakanth Patil Signed-off-by: Sumit Saxena Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 422fb12054f42c4c82e3959811afd01bc080821a Author: Kashyap Desai Date: Fri May 28 18:43:05 2021 +0530 scsi: megaraid_sas: Early detection of VD deletion through RaidMap update [ Upstream commit ae6874ba4b43c5a00065f48599811a09d33b873d ] Consider the case where a VD is deleted and the targetID of that VD is assigned to a newly created VD. If the sequence of deletion/addition of VD happens very quickly there is a possibility that second event (VD add) occurs even before the driver processes the first event (VD delete). As event processing is done in deferred context the device list remains the same (but targetID is re-used) so driver will not learn the VD deletion/additon. I/Os meant for the older VD will be directed to new VD which may lead to data corruption. Make driver detect the deleted VD as soon as possible based on the RaidMap update and block further I/O to that device. Link: https://lore.kernel.org/r/20210528131307.25683-4-chandrakanth.patil@broadcom.com Reported-by: kernel test robot Signed-off-by: Kashyap Desai Signed-off-by: Chandrakanth Patil Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0680db6f41920b2c91c7df3cc9cd5968701a6f74 Author: Chandrakanth Patil Date: Fri May 28 18:43:04 2021 +0530 scsi: megaraid_sas: Fix resource leak in case of probe failure [ Upstream commit b5438f48fdd8e1c3f130d32637511efd32038152 ] The driver doesn't clean up all the allocated resources properly when scsi_add_host(), megasas_start_aen() function fails during the PCI device probe. Clean up all those resources. Link: https://lore.kernel.org/r/20210528131307.25683-3-chandrakanth.patil@broadcom.com Signed-off-by: Chandrakanth Patil Signed-off-by: Sumit Saxena Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c851de0215eb7e054a0dfa8b70008194e0c93e94 Author: Jiapeng Chong Date: Tue Jun 1 19:07:10 2021 +0800 fs/jfs: Fix missing error code in lmLogInit() [ Upstream commit 492109333c29e1bb16d8732e1d597b02e8e0bf2e ] The error code is missing in this code scenario, add the error code '-EINVAL' to the return value 'rc. Eliminate the follow smatch warning: fs/jfs/jfs_logmgr.c:1327 lmLogInit() warn: missing error code 'rc'. Reported-by: Abaci Robot Signed-off-by: Jiapeng Chong Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit 7207cd708eb3f59d7f7a7125604512089419a5d8 Author: Hannes Reinecke Date: Tue Apr 27 10:30:11 2021 +0200 scsi: scsi_dh_alua: Check for negative result value [ Upstream commit 7e26e3ea028740f934477ec01ba586ab033c35aa ] scsi_execute() will now return a negative error if there was an error prior to command submission; evaluate that instead if checking for DRIVER_ERROR. [mkp: build fix] Link: https://lore.kernel.org/r/20210427083046.31620-6-hare@suse.de Signed-off-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6bad74b2b49fa274201e301cb7382d5330dbd267 Author: Hannes Reinecke Date: Tue Apr 27 10:30:09 2021 +0200 scsi: core: Fixup calling convention for scsi_mode_sense() [ Upstream commit 8793613de913e03e7c884f4cc56e350bc716431e ] The description for scsi_mode_sense() claims to return the number of valid bytes on success, which is not what the code does. Additionally there is no gain in returning the SCSI status, as everything the callers do is to check against scsi_result_is_good(), which is what scsi_mode_sense() does already. So change the calling convention to return a standard error code on failure, and 0 on success, and adapt the description and all callers. Link: https://lore.kernel.org/r/20210427083046.31620-4-hare@suse.de Reviewed-by: Bart Van Assche Signed-off-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b4fd2ab0a91b7ccfa8024a1c3ff7d71904857950 Author: Suganath Prabu S Date: Tue May 18 10:46:23 2021 +0530 scsi: mpt3sas: Fix deadlock while cancelling the running firmware event [ Upstream commit e2fac6c44ae06e58ac02181b048af31195883c31 ] Do not cancel current running firmware event work if the event type is different from MPT3SAS_REMOVE_UNRESPONDING_DEVICES. Otherwise a deadlock can be observed while cancelling the current firmware event work if a hard reset operation is called as part of processing the current event. Link: https://lore.kernel.org/r/20210518051625.1596742-2-suganath-prabu.subramani@broadcom.com Signed-off-by: Suganath Prabu S Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 7a80f71601af015856a0aeb1e3c294037ac3dd32 Author: Christophe JAILLET Date: Tue May 25 21:44:04 2021 +0200 tty: serial: 8250: serial_cs: Fix a memory leak in error handling path [ Upstream commit fad92b11047a748c996ebd6cfb164a63814eeb2e ] In the probe function, if the final 'serial_config()' fails, 'info' is leaking. Add a resource handling path to free this memory. Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/dc25f96b7faebf42e60fe8d02963c941cf4d8124.1621971720.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 75452cc776683bda53380ade8a2c42371e136ed0 Author: Yufen Yu Date: Mon May 24 05:38:11 2021 -0400 ALSA: ac97: fix PM reference leak in ac97_bus_remove() [ Upstream commit a38e93302ee25b2ca6f4ee76c6c974cf3637985e ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Yufen Yu Link: https://lore.kernel.org/r/20210524093811.612302-1-yuyufen@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 664695a754684c5d1dff23e7d1ea650a9dd70801 Author: John Garry Date: Wed May 19 22:31:02 2021 +0800 scsi: core: Cap scsi_host cmd_per_lun at can_queue [ Upstream commit ea2f0f77538c50739b9fb4de4700cee5535e1f77 ] The sysfs handling function sdev_store_queue_depth() enforces that the sdev queue depth cannot exceed shost can_queue. The initial sdev queue depth comes from shost cmd_per_lun. However, the LLDD may manually set cmd_per_lun to be larger than can_queue, which leads to an initial sdev queue depth greater than can_queue. Such an issue was reported in [0], which caused a hang. That has since been fixed in commit fc09acb7de31 ("scsi: scsi_debug: Fix cmd_per_lun, set to max_queue"). Stop this possibly happening for other drivers by capping shost cmd_per_lun at shost can_queue. [0] https://lore.kernel.org/linux-scsi/YHaez6iN2HHYxYOh@T590/ Link: https://lore.kernel.org/r/1621434662-173079-1-git-send-email-john.garry@huawei.com Reviewed-by: Ming Lei Reviewed-by: Bart Van Assche Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 21d8b90cec7e2362f9677cb188ed1dcce06df2b3 Author: James Smart Date: Fri May 14 12:55:56 2021 -0700 scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs [ Upstream commit 5aa615d195f1e142c662cb2253f057c9baec7531 ] The driver is encountering a crash in lpfc_free_iocb_list() while performing initial attachment. Code review found this to be an errant failure path that was taken, jumping to a tag that then referenced structures that were uninitialized. Fix the failure path. Link: https://lore.kernel.org/r/20210514195559.119853-9-jsmart2021@gmail.com Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2626d5ed6b5c5e7111e4440e33431180a6897c55 Author: James Smart Date: Fri May 14 12:55:51 2021 -0700 scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology [ Upstream commit e30d55137edef47434c40d7570276a0846fe922c ] An 'unexpected timeout' message may be seen in a point-2-point topology. The message occurs when a PLOGI is received before the driver is notified of FLOGI completion. The FLOGI completion failure causes discovery to be triggered for a second time. The discovery timer is restarted but no new discovery activity is initiated, thus the timeout message eventually appears. In point-2-point, when discovery has progressed before the FLOGI completion is processed, it is not a failure. Add code to FLOGI completion to detect that discovery has progressed and exit the FLOGI handling (noop'ing it). Link: https://lore.kernel.org/r/20210514195559.119853-4-jsmart2021@gmail.com Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bb1d1c21494837c733d6dfe3744e58b1ec9a35e2 Author: Sergey Shtylyov Date: Wed May 19 22:20:15 2021 +0300 scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() [ Upstream commit ab17122e758ef68fb21033e25c041144067975f5 ] After commit 6c11dc060427 ("scsi: hisi_sas: Fix IRQ checks") we have the error codes returned by platform_get_irq() ready for the propagation upsream in interrupt_init_v1_hw() -- that will fix still broken deferred probing. Let's propagate the error codes from devm_request_irq() as well since I don't see the reason to override them with -ENOENT... Link: https://lore.kernel.org/r/49ba93a3-d427-7542-d85a-b74fe1a33a73@omp.ru Acked-by: John Garry Signed-off-by: Sergey Shtylyov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 024550409022c1d64c4ac9bdc594f3ef4fe5e083 Author: ching Huang Date: Thu May 20 14:55:15 2021 +0800 scsi: arcmsr: Fix doorbell status being updated late on ARC-1886 [ Upstream commit d9a231226f28261a787535e08d0c78669e1ad010 ] It is possible for the IOP to be delayed in updating the doorbell status. The doorbell status should not be 0 so loop until the value changes. Link: https://lore.kernel.org/r/afdfdf7eabecf14632492c4987a6b9ac6312a7ad.camel@areca.com.tw Signed-off-by: ching Huang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 20c62caf2eaf05580397368bb813dff19f59d0e9 Author: Luiz Sampaio Date: Wed May 19 19:30:44 2021 -0300 w1: ds2438: fixing bug that would always get page0 [ Upstream commit 1f5e7518f063728aee0679c5086b92d8ea429e11 ] The purpose of the w1_ds2438_get_page function is to get the register values at the page passed as the pageno parameter. However, the page0 was hardcoded, such that the function always returned the page0 contents. Fixed so that the function can retrieve any page. Signed-off-by: Luiz Sampaio Link: https://lore.kernel.org/r/20210519223046.13798-5-sampaio.ime@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8e8d910e9a3a7fba86140aff4924c30955ab228b Author: Chunfeng Yun Date: Wed May 19 14:39:44 2021 +0800 usb: common: usb-conn-gpio: fix NULL pointer dereference of charger [ Upstream commit 880287910b1892ed2cb38977893b947382a09d21 ] When power on system with OTG cable, IDDIG's interrupt arises before the charger registration, it will cause a NULL pointer dereference, fix the issue by registering the power supply before requesting IDDIG/VBUS irq. Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/1621406386-18838-1-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b30a115e4af5e7afe8d49d636744f9978d191aaa Author: Takashi Sakamoto Date: Tue May 18 17:45:47 2021 +0900 Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" [ Upstream commit 5d6fb80a142b5994355ce675c517baba6089d199 ] This reverts commit 0edabdfe89581669609eaac5f6a8d0ae6fe95e7f. I've explained that optional FireWire card for d.2 is also built-in to d.2 Pro, however it's wrong. The optional card uses DM1000 ASIC and has 'Mackie DJ Mixer' in its model name of configuration ROM. On the other hand, built-in FireWire card for d.2 Pro and d.4 Pro uses OXFW971 ASIC and has 'd.Pro' in its model name according to manuals and user experiences. The former card is not the card for d.2 Pro. They are similar in appearance but different internally. Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210518084557.102681-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 7d7f30cf182e55023fa8fde4c084b2d37c6be69d Author: Takashi Iwai Date: Mon May 17 15:15:43 2021 +0200 ALSA: usx2y: Don't call free_pages_exact() with NULL address [ Upstream commit cae0cf651adccee2c3f376e78f30fbd788d0829f ] Unlike some other functions, we can't pass NULL pointer to free_pages_exact(). Add a proper NULL check for avoiding possible Oops. Link: https://lore.kernel.org/r/20210517131545.27252-10-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit f4997bf6c4486ace3eb9d3a7d1658d82136bb409 Author: Takashi Iwai Date: Mon May 17 15:15:35 2021 +0200 ALSA: usx2y: Avoid camelCase [ Upstream commit bae3ce4942980d5f7b2b9855f4a2db0c00f9dfbd ] For improving readability, convert camelCase fields, variables and functions to the plain names with underscore. Also align the macros to be capital letters. All done via sed, no functional changes. Note that you'll still see many coding style issues even after this patch; the fixes will follow. Link: https://lore.kernel.org/r/20210517131545.27252-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1b1d6aa1a8cf924d31b8941f3dbd7f75b21f2768 Author: Jonathan Cameron Date: Sun May 9 12:33:37 2021 +0100 iio: magn: bmc150: Balance runtime pm + use pm_runtime_resume_and_get() [ Upstream commit 264da512431495e542fcaf56ffe75e7df0e7db74 ] probe() error paths after runtime pm is enabled, should disable it. remove() should not call pm_runtime_put_noidle() as there is no matching get() to have raised the reference count. This case has no affect a the runtime pm core protects against going negative. Whilst here use pm_runtime_resume_and_get() to tidy things up a little. coccicheck script didn't get this one due to complex code structure so found by inspection. Signed-off-by: Jonathan Cameron Cc: Linus Walleij Reviewed-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210509113354.660190-12-jic23@kernel.org Signed-off-by: Sasha Levin commit 5ecb0acc45e8b554d8849a0b75eae6ac60f7cfaf Author: Jonathan Cameron Date: Sun May 9 12:33:27 2021 +0100 iio: gyro: fxa21002c: Balance runtime pm + use pm_runtime_resume_and_get(). [ Upstream commit 41120ebbb1eb5e9dec93320e259d5b2c93226073 ] In both the probe() error path and remove() pm_runtime_put_noidle() is called which will decrement the runtime pm reference count. However, there is no matching function to have raised the reference count. Not this isn't a fix as the runtime pm core will stop the reference count going negative anyway. An alternative would have been to raise the count in these paths, but it is not clear why that would be necessary. Whilst we are here replace some boilerplate with pm_runtime_resume_and_get() Found using coccicheck script under review at: https://lore.kernel.org/lkml/20210427141946.2478411-1-Julia.Lawall@inria.fr/ Signed-off-by: Jonathan Cameron Reviewed-by: Rui Miguel Silva Reviewed-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210509113354.660190-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 5f69841c220aa7e43514d8aae494ba02852802cf Author: Arnd Bergmann Date: Sat May 8 00:07:53 2021 +0200 partitions: msdos: fix one-byte get_unaligned() [ Upstream commit 1b1774998b2dec837a57d729d1a22e5eb2d6d206 ] A simplification of get_unaligned() clashes with callers that pass in a character pointer, causing a harmless warning like: block/partitions/msdos.c: In function 'msdos_partition': include/asm-generic/unaligned.h:13:22: warning: 'packed' attribute ignored for field of type 'u8' {aka 'unsigned char'} [-Wattributes] Remove the SYS_IND() macro with the get_unaligned() call and just use the ->ind field directly. Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit a8c3d1a515b9d02dc4d715707776896f6ee74444 Author: Zou Wei Date: Wed May 12 11:54:07 2021 +0800 ASoC: intel/boards: add missing MODULE_DEVICE_TABLE [ Upstream commit a75e5cdf4dd1307bb1541edbb0c008f40896644c ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Link: https://lore.kernel.org/r/1620791647-16024-1-git-send-email-zou_wei@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 58f69684ba03e5b0e0a3ae844a845280c0f06309 Author: Tong Zhang Date: Thu May 13 00:07:33 2021 -0400 misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge [ Upstream commit 3ce3e45cc333da707d4d6eb433574b990bcc26f5 ] There is an issue with the ASPM(optional) capability checking function. A device might be attached to root complex directly, in this case, bus->self(bridge) will be NULL, thus priv->parent_pdev is NULL. Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's ASPM capability and populate parent_cap_off, which will be used later by alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do here is to avoid checking the capability if we are on the root complex. This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply return when bring called, effectively disable ASPM for the device. [ 1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40 [ 1.253998] Call Trace: [ 1.254131] ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci] [ 1.254476] alcor_pci_probe+0x169/0x2d5 [alcor_pci] Co-developed-by: Greg Kroah-Hartman Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210513040732.1310159-1-ztong0001@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b9c87ce3bc6331f82811a8cf8e930423c22523a3 Author: Lv Yunlong Date: Mon Apr 26 10:06:20 2021 -0700 misc/libmasm/module: Fix two use after free in ibmasm_init_one [ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ] In ibmasm_init_one, it calls ibmasm_init_remote_input_dev(). Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are allocated by input_allocate_device(), and assigned to sp->remote.mouse_dev and sp->remote.keybd_dev respectively. In the err_free_devices error branch of ibmasm_init_one, mouse_dev and keybd_dev are freed by input_free_device(), and return error. Then the execution runs into error_send_message error branch of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev. My patch add a "error_init_remote" label to handle the error of ibmasm_init_remote_input_dev(), to avoid the uaf bugs. Signed-off-by: Lv Yunlong Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4f3c807739e3c98160d6d8ca7e014b4110ba2a5b Author: Michael Walle Date: Wed May 12 16:12:55 2021 +0200 serial: fsl_lpuart: disable DMA for console and fix sysrq [ Upstream commit 8cac2f6eb8548245e6f8fb893fc7f2a714952654 ] SYSRQ doesn't work with DMA. This is because there is no error indication whether a symbol had a framing error or not. Actually, this is not completely correct, there is a bit in the data register which is set in this case, but we'd have to read change the DMA access to 16 bit and we'd need to post process the data, thus make the DMA pointless in the first place. Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20210512141255.18277-10-michael@walle.cc Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6942fbc0098123c8401a27e645bd3472d4f1c2ec Author: Sherry Sun Date: Tue Apr 27 10:12:26 2021 +0800 tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero [ Upstream commit fcb10ee27fb91b25b68d7745db9817ecea9f1038 ] We should be very careful about the register values that will be used for division or modulo operations, althrough the possibility that the UARTBAUD register value is zero is very low, but we had better to deal with the "bad data" of hardware in advance to avoid division or modulo by zero leading to undefined kernel behavior. Signed-off-by: Sherry Sun Link: https://lore.kernel.org/r/20210427021226.27468-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 35a35909ec19a97965f84bacb86279c4a7e8e65e Author: Paul E. McKenney Date: Mon Apr 5 09:51:05 2021 -0700 rcu: Reject RCU_LOCKDEP_WARN() false positives [ Upstream commit 3066820034b5dd4e89bd74a7739c51c2d6f5e554 ] If another lockdep report runs concurrently with an RCU lockdep report from RCU_LOCKDEP_WARN(), the following sequence of events can occur: 1. debug_lockdep_rcu_enabled() sees that lockdep is enabled when called from (say) synchronize_rcu(). 2. Lockdep is disabled by a concurrent lockdep report. 3. debug_lockdep_rcu_enabled() evaluates its lockdep-expression argument, for example, lock_is_held(&rcu_bh_lock_map). 4. Because lockdep is now disabled, lock_is_held() plays it safe and returns the constant 1. 5. But in this case, the constant 1 is not safe, because invoking synchronize_rcu() under rcu_read_lock_bh() is disallowed. 6. debug_lockdep_rcu_enabled() wrongly invokes lockdep_rcu_suspicious(), resulting in a false-positive splat. This commit therefore changes RCU_LOCKDEP_WARN() to check debug_lockdep_rcu_enabled() after checking the lockdep expression, so that any "safe" returns from lock_is_held() are rejected by debug_lockdep_rcu_enabled(). This requires memory ordering, which is supplied by READ_ONCE(debug_locks). The resulting volatile accesses prevent the compiler from reordering and the fact that only one variable is being accessed prevents the underlying hardware from reordering. The combination works for IA64, which can reorder reads to the same location, but this is defeated by the volatile accesses, which compile to load instructions that provide ordering. Reported-by: syzbot+dde0cc33951735441301@syzkaller.appspotmail.com Reported-by: Matthew Wilcox Reported-by: syzbot+88e4f02896967fe1ab0d@syzkaller.appspotmail.com Reported-by: Thomas Gleixner Suggested-by: Boqun Feng Reviewed-by: Boqun Feng Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 23597afbe0967a544c9808f522c6f9b3680e9c23 Author: Frederic Weisbecker Date: Sat Apr 17 15:16:49 2021 +0200 srcu: Fix broken node geometry after early ssp init [ Upstream commit b5befe842e6612cf894cf4a199924ee872d8b7d8 ] An srcu_struct structure that is initialized before rcu_init_geometry() will have its srcu_node hierarchy based on CONFIG_NR_CPUS. Once rcu_init_geometry() is called, this hierarchy is compressed as needed for the actual maximum number of CPUs for this system. Later on, that srcu_struct structure is confused, sometimes referring to its initial CONFIG_NR_CPUS-based hierarchy, and sometimes instead to the new num_possible_cpus() hierarchy. For example, each of its ->mynode fields continues to reference the original leaf rcu_node structures, some of which might no longer exist. On the other hand, srcu_for_each_node_breadth_first() traverses to the new node hierarchy. There are at least two bad possible outcomes to this: 1) a) A callback enqueued early on an srcu_data structure (call it *sdp) is recorded pending on sdp->mynode->srcu_data_have_cbs in srcu_funnel_gp_start() with sdp->mynode pointing to a deep leaf (say 3 levels). b) The grace period ends after rcu_init_geometry() shrinks the nodes level to a single one. srcu_gp_end() walks through the new srcu_node hierarchy without ever reaching the old leaves so the callback is never executed. This is easily reproduced on an 8 CPUs machine with CONFIG_NR_CPUS >= 32 and "rcupdate.rcu_self_test=1". The srcu_barrier() after early tests verification never completes and the boot hangs: [ 5413.141029] INFO: task swapper/0:1 blocked for more than 4915 seconds. [ 5413.147564] Not tainted 5.12.0-rc4+ #28 [ 5413.151927] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 5413.159753] task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00004000 [ 5413.168099] Call Trace: [ 5413.170555] __schedule+0x36c/0x930 [ 5413.174057] ? wait_for_completion+0x88/0x110 [ 5413.178423] schedule+0x46/0xf0 [ 5413.181575] schedule_timeout+0x284/0x380 [ 5413.185591] ? wait_for_completion+0x88/0x110 [ 5413.189957] ? mark_held_locks+0x61/0x80 [ 5413.193882] ? mark_held_locks+0x61/0x80 [ 5413.197809] ? _raw_spin_unlock_irq+0x24/0x50 [ 5413.202173] ? wait_for_completion+0x88/0x110 [ 5413.206535] wait_for_completion+0xb4/0x110 [ 5413.210724] ? srcu_torture_stats_print+0x110/0x110 [ 5413.215610] srcu_barrier+0x187/0x200 [ 5413.219277] ? rcu_tasks_verify_self_tests+0x50/0x50 [ 5413.224244] ? rdinit_setup+0x2b/0x2b [ 5413.227907] rcu_verify_early_boot_tests+0x2d/0x40 [ 5413.232700] do_one_initcall+0x63/0x310 [ 5413.236541] ? rdinit_setup+0x2b/0x2b [ 5413.240207] ? rcu_read_lock_sched_held+0x52/0x80 [ 5413.244912] kernel_init_freeable+0x253/0x28f [ 5413.249273] ? rest_init+0x250/0x250 [ 5413.252846] kernel_init+0xa/0x110 [ 5413.256257] ret_from_fork+0x22/0x30 2) An srcu_struct structure that is initialized before rcu_init_geometry() and used afterward will always have stale rdp->mynode references, resulting in callbacks to be missed in srcu_gp_end(), just like in the previous scenario. This commit therefore causes init_srcu_struct_nodes to initialize the geometry, if needed. This ensures that the srcu_node hierarchy is properly built and distributed from the get-go. Suggested-by: Paul E. McKenney Signed-off-by: Frederic Weisbecker Cc: Boqun Feng Cc: Lai Jiangshan Cc: Neeraj Upadhyay Cc: Josh Triplett Cc: Joel Fernandes Cc: Uladzislau Rezki Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 4d395142d96f19cbc6e8a4b3d54c55e9a7bca377 Author: ching Huang Date: Fri Apr 16 11:44:57 2021 +0800 scsi: arcmsr: Fix the wrong CDB payload report to IOP [ Upstream commit 5b8644968d2ca85abb785e83efec36934974b0c2 ] This patch fixes the wrong CDB payload report to IOP. Link: https://lore.kernel.org/r/d2c97df3c817595c6faf582839316209022f70da.camel@areca.com.tw Signed-off-by: ching Huang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 22d22fef9cbc965449dd30e830b1a47462f76186 Author: Robin Gong Date: Mon Apr 26 16:59:09 2021 +0800 dmaengine: fsl-qdma: check dma_set_mask return value [ Upstream commit f0c07993af0acf5545d5c1445798846565f4f147 ] For fix below warning reported by static code analysis tool like Coverity from Synopsys: Signed-off-by: Robin Gong Addresses-Coverity-ID: 12285639 ("Unchecked return value") Link: https://lore.kernel.org/r/1619427549-20498-1-git-send-email-yibin.gong@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 32064330708b7bf4122ab163a8c9b29e91afd6b9 Author: Pierre-Louis Bossart Date: Wed May 5 11:36:56 2021 -0500 ASoC: Intel: sof_sdw: add mutual exclusion between PCH DMIC and RT715 [ Upstream commit 35564e2bf94611c3eb51d35362addb3cb394ad54 ] When external RT714/715 devices are used for capture, we don't want the PCH DMICs to be used. Any information provided by the SOF platform driver or DMI quirks will be overridden. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Reviewed-by: Libin Yang Link: https://lore.kernel.org/r/20210505163705.305616-5-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 164a3880a76a24df9555669af72410fc745c233d Author: Yang Yingliang Date: Tue Apr 6 21:11:59 2021 +0800 leds: tlc591xx: fix return value check in tlc591xx_probe() [ Upstream commit ee522bcf026ec82ada793979c3a906274430595a ] After device_get_match_data(), tlc591xx is not checked, add check for it and also check np after dev_of_node. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 9ebcc60565f2667a72d1f44289c71e097f632d43 Author: Nikolay Aleksandrov Date: Sun Jul 11 12:56:29 2021 +0300 net: bridge: multicast: fix MRD advertisement router port marking race commit 000b7287b67555fee39d39fff75229dedde0dcbf upstream. When an MRD advertisement is received on a bridge port with multicast snooping enabled, we mark it as a router port automatically, that includes adding that port to the router port list. The multicast lock protects that list, but it is not acquired in the MRD advertisement case leading to a race condition, we need to take it to fix the race. Cc: stable@vger.kernel.org Cc: linus.luessing@c0d3.blue Fixes: 4b3087c7e37f ("bridge: Snoop Multicast Router Advertisements") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 664cc645bdd8ce3f000a5bec0eee0c7289395c27 Author: Nikolay Aleksandrov Date: Sun Jul 11 12:56:28 2021 +0300 net: bridge: multicast: fix PIM hello router port marking race commit 04bef83a3358946bfc98a5ecebd1b0003d83d882 upstream. When a PIM hello packet is received on a bridge port with multicast snooping enabled, we mark it as a router port automatically, that includes adding that port the router port list. The multicast lock protects that list, but it is not acquired in the PIM message case leading to a race condition, we need to take it to fix the race. Cc: stable@vger.kernel.org Fixes: 91b02d3d133b ("bridge: mcast: add router port on PIM hello message") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b3aea76efe90d7676e6965fe2f017d7ffc128b37 Author: Greg Kroah-Hartman Date: Mon Jul 19 15:01:49 2021 +0200 Revert "drm/ast: Remove reference to struct drm_device.pdev" This reverts commit fcb041ca5c7787b096aafc899e45f93583e66cbd which is commit 0ecb51824e838372e01330752503ddf9c0430ef7 upstream. Turns out this was incomplete, as it is missing a dependancy, so drop it from the tree. Link: https://lore.kernel.org/r/CAJn8CcHHKSo7GF29Z1ufXJJpMUzn6+fdvwiqe9=JvgpcfvnbHQ@mail.gmail.com Reported-by: Xiaotian Feng Cc: Thomas Zimmermann Cc: Michael J. Ruhl Cc: KuoHsiang Chou Cc: kernel test robot Cc: Thomas Zimmermann Cc: Dave Airlie Cc: dri-devel@lists.freedesktop.org Signed-off-by: Greg Kroah-Hartman commit b3f8120039d5c33230e4a2cf5cbb30a91aa64bc3 Author: Paul Cercueil Date: Mon Mar 29 18:50:45 2021 +0100 drm/ingenic: Switch IPU plane to type OVERLAY commit 68b433fe6937cfa3f8975d18643d5956254edd6a upstream. It should have been an OVERLAY from the beginning. The documentation stipulates that there should be an unique PRIMARY plane per CRTC. Fixes: fc1acf317b01 ("drm/ingenic: Add support for the IPU") Cc: # 5.8+ Signed-off-by: Paul Cercueil Acked-by: Simon Ser Link: https://patchwork.freedesktop.org/patch/msgid/20210329175046.214629-2-paul@crapouillou.net Signed-off-by: Greg Kroah-Hartman commit 8f6dcc4dd7315b35ec48ddf200f5715bee440e57 Author: Paul Cercueil Date: Sun Jan 24 08:55:52 2021 +0000 drm/ingenic: Fix non-OSD mode commit 7b4957684e5d813fcbdc98144e3cc5c4467b3e2e upstream. Even though the JZ4740 did not have the OSD mode, it had (according to the documentation) two DMA channels, but there is absolutely no information about how to select the second DMA channel. Make the ingenic-drm driver work in non-OSD mode by using the foreground0 plane (which is bound to the DMA0 channel) as the primary plane, instead of the foreground1 plane, which is the primary plane when in OSD mode. Fixes: 3c9bea4ef32b ("drm/ingenic: Add support for OSD mode") Cc: # v5.8+ Signed-off-by: Paul Cercueil Acked-by: Daniel Vetter Tested-by: H. Nikolaus Schaller Link: https://patchwork.freedesktop.org/patch/msgid/20210124085552.29146-5-paul@crapouillou.net Signed-off-by: Greg Kroah-Hartman commit cae871baa4f30608dc2084ca8ddc8f7e49913721 Author: José Roberto de Souza Date: Wed Jun 16 12:44:15 2021 -0700 drm/dp_mst: Add missing drm parameters to recently added call to drm_dbg_kms() commit 24ff3dc18b99c4b912ab1746e803ddb3be5ced4c upstream. Commit 3769e4c0af5b ("drm/dp_mst: Avoid to mess up payload table by ports in stale topology") added to calls to drm_dbg_kms() but it missed the first parameter, the drm device breaking the build. Fixes: 3769e4c0af5b ("drm/dp_mst: Avoid to mess up payload table by ports in stale topology") Cc: Wayne Lin Cc: Lyude Paul Cc: dri-devel@lists.freedesktop.org Cc: stable@vger.kernel.org Signed-off-by: José Roberto de Souza Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20210616194415.36926-1-jose.souza@intel.com Signed-off-by: Greg Kroah-Hartman commit 16fb4e9c39b9543efd0c3dbc3dbb8865d090646a Author: Wayne Lin Date: Wed Jun 16 11:55:01 2021 +0800 drm/dp_mst: Avoid to mess up payload table by ports in stale topology commit 3769e4c0af5b82c8ea21d037013cb9564dfaa51f upstream. [Why] After unplug/hotplug hub from the system, userspace might start to clear stale payloads gradually. If we call drm_dp_mst_deallocate_vcpi() to release stale VCPI of those ports which are not relating to current topology, we have chane to wrongly clear active payload table entry for current topology. E.g. We have allocated VCPI 1 in current payload table and we call drm_dp_mst_deallocate_vcpi() to clean VCPI 1 in stale topology. In drm_dp_mst_deallocate_vcpi(), it will call drm_dp_mst_put_payload_id() tp put VCPI 1 and which means ID 1 is available again. Thereafter, if we want to allocate a new payload stream, it will find ID 1 is available by drm_dp_mst_assign_payload_id(). However, ID 1 is being used [How] Check target sink is relating to current topology or not before doing any payload table update. Searching upward to find the target sink's relevant root branch device. If the found root branch device is not the same root of current topology, don't update payload table. Changes since v1: * Change debug macro to use drm_dbg_kms() instead * Amend the commit message to add Cc tag. Signed-off-by: Wayne Lin Cc: stable@vger.kernel.org Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20210616035501.3776-3-Wayne.Lin@amd.com Reviewed-by: Lyude Paul Signed-off-by: Greg Kroah-Hartman commit 3462bc8b1a1f1b507804d33d118402235e8a1fab Author: Wayne Lin Date: Wed Jun 16 11:55:00 2021 +0800 drm/dp_mst: Do not set proposed vcpi directly commit 35d3e8cb35e75450f87f87e3d314e2d418b6954b upstream. [Why] When we receive CSN message to notify one port is disconnected, we will implicitly set its corresponding num_slots to 0. Later on, we will eventually call drm_dp_update_payload_part1() to arrange down streams. In drm_dp_update_payload_part1(), we iterate over all proposed_vcpis[] to do the update. Not specific to a target sink only. For example, if we light up 2 monitors, Monitor_A and Monitor_B, and then we unplug Monitor_B. Later on, when we call drm_dp_update_payload_part1() to try to update payload for Monitor_A, we'll also implicitly clean payload for Monitor_B at the same time. And finally, when we try to call drm_dp_update_payload_part1() to clean payload for Monitor_B, we will do nothing at this time since payload for Monitor_B has been cleaned up previously. For StarTech 1to3 DP hub, it seems like if we didn't update DPCD payload ID table then polling for "ACT Handled"(BIT_1 of DPCD 002C0h) will fail and this polling will last for 3 seconds. Therefore, guess the best way is we don't set the proposed_vcpi[] diretly. Let user of these herlper functions to set the proposed_vcpi directly. [How] 1. Revert commit 7617e9621bf2 ("drm/dp_mst: clear time slots for ports invalid") 2. Tackle the issue in previous commit by skipping those trasient proposed VCPIs. These stale VCPIs shoulde be explicitly cleared by user later on. Changes since v1: * Change debug macro to use drm_dbg_kms() instead * Amend the commit message to add Fixed & Cc tags Signed-off-by: Wayne Lin Fixes: 7617e9621bf2 ("drm/dp_mst: clear time slots for ports invalid") Cc: Lyude Paul Cc: Wayne Lin Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: dri-devel@lists.freedesktop.org Cc: # v5.5+ Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20210616035501.3776-2-Wayne.Lin@amd.com Reviewed-by: Lyude Paul Signed-off-by: Greg Kroah-Hartman commit 087bff9acd2ec6db3f61aceb3224bde90fe0f7f8 Author: Zhen Lei Date: Mon Jul 12 16:55:44 2021 +0800 fbmem: Do not delete the mode that is still in use commit 0af778269a522c988ef0b4188556aba97fb420cc upstream. The execution of fb_delete_videomode() is not based on the result of the previous fbcon_mode_deleted(). As a result, the mode is directly deleted, regardless of whether it is still in use, which may cause UAF. ================================================================== BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \ drivers/video/fbdev/core/modedb.c:924 Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962 CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ... Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x137/0x1be lib/dump_stack.c:118 print_address_description+0x6c/0x640 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x13d/0x1e0 mm/kasan/report.c:562 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 18960: kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1541 [inline] slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574 slab_free mm/slub.c:3139 [inline] kfree+0xca/0x3d0 mm/slub.c:4121 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 13ff178ccd6d ("fbcon: Call fbcon_mode_deleted/new_modelist directly") Signed-off-by: Zhen Lei Cc: # v5.3+ Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210712085544.2828-1-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman commit 811763e3beb6c922d168e9f509ec593e9240842e Author: Christian Brauner Date: Wed Jul 14 15:47:49 2021 +0200 cgroup: verify that source is a string commit 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b upstream. The following sequence can be used to trigger a UAF: int fscontext_fd = fsopen("cgroup"); int fd_null = open("/dev/null, O_RDONLY); int fsconfig(fscontext_fd, FSCONFIG_SET_FD, "source", fd_null); close_range(3, ~0U, 0); The cgroup v1 specific fs parser expects a string for the "source" parameter. However, it is perfectly legitimate to e.g. specify a file descriptor for the "source" parameter. The fs parser doesn't know what a filesystem allows there. So it's a bug to assume that "source" is always of type fs_value_is_string when it can reasonably also be fs_value_is_file. This assumption in the cgroup code causes a UAF because struct fs_parameter uses a union for the actual value. Access to that union is guarded by the param->type member. Since the cgroup paramter parser didn't check param->type but unconditionally moved param->string into fc->source a close on the fscontext_fd would trigger a UAF during put_fs_context() which frees fc->source thereby freeing the file stashed in param->file causing a UAF during a close of the fd_null. Fix this by verifying that param->type is actually a string and report an error if not. In follow up patches I'll add a new generic helper that can be used here and by other filesystems instead of this error-prone copy-pasta fix. But fixing it in here first makes backporting a it to stable a lot easier. Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing") Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com Cc: Christoph Hellwig Cc: Alexander Viro Cc: Dmitry Vyukov Cc: Cc: syzkaller-bugs Signed-off-by: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0728df8048060e9bdedb9dd38c62782ee97184ba Author: Ville Syrjälä Date: Wed Jun 30 19:44:13 2021 +0300 drm/i915/gt: Fix -EDEADLK handling regression commit 2feeb52859fc1ab94cd35b61ada3a6ac4ff24243 upstream. The conversion to ww mutexes failed to address the fence code which already returns -EDEADLK when we run out of fences. Ww mutexes on the other hand treat -EDEADLK as an internal errno value indicating a need to restart the operation due to a deadlock. So now when the fence code returns -EDEADLK the higher level code erroneously restarts everything instead of returning the error to userspace as is expected. To remedy this let's switch the fence code to use a different errno value for this. -ENOBUFS seems like a semi-reasonable unique choice. Apart from igt the only user of this I could find is sna, and even there all we do is dump the current fence registers from debugfs into the X server log. So no user visible functionality is affected. If we really cared about preserving this we could of course convert back to -EDEADLK higher up, but doesn't seem like that's worth the hassle here. Not quite sure which commit specifically broke this, but I'll just attribute it to the general gem ww mutex work. Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Cc: Thomas Hellström Testcase: igt/gem_pread/exhaustion Testcase: igt/gem_pwrite/basic-exhaustion Testcase: igt/gem_fenced_exec_thrash/too-many-fences Fixes: 80f0b679d6f0 ("drm/i915: Add an implementation for i915_gem_ww_ctx locking, v2.") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210630164413.25481-1-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit 78d2ad7eb4e1f0e9cd5d79788446b6092c21d3e0) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 81dd2d60f677bbab622c52711a711f0f43d37458 Author: Matthew Auld Date: Tue Jul 13 14:04:31 2021 +0100 drm/i915/gtt: drop the page table optimisation commit 0abb33bfca0fb74df76aac03e90ce685016ef7be upstream. We skip filling out the pt with scratch entries if the va range covers the entire pt, since we later have to fill it with the PTEs for the object pages anyway. However this might leave open a small window where the PTEs don't point to anything valid for the HW to consume. When for example using 2M GTT pages this fill_px() showed up as being quite significant in perf measurements, and ends up being completely wasted since we ignore the pt and just use the pde directly. Anyway, currently we have our PTE construction split between alloc and insert, which is probably slightly iffy nowadays, since the alloc doesn't actually allocate anything anymore, instead it just sets up the page directories and points the PTEs at the scratch page. Later when we do the insert step we re-program the PTEs again. Better might be to squash the alloc and insert into a single step, then bringing back this optimisation(along with some others) should be possible. Fixes: 14826673247e ("drm/i915: Only initialize partially filled pagetables") Signed-off-by: Matthew Auld Cc: Jon Bloomfield Cc: Chris Wilson Cc: Daniel Vetter Cc: # v4.15+ Reviewed-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210713130431.2392740-1-matthew.auld@intel.com (cherry picked from commit 8f88ca76b3942d82e2c1cea8735ec368d89ecc15) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 905169794d9c84eef44aaa0c12ac06876049feed Author: Steven Rostedt (VMware) Date: Thu Jul 15 00:02:06 2021 -0400 tracing: Do not reference char * as a string in histograms commit 704adfb5a9978462cd861f170201ae2b5e3d3a80 upstream. The histogram logic was allowing events with char * pointers to be used as normal strings. But it was easy to crash the kernel with: # echo 'hist:keys=filename' > events/syscalls/sys_enter_openat/trigger And open some files, and boom! BUG: unable to handle page fault for address: 00007f2ced0c3280 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1173fa067 P4D 1173fa067 PUD 1171b6067 PMD 1171dd067 PTE 0 Oops: 0000 [#1] PREEMPT SMP CPU: 6 PID: 1810 Comm: cat Not tainted 5.13.0-rc5-test+ #61 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 RIP: 0010:strlen+0x0/0x20 Code: f6 82 80 2a 0b a9 20 74 11 0f b6 50 01 48 83 c0 01 f6 82 80 2a 0b a9 20 75 ef c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 RSP: 0018:ffffbdbf81567b50 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffff93815cdb3800 RCX: ffff9382401a22d0 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 00007f2ced0c3280 RBP: 0000000000000100 R08: ffff9382409ff074 R09: ffffbdbf81567c98 R10: ffff9382409ff074 R11: 0000000000000000 R12: ffff9382409ff074 R13: 0000000000000001 R14: ffff93815a744f00 R15: 00007f2ced0c3280 FS: 00007f2ced0f8580(0000) GS:ffff93825a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2ced0c3280 CR3: 0000000107069005 CR4: 00000000001706e0 Call Trace: event_hist_trigger+0x463/0x5f0 ? find_held_lock+0x32/0x90 ? sched_clock_cpu+0xe/0xd0 ? lock_release+0x155/0x440 ? kernel_init_free_pages+0x6d/0x90 ? preempt_count_sub+0x9b/0xd0 ? kernel_init_free_pages+0x6d/0x90 ? get_page_from_freelist+0x12c4/0x1680 ? __rb_reserve_next+0xe5/0x460 ? ring_buffer_lock_reserve+0x12a/0x3f0 event_triggers_call+0x52/0xe0 ftrace_syscall_enter+0x264/0x2c0 syscall_trace_enter.constprop.0+0x1ee/0x210 do_syscall_64+0x1c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Where it triggered a fault on strlen(key) where key was the filename. The reason is that filename is a char * to user space, and the histogram code just blindly dereferenced it, with obvious bad results. I originally tried to use strncpy_from_user/kernel_nofault() but found that there's other places that its dereferenced and not worth the effort. Just do not allow "char *" to act like strings. Link: https://lkml.kernel.org/r/20210715000206.025df9d2@rorschach.local.home Cc: Ingo Molnar Cc: Andrew Morton Cc: Masami Hiramatsu Cc: Tzvetomir Stoyanov Cc: stable@vger.kernel.org Acked-by: Namhyung Kim Acked-by: Tom Zanussi Fixes: 79e577cbce4c4 ("tracing: Support string type key properly") Fixes: 5967bd5c4239 ("tracing: Let filter_assign_type() detect FILTER_PTR_STRING") Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit e1261c7a846e26e35dff8805f95e1d1412207ea5 Author: Steffen Maier Date: Fri Jul 2 18:09:22 2021 +0200 scsi: zfcp: Report port fc_security as unknown early during remote cable pull commit 8b3bdd99c092bbaeaa7d9eecb1a3e5dc9112002b upstream. On remote cable pull, a zfcp_port keeps its status and only gets ZFCP_STATUS_PORT_LINK_TEST added. Only after an ADISC timeout, we would actually start port recovery and remove ZFCP_STATUS_COMMON_UNBLOCKED which zfcp_sysfs_port_fc_security_show() detected and reported as "unknown" instead of the old and possibly stale zfcp_port->connection_info. Add check for ZFCP_STATUS_PORT_LINK_TEST for timely "unknown" report. Link: https://lore.kernel.org/r/20210702160922.2667874-1-maier@linux.ibm.com Fixes: a17c78460093 ("scsi: zfcp: report FC Endpoint Security in sysfs") Cc: #5.7+ Reviewed-by: Benjamin Block Signed-off-by: Steffen Maier Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit ea518b70ed5e4598c8d706f37fc16f7b06e440bd Author: Tyrel Datwyler Date: Thu Jul 1 13:56:59 2021 -0600 scsi: core: Fix bad pointer dereference when ehandler kthread is invalid commit 93aa71ad7379900e61c8adff6a710a4c18c7c99b upstream. Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM). The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild: scsi host11: error handler thread failed to spawn, error = -4 Kernel attempted to read user page (10c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x0000010c Faulting instruction address: 0xc00000000818e9a8 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1 NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8 REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228 XER: 20040001 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0 GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000 GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0 GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000 GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc NIP [c00000000818e9a8] kthread_stop+0x38/0x230 LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160 Call Trace: [c000000033bb2c48] 0xc000000033bb2c48 (unreliable) [c0000000089846e8] scsi_host_dev_release+0x98/0x160 [c00000000891e960] device_release+0x60/0x100 [c0000000087e55c4] kobject_release+0x84/0x210 [c00000000891ec78] put_device+0x28/0x40 [c000000008984ea4] scsi_host_alloc+0x314/0x430 [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi] [c000000008110104] vio_bus_probe+0xa4/0x4b0 [c00000000892a860] really_probe+0x140/0x680 [c00000000892aefc] driver_probe_device+0x15c/0x200 [c00000000892b63c] device_driver_attach+0xcc/0xe0 [c00000000892b740] __driver_attach+0xf0/0x200 [c000000008926f28] bus_for_each_dev+0xa8/0x130 [c000000008929ce4] driver_attach+0x34/0x50 [c000000008928fc0] bus_add_driver+0x1b0/0x300 [c00000000892c798] driver_register+0x98/0x1a0 [c00000000810eb60] __vio_register_driver+0x80/0xe0 [c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi] [c0000000080121d0] do_one_initcall+0x60/0x2d0 [c000000008261abc] do_init_module+0x7c/0x320 [c000000008265700] load_module+0x2350/0x25b0 [c000000008265cb4] __do_sys_finit_module+0xd4/0x160 [c000000008031110] system_call_exception+0x150/0x2d0 [c00000000800d35c] system_call_common+0xec/0x278 Fix this be nulling shost->ehandler when the kthread fails to spawn. Link: https://lore.kernel.org/r/20210701195659.3185475-1-tyreld@linux.ibm.com Fixes: 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") Cc: stable@vger.kernel.org Reviewed-by: Ming Lei Signed-off-by: Tyrel Datwyler Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8b2ae2de536cca8ee725add5bccce4abec235880 Author: Lai Jiangshan Date: Tue Jun 29 01:26:32 2021 +0800 KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() commit f85d40160691881a17a397c448d799dfc90987ba upstream. When the host is using debug registers but the guest is not using them nor is the guest in guest-debug state, the kvm code does not reset the host debug registers before kvm_x86->run(). Rather, it relies on the hardware vmentry instruction to automatically reset the dr7 registers which ensures that the host breakpoints do not affect the guest. This however violates the non-instrumentable nature around VM entry and exit; for example, when a host breakpoint is set on vcpu->arch.cr2, Another issue is consistency. When the guest debug registers are active, the host breakpoints are reset before kvm_x86->run(). But when the guest debug registers are inactive, the host breakpoints are delayed to be disabled. The host tracing tools may see different results depending on what the guest is doing. To fix the problems, we clear %db7 unconditionally before kvm_x86->run() if the host has set any breakpoints, no matter if the guest is using them or not. Signed-off-by: Lai Jiangshan Message-Id: <20210628172632.81029-1-jiangshanlai@gmail.com> Cc: stable@vger.kernel.org [Only clear %db7 instead of reloading all debug registers. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit bedc5d091138f5ee79aebad252a95ad37017039b Author: Vitaly Kuznetsov Date: Mon Jun 28 12:44:20 2021 +0200 KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA commit fce7e152ffc8f89d02a80617b16c7aa1527847c8 upstream. APM states that #GP is raised upon write to MSR_VM_HSAVE_PA when the supplied address is not page-aligned or is outside of "maximum supported physical address for this implementation". page_address_valid() check seems suitable. Also, forcefully page-align the address when it's written from VMM. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210628104425.391276-2-vkuznets@redhat.com> Cc: stable@vger.kernel.org Reviewed-by: Maxim Levitsky [Add comment about behavior for host-provided values. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 5b779e597cb79e4721d3bdc7eff4be1cd84d3739 Author: Sean Christopherson Date: Wed Jun 23 16:05:49 2021 -0700 KVM: x86/mmu: Do not apply HPA (memory encryption) mask to GPAs commit fc9bf2e087efcd81bda2e52d09616d2a1bf982a8 upstream. Ignore "dynamic" host adjustments to the physical address mask when generating the masks for guest PTEs, i.e. the guest PA masks. The host physical address space and guest physical address space are two different beasts, e.g. even though SEV's C-bit is the same bit location for both host and guest, disabling SME in the host (which clears shadow_me_mask) does not affect the guest PTE->GPA "translation". For non-SEV guests, not dropping bits is the correct behavior. Assuming KVM and userspace correctly enumerate/configure guest MAXPHYADDR, bits that are lost as collateral damage from memory encryption are treated as reserved bits, i.e. KVM will never get to the point where it attempts to generate a gfn using the affected bits. And if userspace wants to create a bogus vCPU, then userspace gets to deal with the fallout of hardware doing odd things with bad GPAs. For SEV guests, not dropping the C-bit is technically wrong, but it's a moot point because KVM can't read SEV guest's page tables in any case since they're always encrypted. Not to mention that the current KVM code is also broken since sme_me_mask does not have to be non-zero for SEV to be supported by KVM. The proper fix would be to teach all of KVM to correctly handle guest private memory, but that's a task for the future. Fixes: d0ec49d4de90 ("kvm/x86/svm: Support Secure Memory Encryption within KVM") Cc: stable@vger.kernel.org Cc: Brijesh Singh Cc: Tom Lendacky Signed-off-by: Sean Christopherson Message-Id: <20210623230552.4027702-5-seanjc@google.com> [Use a new header instead of adding header guards to paging_tmpl.h. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 1a1a5e4409538d3ca13b6d01c3e25b64cb37cd57 Author: Sean Christopherson Date: Wed Jun 23 16:05:46 2021 -0700 KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled commit 4bf48e3c0aafd32b960d341c4925b48f416f14a5 upstream. Ignore the guest MAXPHYADDR reported by CPUID.0x8000_0008 if TDP, i.e. NPT, is disabled, and instead use the host's MAXPHYADDR. Per AMD'S APM: Maximum guest physical address size in bits. This number applies only to guests using nested paging. When this field is zero, refer to the PhysAddrSize field for the maximum guest physical address size. Fixes: 24c82e576b78 ("KVM: Sanitize cpuid") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210623230552.4027702-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 679837dc0abaa2c6e2a7bcd86483e05eee1d5066 Author: Kefeng Wang Date: Sat Jun 26 15:03:04 2021 +0800 KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio commit 23fa2e46a5556f787ce2ea1a315d3ab93cced204 upstream. BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269 CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4 mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Allocated by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [inline] kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Freed by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [inline] kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 If kvm_io_bus_unregister_dev() return -ENOMEM, we already call kvm_iodevice_destructor() inside this function to delete 'struct kvm_coalesced_mmio_dev *dev' from list and free the dev, but kvm_iodevice_destructor() is called again, it will lead the above issue. Let's check the the return value of kvm_io_bus_unregister_dev(), only call kvm_iodevice_destructor() if the return value is 0. Cc: Paolo Bonzini Cc: kvm@vger.kernel.org Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Message-Id: <20210626070304.143456-1-wangkefeng.wang@huawei.com> Cc: stable@vger.kernel.org Fixes: 5d3c4c79384a ("KVM: Stop looking for coalesced MMIO zones if the bus is destroyed", 2021-04-20) Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 72797ffca1bdc5a21eb829c690623bf5e1199bc4 Author: Paulo Alcantara Date: Mon Jul 12 12:38:24 2021 -0300 cifs: handle reconnect of tcon when there is no cached dfs referral commit 507345b5ae6a57b7ecd7550ff39282ed20de7b8d upstream. When there is no cached DFS referral of tcon->dfs_path, then reconnect to same share. Signed-off-by: Paulo Alcantara (SUSE) Cc: Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit b93f9499427cf15ee39877c43052ed26527e59ff Author: Linus Torvalds Date: Mon Apr 26 10:48:07 2021 -0700 certs: add 'x509_revocation_list' to gitignore commit 81f202315856edb75a371f3376aa3a47543c16f0 upstream. Commit d1f044103dad ("certs: Add ability to preload revocation certs") created a new generated file for revocation certs, but didn't tell git to ignore it. Thus causing unnecessary "git status" noise after a kernel build with CONFIG_SYSTEM_REVOCATION_LIST enabled. Add the proper gitignore magic. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f68261346518c970aea06e6fb3eb031247340400 Author: Greg Kroah-Hartman Date: Mon Jul 19 09:45:03 2021 +0200 Linux 5.10.51 Link: https://lore.kernel.org/r/20210715182558.381078833@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Salvatore Bonaccorso Tested-by: Pavel Machek (CIP) Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20210716182126.028243738@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Hulk Robot Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Pavel Machek (CIP) Tested-by: Guenter Roeck Tested-by: Florian Fainelli Tested-by: Linux Kernel Functional Testing Tested-by: Hulk Robot Signed-off-by: Greg Kroah-Hartman commit 86786603014e0a22d0d6af8e80ae4b8687927048 Author: Chao Yu Date: Fri May 7 18:10:38 2021 +0800 f2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances commit cad83c968c2ebe97905f900326988ed37146c347 upstream. As syzbot reported, there is an use-after-free issue during f2fs recovery: Use-after-free write at 0xffff88823bc16040 (in kfence-#10): kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486 f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869 f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945 mount_bdev+0x26c/0x3a0 fs/super.c:1367 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x86/0x270 fs/super.c:1497 do_new_mount fs/namespace.c:2905 [inline] path_mount+0x196f/0x2be0 fs/namespace.c:3235 do_mount fs/namespace.c:3248 [inline] __do_sys_mount fs/namespace.c:3456 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is multi f2fs filesystem instances can race on accessing global fsync_entry_slab pointer, result in use-after-free issue of slab cache, fixes to init/destroy this slab cache only once during module init/destroy procedure to avoid this issue. Reported-by: syzbot+9d90dad32dd9727ed084@syzkaller.appspotmail.com Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 5e4f5138bd8522ebe231a137682d3857209a2c07 Author: Pavel Skripkin Date: Fri Apr 30 21:50:46 2021 +0300 ext4: fix memory leak in ext4_fill_super commit 618f003199c6188e01472b03cdbba227f1dc5f24 upstream. static int kthread(void *_create) will return -ENOMEM or -EINTR in case of internal failure or kthread_stop() call happens before threadfn call. To prevent fancy error checking and make code more straightforward we moved all cleanup code out of kmmpd threadfn. Also, dropped struct mmpd_data at all. Now struct super_block is a threadfn data and struct buffer_head embedded into struct ext4_sb_info. Reported-by: syzbot+d9e482e303930fa4f6ff@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/20210430185046.15742-1-paskripkin@gmail.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 3780348c1a0e14ffefcaf1fc521f815bcaac94b0 Author: Tetsuo Handa Date: Mon Apr 12 22:45:50 2021 +0900 smackfs: restrict bytes count in smk_set_cipso() commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream. Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Casey Schaufler Signed-off-by: Greg Kroah-Hartman commit 8018936950360f1c503bb385e158cfc5e4945d18 Author: Pavel Skripkin Date: Sun Jun 6 17:24:05 2021 +0300 jfs: fix GPF in diFree commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream. Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to diFree()[1]. GFP will appear: struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; struct inomap *imap = JFS_IP(ipimap)->i_imap; JFS_IP() will return invalid pointer when ipimap == NULL Call Trace: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [inline] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670 Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman commit fcb041ca5c7787b096aafc899e45f93583e66cbd Author: Thomas Zimmermann Date: Thu Apr 29 12:50:57 2021 +0200 drm/ast: Remove reference to struct drm_device.pdev commit 0ecb51824e838372e01330752503ddf9c0430ef7 upstream. Using struct drm_device.pdev is deprecated. Upcast with to_pci_dev() from struct drm_device.dev to get the PCI device structure. v9: * fix remaining pdev references Signed-off-by: Thomas Zimmermann Reviewed-by: Michael J. Ruhl Fixes: ba4e0339a6a3 ("drm/ast: Fixed CVE for DP501") Cc: KuoHsiang Chou Cc: kernel test robot Cc: Thomas Zimmermann Cc: Dave Airlie Cc: dri-devel@lists.freedesktop.org Link: https://patchwork.freedesktop.org/patch/msgid/20210429105101.25667-2-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman commit 3785f3c1e3c77ee5dac7c89399674fa839193330 Author: Zou Wei Date: Tue Jun 8 14:34:08 2021 +0800 pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() commit 884af72c90016cfccd5717439c86b48702cbf184 upstream. Add the missing unlock before return from function mcp23s08_irq() in the error handling case. v1-->v2: remove the "return IRQ_HANDLED" line Fixes: 897120d41e7a ("pinctrl: mcp23s08: fix race condition in irq handler") Reported-by: Hulk Robot Signed-off-by: Zou Wei Link: https://lore.kernel.org/r/1623134048-56051-1-git-send-email-zou_wei@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit b716ccffbc8dc8f14773d4ae7daadbca6167da2d Author: Mikulas Patocka Date: Mon Jun 21 14:48:29 2021 -0400 dm writecache: write at least 4k when committing commit 867de40c4c23e6d7f89f9ce4272a5d1b1484c122 upstream. SSDs perform badly with sub-4k writes (because they perfrorm read-modify-write internally), so make sure writecache writes at least 4k when committing. Fixes: 991bd8d7bc78 ("dm writecache: commit just one block, not a full page") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 090588059c30ef1b49b82da96bfaead8f430c48e Author: Yang Yingliang Date: Thu Jul 15 21:18:25 2021 +0800 io_uring: fix clear IORING_SETUP_R_DISABLED in wrong function In commit 3ebba796fa25 ("io_uring: ensure that SQPOLL thread is started for exit"), the IORING_SETUP_R_DISABLED is cleared in io_sq_offload_start(), but when backport it to stable-5.10, IORING_SETUP_R_DISABLED is cleared in __io_req_task_submit(), move clearing IORING_SETUP_R_DISABLED to io_sq_offload_start() to fix this. Fixes: 6cae8095490ca ("io_uring: ensure that SQPOLL thread is started for exit") Signed-off-by: Yang Yingliang Signed-off-by: Greg Kroah-Hartman commit aa57b2d6b37e3630116e39f0f2acc8da0de6faf5 Author: Benjamin Drung Date: Sat Jun 5 22:15:36 2021 +0200 media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K commit 4c6e0976295add7f0ed94d276c04a3d6f1ea8f83 upstream. The Elgato Cam Link 4K HDMI video capture card reports to support three different pixel formats, where the first format depends on the connected HDMI device. ``` $ v4l2-ctl -d /dev/video0 --list-formats-ext ioctl: VIDIOC_ENUM_FMT Type: Video Capture [0]: 'NV12' (Y/CbCr 4:2:0) Size: Discrete 3840x2160 Interval: Discrete 0.033s (29.970 fps) [1]: 'NV12' (Y/CbCr 4:2:0) Size: Discrete 3840x2160 Interval: Discrete 0.033s (29.970 fps) [2]: 'YU12' (Planar YUV 4:2:0) Size: Discrete 3840x2160 Interval: Discrete 0.033s (29.970 fps) ``` Changing the pixel format to anything besides the first pixel format does not work: ``` $ v4l2-ctl -d /dev/video0 --try-fmt-video pixelformat=YU12 Format Video Capture: Width/Height : 3840/2160 Pixel Format : 'NV12' (Y/CbCr 4:2:0) Field : None Bytes per Line : 3840 Size Image : 12441600 Colorspace : sRGB Transfer Function : Rec. 709 YCbCr/HSV Encoding: Rec. 709 Quantization : Default (maps to Limited Range) Flags : ``` User space applications like VLC might show an error message on the terminal in that case: ``` libv4l2: error set_fmt gave us a different result than try_fmt! ``` Depending on the error handling of the user space applications, they might display a distorted video, because they use the wrong pixel format for decoding the stream. The Elgato Cam Link 4K responds to the USB video probe VS_PROBE_CONTROL/VS_COMMIT_CONTROL with a malformed data structure: The second byte contains bFormatIndex (instead of being the second byte of bmHint). The first byte is always zero. The third byte is always 1. The firmware bug was reported to Elgato on 2020-12-01 and it was forwarded by the support team to the developers as feature request. There is no firmware update available since then. The latest firmware for Elgato Cam Link 4K as of 2021-03-23 has MCU 20.02.19 and FPGA 67. Therefore correct the malformed data structure for this device. The change was successfully tested with VLC, OBS, and Chromium using different pixel formats (YUYV, NV12, YU12), resolutions (3840x2160, 1920x1080), and frame rates (29.970 and 59.940 fps). Cc: stable@vger.kernel.org Signed-off-by: Benjamin Drung Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 31874b6b63dd83eb6d5e58264bd6b08c5b39eca6 Author: Johan Hovold Date: Mon May 24 13:09:19 2021 +0200 media: gspca/sunplus: fix zero-length control requests commit b4bb4d425b7b02424afea2dfdcd77b3b4794175e upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the single zero-length control request which was using the read-register helper, and update the helper so that zero-length reads fail with an error message instead. Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers") Cc: stable@vger.kernel.org # 2.6.27 Signed-off-by: Johan Hovold Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit de95c0bd797ac384441b3a5760022886e63e1545 Author: Johan Hovold Date: Fri May 21 15:28:39 2021 +0200 media: gspca/sq905: fix control-request direction commit 53ae298fde7adcc4b1432bce2dbdf8dac54dfa72 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the USB_REQ_SYNCH_FRAME request which erroneously used usb_sndctrlpipe(). Fixes: 27d35fc3fb06 ("V4L/DVB (10639): gspca - sq905: New subdriver.") Cc: stable@vger.kernel.org # 2.6.30 Signed-off-by: Johan Hovold Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c57bfd8000d7677bf435873b440eec0c47f73a08 Author: Pavel Skripkin Date: Mon May 17 21:18:14 2021 +0200 media: zr364xx: fix memory leak in zr364xx_start_readpipe commit 0a045eac8d0427b64577a24d74bb8347c905ac65 upstream. syzbot reported memory leak in zr364xx driver. The problem was in non-freed urb in case of usb_submit_urb() fail. backtrace: [] kmalloc include/linux/slab.h:561 [inline] [] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74 [] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022 [] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline] [] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516 [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [] really_probe+0x159/0x500 drivers/base/dd.c:576 Fixes: ccbf035ae5de ("V4L/DVB (12278): zr364xx: implement V4L2_CAP_STREAMING") Cc: stable@vger.kernel.org Reported-by: syzbot+af4fa391ef18efdd5f69@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit dbd58d39784451abab29ee624f0f6055e42d8766 Author: Johan Hovold Date: Fri May 21 15:28:38 2021 +0200 media: dtv5100: fix control-request directions commit 8c8b9a9be2afa8bd6a72ad1130532baab9fab89d upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the control requests which erroneously used usb_rcvctrlpipe(). Fixes: 8466028be792 ("V4L/DVB (8734): Initial support for AME DTV-5100 USB2.0 DVB-T") Cc: stable@vger.kernel.org # 2.6.28 Signed-off-by: Johan Hovold Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit db317a37229b2dd338c4b9348310ca47e462ca67 Author: Arnd Bergmann Date: Mon Jun 14 12:34:09 2021 +0200 media: subdev: disallow ioctl for saa6588/davinci commit 0a7790be182d32b9b332a37cb4206e24fe94b728 upstream. The saa6588_ioctl() function expects to get called from other kernel functions with a 'saa6588_command' pointer, but I found nothing stops it from getting called from user space instead, which seems rather dangerous. The same thing happens in the davinci vpbe driver with its VENC_GET_FLD command. As a quick fix, add a separate .command() callback pointer for this driver and change the two callers over to that. This change can easily get backported to stable kernels if necessary, but since there are only two drivers, we may want to eventually replace this with a set of more specialized callbacks in the long run. Fixes: c3fda7f835b0 ("V4L/DVB (10537): saa6588: convert to v4l2_subdev.") Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit e2c1218ddc5f97031159be0bc835a5190893d29d Author: Pali Rohár Date: Fri Jun 25 00:26:20 2021 +0200 PCI: aardvark: Implement workaround for the readback value of VEND_ID commit 7f71a409fe3d9358da07c77f15bb5b7960f12253 upstream. Marvell Armada 3700 Functional Errata, Guidelines, and Restrictions document describes in erratum 4.1 PCIe value of vendor ID (Ref #: 243): The readback value of VEND_ID (RD0070000h [15:0]) is 1B4Bh, while it should read 11ABh. The firmware can write the correct value, 11ABh, through VEND_ID (RD0076044h [15:0]). Implement this workaround in aardvark driver for both PCI vendor id and PCI subsystem vendor id. This change affects and fixes PCI vendor id of emulated PCIe root bridge. After this change emulated PCIe root bridge has correct vendor id. Link: https://lore.kernel.org/r/20210624222621.4776-5-pali@kernel.org Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Reviewed-by: Marek Behún Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 130919708990b1718dea512a5954c7170706a87e Author: Pali Rohár Date: Thu Jun 24 23:33:43 2021 +0200 PCI: aardvark: Fix checking for PIO Non-posted Request commit 8ceeac307a79f68c0d0c72d6e48b82fa424204ec upstream. PIO_NON_POSTED_REQ for PIO_STAT register is incorrectly defined. Bit 10 in register PIO_STAT indicates the response is to a non-posted request. Link: https://lore.kernel.org/r/20210624213345.3617-2-pali@kernel.org Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Reviewed-by: Marek Behún Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit f147115018aabe71e25a9fd85b1212b81b7ab622 Author: Konstantin Kharlamov Date: Fri May 21 02:55:01 2021 +0300 PCI: Leave Apple Thunderbolt controllers on for s2idle or standby commit 4694ae373dc2114f9a82f6ae15737e65af0c6dea upstream. On Macbook 2013, resuming from suspend-to-idle or standby resulted in the external monitor no longer being detected, a stacktrace, and errors like this in dmesg: pcieport 0000:06:00.0: can't change power state from D3hot to D0 (config space inaccessible) The reason is that we know how to turn power to the Thunderbolt controller *off* via the SXIO/SXFP/SXLF methods, but we don't know how to turn power back on. We have to rely on firmware to turn the power back on. When going to the "suspend-to-idle" or "standby" system sleep states, firmware is not involved either on the suspend side or the resume side, so we can't use SXIO/SXFP/SXLF to turn the power off. Skip SXIO/SXFP/SXLF when firmware isn't involved in suspend, e.g., when we're going to the "suspend-to-idle" or "standby" system sleep states. Fixes: 1df5172c5c25 ("PCI: Suspend/resume quirks for Apple thunderbolt") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212767 Link: https://lore.kernel.org/r/20210520235501.917397-1-Hi-Angel@yandex.ru Signed-off-by: Konstantin Kharlamov Signed-off-by: Bjorn Helgaas Reviewed-by: Lukas Wunner Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit ba47e65a5de3e0e8270301a409fc63d3129fdb9e Author: Hou Tao Date: Thu Jun 17 15:45:47 2021 +0800 dm btree remove: assign new_root only when removal succeeds commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream. remove_raw() in dm_btree_remove() may fail due to IO read error (e.g. read the content of origin block fails during shadowing), and the value of shadow_spine::root is uninitialized, but the uninitialized value is still assign to new_root in the end of dm_btree_remove(). For dm-thin, the value of pmd->details_root or pmd->root will become an uninitialized value, so if trying to read details_info tree again out-of-bound memory may occur as showed below: general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 Hardware name: QEMU Standard PC RIP: 0010:metadata_ll_load_ie+0x14/0x30 Call Trace: sm_metadata_count_is_more_than_one+0xb9/0xe0 dm_tm_shadow_block+0x52/0x1c0 shadow_step+0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 dm_ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixing it by only assign new_root when removal succeeds Signed-off-by: Hou Tao Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 1b5918b087b1dd7bf193340f25ca63c50a277638 Author: Mikulas Patocka Date: Tue Jun 15 13:45:55 2021 -0400 dm writecache: flush origin device when writing and cache is full commit ee55b92a7391bf871939330f662651b54be51b73 upstream. Commit d53f1fafec9d086f1c5166436abefdaef30e0363 ("dm writecache: do direct write if the cache is full") changed dm-writecache, so that it writes directly to the origin device if the cache is full. Unfortunately, it doesn't forward flush requests to the origin device, so that there is a bug where flushes are being ignored. Fix this by adding missing flush forwarding. For PMEM mode, we fix this bug by disabling direct writes to the origin device, because it performs better. Signed-off-by: Mikulas Patocka Fixes: d53f1fafec9d ("dm writecache: do direct write if the cache is full") Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit cbc03ffec260c28cd177fee143f2fe74cc36ba00 Author: Damien Le Moal Date: Wed May 19 10:26:16 2021 +0900 dm zoned: check zone capacity commit bab68499428ed934f0493ac74197ed6f36204260 upstream. The dm-zoned target cannot support zoned block devices with zones that have a capacity smaller than the zone size (e.g. NVMe zoned namespaces) due to the current chunk zone mapping implementation as it is assumed that zones and chunks have the same size with all blocks usable. If a zoned drive is found to have zones with a capacity different from the zone size, fail the target initialization. Signed-off-by: Damien Le Moal Cc: stable@vger.kernel.org # v5.9+ Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 35c1c4bd2d59ad734129d4e232af9d1098023918 Author: Sai Prakash Ranjan Date: Mon Jun 14 11:59:00 2021 -0600 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer() commit 5fae8a946ac2df879caf3f79a193d4766d00239b upstream. commit 6f755e85c332 ("coresight: Add helper for inserting synchronization packets") removed trailing '\0' from barrier_pkt array and updated the call sites like etb_update_buffer() to have proper checks for barrier_pkt size before read but missed updating tmc_update_etf_buffer() which still reads barrier_pkt past the array size resulting in KASAN out-of-bounds bug. Fix this by adding a check for barrier_pkt size before accessing like it is done in etb_update_buffer(). BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698 Read of size 4 at addr ffffffd05b7d1030 by task perf/2629 Call trace: dump_backtrace+0x0/0x27c show_stack+0x20/0x2c dump_stack+0x11c/0x188 print_address_description+0x3c/0x4a4 __kasan_report+0x140/0x164 kasan_report+0x10/0x18 __asan_report_load4_noabort+0x1c/0x24 tmc_update_etf_buffer+0x4b8/0x698 etm_event_stop+0x248/0x2d8 etm_event_del+0x20/0x2c event_sched_out+0x214/0x6f0 group_sched_out+0xd0/0x270 ctx_sched_out+0x2ec/0x518 __perf_event_task_sched_out+0x4fc/0xe6c __schedule+0x1094/0x16a0 preempt_schedule_irq+0x88/0x170 arm64_preempt_schedule_irq+0xf0/0x18c el1_irq+0xe8/0x180 perf_event_exec+0x4d8/0x56c setup_new_exec+0x204/0x400 load_elf_binary+0x72c/0x18c0 search_binary_handler+0x13c/0x420 load_script+0x500/0x6c4 search_binary_handler+0x13c/0x420 exec_binprm+0x118/0x654 __do_execve_file+0x77c/0xba4 __arm64_compat_sys_execve+0x98/0xac el0_svc_common+0x1f8/0x5e0 el0_svc_compat_handler+0x84/0xb0 el0_svc_compat+0x10/0x50 The buggy address belongs to the variable: barrier_pkt+0x10/0x40 Memory state around the buggy address: ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03 ^ ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa ================================================================== Link: https://lore.kernel.org/r/20210505093430.18445-1-saiprakash.ranjan@codeaurora.org Fixes: 0c3fc4d5fa26 ("coresight: Add barrier packet for synchronisation") Cc: stable@vger.kernel.org Signed-off-by: Sai Prakash Ranjan Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20210614175901.532683-6-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit 048624ad564cb2b52ad4552a7e87942acefe0b3e Author: Jeremy Linton Date: Mon Jun 14 11:59:01 2021 -0600 coresight: Propagate symlink failure commit 51dd19a7e9f8fbbb7cd92b8a357091911eae7f78 upstream. If the symlink is unable to be created, the driver goes ahead and continues device creation. Instead lets propagate the failure, and fail the probe. Link: https://lore.kernel.org/r/20210526204042.2681700-1-jeremy.linton@arm.com Fixes: 8a7365c2d418 ("coresight: Expose device connections via sysfs") Cc: stable@vger.kernel.org Signed-off-by: Jeremy Linton Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20210614175901.532683-7-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit 0c2bc1489104abcc738b5762a3de6238fd23ffa5 Author: Lv Yunlong Date: Mon May 24 02:32:05 2021 -0700 ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream. In the out_err_bus_register error branch of tpci200_pci_probe, tpci200->info->cfg_regs is freed by tpci200_uninstall()-> tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs) in the first time. But later, iounmap() is called to free tpci200->info->cfg_regs again. My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall() to avoid the double free. Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode") Cc: stable Acked-by: Samuel Iglesias Gonsalvez Signed-off-by: Lv Yunlong Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Greg Kroah-Hartman commit eb81b5a37dc55e8d8042c81672bf7b0e24ff89e1 Author: Paul Burton Date: Thu Jul 1 10:24:07 2021 -0700 tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT commit 4030a6e6a6a4a42ff8c18414c9e0c93e24cc70b8 upstream. Currently tgid_map is sized at PID_MAX_DEFAULT entries, which means that on systems where pid_max is configured higher than PID_MAX_DEFAULT the ftrace record-tgid option doesn't work so well. Any tasks with PIDs higher than PID_MAX_DEFAULT are simply not recorded in tgid_map, and don't show up in the saved_tgids file. In particular since systemd v243 & above configure pid_max to its highest possible 1<<22 value by default on 64 bit systems this renders the record-tgids option of little use. Increase the size of tgid_map to the configured pid_max instead, allowing it to cover the full range of PIDs up to the maximum value of PID_MAX_LIMIT if the system is configured that way. On 64 bit systems with pid_max == PID_MAX_LIMIT this will increase the size of tgid_map from 256KiB to 16MiB. Whilst this 64x increase in memory overhead sounds significant 64 bit systems are presumably best placed to accommodate it, and since tgid_map is only allocated when the record-tgid option is actually used presumably the user would rather it spends sufficient memory to actually record the tgids they expect. The size of tgid_map could also increase for CONFIG_BASE_SMALL=y configurations, but these seem unlikely to be systems upon which people are both configuring a large pid_max and running ftrace with record-tgid anyway. Of note is that we only allocate tgid_map once, the first time that the record-tgid option is enabled. Therefore its size is only set once, to the value of pid_max at the time the record-tgid option is first enabled. If a user increases pid_max after that point, the saved_tgids file will not contain entries for any tasks with pids beyond the earlier value of pid_max. Link: https://lkml.kernel.org/r/20210701172407.889626-2-paulburton@google.com Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks") Cc: Ingo Molnar Cc: Joel Fernandes Cc: Signed-off-by: Paul Burton [ Fixed comment coding style ] Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 3cda5b7f4e29701b8e55de6bf53173b593429145 Author: Paul Burton Date: Tue Jun 29 17:34:05 2021 -0700 tracing: Simplify & fix saved_tgids logic commit b81b3e959adb107cd5b36c7dc5ba1364bbd31eb2 upstream. The tgid_map array records a mapping from pid to tgid, where the index of an entry within the array is the pid & the value stored at that index is the tgid. The saved_tgids_next() function iterates over pointers into the tgid_map array & dereferences the pointers which results in the tgid, but then it passes that dereferenced value to trace_find_tgid() which treats it as a pid & does a further lookup within the tgid_map array. It seems likely that the intent here was to skip over entries in tgid_map for which the recorded tgid is zero, but instead we end up skipping over entries for which the thread group leader hasn't yet had its own tgid recorded in tgid_map. A minimal fix would be to remove the call to trace_find_tgid, turning: if (trace_find_tgid(*ptr)) into: if (*ptr) ..but it seems like this logic can be much simpler if we simply let seq_read() iterate over the whole tgid_map array & filter out empty entries by returning SEQ_SKIP from saved_tgids_show(). Here we take that approach, removing the incorrect logic here entirely. Link: https://lkml.kernel.org/r/20210630003406.4013668-1-paulburton@google.com Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks") Cc: Ingo Molnar Cc: Joel Fernandes Cc: Signed-off-by: Paul Burton Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 8cc58a6e2c394aa48aa05f600be7d279efbafcd7 Author: Jan Kara Date: Mon Jun 7 13:26:13 2021 +0200 rq-qos: fix missed wake-ups in rq_qos_throttle try two commit 11c7aa0ddea8611007768d3e6b58d45dc60a19e1 upstream. Commit 545fbd0775ba ("rq-qos: fix missed wake-ups in rq_qos_throttle") tried to fix a problem that a process could be sleeping in rq_qos_wait() without anyone to wake it up. However the fix is not complete and the following can still happen: CPU1 (waiter1) CPU2 (waiter2) CPU3 (waker) rq_qos_wait() rq_qos_wait() acquire_inflight_cb() -> fails acquire_inflight_cb() -> fails completes IOs, inflight decreased prepare_to_wait_exclusive() prepare_to_wait_exclusive() has_sleeper = !wq_has_single_sleeper() -> true as there are two sleepers has_sleeper = !wq_has_single_sleeper() -> true io_schedule() io_schedule() Deadlock as now there's nobody to wakeup the two waiters. The logic automatically blocking when there are already sleepers is really subtle and the only way to make it work reliably is that we check whether there are some waiters in the queue when adding ourselves there. That way, we are guaranteed that at least the first process to enter the wait queue will recheck the waiting condition before going to sleep and thus guarantee forward progress. Fixes: 545fbd0775ba ("rq-qos: fix missed wake-ups in rq_qos_throttle") CC: stable@vger.kernel.org Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20210607112613.25344-1-jack@suse.cz Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f9fb4986f4d81182f938d16beb4f983fe71212aa Author: Yun Zhou Date: Sat Jun 26 11:21:55 2021 +0800 seq_buf: Fix overflow in seq_buf_putmem_hex() commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream. There's two variables being increased in that loop (i and j), and i follows the raw data, and j follows what is being written into the buffer. We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS. Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the destination buffer. Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/ Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com Cc: stable@vger.kernel.org Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method") Signed-off-by: Yun Zhou Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 418b333afbd55e67f7911868515051e0a7a37658 Author: Ferry Toth Date: Tue May 18 23:27:09 2021 +0200 extcon: intel-mrfld: Sync hardware and software state on init commit ecb5bdff901139850fb3ca3ae2d0cccac045bc52 upstream. extcon driver for Basin Cove PMIC shadows the switch status used for dwc3 DRD to detect a change in the switch position. This change initializes the status at probe time. Cc: stable@vger.kernel.org Fixes: 492929c54791 ("extcon: mrfld: Introduce extcon driver for Basin Cove PMIC") Reviewed-by: Andy Shevchenko Signed-off-by: Ferry Toth Signed-off-by: Chanwoo Choi Signed-off-by: Greg Kroah-Hartman commit af092ec16e06c179632ee69e1e1713308b1e8d7d Author: Kees Cook Date: Wed Jun 23 13:39:29 2021 -0700 selftests/lkdtm: Fix expected text for CR4 pinning commit c2eb472bbe25b3f360990f23b293b3fbadfa4bc0 upstream. The error text for CR4 pinning changed. Update the test to match. Fixes: a13b9d0b9721 ("x86/cpu: Use pinning mask for CR4 bits needing to be 0") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210623203936.3151093-3-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit 0af643fa7e74d6da1bc1676caa8bdbb0e765ce14 Author: Kees Cook Date: Wed Jun 23 13:39:31 2021 -0700 lkdtm/bugs: XFAIL UNALIGNED_LOAD_STORE_WRITE commit a15676ac8f24a9ac5fd881cf17be4be13fa0910a upstream. When built under CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, this test is expected to fail (i.e. not trip an exception). Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210623203936.3151093-5-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit baedb1f5a08cda9b8c1e49e5ffe7d5258085e7e6 Author: Christophe JAILLET Date: Fri Jun 11 11:23:21 2021 +0100 nvmem: core: add a missing of_node_put commit 63879e2964bceee2aa5bbe8b99ea58bba28bb64f upstream. 'for_each_child_of_node' performs an of_node_get on each iteration, so a return from the middle of the loop requires an of_node_put. Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time") Cc: Signed-off-by: Christophe JAILLET Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210611102321.11509-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit f0a079c0ba87e829058469012cb211b8cc388d04 Author: Limeng Date: Wed Apr 7 13:25:25 2021 +0800 mfd: syscon: Free the allocated name field of struct regmap_config commit 56a1188159cb2b87fbcb5a7a7afb38a4dd9db0c1 upstream. The commit 529a1101212a("mfd: syscon: Don't free allocated name for regmap_config") doesn't free the allocated name field of struct regmap_config, but introduce a memory leak. There is another commit 94cc89eb8fa5("regmap: debugfs: Fix handling of name string for debugfs init delays") fixing this debugfs init issue from root cause. With this fixing, the name field in struct regmap_debugfs_node is removed. When initialize debugfs for syscon driver, the name field of struct regmap_config is not used anymore. So, the allocated name field of struct regmap_config is need to be freed directly after regmap initialization to avoid memory leak. Cc: stable@vger.kernel.org Fixes: 529a1101212a("mfd: syscon: Don't free allocated name for regmap_config") Signed-off-by: Meng Li Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit a8a2e506ea2f5c6e35d6d407729c184412025a4c Author: Linus Walleij Date: Sun Jun 27 01:47:49 2021 +0200 power: supply: ab8500: Fix an old bug commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream. Trying to get the AB8500 charging driver working I ran into a bit of bitrot: we haven't used the driver for a while so errors in refactorings won't be noticed. This one is pretty self evident: use argument to the macro or we end up with a random pointer to something else. Cc: stable@vger.kernel.org Cc: Krzysztof Kozlowski Cc: Marcus Cooper Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") Signed-off-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 38dde03eb239605f428f3f1e4baa73d4933a4cc6 Author: Zhihao Cheng Date: Mon May 31 20:52:09 2021 +0800 ubifs: Fix races between xattr_{set|get} and listxattr operations commit f4e3634a3b642225a530c292fdb1e8a4007507f5 upstream. UBIFS may occur some problems with concurrent xattr_{set|get} and listxattr operations, such as assertion failure, memory corruption, stale xattr value[1]. Fix it by importing a new rw-lock in @ubifs_inode to serilize write operations on xattr, concurrent read operations are still effective, just like ext4. [1] https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com Fixes: 1e51764a3c2ac05a23 ("UBIFS: add new flash file system") Cc: stable@vger.kernel.org # v2.6+ Signed-off-by: Zhihao Cheng Reviewed-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 690a11fb4e9f48caa3be21d408d48d08e7619033 Author: Srinivas Pandruvada Date: Mon Jun 28 14:58:03 2021 -0700 thermal/drivers/int340x/processor_thermal: Fix tcc setting commit fe6a6de6692e7f7159c1ff42b07ecd737df712b4 upstream. The following fixes are done for tcc sysfs interface: - TCC is 6 bits only from bit 29-24 - TCC of 0 is valid - When BIT(31) is set, this register is read only - Check for invalid tcc value - Error for negative values Fixes: fdf4f2fb8e899 ("drivers: thermal: processor_thermal_device: Export sysfs interface for TCC offset") Signed-off-by: Srinivas Pandruvada Cc: stable@vger.kernel.org Acked-by: Zhang Rui Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210628215803.75038-1-srinivas.pandruvada@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ef5066f95c15c24ec9b1dbbcf33cb17d36742c9c Author: Petr Pavlu Date: Thu May 13 14:26:36 2021 +0200 ipmi/watchdog: Stop watchdog timer when the current action is 'none' commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream. When an IPMI watchdog timer is being stopped in ipmi_close() or ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called to install this action. The latter function ends up invoking __ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI request. For IPMI 1.0, this operation results in fully stopping the watchdog timer. For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes that the watchdog timer has its action correctly updated to 'none' but the timer continues to run. A problem is that IPMI firmware can then still log an expiration event when the configured timeout is reached, which is unexpected because the watchdog timer was requested to be stopped. The patch fixes this problem by not setting the "don't stop" flag in __ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which results in stopping the watchdog timer. This makes the behaviour for IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in __ipmi_heartbeat() which does not allow to reset the watchdog if the current action is WDOG_TIMEOUT_NONE as that would start the timer. Signed-off-by: Petr Pavlu Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com> Cc: stable@vger.kernel.org Signed-off-by: Corey Minyard Signed-off-by: Greg Kroah-Hartman commit 7ade84f8df8fa9969f8d37b5122b7d0de20c67a9 Author: Nathan Chancellor Date: Thu Feb 11 12:42:58 2021 -0700 qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute commit fca41af18e10318e4de090db47d9fa7169e1bf2f upstream. fw_cfg_showrev() is called by an indirect call in kobj_attr_show(), which violates clang's CFI checking because fw_cfg_showrev()'s second parameter is 'struct attribute', whereas the ->show() member of 'struct kobj_structure' expects the second parameter to be of type 'struct kobj_attribute'. $ cat /sys/firmware/qemu_fw_cfg/rev 3 $ dmesg | grep "CFI failure" [ 26.016832] CFI failure (target: fw_cfg_showrev+0x0/0x8): Fix this by converting fw_cfg_rev_attr to 'struct kobj_attribute' where this would have been caught automatically by the incompatible pointer types compiler warning. Update fw_cfg_showrev() accordingly. Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device") Link: https://github.com/ClangBuiltLinux/linux/issues/1299 Signed-off-by: Nathan Chancellor Reviewed-by: Sami Tolvanen Tested-by: Sedat Dilek Reviewed-by: Sami Tolvanen Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210211194258.4137998-1-nathan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 02671eda9ab956fece9f26aac2f0df1f26ca2c4d Author: Jesse Brandeburg Date: Fri May 7 11:56:25 2021 -0700 i40e: fix PTP on 5Gb links commit 26b0ce8dd3dd704393dbace4dc416adfeffe531f upstream. As reported by Alex Sergeev, the i40e driver is incrementing the PTP clock at 40Gb speeds when linked at 5Gb. Fix this bug by making sure that the right multiplier is selected when linked at 5Gb. Fixes: 3dbdd6c2f70a ("i40e: Add support for 5Gbps cards") Cc: stable@vger.kernel.org Reported-by: Alex Sergeev Suggested-by: Alex Sergeev Signed-off-by: Jesse Brandeburg Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit ab9d7c5fc9c6819bd68074e44141410e4c370970 Author: Dmitry Osipenko Date: Sat May 29 18:46:46 2021 +0300 ASoC: tegra: Set driver_name=tegra for all machine drivers commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream. The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise Tegra UCMs don't match by the path/name. All Tegra machine drivers are specifying the card's name, but it has no effect if model name is specified in the device-tree since it overrides the card's name. We need to set the driver_name to "tegra" in order to get a usable lookup path for the updated ALSA UCMs. The new UCM lookup path has a form of driver_name/card_name. The old lookup paths that are based on driver module name continue to work as before. Note that UCM matching never worked for Tegra ASoC drivers if they were compiled as built-in, this is fixed by supporting the new naming scheme. Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e0d9beb44abd6c2492697c8234d3840266bbddd5 Author: Russ Weight Date: Mon Jun 14 10:09:03 2021 -0700 fpga: stratix10-soc: Add missing fpga_mgr_free() call commit d9ec9daa20eb8de1efe6abae78c9835ec8ed86f9 upstream. The stratix10-soc driver uses fpga_mgr_create() function and is therefore responsible to call fpga_mgr_free() to release the class driver resources. Add a missing call to fpga_mgr_free in the s10_remove() function. Signed-off-by: Russ Weight Reviewed-by: Xu Yilun Signed-off-by: Moritz Fischer Fixes: e7eef1d7633a ("fpga: add intel stratix10 soc fpga manager driver") Cc: stable Link: https://lore.kernel.org/r/20210614170909.232415-3-mdf@kernel.org Signed-off-by: Greg Kroah-Hartman commit 5a5ebf5d48229b4d227dae8b5eeef996bfce20b6 Author: Samuel Holland Date: Fri May 14 21:14:39 2021 -0500 clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround commit 8b33dfe0ba1c84c1aab2456590b38195837f1e6e upstream. Bad counter reads are experienced sometimes when bit 10 or greater rolls over. Originally, testing showed that at least 10 lower bits would be set to the same value during these bad reads. However, some users still reported time skips. Wider testing revealed that on some chips, occasionally only the lowest 9 bits would read as the anomalous value. During these reads (which still happen only when bit 10), bit 9 would read as the correct value. Reduce the mask by one bit to cover these cases as well. Cc: stable@vger.kernel.org Fixes: c950ca8c35ee ("clocksource/drivers/arch_timer: Workaround for Allwinner A64 timer instability") Reported-by: Roman Stratiienko Signed-off-by: Samuel Holland Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210515021439.55316-1-samuel@sholland.org Signed-off-by: Greg Kroah-Hartman commit b5e26be407e642dc0ff00fd09387c48d36725a0a Author: Thomas Gleixner Date: Sat Mar 27 22:01:36 2021 +0100 cpu/hotplug: Cure the cpusets trainwreck commit b22afcdf04c96ca58327784e280e10288cfd3303 upstream. Alexey and Joshua tried to solve a cpusets related hotplug problem which is user space visible and results in unexpected behaviour for some time after a CPU has been plugged in and the corresponding uevent was delivered. cpusets delegate the hotplug work (rebuilding cpumasks etc.) to a workqueue. This is done because the cpusets code has already a lock nesting of cgroups_mutex -> cpu_hotplug_lock. A synchronous callback or waiting for the work to finish with cpu_hotplug_lock held can and will deadlock because that results in the reverse lock order. As a consequence the uevent can be delivered before cpusets have consistent state which means that a user space invocation of sched_setaffinity() to move a task to the plugged CPU fails up to the point where the scheduled work has been processed. The same is true for CPU unplug, but that does not create user observable failure (yet). It's still inconsistent to claim that an operation is finished before it actually is and that's the real issue at hand. uevents just make it reliably observable. Obviously the problem should be fixed in cpusets/cgroups, but untangling that is pretty much impossible because according to the changelog of the commit which introduced this 8 years ago: 3a5a6d0c2b03("cpuset: don't nest cgroup_mutex inside get_online_cpus()") the lock order cgroups_mutex -> cpu_hotplug_lock is a design decision and the whole code is built around that. So bite the bullet and invoke the relevant cpuset function, which waits for the work to finish, in _cpu_up/down() after dropping cpu_hotplug_lock and only when tasks are not frozen by suspend/hibernate because that would obviously wait forever. Waiting there with cpu_add_remove_lock, which is protecting the present and possible CPU maps, held is not a problem at all because neither work queues nor cpusets/cgroups have any lockchains related to that lock. Waiting in the hotplug machinery is not problematic either because there are already state callbacks which wait for hardware queues to drain. It makes the operations slightly slower, but hotplug is slow anyway. This ensures that state is consistent before returning from a hotplug up/down operation. It's still inconsistent during the operation, but that's a different story. Add a large comment which explains why this is done and why this is not a dump ground for the hack of the day to work around half thought out locking schemes. Document also the implications vs. hotplug operations and serialization or the lack of it. Thanks to Alexy and Joshua for analyzing why this temporary sched_setaffinity() failure happened. Fixes: 3a5a6d0c2b03("cpuset: don't nest cgroup_mutex inside get_online_cpus()") Reported-by: Alexey Klimov Reported-by: Joshua Baker Signed-off-by: Thomas Gleixner Tested-by: Alexey Klimov Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87tuowcnv3.ffs@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit a11a457820fbb51abd02e35e13e4775a5daf0cb1 Author: Zhenyu Ye Date: Wed Jun 23 15:05:22 2021 +0800 arm64: tlb: fix the TTL value of tlb_get_level commit 52218fcd61cb42bde0d301db4acb3ffdf3463cc7 upstream. The TTL field indicates the level of page table walk holding the *leaf* entry for the address being invalidated. But currently, the TTL field may be set to an incorrent value in the following stack: pte_free_tlb __pte_free_tlb tlb_remove_table tlb_table_invalidate tlb_flush_mmu_tlbonly tlb_flush In this case, we just want to flush a PTE page, but the tlb->cleared_pmds is set and we get tlb_level = 2 in the tlb_get_level() function. This may cause some unexpected problems. This patch set the TTL field to 0 if tlb->freed_tables is set. The tlb->freed_tables indicates page table pages are freed, not the leaf entry. Cc: # 5.9.x Fixes: c4ab2cbc1d87 ("arm64: tlb: Set the TTL field in flush_tlb_range") Acked-by: Catalin Marinas Reported-by: ZhuRui Signed-off-by: Zhenyu Ye Link: https://lore.kernel.org/r/b80ead47-1f88-3a00-18e1-cacc22f54cc4@huawei.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 0afa6ad0c49acc3dd7bb94f0f1e0646a25ccae25 Author: Timo Sigurdsson Date: Mon Jun 14 09:25:39 2021 +0200 ata: ahci_sunxi: Disable DIPM commit f6bca4d91b2ea052e917cca3f9d866b5cc1d500a upstream. DIPM is unsupported or broken on sunxi. Trying to enable the power management policy med_power_with_dipm on an Allwinner A20 SoC based board leads to immediate I/O errors and the attached SATA disk disappears from the /dev filesystem. A reset (power cycle) is required to make the SATA controller or disk work again. The A10 and A20 SoC data sheets and manuals don't mention DIPM at all [1], so it's fair to assume that it's simply not supported. But even if it was, it should be considered broken and best be disabled in the ahci_sunxi driver. [1] https://github.com/allwinner-zh/documents/tree/master/ Fixes: c5754b5220f0 ("ARM: sunxi: Add support for Allwinner SUNXi SoCs sata to ahci_platform") Cc: stable@vger.kernel.org Signed-off-by: Timo Sigurdsson Tested-by: Timo Sigurdsson Link: https://lore.kernel.org/r/20210614072539.3307-1-public_timo.s@silentcreek.de Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 5543f61e2e0cfa7b4a55f10a8a42755930115c2f Author: Christian Löhle Date: Wed May 12 16:03:24 2021 +0000 mmc: core: Allow UHS-I voltage switch for SDSC cards if supported commit 09247e110b2efce3a104e57e887c373e0a57a412 upstream. While initializing an UHS-I SD card, the mmc core first tries to switch to 1.8V I/O voltage, before it continues to change the settings for the bus speed mode. However, the current behaviour in the mmc core is inconsistent and doesn't conform to the SD spec. More precisely, an SD card that supports UHS-I must set both the SD_OCR_CCS bit and the SD_OCR_S18R bit in the OCR register response. When switching to 1.8V I/O the mmc core correctly checks both of the bits, but only the SD_OCR_S18R bit when changing the settings for bus speed mode. Rather than actually fixing the code to confirm to the SD spec, let's deliberately deviate from it by requiring only the SD_OCR_S18R bit for both parts. This enables us to support UHS-I for SDSC cards (outside spec), which is actually being supported by some existing SDSC cards. Moreover, this fixes the inconsistent behaviour. Signed-off-by: Christian Loehle Link: https://lore.kernel.org/r/CWXP265MB26803AE79E0AD5ED083BF2A6C4529@CWXP265MB2680.GBRP265.PROD.OUTLOOK.COM Cc: stable@vger.kernel.org [Ulf: Rewrote commit message and comments to clarify the changes] Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit b53b0ca4a4ec10ec45301ae4352ad1fb438bc765 Author: Wolfram Sang Date: Thu Jun 24 17:16:14 2021 +0200 mmc: core: clear flags before allowing to retune commit 77347eda64ed5c9383961d1de9165f9d0b7d8df6 upstream. It might be that something goes wrong during tuning so the MMC core will immediately trigger a retune. In our case it was: - we sent a tuning block - there was an error so we need to send an abort cmd to the eMMC - the abort cmd had a CRC error - retune was set by the MMC core This lead to a vicious circle causing a performance regression of 75%. So, clear retuning flags before we enable retuning to start with a known cleared state. Reported-by Yoshihiro Shimoda Suggested-by: Adrian Hunter Signed-off-by: Wolfram Sang Acked-by: Adrian Hunter Reviewed-by: Yoshihiro Shimoda Tested-by: Yoshihiro Shimoda Fixes: bd11e8bd03ca ("mmc: core: Flag re-tuning is needed on CRC errors") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210624151616.38770-2-wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 658f58189a4f56cec0092725d5c592ad8073351d Author: Al Cooper Date: Thu Jun 24 12:30:45 2021 -0400 mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode commit d0244847f9fc5e20df8b7483c8a4717fe0432d38 upstream. When an eMMC device is being run in HS400 mode, any access to the RPMB device will cause the error message "mmc1: Invalid UHS-I mode selected". This happens as a result of tuning being disabled before RPMB access and then re-enabled after the RPMB access is complete. When tuning is re-enabled, the system has to switch from HS400 to HS200 to do the tuning and then back to HS400. As part of sequence to switch from HS400 to HS200 the system is temporarily put into HS mode. When switching to HS mode, sdhci_get_preset_value() is called and does not have support for HS mode and prints the warning message and returns the preset for SDR12. The fix is to add support for MMC and SD HS modes to sdhci_get_preset_value(). This can be reproduced on any system running eMMC in HS400 mode (not HS400ES) by using the "mmc" utility to run the following command: "mmc rpmb read-counter /dev/mmcblk0rpmb". Signed-off-by: Al Cooper Acked-by: Adrian Hunter Fixes: 52983382c74f ("mmc: sdhci: enhance preset value function") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210624163045.33651-1-alcooperx@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 5ced01c0e8552b98f4688a2a773bd01006bedc15 Author: Hans de Goede Date: Mon May 3 11:21:57 2021 +0200 mmc: sdhci-acpi: Disable write protect detection on Toshiba Encore 2 WT8-B commit 94ee6782e045645abd9180ab9369b01293d862bd upstream. On the Toshiba Encore 2 WT8-B the microSD slot always reports the card being write-protected even though microSD cards do not have a write-protect switch at all. Add a new DMI_QUIRK_SD_NO_WRITE_PROTECT quirk entry to sdhci-acpi.c's DMI quirk table for this. Signed-off-by: Hans de Goede Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20210503092157.5689-1-hdegoede@redhat.com Signed-off-by: Ulf Hansson Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 3f9c2a058e61b8df9fef196ad6180fbf9932ed80 Author: Kees Cook Date: Thu Jun 17 14:33:01 2021 -0700 drm/i915/display: Do not zero past infoframes.vsc commit 07b72960d2b4a087ff2445e286159e69742069cc upstream. intel_dp_vsc_sdp_unpack() was using a memset() size (36, struct dp_sdp) larger than the destination (24, struct drm_dp_vsc_sdp), clobbering fields in struct intel_crtc_state after infoframes.vsc. Use the actual target size for the memset(). Fixes: 1b404b7dbb10 ("drm/i915/dp: Read out DP SDPs") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: José Roberto de Souza Signed-off-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20210617213301.1824728-1-keescook@chromium.org (cherry picked from commit c88e2647c5bb45d04dc4302018ebe6ebbf331823) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 8abf5eec0ebdced577916f8cc1e6011871713684 Author: Daniel Vetter Date: Tue Apr 27 11:20:16 2021 +0200 drm/nouveau: Don't set allow_fb_modifiers explicitly commit cee93c028288b9af02919f3bd8593ba61d1e610d upstream. Since commit 890880ddfdbe256083170866e49c87618b706ac7 Author: Paul Kocialkowski Date: Fri Jan 4 09:56:10 2019 +0100 drm: Auto-set allow_fb_modifiers when given modifiers at plane init this is done automatically as part of plane init, if drivers set the modifier list correctly. Which is the case here. Note that this fixes an inconsistency: We've set the cap everywhere, but only nv50+ supports modifiers. Hence cc stable, but not further back then the patch from Paul. Reviewed-by: Lyude Paul Cc: stable@vger.kernel.org # v5.1 + Cc: Pekka Paalanen Signed-off-by: Daniel Vetter Cc: Ben Skeggs Cc: nouveau@lists.freedesktop.org Link: https://patchwork.freedesktop.org/patch/msgid/20210427092018.832258-6-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit 42a333ea4b4f6e0eff524d837d4551b2adb0025d Author: Daniel Vetter Date: Tue Apr 27 11:20:12 2021 +0200 drm/arm/malidp: Always list modifiers commit 26c3e7fd5a3499e408915dadae5d5360790aae9a upstream. Even when all we support is linear, make that explicit. Otherwise the uapi is rather confusing. Acked-by: Liviu Dudau Acked-by: Pekka Paalanen Reviewed-by: Lyude Paul Cc: stable@vger.kernel.org Cc: Pekka Paalanen Cc: Liviu Dudau Cc: Brian Starkey Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210427092018.832258-2-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit 0bcc074f90d2531d820d4973a7969dbc8a625429 Author: Daniel Vetter Date: Tue Apr 27 11:20:15 2021 +0200 drm/msm/mdp4: Fix modifier support enabling commit 35cbb8c91e9cf310277d3dfb4d046df8edf2df33 upstream. Setting the cap without the modifier list is very confusing to userspace. Fix that by listing the ones we support explicitly. Stable backport so that userspace can rely on this working in a reasonable way, i.e. that the cap set implies IN_FORMATS is available. Acked-by: Pekka Paalanen Reviewed-by: Lyude Paul Cc: stable@vger.kernel.org Cc: Pekka Paalanen Cc: Rob Clark Cc: Jordan Crouse Cc: Emil Velikov Cc: Sam Ravnborg Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210427092018.832258-5-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit 4d61ddd740416fc06e5edd4ae797655435fd324f Author: Daniel Vetter Date: Tue Apr 13 11:49:01 2021 +0200 drm/tegra: Don't set allow_fb_modifiers explicitly commit be4306ad928fcf736cbe2616b6dd19d91f1bc083 upstream. Since commit 890880ddfdbe256083170866e49c87618b706ac7 Author: Paul Kocialkowski Date: Fri Jan 4 09:56:10 2019 +0100 drm: Auto-set allow_fb_modifiers when given modifiers at plane init this is done automatically as part of plane init, if drivers set the modifier list correctly. Which is the case here. It was slightly inconsistently though, since planes with only linear modifier support haven't listed that explicitly. Fix that, and cc: stable to allow userspace to rely on this. Again don't backport further than where Paul's patch got added. Cc: stable@vger.kernel.org # v5.1 + Cc: Pekka Paalanen Acked-by: Thierry Reding Signed-off-by: Daniel Vetter Cc: Thierry Reding Cc: Jonathan Hunter Cc: linux-tegra@vger.kernel.org Link: https://patchwork.freedesktop.org/patch/msgid/20210413094904.3736372-10-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit c6016936171a7b179b2c478ceb7fbd092ee4f9f8 Author: Harry Wentland Date: Thu Apr 22 19:10:52 2021 -0400 drm/amd/display: Reject non-zero src_y and src_x for video planes commit c6c6a712199ab355ce333fa5764a59506bb107c1 upstream. [Why] This hasn't been well tested and leads to complete system hangs on DCN1 based systems, possibly others. The system hang can be reproduced by gesturing the video on the YouTube Android app on ChromeOS into full screen. [How] Reject atomic commits with non-zero drm_plane_state.src_x or src_y values. v2: - Add code comment describing the reason we're rejecting non-zero src_x and src_y - Drop gerrit Change-Id - Add stable CC - Based on amd-staging-drm-next v3: removed trailing whitespace Signed-off-by: Harry Wentland Cc: stable@vger.kernel.org Cc: nicholas.kazlauskas@amd.com Cc: amd-gfx@lists.freedesktop.org Cc: alexander.deucher@amd.com Cc: Roman.Li@amd.com Cc: hersenxs.wu@amd.com Cc: danny.wang@amd.com Reviewed-by: Nicholas Kazlauskas Acked-by: Christian König Reviewed-by: Hersen Wu Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 7d30538894005e69efb2449440c9274d1cfd2928 Author: Maximilian Luz Date: Wed May 12 23:03:16 2021 +0200 pinctrl/amd: Add device HID for new AMD GPIO controller commit 1ca46d3e43569186bd1decfb02a6b4c4ddb4304b upstream. Add device HID AMDI0031 to the AMD GPIO controller driver match table. This controller can be found on Microsoft Surface Laptop 4 devices and seems similar enough that we can just copy the existing AMDI0030 entry. Cc: # 5.10+ Tested-by: Sachi King Signed-off-by: Maximilian Luz Link: https://lore.kernel.org/r/20210512210316.1982416-1-luzmaximilian@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit b13574fa83ac55a9c3aa7f075ef5db62b444f7b5 Author: Guchun Chen Date: Mon Jun 28 17:03:48 2021 +0800 drm/amd/display: fix incorrrect valid irq check commit e38ca7e422791a4d1c01e56dbf7f9982db0ed365 upstream. valid DAL irq should be < DAL_IRQ_SOURCES_NUMBER. Signed-off-by: Guchun Chen Reviewed-and-tested-by: Evan Quan Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 3c8216b3503ab891221fca7cadb0de6969e33878 Author: Thomas Hebb Date: Sun Apr 18 19:03:04 2021 -0700 drm/rockchip: dsi: remove extra component_del() call commit b354498bbe65c917d521b3b56317ddc9ab217425 upstream. commit cf6d100dd238 ("drm/rockchip: dsi: add dual mipi support") added this devcnt field and call to component_del(). However, these both appear to be erroneous changes left over from an earlier version of the patch. In the version merged, nothing ever modifies devcnt, meaning component_del() runs unconditionally and in addition to the component_del() calls in dw_mipi_dsi_rockchip_host_detach(). The second call fails to delete anything and produces a warning in dmesg. If we look at the previous version of the patch[1], however, we see that it had logic to calculate devcnt and call component_add() in certain situations. This was removed in v6, and the fact that the deletion code was not appears to have been an oversight. [1] https://patchwork.kernel.org/project/dri-devel/patch/20180821140515.22246-8-heiko@sntech.de/ Fixes: cf6d100dd238 ("drm/rockchip: dsi: add dual mipi support") Cc: stable@vger.kernel.org Signed-off-by: Thomas Hebb Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/201385acb0eeb5dfb037afdc6a94bfbcdab97f99.1618797778.git.tommyhebb@gmail.com Signed-off-by: Greg Kroah-Hartman commit 2998599fb16cd99b0384d2517bbd409a233a9695 Author: Lyude Paul Date: Fri Apr 30 18:34:27 2021 -0400 drm/dp: Handle zeroed port counts in drm_dp_read_downstream_info() commit 205bb69a90363541a634a662a599fddb95956524 upstream. While the DP specification isn't entirely clear on if this should be allowed or not, some branch devices report having downstream ports present while also reporting a downstream port count of 0. So to avoid breaking those devices, we need to handle this in drm_dp_read_downstream_info(). So, to do this we assume there's no downstream port info when the downstream port count is 0. Signed-off-by: Lyude Paul Tested-by: Jérôme de Bretagne Bugzilla: https://gitlab.freedesktop.org/drm/intel/-/issues/3416 Fixes: 3d3721ccb18a ("drm/i915/dp: Extract drm_dp_read_downstream_info()") Cc: # v5.10+ Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210430223428.10514-1-lyude@redhat.com Signed-off-by: Greg Kroah-Hartman commit 98bd09d928b370bf5d72a920974db7310404839c Author: Maxime Ripard Date: Fri May 7 17:05:09 2021 +0200 drm/vc4: hdmi: Prevent clock unbalance commit 5b006000423667ef0f55721fc93e477b31f22d28 upstream. Since we fixed the hooks to disable the encoder at boot, we now have an unbalanced clk_disable call at boot since we never enabled them in the first place. Let's mimic the state of the hardware and enable the clocks at boot if the controller is enabled to get the use-count right. Cc: # v5.10+ Fixes: 09c438139b8f ("drm/vc4: hdmi: Implement finer-grained hooks") Signed-off-by: Maxime Ripard Reviewed-by: Dave Stevenson Link: https://patchwork.freedesktop.org/patch/msgid/20210507150515.257424-7-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit a2b8835cb4d1cdae988a12f148896ea28e9820df Author: Maxime Ripard Date: Fri May 7 17:05:05 2021 +0200 drm/vc4: crtc: Skip the TXP commit 47a50743031ad4138050ae6d266ddd3dfe845ead upstream. The vc4_set_crtc_possible_masks is meant to run over all the encoders and then set their possible_crtcs mask to their associated pixelvalve. However, since the commit 39fcb2808376 ("drm/vc4: txp: Turn the TXP into a CRTC of its own"), the TXP has been turned to a CRTC and encoder of its own, and while it does indeed register an encoder, it no longer has an associated pixelvalve. The code will thus run over the TXP encoder and set a bogus possible_crtcs mask, overriding the one set in the TXP bind function. In order to fix this, let's skip any virtual encoder. Cc: # v5.9+ Fixes: 39fcb2808376 ("drm/vc4: txp: Turn the TXP into a CRTC of its own") Acked-by: Thomas Zimmermann Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210507150515.257424-3-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit 293e520d2043533647700c3240554b1fbf77ee59 Author: Maxime Ripard Date: Fri May 7 17:05:04 2021 +0200 drm/vc4: txp: Properly set the possible_crtcs mask commit bf6de8e61509f3c957d7f75f017b18d40a18a950 upstream. The current code does a binary OR on the possible_crtcs variable of the TXP encoder, while we want to set it to that value instead. Cc: # v5.9+ Fixes: 39fcb2808376 ("drm/vc4: txp: Turn the TXP into a CRTC of its own") Acked-by: Thomas Zimmermann Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210507150515.257424-2-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit 0d50d93d05d6571347f3ab9d28d0b80e5d142d81 Author: Tiezhu Yang Date: Mon Jun 28 10:53:06 2021 -0400 drm/radeon: Call radeon_suspend_kms() in radeon_pci_shutdown() for Loongson64 commit c1bfd74bfef77bcefc88d12eaf8996c0dfd51331 upstream. On the Loongson64 platform used with Radeon GPU, shutdown or reboot failed when console=tty is in the boot cmdline. radeon_suspend_kms() puts the hw in the suspend state, especially set fb state as FBINFO_STATE_SUSPENDED: if (fbcon) { console_lock(); radeon_fbdev_set_suspend(rdev, 1); console_unlock(); } Then avoid to do any more fb operations in the related functions: if (p->state != FBINFO_STATE_RUNNING) return; So call radeon_suspend_kms() in radeon_pci_shutdown() for Loongson64 to fix this issue, it looks like some kind of workaround like powerpc. Co-developed-by: Jianmin Lv Signed-off-by: Jianmin Lv Signed-off-by: Tiezhu Yang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 7aa28f2f67421d7ba9957275bc211a7782238f31 Author: Jing Xiangfeng Date: Tue Jun 29 19:44:55 2021 +0800 drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create() commit 9ba85914c36c8fed9bf3e8b69c0782908c1247b7 upstream. radeon_user_framebuffer_create() misses to call drm_gem_object_put() in an error path. Add the missed function call to fix it. Reviewed-by: Christian König Signed-off-by: Jing Xiangfeng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 2674ffcad0aef41425e1a4a40d3508caed989a1a Author: Aaron Liu Date: Fri Jun 25 13:50:19 2021 +0800 drm/amdgpu: enable sdma0 tmz for Raven/Renoir(V2) commit e2329e74a615cc58b25c42b7aa1477a5e3f6a435 upstream. Without driver loaded, SDMA0_UTCL1_PAGE.TMZ_ENABLE is set to 1 by default for all asic. On Raven/Renoir, the sdma goldsetting changes SDMA0_UTCL1_PAGE.TMZ_ENABLE to 0. This patch restores SDMA0_UTCL1_PAGE.TMZ_ENABLE to 1. Signed-off-by: Aaron Liu Acked-by: Luben Tuikov Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 8f933b27cbf1cd176f0a73ddeae19fae5e9bc189 Author: Joseph Greathouse Date: Tue Jun 29 21:08:52 2021 -0500 drm/amdgpu: Update NV SIMD-per-CU to 2 commit aa6158112645aae514982ad8d56df64428fcf203 upstream. Navi series GPUs have 2 SIMDs per CU (and then 2 CUs per WGP). The NV enum headers incorrectly listed this as 4, which later meant we were incorrectly reporting the number of SIMDs in the HSA topology. This could cause problems down the line for user-space applications that want to launch a fixed amount of work to each SIMD. Signed-off-by: Joseph Greathouse Reviewed-by: Alex Deucher Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 97ebbfe445cd695250ff0ede4fa6e9e5257e2221 Author: Haren Myneni Date: Thu Jun 17 13:29:05 2021 -0700 powerpc/powernv/vas: Release reference to tgid during window close commit 91cdbb955aa94ee0841af4685be40937345d29b8 upstream. The kernel handles the NX fault by updating CSB or sending signal to process. In multithread applications, children can open VAS windows and can exit without closing them. But the parent can continue to send NX requests with these windows. To prevent pid reuse, reference will be taken on pid and tgid when the window is opened and release them during window close. The current code is not releasing the tgid reference which can cause pid leak and this patch fixes the issue. Fixes: db1c08a740635 ("powerpc/vas: Take reference to PID and mm for user space windows") Cc: stable@vger.kernel.org # 5.8+ Reported-by: Nicholas Piggin Signed-off-by: Haren Myneni Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/6020fc4d444864fe20f7dcdc5edfe53e67480a1c.camel@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit a024e88f8ab79a7b7e15337096d4f5f77edc6a49 Author: Nathan Chancellor Date: Fri May 28 11:27:52 2021 -0700 powerpc/barrier: Avoid collision with clang's __lwsync macro commit 015d98149b326e0f1f02e44413112ca8b4330543 upstream. A change in clang 13 results in the __lwsync macro being defined as __builtin_ppc_lwsync, which emits 'lwsync' or 'msync' depending on what the target supports. This breaks the build because of -Werror in arch/powerpc, along with thousands of warnings: In file included from arch/powerpc/kernel/pmc.c:12: In file included from include/linux/bug.h:5: In file included from arch/powerpc/include/asm/bug.h:109: In file included from include/asm-generic/bug.h:20: In file included from include/linux/kernel.h:12: In file included from include/linux/bitops.h:32: In file included from arch/powerpc/include/asm/bitops.h:62: arch/powerpc/include/asm/barrier.h:49:9: error: '__lwsync' macro redefined [-Werror,-Wmacro-redefined] #define __lwsync() __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory") ^ :308:9: note: previous definition is here #define __lwsync __builtin_ppc_lwsync ^ 1 error generated. Undefine this macro so that the runtime patching introduced by commit 2d1b2027626d ("powerpc: Fixup lwsync at runtime") continues to work properly with clang and the build no longer breaks. Cc: stable@vger.kernel.org Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Signed-off-by: Michael Ellerman Link: https://github.com/ClangBuiltLinux/linux/issues/1386 Link: https://github.com/llvm/llvm-project/commit/62b5df7fe2b3fda1772befeda15598fbef96a614 Link: https://lore.kernel.org/r/20210528182752.1852002-1-nathan@kernel.org Signed-off-by: Greg Kroah-Hartman commit d2e52d4664097a6c1f591d869ec594bd7a0d4925 Author: Christophe Leroy Date: Thu Jul 1 11:17:08 2021 +0000 powerpc/mm: Fix lockup on kernel exec fault commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable@vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy Acked-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.1625138205.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 4ad382bc4abca717fe2e3203a2bdc9770b34e8aa Author: Mike Christie Date: Tue Jul 13 17:18:37 2021 +0800 scsi: iscsi: Fix iSCSI cls conn state commit 0dcf8febcb7b9d42bec98bc068e01d1a6ea578b8 upstream. In commit 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and sync thread") I missed that libiscsi was now setting the iSCSI class state, and that patch ended up resetting the state during conn stoppage and using the wrong state value during ep_disconnect. This patch moves the setting of the class state to the class module and then fixes the two issues above. Link: https://lore.kernel.org/r/20210406171746.5016-1-michael.christie@oracle.com Fixes: 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and sync thread") Cc: Gulam Mohamed Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit 221b7e1e76fb02a02a31001b253011a2725eb1ac Author: Gulam Mohamed Date: Tue Jul 13 17:18:36 2021 +0800 scsi: iscsi: Fix race condition between login and sync thread commit 9e67600ed6b8565da4b85698ec659b5879a6c1c6 upstream. A kernel panic was observed due to a timing issue between the sync thread and the initiator processing a login response from the target. The session reopen can be invoked both from the session sync thread when iscsid restarts and from iscsid through the error handler. Before the initiator receives the response to a login, another reopen request can be sent from the error handler/sync session. When the initial login response is subsequently processed, the connection has been closed and the socket has been released. To fix this a new connection state, ISCSI_CONN_BOUND, is added: - Set the connection state value to ISCSI_CONN_DOWN upon iscsi_if_ep_disconnect() and iscsi_if_stop_conn() - Set the connection state to the newly created value ISCSI_CONN_BOUND after bind connection (transport->bind_conn()) - In iscsi_set_param(), return -ENOTCONN if the connection state is not either ISCSI_CONN_BOUND or ISCSI_CONN_UP Link: https://lore.kernel.org/r/20210325093248.284678-1-gulam.mohamed@oracle.com Reviewed-by: Mike Christie Signed-off-by: Gulam Mohamed Signed-off-by: Martin K. Petersen Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit 9073188835081a433821ede2b34741c4aec6bcb4 Author: Jens Axboe Date: Tue Jul 13 17:18:35 2021 +0800 io_uring: convert io_buffer_idr to XArray commit 9e15c3a0ced5a61f320b989072c24983cb1620c1 upstream. Like we did for the personality idr, convert the IO buffer idr to use XArray. This avoids a use-after-free on removal of entries, since idr doesn't like doing so from inside an iterator, and it nicely reduces the amount of code we need to support this feature. Fixes: 5a2e745d4d43 ("io_uring: buffer registration infrastructure") Cc: stable@vger.kernel.org Cc: Matthew Wilcox Cc: yangerkun Reported-by: Hulk Robot Signed-off-by: Jens Axboe Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit c5a50a220a41dbde66ec001f50a25f52cd0a00eb Author: Matthew Wilcox (Oracle) Date: Tue Jul 13 17:18:34 2021 +0800 io_uring: Convert personality_idr to XArray commit 61cf93700fe6359552848ed5e3becba6cd760efa upstream. You can't call idr_remove() from within a idr_for_each() callback, but you can call xa_erase() from an xa_for_each() loop, so switch the entire personality_idr from the IDR to the XArray. This manifests as a use-after-free as idr_for_each() attempts to walk the rest of the node after removing the last entry from it. Fixes: 071698e13ac6 ("io_uring: allow registering credentials") Cc: stable@vger.kernel.org # 5.6+ Reported-by: yangerkun Signed-off-by: Matthew Wilcox (Oracle) [Pavel: rebased (creds load was moved into io_init_req())] Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/7ccff36e1375f2b0ebf73d957f037b43becc0dde.1615212806.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit cb2985feb11816d351840651530f620abf860fae Author: Yejune Deng Date: Tue Jul 13 17:18:33 2021 +0800 io_uring: simplify io_remove_personalities() commit 0bead8cd39b9c9c7c4e902018ccf129107ac50ef upstream. The function io_remove_personalities() is very similar to io_unregister_personality(),so implement io_remove_personalities() calling io_unregister_personality(). Signed-off-by: Yejune Deng Reviewed-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit 7d4f96158852d2722e00a6bd2e77a883b0bf61ce Author: Oscar Salvador Date: Tue Jul 13 17:18:32 2021 +0800 mm,hwpoison: return -EBUSY when migration fails commit 3f4b815a439adfb8f238335612c4b28bc10084d8 upstream. Currently, we return -EIO when we fail to migrate the page. Migrations' failures are rather transient as they can happen due to several reasons, e.g: high page refcount bump, mapping->migrate_page failing etc. All meaning that at that time the page could not be migrated, but that has nothing to do with an EIO error. Let us return -EBUSY instead, as we do in case we failed to isolate the page. While are it, let us remove the "ret" print as its value does not change. Link: https://lkml.kernel.org/r/20201209092818.30417-1-osalvador@suse.de Signed-off-by: Oscar Salvador Acked-by: Naoya Horiguchi Acked-by: Vlastimil Babka Cc: David Hildenbrand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit fd6625a1ec40f8c3bd56805cfab56ea461585293 Author: Mauricio Faria de Oliveira Date: Mon Feb 22 12:41:23 2021 -0300 loop: fix I/O error on fsync() in detached loop devices commit 4ceddce55eb35d15b0f87f5dcf6f0058fd15d3a4 upstream. There's an I/O error on fsync() in a detached loop device if it has been previously attached. The issue is write cache is enabled in the attach path in loop_configure() but it isn't disabled in the detach path; thus it remains enabled in the block device regardless of whether it is attached or not. Now fsync() can get an I/O request that will just be failed later in loop_queue_rq() as device's state is not 'Lo_bound'. So, disable write cache in the detach path. Do so based on the queue flag, not the loop device flag for read-only (used to enable) as the queue flag can be changed via sysfs even on read-only loop devices (e.g., losetup -r.) Test-case: # DEV=/dev/loop7 # IMG=/tmp/image # truncate --size 1M $IMG # losetup $DEV $IMG # losetup -d $DEV Before: # strace -e fsync parted -s $DEV print 2>&1 | grep fsync fsync(3) = -1 EIO (Input/output error) Warning: Error fsyncing/closing /dev/loop7: Input/output error [ 982.529929] blk_update_request: I/O error, dev loop7, sector 0 op 0x1:(WRITE) flags 0x800 phys_seg 0 prio class 0 After: # strace -e fsync parted -s $DEV print 2>&1 | grep fsync fsync(3) = 0 Co-developed-by: Eric Desrochers Signed-off-by: Eric Desrochers Signed-off-by: Mauricio Faria de Oliveira Tested-by: Gabriel Krisman Bertazi Reviewed-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Hanjun Guo Signed-off-by: Greg Kroah-Hartman commit 88f0bc830c52f7c6015ea5b174997466ea208c3e Author: Cameron Nemo Date: Tue May 4 16:36:13 2021 +0800 arm64: dts: rockchip: Enable USB3 for rk3328 Rock64 commit bbac8bd65f5402281cb7b0452c1c5f367387b459 upstream. Enable USB3 nodes for the rk3328-based PINE Rock64 board. The separate power regulator is not added as it is controlled by the same GPIO line as the existing VBUS regulators, so it is already enabled. Also there is no port representation to tie the regulator to. [wens@csie.org: Rebased onto v5.12] Signed-off-by: Cameron Nemo [wens@csie.org: Rewrote commit message] Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20210504083616.9654-2-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit 421aff50af5e4cdc56b3ac8d6b670e09697bc8ac Author: Cameron Nemo Date: Tue Feb 9 20:23:49 2021 +0100 arm64: dts: rockchip: add rk3328 dwc3 usb controller node commit 44dd5e2106dc2fd01697b539085818d1d1c58df0 upstream. RK3328 SoCs have one USB 3.0 OTG controller which uses DWC_USB3 core's general architecture. It can act as static xHCI host controller, static device controller, USB 3.0/2.0 OTG basing on ID of USB3.0 PHY. Signed-off-by: William Wu Signed-off-by: Cameron Nemo Signed-off-by: Johan Jonker Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20210209192350.7130-7-jbx6244@gmail.com Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit 8eb12fa96bc519607929d4681aa7ee9601f76feb Author: Dan Carpenter Date: Tue Dec 8 09:52:57 2020 +0200 ath11k: unlock on error path in ath11k_mac_op_add_interface() commit 59ec8e2fa5aaed6afd18d5362dc131aab92406e7 upstream. These error paths need to drop the &ar->conf_mutex before returning. Fixes: 690ace20ff79 ("ath11k: peer delete synchronization with firmware") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/X85sVGVP/0XvlrEJ@mwanda Signed-off-by: Nobuhiro Iwamatsu (CIP) Signed-off-by: Greg Kroah-Hartman commit 9706c53433467ba3bc664d78b1e820e411cf59c7 Author: Paul Cercueil Date: Fri Jun 25 11:49:29 2021 +0100 MIPS: MT extensions are not available on MIPS32r1 commit cad065ed8d8831df67b9754cc4437ed55d8b48c0 upstream. MIPS MT extensions were added with the MIPS 34K processor, which was based on the MIPS32r2 ISA. This fixes a build error when building a generic kernel for a MIPS32r1 CPU. Fixes: c434b9f80b09 ("MIPS: Kconfig: add MIPS_GENERIC_KERNEL symbol") Cc: stable@vger.kernel.org # v5.9 Signed-off-by: Paul Cercueil Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 6cf2e905b1a03f0aeff64537aedee933e5bfe563 Author: Xiaochen Shen Date: Thu May 27 17:31:53 2021 +0800 selftests/resctrl: Fix incorrect parsing of option "-t" commit 1421ec684a43379b2aa3cfda20b03d38282dc990 upstream. Resctrl test suite accepts command line argument "-t" to specify the unit tests to run in the test list (e.g., -t mbm,mba,cmt,cat) as documented in the help. When calling strtok() to parse the option, the incorrect delimiters argument ":\t" is used. As a result, passing "-t mbm,mba,cmt,cat" throws an invalid option error. Fix this by using delimiters argument "," instead of ":\t" for parsing of unit tests list. At the same time, remove the unnecessary "spaces" between the unit tests in help documentation to prevent confusion. Fixes: 790bf585b0ee ("selftests/resctrl: Add Cache Allocation Technology (CAT) selftest") Fixes: 78941183d1b1 ("selftests/resctrl: Add Cache QoS Monitoring (CQM) selftest") Fixes: ecdbb911f22d ("selftests/resctrl: Add MBM test") Fixes: 034c7678dd2c ("selftests/resctrl: Add README for resctrl tests") Cc: stable@vger.kernel.org Signed-off-by: Xiaochen Shen Reviewed-by: Tony Luck Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit 10f8fca6761bd8aa030ad80f9a75c0191689c6b7 Author: Nick Desaulniers Date: Mon Jun 28 14:50:26 2021 -0700 MIPS: set mips32r5 for virt extensions [ Upstream commit c994a3ec7ecc8bd2a837b2061e8a76eb8efc082b ] Clang's integrated assembler only accepts these instructions when the cpu is set to mips32r5. With this change, we can assemble malta_defconfig with Clang via `make LLVM_IAS=1`. Link: https://github.com/ClangBuiltLinux/linux/issues/763 Reported-by: Dmitry Golovin Signed-off-by: Nick Desaulniers Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit ff4762bcb95ea9d1427c9c2dc6e434b0fd93a64e Author: zhanglianjie Date: Mon Jun 28 17:11:05 2021 +0800 MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops [ Upstream commit 6817c944430d00f71ccaa9c99ff5b0096aeb7873 ] The cause of the problem is as follows: 1. when cat /sys/devices/system/memory/memory0/valid_zones, test_pages_in_a_zone() will be called. 2. test_pages_in_a_zone() finds the zone according to stat_pfn = 0. The smallest pfn of the numa node in the mips architecture is 128, and the page corresponding to the previous 0~127 pfn is not initialized (page->flags is 0xFFFFFFFF) 3. The nid and zonenum obtained using page_zone(pfn_to_page(0)) are out of bounds in the corresponding array, &NODE_DATA(page_to_nid(page))->node_zones[page_zonenum(page)], access to the out-of-bounds zone member variables appear abnormal, resulting in Oops. Therefore, it is necessary to keep the page between 0 and the minimum pfn to prevent Oops from appearing. Signed-off-by: zhanglianjie Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 6ef81a5c0e22233e13c748e813c54d3bf0145782 Author: Marcelo Ricardo Leitner Date: Mon Jun 28 16:13:42 2021 -0300 sctp: add size validation when walking chunks [ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ] The first chunk in a packet is ensured to be present at the beginning of sctp_rcv(), as a packet needs to have at least 1 chunk. But the second one, may not be completely available and ch->length can be over uninitialized memory. Fix here is by only trying to walk on the next chunk if there is enough to hold at least the header, and then proceed with the ch->length validation that is already there. Reported-by: Ilja Van Sprundel Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d4dbef7046e24669278eba4455e9e8053ead6ba0 Author: Marcelo Ricardo Leitner Date: Mon Jun 28 16:13:41 2021 -0300 sctp: validate from_addr_param return [ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ] Ilja reported that, simply putting it, nothing was validating that from_addr_param functions were operating on initialized memory. That is, the parameter itself was being validated by sctp_walk_params, but it doesn't check for types and their specific sizes and it could be a 0-length one, causing from_addr_param to potentially work over the next parameter or even uninitialized memory. The fix here is to, in all calls to from_addr_param, check if enough space is there for the wanted IP address type. Reported-by: Ilja Van Sprundel Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e83f312114a01b0a76a85e26a475bc780fd35d23 Author: gushengxian Date: Sat Jun 26 04:56:06 2021 -0700 flow_offload: action should not be NULL when it is referenced [ Upstream commit 9ea3e52c5bc8bb4a084938dc1e3160643438927a ] "action" should not be NULL when it is referenced. Signed-off-by: gushengxian <13145886936@163.com> Signed-off-by: gushengxian Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a61af0114118147a52757bd4738f897099f3c846 Author: Rustam Kovhaev Date: Sat Jun 26 11:11:56 2021 -0700 bpf: Fix false positive kmemleak report in bpf_ringbuf_area_alloc() [ Upstream commit ccff81e1d028bbbf8573d3364a87542386c707bf ] kmemleak scans struct page, but it does not scan the page content. If we allocate some memory with kmalloc(), then allocate page with alloc_page(), and if we put kmalloc pointer somewhere inside that page, kmemleak will report kmalloc pointer as a false positive. We can instruct kmemleak to scan the memory area by calling kmemleak_alloc() and kmemleak_free(), but part of struct bpf_ringbuf is mmaped to user space, and if struct bpf_ringbuf changes we would have to revisit and review size argument in kmemleak_alloc(), because we do not want kmemleak to scan the user space memory. Let's simplify things and use kmemleak_not_leak() here. For posterity, also adding additional prior analysis from Andrii: I think either kmemleak or syzbot are misreporting this. I've added a bunch of printks around all allocations performed by BPF ringbuf. [...] On repro side I get these two warnings: [vmuser@archvm bpf]$ sudo ./repro BUG: memory leak unreferenced object 0xffff88810d538c00 (size 64): comm "repro", pid 2140, jiffies 4294692933 (age 14.540s) hex dump (first 32 bytes): 00 af 19 04 00 ea ff ff c0 ae 19 04 00 ea ff ff ................ 80 ae 19 04 00 ea ff ff c0 29 2e 04 00 ea ff ff .........)...... backtrace: [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0 [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218 [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90 [<00000000f601d565>] do_syscall_64+0x2d/0x40 [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae BUG: memory leak unreferenced object 0xffff88810d538c80 (size 64): comm "repro", pid 2143, jiffies 4294699025 (age 8.448s) hex dump (first 32 bytes): 80 aa 19 04 00 ea ff ff 00 ab 19 04 00 ea ff ff ................ c0 ab 19 04 00 ea ff ff 80 44 28 04 00 ea ff ff .........D(..... backtrace: [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0 [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218 [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90 [<00000000f601d565>] do_syscall_64+0x2d/0x40 [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae Note that both reported leaks (ffff88810d538c80 and ffff88810d538c00) correspond to pages array bpf_ringbuf is allocating and tracking properly internally. Note also that syzbot repro doesn't close FD of created BPF ringbufs, and even when ./repro itself exits with error, there are still two forked processes hanging around in my system. So clearly ringbuf maps are alive at that point. So reporting any memory leak looks weird at that point, because that memory is being used by active referenced BPF ringbuf. It's also a question why repro doesn't clean up its forks. But if I do a `pkill repro`, I do see that all the allocated memory is /properly/ cleaned up [and the] "leaks" are deallocated properly. BTW, if I add close() right after bpf() syscall in syzbot repro, I see that everything is immediately deallocated, like designed. And no memory leak is reported. So I don't think the problem is anywhere in bpf_ringbuf code, rather in the leak detection and/or repro itself. Reported-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com Signed-off-by: Rustam Kovhaev [ Daniel: also included analysis from Andrii to the commit log ] Signed-off-by: Daniel Borkmann Tested-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com Cc: Dmitry Vyukov Cc: Andrii Nakryiko Link: https://lore.kernel.org/bpf/CAEf4BzYk+dqs+jwu6VKXP-RttcTEGFe+ySTGWT9CRNkagDiJVA@mail.gmail.com Link: https://lore.kernel.org/lkml/YNTAqiE7CWJhOK2M@nuc10 Link: https://lore.kernel.org/lkml/20210615101515.GC26027@arm.com Link: https://syzkaller.appspot.com/bug?extid=5d895828587f49e7fe9b Link: https://lore.kernel.org/bpf/20210626181156.1873604-1-rkovhaev@gmail.com Signed-off-by: Sasha Levin commit 20285dc2711c96a7fc1a72707823c580702edde6 Author: Odin Ugedal Date: Thu Jun 24 13:18:15 2021 +0200 sched/fair: Ensure _sum and _avg values stay consistent [ Upstream commit 1c35b07e6d3986474e5635be566e7bc79d97c64d ] The _sum and _avg values are in general sync together with the PELT divider. They are however not always completely in perfect sync, resulting in situations where _sum gets to zero while _avg stays positive. Such situations are undesirable. This comes from the fact that PELT will increase period_contrib, also increasing the PELT divider, without updating _sum and _avg values to stay in perfect sync where (_sum == _avg * divider). However, such PELT change will never lower _sum, making it impossible to end up in a situation where _sum is zero and _avg is not. Therefore, we need to ensure that when subtracting load outside PELT, that when _sum is zero, _avg is also set to zero. This occurs when (_sum < _avg * divider), and the subtracted (_avg * divider) is bigger or equal to the current _sum, while the subtracted _avg is smaller than the current _avg. Reported-by: Sachin Sant Reported-by: Naresh Kamboju Signed-off-by: Odin Ugedal Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Tested-by: Sachin Sant Link: https://lore.kernel.org/r/20210624111815.57937-1-odin@uged.al Signed-off-by: Sasha Levin commit e2296a4365f2e60b8e70425d83181e6c0f0d7a63 Author: Tim Jiang Date: Tue Jun 1 17:57:10 2021 +0800 Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. [ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ] This is btsoc timing issue, after host start to downloading bt firmware, ep2 need time to switch from function acl to function dfu, so host add 20ms delay as workaround. Signed-off-by: Tim Jiang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 8d7a3989c14de6a2cac975d85c0ec79df0eacccd Author: Tedd Ho-Jeong An Date: Wed May 26 10:36:22 2021 -0700 Bluetooth: mgmt: Fix the command returns garbage parameter value [ Upstream commit 02ce2c2c24024aade65a8d91d6a596651eaf2d0a ] When the Get Device Flags command fails, it returns the error status with the parameters filled with the garbage values. Although the parameters are not used, it is better to fill with zero than the random values. Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 05298f1733c6fc5d05b05113e20ee373076edd99 Author: Hilda Wu Date: Fri May 14 11:19:01 2021 +0800 Bluetooth: btusb: Add support USB ALT 3 for WBS [ Upstream commit e848dbd364aca44c9d23c04bef964fab79e2b34f ] Because mSBC frames do not need to be aligned to the SCO packet boundary. Using USB ALT 3 let HCI payload >= 60 bytes, let mSBC data satisfy 60 Bytes avoid payload unaligned situation and fixed some headset no voise issue. USB Alt 3 supported also need HFP support transparent MTU in 72 Bytes. Signed-off-by: Hilda Wu Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit cc49ab24ec3799f5bc91338fdec81f672a0c5deb Author: Luiz Augusto von Dentz Date: Wed May 19 13:41:51 2021 -0700 Bluetooth: L2CAP: Fix invalid access on ECRED Connection response [ Upstream commit de895b43932cb47e69480540be7eca289af24f23 ] The use of l2cap_chan_del is not safe under a loop using list_for_each_entry. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 79a313086426841359d47413274a2140ae6cfd57 Author: Luiz Augusto von Dentz Date: Wed May 19 13:41:50 2021 -0700 Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails [ Upstream commit 1fa20d7d4aad02206e84b74915819fbe9f81dab3 ] The use of l2cap_chan_del is not safe under a loop using list_for_each_entry. Reported-by: Dan Carpenter Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c4a9967e4d0961f53cf12b7c666fed6a7c2df783 Author: Daniel Lenski Date: Tue May 18 10:25:46 2021 -0700 Bluetooth: btusb: Add a new QCA_ROME device (0cf3:e500) [ Upstream commit 0324d19cb99804d99e42c990b8b1e191575a091b ] This patch adds the 0cf3:e500 Bluetooth device (from a QCA9377 board) as a QCA_ROME device. It appears to be functionally identical to another device ID, also from a QCA9377 board, which was previously marked as QCA_ROME in 0a03f98b98c201191e3ba15a0e33f46d8660e1fd ("Bluetooth: Add a new 04ca:3015 QCA_ROME device"). Without this patch, the WiFi side of the QCA9377 board is slow or unusable when the Bluetooth side is in use. See https://askubuntu.com/a/1137852 for another report of QCA_ROME fixing this issue for this device ID. /sys/kernel/debug/usb/devices: T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=e500 Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Daniel Lenski Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 60789afc02f592b8d91217b60930e7a76271ae07 Author: Kai-Heng Feng Date: Fri May 14 15:14:52 2021 +0800 Bluetooth: Shutdown controller after workqueues are flushed or cancelled [ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ] Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it stops working: [ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed [ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on [ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd [ 545.660350] usb 3-10: device descriptor read/64, error -110 [ 561.283530] usb 3-10: device descriptor read/64, error -110 [ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd [ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500 [ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113) [ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110) [ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113) [ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110) Or kernel panics because other workqueues already freed skb: [ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 2048.663775] #PF: supervisor read access in kernel mode [ 2048.663779] #PF: error_code(0x0000) - not-present page [ 2048.663782] PGD 0 P4D 0 [ 2048.663787] Oops: 0000 [#1] SMP NOPTI [ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20 [ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020 [ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50 [ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1 07 83 f8 01 [ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286 [ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000 [ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000 [ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0 [ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000 [ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000 [ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000 [ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0 [ 2048.663856] PKRU: 55555554 [ 2048.663859] Call Trace: [ 2048.663865] ? skb_release_head_state+0x5e/0x80 [ 2048.663873] kfree_skb+0x2f/0xb0 [ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb] [ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth] [ 2048.663954] ? __cond_resched+0x1a/0x50 [ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth] [ 2048.664007] rfkill_set_block+0x98/0x170 [ 2048.664016] rfkill_fop_write+0x136/0x1e0 [ 2048.664022] vfs_write+0xc7/0x260 [ 2048.664030] ksys_write+0xb1/0xe0 [ 2048.664035] ? exit_to_user_mode_prepare+0x37/0x1c0 [ 2048.664042] __x64_sys_write+0x1a/0x20 [ 2048.664048] do_syscall_64+0x40/0xb0 [ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 2048.664060] RIP: 0033:0x7fe02ac23c27 [ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 [ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27 [ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003 [ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440 [ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 [ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff So move the shutdown callback to a place where workqueues are either flushed or cancelled to resolve the issue. Signed-off-by: Kai-Heng Feng Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 5147d86c4a5b54d9b9a3d74ee764fddbd76586ee Author: Kiran K Date: Thu Apr 8 22:31:59 2021 +0530 Bluetooth: Fix alt settings for incoming SCO with transparent coding format [ Upstream commit 06d213d8a89a6f55b708422c3dda2b22add10748 ] For incoming SCO connection with transparent coding format, alt setting of CVSD is getting applied instead of Transparent. Before fix: < HCI Command: Accept Synchron.. (0x01|0x0029) plen 21 #2196 [hci0] 321.342548 Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) Transmit bandwidth: 8000 Receive bandwidth: 8000 Max latency: 13 Setting: 0x0003 Input Coding: Linear Input Data Format: 1's complement Input Sample Size: 8-bit # of bits padding at MSB: 0 Air Coding Format: Transparent Data Retransmission effort: Optimize for link quality (0x02) Packet type: 0x003f HV1 may be used HV2 may be used HV3 may be used EV3 may be used EV4 may be used EV5 may be used > HCI Event: Command Status (0x0f) plen 4 #2197 [hci0] 321.343585 Accept Synchronous Connection Request (0x01|0x0029) ncmd 1 Status: Success (0x00) > HCI Event: Synchronous Connect Comp.. (0x2c) plen 17 #2198 [hci0] 321.351666 Status: Success (0x00) Handle: 257 Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) Link type: eSCO (0x02) Transmission interval: 0x0c Retransmission window: 0x04 RX packet length: 60 TX packet length: 60 Air mode: Transparent (0x03) ........ > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2336 [hci0] 321.383655 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #2337 [hci0] 321.389558 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2338 [hci0] 321.393615 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2339 [hci0] 321.393618 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2340 [hci0] 321.393618 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #2341 [hci0] 321.397070 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2342 [hci0] 321.403622 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2343 [hci0] 321.403625 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2344 [hci0] 321.403625 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2345 [hci0] 321.403625 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #2346 [hci0] 321.404569 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #2347 [hci0] 321.412091 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2348 [hci0] 321.413626 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2349 [hci0] 321.413630 > SCO Data RX: Handle 257 flags 0x00 dlen 48 #2350 [hci0] 321.413630 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #2351 [hci0] 321.419674 After fix: < HCI Command: Accept Synchronou.. (0x01|0x0029) plen 21 #309 [hci0] 49.439693 Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) Transmit bandwidth: 8000 Receive bandwidth: 8000 Max latency: 13 Setting: 0x0003 Input Coding: Linear Input Data Format: 1's complement Input Sample Size: 8-bit # of bits padding at MSB: 0 Air Coding Format: Transparent Data Retransmission effort: Optimize for link quality (0x02) Packet type: 0x003f HV1 may be used HV2 may be used HV3 may be used EV3 may be used EV4 may be used EV5 may be used > HCI Event: Command Status (0x0f) plen 4 #310 [hci0] 49.440308 Accept Synchronous Connection Request (0x01|0x0029) ncmd 1 Status: Success (0x00) > HCI Event: Synchronous Connect Complete (0x2c) plen 17 #311 [hci0] 49.449308 Status: Success (0x00) Handle: 257 Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) Link type: eSCO (0x02) Transmission interval: 0x0c Retransmission window: 0x04 RX packet length: 60 TX packet length: 60 Air mode: Transparent (0x03) < SCO Data TX: Handle 257 flags 0x00 dlen 60 #312 [hci0] 49.450421 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #313 [hci0] 49.457927 > HCI Event: Max Slots Change (0x1b) plen 3 #314 [hci0] 49.460345 Handle: 256 Max slots: 5 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #315 [hci0] 49.465453 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #316 [hci0] 49.470502 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #317 [hci0] 49.470519 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #318 [hci0] 49.472996 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #319 [hci0] 49.480412 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #320 [hci0] 49.480492 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #321 [hci0] 49.487989 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #322 [hci0] 49.490303 < SCO Data TX: Handle 257 flags 0x00 dlen 60 #323 [hci0] 49.495496 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #324 [hci0] 49.500304 > SCO Data RX: Handle 257 flags 0x00 dlen 60 #325 [hci0] 49.500311 Signed-off-by: Kiran K Signed-off-by: Lokendra Singh Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 8f939b4c25630e7a8190fc463964eb6e31cf97ae Author: Yu Liu Date: Mon Apr 19 16:53:30 2021 -0700 Bluetooth: Fix the HCI to MGMT status conversion table [ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ] 0x2B, 0x31 and 0x33 are reserved for future use but were not present in the HCI to MGMT conversion table, this caused the conversion to be incorrect for the HCI status code greater than 0x2A. Reviewed-by: Miao-chen Chou Signed-off-by: Yu Liu Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 5f5f8022c1aaa5e184bf2a3ce130a821e9a1684b Author: mark-yw.chen Date: Mon Apr 12 23:06:26 2021 +0800 Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip. [ Upstream commit 8454ed9ff9647e31e061fb5eb2e39ce79bc5e960 ] This patch reduce in-token during download patch procedure. Don't submit urb for polling event before sending hci command. Signed-off-by: mark-yw.chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 3d08b5917984f737f32d5bee9737b9075c3895c6 Author: Gerd Rausch Date: Thu Jun 24 11:55:31 2021 -0700 RDMA/cma: Fix rdma_resolve_route() memory leak [ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ] Fix a memory leak when "mda_resolve_route() is called more than once on the same "rdma_cm_id". This is possible if cma_query_handler() triggers the RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and allows rdma_resolve_route() to be called again. Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com Signed-off-by: Gerd Rausch Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a8585fdf42b5f066f05cb12f122c382dc668cd7e Author: Jakub Kicinski Date: Wed Jun 23 14:44:38 2021 -0700 net: ip: avoid OOM kills with large UDP sends over loopback [ Upstream commit 6d123b81ac615072a8525c13c6c41b695270a15d ] Dave observed number of machines hitting OOM on the UDP send path. The workload seems to be sending large UDP packets over loopback. Since loopback has MTU of 64k kernel will try to allocate an skb with up to 64k of head space. This has a good chance of failing under memory pressure. What's worse if the message length is <32k the allocation may trigger an OOM killer. This is entirely avoidable, we can use an skb with page frags. af_unix solves a similar problem by limiting the head length to SKB_MAX_ALLOC. This seems like a good and simple approach. It means that UDP messages > 16kB will now use fragments if underlying device supports SG, if extra allocator pressure causes regressions in real workloads we can switch to trying the large allocation first and falling back. v4: pre-calculate all the additions to alloclen so we can be sure it won't go over order-2 Reported-by: Dave Jones Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 04177aa99a932746c55249ba3494f332ae3312dd Author: Sean Young Date: Wed Jun 23 22:37:54 2021 +0100 media, bpf: Do not copy more entries than user space requested [ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ] The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to see how many entries user space provided and return ENOSPC if there are more programs than that. Before this patch, this is not checked and ENOSPC is never returned. Note that one lirc device is limited to 64 bpf programs, and user space I'm aware of -- ir-keytable -- always gives enough space for 64 entries already. However, we should not copy program ids than are requested. Signed-off-by: Sean Young Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org Signed-off-by: Sasha Levin commit d8bb134d808c7ed778df1f9bb71e51bad55d7a81 Author: Max Gurtovoy Date: Mon May 24 11:52:15 2021 +0300 IB/isert: Align target max I/O size to initiator size [ Upstream commit 109d19a5eb3ddbdb87c43bfd4bcf644f4569da64 ] Since the Linux iser initiator default max I/O size set to 512KB and since there is no handshake procedure for this size in iser protocol, set the default max IO size of the target to 512KB as well. For changing the default values, there is a module parameter for both drivers. Link: https://lore.kernel.org/r/20210524085215.29005-1-mgurtovoy@nvidia.com Reviewed-by: Alaa Hleihel Reviewed-by: Israel Rukshin Signed-off-by: Max Gurtovoy Acked-by: Sagi Grimberg Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d330f5f8dff7c14a5e7476d47ae24b2c435d8ab2 Author: Weilun Du Date: Thu May 6 11:05:29 2021 -0700 mac80211_hwsim: add concurrent channels scanning support over virtio [ Upstream commit 626c30f9e77354301ff9162c3bdddaf92d9b5cf3 ] This fixed the crash when setting channels to 2 or more when communicating over virtio. Signed-off-by: Weilun Du Link: https://lore.kernel.org/r/20210506180530.3418576-1-wdu@google.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 97f067722669bb276cd915bfa49bce5067245084 Author: Johannes Berg Date: Thu Jun 10 22:08:16 2021 +0200 mac80211: consider per-CPU statistics if present [ Upstream commit d656a4c6ead6c3f252b2f2532bc9735598f7e317 ] If we have been keeping per-CPU statistics, consider them regardless of USES_RSS, because we may not actually fill those, for example in non-fast-RX cases when the connection is not compatible with fast-RX. If we didn't fill them, the additional data will be zero and not affect anything, and if we did fill them then it's more correct to consider them. This fixes an issue in mesh mode where some statistics are not updated due to USES_RSS being set, but fast-RX isn't used. Reported-by: Thiraviyam Mariyappan Link: https://lore.kernel.org/r/20210610220814.13b35f5797c5.I511e9b33c5694e0d6cef4b6ae755c873d7c22124@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1b728869a13470e4c25e8faf0dbb95a009c6850b Author: Ping-Ke Shih Date: Wed Jun 9 15:59:44 2021 +0800 cfg80211: fix default HE tx bitrate mask in 2G band [ Upstream commit 9df66d5b9f45c39b3925d16e8947cc10009b186d ] In 2G band, a HE sta can only supports HT and HE, but not supports VHT. In this case, default HE tx bitrate mask isn't filled, when we use iw to set bitrates without any parameter. Signed-off-by: Ping-Ke Shih Link: https://lore.kernel.org/r/20210609075944.51130-1-pkshih@realtek.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 0a7ba5d373f11513d40563538843d9f0e4bde812 Author: Gustavo A. R. Silva Date: Thu Apr 22 15:00:32 2021 -0500 wireless: wext-spy: Fix out-of-bounds warning [ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ] Fix the following out-of-bounds warning: net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds] The problem is that the original code is trying to copy data into a couple of struct members adjacent to each other in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &threshold.low and &spydata->spy_thr_low. As these are just a couple of struct members, fix this by using direct assignments, instead of memcpy(). This helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). Link: https://github.com/KSPP/linux/issues/109 Reported-by: kernel test robot Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit c1ad55b6a1f4980ba002b40c332f0c4c85d3f2a0 Author: Íñigo Huguet Date: Mon Jun 21 17:32:36 2021 +0200 sfc: error code if SRIOV cannot be disabled [ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ] If SRIOV cannot be disabled during device removal or module unloading, return error code so it can be logged properly in the calling function. Note that this can only happen if any VF is currently attached to a guest using Xen, but not with vfio/KVM. Despite that in that case the VFs won't work properly with PF removed and/or the module unloaded, I have let it as is because I don't know what side effects may have changing it, and also it seems to be the same that other drivers are doing in this situation. In the case of being called during SRIOV reconfiguration, the behavior hasn't changed because the function is called with force=false. Signed-off-by: Íñigo Huguet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1013dc896d99b4bb7ae8b9a65f78f8be96f17386 Author: Íñigo Huguet Date: Mon Jun 21 17:32:35 2021 +0200 sfc: avoid double pci_remove of VFs [ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ] If pci_remove was called for a PF with VFs, the removal of the VFs was called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove and another implicit by calling pci_disable_sriov, which also perform the VFs remove. This was leading to crashing the kernel on the second attempt. Given that pci_disable_sriov already calls to pci remove function, get rid of the direct call to pci_driver->remove from the driver. 2 different ways to trigger the bug: - Create one or more VFs, then attach the PF to a virtual machine (at least with qemu/KVM) - Create one or more VFs, then remove the PF with: echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove Removing sfc module does not trigger the error, at least for me, because it removes the VF first, and then the PF. Example of a log with the error: list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:47! [...trimmed...] RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c [...trimmed...] Call Trace: efx_dissociate+0x1f/0x140 [sfc] efx_pci_remove+0x27/0x150 [sfc] pci_device_remove+0x3b/0xc0 device_release_driver_internal+0x103/0x1f0 pci_stop_bus_device+0x69/0x90 pci_stop_and_remove_bus_device+0xe/0x20 pci_iov_remove_virtfn+0xba/0x120 sriov_disable+0x2f/0xe0 efx_ef10_pci_sriov_disable+0x52/0x80 [sfc] ? pcie_aer_is_native+0x12/0x40 efx_ef10_sriov_fini+0x72/0x110 [sfc] efx_pci_remove+0x62/0x150 [sfc] pci_device_remove+0x3b/0xc0 device_release_driver_internal+0x103/0x1f0 unbind_store+0xf6/0x130 kernfs_fop_write+0x116/0x190 vfs_write+0xa5/0x1a0 ksys_write+0x4f/0xb0 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca Signed-off-by: Íñigo Huguet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7cd6986f2de51858a0d3182f8ef331452fb48d70 Author: Johannes Berg Date: Fri Jun 18 11:01:17 2021 +0300 iwlwifi: pcie: fix context info freeing [ Upstream commit 26d18c75a7496c4c52b0b6789e713dc76ebfbc87 ] After firmware alive, iwl_trans_pcie_gen2_fw_alive() is called to free the context info. However, on gen3 that will then free the context info with the wrong size. Since we free this allocation later, let it stick around until the device is stopped for now, freeing some of it earlier is a separate change. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210618105614.afb63fb8cbc1.If4968db8e09f4ce2a1d27a6d750bca3d132d7d70@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit b98ec6d8b34df572f9e38518c86bb41f59b2ae83 Author: Johannes Berg Date: Fri Jun 18 11:01:16 2021 +0300 iwlwifi: pcie: free IML DMA memory allocation [ Upstream commit 310f60f53a86eba680d9bc20a371e13b06a5f903 ] In the case of gen3 devices with image loader (IML) support, we were leaking the IML DMA allocation and never freeing it. Fix that. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210618105614.07e117dbedb7.I7bb9ebbe0617656986c2a598ea5e827b533bd3b9@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 78eadadff3d1c380ebed9dbe67114441f3db1c4f Author: Shaul Triebitz Date: Thu Jun 17 10:08:45 2021 +0300 iwlwifi: mvm: fix error print when session protection ends [ Upstream commit 976ac0af7ba2c5424bc305b926c0807d96fdcc83 ] When the session protection ends and the Driver is not associated or a beacon was not heard, the Driver prints "No beacons heard...". That's confusing for the case where not associated. Change the print when not associated to "Not associated...". Signed-off-by: Shaul Triebitz Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210617100544.41a5a5a894fa.I9eabb76e7a3a7f4abbed8f2ef918f1df8e825726@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 1e1bb1efd60e343b17b44558c67c5c5a671ea437 Author: Johannes Berg Date: Sat Jun 12 14:32:38 2021 +0300 iwlwifi: mvm: don't change band on bound PHY contexts [ Upstream commit 8835a64f74c46baebfc946cd5a2c861b866ebcee ] When we have a P2P Device active, we attempt to only change the PHY context it uses when we get a new remain-on-channel, if the P2P Device is the only user of the PHY context. This is fine if we're switching within a band, but if we're switching bands then the switch implies a removal and re-add of the PHY context, which isn't permitted by the firmware while it's bound to an interface. Fix the code to skip the unbind/release/... cycle only if the band doesn't change (or we have old devices that can switch the band on the fly as well.) Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210612142637.e9ac313f70f3.I713b9d109957df7e7d9ed0861d5377ce3f8fccd3@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 1df36030393ae3e101913b69b66d08156d2dc08f Author: Xiao Yang Date: Mon Jun 21 15:14:56 2021 +0800 RDMA/rxe: Don't overwrite errno from ib_umem_get() [ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ] rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get() fails so it's hard for user to know which actual error happens in ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when trying to pin pages on a DAX file. Return actual error as mlx4/mlx5 does. Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com Signed-off-by: Xiao Yang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ee33c042f492a4771683c830e23227b23e88fda0 Author: Longpeng(Mike) Date: Mon Jun 21 14:26:01 2021 +0800 vsock: notify server to shutdown when client has pending signal [ Upstream commit c7ff9cff70601ea19245d997bb977344663434c7 ] The client's sk_state will be set to TCP_ESTABLISHED if the server replay the client's connect request. However, if the client has pending signal, its sk_state will be set to TCP_CLOSE without notify the server, so the server will hold the corrupt connection. client server 1. sk_state=TCP_SYN_SENT | 2. call ->connect() | 3. wait reply | | 4. sk_state=TCP_ESTABLISHED | 5. insert to connected list | 6. reply to the client 7. sk_state=TCP_ESTABLISHED | 8. insert to connected list | 9. *signal pending* <--------------------- the user kill client 10. sk_state=TCP_CLOSE | client is exiting... | 11. call ->release() | virtio_transport_close if (!(sk->sk_state == TCP_ESTABLISHED || sk->sk_state == TCP_CLOSING)) return true; *return at here, the server cannot notice the connection is corrupt* So the client should notify the peer in this case. Cc: David S. Miller Cc: Jakub Kicinski Cc: Jorgen Hansen Cc: Norbert Slusarek Cc: Andra Paraschiv Cc: Colin Ian King Cc: David Brazdil Cc: Alexander Popov Suggested-by: Stefano Garzarella Link: https://lkml.org/lkml/2021/5/17/418 Signed-off-by: lixianming Signed-off-by: Longpeng(Mike) Reviewed-by: Stefano Garzarella Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 38bc2ebf344c35f1fe0a70ec1acd962d319cdaa8 Author: Zheyu Ma Date: Sun Jun 20 15:24:15 2021 +0000 atm: nicstar: register the interrupt handler in the right place [ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ] Because the error handling is sequential, the application of resources should be carried out in the order of error handling, so the operation of registering the interrupt handler should be put in front, so as not to free the unregistered interrupt handler during error handling. This log reveals it: [ 3.438724] Trying to free already-free IRQ 23 [ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480 [ 3.440039] Modules linked in: [ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 [ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.441561] RIP: 0010:free_irq+0xfb/0x480 [ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 [ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 [ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 [ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff [ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 [ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 [ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000 [ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 [ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.444994] Call Trace: [ 3.444994] ns_init_card_error+0x18e/0x250 [ 3.444994] nicstar_init_one+0x10d2/0x1130 [ 3.444994] local_pci_probe+0x4a/0xb0 [ 3.444994] pci_device_probe+0x126/0x1d0 [ 3.444994] ? pci_device_remove+0x100/0x100 [ 3.444994] really_probe+0x27e/0x650 [ 3.444994] driver_probe_device+0x84/0x1d0 [ 3.444994] ? mutex_lock_nested+0x16/0x20 [ 3.444994] device_driver_attach+0x63/0x70 [ 3.444994] __driver_attach+0x117/0x1a0 [ 3.444994] ? device_driver_attach+0x70/0x70 [ 3.444994] bus_for_each_dev+0xb6/0x110 [ 3.444994] ? rdinit_setup+0x40/0x40 [ 3.444994] driver_attach+0x22/0x30 [ 3.444994] bus_add_driver+0x1e6/0x2a0 [ 3.444994] driver_register+0xa4/0x180 [ 3.444994] __pci_register_driver+0x77/0x80 [ 3.444994] ? uPD98402_module_init+0xd/0xd [ 3.444994] nicstar_init+0x1f/0x75 [ 3.444994] do_one_initcall+0x7a/0x3d0 [ 3.444994] ? rdinit_setup+0x40/0x40 [ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 [ 3.444994] kernel_init_freeable+0x2a7/0x2f9 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] kernel_init+0x13/0x180 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] ret_from_fork+0x1f/0x30 [ 3.444994] Kernel panic - not syncing: panic_on_warn set ... [ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 [ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.444994] Call Trace: [ 3.444994] dump_stack+0xba/0xf5 [ 3.444994] ? free_irq+0xfb/0x480 [ 3.444994] panic+0x155/0x3ed [ 3.444994] ? __warn+0xed/0x150 [ 3.444994] ? free_irq+0xfb/0x480 [ 3.444994] __warn+0x103/0x150 [ 3.444994] ? free_irq+0xfb/0x480 [ 3.444994] report_bug+0x119/0x1c0 [ 3.444994] handle_bug+0x3b/0x80 [ 3.444994] exc_invalid_op+0x18/0x70 [ 3.444994] asm_exc_invalid_op+0x12/0x20 [ 3.444994] RIP: 0010:free_irq+0xfb/0x480 [ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 [ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 [ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 [ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff [ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 [ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 [ 3.444994] ? vprintk_func+0x71/0x110 [ 3.444994] ns_init_card_error+0x18e/0x250 [ 3.444994] nicstar_init_one+0x10d2/0x1130 [ 3.444994] local_pci_probe+0x4a/0xb0 [ 3.444994] pci_device_probe+0x126/0x1d0 [ 3.444994] ? pci_device_remove+0x100/0x100 [ 3.444994] really_probe+0x27e/0x650 [ 3.444994] driver_probe_device+0x84/0x1d0 [ 3.444994] ? mutex_lock_nested+0x16/0x20 [ 3.444994] device_driver_attach+0x63/0x70 [ 3.444994] __driver_attach+0x117/0x1a0 [ 3.444994] ? device_driver_attach+0x70/0x70 [ 3.444994] bus_for_each_dev+0xb6/0x110 [ 3.444994] ? rdinit_setup+0x40/0x40 [ 3.444994] driver_attach+0x22/0x30 [ 3.444994] bus_add_driver+0x1e6/0x2a0 [ 3.444994] driver_register+0xa4/0x180 [ 3.444994] __pci_register_driver+0x77/0x80 [ 3.444994] ? uPD98402_module_init+0xd/0xd [ 3.444994] nicstar_init+0x1f/0x75 [ 3.444994] do_one_initcall+0x7a/0x3d0 [ 3.444994] ? rdinit_setup+0x40/0x40 [ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 [ 3.444994] kernel_init_freeable+0x2a7/0x2f9 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] kernel_init+0x13/0x180 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] ? rest_init+0x2c0/0x2c0 [ 3.444994] ret_from_fork+0x1f/0x30 [ 3.444994] Dumping ftrace buffer: [ 3.444994] (ftrace buffer empty) [ 3.444994] Kernel Offset: disabled [ 3.444994] Rebooting in 1 seconds.. Signed-off-by: Zheyu Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 90efb7f1006a7feb274937ba1cb131711f9c057e Author: Zheyu Ma Date: Sun Jun 20 15:24:14 2021 +0000 atm: nicstar: use 'dma_free_coherent' instead of 'kfree' [ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ] When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for error handling, but the correct memory free function should be used, otherwise it will cause an error. Since 'card->rsq.org' and 'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they should be freed using 'dma_free_coherent'. Fix this by using 'dma_free_coherent' instead of 'kfree' This log reveals it: [ 3.440294] kernel BUG at mm/slub.c:4206! [ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141 [ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.442780] RIP: 0010:kfree+0x26a/0x300 [ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 [ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 [ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 [ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 [ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 [ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 [ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 [ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 [ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 [ 3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.443396] Call Trace: [ 3.443396] ns_init_card_error+0x12c/0x220 [ 3.443396] nicstar_init_one+0x10d2/0x1130 [ 3.443396] local_pci_probe+0x4a/0xb0 [ 3.443396] pci_device_probe+0x126/0x1d0 [ 3.443396] ? pci_device_remove+0x100/0x100 [ 3.443396] really_probe+0x27e/0x650 [ 3.443396] driver_probe_device+0x84/0x1d0 [ 3.443396] ? mutex_lock_nested+0x16/0x20 [ 3.443396] device_driver_attach+0x63/0x70 [ 3.443396] __driver_attach+0x117/0x1a0 [ 3.443396] ? device_driver_attach+0x70/0x70 [ 3.443396] bus_for_each_dev+0xb6/0x110 [ 3.443396] ? rdinit_setup+0x40/0x40 [ 3.443396] driver_attach+0x22/0x30 [ 3.443396] bus_add_driver+0x1e6/0x2a0 [ 3.443396] driver_register+0xa4/0x180 [ 3.443396] __pci_register_driver+0x77/0x80 [ 3.443396] ? uPD98402_module_init+0xd/0xd [ 3.443396] nicstar_init+0x1f/0x75 [ 3.443396] do_one_initcall+0x7a/0x3d0 [ 3.443396] ? rdinit_setup+0x40/0x40 [ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70 [ 3.443396] kernel_init_freeable+0x2a7/0x2f9 [ 3.443396] ? rest_init+0x2c0/0x2c0 [ 3.443396] kernel_init+0x13/0x180 [ 3.443396] ? rest_init+0x2c0/0x2c0 [ 3.443396] ? rest_init+0x2c0/0x2c0 [ 3.443396] ret_from_fork+0x1f/0x30 [ 3.443396] Modules linked in: [ 3.443396] Dumping ftrace buffer: [ 3.443396] (ftrace buffer empty) [ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]--- [ 3.458922] RIP: 0010:kfree+0x26a/0x300 [ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 [ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 [ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 [ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 [ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 [ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 [ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 [ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 [ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 [ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.465860] Kernel panic - not syncing: Fatal exception [ 3.466370] Dumping ftrace buffer: [ 3.466616] (ftrace buffer empty) [ 3.466871] Kernel Offset: disabled [ 3.467122] Rebooting in 1 seconds.. Signed-off-by: Zheyu Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1d304c7ddd360f3299c7db2dcc25bc216f0c52b7 Author: Fugang Duan Date: Mon Jun 21 14:27:37 2021 +0800 net: fec: add ndo_select_queue to fix TX bandwidth fluctuations [ Upstream commit 52c4a1a85f4b346c39c896c0168f4a843b3385ff ] As we know that AVB is enabled by default, and the ENET IP design is queue 0 for best effort, queue 1&2 for AVB Class A&B. Bandwidth of each queue 1&2 set in driver is 50%, TX bandwidth fluctuated when selecting tx queues randomly with FEC_QUIRK_HAS_AVB quirk available. This patch adds ndo_select_queue callback to select queues for transmitting to fix this issue. It will always return queue 0 if this is not a vlan packet, and return queue 1 or 2 based on priority of vlan packet. You may complain that in fact we only use single queue for trasmitting if we are not targeted to VLAN. Yes, but seems we have no choice, since AVB is enabled when the driver probed, we can't switch this feature dynamicly. After compare multiple queues to single queue, TX throughput almost no improvement. One way we can implemet is to configure the driver to multiple queues with Round-robin scheme by default. Then add ndo_setup_tc callback to enable/disable AVB feature for users. Unfortunately, ENET AVB IP seems not follow the standard 802.1Qav spec. We only can program DMAnCFG[IDLE_SLOPE] field to calculate bandwidth fraction. And idle slope is restricted to certain valus (a total of 19). It's far away from CBS QDisc implemented in Linux TC framework. If you strongly suggest to do this, I think we only can support limited numbers of bandwidth and reject others, but it's really urgly and wried. With this patch, VLAN tagged packets route to queue 0/1/2 based on vlan priority; VLAN untagged packets route to queue 0. Tested-by: Frieder Schrempf Reported-by: Frieder Schrempf Signed-off-by: Fugang Duan Signed-off-by: Joakim Zhang Reported-by: kernel test robot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c7a31ae63e2c9f2c0968a21c6cbe6898efa7ce44 Author: Huang Pei Date: Fri Jun 11 15:09:46 2021 +0800 MIPS: add PMD table accounting into MIPS'pmd_alloc_one [ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ] This fixes Page Table accounting bug. MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone. Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables), "pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one" in MIPS without PMD table accounting causes PageTable accounting number negative, which read by global_zone_page_state(), always returns 0. Signed-off-by: Huang Pei Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 50ce920fe113007c6ee3eb8ee10f295012d85bc1 Author: Pascal Terjan Date: Sat Apr 24 18:29:59 2021 +0100 rtl8xxxu: Fix device info for RTL8192EU devices [ Upstream commit c240b044edefa3c3af4014a4030e017dd95b59a1 ] Based on 2001:3319 and 2357:0109 which I used to test the fix and 0bda:818b and 2357:0108 for which I found efuse dumps online. == 2357:0109 == === Before === Vendor: Realtek Product: \x03802.11n NI Serial: === After === Vendor: Realtek Product: 802.11n NIC Serial not available. == 2001:3319 == === Before === Vendor: Realtek Product: Wireless N Serial: no USB Adap === After === Vendor: Realtek Product: Wireless N Nano USB Adapter Serial not available. Signed-off-by: Pascal Terjan Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210424172959.1559890-1-pterjan@google.com Signed-off-by: Sasha Levin commit a10e871b73b466fca570533636cd69a5d0bf5d24 Author: Ryder Lee Date: Sat Jun 12 02:04:20 2021 +0800 mt76: mt7915: fix IEEE80211_HE_PHY_CAP7_MAX_NC for station mode [ Upstream commit 2707ff4dd7b1479dbd44ebb3c74788084cc95245 ] The value of station mode is always 0. Fixed: 00b2e16e0063 ("mt76: mt7915: add TxBF capabilities") Signed-off-by: Ryder Lee Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4cd713e48c272a80af935424afaa607ea125aed4 Author: xinhui pan Date: Tue Jun 15 15:11:07 2021 +0800 drm/amdkfd: Walk through list with dqm lock hold [ Upstream commit 56f221b6389e7ab99c30bbf01c71998ae92fc584 ] To avoid any list corruption. Signed-off-by: xinhui pan Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a2122e07920456e5d43f32e61d52be59634ddcab Author: Stanley.Yang Date: Wed Jun 16 21:14:01 2021 +0800 drm/amdgpu: fix bad address translation for sienna_cichlid [ Upstream commit 6ec598cc9dfbf40433e94a2ed1a622e3ef80268b ] Signed-off-by: Stanley.Yang Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 932be4cf2ba2cb8799c74f625f9e5a77027ed683 Author: Pavel Begunkov Date: Thu Jun 17 18:13:59 2021 +0100 io_uring: fix false WARN_ONCE [ Upstream commit e6ab8991c5d0b0deae0961dc22c0edd1dee328f5 ] WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_wake_worker fs/io-wq.c:244 [inline] WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_enqueue+0x7f6/0x910 fs/io-wq.c:751 A WARN_ON_ONCE() in io_wqe_wake_worker() can be triggered by a valid userspace setup. Replace it with pr_warn. Reported-by: syzbot+ea2f1484cffe5109dc10@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/f7ede342c3342c4c26668f5168e2993e38bbd99c.1623949695.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 92a9fb51e5ecd009081a1c311ea90afe83379438 Author: Yang Yingliang Date: Thu Jun 17 16:02:07 2021 +0800 net: sched: fix error return code in tcf_del_walker() [ Upstream commit 55d96f72e8ddc0a294e0b9c94016edbb699537e1 ] When nla_put_u32() fails, 'ret' could be 0, it should return error code in tcf_del_walker(). Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d2801d111829406489484f906635260a484b05cf Author: Yang Yingliang Date: Thu Jun 17 13:11:19 2021 +0800 net: ipa: Add missing of_node_put() in ipa_firmware_load() [ Upstream commit b244163f2c45c12053cb0291c955f892e79ed8a9 ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. of_node_put() on it before exiting this function. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Acked-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5cc0cf735f13b9021b33e14941fc4c719da14384 Author: Jian Shen Date: Thu Jun 17 11:37:11 2021 +0800 net: fix mistake path for netdev_features_strings [ Upstream commit 2d8ea148e553e1dd4e80a87741abdfb229e2b323 ] Th_strings arrays netdev_features_strings, tunable_strings, and phy_tunable_strings has been moved to file net/ethtool/common.c. So fixes the comment. Signed-off-by: Jian Shen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 891db094a0aa80061eb72daf0422a1776144de92 Author: Felix Fietkau Date: Fri May 7 14:07:53 2021 +0200 mt76: mt7615: fix fixed-rate tx status reporting [ Upstream commit ec8f1a90d006f7cedcf86ef19fd034a406a213d6 ] Rely on the txs fixed-rate bit instead of info->control.rates Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 090b06b25afe7675811ec4ac330cc5076d8f4a00 Author: Jacob Keller Date: Thu May 6 08:40:05 2021 -0700 ice: mark PTYPE 2 as reserved [ Upstream commit 0c526d440f76676733cb470b454db9d5507a3a50 ] The entry for PTYPE 2 in the ice_ptype_lkup table incorrectly states that this is an L2 packet with no payload. According to the datasheet, this PTYPE is actually unused and reserved. Fix the lookup entry to indicate this is an unused entry that is reserved. Signed-off-by: Jacob Keller Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b88a907830432ae133c4a798e8b17e90e43bee7a Author: Jacob Keller Date: Thu May 6 08:40:04 2021 -0700 ice: fix incorrect payload indicator on PTYPE [ Upstream commit 638a0c8c8861cb8a3b54203e632ea5dcc23d8ca5 ] The entry for PTYPE 90 indicates that the payload is layer 3. This does not match the specification in the datasheet which indicates the packet is a MAC, IPv6, UDP packet, with a payload in layer 4. Fix the lookup table to match the data sheet. Signed-off-by: Jacob Keller Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 2e66c36f1308071094c9c8fba53b2a14bee5d74c Author: Daniel Borkmann Date: Wed Jun 16 11:25:11 2021 +0200 bpf: Fix up register-based shifts in interpreter to silence KUBSAN [ Upstream commit 28131e9d933339a92f78e7ab6429f4aaaa07061c ] syzbot reported a shift-out-of-bounds that KUBSAN observed in the interpreter: [...] UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2 shift exponent 255 is too large for 64-bit type 'long long unsigned int' CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420 __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline] bpf_prog_run_clear_cb include/linux/filter.h:755 [inline] run_filter+0x1a1/0x470 net/packet/af_packet.c:2031 packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104 dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387 xmit_one net/core/dev.c:3588 [inline] dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609 __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182 __bpf_tx_skb net/core/filter.c:2116 [inline] __bpf_redirect_no_mac net/core/filter.c:2141 [inline] __bpf_redirect+0x548/0xc80 net/core/filter.c:2164 ____bpf_clone_redirect net/core/filter.c:2448 [inline] bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420 ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523 __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50 bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582 bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline] __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae [...] Generally speaking, KUBSAN reports from the kernel should be fixed. However, in case of BPF, this particular report caused concerns since the large shift is not wrong from BPF point of view, just undefined. In the verifier, K-based shifts that are >= {64,32} (depending on the bitwidth of the instruction) are already rejected. The register-based cases were not given their content might not be known at verification time. Ideas such as verifier instruction rewrite with an additional AND instruction for the source register were brought up, but regularly rejected due to the additional runtime overhead they incur. As Edward Cree rightly put it: Shifts by more than insn bitness are legal in the BPF ISA; they are implementation-defined behaviour [of the underlying architecture], rather than UB, and have been made legal for performance reasons. Each of the JIT backends compiles the BPF shift operations to machine instructions which produce implementation-defined results in such a case; the resulting contents of the register may be arbitrary but program behaviour as a whole remains defined. Guard checks in the fast path (i.e. affecting JITted code) will thus not be accepted. The case of division by zero is not truly analogous here, as division instructions on many of the JIT-targeted architectures will raise a machine exception / fault on division by zero, whereas (to the best of my knowledge) none will do so on an out-of-bounds shift. Given the KUBSAN report only affects the BPF interpreter, but not JITs, one solution is to add the ANDs with 63 or 31 into ___bpf_prog_run(). That would make the shifts defined, and thus shuts up KUBSAN, and the compiler would optimize out the AND on any CPU that interprets the shift amounts modulo the width anyway (e.g., confirmed from disassembly that on x86-64 and arm64 the generated interpreter code is the same before and after this fix). The BPF interpreter is slow path, and most likely compiled out anyway as distros select BPF_JIT_ALWAYS_ON to avoid speculative execution of BPF instructions by the interpreter. Given the main argument was to avoid sacrificing performance, the fact that the AND is optimized away from compiler for mainstream archs helps as well as a solution moving forward. Also add a comment on LSH/RSH/ARSH translation for JIT authors to provide guidance when they see the ___bpf_prog_run() interpreter code and use it as a model for a new JIT backend. Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com Reported-by: Kurt Manucredo Signed-off-by: Eric Biggers Co-developed-by: Eric Biggers Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com Cc: Edward Cree Link: https://lore.kernel.org/bpf/0000000000008f912605bd30d5d7@google.com Link: https://lore.kernel.org/bpf/bac16d8d-c174-bdc4-91bd-bfa62b410190@gmail.com Signed-off-by: Sasha Levin commit 0e72b151e394106ad3e3d5bebd1118952970047a Author: Amber Lin Date: Mon Jun 7 14:46:21 2021 -0400 drm/amdkfd: Fix circular lock in nocpsch path [ Upstream commit a7b2451d31cfa2e8aeccf3b35612ce33f02371fc ] Calling free_mqd inside of destroy_queue_nocpsch_locked can cause a circular lock. destroy_queue_nocpsch_locked is called under a DQM lock, which is taken in MMU notifiers, potentially in FS reclaim context. Taking another lock, which is BO reservation lock from free_mqd, while causing an FS reclaim inside the DQM lock creates a problematic circular lock dependency. Therefore move free_mqd out of destroy_queue_nocpsch_locked and call it after unlocking DQM. Signed-off-by: Amber Lin Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit cd29db48bb65e53efe4b05c75e575c5f1af5ddaf Author: Jonathan Kim Date: Fri Jun 11 13:36:34 2021 -0400 drm/amdkfd: fix circular locking on get_wave_state [ Upstream commit 63f6e01237257e7226efc5087f3f0b525d320f54 ] get_wave_state acquires the mmap_lock on copy_to_user but so do mmu_notifiers. mmu_notifiers allows dqm locking so do get_wave_state outside the dqm_lock to prevent circular locking. v2: squash in unused variable removal. Signed-off-by: Jonathan Kim Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9d21abc8fd200f978a2ae51af59eb9eea091ce27 Author: Zou Wei Date: Wed May 12 11:05:14 2021 +0800 cw1200: add missing MODULE_DEVICE_TABLE [ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com Signed-off-by: Sasha Levin commit c5e4a10d7bd5d4f419d8b9705dff60cf69b302a1 Author: Lee Gibson Date: Wed Apr 28 12:55:08 2021 +0100 wl1251: Fix possible buffer overflow in wl1251_cmd_scan [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin commit 5a3d373c4a3370cefc93c269084c761717fb1558 Author: Tony Lindgren Date: Thu Jun 3 09:28:14 2021 +0300 wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP [ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ] At least on wl12xx, reading the MAC after boot can fail with a warning at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read. The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls after request_firmware_work_func(). After the error, no wireless interface is created. Reloading the wl12xx module makes the interface work. Turns out the wlan controller can be in a low-power ELP state after the boot from the bootloader or kexec, and needs to be woken up first. Let's wake the hardware and add a sleep after that similar to wl12xx_pre_boot() is already doing. Note that a similar issue could exist for wl18xx, but I have not seen it so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not produce similar errors. Cc: Carl Philipp Klemm Signed-off-by: Tony Lindgren Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com Signed-off-by: Sasha Levin commit ad7083a95d8ac29acdca83942997dd4014c4149d Author: Mikulas Patocka Date: Sun Jun 6 16:13:16 2021 -0400 dm writecache: commit just one block, not a full page [ Upstream commit 991bd8d7bc78966b4dc427b53a144f276bffcd52 ] Some architectures have pages larger than 4k and committing a full page causes needless overhead. Fix this by writing a single block when committing the superblock. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 57f7ed25bd1672a51c2d9cd15c9714c0dfc56062 Author: Steffen Klassert Date: Mon Jun 7 15:21:49 2021 +0200 xfrm: Fix error reporting in xfrm_state_construct. [ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ] When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails, the error will not be reported because the -ENOMEM assignment to the err variable is overwritten before. Fix this by moving these two in front of the function so that memory allocation failures will be reported. Reported-by: Tobias Brunner Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit a5f8862967c453aff5b32883d1b6be8e2009e4f0 Author: Mark Yacoub Date: Fri Jun 4 13:01:07 2021 -0400 drm/amd/display: Verify Gamma & Degamma LUT sizes in amdgpu_dm_atomic_check [ Upstream commit 03fc4cf45d30533d54f0f4ebc02aacfa12f52ce2 ] For each CRTC state, check the size of Gamma and Degamma LUTs so unexpected and larger sizes wouldn't slip through. TEST: IGT:kms_color::pipe-invalid-gamma-lut-sizes v2: fix assignments in if clauses, Mark's email. Reviewed-by: Harry Wentland Signed-off-by: Mark Yacoub Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit db3c3643d55eede8e771e59df59dcc96c98f030a Author: Heiner Kallweit Date: Thu Jun 10 22:56:59 2021 +0200 r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM [ Upstream commit 1ee8856de82faec9bc8bd0f2308a7f27e30ba207 ] It has been reported that on RTL8106e the link-up interrupt may be significantly delayed if the user enables ASPM L1. Per default ASPM is disabled. The change leaves L1 enabled on the PCIe link (thus still allowing to reach higher package power saving states), but the NIC won't actively trigger it. Reported-by: Koba Ko Tested-by: Koba Ko Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f38371821c252e917e0184bfe558ebe816571f66 Author: Minchan Kim Date: Wed Jun 9 09:37:17 2021 -0700 selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC [ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ] In the field, we have seen lots of allocation failure from the call path below. 06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0 ... ... 06-03 13:29:12.999 1010315 31557 31557 W Call trace: 06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8 06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c 06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8 06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80 06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430 06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390 06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4 06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4 06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184 06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0 06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460 06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0 06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc 06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c 06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88 06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0 06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0 .. .. 06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0 06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) 06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 Based on [1], selinux is tolerate for failure of memory allocation. Then, use __GFP_NOWARN together. [1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches") Signed-off-by: Minchan Kim [PM: subj fix, line wraps, normalized commit refs] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 0a244be95bca64fabc89e3358674bfa04b17d314 Author: Yang Yingliang Date: Thu Jun 10 16:02:43 2021 +0800 fjes: check return value after calling platform_get_resource() [ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 378c156f9dd0f0e758513c38e33311ae3e5540b2 Author: Nirmoy Das Date: Tue Jun 8 13:23:44 2021 +0200 drm/amdkfd: use allowed domain for vmbo validation [ Upstream commit bc05716d4fdd065013633602c5960a2bf1511b9c ] Fixes handling when page tables are in system memory. v3: remove struct amdgpu_vm_parser. v2: remove unwanted variable. change amdgpu_amdkfd_validate instead of amdgpu_amdkfd_bo_validate. Signed-off-by: Nirmoy Das Reviewed-by: Christian König Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fb3b4bcdd3bc1f1ca1e13650ceeed7ed37fe7ad1 Author: Yang Yingliang Date: Wed Jun 9 21:25:15 2021 +0800 net: sgi: ioc3-eth: check return value after calling platform_get_resource() [ Upstream commit db8f7be1e1d64fbf113a456ef94534fbf5e9a9af ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e613f67f1b518df102bf56241188b71cdbeb9a50 Author: Amit Cohen Date: Tue Jun 8 15:44:09 2021 +0300 selftests: Clean forgotten resources as part of cleanup() [ Upstream commit e67dfb8d15deb33c425d0b0ee22f2e5eef54c162 ] Several tests do not set some ports down as part of their cleanup(), resulting in IPv6 link-local addresses and associated routes not being deleted. These leaks were found using a BPF tool that monitors ASIC resources. Solve this by setting the ports down at the end of the tests. Signed-off-by: Amit Cohen Reviewed-by: Petr Machata Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8a4318c14ace3ecdd2d0b73a84a7f3b334b357bc Author: Joakim Zhang Date: Tue Jun 8 11:15:35 2021 +0800 net: phy: realtek: add delay to fix RXC generation issue [ Upstream commit 6813cc8cfdaf401476e1a007cec8ae338cefa573 ] PHY will delay about 11.5ms to generate RXC clock when switching from power down to normal operation. Read/write registers would also cause RXC become unstable and stop for a while during this process. Realtek engineer suggests 15ms or more delay can workaround this issue. Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c71de31b2e0f4ef71cc69ba841aeac12519b3607 Author: Wesley Chalmers Date: Wed Apr 28 18:38:54 2021 -0400 drm/amd/display: Fix off-by-one error in DML [ Upstream commit e4e3678260e9734f6f41b4325aac0b171833a618 ] [WHY] For DCN30 and later, there is no data in DML arrays indexed by state at index num_states. Signed-off-by: Wesley Chalmers Reviewed-by: Dmytro Laktyushkin Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit afa06442d23d32e95e3336cf8ff366bdd8d590ee Author: Wesley Chalmers Date: Thu May 20 12:12:48 2021 -0400 drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7 [ Upstream commit 3577e1678772ce3ede92af3a75b44a4b76f9b4ad ] [WHY] DISPCLK_MAX_ERRDET_CYCLES must be 7 to prevent connection loss when changing DENTIST_DISPCLK_WDIVIDER from 126 to 127 and back. Signed-off-by: Wesley Chalmers Reviewed-by: Dmytro Laktyushkin Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 02f444321b3a0f3f94e34329f8aafa814c45b8e4 Author: Vladimir Stempen Date: Wed May 19 13:55:46 2021 -0400 drm/amd/display: Release MST resources on switch from MST to SST [ Upstream commit 3f8518b60c10aa96f3efa38a967a0b4eb9211ac0 ] [why] When OS overrides training link training parameters for MST device to SST mode, MST resources are not released and leak of the resource may result crash and incorrect MST discovery during following hot plugs. [how] Retaining sink object to be reused by SST link and releasing MST resources. Signed-off-by: Vladimir Stempen Reviewed-by: Wenjing Liu Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 01d6a693196595d356f0f5e42ab155c293470676 Author: Roman Li Date: Fri May 21 10:20:25 2021 -0400 drm/amd/display: Update scaling settings on modeset [ Upstream commit c521fc316d12fb9ea7b7680e301d673bceda922e ] [Why] We update scaling settings when scaling mode has been changed. However when changing mode from native resolution the scaling mode previously set gets ignored. [How] Perform scaling settings update on modeset. Signed-off-by: Roman Li Reviewed-by: Nicholas Kazlauskas Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 57c63b47d6f188b44d93d1602bd24d8d9a9131f6 Author: Nikola Cornij Date: Tue May 18 12:33:12 2021 -0400 drm/amd/display: Fix DCN 3.01 DSCCLK validation [ Upstream commit 346cf627fb27c0fea63a041cedbaa4f31784e504 ] [why] DSCCLK validation is not necessary because DSCCLK is derrived from DISPCLK, therefore if DISPCLK validation passes, DSCCLK is valid, too. Doing DSCLK validation in addition to DISPCLK leads to modes being wrongly rejected when DSCCLK was incorrectly set outside of DML. [how] Remove DSCCLK validation because it's implicitly validated under DISPCLK Signed-off-by: Nikola Cornij Reviewed-by: Dmytro Laktyushkin Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8e4da401425bae82131087b71e862f3adfb22b60 Author: Yang Yingliang Date: Mon Jun 7 23:02:59 2021 +0800 net: moxa: Use devm_platform_get_and_ioremap_resource() [ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ] Use devm_platform_get_and_ioremap_resource() to simplify code and avoid a null-ptr-deref by checking 'res' in it. Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 278dc34b711227be81073b3d81ba81341c520842 Author: Yang Yingliang Date: Mon Jun 7 22:55:21 2021 +0800 net: micrel: check return value after calling platform_get_resource() [ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ce1307ec621bafc1f8263935179d301359c99585 Author: Yang Yingliang Date: Mon Jun 7 22:36:02 2021 +0800 net: mvpp2: check return value after calling platform_get_resource() [ Upstream commit 0bb51a3a385790a4be20085494cf78f70dadf646 ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 49b3a7f38a9b359c9ac245d75ec2f072bf766f47 Author: Yang Yingliang Date: Mon Jun 7 21:38:37 2021 +0800 net: bcmgenet: check return value after calling platform_get_resource() [ Upstream commit 74325bf0104573c6dfce42837139aeef3f34be76 ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 92820a12823e0c2f799367439e4ac4810c2e24f8 Author: Yang Yingliang Date: Sat Jun 5 10:31:48 2021 +0800 net: mscc: ocelot: check return value after calling platform_get_resource() [ Upstream commit f1fe19c2cb3fdc92a614cf330ced1613f8f1a681 ] It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. Signed-off-by: Yang Yingliang Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f3b96f4b6b2d8726c5382b3e429b85369939c04c Author: Xianting Tian Date: Sat Jun 5 11:31:00 2021 -0400 virtio_net: Remove BUG() to avoid machine dead [ Upstream commit 85eb1389458d134bdb75dad502cc026c3753a619 ] We should not directly BUG() when there is hdr error, it is better to output a print when such error happens. Currently, the caller of xmit_skb() already did it. Signed-off-by: Xianting Tian Reviewed-by: Leon Romanovsky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 87c39048ec7f1f102f8ae232823c52d39c7e3f8c Author: Paul M Stillwell Jr Date: Wed Mar 31 14:17:06 2021 -0700 ice: fix clang warning regarding deadcode.DeadStores [ Upstream commit 7e94090ae13e1ae5fe8bd3a9cd08136260bb7039 ] clang generates deadcode.DeadStores warnings when a variable is used to read a value, but then that value isn't used later in the code. Fix this warning. Signed-off-by: Paul M Stillwell Jr Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e352556acef980029679cbbe417ea3c4b08a6e0c Author: Liwei Song Date: Mon Apr 19 17:31:06 2021 +0800 ice: set the value of global config lock timeout longer [ Upstream commit fb3612840d4f587a0af9511a11d7989d1fa48206 ] It may need hold Global Config Lock a longer time when download DDP package file, extend the timeout value to 5000ms to ensure that download can be finished before other AQ command got time to run, this will fix the issue below when probe the device, 5000ms is a test value that work with both Backplane and BreakoutCable NVM image: ice 0000:f4:00.0: VSI 12 failed lan queue config, error ICE_ERR_CFG ice 0000:f4:00.0: Failed to delete VSI 12 in FW - error: ICE_ERR_AQ_TIMEOUT ice 0000:f4:00.0: probe failed due to setup PF switch: -12 ice: probe of 0000:f4:00.0 failed with error -12 Signed-off-by: Liwei Song Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b5f2982e06096ebeafe43edf47052e2ab7661279 Author: Radim Pavlik Date: Tue Jun 1 10:48:18 2021 +0000 pinctrl: mcp23s08: fix race condition in irq handler [ Upstream commit 897120d41e7afd9da435cb00041a142aeeb53c07 ] Checking value of MCP_INTF in mcp23s08_irq suggests that the handler may be called even when there is no interrupt pending. But the actual interrupt could happened between reading MCP_INTF and MCP_GPIO. In this situation we got nothing from MCP_INTF, but the event gets acknowledged on the expander by reading MCP_GPIO. This leads to losing events. Fix the problem by not reading any register until we see something in MCP_INTF. The error was reproduced and fix tested on MCP23017. Signed-off-by: Radim Pavlik Link: https://lore.kernel.org/r/AM7PR06MB6769E1183F68DEBB252F665ABA3E9@AM7PR06MB6769.eurprd06.prod.outlook.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a4a86400c68c5228ebcd4d255063d4599d4243e4 Author: Horatiu Vultur Date: Fri Jun 4 12:37:47 2021 +0200 net: bridge: mrp: Update ring transitions. [ Upstream commit fcb34635854a5a5814227628867ea914a9805384 ] According to the standard IEC 62439-2, the number of transitions needs to be counted for each transition 'between' ring state open and ring state closed and not from open state to closed state. Therefore fix this for both ring and interconnect ring. Signed-off-by: Horatiu Vultur Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cc4f0a9d5aa1b5abffb2366a0b37c37806362fe8 Author: Damien Le Moal Date: Wed May 26 06:24:54 2021 +0900 dm: Fix dm_accept_partial_bio() relative to zone management commands [ Upstream commit 6842d264aa5205da338b6dcc6acfa2a6732558f1 ] Fix dm_accept_partial_bio() to actually check that zone management commands are not passed as explained in the function documentation comment. Also, since a zone append operation cannot be split, add REQ_OP_ZONE_APPEND as a forbidden command. White lines are added around the group of BUG_ON() calls to make the code more legible. Signed-off-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 939f750215b89d2cc774a85a6810286aec0f5718 Author: Mikulas Patocka Date: Wed May 26 10:29:45 2021 -0400 dm writecache: don't split bios when overwriting contiguous cache content [ Upstream commit ee50cc19d80e9b9a8283d1fb517a778faf2f6899 ] If dm-writecache overwrites existing cached data, it splits the incoming bio into many block-sized bios. The I/O scheduler does merge these bios into one large request but this needless splitting and merging causes performance degradation. Fix this by avoiding bio splitting if the cache target area that is being overwritten is contiguous. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 65e780667cf39f54154c6d95e40fd650bd0a31c5 Author: Joe Thornber Date: Tue Apr 13 09:03:49 2021 +0100 dm space maps: don't reset space map allocation cursor when committing [ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ] Current commit code resets the place where the search for free blocks will begin back to the start of the metadata device. There are a couple of repercussions to this: - The first allocation after the commit is likely to take longer than normal as it searches for a free block in an area that is likely to have very few free blocks (if any). - Any free blocks it finds will have been recently freed. Reusing them means we have fewer old copies of the metadata to aid recovery from hardware error. Fix these issues by leaving the cursor alone, only resetting when the search hits the end of the metadata device. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 313d9f25804c0024568f8863ec48f25a273e14c9 Author: Jiapeng Chong Date: Tue Jun 1 19:07:49 2021 +0800 RDMA/cxgb4: Fix missing error code in create_qp() [ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ] The error code is missing in this code scenario so 0 will be returned. Add the error code '-EINVAL' to the return value 'ret'. Eliminates the follow smatch warning: drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'. Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com Reported-by: Abaci Robot Signed-off-by: Jiapeng Chong Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f9c67c179e3b2e4daefa5fb208ddcb13b5728864 Author: Yuchung Cheng Date: Wed Jun 2 17:51:21 2021 -0700 net: tcp better handling of reordering then loss cases [ Upstream commit a29cb6914681a55667436a9eb7a42e28da8cf387 ] This patch aims to improve the situation when reordering and loss are ocurring in the same flight of packets. Previously the reordering would first induce a spurious recovery, then the subsequent ACK may undo the cwnd (based on the timestamps e.g.). However the current loss recovery does not proceed to invoke RACK to install a reordering timer. If some packets are also lost, this may lead to a long RTO-based recovery. An example is https://groups.google.com/g/bbr-dev/c/OFHADvJbTEI The solution is to after reverting the recovery, always invoke RACK to either mount the RACK timer to fast retransmit after the reordering window, or restarts the recovery if new loss is identified. Hence it is possible the sender may go from Recovery to Disorder/Open to Recovery again in one ACK. Reported-by: mingkun bian Signed-off-by: Yuchung Cheng Signed-off-by: Neal Cardwell Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8fa6473a61ecc9972ad543d8ba1d927d442d1f67 Author: Jiansong Chen Date: Thu May 13 10:56:50 2021 +0800 drm/amdgpu: remove unsafe optimization to drop preamble ib [ Upstream commit 7d9c70d23550eb86a1bec1954ccaa8d6ec3a3328 ] Take the situation with gfxoff, the optimization may cause corrupt CE ram contents. In addition emit_cntxcntl callback has similar optimization which firmware can handle properly even for power feature. Signed-off-by: Jiansong Chen Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c5b518f4b98dbb2bc31b6a55e6aaa1e0e2948f2e Author: Kees Cook Date: Fri May 28 10:53:54 2021 -0700 drm/amd/display: Avoid HDCP over-read and corruption [ Upstream commit 06888d571b513cbfc0b41949948def6cb81021b2 ] Instead of reading the desired 5 bytes of the actual target field, the code was reading 8. This could result in a corrupted value if the trailing 3 bytes were non-zero, so instead use an appropriately sized and zero-initialized bounce buffer, and read only 5 bytes before casting to u64. Signed-off-by: Kees Cook Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3c172f6e444bad7e1967021c86d9b7de9def5199 Author: Paul Cercueil Date: Sun May 30 18:17:59 2021 +0100 MIPS: ingenic: Select CPU_SUPPORTS_CPUFREQ && MIPS_EXTERNAL_TIMER [ Upstream commit eb3849370ae32b571e1f9a63ba52c61adeaf88f7 ] The clock driving the XBurst CPUs in Ingenic SoCs is integer divided from the main PLL. As such, it is possible to control the frequency of the CPU, either by changing the divider, or by changing the rate of the main PLL. The XBurst CPUs also lack the CP0 timer; the TCU, a separate piece of hardware in the SoC, provides this functionality. Signed-off-by: Paul Cercueil Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 0903ac8f09c6ccbb2da16c38625b894c87c8d3ed Author: Paul Cercueil Date: Sun May 30 18:17:57 2021 +0100 MIPS: cpu-probe: Fix FPU detection on Ingenic JZ4760(B) [ Upstream commit fc52f92a653215fbd6bc522ac5311857b335e589 ] Ingenic JZ4760 and JZ4760B do have a FPU, but the config registers don't report it. Force the FPU detection in case the processor ID match the JZ4760(B) one. Signed-off-by: Paul Cercueil Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 8f939b79579715b195dc3ad36669707fce6853ee Author: Willy Tarreau Date: Sat May 29 13:07:46 2021 +0200 ipv6: use prandom_u32() for ID generation [ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ] This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash table for IP ID generation"), but focusing on some specific aspects of IPv6. Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a minimum MTU of 1280, it's much less easy to force a remote peer to produce many fragments to explore its ID sequence. In addition packet IDs are 32-bit in IPv6, which further complicates their analysis. On the other hand, it is often easier to choose among plenty of possible source addresses and partially work around the bigger hash table the commit above permits, which leaves IPv6 partially exposed to some possibilities of remote analysis at the risk of weakening some protocols like DNS if some IDs can be predicted with a good enough probability. Given the wide range of permitted IDs, the risk of collision is extremely low so there's no need to rely on the positive increment algorithm that is shared with the IPv4 code via ip_idents_reserve(). We have a fast PRNG, so let's simply call prandom_u32() and be done with it. Performance measurements at 10 Gbps couldn't show any difference with the previous code, even when using a single core, because due to the large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost of the random generation is completely offset by other operations and by the network transfer time. In addition, this change removes the need to update a shared entry in the idents table so it may even end up being slightly faster on large scale systems where this matters. The risk of at least one collision here is about 1/80 million among 10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs, which remains very low compared to IPv4 where all IDs are reused every 4 to 80ms on a 10 Gbps flow depending on packet sizes. Reported-by: Amit Klein Signed-off-by: Willy Tarreau Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c92298d228f61589dd21657af2bea95fc866b813 Author: Xie Yongji Date: Mon May 31 21:58:52 2021 +0800 virtio-net: Add validation for used length [ Upstream commit ad993a95c508417acdeb15244109e009e50d8758 ] This adds validation for used length (might come from an untrusted device) to avoid data corruption or loss. Signed-off-by: Xie Yongji Acked-by: Jason Wang Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5e039a80a76bccef979137747b0da1bd734ee868 Author: Yu Kuai Date: Mon May 31 21:56:22 2021 +0800 drm: bridge: cdns-mhdp8546: Fix PM reference leak in [ Upstream commit f674555ee5444c8987dfea0922f1cf6bf0c12847 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Yu Kuai Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20210531135622.3348252-1-yukuai3@huawei.com Signed-off-by: Sasha Levin commit d1eaf4cb440841fa0f463bc1b52fa458fbd3e3b8 Author: Dmitry Osipenko Date: Sun May 16 19:30:35 2021 +0300 clk: tegra: Ensure that PLLU configuration is applied properly [ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ] The PLLU (USB) consists of the PLL configuration itself and configuration of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114, where T114 immediately bails out if PLLU is enabled and T30 re-enables a potentially already enabled PLL (left after bootloader) and then fully reprograms it, which could be unsafe to do. The correct way should be to skip enabling of the PLL if it's already enabled and then apply configuration to the outputs. This patch doesn't fix any known problems, it's a minor improvement. Acked-by: Thierry Reding Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit dc5bacea9462cf8e17340eb666e6c4d4b9a1e4bd Author: Dmitry Osipenko Date: Sun May 16 19:30:34 2021 +0300 clk: tegra: Fix refcounting of gate clocks [ Upstream commit c592c8a28f5821e880ac6675781cd8a151b0737c ] The refcounting of the gate clocks has a bug causing the enable_refcnt to underflow when unused clocks are disabled. This happens because clk provider erroneously bumps the refcount if clock is enabled at a boot time, which it shouldn't be doing, and it does this only for the gate clocks, while peripheral clocks are using the same gate ops and the peripheral clocks are missing the initial bump. Hence the refcount of the peripheral clocks is 0 when unused clocks are disabled and then the counter is decremented further by the gate ops, causing the integer underflow. Fix this problem by removing the erroneous bump and by implementing the disable_unused() callback, which disables the unused gates properly. The visible effect of the bug is such that the unused clocks are never gated if a loaded kernel module grabs the unused clocks and starts to use them. In practice this shouldn't cause any real problems for the drivers and boards supported by the kernel today. Acked-by: Thierry Reding Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 315988817aa770044fbb9e16af5c0dd9344da188 Author: Gioh Kim Date: Fri May 28 13:30:03 2021 +0200 RDMA/rtrs: Change MAX_SESS_QUEUE_DEPTH [ Upstream commit 3a98ea7041b7d18ac356da64823c2ba2f8391b3e ] Max IB immediate data size is 2^28 (MAX_IMM_PAYL_BITS) and the minimum chunk size is 4096 (2^12). Therefore the maximum sess_queue_depth is 65536 (2^16). Link: https://lore.kernel.org/r/20210528113018.52290-6-jinpu.wang@ionos.com Signed-off-by: Gioh Kim Signed-off-by: Jack Wang Reported-by: kernel test robot Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4f6a0f31c62764ad57545d86fca8499afe42555b Author: Vladimir Oltean Date: Thu May 27 18:59:59 2021 +0300 net: stmmac: the XPCS obscures a potential "PHY not found" error [ Upstream commit 4751d2aa321f2828d8c5d2f7ce4ed18a01e47f46 ] stmmac_mdio_register() has logic to search for PHYs on the MDIO bus and assign them IRQ lines, as well as to set priv->plat->phy_addr. If no PHY is found, the "found" variable remains set to 0 and the function errors out. After the introduction of commit f213bbe8a9d6 ("net: stmmac: Integrate it with DesignWare XPCS"), the "found" variable was immediately reused for searching for a PCS on the same MDIO bus. This can result in 2 types of potential problems (none of them seems to be seen on the only Intel system that sets has_xpcs = true, otherwise it would have been reported): 1. If a PCS is found but a PHY is not, then the code happily exits with no error. One might say "yes, but this is not possible, because of_mdiobus_register will probe a PHY for all MDIO addresses, including for the XPCS, so if an XPCS exists, then a PHY certainly exists too". Well, that is not true, see intel_mgbe_common_data(): /* Ensure mdio bus scan skips intel serdes and pcs-xpcs */ plat->mdio_bus_data->phy_mask = 1 << INTEL_MGBE_ADHOC_ADDR; plat->mdio_bus_data->phy_mask |= 1 << INTEL_MGBE_XPCS_ADDR; 2. A PHY is found but an MDIO device with the XPCS PHY ID isn't, and in that case, the error message will be "No PHY found". Confusing. Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20210527155959.3270478-1-olteanv@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a7d608bb786cb46d4b2f2071d2a8c4d327225d01 Author: Alex Bee Date: Fri May 28 15:05:52 2021 +0200 drm: rockchip: add missing registers for RK3066 [ Upstream commit 742203cd56d150eb7884eb45abb7d9dbc2bdbf04 ] Add dither_up, dsp_lut_en and data_blank registers to enable their respective functionality for RK3066's VOP. While at that also fix .rb_swap and .format registers for all windows, which have to be set though RK3066_SYS_CTRL1 register. Also remove .scl from win1: Scaling is only supported on the primary plane. Signed-off-by: Alex Bee Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-4-knaerzche@gmail.com Signed-off-by: Sasha Levin commit d89ea206e99c551d95f5c16a48fda6cb889935c5 Author: Alex Bee Date: Fri May 28 15:05:51 2021 +0200 drm: rockchip: add missing registers for RK3188 [ Upstream commit ab64b448a175b8a5a4bd323b8f74758c2574482c ] Add dither_up, dsp_lut_en and data_blank registers to enable their respective functionality for RK3188's VOP. While at that also fix .dsp_blank register which is (only) set with BIT24 (same as RK3066) Signed-off-by: Alex Bee Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-3-knaerzche@gmail.com Signed-off-by: Sasha Levin commit e54b4a534845d21a30d30f46508297ecd6dbf1a1 Author: Eli Cohen Date: Mon May 3 14:39:58 2021 +0300 net/mlx5: Fix lag port remapping logic [ Upstream commit 8613641063617c1dfc731b403b3ee4935ef15f87 ] Fix the logic so that if both ports netdevices are enabled or disabled, use the trivial mapping without swapping. If only one of the netdevice's tx is enabled, use it to remap traffic to that port. Signed-off-by: Eli Cohen Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 62137d1ae5f851df13e127ce16968164a19d3b26 Author: Huy Nguyen Date: Tue Dec 15 10:58:54 2020 -0600 net/mlx5e: IPsec/rep_tc: Fix rep_tc_update_skb drops IPsec packet [ Upstream commit c07274ab1ab2c38fb128e32643c22c89cb319384 ] rep_tc copy REG_C1 to REG_B. IPsec crypto utilizes the whole REG_B register with BIT31 as IPsec marker. rep_tc_update_skb drops IPsec because it thought REG_B contains bad value. In previous patch, BIT 31 of REG_C1 is reserved for IPsec. Skip the rep_tc_update_skb if BIT31 of REG_B is set. Signed-off-by: Huy Nguyen Signed-off-by: Raed Salem Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 219150485d73acd7c31c5efac318bc9312251103 Author: Kuninori Morimoto Date: Thu May 27 13:36:38 2021 +0900 clk: renesas: r8a77995: Add ZA2 clock [ Upstream commit 790c06cc5df263cdaff748670cc65958c81b0951 ] R-Car D3 ZA2 clock is from PLL0D3 or S0, and it can be controlled by ZA2CKCR. It is needed for R-Car Sound, but is not used so far. Using default settings is very enough at this point. This patch adds it by DEF_FIXED(). Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/87pmxclrmy.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 0680344d713195e1dc67e597bca8bb97b1498a21 Author: Zou Wei Date: Mon May 24 15:21:02 2021 +0800 drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer() [ Upstream commit 33f90f27e1c5ccd648d3e78a1c28be9ee8791cf1 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/1621840862-106024-1-git-send-email-zou_wei@huawei.com Signed-off-by: Sasha Levin commit 95f8ce9f18cb30d7d9b6b63a278bbfea6befac2d Author: Jesse Brandeburg Date: Thu Mar 25 17:38:29 2021 -0700 igb: fix assignment on big endian machines [ Upstream commit b514958dd1a3bd57638b0e63b8e5152b1960e6aa ] The igb driver was trying hard to be sparse correct, but somehow ended up converting a variable into little endian order and then tries to OR something with it. A much plainer way of doing things is to leave all variables and OR operations in CPU (non-endian) mode, and then convert to little endian only once, which is what this change does. This probably fixes a bug that might have been seen only on big endian systems. Signed-off-by: Jesse Brandeburg Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 66d593aa3aea4dc2ed81d7b73caba9fd59b883ef Author: Jesse Brandeburg Date: Thu Mar 25 17:38:28 2021 -0700 igb: handle vlan types with checker enabled [ Upstream commit c7cbfb028b95360403d579c47aaaeef1ff140964 ] The sparse build (C=2) finds some issues with how the driver dealt with the (very difficult) hardware that in some generations uses little-endian, and in others uses big endian, for the VLAN field. The code as written picks __le16 as a type and for some hardware revisions we override it to __be16 as done in this patch. This impacted the VF driver as well so fix it there too. Also change the vlan_tci assignment to override the sparse warning without changing functionality. Signed-off-by: Jesse Brandeburg Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit ffb865715a0fe32700bf854d1dc840fc2cafcc0a Author: Jesse Brandeburg Date: Thu Mar 25 17:38:24 2021 -0700 e100: handle eeprom as little endian [ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ] Sparse tool was warning on some implicit conversions from little endian data read from the EEPROM on the e100 cards. Fix these by being explicit about the conversions using le16_to_cpu(). Signed-off-by: Jesse Brandeburg Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit f06ea024c176fe44ec7f5746bcddcfab07e21758 Author: Zou Wei Date: Mon May 24 15:20:54 2021 +0800 drm/vc4: hdmi: Fix PM reference leak in vc4_hdmi_encoder_pre_crtc_co() [ Upstream commit 5e4322a8b266bc9f5ee7ea4895f661c01dbd7cb3 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/1621840854-105978-1-git-send-email-zou_wei@huawei.com Signed-off-by: Sasha Levin commit 48c96d5bacc0fb87e6d516564ec3cee66f274c53 Author: Mateusz Kwiatkowski Date: Thu May 20 17:03:41 2021 +0200 drm/vc4: Fix clock source for VEC PixelValve on BCM2711 [ Upstream commit fc7a8abcee2225d6279ff785d33e24d70c738c6e ] On the BCM2711 (Raspberry Pi 4), the VEC is actually connected to output 2 of pixelvalve3. NOTE: This contradicts the Broadcom docs, but has been empirically tested and confirmed by Raspberry Pi firmware devs. Signed-off-by: Mateusz Kwiatkowski Signed-off-by: Maxime Ripard Reviewed-by: Dave Stevenson Link: https://patchwork.freedesktop.org/patch/msgid/20210520150344.273900-2-maxime@cerno.tech Signed-off-by: Sasha Levin commit 21bf1414580c36ffc8d8de043beb3508cf812238 Author: Arturo Giusti Date: Tue May 18 12:34:57 2021 +0200 udf: Fix NULL pointer dereference in udf_symlink function [ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ] In function udf_symlink, epos.bh is assigned with the value returned by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c and returns the value of sb_getblk function that could be NULL. Then, epos.bh is used without any check, causing a possible NULL pointer dereference when sb_getblk fails. This fix adds a check to validate the value of epos.bh. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083 Signed-off-by: Arturo Giusti Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 0687411e2a8858262de2fc4a1d576016fd77292e Author: Andrey Grodzovsky Date: Wed May 19 10:14:07 2021 -0400 drm/sched: Avoid data corruptions [ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ] Wait for all dependencies of a job to complete before killing it to avoid data corruptions. Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey.grodzovsky@amd.com Signed-off-by: Sasha Levin commit 5ed8c298b2e140c640af8813a490fb4d77165e97 Author: Andrey Grodzovsky Date: Wed May 12 10:26:45 2021 -0400 drm/scheduler: Fix hang when sched_entity released [ Upstream commit c61cdbdbffc169dc7f1e6fe94dfffaf574fe672a ] Problem: If scheduler is already stopped by the time sched_entity is released and entity's job_queue not empty I encountred a hang in drm_sched_entity_flush. This is because drm_sched_entity_is_idle never becomes false. Fix: In drm_sched_fini detach all sched_entities from the scheduler's run queues. This will satisfy drm_sched_entity_is_idle. Also wakeup all those processes stuck in sched_entity flushing as the scheduler main thread which wakes them up is stopped by now. v2: Reverse order of drm_sched_rq_remove_entity and marking s_entity as stopped to prevent reinserion back to rq due to race. v3: Drop drm_sched_rq_remove_entity, only modify entity->stopped and check for it in drm_sched_entity_is_idle Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20210512142648.666476-14-andrey.grodzovsky@amd.com Signed-off-by: Sasha Levin commit 73ac001f060b300785483500837d0b5e0180a620 Author: Bixuan Cui Date: Sat May 8 11:15:02 2021 +0800 pinctrl: equilibrium: Add missing MODULE_DEVICE_TABLE [ Upstream commit d7f444499d6faf9a6ae3b27ec094109528d2b9a7 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Bixuan Cui Link: https://lore.kernel.org/r/20210508031502.53637-1-cuibixuan@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 1b832bd77799dc20884ecfea06100433c82d69d3 Author: Davide Caratti Date: Wed May 19 15:17:21 2021 +0200 net/sched: cls_api: increase max_reclassify_loop [ Upstream commit 05ff8435e50569a0a6b95e5ceaea43696e8827ab ] modern userspace applications, like OVN, can configure the TC datapath to "recirculate" packets several times. If more than 4 "recirculation" rules are configured, packets can be dropped by __tcf_classify(). Changing the maximum number of reclassifications (from 4 to 16) should be sufficient to prevent drops in most use cases, and guard against loops at the same time. Signed-off-by: Davide Caratti Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6ceb0182b087e64b754e3bfbcb4d71d2a51cb052 Author: Vladimir Oltean Date: Tue May 18 20:49:24 2021 +0300 net: mdio: provide shim implementation of devm_of_mdiobus_register [ Upstream commit 86544c3de6a2185409c5a3d02f674ea223a14217 ] Similar to the way in which of_mdiobus_register() has a fallback to the non-DT based mdiobus_register() when CONFIG_OF is not set, we can create a shim for the device-managed devm_of_mdiobus_register() which calls devm_mdiobus_register() and discards the struct device_node *. In particular, this solves a build issue with the qca8k DSA driver which uses devm_of_mdiobus_register and can be compiled without CONFIG_OF. Reported-by: Randy Dunlap Signed-off-by: Vladimir Oltean Acked-by: Randy Dunlap # build-tested Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d2d17ca924f4360c262fab9f4515d04d2a3c4e08 Author: Xie Yongji Date: Mon May 17 16:49:12 2021 +0800 drm/virtio: Fix double free on probe failure [ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ] The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure. But such failure will be caught by virtio_gpu_probe() and then virtio_gpu_release() will be called to do some cleanup which will free vgdev and vgdev->vbufs again. So let's set dev->dev_private to NULL to avoid double free. Signed-off-by: Xie Yongji Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 69a71b59b18c321b59b347328483a70438bf9456 Author: Pavel Skripkin Date: Mon May 17 15:15:45 2021 +0300 reiserfs: add check for invalid 1st journal block [ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ] syzbot reported divide error in reiserfs. The problem was in incorrect journal 1st block. Syzbot's reproducer manualy generated wrong superblock with incorrect 1st block. In journal_init() wasn't any checks about this particular case. For example, if 1st journal block is before superblock 1st block, it can cause zeroing important superblock members in do_journal_end(). Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit c5073100dc4f671b4460f4653453a08f46ad7e91 Author: Zou Wei Date: Wed May 12 14:45:55 2021 +0800 drm/bridge: lt9611: Add missing MODULE_DEVICE_TABLE [ Upstream commit 8d0b1fe81e18eb66a2d4406386760795fe0d77d9 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/1620801955-19188-1-git-send-email-zou_wei@huawei.com Signed-off-by: Sasha Levin commit b5713dac19168234029efa281b46266417ab51ec Author: Ansuel Smith Date: Fri May 14 23:03:50 2021 +0200 net: mdio: ipq8064: add regmap config to disable REGCACHE [ Upstream commit b097bea10215315e8ee17f88b4c1bbb521b1878c ] mdio drivers should not use REGCHACHE. Also disable locking since it's handled by the mdio users and regmap is always accessed atomically. Signed-off-by: Ansuel Smith Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c0dd36bcb67fdabc23a0f4fa79e543bffbf980c2 Author: Wang Li Date: Sat Apr 10 03:48:41 2021 +0000 drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init() [ Upstream commit 69777e6ca396f0a7e1baff40fcad4a9d3d445b7a ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Reported-by: Hulk Robot Signed-off-by: Wang Li Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 3393405257ed27f5b13b75faf1842e1b083c6f7b Author: Sebastian Andrzej Siewior Date: Wed May 12 23:43:24 2021 +0200 net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT [ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ] __napi_schedule_irqoff() is an optimized version of __napi_schedule() which can be used where it is known that interrupts are disabled, e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer callbacks. On PREEMPT_RT enabled kernels this assumptions is not true. Force- threaded interrupt handlers and spinlocks are not disabling interrupts and the NAPI hrtimer callback is forced into softirq context which runs with interrupts enabled as well. Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole game so make __napi_schedule_irqoff() invoke __napi_schedule() for PREEMPT_RT kernels. The callers of ____napi_schedule() in the networking core have been audited and are correct on PREEMPT_RT kernels as well. Reported-by: Juri Lelli Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Thomas Gleixner Reviewed-by: Juri Lelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a7f7c42e31157d1f0871d6a8e1a0b73a6b4ea785 Author: Zou Wei Date: Wed May 12 15:00:24 2021 +0800 atm: nicstar: Fix possible use-after-free in nicstar_cleanup() [ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b7ee9ae1e0cf55a037c4a99af2acc5d78cb7802d Author: Zou Wei Date: Tue May 11 14:58:53 2021 +0800 mISDN: fix possible use-after-free in HFC_cleanup() [ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e759ff76ebbbfcdcf83b6634c54dc47828573d8b Author: Zou Wei Date: Tue May 11 14:53:36 2021 +0800 atm: iphase: fix possible use-after-free in ia_module_exit() [ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2292d9691ce90feac6ca04bcbfd71c7ecce24f2b Author: Bibo Mao Date: Mon Jun 29 21:15:32 2020 +0800 hugetlb: clear huge pte during flush function on mips platform [ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ] If multiple threads are accessing the same huge page at the same time, hugetlb_cow will be called if one thread write the COW huge page. And function huge_ptep_clear_flush is called to notify other threads to clear the huge pte tlb entry. The other threads clear the huge pte tlb entry and reload it from page table, the reload huge pte entry may be old. This patch fixes this issue on mips platform, and it clears huge pte entry before notifying other threads to flush current huge page entry, it is similar with other architectures. Signed-off-by: Bibo Mao Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit a74872106e7878e57008b06974cf0237d5be6024 Author: Dinghao Liu Date: Thu Apr 15 15:33:38 2021 +0800 clk: renesas: rcar-usb2-clock-sel: Fix error handling in .probe() [ Upstream commit a20a40a8bbc2cf4b29d7248ea31e974e9103dd7f ] The error handling paths after pm_runtime_get_sync() have no refcount decrement, which leads to refcount leak. Signed-off-by: Dinghao Liu Link: https://lore.kernel.org/r/20210415073338.22287-1-dinghao.liu@zju.edu.cn [geert: Remove now unused variable priv] Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 3ca86d44b9023cd96c893d6dd90aacbca90e4d74 Author: Dmytro Laktyushkin Date: Mon Apr 19 17:50:53 2021 -0400 drm/amd/display: fix use_max_lb flag for 420 pixel formats [ Upstream commit 8809a7a4afe90ad9ffb42f72154d27e7c47551ae ] Right now the flag simply selects memory config 0 when flag is true however 420 modes benefit more from memory config 3. Signed-off-by: Dmytro Laktyushkin Reviewed-by: Aric Cyr Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5953b984c3e4c9bd0cce0675932174f9a08f5a38 Author: Andy Shevchenko Date: Mon May 10 19:39:30 2021 +0300 net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() [ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ] Sparse is not happy about handling of strict types in pch_ptp_match(): .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types) .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi .../pch_gbe_main.c:158:33: got restricted __be16 [usertype] .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types) .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo .../pch_gbe_main.c:158:45: got restricted __be32 [usertype] .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types) .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid .../pch_gbe_main.c:158:56: got restricted __be16 [usertype] Fix that by switching to use proper accessors to BE data. Reported-by: kernel test robot Signed-off-by: Andy Shevchenko Tested-by: Flavio Suligoi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fb960728f8f1c11a1db2ed8749423d3b1d67cf5a Author: Liu Ying Date: Fri Apr 23 17:26:41 2021 +0800 drm/bridge: nwl-dsi: Force a full modeset when crtc_state->active is changed to be true [ Upstream commit 3afb2a28fa2404d11cce1956a003f2aaca4da421 ] This patch replaces ->mode_fixup() with ->atomic_check() so that a full modeset can be requested from there when crtc_state->active is changed to be true(which implies only connector's DPMS is brought out of "Off" status, though not necessarily). Bridge functions are added or changed to accommodate the ->atomic_check() callback. That full modeset is needed by the up-coming patch which gets MIPI DSI controller and PHY ready in ->mode_set(), because it makes sure ->mode_set() and ->atomic_disable() are called in pairs. Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Robert Foss Cc: Laurent Pinchart Cc: Jonas Karlman Cc: Jernej Skrabec Cc: David Airlie Cc: Daniel Vetter Cc: Guido Günther Cc: Robert Chiras Cc: NXP Linux Team Signed-off-by: Liu Ying Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/1619170003-4817-2-git-send-email-victor.liu@nxp.com Signed-off-by: Sasha Levin commit 796554d3d68fe9fa05f55ecd98c82961a62212e7 Author: Dan Carpenter Date: Wed Apr 21 13:18:03 2021 +0300 drm/vc4: fix argument ordering in vc4_crtc_get_margins() [ Upstream commit e590c2b03a6143ba93ddad306bc9eaafa838c020 ] Cppcheck complains that the declaration doesn't match the function definition. Obviously "left" should come before "right". The caller and the function implementation are done this way, it's just the declaration which is wrong so this doesn't affect runtime. Reported-by: kernel test robot Signed-off-by: Dan Carpenter Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/YH/720FD978TPhHp@mwanda Signed-off-by: Sasha Levin commit b025bc07c94770ab5ca68a8b2ead12628c2a0698 Author: Jack Zhang Date: Tue Apr 27 17:08:47 2021 +0800 drm/amd/amdgpu/sriov disable all ip hw status by default [ Upstream commit 95ea3dbc4e9548d35ab6fbf67675cef8c293e2f5 ] Disable all ip's hw status to false before any hw_init. Only set it to true until its hw_init is executed. The old 5.9 branch has this change but somehow the 5.11 kernrel does not have this fix. Without this change, sriov tdr have gfx IB test fail. Signed-off-by: Jack Zhang Review-by: Emily Deng Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fb7479d64d77a3bb0ee992f9e450cf52d56c6b2c Author: Brandon Syu Date: Fri Apr 9 14:47:46 2021 +0800 drm/amd/display: fix HDCP reset sequence on reinitialize [ Upstream commit 99c248c41c2199bd34232ce8e729d18c4b343b64 ] [why] When setup is called after hdcp has already setup, it would cause to disable HDCP flow won’t execute. [how] Don't clean up hdcp content to be 0. Signed-off-by: Brandon Syu Reviewed-by: Wenjing Liu Acked-by: Wayne Lin Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d055669e669ad488b298465dbe8ff5e2a14c437a Author: KuoHsiang Chou Date: Wed Apr 21 16:58:59 2021 +0800 drm/ast: Fixed CVE for DP501 [ Upstream commit ba4e0339a6a33e2ba341703ce14ae8ca203cb2f1 ] [Bug][DP501] If ASPEED P2A (PCI to AHB) bridge is disabled and disallowed for CVE_2019_6260 item3, and then the monitor's EDID is unable read through Parade DP501. The reason is the DP501's FW is mapped to BMC addressing space rather than Host addressing space. The resolution is that using "pci_iomap_range()" maps to DP501's FW that stored on the end of FB (Frame Buffer). In this case, FrameBuffer reserves the last 2MB used for the image of DP501. Signed-off-by: KuoHsiang Chou Reported-by: kernel test robot Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20210421085859.17761-1-kuohsiang_chou@aspeedtech.com Signed-off-by: Sasha Levin commit 95c3133bc8eb0013708027ba47f4728ccf7b94fd Author: Thomas Zimmermann Date: Thu Apr 15 13:00:39 2021 +0200 drm/zte: Don't select DRM_KMS_FB_HELPER [ Upstream commit a50e74bec1d17e95275909660c6b43ffe11ebcf0 ] Selecting DRM_FBDEV_EMULATION will include the correct settings for fbdev emulation. Drivers should not override this. Signed-off-by: Thomas Zimmermann Acked-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-4-tzimmermann@suse.de Signed-off-by: Sasha Levin commit b60ae0fab550050f6bb66844207539a46998f43e Author: Thomas Zimmermann Date: Thu Apr 15 13:00:38 2021 +0200 drm/mxsfb: Don't select DRM_KMS_FB_HELPER [ Upstream commit 13b29cc3a722c2c0bc9ab9f72f9047d55d08a2f9 ] Selecting DRM_FBDEV_EMULATION will include the correct settings for fbdev emulation. Drivers should not override this. Signed-off-by: Thomas Zimmermann Acked-by: Stefan Agner Acked-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-3-tzimmermann@suse.de Signed-off-by: Sasha Levin commit 43b0742ef44c30f202afbf8355e9326710af9ca1 Author: Greg Kroah-Hartman Date: Wed Jul 14 16:56:55 2021 +0200 Linux 5.10.50 Link: https://lore.kernel.org/r/20210712060843.180606720@linuxfoundation.org Tested-by: Pavel Machek (CIP) Tested-by: Jon Hunter Tested-by: Florian Fainelli Tested-by: Fox Chen Link: https://lore.kernel.org/r/20210712184832.376480168@linuxfoundation.org Tested-by: Fox Chen Tested-by: Guenter Roeck Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Florian Fainelli Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Salvatore Bonaccorso Tested-by: Hulk Robot Signed-off-by: Greg Kroah-Hartman commit bdf4d33e8342b90386156204e1da0cdfdb4bf146 Author: Valentin Schneider Date: Wed Jul 7 19:38:31 2021 +0100 powerpc/preempt: Don't touch the idle task's preempt_count during hotplug commit 2c669ef6979c370f98d4b876e54f19613c81e075 upstream. Powerpc currently resets a CPU's idle task preempt_count to 0 before said task starts executing the secondary startup routine (and becomes an idle task proper). This conflicts with commit f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled"). which initializes all of the idle tasks' preempt_count to PREEMPT_DISABLED during smp_init(). Note that this was superfluous before said commit, as back then the hotplug machinery would invoke init_idle() via idle_thread_get(), which would have already reset the CPU's idle task's preempt_count to PREEMPT_ENABLED. Get rid of this preempt_count write. Fixes: f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled") Reported-by: Bharata B Rao Signed-off-by: Valentin Schneider Tested-by: Guenter Roeck Tested-by: Bharata B Rao Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210707183831.2106509-1-valentin.schneider@arm.com Signed-off-by: Greg Kroah-Hartman commit 9b07d817f7999745cca4c10c523ccc8b8536c6d5 Author: Joerg Roedel Date: Mon Jun 7 14:49:05 2021 +0200 iommu/dma: Fix compile warning in 32-bit builds commit 7154cbd31c2069726cf730b0ed94e2e79a221602 upstream. Compiling the recent dma-iommu changes under 32-bit x86 triggers this compile warning: drivers/iommu/dma-iommu.c:249:5: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘phys_addr_t’ {aka ‘unsigned int’} [-Wformat=] The reason is that %llx is used to print a variable of type phys_addr_t. Fix it by using the correct %pa format specifier for phys_addr_t. Cc: Srinath Mannam Cc: Robin Murphy Cc: Oza Pawandeep Fixes: 571f316074a20 ("iommu/dma: Fix IOVA reserve dma ranges") Signed-off-by: Joerg Roedel Link: https://lore.kernel.org/r/20210607124905.27525-1-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit 0855952ed4f1a6861fbb0e5d684efd447d7347c9 Author: Yang Yingliang Date: Wed May 26 22:38:05 2021 +0800 cred: add missing return error code when set_cred_ucounts() failed commit 5e6b8a50a7cec5686ee2c4bda1d49899c79a7eae upstream. If set_cred_ucounts() failed, we need return the error code. Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lkml.kernel.org/r/20210526143805.2549649-1-yangyingliang@huawei.com Reviewed-by: Alexey Gladkov Signed-off-by: Eric W. Biederman Signed-off-by: Greg Kroah-Hartman commit ce04375e2d9b9e84d7d1e7b79ac29071e075c5d5 Author: Valentin Schneider Date: Wed Jul 7 17:33:38 2021 +0100 s390: preempt: Fix preempt_count initialization commit 6a942f5780545ebd11aca8b3ac4b163397962322 upstream. S390's init_idle_preempt_count(p, cpu) doesn't actually let us initialize the preempt_count of the requested CPU's idle task: it unconditionally writes to the current CPU's. This clearly conflicts with idle_threads_init(), which intends to initialize *all* the idle tasks, including their preempt_count (or their CPU's, if the arch uses a per-CPU preempt_count). Unfortunately, it seems the way s390 does things doesn't let us initialize every possible CPU's preempt_count early on, as the pages where this resides are only allocated when a CPU is brought up and are freed when it is brought down. Let the arch-specific code set a CPU's preempt_count when its lowcore is allocated, and turn init_idle_preempt_count() into an empty stub. Fixes: f1a0a376ca0c ("sched/core: Initialize the idle task with preemption disabled") Reported-by: Guenter Roeck Signed-off-by: Valentin Schneider Tested-by: Guenter Roeck Reviewed-by: Heiko Carstens Link: https://lore.kernel.org/r/20210707163338.1623014-1-valentin.schneider@arm.com Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit e4a577d617914293ece95b74c51530327f53bd2a Author: Wei Yongjun Date: Wed Jun 2 11:36:45 2021 +0000 crypto: qce - fix error return code in qce_skcipher_async_req_handle() commit a8bc4f5e7a72e4067f5afd7e98b61624231713ca upstream. Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 1339a7c3ba05 ("crypto: qce: skcipher: Fix incorrect sg count for dma transfers") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Reviewed-by: Thara Gopinath Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit fb0c0a04e4243d39e6dc973efa63e139d2bedfdf Author: Quat Le Date: Tue Jun 29 08:58:26 2021 -0700 scsi: core: Retry I/O for Notify (Enable Spinup) Required error commit 104739aca4488909175e9e31d5cd7d75b82a2046 upstream. If the device is power-cycled, it takes time for the initiator to transmit the periodic NOTIFY (ENABLE SPINUP) SAS primitive, and for the device to respond to the primitive to become ACTIVE. Retry the I/O request to allow the device time to become ACTIVE. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210629155826.48441-1-quat.le@oracle.com Reviewed-by: Bart Van Assche Signed-off-by: Quat Le Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 2b541b6c7432adb6cff21727515a7d94c037c30d Author: Mauro Carvalho Chehab Date: Tue May 11 17:03:21 2021 +0200 media: exynos4-is: remove a now unused integer commit 29dd19e3ac7b2a8671ebeac02859232ce0e34f58 upstream. The usage of pm_runtime_resume_and_get() removed the need of a temporary integer. So, drop it. Fixes: 59f96244af94 ("media: exynos4-is: fix pm_runtime_get_sync() usage count") Reported-by: Stephen Rothwell Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2b58f5154a8f50b6d1efd6665bf53e40429cd570 Author: Johan Hovold Date: Fri May 21 15:30:26 2021 +0200 mmc: vub3000: fix control-request direction commit 3c0bb3107703d2c58f7a0a7a2060bb57bc120326 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the SET_ROM_WAIT_STATES request which erroneously used usb_rcvctrlpipe(). Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") Cc: stable@vger.kernel.org # 3.0 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210521133026.17296-1-johan@kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 39ac3e19451603fc6db52f617a72ed09312e2d44 Author: Bean Huo Date: Tue May 4 22:32:09 2021 +0200 mmc: block: Disable CMDQ on the ioctl path commit 70b52f09080565030a530a784f1c9948a7f48ca3 upstream. According to the eMMC Spec: "When command queuing is enabled (CMDQ Mode En bit in CMDQ_MODE_EN field is set to ‘1’) class 11 commands are the only method through which data transfer tasks can be issued. Existing data transfer commands, namely CMD18/CMD17 and CMD25/CMD24, are not supported when command queuing is enabled." which means if CMDQ is enabled, the FFU commands will not be supported. To fix this issue, just simply disable CMDQ on the ioctl path, and re-enable CMDQ once ioctl request is completed. Tested-by: Michael Brunner Signed-off-by: Bean Huo Acked-by: Adrian Hunter Fixes: 1e8e55b67030 (mmc: block: Add CQE support) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210504203209.361597-1-huobean@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit a75457f63086500d0182c0cb664e2e35d85d5dab Author: Pavel Begunkov Date: Wed Jun 9 12:07:25 2021 +0100 io_uring: fix blocking inline submission commit 976517f162a05f4315b2373fd11585c395506259 upstream. There is a complaint against sys_io_uring_enter() blocking if it submits stdin reads. The problem is in __io_file_supports_async(), which sees that it's a cdev and allows it to be processed inline. Punt char devices using generic rules of io_file_supports_async(), including checking for presence of *_iter() versions of rw callbacks. Apparently, it will affect most of cdevs with some exceptions like null and zero devices. Cc: stable@vger.kernel.org Reported-by: Birk Hirdman Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/d60270856b8a4560a639ef5f76e55eb563633599.1623236455.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c98d9318dc99bf8822708dbab3f3ace946df7fe9 Author: Long Li Date: Mon Jun 7 12:34:05 2021 -0700 block: return the correct bvec when checking for gaps commit c9c9762d4d44dcb1b2ba90cfb4122dc11ceebf31 upstream. After commit 07173c3ec276 ("block: enable multipage bvecs"), a bvec can have multiple pages. But bio_will_gap() still assumes one page bvec while checking for merging. If the pages in the bvec go across the seg_boundary_mask, this check for merging can potentially succeed if only the 1st page is tested, and can fail if all the pages are tested. Later, when SCSI builds the SG list the same check for merging is done in __blk_segment_map_sg_merge() with all the pages in the bvec tested. This time the check may fail if the pages in bvec go across the seg_boundary_mask (but tested okay in bio_will_gap() earlier, so those BIOs were merged). If this check fails, we end up with a broken SG list for drivers assuming the SG list not having offsets in intermediate pages. This results in incorrect pages written to the disk. Fix this by returning the multi-page bvec when testing gaps for merging. Cc: Jens Axboe Cc: Johannes Thumshirn Cc: Pavel Begunkov Cc: Ming Lei Cc: Tejun Heo Cc: "Matthew Wilcox (Oracle)" Cc: Jeffle Xu Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Fixes: 07173c3ec276 ("block: enable multipage bvecs") Signed-off-by: Long Li Reviewed-by: Ming Lei Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/1623094445-22332-1-git-send-email-longli@linuxonhyperv.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 51c19f4a62129bca096df760c7690833958ce9cf Author: Wei Yongjun Date: Wed May 19 14:16:57 2021 +0000 erofs: fix error return code in erofs_read_superblock() commit 0508c1ad0f264a24c4643701823a45f6c9bd8146 upstream. 'ret' will be overwritten to 0 if erofs_sb_has_sb_chksum() return true, thus 0 will return in some error handling cases. Fix to return negative error code -EINVAL instead of 0. Link: https://lore.kernel.org/r/20210519141657.3062715-1-weiyongjun1@huawei.com Fixes: b858a4844cfb ("erofs: support superblock checksum") Cc: stable # 5.5+ Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit 97cbddc8a2bc62fe27fd3ca7be52abf3c675a4a6 Author: Jarkko Sakkinen Date: Wed Jun 9 16:26:19 2021 +0300 tpm: Replace WARN_ONCE() with dev_err_once() in tpm_tis_status() commit 0178f9d0f60ba07e09bab57381a3ef18e2c1fd7f upstream. Do not tear down the system when getting invalid status from a TPM chip. This can happen when panic-on-warn is used. Instead, introduce TPM_TIS_INVALID_STATUS bitflag and use it to trigger once the error reporting per chip. In addition, print out the value of TPM_STS for improved forensics. Link: https://lore.kernel.org/keyrings/YKzlTR1AzUigShtZ@kroah.com/ Fixes: 55707d531af6 ("tpm_tis: Add a check for invalid status") Cc: stable@vger.kernel.org Signed-off-by: Jarkko Sakkinen Reviewed-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit b5a2b5b64237b9d1bdb002ff96b5f3b8e142b2b2 Author: Eric Biggers Date: Sat Jun 5 00:50:33 2021 -0700 fscrypt: fix derivation of SipHash keys on big endian CPUs commit 2fc2b430f559fdf32d5d1dd5ceaa40e12fb77bdf upstream. Typically, the cryptographic APIs that fscrypt uses take keys as byte arrays, which avoids endianness issues. However, siphash_key_t is an exception. It is defined as 'u64 key[2];', i.e. the 128-bit key is expected to be given directly as two 64-bit words in CPU endianness. fscrypt_derive_dirhash_key() and fscrypt_setup_iv_ino_lblk_32_key() forgot to take this into account. Therefore, the SipHash keys used to index encrypted+casefolded directories differ on big endian vs. little endian platforms, as do the SipHash keys used to hash inode numbers for IV_INO_LBLK_32-encrypted directories. This makes such directories non-portable between these platforms. Fix this by always using the little endian order. This is a breaking change for big endian platforms, but this should be fine in practice since these features (encrypt+casefold support, and the IV_INO_LBLK_32 flag) aren't known to actually be used on any big endian platforms yet. Fixes: aa408f835d02 ("fscrypt: derive dirhash key for casefolded directories") Fixes: e3b1078bedd3 ("fscrypt: add support for IV_INO_LBLK_32 policies") Cc: # v5.6+ Link: https://lore.kernel.org/r/20210605075033.54424-1-ebiggers@kernel.org Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman commit 089057af71d7456040aaf5e708d70d1537154f96 Author: Eric Biggers Date: Thu May 27 16:52:36 2021 -0700 fscrypt: don't ignore minor_hash when hash is 0 commit 77f30bfcfcf484da7208affd6a9e63406420bf91 upstream. When initializing a no-key name, fscrypt_fname_disk_to_usr() sets the minor_hash to 0 if the (major) hash is 0. This doesn't make sense because 0 is a valid hash code, so we shouldn't ignore the filesystem-provided minor_hash in that case. Fix this by removing the special case for 'hash == 0'. This is an old bug that appears to have originated when the encryption code in ext4 and f2fs was moved into fs/crypto/. The original ext4 and f2fs code passed the hash by pointer instead of by value. So 'if (hash)' actually made sense then, as it was checking whether a pointer was NULL. But now the hashes are passed by value, and filesystems just pass 0 for any hashes they don't have. There is no need to handle this any differently from the hashes actually being 0. It is difficult to reproduce this bug, as it only made a difference in the case where a filename's 32-bit major hash happened to be 0. However, it probably had the largest chance of causing problems on ubifs, since ubifs uses minor_hash to do lookups of no-key names, in addition to using it as a readdir cookie. ext4 only uses minor_hash as a readdir cookie, and f2fs doesn't use minor_hash at all. Fixes: 0b81d0779072 ("fs crypto: move per-file encryption from f2fs tree to fs/crypto") Cc: # v4.6+ Link: https://lore.kernel.org/r/20210527235236.2376556-1-ebiggers@kernel.org Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman commit b9c3b485593e07ed217cb6970d6c651558e4afb1 Author: Sibi Sankar Date: Wed Jun 16 23:12:58 2021 +0530 mailbox: qcom-ipcc: Fix IPCC mbox channel exhaustion commit d6fbfdbc12745ce24bcd348dbf7e652353b3e59c upstream. Fix IPCC (Inter-Processor Communication Controller) channel exhaustion by setting the channel private data to NULL on mbox shutdown. Err Logs: remoteproc: MBA booted without debug policy, loading mpss remoteproc: glink-edge: failed to acquire IPC channel remoteproc: failed to probe subdevices for remoteproc: -16 Fixes: fa74a0257f45 ("mailbox: Add support for Qualcomm IPCC") Signed-off-by: Sibi Sankar Cc: stable@vger.kernel.org Reviewed-by: Bjorn Andersson Reviewed-by: Manivannan Sadhasivam Signed-off-by: Jassi Brar Signed-off-by: Greg Kroah-Hartman commit 2a7c96c2e238820a5268769b6fef50a24eb574ce Author: Varun Prakash Date: Wed Apr 14 18:09:09 2021 +0530 scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd() commit 6ecdafaec79d4b3388a5b017245f23a0ff9d852d upstream. Instead of calling dma_unmap_sg() after completing WRITE I/O, call dma_unmap_sg() before calling target_execute_cmd() to sync the DMA buffer. Link: https://lore.kernel.org/r/1618403949-3443-1-git-send-email-varun@chelsio.com Cc: # 5.4+ Signed-off-by: Varun Prakash Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e2e615e6317bf610159bab4eb8fa9b4d9ec2c010 Author: Javed Hasan Date: Thu Jun 3 03:14:03 2021 -0700 scsi: fc: Correct RHBA attributes length commit 40445fd2c9fa427297acdfcc2c573ff10493f209 upstream. As per the FC-GS-5 specification, attribute lengths of node_name and manufacturer should in range of "4 to 64 Bytes" only. Link: https://lore.kernel.org/r/20210603101404.7841-2-jhasan@marvell.com Fixes: e721eb0616f6 ("scsi: scsi_transport_fc: Match HBA Attribute Length with HBAAPI V2.0 definitions") CC: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Javed Hasan Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5c6956e66404a7cf2def6947adc937a471716f17 Author: Namjae Jeon Date: Fri Jun 11 09:40:24 2021 +0900 exfat: handle wrong stream entry size in exfat_readdir() commit 1e5654de0f51890f88abd409ebf4867782431e81 upstream. The compatibility issue between linux exfat and exfat of some camera company was reported from Florian. In their exfat, if the number of files exceeds any limit, the DataLength in stream entry of the directory is no longer updated. So some files created from camera does not show in linux exfat. because linux exfat doesn't allow that cpos becomes larger than DataLength of stream entry. This patch check DataLength in stream entry only if the type is ALLOC_NO_FAT_CHAIN and add the check ensure that dentry offset does not exceed max dentries size(256 MB) to avoid the circular FAT chain issue. Fixes: ca06197382bd ("exfat: add directory operations") Cc: stable@vger.kernel.org # v5.9 Reported-by: Florian Cramer Reviewed-by: Sungjong Seo Tested-by: Chris Down Signed-off-by: Namjae Jeon Signed-off-by: Greg Kroah-Hartman commit b6a41435c832830754ed298e9ae2eaf13e74e88f Author: Guo Ren Date: Tue May 4 14:08:44 2021 +0800 csky: syscache: Fixup duplicate cache flush [ Upstream commit 6ea42c84f33368eb3fe1ec1bff8d7cb1a5c7b07a ] The current csky logic of sys_cacheflush is wrong, it'll cause icache flush call dcache flush again. Now fixup it with a conditional "break & fallthrough". Fixes: 997153b9a75c ("csky: Add flush_icache_mm to defer flush icache all") Fixes: 0679d29d3e23 ("csky: fix syscache.c fallthrough warning") Acked-by: Randy Dunlap Co-Developed-by: Randy Dunlap Signed-off-by: Guo Ren Cc: Arnd Bergmann Signed-off-by: Sasha Levin commit 3483e1a41ca0e7be090b5134d1aff4b291a4ad53 Author: Randy Dunlap Date: Sun Apr 11 09:41:04 2021 -0700 csky: fix syscache.c fallthrough warning [ Upstream commit 0679d29d3e2351a1c3049c26a63ce1959cad5447 ] This case of the switch statement falls through to the following case. This appears to be on purpose, so declare it as OK. ../arch/csky/mm/syscache.c: In function '__do_sys_cacheflush': ../arch/csky/mm/syscache.c:17:3: warning: this statement may fall through [-Wimplicit-fallthrough=] 17 | flush_icache_mm_range(current->mm, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 18 | (unsigned long)addr, | ~~~~~~~~~~~~~~~~~~~~ 19 | (unsigned long)addr + bytes); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../arch/csky/mm/syscache.c:20:2: note: here 20 | case DCACHE: | ^~~~ Fixes: 997153b9a75c ("csky: Add flush_icache_mm to defer flush icache all") Signed-off-by: Randy Dunlap Signed-off-by: Guo Ren Cc: linux-csky@vger.kernel.org Cc: Arnd Bergmann Signed-off-by: Sasha Levin commit 8ff266de8906e20d6555bae24900f76021310129 Author: Arnaldo Carvalho de Melo Date: Thu Jul 1 14:20:58 2021 -0300 perf llvm: Return -ENOMEM when asprintf() fails [ Upstream commit c435c166dcf526ac827bc964d82cc0d5e7a1fd0b ] Zhihao sent a patch but it made llvm__compile_bpf() return what asprintf() returns on error, which is just -1, but since this function returns -errno, fix it by returning -ENOMEM for this case instead. Fixes: cb76371441d098 ("perf llvm: Allow passing options to llc ...") Fixes: 5eab5a7ee032ac ("perf llvm: Display eBPF compiling command ...") Reported-by: Hulk Robot Reported-by: Zhihao Cheng Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Daniel Borkmann Cc: Ingo Molnar Cc: Jiri Olsa Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Peter Zijlstra Cc: Yu Kuai Cc: clang-built-linux@googlegroups.com Link: http://lore.kernel.org/lkml/20210609115945.2193194-1-chengzhihao1@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 58fa4b36abf62d1baf45a06fc63a7ea7bf345603 Author: Dave Hansen Date: Wed Jun 30 18:56:59 2021 -0700 selftests/vm/pkeys: refill shadow register after implicit kernel write [ Upstream commit 6039ca254979694c5362dfebadd105e286c397bb ] The pkey test code keeps a "shadow" of the pkey register around. This ensures that any bugs which might write to the register can be caught more quickly. Generally, userspace has a good idea when the kernel is going to write to the register. For instance, alloc_pkey() is passed a permission mask. The caller of alloc_pkey() can update the shadow based on the return value and the mask. But, the kernel can also modify the pkey register in a more sneaky way. For mprotect(PROT_EXEC) mappings, the kernel will allocate a pkey and write the pkey register to create an execute-only mapping. The kernel never tells userspace what key it uses for this. This can cause the test to fail with messages like: protection_keys_64.2: pkey-helpers.h:132: _read_pkey_reg: Assertion `pkey_reg == shadow_pkey_reg' failed. because the shadow was not updated with the new kernel-set value. Forcibly update the shadow value immediately after an mprotect(). Link: https://lkml.kernel.org/r/20210611164200.EF76AB73@viggo.jf.intel.com Fixes: 6af17cf89e99 ("x86/pkeys/selftests: Add PROT_EXEC test") Signed-off-by: Dave Hansen Signed-off-by: Thomas Gleixner Tested-by: Aneesh Kumar K.V Cc: Ram Pai Cc: Sandipan Das Cc: Florian Weimer Cc: "Desnes A. Nunes do Rosario" Cc: Ingo Molnar Cc: Thiago Jung Bauermann Cc: Michael Ellerman Cc: Michal Hocko Cc: Michal Suchanek Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 1dd18fda3eec7cc920d2b6e5075f851f117a265e Author: Dave Hansen Date: Wed Jun 30 18:56:56 2021 -0700 selftests/vm/pkeys: handle negative sys_pkey_alloc() return code [ Upstream commit bf68294a2ec39ed7fec6a5b45d52034e6983157a ] The alloc_pkey() sefltest function wraps the sys_pkey_alloc() system call. On success, it updates its "shadow" register value because sys_pkey_alloc() updates the real register. But, the success check is wrong. pkey_alloc() considers any non-zero return code to indicate success where the pkey register will be modified. This fails to take negative return codes into account. Consider only a positive return value as a successful call. Link: https://lkml.kernel.org/r/20210611164157.87AB4246@viggo.jf.intel.com Fixes: 5f23f6d082a9 ("x86/pkeys: Add self-tests") Reported-by: Thomas Gleixner Signed-off-by: Dave Hansen Tested-by: Aneesh Kumar K.V Cc: Ram Pai Cc: Sandipan Das Cc: Florian Weimer Cc: "Desnes A. Nunes do Rosario" Cc: Ingo Molnar Cc: Thiago Jung Bauermann Cc: Michael Ellerman Cc: Michal Hocko Cc: Michal Suchanek Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 92125cb8835c761c0e8d298c842003ce6445646e Author: Dave Hansen Date: Wed Jun 30 18:56:53 2021 -0700 selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random [ Upstream commit f36ef407628835a7d7fb3d235b1f1aac7022d9a3 ] Patch series "selftests/vm/pkeys: Bug fixes and a new test". There has been a lot of activity on the x86 front around the XSAVE architecture which is used to context-switch processor state (among other things). In addition, AMD has recently joined the protection keys club by adding processor support for PKU. The AMD implementation helped uncover a kernel bug around the PKRU "init state", which actually applied to Intel's implementation but was just harder to hit. This series adds a test which is expected to help find this class of bug both on AMD and Intel. All the work around pkeys on x86 also uncovered a few bugs in the selftest. This patch (of 4): The "random" pkey allocation code currently does the good old: srand((unsigned int)time(NULL)); *But*, it unfortunately does this on every random pkey allocation. There may be thousands of these a second. time() has a one second resolution. So, each time alloc_random_pkey() is called, the PRNG is *RESET* to time(). This is nasty. Normally, if you do: srand(); foo = rand(); bar = rand(); You'll be quite guaranteed that 'foo' and 'bar' are different. But, if you do: srand(1); foo = rand(); srand(1); bar = rand(); You are quite guaranteed that 'foo' and 'bar' are the *SAME*. The recent "fix" effectively forced the test case to use the same "random" pkey for the whole test, unless the test run crossed a second boundary. Only run srand() once at program startup. This explains some very odd and persistent test failures I've been seeing. Link: https://lkml.kernel.org/r/20210611164153.91B76FB8@viggo.jf.intel.com Link: https://lkml.kernel.org/r/20210611164155.192D00FF@viggo.jf.intel.com Fixes: 6e373263ce07 ("selftests/vm/pkeys: fix alloc_random_pkey() to make it really random") Signed-off-by: Dave Hansen Signed-off-by: Thomas Gleixner Tested-by: Aneesh Kumar K.V Cc: Ram Pai Cc: Sandipan Das Cc: Florian Weimer Cc: "Desnes A. Nunes do Rosario" Cc: Ingo Molnar Cc: Thiago Jung Bauermann Cc: Michael Ellerman Cc: Michal Hocko Cc: Michal Suchanek Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 456554040e5af2b047551ff62c4d483df7a900db Author: Trent Piepho Date: Wed Jun 30 18:55:49 2021 -0700 lib/math/rational.c: fix divide by zero [ Upstream commit 65a0d3c14685663ba111038a35db70f559e39336 ] If the input is out of the range of the allowed values, either larger than the largest value or closer to zero than the smallest non-zero allowed value, then a division by zero would occur. In the case of input too large, the division by zero will occur on the first iteration. The best result (largest allowed value) will be found by always choosing the semi-convergent and excluding the denominator based limit when finding it. In the case of the input too small, the division by zero will occur on the second iteration. The numerator based semi-convergent should not be calculated to avoid the division by zero. But the semi-convergent vs previous convergent test is still needed, which effectively chooses between 0 (the previous convergent) vs the smallest allowed fraction (best semi-convergent) as the result. Link: https://lkml.kernel.org/r/20210525144250.214670-1-tpiepho@gmail.com Fixes: 323dd2c3ed0 ("lib/math/rational.c: fix possible incorrect result from rational fractions helper") Signed-off-by: Trent Piepho Reported-by: Yiyuan Guo Reviewed-by: Andy Shevchenko Cc: Oskar Schirmer Cc: Daniel Latypov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 787f4e7a7d4b5b87a4cee3bfb56fe02c9cd4dfae Author: Miaohe Lin Date: Wed Jun 30 18:50:39 2021 -0700 mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page [ Upstream commit 28473d91ff7f686d58047ff55f2fa98ab59114a4 ] We should use release_z3fold_page_locked() to release z3fold page when it's locked, although it looks harmless to use release_z3fold_page() now. Link: https://lkml.kernel.org/r/20210619093151.1492174-7-linmiaohe@huawei.com Fixes: dcf5aedb24f8 ("z3fold: stricter locking and more careful reclaim") Signed-off-by: Miaohe Lin Reviewed-by: Vitaly Wool Cc: Hillf Danton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0fe11b79c281850a58a0ec7cff78277b3ee63f62 Author: Miaohe Lin Date: Wed Jun 30 18:50:36 2021 -0700 mm/z3fold: fix potential memory leak in z3fold_destroy_pool() [ Upstream commit dac0d1cfda56472378d330b1b76b9973557a7b1d ] There is a memory leak in z3fold_destroy_pool() as it forgets to free_percpu pool->unbuddied. Call free_percpu for pool->unbuddied to fix this issue. Link: https://lkml.kernel.org/r/20210619093151.1492174-6-linmiaohe@huawei.com Fixes: d30561c56f41 ("z3fold: use per-cpu unbuddied lists") Signed-off-by: Miaohe Lin Reviewed-by: Vitaly Wool Cc: Hillf Danton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 555dffa4842b8df0d144d1862500ea5503c19209 Author: Ralph Campbell Date: Mon Dec 14 19:11:58 2020 -0800 include/linux/huge_mm.h: remove extern keyword [ Upstream commit ebfe1b8f6ea5d83d8c1aa18ddd8ede432a7414e7 ] The external function definitions don't need the "extern" keyword. Remove them so future changes don't copy the function definition style. Link: https://lkml.kernel.org/r/20201106235135.32109-1-rcampbell@nvidia.com Signed-off-by: Ralph Campbell Reviewed-by: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ebd6a295b580cd793a6d0c09b1ea81b718dc2dec Author: Mike Kravetz Date: Wed Jun 30 18:48:31 2021 -0700 hugetlb: remove prep_compound_huge_page cleanup [ Upstream commit 48b8d744ea841b8adf8d07bfe7a2d55f22e4d179 ] Patch series "Fix prep_compound_gigantic_page ref count adjustment". These patches address the possible race between prep_compound_gigantic_page and __page_cache_add_speculative as described by Jann Horn in [1]. The first patch simply removes the unnecessary/obsolete helper routine prep_compound_huge_page to make the actual fix a little simpler. The second patch is the actual fix and has a detailed explanation in the commit message. This potential issue has existed for almost 10 years and I am unaware of anyone actually hitting the race. I did not cc stable, but would be happy to squash the patches and send to stable if anyone thinks that is a good idea. [1] https://lore.kernel.org/linux-mm/CAG48ez23q0Jy9cuVnwAe7t_fdhMk2S7N5Hdi-GLcCeq5bsfLxw@mail.gmail.com/ This patch (of 2): I could not think of a reliable way to recreate the issue for testing. Rather, I 'simulated errors' to exercise all the error paths. The routine prep_compound_huge_page is a simple wrapper to call either prep_compound_gigantic_page or prep_compound_page. However, it is only called from gather_bootmem_prealloc which only processes gigantic pages. Eliminate the routine and call prep_compound_gigantic_page directly. Link: https://lkml.kernel.org/r/20210622021423.154662-1-mike.kravetz@oracle.com Link: https://lkml.kernel.org/r/20210622021423.154662-2-mike.kravetz@oracle.com Signed-off-by: Mike Kravetz Cc: Andrea Arcangeli Cc: Jan Kara Cc: Jann Horn Cc: John Hubbard Cc: "Kirill A . Shutemov" Cc: Matthew Wilcox Cc: Michal Hocko Cc: Youquan Song Cc: Muchun Song Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2e16ad561143b97df021016e1835e5ea72ad499a Author: Yanfei Xu Date: Wed Feb 24 12:07:22 2021 -0800 mm/hugetlb: remove redundant check in preparing and destroying gigantic page [ Upstream commit 5291c09b3edb657f23c1939750c702ba2d74932f ] Gigantic page is a compound page and its order is more than 1. Thus it must be available for hpage_pincount. Let's remove the redundant check for gigantic page. Link: https://lkml.kernel.org/r/20210202112002.73170-1-yanfei.xu@windriver.com Signed-off-by: Yanfei Xu Reviewed-by: Mike Kravetz Reviewed-by: David Hildenbrand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0da83a815d33e39a29391c13de3462b9b6115350 Author: Miaohe Lin Date: Wed Feb 24 12:07:01 2021 -0800 mm/hugetlb: use helper huge_page_order and pages_per_huge_page [ Upstream commit c78a7f3639932c48b4e1d329fc80fd26aa1a2fa3 ] Since commit a5516438959d ("hugetlb: modular state for hugetlb page size"), we can use huge_page_order to access hstate->order and pages_per_huge_page to fetch the pages per huge page. But gather_bootmem_prealloc() forgot to use it. Link: https://lkml.kernel.org/r/20210114114435.40075-1-linmiaohe@huawei.com Signed-off-by: Miaohe Lin Reviewed-by: David Hildenbrand Reviewed-by: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 31be4ea35c8243d4021f2a6c8c2977183c355694 Author: Miaohe Lin Date: Wed Jun 30 18:47:57 2021 -0700 mm/huge_memory.c: don't discard hugepage if other processes are mapping it [ Upstream commit babbbdd08af98a59089334eb3effbed5a7a0cf7f ] If other processes are mapping any other subpages of the hugepage, i.e. in pte-mapped thp case, page_mapcount() will return 1 incorrectly. Then we would discard the page while other processes are still mapping it. Fix it by using total_mapcount() which can tell whether other processes are still mapping it. Link: https://lkml.kernel.org/r/20210511134857.1581273-6-linmiaohe@huawei.com Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called") Reviewed-by: Yang Shi Signed-off-by: Miaohe Lin Cc: Alexey Dobriyan Cc: "Aneesh Kumar K . V" Cc: Anshuman Khandual Cc: David Hildenbrand Cc: Hugh Dickins Cc: Johannes Weiner Cc: Kirill A. Shutemov Cc: Matthew Wilcox Cc: Minchan Kim Cc: Ralph Campbell Cc: Rik van Riel Cc: Song Liu Cc: William Kucharski Cc: Zi Yan Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b65597377b7b690efaaa1c9f4875ded8b4c46212 Author: Miaohe Lin Date: Wed Jun 30 18:47:50 2021 -0700 mm/huge_memory.c: add missing read-only THP checking in transparent_hugepage_enabled() [ Upstream commit e6be37b2e7bddfe0c76585ee7c7eee5acc8efeab ] Since commit 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS"), read-only THP file mapping is supported. But it forgot to add checking for it in transparent_hugepage_enabled(). To fix it, we add checking for read-only THP file mapping and also introduce helper transhuge_vma_enabled() to check whether thp is enabled for specified vma to reduce duplicated code. We rename transparent_hugepage_enabled to transparent_hugepage_active to make the code easier to follow as suggested by David Hildenbrand. [linmiaohe@huawei.com: define transhuge_vma_enabled next to transhuge_vma_suitable] Link: https://lkml.kernel.org/r/20210514093007.4117906-1-linmiaohe@huawei.com Link: https://lkml.kernel.org/r/20210511134857.1581273-4-linmiaohe@huawei.com Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS") Signed-off-by: Miaohe Lin Reviewed-by: Yang Shi Cc: Alexey Dobriyan Cc: "Aneesh Kumar K . V" Cc: Anshuman Khandual Cc: David Hildenbrand Cc: Hugh Dickins Cc: Johannes Weiner Cc: Kirill A. Shutemov Cc: Matthew Wilcox Cc: Minchan Kim Cc: Ralph Campbell Cc: Rik van Riel Cc: Song Liu Cc: William Kucharski Cc: Zi Yan Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit aa41f7a2a6812007bed071d617cb53296f2c3693 Author: Miaohe Lin Date: Wed Jun 30 18:47:43 2021 -0700 mm/huge_memory.c: remove dedicated macro HPAGE_CACHE_INDEX_MASK [ Upstream commit b2bd53f18bb7f7cfc91b3bb527d7809376700a8e ] Patch series "Cleanup and fixup for huge_memory:, v3. This series contains cleanups to remove dedicated macro and remove unnecessary tlb_remove_page_size() for huge zero pmd. Also this adds missing read-only THP checking for transparent_hugepage_enabled() and avoids discarding hugepage if other processes are mapping it. More details can be found in the respective changelogs. Thi patch (of 5): Rewrite the pgoff checking logic to remove macro HPAGE_CACHE_INDEX_MASK which is only used here to simplify the code. Link: https://lkml.kernel.org/r/20210511134857.1581273-1-linmiaohe@huawei.com Link: https://lkml.kernel.org/r/20210511134857.1581273-2-linmiaohe@huawei.com Signed-off-by: Miaohe Lin Reviewed-by: Yang Shi Reviewed-by: Anshuman Khandual Reviewed-by: David Hildenbrand Cc: Zi Yan Cc: William Kucharski Cc: Matthew Wilcox Cc: "Aneesh Kumar K . V" Cc: Ralph Campbell Cc: Song Liu Cc: Kirill A. Shutemov Cc: Rik van Riel Cc: Johannes Weiner Cc: Minchan Kim Cc: Hugh Dickins Cc: Alexey Dobriyan Cc: Mike Kravetz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9b0b9edea1d3a08bb448465b27569b1f378900e5 Author: Aneesh Kumar K.V Date: Wed Feb 24 12:07:32 2021 -0800 mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled [ Upstream commit bae84953815793f68ddd8edeadd3f4e32676a2c8 ] Differentiate between hardware not supporting hugepages and user disabling THP via 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' For the devdax namespace, the kernel handles the above via the supported_alignment attribute and failing to initialize the namespace if the namespace align value is not supported on the platform. For the fsdax namespace, the kernel will continue to initialize the namespace. This can result in the kernel creating a huge pte entry even though the hardware don't support the same. We do want hugepage support with pmem even if the end-user disabled THP via sysfs file (/sys/kernel/mm/transparent_hugepage/enabled). Hence differentiate between hardware/firmware lacking support vs user-controlled disable of THP and prevent a huge fault if the hardware lacks hugepage support. Link: https://lkml.kernel.org/r/20210205023956.417587-1-aneesh.kumar@linux.ibm.com Signed-off-by: Aneesh Kumar K.V Reviewed-by: Dan Williams Cc: "Kirill A . Shutemov" Cc: Jan Kara Cc: David Hildenbrand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0885ea1d4759adaf62404e49c570b740ec27ad1f Author: Alex Williamson Date: Mon Jun 28 14:08:12 2021 -0600 vfio/pci: Handle concurrent vma faults [ Upstream commit 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d ] io_remap_pfn_range() will trigger a BUG_ON if it encounters a populated pte within the mapping range. This can occur because we map the entire vma on fault and multiple faults can be blocked behind the vma_lock. This leads to traces like the one reported below. We can use our vma_list to test whether a given vma is mapped to avoid this issue. [ 1591.733256] kernel BUG at mm/memory.c:2177! [ 1591.739515] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 1591.747381] Modules linked in: vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [ 1591.760536] CPU: 2 PID: 227 Comm: lcore-worker-2 Tainted: G O 5.11.0-rc3+ #1 [ 1591.770735] Hardware name: , BIOS HixxxxFPGA 1P B600 V121-1 [ 1591.778872] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) [ 1591.786134] pc : remap_pfn_range+0x214/0x340 [ 1591.793564] lr : remap_pfn_range+0x1b8/0x340 [ 1591.799117] sp : ffff80001068bbd0 [ 1591.803476] x29: ffff80001068bbd0 x28: 0000042eff6f0000 [ 1591.810404] x27: 0000001100910000 x26: 0000001300910000 [ 1591.817457] x25: 0068000000000fd3 x24: ffffa92f1338e358 [ 1591.825144] x23: 0000001140000000 x22: 0000000000000041 [ 1591.832506] x21: 0000001300910000 x20: ffffa92f141a4000 [ 1591.839520] x19: 0000001100a00000 x18: 0000000000000000 [ 1591.846108] x17: 0000000000000000 x16: ffffa92f11844540 [ 1591.853570] x15: 0000000000000000 x14: 0000000000000000 [ 1591.860768] x13: fffffc0000000000 x12: 0000000000000880 [ 1591.868053] x11: ffff0821bf3d01d0 x10: ffff5ef2abd89000 [ 1591.875932] x9 : ffffa92f12ab0064 x8 : ffffa92f136471c0 [ 1591.883208] x7 : 0000001140910000 x6 : 0000000200000000 [ 1591.890177] x5 : 0000000000000001 x4 : 0000000000000001 [ 1591.896656] x3 : 0000000000000000 x2 : 0168044000000fd3 [ 1591.903215] x1 : ffff082126261880 x0 : fffffc2084989868 [ 1591.910234] Call trace: [ 1591.914837] remap_pfn_range+0x214/0x340 [ 1591.921765] vfio_pci_mmap_fault+0xac/0x130 [vfio_pci] [ 1591.931200] __do_fault+0x44/0x12c [ 1591.937031] handle_mm_fault+0xcc8/0x1230 [ 1591.942475] do_page_fault+0x16c/0x484 [ 1591.948635] do_translation_fault+0xbc/0xd8 [ 1591.954171] do_mem_abort+0x4c/0xc0 [ 1591.960316] el0_da+0x40/0x80 [ 1591.965585] el0_sync_handler+0x168/0x1b0 [ 1591.971608] el0_sync+0x174/0x180 [ 1591.978312] Code: eb1b027f 540000c0 f9400022 b4fffe02 (d4210000) Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") Reported-by: Zeng Tao Suggested-by: Zeng Tao Link: https://lore.kernel.org/r/162497742783.3883260.3282953006487785034.stgit@omen Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 363d85bfaec135979dd685a72cf64a84ec8cbd80 Author: Pali Rohár Date: Fri Jun 25 00:49:04 2021 +0200 arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART [ Upstream commit 2cbfdedef39fb5994b8f1e1df068eb8440165975 ] UART1 (standard variant with DT node name 'uart0') has register space 0x12000-0x12018 and not whole size 0x200. So fix also this in example. Signed-off-by: Pali Rohár Fixes: c737abc193d1 ("arm64: dts: marvell: Fix A37xx UART0 register size") Link: https://lore.kernel.org/r/20210624224909.6350-6-pali@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 347af865b6a20d2f498644f612c0e09d2eeba199 Author: Pali Rohár Date: Fri Jun 25 00:49:02 2021 +0200 serial: mvebu-uart: correctly calculate minimal possible baudrate [ Upstream commit deeaf963569a0d9d1b08babb771f61bb501a5704 ] For default (x16) scheme which is currently used by mvebu-uart.c driver, maximal divisor of UART base clock is 1023*16. Therefore there is limit for minimal supported baudrate. This change calculate it correctly and prevents setting invalid divisor 0 into hardware registers. Signed-off-by: Pali Rohár Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") Link: https://lore.kernel.org/r/20210624224909.6350-4-pali@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9ad82f0412c04f7cf8a8522a5dca633a0c40135a Author: Pali Rohár Date: Fri Jun 25 00:49:01 2021 +0200 serial: mvebu-uart: do not allow changing baudrate when uartclk is not available [ Upstream commit ecd6b010d81f97b06b2f64d2d4f50ebf5acddaa9 ] Testing mvuart->clk for non-error is not enough as mvuart->clk may contain valid clk pointer but when clk_prepare_enable(mvuart->clk) failed then port->uartclk is zero. When mvuart->clk is not available then port->uartclk is zero too. Parent clock rate port->uartclk is needed to calculate UART clock divisor and without it is not possible to change baudrate. So fix test condition when it is possible to change baudrate. Signed-off-by: Pali Rohár Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") Link: https://lore.kernel.org/r/20210624224909.6350-3-pali@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dd6d4e92e7240ed92583eacf097289a13d971d73 Author: Christophe JAILLET Date: Thu Jun 24 20:49:36 2021 +0200 ALSA: firewire-lib: Fix 'amdtp_domain_start()' when no AMDTP_OUT_STREAM stream is found [ Upstream commit 0cbbeaf370221fc469c95945dd3c1198865c5fe4 ] The intent here is to return an error code if we don't find what we are looking for in the 'list_for_each_entry()' loop. 's' is not NULL if the list is empty or if we scan the complete list. Introduce a new 'found' variable to handle such cases. Fixes: 60dd49298ec5 ("ALSA: firewire-lib: handle several AMDTP streams in callback handler of IRQ target") Signed-off-by: Christophe JAILLET Acked-by: Takashi Sakamoto Link: https://lore.kernel.org/r/9c9a53a4905984a570ba5672cbab84f2027dedc1.1624560484.git.christophe.jaillet@wanadoo.fr Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 53fa3ba8085e71ade16e4077c3acdf2e703d6158 Author: Vaibhav Jain Date: Thu May 13 14:53:49 2021 +0530 powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable [ Upstream commit ed78f56e1271f108e8af61baeba383dcd77adbec ] In case performance stats for an nvdimm are not available, reading the 'perf_stats' sysfs file returns an -ENOENT error. A better approach is to make the 'perf_stats' file entirely invisible to indicate that performance stats for an nvdimm are unavailable. So this patch updates 'papr_nd_attribute_group' to add a 'is_visible' callback implemented as newly introduced 'papr_nd_attribute_visible()' that returns an appropriate mode in case performance stats aren't supported in a given nvdimm. Also the initialization of 'papr_scm_priv.stat_buffer_len' is moved from papr_scm_nvdimm_init() to papr_scm_probe() so that it value is available when 'papr_nd_attribute_visible()' is called during nvdimm initialization. Even though 'perf_stats' attribute is available since v5.9, there are no known user-space tools/scripts that are dependent on presence of its sysfs file. Hence I dont expect any user-space breakage with this patch. Fixes: 2d02bf835e57 ("powerpc/papr_scm: Fetch nvdimm performance stats from PHYP") Signed-off-by: Vaibhav Jain Reviewed-by: Dan Williams Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210513092349.285021-1-vaibhav@linux.ibm.com Signed-off-by: Sasha Levin commit 04db493fc7464d73ef98a32a647ca5d4d3a9d1ae Author: Nicholas Piggin Date: Tue Jun 22 15:30:36 2021 +1000 powerpc/64s: Fix copy-paste data exposure into newly created tasks [ Upstream commit f35d2f249ef05b9671e7898f09ad89aa78f99122 ] copy-paste contains implicit "copy buffer" state that can contain arbitrary user data (if the user process executes a copy instruction). This could be snooped by another process if a context switch hits while the state is live. So cp_abort is executed on context switch to clear out possible sensitive data and prevent the leak. cp_abort is done after the low level _switch(), which means it is never reached by newly created tasks, so they could snoop on this buffer between their first and second context switch. Fix this by doing the cp_abort before calling _switch. Add some comments which should make the issue harder to miss. Fixes: 07d2a628bc000 ("powerpc/64s: Avoid cpabort in context switch when possible") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210622053036.474678-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit ac08ba518c6cb18902427a7072234375d3c6862e Author: Andy Shevchenko Date: Wed Jun 16 16:43:03 2021 +0300 powerpc/papr_scm: Properly handle UUID types and API [ Upstream commit 0e8554b5d7801b0aebc6c348a0a9f7706aa17b3b ] Parse to and export from UUID own type, before dereferencing. This also fixes wrong comment (Little Endian UUID is something else) and should eliminate the direct strict types assignments. Fixes: 43001c52b603 ("powerpc/papr_scm: Use ibm,unit-guid as the iset cookie") Fixes: 259a948c4ba1 ("powerpc/pseries/scm: Use a specific endian format for storing uuid from the device tree") Signed-off-by: Andy Shevchenko Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210616134303.58185-1-andriy.shevchenko@linux.intel.com Signed-off-by: Sasha Levin commit d3358c66ee5607b17bb0831edbff1b27ffe4979b Author: Nicholas Piggin Date: Wed Jun 23 14:12:45 2021 +1000 powerpc: Offline CPU in stop_this_cpu() [ Upstream commit bab26238bbd44d5a4687c0a64fd2c7f2755ea937 ] printk_safe_flush_on_panic() has special lock breaking code for the case where we panic()ed with the console lock held. It relies on panic IPI causing other CPUs to mark themselves offline. Do as most other architectures do. This effectively reverts commit de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs"), unfortunately it may result in some false positive warnings, but the alternative is more situations where we can crash without getting messages out. Fixes: de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210623041245.865134-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit 9443acbd251f366804b20a27be72ba67df532cb1 Author: Vignesh Raghavendra Date: Tue Jun 22 20:27:04 2021 +0530 serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs [ Upstream commit b67e830d38fa9335d927fe67e812e3ed81b4689c ] On K3 family of SoCs (which includes AM654 SoC), it is observed that RX TIMEOUT is signalled after RX FIFO has been drained, in which case a dummy read of RX FIFO is required to clear RX TIMEOUT condition. Otherwise, this would lead to an interrupt storm. Fix this by introducing UART_RX_TIMEOUT_QUIRK flag and doing a dummy read in IRQ handler when RX TIMEOUT is reported with no data in RX FIFO. Fixes: be70874498f3 ("serial: 8250_omap: Add support for AM654 UART controller") Reported-by: Jan Kiszka Tested-by: Jan Kiszka Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20210622145704.11168-1-vigneshr@ti.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e0e3e0b7dabf9399983c763325bfcd163833085f Author: Vignesh Raghavendra Date: Thu Oct 29 10:49:30 2020 +0530 serial: 8250: 8250_omap: Disable RX interrupt after DMA enable [ Upstream commit 439c7183e5b97952bba1747f5ffc4dea45a6a18b ] UARTs on TI SoCs prior to J7200 don't provide independent control over RX FIFO not empty interrupt (RHR_IT) and RX timeout interrupt. Starting with J7200 SoC, its possible to disable RHR_IT independent of RX timeout interrupt using bit 2 of IER2 register. So disable RHR_IT once RX DMA is started so as to avoid spurious interrupt being raised when data is in the RX FIFO but is yet to be drained by DMA (a known errata in older SoCs). Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20201029051930.7097-1-vigneshr@ti.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 786461739ac4bcd87218478920ade53c7ca04ce9 Author: Krzysztof Kozlowski Date: Wed Jun 23 15:43:15 2021 +0200 selftests/ftrace: fix event-no-pid on 1-core machine [ Upstream commit 07b60713b57a8f952d029a2b6849d003d9c16108 ] When running event-no-pid test on small machines (e.g. cloud 1-core instance), other events might not happen: + cat trace + cnt=0 + [ 0 -eq 0 ] + fail No other events were recorded [15] event tracing - restricts events based on pid notrace filtering [FAIL] Schedule a simple sleep task to be sure that some other process events get recorded. Fixes: ebed9628f5c2 ("selftests/ftrace: Add test to test new set_event_notrace_pid file") Signed-off-by: Krzysztof Kozlowski Acked-by: Steven Rostedt (VMware) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 57e49a0bc4b3887d1e3db2d3073f2a6934f87e16 Author: Christophe JAILLET Date: Fri May 21 13:21:01 2021 +0200 leds: ktd2692: Fix an error handling path [ Upstream commit ee78b9360e14c276f5ceaa4a0d06f790f04ccdad ] In 'ktd2692_parse_dt()', if an error occurs after a successful 'regulator_enable()' call, we should call 'regulator_enable()'. This is the same in 'ktd2692_probe()', if an error occurs after a successful 'ktd2692_parse_dt()' call. Instead of adding 'regulator_enable()' in several places, implement a resource managed solution and simplify the remove function accordingly. Fixes: b7da8c5c725c ("leds: Add ktd2692 flash LED driver") Signed-off-by: Christophe JAILLET Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 53cb671592efe10c993674bc7657e19192471679 Author: Zhen Lei Date: Sat May 15 11:06:46 2021 +0800 leds: as3645a: Fix error return code in as3645a_parse_node() [ Upstream commit 96a30960a2c5246c8ffebe8a3c9031f9df094d97 ] Return error code -ENODEV rather than '0' when the indicator node can not be found. Fixes: a56ba8fbcb55 ("media: leds: as3645a: Add LED flash class driver") Reported-by: Hulk Robot Acked-by: Sakari Ailus Signed-off-by: Zhen Lei Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit f3bf888507f0e7f6daf39e3cf0cefa2edf963778 Author: Shengjiu Wang Date: Tue Jun 22 20:31:24 2021 +0800 ASoC: fsl_spdif: Fix unexpected interrupt after suspend [ Upstream commit a7a0a2feb957e446b2bcf732f245ba04fc8b6314 ] When system enter suspend, the machine driver suspend callback function will be called, then the cpu driver trigger callback (SNDRV_PCM_TRIGGER_SUSPEND) be called, it would disable the interrupt. But the machine driver suspend and cpu dai driver suspend order maybe changed, the cpu dai driver's suspend callback is called before machine driver's suppend callback, then the interrupt is not cleared successfully in trigger callback. So need to clear interrupts in cpu dai driver's suspend callback to avoid such issue. Fixes: 9cb2b3796e08 ("ASoC: fsl_spdif: Add pm runtime function") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1624365084-7934-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2938ffd56895ab8432dee406ccfeca5076d74f1d Author: Libin Yang Date: Wed May 5 11:37:02 2021 -0500 ASoC: Intel: sof_sdw: add SOF_RT715_DAI_ID_FIX for AlderLake [ Upstream commit 81cd42e5174ba7918edd3d006406ce21ebaa8507 ] AlderLake needs the flag SOF_RT715_DAI_ID_FIX if it is using the rt715 DMIC. Reviewed-by: Bard Liao Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210505163705.305616-11-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5f2dfce8d8bc8484f0add19dbedb5d5a077adcdd Author: Chung-Chiang Cheng Date: Fri Jun 18 15:59:25 2021 +0800 configfs: fix memleak in configfs_release_bin_file [ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ] When reading binary attributes in progress, buffer->bin_buffer is setup in configfs_read_bin_file() but never freed. Fixes: 03607ace807b4 ("configfs: implement binary attributes") Signed-off-by: Chung-Chiang Cheng [hch: move the vfree rather than duplicating it] Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit e30e636447fd6d08908777818dfbc4fcbcd3f66a Author: Codrin Ciubotariu Date: Fri Jun 18 18:07:41 2021 +0300 ASoC: atmel-i2s: Fix usage of capture and playback at the same time [ Upstream commit 3b7961a326f8a7e03f54a19f02fedae8d488b80f ] For both capture and playback streams to work at the same time, only the needed values from a register need to be updated. Also, clocks should be enabled only when the first stream is started and stopped when there is no running stream. Fixes: b543e467d1a9 ("ASoC: atmel-i2s: add driver for the new Atmel I2S controller") Signed-off-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20210618150741.401739-2-codrin.ciubotariu@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit af497961abef0e787a867476cd9c03d5b8c552db Author: Nicholas Piggin Date: Tue May 18 00:03:55 2021 +1000 powerpc/powernv: Fix machine check reporting of async store errors [ Upstream commit 3729e0ec59a20825bd4c8c70996b2df63915e1dd ] POWER9 and POWER10 asynchronous machine checks due to stores have their cause reported in SRR1 but SRR1[42] is set, which in other cases indicates DSISR cause. Check for these cases and clear SRR1[42], so the cause matching uses the i-side (SRR1) table. Fixes: 7b9f71f974a1 ("powerpc/64s: POWER9 machine check handler") Fixes: 201220bb0e8c ("powerpc/powernv: Machine check handler for POWER10") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210517140355.2325406-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit f8d223f80ac6654e4b8c50a2a3afbd07dabfd679 Author: Marek Szyprowski Date: Fri Apr 23 22:46:24 2021 +0200 extcon: max8997: Add missing modalias string [ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ] The platform device driver name is "max8997-muic", so advertise it properly in the modalias string. This fixes automated module loading when this driver is compiled as a module. Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver") Signed-off-by: Marek Szyprowski Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit e16fcc83748a25107dd2deb047b1db2aa6420fdf Author: Stephan Gerhold Date: Mon May 31 15:34:35 2021 +0200 extcon: sm5502: Drop invalid register write in sm5502_reg_data [ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ] When sm5502_init_dev_type() iterates over sm5502_reg_data to initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data). There is no need to add another empty element to sm5502_reg_data. Having the additional empty element in sm5502_reg_data will just result in writing 0xff to register 0x00, which does not really make sense. Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver") Signed-off-by: Stephan Gerhold Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 25c7efb3875a0ffd66608d9011fbd93902a6f6aa Author: Christophe JAILLET Date: Sat Jun 5 15:17:43 2021 +0200 phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() [ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ] Add an error handling path in the probe to release some resources, as already done in the remove function. Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6398fc0e57ec4cbe0e1907d65bd7c5ae578fa5b7 Author: Kunihiko Hayashi Date: Mon Jun 7 12:50:42 2021 +0900 phy: uniphier-pcie: Fix updating phy parameters [ Upstream commit 4a90bbb478dbf18ecdec9dcf8eb708e319d24264 ] The current driver uses a value from register TEST_O as the original value for register TEST_I, though, the value is overwritten by "param", so there is a bug that the original value isn't no longer used. The value of TEST_O[7:0] should be masked with "mask", replaced with "param", and placed in the bitfield TESTI_DAT_MASK as new TEST_I value. Fixes: c6d9b1324159 ("phy: socionext: add PCIe PHY driver support") Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/1623037842-19363-1-git-send-email-hayashi.kunihiko@socionext.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a4b7c0af613f54c0ee0adb9a6e803244ab341ebd Author: Richard Fitzgerald Date: Fri Jun 18 15:47:45 2021 +0100 soundwire: stream: Fix test for DP prepare complete [ Upstream commit 3d3e88e336338834086278236d42039f3cde50e1 ] In sdw_prep_deprep_slave_ports(), after the wait_for_completion() the DP prepare status register is read. If this indicates that the port is now prepared, the code should continue with the port setup. It is irrelevant whether the wait_for_completion() timed out if the port is now ready. The previous implementation would always fail if the wait_for_completion() timed out, even if the port was reporting successful prepare. This patch also fixes a minor bug where the return from sdw_read() was not checked for error - any error code with LSBits clear could be misinterpreted as a successful port prepare. Fixes: 79df15b7d37c ("soundwire: Add helpers for ports operations") Signed-off-by: Richard Fitzgerald Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210618144745.30629-1-rf@opensource.cirrus.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit b0be06493e73993a46c232b5d51903e729cc8549 Author: Zhen Lei Date: Fri May 14 16:13:00 2021 +0800 scsi: mpt3sas: Fix error return value in _scsih_expander_add() [ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ] When an expander does not contain any 'phys', an appropriate error code -1 should be returned, as done elsewhere in this function. However, we currently do not explicitly assign this error code to 'rc'. As a result, 0 was incorrectly returned. Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f51088868b16781a8832dc73ed25881dc0611442 Author: Christophe JAILLET Date: Sat Jun 12 07:39:51 2021 +0200 habanalabs: Fix an error handling path in 'hl_pci_probe()' [ Upstream commit 3002f467a0b0a70aec01d9f446da4ac8c6fda10b ] If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it must be undone by a corresponding 'pci_disable_pcie_error_reporting()' call, as already done in the remove function. Fixes: 2e5eda4681f9 ("habanalabs: PCIe Advanced Error Reporting support") Signed-off-by: Christophe JAILLET Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit c183b55ed7e5f59b2c509b7bc5b853e7c3b9e9e4 Author: Yang Yingliang Date: Tue Jun 1 20:58:14 2021 +0800 mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume() [ Upstream commit ae94c49527aa9bd3b563349adc4b5617747ca6bd ] Add clk_disable_unprepare() on error path in marvell_nfc_resume(). Fixes: bd9c3f9b3c00 ("mtd: rawnand: marvell: add suspend and resume hooks") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210601125814.3260364-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit f929d21af75d96b2417b266012cc94f7201cb5d3 Author: Geert Uytterhoeven Date: Wed Jun 16 11:27:44 2021 +0200 of: Fix truncation of memory sizes on 32-bit platforms [ Upstream commit 2892d8a00d23d511a0591ac4b2ff3f050ae1f004 ] Variable "size" has type "phys_addr_t", which can be either 32-bit or 64-bit on 32-bit systems, while "unsigned long" is always 32-bit on 32-bit systems. Hence the cast in (unsigned long)size / SZ_1M may truncate a 64-bit size to 32-bit, as casts have a higher operator precedence than divisions. Fix this by inverting the order of the cast and division, which should be safe for memory blocks smaller than 4 PiB. Note that the division is actually a shift, as SZ_1M is a power-of-two constant, hence there is no need to use div_u64(). While at it, use "%lu" to format "unsigned long". Fixes: e8d9d1f5485b52ec ("drivers: of: add initialization code for static reserved memory") Fixes: 3f0c8206644836e4 ("drivers: of: add initialization code for dynamic reserved memory") Signed-off-by: Geert Uytterhoeven Acked-by: Marek Szyprowski Link: https://lore.kernel.org/r/4a1117e72d13d26126f57be034c20dac02f1e915.1623835273.git.geert+renesas@glider.be Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit db45ea876743ecfc17cdb28073eada5b5576b81b Author: Richard Fitzgerald Date: Wed Jun 16 14:56:04 2021 +0100 ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK [ Upstream commit fac165f22ac947b55407cd3a60a2a9824f905235 ] The definition of CS42L42_ADC_PDN_MASK was incorrectly defined as the HP_PDN bit. Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") Signed-off-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20210616135604.19363-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 55bb225c08787f0c9601fe52c4eec07be097ab80 Author: Jonathan Cameron Date: Sun Jun 13 16:23:01 2021 +0100 iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 92babc9938ebbf4050f2fba774836f7edc16a570 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here an explicit structure is not used, because the holes would necessitate the addition of an explict memset(), to avoid a kernel data leak, making for a less minimal fix. Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.") Signed-off-by: Jonathan Cameron Cc: Mathieu Othacehe Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-9-jic23@kernel.org Signed-off-by: Sasha Levin commit 49739675048d372946c1ef136c466d5675eba9f0 Author: Jonathan Cameron Date: Sun Jun 13 16:23:00 2021 +0100 iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit ec90b52c07c0403a6db60d752484ec08d605ead0 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here an explicit structure is not used, because the holes would necessitate the addition of an explict memset(), to avoid a potential kernel data leak, making for a less minimal fix. Fixes: 55707294c4eb ("iio: light: Add support for vishay vcnl4035") Signed-off-by: Jonathan Cameron Cc: Parthiban Nallathambi Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-8-jic23@kernel.org Signed-off-by: Sasha Levin commit c850b52e47aa108758f032df916e34f82d1d46f9 Author: Maciej W. Rozycki Date: Thu Jun 10 20:38:34 2021 +0200 serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates [ Upstream commit 78bcae8616ac277d6cb7f38e211493948ed73e30 ] Support for magic baud rate divisors of 32770 and 32769 used with SMSC Super I/O chips for extra baud rates of 230400 and 460800 respectively where base rate is 115200[1] has been added around Linux 2.5.64, which predates our repo history, but the origin could be identified as commit 2a717aad772f ("Merge with Linux 2.5.64.") with the old MIPS/Linux repo also at: . Code that is now in `serial8250_do_get_divisor' was added back then to `serial8250_get_divisor', but that code would only ever trigger if one of the higher baud rates was actually requested, and that cannot ever happen, because the earlier call to `serial8250_get_baud_rate' never returns them. This is because it calls `uart_get_baud_rate' with the maximum requested being the base rate, that is clk/16 or 115200 for SMSC chips at their nominal clock rate. Fix it then and allow UPF_MAGIC_MULTIPLIER baud rates to be selected, by requesting the maximum baud rate of clk/4 rather than clk/16 if the flag has been set. Also correct the minimum baud rate, observing that these ports only support actual (non-magic) divisors of up to 32767 only. References: [1] "FDC37M81x, PC98/99 Compliant Enhanced Super I/O Controller with Keyboard/Mouse Wake-Up", Standard Microsystems Corporation, Rev. 03/27/2000, Table 31 - "Baud Rates", p. 77 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Maciej W. Rozycki Link: https://lore.kernel.org/r/alpine.DEB.2.21.2105190412280.29169@angie.orcam.me.uk Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5db39ad3fa322dd14add2957708cb36d599b52af Author: Sergio Paracuellos Date: Mon Jun 14 12:06:17 2021 +0200 staging: mt7621-dts: fix pci address for PCI memory range [ Upstream commit 5b4f167ef3555ec4c334a8dc89c1b44bb2c6bff5 ] Driver code call 'devm_of_pci_get_host_bridge_resources' to get resources and properly fill 'bridge->windows' and 'bridge->dma_ranges'. After parsing the ranges and store as resources, at the end it makes a call to pci function 'pci_add_resource_offset' to set the offset for the memory resource. To calculate offset, resource start address subtracts pci address of the range. MT7621 does not need any offset for the memory resource. Moreover, setting an offset got into 'WARN_ON' calls from pci devices driver code. Until now memory range pci_addr was being '0x00000000' and res->start is '0x60000000' but becase pci controller driver was manually setting resources and adding them using pci function 'pci_add_resource' where a zero is passed as offset, things was properly working. Since PCI_IOBASE is defined now for ralink we don't set nothing manually anymore so we have to properly fix PCI address for this range to make things work and the new pci address must be set to '0x60000000'. Doing in this way the subtract result obtain zero as offset and pci device driver code properly works. Fixes: d59578da2bb8 ("staging: mt7621-dts: add dts files") Signed-off-by: Sergio Paracuellos Link: https://lore.kernel.org/r/20210614100617.28753-4-sergio.paracuellos@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c5cd4b74fd8a51d6104b8801269dd47f98f84842 Author: Junhao He Date: Mon Jun 14 11:58:57 2021 -0600 coresight: core: Fix use of uninitialized pointer [ Upstream commit d777a8991847729ec4e2a13fcad58c2b00bb19dc ] Currently the pointer "sink" might be checked before initialized. Fix this by initializing this pointer. Link: https://lore.kernel.org/r/1620912469-52222-2-git-send-email-liuqi115@huawei.com Fixes: 6d578258b955 ("coresight: Make sysfs functional on topologies with per core sink") Signed-off-by: Junhao He Signed-off-by: Qi Liu Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20210614175901.532683-3-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 58c0621c44a5a6edd1f522baf0504762c8860ee0 Author: Pavel Skripkin Date: Mon Jun 14 01:00:19 2021 +0300 staging: rtl8712: fix memory leak in rtl871x_load_fw_cb [ Upstream commit e02a3b945816a77702a2769a70ef5f9b06e49d54 ] There is a leak in rtl8712 driver. The problem was in non-freed adapter data if firmware load failed. This leak can be reproduced with this code: https://syzkaller.appspot.com/text?tag=ReproC&x=16612f02d00000, Autoload must fail (to not hit memory leak reported by syzkaller) There are 2 possible ways how rtl871x_load_fw_cb() and r871xu_dev_remove() can be called (in case of fw load error). 1st case: r871xu_dev_remove() then rtl871x_load_fw_cb() In this case r871xu_dev_remove() will wait for completion and then will jump to the end, because rtl871x_load_fw_cb() set intfdata to NULL: if (pnetdev) { struct _adapter *padapter = netdev_priv(pnetdev); /* never exit with a firmware callback pending */ wait_for_completion(&padapter->rtl8712_fw_ready); pnetdev = usb_get_intfdata(pusb_intf); usb_set_intfdata(pusb_intf, NULL); if (!pnetdev) goto firmware_load_fail; ... clean up code here ... } 2nd case: rtl871x_load_fw_cb() then r871xu_dev_remove() In this case pnetdev (from code snippet above) will be zero (because rtl871x_load_fw_cb() set it to NULL) And clean up code won't be executed again. So, in all cases we need to free adapted data in rtl871x_load_fw_cb(), because disconnect function cannot take care of it. And there won't be any race conditions, because complete() call happens after setting intfdata to NULL. In previous patch I moved out free_netdev() from r8712_free_drv_sw() and that's why now it's possible to free adapter data and then call complete. Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading") Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/81e68fe0194499cc2e7692d35bc4dcf167827d8f.1623620630.git.paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bf5d6f69798187d55c2db92717cba6e095cb92b2 Author: Pavel Skripkin Date: Mon Jun 14 01:00:13 2021 +0300 staging: rtl8712: fix error handling in r871xu_drv_init [ Upstream commit d1d3e3cdfda8eb91f0e24be7ec8be1e6e01b3a1c ] Previous error handling path was unique for all possible errors and there was unnecessary branching. Also, one step for freeing drv_sw was missing. All these problems was fixed by restructuring error handling path. Also, moved out free_netdev() from r8712_free_drv_sw() for correct error handling. Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/febb00f72354449bb4d305f373d6d2f47e539ab4.1623620630.git.paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7bc3fa5db49503a145ec7b0bd50a8c5ab4f9f9b9 Author: Dan Carpenter Date: Mon Jun 14 12:58:36 2021 +0300 staging: gdm724x: check for overflow in gdm_lte_netif_rx() [ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ] This code assumes that "len" is at least 62 bytes, but we need a check to prevent a read overflow. Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f93737061067f95af5e8058793e8bcac95473588 Author: Dan Carpenter Date: Mon Jun 14 12:55:35 2021 +0300 staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() [ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ] There needs to be a check to verify that we don't read beyond the end of "buf". This function is called from do_rx(). The "buf" is the USB transfer_buffer and "len" is "urb->actual_length". Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 14106b90e147bd7084d3641f55cd20ad08a88537 Author: Shengjiu Wang Date: Fri Jun 11 14:18:38 2021 +0800 ASoC: fsl_spdif: Fix error handler with pm_runtime_enable [ Upstream commit 28108d71ee11a7232e1102effab3361049dcd3b8 ] There is error message when defer probe happens: fsl-spdif-dai 2dab0000.spdif: Unbalanced pm_runtime_enable! Fix the error handler with pm_runtime_enable and add fsl_spdif_remove() for pm_runtime_disable. Fixes: 9cb2b3796e08 ("ASoC: fsl_spdif: Add pm runtime function") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1623392318-26304-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9cf11dca57a5db964af61cac5a784985dd6a7507 Author: Jonathan Cameron Date: Sun Jun 13 16:22:59 2021 +0100 iio: light: vcnl4000: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit dce793c0ab00c35039028fdcd5ce123805a01361 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here an explicit structure is not used, because the holes would necessitate the addition of an explict memset(), to avoid a kernel data leak, making for a less minimal fix. Found during an audit of all callers of iio_push_to_buffers_with_timestamp() Fixes: 8fe78d5261e7 ("iio: vcnl4000: Add buffer support for VCNL4010/20.") Signed-off-by: Jonathan Cameron Cc: Mathieu Othacehe Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-7-jic23@kernel.org Signed-off-by: Sasha Levin commit 8c85c0f8cbff0825f38ea631d3dff34e31c6573a Author: Jonathan Cameron Date: Sun Jun 13 16:22:58 2021 +0100 iio: magn: rm3100: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit b8f939fd20690623cb24845a563e7bc1e4a21482 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here an explicit structure is not used, because this buffer is used in a non-trivial way for data repacking. Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100") Signed-off-by: Jonathan Cameron Cc: Song Qiang Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-6-jic23@kernel.org Signed-off-by: Sasha Levin commit c923e9effe50b0a83e74e1940afbecef5456bfda Author: Jonathan Cameron Date: Sun Jun 13 16:22:57 2021 +0100 iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Fixes: f214ff521fb1 ("iio: ti-ads8688: Update buffer allocation for timestamps") Signed-off-by: Jonathan Cameron Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-5-jic23@kernel.org Signed-off-by: Sasha Levin commit 15634d6dced145be64a909b25333a4ab045b734a Author: Jonathan Cameron Date: Sun Jun 13 16:22:56 2021 +0100 iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 6a6be221b8bd561b053f0701ec752a5ed9007f69 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Add a comment on why the buffer is the size it is as not immediately obvious. Found during an audit of all calls of this function. Fixes: 6dd112b9f85e ("iio: adc: mxs-lradc: Add support for ADC driver") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-4-jic23@kernel.org Signed-off-by: Sasha Levin commit a6a1e347c7a0106de4b73b76312b008c128f4620 Author: Jonathan Cameron Date: Sun Jun 13 16:22:55 2021 +0100 iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit afe2a789fbf7acd1a05407fc7839cc08d23825e3 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: d3bf60450d47 ("iio: hx711: add triggered buffer support") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-3-jic23@kernel.org Signed-off-by: Sasha Levin commit 2abfdd61324cb51a8bc2ae0445a91f21095fdb1f Author: Jonathan Cameron Date: Sun Jun 13 16:22:54 2021 +0100 iio: adc: at91-sama5d2: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 8f884758966259fa8c50c137ac6d4ce9bb7859db ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support") Signed-off-by: Jonathan Cameron Cc: Eugen Hristev Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 2abfa5294717df154e345df77d58b794f8c9d5ba Author: Mika Westerberg Date: Mon Jun 7 13:37:46 2021 +0300 thunderbolt: Bond lanes only when dual_link_port != NULL in alloc_dev_default() [ Upstream commit a0d36fa1065901f939b04587a09c65303a64ac88 ] We should not dereference ->dual_link_port if it is NULL and lane bonding is requested. For this reason move lane bonding configuration happen inside the block where ->dual_link_port != NULL. Fixes: 54509f5005ca ("thunderbolt: Add KUnit tests for path walking") Reported-by: kernel test robot Reported-by: Dan Carpenter Reviewed-by: Yehezkel Bernat Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin commit 36f60700f966627088a67c31c719a50c8e875315 Author: Andy Shevchenko Date: Tue Jun 8 01:17:56 2021 +0300 eeprom: idt_89hpesx: Restore printing the unsupported fwnode name [ Upstream commit e0db3deea73ba418bf5dc21f5a4e32ca87d16dde ] When iterating over child firmware nodes restore printing the name of ones that are not supported. While at it, refactor loop body to clearly show that we stop at the first match. Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") Cc: Huy Duong Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210607221757.81465-2-andy.shevchenko@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fc8ab06001721adffeab289d29838a0dfd0811c2 Author: Andy Shevchenko Date: Tue Jun 8 01:17:55 2021 +0300 eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() [ Upstream commit 3f6ee1c095156a74ab2df605af13020f1ce3e600 ] device_get_next_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") Cc: Huy Duong Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210607221757.81465-1-andy.shevchenko@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c7188d19989b2349943e92d3953be50f1032189d Author: Clément Lassieur Date: Thu Jun 3 17:59:21 2021 +0200 usb: dwc2: Don't reset the core after setting turnaround time [ Upstream commit aafe93516b8567ab5864e1f4cd3eeabc54fb0e5a ] Every time the hub signals a reset while we (device) are hsotg->connected, dwc2_hsotg_core_init_disconnected() is called, which in turn calls dwc2_hs_phy_init(). GUSBCFG.USBTrdTim is cleared upon Core Soft Reset, so if hsotg->params.phy_utmi_width is 8-bit, the value of GUSBCFG.USBTrdTim (the default one: 0x5, corresponding to 16-bit) is always different from hsotg->params.phy_utmi_width, thus dwc2_core_reset() is called every time (usbcfg != usbcfg_old), which causes 2 issues: 1) The call to dwc2_core_reset() does another reset 300us after the initial Chirp K of the first reset (which should last at least Tuch = 1ms), and messes up the High-speed Detection Handshake: both hub and device drive current into the D+ and D- lines at the same time. 2) GUSBCFG.USBTrdTim is cleared by the second reset, so its value is always the default one (0x5). Setting GUSBCFG.USBTrdTim after the potential call to dwc2_core_reset() fixes both issues. It is now set even when select_phy is false because the cost of the Core Soft Reset is removed. Fixes: 1e868545f2bb ("usb: dwc2: gadget: Move gadget phy init into core phy init") Signed-off-by: Clément Lassieur Link: https://lore.kernel.org/r/20210603155921.940651-1-clement@lassieur.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8aa1cb46b72e2a6cb6345ffdb696fff412c0cd48 Author: Andrew Gabbasov Date: Thu Jun 3 12:15:07 2021 -0500 usb: gadget: f_fs: Fix setting of device and driver data cross-references [ Upstream commit ecfbd7b9054bddb12cea07fda41bb3a79a7b0149 ] FunctionFS device structure 'struct ffs_dev' and driver data structure 'struct ffs_data' are bound to each other with cross-reference pointers 'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one is supposed to be valid through the whole life of 'struct ffs_data' (and while 'struct ffs_dev' exists non-freed), the second one is cleared in 'ffs_closed()' (called from 'ffs_data_reset()' or the last 'ffs_data_put()'). This can be called several times, alternating in different order with 'ffs_free_inst()', that, if possible, clears the other cross-reference. As a result, different cases of these calls order may leave stale cross-reference pointers, used when the pointed structure is already freed. Even if it occasionally doesn't cause kernel crash, this error is reported by KASAN-enabled kernel configuration. For example, the case [last 'ffs_data_put()' - 'ffs_free_inst()'] was fixed by commit cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst"). The other case ['ffs_data_reset()' - 'ffs_free_inst()' - 'ffs_data_put()'] now causes KASAN reported error [1], when 'ffs_data_reset()' clears 'ffs_dev->ffs_data', then 'ffs_free_inst()' frees the 'struct ffs_dev', but can't clear 'ffs_data->private_data', which is then accessed in 'ffs_closed()' called from 'ffs_data_put()'. This happens since 'ffs_dev->ffs_data' reference is cleared too early. Moreover, one more use case, when 'ffs_free_inst()' is called immediately after mounting FunctionFS device (that is before the descriptors are written and 'ffs_ready()' is called), and then 'ffs_data_reset()' or 'ffs_data_put()' is called from accessing "ep0" file or unmounting the device. This causes KASAN error report like [2], since 'ffs_dev->ffs_data' is not yet set when 'ffs_free_inst()' can't properly clear 'ffs_data->private_data', that is later accessed to freed structure. Fix these (and may be other) cases of stale pointers access by moving setting and clearing of the mentioned cross-references to the single places, setting both of them when 'struct ffs_data' is created and bound to 'struct ffs_dev', and clearing both of them when one of the structures is destroyed. It seems convenient to make this pointer initialization and structures binding in 'ffs_acquire_dev()' and make pointers clearing in 'ffs_release_dev()'. This required some changes in these functions parameters and return types. Also, 'ffs_release_dev()' calling requires some cleanup, fixing minor issues, like (1) 'ffs_release_dev()' is not called if 'ffs_free_inst()' is called without unmounting the device, and "release_dev" callback is not called at all, or (2) "release_dev" callback is called before "ffs_closed" callback on unmounting, which seems to be not correctly nested with "acquire_dev" and "ffs_ready" callbacks. Make this cleanup togther with other mentioned 'ffs_release_dev()' changes. [1] ================================================================== root@rcar-gen3:~# mkdir /dev/cfs root@rcar-gen3:~# mkdir /dev/ffs root@rcar-gen3:~# modprobe libcomposite root@rcar-gen3:~# mount -t configfs none /dev/cfs root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 64.340664] file system registered root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs root@rcar-gen3:~# cd /dev/ffs root@rcar-gen3:/dev/ffs# /home/root/ffs-test ffs-test: info: ep0: writing descriptors (in v2 format) [ 83.181442] read descriptors [ 83.186085] read strings ffs-test: info: ep0: writing strings ffs-test: dbg: ep1: starting ffs-test: dbg: ep2: starting ffs-test: info: ep1: starts ffs-test: info: ep2: starts ffs-test: info: ep0: starts ^C root@rcar-gen3:/dev/ffs# cd /home/root/ root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 98.935061] unloading root@rcar-gen3:~# umount /dev/ffs [ 102.734301] ================================================================== [ 102.742059] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs] [ 102.749683] Write of size 1 at addr ffff0004d46ff549 by task umount/2997 [ 102.756709] [ 102.758311] CPU: 0 PID: 2997 Comm: umount Not tainted 5.13.0-rc4+ #8 [ 102.764971] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 102.772179] Call trace: [ 102.774779] dump_backtrace+0x0/0x330 [ 102.778653] show_stack+0x20/0x2c [ 102.782152] dump_stack+0x11c/0x1ac [ 102.785833] print_address_description.constprop.0+0x30/0x274 [ 102.791862] kasan_report+0x14c/0x1c8 [ 102.795719] __asan_report_store1_noabort+0x34/0x58 [ 102.800840] ffs_release_dev+0x64/0xa8 [usb_f_fs] [ 102.805801] ffs_fs_kill_sb+0x50/0x84 [usb_f_fs] [ 102.810663] deactivate_locked_super+0xa0/0xf0 [ 102.815339] deactivate_super+0x98/0xac [ 102.819378] cleanup_mnt+0xd0/0x1b0 [ 102.823057] __cleanup_mnt+0x1c/0x28 [ 102.826823] task_work_run+0x104/0x180 [ 102.830774] do_notify_resume+0x458/0x14e0 [ 102.835083] work_pending+0xc/0x5f8 [ 102.838762] [ 102.840357] Allocated by task 2988: [ 102.844032] kasan_save_stack+0x28/0x58 [ 102.848071] kasan_set_track+0x28/0x3c [ 102.852016] ____kasan_kmalloc+0x84/0x9c [ 102.856142] __kasan_kmalloc+0x10/0x1c [ 102.860088] __kmalloc+0x214/0x2f8 [ 102.863678] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] [ 102.868990] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] [ 102.873942] try_get_usb_function_instance+0xf0/0x164 [libcomposite] [ 102.880629] usb_get_function_instance+0x64/0x68 [libcomposite] [ 102.886858] function_make+0x128/0x1ec [libcomposite] [ 102.892185] configfs_mkdir+0x330/0x590 [configfs] [ 102.897245] vfs_mkdir+0x12c/0x1bc [ 102.900835] do_mkdirat+0x180/0x1d0 [ 102.904513] __arm64_sys_mkdirat+0x80/0x94 [ 102.908822] invoke_syscall+0xf8/0x25c [ 102.912772] el0_svc_common.constprop.0+0x150/0x1a0 [ 102.917891] do_el0_svc+0xa0/0xd4 [ 102.921386] el0_svc+0x24/0x34 [ 102.924613] el0_sync_handler+0xcc/0x154 [ 102.928743] el0_sync+0x198/0x1c0 [ 102.932238] [ 102.933832] Freed by task 2996: [ 102.937144] kasan_save_stack+0x28/0x58 [ 102.941181] kasan_set_track+0x28/0x3c [ 102.945128] kasan_set_free_info+0x28/0x4c [ 102.949435] ____kasan_slab_free+0x104/0x118 [ 102.953921] __kasan_slab_free+0x18/0x24 [ 102.958047] slab_free_freelist_hook+0x148/0x1f0 [ 102.962897] kfree+0x318/0x440 [ 102.966123] ffs_free_inst+0x164/0x2d8 [usb_f_fs] [ 102.971075] usb_put_function_instance+0x84/0xa4 [libcomposite] [ 102.977302] ffs_attr_release+0x18/0x24 [usb_f_fs] [ 102.982344] config_item_put+0x140/0x1a4 [configfs] [ 102.987486] configfs_rmdir+0x3fc/0x518 [configfs] [ 102.992535] vfs_rmdir+0x114/0x234 [ 102.996122] do_rmdir+0x274/0x2b0 [ 102.999617] __arm64_sys_unlinkat+0x94/0xc8 [ 103.004015] invoke_syscall+0xf8/0x25c [ 103.007961] el0_svc_common.constprop.0+0x150/0x1a0 [ 103.013080] do_el0_svc+0xa0/0xd4 [ 103.016575] el0_svc+0x24/0x34 [ 103.019801] el0_sync_handler+0xcc/0x154 [ 103.023930] el0_sync+0x198/0x1c0 [ 103.027426] [ 103.029020] The buggy address belongs to the object at ffff0004d46ff500 [ 103.029020] which belongs to the cache kmalloc-128 of size 128 [ 103.042079] The buggy address is located 73 bytes inside of [ 103.042079] 128-byte region [ffff0004d46ff500, ffff0004d46ff580) [ 103.054236] The buggy address belongs to the page: [ 103.059262] page:0000000021aa849b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0004d46fee00 pfn:0x5146fe [ 103.070437] head:0000000021aa849b order:1 compound_mapcount:0 [ 103.076456] flags: 0x8000000000010200(slab|head|zone=2) [ 103.081948] raw: 8000000000010200 fffffc0013521a80 0000000d0000000d ffff0004c0002300 [ 103.090052] raw: ffff0004d46fee00 000000008020001e 00000001ffffffff 0000000000000000 [ 103.098150] page dumped because: kasan: bad access detected [ 103.103985] [ 103.105578] Memory state around the buggy address: [ 103.110602] ffff0004d46ff400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.118161] ffff0004d46ff480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.125726] >ffff0004d46ff500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.133284] ^ [ 103.139120] ffff0004d46ff580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.146679] ffff0004d46ff600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.154238] ================================================================== [ 103.161792] Disabling lock debugging due to kernel taint [ 103.167319] Unable to handle kernel paging request at virtual address 0037801d6000018e [ 103.175406] Mem abort info: [ 103.178457] ESR = 0x96000004 [ 103.181609] EC = 0x25: DABT (current EL), IL = 32 bits [ 103.187020] SET = 0, FnV = 0 [ 103.190185] EA = 0, S1PTW = 0 [ 103.193417] Data abort info: [ 103.196385] ISV = 0, ISS = 0x00000004 [ 103.200315] CM = 0, WnR = 0 [ 103.203366] [0037801d6000018e] address between user and kernel address ranges [ 103.210611] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 103.216231] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk sata_rc4 [ 103.259233] CPU: 0 PID: 2997 Comm: umount Tainted: G B 5.13.0-rc4+ #8 [ 103.267031] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 103.273951] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) [ 103.280001] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] [ 103.285197] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] [ 103.290385] sp : ffff800014777a80 [ 103.293725] x29: ffff800014777a80 x28: ffff0004d7649c80 x27: 0000000000000000 [ 103.300931] x26: ffff800014777fb0 x25: ffff60009aec9394 x24: ffff0004d7649ca4 [ 103.308136] x23: 1fffe0009a3d063a x22: dfff800000000000 x21: ffff0004d1e831d0 [ 103.315340] x20: e1c000eb00000bb4 x19: ffff0004d1e83000 x18: 0000000000000000 [ 103.322545] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 103.329748] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000012ef658 [ 103.336952] x11: ffff7000012ef658 x10: 0720072007200720 x9 : ffff800011322648 [ 103.344157] x8 : ffff800014777818 x7 : ffff80000977b2c7 x6 : 0000000000000000 [ 103.351359] x5 : 0000000000000001 x4 : ffff7000012ef659 x3 : 0000000000000001 [ 103.358562] x2 : 0000000000000000 x1 : 1c38001d6000018e x0 : e1c000eb00000c70 [ 103.365766] Call trace: [ 103.368235] ffs_data_clear+0x138/0x370 [usb_f_fs] [ 103.373076] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 103.377829] ffs_data_closed+0x1ec/0x244 [usb_f_fs] [ 103.382755] ffs_fs_kill_sb+0x70/0x84 [usb_f_fs] [ 103.387420] deactivate_locked_super+0xa0/0xf0 [ 103.391905] deactivate_super+0x98/0xac [ 103.395776] cleanup_mnt+0xd0/0x1b0 [ 103.399299] __cleanup_mnt+0x1c/0x28 [ 103.402906] task_work_run+0x104/0x180 [ 103.406691] do_notify_resume+0x458/0x14e0 [ 103.410823] work_pending+0xc/0x5f8 [ 103.414351] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) [ 103.420490] ---[ end trace 57b43a50e8244f57 ]--- Segmentation fault root@rcar-gen3:~# ================================================================== [2] ================================================================== root@rcar-gen3:~# mkdir /dev/ffs root@rcar-gen3:~# modprobe libcomposite root@rcar-gen3:~# root@rcar-gen3:~# mount -t configfs none /dev/cfs root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 54.766480] file system registered root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 63.197597] unloading root@rcar-gen3:~# cat /dev/ffs/ep0 cat: read error:[ 67.213506] ================================================================== [ 67.222095] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs] [ 67.229699] Write of size 1 at addr ffff0004c26e974a by task cat/2994 [ 67.236446] [ 67.238045] CPU: 0 PID: 2994 Comm: cat Not tainted 5.13.0-rc4+ #8 [ 67.244431] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 67.251624] Call trace: [ 67.254212] dump_backtrace+0x0/0x330 [ 67.258081] show_stack+0x20/0x2c [ 67.261579] dump_stack+0x11c/0x1ac [ 67.265260] print_address_description.constprop.0+0x30/0x274 [ 67.271286] kasan_report+0x14c/0x1c8 [ 67.275143] __asan_report_store1_noabort+0x34/0x58 [ 67.280265] ffs_data_clear+0x70/0x370 [usb_f_fs] [ 67.285220] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 67.290172] ffs_data_closed+0x240/0x244 [usb_f_fs] [ 67.295305] ffs_ep0_release+0x40/0x54 [usb_f_fs] [ 67.300256] __fput+0x304/0x580 [ 67.303576] ____fput+0x18/0x24 [ 67.306893] task_work_run+0x104/0x180 [ 67.310846] do_notify_resume+0x458/0x14e0 [ 67.315154] work_pending+0xc/0x5f8 [ 67.318834] [ 67.320429] Allocated by task 2988: [ 67.324105] kasan_save_stack+0x28/0x58 [ 67.328144] kasan_set_track+0x28/0x3c [ 67.332090] ____kasan_kmalloc+0x84/0x9c [ 67.336217] __kasan_kmalloc+0x10/0x1c [ 67.340163] __kmalloc+0x214/0x2f8 [ 67.343754] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] [ 67.349066] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] [ 67.354017] try_get_usb_function_instance+0xf0/0x164 [libcomposite] [ 67.360705] usb_get_function_instance+0x64/0x68 [libcomposite] [ 67.366934] function_make+0x128/0x1ec [libcomposite] [ 67.372260] configfs_mkdir+0x330/0x590 [configfs] [ 67.377320] vfs_mkdir+0x12c/0x1bc [ 67.380911] do_mkdirat+0x180/0x1d0 [ 67.384589] __arm64_sys_mkdirat+0x80/0x94 [ 67.388899] invoke_syscall+0xf8/0x25c [ 67.392850] el0_svc_common.constprop.0+0x150/0x1a0 [ 67.397969] do_el0_svc+0xa0/0xd4 [ 67.401464] el0_svc+0x24/0x34 [ 67.404691] el0_sync_handler+0xcc/0x154 [ 67.408819] el0_sync+0x198/0x1c0 [ 67.412315] [ 67.413909] Freed by task 2993: [ 67.417220] kasan_save_stack+0x28/0x58 [ 67.421257] kasan_set_track+0x28/0x3c [ 67.425204] kasan_set_free_info+0x28/0x4c [ 67.429513] ____kasan_slab_free+0x104/0x118 [ 67.434001] __kasan_slab_free+0x18/0x24 [ 67.438128] slab_free_freelist_hook+0x148/0x1f0 [ 67.442978] kfree+0x318/0x440 [ 67.446205] ffs_free_inst+0x164/0x2d8 [usb_f_fs] [ 67.451156] usb_put_function_instance+0x84/0xa4 [libcomposite] [ 67.457385] ffs_attr_release+0x18/0x24 [usb_f_fs] [ 67.462428] config_item_put+0x140/0x1a4 [configfs] [ 67.467570] configfs_rmdir+0x3fc/0x518 [configfs] [ 67.472626] vfs_rmdir+0x114/0x234 [ 67.476215] do_rmdir+0x274/0x2b0 [ 67.479710] __arm64_sys_unlinkat+0x94/0xc8 [ 67.484108] invoke_syscall+0xf8/0x25c [ 67.488055] el0_svc_common.constprop.0+0x150/0x1a0 [ 67.493175] do_el0_svc+0xa0/0xd4 [ 67.496671] el0_svc+0x24/0x34 [ 67.499896] el0_sync_handler+0xcc/0x154 [ 67.504024] el0_sync+0x198/0x1c0 [ 67.507520] [ 67.509114] The buggy address belongs to the object at ffff0004c26e9700 [ 67.509114] which belongs to the cache kmalloc-128 of size 128 [ 67.522171] The buggy address is located 74 bytes inside of [ 67.522171] 128-byte region [ffff0004c26e9700, ffff0004c26e9780) [ 67.534328] The buggy address belongs to the page: [ 67.539355] page:000000003177a217 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5026e8 [ 67.549175] head:000000003177a217 order:1 compound_mapcount:0 [ 67.555195] flags: 0x8000000000010200(slab|head|zone=2) [ 67.560687] raw: 8000000000010200 fffffc0013037100 0000000c00000002 ffff0004c0002300 [ 67.568791] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 67.576890] page dumped because: kasan: bad access detected [ 67.582725] [ 67.584318] Memory state around the buggy address: [ 67.589343] ffff0004c26e9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.596903] ffff0004c26e9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.604463] >ffff0004c26e9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.612022] ^ [ 67.617860] ffff0004c26e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.625421] ffff0004c26e9800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.632981] ================================================================== [ 67.640535] Disabling lock debugging due to kernel taint File descriptor[ 67.646100] Unable to handle kernel paging request at virtual address fabb801d4000018d in bad state [ 67.655456] Mem abort info: [ 67.659619] ESR = 0x96000004 [ 67.662801] EC = 0x25: DABT (current EL), IL = 32 bits [ 67.668225] SET = 0, FnV = 0 [ 67.671375] EA = 0, S1PTW = 0 [ 67.674613] Data abort info: [ 67.677587] ISV = 0, ISS = 0x00000004 [ 67.681522] CM = 0, WnR = 0 [ 67.684588] [fabb801d4000018d] address between user and kernel address ranges [ 67.691849] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 67.697470] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha1_ce evdev sata_rcar libata xhci_plat_hcd scsi_mod xhci_hcd rene4 [ 67.740467] CPU: 0 PID: 2994 Comm: cat Tainted: G B 5.13.0-rc4+ #8 [ 67.748005] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 67.754924] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) [ 67.760974] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] [ 67.766178] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] [ 67.771365] sp : ffff800014767ad0 [ 67.774706] x29: ffff800014767ad0 x28: ffff800009cf91c0 x27: ffff0004c54861a0 [ 67.781913] x26: ffff0004dc90b288 x25: 1fffe00099ec10f5 x24: 00000000000a801d [ 67.789118] x23: 1fffe00099f6953a x22: dfff800000000000 x21: ffff0004cfb4a9d0 [ 67.796322] x20: d5e000ea00000bb1 x19: ffff0004cfb4a800 x18: 0000000000000000 [ 67.803526] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 67.810730] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000028ecefa [ 67.817934] x11: ffff7000028ecefa x10: 0720072007200720 x9 : ffff80001132c014 [ 67.825137] x8 : ffff8000147677d8 x7 : ffff8000147677d7 x6 : 0000000000000000 [ 67.832341] x5 : 0000000000000001 x4 : ffff7000028ecefb x3 : 0000000000000001 [ 67.839544] x2 : 0000000000000005 x1 : 1abc001d4000018d x0 : d5e000ea00000c6d [ 67.846748] Call trace: [ 67.849218] ffs_data_clear+0x138/0x370 [usb_f_fs] [ 67.854058] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 67.858810] ffs_data_closed+0x240/0x244 [usb_f_fs] [ 67.863736] ffs_ep0_release+0x40/0x54 [usb_f_fs] [ 67.868488] __fput+0x304/0x580 [ 67.871665] ____fput+0x18/0x24 [ 67.874837] task_work_run+0x104/0x180 [ 67.878622] do_notify_resume+0x458/0x14e0 [ 67.882754] work_pending+0xc/0x5f8 [ 67.886282] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) [ 67.892422] ---[ end trace 6d7cedf53d7abbea ]--- Segmentation fault root@rcar-gen3:~# ================================================================== Fixes: 4b187fceec3c ("usb: gadget: FunctionFS: add devices management code") Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") Fixes: cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst") Reported-by: Bhuvanesh Surachari Tested-by: Eugeniu Rosca Reviewed-by: Eugeniu Rosca Signed-off-by: Andrew Gabbasov Link: https://lore.kernel.org/r/20210603171507.22514-1-andrew_gabbasov@mentor.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d4d3cd4c76994f55ea7747b9934d103d25977964 Author: Christophe JAILLET Date: Sun Jun 6 16:31:09 2021 +0200 ASoC: mediatek: mtk-btcvsd: Fix an error handling path in 'mtk_btcvsd_snd_probe()' [ Upstream commit b6052c3c7a78f5e2b9756c92ef77c0b56435f107 ] If an error occurs after a successful 'of_iomap()' call, it must be undone by a corresponding 'iounmap()' call, as already done in the remove function. While at it, remove the useless initialization of 'ret' at the beginning of the function. Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0c2ba562c3364e61bfbd5b3013a99dfa0d9045d7.1622989685.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 92a30a90d69ae0c0b44ef4ef2636b675c21f1acf Author: Bard Liao Date: Mon Jun 7 17:22:37 2021 -0500 ASoC: rt5682-sdw: set regcache_cache_only false before reading RT5682_DEVICE_ID [ Upstream commit c0372bc873dd29f325ee908351e0bd5b08d4d608 ] RT5682_DEVICE_ID is a volatile register, we can not read it in cache only mode. Fixes: 03f6fc6de919 ("ASoC: rt5682: Add the soundwire support") Signed-off-by: Bard Liao Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210607222239.582139-14-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 696cfb25679452721215c193ba6f72eebfe7a842 Author: Shuming Fan Date: Mon Jan 11 17:27:40 2021 +0800 ASoC: rt5682: fix getting the wrong device id when the suspend_stress_test [ Upstream commit 867f8d18df4f5ccd6c2daf4441a6adeca0b9725b ] This patch will be the workaround to fix getting the wrong device ID on the rare chance. It seems like something unstable when the system resumes. e.g. the bus clock This patch tries to read the device ID to check several times. After the test, the driver will get the correct device ID the second time. Signed-off-by: Shuming Fan Link: https://lore.kernel.org/r/20210111092740.9128-1-shumingf@realtek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8ef111db5e077c09529b9446e41d893663d04d60 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:34 2021 -0500 ASoC: rt715-sdw: use first_hw_init flag on resume [ Upstream commit dbc07517ab173688ef11234d1099bc1e24e4f14b ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. BugLink: https://github.com/thesofproject/linux/issues/2908 BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: d1ede0641b05e ('ASoC: rt715: add RT715 codec driver') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-11-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 36dc6957f70f1e4a4732b43e23d1df8492efba01 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:32 2021 -0500 ASoC: rt711-sdw: use first_hw_init flag on resume [ Upstream commit a0897ebca669f09a2e02206a9c48a738af655329 ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. BugLink: https://github.com/thesofproject/linux/issues/2908 BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: 320b8b0d13b81 ('ASoC: rt711: add rt711 codec driver') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-9-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit de77f9d92c3beb94526aef98d1d5c9b631419562 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:30 2021 -0500 ASoC: rt700-sdw: use first_hw_init flag on resume [ Upstream commit a9e54e5fbe396b546771cf77b43ce7c75e212278 ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. BugLink: https://github.com/thesofproject/linux/issues/2908 BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: 7d2a5f9ae41e3 ('ASoC: rt700: add rt700 codec driver') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-7-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e1456cba8e3629faa47d917f0c90689e02595d37 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:29 2021 -0500 ASoC: rt5682-sdw: use first_hw_init flag on resume [ Upstream commit 5361a42114689f875a9748299cadb4b1adbee6f4 ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. BugLink: https://github.com/thesofproject/linux/issues/2908 BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: 03f6fc6de9192 ('ASoC: rt5682: Add the soundwire support') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-6-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 16674ae3b2377852a200209be7e755a7cf1f1785 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:27 2021 -0500 ASoC: rt1308-sdw: use first_hw_init flag on resume [ Upstream commit 30e102dab5fad1db71684f8ac5e1ac74e49da06d ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. BugLink: https://github.com/thesofproject/linux/issues/2908 BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: a87a6653a28c0 ('ASoC: rt1308-sdw: add rt1308 SdW amplifier driver') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dc152164128717fb0828a268f4b7fe8c5e821e85 Author: Pierre-Louis Bossart Date: Mon Jun 7 17:22:26 2021 -0500 ASoC: max98373-sdw: use first_hw_init flag on resume [ Upstream commit bf881170311ea74ff30c3be0be8fb097132ce696 ] The intent of the status check on resume was to verify if a SoundWire peripheral reported ATTACHED before waiting for the initialization to complete. This is required to avoid timeouts that will happen with 'ghost' devices that are exposed in the platform firmware but are not populated in hardware. Unfortunately we used 'hw_init' instead of 'first_hw_init'. Due to another error, the resume operation never timed out, but the volume settings were not properly restored. This patch renames the status flag to 'first_hw_init' for consistency with other drivers. BugLink: https://github.com/thesofproject/linux/issues/2637 Fixes: 56a5b7910e96 ('ASoC: codecs: max98373: add SoundWire support') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20210607222239.582139-3-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 45a3d00eafb7112a1ee62c842124d750f6ff5551 Author: Srinath Mannam Date: Mon Sep 14 12:53:19 2020 +0530 iommu/dma: Fix IOVA reserve dma ranges [ Upstream commit 571f316074a203e979ea90211d9acf423dfe5f46 ] Fix IOVA reserve failure in the case when address of first memory region listed in dma-ranges is equal to 0x0. Fixes: aadad097cd46f ("iommu/dma: Reserve IOVA for PCIe inaccessible DMA address") Signed-off-by: Srinath Mannam Reviewed-by: Robin Murphy Tested-by: Sven Peter Link: https://lore.kernel.org/r/20200914072319.6091-1-srinath.mannam@broadcom.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit ad736838155c997a06c4da0b1309d96667ae61fa Author: Kees Cook Date: Wed May 26 20:25:37 2021 -0700 selftests: splice: Adjust for handler fallback removal [ Upstream commit 6daf076b717d189f4d02a303d45edd5732341ec1 ] Some pseudo-filesystems do not have an explicit splice fops since adding commit 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops"), and now will reject attempts to use splice() in those filesystem paths. Reported-by: kernel test robot Link: https://lore.kernel.org/lkml/202009181443.C2179FB@keescook/ Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") Cc: Christoph Hellwig Cc: Shuah Khan Cc: linux-kselftest@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 045c29902fbe435c2645c3c577842d25b873a30b Author: Randy Dunlap Date: Thu May 27 17:24:20 2021 -0700 s390: appldata depends on PROC_SYSCTL [ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ] APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS. Building with PROC_FS but not PROC_SYSCTL causes a build error, since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c. arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler': appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals' Fixes: c185b783b099 ("[S390] Remove config options.") Signed-off-by: Randy Dunlap Cc: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Cc: linux-s390@vger.kernel.org Signed-off-by: Vasily Gorbik Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 485b1c02b543fff54b0c33243d95b1a7f4fe06de Author: Niklas Schnelle Date: Fri Feb 19 12:00:52 2021 +0100 s390: enable HAVE_IOREMAP_PROT [ Upstream commit d460bb6c6417588dd8b0907d34f69b237918812a ] In commit b02002cc4c0f ("s390/pci: Implement ioremap_wc/prot() with MIO") we implemented both ioremap_wc() and ioremap_prot() however until now we had not set HAVE_IOREMAP_PROT in Kconfig, do so now. This also requires implementing pte_pgprot() as this is used in the generic_access_phys() code enabled by CONFIG_HAVE_IOREMAP_PROT. As with ioremap_wc() we need to take the MMIO Write Back bit index into account. Moreover since the pgprot value returned from pte_pgprot() is to be used for mappings into kernel address space we must make sure that it uses appropriate kernel page table protection bits. In particular a pgprot value originally coming from userspace could have the _PAGE_PROTECT bit set to enable fault based dirty bit accounting which would then make the mapping inaccessible when used in kernel address space. Fixes: b02002cc4c0f ("s390/pci: Implement ioremap_wc/prot() with MIO") Reviewed-by: Gerald Schaefer Signed-off-by: Niklas Schnelle Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit d65f69deac5cf916cc27762bccde8c8874421cae Author: Heiko Carstens Date: Thu Dec 10 22:30:09 2020 +0100 s390/irq: select HAVE_IRQ_EXIT_ON_IRQ_STACK [ Upstream commit 9ceed9988a8e6a1656ed2bdaa30501cf0f3dd925 ] irq_exit() is always called on async stack. Therefore select HAVE_IRQ_EXIT_ON_IRQ_STACK and get a tiny optimization in invoke_softirq(). Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit d8fe62cb919cebf3c66784535e62332fd4e75529 Author: Alexander Monakov Date: Tue May 4 13:22:20 2021 +0300 iommu/amd: Fix extended features logging [ Upstream commit 4b21a503adf597773e4b37db05db0e9b16a81d53 ] print_iommu_info prints the EFR register and then the decoded list of features on a separate line: pci 0000:00:00.2: AMD-Vi: Extended features (0x206d73ef22254ade): PPR X2APIC NX GT IA GA PC GA_vAPIC The second line is emitted via 'pr_cont', which causes it to have a different ('warn') loglevel compared to the previous line ('info'). Commit 9a295ff0ffc9 attempted to rectify this by removing the newline from the pci_info format string, but this doesn't work, as pci_info calls implicitly append a newline anyway. Printing the decoded features on the same line would make it quite long. Instead, change pci_info() to pr_info() to omit PCI bus location info, which is also shown in the preceding message. This results in: pci 0000:00:00.2: AMD-Vi: Found IOMMU cap 0x40 AMD-Vi: Extended features (0x206d73ef22254ade): PPR X2APIC NX GT IA GA PC GA_vAPIC AMD-Vi: Interrupt remapping enabled Fixes: 9a295ff0ffc9 ("iommu/amd: Print extended features in one line to fix divergent log levels") Link: https://lore.kernel.org/lkml/alpine.LNX.2.20.13.2104112326460.11104@monopod.intra.ispras.ru Signed-off-by: Alexander Monakov Cc: Paul Menzel Cc: Joerg Roedel Cc: Suravee Suthikulpanit Cc: iommu@lists.linux-foundation.org Reviewed-by: Paul Menzel Link: https://lore.kernel.org/r/20210504102220.1793-1-amonakov@ispras.ru Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit bd95a3e159a0dd42a38df1192402d9cfe2840aba Author: Zhen Lei Date: Fri May 28 16:26:14 2021 +0800 visorbus: fix error return code in visorchipset_init() [ Upstream commit ce52ec5beecc1079c251f60e3973b3758f60eb59 ] Commit 1366a3db3dcf ("staging: unisys: visorbus: visorchipset_init clean up gotos") assigns the initial value -ENODEV to the local variable 'err', and the first several error branches will return this value after "goto error". But commit f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.") overwrites 'err' in the middle of the way. As a result, some error branches do not successfully return the initial value -ENODEV of 'err', but return 0. In addition, when kzalloc() fails, -ENOMEM should be returned instead of -ENODEV. Fixes: f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210528082614.9337-1-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e5a3a3108f0668728cd43023230c39cd700fa320 Author: Joachim Fenkes Date: Fri Jul 24 16:45:18 2020 +0930 fsi/sbefifo: Fix reset timeout [ Upstream commit 9ab1428dfe2c66b51e0b41337cd0164da0ab6080 ] On BMCs with lower timer resolution than 1ms, msleep(1) will take way longer than 1ms, so looping 10k times won't wait for 10s but significantly longer. Fix this by using jiffies like the rest of the code. Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") Signed-off-by: Joachim Fenkes Link: https://lore.kernel.org/r/20200724071518.430515-3-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 4a95eb0c800eb71720b4186bec56941208c750d1 Author: Joachim Fenkes Date: Fri Jul 24 16:45:17 2020 +0930 fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE [ Upstream commit 95152433e46fdb36652ebdbea442356a16ae1fa6 ] When the SBE requests a reset via the down FIFO, that is also the FIFO we should go and reset ;) Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") Signed-off-by: Joachim Fenkes Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20200724071518.430515-2-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 719c4db394edb0aeecb2eb91558abb8cdccac173 Author: Eddie James Date: Tue Feb 9 11:12:32 2021 -0600 fsi: occ: Don't accept response from un-initialized OCC [ Upstream commit 8a4659be08576141f47d47d94130eb148cb5f0df ] If the OCC is not initialized and responds as such, the driver should continue waiting for a valid response until the timeout expires. Signed-off-by: Eddie James Reviewed-by: Joel Stanley Fixes: 7ed98dddb764 ("fsi: Add On-Chip Controller (OCC) driver") Link: https://lore.kernel.org/r/20210209171235.20624-2-eajames@linux.ibm.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit af3d7f9e266bb03b103b197f3909c213bcb81362 Author: Eddie James Date: Mon Mar 29 10:13:44 2021 -0500 fsi: scom: Reset the FSI2PIB engine for any error [ Upstream commit a5c317dac5567206ca7b6bc9d008dd6890c8bced ] The error bits in the FSI2PIB status are only cleared by a reset. So the driver needs to perform a reset after seeing any of the FSI2PIB errors, otherwise subsequent operations will also look like failures. Fixes: 6b293258cded ("fsi: scom: Major overhaul") Signed-off-by: Eddie James Reviewed-by: Joel Stanley Link: https://lore.kernel.org/r/20210329151344.14246-1-eajames@linux.ibm.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 446eed9c855e83dfcd3237388912171a8a9c761a Author: Colin Ian King Date: Thu Jun 3 13:28:12 2021 +0100 fsi: core: Fix return of error values on failures [ Upstream commit 910810945707fe9877ca86a0dca4e585fd05e37b ] Currently the cfam_read and cfam_write functions return the provided number of bytes given in the count parameter and not the error return code in variable rc, hence all failures of read/writes are being silently ignored. Fix this by returning the error code in rc. Addresses-Coverity: ("Unused value") Fixes: d1dcd6782576 ("fsi: Add cfam char devices") Signed-off-by: Colin Ian King Reviewed-by: Jeremy Kerr Link: https://lore.kernel.org/r/20210603122812.83587-1-colin.king@canonical.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit d22bef41017b4edfb0111c30f8bc476c17b5d720 Author: Andreas Kemnade Date: Sat May 15 22:55:18 2021 +0200 mfd: rn5t618: Fix IRQ trigger by changing it to level mode [ Upstream commit a1649a5260631979c68e5b2012f60f90300e646f ] During more massive generation of interrupts, the IRQ got stuck, and the subdevices did not see any new interrupts. That happens especially at wonky USB supply in combination with ADC reads. To fix that trigger the IRQ at level low instead of falling edge. Fixes: 0c81604516af ("mfd: rn5t618: Add IRQ support") Signed-off-by: Andreas Kemnade Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 9b8bfdbc7e611a5b0ed45ef34c18ecfb42e66b25 Author: Randy Dunlap Date: Mon May 3 19:32:18 2021 -0700 mfd: mp2629: Select MFD_CORE to fix build error [ Upstream commit a933272041d852a1ef1c85f0c18b93e9999a41fa ] MFD_MP2629 should select MFD_CORE to a prevent build error: ERROR: modpost: "devm_mfd_add_devices" [drivers/mfd/mp2629.ko] undefined! Fixes: 06081646450e ("mfd: mp2629: Add support for mps battery charger") Signed-off-by: Randy Dunlap Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 68f2f83f6fb6d95f88298d53bbcaff3faac7fdaa Author: Mike Christie Date: Tue May 25 13:18:09 2021 -0500 scsi: iscsi: Flush block work before unblock [ Upstream commit 7ce9fc5ecde0d8bd64c29baee6c5e3ce7074ec9a ] We set the max_active iSCSI EH works to 1, so all work is going to execute in order by default. However, userspace can now override this in sysfs. If max_active > 1, we can end up with the block_work on CPU1 and iscsi_unblock_session running the unblock_work on CPU2 and the session and target/device state will end up out of sync with each other. This adds a flush of the block_work in iscsi_unblock_session. Link: https://lore.kernel.org/r/20210525181821.7617-17-michael.christie@oracle.com Fixes: 1d726aa6ef57 ("scsi: iscsi: Optimize work queue flush use") Reviewed-by: Lee Duncan Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b5371faa0667426f3ced9f19e942d8df249b23f4 Author: Randy Dunlap Date: Sat May 29 16:48:57 2021 -0700 scsi: FlashPoint: Rename si_flags field [ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ] The BusLogic driver has build errors on ia64 due to a name collision (in the #included FlashPoint.c file). Rename the struct field in struct sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build. This is the first problem. There are 50+ others after this one: In file included from ../include/uapi/linux/signal.h:6, from ../include/linux/signal_types.h:10, from ../include/linux/sched.h:29, from ../include/linux/hardirq.h:9, from ../include/linux/interrupt.h:11, from ../drivers/scsi/BusLogic.c:27: ../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token 15 | #define si_flags _sifields._sigfault._flags | ^ ../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags' 43 | u16 si_flags; | ^~~~~~~~ In file included from ../drivers/scsi/BusLogic.c:51: ../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter': ../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields' 1076 | pCardInfo->si_flags = 0x0000; | ^~ ../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields' Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.") Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Christoph Hellwig Cc: Jens Axboe Cc: Hannes Reinecke Cc: Khalid Aziz Cc: Khalid Aziz Reported-by: kernel test robot Reviewed-by: Hannes Reinecke Signed-off-by: Randy Dunlap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0b2f74111344e9d10fc4cd72ae727e4e78013332 Author: Andy Shevchenko Date: Mon May 10 12:50:40 2021 +0300 leds: lp50xx: Put fwnode in error case during ->probe() [ Upstream commit f1e1d532da7e6ef355528a22fb97d9a8fbf76c4e ] fwnode_for_each_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. OTOH, the successful iteration will drop reference count under the hood, no need to do it twice. Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 5f7bda9ba8d73c84b176de96579c9719efa196e4 Author: Andy Shevchenko Date: Mon May 10 12:50:39 2021 +0300 leds: lm3697: Don't spam logs when probe is deferred [ Upstream commit 807553f8bf4afa673750e52905e0f9488179112f ] When requesting GPIO line the probe can be deferred. In such case don't spam logs with an error message. This can be achieved by switching to dev_err_probe(). Fixes: 5c1d824cda9f ("leds: lm3697: Introduce the lm3697 driver") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 8fc7d4a3f039db7efeb13627a8922b592e2c7edd Author: Andy Shevchenko Date: Mon May 10 12:50:35 2021 +0300 leds: lm3692x: Put fwnode in any case during ->probe() [ Upstream commit f55db1c7fadc2a29c9fa4ff3aec98dbb111f2206 ] device_get_next_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Fixes: 9a5c1c64ac0a ("leds: lm3692x: Change DT calls to fwnode calls") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit c54ad49e2ff7ac04ead4693b928df1332d9a6a59 Author: Andy Shevchenko Date: Mon May 10 12:50:33 2021 +0300 leds: lm36274: Put fwnode in error case during ->probe() [ Upstream commit 3c5f655c44bb65cb7e3c219d08c130ce5fa45d7f ] device_get_next_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. In the older code the same is implied with device_for_each_child_node(). Fixes: 11e1bbc116a7 ("leds: lm36274: Introduce the TI LM36274 LED driver") Fixes: a448fcf19c9c ("leds: lm36274: don't iterate through children since there is only one") Cc: Dan Murphy Cc: Marek Behún Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 1ed913317166d117640252c299f8132ded3bc10d Author: Andy Shevchenko Date: Mon May 10 12:50:31 2021 +0300 leds: lm3532: select regmap I2C API [ Upstream commit 99be74f61cb0292b518f5e6d7e5c6611555c2ec7 ] Regmap APIs should be selected, otherwise link can fail ERROR: modpost: "__devm_regmap_init_i2c" [drivers/leds/leds-lm3532.ko] undefined! Fixes: bc1b8492c764 ("leds: lm3532: Introduce the lm3532 LED driver") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit b504e279e5029f9b5e0e1f4f68f8fd6675d48ff6 Author: Andy Shevchenko Date: Mon May 10 12:50:18 2021 +0300 leds: class: The -ENOTSUPP should never be seen by user space [ Upstream commit 0ac40af86077982a5346dbc9655172d2775d6b08 ] Drop the bogus error code and let of_led_get() to take care about absent of_node. Fixes: e389240ad992 ("leds: Add managed API to get a LED from a device driver") Cc: Jean-Jacques Hiblot Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 58279b341b9422d73bee1b10a7fa7f4dca006142 Author: Christophe JAILLET Date: Tue May 25 20:51:57 2021 +0200 tty: nozomi: Fix the error handling path of 'nozomi_card_init()' [ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ] The error handling path is broken and we may un-register things that have never been registered. Update the loops index accordingly. Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") Suggested-by: Dan Carpenter Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 28c947b07263f3bcb018656c41edbebc8d705446 Author: Christophe JAILLET Date: Fri May 21 20:22:15 2021 +0200 firmware: stratix10-svc: Fix a resource leak in an error handling path [ Upstream commit d99247f9b542533ddbf87a3481a05473b8e48194 ] If an error occurs after a successful 'kfifo_alloc()' call, it must be undone by a corresponding 'kfifo_free()' call, as already done in the remove function. While at it, move the 'platform_device_put()' call to this new error handling path and explicitly return 0 in the success path. Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0ca3f3ab139c53e846804455a1e7599ee8ae896a.1621621271.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1e1b9cd400953888f0577cd331711528bc6f2919 Author: Yu Kuai Date: Fri May 21 20:06:17 2021 +0800 char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol() [ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ] Theoretically, it will cause index out of bounds error if 'num_bytes_read' is greater than 4. As we expect it(and was tested) never to be greater than 4, error out if it happens. Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5a766253e3053f827d454730ea9f77aba1d59621 Author: Dave Stevenson Date: Tue May 25 23:57:37 2021 +0200 staging: mmal-vchiq: Fix incorrect static vchiq_instance. [ Upstream commit afc023da53e46b88552822f2fe035c7129c505a2 ] For some reason lost in history function vchiq_mmal_init used a static variable for storing the vchiq_instance. This value is retrieved from vchiq per instance, so worked fine until you try to call vchiq_mmal_init multiple times concurrently when things then go wrong. This seemed to happen quite frequently if using the cutdown firmware (no MMAL or VCSM services running) as the vchiq_connect then failed, and one or other vchiq_shutdown was working on an invalid handle. Remove the static so that each caller gets a unique vchiq_instance. Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") Signed-off-by: Dave Stevenson Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/1621979857-26754-1-git-send-email-stefan.wahren@i2se.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cf05986cc4de00c522439620fbec1bbc2e5d1d5d Author: Miquel Raynal Date: Wed May 26 11:32:41 2021 +0200 mtd: rawnand: arasan: Ensure proper configuration for the asserted target [ Upstream commit b5437c7b682c9a505065b4ab4716cdc951dc3c7c ] The controller being always asserting one CS or the other, there is no need to actually select the right target before doing a page read/write. However, the anfc_select_target() helper actually also changes the timing configuration and clock in the case were two different NAND chips with different timing requirements would be used. In this situation, we must ensure proper configuration of the controller by calling it. As a consequence of this change, the anfc_select_target() helper is being moved earlier in the driver. Fixes: 88ffef1b65cf ("mtd: rawnand: arasan: Support the hardware BCH ECC engine") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210526093242.183847-4-miquel.raynal@bootlin.com Signed-off-by: Sasha Levin commit 2f8824f556a3ebea9840c53326e55cc183316611 Author: Corentin Labbe Date: Thu May 20 11:48:50 2021 +0000 mtd: partitions: redboot: seek fis-index-block in the right node [ Upstream commit 237960880960863fb41888763d635b384cffb104 ] fis-index-block is seeked in the master node and not in the partitions node. For following binding and current usage, the driver need to check the partitions subnode. Fixes: c0e118c8a1a3 ("mtd: partitions: Add OF support to RedBoot partitions") Signed-off-by: Corentin Labbe Reviewed-by: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210520114851.1274609-1-clabbe@baylibre.com Signed-off-by: Sasha Levin commit a16eae11f004fa193865f2858514996069b3fca0 Author: Adrian Hunter Date: Tue May 25 12:51:03 2021 +0300 perf scripting python: Fix tuple_set_u64() [ Upstream commit d04c1ff0b3ddd5c0fbbe640996c8eaad279ed1c5 ] tuple_set_u64() produces a signed value instead of an unsigned value. That works for database export but not other cases. Rename to tuple_set_d64() for database export and fix tuple_set_u64(). Fixes: df919b400ad3f ("perf scripting python: Extend interface to export data in a database-friendly way") Signed-off-by: Adrian Hunter Cc: Andi Kleen Cc: Jiri Olsa Signed-off-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/r/20210525095112.1399-2-adrian.hunter@intel.com Signed-off-by: Sasha Levin commit 201b975c164398dfb0875e834529c303c95bc54e Author: Zhen Lei Date: Mon May 24 11:52:42 2021 -0700 Input: hil_kbd - fix error return code in hil_dev_connect() [ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ] Return error code -EINVAL rather than '0' when the combo devices are not supported. Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 000c70680d2ffcde948e963d6b953b3c097257e8 Author: Kuninori Morimoto Date: Mon May 24 15:12:09 2021 +0900 ASoC: rsnd: tidyup loop on rsnd_adg_clk_query() [ Upstream commit cf9d5c6619fadfc41cf8f5154cb990cc38e3da85 ] commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") used saved clk_rate, thus for_each_rsnd_clk() is no longer needed. This patch fixes it. Fixes: 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/87v978oe2u.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2e1d76c3b90feb8e6decfa88daf3aba4b2dceee0 Author: Andy Shevchenko Date: Mon May 10 12:57:16 2021 +0300 backlight: lm3630a_bl: Put fwnode in error case during ->probe() [ Upstream commit 6d1c32dbedd7d7e7372aa38033ec8782c39f6379 ] device_for_each_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Cc: Brian Masney Cc: Dan Murphy Fixes: 8fbce8efe15cd ("backlight: lm3630a: Add firmware node support") Signed-off-by: Andy Shevchenko Reviewed-by: Brian Masney Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit d4ebf352a7d7910c772977c7ef4f3697114809c8 Author: Yang Yingliang Date: Tue May 18 12:45:14 2021 +0800 ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup() [ Upstream commit 375904e3931955fcf0a847f029b2492a117efc43 ] After calling clk_prepare_enable(), clk_disable_unprepare() need be called when calling clk_set_rate() failed. Fixes: 0bf750f4cbe1 ("ASoC: hisilicon: Add hi6210 i2s audio driver") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210518044514.607010-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2541d78f783237b9f92d1b562f594021e68b86c4 Author: Yang Yingliang Date: Tue May 18 15:58:47 2021 +0800 ASoC: rk3328: fix missing clk_disable_unprepare() on error in rk3328_platform_probe() [ Upstream commit d14eece945a8068a017995f7512ea2beac21e34b ] Fix the missing clk_disable_unprepare() before return from rk3328_platform_probe() in the error handling case. Fixes: c32759035ad2 ("ASoC: rockchip: support ACODEC for rk3328") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210518075847.1116983-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 246b4f1e2050cbda8d385c5141f5b7f09284b4b1 Author: Jonathan Cameron Date: Sat May 1 18:13:48 2021 +0100 iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 8979b67ec61abc232636400ee8c758a16a73c95f ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here structure is not used, because this buffer is also used elsewhere in the driver. Fixes: 67e17300dc1d ("iio: potentiostat: add LMP91000 support") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Link: https://lore.kernel.org/r/20210501171352.512953-8-jic23@kernel.org Signed-off-by: Sasha Levin commit 71dbba0b9525d98cb82afa3d976ea98d630df615 Author: Jonathan Cameron Date: Sat May 1 18:13:47 2021 +0100 iio: cros_ec_sensors: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 8dea228b174ac9637b567e5ef54f4c40db4b3c41 ] The samples buffer is passed to iio_push_to_buffers_with_timestamp() which requires a buffer aligned to 8 bytes as it is assumed that the timestamp will be naturally aligned if present. Fixes tag is inaccurate but prior to that likely manual backporting needed (for anything before 4.18) Earlier than that the include file to fix is drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.h: commit 974e6f02e27 ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.") present since kernel stable 4.10. (Thanks to Gwendal for tracking this down) Fixes: 5a0b8cb46624c ("iio: cros_ec: Move cros_ec_sensors_core.h in /include") Signed-off-by: Jonathan Cameron Reviewed-by: Gwendal Grignou commit 1fa3107759b7ad44e8888529645c38616bdfd6db Author: Jonathan Cameron Date: Sat May 1 18:13:46 2021 +0100 iio: chemical: atlas: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit b0f5d8db7348a6ce5cdd79fba46ebc91eebc8fd9 ] Variable location for the timestamp, so just use __aligned(8) to ensure it is always possible to naturally align it. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes tag is not accurate, but it will need manual backporting beyond that point if anyone cares. Fixes: 0d15190f53b4 ("iio: chemical: atlas-ph-sensor: rename atlas-ph-sensor to atlas-sensor") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Link: https://lore.kernel.org/r/20210501171352.512953-6-jic23@kernel.org Signed-off-by: Sasha Levin commit 93a5538d5012da56b6093aae08d2408b80910611 Author: Jonathan Cameron Date: Sat May 1 18:01:21 2021 +0100 iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit df2f37cffd6ed486d613e7ee22aadc8e49ae2dd3 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp(). Fixes tag is not strictly accurate as prior to that patch there was potentially an unaligned write. However, any backport past there will need to be done manually. Fixes: 0624bf847dd0 ("iio:tcs3472: Use iio_push_to_buffers_with_timestamp()") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-20-jic23@kernel.org Signed-off-by: Sasha Levin commit daecb8c0a17cb8170651e976d146c28e70569da7 Author: Jonathan Cameron Date: Sat May 1 18:01:20 2021 +0100 iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit ff08fbc22ab32ccc6690c21b0e5e1d402dcc076f ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: a244e7b57f0f ("iio: Add driver for AMS/TAOS tcs3414 digital color sensor") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-19-jic23@kernel.org Signed-off-by: Sasha Levin commit 293b8246a07ecfbe79534bf9684dca2ac3ff9822 Author: Jonathan Cameron Date: Sat May 1 18:01:19 2021 +0100 iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 3d4725194de6935dba2ad7c9cc075c885008f747 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 6c25539cbc46 ("iio: Add Intersil isl29125 digital color light sensor driver") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-18-jic23@kernel.org Signed-off-by: Sasha Levin commit f960139a3c49c7cec2dec4e201004aed61700a8f Author: Jonathan Cameron Date: Sat May 1 18:01:18 2021 +0100 iio: magn: bmc150: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 7692088f72865c41b6b531fd09486ee99a5da930 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: c91746a2361d ("iio: magn: Add support for BMC150 magnetometer") Signed-off-by: Jonathan Cameron Cc: Stephan Gerhold Cc: Linus Walleij Reviewed-by: Linus Walleij Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-17-jic23@kernel.org Signed-off-by: Sasha Levin commit e5e102f4b562733ad5208b406a9ddf8d163b6e34 Author: Jonathan Cameron Date: Sat May 1 18:01:17 2021 +0100 iio: magn: hmc5843: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 1ef2f51e9fe424ccecca5bb0373d71b900c2cd41 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 7247645f6865 ("iio: hmc5843: Move hmc5843 out of staging") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-16-jic23@kernel.org Signed-off-by: Sasha Levin commit 4613232e0b1f5371fbd9e248c55fba66f0c06055 Author: Jonathan Cameron Date: Sat May 1 18:01:16 2021 +0100 iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 37eb8d8c64f2ecb3a5521ba1cc1fad973adfae41 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 37b1ba2c68cf ("iio: proximity: as3935: fix buffer stack trashing") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-15-jic23@kernel.org Signed-off-by: Sasha Levin commit ab16be53b29678297e0a99d7dfd23bdf7b059419 Author: Jonathan Cameron Date: Sat May 1 18:01:15 2021 +0100 iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 679cc377a03ff1944491eafc7355c1eb1fad4109 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: cb119d535083 ("iio: proximity: add support for PulsedLight LIDAR") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-14-jic23@kernel.org Signed-off-by: Sasha Levin commit 8e23dd6236deceb1cd8285dc01a25b7d288fbfc0 Author: Jonathan Cameron Date: Sat May 1 18:01:14 2021 +0100 iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 19f1a254fe4949fff1e67db386409f48cf438bd7 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 78f839029e1d ("iio: distance: srf08: add IIO driver for us ranger") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-13-jic23@kernel.org Signed-off-by: Sasha Levin commit c61ac1f83b3246d895a63d60ac68d6c2781b8672 Author: Jonathan Cameron Date: Sat May 1 18:01:13 2021 +0100 iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit f4ca2e2595d9fee65d5ce0d218b22ce00e5b2915 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 0d96d5ead3f7 ("iio: humidity: Add triggered buffer support for AM2315") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-12-jic23@kernel.org Signed-off-by: Sasha Levin commit 8ea878287ccc8974394f6bb40b5c59d632b7ca49 Author: Jonathan Cameron Date: Sat May 1 18:01:12 2021 +0100 iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 06778d881f3798ce93ffbbbf801234292250b598 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 13426454b649 ("iio: bmg160: Separate i2c and core driver") Signed-off-by: Jonathan Cameron Cc: Stephan Gerhold Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-11-jic23@kernel.org Signed-off-by: Sasha Levin commit 718a67a9093212f19d56e64ad15cd7db270dd435 Author: Jonathan Cameron Date: Sat May 1 18:01:11 2021 +0100 iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 7765dfaa22ea08abf0c175e7553826ba2a939632 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 0010d6b44406 ("iio: adc: vf610: Add IIO buffer support for Vybrid ADC") Signed-off-by: Jonathan Cameron Cc: Stefan-Gabriel Mirea Cc: Sanchayan Maity Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-10-jic23@kernel.org Signed-off-by: Sasha Levin commit df5343bd59cdb4bdaadaecda13edff368f62d5b1 Author: Jonathan Cameron Date: Sat May 1 18:01:10 2021 +0100 iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit d85d71dd1ab67eaa7351f69fec512d8f09d164e1 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support") Signed-off-by: Jonathan Cameron Cc: Daniel Baluta Cc: Andy Shevchenko Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-9-jic23@kernel.org Signed-off-by: Sasha Levin commit f0bc78df4a0444df0a50545539b9c1930172f2d3 Author: Jonathan Cameron Date: Sat May 1 18:01:09 2021 +0100 iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org Signed-off-by: Sasha Levin commit cd62282a51cb306f5450cc4dc6919697de1330ce Author: Jonathan Cameron Date: Sat May 1 18:01:08 2021 +0100 iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org Signed-off-by: Sasha Levin commit 638ba5aa15ac979ea549ddc7d6780fb9746c7f07 Author: Jonathan Cameron Date: Sat May 1 18:01:07 2021 +0100 iio: accel: mxc4005: Fix overread of data and alignment issue. [ Upstream commit f65802284a3a337510d7f8f916c97d66c74f2e71 ] The bulk read size is based on the size of an array that also has space for the timestamp alongside the channels. Fix that and also fix alignment of the buffer passed to iio_push_to_buffers_with_timestamp. Found during an audit of all calls to this function. Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org Signed-off-by: Sasha Levin commit 0d220d40b3f3a43931d7ed9b961b37c70774f264 Author: Jonathan Cameron Date: Sat May 1 18:01:06 2021 +0100 iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 3ab3aa2e7bd57497f9a7c6275c00dce237d2c9ba ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 1a4fbf6a9286 ("iio: accel: kxcjk1013 3-axis accelerometer driver") Signed-off-by: Jonathan Cameron Cc: Srinivas Pandruvada Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-5-jic23@kernel.org Signed-off-by: Sasha Levin commit 9eb5fb66b6f4873055e669f00377786248a16a7d Author: Jonathan Cameron Date: Sat May 1 18:01:05 2021 +0100 iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit c6559bf796ccdb3a0c79db846af96c8f7046880b ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Note this matches what was done in all the other hid sensor drivers. This one was missed previously due to an extra level of indirection. Found during an audit of all calls of this function. Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp") Signed-off-by: Jonathan Cameron Cc: Srinivas Pandruvada Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-4-jic23@kernel.org Signed-off-by: Sasha Levin commit 4b362443dc214e5332223467e76d1d1de57d9a98 Author: Jonathan Cameron Date: Sat May 1 18:01:04 2021 +0100 iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 151dbf0078da98206817ee0b87d499035479ef11 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 194dc4c71413 ("iio: accel: Add triggered buffer support for BMA220") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-3-jic23@kernel.org Signed-off-by: Sasha Levin commit 3cca4db5f73310d03c4b31c4d6f820452ce9f2a0 Author: Jonathan Cameron Date: Sat May 1 18:01:03 2021 +0100 iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()") Signed-off-by: Jonathan Cameron Cc: Peter Meerwald Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 2edfba8a55b59df7a3bd005f79bd1312efc684bd Author: Nuno Sa Date: Tue Apr 27 10:54:49 2021 +0200 iio: adis16475: do not return ints in irq handlers [ Upstream commit 00a72db718fa198da3946286dcad222399ccd4fb ] On an IRQ handler we should not return normal error codes as 'irqreturn_t' is expected. This is done by jumping to the 'check_burst32' label where we return 'IRQ_HANDLED'. Note that it is fine to do the burst32 check in this error path. If we have proper settings to apply burst32, we might just do the setup now so that the next sample already uses it. Fixes: fff7352bf7a3c ("iio: imu: Add support for adis16475") Reviewed-by: Alexandru Ardelean Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20210427085454.30616-2-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 92efd6396e4b0545ddc77765cdcc26ca65dea203 Author: Nuno Sa Date: Thu Apr 22 12:19:04 2021 +0200 iio: adis16400: do not return ints in irq handlers [ Upstream commit ab3df79782e7d8a27a58576c9b4e8c6c4879ad79 ] On an IRQ handler we should not return normal error codes as 'irqreturn_t' is expected. Not necessary to apply to stable as the original check cannot fail and as such the bug cannot actually occur. Fixes: 5eda3550a3cc1 ("staging:iio:adis16400: Preallocate transfer message") Reviewed-by: Alexandru Ardelean Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20210422101911.135630-3-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 2e41116e6eb8796d51ca39ff93c7c570a187bcf4 Author: Nuno Sa Date: Thu Apr 22 12:19:03 2021 +0200 iio: adis_buffer: do not return ints in irq handlers [ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ] On an IRQ handler we should not return normal error codes as 'irqreturn_t' is expected. Not necessarily stable material as the old check cannot fail, so it's a bug we can not hit. Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library") Reviewed-by: Alexandru Ardelean Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 67d88b7bf62db226e1f712368288eee17b41d802 Author: Arnd Bergmann Date: Sat May 8 00:07:55 2021 +0200 mwifiex: re-fix for unaligned accesses [ Upstream commit 8f4e3d48bb50765ab27ae5bebed2595b20de80a1 ] A patch from 2017 changed some accesses to DMA memory to use get_unaligned_le32() and similar interfaces, to avoid problems with doing unaligned accesson uncached memory. However, the change in the mwifiex_pcie_alloc_sleep_cookie_buf() function ended up changing the size of the access instead, as it operates on a pointer to u8. Change this function back to actually access the entire 32 bits. Note that the pointer is aligned by definition because it came from dma_alloc_coherent(). Fixes: 92c70a958b0b ("mwifiex: fix for unaligned reads") Acked-by: Kalle Valo Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 460bee90091ddeadc38837fbbd25e45b7cd695b2 Author: Christophe JAILLET Date: Sun May 9 19:22:33 2021 +0200 tty: nozomi: Fix a resource leak in an error handling function [ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ] A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in the error handling path, as already done in the remove function. Add it. Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") Reviewed-by: Jiri Slaby Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f5186bd17f3b37a7b6c85da5c0b6acb8d29ed264 Author: Dan Carpenter Date: Thu Apr 29 10:19:22 2021 +0300 serial: 8250_omap: fix a timeout loop condition [ Upstream commit d7e325aaa8c3593b5a572b583ecad79e95f32e7f ] This loop ends on -1 so the error message will never be printed. Fixes: 4bcf59a5dea0 ("serial: 8250: 8250_omap: Account for data in flight during DMA teardown") Reviewed-by: Alexander Sverdlin Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YIpd+kOpXKMpEXPf@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5dcff72fe42a194852a132fe70018be5eddd00af Author: Michael Walle Date: Wed May 12 16:12:52 2021 +0200 serial: fsl_lpuart: remove RTSCTS handling from get_mctrl() [ Upstream commit e60c2991f18bf221fa9908ff10cb24eaedaa9bae ] The wrong code in set_mctrl() was already removed in commit 2b30efe2e88a ("tty: serial: lpuart: Remove unnecessary code from set_mctrl"), but the code in get_mctrl() wasn't removed. It will not return the state of the RTS or CTS line but whether automatic flow control is enabled, which is wrong for the get_mctrl(). Thus remove it. Fixes: 2b30efe2e88a ("tty: serial: lpuart: Remove unnecessary code from set_mctrl") Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20210512141255.18277-7-michael@walle.cc Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 685d53abc9187824d52ab7eaa2d65eeed60f860b Author: Michael Walle Date: Wed May 12 16:12:47 2021 +0200 serial: fsl_lpuart: don't modify arbitrary data on lpuart32 [ Upstream commit ccf08fd1204bcb5311cc10aea037c71c6e74720a ] lpuart_rx_dma_startup() is used for both the 8 bit and the 32 bit version of the LPUART. Modify the UARTCR only for the 8 bit version. Fixes: f4eef224a09f ("serial: fsl_lpuart: add sysrq support when using dma") Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20210512141255.18277-2-michael@walle.cc Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 728f23e53c65a90440fe16b270cdff4401433c38 Author: Paul E. McKenney Date: Wed Mar 31 10:59:05 2021 -0700 rcu: Invoke rcu_spawn_core_kthreads() from rcu_spawn_gp_kthread() [ Upstream commit 8e4b1d2bc198e34b48fc7cc3a3c5a2fcb269e271 ] Currently, rcu_spawn_core_kthreads() is invoked via an early_initcall(), which works, except that rcu_spawn_gp_kthread() is also invoked via an early_initcall() and rcu_spawn_core_kthreads() relies on adjustments to kthread_prio that are carried out by rcu_spawn_gp_kthread(). There is no guaranttee of ordering among early_initcall() handlers, and thus no guarantee that kthread_prio will be properly checked and range-limited at the time that rcu_spawn_core_kthreads() needs it. In most cases, this bug is harmless. After all, the only reason that rcu_spawn_gp_kthread() adjusts the value of kthread_prio is if the user specified a nonsensical value for this boot parameter, which experience indicates is rare. Nevertheless, a bug is a bug. This commit therefore causes the rcu_spawn_core_kthreads() function to be invoked directly from rcu_spawn_gp_kthread() after any needed adjustments to kthread_prio have been carried out. Fixes: 48d07c04b4cc ("rcu: Enable elimination of Tree-RCU softirq processing") Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 66111dfe22b10284c517674bf69c844e1d8b6e73 Author: Stephen Boyd Date: Sat May 8 00:51:50 2021 -0700 ASoC: rt5682: Disable irq on shutdown [ Upstream commit 47bcb1c7108363418cd578283333d72e310dfeaa ] We cancel the work queues, and reset the device on shutdown, but the irq isn't disabled so the work queues could be queued again. Let's disable the irq during shutdown so that we don't have to worry about this device trying to do anything anymore. This fixes a problem seen where the i2c bus is shutdown at reboot but this device irq still comes in and tries to make another i2c transaction when the bus doesn't work. Cc: Jairaj Arava Cc: Sathyanarayana Nujella Cc: Pierre-Louis Bossart Cc: Shuming Fan Cc: Ranjani Sridharan Fixes: 45a2702ce109 ("ASoC: rt5682: Fix panic in rt5682_jack_detect_handler happening during system shutdown") Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210508075151.1626903-1-swboyd@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8b195380cd07da6591a3c7887b6ccf843fbaac20 Author: Andy Shevchenko Date: Mon May 3 20:21:11 2021 +0300 staging: fbtft: Don't spam logs when probe is deferred [ Upstream commit 37667f6e57712cef5652fa67f1cbd1299e204d94 ] When requesting GPIO line the probe can be deferred. In such case don't spam logs with an error message. This can be achieved by switching to dev_err_probe(). Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface") Cc: Nishad Kamdar Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210503172114.27891-3-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7a42f3c30dfe3d51fa7d1a70b669243d9b34a38d Author: Andy Shevchenko Date: Mon May 3 20:21:10 2021 +0300 staging: fbtft: Rectify GPIO handling [ Upstream commit ec03c2104365ead0a33627c05e685093eed3eaef ] The infamous commit c440eee1a7a1 ("Staging: staging: fbtft: Switch to the GPIO descriptor interface") broke GPIO handling completely. It has already four commits to rectify and it seems not enough. In order to fix the mess here we: 1) Set default to "inactive" for all requested pins 2) Fix CS#, RD#, and WR# pins polarity since it's active low and GPIO descriptor interface takes it into consideration from the Device Tree or ACPI 3) Consolidate chip activation (CS# assertion) under default ->reset() callback To summarize the expectations about polarity for GPIOs: RD# Low WR# Low CS# Low RESET# Low DC or RS High RW High Data 0 .. 15 High See also Adafruit learning course [1] for the example of the schematics. While at it, drop unneeded NULL checks, since GPIO API is tolerant to that. [1]: https://learn.adafruit.com/adafruit-2-8-and-3-2-color-tft-touchscreen-breakout-v2/downloads Fixes: 92e3e884887c ("Staging: fbtft: Fix GPIO handling") Fixes: b918d1c27066 ("Staging: fbtft: Fix reset assertion when using gpio descriptor") Fixes: dbc4f989c878 ("Staging: fbtft: Fix probing of gpio descriptor") Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface") Cc: Jan Sebastian Götte Cc: Nishad Kamdar Reviewed-by: Phil Reid Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210503172114.27891-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d8c1504cf1a0cd71b0619aaf3176c6f81ca3af60 Author: Wei Li Date: Tue Jun 29 22:14:20 2021 +0800 MIPS: Fix PKMAP with 32-bit MIPS huge page support [ Upstream commit cf02ce742f09188272bcc8b0e62d789eb671fc4c ] When 32-bit MIPS huge page support is enabled, we halve the number of pointers a PTE page holds, making its last half go to waste. Correspondingly, we should halve the number of kmap entries, as we just initialized only a single pte table for that in pagetable_init(). Fixes: 35476311e529 ("MIPS: Add partial 32-bit huge page support") Signed-off-by: Wei Li Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit a23ba98e91ffda5a1dc84bd904fe698002f96474 Author: Leon Romanovsky Date: Tue Jun 29 09:49:33 2021 +0300 RDMA/core: Always release restrack object [ Upstream commit 3d8287544223a3d2f37981c1f9ffd94d0b5e9ffc ] Change location of rdma_restrack_del() to fix the bug where task_struct was acquired but not released, causing to resource leak. ucma_create_id() { ucma_alloc_ctx(); rdma_create_user_id() { rdma_restrack_new(); rdma_restrack_set_name() { rdma_restrack_attach_task.part.0(); <--- task_struct was gotten } } ucma_destroy_private_ctx() { ucma_put_ctx(); rdma_destroy_id() { _destroy_id() <--- id_priv was freed } } } Fixes: 889d916b6f8a ("RDMA/core: Don't access cm_id after its destruction") Link: https://lore.kernel.org/r/073ec27acb943ca8b6961663c47c5abe78a5c8cc.1624948948.git.leonro@nvidia.com Reported-by: Pavel Skripkin Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a938d4e8c6995e7d15854c9b7df060af58fc5653 Author: Leon Romanovsky Date: Tue Jun 29 11:51:38 2021 +0300 RDMA/mlx5: Don't access NULL-cleared mpi pointer [ Upstream commit 4a754d7637026b42b0c9ba5787ad5ee3bc2ff77f ] The "dev->port[i].mp.mpi" is set to NULL during mlx5_ib_unbind_slave_port() execution, however that field is needed to add device to unaffiliated list. Such flow causes to the following kernel panic while unloading mlx5_ib module in multi-port mode, hence the device should be added to the list prior to unbind call. RPC: Unregistered rdma transport module. RPC: Unregistered rdma backchannel transport module. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI CPU: 4 PID: 1904 Comm: modprobe Not tainted 5.13.0-rc7_for_upstream_min_debug_2021_06_24_12_08 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_ib_cleanup_multiport_master+0x18b/0x2d0 [mlx5_ib] Code: 00 04 0f 85 c4 00 00 00 48 89 df e8 ef fa ff ff 48 8b 83 40 0d 00 00 48 8b 15 b9 e8 05 00 4a 8b 44 28 20 48 89 05 ad e8 05 00 <48> c7 00 d0 57 c5 a0 48 89 50 08 48 89 02 39 ab 88 0a 00 00 0f 86 RSP: 0018:ffff888116ee3df8 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffff8881154f6000 RCX: 0000000000000080 RDX: ffffffffa0c557d0 RSI: ffff88810b69d200 RDI: 000000000002d8a0 RBP: 0000000000000002 R08: ffff888110780408 R09: 0000000000000000 R10: ffff88812452e1c0 R11: fffffffffff7e028 R12: 0000000000000000 R13: 0000000000000080 R14: ffff888102c58000 R15: 0000000000000000 FS: 00007f884393a740(0000) GS:ffff8882f5a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001249f6004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5_ib_stage_init_cleanup+0x16/0xd0 [mlx5_ib] __mlx5_ib_remove+0x33/0x90 [mlx5_ib] mlx5r_remove+0x22/0x30 [mlx5_ib] auxiliary_bus_remove+0x18/0x30 __device_release_driver+0x177/0x220 driver_detach+0xc4/0x100 bus_remove_driver+0x58/0xd0 auxiliary_driver_unregister+0x12/0x20 mlx5_ib_cleanup+0x13/0x897 [mlx5_ib] __x64_sys_delete_module+0x154/0x230 ? exit_to_user_mode_prepare+0x104/0x140 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8842e095c7 Code: 73 01 c3 48 8b 0d d9 48 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 48 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc68f6e758 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 00005638207929c0 RCX: 00007f8842e095c7 RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000563820792a28 RBP: 00005638207929c0 R08: 00007ffc68f6d701 R09: 0000000000000000 R10: 00007f8842e82880 R11: 0000000000000206 R12: 0000563820792a28 R13: 0000000000000001 R14: 0000563820792a28 R15: 00007ffc68f6fb40 Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter overlay rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_ipoib ib_cm ib_umad mlx5_ib(-) mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core mlx5_core ptp pps_core [last unloaded: rpcrdma] CR2: 0000000000000000 ---[ end trace a0bb7e20804e9e9b ]--- Fixes: 7ce6095e3bff ("RDMA/mlx5: Don't add slave port to unaffiliated list") Link: https://lore.kernel.org/r/899ac1b33a995be5ec0e16a4765c4e43c2b1ba5b.1624956444.git.leonro@nvidia.com Reviewed-by: Itay Aveksis Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c6965316d6845bf8a02822c5529d8be3858045ff Author: Menglong Dong Date: Sun Jun 27 23:37:44 2021 -0700 net: tipc: fix FB_MTU eat two pages [ Upstream commit 0c6de0c943dbb42831bf7502eb5c007f71e752d2 ] FB_MTU is used in 'tipc_msg_build()' to alloc smaller skb when memory allocation fails, which can avoid unnecessary sending failures. The value of FB_MTU now is 3744, and the data size will be: (3744 + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) + \ SKB_DATA_ALIGN(BUF_HEADROOM + BUF_TAILROOM + 3)) which is larger than one page(4096), and two pages will be allocated. To avoid it, replace '3744' with a calculation: (PAGE_SIZE - SKB_DATA_ALIGN(BUF_OVERHEAD) - \ SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) What's more, alloc_skb_fclone() will call SKB_DATA_ALIGN for data size, and it's not necessary to make alignment for buf_size in tipc_buf_acquire(). So, just remove it. Fixes: 4c94cc2d3d57 ("tipc: fall back to smaller MTU if allocation of local send skb fails") Signed-off-by: Menglong Dong Acked-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1148952dc660a90cead35fb89770f7369cf70ded Author: Pavel Skripkin Date: Fri Jun 25 23:23:48 2021 +0300 net: sched: fix warning in tcindex_alloc_perfect_hash [ Upstream commit 3f2db250099f46988088800052cdf2332c7aba61 ] Syzbot reported warning in tcindex_alloc_perfect_hash. The problem was in too big cp->hash, which triggers warning in kmalloc. Since cp->hash comes from userspace, there is no need to warn if value is not correct Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()") Reported-and-tested-by: syzbot+1071ad60cd7df39fdadb@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Acked-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4476568069c996f71db39843fa44c9f373f17fde Author: Vadim Fedorenko Date: Fri Jun 25 19:21:39 2021 +0300 net: lwtunnel: handle MTU calculation in forwading [ Upstream commit fade56410c22cacafb1be9f911a0afd3701d8366 ] Commit 14972cbd34ff ("net: lwtunnel: Handle fragmentation") moved fragmentation logic away from lwtunnel by carry encap headroom and use it in output MTU calculation. But the forwarding part was not covered and created difference in MTU for output and forwarding and further to silent drops on ipv4 forwarding path. Fix it by taking into account lwtunnel encap headroom. The same commit also introduced difference in how to treat RTAX_MTU in IPv4 and IPv6 where latter explicitly removes lwtunnel encap headroom from route MTU. Make IPv4 version do the same. Fixes: 14972cbd34ff ("net: lwtunnel: Handle fragmentation") Suggested-by: David Ahern Signed-off-by: Vadim Fedorenko Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6939c39a4106199877f93c96d931cff45c0d1dad Author: Muchun Song Date: Fri Apr 2 17:11:45 2021 +0800 writeback: fix obtain a reference to a freeing memcg css [ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ] The caller of wb_get_create() should pin the memcg, because wb_get_create() relies on this guarantee. The rcu read lock only can guarantee that the memcg css returned by css_from_id() cannot be released, but the reference of the memcg can be zero. rcu_read_lock() memcg_css = css_from_id() wb_get_create(memcg_css) cgwb_create(memcg_css) // css_get can change the ref counter from 0 back to 1 css_get(memcg_css) rcu_read_unlock() Fix it by holding a reference to the css before calling wb_get_create(). This is not a problem I encountered in the real world. Just the result of a code review. Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates") Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com Signed-off-by: Muchun Song Acked-by: Michal Hocko Acked-by: Tejun Heo Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 4c3e839bfde595022f955fe1021faae163b6fa6e Author: Robert Hancock Date: Thu Mar 25 13:26:39 2021 -0600 clk: si5341: Update initialization magic [ Upstream commit 3c9b49b0031aefb81adfdba5ab0ddf3ca3a2cdc9 ] Update the default register settings to include the VCO_RESET_CALCODE settings (set by the SiLabs ClockBuilder software but not described in the datasheet). Also update part of the initialization sequence to match ClockBuilder and the datasheet. Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20210325192643.2190069-6-robert.hancock@calian.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 55aaba36d7188a1aae5052fccecac976f55d1d56 Author: Robert Hancock Date: Thu Mar 25 13:26:38 2021 -0600 clk: si5341: Check for input clock presence and PLL lock on startup [ Upstream commit 71dcc4d1f7d2ad97ff7ab831281bc6893ff713a2 ] After initializing the device, wait for it to report that the input clock is present and the PLL has locked before declaring success. Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20210325192643.2190069-5-robert.hancock@calian.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 42ac32d834aa4cd36e7e41523bb4dae22668043c Author: Robert Hancock Date: Thu Mar 25 13:26:37 2021 -0600 clk: si5341: Avoid divide errors due to bogus register contents [ Upstream commit 78f6f406026d688868223d5dbeb197a4f7e9a9fd ] If the Si5341 is being initially programmed and has no stored NVM configuration, some of the register contents may contain unexpected values, such as zeros, which could cause divide by zero errors during driver initialization. Trap errors caused by zero registers or zero clock rates which could result in divide errors later in the code. Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20210325192643.2190069-4-robert.hancock@calian.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 043637617d51871bb324a30422615433caf709c3 Author: Robert Hancock Date: Thu Mar 25 13:26:36 2021 -0600 clk: si5341: Wait for DEVICE_READY on startup [ Upstream commit 6e7d2de1e000d36990923ed80d2e78dfcb545cee ] The Si5341 datasheet warns that before accessing any other registers, including the PAGE register, we need to wait for the DEVICE_READY register to indicate the device is ready, or the process of the device loading its state from NVM can be corrupted. Wait for DEVICE_READY on startup before continuing initialization. This is done using a raw I2C register read prior to setting up regmap to avoid any potential unwanted automatic PAGE register accesses from regmap at this stage. Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20210325192643.2190069-3-robert.hancock@calian.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 29746bd0f765f0d2f77b5f6de6050e60007fefe7 Author: Jonathan Marek Date: Tue Jun 8 22:28:52 2021 -0400 clk: qcom: clk-alpha-pll: fix CAL_L write in alpha_pll_fabia_prepare [ Upstream commit 7f54bf2640e877c8a9b4cc7e2b29f82e3ca1a284 ] Caught this when looking at alpha-pll code. Untested but it is clear that this was intended to write to PLL_CAL_L_VAL and not PLL_ALPHA_VAL. Fixes: 691865bad627 ("clk: qcom: clk-alpha-pll: Add support for Fabia PLL calibration") Signed-off-by: Jonathan Marek Link: https://lore.kernel.org/r/20210609022852.4151-1-jonathan@marek.ca Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 94221679ee0586fbafda62b5126b902459400f3c Author: Cristian Ciocaltea Date: Thu Jun 10 23:05:24 2021 +0300 clk: actions: Fix AHPPREDIV-H-AHB clock chain on Owl S500 SoC [ Upstream commit fd90b5b9045274360b12cea0f2ce50f3bcfb25cc ] There are a few issues with the setup of the Actions Semi Owl S500 SoC's clock chain involving AHPPREDIV, H and AHB clocks: * AHBPREDIV clock is defined as a muxer only, although it also acts as a divider. * H clock is using a wrong divider register offset * AHB is defined as a multi-rate factor clock, but it is actually just a fixed pass clock. Let's provide the following fixes: * Change AHBPREDIV clock to an ungated OWL_COMP_DIV definition. * Use the correct register shift value in the OWL_DIVIDER definition for H clock * Drop the unneeded 'ahb_factor_table[]' and change AHB clock to an ungated OWL_COMP_FIXED_FACTOR definition. Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/21c1abd19a7089b65a34852ac6513961be88cbe1.1623354574.git.cristian.ciocaltea@gmail.com Reviewed-by: Manivannan Sadhasivam Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit f3b6df5dfd7201d3f21fa4ab85137b71460a33ef Author: Cristian Ciocaltea Date: Thu Jun 10 23:05:23 2021 +0300 clk: actions: Fix bisp_factor_table based clocks on Owl S500 SoC [ Upstream commit a8f1f03caa51aa7a69c671aa87c475034db7d368 ] The following clocks of the Actions Semi Owl S500 SoC have been defined to use a shared clock factor table 'bisp_factor_table[]': DE[1-2], VCE, VDE, BISP, SENSOR[0-1] There are several issues involved in this approach: * 'bisp_factor_table[]' describes the configuration of a regular 8-rates divider, so its usage is redundant. Additionally, judging by the BISP clock context, it is incomplete since it maps only 8 out of 12 possible entries. * The clocks mentioned above are not identical in terms of the available rates, therefore cannot rely on the same factor table. Specifically, BISP and SENSOR* are standard 12-rate dividers so their configuration should rely on a proper clock div table, while VCE and VDE require a factor table that is a actually a subset of the one needed for DE[1-2] clocks. Let's fix this by implementing the following: * Add new factor tables 'de_factor_table' and 'hde_factor_table' to properly handle DE[1-2], VCE and VDE clocks. * Add a common div table 'std12rate_div_table' for BISP and SENSOR[0-1] clocks converted to OWL_COMP_DIV. * Drop the now unused 'bisp_factor_table[]'. Additionally, drop the CLK_IGNORE_UNUSED flag for SENSOR[0-1] since there is no reason to always keep ON those clocks. Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC") Signed-off-by: Cristian Ciocaltea Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/e675820a46cd9930d8d576c6cae61d41c1a8416f.1623354574.git.cristian.ciocaltea@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit ced193bc0851794cdf6f07bb3a4ce0ec7ddaf4dc Author: Cristian Ciocaltea Date: Thu Jun 10 23:05:22 2021 +0300 clk: actions: Fix SD clocks factor table on Owl S500 SoC [ Upstream commit fe1f71e338d77814da3ef44e9f64d32981a6ccdf ] Drop the unsupported entries in the factor table used for the SD[0-2] clocks definitions on the Actions Semi Owl S500 SoC. Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC") Signed-off-by: Cristian Ciocaltea Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/196c948d708a22b8198c95f064a0f6b6820f9980.1623354574.git.cristian.ciocaltea@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 12d2d6fd11c119902eb9b4456f2ab3b365e0813a Author: Cristian Ciocaltea Date: Thu Jun 10 23:05:21 2021 +0300 clk: actions: Fix UART clock dividers on Owl S500 SoC [ Upstream commit 2dca2a619a907579e3e65e7c1789230c2b912e88 ] Use correct divider registers for the Actions Semi Owl S500 SoC's UART clocks. Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC") Signed-off-by: Cristian Ciocaltea Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/4714d05982b19ac5fec2ed74f54be42d8238e392.1623354574.git.cristian.ciocaltea@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 7d97522e6e35b04daaaa1820de3f19cb79944407 Author: Luiz Augusto von Dentz Date: Tue Jun 22 20:59:02 2021 -0700 Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event [ Upstream commit 23837a6d7a1a61818ed94a6b8af552d6cf7d32d5 ] Error status of this event means that it has ended due reasons other than a connection: 'If advertising has terminated as a result of the advertising duration elapsing, the Status parameter shall be set to the error code Advertising Timeout (0x3C).' 'If advertising has terminated because the Max_Extended_Advertising_Events was reached, the Status parameter shall be set to the error code Limit Reached (0x43).' Fixes: acf0aeae431a0 ("Bluetooth: Handle ADv set terminated event") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 4f5fc3be2cca7ae2c7697cfd97f17a1dd70de993 Author: Luiz Augusto von Dentz Date: Wed Jun 9 11:09:27 2021 -0700 Bluetooth: Fix Set Extended (Scan Response) Data [ Upstream commit c9ed0a7077306f9d41d74fb006ab5dbada8349c5 ] These command do have variable length and the length can go up to 251, so this changes the struct to not use a fixed size and then when creating the PDU only the actual length of the data send to the controller. Fixes: a0fb3726ba551 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c5fedfcc2046ab8b67befdf78ebd34ad561088b3 Author: Luiz Augusto von Dentz Date: Fri Nov 13 16:44:33 2020 -0800 Bluetooth: Fix not sending Set Extended Scan Response [ Upstream commit a76a0d365077711594ce200a9553ed6d1ff40276 ] Current code is actually failing on the following tests of mgmt-tester because get_adv_instance_scan_rsp_len did not account for flags that cause scan response data to be included resulting in non-scannable instance when in fact it should be scannable. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Sasha Levin commit a2dcad039e45713c45168be53ebace6e1e0cfd0a Author: Luiz Augusto von Dentz Date: Fri May 28 11:45:02 2021 -0700 Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid [ Upstream commit 799acb9347915bfe4eac0ff2345b468f0a1ca207 ] This fixes parsing of LTV entries when the length is 0. Found with: tools/mgmt-tester -s "Add Advertising - Success (ScRsp only)" Add Advertising - Success (ScRsp only) - run Sending Add Advertising (0x003e) Test condition added, total 1 [ 11.004577] ================================================================== [ 11.005292] BUG: KASAN: slab-out-of-bounds in tlv_data_is_valid+0x87/0xe0 [ 11.005984] Read of size 1 at addr ffff888002c695b0 by task mgmt-tester/87 [ 11.006711] [ 11.007176] [ 11.007429] Allocated by task 87: [ 11.008151] [ 11.008438] The buggy address belongs to the object at ffff888002c69580 [ 11.008438] which belongs to the cache kmalloc-64 of size 64 [ 11.010526] The buggy address is located 48 bytes inside of [ 11.010526] 64-byte region [ffff888002c69580, ffff888002c695c0) [ 11.012423] The buggy address belongs to the page: [ 11.013291] [ 11.013544] Memory state around the buggy address: [ 11.014359] ffff888002c69480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 11.015453] ffff888002c69500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 11.016232] >ffff888002c69580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 11.017010] ^ [ 11.017547] ffff888002c69600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 11.018296] ffff888002c69680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 11.019116] ================================================================== Fixes: 2bb36870e8cb2 ("Bluetooth: Unify advertising instance flags check") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d28e780431b5b15635cc82559ddd94e57b4bfd1f Author: Petr Oros Date: Fri Jun 25 10:27:45 2021 +0200 Revert "be2net: disable bh with spin_lock in be_process_mcc" [ Upstream commit d6765985a42a660f078896d5c5b27f97c580a490 ] Patch was based on wrong presumption that be_poll can be called only from bh context. It reintroducing old regression (also reverted) and causing deadlock when we use netconsole with benet in bonding. Old revert: commit 072a9c486004 ("netpoll: revert 6bdb7fe3104 and fix be_poll() instead") [ 331.269715] bond0: (slave enp0s7f0): Releasing backup interface [ 331.270121] CPU: 4 PID: 1479 Comm: ifenslave Not tainted 5.13.0-rc7+ #2 [ 331.270122] Call Trace: [ 331.270122] [c00000001789f200] [c0000000008c505c] dump_stack+0x100/0x174 (unreliable) [ 331.270124] [c00000001789f240] [c008000001238b9c] be_poll+0x64/0xe90 [be2net] [ 331.270125] [c00000001789f330] [c000000000d1e6e4] netpoll_poll_dev+0x174/0x3d0 [ 331.270127] [c00000001789f400] [c008000001bc167c] bond_poll_controller+0xb4/0x130 [bonding] [ 331.270128] [c00000001789f450] [c000000000d1e624] netpoll_poll_dev+0xb4/0x3d0 [ 331.270129] [c00000001789f520] [c000000000d1ed88] netpoll_send_skb+0x448/0x470 [ 331.270130] [c00000001789f5d0] [c0080000011f14f8] write_msg+0x180/0x1b0 [netconsole] [ 331.270131] [c00000001789f640] [c000000000230c0c] console_unlock+0x54c/0x790 [ 331.270132] [c00000001789f7b0] [c000000000233098] vprintk_emit+0x2d8/0x450 [ 331.270133] [c00000001789f810] [c000000000234758] vprintk+0xc8/0x270 [ 331.270134] [c00000001789f850] [c000000000233c28] printk+0x40/0x54 [ 331.270135] [c00000001789f870] [c000000000ccf908] __netdev_printk+0x150/0x198 [ 331.270136] [c00000001789f910] [c000000000ccfdb4] netdev_info+0x68/0x94 [ 331.270137] [c00000001789f950] [c008000001bcbd70] __bond_release_one+0x188/0x6b0 [bonding] [ 331.270138] [c00000001789faa0] [c008000001bcc6f4] bond_do_ioctl+0x42c/0x490 [bonding] [ 331.270139] [c00000001789fb60] [c000000000d0d17c] dev_ifsioc+0x17c/0x400 [ 331.270140] [c00000001789fbc0] [c000000000d0db70] dev_ioctl+0x390/0x890 [ 331.270141] [c00000001789fc10] [c000000000c7c76c] sock_do_ioctl+0xac/0x1b0 [ 331.270142] [c00000001789fc90] [c000000000c7ffac] sock_ioctl+0x31c/0x6e0 [ 331.270143] [c00000001789fd60] [c0000000005b9728] sys_ioctl+0xf8/0x150 [ 331.270145] [c00000001789fdb0] [c0000000000336c0] system_call_exception+0x160/0x2f0 [ 331.270146] [c00000001789fe10] [c00000000000d35c] system_call_common+0xec/0x278 [ 331.270147] --- interrupt: c00 at 0x7fffa6c6ec00 [ 331.270147] NIP: 00007fffa6c6ec00 LR: 0000000105c4185c CTR: 0000000000000000 [ 331.270148] REGS: c00000001789fe80 TRAP: 0c00 Not tainted (5.13.0-rc7+) [ 331.270148] MSR: 800000000280f033 CR: 28000428 XER: 00000000 [ 331.270155] IRQMASK: 0 [ 331.270156] GPR00: 0000000000000036 00007fffd494d5b0 00007fffa6d57100 0000000000000003 [ 331.270158] GPR04: 0000000000008991 00007fffd494d6d0 0000000000000008 00007fffd494f28c [ 331.270161] GPR08: 0000000000000003 0000000000000000 0000000000000000 0000000000000000 [ 331.270164] GPR12: 0000000000000000 00007fffa6dfa220 0000000000000000 0000000000000000 [ 331.270167] GPR16: 0000000105c44880 0000000000000000 0000000105c60088 0000000105c60318 [ 331.270170] GPR20: 0000000105c602c0 0000000105c44560 0000000000000000 0000000000000000 [ 331.270172] GPR24: 00007fffd494dc50 00007fffd494d6a8 0000000105c60008 00007fffd494d6d0 [ 331.270175] GPR28: 00007fffd494f27e 0000000105c6026c 00007fffd494f284 0000000000000000 [ 331.270178] NIP [00007fffa6c6ec00] 0x7fffa6c6ec00 [ 331.270178] LR [0000000105c4185c] 0x105c4185c [ 331.270179] --- interrupt: c00 This reverts commit d0d006a43e9a7a796f6f178839c92fcc222c564d. Fixes: d0d006a43e9a7a ("be2net: disable bh with spin_lock in be_process_mcc") Signed-off-by: Petr Oros Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 342b06b600bf662dc10ea9b6cee107122c57f68a Author: Bailey Forrest Date: Thu Jun 24 19:55:41 2021 -0700 gve: Fix swapped vars when fetching max queues [ Upstream commit 1db1a862a08f85edc36aad091236ac9b818e949e ] Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") Signed-off-by: Bailey Forrest Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 11044f8c2c9f50e6de833f330d94fa27719c47c4 Author: Håkon Bugge Date: Tue Jun 22 16:13:27 2021 +0200 RDMA/cma: Fix incorrect Packet Lifetime calculation [ Upstream commit e84045eab69c625bc0b0bf24d8e05bc65da1eed1 ] An approximation for the PacketLifeTime is half the local ACK timeout. The encoding for both timers are logarithmic. If the local ACK timeout is set, but zero, it means the timer is disabled. In this case, we choose the CMA_IBOE_PACKET_LIFETIME value, since 50% of infinite makes no sense. Before this commit, the PacketLifeTime became 255 if local ACK timeout was zero (not running). Fixed by explicitly testing for timeout being zero. Fixes: e1ee1e62bec4 ("RDMA/cma: Use ACK timeout for RoCE packetLifeTime") Link: https://lore.kernel.org/r/1624371207-26710-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fc2ea819b96efe25b4af369bfbbc885c0c485bf7 Author: Gary Lin Date: Wed Jun 23 12:09:18 2021 +0800 bpfilter: Specify the log level for the kmsg message [ Upstream commit a196fa78a26571359740f701cf30d774eb8a72cb ] Per the kmsg document [0], if we don't specify the log level with a prefix "" in the message string, the default log level will be applied to the message. Since the default level could be warning(4), this would make the log utility such as journalctl treat the message, "Started bpfilter", as a warning. To avoid confusion, this commit adds the prefix "<5>" to make the message always a notice. [0] https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg Fixes: 36c4357c63f3 ("net: bpfilter: print umh messages to /dev/kmsg") Reported-by: Martin Loviska Signed-off-by: Gary Lin Signed-off-by: Daniel Borkmann Acked-by: Dmitrii Banshchikov Link: https://lore.kernel.org/bpf/20210623040918.8683-1-glin@suse.com Signed-off-by: Sasha Levin commit 4228c00e1408f4075ce3c28e014e7759c5343c73 Author: Vladimir Oltean Date: Thu Jun 24 18:52:07 2021 +0300 net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs() [ Upstream commit be7f62eebaff2f86c1467a2d33930a0a7a87675b ] priv->cbs is an array of priv->info->num_cbs_shapers elements of type struct sja1105_cbs_entry which only get allocated if CONFIG_NET_SCH_CBS is enabled. However, sja1105_reload_cbs() is called from sja1105_static_config_reload() which in turn is called for any of the items in sja1105_reset_reasons, therefore during the normal runtime of the driver and not just from a code path which can be triggered by the tc-cbs offload. The sja1105_reload_cbs() function does not contain a check whether the priv->cbs array is NULL or not, it just assumes it isn't and proceeds to iterate through the credit-based shaper elements. This leads to a NULL pointer dereference. The solution is to return success if the priv->cbs array has not been allocated, since sja1105_reload_cbs() has nothing to do. Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 393d48b3dec0be5c1dd1435fd363087a1cb288e0 Author: Sasha Neftin Date: Thu Jun 24 12:02:48 2021 -0700 e1000e: Check the PCIm state [ Upstream commit 2e7256f12cdb16eaa2515b6231d665044a07c51a ] Complete to commit def4ec6dce393e ("e1000e: PCIm function state support") Check the PCIm state only on CSME systems. There is no point to do this check on non CSME systems. This patch fixes a generation a false-positive warning: "Error in exiting dmoff" Fixes: def4ec6dce39 ("e1000e: PCIm function state support") Signed-off-by: Sasha Neftin Tested-by: Dvora Fuxbrumer Signed-off-by: Tony Nguyen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cebff3d9f74fe1bb7dab9fb57747d1a5679c5ed3 Author: Eric Dumazet Date: Thu Jun 24 03:07:20 2021 -0700 ipv6: fix out-of-bound access in ip6_parse_tlv() [ Upstream commit 624085a31c1ad6a80b1e53f686bf6ee92abbf6e8 ] First problem is that optlen is fetched without checking there is more than one byte to parse. Fix this by taking care of IPV6_TLV_PAD1 before fetching optlen (under appropriate sanity checks against len) Second problem is that IPV6_TLV_PADN checks of zero padding are performed before the check of remaining length. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking") Signed-off-by: Eric Dumazet Cc: Paolo Abeni Cc: Tom Herbert Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9e753c47b905f068c4477387ff29a4c7124f3e97 Author: Antoine Tenart Date: Thu Jun 24 11:38:30 2021 +0200 net: atlantic: fix the macsec key length [ Upstream commit d67fb4772d9a6cfd10f1109f0e7b1e6eb58c8e16 ] The key length used to store the macsec key was set to MACSEC_KEYID_LEN (16), which is an issue as: - This was never meant to be the key length. - The key length can be > 16. Fix this by using MACSEC_MAX_KEY_LEN instead (the max length accepted in uAPI). Fixes: 27736563ce32 ("net: atlantic: MACSec egress offload implementation") Fixes: 9ff40a751a6f ("net: atlantic: MACSec ingress offload implementation") Reported-by: Lior Nahmanson Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1c95d4d432c36902e81a854eddc26d6cb59e8e0e Author: Antoine Tenart Date: Thu Jun 24 11:38:29 2021 +0200 net: phy: mscc: fix macsec key length [ Upstream commit c309217f91f2d2097c2a0a832d9bff50b88c81dc ] The key length used to store the macsec key was set to MACSEC_KEYID_LEN (16), which is an issue as: - This was never meant to be the key length. - The key length can be > 16. Fix this by using MACSEC_MAX_KEY_LEN instead (the max length accepted in uAPI). Fixes: 28c5107aa904 ("net: phy: mscc: macsec support") Reported-by: Lior Nahmanson Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 711a28d24d0761e39820e2a6776ef8f12637ff3b Author: Antoine Tenart Date: Thu Jun 24 11:38:28 2021 +0200 net: macsec: fix the length used to copy the key for offloading [ Upstream commit 1f7fe5121127e037b86592ba42ce36515ea0e3f7 ] The key length used when offloading macsec to Ethernet or PHY drivers was set to MACSEC_KEYID_LEN (16), which is an issue as: - This was never meant to be the key length. - The key length can be > 16. Fix this by using MACSEC_MAX_KEY_LEN to store the key (the max length accepted in uAPI) and secy->key_len to copy it. Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") Reported-by: Lior Nahmanson Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c764f2d899b26eb2001358498eea5b1df031c18e Author: Håkon Bugge Date: Tue Jun 22 15:39:57 2021 +0200 RDMA/cma: Protect RMW with qp_mutex [ Upstream commit ca0c448d2b9f43e3175835d536853854ef544e22 ] The struct rdma_id_private contains three bit-fields, tos_set, timeout_set, and min_rnr_timer_set. These are set by accessor functions without any synchronization. If two or all accessor functions are invoked in close proximity in time, there will be Read-Modify-Write from several contexts to the same variable, and the result will be intermittent. Fixed by protecting the bit-fields by the qp_mutex in the accessor functions. The consumer of timeout_set and min_rnr_timer_set is in rdma_init_qp_attr(), which is called with qp_mutex held for connected QPs. Explicit locking is added for the consumers of tos and tos_set. This commit depends on ("RDMA/cma: Remove unnecessary INIT->INIT transition"), since the call to rdma_init_qp_attr() from cma_init_conn_qp() does not hold the qp_mutex. Fixes: 2c1619edef61 ("IB/cma: Define option to set ack timeout and pack tos_set") Fixes: 3aeffc46afde ("IB/cma: Introduce rdma_set_min_rnr_timer()") Link: https://lore.kernel.org/r/1624369197-24578-3-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d52ceed8452614c46dcdb701c1386902d09a1cfa Author: Sukadev Bhattiprolu Date: Wed Jun 23 21:13:15 2021 -0700 ibmvnic: free tx_pool if tso_pool alloc fails [ Upstream commit f6ebca8efa52e4ae770f0325d618e7bcf08ada0c ] Free tx_pool and clear it, if allocation of tso_pool fails. release_tx_pools() assumes we have both tx and tso_pools if ->tx_pool is non-NULL. If allocation of tso_pool fails in init_tx_pools(), the assumption will not be true and we would end up dereferencing ->tx_buff, ->free_map fields from a NULL pointer. Fixes: 3205306c6b8d ("ibmvnic: Update TX pool initialization routine") Signed-off-by: Sukadev Bhattiprolu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f25accc4fd4d56bda6125ef4e52629b3fb44d1af Author: Sukadev Bhattiprolu Date: Wed Jun 23 21:13:14 2021 -0700 ibmvnic: set ltb->buff to NULL after freeing [ Upstream commit 552a33729f1a7cc5115d0752064fe9abd6e3e336 ] free_long_term_buff() checks ltb->buff to decide whether we have a long term buffer to free. So set ltb->buff to NULL afer freeing. While here, also clear ->map_id, fix up some coding style and log an error. Fixes: 9c4eaabd1bb39 ("Check CRQ command return codes") Signed-off-by: Sukadev Bhattiprolu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3f85d2ca323f54861c27a3890b4d3e9b4a9eee2c Author: Dany Madden Date: Wed Jun 23 21:13:11 2021 -0700 Revert "ibmvnic: remove duplicate napi_schedule call in open function" [ Upstream commit 2ca220f92878470c6ba03f9946e412323093cc94 ] This reverts commit 7c451f3ef676c805a4b77a743a01a5c21a250a73. When a vnic interface is taken down and then up, connectivity is not restored. We bisected it to this commit. Reverting this commit until we can fully investigate the issue/benefit of the change. Fixes: 7c451f3ef676 ("ibmvnic: remove duplicate napi_schedule call in open function") Reported-by: Cristobal Forno Reported-by: Abdul Haleem Signed-off-by: Dany Madden Signed-off-by: Sukadev Bhattiprolu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cad22e48cabe00e055c6ae7999fc3487e422471c Author: Jan Sokolowski Date: Fri Jun 11 12:01:41 2021 +0200 i40e: Fix missing rtnl locking when setting up pf switch [ Upstream commit 956e759d5f8e0859e86b951a8779c60af633aafd ] A recent change that made i40e use new udp_tunnel infrastructure uses a method that expects to be called under rtnl lock. However, not all codepaths do the lock prior to calling i40e_setup_pf_switch. Fix that by adding additional rtnl locking and unlocking. Fixes: 40a98cb6f01f ("i40e: convert to new udp_tunnel infrastructure") Signed-off-by: Jan Sokolowski Signed-off-by: Mateusz Palczewski Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit d9a5d19706eada82bbeaa1706b09583b3abb7e62 Author: Mateusz Palczewski Date: Wed Mar 10 11:12:54 2021 +0000 i40e: Fix autoneg disabling for non-10GBaseT links [ Upstream commit 9262793e59f0423437166a879a73d056b1fe6f9a ] Disabling autonegotiation was allowed only for 10GBaseT PHY. The condition was changed to check if link media type is BaseT. Fixes: 3ce12ee9d8f9 ("i40e: Fix order of checks when enabling/disabling autoneg in ethtool") Reviewed-by: Aleksandr Loktionov Reviewed-by: Karen Sornek Signed-off-by: Dawid Lukwinski Signed-off-by: Mateusz Palczewski Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 88819239e9fd66cdd303e5290b27d004db3cf5b7 Author: Dinghao Liu Date: Sun Feb 28 19:50:58 2021 +0800 i40e: Fix error handling in i40e_vsi_open [ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ] When vsi->type == I40E_VSI_FDIR, we have caught the return value of i40e_vsi_request_irq() but without further handling. Check and execute memory clean on failure just like the other i40e_vsi_request_irq(). Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown") Signed-off-by: Dinghao Liu Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit aefa9277440886b8b17c258669b86bef8379a3a1 Author: Maciej Żenczykowski Date: Wed Jun 16 17:09:51 2021 -0700 bpf: Do not change gso_size during bpf_skb_change_proto() [ Upstream commit 364745fbe981a4370f50274475da4675661104df ] This is technically a backwards incompatible change in behaviour, but I'm going to argue that it is very unlikely to break things, and likely to fix *far* more then it breaks. In no particular order, various reasons follow: (a) I've long had a bug assigned to myself to debug a super rare kernel crash on Android Pixel phones which can (per stacktrace) be traced back to BPF clat IPv6 to IPv4 protocol conversion causing some sort of ugly failure much later on during transmit deep in the GSO engine, AFAICT precisely because of this change to gso_size, though I've never been able to manually reproduce it. I believe it may be related to the particular network offload support of attached USB ethernet dongle being used for tethering off of an IPv6-only cellular connection. The reason might be we end up with more segments than max permitted, or with a GSO packet with only one segment... (either way we break some assumption and hit a BUG_ON) (b) There is no check that the gso_size is > 20 when reducing it by 20, so we might end up with a negative (or underflowing) gso_size or a gso_size of 0. This can't possibly be good. Indeed this is probably somehow exploitable (or at least can result in a kernel crash) by delivering crafted packets and perhaps triggering an infinite loop or a divide by zero... As a reminder: gso_size (MSS) is related to MTU, but not directly derived from it: gso_size/MSS may be significantly smaller then one would get by deriving from local MTU. And on some NICs (which do loose MTU checking on receive, it may even potentially be larger, for example my work pc with 1500 MTU can receive 1520 byte frames [and sometimes does due to bugs in a vendor plat46 implementation]). Indeed even just going from 21 to 1 is potentially problematic because it increases the number of segments by a factor of 21 (think DoS, or some other crash due to too many segments). (c) It's always safe to not increase the gso_size, because it doesn't result in the max packet size increasing. So the skb_increase_gso_size() call was always unnecessary for correctness (and outright undesirable, see later). As such the only part which is potentially dangerous (ie. could cause backwards compatibility issues) is the removal of the skb_decrease_gso_size() call. (d) If the packets are ultimately destined to the local device, then there is absolutely no benefit to playing around with gso_size. It only matters if the packets will egress the device. ie. we're either forwarding, or transmitting from the device. (e) This logic only triggers for packets which are GSO. It does not trigger for skbs which are not GSO. It will not convert a non-GSO MTU sized packet into a GSO packet (and you don't even know what the MTU is, so you can't even fix it). As such your transmit path must *already* be able to handle an MTU 20 bytes larger then your receive path (for IPv4 to IPv6 translation) - and indeed 28 bytes larger due to IPv4 fragments. Thus removing the skb_decrease_gso_size() call doesn't actually increase the size of the packets your transmit side must be able to handle. ie. to handle non-GSO max-MTU packets, the IPv4/IPv6 device/ route MTUs must already be set correctly. Since for example with an IPv4 egress MTU of 1500, IPv4 to IPv6 translation will already build 1520 byte IPv6 frames, so you need a 1520 byte device MTU. This means if your IPv6 device's egress MTU is 1280, your IPv4 route must be 1260 (and actually 1252, because of the need to handle fragments). This is to handle normal non-GSO packets. Thus the reduction is simply not needed for GSO packets, because when they're correctly built, they will already be the right size. (f) TSO/GSO should be able to exactly undo GRO: the number of packets (TCP segments) should not be modified, so that TCP's MSS counting works correctly (this matters for congestion control). If protocol conversion changes the gso_size, then the number of TCP segments may increase or decrease. Packet loss after protocol conversion can result in partial loss of MSS segments that the sender sent. How's the sending TCP stack going to react to receiving ACKs/SACKs in the middle of the segments it sent? (g) skb_{decrease,increase}_gso_size() are already no-ops for GSO_BY_FRAGS case (besides triggering WARN_ON_ONCE). This means you already cannot guarantee that gso_size (and thus resulting packet MTU) is changed. ie. you must assume it won't be changed. (h) changing gso_size is outright buggy for UDP GSO packets, where framing matters (I believe that's also the case for SCTP, but it's already excluded by [g]). So the only remaining case is TCP, which also doesn't want it (see [f]). (i) see also the reasoning on the previous attempt at fixing this (commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e) which shows that the current behaviour causes TCP packet loss: In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the coalesced packet payload can be > MSS, but < MSS + 20. bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload length. After then tcp_gso_segment checks for the payload length if it is <= MSS. The condition is causing the packet to be dropped. tcp_gso_segment(): [...] mss = skb_shinfo(skb)->gso_size; if (unlikely(skb->len <= mss)) goto out; [...] Thus changing the gso_size is simply a very bad idea. Increasing is unnecessary and buggy, and decreasing can go negative. Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Signed-off-by: Maciej Żenczykowski Signed-off-by: Daniel Borkmann Cc: Dongseok Yi Cc: Willem de Bruijn Link: https://lore.kernel.org/bpf/CANP3RGfjLikQ6dg=YpBU0OeHvyv7JOki7CyOUS9modaXAi-9vQ@mail.gmail.com Link: https://lore.kernel.org/bpf/20210617000953.2787453-2-zenczykowski@gmail.com Signed-off-by: Sasha Levin commit 0dac8b0ad01676845078face9af8e62c724209ae Author: Norbert Slusarek Date: Sun Jun 20 14:38:42 2021 +0200 can: j1939: j1939_sk_setsockopt(): prevent allocation of j1939 filter for optlen == 0 [ Upstream commit aaf473d0100f64abc88560e2bea905805bcf2a8e ] If optval != NULL and optlen == 0 are specified for SO_J1939_FILTER in j1939_sk_setsockopt(), memdup_sockptr() will return ZERO_PTR for 0 size allocation. The new filter will be mistakenly assigned ZERO_PTR. This patch checks for optlen != 0 and filter will be assigned NULL in case of optlen == 0. Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Link: https://lore.kernel.org/r/20210620123842.117975-1-nslusarek@gmx.net Signed-off-by: Norbert Slusarek Acked-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2d58a38275d274b299714fb2ddef4b426e84aa49 Author: Eric Dumazet Date: Wed Jun 23 08:27:00 2021 -0700 ipv6: exthdrs: do not blindly use init_net [ Upstream commit bcc3f2a829b9edbe3da5fb117ee5a63686d31834 ] I see no reason why max_dst_opts_cnt and max_hbh_opts_cnt are fetched from the initial net namespace. The other sysctls (max_dst_opts_len & max_hbh_opts_len) are in fact already using the current ns. Note: it is not clear why ipv6_destopt_rcv() use two ways to get to the netns : 1) dev_net(dst->dev) Originally used to increment IPSTATS_MIB_INHDRERRORS 2) dev_net(skb->dev) Tom used this variant in his patch. Maybe this calls to use ipv6_skb_net() instead ? Fixes: 47d3d7ac656a ("ipv6: Implement limits on Hop-by-Hop and Destination options") Signed-off-by: Eric Dumazet Cc: Tom Herbert Cc: Coco Li Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b559d003f03c521428bc07ffa9cb3de0c5312c4a Author: Jian-Hong Pan Date: Wed Jun 23 11:28:03 2021 +0800 net: bcmgenet: Fix attaching to PYH failed on RPi 4B [ Upstream commit b2ac9800cfe0f8da16abc4e74e003440361c112e ] The Broadcom UniMAC MDIO bus from mdio-bcm-unimac module comes too late. So, GENET cannot find the ethernet PHY on UniMAC MDIO bus. This leads GENET fail to attach the PHY as following log: bcmgenet fd580000.ethernet: GENET 5.0 EPHY: 0x0000 ... could not attach to PHY bcmgenet fd580000.ethernet eth0: failed to connect to PHY uart-pl011 fe201000.serial: no DMA platform data libphy: bcmgenet MII bus: probed ... unimac-mdio unimac-mdio.-19: Broadcom UniMAC MDIO bus This patch adds the soft dependency to load mdio-bcm-unimac module before genet module to avoid the issue. Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver") Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213485 Signed-off-by: Jian-Hong Pan Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 514c96bf65ce07670367ead0181e1c031360a8f8 Author: Ping-Ke Shih Date: Wed Jun 23 21:48:25 2021 +0800 mac80211: remove iwlwifi specific workaround NDPs of null_response [ Upstream commit 744757e46bf13ec3a7b3507d17ab3faab9516d43 ] Remove the remaining workaround that is not removed by the commit e41eb3e408de ("mac80211: remove iwlwifi specific workaround that broke sta NDP tx") Fixes: 41cbb0f5a295 ("mac80211: add support for HE") Signed-off-by: Ping-Ke Shih Link: https://lore.kernel.org/r/20210623134826.10318-1-pkshih@realtek.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1b3985aa53d07dbab46c04e3b6416e06cc7e6638 Author: Zhen Lei Date: Mon May 10 14:38:05 2021 +0800 drm/msm/dpu: Fix error return code in dpu_mdss_init() [ Upstream commit e020ac961ce5d038de66dc7f6ffca98899e9a3f3 ] The error code returned by platform_get_irq() is stored in 'irq', it's forgotten to be copied to 'ret' before being returned. As a result, the value 0 of 'ret' is returned incorrectly. After the above fix is completed, initializing the local variable 'ret' to 0 is no longer needed, remove it. In addition, when dpu_mdss_init() is successfully returned, the value of 'ret' is always 0. Therefore, replace "return ret" with "return 0" to make the code clearer. Fixes: 070e64dc1bbc ("drm/msm/dpu: Convert to a chained irq chip") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210510063805.3262-2-thunder.leizhen@huawei.com Reviewed-by: Stephen Boyd Reviewed-by: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 134a561aee5072cab0207511f1224bcca5890d8e Author: Zhen Lei Date: Sat May 8 10:28:36 2021 +0800 drm/msm: Fix error return code in msm_drm_init() [ Upstream commit a1c9b1e3bdd6d8dc43c18699772fb6cf4497d45a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 7f9743abaa79 ("drm/msm: validate display and event threads") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210508022836.1777-1-thunder.leizhen@huawei.com Reviewed-by: Dmitry Baryshkov Signed-off-by: Dmitry Baryshkov Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit f97b9c4c075985015c92901c88c99c0f18cbd4c4 Author: John Fastabend Date: Wed Jun 16 15:55:00 2021 -0700 bpf: Fix null ptr deref with mixed tail calls and subprogs [ Upstream commit 7506d211b932870155bcb39e3dd9e39fab45a7c7 ] The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the individual JITs. The poke_tab[] to use is stored in the insn->imm by the code adding it to that array slot. The JIT then uses imm to find the right entry for an individual instruction. In the x86 bpf_jit_comp.c this is done by calling emit_bpf_tail_call_direct with the poke_tab[] of the imm value. However, we observed the below null-ptr-deref when mixing tail call programs with subprog programs. For this to happen we just need to mix bpf-2-bpf calls and tailcalls with some extra calls or instructions that would be patched later by one of the fixup routines. So whats happening? Before the fixup_call_args() -- where the jit op is done -- various code patching is done by do_misc_fixups(). This may increase the insn count, for example when we patch map_lookup_up using map_gen_lookup hook. This does two things. First, it means the instruction index, insn_idx field, of a tail call instruction will move by a 'delta'. In verifier code, struct bpf_jit_poke_descriptor desc = { .reason = BPF_POKE_REASON_TAIL_CALL, .tail_call.map = BPF_MAP_PTR(aux->map_ptr_state), .tail_call.key = bpf_map_key_immediate(aux), .insn_idx = i + delta, }; Then subprog start values subprog_info[i].start will be updated with the delta and any poke descriptor index will also be updated with the delta in adjust_poke_desc(). If we look at the adjust subprog starts though we see its only adjusted when the delta occurs before the new instructions, /* NOTE: fake 'exit' subprog should be updated as well. */ for (i = 0; i <= env->subprog_cnt; i++) { if (env->subprog_info[i].start <= off) continue; Earlier subprograms are not changed because their start values are not moved. But, adjust_poke_desc() does the offset + delta indiscriminately. The result is poke descriptors are potentially corrupted. Then in jit_subprogs() we only populate the poke_tab[] when the above insn_idx is less than the next subprogram start. From above we corrupted our insn_idx so we might incorrectly assume a poke descriptor is not used in a subprogram omitting it from the subprogram. And finally when the jit runs it does the deref of poke_tab when emitting the instruction and crashes with below. Because earlier step omitted the poke descriptor. The fix is straight forward with above context. Simply move same logic from adjust_subprog_starts() into adjust_poke_descs() and only adjust insn_idx when needed. [ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload ' [ 82.623001] loop10: detected capacity change from 0 to 8 [ 88.487424] ================================================================== [ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290 [ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295 [ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ #386 [ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 [ 88.487490] Call Trace: [ 88.487498] dump_stack+0x93/0xc2 [ 88.487515] kasan_report.cold+0x5f/0xd8 [ 88.487530] ? do_jit+0x184a/0x3290 [ 88.487542] do_jit+0x184a/0x3290 ... [ 88.487709] bpf_int_jit_compile+0x248/0x810 ... [ 88.487765] bpf_check+0x3718/0x5140 ... [ 88.487920] bpf_prog_load+0xa22/0xf10 Fixes: a748c6975dea3 ("bpf: propagate poke descriptors to subprograms") Reported-by: Jussi Maki Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Reviewed-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 56c31bc9aabec5ca5f6be8415303a3e67b2229b6 Author: Eric Dumazet Date: Mon Jun 21 11:02:44 2021 -0700 ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() [ Upstream commit 0303b30375dff5351a79cc2c3c87dfa4fda29bed ] Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE must be present to avoid a crash. Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Eric Dumazet Cc: Alexander Aring Cc: Stefan Schmidt Reported-by: syzbot Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210621180244.882076-1-eric.dumazet@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 71a345ede51a075628e46684b906891e21d81a3d Author: Dongliang Mu Date: Wed Jun 16 10:09:01 2021 +0800 ieee802154: hwsim: Fix memory leak in hwsim_add_one [ Upstream commit 28a5501c3383f0e6643012c187b7c2027ef42aea ] No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to remove the entry in the edges list. Take the example below, phy0, phy1 and e0 will be deleted, resulting in e1 not freed and accessed in the future. hwsim_phys | ------------------------------ | | phy0 (edges) phy1 (edges) ----> e1 (idx = 1) ----> e0 (idx = 0) Fix this by deleting and freeing all the entries in the edges list between hwsim_edge_unsubscribe_me and list_del(&phy->list). Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling") Signed-off-by: Dongliang Mu Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210616020901.2759466-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 4b44486b8bfd131e935d706a490ca40cf713f4e7 Author: Marcelo Ricardo Leitner Date: Tue Jun 22 12:05:00 2021 -0300 tc-testing: fix list handling [ Upstream commit b4fd096cbb871340be837491fa1795864a48b2d9 ] python lists don't have an 'add' method, but 'append'. Fixes: 14e5175e9e04 ("tc-testing: introduce scapyPlugin for basic traffic") Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 997285646a9c8455fe09128717ccd18275dd7118 Author: Vignesh Raghavendra Date: Tue Jun 22 20:08:57 2021 +0530 net: ti: am65-cpsw-nuss: Fix crash when changing number of TX queues [ Upstream commit ce8eb4c728ef40b554b4f3d8963f11ed44502e00 ] When changing number of TX queues using ethtool: # ethtool -L eth0 tx 1 [ 135.301047] Unable to handle kernel paging request at virtual address 00000000af5d0000 [...] [ 135.525128] Call trace: [ 135.525142] dma_release_from_dev_coherent+0x2c/0xb0 [ 135.525148] dma_free_attrs+0x54/0xe0 [ 135.525156] k3_cppi_desc_pool_destroy+0x50/0xa0 [ 135.525164] am65_cpsw_nuss_remove_tx_chns+0x88/0xdc [ 135.525171] am65_cpsw_set_channels+0x3c/0x70 [...] This is because k3_cppi_desc_pool_destroy() which is called after k3_udma_glue_release_tx_chn() in am65_cpsw_nuss_remove_tx_chns() references struct device that is unregistered at the end of k3_udma_glue_release_tx_chn() Therefore the right order is to call k3_cppi_desc_pool_destroy() and destroy desc pool before calling k3_udma_glue_release_tx_chn(). Fix this throughout the driver. Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Vignesh Raghavendra Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6610d5a73b6f9a30a7398f88a9bf09105476f83d Author: Miao Wang Date: Tue Jun 22 12:24:50 2021 +0800 net/ipv4: swap flow ports when validating source [ Upstream commit c69f114d09891adfa3e301a35d9e872b8b7b5a50 ] When doing source address validation, the flowi4 struct used for fib_lookup should be in the reverse direction to the given skb. fl4_dport and fl4_sport returned by fib4_rules_early_flow_dissect should thus be swapped. Fixes: 5a847a6e1477 ("net/ipv4: Initialize proto and ports in flow struct") Signed-off-by: Miao Wang Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c3fcfc4e369be3901f1bbf8e3bf2d9e426bf097b Author: Jakub Kicinski Date: Mon Jun 21 18:52:54 2021 -0700 ip6_tunnel: fix GRE6 segmentation [ Upstream commit a6e3f2985a80ef6a45a17d2d9d9151f17ea3ce07 ] Commit 6c11fbf97e69 ("ip6_tunnel: add MPLS transmit support") moved assiging inner_ipproto down from ipxip6_tnl_xmit() to its callee ip6_tnl_xmit(). The latter is also used by GRE. Since commit 38720352412a ("gre: Use inner_proto to obtain inner header protocol") GRE had been depending on skb->inner_protocol during segmentation. It sets it in gre_build_header() and reads it in gre_gso_segment(). Changes to ip6_tnl_xmit() overwrite the protocol, resulting in GSO skbs getting dropped. Note that inner_protocol is a union with inner_ipproto, GRE uses the former while the change switched it to the latter (always setting it to just IPPROTO_GRE). Restore the original location of skb_set_inner_ipproto(), it is unclear why it was moved in the first place. Fixes: 6c11fbf97e69 ("ip6_tunnel: add MPLS transmit support") Signed-off-by: Jakub Kicinski Tested-by: Vadim Fedorenko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 162e75687e9052f275496246d003abd82355b6ed Author: Eric Dumazet Date: Mon Jun 21 07:44:17 2021 -0700 vxlan: add missing rcu_read_lock() in neigh_reduce() [ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ] syzbot complained in neigh_reduce(), because rcu_read_lock_bh() is treated differently than rcu_read_lock() WARNING: suspicious RCU usage 5.13.0-rc6-syzkaller #0 Not tainted ----------------------------- include/net/addrconf.h:313 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by kworker/0:0/5: #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline] #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247 #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251 #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180 stack backtrace: CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events ipvlan_process_multicast Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 __in6_dev_get include/net/addrconf.h:313 [inline] __in6_dev_get include/net/addrconf.h:311 [inline] neigh_reduce drivers/net/vxlan.c:2167 [inline] vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919 __netdev_start_xmit include/linux/netdevice.h:4944 [inline] netdev_start_xmit include/linux/netdevice.h:4958 [inline] xmit_one net/core/dev.c:3654 [inline] dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670 __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246 ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287 process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 kthread+0x3b1/0x4a0 kernel/kthread.c:313 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6cd23b5f401756899480f16f2c05891af1529c46 Author: Po-Hao Huang Date: Mon Apr 26 09:32:52 2021 +0800 rtw88: 8822c: fix lc calibration timing [ Upstream commit 05684fd583e1acc34dddea283838fbfbed4904a0 ] Before this patch, we use value from 2 seconds ago to decide whether we should do lc calibration. Although this don't happen frequently, fix flow to the way it should be. Fixes: 7ae7784ec2a8 ("rtw88: 8822c: add LC calibration for RTL8822C") Signed-off-by: Po-Hao Huang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210426013252.5665-3-pkshih@realtek.com Signed-off-by: Sasha Levin commit db2386fa4342495c1b26a7f2694a235656c9b8ea Author: Luca Coelho Date: Sat Jun 12 14:32:40 2021 +0300 iwlwifi: increase PNVM load timeout [ Upstream commit 5cc816ef9db1fe03f73e56e9d8f118add9c6efe4 ] The FW has a watchdog of 200ms in the PNVM load flow, so the driver should have a slightly higher timeout. Change the timeout from 100ms to 250ms. Signed-off-by: Luca Coelho Fixes: 70d3ca86b025 ("iwlwifi: mvm: ring the doorbell and wait for PNVM load completion") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20210612142637.ba22aec1e2be.I36bfadc28c480f4fc57266c075a79e8ea4a6934f@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 78e6587585d878aefc7ad31464b23bda3b3cacf0 Author: Ayush Sawal Date: Tue Jun 22 09:25:31 2021 +0530 xfrm: Fix xfrm offload fallback fail case [ Upstream commit dd72fadf2186fc8a6018f97fe72f4d5ca05df440 ] In case of xfrm offload, if xdo_dev_state_add() of driver returns -EOPNOTSUPP, xfrm offload fallback is failed. In xfrm state_add() both xso->dev and xso->real_dev are initialized to dev and when err(-EOPNOTSUPP) is returned only xso->dev is set to null. So in this scenario the condition in func validate_xmit_xfrm(), if ((x->xso.dev != dev) && (x->xso.real_dev == dev)) return skb; returns true, due to which skb is returned without calling esp_xmit() below which has fallback code. Hence the CRYPTO_FALLBACK is failing. So fixing this with by keeping x->xso.real_dev as NULL when err is returned in func xfrm_dev_state_add(). Fixes: bdfd2d1fa79a ("bonding/xfrm: use real_dev instead of slave_dev") Signed-off-by: Ayush Sawal Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 5c8e5feceaf3e269d7aef271e9a794d5dbc1dbf1 Author: Eric Dumazet Date: Mon Jun 21 10:54:49 2021 -0700 pkt_sched: sch_qfq: fix qfq_change_class() error path [ Upstream commit 0cd58e5c53babb9237b741dbef711f0a9eb6d3fd ] If qfq_change_class() is unable to allocate memory for qfq_aggregate, it frees the class that has been inserted in the class hash table, but does not unhash it. Defer the insertion after the problematic allocation. BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:884 [inline] BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731 Write of size 8 at addr ffff88814a534f10 by task syz-executor.4/31478 CPU: 0 PID: 31478 Comm: syz-executor.4 Not tainted 5.13.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436 hlist_add_head include/linux/list.h:884 [inline] qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731 qfq_change_class+0x96c/0x1990 net/sched/sch_qfq.c:489 tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdc7b5f0188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00007fdc7b5f01d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 00007ffcf7310b3f R14: 00007fdc7b5f0300 R15: 0000000000022000 Allocated by task 31445: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:428 [inline] ____kasan_kmalloc mm/kasan/common.c:507 [inline] ____kasan_kmalloc mm/kasan/common.c:466 [inline] __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:516 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:686 [inline] qfq_change_class+0x705/0x1990 net/sched/sch_qfq.c:464 tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 31445: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368 kasan_slab_free include/linux/kasan.h:212 [inline] slab_free_hook mm/slub.c:1583 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1608 slab_free mm/slub.c:3168 [inline] kfree+0xe5/0x7f0 mm/slub.c:4212 qfq_change_class+0x10fb/0x1990 net/sched/sch_qfq.c:518 tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88814a534f00 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 16 bytes inside of 128-byte region [ffff88814a534f00, ffff88814a534f80) The buggy address belongs to the page: page:ffffea0005294d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a534 flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff) raw: 057ff00000000200 ffffea00004fee00 0000000600000006 ffff8880110418c0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 29797, ts 604817765317, free_ts 604810151744 prep_new_page mm/page_alloc.c:2358 [inline] get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272 alloc_slab_page mm/slub.c:1646 [inline] allocate_slab+0x2c5/0x4c0 mm/slub.c:1786 new_slab mm/slub.c:1849 [inline] new_slab_objects mm/slub.c:2595 [inline] ___slab_alloc+0x4a1/0x810 mm/slub.c:2758 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2798 slab_alloc_node mm/slub.c:2880 [inline] slab_alloc mm/slub.c:2922 [inline] __kmalloc+0x315/0x330 mm/slub.c:4050 kmalloc include/linux/slab.h:561 [inline] kzalloc include/linux/slab.h:686 [inline] __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1318 mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421 mpls_add_dev net/mpls/af_mpls.c:1472 [inline] mpls_dev_notify+0x214/0x8b0 net/mpls/af_mpls.c:1588 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121 call_netdevice_notifiers_extack net/core/dev.c:2133 [inline] call_netdevice_notifiers net/core/dev.c:2147 [inline] register_netdevice+0x106b/0x1500 net/core/dev.c:10312 veth_newlink+0x585/0xac0 drivers/net/veth.c:1547 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3452 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1298 [inline] free_pcp_prepare+0x223/0x300 mm/page_alloc.c:1342 free_unref_page_prepare mm/page_alloc.c:3250 [inline] free_unref_page+0x12/0x1d0 mm/page_alloc.c:3298 __vunmap+0x783/0xb60 mm/vmalloc.c:2566 free_work+0x58/0x70 mm/vmalloc.c:80 process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 kthread+0x3b1/0x4a0 kernel/kthread.c:313 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Memory state around the buggy address: ffff88814a534e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88814a534e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88814a534f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88814a534f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88814a535000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b2ce4ebdd9a8ea547cdec026305efb3821ae1ba7 Author: Pablo Neira Ayuso Date: Sat Jun 19 01:25:14 2021 +0200 netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic [ Upstream commit ea45fdf82cc90430bb7c280e5e53821e833782c5 ] The VLAN transfer logic should actually check for FLOW_DISSECTOR_KEY_BASIC, not FLOW_DISSECTOR_KEY_CONTROL. Moreover, do not fallback to case 2) .n_proto is set to 802.1q or 802.1ad, if FLOW_DISSECTOR_KEY_BASIC is unset. Fixes: 783003f3bb8a ("netfilter: nftables_offload: special ethertype handling for VLAN") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 581e37ad5c0a7b7735764d8a4239bd412a6f9577 Author: Jakub Kicinski Date: Fri Jun 18 13:34:06 2021 -0700 tls: prevent oversized sendfile() hangs by ignoring MSG_MORE [ Upstream commit d452d48b9f8b1a7f8152d33ef52cfd7fe1735b0a ] We got multiple reports that multi_chunk_sendfile test case from tls selftest fails. This was sort of expected, as the original fix was never applied (see it in the first Link:). The test in question uses sendfile() with count larger than the size of the underlying file. This will make splice set MSG_MORE on all sendpage calls, meaning TLS will never close and flush the last partial record. Eric seem to have addressed a similar problem in commit 35f9c09fe9c7 ("tcp: tcp_sendpages() should call tcp_push() once") by introducing MSG_SENDPAGE_NOTLAST. Unlike MSG_MORE MSG_SENDPAGE_NOTLAST is not set on the last call of a "pipefull" of data (PIPE_DEF_BUFFERS == 16, so every 16 pages or whenever we run out of data). Having a break every 16 pages should be fine, TLS can pack exactly 4 pages into a record, so for aligned reads there should be no difference, unaligned may see one extra record per sendpage(). Sticking to TCP semantics seems preferable to modifying splice, but we can revisit it if real life scenarios show a regression. Reported-by: Vadim Fedorenko Reported-by: Seth Forshee Link: https://lore.kernel.org/netdev/1591392508-14592-1-git-send-email-pooja.trivedi@stackpath.com/ Fixes: 3c4d7559159b ("tls: kernel TLS support") Signed-off-by: Jakub Kicinski Tested-by: Seth Forshee Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e7c3ae47978f97f528d95b0c86de51896e78d9f0 Author: Yunsheng Lin Date: Thu Jun 17 09:04:14 2021 +0800 net: sched: add barrier to ensure correct ordering for lockless qdisc [ Upstream commit 89837eb4b2463c556a123437f242d6c2bc62ce81 ] The spin_trylock() was assumed to contain the implicit barrier needed to ensure the correct ordering between STATE_MISSED setting/clearing and STATE_MISSED checking in commit a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc"). But it turns out that spin_trylock() only has load-acquire semantic, for strongly-ordered system(like x86), the compiler barrier implicitly contained in spin_trylock() seems enough to ensure the correct ordering. But for weakly-orderly system (like arm64), the store-release semantic is needed to ensure the correct ordering as clear_bit() and test_bit() is store operation, see queued_spin_lock(). So add the explicit barrier to ensure the correct ordering for the above case. Fixes: a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc") Signed-off-by: Yunsheng Lin Acked-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ca9b5ab7910cdc4dd02219ebfe7e468709bbafac Author: Antoine Tenart Date: Fri Jun 18 17:15:53 2021 +0200 vrf: do not push non-ND strict packets with a source LLA through packet taps again [ Upstream commit 603113c514e95c3350598bc3cccbd03af7ea4ab2 ] Non-ND strict packets with a source LLA go through the packet taps again, while non-ND strict packets with other source addresses do not, and we can see a clone of those packets on the vrf interface (we should not). This is due to a series of changes: Commit 6f12fa775530[1] made non-ND strict packets not being pushed again in the packet taps. This changed with commit 205704c618af[2] for those packets having a source LLA, as they need a lookup with the orig_iif. The issue now is those packets do not skip the 'vrf_ip6_rcv' function to the end (as the ones without a source LLA) and go through the check to call packet taps again. This check was changed by commit 6f12fa775530[1] and do not exclude non-strict packets anymore. Packets matching 'need_strict && !is_ndisc && is_ll_src' are now being sent through the packet taps again. This can be seen by dumping packets on the vrf interface. Fix this by having the same code path for all non-ND strict packets and selectively lookup with the orig_iif for those with a source LLA. This has the effect to revert to the pre-205704c618af[2] condition, which should also be easier to maintain. [1] 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF") [2] 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict") Fixes: 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict") Cc: Stephen Suryaputra Reported-by: Paolo Abeni Signed-off-by: Antoine Tenart Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e72d9e4b980758e4bb18707f3bc26b90d47920c4 Author: Pavel Skripkin Date: Fri Jun 18 19:14:47 2021 +0300 net: ethernet: ezchip: fix error handling [ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ] As documented at drivers/base/platform.c for platform_get_irq: * Gets an IRQ for a platform device and prints an error message if finding the * IRQ fails. Device drivers should check the return value for errors so as to * not pass a negative integer value to the request_irq() APIs. So, the driver should check that platform_get_irq() return value is _negative_, not that it's equal to zero, because -ENXIO (return value from request_irq() if irq was not found) will pass this check and it leads to passing negative irq to request_irq() Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 161f8b73da68918ccfe8210c9f1a497e8a5e84da Author: Pavel Skripkin Date: Fri Jun 18 19:14:31 2021 +0300 net: ethernet: ezchip: fix UAF in nps_enet_remove [ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ] priv is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing priv pointer. So, fix it by moving free_netdev() after netif_napi_del() call. Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f026d82211a2214cdb15b4253e4dc0f663188a90 Author: Pavel Skripkin Date: Fri Jun 18 17:57:31 2021 +0300 net: ethernet: aeroflex: fix UAF in greth_of_remove [ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ] static int greth_of_remove(struct platform_device *of_dev) { ... struct greth_private *greth = netdev_priv(ndev); ... unregister_netdev(ndev); free_netdev(ndev); of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); ... } greth is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing greth pointer. So, fix it by moving free_netdev() after of_iounmap() call. Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6a8c7c5c0773062dcd1bdcc347f7a4a329fc9fe0 Author: Lorenzo Bianconi Date: Tue Apr 27 12:07:14 2021 +0200 mt76: mt7615: fix NULL pointer dereference in tx_prepare_skb() [ Upstream commit 8d3cdc1bbb1d355f0ebef973175ae5fd74286feb ] Fix theoretical NULL pointer dereference in mt7615_tx_prepare_skb and mt7663_usb_sdio_tx_prepare_skb routines. This issue has been identified by code analysis. Fixes: 6aa4ed7927f11 ("mt76: mt7615: implement DMA support for MT7622") Fixes: 4bb586bc33b98 ("mt76: mt7663u: sync probe sampling with rate configuration") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6987ee9bf0a2c06e0f19c0c2fdd340aec4260970 Author: Lorenzo Bianconi Date: Tue Apr 27 12:05:00 2021 +0200 mt76: fix possible NULL pointer dereference in mt76_tx [ Upstream commit d7400a2f3e295b8cee692c7a66e10f60015a3c37 ] Even if this is not a real issue since mt76_tx is never run with wcid set to NULL, fix a theoretical NULL pointer dereference in mt76_tx routine Fixes: db9f11d3433f7 ("mt76: store wcid tx rate info in one u32 reduce locking") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit e717f974ceedb8d045cf6c9ceed69289e545571c Author: Wang Hai Date: Wed Jun 16 12:25:34 2021 +0800 samples/bpf: Fix the error return code of xdp_redirect's main() [ Upstream commit 7c6090ee2a7b3315410cfc83a94c3eb057407b25 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. If bpf_map_update_elem() failed, main() should return a negative error. Fixes: 832622e6bd18 ("xdp: sample program for new bpf_redirect helper") Signed-off-by: Wang Hai Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210616042534.315097-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 79bf8f04cececfe0c0ff9c07023e04c91f31c7f1 Author: Wang Hai Date: Wed Jun 16 12:23:24 2021 +0800 samples/bpf: Fix Segmentation fault for xdp_redirect command [ Upstream commit 85102ba58b4125ebad941d7555c3c248b23efd16 ] A Segmentation fault error is caused when the following command is executed. $ sudo ./samples/bpf/xdp_redirect lo Segmentation fault This command is missing a device as an argument, resulting in out-of-bounds access from argv. If the number of devices for the xdp_redirect parameter is not 2, we should report an error and exit. Fixes: 24251c264798 ("samples/bpf: add option for native and skb mode for redirect apps") Signed-off-by: Wang Hai Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210616042324.314832-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit fcd8d6371a469aae96367f82a14870e4beef8b2f Author: Jack Wang Date: Mon Jun 14 11:03:33 2021 +0200 RDMA/rtrs-srv: Set minimal max_send_wr and max_recv_wr [ Upstream commit 5e91eabf66c854f16ca2e954e5c68939bc81601e ] Currently rtrs when create_qp use a coarse numbers (bigger in general), which leads to hardware create more resources which only waste memory with no benefits. For max_send_wr, we don't really need alway max_qp_wr size when creating qp, reduce it to cq_size. For max_recv_wr, cq_size is enough. With the patch when sess_queue_depth=128, per session (2 paths) memory consumption reduced from 188 MB to 65MB When always_invalidate is enabled, we need send more wr, so treat it special. Fixes: 9cb837480424e ("RDMA/rtrs: server: main functionality") Link: https://lore.kernel.org/r/20210614090337.29557-2-jinpu.wang@ionos.com Signed-off-by: Jack Wang Reviewed-by: Md Haris Iqbal Signed-off-by: Gioh Kim Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a9355b201d160aa777d1480911c9ee5c7deeb88b Author: Tony Ambardar Date: Thu Jun 17 23:14:04 2021 -0700 bpf: Fix libelf endian handling in resolv_btfids [ Upstream commit 61e8aeda9398925f8c6fc290585bdd9727d154c4 ] The vmlinux ".BTF_ids" ELF section is declared in btf_ids.h to hold a list of zero-filled BTF IDs, which is then patched at link-time with correct values by resolv_btfids. The section is flagged as "allocable" to preclude compression, but notably the section contents (BTF IDs) are untyped. When patching the BTF IDs, resolve_btfids writes in host-native endianness and relies on libelf for any required translation on reading and updating vmlinux. However, since the type of the .BTF_ids section content defaults to ELF_T_BYTE (i.e. unsigned char), no translation occurs. This results in incorrect patched values when cross-compiling to non-native endianness, and can manifest as kernel Oops and test failures which are difficult to troubleshoot [1]. Explicitly set the type of patched data to ELF_T_WORD, the architecture- neutral ELF type corresponding to the u32 BTF IDs. This enables libelf to transparently perform any needed endian conversions. Fixes: fbbb68de80a4 ("bpf: Add resolve_btfids tool to resolve BTF IDs in ELF object") Signed-off-by: Tony Ambardar Signed-off-by: Daniel Borkmann Acked-by: Jiri Olsa Cc: Frank Eigler Cc: Mark Wielaard Cc: Jiri Olsa Cc: Yonghong Song Link: https://lore.kernel.org/bpf/CAPGftE_eY-Zdi3wBcgDfkz_iOr1KF10n=9mJHm1_a_PykcsoeA@mail.gmail.com [1] Link: https://lore.kernel.org/bpf/20210618061404.818569-1-Tony.Ambardar@gmail.com Signed-off-by: Sasha Levin commit 607706027c89bf6dd7d205a14a1e60929a8f6173 Author: Magnus Karlsson Date: Fri Jun 18 09:58:05 2021 +0200 xsk: Fix broken Tx ring validation [ Upstream commit f654fae47e83e56b454fbbfd0af0a4f232e356d6 ] Fix broken Tx ring validation for AF_XDP. The commit under the Fixes tag, fixed an off-by-one error in the validation but introduced another error. Descriptors are now let through even if they straddle a chunk boundary which they are not allowed to do in aligned mode. Worse is that they are let through even if they straddle the end of the umem itself, tricking the kernel to read data outside the allowed umem region which might or might not be mapped at all. Fix this by reintroducing the old code, but subtract the length by one to fix the off-by-one error that the original patch was addressing. The test chunk != chunk_end makes sure packets do not straddle chunk boundraries. Note that packets of zero length are allowed in the interface, therefore the test if the length is non-zero. Fixes: ac31565c2193 ("xsk: Fix for xp_aligned_validate_desc() when len == chunk_size") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Reviewed-by: Xuan Zhuo Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20210618075805.14412-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit cd7877a39f05c6945653f36b6d9e618018c27121 Author: Magnus Karlsson Date: Thu Jun 17 11:22:55 2021 +0200 xsk: Fix missing validation for skb and unaligned mode [ Upstream commit 2f99619820c2269534eb2c0cde44870313c6d353 ] Fix a missing validation of a Tx descriptor when executing in skb mode and the umem is in unaligned mode. A descriptor could point to a buffer straddling the end of the umem, thus effectively tricking the kernel to read outside the allowed umem region. This could lead to a kernel crash if that part of memory is not mapped. In zero-copy mode, the descriptor validation code rejects such descriptors by checking a bit in the DMA address that tells us if the next page is physically contiguous or not. For the last page in the umem, this bit is not set, therefore any descriptor pointing to a packet straddling this last page boundary will be rejected. However, the skb path does not use this bit since it copies out data and can do so to two different pages. (It also does not have the array of DMA address, so it cannot even store this bit.) The code just returned that the packet is always physically contiguous. But this is unfortunately also returned for the last page in the umem, which means that packets that cross the end of the umem are being allowed, which they should not be. Fix this by introducing a check for this in the SKB path only, not penalizing the zero-copy path. Fixes: 2b43470add8c ("xsk: Introduce AF_XDP buffer allocation API") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20210617092255.3487-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit 89621945b69804722031769a9221c7b4d7210a63 Author: Daniel Xu Date: Wed Jun 16 14:52:11 2021 -0700 selftests/bpf: Whitelist test_progs.h from .gitignore [ Upstream commit 809ed84de8b3f2fd7b1d06efb94bf98fd318a7d7 ] Somehow test_progs.h was being included by the existing rule: /test_progs* This is bad because: 1) test_progs.h is a checked in file 2) grep-like tools like ripgrep[0] respect gitignore and test_progs.h was being hidden from searches [0]: https://github.com/BurntSushi/ripgrep Fixes: 74b5a5968fe8 ("selftests/bpf: Replace test_progs and test_maps w/ general rule") Signed-off-by: Daniel Xu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/a46f64944bf678bc652410ca6028d3450f4f7f4b.1623880296.git.dxu@dxuuu.xyz Signed-off-by: Sasha Levin commit 49c25a1a8dc5b32b331bc1c851245cebb9391b85 Author: Bob Pearson Date: Fri Jun 4 18:05:59 2021 -0500 RDMA/rxe: Fix qp reference counting for atomic ops [ Upstream commit 15ae1375ea91ae2dee6f12d71a79d8c0a10a30bf ] Currently the rdma_rxe driver attempts to protect atomic responder resources by taking a reference to the qp which is only freed when the resource is recycled for a new read or atomic operation. This means that in normal circumstances there is almost always an extra qp reference once an atomic operation has been executed which prevents cleaning up the qp and associated pd and cqs when the qp is destroyed. This patch removes the call to rxe_add_ref() in send_atomic_ack() and the call to rxe_drop_ref() in free_rd_atomic_resource(). If the qp is destroyed while a peer is retrying an atomic op it will cause the operation to fail which is acceptable. Link: https://lore.kernel.org/r/20210604230558.4812-1-rpearsonhpe@gmail.com Reported-by: Zhu Yanjun Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone") Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 58da10487a1e16a4d30540c7e8b650d2d631296e Author: Pablo Neira Ayuso Date: Fri Jun 11 19:26:56 2021 +0200 netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols [ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ] Add unfront check for TCP and UDP packets before performing further processing. Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit ed3d4988349e969ccab5e3a571aac36b87144105 Author: Pablo Neira Ayuso Date: Thu Jun 10 20:20:31 2021 +0200 netfilter: nft_osf: check for TCP packet before further processing [ Upstream commit 8f518d43f89ae00b9cf5460e10b91694944ca1a8 ] The osf expression only supports for TCP packets, add a upfront sanity check to skip packet parsing if this is not a TCP packet. Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") Signed-off-by: Pablo Neira Ayuso Reported-by: kernel test robot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit cf28cb51f01b4b7b713ca416661576448f8eee7e Author: Pablo Neira Ayuso Date: Thu Jun 10 20:20:30 2021 +0200 netfilter: nft_exthdr: check for IPv6 packet before further processing [ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ] ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet is passed for parsing. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 8f6714f3c12b827c2e46f17999c9535bad1a6f07 Author: Leon Romanovsky Date: Mon May 31 19:04:44 2021 +0300 RDMA/mlx5: Don't add slave port to unaffiliated list [ Upstream commit 7ce6095e3bff8e20ce018b050960b527e298f7df ] The mlx5_ib_bind_slave_port() doesn't remove multiport device from the unaffiliated list, but mlx5_ib_unbind_slave_port() did it. This unbalanced flow caused to the situation where mlx5_ib_unaffiliated_port_list was changed during iteration. Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") Link: https://lore.kernel.org/r/2726e6603b1e6ecfe76aa5a12a063af72173bcf7.1622477058.git.leonro@nvidia.com Reported-by: Dan Carpenter Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a158ee32d4aae622d3f36f7e798151917b86dcc1 Author: Liu Shixin Date: Tue Jun 15 10:14:44 2021 +0800 netlabel: Fix memory leak in netlbl_mgmt_add_common [ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ] Hulk Robot reported memory leak in netlbl_mgmt_add_common. The problem is non-freed map in case of netlbl_domhsh_add() failed. BUG: memory leak unreferenced object 0xffff888100ab7080 (size 96): comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s) hex dump (first 32 bytes): 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ backtrace: [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40 [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0 [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0 [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0 [<0000000020e96fdd>] genl_rcv+0x24/0x40 [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0 [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70 [<000000006e43415f>] sock_sendmsg+0x139/0x170 [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0 [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170 [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190 [<00000000643ac172>] do_syscall_64+0x37/0x90 [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping") Reported-by: Hulk Robot Signed-off-by: Liu Shixin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 28e8df0c65a6c74a42d6ae75cd16970e0ebb307c Author: Seevalamuthu Mariappan Date: Tue May 25 15:30:28 2021 +0200 ath11k: send beacon template after vdev_start/restart during csa [ Upstream commit 979ebc54cf13bd1e3eb6e21766d208d5de984fb8 ] Firmware has added assert if beacon template is received after vdev_down. Firmware expects beacon template after vdev_start and before vdev_up. This change is needed to support MBSSID EMA cases in firmware. Hence, Change the sequence in ath11k as expected from firmware. This new change is not causing any issues with older firmware. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1.r3-00011-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1.r4-00008-QCAHKSWPL_SILICONZ-1 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Signed-off-by: Seevalamuthu Mariappan [sven@narfation.org: added tested-on/fixes information] Signed-off-by: Sven Eckelmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210525133028.2805615-1-sven@narfation.org Signed-off-by: Sasha Levin commit 48b69f31de82355f3b3d7192e346f47cfcd471a7 Author: Yang Li Date: Tue May 25 18:46:17 2021 +0800 ath10k: Fix an error code in ath10k_add_interface() [ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ] When the code execute this if statement, the value of ret is 0. However, we can see from the ath10k_warn() log that the value of ret should be -EINVAL. Clean up smatch warning: drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn: missing error code 'ret' Reported-by: Abaci Robot Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine") Signed-off-by: Yang Li Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com Signed-off-by: Sasha Levin commit e0727a61b0aac8c9960122cdae18a95b94dbfbd3 Author: Christophe JAILLET Date: Sat May 22 11:50:54 2021 +0200 ath11k: Fix an error handling path in ath11k_core_fetch_board_data_api_n() [ Upstream commit 515bda1d1e51c64edf2a384a58801f85a80a3f2d ] All error paths but this one 'goto err' in order to release some resources. Fix this. Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/e959eb544f3cb04258507d8e25a6f12eab126bde.1621676864.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit a54e9166e7881e849d0bbf4ce533742b8c5c86ab Author: Hang Zhang Date: Fri May 21 15:32:38 2021 -0700 cw1200: Revert unnecessary patches that fix unreal use-after-free bugs [ Upstream commit 3f60f4685699aa6006e58e424637e8e413e0a94d ] A previous commit 4f68ef64cd7f ("cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()") tried to fix a seemingly use-after-free bug between cw1200_bss_info_changed() and cw1200_hw_scan(), where the former frees a sk_buff pointed to by frame.skb, and the latter accesses the sk_buff pointed to by frame.skb. However, this issue should be a false alarm because: (1) "frame.skb" is not a shared variable between the above two functions, because "frame" is a local function variable, each of the two functions has its own local "frame" - they just happen to have the same variable name. (2) the sk_buff(s) pointed to by these two "frame.skb" are also two different object instances, they are individually allocated by different dev_alloc_skb() within the two above functions. To free one object instance will not invalidate the access of another different one. Based on these facts, the previous commit should be unnecessary. Moreover, it also introduced a missing unlock which was addressed in a subsequent commit 51c8d24101c7 ("cw1200: fix missing unlock on error in cw1200_hw_scan()"). Now that the original use-after-free is unreal, these two commits should be reverted. This patch performs the reversion. Fixes: 4f68ef64cd7f ("cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()") Fixes: 51c8d24101c7 ("cw1200: fix missing unlock on error in cw1200_hw_scan()") Signed-off-by: Hang Zhang Acked-by: Jia-Ju Bai Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210521223238.25020-1-zh.nvgt@gmail.com Signed-off-by: Sasha Levin commit 30efdcaca32a5732f8000c328df91510de81f59e Author: Christophe JAILLET Date: Wed May 12 22:58:30 2021 +0200 brcmsmac: mac80211_if: Fix a resource leak in an error handling path [ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ] If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()' as already done in the remove function. Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") Signed-off-by: Christophe JAILLET Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 5d452eafbd2e15170b2cb1b5a7ee1a1587ff772d Author: Tong Tiangen Date: Tue Jun 1 18:01:28 2021 +0800 brcmfmac: Fix a double-free in brcmf_sdio_bus_reset [ Upstream commit 7ea7a1e05c7ff5ffc9f9ec1f0849f6ceb7fcd57c ] brcmf_sdiod_remove has been called inside brcmf_sdiod_probe when fails, so there's no need to call another one. Otherwise, sdiodev->freezer would be double freed. Fixes: 7836102a750a ("brcmfmac: reset SDIO bus on a firmware crash") Signed-off-by: Tong Tiangen Reviewed-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210601100128.69561-1-tongtiangen@huawei.com Signed-off-by: Sasha Levin commit 5b8d0b0727f62f827a2f35409fa57068dc39d700 Author: Alvin Šipraga Date: Thu May 6 13:20:12 2021 +0000 brcmfmac: correctly report average RSSI in station info [ Upstream commit 9a1590934d9a02e570636432b93052c0c035f31f ] The rx_lastpkt_rssi field provided by the firmware is suitable for NL80211_STA_INFO_{SIGNAL,CHAIN_SIGNAL}, while the rssi field is an average. Fix up the assignments and set the correct STA_INFO bits. This lets userspace know that the average RSSI is part of the station info. Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") Signed-off-by: Alvin Šipraga Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210506132010.3964484-2-alsi@bang-olufsen.dk Signed-off-by: Sasha Levin commit db4de88d439ec463f048c427e8b046ff1301bf77 Author: Alvin Šipraga Date: Thu May 6 13:20:12 2021 +0000 brcmfmac: fix setting of station info chains bitmask [ Upstream commit feb45643762172110cb3a44f99dd54304f33b711 ] The sinfo->chains field is a bitmask for filled values in chain_signal and chain_signal_avg, not a count. Treat it as such so that the driver can properly report per-chain RSSI information. Before (MIMO mode): $ iw dev wlan0 station dump ... signal: -51 [-51] dBm After (MIMO mode): $ iw dev wlan0 station dump ... signal: -53 [-53, -54] dBm Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") Signed-off-by: Alvin Šipraga Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210506132010.3964484-1-alsi@bang-olufsen.dk Signed-off-by: Sasha Levin commit 80ad538a87e2ca8922fd16f0af9f8346b3c1a117 Author: Zhen Lei Date: Sat May 15 15:29:49 2021 +0800 ssb: Fix error return code in ssb_bus_scan() [ Upstream commit 77a0989baa427dbd242c5784d05a53ca3d197d43 ] Fix to return -EINVAL from the error handling case instead of 0, as done elsewhere in this function. Fixes: 61e115a56d1a ("[SSB]: add Sonics Silicon Backplane bus support") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Acked-by: Michael Büsch Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210515072949.7151-1-thunder.leizhen@huawei.com Signed-off-by: Sasha Levin commit 0147e6ccb818a271d56dd75d50ca28bb30af5628 Author: Bryan O'Donoghue Date: Sat Jun 5 18:33:47 2021 +0100 wcn36xx: Move hal_buf allocation to devm_kmalloc in probe [ Upstream commit ef48667557c53d4b51a1ee3090eab7699324c9de ] Right now wcn->hal_buf is allocated in wcn36xx_start(). This is a problem since we should have setup all of the buffers we required by the time ieee80211_register_hw() is called. struct ieee80211_ops callbacks may run prior to mac_start() and therefore wcn->hal_buf must be initialized. This is easily remediated by moving the allocation to probe() taking the opportunity to tidy up freeing memory by using devm_kmalloc(). Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210605173347.2266003-1-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 581098969c1ae3383ef92d1fa883b9b0bcaaa279 Author: Lucas Stach Date: Fri May 28 20:01:35 2021 +0200 clk: imx8mq: remove SYS PLL 1/2 clock gates [ Upstream commit c586f53ae159c6c1390f093a1ec94baef2df9f3a ] Remove the PLL clock gates as the allowing to gate the sys1_pll_266m breaks the uSDHC module which is sporadically unable to enumerate devices after this change. Also it makes AMP clock management harder with no obvious benefit to Linux, so just revert the change. Link: https://lore.kernel.org/r/20210528180135.1640876-1-l.stach@pengutronix.de Fixes: b04383b6a558 ("clk: imx8mq: Define gates for pll1/2 fixed dividers") Signed-off-by: Lucas Stach Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit da8904c46569bdc7a44d917c2e950dddbc4c0b91 Author: Dongliang Mu Date: Fri Jun 11 09:58:12 2021 +0800 ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others [ Upstream commit ab372c2293f5d0b279f31c8d768566ea37602dc9 ] In hwsim_subscribe_all_others, the error handling code performs incorrectly if the second hwsim_alloc_edge fails. When this issue occurs, it goes to sub_fail, without cleaning the edges allocated before. Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Dongliang Mu Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210611015812.1626999-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 7142f92412c18e9fdd6d88220ba19e88cc1688f6 Author: Randy Dunlap Date: Mon May 31 17:41:28 2021 +0300 wireless: carl9170: fix LEDS build errors & warnings [ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ] kernel test robot reports over 200 build errors and warnings that are due to this Kconfig problem when CARL9170=m, MAC80211=y, and LEDS_CLASS=m. WARNING: unmet direct dependencies detected for MAC80211_LEDS Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y]) Selected by [m]: - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m] CARL9170_LEDS selects MAC80211_LEDS even though its kconfig dependencies are not met. This happens because 'select' does not follow any Kconfig dependency chains. Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where the latter supplies any needed dependencies on LEDS_CLASS. Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Kalle Valo Cc: Christian Lamparter Cc: linux-wireless@vger.kernel.org Cc: Arnd Bergmann Suggested-by: Christian Lamparter Acked-by: Arnd Bergmann Acked-by: Christian Lamparter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit ecb6797501cb0e2ad4c6d764ad4f7bb9efd120e4 Author: Yang Yingliang Date: Mon May 31 17:41:28 2021 +0300 ath10k: add missing error return code in ath10k_pci_probe() [ Upstream commit e2783e2f39ba99178dedfc1646d5cc0979d1bab3 ] When chip_id is not supported, the resources will be freed on path err_unsupported, these resources will also be freed when calling ath10k_pci_remove(), it will cause double free, so return -ENODEV when it doesn't support the device with wrong chip_id. Fixes: c0c378f9907c ("ath10k: remove target soc ps code") Fixes: 7505f7c3ec1d ("ath10k: create a chip revision whitelist") Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210522105822.1091848-3-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 668c0663d6dd86a77dfd5021964457523a510047 Author: Yang Yingliang Date: Mon May 31 17:41:28 2021 +0300 ath10k: go to path err_unsupported when chip id is not supported [ Upstream commit 9e88dd431d2345acdb7a549f3e88aaf4c2a307a1 ] When chip id is not supported, it go to path err_unsupported to print the error message. Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection") Signed-off-by: Yang Yingliang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210522105822.1091848-2-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 4654f1fc3019b9ecc969fa3b60a4270c01bbea89 Author: Zhihao Cheng Date: Wed Jun 9 19:59:16 2021 +0800 tools/bpftool: Fix error return code in do_batch() [ Upstream commit ca16b429f39b4ce013bfa7e197f25681e65a2a42 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 668da745af3c2 ("tools: bpftool: add support for quotations ...") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Signed-off-by: Andrii Nakryiko Reviewed-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20210609115916.2186872-1-chengzhihao1@huawei.com Signed-off-by: Sasha Levin commit 1ccbb552e3d2064b7c43c2bb9fa71306b6c28f9f Author: Colin Ian King Date: Tue Jun 8 17:13:13 2021 +0100 drm: qxl: ensure surf.data is ininitialized [ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ] The object surf is not fully initialized and the uninitialized field surf.data is being copied by the call to qxl_bo_create via the call to qxl_gem_object_create. Set surf.data to zero to ensure garbage data from the stack is not being copied. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Colin Ian King Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit bdc16fe9df1743e9198363ddeb0cf3d9975a05c1 Author: Luca Ceresoli Date: Thu May 27 23:16:47 2021 +0200 clk: vc5: fix output disabling when enabling a FOD [ Upstream commit fc336ae622df0ec114dbe5551a4d2760c535ecd0 ] On 5P49V6965, when an output is enabled we enable the corresponding FOD. When this happens for the first time, and specifically when writing register VC5_OUT_DIV_CONTROL in vc5_clk_out_prepare(), all other outputs are stopped for a short time and then restarted. According to Renesas support this is intended: "The reason for that is VC6E has synced up all output function". This behaviour can be disabled at least on VersaClock 6E devices, of which only the 5P49V6965 is currently implemented by this driver. This requires writing bit 7 (bypass_sync{1..4}) in register 0x20..0x50. Those registers are named "Unused Factory Reserved Register", and the bits are documented as "Skip VDDO verification", which does not clearly explain the relation to FOD sync. However according to Renesas support as well as my testing setting this bit does prevent disabling of all clock outputs when enabling a FOD. See "VersaClock ® 6E Family Register Descriptions and Programming Guide" (August 30, 2018), Table 116 "Power Up VDD check", page 58: https://www.renesas.com/us/en/document/mau/versaclock-6e-family-register-descriptions-and-programming-guide Signed-off-by: Luca Ceresoli Reviewed-by: Adam Ford Link: https://lore.kernel.org/r/20210527211647.1520720-1-luca@lucaceresoli.net Fixes: 2bda748e6ad8 ("clk: vc5: Add support for IDT VersaClock 5P49V6965") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 43b7f1dec6c0b63e8287c554a806d0aa6fea6bfc Author: Maxime Ripard Date: Mon May 24 15:18:51 2021 +0200 drm/vc4: hdmi: Fix error path of hpd-gpios [ Upstream commit e075a7811977ff51c917a65ed1896e08231d2615 ] If the of_get_named_gpio_flags call fails in vc4_hdmi_bind, we jump to the err_unprepare_hsm label. That label will then call pm_runtime_disable and put_device on the DDC device. We just retrieved the DDC device, so the latter is definitely justified. However at that point we still haven't called pm_runtime_enable, so the call to pm_runtime_disable is not supposed to be there. Fixes: 10ee275cb12f ("drm/vc4: prepare for CEC support") Signed-off-by: Maxime Ripard Reviewed-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20210524131852.263883-1-maxime@cerno.tech Signed-off-by: Sasha Levin commit 756679a123bc4a38b73e72a2f1427865f47bee21 Author: Kees Cook Date: Thu Jun 3 18:40:55 2021 -0700 drm/pl111: Actually fix CONFIG_VEXPRESS_CONFIG depends [ Upstream commit 4e566003571244f508408f59ce78f6ac2ccdba8e ] VEXPRESS_CONFIG needs to either be missing, built-in, or modular when pl111 is modular. Update the Kconfig to reflect the need. Fixes: 4dc7c97d04dc ("drm/pl111: depend on CONFIG_VEXPRESS_CONFIG") Signed-off-by: Kees Cook Reviewed-by: Linus Walleij Acked-by: Rob Herring Signed-off-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20210604014055.4060521-1-keescook@chromium.org Signed-off-by: Sasha Levin commit 87890e1113e6dbc0987901e9bec879c8e8db9426 Author: Kamal Heib Date: Thu Jun 3 12:01:12 2021 +0300 RDMA/rxe: Fix failure during driver load [ Upstream commit 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 ] To avoid the following failure when trying to load the rdma_rxe module while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the failure, also delete the needless debug print from rxe_setup_udp_tunnel(). $ modprobe rdma_rxe modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel") Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com Reported-by: Yi Zhang Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c5db39c4dfda3c321f08db43f469e63caaa82101 Author: Kees Cook Date: Wed Jun 2 14:52:52 2021 -0700 drm/pl111: depend on CONFIG_VEXPRESS_CONFIG [ Upstream commit 4dc7c97d04dcaa9f19482f70dcfdbeb52cc7193f ] Avoid randconfig build failures by requiring VEXPRESS_CONFIG: aarch64-linux-gnu-ld: drivers/gpu/drm/pl111/pl111_versatile.o: in function `pl111_vexpress_clcd_init': pl111_versatile.c:(.text+0x220): undefined reference to `devm_regmap_init_vexpress_config' Fixes: 826fc86b5903 ("drm: pl111: Move VExpress setup into versatile init") Signed-off-by: Kees Cook Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20210602215252.695994-4-keescook@chromium.org Signed-off-by: Sasha Levin commit 42800fcff3f917af59371bc1cea3093f72c7714d Author: Leon Romanovsky Date: Wed May 19 11:37:31 2021 +0300 RDMA/core: Sanitize WQ state received from the userspace [ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ] The mlx4 and mlx5 implemented differently the WQ input checks. Instead of duplicating mlx4 logic in the mlx5, let's prepare the input in the central place. The mlx5 implementation didn't check for validity of state input. It is not real bug because our FW checked that, but still worth to fix. Fixes: f213c0527210 ("IB/uverbs: Add WQ support") Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com Reported-by: Jiapeng Chong Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c470dd34c682a5d64067ac4955d3080656204ac6 Author: Boris Sukholitko Date: Tue Jun 1 15:30:50 2021 +0300 net/sched: act_vlan: Fix modify to allow 0 [ Upstream commit 9c5eee0afca09cbde6bd00f77876754aaa552970 ] Currently vlan modification action checks existence of vlan priority by comparing it to 0. Therefore it is impossible to modify existing vlan tag to have priority 0. For example, the following tc command will change the vlan id but will not affect vlan priority: tc filter add dev eth1 ingress matchall action vlan modify id 300 \ priority 0 pipe mirred egress redirect dev eth2 The incoming packet on eth1: ethertype 802.1Q (0x8100), vlan 200, p 4, ethertype IPv4 will be changed to: ethertype 802.1Q (0x8100), vlan 300, p 4, ethertype IPv4 although the user has intended to have p == 0. The fix is to add tcfv_push_prio_exists flag to struct tcf_vlan_params and rely on it when deciding to set the priority. Fixes: 45a497f2d149a4a8061c (net/sched: act_vlan: Introduce TCA_VLAN_ACT_MODIFY vlan action) Signed-off-by: Boris Sukholitko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6a56913355504ed772a11e129304f4c934a3c6ff Author: Xin Long Date: Sat May 29 16:23:18 2021 -0400 xfrm: remove the fragment check for ipv6 beet mode [ Upstream commit eebd49a4ffb420a991c606e54aa3c9f02857a334 ] In commit 68dc022d04eb ("xfrm: BEET mode doesn't support fragments for inner packets"), it tried to fix the issue that in TX side the packet is fragmented before the ESP encapping while in the RX side the fragments always get reassembled before decapping with ESP. This is not true for IPv6. IPv6 is different, and it's using exthdr to save fragment info, as well as the ESP info. Exthdrs are added in TX and processed in RX both in order. So in the above case, the ESP decapping will be done earlier than the fragment reassembling in TX side. Here just remove the fragment check for the IPv6 inner packets to recover the fragments support for BEET mode. Fixes: 68dc022d04eb ("xfrm: BEET mode doesn't support fragments for inner packets") Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 9fddbe9495ad022f051d4ca9640788c80c92ad07 Author: Dmitry Osipenko Date: Sun May 16 19:30:33 2021 +0300 clk: tegra30: Use 300MHz for video decoder by default [ Upstream commit 56bb7c28ad00e7bcfc851c4e183c42d148d3ad4e ] The 600MHz is a too high clock rate for some SoC versions for the video decoder hardware and this may cause stability issues. Use 300MHz for the video decoder by default, which is supported by all hardware versions. Fixes: ed1a2459e20c ("clk: tegra: Add Tegra20/30 EMC clock implementation") Acked-by: Thierry Reding Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 48bcd756aff69432c55e19dbc5eb45b02a4b96a4 Author: Zhen Lei Date: Fri May 28 16:55:55 2021 +0800 ehea: fix error return code in ehea_restart_qps() [ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ] Fix to return -EFAULT from the error handling case instead of 0, as done elsewhere in this function. By the way, when get_zeroed_page() fails, directly return -ENOMEM to simplify code. Fixes: 2c69448bbced ("ehea: DLPAR memory add fix") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6cbc167bc13259ab9bee9b39b85726f15332a4e3 Author: Gioh Kim Date: Fri May 28 13:30:18 2021 +0200 RDMA/rtrs-clt: Fix memory leak of not-freed sess->stats and stats->pcpu_stats [ Upstream commit 7ecd7e290bee0ab9cf75b79a367a4cc113cf8292 ] sess->stats and sess->stats->pcpu_stats objects are freed when sysfs entry is removed. If something wrong happens and session is closed before sysfs entry is created, sess->stats and sess->stats->pcpu_stats objects are not freed. This patch adds freeing of them at three places: 1. When client uses wrong address and session creation fails. 2. When client fails to create a sysfs entry. 3. When client adds wrong address via sysfs add_path. Fixes: 215378b838df0 ("RDMA/rtrs: client: sysfs interface functions") Link: https://lore.kernel.org/r/20210528113018.52290-21-jinpu.wang@ionos.com Signed-off-by: Gioh Kim Signed-off-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6569ae1deb6c3702084630868d7d1c69a5231a6f Author: Md Haris Iqbal Date: Fri May 28 13:30:17 2021 +0200 RDMA/rtrs-clt: Check if the queue_depth has changed during a reconnection [ Upstream commit 5b73b799c25c68a4703cd6c5ac4518006d9865b8 ] The queue_depth is a module parameter for rtrs_server. It is used on the client side to determing the queue_depth of the request queue for the RNBD virtual block device. During a reconnection event for an already mapped device, in case the rtrs_server module queue_depth has changed, fail the reconnect attempt. Also stop further auto reconnection attempts. A manual reconnect via sysfs has to be triggerred. Fixes: 6a98d71daea18 ("RDMA/rtrs: client: main functionality") Link: https://lore.kernel.org/r/20210528113018.52290-20-jinpu.wang@ionos.com Signed-off-by: Md Haris Iqbal Signed-off-by: Gioh Kim Signed-off-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8651ad0e29682bb27785948c9b59b9683af7c90c Author: Jack Wang Date: Fri May 28 13:30:16 2021 +0200 RDMA/rtrs-srv: Fix memory leak when having multiple sessions [ Upstream commit 6bb97a2c1aa5278a30d49abb6186d50c34c207e2 ] Gioh notice memory leak below unreferenced object 0xffff8880acda2000 (size 2048): comm "kworker/4:1", pid 77, jiffies 4295062871 (age 1270.730s) hex dump (first 32 bytes): 00 20 da ac 80 88 ff ff 00 20 da ac 80 88 ff ff . ....... ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000e85d85b5>] rtrs_srv_rdma_cm_handler+0x8e5/0xa90 [rtrs_server] [<00000000e31a988a>] cma_ib_req_handler+0xdc5/0x2b50 [rdma_cm] [<000000000eb02c5b>] cm_process_work+0x2d/0x100 [ib_cm] [<00000000e1650ca9>] cm_req_handler+0x11bc/0x1c40 [ib_cm] [<000000009c28818b>] cm_work_handler+0xe65/0x3cf2 [ib_cm] [<000000002b53eaa1>] process_one_work+0x4bc/0x980 [<00000000da3499fb>] worker_thread+0x78/0x5c0 [<00000000167127a4>] kthread+0x191/0x1e0 [<0000000060802104>] ret_from_fork+0x3a/0x50 unreferenced object 0xffff88806d595d90 (size 8): comm "kworker/4:1H", pid 131, jiffies 4295062972 (age 1269.720s) hex dump (first 8 bytes): 62 6c 61 00 6b 6b 6b a5 bla.kkk. backtrace: [<000000004447d253>] kstrdup+0x2e/0x60 [<0000000047259793>] kobject_set_name_vargs+0x2f/0xb0 [<00000000c2ee3bc8>] dev_set_name+0xab/0xe0 [<000000002b6bdfb1>] rtrs_srv_create_sess_files+0x260/0x290 [rtrs_server] [<0000000075d87bd7>] rtrs_srv_info_req_done+0x71b/0x960 [rtrs_server] [<00000000ccdf1bb5>] __ib_process_cq+0x94/0x100 [ib_core] [<00000000cbcb60cb>] ib_cq_poll_work+0x32/0xc0 [ib_core] [<000000002b53eaa1>] process_one_work+0x4bc/0x980 [<00000000da3499fb>] worker_thread+0x78/0x5c0 [<00000000167127a4>] kthread+0x191/0x1e0 [<0000000060802104>] ret_from_fork+0x3a/0x50 unreferenced object 0xffff88806d6bb100 (size 256): comm "kworker/4:1H", pid 131, jiffies 4295062972 (age 1269.720s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 00 59 4d 86 ff ff ff ff .........YM..... backtrace: [<00000000a18a11e4>] device_add+0x74d/0xa00 [<00000000a915b95f>] rtrs_srv_create_sess_files.cold+0x49/0x1fe [rtrs_server] [<0000000075d87bd7>] rtrs_srv_info_req_done+0x71b/0x960 [rtrs_server] [<00000000ccdf1bb5>] __ib_process_cq+0x94/0x100 [ib_core] [<00000000cbcb60cb>] ib_cq_poll_work+0x32/0xc0 [ib_core] [<000000002b53eaa1>] process_one_work+0x4bc/0x980 [<00000000da3499fb>] worker_thread+0x78/0x5c0 [<00000000167127a4>] kthread+0x191/0x1e0 [<0000000060802104>] ret_from_fork+0x3a/0x50 The problem is we increase device refcount by get_device in process_info_req for each path, but only does put_deice for last path, which lead to memory leak. To fix it, it also calls put_device when dev_ref is not 0. Fixes: e2853c49477d1 ("RDMA/rtrs-srv-sysfs: fix missing put_device") Link: https://lore.kernel.org/r/20210528113018.52290-19-jinpu.wang@ionos.com Signed-off-by: Gioh Kim Signed-off-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e7df73088443c84d82d1fe02495cf811ddc871c1 Author: Gioh Kim Date: Fri May 28 13:30:15 2021 +0200 RDMA/rtrs-srv: Fix memory leak of unfreed rtrs_srv_stats object [ Upstream commit 2371c40354509746e4a4dad09a752e027a30f148 ] When closing a session, currently the rtrs_srv_stats object in the closing session is freed by kobject release. But if it failed to create a session by various reasons, it must free the rtrs_srv_stats object directly because kobject is not created yet. This problem is found by kmemleak as below: 1. One client machine maps /dev/nullb0 with session name 'bla': root@test1:~# echo "sessname=bla path=ip:192.168.122.190 \ device_path=/dev/nullb0" > /sys/devices/virtual/rnbd-client/ctl/map_device 2. Another machine failed to create a session with the same name 'bla': root@test2:~# echo "sessname=bla path=ip:192.168.122.190 \ device_path=/dev/nullb1" > /sys/devices/virtual/rnbd-client/ctl/map_device -bash: echo: write error: Connection reset by peer 3. The kmemleak on server machine reported an error: unreferenced object 0xffff888033cdc800 (size 128): comm "kworker/2:1", pid 83, jiffies 4295086585 (age 2508.680s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000a72903b2>] __alloc_sess+0x1d4/0x1250 [rtrs_server] [<00000000d1e5321e>] rtrs_srv_rdma_cm_handler+0xc31/0xde0 [rtrs_server] [<00000000bb2f6e7e>] cma_ib_req_handler+0xdc5/0x2b50 [rdma_cm] [<00000000e896235d>] cm_process_work+0x2d/0x100 [ib_cm] [<00000000b6866c5f>] cm_req_handler+0x11bc/0x1c40 [ib_cm] [<000000005f5dd9aa>] cm_work_handler+0xe65/0x3cf2 [ib_cm] [<00000000610151e7>] process_one_work+0x4bc/0x980 [<00000000541e0f77>] worker_thread+0x78/0x5c0 [<00000000423898ca>] kthread+0x191/0x1e0 [<000000005a24b239>] ret_from_fork+0x3a/0x50 Fixes: 39c2d639ca183 ("RDMA/rtrs-srv: Set .release function for rtrs srv device during device init") Link: https://lore.kernel.org/r/20210528113018.52290-18-jinpu.wang@ionos.com Signed-off-by: Gioh Kim Signed-off-by: Md Haris Iqbal Signed-off-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f03d4c12965e1ce454f02572268c9a849fc593b8 Author: Gioh Kim Date: Fri May 28 13:30:13 2021 +0200 RDMA/rtrs: Do not reset hb_missed_max after re-connection [ Upstream commit 64bce1ee978491a779eb31098b21c57d4e431d6a ] When re-connecting, it resets hb_missed_max to 0. Before the first re-connecting, client will trigger re-connection when it gets hb-ack more than 5 times. But after the first re-connecting, clients will do re-connection whenever it does not get hb-ack because hb_missed_max is 0. There is no need to reset hb_missed_max when re-connecting. hb_missed_max should be kept until closing the session. Fixes: c0894b3ea69d3 ("RDMA/rtrs: core: lib functions shared between client and server modules") Link: https://lore.kernel.org/r/20210528113018.52290-16-jinpu.wang@ionos.com Signed-off-by: Gioh Kim Signed-off-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit bd4df557aeefe2853ca6dd81af484a1e8902d5dd Author: Md Haris Iqbal Date: Fri May 28 13:30:10 2021 +0200 RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats [ Upstream commit 41db63a7efe1c8c2dd282c1849a6ebfbbedbaf67 ] When get_next_path_min_inflight is called to select the next path, it iterates over the list of available rtrs_clt_sess (paths). It then reads the number of inflight IOs for that path to select one which has the least inflight IO. But it may so happen that rtrs_clt_sess (path) is no longer in the connected state because closing or error recovery paths can change the status of the rtrs_clt_Sess. For example, the client sent the heart-beat and did not get the response, it would change the session status and stop IO processing. The added checking of this patch can prevent accessing the broken path and generating duplicated error messages. It is ok if the status is changed after checking the status because the error recovery path does not free memory and only tries to reconnection. And also it is ok if the session is closed after checking the status because closing the session changes the session status and flush all IO beforing free memory. If the session is being accessed for IO processing, the closing session will wait. Fixes: 6a98d71daea18 ("RDMA/rtrs: client: main functionality") Link: https://lore.kernel.org/r/20210528113018.52290-13-jinpu.wang@ionos.com Signed-off-by: Md Haris Iqbal Reviewed-by: Gioh Kim Signed-off-by: Gioh Kim Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 067b6631315ded7c34817403ca35732888d749a1 Author: Bart Van Assche Date: Sun May 23 21:12:10 2021 -0700 RDMA/srp: Fix a recently introduced memory leak [ Upstream commit 7ec2e27a3afff64c96bfe7a77685c33619db84be ] Only allocate a memory registration list if it will be used and if it will be freed. Link: https://lore.kernel.org/r/20210524041211.9480-5-bvanassche@acm.org Reviewed-by: Max Gurtovoy Fixes: f273ad4f8d90 ("RDMA/srp: Remove support for FMR memory registration") Signed-off-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 116d5cdfacff50a9a8bfcc2dfd16b4bbb270f261 Author: Jianguo Wu Date: Thu May 27 16:54:26 2021 -0700 mptcp: generate subflow hmac after mptcp_finish_join() [ Upstream commit 0a4d8e96e4fd687af92b961d5cdcea0fdbde05fe ] For outgoing subflow join, when recv SYNACK, in subflow_finish_connect(), the mptcp_finish_join() may return false in some cases, and send a RESET to remote, and no local hmac is required. So generate subflow hmac after mptcp_finish_join(). Fixes: ec3edaa7ca6c ("mptcp: Add handling of outgoing MP_JOIN requests") Signed-off-by: Jianguo Wu Signed-off-by: Mat Martineau Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 284e741c4e2ad9e0cba84dc63c3692c83f1e4b3d Author: Jianguo Wu Date: Thu May 27 16:54:24 2021 -0700 mptcp: fix pr_debug in mptcp_token_new_connect [ Upstream commit 2f1af441fd5dd5caf0807bb19ce9bbf9325ce534 ] After commit 2c5ebd001d4f ("mptcp: refactor token container"), pr_debug() is called before mptcp_crypto_key_gen_sha() in mptcp_token_new_connect(), so the output local_key, token and idsn are 0, like: MPTCP: ssk=00000000f6b3c4a2, local_key=0, token=0, idsn=0 Move pr_debug() after mptcp_crypto_key_gen_sha(). Fixes: 2c5ebd001d4f ("mptcp: refactor token container") Acked-by: Paolo Abeni Signed-off-by: Jianguo Wu Signed-off-by: Mat Martineau Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit eee0f7d399b683d856ff5b1b2627306ec32f703e Author: Colin Ian King Date: Tue Sep 15 17:20:49 2020 +0100 drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 result [ Upstream commit ce0cb93a5adb283f577cd4661f511047b5e39028 ] The variable bit_per_pix is a u8 and is promoted in the multiplication to an int type and then sign extended to a u64. If the result of the int multiplication is greater than 0x7fffffff then the upper 32 bits will be set to 1 as a result of the sign extension. Avoid this by casting tu_size_reg to u64 to avoid sign extension and also a potential overflow. Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399") Signed-off-by: Colin Ian King Reviewed-by: Guenter Roeck Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20200915162049.36434-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 75db503c9cc7344eac8aba8d54e31db8656b1293 Author: Christophe JAILLET Date: Sat May 1 17:13:16 2021 +0200 drm/rockchip: lvds: Fix an error handling path [ Upstream commit 3dfa159f6b0c054eb63673fbf643a5f2cc862e63 ] 'ret' is know to be 0 a this point. Checking the return value of 'phy_init()' and 'phy_set_mode()' was intended instead. So add the missing assignments. Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support") Signed-off-by: Christophe JAILLET Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/248220d4815dc8c8088cebfab7d6df5f70518438.1619881852.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 59eb7193bef2f82e9be23a264e96880a3f1a1739 Author: Thomas Hebb Date: Sun Apr 18 19:04:10 2021 -0700 drm/rockchip: dsi: move all lane config except LCDC mux to bind() [ Upstream commit 43c2de1002d2b70fb5941fa14e97a34e3dc214d4 ] When we first enable the DSI encoder, we currently program some per-chip configuration that we look up in rk3399_chip_data based on the device tree compatible we match. This data configures various parameters of the MIPI lanes, including on RK3399 whether DSI1 is slaved to DSI0 in a dual-mode configuration. It also selects which LCDC (i.e. VOP) to scan out from. This causes a problem in RK3399 dual-mode configurations, though: panel prepare() callbacks run before the encoder gets enabled and expect to be able to write commands to the DSI bus, but the bus isn't fully functional until the lane and master/slave configuration have been programmed. As a result, dual-mode panels (and possibly others too) fail to turn on when the rockchipdrm driver is initially loaded. Because the LCDC mux is the only thing we don't know until enable time (and is the only thing that can ever change), we can actually move most of the initialization to bind() and get it out of the way early. That's what this change does. (Rockchip's 4.4 BSP kernel does it in mode_set(), which also avoids the issue, but bind() seems like the more correct place to me.) Tested on a Google Scarlet board (Acer Chromebook Tab 10), which has a Kingdisplay KD097D04 dual-mode panel. Prior to this change, the panel's backlight would turn on but no image would appear when initially loading rockchipdrm. If I kept rockchipdrm loaded and reloaded the panel driver, it would come on. With this change, the panel successfully turns on during initial rockchipdrm load as expected. Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") Signed-off-by: Thomas Hebb Tested-by: Jonathan Liu Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/55fe7f3454d8c91dc3837ba5aa741d4a0e67378f.1618797813.git.tommyhebb@gmail.com Signed-off-by: Sasha Levin commit 40492ebd29e1aeda8269c7217a649b8dbbf4d5e9 Author: Yang Yingliang Date: Wed May 19 21:49:28 2021 +0800 drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write() [ Upstream commit ae41d925c75b53798f289c69ee8d9f7d36432f6d ] After calling clk_prepare_enable(), clk_disable_unprepare() need be called when calling regmap_write() failed. Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20210519134928.2696617-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit ef61b0826c81497b581eaacde39b6d95fee2ac09 Author: Alex Bee Date: Fri May 28 15:05:54 2021 +0200 drm: rockchip: set alpha_en to 0 if it is not used [ Upstream commit 046e0db975695540c9d9898cdbf0b60533d28afb ] alpha_en should be set to 0 if it is not used, i.e. to disable alpha blending if it was enabled before and should be disabled now. Fixes: 2aae8ed1f390 ("drm/rockchip: Add per-pixel alpha support for the PX30 VOP") Signed-off-by: Alex Bee Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-6-knaerzche@gmail.com Signed-off-by: Sasha Levin commit 7902ee2faefa2c5a4cbc1b8a5f7e6f11d57f2814 Author: Yang Yingliang Date: Sat May 22 20:02:46 2021 +0800 net: ftgmac100: add missing error return code in ftgmac100_probe() [ Upstream commit 52af13a41489d7bbc1932d17583eff6e5fffc820 ] The variables will be free on path err_phy_connect, it should return error code, or it will cause double free when calling ftgmac100_remove(). Fixes: bd466c3fb5a4 ("net/faraday: Support NCSI mode") Fixes: 39bfab8844a0 ("net: ftgmac100: Add support for DT phy-handle property") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 28b3837b405fb517be5cb16b820f094bddd2bf71 Author: Jerome Brunet Date: Thu Apr 29 11:03:25 2021 +0200 clk: meson: g12a: fix gp0 and hifi ranges [ Upstream commit bc794f8c56abddf709f1f84fcb2a3c9e7d9cc9b4 ] While some SoC samples are able to lock with a PLL factor of 55, others samples can't. ATM, a minimum of 60 appears to work on all the samples I have tried. Even with 60, it sometimes takes a long time for the PLL to eventually lock. The documentation says that the minimum rate of these PLLs DCO should be 3GHz, a factor of 125. Let's use that to be on the safe side. With factor range changed, the PLL seems to lock quickly (enough) so far. It is still unclear if the range was the only reason for the delay. Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") Signed-off-by: Jerome Brunet Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/20210429090325.60970-1-jbrunet@baylibre.com Signed-off-by: Sasha Levin commit 27e9e0c4681633c1108dc2c0ad982606cb442724 Author: Wei Yongjun Date: Wed May 19 15:58:52 2021 +0000 net: qrtr: ns: Fix error return code in qrtr_ns_init() [ Upstream commit a49e72b3bda73d36664a084e47da9727a31b8095 ] Fix to return a negative error code -ENOMEM from the error handling case instead of 0, as done elsewhere in this function. Fixes: c6e08d6251f3 ("net: qrtr: Allocate workqueue before kernel_bind") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Reviewed-by: Manivannan Sadhasivam Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 40b701707ebfc7f362fdbf3fdf7c2803e86fa552 Author: Thomas Hellstrom Date: Tue May 4 23:57:37 2021 -0400 drm/vmwgfx: Fix cpu updates of coherent multisample surfaces [ Upstream commit 88509f698c4e38e287e016e86a0445547824135c ] In cases where the dirty linear memory range spans multiple sample sheets in a surface, the dirty surface region is incorrectly computed. To do this correctly and in an optimized fashion we would have to compute the dirty region of each sample sheet and compute the union of those regions. But assuming that cpu writing to a multisample surface is rather a corner case than a common case, just set the dirty region to the full surface. This fixes OpenGL piglit errors with SVGA_FORCE_COHERENT=1 and the piglit test: fbo-depthstencil blit default_fb -samples=2 -auto Fixes: 9ca7d19ff8ba ("drm/vmwgfx: Add surface dirty-tracking callbacks") Signed-off-by: Thomas Hellstrom Reviewed-by: Charmaine Lee Reviewed-by: Roland Scheidegger Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20210505035740.286923-4-zackr@vmware.com Signed-off-by: Sasha Levin commit a8e85ed08858d0f34b20e5a8cc8063b2e34e019d Author: Thomas Hellstrom Date: Tue May 4 23:57:36 2021 -0400 drm/vmwgfx: Mark a surface gpu-dirty after the SVGA3dCmdDXGenMips command [ Upstream commit 75156a887b6cea6e09d83ec19f4ebfd7c86265f0 ] The SVGA3dCmdDXGenMips command uses a shader-resource view to access the underlying surface. Normally accesses using that view-type are not dirtying the underlying surface, but that particular command is an exception. Mark the surface gpu-dirty after a SVGA3dCmdDXGenMips command has been submitted. This fixes the piglit getteximage-formats test run with SVGA_FORCE_COHERENT=1 Fixes: a9f58c456e9d ("drm/vmwgfx: Be more restrictive when dirtying resources") Signed-off-by: Thomas Hellstrom Reviewed-by: Charmaine Lee Reviewed-by: Roland Scheidegger Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20210505035740.286923-3-zackr@vmware.com Signed-off-by: Sasha Levin commit 8f2b15ec3bec7b9fe8e80e21d6d6be74e8a33525 Author: Geert Uytterhoeven Date: Fri Apr 30 14:31:01 2021 +0200 pinctrl: renesas: r8a77990: JTAG pins do not have pull-down capabilities [ Upstream commit 702a5fa2fe4d7e7f28fed92a170b540acfff9d34 ] Hence remove the SH_PFC_PIN_CFG_PULL_DOWN flags from their pin descriptions. Fixes: 83f6941a42a5e773 ("pinctrl: sh-pfc: r8a77990: Add bias pinconf support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/da4b2d69955840a506412f1e8099607a0da97ecc.1619785375.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 6f4718c134003e87cbf9e65d8e21fd450e99e9e1 Author: Geert Uytterhoeven Date: Fri Apr 30 14:31:00 2021 +0200 pinctrl: renesas: r8a7796: Add missing bias for PRESET# pin [ Upstream commit 2cee31cd49733e89dfedf4f68a56839fc2e42040 ] R-Car Gen3 Hardware Manual Errata for Rev. 0.52 of Nov 30, 2016, added the configuration bit for bias pull-down control for the PRESET# pin on R-Car M3-W. Add driver support for controlling pull-down on this pin. Fixes: 2d40bd24274d2577 ("pinctrl: sh-pfc: r8a7796: Add bias pinconf support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/c479de5b3f235c2f7d5faea9e7e08e6fccb135df.1619785375.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 2d487941ee598e94155d0e70c2a49c4554743f3c Author: Andy Shevchenko Date: Mon May 10 19:39:27 2021 +0300 net: pch_gbe: Propagate error from devm_gpio_request_one() [ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ] If GPIO controller is not available yet we need to defer the probe of GBE until provider will become available. While here, drop GPIOF_EXPORT because it's deprecated and may not be available. Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support") Signed-off-by: Andy Shevchenko Tested-by: Flavio Suligoi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2f9f23c43a70878aa5b3ab51e7b3e1cc63bf7899 Author: Andy Shevchenko Date: Mon May 10 12:58:05 2021 +0300 net: mvpp2: Put fwnode in error case during ->probe() [ Upstream commit 71f0891c84dfdc448736082ab0a00acd29853896 ] In each iteration fwnode_for_each_available_child_node() bumps a reference counting of a loop variable followed by dropping in on a next iteration, Since in error case the loop is broken, we have to drop a reference count by ourselves. Do it for port_fwnode in error case during ->probe(). Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*") Cc: Marcin Wojtas Signed-off-by: Andy Shevchenko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b3fecbf60ebcb0f1aab33c133330b924d27bb7c4 Author: Christophe JAILLET Date: Thu May 6 20:57:05 2021 +0200 video: fbdev: imxfb: Fix an error message [ Upstream commit 767d724a160eb1cd00c86fb8c2e21fa1ab3c37ac ] 'ret' is known to be 0 here. No error code is available, so just remove it from the error message. Fixes: 72330b0eeefc ("i.MX Framebuffer: Use readl/writel instead of direct pointer deref") Reviewed-by: Uwe Kleine-König Signed-off-by: Christophe JAILLET Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/d7b25026f82659da3c6f7159eea480faa9d738be.1620327302.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 1655266d91eda6e8effd02dbdd2b633501dcb6b9 Author: Takashi Iwai Date: Wed Apr 21 19:04:58 2021 +0200 drm/ast: Fix missing conversions to managed API [ Upstream commit 9ea172a9a3f4a7c5e876469509fc18ddefc7d49d ] The commit 7cbb93d89838 ("drm/ast: Use managed pci functions") converted a few PCI accessors to the managed API and dropped the manual pci_iounmap() calls, but it seems to have forgotten converting pci_iomap() to the managed one. It resulted in the leftover resources after the driver unbind. Let's fix them. Fixes: 7cbb93d89838 ("drm/ast: Use managed pci functions") Signed-off-by: Takashi Iwai Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20210421170458.21178-1-tiwai@suse.de Signed-off-by: Sasha Levin commit 5885fce7b43919406b32d1c942c9b496aac3abbc Author: Yingjie Wang Date: Thu Apr 8 17:57:20 2021 -0700 drm/amd/dc: Fix a missing check bug in dm_dp_mst_detect() [ Upstream commit 655c0ed19772d92c9665ed08bdc5202acc096dda ] In dm_dp_mst_detect(), We should check whether or not @connector has been unregistered from userspace. If the connector is unregistered, we should return disconnected status. Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)") Signed-off-by: Yingjie Wang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0cd39c96574d19e234cee971868c82c3769c2ee6 Author: Douglas Anderson Date: Fri Apr 16 15:39:24 2021 -0700 drm/bridge: Fix the stop condition of drm_bridge_chain_pre_enable() [ Upstream commit bab5cca7e609952b069a550e39fe4893149fb658 ] The drm_bridge_chain_pre_enable() is not the proper opposite of drm_bridge_chain_post_disable(). It continues along the chain to _before_ the starting bridge. Let's fix that. Fixes: 05193dc38197 ("drm/bridge: Make the bridge chain a double-linked list") Signed-off-by: Douglas Anderson Reviewed-by: Andrzej Hajda Reviewed-by: Laurent Pinchart Link: https://patchwork.freedesktop.org/patch/msgid/20210416153909.v4.1.If62a003f76a2bc4ccc6c53565becc05d2aad4430@changeid Signed-off-by: Sasha Levin commit 45415d1f99291d81ee945912d4e1d61c43cf0283 Author: Robert Foss Date: Mon Apr 19 11:01:24 2021 +0200 drm/bridge/sii8620: fix dependency on extcon [ Upstream commit 08319adbdde15ef7cee1970336f63461254baa2a ] The DRM_SIL_SII8620 kconfig has a weak `imply` dependency on EXTCON, which causes issues when sii8620 is built as a builtin and EXTCON is built as a module. The symptoms are 'undefined reference' errors caused by the symbols in EXTCON not being available to the sii8620 driver. Fixes: 688838442147 ("drm/bridge/sii8620: use micro-USB cable detection logic to detect MHL") Reported-by: kernel test robot Signed-off-by: Robert Foss Reviewed-by: Randy Dunlap Link: https://patchwork.freedesktop.org/patch/msgid/20210419090124.153560-1-robert.foss@linaro.org Signed-off-by: Sasha Levin commit 1de9425286f19c3d0ff2e7bcd24d17d1bf42e5ee Author: Sabrina Dubroca Date: Fri Apr 16 11:27:59 2021 +0200 xfrm: xfrm_state_mtu should return at least 1280 for ipv6 [ Upstream commit b515d2637276a3810d6595e10ab02c13bfd0b63a ] Jianwen reported that IPv6 Interoperability tests are failing in an IPsec case where one of the links between the IPsec peers has an MTU of 1280. The peer generates a packet larger than this MTU, the router replies with a "Packet too big" message indicating an MTU of 1280. When the peer tries to send another large packet, xfrm_state_mtu returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail with EINVAL. We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when IPv6 is used. After going through IPsec, the packet will then be fragmented to obey the actual network's PMTU, just before leaving the host. Currently, TFC padding is capped to PMTU - overhead to avoid fragementation: after padding and encapsulation, we still fit within the PMTU. That behavior is preserved in this patch. Fixes: 91657eafb64b ("xfrm: take net hdr len into account for esp payload size calculation") Reported-by: Jianwen Ji Signed-off-by: Sabrina Dubroca Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 10f32b8c9eb892c3c0e7671c12c3a8d24dfacfc0 Author: Liu Shixin Date: Mon Jun 28 19:42:33 2021 -0700 mm/page_alloc: fix counting of managed_pages [ Upstream commit f7ec104458e00d27a190348ac3a513f3df3699a4 ] commit f63661566fad ("mm/page_alloc.c: clear out zone->lowmem_reserve[] if the zone is empty") clears out zone->lowmem_reserve[] if zone is empty. But when zone is not empty and sysctl_lowmem_reserve_ratio[i] is set to zero, zone_managed_pages(zone) is not counted in the managed_pages either. This is inconsistent with the description of lowmem_reserve, so fix it. Link: https://lkml.kernel.org/r/20210527125707.3760259-1-liushixin2@huawei.com Fixes: f63661566fad ("mm/page_alloc.c: clear out zone->lowmem_reserve[] if the zone is empty") Signed-off-by: Liu Shixin Reported-by: yangerkun Reviewed-by: Baoquan He Acked-by: David Hildenbrand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d7deea31ed6fd0b173e76166d0598604ac86fb65 Author: Lorenzo Stoakes Date: Mon Dec 14 19:11:22 2020 -0800 mm: page_alloc: refactor setup_per_zone_lowmem_reserve() [ Upstream commit 470c61d70299b1826f56ff5fede10786798e3c14 ] setup_per_zone_lowmem_reserve() iterates through each zone setting zone->lowmem_reserve[j] = 0 (where j is the zone's index) then iterates backwards through all preceding zones, setting lower_zone->lowmem_reserve[j] = sum(managed pages of higher zones) / lowmem_reserve_ratio[idx] for each (where idx is the lower zone's index). If the lower zone has no managed pages or its ratio is 0 then all of its lowmem_reserve[] entries are effectively zeroed. As these arrays are only assigned here and all lowmem_reserve[] entries for index < this zone's index are implicitly assumed to be 0 (as these are specifically output in show_free_areas() and zoneinfo_show_print() for example) there is no need to additionally zero index == this zone's index too. This patch avoids zeroing unnecessarily. Rather than iterating through zones and setting lowmem_reserve[j] for each lower zone this patch reverse the process and populates each zone's lowmem_reserve[] values in ascending order. This clarifies what is going on especially in the case of zero managed pages or ratio which is now explicitly shown to clear these values. Link: https://lkml.kernel.org/r/20201129162758.115907-1-lstoakes@gmail.com Signed-off-by: Lorenzo Stoakes Cc: Baoquan He Cc: Michal Hocko Cc: Nicholas Piggin Cc: Vlastimil Babka Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 5458985533ba8860d6f0b08304ae90b1d7ec970a Author: Waiman Long Date: Mon Jun 28 19:37:34 2021 -0700 mm: memcg/slab: properly set up gfp flags for objcg pointer array [ Upstream commit 41eb5df1cbc9b302fc263ad7c9f38cfc38b4df61 ] Patch series "mm: memcg/slab: Fix objcg pointer array handling problem", v4. Since the merging of the new slab memory controller in v5.9, the page structure stores a pointer to objcg pointer array for slab pages. When the slab has no used objects, it can be freed in free_slab() which will call kfree() to free the objcg pointer array in memcg_alloc_page_obj_cgroups(). If it happens that the objcg pointer array is the last used object in its slab, that slab may then be freed which may caused kfree() to be called again. With the right workload, the slab cache may be set up in a way that allows the recursive kfree() calling loop to nest deep enough to cause a kernel stack overflow and panic the system. In fact, we have a reproducer that can cause kernel stack overflow on a s390 system involving kmalloc-rcl-256 and kmalloc-rcl-128 slabs with the following kfree() loop recursively called 74 times: [ 285.520739] [<000000000ec432fc>] kfree+0x4bc/0x560 [ 285.520740] [<000000000ec43466>] __free_slab+0xc6/0x228 [ 285.520741] [<000000000ec41fc2>] __slab_free+0x3c2/0x3e0 [ 285.520742] [<000000000ec432fc>] kfree+0x4bc/0x560 : While investigating this issue, I also found an issue on the allocation side. If the objcg pointer array happen to come from the same slab or a circular dependency linkage is formed with multiple slabs, those affected slabs can never be freed again. This patch series addresses these two issues by introducing a new set of kmalloc-cg- caches split from kmalloc- caches. The new set will only contain non-reclaimable and non-dma objects that are accounted in memory cgroups whereas the old set are now for unaccounted objects only. By making this split, all the objcg pointer arrays will come from the kmalloc- caches, but those caches will never hold any objcg pointer array. As a result, deeply nested kfree() call and the unfreeable slab problems are now gone. This patch (of 4): Since the merging of the new slab memory controller in v5.9, the page structure may store a pointer to obj_cgroup pointer array for slab pages. Currently, only the __GFP_ACCOUNT bit is masked off. However, the array is not readily reclaimable and doesn't need to come from the DMA buffer. So those GFP bits should be masked off as well. Do the flag bit clearing at memcg_alloc_page_obj_cgroups() to make sure that it is consistently applied no matter where it is called. Link: https://lkml.kernel.org/r/20210505200610.13943-1-longman@redhat.com Link: https://lkml.kernel.org/r/20210505200610.13943-2-longman@redhat.com Fixes: 286e04b8ed7a ("mm: memcg/slab: allocate obj_cgroups for non-root slab pages") Signed-off-by: Waiman Long Reviewed-by: Shakeel Butt Acked-by: Roman Gushchin Reviewed-by: Vlastimil Babka Cc: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Christoph Lameter Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 8e4af3917bfc5e82f8010417c12b755ef256fa5e Author: Miaohe Lin Date: Mon Jun 28 19:36:57 2021 -0700 mm/shmem: fix shmem_swapin() race with swapoff [ Upstream commit 2efa33fc7f6ec94a3a538c1a264273c889be2b36 ] When I was investigating the swap code, I found the below possible race window: CPU 1 CPU 2 ----- ----- shmem_swapin swap_cluster_readahead if (likely(si->flags & (SWP_BLKDEV | SWP_FS_OPS))) { swapoff .. si->swap_file = NULL; .. struct inode *inode = si->swap_file->f_mapping->host;[oops!] Close this race window by using get/put_swap_device() to guard against concurrent swapoff. Link: https://lkml.kernel.org/r/20210426123316.806267-5-linmiaohe@huawei.com Fixes: 8fd2e0b505d1 ("mm: swap: check if swap backing device is congested or not") Signed-off-by: Miaohe Lin Reviewed-by: "Huang, Ying" Cc: Dennis Zhou Cc: Tim Chen Cc: Hugh Dickins Cc: Johannes Weiner Cc: Michal Hocko Cc: Joonsoo Kim Cc: Alex Shi Cc: Matthew Wilcox Cc: Minchan Kim Cc: Wei Yang Cc: Yang Shi Cc: David Hildenbrand Cc: Yu Zhao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a5dcdfe4cb4a5311568202289595ed6436212ca9 Author: Miaohe Lin Date: Mon Jun 28 19:36:50 2021 -0700 swap: fix do_swap_page() race with swapoff [ Upstream commit 2799e77529c2a25492a4395db93996e3dacd762d ] When I was investigating the swap code, I found the below possible race window: CPU 1 CPU 2 ----- ----- do_swap_page if (data_race(si->flags & SWP_SYNCHRONOUS_IO) swap_readpage if (data_race(sis->flags & SWP_FS_OPS)) { swapoff .. p->swap_file = NULL; .. struct file *swap_file = sis->swap_file; struct address_space *mapping = swap_file->f_mapping;[oops!] Note that for the pages that are swapped in through swap cache, this isn't an issue. Because the page is locked, and the swap entry will be marked with SWAP_HAS_CACHE, so swapoff() can not proceed until the page has been unlocked. Fix this race by using get/put_swap_device() to guard against concurrent swapoff. Link: https://lkml.kernel.org/r/20210426123316.806267-3-linmiaohe@huawei.com Fixes: 0bcac06f27d7 ("mm,swap: skip swapcache for swapin of synchronous device") Signed-off-by: Miaohe Lin Reviewed-by: "Huang, Ying" Cc: Alex Shi Cc: David Hildenbrand Cc: Dennis Zhou Cc: Hugh Dickins Cc: Johannes Weiner Cc: Joonsoo Kim Cc: Matthew Wilcox Cc: Michal Hocko Cc: Minchan Kim Cc: Tim Chen Cc: Wei Yang Cc: Yang Shi Cc: Yu Zhao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 29ae2c9c9ccc57993c17ee2db159496ba2e99dfe Author: Anshuman Khandual Date: Mon Jun 28 19:35:10 2021 -0700 mm/debug_vm_pgtable: ensure THP availability via has_transparent_hugepage() [ Upstream commit 65ac1a60a57e2c55f2ac37f27095f6b012295e81 ] On certain platforms, THP support could not just be validated via the build option CONFIG_TRANSPARENT_HUGEPAGE. Instead has_transparent_hugepage() also needs to be called upon to verify THP runtime support. Otherwise the debug test will just run into unusable THP helpers like in the case of a 4K hash config on powerpc platform [1]. This just moves all pfn_pmd() and pfn_pud() after THP runtime validation with has_transparent_hugepage() which prevents the mentioned problem. [1] https://bugzilla.kernel.org/show_bug.cgi?id=213069 Link: https://lkml.kernel.org/r/1621397588-19211-1-git-send-email-anshuman.khandual@arm.com Fixes: 787d563b8642 ("mm/debug_vm_pgtable: fix kernel crash by checking for THP support") Signed-off-by: Anshuman Khandual Cc: Aneesh Kumar K.V Cc: Christophe Leroy Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 7abf6e5763541d49f3342f26e119c6a21d45191d Author: Anshuman Khandual Date: Wed Feb 24 12:01:36 2021 -0800 mm/debug_vm_pgtable/basic: iterate over entire protection_map[] [ Upstream commit 2e326c07bbe1eabeece4047ab5972ef34b15679b ] Currently the basic tests just validate various page table transformations after starting with vm_get_page_prot(VM_READ|VM_WRITE|VM_EXEC) protection. Instead scan over the entire protection_map[] for better coverage. It also makes sure that all these basic page table tranformations checks hold true irrespective of the starting protection value for the page table entry. There is also a slight change in the debug print format for basic tests to capture the protection value it is being tested with. The modified output looks something like [pte_basic_tests ]: Validating PTE basic () [pte_basic_tests ]: Validating PTE basic (read) [pte_basic_tests ]: Validating PTE basic (write) [pte_basic_tests ]: Validating PTE basic (read|write) [pte_basic_tests ]: Validating PTE basic (exec) [pte_basic_tests ]: Validating PTE basic (read|exec) [pte_basic_tests ]: Validating PTE basic (write|exec) [pte_basic_tests ]: Validating PTE basic (read|write|exec) [pte_basic_tests ]: Validating PTE basic (shared) [pte_basic_tests ]: Validating PTE basic (read|shared) [pte_basic_tests ]: Validating PTE basic (write|shared) [pte_basic_tests ]: Validating PTE basic (read|write|shared) [pte_basic_tests ]: Validating PTE basic (exec|shared) [pte_basic_tests ]: Validating PTE basic (read|exec|shared) [pte_basic_tests ]: Validating PTE basic (write|exec|shared) [pte_basic_tests ]: Validating PTE basic (read|write|exec|shared) This adds a missing argument 'struct mm_struct *' in pud_basic_tests() test . This never got exposed before as PUD based THP is available only on X86 platform where mm_pmd_folded(mm) call gets macro replaced without requiring the mm_struct i.e __is_defined(__PAGETABLE_PMD_FOLDED). Link: https://lkml.kernel.org/r/1611137241-26220-3-git-send-email-anshuman.khandual@arm.com Signed-off-by: Anshuman Khandual Tested-by: Gerald Schaefer [s390] Reviewed-by: Steven Price Suggested-by: Catalin Marinas Cc: Christophe Leroy Cc: Gerald Schaefer Cc: Paul Walmsley Cc: Vineet Gupta Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 27634d63ca586cf143c0e87fc003612a22ccc869 Author: Anshuman Khandual Date: Wed Feb 24 12:01:32 2021 -0800 mm/debug_vm_pgtable/basic: add validation for dirtiness after write protect [ Upstream commit bb5c47ced46797409f4791d0380db3116d93134c ] Patch series "mm/debug_vm_pgtable: Some minor updates", v3. This series contains some cleanups and new test suggestions from Catalin from an earlier discussion. https://lore.kernel.org/linux-mm/20201123142237.GF17833@gaia/ This patch (of 2): This adds validation tests for dirtiness after write protect conversion for each page table level. There are two new separate test types involved here. The first test ensures that a given page table entry does not become dirty after pxx_wrprotect(). This is important for platforms like arm64 which transfers and drops the hardware dirty bit (!PTE_RDONLY) to the software dirty bit while making it an write protected one. This test ensures that no fresh page table entry could be created with hardware dirty bit set. The second test ensures that a given page table entry always preserve the dirty information across pxx_wrprotect(). This adds two previously missing PUD level basic tests and while here fixes pxx_wrprotect() related typos in the documentation file. Link: https://lkml.kernel.org/r/1611137241-26220-1-git-send-email-anshuman.khandual@arm.com Link: https://lkml.kernel.org/r/1611137241-26220-2-git-send-email-anshuman.khandual@arm.com Signed-off-by: Anshuman Khandual Suggested-by: Catalin Marinas Tested-by: Gerald Schaefer [s390] Cc: Christophe Leroy Cc: Gerald Schaefer Cc: Vineet Gupta Cc: Paul Walmsley Cc: Steven Price Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c872674da72415a41159ed97e8965890f102488e Author: Jan Kara Date: Mon Jun 28 19:35:04 2021 -0700 dax: fix ENOMEM handling in grab_mapping_entry() [ Upstream commit 1a14e3779dd58c16b30e56558146e5cc850ba8b0 ] grab_mapping_entry() has a bug in handling of ENOMEM condition. Suppose we have a PMD entry at index i which we are downgrading to a PTE entry. grab_mapping_entry() will set pmd_downgrade to true, lock the entry, clear the entry in xarray, and decrement mapping->nrpages. The it will call: entry = dax_make_entry(pfn_to_pfn_t(0), flags); dax_lock_entry(xas, entry); which inserts new PTE entry into xarray. However this may fail allocating the new node. We handle this by: if (xas_nomem(xas, mapping_gfp_mask(mapping) & ~__GFP_HIGHMEM)) goto retry; however pmd_downgrade stays set to true even though 'entry' returned from get_unlocked_entry() will be NULL now. And we will go again through the downgrade branch. This is mostly harmless except that mapping->nrpages is decremented again and we temporarily have an invalid entry stored in xarray. Fix the problem by setting pmd_downgrade to false each time we lookup the entry we work with so that it matches the entry we found. Link: https://lkml.kernel.org/r/20210622160015.18004-1-jack@suse.cz Fixes: b15cd800682f ("dax: Convert page fault handlers to XArray") Signed-off-by: Jan Kara Reviewed-by: Dan Williams Cc: Matthew Wilcox Cc: "Aneesh Kumar K.V" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c015295b28d63971f09a3061d9abefd131df7c73 Author: Dan Carpenter Date: Mon Jun 28 19:34:01 2021 -0700 ocfs2: fix snprintf() checking [ Upstream commit 54e948c60cc843b6e84dc44496edc91f51d2a28e ] The snprintf() function returns the number of bytes which would have been printed if the buffer was large enough. In other words it can return ">= remain" but this code assumes it returns "== remain". The run time impact of this bug is not very severe. The next iteration through the loop would trigger a WARN() when we pass a negative limit to snprintf(). We would then return success instead of -E2BIG. The kernel implementation of snprintf() will never return negatives so there is no need to check and I have deleted that dead code. Link: https://lkml.kernel.org/r/20210511135350.GV1955@kadam Fixes: a860f6eb4c6a ("ocfs2: sysfile interfaces for online file check") Fixes: 74ae4e104dfc ("ocfs2: Create stack glue sysfs files.") Signed-off-by: Dan Carpenter Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 512106ae2355813a5eb84e8dc908628d52856890 Author: Ming Lei Date: Fri Jun 25 10:02:48 2021 +0800 blk-mq: update hctx->dispatch_busy in case of real scheduler [ Upstream commit cb9516be7708a2a18ec0a19fe3a225b5b3bc92c7 ] Commit 6e6fcbc27e77 ("blk-mq: support batching dispatch in case of io") starts to support io batching submission by using hctx->dispatch_busy. However, blk_mq_update_dispatch_busy() isn't changed to update hctx->dispatch_busy in that commit, so fix the issue by updating hctx->dispatch_busy in case of real scheduler. Reported-by: Jan Kara Reviewed-by: Jan Kara Fixes: 6e6fcbc27e77 ("blk-mq: support batching dispatch in case of io") Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20210625020248.1630497-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 3e33b1329c61c58ebed90e9780ab14684f5f7438 Author: Rafael J. Wysocki Date: Tue Jun 22 21:11:39 2021 +0200 cpufreq: Make cpufreq_online() call driver->offline() on errors [ Upstream commit 3b7180573c250eb6e2a7eec54ae91f27472332ea ] In the CPU removal path the ->offline() callback provided by the driver is always invoked before ->exit(), but in the cpufreq_online() error path it is not, so ->exit() is expected to somehow know the context in which it has been called and act accordingly. That is less than straightforward, so make cpufreq_online() invoke the driver's ->offline() callback, if present, on errors before ->exit() too. This only potentially affects intel_pstate. Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs") Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Sasha Levin commit cc0b1776fd1d98599e3053dd9ebe5786336735e9 Author: Nathan Chancellor Date: Tue Jun 22 18:38:01 2021 -0700 ACPI: bgrt: Fix CFI violation [ Upstream commit f37ccf8fce155d08ae2a4fb3db677911ced0c21a ] clang's Control Flow Integrity requires that every indirect call has a valid target, which is based on the type of the function pointer. The *_show() functions in this file are written as if they will be called from dev_attr_show(); however, they will be called from sysfs_kf_seq_show() because the files were created by sysfs_create_group() and the sysfs ops are based on kobj_sysfs_ops because of kobject_add_and_create(). Because the *_show() functions do not match the type of the show() member in struct kobj_attribute, there is a CFI violation. $ cat /sys/firmware/acpi/bgrt/{status,type,version,{x,y}offset}} 1 0 1 522 307 $ dmesg | grep "CFI failure" [ 267.761825] CFI failure (target: type_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8): [ 267.762246] CFI failure (target: xoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8): [ 267.762584] CFI failure (target: status_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8): [ 267.762973] CFI failure (target: yoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8): [ 267.763330] CFI failure (target: version_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8): Convert these functions to the type of the show() member in struct kobj_attribute so that there is no more CFI violation. Because these functions are all so similar, combine them into a macro. Fixes: d1ff4b1cdbab ("ACPI: Add support for exposing BGRT data") Link: https://github.com/ClangBuiltLinux/linux/issues/1406 Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 3cbe01ac28a8ee52b40a8d0db0392493ed855c20 Author: Dwaipayan Ray Date: Thu Dec 17 18:15:36 2020 +0530 ACPI: Use DEVICE_ATTR_ macros [ Upstream commit 0f39ee8324e75c9d370e84a61323ceb194641a18 ] Instead of open coding DEVICE_ATTR(), use the DEVICE_ATTR_RW(), DEVICE_ATTR_RO() and DEVICE_ATTR_WO() macros wherever possible. This required a few functions to be renamed but the functionality itself is unchanged. Signed-off-by: Dwaipayan Ray Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit d3dd2fe2743fbc83f7d15ab6932e5fba8b4b3d26 Author: Zhang Yi Date: Sat Jun 19 17:37:00 2021 +0800 blk-wbt: make sure throttle is enabled properly [ Upstream commit 76a8040817b4b9c69b53f9b326987fa891b4082a ] After commit a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt"), if throttle was disabled by wbt_disable_default(), we could not enable again, fix this by set enable_state back to WBT_STATE_ON_DEFAULT. Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20210619093700.920393-3-yi.zhang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 1c2f21a8a0c23cbd9f03a8a31393d250c6122b42 Author: Zhang Yi Date: Sat Jun 19 17:36:59 2021 +0800 blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() [ Upstream commit 1d0903d61e9645c6330b94247b96dd873dfc11c8 ] Now that we disable wbt by simply zero out rwb->wb_normal in wbt_disable_default() when switch elevator to bfq, but it's not safe because it will become false positive if we change queue depth. If it become false positive between wbt_wait() and wbt_track() when submit write request, it will lead to drop rqw->inflight to -1 in wbt_done(), which will end up trigger IO hung. Fix this issue by introduce a new state which mean the wbt was disabled. Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20210619093700.920393-2-yi.zhang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e0afab5181d0801b270233af18f2db88d75824f7 Author: Xiaofei Tan Date: Fri Jun 11 20:37:07 2021 +0800 ACPI: APEI: fix synchronous external aborts in user-mode [ Upstream commit ccb5ecdc2ddeaff744ee075b54cdff8a689e8fa7 ] Before commit 8fcc4ae6faf8 ("arm64: acpi: Make apei_claim_sea() synchronise with APEI's irq work"), do_sea() would unconditionally signal the affected task from the arch code. Since that change, the GHES driver sends the signals. This exposes a problem as errors the GHES driver doesn't understand or doesn't handle effectively are silently ignored. It will cause the errors get taken again, and circulate endlessly. User-space task get stuck in this loop. Existing firmware on Kunpeng9xx systems reports cache errors with the 'ARM Processor Error' CPER records. Do memory failure handling for ARM Processor Error Section just like for Memory Error Section. Fixes: 8fcc4ae6faf8 ("arm64: acpi: Make apei_claim_sea() synchronise with APEI's irq work") Signed-off-by: Xiaofei Tan Reviewed-by: James Morse [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f626452df805bb4e69501bd9eac6a6c9866e4e2f Author: Matti Vaittinen Date: Tue Jun 8 13:10:31 2021 +0300 extcon: extcon-max8997: Fix IRQ freeing at error path [ Upstream commit 610bdc04830a864115e6928fc944f1171dfff6f3 ] If reading MAX8997_MUIC_REG_STATUS1 fails at probe the driver exits without freeing the requested IRQs. Free the IRQs prior returning if reading the status fails. Fixes: 3e34c8198960 ("extcon: max8997: Avoid forcing UART path on drive probe") Signed-off-by: Matti Vaittinen Reviewed-by: Hans de Goede Acked-by: Chanwoo Choi Link: https://lore.kernel.org/r/27ee4a48ee775c3f8c9d90459c18b6f2b15edc76.1623146580.git.matti.vaittinen@fi.rohmeurope.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 45b399e309f5aed3a4e8538b1fa86d808af6e6fb Author: Tony Lindgren Date: Thu Apr 15 11:55:06 2021 +0300 clocksource/drivers/timer-ti-dm: Save and restore timer TIOCP_CFG [ Upstream commit 9517c577f9f722270584cfb1a7b4e1354e408658 ] As we are using cpu_pm to save and restore context, we must also save and restore the timer sysconfig register TIOCP_CFG. This is needed because we are not calling PM runtime functions at all with cpu_pm. Fixes: b34677b0999a ("clocksource/drivers/timer-ti-dm: Implement cpu_pm notifier for context save and restore") Cc: Aaro Koskinen Cc: Adam Ford Cc: Andreas Kemnade Cc: Lokesh Vutla Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210415085506.56828-1-tony@atomide.com Signed-off-by: Sasha Levin commit 0317b728d8aee5cb065b5fbe9f99c97954bf2b4a Author: Christoph Hellwig Date: Tue Jun 8 18:13:27 2021 +0200 mark pstore-blk as broken [ Upstream commit d07f3b081ee632268786601f55e1334d1f68b997 ] pstore-blk just pokes directly into the pagecache for the block device without going through the file operations for that by faking up it's own file operations that do not match the block device ones. As this breaks the control of the block layer of it's page cache, and even now just works by accident only the best thing is to just disable this driver. Fixes: 17639f67c1d6 ("pstore/blk: Introduce backend for block devices") Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20210608161327.1537919-1-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 296fbe2608d2d9cfc77f36165692fa3a1ac0b97f Author: Krzysztof Wilczyński Date: Thu Jun 3 17:12:01 2021 +0000 ACPI: sysfs: Fix a buffer overrun problem with description_show() [ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ] Currently, a device description can be obtained using ACPI, if the _STR method exists for a particular device, and then exposed to the userspace via a sysfs object as a string value. If the _STR method is available for a given device then the data (usually a Unicode string) is read and stored in a buffer (of the ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the struct acpi_device_pnp for later access. The description_show() function is responsible for exposing the device description to the userspace via a corresponding sysfs object and internally calls the utf16s_to_utf8s() function with a pointer to the buffer that contains the Unicode string so that it can be converted from UTF16 encoding to UTF8 and thus allowing for the value to be safely stored and later displayed. When invoking the utf16s_to_utf8s() function, the description_show() function also sets a limit of the data that can be saved into a provided buffer as a result of the character conversion to be a total of PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns an integer value denoting the number of bytes that have been written into the provided buffer. Following the execution of the utf16s_to_utf8s() a newline character will be added at the end of the resulting buffer so that when the value is read in the userspace through the sysfs object then it would include newline making it more accessible when working with the sysfs file system in the shell, etc. Normally, this wouldn't be a problem, but if the function utf16s_to_utf8s() happens to return the number of bytes written to be precisely PAGE_SIZE, then we would overrun the buffer and write the newline character outside the allotted space which can have undefined consequences or result in a failure. To fix this buffer overrun, ensure that there always is enough space left for the newline character to be safely appended. Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bjorn Helgaas Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit ce47ae8961ddb641b9a4513343fdf7f4d9305a6f Author: Mario Limonciello Date: Fri May 28 11:02:34 2021 -0500 nvme-pci: look for StorageD3Enable on companion ACPI device instead [ Upstream commit e21e0243e7b0f1c2a21d21f4d115f7b37175772a ] The documentation around the StorageD3Enable property hints that it should be made on the PCI device. This is where newer AMD systems set the property and it's required for S0i3 support. So rather than look for nodes of the root port only present on Intel systems, switch to the companion ACPI device for all systems. David Box from Intel indicated this should work on Intel as well. Link: https://lore.kernel.org/linux-nvme/YK6gmAWqaRmvpJXb@google.com/T/#m900552229fa455867ee29c33b854845fce80ba70 Link: https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/power-management-for-storage-hardware-devices-intro Fixes: df4f9bc4fb9c ("nvme-pci: add support for ACPI StorageD3Enable property") Suggested-by: Liang Prike Acked-by: Raul E Rangel Signed-off-by: Mario Limonciello Reviewed-by: David E. Box Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 3ffe41f25f21352331fd1fb753133c47f68b0acf Author: Ming Lei Date: Tue May 11 23:22:33 2021 +0800 block: avoid double io accounting for flush request [ Upstream commit 84da7acc3ba53af26f15c4b0ada446127b7a7836 ] For flush request, rq->end_io() may be called two times, one is from timeout handling(blk_mq_check_expired()), another is from normal completion(__blk_mq_end_request()). Move blk_account_io_flush() after flush_rq->ref drops to zero, so io accounting can be done just once for flush request. Fixes: b68663186577 ("block: add iostat counters for flush requests") Reviewed-by: Bart Van Assche Reviewed-by: Christoph Hellwig Tested-by: John Garry Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20210511152236.763464-2-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 17e77feaddd6cdcb5c656ee4441c42d76562867b Author: Rafael J. Wysocki Date: Fri May 14 21:08:51 2021 +0200 ACPI: PM / fan: Put fan device IDs into separate header file [ Upstream commit b9370dceabb7841c5e65ce4ee4405b9db5231fc4 ] The ACPI fan device IDs are shared between the fan driver and the device power management code. The former is modular, so it needs to include the table of device IDs for module autoloading and the latter needs that list to avoid attaching the generic ACPI PM domain to fan devices (which doesn't make sense) possibly before the fan driver module is loaded. Unfortunately, that requires the list of fan device IDs to be updated in two places which is prone to mistakes, so put it into a symbol definition in a separate header file so there is only one copy of it in case it needs to be updated again in the future. Fixes: b9ea0bae260f ("ACPI: PM: Avoid attaching ACPI PM domain to certain devices") Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 4dcb59d6a288d941b08a285206bd7a38206708c9 Author: YueHaibing Date: Fri May 14 14:48:43 2021 +0800 PM / devfreq: Add missing error code in devfreq_add_device() [ Upstream commit 18b380ed61f892ed06838d1f1a5124d966292ed3 ] Set err code in the error path before jumping to the end of the function. Fixes: 4dc3bab8687f ("PM / devfreq: Add support delayed timer for polling mode") Signed-off-by: YueHaibing Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit a61f8a2e45bec63fd3fb875ed18fed5cab456044 Author: Philipp Zabel Date: Mon Mar 22 15:44:08 2021 +0100 media: video-mux: Skip dangling endpoints [ Upstream commit 95778c2d0979618e3349b1d2324ec282a5a6adbf ] i.MX6 device tree include files contain dangling endpoints for the board device tree writers' convenience. These are still included in many existing device trees. Treat dangling endpoints as non-existent to support them. Signed-off-by: Philipp Zabel Signed-off-by: Hans Verkuil Fixes: 612b385efb1e ("media: video-mux: Create media links in bound notifier") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 62c666805af470690464b56fff00a424a2ded23e Author: Ezequiel Garcia Date: Mon Jan 18 02:52:45 2021 +0100 media: v4l2-async: Clean v4l2_async_notifier_add_fwnode_remote_subdev [ Upstream commit c1cf3d896d124e3e00794f9bfbde49f0fc279e3f ] Change v4l2_async_notifier_add_fwnode_remote_subdev semantics so it allocates the struct v4l2_async_subdev pointer. This makes the API consistent: the v4l2-async subdevice addition functions have now a unified usage model. This model is simpler, as it makes v4l2-async responsible for the allocation and release of the subdevice descriptor, and no longer something the driver has to worry about. On the user side, the change makes the API simpler for the drivers to use and less error-prone. Signed-off-by: Ezequiel Garcia Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Reviewed-by: Helen Koike Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6bfcb6178925b1fd28c102e53d403091b8f49396 Author: Zhaoyang Huang Date: Fri Jun 11 08:29:34 2021 +0800 psi: Fix race between psi_trigger_create/destroy [ Upstream commit 8f91efd870ea5d8bc10b0fcc9740db51cd4c0c83 ] Race detected between psi_trigger_destroy/create as shown below, which cause panic by accessing invalid psi_system->poll_wait->wait_queue_entry and psi_system->poll_timer->entry->next. Under this modification, the race window is removed by initialising poll_wait and poll_timer in group_init which are executed only once at beginning. psi_trigger_destroy() psi_trigger_create() mutex_lock(trigger_lock); rcu_assign_pointer(poll_task, NULL); mutex_unlock(trigger_lock); mutex_lock(trigger_lock); if (!rcu_access_pointer(group->poll_task)) { timer_setup(poll_timer, poll_timer_fn, 0); rcu_assign_pointer(poll_task, task); } mutex_unlock(trigger_lock); synchronize_rcu(); del_timer_sync(poll_timer); <-- poll_timer has been reinitialized by psi_trigger_create() So, trigger_lock/RCU correctly protects destruction of group->poll_task but misses this race affecting poll_timer and poll_wait. Fixes: 461daba06bdc ("psi: eliminate kthread_worker from psi trigger scheduling mechanism") Co-developed-by: ziwei.dai Signed-off-by: ziwei.dai Co-developed-by: ke.wang Signed-off-by: ke.wang Signed-off-by: Zhaoyang Huang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Suren Baghdasaryan Acked-by: Johannes Weiner Link: https://lkml.kernel.org/r/1623371374-15664-1-git-send-email-huangzhaoyang@gmail.com Signed-off-by: Sasha Levin commit 8d7debe74475b47b68b2690417cc6f961c9bc93d Author: Herbert Xu Date: Thu Jun 17 15:57:12 2021 +0800 crypto: nx - Fix RCU warning in nx842_OF_upd_status [ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ] The function nx842_OF_upd_status triggers a sparse RCU warning when it directly dereferences the RCU-protected devdata. This appears to be an accident as there was another variable of the same name that was passed in from the caller. After it was removed (because the main purpose of using it, to update the status member was itself removed) the global variable unintenionally stood in as its replacement. This patch restores the devdata parameter. Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c43082d284fa15079c3ca22583fd76f50fe4e5d4 Author: Mirko Vogt Date: Mon Jun 14 16:45:07 2021 +0200 spi: spi-sun6i: Fix chipselect/clock bug [ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ] The current sun6i SPI implementation initializes the transfer too early, resulting in SCK going high before the transfer. When using an additional (gpio) chipselect with sun6i, the chipselect is asserted at a time when clock is high, making the SPI transfer fail. This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer function, hence, right before the transfer starts, mitigates that problem. Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) Signed-off-by: Mirko Vogt Signed-off-by: Ralf Schlatterbeck Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f18f7a2276979e1ce3183152d560ca89ef97e73f Author: Peter Zijlstra Date: Thu Jun 17 20:57:19 2021 +0200 lockdep/selftests: Fix selftests vs PROVE_RAW_LOCK_NESTING [ Upstream commit c0c2c0dad6a06e0c05e9a52d65f932bd54364c97 ] When PROVE_RAW_LOCK_NESTING=y many of the selftests FAILED because HARDIRQ context is out-of-bounds for spinlocks. Instead make the default hardware context the threaded hardirq context, which preserves the old locking rules. The wait-type specific locking selftests will have a non-threaded HARDIRQ variant. Fixes: de8f5e4f2dc1 ("lockdep: Introduce wait-type checks") Signed-off-by: Peter Zijlstra (Intel) Tested-by: Joerg Roedel Link: https://lore.kernel.org/r/20210617190313.322096283@infradead.org Signed-off-by: Sasha Levin commit fca9e784a36c48091a21b0dc85c0b61a810e7346 Author: Peter Zijlstra Date: Thu Jun 17 20:57:18 2021 +0200 lockdep: Fix wait-type for empty stack [ Upstream commit f8b298cc39f0619544c607eaef09fd0b2afd10f3 ] Even the very first lock can violate the wait-context check, consider the various IRQ contexts. Fixes: de8f5e4f2dc1 ("lockdep: Introduce wait-type checks") Signed-off-by: Peter Zijlstra (Intel) Tested-by: Joerg Roedel Link: https://lore.kernel.org/r/20210617190313.256987481@infradead.org Signed-off-by: Sasha Levin commit ca47a4fa8996e9469302257af66ad3073942a013 Author: Qais Yousef Date: Thu Jun 17 17:51:55 2021 +0100 sched/uclamp: Fix uclamp_tg_restrict() [ Upstream commit 0213b7083e81f4acd69db32cb72eb4e5f220329a ] Now cpu.uclamp.min acts as a protection, we need to make sure that the uclamp request of the task is within the allowed range of the cgroup, that is it is clamp()'ed correctly by tg->uclamp[UCLAMP_MIN] and tg->uclamp[UCLAMP_MAX]. As reported by Xuewen [1] we can have some corner cases where there's inversion between uclamp requested by task (p) and the uclamp values of the taskgroup it's attached to (tg). Following table demonstrates 2 corner cases: | p | tg | effective -----------+-----+------+----------- CASE 1 -----------+-----+------+----------- uclamp_min | 60% | 0% | 60% -----------+-----+------+----------- uclamp_max | 80% | 50% | 50% -----------+-----+------+----------- CASE 2 -----------+-----+------+----------- uclamp_min | 0% | 30% | 30% -----------+-----+------+----------- uclamp_max | 20% | 50% | 20% -----------+-----+------+----------- With this fix we get: | p | tg | effective -----------+-----+------+----------- CASE 1 -----------+-----+------+----------- uclamp_min | 60% | 0% | 50% -----------+-----+------+----------- uclamp_max | 80% | 50% | 50% -----------+-----+------+----------- CASE 2 -----------+-----+------+----------- uclamp_min | 0% | 30% | 30% -----------+-----+------+----------- uclamp_max | 20% | 50% | 30% -----------+-----+------+----------- Additionally uclamp_update_active_tasks() must now unconditionally update both UCLAMP_MIN/MAX because changing the tg's UCLAMP_MAX for instance could have an impact on the effective UCLAMP_MIN of the tasks. | p | tg | effective -----------+-----+------+----------- old -----------+-----+------+----------- uclamp_min | 60% | 0% | 50% -----------+-----+------+----------- uclamp_max | 80% | 50% | 50% -----------+-----+------+----------- *new* -----------+-----+------+----------- uclamp_min | 60% | 0% | *60%* -----------+-----+------+----------- uclamp_max | 80% |*70%* | *70%* -----------+-----+------+----------- [1] https://lore.kernel.org/lkml/CAB8ipk_a6VFNjiEnHRHkUMBKbA+qzPQvhtNjJ_YNzQhqV_o8Zw@mail.gmail.com/ Fixes: 0c18f2ecfcc2 ("sched/uclamp: Fix wrong implementation of cpu.uclamp.min") Reported-by: Xuewen Yan Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210617165155.3774110-1-qais.yousef@arm.com Signed-off-by: Sasha Levin commit aea030cefc591a1429f857990c732ec86ef67874 Author: Vincent Donnefort Date: Mon Jun 21 11:37:52 2021 +0100 sched/rt: Fix Deadline utilization tracking during policy change [ Upstream commit d7d607096ae6d378b4e92d49946d22739c047d4c ] DL keeps track of the utilization on a per-rq basis with the structure avg_dl. This utilization is updated during task_tick_dl(), put_prev_task_dl() and set_next_task_dl(). However, when the current running task changes its policy, set_next_task_dl() which would usually take care of updating the utilization when the rq starts running DL tasks, will not see a such change, leaving the avg_dl structure outdated. When that very same task will be dequeued later, put_prev_task_dl() will then update the utilization, based on a wrong last_update_time, leading to a huge spike in the DL utilization signal. The signal would eventually recover from this issue after few ms. Even if no DL tasks are run, avg_dl is also updated in __update_blocked_others(). But as the CPU capacity depends partly on the avg_dl, this issue has nonetheless a significant impact on the scheduler. Fix this issue by ensuring a load update when a running task changes its policy to DL. Fixes: 3727e0e ("sched/dl: Add dl_rq utilization tracking") Signed-off-by: Vincent Donnefort Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lore.kernel.org/r/1624271872-211872-3-git-send-email-vincent.donnefort@arm.com Signed-off-by: Sasha Levin commit c576472a051a9975e2433de6c80ed27acea2d6f9 Author: Vincent Donnefort Date: Mon Jun 21 11:37:51 2021 +0100 sched/rt: Fix RT utilization tracking during policy change [ Upstream commit fecfcbc288e9f4923f40fd23ca78a6acdc7fdf6c ] RT keeps track of the utilization on a per-rq basis with the structure avg_rt. This utilization is updated during task_tick_rt(), put_prev_task_rt() and set_next_task_rt(). However, when the current running task changes its policy, set_next_task_rt() which would usually take care of updating the utilization when the rq starts running RT tasks, will not see a such change, leaving the avg_rt structure outdated. When that very same task will be dequeued later, put_prev_task_rt() will then update the utilization, based on a wrong last_update_time, leading to a huge spike in the RT utilization signal. The signal would eventually recover from this issue after few ms. Even if no RT tasks are run, avg_rt is also updated in __update_blocked_others(). But as the CPU capacity depends partly on the avg_rt, this issue has nonetheless a significant impact on the scheduler. Fix this issue by ensuring a load update when a running task changes its policy to RT. Fixes: 371bf427 ("sched/rt: Add rt_rq utilization tracking") Signed-off-by: Vincent Donnefort Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lore.kernel.org/r/1624271872-211872-2-git-send-email-vincent.donnefort@arm.com Signed-off-by: Sasha Levin commit 67f66d48bd10b8944a7961806bb31954872773e3 Author: Joerg Roedel Date: Fri Jun 18 13:54:09 2021 +0200 x86/sev: Split up runtime #VC handler for correct state tracking [ Upstream commit be1a5408868af341f61f93c191b5e346ee88c82a ] Split up the #VC handler code into a from-user and a from-kernel part. This allows clean and correct state tracking, as the #VC handler needs to enter NMI-state when raised from kernel mode and plain IRQ state when raised from user-mode. Fixes: 62441a1fb532 ("x86/sev-es: Correctly track IRQ states in runtime #VC handler") Suggested-by: Peter Zijlstra Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210618115409.22735-3-joro@8bytes.org Signed-off-by: Sasha Levin commit 2e1003f3ee77f85f63a32d6d5b99ab85b1b4dfa5 Author: Joerg Roedel Date: Fri Jun 18 13:54:08 2021 +0200 x86/sev: Make sure IRQs are disabled while GHCB is active [ Upstream commit d187f217335dba2b49fc9002aab2004e04acddee ] The #VC handler only cares about IRQs being disabled while the GHCB is active, as it must not be interrupted by something which could cause another #VC while it holds the GHCB (NMI is the exception for which the backup GHCB exits). Make sure nothing interrupts the code path while the GHCB is active by making sure that callers of __sev_{get,put}_ghcb() have disabled interrupts upfront. [ bp: Massage commit message. ] Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210618115409.22735-2-joro@8bytes.org Signed-off-by: Sasha Levin commit eefebcda89a8d865f117449d387953f1f715d421 Author: David Sterba Date: Tue Jul 7 18:38:05 2020 +0200 btrfs: clear log tree recovering status if starting transaction fails [ Upstream commit 1aeb6b563aea18cd55c73cf666d1d3245a00f08c ] When a log recovery is in progress, lots of operations have to take that into account, so we keep this status per tree during the operation. Long time ago error handling revamp patch 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") removed clearing of the status in an error branch. Add it back as was intended in e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations"). There are probably no visible effects, log replay is done only during mount and if it fails all structures are cleared so the stale status won't be kept. Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") Reviewed-by: Qu Wenruo Reviewed-by: Anand Jain Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit aec3a574c632e06b06d5f6fd731ddf57997372df Author: Axel Lin Date: Sun Jun 20 21:27:15 2021 +0800 regulator: hi655x: Fix pass wrong pointer to config.driver_data [ Upstream commit 61eb1b24f9e4f4e0725aa5f8164a932c933f3339 ] Current code sets config.driver_data to a zero initialized regulator which is obviously wrong. Fix it. Fixes: 4618119b9be5 ("regulator: hi655x: enable regulator for hi655x PMIC") Signed-off-by: Axel Lin Link: https://lore.kernel.org/r/20210620132715.60215-1-axel.lin@ingics.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 96275c8f6c58235c3710bb7e3aec5a875d98a1c3 Author: Alexandru Elisei Date: Fri Jun 18 11:51:39 2021 +0100 KVM: arm64: Don't zero the cycle count register when PMCR_EL0.P is set [ Upstream commit 2a71fabf6a1bc9162a84e18d6ab991230ca4d588 ] According to ARM DDI 0487G.a, page D13-3895, setting the PMCR_EL0.P bit to 1 has the following effect: "Reset all event counters accessible in the current Exception level, not including PMCCNTR_EL0, to zero." Similar behaviour is described for AArch32 on page G8-7022. Make it so. Fixes: c01d6a18023b ("KVM: arm64: pmu: Only handle supported event counters") Signed-off-by: Alexandru Elisei Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210618105139.83795-1-alexandru.elisei@arm.com Signed-off-by: Sasha Levin commit e5154bf2177cd408c5077b0e3533e84b0a010130 Author: Tuan Phan Date: Thu Jun 17 09:08:49 2021 -0700 perf/arm-cmn: Fix invalid pointer when access dtc object sharing the same IRQ number [ Upstream commit 4e16f283edc289820e9b2d6f617ed8e514ee8396 ] When multiple dtcs share the same IRQ number, the irq_friend which used to refer to dtc object gets calculated incorrect which leads to invalid pointer. Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver") Signed-off-by: Tuan Phan Reviewed-by: Robin Murphy Link: https://lore.kernel.org/r/1623946129-3290-1-git-send-email-tuanphan@os.amperecomputing.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 31dcfec19dd08c2fb5be0190ac30101dc9815e45 Author: Kai Huang Date: Tue Jun 15 12:57:09 2021 +1200 KVM: x86/mmu: Fix return value in tdp_mmu_map_handle_target_level() [ Upstream commit 57a3e96d6d17ae5ac9861ef34af024a627f1c3bb ] Currently tdp_mmu_map_handle_target_level() returns 0, which is RET_PF_RETRY, when page fault is actually fixed. This makes kvm_tdp_mmu_map() also return RET_PF_RETRY in this case, instead of RET_PF_FIXED. Fix by initializing ret to RET_PF_FIXED. Note that kvm_mmu_page_fault() resumes guest on both RET_PF_RETRY and RET_PF_FIXED, which means in practice returning the two won't make difference, so this fix alone won't be necessary for stable tree. Fixes: bb18842e2111 ("kvm: x86/mmu: Add TDP MMU PF handler") Reviewed-by: Sean Christopherson Reviewed-by: Ben Gardon Signed-off-by: Kai Huang Message-Id: Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 64d31137b1a6e97137de5edc766aa7cfff19b7ed Author: Sean Christopherson Date: Wed Jun 9 16:42:23 2021 -0700 KVM: nVMX: Don't clobber nested MMU's A/D status on EPTP switch [ Upstream commit 272b0a998d084e7667284bdd2d0c675c6a2d11de ] Drop bogus logic that incorrectly clobbers the accessed/dirty enabling status of the nested MMU on an EPTP switch. When nested EPT is enabled, walk_mmu points at L2's _legacy_ page tables, not L1's EPT for L2. This is likely a benign bug, as mmu->ept_ad is never consumed (since the MMU is not a nested EPT MMU), and stuffing mmu_role.base.ad_disabled will never propagate into future shadow pages since the nested MMU isn't used to map anything, just to walk L2's page tables. Note, KVM also does a full MMU reload, i.e. the guest_mmu will be recreated using the new EPTP, and thus any change in A/D enabling will be properly recognized in the relevant MMU. Fixes: 41ab93727467 ("KVM: nVMX: Emulate EPTP switching for the L1 hypervisor") Signed-off-by: Sean Christopherson Message-Id: <20210609234235.1244004-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit bac38bd7c458b17eded5cb6d50446bf7c9e46daa Author: Sean Christopherson Date: Wed Jun 9 16:42:22 2021 -0700 KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap [ Upstream commit 0e75225dfa4c5d5d51291f54a3d2d5895bad38da ] Use BIT_ULL() instead of an open-coded shift to check whether or not a function is enabled in L1's VMFUNC bitmap. This is a benign bug as KVM supports only bit 0, and will fail VM-Enter if any other bits are set, i.e. bits 63:32 are guaranteed to be zero. Note, "function" is bounded by hardware as VMFUNC will #UD before taking a VM-Exit if the function is greater than 63. Before: if ((vmcs12->vm_function_control & (1 << function)) == 0) 0x000000000001a916 <+118>: mov $0x1,%eax 0x000000000001a91b <+123>: shl %cl,%eax 0x000000000001a91d <+125>: cltq 0x000000000001a91f <+127>: and 0x128(%rbx),%rax After: if (!(vmcs12->vm_function_control & BIT_ULL(function & 63))) 0x000000000001a955 <+117>: mov 0x128(%rbx),%rdx 0x000000000001a95c <+124>: bt %rax,%rdx Fixes: 27c42a1bb867 ("KVM: nVMX: Enable VMFUNC for the L1 hypervisor") Signed-off-by: Sean Christopherson Message-Id: <20210609234235.1244004-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit b2c5af71ce4b6e21f6af9fa292e72fd4662a2490 Author: Sean Christopherson Date: Wed Jun 9 16:42:21 2021 -0700 KVM: nVMX: Sync all PGDs on nested transition with shadow paging [ Upstream commit 07ffaf343e34b555c9e7ea39a9c81c439a706f13 ] Trigger a full TLB flush on behalf of the guest on nested VM-Enter and VM-Exit when VPID is disabled for L2. kvm_mmu_new_pgd() syncs only the current PGD, which can theoretically leave stale, unsync'd entries in a previous guest PGD, which could be consumed if L2 is allowed to load CR3 with PCID_NOFLUSH=1. Rename KVM_REQ_HV_TLB_FLUSH to KVM_REQ_TLB_FLUSH_GUEST so that it can be utilized for its obvious purpose of emulating a guest TLB flush. Note, there is no change the actual TLB flush executed by KVM, even though the fast PGD switch uses KVM_REQ_TLB_FLUSH_CURRENT. When VPID is disabled for L2, vpid02 is guaranteed to be '0', and thus nested_get_vpid02() will return the VPID that is shared by L1 and L2. Generate the request outside of kvm_mmu_new_pgd(), as getting the common helper to correctly identify which requested is needed is quite painful. E.g. using KVM_REQ_TLB_FLUSH_GUEST when nested EPT is in play is wrong as a TLB flush from the L1 kernel's perspective does not invalidate EPT mappings. And, by using KVM_REQ_TLB_FLUSH_GUEST, nVMX can do future simplification by moving the logic into nested_vmx_transition_tlb_flush(). Fixes: 41fab65e7c44 ("KVM: nVMX: Skip MMU sync on nested VMX transition when possible") Signed-off-by: Sean Christopherson Message-Id: <20210609234235.1244004-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 5ac406b81c0de766cc1615a1b3f441eab69326fc Author: Guenter Roeck Date: Wed May 26 08:40:16 2021 -0700 hwmon: (max31790) Fix fan speed reporting for fan7..12 [ Upstream commit cbbf244f0515af3472084f22b6213121b4a63835 ] Fans 7..12 do not have their own set of configuration registers. So far the code ignored that and read beyond the end of the configuration register range to get the tachometer period. This resulted in more or less random fan speed values for those fans. The datasheet is quite vague when it comes to defining the tachometer period for fans 7..12. Experiments confirm that the period is the same for both fans associated with a given set of configuration registers. Fixes: 54187ff9d766 ("hwmon: (max31790) Convert to use new hwmon registration API") Fixes: 195a4b4298a7 ("hwmon: Driver for Maxim MAX31790") Cc: Jan Kundrát Reviewed-by: Jan Kundrát Cc: Václav Kubernát Reviewed-by: Jan Kundrát Signed-off-by: Guenter Roeck Link: https://lore.kernel.org/r/20210526154022.3223012-2-linux@roeck-us.net Signed-off-by: Sasha Levin commit e02d52b7e9c5b22149f5dcc0b7761236e0451d95 Author: Guenter Roeck Date: Sat May 8 09:50:25 2021 -0700 hwmon: (max31722) Remove non-standard ACPI device IDs [ Upstream commit 97387c2f06bcfd79d04a848d35517b32ee6dca7c ] Valid Maxim Integrated ACPI device IDs would start with MXIM, not with MAX1. On top of that, ACPI device IDs reflecting chip names are almost always invalid. Remove the invalid ACPI IDs. Fixes: 04e1e70afec6 ("hwmon: (max31722) Add support for MAX31722/MAX31723 temperature sensors") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 5c00e994978d038109541d92041af757bbd46e06 Author: Guenter Roeck Date: Sat May 8 09:44:50 2021 -0700 hwmon: (lm70) Revert "hwmon: (lm70) Add support for ACPI" [ Upstream commit ac61c8aae446b9c0fe18981fe721d4a43e283ad6 ] This reverts commit b58bd4c6dfe709646ed9efcbba2a70643f9bc873. None of the ACPI IDs introduced with the reverted patch is a valid ACPI device ID. Any ACPI users of this driver are advised to use PRP0001 and a devicetree-compatible device identification. Fixes: b58bd4c6dfe7 ("hwmon: (lm70) Add support for ACPI") Cc: Andrej Picej Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 5cfc66b4545066b42407fa2501a9017519151df1 Author: Stephen Boyd Date: Fri Jan 22 19:44:27 2021 -0800 hwmon: (lm70) Use device_get_match_data() [ Upstream commit 6e09d75513d2670b7ab91ab3584fc5bcf2675a75 ] Use the more modern API to get the match data out of the of match table. This saves some code, lines, and nicely avoids referencing the match table when it is undefined with configurations where CONFIG_OF=n. Signed-off-by: Stephen Boyd Cc: Arnd Bergmann Cc: Geert Uytterhoeven Cc: Jean Delvare Cc: Guenter Roeck Cc: Rob Herring Cc: Frank Rowand Cc: [robh: rework to use device_get_match_data()] Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit c9f8416e43f834c5273e99d7a29ddb653458716c Author: Dillon Min Date: Wed May 26 17:18:32 2021 +0200 media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx [ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ] The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open() should be freed from g2d_release() when it's not used. Fix it Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family") Signed-off-by: Dillon Min Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 921d2518dbbab58c0ca4c4c7c34a9c9ef36ff4b7 Author: Arnd Bergmann Date: Mon Jun 14 12:34:05 2021 +0200 media: subdev: remove VIDIOC_DQEVENT_TIME32 handling [ Upstream commit 765ba251d2522e2a0daa2f0793fd0f0ce34816ec ] Converting the VIDIOC_DQEVENT_TIME32/VIDIOC_DQEVENT32/ VIDIOC_DQEVENT32_TIME32 arguments to the canonical form is done in common code, but for some reason I ended up adding another conversion helper to subdev_do_ioctl() as well. I must have concluded that this does not go through the common conversion, but it has done that since the ioctl handler was first added. I assume this one is harmless as there should be no way to arrive here from user space if CONFIG_COMPAT_32BIT_TIME is set, but since it is dead code, it should just get removed. On a 64-bit architecture, as well as a 32-bit architecture without CONFIG_COMPAT_32BIT_TIME, handling this command is a mistake, and the kernel should return an error. Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI") Signed-off-by: Arnd Bergmann Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bb5e089df7008e452ad96a169dac221246cc2644 Author: Anshuman Khandual Date: Tue Jun 15 15:02:58 2021 +0530 arm64/mm: Fix ttbr0 values stored in struct thread_info for software-pan [ Upstream commit 9163f01130304fab1f74683d7d44632da7bda637 ] When using CONFIG_ARM64_SW_TTBR0_PAN, a task's thread_info::ttbr0 must be the TTBR0_EL1 value used to run userspace. With 52-bit PAs, the PA must be packed into the TTBR using phys_to_ttbr(), but we forget to do this in some of the SW PAN code. Thus, if the value is installed into TTBR0_EL1 (as may happen in the uaccess routines), this could result in UNPREDICTABLE behaviour. Since hardware with 52-bit PA support almost certainly has HW PAN, which will be used in preference, this shouldn't be a practical issue, but let's fix this for consistency. Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: James Morse Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Fixes: 529c4b05a3cb ("arm64: handle 52-bit addresses in TTBR") Signed-off-by: Anshuman Khandual Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/1623749578-11231-1-git-send-email-anshuman.khandual@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 8d6acfe80da165cfc9a6fadee7d73f8fd67a43ea Author: Mark Rutland Date: Tue Nov 3 10:22:29 2020 +0000 arm64: consistently use reserved_pg_dir [ Upstream commit 833be850f1cabd0e3b5337c0fcab20a6e936dd48 ] Depending on configuration options and specific code paths, we either use the empty_zero_page or the configuration-dependent reserved_ttbr0 as a reserved value for TTBR{0,1}_EL1. To simplify this code, let's always allocate and use the same reserved_pg_dir, replacing reserved_ttbr0. Note that this is allocated (and hence pre-zeroed), and is also marked as read-only in the kernel Image mapping. Keeping this separate from the empty_zero_page potentially helps with robustness as the empty_zero_page is used in a number of cases where a failure to map it read-only could allow it to become corrupted. The (presently unused) swapper_pg_end symbol is also removed, and comments are added wherever we rely on the offsets between the pre-allocated pg_dirs to keep these cases easily identifiable. Signed-off-by: Mark Rutland Cc: Will Deacon Link: https://lore.kernel.org/r/20201103102229.8542-1-mark.rutland@arm.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit f1f30b3373df2e5ab96dd3781df5c02e5366f845 Author: Zhen Lei Date: Sat May 8 10:03:21 2021 +0800 mmc: usdhi6rol0: fix error return code in usdhi6_probe() [ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit cd909ebb7315f0a30dd2f5effe526b724cb94453 Author: Hongbo Li Date: Fri Jun 4 14:30:35 2021 +0800 crypto: sm2 - fix a memory leak in sm2 [ Upstream commit 5cd259ca5d466f65ffd21e2e2fa00fb648a8c555 ] SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in test_akcipher_one(), it will set public key for every test vector, and don't free ec->Q. This will cause a memory leak. This patch alloc ec->Q in sm2_ec_ctx_init(). Fixes: ea7ecb66440b ("crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm") Signed-off-by: Hongbo Li Reviewed-by: Tianjia Zhang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d598b8b77b17cf1f62659c62998e05992eb998d4 Author: Tianjia Zhang Date: Thu Oct 15 17:24:41 2020 +0800 crypto: sm2 - remove unnecessary reset operations [ Upstream commit 1bc608b4655b8b1491fb100f4cf4f15ae64a8698 ] This is an algorithm optimization. The reset operation when setting the public key is repeated and redundant, so remove it. At the same time, `sm2_ecc_os2ec()` is optimized to make the function more simpler and more in line with the Linux code style. Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit deef40c47e66a41c45dac93481e3b3751ab85123 Author: Hangbin Liu Date: Thu Jun 3 01:53:40 2021 -0400 crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit [ Upstream commit 1b82435d17774f3eaab35dce239d354548aa9da2 ] In curve25519_mod_init() the curve25519_alg will be registered only when (X86_FEATURE_BMI2 && X86_FEATURE_ADX). But in curve25519_mod_exit() it still checks (X86_FEATURE_BMI2 || X86_FEATURE_ADX) when do crypto unregister. This will trigger a BUG_ON in crypto_unregister_alg() as alg->cra_refcnt is 0 if the cpu only supports one of X86_FEATURE_BMI2 and X86_FEATURE_ADX. Fixes: 07b586fe0662 ("crypto: x86/curve25519 - replace with formally verified implementation") Signed-off-by: Hangbin Liu Reviewed-by: Jason A. Donenfeld Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit bc50c403859f379ddeed86eefe4e7a5d6c1548f2 Author: Zhang Qilong Date: Tue Jun 1 22:51:18 2021 +0800 crypto: omap-sham - Fix PM reference leak in omap sham ops [ Upstream commit ca323b2c61ec321eb9f2179a405b9c34cdb4f553 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 604c31039dae4 ("crypto: omap-sham - Check for return value from pm_runtime_get_sync") Signed-off-by: Zhang Qilong Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 615f2f5e7eb82ff64f8a5c778b09766b0da96ebd Author: Tong Tiangen Date: Tue Jun 1 18:01:55 2021 +0800 crypto: nitrox - fix unchecked variable in nitrox_register_interrupts [ Upstream commit 57c126661f50b884d3812e7db6e00f2e778eccfb ] Function nitrox_register_interrupts leaves variable 'nr_vecs' unchecked, which would be use as kcalloc parameter later. Fixes: 5155e118dda9 ("crypto: cavium/nitrox - use pci_alloc_irq_vectors() while enabling MSI-X.") Signed-off-by: Tong Tiangen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 5d4cb7c3943686e0dede90fdbb110431623402ff Author: Axel Lin Date: Mon Jun 7 22:29:07 2021 +0800 regulator: fan53880: Fix vsel_mask setting for FAN53880_BUCK [ Upstream commit 2e11737a772b95c6587df73f216eec1762431432 ] According to the datasheet: REGISTER DETAILS − 0x02 BUCK, BUCK_OUT is BIT0 ~ BIT7. So vsel_mask for FAN53880_BUCK should be 0xFF. Fixes: e6dea51e2d41 ("regulator: fan53880: Add initial support") Signed-off-by: Axel Lin Link: https://lore.kernel.org/r/20210607142907.1599905-1-axel.lin@ingics.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 082d977b46889b11e3cd70314247c2746b2075b2 Author: Gustavo A. R. Silva Date: Wed Mar 10 19:40:43 2021 -0600 media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() [ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ] Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of its msg_data array from 4 to 5 elements. Notice that at some point the 5th element of msg_data is being accessed in function smscore_load_firmware_family2(): 1006 trigger_msg->msg_data[4] = 4; /* Task ID */ Also, there is no need for the object _trigger_msg_ of type struct sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data in struct sms_msg_data is a one-element array, which causes multiple out-of-bounds warnings when accessing beyond its first element in function smscore_load_firmware_family2(): 992 struct sms_msg_data *trigger_msg = 993 (struct sms_msg_data *) msg; 994 995 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); 996 SMS_INIT_MSG(&msg->x_msg_header, 997 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, 998 sizeof(struct sms_msg_hdr) + 999 sizeof(u32) * 5); 1000 1001 trigger_msg->msg_data[0] = firmware->start_address; 1002 /* Entry point */ 1003 trigger_msg->msg_data[1] = 6; /* Priority */ 1004 trigger_msg->msg_data[2] = 0x200; /* Stack size */ 1005 trigger_msg->msg_data[3] = 0; /* Parameter */ 1006 trigger_msg->msg_data[4] = 4; /* Task ID */ even when enough dynamic memory is allocated for _msg_: 929 /* PAGE_SIZE buffer shall be enough and dma aligned */ 930 msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags); but as _msg_ is casted to (struct sms_msg_data *): 992 struct sms_msg_data *trigger_msg = 993 (struct sms_msg_data *) msg; the out-of-bounds warnings are actually valid and should be addressed. Fix this by declaring object _msg_ of type struct sms_msg_data5 *, which contains a 5-elements array, instead of just 4. And use _msg_ directly, instead of creating object trigger_msg. This helps with the ongoing efforts to enable -Warray-bounds by fixing the following warnings: CC [M] drivers/media/common/siano/smscoreapi.o drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’: drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] 1003 | trigger_msg->msg_data[1] = 6; /* Priority */ | ~~~~~~~~~~~~~~~~~~~~~^~~ In file included from drivers/media/common/siano/smscoreapi.c:12: drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ 619 | u32 msg_data[1]; | ^~~~~~~~ drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] 1004 | trigger_msg->msg_data[2] = 0x200; /* Stack size */ | ~~~~~~~~~~~~~~~~~~~~~^~~ In file included from drivers/media/common/siano/smscoreapi.c:12: drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ 619 | u32 msg_data[1]; | ^~~~~~~~ drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] 1005 | trigger_msg->msg_data[3] = 0; /* Parameter */ | ~~~~~~~~~~~~~~~~~~~~~^~~ In file included from drivers/media/common/siano/smscoreapi.c:12: drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ 619 | u32 msg_data[1]; | ^~~~~~~~ drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] 1006 | trigger_msg->msg_data[4] = 4; /* Task ID */ | ~~~~~~~~~~~~~~~~~~~~~^~~ In file included from drivers/media/common/siano/smscoreapi.c:12: drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ 619 | u32 msg_data[1]; | ^~~~~~~~ Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares") Co-developed-by: Kees Cook Signed-off-by: Kees Cook Signed-off-by: Gustavo A. R. Silva Signed-off-by: Sasha Levin commit 52734fb99e69eabc1d5764dd37ae86db4451a923 Author: Randy Dunlap Date: Wed May 26 17:12:51 2021 -0700 m68k: atari: Fix ATARI_KBD_CORE kconfig unmet dependency warning [ Upstream commit c1367ee016e3550745315fb9a2dd1e4ce02cdcf6 ] Since the code for ATARI_KBD_CORE does not use drivers/input/keyboard/ code, just move ATARI_KBD_CORE to arch/m68k/Kconfig.machine to remove the dependency on INPUT_KEYBOARD. Removes this kconfig warning: WARNING: unmet direct dependencies detected for ATARI_KBD_CORE Depends on [n]: !UML && INPUT [=y] && INPUT_KEYBOARD [=n] Selected by [y]: - MOUSE_ATARI [=y] && !UML && INPUT [=y] && INPUT_MOUSE [=y] && ATARI [=y] Fixes: c04cb856e20a ("m68k: Atari keyboard and mouse support.") Signed-off-by: Randy Dunlap Suggested-by: Geert Uytterhoeven Suggested-by: Michael Schmitz Acked-by: Dmitry Torokhov Link: https://lore.kernel.org/r/20210527001251.8529-1-rdunlap@infradead.org Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit b54a0f7926bd82747f44babf326dc7512bca2b8e Author: Johan Hovold Date: Mon May 24 13:09:18 2021 +0200 media: gspca/gl860: fix zero-length control requests [ Upstream commit 8ed339f23d41e21660a389adf2e7b2966d457ff6 ] The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning. Fix the gl860_RTx() helper so that zero-length control reads fail with an error message instead. Note that there are no current callers that would trigger this. Fixes: 4f7cb8837cec ("V4L/DVB (12954): gspca - gl860: Addition of GL860 based webcams") Signed-off-by: Johan Hovold Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0109910cbdd850e3b9416e7ae04a6859579df86e Author: Zhen Lei Date: Sat May 15 08:58:30 2021 +0200 media: tc358743: Fix error return code in tc358743_probe_of() [ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ] When the CSI bps per lane is not in the valid range, an appropriate error code -EINVAL should be returned. However, we currently do not explicitly assign this error code to 'ret'. As a result, 0 was incorrectly returned. Fixes: 256148246852 ("[media] tc358743: support probe from device tree") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5091f2738d78a9267616d5740ebf70ce44bd4881 Author: Dan Carpenter Date: Fri May 14 16:20:38 2021 +0200 media: au0828: fix a NULL vs IS_ERR() check [ Upstream commit 8f2e452730d2bcd59fe05246f0e19a4c52e0012d ] The media_device_usb_allocate() function returns error pointers when it's enabled and something goes wrong. It can return NULL as well, but only if CONFIG_MEDIA_CONTROLLER is disabled so that doesn't apply here. Fixes: 812658d88d26 ("media: change au0828 to use Media Device Allocator API") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 31157148a591e6b52ecd0c318ea909b20fc21e4c Author: Lv Yunlong Date: Sun May 9 10:12:31 2021 +0200 media: exynos4-is: Fix a use after free in isp_video_release [ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ] In isp_video_release, file->private_data is freed via _vb2_fop_release()->v4l2_fh_release(). But the freed file->private_data is still used in v4l2_fh_is_singular_file() ->v4l2_fh_is_singular(file->private_data), which is a use after free bug. My patch uses a variable 'is_singular_file' to avoid the uaf. v3: https://lore.kernel.org/patchwork/patch/1419058/ Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") Signed-off-by: Lv Yunlong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2a91d7cc425cef1dd43311e092accc34f20661f9 Author: Ezequiel Garcia Date: Wed May 5 14:23:45 2021 +0200 media: rkvdec: Fix .buf_prepare [ Upstream commit ba1ed4ae760a81caf39f54232e089d95157a0dba ] The driver should only set the payload on .buf_prepare if the buffer is CAPTURE type. If an OUTPUT buffer has a zero bytesused set by userspace then v4l2-core will set it to buffer length. If we overwrite bytesused for OUTPUT buffers, too, then vb2_get_plane_payload() will return incorrect value which might be then written to hw registers by the driver in rkvdec-h264.c. [Changed the comment and used V4L2_TYPE_IS_CAPTURE macro] Fixes: cd33c830448ba ("media: rkvdec: Add the rkvdec driver") Signed-off-by: Ezequiel Garcia Signed-off-by: Adrian Ratiu Signed-off-by: Andrzej Pietrasiewicz Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5a3ac10611d68e92d9889e75be4c7041339dbda8 Author: Randy Dunlap Date: Mon May 24 15:41:50 2021 -0700 locking/lockdep: Reduce LOCKDEP dependency list [ Upstream commit b8e00abe7d9fe21dd13609e2e3a707e38902b105 ] Some arches (um, sparc64, riscv, xtensa) cause a Kconfig warning for LOCKDEP. These arch-es select LOCKDEP_SUPPORT but they are not listed as one of the arch-es that LOCKDEP depends on. Since (16) arch-es define the Kconfig symbol LOCKDEP_SUPPORT if they intend to have LOCKDEP support, replace the awkward list of arch-es that LOCKDEP depends on with the LOCKDEP_SUPPORT symbol. But wait. LOCKDEP_SUPPORT is included in LOCK_DEBUGGING_SUPPORT, which is already a dependency here, so LOCKDEP_SUPPORT is redundant and not needed. That leaves the FRAME_POINTER dependency, but it is part of an expression like this: depends on (A && B) && (FRAME_POINTER || B') where B' is a dependency of B so if B is true then B' is true and the value of FRAME_POINTER does not matter. Thus we can also delete the FRAME_POINTER dependency. Fixes this kconfig warning: (for um, sparc64, riscv, xtensa) WARNING: unmet direct dependencies detected for LOCKDEP Depends on [n]: DEBUG_KERNEL [=y] && LOCK_DEBUGGING_SUPPORT [=y] && (FRAME_POINTER [=n] || MIPS || PPC || S390 || MICROBLAZE || ARM || ARC || X86) Selected by [y]: - PROVE_LOCKING [=y] && DEBUG_KERNEL [=y] && LOCK_DEBUGGING_SUPPORT [=y] - LOCK_STAT [=y] && DEBUG_KERNEL [=y] && LOCK_DEBUGGING_SUPPORT [=y] - DEBUG_LOCK_ALLOC [=y] && DEBUG_KERNEL [=y] && LOCK_DEBUGGING_SUPPORT [=y] Fixes: 7d37cb2c912d ("lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS") Signed-off-by: Randy Dunlap Signed-off-by: Peter Zijlstra (Intel) Acked-by: Waiman Long Link: https://lkml.kernel.org/r/20210524224150.8009-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 1328decacd3127b3ea3d6cf2e23be5d22e3cf459 Author: Sergey Shtylyov Date: Sat Mar 20 23:32:38 2021 +0300 pata_ep93xx: fix deferred probing [ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ] The driver overrides the error codes returned by platform_get_irq() to -ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe permanently instead of the deferred probing. Propagate the error code upstream, as it should have been done from the start... Fixes: 2fff27512600 ("PATA host controller driver for ep93xx") Signed-off-by: Sergey Shtylyov Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bab207d3524e9e7fcdd09a430f278f96ed47cc5f Author: Christophe JAILLET Date: Thu May 6 07:38:56 2021 +0200 media: rc: i2c: Fix an error message [ Upstream commit 9c87ae1a0dbeb5794957421157fd266d38a869b4 ] 'ret' is known to be 1 here. In fact 'i' is expected instead. Store the return value of 'i2c_master_recv()' in 'ret' so that the error message print the correct error code. Fixes: acaa34bf06e9 ("media: rc: implement zilog transmitter") Signed-off-by: Christophe JAILLET Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a9d02976e9bac2232f6d09dde77ccff7db105521 Author: Christophe JAILLET Date: Sun May 16 08:58:04 2021 +0200 crypto: ccp - Fix a resource leak in an error handling path [ Upstream commit a6f8e68e238a15bb15f1726b35c695136c64eaba ] If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be called as already done in the error handling path. Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration") Signed-off-by: Christophe JAILLET Acked-by: John Allen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c3285441b4cd9b7ab759dfcb3164e4825656326c Author: Suman Anna Date: Fri May 14 11:12:43 2021 -0500 crypto: sa2ul - Fix pm_runtime enable in sa_ul_probe() [ Upstream commit 5c8552325e013cbdabc443cd1f1b4d03c4a2e64e ] The pm_runtime APIs added first in commit 7694b6ca649f ("crypto: sa2ul - Add crypto driver") are not unwound properly and was fixed up partially in commit 13343badae09 ("crypto: sa2ul - Fix PM reference leak in sa_ul_probe()"). This fixed up the pm_runtime usage count but not the state. Fix this properly. Fixes: 13343badae09 ("crypto: sa2ul - Fix PM reference leak in sa_ul_probe()") Signed-off-by: Suman Anna Reviewed-by: Tero Kristo Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8ac033d9c45133912dcee956dc51237fd3ead104 Author: Suman Anna Date: Fri May 14 11:12:42 2021 -0500 crypto: sa2ul - Fix leaks on failure paths with sa_dma_init() [ Upstream commit 4c0716ee1d973f6504d13f0e8d4d10350c85ad37 ] The sa_dma_init() function doesn't release the requested dma channels on all failure paths. Any failure in this function also ends up leaking the dma pool created in sa_init_mem() in the sa_ul_probe() function. Fix all of these issues. Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver") Signed-off-by: Suman Anna Reviewed-by: Tero Kristo Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c0ec4ac436383f7431196e2603e4e0dcb0710a78 Author: Joe Richey Date: Fri May 21 01:58:42 2021 -0700 x86/elf: Use _BITUL() macro in UAPI headers [ Upstream commit d06aca989c243dd9e5d3e20aa4e5c2ecfdd07050 ] Replace BIT() in x86's UAPI header with _BITUL(). BIT() is not defined in the UAPI headers and its usage may cause userspace build errors. Fixes: 742c45c3ecc9 ("x86/elf: Enumerate kernel FSGSBASE capability in AT_HWCAP2") Signed-off-by: Joe Richey Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210521085849.37676-2-joerichey94@gmail.com Signed-off-by: Sasha Levin commit 912d16a2d730b98b8c9099a2d934dfc691a0a9c2 Author: Mimi Zohar Date: Mon Apr 26 18:13:45 2021 -0400 evm: fix writing /evm overflow [ Upstream commit 49219d9b8785ba712575c40e48ce0f7461254626 ] EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX. The "-fno-strict-overflow" compiler option properly prevents signaling EVM that the EVM policy setup is complete. Define and read an unsigned int. Fixes: f00d79750712 ("EVM: Allow userspace to signal an RSA key has been loaded") Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 403577f75d5c433d056a67e61a042cb5ca86c730 Author: Sergey Shtylyov Date: Tue May 18 23:38:54 2021 +0300 pata_octeon_cf: avoid WARN_ON() in ata_host_activate() [ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ] Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler' parameter being non-NULL if the polling mode is selected. Let's only set the pointer to the driver's IRQ handler if platform_get_irq() returns a valid IRQ # -- this should avoid the unnecessary WARN_ON()... Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") Signed-off-by: Sergey Shtylyov Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5f9aaaaac816c249ce192f512daf86dc7fb0dddd Author: Josh Poimboeuf Date: Tue May 18 18:59:15 2021 -0500 kbuild: Fix objtool dependency for 'OBJECT_FILES_NON_STANDARD_ := n' [ Upstream commit 8852c552402979508fdc395ae07aa8761aa46045 ] "OBJECT_FILES_NON_STANDARD_vma.o := n" has a dependency bug. When objtool source is updated, the affected object doesn't get re-analyzed by objtool. Peter's new variable-sized jump label feature relies on objtool rewriting the object file. Otherwise the system can fail to boot. That effectively upgrades this minor dependency issue to a major bug. The problem is that variables in prerequisites are expanded early, during the read-in phase. The '$(objtool_dep)' variable indirectly uses '$@', which isn't yet available when the target prerequisites are evaluated. Use '.SECONDEXPANSION:' which causes '$(objtool_dep)' to be expanded in a later phase, after the target-specific '$@' variable has been defined. Fixes: b9ab5ebb14ec ("objtool: Add CONFIG_STACK_VALIDATION option") Fixes: ab3257042c26 ("jump_label, x86: Allow short NOPs") Reported-by: Matthew Wilcox Signed-off-by: Josh Poimboeuf Signed-off-by: Sasha Levin commit 37481ad72d96d78325d213ccbf8791b70089fa4d Author: Qais Yousef Date: Mon May 10 15:50:32 2021 +0100 sched/uclamp: Fix locking around cpu_util_update_eff() [ Upstream commit 93b73858701fd01de26a4a874eb95f9b7156fd4b ] cpu_cgroup_css_online() calls cpu_util_update_eff() without holding the uclamp_mutex or rcu_read_lock() like other call sites, which is a mistake. The uclamp_mutex is required to protect against concurrent reads and writes that could update the cgroup hierarchy. The rcu_read_lock() is required to traverse the cgroup data structures in cpu_util_update_eff(). Surround the caller with the required locks and add some asserts to better document the dependency in cpu_util_update_eff(). Fixes: 7226017ad37a ("sched/uclamp: Fix a bug in propagating uclamp value in new cgroups") Reported-by: Quentin Perret Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210510145032.1934078-3-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 6c2b3d565fca65b07cae4c24b1a4ee9fa65d0297 Author: Qais Yousef Date: Mon May 10 15:50:31 2021 +0100 sched/uclamp: Fix wrong implementation of cpu.uclamp.min [ Upstream commit 0c18f2ecfcc274a4bcc1d122f79ebd4001c3b445 ] cpu.uclamp.min is a protection as described in cgroup-v2 Resource Distribution Model Documentation/admin-guide/cgroup-v2.rst which means we try our best to preserve the minimum performance point of tasks in this group. See full description of cpu.uclamp.min in the cgroup-v2.rst. But the current implementation makes it a limit, which is not what was intended. For example: tg->cpu.uclamp.min = 20% p0->uclamp[UCLAMP_MIN] = 0 p1->uclamp[UCLAMP_MIN] = 50% Previous Behavior (limit): p0->effective_uclamp = 0 p1->effective_uclamp = 20% New Behavior (Protection): p0->effective_uclamp = 20% p1->effective_uclamp = 50% Which is inline with how protections should work. With this change the cgroup and per-task behaviors are the same, as expected. Additionally, we remove the confusing relationship between cgroup and !user_d