commit 3882a559850709cca5ccf3c398dfc0ce41d08b9c Author: Alexandre Frade Date: Sun Feb 13 14:10:22 2022 +0000 Linux 5.15.21-rt30-xanmod1 Signed-off-by: Alexandre Frade commit 2209f420c36d5c10486ae650ee338812eb49c78c Author: Felix Fietkau Date: Sat Dec 5 15:07:03 2015 +0100 mac80211: ignore AP power level when tx power type is "fixed" In some cases a user might want to connect to a far away access point, which announces a low tx power limit. Using the AP's power limit can make the connection significantly more unstable or even impossible, and mac80211 currently provides no way to disable this behavior. To fix this, use the currently unused distinction between limited and fixed tx power to decide whether a remote AP's power limit should be accepted. Signed-off-by: Felix Fietkau commit aa30a4180c903c3d9b1afaf8c01e0f564108051e Author: Steven Barrett Date: Sat Jul 4 21:28:54 2020 -0500 openrgb: Deduplicate piix4 setup for HUDSON2/KERNCZ SMBUS In the original OpenRGB patches, the initialization code for CZ secondary SMBus controllers was copied. Later, an upstream commit landed in 5.7 stable that combined the initialization code for both primary/secondary smbus channels. Combine the initialization code ahead of time so upstream merges correctly with OpenRGB. Fixes: https://github.com/zen-kernel/zen-kernel/issues/176 commit 672d1c451bc7d4c73e5e3947753f8e1a16f730e3 Merge: 18a93506b481 d6b72436d0aa Author: Alexandre Frade Date: Sun Feb 13 13:45:18 2022 +0000 Merge tag 'v5.15.21-rt30' into 5.15-rt Linux 5.15.21-rt30 commit d6b72436d0aa760a7c15f12baa9dfaddc10e9014 Author: Clark Williams Date: Mon Feb 7 09:13:37 2022 -0600 Linux 5.15.21-rt30 Signed-off-by: Clark Williams commit 9578161d53b9938548a5f5c98fab10164af205cb Merge: b8ff8fbc1099 f01ed5defb04 Author: Clark Williams Date: Mon Feb 7 09:05:18 2022 -0600 Merge tag 'v5.15.21' into v5.15-rt This is the 5.15.21 stable release commit f01ed5defb047936f8d518a6423ac6571bf61bc8 Author: Greg Kroah-Hartman Date: Sat Feb 5 19:21:09 2022 +0100 Linux 5.15.21 Signed-off-by: Greg Kroah-Hartman commit 2b2f53331b3ae717875cd74b35149c0e5a6726a5 Author: Greg Kroah-Hartman Date: Sat Feb 5 19:01:29 2022 +0100 Revert "drm/vc4: hdmi: Make sure the device is powered with CEC" again This reverts commit fbe1e801bc1fa0a4c34a5284abf6ad0ef887cdfc which is commit 20b0dfa86bef0e80b41b0e5ac38b92f23b6f27f9 upstream. It wasn't applied correctly, something went wrong with an attempt to fix it up again, so just revert the whole thing to be back at a clean state. Reported-by: Guenter Roeck Link: https://lore.kernel.org/r/20220205171238.GA3073350@roeck-us.net Reported-by: Alexey Khoroshilov Link: https://lore.kernel.org/r/Yf5lNIJnvhP4ajam@kroah.com Cc: Dave Stevenson Cc: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit a03d2f9f82bd4bbfc211a4ca4a3a72f81268e803 Author: Greg Kroah-Hartman Date: Sat Feb 5 19:01:20 2022 +0100 Revert "drm/vc4: hdmi: Make sure the device is powered with CEC" This reverts commit d5e81e3a3e0b15964a86c19b5c27397676d6fc1b which is commit 20b0dfa86bef0e80b41b0e5ac38b92f23b6f27f9 upstream. It wasn't applied correctly, something went wrong with an attempt to fix it up again, so just revert the whole thing to be back at a clean state. Reported-by: Guenter Roeck Link: https://lore.kernel.org/r/20220205171238.GA3073350@roeck-us.net Reported-by: Alexey Khoroshilov Link: https://lore.kernel.org/r/Yf5lNIJnvhP4ajam@kroah.com Cc: Dave Stevenson Cc: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 8deae2f4172c61cca90b96b7c82bb97d064ae2bd Author: Greg Kroah-Hartman Date: Sat Feb 5 12:38:59 2022 +0100 Linux 5.15.20 Link: https://lore.kernel.org/r/20220204091915.247906930@linuxfoundation.org Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Ron Economos Tested-by: Justin M. Forbes Tested-by: Fox Chen Tested-by: Slade Watkins Tested-by: Linux Kernel Functional Testing Signed-off-by: Greg Kroah-Hartman commit e6b678c1a3673de6a5d2f4e22bb725a086a0701a Author: Christoph Fritz Date: Wed Jan 12 19:33:21 2022 +0100 ovl: fix NULL pointer dereference in copy up warning commit 4ee7e4a6c9b298da44029ed9ec8ed23ae49cc209 upstream. This patch is fixing a NULL pointer dereference to get a recently introduced warning message working. Fixes: 5b0a414d06c3 ("ovl: fix filattr copy-up failure") Signed-off-by: Christoph Fritz Cc: # v5.15 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit c3d81231ab84db96fe80f78e9432c285da1ab86c Author: Eric Dumazet Date: Tue Feb 1 10:46:40 2022 -0800 tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data() commit b67985be400969578d4d4b17299714c0e5d2c07b upstream. tcp_shift_skb_data() might collapse three packets into a larger one. P_A, P_B, P_C -> P_ABC Historically, it used a single tcp_skb_can_collapse_to(P_A) call, because it was enough. In commit 85712484110d ("tcp: coalesce/collapse must respect MPTCP extensions"), this call was replaced by a call to tcp_skb_can_collapse(P_A, P_B) But the now needed test over P_C has been missed. This probably broke MPTCP. Then later, commit 9b65b17db723 ("net: avoid double accounting for pure zerocopy skbs") added an extra condition to tcp_skb_can_collapse(), but the missing call from tcp_shift_skb_data() is also breaking TCP zerocopy, because P_A and P_C might have different skb_zcopy_pure() status. Fixes: 85712484110d ("tcp: coalesce/collapse must respect MPTCP extensions") Fixes: 9b65b17db723 ("net: avoid double accounting for pure zerocopy skbs") Signed-off-by: Eric Dumazet Cc: Mat Martineau Cc: Talal Ahmad Cc: Arjun Roy Cc: Willem de Bruijn Acked-by: Soheil Hassas Yeganeh Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/20220201184640.756716-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 34321180b94dbcd12abc130eb48c4ce67a3408aa Author: Eric Dumazet Date: Mon Jan 31 18:23:58 2022 -0800 af_packet: fix data-race in packet_setsockopt / packet_setsockopt commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream. When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout, no lock is held, meaning that another thread can change po->fanout. Given that po->fanout can only be set once during the socket lifetime (it is only cleared from fanout_release()), we can use READ_ONCE()/WRITE_ONCE() to document the race. BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0: fanout_add net/packet/af_packet.c:1791 [inline] packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931 __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1: packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935 __sys_setsockopt+0x209/0x2a0 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x0000000000000000 -> 0xffff888106f8c000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Reported-by: syzbot Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 03f42c8ef64a6ea4920e147a01d5bccf4aecd779 Author: Sasha Neftin Date: Tue Dec 7 13:23:42 2021 +0200 e1000e: Handshake with CSME starts from ADL platforms commit cad014b7b5a6897d8c4fad13e2888978bfb7a53f upstream. Handshake with CSME/AMT on none provisioned platforms during S0ix flow is not supported on TGL platform and can cause to HW unit hang. Update the handshake with CSME flow to start from the ADL platform. Fixes: 3e55d231716e ("e1000e: Add handshake with the CSME to support S0ix") Signed-off-by: Sasha Neftin Tested-by: Nechama Kraus Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 6be234917788255d286f805b4601065648107fe4 Author: Tianchen Ding Date: Tue Jan 18 18:05:18 2022 +0800 cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() commit c80d401c52a2d1baf2a5afeb06f0ffe678e56d23 upstream. subparts_cpus should be limited as a subset of cpus_allowed, but it is updated wrongly by using cpumask_andnot(). Use cpumask_and() instead to fix it. Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag") Signed-off-by: Tianchen Ding Reviewed-by: Waiman Long Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit def5e7070079b2a214b3b1a2fbec623e6fbfe34a Author: Eric Dumazet Date: Mon Jan 31 17:21:06 2022 -0800 rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() commit c6f6f2444bdbe0079e41914a35081530d0409963 upstream. While looking at one unrelated syzbot bug, I found the replay logic in __rtnl_newlink() to potentially trigger use-after-free. It is better to clear master_dev and m_ops inside the loop, in case we have to replay it. Fixes: ba7d49b1f0f8 ("rtnetlink: provide api for getting and setting slave info") Signed-off-by: Eric Dumazet Cc: Jiri Pirko Link: https://lore.kernel.org/r/20220201012106.216495-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f36cacd6c933183c1a8827d5987cf2cfc0a44c76 Author: Eric Dumazet Date: Mon Jan 31 09:20:18 2022 -0800 net: sched: fix use-after-free in tc_new_tfilter() commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 upstream. Whenever tc_new_tfilter() jumps back to replay: label, we need to make sure @q and @chain local variables are cleared again, or risk use-after-free as in [1] For consistency, apply the same fix in tc_ctl_chain() BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581 Write of size 8 at addr ffff8880985c4b08 by task syz-executor.4/1945 CPU: 0 PID: 1945 Comm: syz-executor.4 Not tainted 5.17.0-rc1-syzkaller-00495-gff58831fa02d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581 tcf_chain_head_change_item net/sched/cls_api.c:372 [inline] tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:386 tcf_chain_tp_insert net/sched/cls_api.c:1657 [inline] tcf_chain_tp_insert_unique net/sched/cls_api.c:1707 [inline] tc_new_tfilter+0x1e67/0x2350 net/sched/cls_api.c:2086 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2647172059 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2645aa5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f2647285100 RCX: 00007f2647172059 RDX: 040000000000009f RSI: 00000000200002c0 RDI: 0000000000000006 RBP: 00007f26471cc08d R08: 0000000000000000 R09: 0000000000000000 R10: 9e00000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffb3f7f02f R14: 00007f2645aa5300 R15: 0000000000022000 Allocated by task 1944: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc_node include/linux/slab.h:604 [inline] kzalloc_node include/linux/slab.h:726 [inline] qdisc_alloc+0xac/0xa10 net/sched/sch_generic.c:941 qdisc_create.constprop.0+0xce/0x10f0 net/sched/sch_api.c:1211 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5592 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 3609: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xcb/0x280 mm/slub.c:4562 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 __call_rcu kernel/rcu/tree.c:3026 [inline] call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106 qdisc_put_unlocked+0x6f/0x90 net/sched/sch_generic.c:1109 tcf_block_release+0x86/0x90 net/sched/cls_api.c:1238 tc_new_tfilter+0xc0d/0x2350 net/sched/cls_api.c:2148 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x331/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff8880985c4800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 776 bytes inside of 1024-byte region [ffff8880985c4800, ffff8880985c4c00) The buggy address belongs to the page: page:ffffea0002617000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x985c0 head:ffffea0002617000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1941, ts 1038999441284, free_ts 1033444432829 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab mm/slub.c:1944 [inline] new_slab+0x28a/0x3b0 mm/slub.c:2004 ___slab_alloc+0x87c/0xe90 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmalloc+0x2fb/0x340 mm/slub.c:4420 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:715 [inline] __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335 neigh_sysctl_register+0x2c8/0x5e0 net/core/neighbour.c:3787 devinet_sysctl_register+0xb1/0x230 net/ipv4/devinet.c:2618 inetdev_init+0x286/0x580 net/ipv4/devinet.c:278 inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] call_netdevice_notifiers net/core/dev.c:1945 [inline] register_netdevice+0x1073/0x1500 net/core/dev.c:9698 veth_newlink+0x59c/0xa90 drivers/net/veth.c:1722 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 release_pages+0x748/0x1220 mm/swap.c:956 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline] tlb_flush_mmu_free mm/mmu_gather.c:243 [inline] tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:250 zap_pte_range mm/memory.c:1441 [inline] zap_pmd_range mm/memory.c:1490 [inline] zap_pud_range mm/memory.c:1519 [inline] zap_p4d_range mm/memory.c:1540 [inline] unmap_page_range+0x1d1d/0x2a30 mm/memory.c:1561 unmap_single_vma+0x198/0x310 mm/memory.c:1606 unmap_vmas+0x16b/0x2f0 mm/memory.c:1638 exit_mmap+0x201/0x670 mm/mmap.c:3178 __mmput+0x122/0x4b0 kernel/fork.c:1114 mmput+0x56/0x60 kernel/fork.c:1135 exit_mm kernel/exit.c:507 [inline] do_exit+0xa3c/0x2a30 kernel/exit.c:793 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff8880985c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880985c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880985c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880985c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880985c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 470502de5bdb ("net: sched: unlock rules update API") Signed-off-by: Eric Dumazet Cc: Vlad Buslov Cc: Jiri Pirko Cc: Cong Wang Reported-by: syzbot Link: https://lore.kernel.org/r/20220131172018.3704490-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 60765e43e40fbf7a1df828116172440510fcc3e4 Author: Dan Carpenter Date: Fri Jan 28 22:57:01 2022 +0300 fanotify: Fix stale file descriptor in copy_event_to_user() commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream. This code calls fd_install() which gives the userspace access to the fd. Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but that will not release it and leads to a stale entry in the file descriptor table. Generally you can't trust the fd after a call to fd_install(). The fix is to delay the fd_install() until everything else has succeeded. Fortunately it requires CAP_SYS_ADMIN to reach this code so the security impact is less. Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up") Link: https://lore.kernel.org/r/20220128195656.GA26981@kili Signed-off-by: Dan Carpenter Reviewed-by: Mathias Krause Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit db6fd92316a254be2097556f01bccecf560e53ce Author: Shyam Sundar S K Date: Thu Jan 27 14:50:03 2022 +0530 net: amd-xgbe: Fix skb data length underflow commit 5aac9108a180fc06e28d4e7fb00247ce603b72ee upstream. There will be BUG_ON() triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length underflows are seen because of inconsistencies in the hardware descriptors. Fixes: 622c36f143fc ("amd-xgbe: Fix jumbo MTU processing on newer hardware") Suggested-by: Tom Lendacky Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/20220127092003.2812745-1-Shyam-sundar.S-k@amd.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 8cb5afa71033a065164f7988500fa7130ce4f152 Author: Raju Rangoju Date: Thu Jan 27 11:32:22 2022 +0530 net: amd-xgbe: ensure to reset the tx_timer_active flag commit 7674b7b559b683478c3832527c59bceb169e701d upstream. Ensure to reset the tx_timer_active flag in xgbe_stop(), otherwise a port restart may result in tx timeout due to uncleared flag. Fixes: c635eaacbf77 ("amd-xgbe: Remove Tx coalescing") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Raju Rangoju Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/20220127060222.453371-1-Raju.Rangoju@amd.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b82364abc54b19829b26459989d2781fc4822c28 Author: Karen Sornek Date: Wed Jan 12 10:19:47 2022 +0100 i40e: Fix reset path while removing the driver commit 6533e558c6505e94c3e0ed4281ed5e31ec985f4d upstream. Fix the crash in kernel while dereferencing the NULL pointer, when the driver is unloaded and simultaneously the VSI rings are being stopped. The hardware requires 50msec in order to finish RX queues disable. For this purpose the driver spins in mdelay function for the operation to be completed. For example changing number of queues which requires reset would fail in the following call stack: 1) i40e_prep_for_reset 2) i40e_pf_quiesce_all_vsi 3) i40e_quiesce_vsi 4) i40e_vsi_close 5) i40e_down 6) i40e_vsi_stop_rings 7) i40e_vsi_control_rx -> disable requires the delay of 50msecs 8) continue back in i40e_down function where i40e_clean_tx_ring(vsi->tx_rings[i]) is going to crash When the driver was spinning vsi_release called i40e_vsi_free_arrays where the vsi->tx_rings resources were freed and the pointer was set to NULL. Fixes: 5b6d4a7f20b0 ("i40e: Fix crash during removing i40e driver") Signed-off-by: Slawomir Laba Signed-off-by: Sylwester Dziedziuch Signed-off-by: Karen Sornek Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 047fc3396cc65cc70124e2951576175b8ad9929c Author: Jedrzej Jagielski Date: Tue Dec 14 10:08:22 2021 +0000 i40e: Fix reset bw limit when DCB enabled with 1 TC commit 3d2504663c41104b4359a15f35670cfa82de1bbf upstream. There was an AQ error I40E_AQ_RC_EINVAL when trying to reset bw limit as part of bw allocation setup. This was caused by trying to reset bw limit with DCB enabled. Bw limit should not be reset when DCB is enabled. The code was relying on the pf->flags to check if DCB is enabled but if only 1 TC is available this flag will not be set even though DCB is enabled. Add a check for number of TC and if it is 1 don't try to reset bw limit even if pf->flags shows DCB as disabled. Fixes: fa38e30ac73f ("i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled") Suggested-by: Alexander Lobakin # Flatten the condition Signed-off-by: Sylwester Dziedziuch Signed-off-by: Jedrzej Jagielski Reviewed-by: Alexander Lobakin Tested-by: Imam Hassan Reza Biswas Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 86186352e36db1dc8906c855fae41f2a966f3bca Author: Georgi Valkov Date: Tue Feb 1 08:16:18 2022 +0100 ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback commit 63e4b45c82ed1bde979da7052229a4229ce9cabf upstream. When rx_buf is allocated we need to account for IPHETH_IP_ALIGN, which reduces the usable size by 2 bytes. Otherwise we have 1512 bytes usable instead of 1514, and if we receive more than 1512 bytes, ipheth_rcvbulk_callback is called with status -EOVERFLOW, after which the driver malfunctiones and all communication stops. Resolves ipheth 2-1:4.2: ipheth_rcvbulk_callback: urb status: -75 Fixes: f33d9e2b48a3 ("usbnet: ipheth: fix connectivity with iOS 14") Signed-off-by: Georgi Valkov Tested-by: Jan Kiszka Link: https://lore.kernel.org/all/B60B8A4B-92A0-49B3-805D-809A2433B46C@abv.bg/ Link: https://lore.kernel.org/all/24851bd2769434a5fc24730dce8e8a984c5a4505.1643699778.git.jan.kiszka@siemens.com/ Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5ca77e0c50805f1274f4f6fbe53804e72e747229 Author: Maor Dickman Date: Sun Jan 30 16:00:41 2022 +0200 net/mlx5: E-Switch, Fix uninitialized variable modact commit d8e5883d694bb053b19c4142a2d1f43a34f6fe2c upstream. The variable modact is not initialized before used in command modify header allocation which can cause command to fail. Fix by initializing modact with zeros. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 8f1e0b97cc70 ("net/mlx5: E-Switch, Mark miss packets with new chain id mapping") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 0ca746e2996bded0ced5e7d59e5e2bd39b0a7c95 Author: Roi Dayan Date: Mon Jan 24 13:56:26 2022 +0200 net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion commit 880b517691908fb753019b9b27cd082e7617debd upstream. When changing mode to switchdev, rep bridge init registered to netdevice notifier holds the devlink lock and then takes pernet_ops_rwsem. At that time deleting a netns holds pernet_ops_rwsem and then takes the devlink lock. Example sequence is: $ ip netns add foo $ devlink dev eswitch set pci/0000:00:08.0 mode switchdev & $ ip netns del foo deleting netns trace: [ 1185.365555] ? devlink_pernet_pre_exit+0x74/0x1c0 [ 1185.368331] ? mutex_lock_io_nested+0x13f0/0x13f0 [ 1185.370984] ? xt_find_table+0x40/0x100 [ 1185.373244] ? __mutex_lock+0x24a/0x15a0 [ 1185.375494] ? net_generic+0xa0/0x1c0 [ 1185.376844] ? wait_for_completion_io+0x280/0x280 [ 1185.377767] ? devlink_pernet_pre_exit+0x74/0x1c0 [ 1185.378686] devlink_pernet_pre_exit+0x74/0x1c0 [ 1185.379579] ? devlink_nl_cmd_get_dumpit+0x3a0/0x3a0 [ 1185.380557] ? xt_find_table+0xda/0x100 [ 1185.381367] cleanup_net+0x372/0x8e0 changing mode to switchdev trace: [ 1185.411267] down_write+0x13a/0x150 [ 1185.412029] ? down_write_killable+0x180/0x180 [ 1185.413005] register_netdevice_notifier+0x1e/0x210 [ 1185.414000] mlx5e_rep_bridge_init+0x181/0x360 [mlx5_core] [ 1185.415243] mlx5e_uplink_rep_enable+0x269/0x480 [mlx5_core] [ 1185.416464] ? mlx5e_uplink_rep_disable+0x210/0x210 [mlx5_core] [ 1185.417749] mlx5e_attach_netdev+0x232/0x400 [mlx5_core] [ 1185.418906] mlx5e_netdev_attach_profile+0x15b/0x1e0 [mlx5_core] [ 1185.420172] mlx5e_netdev_change_profile+0x15a/0x1d0 [mlx5_core] [ 1185.421459] mlx5e_vport_rep_load+0x557/0x780 [mlx5_core] [ 1185.422624] ? mlx5e_stats_grp_vport_rep_num_stats+0x10/0x10 [mlx5_core] [ 1185.424006] mlx5_esw_offloads_rep_load+0xdb/0x190 [mlx5_core] [ 1185.425277] esw_offloads_enable+0xd74/0x14a0 [mlx5_core] Fix this by registering rep bridges for per net netdev notifier instead of global one, which operats on the net namespace without holding the pernet_ops_rwsem. Fixes: 19e9bfa044f3 ("net/mlx5: Bridge, add offload infrastructure") Signed-off-by: Roi Dayan Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 5d575586c4b320796e9b0bde69065a8a52cd6a7e Author: Maxim Mikityanskiy Date: Tue Jan 18 13:31:54 2022 +0200 net/mlx5e: Don't treat small ceil values as unlimited in HTB offload commit 736dfe4e68b868829a1e89dfef4a44c1580d4478 upstream. The hardware spec defines max_average_bw == 0 as "unlimited bandwidth". max_average_bw is calculated as `ceil / BYTES_IN_MBIT`, which can become 0 when ceil is small, leading to an undesired effect of having no bandwidth limit. This commit fixes it by rounding up small values of ceil to 1 Mbit/s. Fixes: 214baf22870c ("net/mlx5e: Support HTB offload") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit f232acbb786ffa43f3b91a48333447e1ab55c2c9 Author: Dima Chumak Date: Mon Jan 17 15:32:16 2022 +0200 net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE commit 55b2ca702cfa744a9eb108915996a2294da47e71 upstream. Only prio 1 is supported for nic mode when there is no ignore flow level support in firmware. But for switchdev mode, which supports fixed number of statically pre-allocated prios, this restriction is not relevant so it can be relaxed. Fixes: d671e109bd85 ("net/mlx5: Fix tc max supported prio for nic mode") Signed-off-by: Dima Chumak Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 60c48abf62ca57428f66ed25b982593b57c656c3 Author: Gal Pressman Date: Sun Jan 16 09:07:22 2022 +0200 net/mlx5e: Fix module EEPROM query commit 4a08a131351e375a2969b98e46df260ed04dcba7 upstream. When querying the module EEPROM, there was a misusage of the 'offset' variable vs the 'query.offset' field. Fix that by always using 'offset' and assigning its value to 'query.offset' right before the mcia register read call. While at it, the cross-pages read size adjustment was changed to be more intuitive. Fixes: e19b0a3474ab ("net/mlx5: Refactor module EEPROM query") Reported-by: Wang Yugui Signed-off-by: Gal Pressman Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit f895ebeb44d09d02674cfdd0cfc2bf687603918c Author: Maher Sanalla Date: Thu Jan 13 15:48:48 2022 +0200 net/mlx5: Use del_timer_sync in fw reset flow of halting poll commit 3c5193a87b0fea090aa3f769d020337662d87b5e upstream. Substitute del_timer() with del_timer_sync() in fw reset polling deactivation flow, in order to prevent a race condition which occurs when del_timer() is called and timer is deactivated while another process is handling the timer interrupt. A situation that led to the following call trace: RIP: 0010:run_timer_softirq+0x137/0x420 recalibrate_cpu_khz+0x10/0x10 ktime_get+0x3e/0xa0 ? sched_clock_cpu+0xb/0xc0 __do_softirq+0xf5/0x2ea irq_exit_rcu+0xc1/0xf0 sysvec_apic_timer_interrupt+0x9e/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 Fixes: 38b9f903f22b ("net/mlx5: Handle sync reset request event") Signed-off-by: Maher Sanalla Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit fe70126da6063c29ca161cdec7ad1dae9af836b3 Author: Maor Dickman Date: Thu Jan 13 15:11:42 2022 +0200 net/mlx5e: Fix handling of wrong devices during bond netevent commit ec41332e02bd0acf1f24206867bb6a02f5877a62 upstream. Current implementation of bond netevent handler only check if the handled netdev is VF representor and it missing a check if the VF representor is on the same phys device of the bond handling the netevent. Fix by adding the missing check and optimizing the check if the netdev is VF representor so it will not access uninitialized private data and crashes. BUG: kernel NULL pointer dereference, address: 000000000000036c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Workqueue: eth3bond0 bond_mii_monitor [bonding] RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core] RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880 RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core] mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core] mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core] raw_notifier_call_chain+0x41/0x60 call_netdevice_notifiers_info+0x34/0x80 netdev_lower_state_changed+0x4e/0xa0 bond_mii_monitor+0x56b/0x640 [bonding] process_one_work+0x1b9/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x124/0x150 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 Fixes: 7e51891a237f ("net/mlx5e: Use netdev events to set/del egress acl forward-to-vport rule") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit e882123e6e64a4c5ae6f099170f535c9ad4574d4 Author: Vlad Buslov Date: Thu Jan 6 18:45:26 2022 +0200 net/mlx5: Bridge, ensure dev_name is null-terminated commit 350d9a823734b5a7e767cddc3bdde5f0bcbb7ff4 upstream. Even though net_device->name is guaranteed to be null-terminated string of size<=IFNAMSIZ, the test robot complains that return value of netdev_name() can be larger: In file included from include/trace/define_trace.h:102, from drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h:113, from drivers/net/ethernet/mellanox/mlx5/core/esw/bridge.c:12: drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h: In function 'trace_event_raw_event_mlx5_esw_bridge_fdb_template': >> drivers/net/ethernet/mellanox/mlx5/core/esw/diag/bridge_tracepoint.h:24:29: warning: 'strncpy' output may be truncated copying 16 bytes from a string of length 20 [-Wstringop-truncation] 24 | strncpy(__entry->dev_name, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ 25 | netdev_name(fdb->dev), | ~~~~~~~~~~~~~~~~~~~~~~ 26 | IFNAMSIZ); | ~~~~~~~~~ This is caused by the fact that default value of IFNAMSIZ is 16, while placeholder value that is returned by netdev_name() for unnamed net devices is larger than that. The offending code is in a tracing function that is only called for mlx5 representors, so there is no straightforward way to reproduce the issue but let's fix it for correctness sake by replacing strncpy() with strscpy() to ensure that resulting string is always null-terminated. Fixes: 9724fd5d9c2a ("net/mlx5: Bridge, add tracepoints") Reported-by: kernel test robot Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit c4e3cf1a8e484c139d5a6375f30e38aa9a0f8064 Author: Vlad Buslov Date: Thu Jan 6 16:40:18 2022 +0200 net/mlx5: Bridge, take rtnl lock in init error handler commit 04f8c12f031fcd0ffa0c72822eb665ceb2c872e7 upstream. The mlx5_esw_bridge_cleanup() is expected to be called with rtnl lock taken, which is true for mlx5e_rep_bridge_cleanup() function but not for error handling code in mlx5e_rep_bridge_init(). Add missing rtnl lock/unlock calls and extend both mlx5_esw_bridge_cleanup() and its dual function mlx5_esw_bridge_init() with ASSERT_RTNL() to verify the invariant from now on. Fixes: 7cd6a54a8285 ("net/mlx5: Bridge, handle FDB events") Fixes: 19e9bfa044f3 ("net/mlx5: Bridge, add offload infrastructure") Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 490292d0894636cf210991f782bf7d9968d556aa Author: Raed Salem Date: Thu Dec 2 17:49:01 2021 +0200 net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic commit de47db0cf7f4a9c555ad204e06baa70b50a70d08 upstream. IPsec Tunnel mode crypto offload software parser (SWP) setting in data path currently always set the inner L4 offset regardless of the encapsulated L4 header type and whether it exists in the first place, this breaks non TCP/UDP traffic as such. Set the SWP inner L4 offset only when the IPsec tunnel encapsulated L4 header protocol is TCP/UDP. While at it fix inner ip protocol read for setting MLX5_ETH_WQE_SWP_INNER_L4_UDP flag to address the case where the ip header protocol is IPv6. Fixes: f1267798c980 ("net/mlx5: Fix checksum issue of VXLAN and IPsec crypto offload") Signed-off-by: Raed Salem Reviewed-by: Maor Dickman Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 6dfc954efb98438b46e1906bddc5d4f7dc950f4c Author: J. Bruce Fields Date: Tue Jan 18 17:00:51 2022 -0500 lockd: fix failure to cleanup client locks commit d19a7af73b5ecaac8168712d18be72b9db166768 upstream. In my testing, we're sometimes hitting the request->fl_flags & FL_EXISTS case in posix_lock_inode, presumably just by random luck since we're not actually initializing fl_flags here. This probably didn't matter before commit 7f024fcd5c97 ("Keep read and write fds with each nlm_file") since we wouldn't previously unlock unless we knew there were locks. But now it causes lockd to give up on removing more locks. We could just initialize fl_flags, but really it seems dubious to be calling vfs_lock_file with random values in some of the fields. Fixes: 7f024fcd5c97 ("Keep read and write fds with each nlm_file") Signed-off-by: J. Bruce Fields [ cel: fixed checkpatch.pl nit ] Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit cb5864bf93b26c867e53c4f1cdace12e9805ec6d Author: J. Bruce Fields Date: Tue Jan 18 17:00:16 2022 -0500 lockd: fix server crash on reboot of client holding lock commit 6e7f90d163afa8fc2efd6ae318e7c20156a5621f upstream. I thought I was iterating over the array when actually the iteration is over the values contained in the array? Ugh, keep it simple. Symptoms were a null deference in vfs_lock_file() when an NFSv3 client that previously held a lock came back up and sent a notify. Reported-by: Jonathan Woithe Fixes: 7f024fcd5c97 ("Keep read and write fds with each nlm_file") Signed-off-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 559bc6ec873ad5ad96063526f12656c5ade32b7d Author: Miklos Szeredi Date: Fri Jan 14 16:57:56 2022 +0100 ovl: don't fail copy up if no fileattr support on upper commit 94fd19752b28aa66c98e7991734af91dfc529f8f upstream. Christoph Fritz is reporting that failure to copy up fileattr when upper doesn't support fileattr or xattr results in a regression. Return success in these failure cases; this reverts overlayfs to the old behavior. Add a pr_warn_once() in these cases to still let the user know about the copy up failures. Reported-by: Christoph Fritz Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags") Cc: # v5.15 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 9341457fdd0d93b0dcdaa23d947686a650681388 Author: John Hubbard Date: Tue Feb 1 19:23:17 2022 -0800 Revert "mm/gup: small refactoring: simplify try_grab_page()" commit c36c04c2e132fc39f6b658bf607aed4425427fd7 upstream. This reverts commit 54d516b1d62ff8f17cee2da06e5e4706a0d00b8a That commit did a refactoring that effectively combined fast and slow gup paths (again). And that was again incorrect, for two reasons: a) Fast gup and slow gup get reference counts on pages in different ways and with different goals: see Linus' writeup in commit cd1adf1b63a1 ("Revert "mm/gup: remove try_get_page(), call try_get_compound_head() directly""), and b) try_grab_compound_head() also has a specific check for "FOLL_LONGTERM && !is_pinned(page)", that assumes that the caller can fall back to slow gup. This resulted in new failures, as recently report by Will McVicker [1]. But (a) has problems too, even though they may not have been reported yet. So just revert this. Link: https://lore.kernel.org/r/20220131203504.3458775-1-willmcvicker@google.com [1] Fixes: 54d516b1d62f ("mm/gup: small refactoring: simplify try_grab_page()") Reported-and-tested-by: Will McVicker Cc: Christoph Hellwig Cc: Minchan Kim Cc: Matthew Wilcox Cc: Christian Borntraeger Cc: Heiko Carstens Cc: Vasily Gorbik Cc: stable@vger.kernel.org # 5.15 Signed-off-by: John Hubbard Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4b1c32bfaa02255a5df602b41587174004996477 Author: Eric W. Biederman Date: Thu Jan 20 11:04:01 2022 -0600 cgroup-v1: Require capabilities to set release_agent commit 24f6008564183aa120d07c03d9289519c2fe02af upstream. The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set fo capabilities. Therefore require capabilities when setting the release_agaent. Reported-by: Tabitha Sable Tested-by: Tabitha Sable Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") Cc: stable@vger.kernel.org # v2.6.24+ Signed-off-by: "Eric W. Biederman" Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit d5e81e3a3e0b15964a86c19b5c27397676d6fc1b Author: Maxime Ripard Date: Thu Aug 19 15:59:30 2021 +0200 drm/vc4: hdmi: Make sure the device is powered with CEC Commit 20b0dfa86bef0e80b41b0e5ac38b92f23b6f27f9 upstream. The original commit depended on a rework commit (724fc856c09e ("drm/vc4: hdmi: Split the CEC disable / enable functions in two")) that (rightfully) didn't reach stable. However, probably because the context changed, when the patch was applied to stable the pm_runtime_put called got moved to the end of the vc4_hdmi_cec_adap_enable function (that would have become vc4_hdmi_cec_disable with the rework) to vc4_hdmi_cec_init. This means that at probe time, we now drop our reference to the clocks and power domains and thus end up with a CPU hang when the CPU tries to access registers. The call to pm_runtime_resume_and_get() is also problematic since the .adap_enable CEC hook is called both to enable and to disable the controller. That means that we'll now call pm_runtime_resume_and_get() at disable time as well, messing with the reference counting. The behaviour we should have though would be to have pm_runtime_resume_and_get() called when the CEC controller is enabled, and pm_runtime_put when it's disabled. We need to move things around a bit to behave that way, but it aligns stable with upstream. Cc: # 5.10.x Cc: # 5.15.x Cc: # 5.16.x Reported-by: Michael Stapelberg Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit dffeeca9268b221063c7a5a75719299b324c1acf Author: Alex Elder Date: Wed Jan 12 07:30:12 2022 -0600 net: ipa: prevent concurrent replenish commit 998c0bd2b3715244da7639cc4e6a2062cb79c3f4 upstream. We have seen cases where an endpoint RX completion interrupt arrives while replenishing for the endpoint is underway. This causes another instance of replenishing to begin as part of completing the receive transaction. If this occurs it can lead to transaction corruption. Use a new flag to ensure only one replenish instance for an endpoint executes at a time. Fixes: 84f9bd12d46db ("soc: qcom: ipa: IPA endpoints") Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5f4ed9829617466fd960c25a4d34f19a912911c4 Author: Alex Elder Date: Wed Jan 12 07:30:11 2022 -0600 net: ipa: use a bitmap for endpoint replenish_enabled commit c1aaa01dbf4cef95af3e04a5a43986c290e06ea3 upstream. Define a new replenish_flags bitmap to contain Boolean flags associated with an endpoint's replenishing state. Replace the replenish_enabled field with a flag in that bitmap. This is to prepare for the next patch, which adds another flag. Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ee782b802ee05ee0987f406eaa1aea34a3ac32fc Author: Paolo Abeni Date: Thu Jan 20 16:35:29 2022 -0800 selftests: mptcp: fix ipv6 routing setup commit 9846921dba4936d92f7608315b5d1e0a8ec3a538 upstream. MPJ ipv6 selftests currently lack per link route to the server net. Additionally, ipv6 subflows endpoints are created without any interface specified. The end-result is that in ipv6 self-tests subflows are created all on the same link, leading to expected delays and sporadic self-tests failures. Fix the issue by adding the missing setup bits. Fixes: 523514ed0a99 ("selftests: mptcp: add ADD_ADDR IPv6 test cases") Reported-and-tested-by: Geliang Tang Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1db58c6584a72102e98af2e600ea184ddaf2b8af Author: Lukas Wunner Date: Wed Nov 17 23:22:09 2021 +0100 PCI: pciehp: Fix infinite loop in IRQ handler upon power fault commit 23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12 upstream. The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler. Link: https://bugzilla.kernel.org/show_bug.cgi?id=214989 Link: https://lore.kernel.org/linux-pci/DM8PR11MB5702255A6A92F735D90A4446868B9@DM8PR11MB5702.namprd11.prod.outlook.com Fixes: 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race") Link: https://lore.kernel.org/r/66eaeef31d4997ceea357ad93259f290ededecfd.1637187226.git.lukas@wunner.de Reported-by: Joseph Bao Tested-by: Joseph Bao Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v4.19+ Cc: Stuart Hayes Signed-off-by: Greg Kroah-Hartman commit b8ff8fbc109935ae00a6e2420a58a898ed29c4bb Author: Clark Williams Date: Fri Feb 4 08:37:39 2022 -0600 Linux 5.15.19-rt29 Signed-off-by: Clark Williams commit 0d28d198fc9550710d62f81f382d2318f6f827c4 Merge: 62a9fa1bad28 47cccb1eb2fe Author: Clark Williams Date: Fri Feb 4 07:17:38 2022 -0600 Merge tag 'v5.15.19' into v5.15-rt This is the 5.15.19 stable release commit 47cccb1eb2fec6c639261847ff4fea1e2c2656aa Author: Greg Kroah-Hartman Date: Tue Feb 1 17:27:16 2022 +0100 Linux 5.15.19 Link: https://lore.kernel.org/r/20220131105229.959216821@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Bagas Sanjaya Tested-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit a9739362c7b5bb61736e40d90a3364acf66b3ae3 Author: Geert Uytterhoeven Date: Mon Nov 22 14:21:38 2021 +0100 mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip() commit 33a0da68fb073360d36ce1a0e852f75fede7c21e upstream. drivers/mtd/nand/raw/mpc5121_nfc.c: In function ‘ads5121_select_chip’: drivers/mtd/nand/raw/mpc5121_nfc.c:294:19: warning: unused variable ‘mtd’ [-Wunused-variable] 294 | struct mtd_info *mtd = nand_to_mtd(nand); | ^~~ Fixes: 758b56f58b66bebc ("mtd: rawnand: Pass a nand_chip object to chip->select_chip()") Signed-off-by: Geert Uytterhoeven Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20211122132138.3899138-1-geert@linux-m68k.org Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 4633a79ff8bc82770486a063a08b55e5162521d8 Author: OGAWA Hirofumi Date: Sun Jan 9 18:36:43 2022 +0900 block: Fix wrong offset in bio_truncate() commit 3ee859e384d453d6ac68bfd5971f630d9fa46ad3 upstream. bio_truncate() clears the buffer outside of last block of bdev, however current bio_truncate() is using the wrong offset of page. So it can return the uninitialized data. This happened when both of truncated/corrupted FS and userspace (via bdev) are trying to read the last of bdev. Reported-by: syzbot+ac94ae5f68b84197f41c@syzkaller.appspotmail.com Signed-off-by: OGAWA Hirofumi Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/875yqt1c9g.fsf@mail.parknet.co.jp Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3d7b7272ce9deb7157670f584274f37d8b12f81f Author: Amir Goldstein Date: Thu Jan 20 23:53:04 2022 +0200 fsnotify: invalidate dcache before IN_DELETE event commit a37d9a17f099072fe4d3a9048b0321978707a918 upstream. Apparently, there are some applications that use IN_DELETE event as an invalidation mechanism and expect that if they try to open a file with the name reported with the delete event, that it should not contain the content of the deleted file. Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify will have access to a positive dentry. This allowed a race where opening the deleted file via cached dentry is now possible after receiving the IN_DELETE event. To fix the regression, create a new hook fsnotify_delete() that takes the unlinked inode as an argument and use a helper d_delete_notify() to pin the inode, so we can pass it to fsnotify_delete() after d_delete(). Backporting hint: this regression is from v5.3. Although patch will apply with only trivial conflicts to v5.4 and v5.10, it won't build, because fsnotify_delete() implementation is different in each of those versions (see fsnotify_link()). A follow up patch will fix the fsnotify_unlink/rmdir() calls in pseudo filesystem that do not need to call d_delete(). Link: https://lore.kernel.org/r/20220120215305.282577-1-amir73il@gmail.com Reported-by: Ivan Delalande Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/ Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit e8421a9d7bb39ee7a386fd7bc6b3b913fe78ae5e Author: Dmitry V. Levin Date: Mon Jan 3 04:24:02 2022 +0300 usr/include/Makefile: add linux/nfc.h to the compile-test coverage commit 10756dc5b02bff370ddd351d7744bc99ada659c2 upstream. As linux/nfc.h userspace compilation was finally fixed by commits 79b69a83705e ("nfc: uapi: use kernel size_t to fix user-space builds") and 7175f02c4e5f ("uapi: fix linux/nfc.h userspace compilation errors"), there is no need to keep the compile-test exception for it in usr/include/Makefile. Signed-off-by: Dmitry V. Levin Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit c571505aa0fcbb52fc30d45ae12857e0fa1cefbd Author: Robert Hancock Date: Thu Jan 27 16:15:00 2022 -0600 usb: dwc3: xilinx: fix uninitialized return value commit b470947c3672f7eb7c4c271d510383d896831cc2 upstream. A previous patch to skip part of the initialization when a USB3 PHY was not present could result in the return value being uninitialized in that case, causing spurious probe failures. Initialize ret to 0 to avoid this. Fixes: 9678f3361afc ("usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode") Cc: Reviewed-by: Nathan Chancellor Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220127221500.177021-1-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman commit 442414e8c4745e2be807866e5c775d3b780a775a Author: Suren Baghdasaryan Date: Sat Jan 29 13:41:20 2022 -0800 psi: fix "defined but not used" warnings when CONFIG_PROC_FS=n commit 44585f7bc0cb01095bc2ad4258049c02bbad21ef upstream. When CONFIG_PROC_FS is disabled psi code generates the following warnings: kernel/sched/psi.c:1364:30: warning: 'psi_cpu_proc_ops' defined but not used [-Wunused-const-variable=] 1364 | static const struct proc_ops psi_cpu_proc_ops = { | ^~~~~~~~~~~~~~~~ kernel/sched/psi.c:1355:30: warning: 'psi_memory_proc_ops' defined but not used [-Wunused-const-variable=] 1355 | static const struct proc_ops psi_memory_proc_ops = { | ^~~~~~~~~~~~~~~~~~~ kernel/sched/psi.c:1346:30: warning: 'psi_io_proc_ops' defined but not used [-Wunused-const-variable=] 1346 | static const struct proc_ops psi_io_proc_ops = { | ^~~~~~~~~~~~~~~ Make definitions of these structures and related functions conditional on CONFIG_PROC_FS config. Link: https://lkml.kernel.org/r/20220119223940.787748-3-surenb@google.com Fixes: 0e94682b73bf ("psi: introduce psi monitor") Signed-off-by: Suren Baghdasaryan Reported-by: kernel test robot Acked-by: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 949c4c188955f2cf486ae776aed142c10d15cedf Author: Suren Baghdasaryan Date: Sat Jan 29 13:41:17 2022 -0800 psi: fix "no previous prototype" warnings when CONFIG_CGROUPS=n commit 51e50fbd3efc6064c30ed73a5e009018b36e290a upstream. When CONFIG_CGROUPS is disabled psi code generates the following warnings: kernel/sched/psi.c:1112:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes] 1112 | struct psi_trigger *psi_trigger_create(struct psi_group *group, | ^~~~~~~~~~~~~~~~~~ kernel/sched/psi.c:1182:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes] 1182 | void psi_trigger_destroy(struct psi_trigger *t) | ^~~~~~~~~~~~~~~~~~~ kernel/sched/psi.c:1249:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes] 1249 | __poll_t psi_trigger_poll(void **trigger_ptr, | ^~~~~~~~~~~~~~~~ Change the declarations of these functions in the header to provide the prototypes even when they are unused. Link: https://lkml.kernel.org/r/20220119223940.787748-2-surenb@google.com Fixes: 0e94682b73bf ("psi: introduce psi monitor") Signed-off-by: Suren Baghdasaryan Reported-by: kernel test robot Acked-by: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fd26531855e62fa210015dcd493e1c8c3814aea1 Author: Namhyung Kim Date: Mon Jan 24 11:58:08 2022 -0800 perf/core: Fix cgroup event list management commit c5de60cd622a2607c043ba65e25a6e9998a369f9 upstream. The active cgroup events are managed in the per-cpu cgrp_cpuctx_list. This list is only accessed from current cpu and not protected by any locks. But from the commit ef54c1a476ae ("perf: Rework perf_event_exit_event()"), it's possible to access (actually modify) the list from another cpu. In the perf_remove_from_context(), it can remove an event from the context without an IPI when the context is not active. This is not safe with cgroup events which can have some active events in the context even if ctx->is_active is 0 at the moment. The target cpu might be in the middle of list iteration at the same time. If the event is enabled when it's about to be closed, it might call perf_cgroup_event_disable() and list_del() with the cgrp_cpuctx_list on a different cpu. This resulted in a crash due to an invalid list pointer access during the cgroup list traversal on the cpu which the event belongs to. Let's fallback to IPI to access the cgrp_cpuctx_list from that cpu. Similarly, perf_install_in_context() should use IPI for the cgroup events too. Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()") Signed-off-by: Namhyung Kim Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220124195808.2252071-1-namhyung@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cba7bdc0472040550e2e573dac0f0f02b9aac7b3 Author: Marc Kleine-Budde Date: Fri Jan 14 18:47:41 2022 +0100 dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config commit 17a30422621c0e04cb6060d20d7edcefd7463347 upstream. This tcan4x5x only comes with 2K of MRAM, a RX FIFO with a dept of 32 doesn't fit into the MRAM. Use a depth of 16 instead. Fixes: 4edd396a1911 ("dt-bindings: can: tcan4x5x: Add DT bindings for TCAN4x5X driver") Link: https://lore.kernel.org/all/20220119062951.2939851-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit e905e1b65ce997bdf5bed4b5eb8c14ec26cbf0ed Author: Sander Vanheule Date: Sun Jan 9 15:54:33 2022 +0100 irqchip/realtek-rtl: Fix off-by-one in routing commit 91351b5dd0fd494eb2d85e1bb6aca77b067447e0 upstream. There is an offset between routing values (1..6) and the connected MIPS CPU interrupts (2..7), but no distinction was made between these two values. This issue was previously hidden during testing, because an interrupt mapping was used where for each required interrupt another (unused) routing was configured, with an offset of +1. Offset the CPU IRQ numbers by -1 to retrieve the correct routing value. Fixes: 9f3a0f34b84a ("irqchip: Add support for Realtek RTL838x/RTL839x interrupt controller") Signed-off-by: Sander Vanheule Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/177b920aa8d8610615692d0e657e509f363c85ca.1641739718.git.sander@svanheule.net Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f67594cbf3c8e6226b7e15ba978f5213bba8a75a Author: Sander Vanheule Date: Sun Jan 9 15:54:32 2022 +0100 irqchip/realtek-rtl: Map control data to virq commit 291e79c7e2eb6fdc016453597b78482e06199d0f upstream. The driver assigned the irqchip and irq handler to the hardware irq, instead of the virq. This is incorrect, and only worked because these irq numbers happened to be the same on the devices used for testing the original driver. Fixes: 9f3a0f34b84a ("irqchip: Add support for Realtek RTL838x/RTL839x interrupt controller") Signed-off-by: Sander Vanheule Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/4b4936606480265db47df152f00bc2ed46340599.1641739718.git.sander@svanheule.net Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bcea886771c3f22a590c8c8b9139a107bd7f1e1c Author: Brian Gix Date: Wed Nov 24 12:16:28 2021 -0800 Bluetooth: refactor malicious adv data check commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream. Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced. Signed-off-by: Brian Gix Signed-off-by: Marcel Holtmann Cc: syphyr Signed-off-by: Greg Kroah-Hartman commit c5e216e880fa6f2cd9d4a6541269377657163098 Author: Tim Yi Date: Thu Jan 27 15:49:53 2022 +0800 net: bridge: vlan: fix memory leak in __allowed_ingress [ Upstream commit fd20d9738395cf8e27d0a17eba34169699fccdff ] When using per-vlan state, if vlan snooping and stats are disabled, untagged or priority-tagged ingress frame will go to check pvid state. If the port state is forwarding and the pvid state is not learning/forwarding, untagged or priority-tagged frame will be dropped but skb memory is not freed. Should free skb when __allowed_ingress returns false. Fixes: a580c76d534c ("net: bridge: vlan: add per-vlan state") Signed-off-by: Tim Yi Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/20220127074953.12632-1-tim.yi@pica8.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8861857ccc9dcfb7f30980f494689d517b75731d Author: Eric Dumazet Date: Wed Jan 26 17:34:04 2022 -0800 ipv4: remove sparse error in ip_neigh_gw4() [ Upstream commit 3c42b2019863b327caa233072c50739d4144dd16 ] ./include/net/route.h:373:48: warning: incorrect type in argument 2 (different base types) ./include/net/route.h:373:48: expected unsigned int [usertype] key ./include/net/route.h:373:48: got restricted __be32 [usertype] daddr Fixes: 5c9f7c1dfc2e ("ipv4: Add helpers for neigh lookup for nexthop") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220127013404.1279313-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d887a33724eca80319b603602f80603167f80db4 Author: Eric Dumazet Date: Wed Jan 26 17:10:21 2022 -0800 ipv4: tcp: send zero IPID in SYNACK messages [ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ] In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state") we took care of some ctl packets sent by TCP. It turns out we need to use a similar strategy for SYNACK packets. By default, they carry IP_DF and IPID==0, but there are ways to ask them to use the hashed IP ident generator and thus be used to build off-path attacks. (Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) One of this way is to force (before listener is started) echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc Another way is using forged ICMP ICMP_FRAG_NEEDED with a very small MTU (like 68) to force a false return from ip_dont_fragment() In this patch, ip_build_and_send_pkt() uses the following heuristics. 1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore can use IP_DF regardless of the listener or route pmtu setting. 2) In case the SYNACK packet is bigger than IPV4_MIN_MTU, we use prandom_u32() generator instead of the IPv4 hashed ident one. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: Ray Che Reviewed-by: David Ahern Cc: Geoff Alexander Cc: Willy Tarreau Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4d0bd948ee86f40e4f1f01cf5f8fc791661097be Author: Eric Dumazet Date: Wed Jan 26 16:51:16 2022 -0800 ipv4: raw: lock the socket in raw_bind() [ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ] For some reason, raw_bind() forgot to lock the socket. BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0: raw_bind+0x1b0/0x250 net/ipv4/raw.c:739 inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443 __sys_bind+0x14b/0x1b0 net/socket.c:1697 __do_sys_bind net/socket.c:1708 [inline] __se_sys_bind net/socket.c:1706 [inline] __x64_sys_bind+0x3d/0x50 net/socket.c:1706 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1: __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39 ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89 inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 __sys_connect_file net/socket.c:1900 [inline] __sys_connect+0x197/0x1b0 net/socket.c:1917 __do_sys_connect net/socket.c:1927 [inline] __se_sys_connect net/socket.c:1924 [inline] __x64_sys_connect+0x3d/0x50 net/socket.c:1924 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000000 -> 0x0003007f Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2387357199a096a332d9533822e606a511808cb6 Author: Nikolay Aleksandrov Date: Wed Jan 26 15:10:25 2022 +0200 net: bridge: vlan: fix single net device option dumping [ Upstream commit dcb2c5c6ca9b9177f04abaf76e5a983d177c9414 ] When dumping vlan options for a single net device we send the same entries infinitely because user-space expects a 0 return at the end but we keep returning skb->len and restarting the dump on retry. Fix it by returning the value from br_vlan_dump_dev() if it completed or there was an error. The only case that must return skb->len is when the dump was incomplete and needs to continue (-EMSGSIZE). Reported-by: Benjamin Poirier Fixes: 8dcea187088b ("net: bridge: vlan: add rtm definitions and dump support") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e406345f8a26af5963936bc3aca32534adc30f16 Author: Guillaume Nault Date: Wed Jan 26 16:38:52 2022 +0100 Revert "ipv6: Honor all IPv6 PIO Valid Lifetime values" [ Upstream commit 36268983e90316b37000a005642af42234dabb36 ] This reverts commit b75326c201242de9495ff98e5d5cff41d7fc0d9d. This commit breaks Linux compatibility with USGv6 tests. The RFC this commit was based on is actually an expired draft: no published RFC currently allows the new behaviour it introduced. Without full IETF endorsement, the flash renumbering scenario this patch was supposed to enable is never going to work, as other IPv6 equipements on the same LAN will keep the 2 hours limit. Fixes: b75326c20124 ("ipv6: Honor all IPv6 PIO Valid Lifetime values") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1ac025f24b89cfcb31184f8da8186c815c5f977c Author: Catherine Sullivan Date: Tue Jan 25 16:38:43 2022 -0800 gve: Fix GFP flags when allocing pages [ Upstream commit a92f7a6feeb3884c69c1c7c1f13bccecb2228ad0 ] Use GFP_ATOMIC when allocating pages out of the hotpath, continue to use GFP_KERNEL when allocating pages during setup. GFP_KERNEL will allow blocking which allows it to succeed more often in a low memory enviornment but in the hotpath we do not want to allow the allocation to block. Fixes: f5cedc84a30d2 ("gve: Add transmit and receive support") Signed-off-by: Catherine Sullivan Signed-off-by: David Awogbemila Link: https://lore.kernel.org/r/20220126003843.3584521-1-awogbemila@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 35b092d3b57f47af50b6e5da77bb73fc4e66c704 Author: Xiubo Li Date: Wed Jan 12 12:29:04 2022 +0800 ceph: put the requests/sessions when it fails to alloc memory [ Upstream commit 89d43d0551a848e70e63d9ba11534aaeabc82443 ] When failing to allocate the sessions memory we should make sure the req1 and req2 and the sessions get put. And also in case the max_sessions decreased so when kreallocate the new memory some sessions maybe missed being put. And if the max_sessions is 0 krealloc will return ZERO_SIZE_PTR, which will lead to a distinct access fault. URL: https://tracker.ceph.com/issues/53819 Fixes: e1a4541ec0b9 ("ceph: flush the mdlog before waiting on unsafe reqs") Signed-off-by: Xiubo Li Reviewed-by: Venky Shankar Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 0536379e9d9dd59504a2ccd6338cd87a2eb25653 Author: Sean Christopherson Date: Tue Jan 25 22:17:25 2022 +0000 KVM: selftests: Don't skip L2's VMCALL in SMM test for SVM guest [ Upstream commit 4cf3d3ebe8794c449af3e0e8c1d790c97e461d20 ] Don't skip the vmcall() in l2_guest_code() prior to re-entering L2, doing so will result in L2 running to completion, popping '0' off the stack for RET, jumping to address '0', and ultimately dying with a triple fault shutdown. It's not at all obvious why the test re-enters L2 and re-executes VMCALL, but presumably it serves a purpose. The VMX path doesn't skip vmcall(), and the test can't possibly have passed on SVM, so just do what VMX does. Fixes: d951b2210c1a ("KVM: selftests: smm_test: Test SMM enter from L2") Cc: Maxim Levitsky Signed-off-by: Sean Christopherson Message-Id: <20220125221725.2101126-1-seanjc@google.com> Reviewed-by: Vitaly Kuznetsov Tested-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 9b6be5b1a05309253d19fbefd6c412e4d9e4dc7a Author: Dave Airlie Date: Thu Jan 20 14:05:27 2022 +1000 Revert "drm/ast: Support 1600x900 with 108MHz PCLK" [ Upstream commit 76cea3d95513fe40000d06a3719c4bb6b53275e2 ] This reverts commit 9bb7b689274b67ecb3641e399e76f84adc627df1. This caused a regression reported to Red Hat. Fixes: 9bb7b689274b ("drm/ast: Support 1600x900 with 108MHz PCLK") Signed-off-by: Dave Airlie Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20220120040527.552068-1-airlied@gmail.com Signed-off-by: Sasha Levin commit 1714199af7ec0a70c4ab10fc620ea9902d7f3ee0 Author: Maxim Mikityanskiy Date: Tue Jan 25 12:06:54 2022 +0200 sch_htb: Fail on unsupported parameters when offload is requested [ Upstream commit 429c3be8a5e2695b5b92a6a12361eb89eb185495 ] The current implementation of HTB offload doesn't support some parameters. Instead of ignoring them, actively return the EINVAL error when they are set to non-defaults. As this patch goes to stable, the driver API is not changed here. If future drivers support more offload parameters, the checks can be moved to the driver side. Note that the buffer and cbuffer parameters are also not supported, but the tc userspace tool assigns some default values derived from rate and ceil, and identifying these defaults in sch_htb would be unreliable, so they are still ignored. Fixes: d03b195b5aa0 ("sch_htb: Hierarchical QoS hardware offload") Reported-by: Jakub Kicinski Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Link: https://lore.kernel.org/r/20220125100654.424570-1-maximmi@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3e662ceb3e6d3e3fb15430612c69b8af8d5014aa Author: Yufeng Mo Date: Tue Jan 25 15:03:12 2022 +0800 net: hns3: handle empty unknown interrupt for VF [ Upstream commit 2f61353cd2f789a4229b6f5c1c24a40a613357bb ] Since some interrupt states may be cleared by hardware, the driver may receive an empty interrupt. Currently, the VF driver directly disables the vector0 interrupt in this case. As a result, the VF is unavailable. Therefore, the vector0 interrupt should be enabled in this case. Fixes: b90fcc5bd904 ("net: hns3: add reset handling for VF when doing Core/Global/IMP reset") Signed-off-by: Yufeng Mo Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 925181ea76b52fc247b622aa855a0cb094d683a5 Author: Toke Høiland-Jørgensen Date: Mon Jan 24 15:35:29 2022 +0100 net: cpsw: Properly initialise struct page_pool_params [ Upstream commit c63003e3d99761afb280add3b30de1cf30fa522b ] The cpsw driver didn't properly initialise the struct page_pool_params before calling page_pool_create(), which leads to crashes after the struct has been expanded with new parameters. The second Fixes tag below is where the buggy code was introduced, but because the code was moved around this patch will only apply on top of the commit in the first Fixes tag. Fixes: c5013ac1dd0e ("net: ethernet: ti: cpsw: move set of common functions in cpsw_priv") Fixes: 9ed4050c0d75 ("net: ethernet: ti: cpsw: add XDP support") Reported-by: Colin Foster Signed-off-by: Toke Høiland-Jørgensen Tested-by: Colin Foster Acked-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0690c3943ed0fa76654e600eca38cde6a13c87ac Author: Hangyu Hua Date: Mon Jan 24 11:29:54 2022 +0800 yam: fix a memory leak in yam_siocdevprivate() [ Upstream commit 29eb31542787e1019208a2e1047bb7c76c069536 ] ym needs to be free when ym->cmd != SIOCYAMSMCS. Fixes: 0781168e23a2 ("yam: fix a missing-check bug") Signed-off-by: Hangyu Hua Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4d5c2dfbc120be82f1b9cced3606d2edc4ec7538 Author: Rob Clark Date: Thu Jan 13 08:32:13 2022 -0800 drm/msm/a6xx: Add missing suspend_count increment [ Upstream commit 860a7b2a87b7c743154824d0597b6c3eb3b53154 ] Reported-by: Danylo Piliaiev Fixes: 3ab1c5cc3939 ("drm/msm: Add param for userspace to query suspend count") Signed-off-by: Rob Clark Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220113163215.215367-1-robdclark@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 8f069f6dde518dfebe86e848508c07e497bd9298 Author: José Expósito Date: Sun Jan 9 20:24:31 2022 +0100 drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc [ Upstream commit 170b22234d5495f5e0844246e23f004639ee89ba ] The function performs a check on the "ctx" input parameter, however, it is used before the check. Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference. Fixes: 4259ff7ae509e ("drm/msm/dpu: add support for pcc color block in dpu driver") Addresses-Coverity-ID: 1493866 ("Null pointer dereference") Signed-off-by: José Expósito Link: https://lore.kernel.org/r/20220109192431.135949-1-jose.exposito89@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 13bd31390cae1397c94dd7b97d8103bb5d587b9b Author: Miaoqian Lin Date: Fri Jan 7 08:50:22 2022 +0000 drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy [ Upstream commit 774fe0cd838d1b1419d41ab4ea0613c80d4ecbd7 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: e00012b256d4 ("drm/msm/hdmi: Make HDMI core get its PHY") Signed-off-by: Miaoqian Lin Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220107085026.23831-1-linmq006@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 03a91f9fa93b55685601548f882df8d0e2eecc29 Author: Marc Kleine-Budde Date: Fri Jan 14 18:50:54 2022 +0100 can: tcan4x5x: regmap: fix max register value [ Upstream commit e59986de5ff701494e14c722b78b6e6d513e0ab5 ] The MRAM of the tcan4x5x has a size of 2K and starts at 0x8000. There are no further registers in the tcan4x5x making 0x87fc the biggest addressable register. This patch fixes the max register value of the regmap config from 0x8ffc to 0x87fc. Fixes: 6e1caaf8ed22 ("can: tcan4x5x: fix max register value") Link: https://lore.kernel.org/all/20220119064011.2943292-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit d0a56e4ebc6be488055e4a51f22ead4cb60df6bd Author: Michael Kelley Date: Sun Jan 16 11:18:31 2022 -0800 video: hyperv_fb: Fix validation of screen resolution [ Upstream commit 9ff5549b1d1d3c3a9d71220d44bd246586160f1d ] In the WIN10 version of the Synthetic Video protocol with Hyper-V, Hyper-V reports a list of supported resolutions as part of the protocol negotiation. The driver calculates the maximum width and height from the list of resolutions, and uses those maximums to validate any screen resolution specified in the video= option on the kernel boot line. This method of validation is incorrect. For example, the list of supported resolutions could contain 1600x1200 and 1920x1080, both of which fit in an 8 Mbyte frame buffer. But calculating the max width and height yields 1920 and 1200, and 1920x1200 resolution does not fit in an 8 Mbyte frame buffer. Unfortunately, this resolution is accepted, causing a kernel fault when the driver accesses memory outside the frame buffer. Instead, validate the specified screen resolution by calculating its size, and comparing against the frame buffer size. Delete the code for calculating the max width and height from the list of resolutions, since these max values have no use. Also add the frame buffer size to the info message to aid in understanding why a resolution might be rejected. Fixes: 67e7cdb4829d ("video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host") Signed-off-by: Michael Kelley Reviewed-by: Haiyang Zhang Acked-by: Helge Deller Link: https://lore.kernel.org/r/1642360711-2335-1-git-send-email-mikelley@microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 38f0bdd548fd2ef5d481b88d8a2bfef968452e34 Author: Wen Gu Date: Sat Jan 22 17:43:09 2022 +0800 net/smc: Transitional solution for clcsock race issue [ Upstream commit c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760 ] We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value. Fixes: fd57770dd198 ("net/smc: wait for pending work before clcsock release_sock") Link: https://lore.kernel.org/lkml/5dd7ffd1-28e2-24cc-9442-1defec27375e@linux.ibm.com/T/ Signed-off-by: Wen Gu Acked-by: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fdcdc94b3d350ba53659021c43bc3904a374a887 Author: Sukadev Bhattiprolu Date: Fri Jan 21 18:59:20 2022 -0800 ibmvnic: don't spin in tasklet [ Upstream commit 48079e7fdd0269d66b1d7d66ae88bd03162464ad ] ibmvnic_tasklet() continuously spins waiting for responses to all capability requests. It does this to avoid encountering an error during initialization of the vnic. However if there is a bug in the VIOS and we do not receive a response to one or more queries the tasklet ends up spinning continuously leading to hard lock ups. If we fail to receive a message from the VIOS it is reasonable to timeout the login attempt rather than spin indefinitely in the tasklet. Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") Signed-off-by: Sukadev Bhattiprolu Reviewed-by: Dany Madden Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d4435164be133e936060be9a5fdcd3bdee8e664c Author: Sukadev Bhattiprolu Date: Fri Jan 21 18:59:19 2022 -0800 ibmvnic: init ->running_cap_crqs early [ Upstream commit 151b6a5c06b678687f64f2d9a99fd04d5cd32b72 ] We use ->running_cap_crqs to determine when the ibmvnic_tasklet() should send out the next protocol message type. i.e when we get back responses to all our QUERY_CAPABILITY CRQs we send out REQUEST_CAPABILITY crqs. Similiary, when we get responses to all the REQUEST_CAPABILITY crqs, we send out the QUERY_IP_OFFLOAD CRQ. We currently increment ->running_cap_crqs as we send out each CRQ and have the ibmvnic_tasklet() send out the next message type, when this running_cap_crqs count drops to 0. This assumes that all the CRQs of the current type were sent out before the count drops to 0. However it is possible that we send out say 6 CRQs, get preempted and receive all the 6 responses before we send out the remaining CRQs. This can result in ->running_cap_crqs count dropping to zero before all messages of the current type were sent and we end up sending the next protocol message too early. Instead initialize the ->running_cap_crqs upfront so the tasklet will only send the next protocol message after all responses are received. Use the cap_reqs local variable to also detect any discrepancy (either now or in future) in the number of capability requests we actually send. Currently only send_query_cap() is affected by this behavior (of sending next message early) since it is called from the worker thread (during reset) and from application thread (during ->ndo_open()) and they can be preempted. send_request_cap() is only called from the tasklet which processes CRQ responses sequentially, is not be affected. But to maintain the existing symmtery with send_query_capability() we update send_request_capability() also. Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs") Signed-off-by: Sukadev Bhattiprolu Reviewed-by: Dany Madden Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit aa6ae2341a8ffc13cb5ca18601c8c543ac5381a7 Author: Sukadev Bhattiprolu Date: Fri Jan 21 18:59:18 2022 -0800 ibmvnic: Allow extra failures before disabling [ Upstream commit db9f0e8bf79e6da7068b5818fea0ffd9d0d4b4da ] If auto-priority-failover (APF) is enabled and there are at least two backing devices of different priorities, some resets like fail-over, change-param etc can cause at least two back to back failovers. (Failover from high priority backing device to lower priority one and then back to the higher priority one if that is still functional). Depending on the timimg of the two failovers it is possible to trigger a "hard" reset and for the hard reset to fail due to failovers. When this occurs, the driver assumes that the network is unstable and disables the VNIC for a 60-second "settling time". This in turn can cause the ethtool command to fail with "No such device" while the vnic automatically recovers a little while later. Given that it's possible to have two back to back failures, allow for extra failures before disabling the vnic for the settling time. Fixes: f15fde9d47b8 ("ibmvnic: delay next reset if hard reset fails") Signed-off-by: Sukadev Bhattiprolu Reviewed-by: Dany Madden Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9ae4cd5de2a5ecb87b7dc5dd4157ca3bdae9919d Author: Jakub Kicinski Date: Fri Jan 21 16:57:31 2022 -0800 ipv4: fix ip option filtering for locally generated fragments [ Upstream commit 27a8caa59babb96c5890569e131bc0eb6d45daee ] During IP fragmentation we sanitize IP options. This means overwriting options which should not be copied with NOPs. Only the first fragment has the original, full options. ip_fraglist_prepare() copies the IP header and options from previous fragment to the next one. Commit 19c3401a917b ("net: ipv4: place control buffer handling away from fragmentation iterators") moved sanitizing options before ip_fraglist_prepare() which means options are sanitized and then overwritten again with the old values. Fixing this is not enough, however, nor did the sanitization work prior to aforementioned commit. ip_options_fragment() (which does the sanitization) uses ipcb->opt.optlen for the length of the options. ipcb->opt of fragments is not populated (it's 0), only the head skb has the state properly built. So even when called at the right time ip_options_fragment() does nothing. This seems to date back all the way to v2.5.44 when the fast path for pre-fragmented skbs had been introduced. Prior to that ip_options_build() would have been called for every fragment (in fact ever since v2.5.44 the fragmentation handing in ip_options_build() has been dead code, I'll clean it up in -next). In the original patch (see Link) caixf mentions fixing the handling for fragments other than the second one, but I'm not sure how _any_ fragment could have had their options sanitized with the code as it stood. Tested with python (MTU on lo lowered to 1000 to force fragmentation): import socket s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS, bytearray([7,4,5,192, 20|0x80,4,1,0])) s.sendto(b'1'*2000, ('127.0.0.1', 1234)) Before: IP (tos 0x0, ttl 64, id 1053, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256)) localhost.36500 > localhost.search-agent: UDP, length 2000 IP (tos 0x0, ttl 64, id 1053, offset 968, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256)) localhost > localhost: udp IP (tos 0x0, ttl 64, id 1053, offset 1936, flags [none], proto UDP (17), length 100, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256)) localhost > localhost: udp After: IP (tos 0x0, ttl 96, id 42549, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256)) localhost.51607 > localhost.search-agent: UDP, bad length 2000 > 960 IP (tos 0x0, ttl 96, id 42549, offset 968, flags [+], proto UDP (17), length 996, options (NOP,NOP,NOP,NOP,RA value 256)) localhost > localhost: udp IP (tos 0x0, ttl 96, id 42549, offset 1936, flags [none], proto UDP (17), length 100, options (NOP,NOP,NOP,NOP,RA value 256)) localhost > localhost: udp RA (20 | 0x80) is now copied as expected, RR (7) is "NOPed out". Link: https://lore.kernel.org/netdev/20220107080559.122713-1-ooppublic@163.com/ Fixes: 19c3401a917b ("net: ipv4: place control buffer handling away from fragmentation iterators") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: caixf Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 28aaed966e76807a71de79dd40a8eee9042374dd Author: Athira Rajeev Date: Sat Jan 22 09:04:29 2022 +0530 powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending [ Upstream commit fb6433b48a178d4672cb26632454ee0b21056eaa ] Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel triggered below warning: [ 172.851380] ------------[ cut here ]------------ [ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 [ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse [ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2 [ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 [ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598) [ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000 [ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 [ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004 [ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 [ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 [ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 [ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 [ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 [ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600 [ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 [ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 [ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280 [ 172.851565] Call Trace: [ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable) [ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 [ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660 [ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 [ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140 [ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 [ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380 [ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 The warning indicates that MSR_EE being set(interrupt enabled) when there was an overflown PMC detected. This could happen in power_pmu_disable since it runs under interrupt soft disable condition ( local_irq_save ) and not with interrupts hard disabled. commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") intended to clear PMI pending bit in Paca when disabling the PMU. It could happen that PMC gets overflown while code is in power_pmu_disable callback function. Hence add a check to see if PMI pending bit is set in Paca before clearing it via clear_pmi_pending. Fixes: 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") Reported-by: Sachin Sant Signed-off-by: Athira Rajeev Tested-by: Sachin Sant Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220122033429.25395-1-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit b9dc12e481c0e20ee762fb7a3668c08acf8b2e7c Author: Dan Carpenter Date: Fri Jan 21 14:55:43 2022 +0300 hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write() [ Upstream commit c1ec0cabc36718efc7fe8b4157d41b82d08ec1d2 ] The "val" variable is controlled by the user and comes from hwmon_attr_store(). The FAN_RPM_TO_PERIOD() macro divides by "val" so a zero will crash the system. Check for that and return -EINVAL. Negatives are also invalid so return -EINVAL for those too. Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API") Signed-off-by: Dan Carpenter Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 774a6ef81458b86d0034dc663c9e5622879f81ea Author: Guenter Roeck Date: Mon Jan 10 23:23:31 2022 -0800 hwmon: (lm90) Fix sysfs and udev notifications [ Upstream commit d379880d9adb9f1ada3f1266aa49ea2561328e08 ] sysfs and udev notifications need to be sent to the _alarm attributes, not to the value attributes. Fixes: 94dbd23ed88c ("hwmon: (lm90) Use hwmon_notify_event()") Cc: Dmitry Osipenko Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit f4a61d7989d561a64a0513cd76ca860fd93c657d Author: Guenter Roeck Date: Fri Jan 7 11:05:23 2022 -0800 hwmon: (lm90) Mark alert as broken for MAX6654 [ Upstream commit a53fff96f35763d132a36c620b183fdf11022d7a ] Experiments with MAX6654 show that its alert function is broken, similar to other chips supported by the lm90 driver. Mark it accordingly. Fixes: 229d495d8189 ("hwmon: (lm90) Add max6654 support to lm90 driver") Cc: Josh Lehan Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit ccdf90878b8ba53ebd7236e2edf363ae30847a4c Author: Guenter Roeck Date: Sat Jan 8 11:37:19 2022 -0800 hwmon: (lm90) Re-enable interrupts after alert clears [ Upstream commit bc341a1a98827925082e95db174734fc8bd68af6 ] If alert handling is broken, interrupts are disabled after an alert and re-enabled after the alert clears. However, if there is an interrupt handler, this does not apply if alerts were originally disabled and enabled when the driver was loaded. In that case, interrupts will stay disabled after an alert was handled though the alert handler even after the alert condition clears. Address the situation by always re-enabling interrupts after the alert condition clears if there is an interrupt handler. Fixes: 2abdc357c55d9 ("hwmon: (lm90) Unmask hardware interrupt") Cc: Dmitry Osipenko Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit da20522eba44f6bdf72f755519246c30b8d172ac Author: Yanming Liu Date: Thu Jan 20 04:20:52 2022 +0800 Drivers: hv: balloon: account for vmbus packet header in max_pkt_size [ Upstream commit 96d9d1fa5cd505078534113308ced0aa56d8da58 ] Commit adae1e931acd ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer") introduced a notion of maximum packet size in vmbus channel and used that size to initialize a buffer holding all incoming packet along with their vmbus packet header. hv_balloon uses the default maximum packet size VMBUS_DEFAULT_MAX_PKT_SIZE which matches its maximum message size, however vmbus_open expects this size to also include vmbus packet header. This leads to 4096 bytes dm_unballoon_request messages being truncated to 4080 bytes. When the driver tries to read next packet it starts from a wrong read_index, receives garbage and prints a lot of "Unhandled message: type: " in dmesg. Allocate the buffer with HV_HYP_PAGE_SIZE more bytes to make room for the header. Fixes: adae1e931acd ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer") Suggested-by: Michael Kelley (LINUX) Suggested-by: Andrea Parri (Microsoft) Signed-off-by: Yanming Liu Reviewed-by: Michael Kelley Reviewed-by: Andrea Parri (Microsoft) Link: https://lore.kernel.org/r/20220119202052.3006981-1-yanminglr@gmail.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 82cc3382e34e2254453cdfc0e0c3190357e27eed Author: Dylan Yudaken Date: Fri Jan 21 04:38:56 2022 -0800 io_uring: fix bug in slow unregistering of nodes [ Upstream commit b36a2050040b2d839bdc044007cdd57101d7f881 ] In some cases io_rsrc_ref_quiesce will call io_rsrc_node_switch_start, and then immediately flush the delayed work queue &ctx->rsrc_put_work. However the percpu_ref_put does not immediately destroy the node, it will be called asynchronously via RCU. That ends up with io_rsrc_node_ref_zero only being called after rsrc_put_work has been flushed, and so the process ends up sleeping for 1 second unnecessarily. This patch executes the put code immediately if we are busy quiescing. Fixes: 4a38aed2a0a7 ("io_uring: batch reap of dead file registrations") Signed-off-by: Dylan Yudaken Link: https://lore.kernel.org/r/20220121123856.3557884-1-dylany@fb.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit fa005a5c5d4dc1eb1bcf99761fc1f678bfd46a08 Author: Mihai Carabas Date: Wed Jan 19 18:14:27 2022 +0200 efi/libstub: arm64: Fix image check alignment at entry [ Upstream commit e9b7c3a4263bdcfd31bc3d03d48ce0ded7a94635 ] The kernel is aligned at SEGMENT_SIZE and this is the size populated in the PE headers: arch/arm64/kernel/efi-header.S: .long SEGMENT_ALIGN // SectionAlignment EFI_KIMG_ALIGN is defined as: (SEGMENT_ALIGN > THREAD_ALIGN ? SEGMENT_ALIGN : THREAD_ALIGN) So it depends on THREAD_ALIGN. On newer builds this message started to appear even though the loader is taking into account the PE header (which is stating SEGMENT_ALIGN). Fixes: c32ac11da3f8 ("efi/libstub: arm64: Double check image alignment at entry") Signed-off-by: Mihai Carabas Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 42ff00c23b16bf397eb467bd2f66e48c1a0040dc Author: David Howells Date: Fri Jan 21 23:12:58 2022 +0000 rxrpc: Adjust retransmission backoff [ Upstream commit 2c13c05c5ff4b9fc907b07f7311821910ebaaf8a ] Improve retransmission backoff by only backing off when we retransmit data packets rather than when we set the lost ack timer. To this end: (1) In rxrpc_resend(), use rxrpc_get_rto_backoff() when setting the retransmission timer and only tell it that we are retransmitting if we actually have things to retransmit. Note that it's possible for the retransmission algorithm to race with the processing of a received ACK, so we may see no packets needing retransmission. (2) In rxrpc_send_data_packet(), don't bump the backoff when setting the ack_lost_at timer, as it may then get bumped twice. With this, when looking at one particular packet, the retransmission intervals were seen to be 1.5ms, 2ms, 3ms, 5ms, 9ms, 17ms, 33ms, 71ms, 136ms, 264ms, 544ms, 1.088s, 2.1s, 4.2s and 8.3s. Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout") Suggested-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Marc Dionne Tested-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/164138117069.2023386.17446904856843997127.stgit@warthog.procyon.org.uk/ Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 437b6b3bd88ca698dca10747d85480a74f6d15ca Author: Subbaraya Sundeep Date: Fri Jan 21 12:04:46 2022 +0530 octeontx2-pf: Forward error codes to VF [ Upstream commit a8db854be28622a2477cb21cdf7f829adbb2c42d ] PF forwards its VF messages to AF and corresponding replies from AF to VF. AF sets proper error code in the replies after processing message requests. Currently PF checks the error codes in replies and sends invalid message to VF. This way VF lacks the information of error code set by AF for its messages. This patch changes that such that PF simply forwards AF replies so that VF can handle error codes. Fixes: d424b6c02415 ("octeontx2-pf: Enable SRIOV and added VF mbox handling") Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 689620df208088281e627c0d9f64fc532265dff8 Author: Geetha sowjanya Date: Fri Jan 21 12:04:45 2022 +0530 octeontx2-af: cn10k: Do not enable RPM loopback for LPC interfaces [ Upstream commit df66b6ebc5dcf7253e35a640b9ec4add54195c25 ] Internal looback is not supported to low rate LPCS interface like SGMII/QSGMII. Hence don't allow to enable for such interfaces. Fixes: 3ad3f8f93c81 ("octeontx2-af: cn10k: MAC internal loopback support") Signed-off-by: Geetha sowjanya Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 35dd0b7e5a13dec6a7623c8db7c57c59f9110ffb Author: Geetha sowjanya Date: Fri Jan 21 12:04:44 2022 +0530 octeontx2-af: Increase link credit restore polling timeout [ Upstream commit 1581d61b42d985cefe7b71eea67ab3bfcbf34d0f ] It's been observed that sometimes link credit restore takes a lot of time than the current timeout. This patch increases the default timeout value and return the proper error value on failure. Fixes: 1c74b89171c3 ("octeontx2-af: Wait for TX link idle for credits change") Signed-off-by: Geetha sowjanya Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f13bf41cbe2d1dbf9ede3569bd5d75353ab68f01 Author: Hariprasad Kelam Date: Fri Sep 17 18:40:24 2021 +0530 octeontx2-af: verify CQ context updates [ Upstream commit 14e94f9445a9e91d460f5d4b519f8892c3fb14bb ] As per HW errata AQ modification to CQ could be discarded on heavy traffic. This patch implements workaround for the same after each CQ write by AQ check whether the requested fields (except those which HW can update eg: avg_level) are properly updated or not. If CQ context is not updated then perform AQ write again. Signed-off-by: Hariprasad Kelam Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4070cf004da3b9f6a6395d62fe3d24b38ae1a3ef Author: Geetha sowjanya Date: Fri Jan 21 12:04:43 2022 +0530 octeontx2-pf: cn10k: Ensure valid pointers are freed to aura [ Upstream commit c5d731c54a17677939bd59ee8be4ed74d7485ba4 ] While freeing SQB pointers to aura, driver first memcpy to target address and then triggers lmtst operation to free pointer to the aura. We need to ensure(by adding dmb barrier)that memcpy is finished before pointers are freed to the aura. This patch also adds the missing sq context structure entry in debugfs. Fixes: ef6c8da71eaf ("octeontx2-pf: cn10K: Reserve LMTST lines per core") Signed-off-by: Geetha sowjanya Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a332a1050ac662ea2f768ef9a802195d97130806 Author: Geetha sowjanya Date: Fri Jan 21 12:04:41 2022 +0530 octeontx2-af: Retry until RVU block reset complete [ Upstream commit 03ffbc9914bd1130fba464f0a41c01372e5fc359 ] Few RVU blocks like SSO require more time for reset on some silicons. Hence retrying the block reset until success. Fixes: c0fa2cff8822c ("octeontx2-af: Handle return value in block reset") Signed-off-by: Geetha sowjanya Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b578044bf4dee7e62e2f6ce1a2415831b1c1f76e Author: Sunil Goutham Date: Fri Jan 21 12:04:40 2022 +0530 octeontx2-af: Fix LBK backpressure id count [ Upstream commit 00bfe94e388fe12bfd0d4f6361b1b1343374ff5b ] In rvu_nix_get_bpid() lbk_bpid_cnt is being read from wrong register. Due to this backpressure enable is failing for LBK VF32 onwards. This patch fixes that. Fixes: fe1939bb2340 ("octeontx2-af: Add SDP interface support") Signed-off-by: Sunil Goutham Signed-off-by: Subbaraya Sundeep Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 77c5abff9330dc4acac2758b0134110e894c25a3 Author: Subbaraya Sundeep Date: Fri Jan 21 12:04:39 2022 +0530 octeontx2-af: Do not fixup all VF action entries [ Upstream commit d225c449ab2be25273a3674f476c6c0b57c50254 ] AF modifies all the rules destined for VF to use the action same as default RSS action. This fixup was needed because AF only installs default rules with RSS action. But the action in rules installed by a PF for its VFs should not be changed by this fixup. This is because action can be drop or direct to queue as specified by user(ntuple filters). This patch fixes that problem. Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet") Signed-off-by: Subbaraya Sundeep Signed-off-by: Naveen Mamindlapalli Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit aefaccd19379d6c4620269a162bfb88ff687f289 Author: Marek Behún Date: Wed Jan 19 17:27:48 2022 +0100 phylib: fix potential use-after-free [ Upstream commit cbda1b16687580d5beee38273f6241ae3725960c ] Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device(). Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") Signed-off-by: Marek Behún Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20220119162748.32418-1-kabel@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 82688a07cc025f5242f0b03db5e790a63bb54f14 Author: Yuji Ishikawa Date: Wed Jan 19 13:46:48 2022 +0900 net: stmmac: dwmac-visconti: Fix clock configuration for RMII mode [ Upstream commit 0959bc4bd4206433ed101a1332a23e93ad16ec77 ] Bit pattern of the ETHER_CLOCK_SEL register for RMII/MII mode should be fixed. Also, some control bits should be modified with a specific sequence. Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver") Signed-off-by: Yuji Ishikawa Reviewed-by: Nobuhiro Iwamatsu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 27e249cafa4fb35ad28fe9952b93ca515c16f52c Author: Yuji Ishikawa Date: Wed Jan 19 13:46:47 2022 +0900 net: stmmac: dwmac-visconti: Fix bit definitions for ETHER_CLK_SEL [ Upstream commit 1ba1a4a90fa416a6f389206416c5f488cf8b1543 ] just 0 should be used to represent cleared bits * ETHER_CLK_SEL_DIV_SEL_20 * ETHER_CLK_SEL_TX_CLK_EXT_SEL_IN * ETHER_CLK_SEL_RX_CLK_EXT_SEL_IN * ETHER_CLK_SEL_TX_CLK_O_TX_I * ETHER_CLK_SEL_RMII_CLK_SEL_IN Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver") Signed-off-by: Yuji Ishikawa Reviewed-by: Nobuhiro Iwamatsu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 36c7e4f4a3ec57ed663011e7b3acd77f3becfa9d Author: Robert Hancock Date: Tue Jan 18 15:52:43 2022 -0600 net: phy: broadcom: hook up soft_reset for BCM54616S [ Upstream commit d15c7e875d44367005370e6a82e8f3a382a04f9b ] A problem was encountered with the Bel-Fuse 1GBT-SFP05 SFP module (which is a 1 Gbps copper module operating in SGMII mode with an internal BCM54616S PHY device) using the Xilinx AXI Ethernet MAC core, where the module would work properly on the initial insertion or boot of the device, but after the device was rebooted, the link would either only come up at 100 Mbps speeds or go up and down erratically. I found no meaningful changes in the PHY configuration registers between the working and non-working boots, but the status registers seemed to have a lot of error indications set on the SERDES side of the device on the non-working boot. I suspect the problem is that whatever happens on the SGMII link when the device is rebooted and the FPGA logic gets reloaded ends up putting the module's onboard PHY into a bad state. Since commit 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") the genphy_soft_reset call is not made automatically by the PHY core unless the callback is explicitly specified in the driver structure. For most of these Broadcom devices, there is probably a hardware reset that gets asserted to reset the PHY during boot, however for SFP modules (where the BCM54616S is commonly found) no such reset line exists, so if the board keeps the SFP cage powered up across a reboot, it will end up with no reset occurring during reboots. Hook up the genphy_soft_reset callback for BCM54616S to ensure that a PHY reset is performed before the device is initialized. This appears to fix the issue with erratic operation after a reboot with this SFP module. Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") Signed-off-by: Robert Hancock Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 58e81159b4f7ce89d69d350c1dcebca763f587ac Author: Vincent Guittot Date: Tue Jan 11 14:46:56 2022 +0100 sched/pelt: Relax the sync of util_sum with util_avg [ Upstream commit 98b0d890220d45418cfbc5157b3382e6da5a12ab ] Rick reported performance regressions in bugzilla because of cpu frequency being lower than before: https://bugzilla.kernel.org/show_bug.cgi?id=215045 He bisected the problem to: commit 1c35b07e6d39 ("sched/fair: Ensure _sum and _avg values stay consistent") This commit forces util_sum to be synced with the new util_avg after removing the contribution of a task and before the next periodic sync. By doing so util_sum is rounded to its lower bound and might lost up to LOAD_AVG_MAX-1 of accumulated contribution which has not yet been reflected in util_avg. Instead of always setting util_sum to the low bound of util_avg, which can significantly lower the utilization of root cfs_rq after propagating the change down into the hierarchy, we revert the change of util_sum and propagate the difference. In addition, we also check that cfs's util_sum always stays above the lower bound for a given util_avg as it has been observed that sched_entity's util_sum is sometimes above cfs one. Fixes: 1c35b07e6d39 ("sched/fair: Ensure _sum and _avg values stay consistent") Reported-by: Rick Yiu Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Tested-by: Sachin Sant Link: https://lkml.kernel.org/r/20220111134659.24961-2-vincent.guittot@linaro.org Signed-off-by: Sasha Levin commit 767060539ac4fe683300a9004e7956b1f6dbd657 Author: Peter Zijlstra Date: Mon Dec 20 13:19:52 2021 +0100 perf: Fix perf_event_read_local() time [ Upstream commit 09f5e7dc7ad705289e1b1ec065439aa3c42951c4 ] Time readers that cannot take locks (due to NMI etc..) currently make use of perf_event::shadow_ctx_time, which, for that event gives: time' = now + (time - timestamp) or, alternatively arranged: time' = time + (now - timestamp) IOW, the progression of time since the last time the shadow_ctx_time was updated. There's problems with this: A) the shadow_ctx_time is per-event, even though the ctx_time it reflects is obviously per context. The direct concequence of this is that the context needs to iterate all events all the time to keep the shadow_ctx_time in sync. B) even with the prior point, the context itself might not be active meaning its time should not advance to begin with. C) shadow_ctx_time isn't consistently updated when ctx_time is There are 3 users of this stuff, that suffer differently from this: - calc_timer_values() - perf_output_read() - perf_event_update_userpage() /* A */ - perf_event_read_local() /* A,B */ In particular, perf_output_read() doesn't suffer at all, because it's sample driven and hence only relevant when the event is actually running. This same was supposed to be true for perf_event_update_userpage(), after all self-monitoring implies the context is active *HOWEVER*, as per commit f79256532682 ("perf/core: fix userpage->time_enabled of inactive events") this goes wrong when combined with counter overcommit, in that case those events that do not get scheduled when the context becomes active (task events typically) miss out on the EVENT_TIME update and ENABLED time is inflated (for a little while) with the time the context was inactive. Once the event gets rotated in, this gets corrected, leading to a non-monotonic timeflow. perf_event_read_local() made things even worse, it can request time at any point, suffering all the problems perf_event_update_userpage() does and more. Because while perf_event_update_userpage() is limited by the context being active, perf_event_read_local() users have no such constraint. Therefore, completely overhaul things and do away with perf_event::shadow_ctx_time. Instead have regular context time updates keep track of this offset directly and provide perf_event_time_now() to complement perf_event_time(). perf_event_time_now() will, in adition to being context wide, also take into account if the context is active. For inactive context, it will not advance time. This latter property means the cgroup perf_cgroup_info context needs to grow addition state to track this. Additionally, since all this is strictly per-cpu, we can use barrier() to order context activity vs context time. Fixes: 7d9285e82db5 ("perf/bpf: Extend the perf_event_read_local() interface, a.k.a. "bpf: perf event change needed for subsequent bpf helpers"") Signed-off-by: Peter Zijlstra (Intel) Tested-by: Song Liu Tested-by: Namhyung Kim Link: https://lkml.kernel.org/r/YcB06DasOBtU0b00@hirez.programming.kicks-ass.net Signed-off-by: Sasha Levin commit 498e6604a3aeadbbb8013375c00c4b76527f91fc Author: Nicholas Piggin Date: Mon Jan 17 23:44:03 2022 +1000 powerpc/64s: Mask SRR0 before checking against the masked NIP [ Upstream commit aee101d7b95a03078945681dd7f7ea5e4a1e7686 ] Commit 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against SRR0") masked off the low 2 bits of the NIP value in the interrupt stack frame in case they are non-zero and mis-compare against a SRR0 register value of a CPU which always reads back 0 from the 2 low bits which are reserved. This now causes the opposite problem that an implementation which does implement those bits in SRR0 will mis-compare against the masked NIP value in which they have been cleared. QEMU is one such implementation, and this is allowed by the architecture. This can be triggered by sigfuz by setting low bits of PT_NIP in the signal context. Fix this for now by masking the SRR0 bits as well. Cleaner is probably to sanitise these values before putting them in registers or stack, but this is the quick and backportable fix. Fixes: 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against SRR0") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220117134403.2995059-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit 3dc90add0ca9b3cfd9a35d95f80a92c79c11f07e Author: Florian Westphal Date: Thu Jan 13 21:37:58 2022 +0100 netfilter: conntrack: don't increment invalid counter on NF_REPEAT [ Upstream commit 830af2eba40327abec64325a5b08b1e85c37a2e0 ] The packet isn't invalid, REPEAT means we're trying again after cleaning out a stale connection, e.g. via tcp tracker. This caused increases of invalid stat counter in a test case involving frequent connection reuse, even though no packet is actually invalid. Fixes: 56a62e2218f5 ("netfilter: conntrack: fix NF_REPEAT handling") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 3bfbc00587dc883eaed383558ae512a351c2cd09 Author: Naveen N. Rao Date: Thu Jan 6 17:15:12 2022 +0530 powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 [ Upstream commit 3f5f766d5f7f95a69a630da3544a1a0cee1cdddf ] Johan reported the below crash with test_bpf on ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Oops: Exception in kernel mode, sig: 4 [#1] BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500 Modules linked in: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty) MSR: 0000000080089000 CR: 88002822 XER: 20000000 IRQMASK: 0 <...> NIP [8000000000061c3c] 0x8000000000061c3c LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf] Call Trace: .__run_one+0x60/0x17c [test_bpf] (unreliable) .test_bpf_init+0x6a8/0xdc8 [test_bpf] .do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupt: c00 at 0x101d0acc <...> ---[ end trace 47b2bf19090bb3d0 ]--- Illegal instruction The illegal instruction turned out to be 'ldbrx' emitted for BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of the same and implement an alternative approach for older processors. Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF") Reported-by: Johan Almbladh Signed-off-by: Naveen N. Rao Tested-by: Johan Almbladh Acked-by: Johan Almbladh Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/d1e51c6fdf572062cf3009a751c3406bda01b832.1641468127.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit d66377ed9a206632d6f6d2a88a0094c8f635e3d0 Author: Chuck Lever Date: Thu Jan 13 12:20:36 2022 -0500 SUNRPC: Don't dereference xprt->snd_task if it's a cookie [ Upstream commit aed28b7a2d620cb5cd0c554cb889075c02e25e8e ] Fixes: e26d9972720e ("SUNRPC: Clean up scheduling of autoclose") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 8ea839e3a59edac64dbcf0f88e1c95eeea76ac42 Author: Chuck Lever Date: Sat Oct 16 18:02:38 2021 -0400 SUNRPC: Use BIT() macro in rpc_show_xprt_state() [ Upstream commit 76497b1adb89175eee85afc437f08a68247314b3 ] Clean up: BIT() is preferred over open-coding the shift. Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 19d4d09c2f163d90ed6bfea778f9bc4f70a3c534 Author: Marc Zyngier Date: Fri Jan 14 08:57:58 2022 +0000 KVM: arm64: pkvm: Use the mm_ops indirection for cache maintenance [ Upstream commit 094d00f8ca58c5d29b25e23b4daaed1ff1f13b41 ] CMOs issued from EL2 cannot directly use the kernel helpers, as EL2 doesn't have a mapping of the guest pages. Oops. Instead, use the mm_ops indirection to use helpers that will perform a mapping at EL2 and allow the CMO to be effective. Fixes: 25aa28691bb9 ("KVM: arm64: Move guest CMOs to the fault handlers") Reviewed-by: Quentin Perret Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220114125038.1336965-1-maz@kernel.org Signed-off-by: Sasha Levin commit ee062665fbaef1a5d9092acdc156c0e3fde114a6 Author: Trond Myklebust Date: Wed Dec 15 16:38:16 2021 -0500 NFS: Ensure the server has an up to date ctime before renaming [ Upstream commit 6ff9d99bb88faebf134ca668842349d9718e5464 ] Renaming a file is required by POSIX to update the file ctime, so ensure that the file data is synced to disk so that we don't clobber the updated ctime by writing back after creating the hard link. Fixes: f2c2c552f119 ("NFS: Move delegation recall into the NFSv4 callback for rename_setup()") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 7a784c2eaae868ddd57cd2a6d7f307e5d504dea7 Author: Trond Myklebust Date: Wed Dec 15 16:38:15 2021 -0500 NFS: Ensure the server has an up to date ctime before hardlinking [ Upstream commit 204975036b34f55237bc44c8a302a88468ef21b5 ] Creating a hard link is required by POSIX to update the file ctime, so ensure that the file data is synced to disk so that we don't clobber the updated ctime by writing back after creating the hard link. Fixes: 9f7682728728 ("NFS: Move the delegation return down into nfs4_proc_link()") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit fe36a67e82c846eeaceeae2b6c281ccab2e8239a Author: Eric Dumazet Date: Thu Jan 20 09:41:12 2022 -0800 ipv6: annotate accesses to fn->fn_sernum commit aafc2e3285c2d7a79b7ee15221c19fbeca7b1509 upstream. struct fib6_node's fn_sernum field can be read while other threads change it. Add READ_ONCE()/WRITE_ONCE() annotations. Do not change existing smp barriers in fib6_get_cookie_safe() and __fib6_update_sernum_upto_root() syzbot reported: BUG: KCSAN: data-race in fib6_clean_node / inet6_csk_route_socket write to 0xffff88813df62e2c of 4 bytes by task 1920 on cpu 1: fib6_clean_node+0xc2/0x260 net/ipv6/ip6_fib.c:2178 fib6_walk_continue+0x38e/0x430 net/ipv6/ip6_fib.c:2112 fib6_walk net/ipv6/ip6_fib.c:2160 [inline] fib6_clean_tree net/ipv6/ip6_fib.c:2240 [inline] __fib6_clean_all+0x1a9/0x2e0 net/ipv6/ip6_fib.c:2256 fib6_flush_trees+0x6c/0x80 net/ipv6/ip6_fib.c:2281 rt_genid_bump_ipv6 include/net/net_namespace.h:488 [inline] addrconf_dad_completed+0x57f/0x870 net/ipv6/addrconf.c:4230 addrconf_dad_work+0x908/0x1170 process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 worker_thread+0x616/0xa70 kernel/workqueue.c:2454 kthread+0x1bf/0x1e0 kernel/kthread.c:359 ret_from_fork+0x1f/0x30 read to 0xffff88813df62e2c of 4 bytes by task 15701 on cpu 0: fib6_get_cookie_safe include/net/ip6_fib.h:285 [inline] rt6_get_cookie include/net/ip6_fib.h:306 [inline] ip6_dst_store include/net/ip6_route.h:234 [inline] inet6_csk_route_socket+0x352/0x3c0 net/ipv6/inet6_connection_sock.c:109 inet6_csk_xmit+0x91/0x1e0 net/ipv6/inet6_connection_sock.c:121 __tcp_transmit_skb+0x1323/0x1840 net/ipv4/tcp_output.c:1402 tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline] tcp_write_xmit+0x1450/0x4460 net/ipv4/tcp_output.c:2680 __tcp_push_pending_frames+0x68/0x1c0 net/ipv4/tcp_output.c:2864 tcp_push+0x2d9/0x2f0 net/ipv4/tcp.c:725 mptcp_push_release net/mptcp/protocol.c:1491 [inline] __mptcp_push_pending+0x46c/0x490 net/mptcp/protocol.c:1578 mptcp_sendmsg+0x9ec/0xa50 net/mptcp/protocol.c:1764 inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:643 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] kernel_sendmsg+0x97/0xd0 net/socket.c:745 sock_no_sendpage+0x84/0xb0 net/core/sock.c:3086 inet_sendpage+0x9d/0xc0 net/ipv4/af_inet.c:834 kernel_sendpage+0x187/0x200 net/socket.c:3492 sock_sendpage+0x5a/0x70 net/socket.c:1007 pipe_to_sendpage+0x128/0x160 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x207/0x500 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0x94/0xd0 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] direct_splice_actor+0x80/0xa0 fs/splice.c:936 splice_direct_to_actor+0x345/0x650 fs/splice.c:891 do_splice_direct+0x106/0x190 fs/splice.c:979 do_sendfile+0x675/0xc40 fs/read_write.c:1245 __do_sys_sendfile64 fs/read_write.c:1310 [inline] __se_sys_sendfile64 fs/read_write.c:1296 [inline] __x64_sys_sendfile64+0x102/0x140 fs/read_write.c:1296 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x0000026f -> 0x00000271 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 15701 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 The Fixes tag I chose is probably arbitrary, I do not think we need to backport this patch to older kernels. Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node") Signed-off-by: Eric Dumazet Reported-by: syzbot Link: https://lore.kernel.org/r/20220120174112.1126644-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 56480fb10b976581a363fd168dc2e4fbee87a1a7 Author: José Expósito Date: Sun Jan 16 19:18:44 2022 +0100 drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable commit 5e761a2287234bc402ba7ef07129f5103bcd775c upstream. The function performs a check on the "phy" input parameter, however, it is used before the check. Initialize the "dev" variable after the sanity check to avoid a possible NULL pointer dereference. Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files") Addresses-Coverity-ID: 1493860 ("Null pointer dereference") Signed-off-by: José Expósito Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Greg Kroah-Hartman commit 0069c2331be061668afb758f8dfc84dd160a57b8 Author: Miaoqian Lin Date: Thu Dec 30 07:09:40 2021 +0000 drm/msm/dsi: Fix missing put_device() call in dsi_get_phy commit c04c3148ca12227d92f91b355b4538cc333c9922 upstream. If of_find_device_by_node() succeeds, dsi_get_phy() doesn't a corresponding put_device(). Thus add put_device() to fix the exception handling. Fixes: ec31abf ("drm/msm/dsi: Separate PHY to another platform device") Signed-off-by: Miaoqian Lin Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20211230070943.18116-1-linmq006@gmail.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Greg Kroah-Hartman commit 971754f4681c4c9b042c49f094e1f1d7bbdc608c Author: Xianting Tian Date: Wed Jan 12 20:33:34 2022 +0800 drm/msm: Fix wrong size calculation commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e upstream. For example, memory-region in .dts as below, reg = <0x0 0x50000000 0x0 0x20000000> We can get below values, struct resource r; r.start = 0x50000000; r.end = 0x6fffffff; So the size should be: size = r.end - r.start + 1 = 0x20000000 Signed-off-by: Xianting Tian Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem") Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d70d2aa49acebb936f38e38c10f4b0c1590c8c98 Author: Jianguo Wu Date: Fri Jan 21 17:15:31 2022 +0800 net-procfs: show net devices bound packet types commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 upstream. After commit:7866a621043f ("dev: add per net_device packet type chains"), we can not get packet types that are bound to a specified net device by /proc/net/ptype, this patch fix the regression. Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch: Before: [root@localhost ~]# cat /proc/net/ptype Type Device Function 0800 ip_rcv 0806 arp_rcv 86dd ipv6_rcv After: [root@localhost ~]# cat /proc/net/ptype Type Device Function ALL ens192 tpacket_rcv 0800 ip_rcv 0806 arp_rcv 86dd ipv6_rcv v1 -> v2: - fix the regression rather than adding new /proc API as suggested by Stephen Hemminger. Fixes: 7866a621043f ("dev: add per net_device packet type chains") Signed-off-by: Jianguo Wu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d7396948cf389b3107fa9365fca5043e19e0e0c5 Author: Trond Myklebust Date: Thu Jan 6 18:24:03 2022 -0500 NFSv4: nfs_atomic_open() can race when looking up a non-regular file commit 1751fc1db36f6f411709e143d5393f92d12137a9 upstream. If the file type changes back to being a regular file on the server between the failed OPEN and our LOOKUP, then we need to re-run the OPEN. Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 4c36ca387af4a9b5d775e46a6cb9dc2d151bf057 Author: Trond Myklebust Date: Thu Jan 6 18:24:02 2022 -0500 NFSv4: Handle case where the lookup of a directory fails commit ac795161c93699d600db16c1a8cc23a65a1eceaf upstream. If the application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() will punt to doing a regular lookup. If the server then returns a regular file, we will happily return a file descriptor with uninitialised open state. The fix is to return the expected ENOTDIR error in these cases. Reported-by: Lyu Tao Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 72edb228b420efa70ced62593ca05b92c6496b2c Author: Guenter Roeck Date: Thu Jan 6 11:48:52 2022 -0800 hwmon: (lm90) Reduce maximum conversion rate for G781 [ Upstream commit a66c5ed539277b9f2363bbace0dba88b85b36c26 ] According to its datasheet, G781 supports a maximum conversion rate value of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only support a maximum conversion rate value of 7 (125 ms). On the other side, chips labeled G781-1 and G784 were found to support a conversion rate value of 8. There is no known means to distinguish G780 from G781 or G784; all chips report the same manufacturer ID and chip revision. Setting the conversion rate register value to 8 on chips not supporting it causes unexpected behavior since the real conversion rate is set to 0 (16 seconds) if a value of 8 is written into the conversion rate register. Limit the conversion rate register value to 7 for all G78x chips to avoid the problem. Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit dee686cbfdd13ca022f20be344a14f595a93f303 Author: Eric Dumazet Date: Wed Jan 26 17:10:22 2022 -0800 ipv4: avoid using shared IP generator for connected sockets commit 23f57406b82de51809d5812afd96f210f8b627f3 upstream. ip_select_ident_segs() has been very conservative about using the connected socket private generator only for packets with IP_DF set, claiming it was needed for some VJ compression implementations. As mentioned in this referenced document, this can be abused. (Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) Before switching to pure random IPID generation and possibly hurt some workloads, lets use the private inet socket generator. Not only this will remove one vulnerability, this will also improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reported-by: Ray Che Cc: Willy Tarreau Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit eeb0c916b0f861d1687f528a75e13e8808a970cf Author: Xin Long Date: Sat Jan 22 06:40:56 2022 -0500 ping: fix the sk_bound_dev_if match in ping_lookup commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 upstream. When 'ping' changes to use PING socket instead of RAW socket by: # sysctl -w net.ipv4.ping_group_range="0 100" the selftests 'router_broadcast.sh' will fail, as such command # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b can't receive the response skb by the PING socket. It's caused by mismatch of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket, as dif is vrf-h1 if dif's master was set to vrf-h1. This patch is to fix this regression by also checking the sk_bound_dev_if against sdif so that the packets can stil be received even if the socket is not bound to the vrf device but to the real iif. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Reported-by: Hangbin Liu Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4d647a2b607423951d4fd22acc33f21c476f4dc5 Author: Guenter Roeck Date: Fri Jan 7 11:11:00 2022 -0800 hwmon: (lm90) Mark alert as broken for MAX6680 commit 94746b0ba479743355e0d3cc1cb9cfe3011fb8be upstream. Experiments with MAX6680 and MAX6681 show that the alert function of those chips is broken, similar to other chips supported by the lm90 driver. Mark it accordingly. Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 38cfdc0ef4745bda3227629c86d72288d5a141a2 Author: Guenter Roeck Date: Fri Jan 7 12:36:41 2022 -0800 hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 commit f614629f9c1080dcc844a8430e3fb4c37ebbf05d upstream. Experiments with MAX6646 and MAX6648 show that the alert function of those chips is broken, similar to other chips supported by the lm90 driver. Mark it accordingly. Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e43669c77cb3a742b7d84ecdc7c68c4167a7709b Author: Congyu Liu Date: Tue Jan 18 14:20:13 2022 -0500 net: fix information leakage in /proc/net/ptype commit 47934e06b65637c88a762d9c98329ae6e3238888 upstream. In one net namespace, after creating a packet socket without binding it to a device, users in other net namespaces can observe the new `packet_type` added by this packet socket by reading `/proc/net/ptype` file. This is minor information leakage as packet socket is namespace aware. Add a net pointer in `packet_type` to keep the net namespace of of corresponding packet socket. In `ptype_seq_show`, this net pointer must be checked when it is not NULL. Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.") Signed-off-by: Congyu Liu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1515e72aae803fc6b466adf918e71c4e4c9d5b3d Author: sparkhuang Date: Wed Dec 15 10:08:23 2021 +0100 ARM: 9170/1: fix panic when kasan and kprobe are enabled commit 8b59b0a53c840921b625378f137e88adfa87647e upstream. arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support") Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") Signed-off-by: huangshaobo Acked-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit 88e32f7b37a0fce0aa6ee97f5fe546c3f2c0e21c Author: Ido Schimmel Date: Thu Jan 20 10:05:46 2022 +0200 ipv6_tunnel: Rate limit warning messages commit 6cee105e7f2ced596373951d9ea08dacc3883c68 upstream. The warning messages can be invoked from the data path for every packet transmitted through an ip6gre netdev, leading to high CPU utilization. Fix that by rate limiting the messages. Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime") Reported-by: Maksym Yaremchuk Tested-by: Maksym Yaremchuk Signed-off-by: Ido Schimmel Reviewed-by: Amit Cohen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b11e34f7bab21df36f02a5e54fb69e858c09a65d Author: John Meneghini Date: Fri Jan 14 23:00:44 2022 -0500 scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() commit 847f9ea4c5186fdb7b84297e3eeed9e340e83fce upstream. The bnx2fc_destroy() functions are removing the interface before calling destroy_work. This results multiple WARNings from sysfs_remove_group() as the controller rport device attributes are removed too early. Replace the fcoe_port's destroy_work queue. It's not needed. The problem is easily reproducible with the following steps. Example: $ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! [ 583.490468] ------------[ cut here ]------------ [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Call Trace: [ 584.466108] device_del+0xb2/0x3e0 [ 584.481701] device_unregister+0x13/0x60 [ 584.501306] bsg_unregister_queue+0x5b/0x80 [ 584.522029] bsg_remove_queue+0x1c/0x40 [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] [ 584.573823] process_one_work+0x1e3/0x3b0 [ 584.592396] worker_thread+0x50/0x3b0 [ 584.609256] ? rescuer_thread+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? set_kthread_struct+0x40/0x40 [ 584.662909] ret_from_fork+0x22/0x30 [ 584.680002] ---[ end trace 53575ecefa942ece ]--- Link: https://lore.kernel.org/r/20220115040044.1013475-1-jmeneghi@redhat.com Fixes: 0cbf32e1681d ("[SCSI] bnx2fc: Avoid calling bnx2fc_if_destroy with unnecessary locks") Tested-by: Guangwu Zhang Co-developed-by: Maurizio Lombardi Signed-off-by: Maurizio Lombardi Signed-off-by: John Meneghini Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9c2ece4852a628dadb716e3596e6c9c3aa198b3f Author: Yang Yingliang Date: Tue Jan 11 09:24:41 2022 +0800 scsi: elx: efct: Don't use GFP_KERNEL under spin lock commit 61263b3a11a2594b4e898f166c31162236182b5c upstream. GFP_KERNEL/GFP_DMA can't be used under a spin lock. According the comment, els_ios_lock is used to protect els ios list so we can move down the spin lock to avoid using this flag under the lock. Link: https://lore.kernel.org/r/20220111012441.3232527-1-yangyingliang@huawei.com Fixes: 8f406ef72859 ("scsi: elx: libefc: Extended link Service I/O handling") Reported-by: Hulk Robot Reviewed-by: James Smart Signed-off-by: Yang Yingliang Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit daf9ac79e75b1e396c3c4f2113d5344e3ce27dcb Author: Matthias Kaehlcke Date: Mon Jan 10 10:47:37 2022 -0800 rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev commit 7a534ae89e34e9b51acb5a63dd0f88308178b46a upstream. struct rpmsg_eptdev contains a struct cdev. The current code frees the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_eptdev could be freed before the cdev is entirely released. The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del(). Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") Suggested-by: Bjorn Andersson Signed-off-by: Matthias Kaehlcke Reviewed-by: Mathieu Poirier Reviewed-by: Stephen Boyd Reviewed-by: Bjorn Andersson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid Signed-off-by: Greg Kroah-Hartman commit 85aba11a8ea92a8eef2de95ebbe063086fd62d9c Author: Sujit Kautkar Date: Mon Jan 10 10:47:36 2022 -0800 rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev commit b7fb2dad571d1e21173c06cef0bced77b323990a upstream. struct rpmsg_ctrldev contains a struct cdev. The current code frees the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_ctrldev could be freed before the cdev is entirely released, as in the backtrace below. [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) [ 93.730055] Workqueue: events kobject_delayed_cleanup [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 93.740216] pc : debug_print_object+0x13c/0x1b0 [ 93.744890] lr : debug_print_object+0x13c/0x1b0 [ 93.749555] sp : ffffffacf5bc7940 [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 [ 93.802244] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [ 93.835104] Call trace: [ 93.837644] debug_print_object+0x13c/0x1b0 [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 [ 93.846987] debug_check_no_obj_freed+0x18/0x20 [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 [ 93.864445] device_release+0x84/0x168 [ 93.868310] kobject_cleanup+0x12c/0x298 [ 93.872356] kobject_delayed_cleanup+0x10/0x18 [ 93.876948] process_one_work+0x578/0x92c [ 93.881086] worker_thread+0x804/0xcf8 [ 93.884963] kthread+0x2a8/0x314 [ 93.888303] ret_from_fork+0x10/0x18 The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del(). Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface") Signed-off-by: Sujit Kautkar Signed-off-by: Matthias Kaehlcke Reviewed-by: Mathieu Poirier Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid Signed-off-by: Greg Kroah-Hartman commit a1f7aa8d60bf8234f5fa4678f556192380afd281 Author: Linyu Yuan Date: Mon Jan 10 20:43:28 2022 +0800 usb: roles: fix include/linux/usb/role.h compile issue commit 945c37ed564770c78dfe6b9f08bed57a1b4e60ef upstream. when CONFIG_USB_ROLE_SWITCH is not defined, add usb_role_switch_find_by_fwnode() definition which return NULL. Fixes: c6919d5e0cd1 ("usb: roles: Add usb_role_switch_find_by_fwnode()") Signed-off-by: Linyu Yuan Link: https://lore.kernel.org/r/1641818608-25039-1-git-send-email-quic_linyyuan@quicinc.com Signed-off-by: Greg Kroah-Hartman commit d22045c802836b8de3a649c55ffa61e54fe2bd6c Author: Joe Damato Date: Wed Dec 8 17:56:33 2021 -0800 i40e: fix unsigned stat widths commit 3b8428b84539c78fdc8006c17ebd25afd4722d51 upstream. Change i40e_update_vsi_stats and struct i40e_vsi to use u64 fields to match the width of the stats counters in struct i40e_rx_queue_stats. Update debugfs code to use the correct format specifier for u64. Fixes: 41c445ff0f48 ("i40e: main driver core") Signed-off-by: Joe Damato Reported-by: kernel test robot Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit d49582860d33237d1a595545455a0069457fdadb Author: Karen Sornek Date: Thu Dec 2 12:52:01 2021 +0100 i40e: Fix for failed to init adminq while VF reset commit 0f344c8129a5337dae50e31b817dd50a60ff238c upstream. Fix for failed to init adminq: -53 while VF is resetting via MAC address changing procedure. Added sync module to avoid reading deadbeef value in reinit adminq during software reset. Without this patch it is possible to trigger VF reset procedure during reinit adminq. This resulted in an incorrect reading of value from the AQP registers and generated the -53 error. Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface") Signed-off-by: Grzegorz Szczurek Signed-off-by: Karen Sornek Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 00eddb0e4ea115154581d1049507a996acfc2d3e Author: Sylwester Dziedziuch Date: Fri Nov 26 11:11:22 2021 +0100 i40e: Fix queues reservation for XDP commit 92947844b8beee988c0ce17082b705c2f75f0742 upstream. When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference. i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 i40e 0000:87:00.0: setup of MAIN VSI failed BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] Call Trace: ? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80 ? ata_qc_issue+0x107/0x1e0 ? lock_timer_base+0x61/0x80 ? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10 ? security_capable+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copy_from_user+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on. Fix this by always allocating last queue in PF queue pile for a flow director VSI. Fixes: 41c445ff0f48 ("i40e: main driver core") Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action") Signed-off-by: Sylwester Dziedziuch Signed-off-by: Mateusz Palczewski Reviewed-by: Maciej Fijalkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 98b70add75762331dc936fe9b3712087d18d533d Author: Jedrzej Jagielski Date: Fri Nov 5 11:17:00 2021 +0000 i40e: Fix issue when maximum queues is exceeded commit d701658a50a471591094b3eb3961b4926cc8f104 upstream. Before this patch VF interface vanished when maximum queue number was exceeded. Driver tried to add next queues even if there was not enough space. PF sent incorrect number of queues to the VF when there were not enough of them. Add an additional condition introduced to check available space in 'qp_pile' before proceeding. This condition makes it impossible to add queues if they number is greater than the number resulting from available space. Also add the search for free space in PF queue pair piles. Without this patch VF interfaces are not seen when available space for queues has been exceeded and following logs appears permanently in dmesg: "Unable to get VF config (-32)". "VF 62 failed opcode 3, retval: -5" "Unable to get VF config due to PF error condition, not retrying" Fixes: 7daa6bf3294e ("i40e: driver core headers") Fixes: 41c445ff0f48 ("i40e: main driver core") Signed-off-by: Jaroslaw Gawin Signed-off-by: Slawomir Laba Signed-off-by: Jedrzej Jagielski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit d12f5a7c48a93020827a2681cc96a1c1a6325829 Author: Jedrzej Jagielski Date: Thu Oct 28 13:51:14 2021 +0000 i40e: Increase delay to 1 s after global EMP reset commit 9b13bd53134c9ddd544a790125199fdbdb505e67 upstream. Recently simplified i40e_rebuild causes that FW sometimes is not ready after NVM update, the ping does not return. Increase the delay in case of EMP reset. Old delay of 300 ms was introduced for specific cards for 710 series. Now it works for all the cards and delay was increased. Fixes: 1fa51a650e1d ("i40e: Add delay after EMP reset for firmware to recover") Signed-off-by: Arkadiusz Kubalewski Signed-off-by: Jedrzej Jagielski Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit c894d2f9fd536c4dfc750cd1fe9c6bcd42a422dc Author: Christophe Leroy Date: Wed Dec 22 13:07:31 2021 +0000 powerpc/32: Fix boot failure with GCC latent entropy plugin commit bba496656a73fc1d1330b49c7f82843836e9feb1 upstream. Boot fails with GCC latent entropy plugin enabled. This is due to early boot functions trying to access 'latent_entropy' global data while the kernel is not relocated at its final destination yet. As there is no way to tell GCC to use PTRRELOC() to access it, disable latent entropy plugin in early_32.o and feature-fixups.o and code-patching.o Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin") Cc: stable@vger.kernel.org # v4.9+ Reported-by: Erhard Furtner Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://bugzilla.kernel.org/show_bug.cgi?id=215217 Link: https://lore.kernel.org/r/2bac55483b8daf5b1caa163a45fa5f9cdbe18be4.1640178426.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit db37befafa536d1eed293fa5765ad781c3152071 Author: Christophe Leroy Date: Mon Jan 10 15:29:25 2022 +0000 powerpc/32s: Fix kasan_init_region() for KASAN commit d37823c3528e5e0705fc7746bcbc2afffb619259 upstream. It has been reported some configuration where the kernel doesn't boot with KASAN enabled. This is due to wrong BAT allocation for the KASAN area: ---[ Data Block Address Translation ]--- 0: 0xc0000000-0xcfffffff 0x00000000 256M Kernel rw m 1: 0xd0000000-0xdfffffff 0x10000000 256M Kernel rw m 2: 0xe0000000-0xefffffff 0x20000000 256M Kernel rw m 3: 0xf8000000-0xf9ffffff 0x2a000000 32M Kernel rw m 4: 0xfa000000-0xfdffffff 0x2c000000 64M Kernel rw m A BAT must have both virtual and physical addresses alignment matching the size of the BAT. This is not the case for BAT 4 above. Fix kasan_init_region() by using block_size() function that is in book3s32/mmu.c. To be able to reuse it here, make it non static and change its name to bat_block_size() in order to avoid name conflict with block_size() defined in Also reuse find_free_bat() to avoid an error message from setbat() when no BAT is available. And allocate memory outside of linear memory mapping to avoid wasting that precious space. With this change we get correct alignment for BATs and KASAN shadow memory is allocated outside the linear memory space. ---[ Data Block Address Translation ]--- 0: 0xc0000000-0xcfffffff 0x00000000 256M Kernel rw 1: 0xd0000000-0xdfffffff 0x10000000 256M Kernel rw 2: 0xe0000000-0xefffffff 0x20000000 256M Kernel rw 3: 0xf8000000-0xfbffffff 0x7c000000 64M Kernel rw 4: 0xfc000000-0xfdffffff 0x7a000000 32M Kernel rw Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()") Cc: stable@vger.kernel.org Reported-by: Maxime Bizon Signed-off-by: Christophe Leroy Tested-by: Maxime Bizon Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/7a50ef902494d1325227d47d33dada01e52e5518.1641818726.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 569c81c077eb8a22d84825f2ef1cd7fd4327d241 Author: Christophe Leroy Date: Fri Nov 26 13:40:35 2021 +0100 powerpc/32s: Allocate one 256k IBAT instead of two consecutives 128k IBATs commit 37eb7ca91b692e8e49e7dd50158349a6c8fb5b09 upstream. Today we have the following IBATs allocated: ---[ Instruction Block Address Translation ]--- 0: 0xc0000000-0xc03fffff 0x00000000 4M Kernel x m 1: 0xc0400000-0xc05fffff 0x00400000 2M Kernel x m 2: 0xc0600000-0xc06fffff 0x00600000 1M Kernel x m 3: 0xc0700000-0xc077ffff 0x00700000 512K Kernel x m 4: 0xc0780000-0xc079ffff 0x00780000 128K Kernel x m 5: 0xc07a0000-0xc07bffff 0x007a0000 128K Kernel x m 6: - 7: - The two 128K should be a single 256K instead. When _etext is not aligned to 128Kbytes, the system will allocate all necessary BATs to the lower 128Kbytes boundary, then allocate an additional 128Kbytes BAT for the remaining block. Instead, align the top to 128Kbytes so that the function directly allocates a 256Kbytes last block: ---[ Instruction Block Address Translation ]--- 0: 0xc0000000-0xc03fffff 0x00000000 4M Kernel x m 1: 0xc0400000-0xc05fffff 0x00400000 2M Kernel x m 2: 0xc0600000-0xc06fffff 0x00600000 1M Kernel x m 3: 0xc0700000-0xc077ffff 0x00700000 512K Kernel x m 4: 0xc0780000-0xc07bffff 0x00780000 256K Kernel x m 5: - 6: - 7: - Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/ab58b296832b0ec650e2203200e060adbcb2677d.1637930421.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 190753f63fc090d0c88e7beec9b60351a3708037 Author: Tony Luck Date: Fri Jan 21 09:47:38 2022 -0800 x86/cpu: Add Xeon Icelake-D to list of CPUs that support PPIN commit e464121f2d40eabc7d11823fb26db807ce945df4 upstream. Missed adding the Icelake-D CPU to the list. It uses the same MSRs to control and read the inventory number as all the other models. Fixes: dc6b025de95b ("x86/mce: Add Xeon Icelake to list of CPUs that support PPIN") Reported-by: Ailin Xu Signed-off-by: Tony Luck Signed-off-by: Borislav Petkov Cc: Link: https://lore.kernel.org/r/20220121174743.1875294-2-tony.luck@intel.com Signed-off-by: Greg Kroah-Hartman commit 98ccfec9eae6ac4175779a2e44899529b6a4d7e3 Author: Yazen Ghannam Date: Mon Jan 17 16:13:28 2022 +0000 x86/MCE/AMD: Allow thresholding interface updates after init commit 1f52b0aba6fd37653416375cb8a1ca673acf8d5f upstream. Changes to the AMD Thresholding sysfs code prevents sysfs writes from updating the underlying registers once CPU init is completed, i.e. "threshold_banks" is set. Allow the registers to be updated if the thresholding interface is already initialized or if in the init path. Use the "set_lvt_off" value to indicate if running in the init path, since this value is only set during init. Fixes: a037f3ca0ea0 ("x86/mce/amd: Make threshold bank setting hotplug robust") Signed-off-by: Yazen Ghannam Signed-off-by: Borislav Petkov Cc: Link: https://lore.kernel.org/r/20220117161328.19148-1-yazen.ghannam@amd.com Signed-off-by: Greg Kroah-Hartman commit 74e88eceb0afeec4d000d0d63df27b1363fd0a77 Author: Bjorn Helgaas Date: Wed Jan 26 09:40:01 2022 -0600 PCI/sysfs: Find shadow ROM before static attribute initialization commit 66d28b21fe6b3da8d1e9f0a7ba38bc61b6c547e1 upstream. Ville reported that the sysfs "rom" file for VGA devices disappeared after 527139d738d7 ("PCI/sysfs: Convert "rom" to static attribute"). Prior to 527139d738d7, FINAL fixups, including pci_fixup_video() where we find shadow ROMs, were run before pci_create_sysfs_dev_files() created the sysfs "rom" file. After 527139d738d7, "rom" is a static attribute and is created before FINAL fixups are run, so we didn't create "rom" files for shadow ROMs: acpi_pci_root_add ... pci_scan_single_device pci_device_add pci_fixup_video # <-- new HEADER fixup device_add ... if (grp->is_visible()) pci_dev_rom_attr_is_visible # after 527139d738d7 pci_bus_add_devices pci_bus_add_device pci_fixup_device(pci_fixup_final) pci_fixup_video # <-- previous FINAL fixup pci_create_sysfs_dev_files if (pci_resource_len(pdev, PCI_ROM_RESOURCE)) sysfs_create_bin_file("rom") # before 527139d738d7 Change pci_fixup_video() to be a HEADER fixup so it runs before sysfs static attributes are initialized. Rename the Loongson pci_fixup_radeon() to pci_fixup_video() and make its dmesg logging identical to the others since it is doing the same job. Link: https://lore.kernel.org/r/YbxqIyrkv3GhZVxx@intel.com Fixes: 527139d738d7 ("PCI/sysfs: Convert "rom" to static attribute") Link: https://lore.kernel.org/r/20220126154001.16895-1-helgaas@kernel.org Reported-by: Ville Syrjälä Tested-by: Ville Syrjälä Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v5.13+ Cc: Huacai Chen Cc: Jiaxun Yang Cc: Thomas Bogendoerfer Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: Krzysztof Wilczyński Signed-off-by: Greg Kroah-Hartman commit cef9335c465d26830a39a4da10c6801265079985 Author: Mathieu Desnoyers Date: Mon Jan 17 15:30:10 2022 -0500 sched/membarrier: Fix membarrier-rseq fence command missing from query bitmask commit 809232619f5b15e31fb3563985e705454f32621f upstream. The membarrier command MEMBARRIER_CMD_QUERY allows querying the available membarrier commands. When the membarrier-rseq fence commands were added, a new MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ_BITMASK was introduced with the intent to expose them with the MEMBARRIER_CMD_QUERY command, the but it was never added to MEMBARRIER_CMD_BITMASK. The membarrier-rseq fence commands are therefore not wired up with the query command. Rename MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ_BITMASK to MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK (the bitmask is not a command per-se), and change the erroneous MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_RSEQ_BITMASK (which does not actually exist) to MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_RSEQ. Wire up MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK in MEMBARRIER_CMD_BITMASK. Fixing this allows discovering availability of the membarrier-rseq fence feature. Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ") Signed-off-by: Mathieu Desnoyers Signed-off-by: Peter Zijlstra (Intel) Cc: # 5.10+ Link: https://lkml.kernel.org/r/20220117203010.30129-1-mathieu.desnoyers@efficios.com Signed-off-by: Greg Kroah-Hartman commit 61296272db59c38ed5f6a5dd1108a268300925ec Author: Joseph Qi Date: Sat Jan 29 13:41:27 2022 -0800 ocfs2: fix a deadlock when commit trans commit ddf4b773aa40790dfa936bd845c18e735a49c61c upstream. commit 6f1b228529ae introduces a regression which can deadlock as follows: Task1: Task2: jbd2_journal_commit_transaction ocfs2_test_bg_bit_allocatable spin_lock(&jh->b_state_lock) jbd_lock_bh_journal_head __jbd2_journal_remove_checkpoint spin_lock(&jh->b_state_lock) jbd2_journal_put_journal_head jbd_lock_bh_journal_head Task1 and Task2 lock bh->b_state and jh->b_state_lock in different order, which finally result in a deadlock. So use jbd2_journal_[grab|put]_journal_head instead in ocfs2_test_bg_bit_allocatable() to fix it. Link: https://lkml.kernel.org/r/20220121071205.100648-3-joseph.qi@linux.alibaba.com Fixes: 6f1b228529ae ("ocfs2: fix race between searching chunks and release journal_head from buffer_head") Signed-off-by: Joseph Qi Reported-by: Gautham Ananthakrishna Tested-by: Gautham Ananthakrishna Reported-by: Saeed Mirzamohammadi Cc: "Theodore Ts'o" Cc: Andreas Dilger Cc: Changwei Ge Cc: Gang He Cc: Joel Becker Cc: Jun Piao Cc: Junxiao Bi Cc: Mark Fasheh Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9f71d68fa813419afbbf7ec31c48bcf6eee26a94 Author: Joseph Qi Date: Sat Jan 29 13:41:23 2022 -0800 jbd2: export jbd2_journal_[grab|put]_journal_head commit 4cd1103d8c66b2cdb7e64385c274edb0ac5e8887 upstream. Patch series "ocfs2: fix a deadlock case". This fixes a deadlock case in ocfs2. We firstly export jbd2 symbols jbd2_journal_[grab|put]_journal_head as preparation and later use them in ocfs2 insread of jbd_[lock|unlock]_bh_journal_head to fix the deadlock. This patch (of 2): This exports symbols jbd2_journal_[grab|put]_journal_head, which will be used outside modules, e.g. ocfs2. Link: https://lkml.kernel.org/r/20220121071205.100648-2-joseph.qi@linux.alibaba.com Signed-off-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Andreas Dilger Cc: Gautham Ananthakrishna Cc: Saeed Mirzamohammadi Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4ca8a0bc83543a0d29a7f5a8b1e8ef3c23dab242 Author: Peter Collingbourne Date: Sat Jan 29 13:41:14 2022 -0800 mm, kasan: use compare-exchange operation to set KASAN page tag commit 27fe73394a1c6d0b07fa4d95f1bca116d1cc66e9 upstream. It has been reported that the tag setting operation on newly-allocated pages can cause the page flags to be corrupted when performed concurrently with other flag updates as a result of the use of non-atomic operations. Fix the problem by using a compare-exchange loop to update the tag. Link: https://lkml.kernel.org/r/20220120020148.1632253-1-pcc@google.com Link: https://linux-review.googlesource.com/id/I456b24a2b9067d93968d43b4bb3351c0cec63101 Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc") Signed-off-by: Peter Collingbourne Reviewed-by: Andrey Konovalov Cc: Peter Zijlstra Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 28b346571edda1320523d9e36676563735b94c3f Author: Sing-Han Chen Date: Wed Jan 12 17:41:43 2022 +0800 ucsi_ccg: Check DEV_INT bit only when starting CCG4 commit 825911492eb15bf8bb7fb94bc0c0421fe7a6327d upstream. CCGx clears Bit 0:Device Interrupt in the INTR_REG if CCGx is reset successfully. However, there might be a chance that other bits in INTR_REG are not cleared due to internal data queued in PPM. This case misleads the driver that CCGx reset failed. The commit checks bit 0 in INTR_REG and ignores other bits. The ucsi driver would reset PPM later. Fixes: 247c554a14aa ("usb: typec: ucsi: add support for Cypress CCGx") Cc: stable@vger.kernel.org Reviewed-by: Heikki Krogerus Signed-off-by: Sing-Han Chen Signed-off-by: Wayne Chang Link: https://lore.kernel.org/r/20220112094143.628610-1-waynec@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 3cdaeb85ed1e2e9962361e9b95142cfa1497d300 Author: Badhri Jagan Sridharan Date: Fri Jan 21 17:55:20 2022 -0800 usb: typec: tcpm: Do not disconnect when receiving VSAFE0V commit 746f96e7d6f7a276726860f696671766bfb24cf0 upstream. With some chargers, vbus might momentarily raise above VSAFE5V and fall back to 0V causing VSAFE0V to be triggered. This will will report a VBUS off event causing TCPM to transition to SNK_UNATTACHED state where it should be waiting in either SNK_ATTACH_WAIT or SNK_DEBOUNCED state. This patch makes TCPM avoid VSAFE0V events while in SNK_ATTACH_WAIT or SNK_DEBOUNCED state. Stub from the spec: "4.5.2.2.4.2 Exiting from AttachWait.SNK State A Sink shall transition to Unattached.SNK when the state of both the CC1 and CC2 pins is SNK.Open for at least tPDDebounce. A DRP shall transition to Unattached.SRC when the state of both the CC1 and CC2 pins is SNK.Open for at least tPDDebounce." [23.194131] CC1: 0 -> 0, CC2: 0 -> 5 [state SNK_UNATTACHED, polarity 0, connected] [23.201777] state change SNK_UNATTACHED -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [23.209949] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [23.300579] VBUS off [23.300668] state change SNK_ATTACH_WAIT -> SNK_UNATTACHED [rev3 NONE_AMS] [23.301014] VBUS VSAFE0V [23.301111] Start toggling Fixes: 28b43d3d746b8 ("usb: typec: tcpm: Introduce vsafe0v for vbus") Cc: stable@vger.kernel.org Acked-by: Heikki Krogerus Signed-off-by: Badhri Jagan Sridharan Link: https://lore.kernel.org/r/20220122015520.332507-2-badhri@google.com Signed-off-by: Greg Kroah-Hartman commit 6b71fad7c86896f4eb5cb04c1d9f25da05c2bf22 Author: Badhri Jagan Sridharan Date: Fri Jan 21 17:55:19 2022 -0800 usb: typec: tcpm: Do not disconnect while receiving VBUS off commit 90b8aa9f5b09edae6928c0561f933fec9f7a9987 upstream. With some chargers, vbus might momentarily raise above VSAFE5V and fall back to 0V before tcpm gets to read port->tcpc->get_vbus. This will will report a VBUS off event causing TCPM to transition to SNK_UNATTACHED where it should be waiting in either SNK_ATTACH_WAIT or SNK_DEBOUNCED state. This patch makes TCPM avoid vbus off events while in SNK_ATTACH_WAIT or SNK_DEBOUNCED state. Stub from the spec: "4.5.2.2.4.2 Exiting from AttachWait.SNK State A Sink shall transition to Unattached.SNK when the state of both the CC1 and CC2 pins is SNK.Open for at least tPDDebounce. A DRP shall transition to Unattached.SRC when the state of both the CC1 and CC2 pins is SNK.Open for at least tPDDebounce." [23.194131] CC1: 0 -> 0, CC2: 0 -> 5 [state SNK_UNATTACHED, polarity 0, connected] [23.201777] state change SNK_UNATTACHED -> SNK_ATTACH_WAIT [rev3 NONE_AMS] [23.209949] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS] [23.300579] VBUS off [23.300668] state change SNK_ATTACH_WAIT -> SNK_UNATTACHED [rev3 NONE_AMS] [23.301014] VBUS VSAFE0V [23.301111] Start toggling Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable@vger.kernel.org Acked-by: Heikki Krogerus Signed-off-by: Badhri Jagan Sridharan Link: https://lore.kernel.org/r/20220122015520.332507-1-badhri@google.com Signed-off-by: Greg Kroah-Hartman commit a1399fe6d3bab689900d85b34ebce8313662eb1d Author: Xu Yang Date: Thu Jan 13 17:29:43 2022 +0800 usb: typec: tcpci: don't touch CC line if it's Vconn source commit 5638b0dfb6921f69943c705383ff40fb64b987f2 upstream. With the AMS and Collision Avoidance, tcpm often needs to change the CC's termination. When one CC line is sourcing Vconn, if we still change its termination, the voltage of the another CC line is likely to be fluctuant and unstable. Therefore, we should verify whether a CC line is sourcing Vconn before changing its termination and only change the termination that is not a Vconn line. This can be done by reading the Vconn Present bit of POWER_ STATUS register. To determine the polarity, we can read the Plug Orientation bit of TCPC_CONTROL register. Since Vconn can only be sourced if Plug Orientation is set. Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance") cc: Reviewed-by: Guenter Roeck Acked-by: Heikki Krogerus Signed-off-by: Xu Yang Link: https://lore.kernel.org/r/20220113092943.752372-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman commit 9340226388c66a7e090ebb00e91ed64a753b6c26 Author: Alan Stern Date: Mon Jan 24 15:23:45 2022 -0500 USB: core: Fix hang in usb_kill_urb by adding memory barriers commit 26fbe9772b8c459687930511444ce443011f86bf upstream. The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers. CC: Reported-and-tested-by: syzbot+76629376e06e2c2ad626@syzkaller.appspotmail.com Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/Ye8K0QYee0Q0Nna2@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit 1cd3a86107f6278dd7289e57e6e0a923fb0a6dc9 Author: Robert Hancock Date: Tue Jan 25 18:02:51 2022 -0600 usb: dwc3: xilinx: Fix error handling when getting USB3 PHY commit 2cc9b1c93b1c4caa2d971856c0780fb5f7d04692 upstream. The code that looked up the USB3 PHY was ignoring all errors other than EPROBE_DEFER in an attempt to handle the PHY not being present. Fix and simplify the code by using devm_phy_optional_get and dev_err_probe so that a missing PHY is not treated as an error and unexpected errors are handled properly. Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms") Cc: stable Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220126000253.1586760-3-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman commit 72d338bc467f7687a9c49328bad3a90b0629cdbe Author: Robert Hancock Date: Tue Jan 25 18:02:50 2022 -0600 usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode commit 9678f3361afc27a3124cd2824aec0227739986fb upstream. It appears that the PIPE clock should not be selected when only USB 2.0 is being used in the design and no USB 3.0 reference clock is used. Also, the core resets are not required if a USB3 PHY is not in use, and will break things if USB3 is actually used but the PHY entry is not listed in the device tree. Skip core resets and register settings that are only required for USB3 mode when no USB3 PHY is specified in the device tree. Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms") Cc: stable Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220126000253.1586760-2-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman commit 897d462d4d15dd932313644a151cba76e8b98709 Author: Pawel Laszczak Date: Tue Jan 11 10:07:37 2022 +0100 usb: cdnsp: Fix segmentation fault in cdns_lost_power function commit 79aa3e19fe8f5be30e846df8a436bfe306e8b1a6 upstream. CDNSP driver read not initialized cdns->otg_v0_regs which lead to segmentation fault. Patch fixes this issue. Fixes: 2cf2581cd229 ("usb: cdns3: add power lost support for system resume") cc: Signed-off-by: Pawel Laszczak Link: https://lore.kernel.org/r/20220111090737.10345-1-pawell@gli-login.cadence.com Signed-off-by: Greg Kroah-Hartman commit 27980463256060aaef8db0ddfcf40fd2342b96e8 Author: Pavankumar Kondeti Date: Sat Jan 22 08:33:22 2022 +0530 usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS commit 904edf8aeb459697129be5fde847e2a502f41fd9 upstream. Currently when gadget enumerates in super speed plus, the isoc endpoint request buffer size is not calculated correctly. Fix this by checking the gadget speed against USB_SPEED_SUPER_PLUS and update the request buffer size. Fixes: 90c4d05780d4 ("usb: fix various gadgets null ptr deref on 10gbps cabling.") Cc: stable Signed-off-by: Pavankumar Kondeti Link: https://lore.kernel.org/r/1642820602-20619-1-git-send-email-quic_pkondeti@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 42865e5544dab9ebe0c21f263f7a3aac1256c489 Author: Jon Hunter Date: Mon Jan 17 15:00:39 2022 +0000 usb: common: ulpi: Fix crash in ulpi_match() commit 2e3dd4a6246945bf84ea6f478365d116e661554c upstream. Commit 7495af930835 ("ARM: multi_v7_defconfig: Enable drivers for DragonBoard 410c") enables the CONFIG_PHY_QCOM_USB_HS for the ARM multi_v7_defconfig. Enabling this Kconfig is causing the kernel to crash on the Tegra20 Ventana platform in the ulpi_match() function. The Qualcomm USB HS PHY driver that is enabled by CONFIG_PHY_QCOM_USB_HS, registers a ulpi_driver but this driver does not provide an 'id_table', so when ulpi_match() is called on the Tegra20 Ventana platform, it crashes when attempting to deference the id_table pointer which is not valid. The Qualcomm USB HS PHY driver uses device-tree for matching the ULPI driver with the device and so fix this crash by using device-tree for matching if the id_table is not valid. Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT") Cc: stable Signed-off-by: Jon Hunter Link: https://lore.kernel.org/r/20220117150039.44058-1-jonathanh@nvidia.com Signed-off-by: Greg Kroah-Hartman commit d5755832a1e47f5d8773f0776e211ecd4e02da72 Author: Frank Li Date: Mon Jan 10 11:27:38 2022 -0600 usb: xhci-plat: fix crash when suspend if remote wake enable commit 9df478463d9feb90dae24f183383961cf123a0ec upstream. Crashed at i.mx8qm platform when suspend if enable remote wakeup Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12 Hardware name: Freescale i.MX8QM MEK (DT) Workqueue: events_unbound async_run_entry_fn pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8 lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8 sp : ffff80001394bbf0 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001 x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620 Call trace: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 xhci_suspend+0x58/0x510 xhci_plat_suspend+0x50/0x78 platform_pm_suspend+0x2c/0x78 dpm_run_callback.isra.25+0x50/0xe8 __device_suspend+0x108/0x3c0 The basic flow: 1. run time suspend call xhci_suspend, xhci parent devices gate the clock. 2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend 3. xhci_suspend call xhci_disable_hub_port_wake, which access register, but clock already gated by run time suspend. This problem was hidden by power domain driver, which call run time resume before it. But the below commit remove it and make this issue happen. commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()") This patch call run time resume before suspend to make sure clock is on before access register. Reviewed-by: Peter Chen Cc: stable Signed-off-by: Frank Li Testeb-by: Abel Vesa Link: https://lore.kernel.org/r/20220110172738.31686-1-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman commit a93284827cb287f2a76dee6080aff76d525a2bff Author: Alan Stern Date: Mon Jan 24 15:14:40 2022 -0500 usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge commit 5b67b315037250a61861119683e7fcb509deea25 upstream. Two people have reported (and mentioned numerous other reports on the web) that VIA's VL817 USB-SATA bridge does not work with the uas driver. Typical log messages are: [ 3606.232149] sd 14:0:0:0: [sdg] tag#2 uas_zap_pending 0 uas-tag 1 inflight: CMD [ 3606.232154] sd 14:0:0:0: [sdg] tag#2 CDB: Write(16) 8a 00 00 00 00 00 18 0c c9 80 00 00 00 80 00 00 [ 3606.306257] usb 4-4.4: reset SuperSpeed Plus Gen 2x1 USB device number 11 using xhci_hcd [ 3606.328584] scsi host14: uas_eh_device_reset_handler success Surprisingly, the devices do seem to work okay for some other people. The cause of the differing behaviors is not known. In the hope of getting the devices to work for the most users, even at the possible cost of degraded performance for some, this patch adds an unusual_devs entry for the VL817 to block it from binding to the uas driver by default. Users will be able to override this entry by means of a module parameter, if they want. CC: Reported-by: DocMAX Reported-and-tested-by: Thomas Weißschuh Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/Ye8IsK2sjlEv1rqU@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit 209a523dea930c79efbfc365f0b291fcb47a189c Author: Greg Kroah-Hartman Date: Thu Jan 27 08:33:04 2022 +0100 kbuild: remove include/linux/cyclades.h from header file check commit d1ad2721b1eb05d54e81393a7ebc332d4a35c68f upstream. The file now rightfully throws up a big warning that it should never be included, so remove it from the header_check test. Fixes: f23653fe6447 ("tty: Partially revert the removal of the Cyclades public API") Cc: stable Cc: Masahiro Yamada Cc: "Maciej W. Rozycki" Reported-by: Stephen Rothwell Reported-by: kernel test robot Link: https://lore.kernel.org/r/20220127073304.42399-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit fa5180351abe936b0de626f255fa7828fbabf385 Author: Cameron Williams Date: Mon Jan 24 09:42:23 2022 +0000 tty: Add support for Brainboxes UC cards. commit 152d1afa834c84530828ee031cf07a00e0fc0b8c upstream. This commit adds support for the some of the Brainboxes PCI range of cards, including the UC-101, UC-235/246, UC-257, UC-268, UC-275/279, UC-302, UC-310, UC-313, UC-320/324, UC-346, UC-357, UC-368 and UC-420/431. Signed-off-by: Cameron Williams Cc: stable Link: https://lore.kernel.org/r/AM5PR0202MB2564688493F7DD9B9C610827C45E9@AM5PR0202MB2564.eurprd02.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit b51afdc797fe75c6efa229a19ec797046b7d047d Author: Maciej W. Rozycki Date: Wed Jan 26 09:22:54 2022 +0000 tty: Partially revert the removal of the Cyclades public API commit f23653fe64479d96910bfda2b700b1af17c991ac upstream. Fix a user API regression introduced with commit f76edd8f7ce0 ("tty: cyclades, remove this orphan"), which removed a part of the API and caused compilation errors for user programs using said part, such as GCC 9 in its libsanitizer component[1]: .../libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:160:10: fatal error: linux/cyclades.h: No such file or directory 160 | #include | ^~~~~~~~~~~~~~~~~~ compilation terminated. make[4]: *** [Makefile:664: sanitizer_platform_limits_posix.lo] Error 1 As the absolute minimum required bring `struct cyclades_monitor' and ioctl numbers back then so as to make the library build again. Add a preprocessor warning as to the obsolescence of the features provided. References: [1] GCC PR sanitizer/100379, "cyclades.h is removed from linux kernel header files", Fixes: f76edd8f7ce0 ("tty: cyclades, remove this orphan") Cc: stable@vger.kernel.org # v5.13+ Reviewed-by: Christoph Hellwig Signed-off-by: Maciej W. Rozycki Link: https://lore.kernel.org/r/alpine.DEB.2.20.2201260733430.11348@tpp.orcam.me.uk Signed-off-by: Greg Kroah-Hartman commit ff79be505ad858dacf43772733e4a33c805317de Author: daniel.starke@siemens.com Date: Thu Jan 20 02:18:57 2022 -0800 tty: n_gsm: fix SW flow control encoding/handling commit 8838b2af23caf1ff0610caef2795d6668a013b2d upstream. n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to the newer 27.010 here. Chapter 5.2.7.3 states that DC1 (XON) and DC3 (XOFF) are the control characters defined in ISO/IEC 646. These shall be quoted if seen in the data stream to avoid interpretation as flow control characters. ISO/IEC 646 refers to the set of ISO standards described as the ISO 7-bit coded character set for information interchange. Its final version is also known as ITU T.50. See https://www.itu.int/rec/T-REC-T.50-199209-I/en To abide the standard it is needed to quote DC1 and DC3 correctly if these are seen as data bytes and not as control characters. The current implementation already tries to enforce this but fails to catch all defined cases. 3GPP 27.010 chapter 5.2.7.3 clearly states that the most significant bit shall be ignored for DC1 and DC3 handling. The current implementation handles only the case with the most significant bit set 0. Cases in which DC1 and DC3 have the most significant bit set 1 are left unhandled. This patch fixes this by masking the data bytes with ISO_IEC_646_MASK (only the 7 least significant bits set 1) before comparing them with XON (a.k.a. DC1) and XOFF (a.k.a. DC3) when testing which byte values need quotation via byte stuffing. Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable@vger.kernel.org Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20220120101857.2509-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman commit 775fcd69038aa51f0690507cce4ed52fbfd53508 Author: Valentin Caron Date: Tue Jan 11 17:44:41 2022 +0100 serial: stm32: fix software flow control transfer commit 037b91ec7729524107982e36ec4b40f9b174f7a2 upstream. x_char is ignored by stm32_usart_start_tx() when xmit buffer is empty. Fix start_tx condition to allow x_char to be sent. Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver") Cc: stable Signed-off-by: Erwan Le Ray Signed-off-by: Valentin Caron Link: https://lore.kernel.org/r/20220111164441.6178-3-valentin.caron@foss.st.com Signed-off-by: Greg Kroah-Hartman commit f79903783db1129123262fc08c1ee842b423f276 Author: Robert Hancock Date: Wed Jan 12 13:42:14 2022 -0600 serial: 8250: of: Fix mapped region size when using reg-offset property commit d06b1cf28297e27127d3da54753a3a01a2fa2f28 upstream. 8250_of supports a reg-offset property which is intended to handle cases where the device registers start at an offset inside the region of memory allocated to the device. The Xilinx 16550 UART, for which this support was initially added, requires this. However, the code did not adjust the overall size of the mapped region accordingly, causing the driver to request an area of memory past the end of the device's allocation. For example, if the UART was allocated an address of 0xb0130000, size of 0x10000 and reg-offset of 0x1000 in the device tree, the region of memory reserved was b0131000-b0140fff, which caused the driver for the region starting at b0140000 to fail to probe. Fix this by subtracting reg-offset from the mapped region size. Fixes: b912b5e2cfb3 ([POWERPC] Xilinx: of_serial support for Xilinx uart 16550.) Cc: stable Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220112194214.881844-1-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman commit f0cb78064e1c1246394aeddbbf619198dd4ce980 Author: Jochen Mades Date: Sat Jan 23 05:10:14 2021 +0100 serial: pl011: Fix incorrect rs485 RTS polarity on set_mctrl commit 62f676ff7898f6c1bd26ce014564773a3dc00601 upstream. Commit 8d479237727c ("serial: amba-pl011: add RS485 support") sought to keep RTS deasserted on set_mctrl if rs485 is enabled. However it did so only if deasserted RTS polarity is high. Fix it in case it's low. Fixes: 8d479237727c ("serial: amba-pl011: add RS485 support") Cc: stable@vger.kernel.org # v5.15+ Cc: Lino Sanfilippo Signed-off-by: Jochen Mades [lukas: copyedit commit message, add stable designation] Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/85fa3323ba8c307943969b7343e23f34c3e652ba.1642909284.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman commit 965bc27251f0eee9bb23c06dc708015630c97d1a Author: Mike Snitzer Date: Fri Jan 28 10:58:41 2022 -0500 dm: properly fix redundant bio-based IO accounting commit b879f915bc48a18d4f4462729192435bb0f17052 upstream. Record the start_time for a bio but defer the starting block core's IO accounting until after IO is submitted using bio_start_io_acct_time(). This approach avoids the need to mess around with any of the individual IO stats in response to a bio_split() that follows bio submission. Reported-by: Bud Brown Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Depends-on: e45c47d1f94e ("block: add bio_start_io_acct_time() to control start_time") Signed-off-by: Mike Snitzer Link: https://lore.kernel.org/r/20220128155841.39644-4-snitzer@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4cca3e3ef21da10eaa23410ce8ee953fa66c1f8b Author: Mike Snitzer Date: Fri Jan 28 10:58:39 2022 -0500 block: add bio_start_io_acct_time() to control start_time commit e45c47d1f94e0cc7b6b079fdb4bcce2995e2adc4 upstream. bio_start_io_acct_time() interface is like bio_start_io_acct() that allows start_time to be passed in. This gives drivers the ability to defer starting accounting until after IO is issued (but possibily not entirely due to bio splitting). Reviewed-by: Christoph Hellwig Signed-off-by: Mike Snitzer Link: https://lore.kernel.org/r/20220128155841.39644-2-snitzer@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 86125006d88dae6945d557059336319b76f2287c Author: Mike Snitzer Date: Fri Jan 28 10:58:40 2022 -0500 dm: revert partial fix for redundant bio-based IO accounting commit f524d9c95fab54783d0038f7a3e8c014d5b56857 upstream. Reverts a1e1cb72d9649 ("dm: fix redundant IO accounting for bios that need splitting") because it was too narrow in scope (only addressed redundant 'sectors[]' accounting and not ios, nsecs[], etc). Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Link: https://lore.kernel.org/r/20220128155841.39644-3-snitzer@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c0af639c1adc50296e25c7754f3269c724268efa Author: Nicholas Piggin Date: Sat Jan 22 20:55:30 2022 +1000 KVM: PPC: Book3S HV Nested: Fix nested HFSCR being clobbered with multiple vCPUs commit 22f7ff0dea9491e90b6fe808ed40c30bd791e5c2 upstream. The L0 is storing HFSCR requested by the L1 for the L2 in struct kvm_nested_guest when the L1 requests a vCPU enter L2. kvm_nested_guest is not a per-vCPU structure. Hilarity ensues. Fix it by moving the nested hfscr into the vCPU structure together with the other per-vCPU nested fields. Fixes: 8b210a880b35 ("KVM: PPC: Book3S HV Nested: Make nested HFSCR state accessible") Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Nicholas Piggin Reviewed-by: Fabiano Rosas Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220122105530.3477250-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit e668b527a259617f82ff83a0af008139900fe2f7 Author: Like Xu Date: Wed Jan 26 17:22:26 2022 +0000 KVM: x86: Sync the states size with the XCR0/IA32_XSS at, any time commit 05a9e065059e566f218f8778c4d17ee75db56c55 upstream. XCR0 is reset to 1 by RESET but not INIT and IA32_XSS is zeroed by both RESET and INIT. The kvm_set_msr_common()'s handling of MSR_IA32_XSS also needs to update kvm_update_cpuid_runtime(). In the above cases, the size in bytes of the XSAVE area containing all states enabled by XCR0 or (XCRO | IA32_XSS) needs to be updated. For simplicity and consistency, existing helpers are used to write values and call kvm_update_cpuid_runtime(), and it's not exactly a fast path. Fixes: a554d207dc46 ("KVM: X86: Processor States following Reset or INIT") Cc: stable@vger.kernel.org Signed-off-by: Like Xu Signed-off-by: Sean Christopherson Message-Id: <20220126172226.2298529-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 096779d440871fc7ed54b6dae66c2e0286bf3b99 Author: Like Xu Date: Wed Jan 26 17:22:25 2022 +0000 KVM: x86: Update vCPU's runtime CPUID on write to MSR_IA32_XSS commit 4c282e51e4450b94680d6ca3b10f830483b1f243 upstream. Do a runtime CPUID update for a vCPU if MSR_IA32_XSS is written, as the size in bytes of the XSAVE area is affected by the states enabled in XSS. Fixes: 203000993de5 ("kvm: vmx: add MSR logic for XSAVES") Cc: stable@vger.kernel.org Signed-off-by: Like Xu [sean: split out as a separate patch, adjust Fixes tag] Signed-off-by: Sean Christopherson Message-Id: <20220126172226.2298529-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 5afeafcc59bbcd3506f47a6dda8263f5b43533cb Author: Xiaoyao Li Date: Wed Jan 26 17:22:24 2022 +0000 KVM: x86: Keep MSR_IA32_XSS unchanged for INIT commit be4f3b3f82271c3193ce200a996dc70682c8e622 upstream. It has been corrected from SDM version 075 that MSR_IA32_XSS is reset to zero on Power up and Reset but keeps unchanged on INIT. Fixes: a554d207dc46 ("KVM: X86: Processor States following Reset or INIT") Cc: stable@vger.kernel.org Signed-off-by: Xiaoyao Li Signed-off-by: Sean Christopherson Message-Id: <20220126172226.2298529-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e302786233e6bc512986d007c96458ccf5ca21c7 Author: Sean Christopherson Date: Tue Jan 25 22:03:58 2022 +0000 KVM: x86: Forcibly leave nested virt when SMM state is toggled commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb upstream. Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated. Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active. Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state. WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae Cc: stable@vger.kernel.org Reported-by: syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com Signed-off-by: Sean Christopherson Message-Id: <20220125220358.2091737-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6f3e157e21b24d38c4a5d76cc40ddd4fdeb74d18 Author: Denis Valeev Date: Sat Jan 22 23:13:57 2022 +0300 KVM: x86: nSVM: skip eax alignment check for non-SVM instructions commit 47c28d436f409f5b009dc82bd82d4971088aa391 upstream. The bug occurs on #GP triggered by VMware backdoor when eax value is unaligned. eax alignment check should not be applied to non-SVM instructions because it leads to incorrect omission of the instructions emulation. Apply the alignment check only to SVM instructions to fix. Fixes: d1cba6c92237 ("KVM: x86: nSVM: test eax for 4K alignment for GP errata workaround") Signed-off-by: Denis Valeev Message-Id: Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 575656560897a018de5bd4264f8ba49763be2376 Author: Sean Christopherson Date: Thu Jan 20 01:07:13 2022 +0000 KVM: SVM: Don't intercept #GP for SEV guests commit 0b0be065b7563ac708aaa9f69dd4941c80b3446d upstream. Never intercept #GP for SEV guests as reading SEV guest private memory will return cyphertext, i.e. emulating on #GP can't work as intended. Cc: stable@vger.kernel.org Cc: Tom Lendacky Cc: Brijesh Singh Signed-off-by: Sean Christopherson Reviewed-by: Liam Merwick Message-Id: <20220120010719.711476-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3470722fac229594182d7c2b46041323560b1924 Author: Sean Christopherson Date: Thu Jan 20 01:07:11 2022 +0000 KVM: SVM: Never reject emulation due to SMAP errata for !SEV guests commit 55467fcd55b89c622e62b4afe60ac0eb2fae91f2 upstream. Always signal that emulation is possible for !SEV guests regardless of whether or not the CPU provided a valid instruction byte stream. KVM can read all guest state (memory and registers) for !SEV guests, i.e. can fetch the code stream from memory even if the CPU failed to do so because of the SMAP errata. Fixes: 05d5a4863525 ("KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)") Cc: stable@vger.kernel.org Cc: Tom Lendacky Cc: Brijesh Singh Signed-off-by: Sean Christopherson Reviewed-by: Liam Merwick Message-Id: <20220120010719.711476-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 54b3439c8e70e0bcfea59aeef9dd98908cbbf655 Author: Wanpeng Li Date: Tue Jan 25 01:17:00 2022 -0800 KVM: LAPIC: Also cancel preemption timer during SET_LAPIC commit 35fe7cfbab2e81f1afb23fc4212210b1de6d9633 upstream. The below warning is splatting during guest reboot. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Call Trace: kvm_vcpu_ioctl+0x279/0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode switch between tsc-deadline and oneshot/periodic, which can result in preemption timer be cancelled in apic_update_lvtt(). However, We can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption timer. Qemu will synchronise states around reset, let's cancel preemption timer under KVM_SET_LAPIC. Signed-off-by: Wanpeng Li Message-Id: <1643102220-35667-1-git-send-email-wanpengli@tencent.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 548f20b39ec91fdd97194a84a0d9b2f68715762a Author: Bas Nieuwenhuizen Date: Mon Jan 24 01:23:35 2022 +0100 drm/amd/display: Fix FP start/end for dcn30_internal_validate_bw. commit 72a8d87b87270bff0c0b2fed4d59c48d0dd840d7 upstream. It calls populate_dml_pipes which uses doubles to initialize the scale_ratio_depth params. Mirrors the dcn20 logic. Cc: stable@vger.kernel.org Signed-off-by: Bas Nieuwenhuizen Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 73740f948252e424a01465155d8737bceae23653 Author: Manasi Navare Date: Mon Oct 4 04:59:13 2021 -0700 drm/atomic: Add the crtc to affected crtc only if uapi.enable = true commit 5ec1cebd59300ddd26dbaa96c17c508764eef911 upstream. In case of a modeset where a mode gets split across multiple CRTCs in the driver specific implementation (bigjoiner in i915) we wrongly count the affected CRTCs based on the drm_crtc_mask and indicate the stolen CRTC as an affected CRTC in atomic_check_only(). This triggers a warning since affected CRTCs doent match requested CRTC. To fix this in such bigjoiner configurations, we should only increment affected crtcs if that CRTC is enabled in UAPI not if it is just used internally in the driver to split the mode. v3: Add the same uapi crtc_state->enable check in requested crtc calc (Ville) Cc: Ville Syrjälä Cc: Simon Ser Cc: Pekka Paalanen Cc: Daniel Stone Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v5.11+ Fixes: 919c2299a893 ("drm/i915: Enable bigjoiner") Signed-off-by: Manasi Navare Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20211004115913.23889-1-manasi.d.navare@intel.com Signed-off-by: Greg Kroah-Hartman commit 473aed10d16dbcb2236bc0d1ea651adc534d2c00 Author: Lucas Stach Date: Thu Jan 6 19:10:21 2022 +0100 drm/etnaviv: relax submit size limits commit e3d26528e083e612314d4dcd713f3d5a26143ddc upstream. While all userspace tried to limit commandstreams to 64K in size, a bug in the Mesa driver lead to command streams of up to 128K being submitted. Allow those to avoid breaking existing userspace. Fixes: 6dfa2fab8ddd ("drm/etnaviv: limit submit sizes") Cc: stable@vger.kernel.org Signed-off-by: Lucas Stach Reviewed-by: Christian Gmeiner Signed-off-by: Greg Kroah-Hartman commit b7bfc2c6cdd28fc250f5f8c3177293342bfe14a5 Author: Kan Liang Date: Tue Jan 11 10:20:38 2022 -0800 perf/x86/intel: Add a quirk for the calculation of the number of counters on Alder Lake commit 7fa981cad216e9f64f49e22112f610c0bfed91bc upstream. For some Alder Lake machine with all E-cores disabled in a BIOS, the below warning may be triggered. [ 2.010766] hw perf events fixed 5 > max(4), clipping! Current perf code relies on the CPUID leaf 0xA and leaf 7.EDX[15] to calculate the number of the counters and follow the below assumption. For a hybrid configuration, the leaf 7.EDX[15] (X86_FEATURE_HYBRID_CPU) is set. The leaf 0xA only enumerate the common counters. Linux perf has to manually add the extra GP counters and fixed counters for P-cores. For a non-hybrid configuration, the X86_FEATURE_HYBRID_CPU should not be set. The leaf 0xA enumerates all counters. However, that's not the case when all E-cores are disabled in a BIOS. Although there are only P-cores in the system, the leaf 7.EDX[15] (X86_FEATURE_HYBRID_CPU) is still set. But the leaf 0xA is updated to enumerate all counters of P-cores. The inconsistency triggers the warning. Several software ways were considered to handle the inconsistency. - Drop the leaf 0xA and leaf 7.EDX[15] CPUID enumeration support. Hardcode the number of counters. This solution may be a problem for virtualization. A hypervisor cannot control the number of counters in a Linux guest via changing the guest CPUID enumeration anymore. - Find another CPUID bit that is also updated with E-cores disabled. There may be a problem in the virtualization environment too. Because a hypervisor may disable the feature/CPUID bit. - The P-cores have a maximum of 8 GP counters and 4 fixed counters on ADL. The maximum number can be used to detect the case. This solution is implemented in this patch. Fixes: ee72a94ea4a6 ("perf/x86/intel: Fix fixed counter check warning for some Alder Lake") Reported-by: Damjan Marion (damarion) Reported-by: Chan Edison Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Tested-by: Damjan Marion (damarion) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1641925238-149288-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1b4abcd997ade5cc0eac40cbb0c510015aa6fa0f Author: Zhengjun Xing Date: Thu Dec 23 22:48:26 2021 +0800 perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX commit 96fd2e89fba1aaada6f4b1e5d25a9d9ecbe1943d upstream. The user recently report a perf issue in the ICX platform, when test by perf event “uncore_imc_x/cas_count_write”,the write bandwidth is always very small (only 0.38MB/s), it is caused by the wrong "umask" for the "cas_count_write" event. When double-checking, find "cas_count_read" also is wrong. The public document for ICX uncore: 3rd Gen Intel® Xeon® Processor Scalable Family, Codename Ice Lake,Uncore Performance Monitoring Reference Manual, Revision 1.00, May 2021 On 2.4.7, it defines Unit Masks for CAS_COUNT: RD b00001111 WR b00110000 So corrected both "cas_count_read" and "cas_count_write" for ICX. Old settings: hswep_uncore_imc_events INTEL_UNCORE_EVENT_DESC(cas_count_read, "event=0x04,umask=0x03") INTEL_UNCORE_EVENT_DESC(cas_count_write, "event=0x04,umask=0x0c") New settings: snr_uncore_imc_events INTEL_UNCORE_EVENT_DESC(cas_count_read, "event=0x04,umask=0x0f") INTEL_UNCORE_EVENT_DESC(cas_count_write, "event=0x04,umask=0x30") Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support") Signed-off-by: Zhengjun Xing Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Adrian Hunter Reviewed-by: Kan Liang Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20211223144826.841267-1-zhengjun.xing@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit b8140d7733e003926ac7eef645bce259323cb7be Author: Christophe Leroy Date: Fri Jan 14 11:26:25 2022 +0000 powerpc/audit: Fix syscall_get_arch() commit 252745240ba0ae774d2f80c5e185ed59fbc4fb41 upstream. Commit 770cec16cdc9 ("powerpc/audit: Simplify syscall_get_arch()") and commit 898a1ef06ad4 ("powerpc/audit: Avoid unneccessary #ifdef in syscall_get_arguments()") replaced test_tsk_thread_flag(task, TIF_32BIT)) by is_32bit_task(). But is_32bit_task() applies on current task while be want the test done on task 'task' So add a new macro is_tsk_32bit_task() to check any task. Fixes: 770cec16cdc9 ("powerpc/audit: Simplify syscall_get_arch()") Fixes: 898a1ef06ad4 ("powerpc/audit: Avoid unneccessary #ifdef in syscall_get_arguments()") Cc: stable@vger.kernel.org Reported-by: Dmitry V. Levin Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/c55cddb8f65713bf5859ed675d75a50cb37d5995.1642159570.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit d3e4c61e143e69671803ef3f52140cf7a7258ee7 Author: Suren Baghdasaryan Date: Tue Jan 11 15:23:09 2022 -0800 psi: Fix uaf issue when psi trigger is destroyed while being polled commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream. With write operation on psi files replacing old trigger with a new one, the lifetime of its waitqueue is totally arbitrary. Overwriting an existing trigger causes its waitqueue to be freed and pending poll() will stumble on trigger->event_wait which was destroyed. Fix this by disallowing to redefine an existing psi trigger. If a write operation is used on a file descriptor with an already existing psi trigger, the operation will fail with EBUSY error. Also bypass a check for psi_disabled in the psi_trigger_destroy as the flag can be flipped after the trigger is created, leading to a memory leak. Fixes: 0e94682b73bf ("psi: introduce psi monitor") Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com Suggested-by: Linus Torvalds Analyzed-by: Eric Biggers Signed-off-by: Suren Baghdasaryan Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Eric Biggers Acked-by: Johannes Weiner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com Signed-off-by: Greg Kroah-Hartman commit b17cb93dda1dcdc9737c8b334e850c18dc6b0b7d Author: Sean Christopherson Date: Thu Jan 20 01:07:12 2022 +0000 Revert "KVM: SVM: avoid infinite loop on NPF from bad address" commit 31c25585695abdf03d6160aa6d829e855b256329 upstream. Revert a completely broken check on an "invalid" RIP in SVM's workaround for the DecodeAssists SMAP errata. kvm_vcpu_gfn_to_memslot() obviously expects a gfn, i.e. operates in the guest physical address space, whereas RIP is a virtual (not even linear) address. The "fix" worked for the problematic KVM selftest because the test identity mapped RIP. Fully revert the hack instead of trying to translate RIP to a GPA, as the non-SEV case is now handled earlier, and KVM cannot access guest page tables to translate RIP. This reverts commit e72436bc3a5206f95bb384e741154166ddb3202e. Fixes: e72436bc3a52 ("KVM: SVM: avoid infinite loop on NPF from bad address") Reported-by: Liam Merwick Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Reviewed-by: Liam Merwick Message-Id: <20220120010719.711476-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e6023ab8c729b9edb99c6bc5f0169f474deeabe5 Author: Amir Goldstein Date: Thu Jan 20 23:53:05 2022 +0200 fsnotify: fix fsnotify hooks in pseudo filesystems commit 29044dae2e746949ad4b9cbdbfb248994d1dcdb4 upstream. Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify will have access to a positive dentry. This allowed a race where opening the deleted file via cached dentry is now possible after receiving the IN_DELETE event. To fix the regression in pseudo filesystems, convert d_delete() calls to d_drop() (see commit 46c46f8df9aa ("devpts_pty_kill(): don't bother with d_delete()") and move the fsnotify hook after d_drop(). Add a missing fsnotify_unlink() hook in nfsdfs that was found during the audit of fsnotify hooks in pseudo filesystems. Note that the fsnotify hooks in simple_recursive_removal() follow d_invalidate(), so they require no change. Link: https://lore.kernel.org/r/20220120215305.282577-2-amir73il@gmail.com Reported-by: Ivan Delalande Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/ Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 2aac1eda4638e1be3530eaa3b69f3147d88ea2e6 Author: Jeff Layton Date: Wed Jan 26 12:36:49 2022 -0500 ceph: set pool_ns in new inode layout for async creates commit 4584a768f22b7669cdebabc911543621ac661341 upstream. Dan reported that he was unable to write to files that had been asynchronously created when the client's OSD caps are restricted to a particular namespace. The issue is that the layout for the new inode is only partially being filled. Ensure that we populate the pool_ns_data and pool_ns_len in the iinfo before calling ceph_fill_inode. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/54013 Fixes: 9a8d03ca2e2c ("ceph: attempt to do async create when possible") Reported-by: Dan van der Ster Signed-off-by: Jeff Layton Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 36d433ae3242aa714176378850e6d1a5a3e78f18 Author: Jeff Layton Date: Tue Jan 25 15:39:16 2022 -0500 ceph: properly put ceph_string reference after async create attempt commit 932a9b5870d38b87ba0a9923c804b1af7d3605b9 upstream. The reference acquired by try_prep_async_create is currently leaked. Ensure we put it. Cc: stable@vger.kernel.org Fixes: 9a8d03ca2e2c ("ceph: attempt to do async create when possible") Signed-off-by: Jeff Layton Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 4e5dcbedd48dcce9a02e035684a6765035a08da7 Author: Tom Zanussi Date: Thu Jan 27 15:44:18 2022 -0600 tracing: Don't inc err_log entry count if entry allocation fails commit 67ab5eb71b37b55f7c5522d080a1b42823351776 upstream. tr->n_err_log_entries should only be increased if entry allocation succeeds. Doing it when it fails won't cause any problems other than wasting an entry, but should be fixed anyway. Link: https://lkml.kernel.org/r/cad1ab28f75968db0f466925e7cba5970cec6c29.1643319703.git.zanussi@kernel.org Cc: stable@vger.kernel.org Fixes: 2f754e771b1a6 ("tracing: Don't inc err_log entry count if entry allocation fails") Signed-off-by: Tom Zanussi Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit e33fa4a46ee22de88a700e2e3d033da8214a5175 Author: Xiaoke Wang Date: Tue Jan 25 12:07:15 2022 +0800 tracing/histogram: Fix a potential memory leak for kstrdup() commit e629e7b525a179e29d53463d992bdee759c950fb upstream. kfree() is missing on an error path to free the memory allocated by kstrdup(): p = param = kstrdup(data->params[i], GFP_KERNEL); So it is better to free it via kfree(p). Link: https://lkml.kernel.org/r/tencent_C52895FD37802832A3E5B272D05008866F0A@qq.com Cc: stable@vger.kernel.org Fixes: d380dcde9a07c ("tracing: Fix now invalid var_ref_vals assumption in trace action") Signed-off-by: Xiaoke Wang Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit fb9b60bbda5536dd268dcf00ca38a1f241ebb28b Author: Greg Kroah-Hartman Date: Thu Jan 13 19:44:20 2022 +0100 PM: wakeup: simplify the output logic of pm_show_wakelocks() commit c9d967b2ce40d71e968eb839f36c936b8a9cf1ea upstream. The buffer handling in pm_show_wakelocks() is tricky, and hopefully correct. Ensure it really is correct by using sysfs_emit_at() which handles all of the tricky string handling logic in a PAGE_SIZE buffer for us automatically as this is a sysfs file being read from. Reviewed-by: Lee Jones Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 3df52448978802ae15dcebf66beba1029df957b4 Author: Ard Biesheuvel Date: Wed Jan 12 11:14:13 2022 +0100 efi: runtime: avoid EFIv2 runtime services on Apple x86 machines commit f5390cd0b43c2e54c7cf5506c7da4a37c5cef746 upstream. Aditya reports [0] that his recent MacbookPro crashes in the firmware when using the variable services at runtime. The culprit appears to be a call to QueryVariableInfo(), which we did not use to call on Apple x86 machines in the past as they only upgraded from EFI v1.10 to EFI v2.40 firmware fairly recently, and QueryVariableInfo() (along with UpdateCapsule() et al) was added in EFI v2.00. The only runtime service introduced in EFI v2.00 that we actually use in Linux is QueryVariableInfo(), as the capsule based ones are optional, generally not used at runtime (all the LVFS/fwupd firmware update infrastructure uses helper EFI programs that invoke capsule update at boot time, not runtime), and not implemented by Apple machines in the first place. QueryVariableInfo() is used to 'safely' set variables, i.e., only when there is enough space. This prevents machines with buggy firmwares from corrupting their NVRAMs when they run out of space. Given that Apple machines have been using EFI v1.10 services only for the longest time (the EFI v2.0 spec was released in 2006, and Linux support for the newly introduced runtime services was added in 2011, but the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only), let's avoid the EFI v2.0 ones on all Apple x86 machines. [0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/ Cc: Cc: Jeremy Kerr Cc: Matthew Garrett Reported-by: Aditya Garg Tested-by: Orlando Chamberlain Signed-off-by: Ard Biesheuvel Tested-by: Aditya Garg Link: https://bugzilla.kernel.org/show_bug.cgi?id=215277 Signed-off-by: Greg Kroah-Hartman commit cbf96c58e28b1fece9630102781a93ff32c347f7 Author: Jan Kara Date: Mon Jan 17 18:22:13 2022 +0100 udf: Fix NULL ptr deref when converting from inline format commit 7fc3b7c2981bbd1047916ade327beccb90994eee upstream. udf_expand_file_adinicb() calls directly ->writepage to write data expanded into a page. This however misses to setup inode for writeback properly and so we can crash on inode->i_wb dereference when submitting page for IO like: BUG: kernel NULL pointer dereference, address: 0000000000000158 #PF: supervisor read access in kernel mode ... __folio_start_writeback+0x2ac/0x350 __block_write_full_page+0x37d/0x490 udf_expand_file_adinicb+0x255/0x400 [udf] udf_file_write_iter+0xbe/0x1b0 [udf] new_sync_write+0x125/0x1c0 vfs_write+0x28e/0x400 Fix the problem by marking the page dirty and going through the standard writeback path to write the page. Strictly speaking we would not even have to write the page but we want to catch e.g. ENOSPC errors early. Reported-by: butt3rflyh4ck CC: stable@vger.kernel.org Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") Reviewed-by: Christoph Hellwig Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 2ea17d25be51ed8ea9fa59a66c9152d3c5ba0c7a Author: Jan Kara Date: Tue Jan 18 09:57:25 2022 +0100 udf: Restore i_lenAlloc when inode expansion fails commit ea8569194b43f0f01f0a84c689388542c7254a1f upstream. When we fail to expand inode from inline format to a normal format, we restore inode to contain the original inline formatting but we forgot to set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then causing further problems such as warnings and lost data down the line. Reported-by: butt3rflyh4ck CC: stable@vger.kernel.org Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence") Reviewed-by: Christoph Hellwig Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 172aa3b811824e4472042d259b4f5fe22df3a85f Author: Steffen Maier Date: Tue Jan 18 17:58:03 2022 +0100 scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices commit 8c9db6679be4348b8aae108e11d4be2f83976e30 upstream. Suppose we have an environment with a number of non-NPIV FCP devices (virtual HBAs / FCP devices / zfcp "adapter"s) sharing the same physical FCP channel (HBA port) and its I_T nexus. Plus a number of storage target ports zoned to such shared channel. Now one target port logs out of the fabric causing an RSCN. Zfcp reacts with an ADISC ELS and subsequent port recovery depending on the ADISC result. This happens on all such FCP devices (in different Linux images) concurrently as they all receive a copy of this RSCN. In the following we look at one of those FCP devices. Requests other than FSF_QTCB_FCP_CMND can be slow until they get a response. Depending on which requests are affected by slow responses, there are different recovery outcomes. Here we want to fix failed recoveries on port or adapter level by avoiding recovery requests that can be slow. We need the cached N_Port_ID for the remote port "link" test with ADISC. Just before sending the ADISC, we now intentionally forget the old cached N_Port_ID. The idea is that on receiving an RSCN for a port, we have to assume that any cached information about this port is stale. This forces a fresh new GID_PN [FC-GS] nameserver lookup on any subsequent recovery for the same port. Since we typically can still communicate with the nameserver efficiently, we now reach steady state quicker: Either the nameserver still does not know about the port so we stop recovery, or the nameserver already knows the port potentially with a new N_Port_ID and we can successfully and quickly perform open port recovery. For the one case, where ADISC returns successfully, we re-initialize port->d_id because that case does not involve any port recovery. This also solves a problem if the storage WWPN quickly logs into the fabric again but with a different N_Port_ID. Such as on virtual WWPN takeover during target NPIV failover. [https://www.redbooks.ibm.com/abstracts/redp5477.html] In that case the RSCN from the storage FDISC was ignored by zfcp and we could not successfully recover the failover. On some later failback on the storage, we could have been lucky if the virtual WWPN got the same old N_Port_ID from the SAN switch as we still had cached. Then the related RSCN triggered a successful port reopen recovery. However, there is no guarantee to get the same N_Port_ID on NPIV FDISC. Even though NPIV-enabled FCP devices are not affected by this problem, this code change optimizes recovery time for gone remote ports as a side effect. The timely drop of cached N_Port_IDs prevents unnecessary slow open port attempts. While the problem might have been in code before v2.6.32 commit 799b76d09aee ("[SCSI] zfcp: Decouple gid_pn requests from erp") this fix depends on the gid_pn_work introduced with that commit, so we mark it as culprit to satisfy fix dependencies. Note: Point-to-point remote port is already handled separately and gets its N_Port_ID from the cached peer_d_id. So resetting port->d_id in general does not affect PtP. Link: https://lore.kernel.org/r/20220118165803.3667947-1-maier@linux.ibm.com Fixes: 799b76d09aee ("[SCSI] zfcp: Decouple gid_pn requests from erp") Cc: #2.6.32+ Suggested-by: Benjamin Block Reviewed-by: Benjamin Block Signed-off-by: Steffen Maier Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 348a8501e6029f9308ea7675edfa645b5e669c9e Author: Eric W. Biederman Date: Mon Jan 24 12:46:50 2022 -0600 ucount: Make get_ucount a safe get_user replacement commit f9d87929d451d3e649699d0f1d74f71f77ad38f5 upstream. When the ucount code was refactored to create get_ucount it was missed that some of the contexts in which a rlimit is kept elevated can be the only reference to the user/ucount in the system. Ordinary ucount references exist in places that also have a reference to the user namspace, but in POSIX message queues, the SysV shm code, and the SIGPENDING code there is no independent user namespace reference. Inspection of the the user_namespace show no instance of circular references between struct ucounts and the user_namespace. So hold a reference from struct ucount to i's user_namespace to resolve this problem. Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/ Reported-by: Qian Cai Reported-by: Mathias Krause Tested-by: Mathias Krause Reviewed-by: Mathias Krause Reviewed-by: Alexey Gladkov Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts") Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 2dc0a8e0129fb0d4ac6a8be0e7e746633dbff722 Author: Naveen N. Rao Date: Thu Jan 6 17:15:07 2022 +0530 powerpc/bpf: Update ldimm64 instructions during extra pass commit f9320c49993ca3c0ec0f9a7026b313735306bb8b upstream. These instructions are updated after the initial JIT, so redo codegen during the extra pass. Rename bpf_jit_fixup_subprog_calls() to clarify that this is more than just subprog calls. Fixes: 69c087ba6225b5 ("bpf: Add bpf_for_each_map_elem() helper") Cc: stable@vger.kernel.org # v5.15 Signed-off-by: Naveen N. Rao Tested-by: Jiri Olsa Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/7cc162af77ba918eb3ecd26ec9e7824bc44b1fae.1641468127.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit 2f262cadff57424e81e43bbccd381ae166da7a4b Author: Naveen N. Rao Date: Thu Jan 6 17:15:06 2022 +0530 powerpc32/bpf: Fix codegen for bpf-to-bpf calls commit fab07611fb2e6a15fac05c4583045ca5582fd826 upstream. Pad instructions emitted for BPF_CALL so that the number of instructions generated does not change for different function addresses. This is especially important for calls to other bpf functions, whose address will only be known during extra pass. Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32") Cc: stable@vger.kernel.org # v5.13+ Signed-off-by: Naveen N. Rao Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/52d8fe51f7620a6f27f377791564d79d75463576.1641468127.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit 0bcd484587b3b3092e448d27dc369e347e1810c3 Author: Naveen N. Rao Date: Thu Jan 6 17:15:05 2022 +0530 bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack() commit b992f01e66150fc5e90be4a96f5eb8e634c8249e upstream. task_pt_regs() can return NULL on powerpc for kernel threads. This is then used in __bpf_get_stack() to check for user mode, resulting in a kernel oops. Guard against this by checking return value of task_pt_regs() before trying to obtain the call chain. Fixes: fa28dcb82a38f8 ("bpf: Introduce helper bpf_get_task_stack()") Cc: stable@vger.kernel.org # v5.9+ Signed-off-by: Naveen N. Rao Acked-by: Daniel Borkmann Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/d5ef83c361cc255494afd15ff1b4fb02a36e1dcf.1641468127.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit cfd2a7f8deaa6c86bcb12dad82a8b8a871d8aff2 Author: Christian Borntraeger Date: Mon Jan 17 18:40:32 2022 +0100 s390/nmi: handle vector validity failures for KVM guests commit f094a39c6ba168f2df1edfd1731cca377af5f442 upstream. The machine check validity bit tells about the context. If a KVM guest was running the bit tells about the guest validity and the host state is not affected. As a guest can disable the guest validity this might result in unwanted host errors on machine checks. Cc: stable@vger.kernel.org Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest") Signed-off-by: Christian Borntraeger Reviewed-by: Heiko Carstens Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit c058e1ae9dd516cbc8b6a38dc6d67d70479dfbbf Author: Christian Borntraeger Date: Thu Jan 13 11:44:19 2022 +0100 s390/nmi: handle guarded storage validity failures for KVM guests commit 1ea1d6a847d2b1d17fefd9196664b95f052a0775 upstream. machine check validity bits reflect the state of the machine check. If a guest does not make use of guarded storage, the validity bit might be off. We can not use the host CR bit to decide if the validity bit must be on. So ignore "invalid" guarded storage controls for KVM guests in the host and rely on the machine check being forwarded to the guest. If no other errors happen from a host perspective everything is fine and no process must be killed and the host can continue to run. Cc: stable@vger.kernel.org Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest") Reported-by: Carsten Otte Signed-off-by: Christian Borntraeger Tested-by: Carsten Otte Reviewed-by: Heiko Carstens Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 4abcb06fdcb29ae150ab8ae6a7c34cb9a921fe97 Author: Vasily Gorbik Date: Thu Jan 20 16:23:19 2022 +0100 s390/hypfs: include z/VM guests with access control group set commit 663d34c8df98740f1e90241e78e456d00b3c6cad upstream. Currently if z/VM guest is allowed to retrieve hypervisor performance data globally for all guests (privilege class B) the query is formed in a way to include all guests but the group name is left empty. This leads to that z/VM guests which have access control group set not being included in the results (even local vm). Change the query group identifier from empty to "any" to retrieve information about all guests from any groups (or without a group set). Cc: stable@vger.kernel.org Fixes: 31cb4bd31a48 ("[S390] Hypervisor filesystem (s390_hypfs) for z/VM") Reviewed-by: Gerald Schaefer Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 2025d5cb381e4bf8fecc78015da6ef6168f9ace8 Author: Ilya Leoshkevich Date: Wed Jan 19 19:26:37 2022 +0100 s390/module: fix loading modules with a lot of relocations commit f3b7e73b2c6619884351a3a0a7468642f852b8a2 upstream. If the size of the PLT entries generated by apply_rela() exceeds 64KiB, the first ones can no longer reach __jump_r1 with brc. Fix by using brcl. An alternative solution is to add a __jump_r1 copy after every 64KiB, however, the space savings are quite small and do not justify the additional complexity. Fixes: f19fbd5ed642 ("s390: introduce execute-trampolines for branches") Cc: stable@vger.kernel.org Reported-by: Andrea Righi Signed-off-by: Ilya Leoshkevich Reviewed-by: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit a3aa4850b37b1bc61014080a87864d0ff7beebd3 Author: Marc Zyngier Date: Fri Jan 21 18:42:07 2022 +0000 KVM: arm64: Use shadow SPSR_EL1 when injecting exceptions on !VHE commit 278583055a237270fac70518275ba877bf9e4013 upstream. Injecting an exception into a guest with non-VHE is risky business. Instead of writing in the shadow register for the switch code to restore it, we override the CPU register instead. Which gets overriden a few instructions later by said restore code. The result is that although the guest correctly gets the exception, it will return to the original context in some random state, depending on what was there the first place... Boo. Fix the issue by writing to the shadow register. The original code is absolutely fine on VHE, as the state is already loaded, and writing to the shadow register in that case would actually be a bug. Fixes: bb666c472ca2 ("KVM: arm64: Inject AArch64 exceptions from HYP") Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Reviewed-by: Fuad Tabba Link: https://lore.kernel.org/r/20220121184207.423426-1-maz@kernel.org Signed-off-by: Greg Kroah-Hartman commit d9505958e1eecaa264c3bb352080d885dbbb031f Author: Ard Biesheuvel Date: Tue Jan 18 19:32:17 2022 +0100 ARM: 9180/1: Thumb2: align ALT_UP() sections in modules sufficiently commit 9f80ccda53b9417236945bc7ece4b519037df74d upstream. When building for Thumb2, the .alt.smp.init sections that are emitted by the ALT_UP() patching code may not be 32-bit aligned, even though the fixup_smp_on_up() routine expects that. This results in alignment faults at module load time, which need to be fixed up by the fault handler. So let's align those sections explicitly, and prevent this from occurring. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit cbab3cac94c69b95543c636bc1895701dfd3a00d Author: Ard Biesheuvel Date: Tue Jan 18 13:45:09 2022 +0100 ARM: 9179/1: uaccess: avoid alignment faults in copy_[from|to]_kernel_nofault commit 15420269b02a63ed8c1841905d8b8b2403246004 upstream. The helpers that are used to implement copy_from_kernel_nofault() and copy_to_kernel_nofault() cast a void* to a pointer to a wider type, which may result in alignment faults on ARM if the compiler decides to use double-word or multiple-word load/store instructions. Only configurations that define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y are affected, given that commit 2423de2e6f4d ("ARM: 9115/1: mm/maccess: fix unaligned copy_{from,to}_kernel_nofault") ensures that dst and src are sufficiently aligned otherwise. So use the unaligned accessors for accessing dst and src in cases where they may be misaligned. Cc: # depends on 2423de2e6f4d Fixes: 2df4c9a741a0 ("ARM: 9112/1: uaccess: add __{get,put}_kernel_nofault") Reviewed-by: Arnd Bergmann Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit e826ab1857177d1678f299a8d6860ec6f0fdd58f Author: Mohammad Athari Bin Ismail Date: Wed Jan 26 17:47:23 2022 +0800 net: stmmac: skip only stmmac_ptp_register when resume from suspend commit 0735e639f129dff455aeb91da291f5c578cc33db upstream. When resume from suspend, besides skipping PTP registration, it also skipping PTP HW initialization. This could cause PTP clock not able to operate properly when resume from suspend. To fix this, only stmmac_ptp_register() is skipped when resume from suspend. Fixes: fe1319291150 ("stmmac: Don't init ptp again when resume from suspend/hibernation") Cc: # 5.15.x Signed-off-by: Mohammad Athari Bin Ismail Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ef5a86d447a87e91295784cf917be6ef390a80b Author: Mohammad Athari Bin Ismail Date: Wed Jan 26 17:47:22 2022 +0800 net: stmmac: configure PTP clock source prior to PTP initialization commit 94c82de43e01ef5747a95e4a590880de863fe423 upstream. For Intel platform, it is required to configure PTP clock source prior PTP initialization in MAC. So, need to move ptp_clk_freq_config execution from stmmac_ptp_register() to stmmac_init_ptp(). Fixes: 76da35dc99af ("stmmac: intel: Add PSE and PCH PTP clock source selection") Cc: # 5.15.x Signed-off-by: Mohammad Athari Bin Ismail Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 30705f1f012ccd2232dade49cabac894d34580da Author: Marek Behún Date: Wed Jan 19 17:44:55 2022 +0100 net: sfp: ignore disabled SFP node commit 2148927e6ed43a1667baf7c2ae3e0e05a44b51a0 upstream. Commit ce0aa27ff3f6 ("sfp: add sfp-bus to bridge between network devices and sfp cages") added code which finds SFP bus DT node even if the node is disabled with status = "disabled". Because of this, when phylink is created, it ends with non-null .sfp_bus member, even though the SFP module is not probed (because the node is disabled). We need to ignore disabled SFP bus node. Fixes: ce0aa27ff3f6 ("sfp: add sfp-bus to bridge between network devices and sfp cages") Signed-off-by: Marek Behún Cc: stable@vger.kernel.org # 2203cbf2c8b5 ("net: sfp: move fwnode parsing into sfp-bus layer") Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5e32b05c38610b5ab7591bd7097001054680fe82 Author: Marc Kleine-Budde Date: Fri Jan 14 15:35:01 2022 +0100 can: m_can: m_can_fifo_{read,write}: don't read or write from/to FIFO if length is 0 commit db72589c49fd260bfc99c7160c079675bc7417af upstream. In order to optimize FIFO access, especially on m_can cores attached to slow busses like SPI, in patch | e39381770ec9 ("can: m_can: Disable IRQs on FIFO bus errors") bulk read/write support has been added to the m_can_fifo_{read,write} functions. That change leads to the tcan driver to call regmap_bulk_{read,write}() with a length of 0 (for CAN frames with 0 data length). regmap treats this as an error: | tcan4x5x spi1.0 tcan4x5x0: FIFO write returned -22 This patch fixes the problem by not calling the cdev->ops->{read,write)_fifo() in case of a 0 length read/write. Fixes: e39381770ec9 ("can: m_can: Disable IRQs on FIFO bus errors") Link: https://lore.kernel.org/all/20220114155751.2651888-1-mkl@pengutronix.de Cc: stable@vger.kernel.org Cc: Matt Kline Cc: Chandrasekar Ramakrishnan Reported-by: Michael Anochin Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 62a9fa1bad289c27d3975321b83aaf2f91d466a1 Author: Clark Williams Date: Sun Jan 30 14:59:52 2022 -0600 Linux 5.15.18-rt28 Signed-off-by: Clark Williams commit e879d7726281d52a5aacda4cfb6fad0e1b8c7222 Merge: 72992291c431 9c43548a7fb8 Author: Clark Williams Date: Sun Jan 30 14:45:21 2022 -0600 Merge tag 'v5.15.18' into v5.15-rt This is the 5.15.18 stable release Signed-off-by: Clark Williams Conflicts: kernel/sched/psi.c commit 9c43548a7fb8220b13b0ff980989b44f37d54138 Author: Greg Kroah-Hartman Date: Sat Jan 29 10:58:25 2022 +0100 Linux 5.15.18 Link: https://lore.kernel.org/r/20220127180259.078563735@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Ron Economos Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Guenter Roeck Tested-by: Fox Chen Signed-off-by: Greg Kroah-Hartman commit 6066977961fc6f437bc064f628cf9b0e4571c56c Author: Mathias Krause Date: Thu Jan 27 18:34:19 2022 +1000 drm/vmwgfx: Fix stale file descriptors on failed usercopy commit a0f90c8815706981c483a652a6aefca51a5e191c upstream. A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Fix this by deferring the call to fd_install() until after the usercopy has succeeded. Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") Signed-off-by: Mathias Krause Signed-off-by: Zack Rusin Signed-off-by: Dave Airlie Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9c82ce59362672e0e5b38cff1e9dbdb52ec62b4f Author: Russell King Date: Fri Nov 5 16:50:45 2021 +0000 arm64/bpf: Remove 128MB limit for BPF JIT programs commit b89ddf4cca43f1269093942cf5c4e457fd45c335 upstream. Commit 91fc957c9b1d ("arm64/bpf: don't allocate BPF JIT programs in module memory") restricts BPF JIT program allocation to a 128MB region to ensure BPF programs are still in branching range of each other. However this restriction should not apply to the aarch64 JIT, since BPF_JMP | BPF_CALL are implemented as a 64-bit move into a register and then a BLR instruction - which has the effect of being able to call anything without proximity limitation. The practical reason to relax this restriction on JIT memory is that 128MB of JIT memory can be quickly exhausted, especially where PAGE_SIZE is 64KB - one page is needed per program. In cases where seccomp filters are applied to multiple VMs on VM launch - such filters are classic BPF but converted to BPF - this can severely limit the number of VMs that can be launched. In a world where we support BPF JIT always on, turning off the JIT isn't always an option either. Fixes: 91fc957c9b1d ("arm64/bpf: don't allocate BPF JIT programs in module memory") Suggested-by: Ard Biesheuvel Signed-off-by: Russell King Signed-off-by: Daniel Borkmann Tested-by: Alan Maguire Link: https://lore.kernel.org/bpf/1636131046-5982-2-git-send-email-alan.maguire@oracle.com Reviewed-by: Tom Saeger Signed-off-by: Greg Kroah-Hartman commit 7b6577cf9fe48d24d82df9362a077396a9d5cb27 Author: Harry Wentland Date: Tue Jan 4 10:45:41 2022 -0500 drm/amdgpu: Use correct VIEWPORT_DIMENSION for DCN2 commit dc5d4aff2e99c312df8abbe1ee9a731d2913bc1b upstream. For some reason this file isn't using the appropriate register headers for DCN headers, which means that on DCN2 we're getting the VIEWPORT_DIMENSION offset wrong. This means that we're not correctly carving out the framebuffer memory correctly for a framebuffer allocated by EFI and therefore see corruption when loading amdgpu before the display driver takes over control of the framebuffer scanout. Fix this by checking the DCE_HWIP and picking the correct offset accordingly. Long-term we should expose this info from DC as GMC shouldn't need to know about DCN registers. Cc: stable@vger.kernel.org Signed-off-by: Harry Wentland Reviewed-by: Huang Rui Acked-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Mario Limonciello Signed-off-by: Greg Kroah-Hartman commit 145407e54fd15fd2a87ee7d6c66077e614036a9b Author: Jan Kara Date: Mon Jan 10 19:19:23 2022 +0100 select: Fix indefinitely sleeping task in poll_schedule_timeout() commit 68514dacf2715d11b91ca50d88de047c086fea9c upstream. A task can end up indefinitely sleeping in do_select() -> poll_schedule_timeout() when the following race happens: TASK1 (thread1) TASK2 TASK1 (thread2) do_select() setup poll_wqueues table with 'fd' write data to 'fd' pollwake() table->triggered = 1 closes 'fd' thread1 is waiting for poll_schedule_timeout() - sees table->triggered table->triggered = 0 return -EINTR loop back in do_select() But at this point when TASK1 loops back, the fdget() in the setup of poll_wqueues fails. So now so we never find 'fd' is ready for reading and sleep in poll_schedule_timeout() indefinitely. Treat an fd that got closed as a fd on which some event happened. This makes sure cannot block indefinitely in do_select(). Another option would be to return -EBADF in this case but that has a potential of subtly breaking applications that excercise this behavior and it happens to work for them. So returning fd as active seems like a safer choice. Suggested-by: Linus Torvalds CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c3156dbd5082c65b84936c8de47149799dee3ef8 Author: Paul E. McKenney Date: Fri Sep 17 15:04:48 2021 -0700 rcu: Tighten rcu_advance_cbs_nowake() checks commit 614ddad17f22a22e035e2ea37a04815f50362017 upstream. Currently, rcu_advance_cbs_nowake() checks that a grace period is in progress, however, that grace period could end just after the check. This commit rechecks that a grace period is still in progress while holding the rcu_node structure's lock. The grace period cannot end while the current CPU's rcu_node structure's ->lock is held, thus avoiding false positives from the WARN_ON_ONCE(). As Daniel Vacek noted, it is not necessary for the rcu_node structure to have a CPU that has not yet passed through its quiescent state. Tested-by: Guillaume Morin Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 6ebe994b54a63f78e7bba65ac5ebaca7dfa88526 Author: Shakeel Butt Date: Fri Jan 14 14:05:39 2022 -0800 memcg: better bounds on the memcg stats updates commit 5b3be698a872c490dbed524f3e2463701ab21339 upstream. Commit 11192d9c124d ("memcg: flush stats only if updated") added tracking of memcg stats updates which is used by the readers to flush only if the updates are over a certain threshold. However each individual update can correspond to a large value change for a given stat. For example adding or removing a hugepage to an LRU changes the stat by thp_nr_pages (512 on x86_64). Treating the update related to THP as one can keep the stat off, in theory, by (thp_nr_pages * nr_cpus * CHARGE_BATCH) before flush. To handle such scenarios, this patch adds consideration of the stat update value as well instead of just the update event. In addition let the asyn flusher unconditionally flush the stats to put time limit on the stats skew and hopefully a lot less readers would need to flush. Link: https://lkml.kernel.org/r/20211118065350.697046-1-shakeelb@google.com Signed-off-by: Shakeel Butt Cc: Johannes Weiner Cc: Michal Hocko Cc: "Michal Koutný" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Ivan Babrou Signed-off-by: Greg Kroah-Hartman commit 6c8076660d9cc281dbb0445c3967f1e1641f5115 Author: Shakeel Butt Date: Fri Nov 5 13:37:34 2021 -0700 memcg: unify memcg stat flushing commit fd25a9e0e23b995fd0ba5e2f00a1099452cbc3cf upstream. The memcg stats can be flushed in multiple context and potentially in parallel too. For example multiple parallel user space readers for memcg stats will contend on the rstat locks with each other. There is no need for that. We just need one flusher and everyone else can benefit. In addition after aa48e47e3906 ("memcg: infrastructure to flush memcg stats") the kernel periodically flush the memcg stats from the root, so, the other flushers will potentially have much less work to do. Link: https://lkml.kernel.org/r/20211001190040.48086-2-shakeelb@google.com Signed-off-by: Shakeel Butt Acked-by: Johannes Weiner Cc: Michal Hocko Cc: "Michal Koutný" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Ivan Babrou Signed-off-by: Greg Kroah-Hartman commit 7182935bd5ae2b7f747d6feb2b56b918ab26647c Author: Shakeel Butt Date: Fri Nov 5 13:37:31 2021 -0700 memcg: flush stats only if updated commit 11192d9c124d58d66449b163ed0d2cdff03761a1 upstream. At the moment, the kernel flushes the memcg stats on every refault and also on every reclaim iteration. Although rstat maintains per-cpu update tree but on the flush the kernel still has to go through all the cpu rstat update tree to check if there is anything to flush. This patch adds the tracking on the stats update side to make flush side more clever by skipping the flush if there is no update. The stats update codepath is very sensitive performance wise for many workloads and benchmarks. So, we can not follow what the commit aa48e47e3906 ("memcg: infrastructure to flush memcg stats") did which was triggering async flush through queue_work() and caused a lot performance regression reports. That got reverted by the commit 1f828223b799 ("memcg: flush lruvec stats in the refault"). In this patch we kept the stats update codepath very minimal and let the stats reader side to flush the stats only when the updates are over a specific threshold. For now the threshold is (nr_cpus * CHARGE_BATCH). To evaluate the impact of this patch, an 8 GiB tmpfs file is created on a system with swap-on-zram and the file was pushed to swap through memory.force_empty interface. On reading the whole file, the memcg stat flush in the refault code path is triggered. With this patch, we observed 63% reduction in the read time of 8 GiB file. Link: https://lkml.kernel.org/r/20211001190040.48086-1-shakeelb@google.com Signed-off-by: Shakeel Butt Acked-by: Johannes Weiner Cc: Michal Hocko Reviewed-by: "Michal Koutný" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Ivan Babrou Signed-off-by: Greg Kroah-Hartman commit 2691be41fede058092c84455e3d52232e08a5990 Author: Manish Chopra Date: Tue Jan 25 10:57:49 2022 -0800 bnx2x: Invalidate fastpath HSI version for VFs commit 802d4d207e75d7208ff75adb712b556c1e91cf1c upstream Commit 0a6890b9b4df ("bnx2x: Utilize FW 7.13.15.0.") added validation for fastpath HSI versions for different client init which was not meant for SR-IOV VF clients, which resulted in firmware asserts when running VF clients with different fastpath HSI version. This patch along with the new firmware support in patch #1 fixes this behavior in order to not validate fastpath HSI version for the VFs. Fixes: 0a6890b9b4df ("bnx2x: Utilize FW 7.13.15.0.") Signed-off-by: Manish Chopra Signed-off-by: Prabhakar Kushwaha Signed-off-by: Alok Prasad Signed-off-by: Ariel Elior Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 66e1791cbeedce631dbad32bfb974c7f910fc8df Author: Manish Chopra Date: Tue Jan 25 10:57:48 2022 -0800 bnx2x: Utilize firmware 7.13.21.0 commit b7a49f73059fe6147b6b78e8f674ce0d21237432 upstream This new firmware addresses few important issues and enhancements as mentioned below - - Support direct invalidation of FP HSI Ver per function ID, required for invalidating FP HSI Ver prior to each VF start, as there is no VF start - BRB hardware block parity error detection support for the driver - Fix the FCOE underrun flow - Fix PSOD during FCoE BFS over the NIC ports after preboot driver - Maintains backward compatibility This patch incorporates this new firmware 7.13.21.0 in bnx2x driver. Signed-off-by: Manish Chopra Signed-off-by: Prabhakar Kushwaha Signed-off-by: Alok Prasad Signed-off-by: Ariel Elior Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b168b1a0397ea64afc852e8f639be5bd920a79d9 Author: Pavel Begunkov Date: Sun Jan 9 00:53:22 2022 +0000 io_uring: fix not released cached task refs commit 3cc7fdb9f90a25ae92250bf9e6cf3b9556b230e9 upstream. tctx_task_work() may get run after io_uring cancellation and so there will be no one to put cached in tctx task refs that may have been added back by tw handlers using inline completion infra, Call io_uring_drop_tctx_refs() at the end of the main tw handler to release them. Cc: stable@vger.kernel.org # 5.15+ Reported-by: Lukas Bulwahn Fixes: e98e49b2bbf7 ("io_uring: extend task put optimisations") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/69f226b35fbdb996ab799a8bbc1c06bf634ccec1.1641688805.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f71c91ed1d4b4bfbbb55327b04dcc32b2d970f62 Author: Mario Limonciello Date: Fri Jan 7 15:40:10 2022 -0600 drm/amd/display: reset dcn31 SMU mailbox on failures commit 83293f7f3d15fc56e86bd5067a2c88b6b233ac3a upstream. Otherwise future commands may fail as well leading to downstream problems that look like they stemmed from a timeout the first time but really didn't. Signed-off-by: Mario Limonciello Reviewed-by: Nicholas Kazlauskas Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7 Author: Tvrtko Ursulin Date: Tue Oct 19 13:27:10 2021 +0100 drm/i915: Flush TLBs before releasing backing store commit 7938d61591d33394a21bdd7797a245b65428f44c upstream. We need to flush TLBs before releasing backing store otherwise userspace is able to encounter stale entries if a) it is not declaring access to certain buffers and b) it races with the backing store release from a such undeclared execution already executing on the GPU in parallel. The approach taken is to mark any buffer objects which were ever bound to the GPU and to trigger a serialized TLB flush when their backing store is released. Alternatively the flushing could be done on VMA unbind, at which point we would be able to ascertain whether there is potential a parallel GPU execution (which could race), but essentially it boils down to paying the cost of TLB flushes potentially needlessly at VMA unbind time (when the backing store is not known to be going away so not needed for safety), versus potentially needlessly at backing store relase time (since we at that point cannot tell whether there is anything executing on the GPU which uses that object). Thereforce simplicity of implementation has been chosen for now with scope to benchmark and refine later as required. Signed-off-by: Tvrtko Ursulin Reported-by: Sushma Venkatesh Reddy Reviewed-by: Daniel Vetter Acked-by: Dave Airlie Cc: Daniel Vetter Cc: Jon Bloomfield Cc: Joonas Lahtinen Cc: Jani Nikula Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e8a2995c6076721d496d9458e13142caa7ba8753 Author: Greg Kroah-Hartman Date: Thu Jan 27 11:05:44 2022 +0100 Linux 5.15.17 Link: https://lore.kernel.org/r/20220124184100.867127425@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Ron Economos Link: https://lore.kernel.org/r/20220125155423.959812122@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Justin M. Forbes Tested-by: Ron Economos Tested-by: Linux Kernel Functional Testing Tested-by: Sudip Mukherjee Tested-by: Alan Maguire Reviewed-by: Tom Saeger Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 4ea9b8ed6459db9c55d303d1709551e3d8fdf539 Author: Mauro Carvalho Chehab Date: Thu Jan 6 01:41:02 2022 +0100 scripts: sphinx-pre-install: Fix ctex support on Debian commit 87d6576ddf8ac25f36597bc93ca17f6628289c16 upstream. The name of the package with ctexhook.sty is different on Debian/Ubuntu. Reported-by: Akira Yokosawa Signed-off-by: Mauro Carvalho Chehab Tested-by: Akira Yokosawa Link: https://lore.kernel.org/r/63882425609a2820fac78f5e94620abeb7ed5f6f.1641429634.git.mchehab@kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 21c9a4d2cdd4a20946e1ac925f9be6e23ded6ab6 Author: Mauro Carvalho Chehab Date: Mon Jan 3 22:01:57 2022 +0100 scripts: sphinx-pre-install: add required ctex dependency commit 7baab965896eaeea60a54b8fe742feea2f79060f upstream. After a change meant to fix support for oriental characters (Chinese, Japanese, Korean), ctex stylesheet is now a requirement for PDF output. Reported-by: Christoph Hellwig Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/165aa6167f21e3892a6e308688c93c756e94f4e0.1641243581.git.mchehab@kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit ffd8fd2faf4725ac94895494a4d67f13756a9438 Author: Andrey Konovalov Date: Wed Jan 19 18:09:28 2022 -0800 lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test commit e073e5ef90298d2d6e5e7f04b545a0815e92110c upstream. Make do_kmem_cache_size_bulk() destroy the cache it creates. Link: https://lkml.kernel.org/r/aced20a94bf04159a139f0846e41d38a1537debb.1640018297.git.andreyknvl@google.com Fixes: 03a9349ac0e0 ("lib/test_meminit: add a kmem_cache_alloc_bulk() test") Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrey Ryabinin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8d8f479e08a36672d3d36b79caee55e04ec3f065 Author: Moshe Tal Date: Sun Jan 16 19:39:29 2022 +0200 bonding: Fix extraction of ports from the packet headers commit 429e3d123d9a50cc9882402e40e0ac912d88cfcf upstream. Wrong hash sends single stream to multiple output interfaces. The offset calculation was relative to skb->head, fix it to be relative to skb->data. Fixes: a815bde56b15 ("net, bonding: Refactor bond_xmit_hash for use with xdp_buff") Reviewed-by: Jussi Maki Reviewed-by: Saeed Mahameed Reviewed-by: Gal Pressman Signed-off-by: Moshe Tal Acked-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 52b66f818916600098c7ea954d749f2307770d9f Author: Alistair Popple Date: Fri Jan 14 14:09:31 2022 -0800 mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault commit 87c01d57fa23de82fff593a7d070933d08755801 upstream. hmm_range_fault() can be used instead of get_user_pages() for devices which allow faulting however unlike get_user_pages() it will return an error when used on a VM_MIXEDMAP range. To make hmm_range_fault() more closely match get_user_pages() remove this restriction. This requires dealing with the !ARCH_HAS_PTE_SPECIAL case in hmm_vma_handle_pte(). Rather than replicating the logic of vm_normal_page() call it directly and do a check for the zero pfn similar to what get_user_pages() currently does. Also add a test to hmm selftest to verify functionality. Link: https://lkml.kernel.org/r/20211104012001.2555676-1-apopple@nvidia.com Fixes: da4c3c735ea4 ("mm/hmm/mirror: helper to snapshot CPU page table") Signed-off-by: Alistair Popple Reviewed-by: Jason Gunthorpe Cc: Jerome Glisse Cc: John Hubbard Cc: Zi Yan Cc: Ralph Campbell Cc: Felix Kuehling Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 42de0446a142354f98caa3cdf8f930ca1cac7b14 Author: Miaoqian Lin Date: Fri Jan 14 06:57:24 2022 +0000 lib82596: Fix IRQ check in sni_82596_probe commit 99218cbf81bf21355a3de61cd46a706d36e900e6 upstream. platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: 115978859272 ("i825xx: Move the Intel 82586/82593/82596 based drivers") Signed-off-by: Miaoqian Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8d1e3f319160363d9d77af51cbe2765d187587fc Author: Matthias Schiffer Date: Thu Jan 13 09:19:18 2022 +0100 scripts/dtc: dtx_diff: remove broken example from help text commit d8adf5b92a9d2205620874d498c39923ecea8749 upstream. dtx_diff suggests to use <(...) syntax to pipe two inputs into it, but this has never worked: The /proc/self/fds/... paths passed by the shell will fail the `[ -f "${dtx}" ] && [ -r "${dtx}" ]` check in compile_to_dts, but even with this check removed, the function cannot work: hexdump will eat up the DTB magic, making the subsequent dtc call fail, as a pipe cannot be rewound. Simply remove this broken example, as there is already an alternative one that works fine. Fixes: 10eadc253ddf ("dtc: create tool to diff device trees") Signed-off-by: Matthias Schiffer Reviewed-by: Frank Rowand Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220113081918.10387-1-matthias.schiffer@ew.tq-group.com Signed-off-by: Greg Kroah-Hartman commit 46210f5051898d02e87b3bd0ae87aafa9b4180d5 Author: Maxim Mikityanskiy Date: Wed Jan 12 12:28:05 2022 +0200 sch_api: Don't skip qdisc attach on ingress commit de2d807b294d3d2ce5e59043ae2634016765d076 upstream. The attach callback of struct Qdisc_ops is used by only a few qdiscs: mq, mqprio and htb. qdisc_graft() contains the following logic (pseudocode): if (!qdisc->ops->attach) { if (ingress) do ingress stuff; else do egress stuff; } if (!ingress) { ... if (qdisc->ops->attach) qdisc->ops->attach(qdisc); } else { ... } As we see, the attach callback is not called if the qdisc is being attached to ingress (TC_H_INGRESS). That wasn't a problem for mq and mqprio, since they contain a check that they are attached to TC_H_ROOT, and they can't be attached to TC_H_INGRESS anyway. However, the commit cited below added the attach callback to htb. It is needed for the hardware offload, but in the non-offload mode it simulates the "do egress stuff" part of the pseudocode above. The problem is that when htb is attached to ingress, neither "do ingress stuff" nor attach() is called. It results in an inconsistency, and the following message is printed to dmesg: unregister_netdevice: waiting for lo to become free. Usage count = 2 This commit addresses the issue by running "do ingress stuff" in the ingress flow even in the attach callback is present, which is fine, because attach isn't going to be called afterwards. The bug was found by syzbot and reported by Eric. Fixes: d03b195b5aa0 ("sch_htb: Hierarchical QoS hardware offload") Signed-off-by: Maxim Mikityanskiy Reported-by: Eric Dumazet Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 814527dbc101590b05bf7335cf762eaeb8ada4c2 Author: Sam Protsenko Date: Sun Nov 21 18:56:36 2021 +0200 dt-bindings: watchdog: Require samsung,syscon-phandle for Exynos7 commit 33950f9a36aca55c2b1e6062d9b29f3e97f91c40 upstream. Exynos7 watchdog driver is clearly indicating that its dts node must define syscon phandle property. That was probably forgotten, so add it. Signed-off-by: Sam Protsenko Fixes: 2b9366b66967 ("watchdog: s3c2410_wdt: Add support for Watchdog device on Exynos7") Reviewed-by: Krzysztof Kozlowski Reviewed-by: Rob Herring Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20211107202943.8859-2-semen.protsenko@linaro.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 34aa30c8ff902b672b3ae9551f5b7479828ffd7a Author: Alexander Stein Date: Sun Dec 19 10:41:55 2021 +0100 dt-bindings: display: meson-vpu: Add missing amlogic,canvas property commit 640f35b871d29cd685ce0ea0762636381beeb98a upstream. This property was already mentioned in the old textual bindings amlogic,meson-vpu.txt, but got dropped during conversion. Adding it back similar to amlogic,gx-vdec.yaml. Fixes: 6b9ebf1e0e67 ("dt-bindings: display: amlogic, meson-vpu: convert to yaml") Signed-off-by: Alexander Stein Acked-by: Rob Herring Reviewed-by: Neil Armstrong Reviewed-by: Martin Blumenstingl Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211219094155.177206-1-alexander.stein@mailbox.org Signed-off-by: Greg Kroah-Hartman commit 3f219ebc9f63c70eb4097cbb8059d1fe0330ed93 Author: Alexander Stein Date: Thu Dec 23 13:24:32 2021 +0100 dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property commit 22bf4047d26980807611b7e2030803db375afd87 upstream. This is used in meson-gx and meson-g12. Add the property to the binding. This fixes the dtschema warning: hdmi-tx@c883a000: 'sound-name-prefix' does not match any of the regexes: 'pinctrl-[0-9]+' Signed-off-by: Alexander Stein Fixes: 376bf52deef5 ("dt-bindings: display: amlogic, meson-dw-hdmi: convert to yaml") Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211223122434.39378-2-alexander.stein@mailbox.org Signed-off-by: Greg Kroah-Hartman commit e829e487f193559f61dfdb5ccbcab3769251d921 Author: Tom Rix Date: Tue Jan 18 05:41:10 2022 -0800 net: mscc: ocelot: fix using match before it is set commit baa59504c1cd0cca7d41954a45ee0b3dc78e41a0 upstream. Clang static analysis reports this issue ocelot_flower.c:563:8: warning: 1st function call argument is an uninitialized value !is_zero_ether_addr(match.mask->dst)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The variable match is used before it is set. So move the block. Fixes: 75944fda1dfe ("net: mscc: ocelot: offload ingress skbedit and vlan actions to VCAP IS1") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f864b6130498e6c688bcb2a41fa3afbae6b12fa3 Author: Claudiu Beznea Date: Tue Jan 18 13:08:12 2022 +0200 net: phy: micrel: use kszphy_suspend()/kszphy_resume for irq aware devices commit f1131b9c23fb4a3540a774828ff49f421619f902 upstream. On a setup with KSZ9131 and MACB drivers it happens on suspend path, from time to time, that the PHY interrupt arrives after PHY and MACB were suspended (PHY via genphy_suspend(), MACB via macb_suspend()). In this case the phy_read() at the beginning of kszphy_handle_interrupt() will fail (as MACB driver is suspended at this time) leading to phy_error() being called and a stack trace being displayed on console. To solve this .suspend/.resume functions for all KSZ devices implementing .handle_interrupt were replaced with kszphy_suspend()/kszphy_resume() which disable/enable interrupt before/after calling genphy_suspend()/genphy_resume(). The fix has been adapted for all KSZ devices which implements .handle_interrupt but it has been tested only on KSZ9131. Fixes: 59ca4e58b917 ("net: phy: micrel: implement generic .handle_interrupt() callback") Signed-off-by: Claudiu Beznea Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ed27539e5a4b1ab255b9d73b4ca8c12716c0d817 Author: Ard Biesheuvel Date: Tue Jan 18 11:22:04 2022 +0100 net: cpsw: avoid alignment faults by taking NET_IP_ALIGN into account commit 1771afd47430f5e95c9c3a2e3a8a63e67402d3fe upstream. Both versions of the CPSW driver declare a CPSW_HEADROOM_NA macro that takes NET_IP_ALIGN into account, but fail to use it appropriately when storing incoming packets in memory. This results in the IPv4 source and destination addresses to appear misaligned in memory, which causes aligment faults that need to be fixed up in software. So let's switch from CPSW_HEADROOM to CPSW_HEADROOM_NA where needed. This gets rid of any alignment faults on the RX path on a Beaglebone White. Fixes: 9ed4050c0d75 ("net: ethernet: ti: cpsw: add XDP support") Cc: Grygorii Strashko Cc: Ilias Apalodimas Signed-off-by: Ard Biesheuvel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d1a29a4e334b82c5a95cfe24d9480ee44f19c83f Author: Russell King (Oracle) Date: Mon Jan 17 14:52:33 2022 +0000 net: sfp: fix high power modules without diagnostic monitoring commit 5765cee119bf5a36c94d20eceb37c445508934be upstream. Commit 7cfa9c92d0a3 ("net: sfp: avoid power switch on address-change modules") unintetionally changed the semantics for high power modules without the digital diagnostics monitoring. We repeatedly attempt to read the power status from the non-existing 0xa2 address in a futile hope this failure is temporary: [ 8.856051] sfp sfp-eth3: module NTT 0000000000000000 rev 0000 sn 0000000000000000 dc 160408 [ 8.865843] mvpp2 f4000000.ethernet eth3: switched to inband/1000base-x link mode [ 8.873469] sfp sfp-eth3: Failed to read EEPROM: -5 [ 8.983251] sfp sfp-eth3: Failed to read EEPROM: -5 [ 9.103250] sfp sfp-eth3: Failed to read EEPROM: -5 We previosuly assumed such modules were powered up in the correct mode, continuing without further configuration as long as the required power class was supported by the host. Restore this behaviour, while preserving the intent of subsequent patches to avoid the "Address Change Sequence not supported" warning if we are not going to be accessing the DDM address. Fixes: 7cfa9c92d0a3 ("net: sfp: avoid power switch on address-change modules") Reported-by: 照山周一郎 Tested-by: 照山周一郎 Signed-off-by: Russell King (Oracle) Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a2faa4a272621a92ab82f69936443ac8af5c9ddc Author: Horatiu Vultur Date: Mon Jan 17 13:53:00 2022 +0100 net: ocelot: Fix the call to switchdev_bridge_port_offload commit c0b7f7d7e0ad44f35745c01964b3fa2833e298cb upstream. In the blamed commit, the call to the function switchdev_bridge_port_offload was passing the wrong argument for atomic_nb. It was ocelot_netdevice_nb instead of ocelot_swtchdev_nb. This patch fixes this issue. Fixes: 4e51bf44a03af6 ("net: bridge: move the switchdev object replay helpers to "push" mode") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f8df88d6d10cdc728c6c9a5036a91e0339638188 Author: Tom Rix Date: Sat Jan 15 09:49:18 2022 -0800 net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config() commit 214b3369ab9b0a6f28d6c970220c209417edbc65 upstream. Clang static analysis reports this problem mtk_eth_soc.c:394:7: warning: Branch condition evaluates to a garbage value if (err) ^~~ err is not initialized and only conditionally set. So intitialize err. Fixes: 7e538372694b ("net: ethernet: mediatek: Re-add support SGMII") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c2d55304dba82b4852883012b785c97d1a884c9b Author: Slark Xiao Date: Sat Jan 15 10:34:30 2022 +0800 net: wwan: Fix MRU mismatch issue which may lead to data connection lost commit f542cdfa3083a309e3caafbbdf41490c4935492a upstream. In pci_generic.c there is a 'mru_default' in struct mhi_pci_dev_info. This value shall be used for whole mhi if it's given a value for a specific product. But in function mhi_net_rx_refill_work(), it's still using hard code value MHI_DEFAULT_MRU. 'mru_default' shall have higher priority than MHI_DEFAULT_MRU. And after checking, this change could help fix a data connection lost issue. Fixes: 5c2c85315948 ("bus: mhi: pci-generic: configurable network interface MRU") Signed-off-by: Shujun Wang Signed-off-by: Slark Xiao Reviewed-by: Loic Poulain Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5715614a9da8c3daa48273c63682000839f6cadb Author: Sergey Shtylyov Date: Thu Jan 13 22:46:07 2022 +0300 bcmgenet: add WOL IRQ check commit 9deb48b53e7f4056c2eaa2dc2ee3338df619e4f6 upstream. The driver neglects to check the result of platform_get_irq_optional()'s call and blithely passes the negative error codes to devm_request_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL. Stop calling devm_request_irq() with the invalid IRQ #s. Fixes: 8562056f267d ("net: bcmgenet: request Wake-on-LAN interrupt") Signed-off-by: Sergey Shtylyov Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 784ea1478f4dd8d86d07f45dfb0bd57f7ff9ed18 Author: Vladimir Oltean Date: Wed Jan 12 22:21:27 2022 +0200 net: mscc: ocelot: don't let phylink re-enable TX PAUSE on the NPI port commit 33cb0ff30cff104e753f7882c99e54cf67ea7903 upstream. Since commit b39648079db4 ("net: mscc: ocelot: disable flow control on NPI interface"), flow control should be disabled on the DSA CPU port when used in NPI mode. However, the commit blamed in the Fixes: tag below broke this, because it allowed felix_phylink_mac_link_up() to overwrite SYS_PAUSE_CFG_PAUSE_ENA for the DSA CPU port. This issue became noticeable since the device tree update from commit 8fcea7be5736 ("arm64: dts: ls1028a: mark internal links between Felix and ENETC as capable of flow control"). The solution is to check whether this is the currently configured NPI port from ocelot_phylink_mac_link_up(), and to not modify the statically disabled PAUSE frame transmission if it is. When the port is configured for lossless mode as opposed to tail drop mode, but the link partner (DSA master) doesn't observe the transmitted PAUSE frames, the switch termination throughput is much worse, as can be seen below. Before: root@debian:~# iperf3 -c 192.168.100.2 Connecting to host 192.168.100.2, port 5201 [ 5] local 192.168.100.1 port 37504 connected to 192.168.100.2 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 28.4 MBytes 238 Mbits/sec 357 22.6 KBytes [ 5] 1.00-2.00 sec 33.6 MBytes 282 Mbits/sec 426 19.8 KBytes [ 5] 2.00-3.00 sec 34.0 MBytes 285 Mbits/sec 343 21.2 KBytes [ 5] 3.00-4.00 sec 32.9 MBytes 276 Mbits/sec 354 22.6 KBytes [ 5] 4.00-5.00 sec 32.3 MBytes 271 Mbits/sec 297 18.4 KBytes ^C[ 5] 5.00-5.06 sec 2.05 MBytes 270 Mbits/sec 45 19.8 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-5.06 sec 163 MBytes 271 Mbits/sec 1822 sender [ 5] 0.00-5.06 sec 0.00 Bytes 0.00 bits/sec receiver After: root@debian:~# iperf3 -c 192.168.100.2 Connecting to host 192.168.100.2, port 5201 [ 5] local 192.168.100.1 port 49470 connected to 192.168.100.2 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 112 MBytes 941 Mbits/sec 259 143 KBytes [ 5] 1.00-2.00 sec 110 MBytes 920 Mbits/sec 329 144 KBytes [ 5] 2.00-3.00 sec 112 MBytes 936 Mbits/sec 255 144 KBytes [ 5] 3.00-4.00 sec 110 MBytes 927 Mbits/sec 355 105 KBytes [ 5] 4.00-5.00 sec 110 MBytes 926 Mbits/sec 350 156 KBytes [ 5] 5.00-6.00 sec 110 MBytes 925 Mbits/sec 305 148 KBytes [ 5] 6.00-7.00 sec 110 MBytes 924 Mbits/sec 320 143 KBytes [ 5] 7.00-8.00 sec 110 MBytes 925 Mbits/sec 273 97.6 KBytes [ 5] 8.00-9.00 sec 109 MBytes 913 Mbits/sec 299 141 KBytes [ 5] 9.00-10.00 sec 110 MBytes 922 Mbits/sec 287 146 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 1.08 GBytes 926 Mbits/sec 3032 sender [ 5] 0.00-10.00 sec 1.08 GBytes 925 Mbits/sec receiver Fixes: de274be32cb2 ("net: dsa: felix: set TX flow control according to the phylink_mac_link_up resolution") Reported-by: Xiaoliang Yang Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b4e6455d7ffc60a2803b4794f01631c9d27e0b1e Author: Kevin Bracey Date: Wed Jan 12 19:02:10 2022 +0200 net_sched: restore "mpu xxx" handling commit fb80445c438c78b40b547d12b8d56596ce4ccfeb upstream. commit 56b765b79e9a ("htb: improved accuracy at high rates") broke "overhead X", "linklayer atm" and "mpu X" attributes. "overhead X" and "linklayer atm" have already been fixed. This restores the "mpu X" handling, as might be used by DOCSIS or Ethernet shaping: tc class add ... htb rate X overhead 4 mpu 64 The code being fixed is used by htb, tbf and act_police. Cake has its own mpu handling. qdisc_calculate_pkt_len still uses the size table containing values adjusted for mpu by user space. iproute2 tc has always passed mpu into the kernel via a tc_ratespec structure, but the kernel never directly acted on it, merely stored it so that it could be read back by `tc class show`. Rather, tc would generate length-to-time tables that included the mpu (and linklayer) in their construction, and the kernel used those tables. Since v3.7, the tables were no longer used. Along with "mpu", this also broke "overhead" and "linklayer" which were fixed in 01cb71d2d47b ("net_sched: restore "overhead xxx" handling", v3.10) and 8a8e3d84b171 ("net_sched: restore "linklayer atm" handling", v3.11). "overhead" was fixed by simply restoring use of tc_ratespec::overhead - this had originally been used by the kernel but was initially omitted from the new non-table-based calculations. "linklayer" had been handled in the table like "mpu", but the mode was not originally passed in tc_ratespec. The new implementation was made to handle it by getting new versions of tc to pass the mode in an extended tc_ratespec, and for older versions of tc the table contents were analysed at load time to deduce linklayer. As "mpu" has always been given to the kernel in tc_ratespec, accompanying the mpu-based table, we can restore system functionality with no userspace change by making the kernel act on the tc_ratespec value. Fixes: 56b765b79e9a ("htb: improved accuracy at high rates") Signed-off-by: Kevin Bracey Cc: Eric Dumazet Cc: Jiri Pirko Cc: Vimalkumar Link: https://lore.kernel.org/r/20220112170210.1014351-1-kevin@bracey.fi Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 75a09b8d02084edf325f24c24a7c08338831b5a4 Author: Alex Elder Date: Wed Jan 12 07:30:10 2022 -0600 net: ipa: fix atomic update in ipa_endpoint_replenish() commit 6c0e3b5ce94947b311348c367db9e11dcb2ccc93 upstream. In ipa_endpoint_replenish(), if an error occurs when attempting to replenish a receive buffer, we just quit and try again later. In that case we increment the backlog count to reflect that the attempt was unsuccessful. Then, if the add_one flag was true we increment the backlog again. This second increment is not included in the backlog local variable though, and its value determines whether delayed work should be scheduled. This is a bug. Fix this by determining whether 1 or 2 should be added to the backlog before adding it in a atomic_add_return() call. Reviewed-by: Matthias Kaehlcke Fixes: 84f9bd12d46db ("soc: qcom: ipa: IPA endpoints") Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f1d206181f19b00b275b258fea1418718a2f4173 Author: Jie Wang Date: Wed Jan 12 20:54:18 2022 +0800 net: bonding: fix bond_xmit_broadcast return value error bug commit 4e5bd03ae34652cd932ab4c91c71c511793df75c upstream. In Linux bonding scenario, one packet is copied to several copies and sent by all slave device of bond0 in mode 3(broadcast mode). The mode 3 xmit function bond_xmit_broadcast() only ueses the last slave device's tx result as the final result. In this case, if the last slave device is down, then it always return NET_XMIT_DROP, even though the other slave devices xmit success. It may cause the tx statistics error, and cause the application (e.g. scp) consider the network is unreachable. For example, use the following command to configure server A. echo 3 > /sys/class/net/bond0/bonding/mode ifconfig bond0 up ifenslave bond0 eth0 eth1 ifconfig bond0 192.168.1.125 ifconfig eth0 up ifconfig eth1 down The slave device eth0 and eth1 are connected to server B(192.168.1.107). Run the ping 192.168.1.107 -c 3 -i 0.2 command, the following information is displayed. PING 192.168.1.107 (192.168.1.107) 56(84) bytes of data. 64 bytes from 192.168.1.107: icmp_seq=1 ttl=64 time=0.077 ms 64 bytes from 192.168.1.107: icmp_seq=2 ttl=64 time=0.056 ms 64 bytes from 192.168.1.107: icmp_seq=3 ttl=64 time=0.051 ms 192.168.1.107 ping statistics 0 packets transmitted, 3 received Actually, the slave device eth0 of the bond successfully sends three ICMP packets, but the result shows that 0 packets are transmitted. Also if we use scp command to get remote files, the command end with the following printings. ssh_exchange_identification: read: Connection timed out So this patch modifies the bond_xmit_broadcast to return NET_XMIT_SUCCESS if one slave device in the bond sends packets successfully. If all slave devices send packets fail, the discarded packets stats is increased. The skb is released when there is no slave device in the bond or the last slave device is down. Fixes: ae46f184bc1f ("bonding: propagate transmit status") Signed-off-by: Jie Wang Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 62009fa50c1a70a291f8f72a66b08449a03ea50e Author: Miroslav Lichvar Date: Tue Jan 11 16:10:53 2022 +0100 net: fix sock_timestamping_bind_phc() to release device commit 2a4d75bfe41232608f5596a6d1369f92ccb20817 upstream. Don't forget to release the device in sock_timestamping_bind_phc() after it was used to get the vclock indices. Fixes: d463126e23f1 ("net: sock: extend SO_TIMESTAMPING for PHC binding") Signed-off-by: Miroslav Lichvar Cc: Yangbo Lu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 55d613f5d4c26ac8e5c5addc4d2dd4e876016750 Author: David Heidelberg Date: Sat Oct 30 12:04:12 2021 +0200 arm64: dts: qcom: msm8996: drop not documented adreno properties commit c41910f257a22dc406c60d8826b4a3b5398003a3 upstream. These properties aren't documented nor implemented in the driver. Drop them. Fixes warnings as: $ make dtbs_check DT_SCHEMA_FILES=Documentation/devicetree/bindings/display/msm/gpu.yaml ... arch/arm64/boot/dts/qcom/msm8996-mtp.dt.yaml: gpu@b00000: 'qcom,gpu-quirk-fault-detect-mask', 'qcom,gpu-quirk-two-pass-use-wfi' do not match any of the regexes: 'pinctrl-[0-9]+' From schema: Documentation/devicetree/bindings/display/msm/gpu.yaml ... Fixes: 69cc3114ab0f ("arm64: dts: Add Adreno GPU definitions") Signed-off-by: David Heidelberg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211030100413.28370-1-david@ixit.cz Signed-off-by: Greg Kroah-Hartman commit 795ad139ed915f7ef726490a3be86cd559f3ee05 Author: Leon Romanovsky Date: Sun Nov 28 14:14:46 2021 +0200 devlink: Remove misleading internal_flags from health reporter dump commit e9538f8270db24d272659e15841854c7ea11119e upstream. DEVLINK_CMD_HEALTH_REPORTER_DUMP_GET command doesn't have .doit callback and has no use in internal_flags at all. Remove this misleading assignment. Fixes: e44ef4e4516c ("devlink: Hang reporter's dump method on a dumpit cb") Signed-off-by: Leon Romanovsky Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 228a7024ed8a9e269b45ea12171c2265baaf50cc Author: Zechuan Chen Date: Tue Dec 28 19:13:38 2021 +0800 perf probe: Fix ppc64 'perf probe add events failed' case commit 4624f199327a704dd1069aca1c3cadb8f2a28c6f upstream. Because of commit bf794bf52a80c627 ("powerpc/kprobes: Fix kallsyms lookup across powerpc ABIv1 and ABIv2"), in ppc64 ABIv1, our perf command eliminates the need to use the prefix "." at the symbol name. But when the command "perf probe -a schedule" is executed on ppc64 ABIv1, it obtains two symbol address information through /proc/kallsyms, for example: cat /proc/kallsyms | grep -w schedule c000000000657020 T .schedule c000000000d4fdb8 D schedule The symbol "D schedule" is not a function symbol, and perf will print: "p:probe/schedule _text+13958584"Failed to write event: Invalid argument Therefore, when searching symbols from map and adding probe point for them, a symbol type check is added. If the type of symbol is not a function, skip it. Fixes: bf794bf52a80c627 ("powerpc/kprobes: Fix kallsyms lookup across powerpc ABIv1 and ABIv2") Signed-off-by: Zechuan Chen Acked-by: Masami Hiramatsu Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jianlin Lv Cc: Jin Yao Cc: Jiri Olsa Cc: Mark Rutland Cc: Michael Ellerman Cc: Namhyung Kim Cc: Naveen N. Rao Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Yang Jihong Link: https://lore.kernel.org/r/20211228111338.218602-1-chenzechuan1@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 115b85125624457bfc859ea2b6d9a9366535ff53 Author: Uwe Kleine-König Date: Fri Dec 3 22:05:44 2021 +0100 perf tools: Drop requirement for libstdc++.so for libopencsd check commit ed17b1914978eddb2b01f2d34577f1c82518c650 upstream. It's possible to link against libopencsd_c_api without having libstdc++.so available, only libstdc++.so.6.0.28 (or whatever version is in use) needs to be available. The same holds true for libopencsd.so. When -lstdc++ (or -lopencsd) is explicitly passed to the linker however the .so file must be available. So wrap adding the dependencies into a check for static linking that actually requires adding them all. The same construct is already used for some other tests in the same file to reduce dependencies in the dynamic linking case. Fixes: 573cf5c9a152 ("perf build: Add missing -lstdc++ when linking with libopencsd") Reviewed-by: James Clark Signed-off-by: Uwe Kleine-König Cc: Adrian Bunk Cc: Alexander Shishkin Cc: Branislav Rankov Cc: Diederik de Haas Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/all/20211203210544.1137935-1-uwe@kleine-koenig.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit e73f737a6e71e863dc46dff5061b2ca4543ba84b Author: Tudor Ambarus Date: Wed Dec 15 13:01:13 2021 +0200 dmaengine: at_xdmac: Fix at_xdmac_lld struct definition commit 912f7c6f7fac273f40e621447cf17d14b50d6e5b upstream. The hardware channel next descriptor view structure contains just fields of 32 bits, while dma_addr_t can be of type u64 or u32 depending on CONFIG_ARCH_DMA_ADDR_T_64BIT. Force u32 to comply with what the hardware expects. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-11-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit b81e898073c24cb4fb9a5946d44d605197df92a2 Author: Tudor Ambarus Date: Wed Dec 15 13:01:12 2021 +0200 dmaengine: at_xdmac: Fix lld view setting commit 1385eb4d14d447cc5d744bc2ac34f43be66c9963 upstream. AT_XDMAC_CNDC_NDVIEW_NDV3 was set even for AT_XDMAC_MBR_UBC_NDV2, because of the wrong bit handling. Fix it. Fixes: ee0fe35c8dcd ("dmaengine: xdmac: Handle descriptor's view 3 registers") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-10-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit fb8f0e827af24f8abf503fa6a0cb4917e95ca04c Author: Tudor Ambarus Date: Wed Dec 15 13:01:10 2021 +0200 dmaengine: at_xdmac: Fix concurrency over xfers_list commit 18deddea9184b62941395889ff7659529c877326 upstream. Since tx_submit can be called from a hard IRQ, xfers_list must be protected with a lock to avoid concurency on the list's elements. Since at_xdmac_handle_cyclic() is called from a tasklet, spin_lock_irq is enough to protect from a hard IRQ. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-8-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 5a8547fc3c215c0efa7c24c09da5dea1288f14a1 Author: Tudor Ambarus Date: Wed Dec 15 13:01:06 2021 +0200 dmaengine: at_xdmac: Print debug message after realeasing the lock commit 5edc24ac876a928f36f407a0fcdb33b94a3a210f upstream. It is desirable to do the prints without the lock held if possible, so move the print after the lock is released. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-4-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit da1875fd4c255a7b3313b2f9cc3befd33cb84a3f Author: Tudor Ambarus Date: Wed Dec 15 13:01:05 2021 +0200 dmaengine: at_xdmac: Start transfer for cyclic channels in issue_pending commit e6af9b05bec63cd4d1de2a33968cd0be2a91282a upstream. Cyclic channels must too call issue_pending in order to start a transfer. Start the transfer in issue_pending regardless of the type of channel. This wrongly worked before, because in the past the transfer was started at tx_submit level when only a desc in the transfer list. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-3-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 45e0d51850313f769436552a2ff65e613b70db1d Author: Tudor Ambarus Date: Wed Dec 15 13:01:04 2021 +0200 dmaengine: at_xdmac: Don't start transactions at tx_submit level commit bccfb96b59179d4f96cbbd1ddff8fac6d335eae4 upstream. tx_submit is supposed to push the current transaction descriptor to a pending queue, waiting for issue_pending() to be called. issue_pending() must start the transfer, not tx_submit(), thus remove at_xdmac_start_xfer() from at_xdmac_tx_submit(). Clients of at_xdmac that assume that tx_submit() starts the transfer must be updated and call dma_async_issue_pending() if they miss to call it (one example is atmel_serial). As the at_xdmac_start_xfer() is now called only from at_xdmac_advance_work() when !at_xdmac_chan_is_enabled(), the at_xdmac_chan_is_enabled() check is no longer needed in at_xdmac_start_xfer(), thus remove it. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20211215110115.191749-2-tudor.ambarus@microchip.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit e127c17af30ec7cf57e6bcf2fc33974b5ef9480f Author: Adrian Hunter Date: Wed Jan 12 10:50:57 2022 +0200 perf script: Fix hex dump character output commit 62942e9fda9fd1def10ffcbd5e1c025b3c9eec17 upstream. Using grep -C with perf script -D can give erroneous results as grep loses lines due to non-printable characters, for example, below the 0020, 0060 and 0070 lines are missing: $ perf script -D | grep -C10 AUX | head . 0010: 08 00 00 00 00 00 00 00 1f 00 00 00 00 00 00 00 ................ . 0030: 01 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ . 0040: 00 08 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................ . 0050: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ . 0080: 02 00 00 00 00 00 00 00 1b 00 00 00 00 00 00 00 ................ . 0090: 00 00 00 00 00 00 00 00 ........ 0 0 0x450 [0x98]: PERF_RECORD_AUXTRACE_INFO type: 1 PMU Type 8 Time Shift 31 perf's isprint() is a custom implementation from the kernel, but the kernel's _ctype appears to include characters from Latin-1 Supplement which is not compatible with, for example, UTF-8. Fix by checking also isascii(). After: $ tools/perf/perf script -D | grep -C10 AUX | head . 0010: 08 00 00 00 00 00 00 00 1f 00 00 00 00 00 00 00 ................ . 0020: 03 84 32 2f 00 00 00 00 63 7c 4f d2 fa ff ff ff ..2/....c|O..... . 0030: 01 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 ................ . 0040: 00 08 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................ . 0050: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ . 0060: 00 02 00 00 00 00 00 00 00 c0 03 00 00 00 00 00 ................ . 0070: e2 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................ . 0080: 02 00 00 00 00 00 00 00 1b 00 00 00 00 00 00 00 ................ . 0090: 00 00 00 00 00 00 00 00 ........ Fixes: 3052ba56bcb58904 ("tools perf: Move from sane_ctype.h obtained from git to the Linux's original") Signed-off-by: Adrian Hunter Cc: Jiri Olsa Link: http://lore.kernel.org/lkml/20220112085057.277205-1-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 48a46df6d5428898c9a7abe618168fea185d3bd3 Author: Guillaume Nault Date: Mon Jan 10 14:43:11 2022 +0100 libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route() commit a915deaa9abe4fb3a440312c954253a6a733608e upstream. Mask the ECN bits before calling ip_route_output_ports(). The tos variable might be passed directly from an IPv4 header, so it may have the last ECN bit set. This interferes with the route lookup process as ip_route_output_key_hash() interpretes this bit specially (to restrict the route scope). Found by code inspection, compile tested only. Fixes: 804c2f3e36ef ("libcxgb,iw_cxgb4,cxgbit: add cxgb_find_route()") Signed-off-by: Guillaume Nault Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 09c0535c768de9429a15c522007dfc8e96a428f8 Author: Guillaume Nault Date: Mon Jan 10 14:43:09 2022 +0100 gre: Don't accidentally set RTO_ONLINK in gre_fill_metadata_dst() commit f7716b318568b22fbf0e3be99279a979e217cf71 upstream. Mask the ECN bits before initialising ->flowi4_tos. The tunnel key may have the last ECN bit set, which will interfere with the route lookup process as ip_route_output_key_hash() interpretes this bit specially (to restrict the route scope). Found by code inspection, compile tested only. Fixes: 962924fa2b7a ("ip_gre: Refactor collect metatdata mode tunnel xmit to ip_md_tunnel_xmit") Signed-off-by: Guillaume Nault Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 63bc14d6e2615e9f89f7110c97ad6e6433379007 Author: Eli Cohen Date: Wed Jan 5 13:46:41 2022 +0200 vdpa/mlx5: Restore cur_num_vqs in case of failure in change_num_qps() commit 37e07e705888e4c3502f204e9c6785c9c2d6d86a upstream. Restore ndev->cur_num_vqs to the original value in case change_num_qps() fails. Fixes: 52893733f2c5 ("vdpa/mlx5: Add multiqueue support") Reviewed-by: Si-Wei Liu Acked-by: Jason Wang Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20220105114646.577224-10-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 786e608e97b91227b069517fac6118dfc1ad2c95 Author: Guillaume Nault Date: Mon Jan 10 14:43:06 2022 +0100 xfrm: Don't accidentally set RTO_ONLINK in decode_session4() commit 23e7b1bfed61e301853b5e35472820d919498278 upstream. Similar to commit 94e2238969e8 ("xfrm4: strip ECN bits from tos field"), clear the ECN bits from iph->tos when setting ->flowi4_tos. This ensures that the last bit of ->flowi4_tos is cleared, so ip_route_output_key_hash() isn't going to restrict the scope of the route lookup. Use ~INET_ECN_MASK instead of IPTOS_RT_MASK, because we have no reason to clear the high order bits. Found by code inspection, compile tested only. Fixes: 4da3089f2b58 ("[IPSEC]: Use TOS when doing tunnel lookups") Signed-off-by: Guillaume Nault Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 6dc6e9f9d94de22f021491c8cf83d8ca9f63a046 Author: Johannes Berg Date: Fri Dec 10 09:06:11 2021 +0200 iwlwifi: fix Bz NMI behaviour commit fdfde0cb79264f88992e72b5a056a3a3284fcaad upstream. Contrary to what was stated before, the hardware hasn't changed the bits here yet. In any case, the new CSR is also directly (lower 16 bits) connected to UREG_DOORBELL_TO_ISR6, so if it still changes the changes would be there. Adjust the code and comments accordingly. Signed-off-by: Johannes Berg Fixes: 6c0795f1a524 ("iwlwifi: implement Bz NMI behaviour") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211210090244.75b6207536e3.I7d170a48a9096e6b7269c3a9f447c326f929b171@changeid Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 31428796ca4b00cc10fda059ac24eb0be61778d5 Author: Eric Dumazet Date: Tue Jan 18 03:43:40 2022 -0800 netns: add schedule point in ops_exit_list() commit 2836615aa22de55b8fca5e32fe1b27a67cda625e upstream. When under stress, cleanup_net() can have to dismantle netns in big numbers. ops_exit_list() currently calls many helpers [1] that have no schedule point, and we can end up with soft lockups, particularly on hosts with many cpus. Even for moderate amount of netns processed by cleanup_net() this patch avoids latency spikes. [1] Some of these helpers like fib_sync_up() and fib_sync_down_dev() are very slow because net/ipv4/fib_semantics.c uses host-wide hash tables, and ifindex is used as the only input of two hash functions. ifindexes tend to be the same for all netns (lo.ifindex==1 per instance) This will be fixed in a separate patch. Fixes: 72ad937abd0a ("net: Add support for batching network namespace cleanups") Signed-off-by: Eric Dumazet Cc: Eric W. Biederman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 958cbb139ec4a58cc2a9652e72e9c54882da0682 Author: Eric Dumazet Date: Thu Jan 13 01:22:29 2022 -0800 inet: frags: annotate races around fqdir->dead and fqdir->high_thresh commit 91341fa0003befd097e190ec2a4bf63ad957c49a upstream. Both fields can be read/written without synchronization, add proper accessors and documentation. Fixes: d5dd88794a13 ("inet: fix various use-after-free in defrags units") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0288b85d750e9466c0ab295c25e1c903f21d924f Author: Eric W. Biederman Date: Mon Jan 3 11:32:36 2022 -0600 taskstats: Cleanup the use of task->exit_code commit 1b5a42d9c85f0e731f01c8d1129001fd8531a8a0 upstream. In the function bacct_add_task the code reading task->exit_code was introduced in commit f3cef7a99469 ("[PATCH] csa: basic accounting over taskstats"), and it is not entirely clear what the taskstats interface is trying to return as only returning the exit_code of the first task in a process doesn't make a lot of sense. As best as I can figure the intent is to return task->exit_code after a task exits. The field is returned with per task fields, so the exit_code of the entire process is not wanted. Only the value of the first task is returned so this is not a useful way to get the per task ptrace stop code. The ordinary case of returning this value is returning after a task exits, which also precludes use for getting a ptrace value. It is common to for the first task of a process to also be the last task of a process so this field may have done something reasonable by accident in testing. Make ac_exitcode a reliable per task value by always returning it for every exited task. Setting ac_exitcode in a sensible mannter makes it possible to continue to provide this value going forward. Cc: Balbir Singh Fixes: f3cef7a99469 ("[PATCH] csa: basic accounting over taskstats") Link: https://lkml.kernel.org/r/20220103213312.9144-5-ebiederm@xmission.com Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit be82a92c46bc9b80781f6bcfba7ffcc527c1bfee Author: Michael S. Tsirkin Date: Thu Jan 6 07:57:46 2022 -0500 virtio_ring: mark ring unused on error commit 1861ba626ae9b98136f3e504208cdef6b29cd3ec upstream. A recently added error path does not mark ring unused when exiting on OOM, which will lead to BUG on the next entry in debug builds. TODO: refactor code so we have START_USE and END_USE in the same function. Fixes: fc6d70f40b3d ("virtio_ring: check desc == NULL when using indirect with packed") Cc: "Xuan Zhuo" Cc: Jiasheng Jiang Reviewed-by: Xuan Zhuo Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 0d3334c47a2eb0088432e38f91b8689b2c2762e2 Author: Eli Cohen Date: Thu Dec 30 16:20:24 2021 +0200 vdpa/mlx5: Fix wrong configuration of virtio_version_1_0 commit 97143b70aa847f2b0a1f959dde126b76ff7b5376 upstream. Remove overriding of virtio_version_1_0 which forced the virtqueue object to version 1. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20211230142024.142979-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Parav Pandit Acked-by: Jason Wang Reviewed-by: Si-Wei Liu Signed-off-by: Greg Kroah-Hartman commit 087d45cd0f1a53b06cc41d9d3cd48ed0bbae43ab Author: Laurence de Bruxelles Date: Sat Jan 1 15:41:49 2022 +0000 rtc: pxa: fix null pointer dereference commit 34127b3632b21e5c391756e724b1198eb9917981 upstream. With the latest stable kernel versions the rtc on the PXA based Zaurus does not work, when booting I see the following kernel messages: pxa-rtc pxa-rtc: failed to find rtc clock source pxa-rtc pxa-rtc: Unable to init SA1100 RTC sub-device pxa-rtc: probe of pxa-rtc failed with error -2 hctosys: unable to open rtc device (rtc0) I think this is because commit f2997775b111 ("rtc: sa1100: fix possible race condition") moved the allocation of the rtc_device struct out of sa1100_rtc_init and into sa1100_rtc_probe. This means that pxa_rtc_probe also needs to do allocation for the rtc_device struct, otherwise sa1100_rtc_init will try to dereference a null pointer. This patch adds that allocation by copying how sa1100_rtc_probe in drivers/rtc/rtc-sa1100.c does it; after the IRQs are set up a managed rtc_device is allocated. I've tested this patch with `qemu-system-arm -machine akita` and with a real Zaurus SL-C1000 applied to 4.19, 5.4, and 5.10. Signed-off-by: Laurence de Bruxelles Fixes: f2997775b111 ("rtc: sa1100: fix possible race condition") Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220101154149.12026-1-lfdebrux@gmail.com Signed-off-by: Greg Kroah-Hartman commit 4c979e88b658aba2a08433a8043c685672b5c915 Author: Dmitry Torokhov Date: Fri Jan 7 12:09:36 2022 -0800 HID: vivaldi: fix handling devices not using numbered reports commit 3fe6acd4dc922237b30e55473c9349c6ce0690f3 upstream. Unfortunately details of USB HID transport bled into HID core and handling of numbered/unnumbered reports is quite a mess, with hid_report_len() calculating the length according to USB rules, and hid_hw_raw_request() adding report ID to the buffer for both numbered and unnumbered reports. Untangling it all requres a lot of changes in HID, so for now let's handle this in the driver. [jkosina@suse.cz: microoptimize field->report->id to report->id] Fixes: 14c9c014babe ("HID: add vivaldi HID driver") Signed-off-by: Dmitry Torokhov Tested-by: Stephen Boyd # CoachZ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit b81f33f1fc3819a10d96c71dcb37d838d781bb21 Author: Johannes Berg Date: Mon Sep 13 10:17:29 2021 +0200 um: gitignore: Add kernel/capflags.c commit 4b86366fdfbedec42f8f7ee037775f2839921d34 upstream. This file is generated, we should ignore it. Fixes: d8fb32f4790f ("um: Add support for host CPU flags and alignment") Signed-off-by: Johannes Berg Acked-By: anton.ivanov@cambridgegreys.com Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit fe17064738ad7d4b547388e29ad7553ec9e254d8 Author: Yury Norov Date: Sat Aug 14 14:16:57 2021 -0700 bitops: protect find_first_{,zero}_bit properly commit b7ec62d7ee0f0b8af6ba190501dff7f9ee6545ca upstream. find_first_bit() and find_first_zero_bit() are not protected with ifdefs as other functions in find.h. It causes build errors on some platforms if CONFIG_GENERIC_FIND_FIRST_BIT is enabled. Signed-off-by: Yury Norov Fixes: 2cc7b6a44ac2 ("lib: add fast path for find_first_*_bit() and find_last_bit()") Reported-by: kernel test robot Tested-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 6ad2daa516deafc6d6527d7f6450499340cf4064 Author: Robert Hancock Date: Tue Jan 18 15:41:32 2022 -0600 net: axienet: increase default TX ring size to 128 commit 2d19c3fd80178160dd505ccd7fed1643831227a5 upstream. With previous changes to make the driver handle the TX ring size more correctly, the default TX ring size of 64 appears to significantly bottleneck TX performance to around 600 Mbps on a 1 Gbps link on ZynqMP. Increasing this to 128 seems to bring performance up to near line rate and shouldn't cause excess bufferbloat (this driver doesn't yet support modern byte-based queue management). Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4928dd5990ea0ec8c9ffdb66663303862aca33c7 Author: Robert Hancock Date: Tue Jan 18 15:41:31 2022 -0600 net: axienet: fix for TX busy handling commit bb193e3db8b86a63f26889c99e14fd30c9ebd72a upstream. Network driver documentation indicates we should be avoiding returning NETDEV_TX_BUSY from ndo_start_xmit in normal cases, since it requires the packets to be requeued. Instead the queue should be stopped after a packet is added to the TX ring when there may not be enough room for an additional one. Also, when TX ring entries are completed, we should only wake the queue if we know there is room for another full maximally fragmented packet. Print a warning if there is insufficient space at the start of start_xmit, since this should no longer happen. Combined with increasing the default TX ring size (in a subsequent patch), this appears to recover the TX performance lost by previous changes to actually manage the TX ring state properly. Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a530eb5ac606d21ca4908ab95ec4c29812ff5865 Author: Robert Hancock Date: Tue Jan 18 15:41:30 2022 -0600 net: axienet: fix number of TX ring slots for available check commit aba57a823d2985a2cc8c74a2535f3a88e68d9424 upstream. The check for the number of available TX ring slots was off by 1 since a slot is required for the skb header as well as each fragment. This could result in overwriting a TX ring slot that was still in use. Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6342bde86b5af9744a63fe6165e34454c1eb400b Author: Robert Hancock Date: Tue Jan 18 15:41:29 2022 -0600 net: axienet: Fix TX ring slot available check commit 996defd7f8b5dafc1d480b7585c7c62437f80c3c upstream. The check for whether a TX ring slot was available was incorrect, since a slot which had been loaded with transmit data but the device had not started transmitting would be treated as available, potentially causing non-transmitted slots to be overwritten. The control field in the descriptor should be checked, rather than the status field (which may only be updated when the device completes the entry). Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9d67f0a6dc06be8a93e673c5c88a3d51006e42f Author: Robert Hancock Date: Tue Jan 18 15:41:28 2022 -0600 net: axienet: limit minimum TX ring size commit 70f5817deddbc6ef3faa35841cab83c280cc653a upstream. The driver will not work properly if the TX ring size is set to below MAX_SKB_FRAGS + 1 since it needs to hold at least one full maximally fragmented packet in the TX ring. Limit setting the ring size to below this value. Fixes: 8b09ca823ffb4 ("net: axienet: Make RX/TX ring sizes configurable") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e8893b1f8899b6fa161b83ee93e8cc04e17df1e6 Author: Robert Hancock Date: Tue Jan 18 15:41:27 2022 -0600 net: axienet: add missing memory barriers commit 95978df6fa328df619c15312e65ece469c2be2d2 upstream. This driver was missing some required memory barriers: Use dma_rmb to ensure we see all updates to the descriptor after we see that an entry has been completed. Use wmb and rmb to avoid stale descriptor status between the TX path and TX complete IRQ path. Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 07a6ec97c1ef56c4ef1e5187af2edcfe7afec8f8 Author: Robert Hancock Date: Tue Jan 18 15:41:26 2022 -0600 net: axienet: reset core on initialization prior to MDIO access commit 04cc2da39698efd7eb2e30c112538922d26f848e upstream. In some cases where the Xilinx Ethernet core was used in 1000Base-X or SGMII modes, which use the internal PCS/PMA PHY, and the MGT transceiver clock source for the PCS was not running at the time the FPGA logic was loaded, the core would come up in a state where the PCS could not be found on the MDIO bus. To fix this, the Ethernet core (including the PCS) should be reset after enabling the clocks, prior to attempting to access the PCS using of_mdio_find_device. Fixes: 1a02556086fc (net: axienet: Properly handle PCS/PMA PHY for 1000BaseX mode) Signed-off-by: Robert Hancock Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9b7f3e6adc157aa10ac5ca1fa6d3c85f400b43b2 Author: Robert Hancock Date: Tue Jan 18 15:41:25 2022 -0600 net: axienet: Wait for PhyRstCmplt after core reset commit b400c2f4f4c53c86594dd57098970d97d488bfde upstream. When resetting the device, wait for the PhyRstCmplt bit to be set in the interrupt status register before continuing initialization, to ensure that the core is actually ready. When using an external PHY, this also ensures we do not start trying to access the PHY while it is still in reset. The PHY reset is initiated by the core reset which is triggered just above, but remains asserted for 5ms after the core is reset according to the documentation. The MgtRdy bit could also be waited for, but unfortunately when using 7-series devices, the bit does not appear to work as documented (it seems to behave as some sort of link state indication and not just an indication the transceiver is ready) so it can't really be relied on for this purpose. Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 712224b86247f84e6f3922fd206c5e5943ac077d Author: Robert Hancock Date: Tue Jan 18 15:41:24 2022 -0600 net: axienet: increase reset timeout commit 2e5644b1bab2ccea9cfc7a9520af95b94eb0dbf1 upstream. The previous timeout of 1ms was too short to handle some cases where the core is reset just after the input clocks were started, which will be introduced in an upcoming patch. Increase the timeout to 50ms. Also simplify the reset timeout checking to use read_poll_timeout. Fixes: 8a3b7a252dca9 ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 25b1d0df9483fb25b732c6b75caf2a60371ffb5f Author: Wen Gu Date: Sun Jan 16 15:43:42 2022 +0800 net/smc: Fix hung_task when removing SMC-R devices commit 56d99e81ecbc997a5f984684d0eeb583992b2072 upstream. A hung_task is observed when removing SMC-R devices. Suppose that a link group has two active links(lnk_A, lnk_B) associated with two different SMC-R devices(dev_A, dev_B). When dev_A is removed, the link group will be removed from smc_lgr_list and added into lgr_linkdown_list. lnk_A will be cleared and smcibdev(A)->lnk_cnt will reach to zero. However, when dev_B is removed then, the link group can't be found in smc_lgr_list and lnk_B won't be cleared, making smcibdev->lnk_cnt never reaches zero, which causes a hung_task. This patch fixes this issue by restoring the implementation of smc_smcr_terminate_all() to what it was before commit 349d43127dac ("net/smc: fix kernel panic caused by race of smc_sock"). The original implementation also satisfies the intention that make sure QP destroy earlier than CQ destroy because we will always wait for smcibdev->lnk_cnt reaches zero, which guarantees QP has been destroyed. Fixes: 349d43127dac ("net/smc: fix kernel panic caused by race of smc_sock") Signed-off-by: Wen Gu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 405d639ac41103e5637c3de129195fb10562639a Author: Miaoqian Lin Date: Fri Jan 14 06:51:24 2022 +0000 gpio: idt3243x: Fix IRQ check in idt_gpio_probe commit 30fee1d7462a446ade399c0819717a830cbdca69 upstream. platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: 4195926aedca ("gpio: Add support for IDT 79RC3243x GPIO controller") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 4928241698e168794448e49c5d114f1534c46d39 Author: Miaoqian Lin Date: Fri Jan 14 06:48:20 2022 +0000 gpio: mpc8xxx: Fix IRQ check in mpc8xxx_probe commit 0b39536cc699db6850c426db7f9cb45923de40c5 upstream. platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: 76c47d1449fc ("gpio: mpc8xxx: Add ACPI support") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit e7525b3b9edaa6b5b8fdc84a9daf16d704011200 Author: John Keeping Date: Fri Nov 26 15:13:52 2021 +0000 pinctrl/rockchip: fix gpio device creation commit bceb6732f3fd2a55d8f2e518cced1c7555e216b6 upstream. GPIO nodes are not themselves busses, so passing rockchip_bank_match here is wrong. Passing NULL instead uses the standard bus match table which is more appropriate. devm_of_platform_populate() shows that this is the normal way to call of_platform_populate() from a device driver, so in order to match that more closely also add the pinctrl device as the parent for the newly created GPIO controllers. Specifically, using the wrong match here can break dynamic GPIO hogs as marking the GPIO bank as a bus means that of_platform_notify() will set OF_POPULATED on new child nodes and if this happens before of_gpio_notify() is called then the new hog will be skipped as OF_POPULATED is already set. Fixes: 9ce9a02039de ("pinctrl/rockchip: drop the gpio related codes") Signed-off-by: John Keeping Link: https://lore.kernel.org/r/20211126151352.1509583-1-john@metanate.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 8fc3bd2c347ba23fa9dbc25be4f82c0b761e9399 Author: Robert Hancock Date: Wed Jan 12 14:38:16 2022 -0600 clk: si5341: Fix clock HW provider cleanup commit 49a8f2bc8d88702783c7e163ec84374e9a022f71 upstream. The call to of_clk_add_hw_provider was not undone on remove or on probe failure, which could cause an oops on a subsequent attempt to retrieve clocks for the removed device. Switch to the devm version of the function to avoid this issue. Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220112203816.1784610-1-robert.hancock@calian.com Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 4919c073780614df6f996ac33309fbbf2f67b199 Author: Stephen Boyd Date: Thu Dec 9 17:34:05 2021 -0800 clk: Emit a stern warning with writable debugfs enabled commit 489a71964f9d74e697a12cd0ace20ed829eb1f93 upstream. We don't want vendors to be enabling this part of the clk code and shipping it to customers. Exposing the ability to change clk frequencies and parents via debugfs is potentially damaging to the system if folks don't know what they're doing. Emit a strong warning so that the message is clear: don't enable this outside of development systems. Fixes: 37215da5553e ("clk: Add support for setting clk_rate via debugfs") Cc: Geert Uytterhoeven Link: https://lore.kernel.org/r/20211210014237.2130300-1-sboyd@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 3872d146f2b093982e62c6f1f2c4e8f71eed4050 Author: Eric Dumazet Date: Fri Jan 14 08:43:28 2022 -0800 af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress commit 9d6d7f1cb67cdee15f1a0e85aacfb924e0e02435 upstream. wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress without synchronization. Adds READ_ONCE()/WRITE_ONCE() and their associated comments to better document the intent. BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0: unix_inflight+0x1e8/0x260 net/unix/scm.c:63 unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121 unix_scm_to_skb net/unix/af_unix.c:1674 [inline] unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1: wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196 unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000002 -> 0x00000004 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 9915672d4127 ("af_unix: limit unix_tot_inflight") Signed-off-by: Eric Dumazet Reported-by: syzbot Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit cb697a36f41550f4401e3a575684e205fa94169f Author: Dan Carpenter Date: Sat Nov 27 17:10:27 2021 +0300 crypto: octeontx2 - uninitialized variable in kvf_limits_store() commit 0ea275df84c389e910a3575a9233075118c173ee upstream. If kstrtoint() fails then "lfs_num" is uninitialized and the warning doesn't make any sense. Just delete it. Fixes: 8ec8015a3168 ("crypto: octeontx2 - add support to process the crypto request") Signed-off-by: Dan Carpenter Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 2d7d3b6da85e219abed247a63a4754f04376e2fa Author: Chao Yu Date: Sun Dec 12 20:28:12 2021 +0800 f2fs: fix to check available space of CP area correctly in update_ckpt_flags() commit b702c83e2eaa2fa2d72e957c55c0321535cc8b9f upstream. Otherwise, nat_bit area may be persisted across boundary of CP area during nat_bit rebuilding. Fixes: 94c821fb286b ("f2fs: rebuild nat_bits during umount") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 0789b9b3492264e4bbe212b688866117d14df0c8 Author: Chao Yu Date: Sat Dec 11 21:27:36 2021 +0800 f2fs: fix to reserve space for IO align feature commit 300a842937fbcfb5a189cea9ba15374fdb0b5c6b upstream. https://bugzilla.kernel.org/show_bug.cgi?id=204137 With below script, we will hit panic during new segment allocation: DISK=bingo.img MOUNT_DIR=/mnt/f2fs dd if=/dev/zero of=$DISK bs=1M count=105 mkfs.f2fe -a 1 -o 19 -t 1 -z 1 -f -q $DISK mount -t f2fs $DISK $MOUNT_DIR -o "noinline_dentry,flush_merge,noextent_cache,mode=lfs,io_bits=7,fsync_mode=strict" for (( i = 0; i < 4096; i++ )); do name=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10` mkdir $MOUNT_DIR/$name done umount $MOUNT_DIR rm $DISK commit 56dabe87c4aadb58d4855ad734d74787cdca10d8 Author: Hyeong-Jun Kim Date: Fri Dec 10 13:30:12 2021 +0900 f2fs: compress: fix potential deadlock of compress file commit 7377e853967ba45bf409e3b5536624d2cbc99f21 upstream. There is a potential deadlock between writeback process and a process performing write_begin() or write_cache_pages() while trying to write same compress file, but not compressable, as below: [Process A] - doing checkpoint [Process B] [Process C] f2fs_write_cache_pages() - lock_page() [all pages in cluster, 0-31] - f2fs_write_multi_pages() - f2fs_write_raw_pages() - f2fs_write_single_data_page() - f2fs_do_write_data_page() - return -EAGAIN [f2fs_trylock_op() failed] - unlock_page(page) [e.g., page 0] - generic_perform_write() - f2fs_write_begin() - f2fs_prepare_compress_overwrite() - prepare_compress_overwrite() - lock_page() [e.g., page 0] - lock_page() [e.g., page 1] - lock_page(page) [e.g., page 0] Since there is no compress process, it is no longer necessary to hold locks on every pages in cluster within f2fs_write_raw_pages(). This patch changes f2fs_write_raw_pages() to release all locks first and then perform write same as the non-compress file in f2fs_write_cache_pages(). Fixes: 4c8ff7095bef ("f2fs: support data compression") Signed-off-by: Hyeong-Jun Kim Signed-off-by: Sungjong Seo Signed-off-by: Youngjin Gil Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit b653ee5c4136e74ad083d93eaa7cf9d633fdf8ea Author: Chao Yu Date: Mon Dec 6 22:44:20 2021 +0800 f2fs: fix to avoid panic in is_alive() if metadata is inconsistent commit f6db43076d190d9bf75559dec28e18b9d12e4ce5 upstream. As report by Wenqing Liu in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215231 If we enable CONFIG_F2FS_CHECK_FS config, and with fuzzed image attached in above link, we will encounter panic when executing below script: 1. mkdir mnt 2. mount -t f2fs tmp1.img mnt 3. touch tmp F2FS-fs (loop11): mismatched blkaddr 5765 (source_blkaddr 1) in seg 3 kernel BUG at fs/f2fs/gc.c:1042! do_garbage_collect+0x90f/0xa80 [f2fs] f2fs_gc+0x294/0x12a0 [f2fs] f2fs_balance_fs+0x2c5/0x7d0 [f2fs] f2fs_create+0x239/0xd90 [f2fs] lookup_open+0x45e/0xa90 open_last_lookups+0x203/0x670 path_openat+0xae/0x490 do_filp_open+0xbc/0x160 do_sys_openat2+0x2f1/0x500 do_sys_open+0x5e/0xa0 __x64_sys_openat+0x28/0x40 Previously, f2fs tries to catch data inconcistency exception in between SSA and SIT table during GC, however once the exception is caught, it will call f2fs_bug_on to hang kernel, it's not needed, instead, let's set SBI_NEED_FSCK flag and skip migrating current block. Fixes: bbf9f7d90f21 ("f2fs: Fix indefinite loop in f2fs_gc()") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 92804f969524346dabcc2d061022e58850e5714c Author: Fengnan Chang Date: Fri Nov 26 18:19:19 2021 +0800 f2fs: fix remove page failed in invalidate compress pages commit d1917865a7906baf6b687e15e8e6195a295a3992 upstream. Since compress inode not a regular file, generic_error_remove_page in f2fs_invalidate_compress_pages will always be failed, set compress inode as a regular file to fix it. Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks") Signed-off-by: Fengnan Chang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 28e36db0617c7b52c6a1138a1c8560a1f28151d5 Author: Zack Rusin Date: Wed Dec 15 13:41:47 2021 -0500 drm/vmwgfx: Remove unused compile options commit 50ca8cc7c0fdd9ab16b8b66ffb301fface101fac upstream. Before the driver had screen targets support we had to disable explicit bringup of its infrastructure because it was breaking screen objects support. Since the implementation of screen targets landed there hasn't been a reason to explicitly disable it and the options were never used. Remove of all that unused code. Signed-off-by: Zack Rusin Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support") Reviewed-by: Martin Krastev Link: https://patchwork.freedesktop.org/patch/msgid/20211215184147.3688785-3-zack@kde.org (cherry picked from commit 11343099d5ae6c7411da1425b6b162c89fb5bf10) Signed-off-by: Thomas Zimmermann Signed-off-by: Greg Kroah-Hartman commit f468282f3de0679c17b1c53622731c31826fdbe9 Author: Zack Rusin Date: Wed Dec 15 13:41:46 2021 -0500 drm/vmwgfx: Remove explicit transparent hugepages support commit bc701a28c74e78d7b5aa2b8628cb3608d4785d14 upstream. Old versions of the svga device used to export virtual vram, handling of which was optimized on top of transparent hugepages support. Only very old devices (OpenGL 2.1 support and earlier) used this code and at this point performance differences are negligible. Because the code requires very old hardware versions to run it has been largely untested and unused for a long time. Furthermore removal of the ttm hugepages support in: commit 0d979509539e ("drm/ttm: remove ttm_bo_vm_insert_huge()") broke the coherency mode in vmwgfx when running with hugepages. Fixes: 0d979509539e ("drm/ttm: remove ttm_bo_vm_insert_huge()") Signed-off-by: Zack Rusin Cc: Jason Gunthorpe Cc: Thomas Hellström Cc: Christian König Cc: Daniel Vetter Reviewed-by: Martin Krastev Reviewed-by: Maaz Mombasawala Link: https://patchwork.freedesktop.org/patch/msgid/20211215184147.3688785-2-zack@kde.org (cherry picked from commit 49d535d64d52945e2c874f380705675e20a02b6a) Signed-off-by: Thomas Zimmermann Signed-off-by: Greg Kroah-Hartman commit 42b777c6aef95bc0e053e4fd3686b4b041851010 Author: Geert Uytterhoeven Date: Fri Dec 17 13:49:24 2021 +0100 riscv: dts: microchip: mpfs: Drop empty chosen node commit 53ef07326ad0d6ae7fefded22bc53b427d542761 upstream. It does not make sense to have an (empty) chosen node in an SoC-specific .dtsi, as chosen is meant for system-specific configuration. It is already provided in microchip-mpfs-icicle-kit.dts anyway. Fixes: 0fa6107eca4186ad ("RISC-V: Initial DTS for Microchip ICICLE board") Signed-off-by: Geert Uytterhoeven Reviewed-by: Conor Dooley Tested-by: Conor Dooley Reviewed-by: Krzysztof Kozlowski Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit fc1d427d15aac401c4940f07f152885cb74ca3bc Author: Miaoqian Lin Date: Thu Jan 20 12:18:12 2022 +0000 parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries commit d24846a4246b6e61ecbd036880a4adf61681d241 upstream. kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). Fixes: 73f368cf679b ("Kobject: change drivers/parisc/pdc_stable.c to use kobject_init_and_add") Signed-off-by: Miaoqian Lin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 911b5ba7c54fd8195d2e969ff3ba14715331f1c7 Author: Tobias Waldekranz Date: Tue Jan 18 22:50:53 2022 +0100 net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module commit 3f7c239c7844d2044ed399399d97a5f1c6008e1b upstream. As reported by sparse: In the remove path, the driver would attempt to unmap its own priv pointer - instead of the io memory that it mapped in probe. Fixes: 9f35a7342cff ("net/fsl: introduce Freescale 10G MDIO driver") Signed-off-by: Tobias Waldekranz Reviewed-by: Andrew Lunn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit fa456d92c4b72d8e440bf920fd1ece53a0be4905 Author: Tobias Waldekranz Date: Tue Jan 18 22:50:50 2022 +0100 net/fsl: xgmac_mdio: Add workaround for erratum A-009885 commit 6198c722019774d38018457a8bfb9ba3ed8c931e upstream. Once an MDIO read transaction is initiated, we must read back the data register within 16 MDC cycles after the transaction completes. Outside of this window, reads may return corrupt data. Therefore, disable local interrupts in the critical section, to maximize the probability that we can satisfy this requirement. Fixes: d55ad2967d89 ("powerpc/mpc85xx: Create dts components for the FSL QorIQ DPAA FMan") Signed-off-by: Tobias Waldekranz Reviewed-by: Andrew Lunn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0cba6beb9645f482521192740aeed90367a21cf4 Author: Guillaume Nault Date: Mon Jan 10 14:43:14 2022 +0100 mlx5: Don't accidentally set RTO_ONLINK before mlx5e_route_lookup_ipv4_get() commit 48d67543e01d73292e0bb66d3f10fc422e79e031 upstream. Mask the ECN bits before calling mlx5e_route_lookup_ipv4_get(). The tunnel key might have the last ECN bit set. This interferes with the route lookup process as ip_route_output_key_hash() interpretes this bit specially (to restrict the route scope). Found by code inspection, compile tested only. Fixes: c7b9038d8af6 ("net/mlx5e: TC preparation refactoring for routing update event") Fixes: 9a941117fb76 ("net/mlx5e: Maximize ip tunnel key usage on the TC offloading path") Signed-off-by: Guillaume Nault Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 6c923b0f74ae737ebc2e9d45c543b1babcde9212 Author: Eric Dumazet Date: Wed Jan 19 02:04:12 2022 -0800 ipv4: avoid quadratic behavior in netns dismantle commit d07418afea8f1d9896aaf9dc5ae47ac4f45b220c upstream. net/ipv4/fib_semantics.c uses an hash table of 256 slots, keyed by device ifindexes: fib_info_devhash[DEVINDEX_HASHSIZE] Problem is that with network namespaces, devices tend to use the same ifindex. lo device for instance has a fixed ifindex of one, for all network namespaces. This means that hosts with thousands of netns spend a lot of time looking at some hash buckets with thousands of elements, notably at netns dismantle. Simply add a per netns perturbation (net_hash_mix()) to spread elements more uniformely. Also change fib_devindex_hashfn() to use more entropy. Fixes: aa79e66eee5d ("net: Make ifindex generation per-net namespace") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 4bcc304e4255952eb92c1cd2ad8761248dd6263c Author: Eric Dumazet Date: Sun Jan 16 01:02:20 2022 -0800 ipv4: update fib_info_cnt under spinlock protection commit 0a6e6b3c7db6c34e3d149f09cd714972f8753e3f upstream. In the past, free_fib_info() was supposed to be called under RTNL protection. This eventually was no longer the case. Instead of enforcing RTNL it seems we simply can move fib_info_cnt changes to occur when fib_info_lock is held. v2: David Laight suggested to update fib_info_cnt only when an entry is added/deleted to/from the hash table, as fib_info_cnt is used to make sure hash table size is optimal. BUG: KCSAN: data-race in fib_create_info / free_fib_info write to 0xffffffff86e243a0 of 4 bytes by task 26429 on cpu 0: fib_create_info+0xe78/0x3440 net/ipv4/fib_semantics.c:1428 fib_table_insert+0x148/0x10c0 net/ipv4/fib_trie.c:1224 fib_magic+0x195/0x1e0 net/ipv4/fib_frontend.c:1087 fib_add_ifaddr+0xd0/0x2e0 net/ipv4/fib_frontend.c:1109 fib_netdev_event+0x178/0x510 net/ipv4/fib_frontend.c:1466 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:391 __dev_notify_flags+0x1d3/0x3b0 dev_change_flags+0xa2/0xc0 net/core/dev.c:8872 do_setlink+0x810/0x2410 net/core/rtnetlink.c:2719 rtnl_group_changelink net/core/rtnetlink.c:3242 [inline] __rtnl_newlink net/core/rtnetlink.c:3396 [inline] rtnl_newlink+0xb10/0x13b0 net/core/rtnetlink.c:3506 rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2496 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5589 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x5fc/0x6c0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x726/0x840 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmsg+0x195/0x230 net/socket.c:2492 __do_sys_sendmsg net/socket.c:2501 [inline] __se_sys_sendmsg net/socket.c:2499 [inline] __x64_sys_sendmsg+0x42/0x50 net/socket.c:2499 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffffffff86e243a0 of 4 bytes by task 31505 on cpu 1: free_fib_info+0x35/0x80 net/ipv4/fib_semantics.c:252 fib_info_put include/net/ip_fib.h:575 [inline] nsim_fib4_rt_destroy drivers/net/netdevsim/fib.c:294 [inline] nsim_fib4_rt_replace drivers/net/netdevsim/fib.c:403 [inline] nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:431 [inline] nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline] nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline] nsim_fib_event_work+0x15ca/0x2cf0 drivers/net/netdevsim/fib.c:1477 process_one_work+0x3fc/0x980 kernel/workqueue.c:2298 process_scheduled_works kernel/workqueue.c:2361 [inline] worker_thread+0x7df/0xa70 kernel/workqueue.c:2447 kthread+0x2c7/0x2e0 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 value changed: 0x00000d2d -> 0x00000d2e Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 31505 Comm: kworker/1:21 Not tainted 5.16.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events nsim_fib_event_work Fixes: 48bb9eb47b27 ("netdevsim: fib: Add dummy implementation for FIB offload") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: David Laight Cc: Ido Schimmel Cc: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c2a957a6f25242ff03a5b5039e0468450aae4896 Author: German Gomez Date: Tue Jan 18 14:40:54 2022 +0000 perf evsel: Override attr->sample_period for non-libpfm4 events commit 3606c0e1a1050d397ad759a62607e419fd8b0ccb upstream. A previous patch preventing "attr->sample_period" values from being overridden in pfm events changed a related behaviour in arm-spe. Before said patch: perf record -c 10000 -e arm_spe_0// -- sleep 1 Would yield an SPE event with period=10000. After the patch, the period in "-c 10000" was being ignored because the arm-spe code initializes sample_period to a non-zero value. This patch restores the previous behaviour for non-libpfm4 events. Fixes: ae5dcc8abe31 (“perf record: Prevent override of attr->sample_period for libpfm4 events”) Reported-by: Chase Conklin Signed-off-by: German Gomez Cc: Alexander Shishkin Cc: Ian Rogers Cc: Jiri Olsa Cc: John Fastabend Cc: KP Singh Cc: Mark Rutland Cc: Martin KaFai Lau Cc: Namhyung Kim Cc: Song Liu Cc: Stephane Eranian Cc: Yonghong Song Cc: bpf@vger.kernel.org Cc: netdev@vger.kernel.org Link: http://lore.kernel.org/lkml/20220118144054.2541-1-german.gomez@arm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 95429d6b64b1f6ed5fff4b91b9f8eb5fbf337c0d Author: Daniel Borkmann Date: Fri Jan 14 13:58:36 2022 +0000 bpf: Mark PTR_TO_FUNC register initially with zero offset commit d400a6cf1c8a57cdf10f35220ead3284320d85ff upstream. Similar as with other pointer types where we use ldimm64, clear the register content to zero first, and then populate the PTR_TO_FUNC type and subprogno number. Currently this is not done, and leads to reuse of stale register tracking data. Given for special ldimm64 cases we always clear the register offset, make it common for all cases, so it won't be forgotten in future. Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 20ceec871b66f8d9fec11ee8bc6b98755049c760 Author: Yafang Shao Date: Sat Jan 8 13:46:23 2022 +0000 bpf: Fix mount source show for bpffs commit 1e9d74660d4df625b0889e77018f9e94727ceacd upstream. We noticed our tc ebpf tools can't start after we upgrade our in-house kernel version from 4.19 to 5.10. That is because of the behaviour change in bpffs caused by commit d2935de7e4fd ("vfs: Convert bpf to use the new mount API"). In our tc ebpf tools, we do strict environment check. If the environment is not matched, we won't allow to start the ebpf progs. One of the check is whether bpffs is properly mounted. The mount information of bpffs in kernel-4.19 and kernel-5.10 are as follows: - kernel 4.19 $ mount -t bpf bpffs /sys/fs/bpf $ mount -t bpf bpffs on /sys/fs/bpf type bpf (rw,relatime) - kernel 5.10 $ mount -t bpf bpffs /sys/fs/bpf $ mount -t bpf none on /sys/fs/bpf type bpf (rw,relatime) The device name in kernel-5.10 is displayed as none instead of bpffs, then our environment check fails. Currently we modify the tools to adopt to the kernel behaviour change, but I think we'd better change the kernel code to keep the behavior consistent. After this change, the mount information will be displayed the same with the behavior in kernel-4.19, for example: $ mount -t bpf bpffs /sys/fs/bpf $ mount -t bpf bpffs on /sys/fs/bpf type bpf (rw,relatime) Fixes: d2935de7e4fd ("vfs: Convert bpf to use the new mount API") Suggested-by: Daniel Borkmann Signed-off-by: Yafang Shao Signed-off-by: Daniel Borkmann Acked-by: Christian Brauner Cc: David Howells Cc: Al Viro Link: https://lore.kernel.org/bpf/20220108134623.32467-1-laoar.shao@gmail.com Signed-off-by: Greg Kroah-Hartman commit b87b59633e358f15e782df96f41733b228c06023 Author: Toke Høiland-Jørgensen Date: Fri Jan 7 23:11:13 2022 +0100 xdp: check prog type before updating BPF link commit 382778edc8262b7535f00523e9eb22edba1b9816 upstream. The bpf_xdp_link_update() function didn't check the program type before updating the program, which made it possible to install any program type as an XDP program, which is obviously not good. Syzbot managed to trigger this by swapping in an LWT program on the XDP hook which would crash in a helper call. Fix this by adding a check and bailing out if the types don't match. Fixes: 026a4c28e1db ("bpf, xdp: Implement LINK_UPDATE for BPF XDP link") Reported-by: syzbot+983941aa85af6ded1fd9@syzkaller.appspotmail.com Acked-by: Andrii Nakryiko Signed-off-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20220107221115.326171-1-toke@redhat.com Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit b46b0ef69d07b17d084c1fee14a738354201b0f0 Author: Quentin Monnet Date: Wed Nov 10 11:46:30 2021 +0000 bpftool: Fix indent in option lists in the documentation commit 986dec18bbf41f50edc2e0aa4ac5ef8e0f64f328 upstream. Mixed indentation levels in the lists of options in bpftool's documentation produces some unexpected results. For the "bpftool" man page, it prints a warning: $ make -C bpftool.8 GEN bpftool.8 :26: (ERROR/3) Unexpected indentation. For other pages, there is no warning, but it results in a line break appearing in the option lists in the generated man pages. RST paragraphs should have a uniform indentation level. Let's fix it. Fixes: c07ba629df97 ("tools: bpftool: Update and synchronise option list in doc and help msg") Fixes: 8cc8c6357c8f ("tools: bpftool: Document and add bash completion for -L, -B options") Signed-off-by: Quentin Monnet Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20211110114632.24537-5-quentin@isovalent.com Signed-off-by: Greg Kroah-Hartman commit 220ee6f3b4608f16777a6ac190ed084100d8bfda Author: Quentin Monnet Date: Wed Nov 10 11:46:28 2021 +0000 bpftool: Remove inclusion of utilities.mak from Makefiles commit 48f5aef4c458c19ab337eed8c95a6486cc014aa3 upstream. Bpftool's Makefile, and the Makefile for its documentation, both include scripts/utilities.mak, but they use none of the items defined in this file. Remove the includes. Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool") Signed-off-by: Quentin Monnet Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20211110114632.24537-3-quentin@isovalent.com Signed-off-by: Greg Kroah-Hartman commit adb344f551d6607c79de030c140e582ad4c917af Author: Maxime Ripard Date: Mon Oct 25 16:11:07 2021 +0200 drm/vc4: crtc: Copy assigned channel to the CRTC commit eeb6ab4639590130d25670204ab7b6011333d685 upstream. Accessing the crtc->state pointer from outside the modesetting context is not allowed. We thus need to copy whatever we need from the KMS state to our structure in order to access it. In VC4, a number of users of that pointers have crept in over the years, and the previous commits removed them all but the HVS channel a CRTC has been assigned. Let's move this channel in struct vc4_crtc at atomic_begin() time, drop it from our private state structure, and remove our use of crtc->state from our vblank handler entirely. Link: https://lore.kernel.org/all/YWgteNaNeaS9uWDe@phenom.ffwll.local/ Link: https://lore.kernel.org/r/20211025141113.702757-4-maxime@cerno.tech Fixes: 87ebcd42fb7b ("drm/vc4: crtc: Assign output to channel automatically") Acked-by: Daniel Vetter Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit d26a90d362d966a66fec4a0c3da7545426bbc783 Author: Maxime Ripard Date: Mon Oct 25 16:11:06 2021 +0200 drm/vc4: Fix non-blocking commit getting stuck forever commit 0c250c150c74a90db298bf2a8bcd0a1dabed2e2f upstream. In some situation, we can end up being stuck on a non-blocking that went through properly. The situation that seems to trigger it reliably is to first start a non-blocking commit, and then right after, and before we had any vblank interrupt), start a blocking commit. This will lead to the first commit workqueue to be scheduled, setup the display, while the second commit is waiting for the first one to be completed. The vblank interrupt will then be raised, vc4_crtc_handle_vblank() will run and will compare the active dlist in the HVS channel to the one associated with the crtc->state. However, at that point, the second commit is waiting using drm_atomic_helper_wait_for_dependencies that occurs after drm_atomic_helper_swap_state has been called, so crtc->state points to the second commit state. vc4_crtc_handle_vblank() will compare the two dlist addresses and since they don't match will ignore the interrupt. The vblank event will never be reported, and the first and second commit will wait for the first commit completion until they timeout. The underlying reason is that it was never safe to do so. Indeed, accessing the ->state pointer access synchronization is based on ownership guarantees that can only occur within the functions and hooks defined as part of the KMS framework, and obviously the irq handler isn't one of them. The rework to move to generic helpers only uncovered the underlying issue. However, since the code path between drm_atomic_helper_wait_for_dependencies() and drm_atomic_helper_wait_for_vblanks() is serialised and we can't get two commits in that path at the same time, we can work around this issue by setting a variable associated to struct drm_crtc to the dlist we expect, and then using it from the vc4_crtc_handle_vblank() function. Since that state is shared with the modesetting path, we also need to introduce a spinlock to protect the code shared between the interrupt handler and the modesetting path, protecting only our new variable for now. Link: https://lore.kernel.org/all/YWgteNaNeaS9uWDe@phenom.ffwll.local/ Link: https://lore.kernel.org/r/20211025141113.702757-3-maxime@cerno.tech Fixes: 56d1fe0979dc ("drm/vc4: Make pageflip completion handling more robust.") Acked-by: Daniel Vetter Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit d2cbb24cf66e15835496645741fb842e088ceaaa Author: Maxime Ripard Date: Mon Oct 25 16:11:05 2021 +0200 drm/vc4: crtc: Drop feed_txp from state commit a16c66401fd831f70a02d33e9bcaac585637c29f upstream. Accessing the crtc->state pointer from outside the modesetting context is not allowed. We thus need to copy whatever we need from the KMS state to our structure in order to access it. In VC4, a number of users of that pointers have crept in over the years, the first one being whether or not the downstream controller of the pixelvalve is our writeback controller. Fortunately for us, Since commit 39fcb2808376 ("drm/vc4: txp: Turn the TXP into a CRTC of its own") this is no longer something that can change from one commit to the other and is hardcoded. Let's set this flag in struct vc4_crtc if we happen to be the TXP, and drop the flag from our private state structure. Link: https://lore.kernel.org/all/YWgteNaNeaS9uWDe@phenom.ffwll.local/ Link: https://lore.kernel.org/r/20211025141113.702757-2-maxime@cerno.tech Fixes: 008095e065a8 ("drm/vc4: Add support for the transposer block") Acked-by: Daniel Vetter Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit b157f4bf1fc63e99be3a79d683959884a20faf2f Author: Ye Bin Date: Mon Nov 29 09:26:59 2021 +0800 block: Fix fsync always failed if once failed commit 8a7518931baa8ea023700987f3db31cb0a80610b upstream. We do test with inject error fault base on v4.19, after test some time we found sync /dev/sda always failed. [root@localhost] sync /dev/sda sync: error syncing '/dev/sda': Input/output error scsi log as follows: [19069.812296] sd 0:0:0:0: [sda] tag#64 Send: scmd 0x00000000d03a0b6b [19069.812302] sd 0:0:0:0: [sda] tag#64 CDB: Synchronize Cache(10) 35 00 00 00 00 00 00 00 00 00 [19069.812533] sd 0:0:0:0: [sda] tag#64 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK [19069.812536] sd 0:0:0:0: [sda] tag#64 CDB: Synchronize Cache(10) 35 00 00 00 00 00 00 00 00 00 [19069.812539] sd 0:0:0:0: [sda] tag#64 scsi host busy 1 failed 0 [19069.812542] sd 0:0:0:0: Notifying upper driver of completion (result 0) [19069.812546] sd 0:0:0:0: [sda] tag#64 sd_done: completed 0 of 0 bytes [19069.812549] sd 0:0:0:0: [sda] tag#64 0 sectors total, 0 bytes done. [19069.812564] print_req_error: I/O error, dev sda, sector 0 ftrace log as follows: rep-306069 [007] .... 19654.923315: block_bio_queue: 8,0 FWS 0 + 0 [rep] rep-306069 [007] .... 19654.923333: block_getrq: 8,0 FWS 0 + 0 [rep] kworker/7:1H-250 [007] .... 19654.923352: block_rq_issue: 8,0 FF 0 () 0 + 0 [kworker/7:1H] -0 [007] ..s. 19654.923562: block_rq_complete: 8,0 FF () 18446744073709551615 + 0 [0] -0 [007] d.s. 19654.923576: block_rq_complete: 8,0 WS () 0 + 0 [-5] As 8d6996630c03 introduce 'fq->rq_status', this data only update when 'flush_rq' reference count isn't zero. If flush request once failed and record error code in 'fq->rq_status'. If there is no chance to update 'fq->rq_status',then do fsync will always failed. To address this issue reset 'fq->rq_status' after return error code to upper layer. Fixes: 8d6996630c03("block: fix null pointer dereference in blk_mq_rq_timed_out()") Signed-off-by: Ye Bin Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20211129012659.1553733-1-yebin10@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 269fbc268633c1ee7da992dd9c58890d9906d120 Author: Jens Axboe Date: Thu Jan 20 10:28:13 2022 -0700 block: fix async_depth sysfs interface for mq-deadline commit 46cdc45acb089c811d9a54fd50af33b96e5fae9d upstream. A previous commit added this feature, but it inadvertently used the wrong variable to show/store the setting from/to, victimized by copy/paste. Fix it up so that the async_depth sysfs interface reads and writes from the right setting. Fixes: 07757588e507 ("block/mq-deadline: Reserve 25% of scheduler tags for synchronous requests") Link: https://bugzilla.kernel.org/show_bug.cgi?id=215485 Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1e95e6dab0d17826631b37f3c3bdb62d57d43b4f Author: Tobias Waldekranz Date: Tue Jan 18 22:50:52 2022 +0100 powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses commit 0d375d610fa96524e2ee2b46830a46a7bfa92a9f upstream. This block is used in (at least) T1024 and T1040, including their variants like T1023 etc. Fixes: d55ad2967d89 ("powerpc/mpc85xx: Create dts components for the FSL QorIQ DPAA FMan") Signed-off-by: Tobias Waldekranz Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 696733774b2f03ed7c774735416bb343a86041e9 Author: Anders Roxell Date: Tue Dec 7 12:02:28 2021 +0100 powerpc/cell: Fix clang -Wimplicit-fallthrough warning commit e89257e28e844f5d1d39081bb901d9f1183a7705 upstream. Clang warns: arch/powerpc/platforms/cell/pervasive.c:81:2: error: unannotated fall-through between switch labels case SRR1_WAKEEE: ^ arch/powerpc/platforms/cell/pervasive.c:81:2: note: insert 'break;' to avoid fall-through case SRR1_WAKEEE: ^ break; 1 error generated. Clang is more pedantic than GCC, which does not warn when failing through to a case that is just break or return. Clang's version is more in line with the kernel's own stance in deprecated.rst. Add athe missing break to silence the warning. Fixes: 6e83985b0f6e ("powerpc/cbe: Do not process external or decremeter interrupts from sreset") Reported-by: Naresh Kamboju Signed-off-by: Anders Roxell Reviewed-by: Nathan Chancellor Reviewed-by: Arnd Bergmann Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211207110228.698956-1-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3feb292a03d157ec2f04b47793a92db7a8a391ae Author: Moshe Shemesh Date: Sun Dec 5 11:20:59 2021 +0200 Revert "net/mlx5: Add retry mechanism to the command entry index allocation" commit 4f6626b0e140867fd6d5a2e9d4ceaef97f10f46a upstream. This reverts commit 410bd754cd73c4a2ac3856d9a03d7b08f9c906bf. The reverted commit had added a retry mechanism to the command entry index allocation. The previous patch ensures that there is a free command entry index once the command work handler holds the command semaphore. Thus the retry mechanism is not needed. Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation") Signed-off-by: Moshe Shemesh Reviewed-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit b8b4a083ab94bfadc742bbc2f023534b602a01c2 Author: Amelie Delaunay Date: Mon Dec 20 17:58:27 2021 +0100 dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK commit e7f110889a87307fb0fed408a5dee1707796ca04 upstream. This patch fixes STM32_MDMA_CTBR_TSEL_MASK, which is [5:0], not [7:0]. Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver") Signed-off-by: Amelie Delaunay Link: https://lore.kernel.org/r/20211220165827.1238097-1-amelie.delaunay@foss.st.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 7de812fc6be4c191dadc4a4b4c3a070413a281c6 Author: Chengguang Xu Date: Sat Dec 18 19:23:20 2021 +0800 RDMA/rxe: Fix a typo in opcode name commit 8d1cfb884e881efd69a3be4ef10772c71cb22216 upstream. There is a redundant ']' in the name of opcode IB_OPCODE_RC_SEND_MIDDLE, so just fix it. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20211218112320.3558770-1-cgxu519@mykernel.net Signed-off-by: Chengguang Xu Acked-by: Zhu Yanjun Reviewed-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 779ff1e23450b37c164dabe80ed070cf2e388927 Author: Yixing Liu Date: Mon Dec 6 21:36:52 2021 +0800 RDMA/hns: Modify the mapping attribute of doorbell to device commit 39d5534b1302189c809e90641ffae8cbdc42a8fc upstream. It is more general for ARM device drivers to use the device attribute to map PCI BAR spaces. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Link: https://lore.kernel.org/r/20211206133652.27476-1-liangwenpeng@huawei.com Signed-off-by: Yixing Liu Signed-off-by: Wenpeng Liang Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit dcb7718a80736bfffed7362493a931040c8a78da Author: Dave Jiang Date: Tue Dec 14 13:15:17 2021 -0700 dmaengine: idxd: fix wq settings post wq disable commit 0f225705cf6536826318180831e18a74595efc8d upstream. By the spec, wq size and group association is not changeable unless device is disabled. Exclude clearing the shadow copy on wq disable/reset. This allows wq type to be changed after disable to be re-enabled. Move the size and group association to its own cleanup and only call it during device disable. Fixes: 0dcfe41e9a4c ("dmanegine: idxd: cleanup all device related bits after disabling device") Reported-by: Lucas Van Tested-by: Lucas Van Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/163951291732.2987775.13576571320501115257.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit d87eb22b94f6068b159412c4e7a3e446f3da7953 Author: Kunihiko Hayashi Date: Tue Dec 14 13:42:43 2021 +0900 dmaengine: uniphier-xdmac: Fix type of address variables commit 105a8c525675bb7d4d64871f9b2edf39460de881 upstream. The variables src_addr and dst_addr handle DMA addresses, so these should be declared as dma_addr_t. Fixes: 667b9251440b ("dmaengine: uniphier-xdmac: Add UniPhier external DMA controller driver") Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/1639456963-10232-1-git-send-email-hayashi.kunihiko@socionext.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 60390c2242d6c70c7004f3261f86242742167ad2 Author: Håkon Bugge Date: Tue Nov 23 11:06:18 2021 +0100 RDMA/cma: Remove open coding of overflow checking for private_data_len commit 8d0d2b0f41b1b2add8a30dbd816051a964efa497 upstream. The existing tests are a little hard to comprehend. Use check_add_overflow() instead. Fixes: 04ded1672402 ("RDMA/cma: Verify private data length") Link: https://lore.kernel.org/r/1637661978-18770-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 0dc4db8abccf266390b81b72064191f876e55876 Author: Miaoqian Lin Date: Wed Dec 22 07:09:30 2021 +0000 scsi: ufs: ufs-mediatek: Fix error checking in ufs_mtk_init_va09_pwr_ctrl() commit 3ba880a12df5aa4488c18281701b5b1bc3d4531a upstream. The function regulator_get() returns an error pointer. Use IS_ERR() to validate the return value. Link: https://lore.kernel.org/r/20211222070930.9449-1-linmq006@gmail.com Fixes: cf137b3ea49a ("scsi: ufs-mediatek: Support VA09 regulator operations") Signed-off-by: Miaoqian Lin Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 46f6dda2a6fc46339832a71036dff6f36b368597 Author: Bart Van Assche Date: Mon Nov 29 11:46:00 2021 -0800 scsi: core: Show SCMD_LAST in text form commit 3369046e54ca8f82e0cb17740643da2d80d3cfa8 upstream. The SCSI debugfs code supports showing information about pending commands, including translating SCSI command flags from numeric into text format. Also convert the SCMD_LAST flag from numeric into text form. Link: https://lore.kernel.org/r/20211129194609.3466071-4-bvanassche@acm.org Fixes: 8930a6c20791 ("scsi: core: add support for request batching") Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 53b2ad98d2bb6c2d020cb4bd7e2d406bb310b0e7 Author: Luiz Augusto von Dentz Date: Mon Nov 1 15:14:41 2021 -0700 Bluetooth: hci_sync: Fix not setting adv set duration commit f16a491c65d9eb19398b25aefc10c2d3313d17b3 upstream. 10bbffa3e88e attempted to fix the use of rotation duration as advertising duration but it didn't change the if condition which still uses the duration instead of the timeout. Fixes: 10bbffa3e88e ("Bluetooth: Fix using advertising instance duration as timeout") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 7055782bc72217c9f6662e592f99e4b318bc0b88 Author: Markus Reichl Date: Thu Jan 13 21:01:11 2022 +0100 net: usb: Correct reset handling of smsc95xx commit 0bf3885324a8599e3af4c7379b8d4f621c9bbffa upstream. On boards with LAN9514 and no preconfigured MAC address we don't get an ip address from DHCP after commit a049a30fc27c ("net: usb: Correct PHY handling of smsc95xx") anymore. Adding an explicit reset before starting the phy fixes the issue. [1] https://lore.kernel.org/netdev/199eebbd6b97f52b9119c9fa4fd8504f8a34de18.camel@collabora.com/ From: Gabriel Hojda Fixes: a049a30fc27c ("net: usb: Correct PHY handling of smsc95xx") Signed-off-by: Gabriel Hojda Signed-off-by: Markus Reichl Tested-by: Alexander Stein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a15a5eabae418ff91ebce8de3f6815433b49ad1d Author: Mark Chen Date: Tue Dec 7 01:33:43 2021 +0800 Bluetooth: btusb: Return error code when getting patch status failed commit 995d948cf2e45834275f07afc1c9881a9902e73c upstream. If there are failure cases in getting patch status, it should return the error code (-EIO). Fixes: fc342c4dc4087 ("Bluetooth: btusb: Add protocol support for MediaTek MT7921U USB devices") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Mark Chen Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 9e2d8d9c0e330f3af0c43c8362bf0e5d9f5f1137 Author: Randy Dunlap Date: Tue Jan 18 19:39:05 2022 -0800 Documentation: fix firewire.rst ABI file path error commit b0ac702f3329cdc8a06dcaac73183d4b5a2b942d upstream. Adjust the path of the ABI files for firewire.rst to prevent a documentation build error. Prevents this problem: Sphinx parallel build error: docutils.utils.SystemMessage: Documentation/driver-api/firewire.rst:22: (SEVERE/4) Problems with "include" directive path: InputError: [Errno 2] No such file or directory: '../Documentation/driver-api/ABI/stable/firewire-cdev'. Fixes: 2f4830ef96d2 ("FireWire: add driver-api Introduction section") Signed-off-by: Randy Dunlap Tested-by: Akira Yokosawa Link: https://lore.kernel.org/r/20220119033905.4779-1-rdunlap@infradead.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit b791ffcb23c90285140fd3aba7e04ac850183487 Author: Lukas Bulwahn Date: Thu Dec 30 18:19:40 2021 +0100 Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization commit 82ca67321f55a8d1da6ac3ed611da3c32818bb37 upstream. The config RANDOMIZE_SLAB does not exist, the authors probably intended to refer to the config RANDOMIZE_BASE, which provides kernel address-space randomization. They probably just confused SLAB with BASE (these two four-letter words coincidentally share three common letters), as they also point out the config SLAB_FREELIST_RANDOM as further randomization within the same sentence. Fix the reference of the config for kernel address-space randomization to the config that provides that. Fixes: 6e88559470f5 ("Documentation: Add section about CPU vulnerabilities for Spectre") Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20211230171940.27558-1-lukas.bulwahn@gmail.com Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 63e9fdd76ccae77466ca306acb981bd4d701dc93 Author: Alexandre Ghiti Date: Thu Dec 16 10:44:23 2021 +0100 Documentation, arch: Remove leftovers from CIFS_WEAK_PW_HASH commit 2ac7069ad7647cd1d9ca5b08765a1e116e13cdc4 upstream. This config was removed so remove all references to it. Fixes: 76a3c92ec9e0 ("cifs: remove support for NTLM and weaker authentication algorithms") Signed-off-by: Alexandre Ghiti Reviewed-by: Steve French Acked-by: Arnd Bergmann [arch/arm/configs] Acked-by: Thomas Bogendoerfer Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 2644d43268da13adad2a7ec3ea2d303db62a4082 Author: Alexandre Ghiti Date: Thu Dec 16 10:44:22 2021 +0100 Documentation, arch: Remove leftovers from raw device commit 473dcf0ffc31ce1135cd10578e7e06698cf51f4a upstream. Raw device interface was removed so remove all references to configs related to it. Fixes: 603e4922f1c8 ("remove the raw driver") Signed-off-by: Alexandre Ghiti Acked-by: Arnd Bergmann [arch/arm/configs] Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 6bcac3149e9449883e9cbaa3b40cffe8896fdaf3 Author: Sakari Ailus Date: Wed Dec 1 14:59:31 2021 +0200 Documentation: ACPI: Fix data node reference documentation commit a11174952205d082f1658fab4314f0caf706e0a8 upstream. The data node reference documentation was missing a package that must contain the property values, instead property name and multiple values being present in a single package. This is not aligned with the _DSD spec. Fix it by adding the package for the values. Also add the missing "reg" properties to two numbered nodes. Fixes: b10134a3643d ("ACPI: property: Document hierarchical data extension references") Signed-off-by: Sakari Ailus Reviewed-by: Andy Shevchenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit d4aa8cd70b3fd9fe9565feff5a4a746bf515d6d9 Author: Daniel Thompson Date: Thu Nov 18 10:09:52 2021 +0000 Documentation: dmaengine: Correctly describe dmatest with channel unset commit c61d7b2ef141abf81140756b45860a2306f395a2 upstream. Currently the documentation states that channels must be configured before running the dmatest. This has not been true since commit 6b41030fdc79 ("dmaengine: dmatest: Restore default for channel"). Fix accordingly. Fixes: 6b41030fdc79 ("dmaengine: dmatest: Restore default for channel") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20211118100952.27268-3-daniel.thompson@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 1d4f0d707d35f3e1779a4e95cbc79b24320c9ab9 Author: Mike Leach Date: Wed Nov 17 16:42:20 2021 +0000 Documentation: coresight: Fix documentation issue commit 66bd1333abd7fa191f13b929c9119d6cd3df27b0 upstream. Fix the description of the directories and attributes used in cs_etm as used by perf. Drop the references to the 'configurations' sub-directory which had been removed in an earlier version of the patchset. Fixes: f71cd93d5ea4 ("Documentation: coresight: Add documentation for CoreSight config") Reported-by: German Gomex Signed-off-by: Mike Leach Link: https://lore.kernel.org/r/20211117164220.14883-1-mike.leach@linaro.org Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit aceb8d70f7aa351c1bbf49f24f29d25e11d0aa47 Author: Randy Dunlap Date: Sun Nov 7 18:19:23 2021 +0000 media: correct MEDIA_TEST_SUPPORT help text commit 09f4d1513267d0ab712f5d29e7bd136535748709 upstream. Fix grammar/wording in the help text for MEDIA_TEST_SUPPORT. Fixes: 4b32216adb01 ("media: split test drivers from platform directory") Signed-off-by: Randy Dunlap Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit fbe1e801bc1fa0a4c34a5284abf6ad0ef887cdfc Author: Maxime Ripard Date: Thu Aug 19 15:59:30 2021 +0200 drm/vc4: hdmi: Make sure the device is powered with CEC commit 20b0dfa86bef0e80b41b0e5ac38b92f23b6f27f9 upstream. Similarly to what we encountered with the detect hook with DRM, nothing actually prevents any of the CEC callback from being run while the HDMI output is disabled. However, this is an issue since any register access to the controller when it's powered down will result in a silent hang. Let's make sure we run the runtime_pm hooks when the CEC adapter is opened and closed by the userspace to avoid that issue. Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") Reviewed-by: Dave Stevenson Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210819135931.895976-6-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit 31a5bdbe4a68e7d1e9dba536d5ff64c08cb7d57d Author: Suresh Udipi Date: Fri Aug 13 17:07:56 2021 +0200 media: rcar-csi2: Optimize the selection PHTW register commit 549cc89cd09a85aaa16dc07ef3db811d5cf9bcb1 upstream. PHTW register is selected based on default bit rate from Table[1]. for the bit rates less than or equal to 250. Currently first value of default bit rate which is greater than or equal to the caculated mbps is selected. This selection can be further improved by selecting the default bit rate which is nearest to the calculated value. [1] specs r19uh0105ej0200-r-car-3rd-generation.pdf [Table 25.12] Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") Signed-off-by: Suresh Udipi Signed-off-by: Michael Rodin Reviewed-by: Niklas Söderlund Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c8e0c2cf2dd42ae2a545a6b42ef883bf3ed7155b Author: Marc Kleine-Budde Date: Fri Apr 23 11:26:56 2021 +0200 can: mcp251xfd: mcp251xfd_tef_obj_read(): fix typo in error message commit 99e7cc3b3f85d9a583ab83f386315c59443509ae upstream. This patch fixes a typo in the error message in mcp251xfd_tef_obj_read(), if trying to read too many objects. Link: https://lore.kernel.org/all/20220105154300.1258636-3-mkl@pengutronix.de Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1844b8ae85ac22563b92cffafaf18f528416a3b0 Author: Ben Hutchings Date: Mon Jun 18 23:55:40 2018 +0100 firmware: Update Kconfig help text for Google firmware commit d185a3466f0cd5af8f1c5c782c53bc0e6f2e7136 upstream. The help text for GOOGLE_FIRMWARE states that it should only be enabled when building a kernel for Google's own servers. However, many of the drivers dependent on it are also useful on Chromebooks or on any platform using coreboot. Update the help text to reflect this double duty. Fixes: d384d6f43d1e ("firmware: google memconsole: Add coreboot support") Reviewed-by: Julius Werner Signed-off-by: Ben Hutchings Link: https://lore.kernel.org/r/20180618225540.GD14131@decadent.org.uk Signed-off-by: Greg Kroah-Hartman commit 3252ca8b667396aef16e856ba9cf32a04cdbb2d6 Author: Baruch Siach Date: Thu Dec 30 18:31:53 2021 +0200 of: base: Improve argument length mismatch error commit 5d05b811b5acb92fc581a7b328b36646c86f5ab9 upstream. The cells_name field of of_phandle_iterator might be NULL. Use the phandle name instead. With this change instead of: OF: /soc/pinctrl@1000000: (null) = 3 found 2 We get: OF: /soc/pinctrl@1000000: phandle pinctrl@1000000 needs 3, found 2 Which is a more helpful messages making DT debugging easier. In this particular example the phandle name looks like duplicate of the same node name. But note that the first node is the parent node (it->parent), while the second is the phandle target (it->node). They happen to be the same in the case that triggered this improvement. See commit 72cb4c48a46a ("arm64: dts: qcom: ipq6018: Fix gpio-ranges property"). Signed-off-by: Baruch Siach Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/f6a68e0088a552ea9dfd4d8e3b5b586d92594738.1640881913.git.baruch@tkos.co.il Signed-off-by: Greg Kroah-Hartman commit f22f67b43775fffb09f371ea861779cdbbb763ec Author: Christian König Date: Mon Jan 17 10:31:26 2022 +0100 drm/radeon: fix error handling in radeon_driver_open_kms commit 4722f463896cc0ef1a6f1c3cb2e171e949831249 upstream. The return value was never initialized so the cleanup code executed when it isn't even necessary. Just add proper error handling. Fixes: ab50cb9df889 ("drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()") Signed-off-by: Christian König Tested-by: Jan Stancek Tested-by: Borislav Petkov Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 16c436fa4f748c6d5a65acf749e6054801784a2f Author: Aaron Ma Date: Tue Sep 28 12:05:43 2021 +0300 ath11k: qmi: avoid error messages when dma allocation fails commit b9b5948cdd7bc8d9fa31c78cbbb04382c815587f upstream. qmi tries to allocate a large contiguous dma memory at first, on the AMD Ryzen platform it fails, then retries with small slices. So set flag GFP_NOWARN to avoid flooding dmesg. Signed-off-by: Aaron Ma Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210823063258.37747-1-aaron.ma@canonical.com Cc: "Limonciello, Mario" Signed-off-by: Greg Kroah-Hartman commit cb77c81d347980f029e2e1ccdb80eb550d50eaf1 Author: Nikita Yushchenko Date: Sun Jan 9 18:34:59 2022 +0300 tracing/osnoise: Properly unhook events if start_per_cpu_kthreads() fails commit 0878355b51f5f26632e652c848a8e174bb02d22d upstream. If start_per_cpu_kthreads() called from osnoise_workload_start() returns error, event hooks are left in broken state: unhook_irq_events() called but unhook_thread_events() and unhook_softirq_events() not called, and trace_osnoise_callback_enabled flag not cleared. On the next tracer enable, hooks get not installed due to trace_osnoise_callback_enabled flag. And on the further tracer disable an attempt to remove non-installed hooks happened, hitting a WARN_ON_ONCE() in tracepoint_remove_func(). Fix the error path by adding the missing part of cleanup. While at this, introduce osnoise_unhook_events() to avoid code duplication between this error path and normal tracer disable. Link: https://lkml.kernel.org/r/20220109153459.3701773-1-nikita.yushchenko@virtuozzo.com Cc: stable@vger.kernel.org Fixes: bce29ac9ce0b ("trace: Add osnoise tracer") Acked-by: Daniel Bristot de Oliveira Signed-off-by: Nikita Yushchenko Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 0d99b0a7c329b972d40f8f136576931673d4b261 Author: Theodore Ts'o Date: Wed Jan 5 23:59:56 2022 -0500 ext4: don't use the orphan list when migrating an inode commit 6eeaf88fd586f05aaf1d48cb3a139d2a5c6eb055 upstream. We probably want to remove the indirect block to extents migration feature after a deprecation window, but until then, let's fix a potential data loss problem caused by the fact that we put the tmp_inode on the orphan list. In the unlikely case where we crash and do a journal recovery, the data blocks belonging to the inode being migrated are also represented in the tmp_inode on the orphan list --- and so its data blocks will get marked unallocated, and available for reuse. Instead, stop putting the tmp_inode on the oprhan list. So in the case where we crash while migrating the inode, we'll leak an inode, which is not a disaster. It will be easily fixed the next time we run fsck, and it's better than potentially having blocks getting claimed by two different files, and losing data as a result. Signed-off-by: Theodore Ts'o Reviewed-by: Lukas Czerner Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit e58742f46afc5d89f1f9b122627b4d81a31be9bd Author: Zhang Yi Date: Sat Dec 25 17:09:37 2021 +0800 ext4: fix an use-after-free issue about data=journal writeback mode commit 5c48a7df91499e371ef725895b2e2d21a126e227 upstream. Our syzkaller report an use-after-free issue that accessing the freed buffer_head on the writeback page in __ext4_journalled_writepage(). The problem is that if there was a truncate racing with the data=journalled writeback procedure, the writeback length could become zero and bget_one() refuse to get buffer_head's refcount, then the truncate procedure release buffer once we drop page lock, finally, the last ext4_walk_page_buffers() trigger the use-after-free problem. sync truncate ext4_sync_file() file_write_and_wait_range() ext4_setattr(0) inode->i_size = 0 ext4_writepage() len = 0 __ext4_journalled_writepage() page_bufs = page_buffers(page) ext4_walk_page_buffers(bget_one) <- does not get refcount do_invalidatepage() free_buffer_head() ext4_walk_page_buffers(page_bufs) <- trigger use-after-free After commit bdf96838aea6 ("ext4: fix race between truncate and __ext4_journalled_writepage()"), we have already handled the racing case, so the bget_one() and bput_one() are not needed. So this patch simply remove these hunk, and recheck the i_size to make it safe. Fixes: bdf96838aea6 ("ext4: fix race between truncate and __ext4_journalled_writepage()") Signed-off-by: Zhang Yi Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211225090937.712867-1-yi.zhang@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 0a3624bfdc00b4886e82a4acdab6738d974f739d Author: Ye Bin Date: Fri Dec 24 18:03:41 2021 +0800 ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' commit 298b5c521746d69c07beb2757292fb5ccc1b0f85 upstream. We got issue as follows when run syzkaller test: [ 1901.130043] EXT4-fs error (device vda): ext4_remount:5624: comm syz-executor.5: Abort forced by user [ 1901.130901] Aborting journal on device vda-8. [ 1901.131437] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.16: Detected aborted journal [ 1901.131566] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.11: Detected aborted journal [ 1901.132586] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.18: Detected aborted journal [ 1901.132751] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.9: Detected aborted journal [ 1901.136149] EXT4-fs error (device vda) in ext4_reserve_inode_write:6035: Journal has aborted [ 1901.136837] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-fuzzer: Detected aborted journal [ 1901.136915] ================================================================== [ 1901.138175] BUG: KASAN: null-ptr-deref in __ext4_journal_ensure_credits+0x74/0x140 [ext4] [ 1901.138343] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.13: Detected aborted journal [ 1901.138398] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.1: Detected aborted journal [ 1901.138808] Read of size 8 at addr 0000000000000000 by task syz-executor.17/968 [ 1901.138817] [ 1901.138852] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.30: Detected aborted journal [ 1901.144779] CPU: 1 PID: 968 Comm: syz-executor.17 Not tainted 4.19.90-vhulk2111.1.0.h893.eulerosv2r10.aarch64+ #1 [ 1901.146479] Hardware name: linux,dummy-virt (DT) [ 1901.147317] Call trace: [ 1901.147552] dump_backtrace+0x0/0x2d8 [ 1901.147898] show_stack+0x28/0x38 [ 1901.148215] dump_stack+0xec/0x15c [ 1901.148746] kasan_report+0x108/0x338 [ 1901.149207] __asan_load8+0x58/0xb0 [ 1901.149753] __ext4_journal_ensure_credits+0x74/0x140 [ext4] [ 1901.150579] ext4_xattr_delete_inode+0xe4/0x700 [ext4] [ 1901.151316] ext4_evict_inode+0x524/0xba8 [ext4] [ 1901.151985] evict+0x1a4/0x378 [ 1901.152353] iput+0x310/0x428 [ 1901.152733] do_unlinkat+0x260/0x428 [ 1901.153056] __arm64_sys_unlinkat+0x6c/0xc0 [ 1901.153455] el0_svc_common+0xc8/0x320 [ 1901.153799] el0_svc_handler+0xf8/0x160 [ 1901.154265] el0_svc+0x10/0x218 [ 1901.154682] ================================================================== This issue may happens like this: Process1 Process2 ext4_evict_inode ext4_journal_start ext4_truncate ext4_ind_truncate ext4_free_branches ext4_ind_truncate_ensure_credits ext4_journal_ensure_credits_fn ext4_journal_restart handle->h_transaction = NULL; mount -o remount,abort /mnt -> trigger JBD abort start_this_handle -> will return failed ext4_xattr_delete_inode ext4_journal_ensure_credits ext4_journal_ensure_credits_fn __ext4_journal_ensure_credits jbd2_handle_buffer_credits journal = handle->h_transaction->t_journal; ->null-ptr-deref Now, indirect truncate process didn't handle error. To solve this issue maybe simply add check handle is abort in '__ext4_journal_ensure_credits' is enough, and i also think this is necessary. Cc: stable@kernel.org Signed-off-by: Ye Bin Link: https://lore.kernel.org/r/20211224100341.3299128-1-yebin10@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit c857769622f3647f973bb75a8a040e694f498a93 Author: Sebastian Andrzej Siewior Date: Thu Dec 23 17:44:36 2021 +0100 ext4: destroy ext4_fc_dentry_cachep kmemcache on module removal commit ab047d516dea72f011c15c04a929851e4d053109 upstream. The kmemcache for ext4_fc_dentry_cachep remains registered after module removal. Destroy ext4_fc_dentry_cachep kmemcache on module removal. Fixes: aa75f4d3daaeb ("ext4: main fast-commit commit path") Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Lukas Czerner Reviewed-by: Harshad Shirwadkar Link: https://lore.kernel.org/r/20211110134640.lyku5vklvdndw6uk@linutronix.de Link: https://lore.kernel.org/r/YbiK3JetFFl08bd7@linutronix.de Link: https://lore.kernel.org/r/20211223164436.2628390-1-bigeasy@linutronix.de Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 95fb4c496a7abebb50ba49b0bbba9de6d8466fa7 Author: Xin Yin Date: Thu Dec 23 11:23:37 2021 +0800 ext4: fast commit may miss tracking unwritten range during ftruncate commit 9725958bb75cdfa10f2ec11526fdb23e7485e8e4 upstream. If use FALLOC_FL_KEEP_SIZE to alloc unwritten range at bottom, the inode->i_size will not include the unwritten range. When call ftruncate with fast commit enabled, it will miss to track the unwritten range. Change to trace the full range during ftruncate. Signed-off-by: Xin Yin Reviewed-by: Harshad Shirwadkar Link: https://lore.kernel.org/r/20211223032337.5198-3-yinxin.x@bytedance.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 82034851e93bfb1407129b09ad1d1f3392be486e Author: Xin Yin Date: Thu Dec 23 11:23:36 2021 +0800 ext4: use ext4_ext_remove_space() for fast commit replay delete range commit 0b5b5a62b945a141e64011b2f90ee7e46f14be98 upstream. For now ,we use ext4_punch_hole() during fast commit replay delete range procedure. But it will be affected by inode->i_size, which may not correct during fast commit replay procedure. The following test will failed. -create & write foo (len 1000K) -falloc FALLOC_FL_ZERO_RANGE foo (range 400K - 600K) -create & fsync bar -falloc FALLOC_FL_PUNCH_HOLE foo (range 300K-500K) -fsync foo -crash before a full commit After the fast_commit reply procedure, the range 400K-500K will not be removed. Because in this case, when calling ext4_punch_hole() the inode->i_size is 0, and it just retruns with doing nothing. Change to use ext4_ext_remove_space() instead of ext4_punch_hole() to remove blocks of inode directly. Signed-off-by: Xin Yin Reviewed-by: Harshad Shirwadkar Link: https://lore.kernel.org/r/20211223032337.5198-2-yinxin.x@bytedance.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit efbb6fcced2d0cb9b8dc604fd13ccdd76d50bbfb Author: Ye Bin Date: Thu Dec 23 09:55:06 2021 +0800 ext4: Fix BUG_ON in ext4_bread when write quota data commit 380a0091cab482489e9b19e07f2a166ad2b76d5c upstream. We got issue as follows when run syzkaller: [ 167.936972] EXT4-fs error (device loop0): __ext4_remount:6314: comm rep: Abort forced by user [ 167.938306] EXT4-fs (loop0): Remounting filesystem read-only [ 167.981637] Assertion failure in ext4_getblk() at fs/ext4/inode.c:847: '(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) || handle != NULL || create == 0' [ 167.983601] ------------[ cut here ]------------ [ 167.984245] kernel BUG at fs/ext4/inode.c:847! [ 167.984882] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 167.985624] CPU: 7 PID: 2290 Comm: rep Tainted: G B 5.16.0-rc5-next-20211217+ #123 [ 167.986823] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 167.988590] RIP: 0010:ext4_getblk+0x17e/0x504 [ 167.989189] Code: c6 01 74 28 49 c7 c0 a0 a3 5c 9b b9 4f 03 00 00 48 c7 c2 80 9c 5c 9b 48 c7 c6 40 b6 5c 9b 48 c7 c7 20 a4 5c 9b e8 77 e3 fd ff <0f> 0b 8b 04 244 [ 167.991679] RSP: 0018:ffff8881736f7398 EFLAGS: 00010282 [ 167.992385] RAX: 0000000000000094 RBX: 1ffff1102e6dee75 RCX: 0000000000000000 [ 167.993337] RDX: 0000000000000001 RSI: ffffffff9b6e29e0 RDI: ffffed102e6dee66 [ 167.994292] RBP: ffff88816a076210 R08: 0000000000000094 R09: ffffed107363fa09 [ 167.995252] R10: ffff88839b1fd047 R11: ffffed107363fa08 R12: ffff88816a0761e8 [ 167.996205] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000001 [ 167.997158] FS: 00007f6a1428c740(0000) GS:ffff88839b000000(0000) knlGS:0000000000000000 [ 167.998238] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 167.999025] CR2: 00007f6a140716c8 CR3: 0000000133216000 CR4: 00000000000006e0 [ 167.999987] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 168.000944] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 168.001899] Call Trace: [ 168.002235] [ 168.007167] ext4_bread+0xd/0x53 [ 168.007612] ext4_quota_write+0x20c/0x5c0 [ 168.010457] write_blk+0x100/0x220 [ 168.010944] remove_free_dqentry+0x1c6/0x440 [ 168.011525] free_dqentry.isra.0+0x565/0x830 [ 168.012133] remove_tree+0x318/0x6d0 [ 168.014744] remove_tree+0x1eb/0x6d0 [ 168.017346] remove_tree+0x1eb/0x6d0 [ 168.019969] remove_tree+0x1eb/0x6d0 [ 168.022128] qtree_release_dquot+0x291/0x340 [ 168.023297] v2_release_dquot+0xce/0x120 [ 168.023847] dquot_release+0x197/0x3e0 [ 168.024358] ext4_release_dquot+0x22a/0x2d0 [ 168.024932] dqput.part.0+0x1c9/0x900 [ 168.025430] __dquot_drop+0x120/0x190 [ 168.025942] ext4_clear_inode+0x86/0x220 [ 168.026472] ext4_evict_inode+0x9e8/0xa22 [ 168.028200] evict+0x29e/0x4f0 [ 168.028625] dispose_list+0x102/0x1f0 [ 168.029148] evict_inodes+0x2c1/0x3e0 [ 168.030188] generic_shutdown_super+0xa4/0x3b0 [ 168.030817] kill_block_super+0x95/0xd0 [ 168.031360] deactivate_locked_super+0x85/0xd0 [ 168.031977] cleanup_mnt+0x2bc/0x480 [ 168.033062] task_work_run+0xd1/0x170 [ 168.033565] do_exit+0xa4f/0x2b50 [ 168.037155] do_group_exit+0xef/0x2d0 [ 168.037666] __x64_sys_exit_group+0x3a/0x50 [ 168.038237] do_syscall_64+0x3b/0x90 [ 168.038751] entry_SYSCALL_64_after_hwframe+0x44/0xae In order to reproduce this problem, the following conditions need to be met: 1. Ext4 filesystem with no journal; 2. Filesystem image with incorrect quota data; 3. Abort filesystem forced by user; 4. umount filesystem; As in ext4_quota_write: ... if (EXT4_SB(sb)->s_journal && !handle) { ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)" " cancelled because transaction is not started", (unsigned long long)off, (unsigned long long)len); return -EIO; } ... We only check handle if NULL when filesystem has journal. There is need check handle if NULL even when filesystem has no journal. Signed-off-by: Ye Bin Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20211223015506.297766-1-yebin10@huawei.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit fd86fd7119fbcd430ef8ad0a19255e72f2e16683 Author: Luís Henriques Date: Tue Dec 14 17:50:58 2021 +0000 ext4: set csum seed in tmp inode while migrating to extents commit e81c9302a6c3c008f5c30beb73b38adb0170ff2d upstream. When migrating to extents, the temporary inode will have it's own checksum seed. This means that, when swapping the inodes data, the inode checksums will be incorrect. This can be fixed by recalculating the extents checksums again. Or simply by copying the seed into the temporary inode. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213357 Reported-by: Jeroen van Wolffelaar Signed-off-by: Luís Henriques Link: https://lore.kernel.org/r/20211214175058.19511-1-lhenriques@suse.de Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 50bc43bc1ce0821e7042ab5ffb7a943e0ef854ba Author: Xin Yin Date: Tue Dec 21 10:28:39 2021 +0800 ext4: fix fast commit may miss tracking range for FALLOC_FL_ZERO_RANGE commit 5e4d0eba1ccaf19f93222abdeda5a368be141785 upstream. when call falloc with FALLOC_FL_ZERO_RANGE, to set an range to unwritten, which has been already initialized. If the range is align to blocksize, fast commit will not track range for this change. Also track range for unwritten range in ext4_map_blocks(). Signed-off-by: Xin Yin Reviewed-by: Harshad Shirwadkar Link: https://lore.kernel.org/r/20211221022839.374606-1-yinxin.x@bytedance.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 85cc4554eea845ae0a1b06f43df6b566ff6776d2 Author: Harshad Shirwadkar Date: Wed Dec 1 08:34:21 2021 -0800 ext4: initialize err_blk before calling __ext4_get_inode_loc commit c27c29c6af4f3f4ce925a2111c256733c5a5b430 upstream. It is not guaranteed that __ext4_get_inode_loc will definitely set err_blk pointer when it returns EIO. To avoid using uninitialized variables, let's first set err_blk to 0. Reported-by: Dan Carpenter Signed-off-by: Harshad Shirwadkar Link: https://lore.kernel.org/r/20211201163421.2631661-1-harshads@google.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 2d221d9b17fa3065ba7c3afd8ff0a8e1f2818497 Author: Chunguang Xu Date: Tue Nov 23 09:17:57 2021 +0800 ext4: fix a possible ABBA deadlock due to busy PA commit 8c80fb312d7abf8bcd66cca1d843a80318a2c522 upstream. We found on older kernel (3.10) that in the scenario of insufficient disk space, system may trigger an ABBA deadlock problem, it seems that this problem still exists in latest kernel, try to fix it here. The main process triggered by this problem is that task A occupies the PA and waits for the jbd2 transaction finish, the jbd2 transaction waits for the completion of task B's IO (plug_list), but task B waits for the release of PA by task A to finish discard, which indirectly forms an ABBA deadlock. The related calltrace is as follows: Task A vfs_write ext4_mb_new_blocks() ext4_mb_mark_diskspace_used() JBD2 jbd2_journal_get_write_access() -> jbd2_journal_commit_transaction() ->schedule() filemap_fdatawait() | | | Task B | | do_unlinkat() | | ext4_evict_inode() | | jbd2_journal_begin_ordered_truncate() | | filemap_fdatawrite_range() | | ext4_mb_new_blocks() | -ext4_mb_discard_group_preallocations() <----- Here, try to cancel ext4_mb_discard_group_preallocations() internal retry due to PA busy, and do a limited number of retries inside ext4_mb_discard_preallocations(), which can circumvent the above problems, but also has some advantages: 1. Since the PA is in a busy state, if other groups have free PAs, keeping the current PA may help to reduce fragmentation. 2. Continue to traverse forward instead of waiting for the current group PA to be released. In most scenarios, the PA discard time can be reduced. However, in the case of smaller free space, if only a few groups have space, then due to multiple traversals of the group, it may increase CPU overhead. But in contrast, I feel that the overall benefit is better than the cost. Signed-off-by: Chunguang Xu Reported-by: kernel test robot Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/1637630277-23496-1-git-send-email-brookxu.cn@gmail.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit bca8a2bfbdd0ebf13828d48c6e1acc2f658e04e1 Author: Jan Kara Date: Thu Oct 7 17:53:35 2021 +0200 ext4: make sure quota gets properly shutdown on error commit 15fc69bbbbbc8c72e5f6cc4e1be0f51283c5448e upstream. When we hit an error when enabling quotas and setting inode flags, we do not properly shutdown quota subsystem despite returning error from Q_QUOTAON quotactl. This can lead to some odd situations like kernel using quota file while it is still writeable for userspace. Make sure we properly cleanup the quota subsystem in case of error. Signed-off-by: Jan Kara Cc: stable@kernel.org Link: https://lore.kernel.org/r/20211007155336.12493-2-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 8ffe9ad9f5efc14a0d7a706ba3b8ee616b682872 Author: Jan Kara Date: Thu Oct 7 17:53:36 2021 +0200 ext4: make sure to reset inode lockdep class when quota enabling fails commit 4013d47a5307fdb5c13370b5392498b00fedd274 upstream. When we succeed in enabling some quota type but fail to enable another one with quota feature, we correctly disable all enabled quota types. However we forget to reset i_data_sem lockdep class. When the inode gets freed and reused, it will inherit this lockdep class (i_data_sem is initialized only when a slab is created) and thus eventually lockdep barfs about possible deadlocks. Reported-and-tested-by: syzbot+3b6f9218b1301ddda3e2@syzkaller.appspotmail.com Signed-off-by: Jan Kara Cc: stable@kernel.org Link: https://lore.kernel.org/r/20211007155336.12493-3-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 5237c93d58c3723e99a03f2d3305145d67dfebe0 Author: Filipe Manana Date: Thu Dec 16 15:00:32 2021 +0000 btrfs: respect the max size in the header when activating swap file commit c2f822635df873c510bda6fb7fd1b10b7c31be2d upstream. If we extended the size of a swapfile after its header was created (by the mkswap utility) and then try to activate it, we will map the entire file when activating the swap file, instead of limiting to the max size defined in the swap file's header. Currently test case generic/643 from fstests fails because we do not respect that size limit defined in the swap file's header. So fix this by not mapping file ranges beyond the max size defined in the swap header. This is the same type of bug that iomap used to have, and was fixed in commit 36ca7943ac18ae ("mm/swap: consider max pages in iomap_swapfile_add_extent"). Fixes: ed46ff3d423780 ("Btrfs: support swap files") CC: stable@vger.kernel.org # 5.4+ Reviewed-and-tested-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 724d9fa55cbea7ed9e61500da0f13a1dd660bd6c Author: Josef Bacik Date: Wed Nov 24 14:14:24 2021 -0500 btrfs: check the root node for uptodate before returning it commit 120de408e4b97504a2d9b5ca534b383de2c73d49 upstream. Now that we clear the extent buffer uptodate if we fail to write it out we need to check to see if our root node is uptodate before we search down it. Otherwise we could return stale data (or potentially corrupt data that was caught by the write verification step) and think that the path is OK to search down. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Nikolay Borisov Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit ef383621b12512b241dc0d01ecdb2285d2437fbc Author: Filipe Manana Date: Wed Oct 27 18:30:25 2021 +0100 btrfs: fix deadlock between quota enable and other quota operations commit 232796df8c1437c41d308d161007f0715bac0a54 upstream. When enabling quotas, we attempt to commit a transaction while holding the mutex fs_info->qgroup_ioctl_lock. This can result on a deadlock with other quota operations such as: - qgroup creation and deletion, ioctl BTRFS_IOC_QGROUP_CREATE; - adding and removing qgroup relations, ioctl BTRFS_IOC_QGROUP_ASSIGN. This is because these operations join a transaction and after that they attempt to lock the mutex fs_info->qgroup_ioctl_lock. Acquiring that mutex after joining or starting a transaction is a pattern followed everywhere in qgroups, so the quota enablement operation is the one at fault here, and should not commit a transaction while holding that mutex. Fix this by making the transaction commit while not holding the mutex. We are safe from two concurrent tasks trying to enable quotas because we are serialized by the rw semaphore fs_info->subvol_sem at btrfs_ioctl_quota_ctl(), which is the only call site for enabling quotas. When this deadlock happens, it produces a trace like the following: INFO: task syz-executor:25604 blocked for more than 143 seconds. Not tainted 5.15.0-rc6 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:24800 pid:25604 ppid: 24873 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4940 [inline] __schedule+0xcd9/0x2530 kernel/sched/core.c:6287 schedule+0xd3/0x270 kernel/sched/core.c:6366 btrfs_commit_transaction+0x994/0x2e90 fs/btrfs/transaction.c:2201 btrfs_quota_enable+0x95c/0x1790 fs/btrfs/qgroup.c:1120 btrfs_ioctl_quota_ctl fs/btrfs/ioctl.c:4229 [inline] btrfs_ioctl+0x637e/0x7b70 fs/btrfs/ioctl.c:5010 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f86920b2c4d RSP: 002b:00007f868f61ac58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f86921d90a0 RCX: 00007f86920b2c4d RDX: 0000000020005e40 RSI: 00000000c0109428 RDI: 0000000000000008 RBP: 00007f869212bd80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86921d90a0 R13: 00007fff6d233e4f R14: 00007fff6d233ff0 R15: 00007f868f61adc0 INFO: task syz-executor:25628 blocked for more than 143 seconds. Not tainted 5.15.0-rc6 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:29080 pid:25628 ppid: 24873 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4940 [inline] __schedule+0xcd9/0x2530 kernel/sched/core.c:6287 schedule+0xd3/0x270 kernel/sched/core.c:6366 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6425 __mutex_lock_common kernel/locking/mutex.c:669 [inline] __mutex_lock+0xc96/0x1680 kernel/locking/mutex.c:729 btrfs_remove_qgroup+0xb7/0x7d0 fs/btrfs/qgroup.c:1548 btrfs_ioctl_qgroup_create fs/btrfs/ioctl.c:4333 [inline] btrfs_ioctl+0x683c/0x7b70 fs/btrfs/ioctl.c:5014 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-by: Hao Sun Link: https://lore.kernel.org/linux-btrfs/CACkBjsZQF19bQ1C6=yetF3BvL10OSORpFUcWXTP6HErshDB4dQ@mail.gmail.com/ Fixes: 340f1aa27f36 ("btrfs: qgroups: Move transaction management inside btrfs_quota_enable/disable") CC: stable@vger.kernel.org # 4.19 Reviewed-by: Qu Wenruo Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9c1154f395cb4c24996829b0dfafa78754702729 Author: Nicolas Dichtel Date: Mon Nov 22 11:33:13 2021 +0100 xfrm: fix dflt policy check when there is no policy configured commit ec3bb890817e4398f2d46e12e2e205495b116be9 upstream. When there is no policy configured on the system, the default policy is checked in xfrm_route_forward. However, it was done with the wrong direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT). The default policy for XFRM_POLICY_FWD was checked just before, with a call to xfrm[46]_policy_check(). CC: stable@vger.kernel.org Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 491c3ae9fbb6eecdc880aef608d35f28fc7481d3 Author: Ghalem Boudour Date: Fri Nov 19 18:20:16 2021 +0100 xfrm: fix policy lookup for ipv6 gre packets commit bcf141b2eb551b3477b24997ebc09c65f117a803 upstream. On egress side, xfrm lookup is called from __gre6_xmit() with the fl6_gre_key field not initialized leading to policies selectors check failure. Consequently, gre packets are sent without encryption. On ingress side, INET6_PROTO_NOPOLICY was set, thus packets were not checked against xfrm policies. Like for egress side, fl6_gre_key should be correctly set, this is now done in decode_session6(). Fixes: c12b395a4664 ("gre: Support GRE over IPv6") Cc: stable@vger.kernel.org Signed-off-by: Ghalem Boudour Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 9473abe5b5bff6c34e8cda352c4b5ce6a7bc82aa Author: Pali Rohár Date: Wed Nov 24 16:59:44 2021 +0100 PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device commit 3be9d243b21724d49b65043d4520d688b6040b36 upstream. Since all PCI Express device Functions are required to implement the PCI Express Capability structure, Capabilities List bit in PCI Status Register must be hardwired to 1b. Capabilities Pointer register (which is already set by pci-bride-emul.c driver) is valid only when Capabilities List is set to 1b. Link: https://lore.kernel.org/r/20211124155944.1290-7-pali@kernel.org Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit d4e0d674b42dfb87f556c2a7caf2e9b3defb1477 Author: Pali Rohár Date: Wed Nov 24 16:59:43 2021 +0100 PCI: pci-bridge-emul: Correctly set PCIe capabilities commit 1f1050c5e1fefb34ac90a506b43e9da803b5f8f7 upstream. Older mvebu hardware provides PCIe Capability structure only in version 1. New mvebu and aardvark hardware provides it in version 2. So do not force version to 2 in pci_bridge_emul_init() and rather allow drivers to set correct version. Drivers need to set version in pcie_conf.cap field without overwriting PCI_CAP_LIST_ID register. Both drivers (mvebu and aardvark) do not provide slot support yet, so do not set PCI_EXP_FLAGS_SLOT flag. Link: https://lore.kernel.org/r/20211124155944.1290-6-pali@kernel.org Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 9624d1eb4d1f5136183ee9aed1b3eb075f8fdf6b Author: Pali Rohár Date: Wed Nov 24 16:59:42 2021 +0100 PCI: pci-bridge-emul: Fix definitions of reserved bits commit 12998087d9f48b66965b97412069c7826502cd7e upstream. Some bits in PCI_EXP registers are reserved for non-root ports. Driver pci-bridge-emul.c implements PCIe Root Port device therefore it should not allow setting reserved bits of registers. Properly define non-reserved bits for all PCI_EXP registers. Link: https://lore.kernel.org/r/20211124155944.1290-5-pali@kernel.org Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit b1445d865b054b3de4b1bdcdb2ca8f98c4a32cc6 Author: Pali Rohár Date: Wed Nov 24 16:59:40 2021 +0100 PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space commit 7b067ac63a5730d2fae18399fed7e45f23d36912 upstream. Some bits in PCI config space are reserved when device is PCIe. Properly define behavior of PCI registers for PCIe emulated bridge and ensure that it would not be possible change these reserved bits. Link: https://lore.kernel.org/r/20211124155944.1290-3-pali@kernel.org Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 15cf508331ef025c55ad5759517584232a6792fc Author: Pali Rohár Date: Wed Nov 24 16:59:39 2021 +0100 PCI: pci-bridge-emul: Make expansion ROM Base Address register read-only commit 1c1a3b4d3e86b997a313ffb297c1129540882859 upstream. If expansion ROM is unsupported (which is the case of pci-bridge-emul.c driver) then ROM Base Address register must be implemented as read-only register that return 0 when read, same as for unused Base Address registers. Link: https://lore.kernel.org/r/20211124155944.1290-2-pali@kernel.org Fixes: 23a5fba4d941 ("PCI: Introduce PCI bridge emulated config space common logic") Signed-off-by: Pali Rohár Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit c2451a37174cf3d701f4b0345efbe28179202820 Author: Hans de Goede Date: Fri Dec 17 15:17:09 2021 +0100 PCI: pciehp: Use down_read/write_nested(reset_lock) to fix lockdep errors commit 085a9f43433f30cbe8a1ade62d9d7827c3217f4d upstream. Use down_read_nested() and down_write_nested() when taking the ctrl->reset_lock rw-sem, passing the number of PCIe hotplug controllers in the path to the PCI root bus as lock subclass parameter. This fixes the following false-positive lockdep report when unplugging a Lenovo X1C8 from a Lenovo 2nd gen TB3 dock: pcieport 0000:06:01.0: pciehp: Slot(1): Link Down pcieport 0000:06:01.0: pciehp: Slot(1): Card not present ============================================ WARNING: possible recursive locking detected 5.16.0-rc2+ #621 Not tainted -------------------------------------------- irq/124-pciehp/86 is trying to acquire lock: ffff8e5ac4299ef8 (&ctrl->reset_lock){.+.+}-{3:3}, at: pciehp_check_presence+0x23/0x80 but task is already holding lock: ffff8e5ac4298af8 (&ctrl->reset_lock){.+.+}-{3:3}, at: pciehp_ist+0xf3/0x180 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ctrl->reset_lock); lock(&ctrl->reset_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by irq/124-pciehp/86: #0: ffff8e5ac4298af8 (&ctrl->reset_lock){.+.+}-{3:3}, at: pciehp_ist+0xf3/0x180 #1: ffffffffa3b024e8 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pciehp_unconfigure_device+0x31/0x110 #2: ffff8e5ac1ee2248 (&dev->mutex){....}-{3:3}, at: device_release_driver+0x1c/0x40 stack backtrace: CPU: 4 PID: 86 Comm: irq/124-pciehp Not tainted 5.16.0-rc2+ #621 Hardware name: LENOVO 20U90SIT19/20U90SIT19, BIOS N2WET30W (1.20 ) 08/26/2021 Call Trace: dump_stack_lvl+0x59/0x73 __lock_acquire.cold+0xc5/0x2c6 lock_acquire+0xb5/0x2b0 down_read+0x3e/0x50 pciehp_check_presence+0x23/0x80 pciehp_runtime_resume+0x5c/0xa0 device_for_each_child+0x45/0x70 pcie_port_device_runtime_resume+0x20/0x30 pci_pm_runtime_resume+0xa7/0xc0 __rpm_callback+0x41/0x110 rpm_callback+0x59/0x70 rpm_resume+0x512/0x7b0 __pm_runtime_resume+0x4a/0x90 __device_release_driver+0x28/0x240 device_release_driver+0x26/0x40 pci_stop_bus_device+0x68/0x90 pci_stop_bus_device+0x2c/0x90 pci_stop_and_remove_bus_device+0xe/0x20 pciehp_unconfigure_device+0x6c/0x110 pciehp_disable_slot+0x5b/0xe0 pciehp_handle_presence_or_link_change+0xc3/0x2f0 pciehp_ist+0x179/0x180 This lockdep warning is triggered because with Thunderbolt, hotplug ports are nested. When removing multiple devices in a daisy-chain, each hotplug port's reset_lock may be acquired recursively. It's never the same lock, so the lockdep splat is a false positive. Because locks at the same hierarchy level are never acquired recursively, a per-level lockdep class is sufficient to fix the lockdep warning. The choice to use one lockdep subclass per pcie-hotplug controller in the path to the root-bus was made to conserve class keys because their number is limited and the complexity grows quadratically with number of keys according to Documentation/locking/lockdep-design.rst. Link: https://lore.kernel.org/linux-pci/20190402021933.GA2966@mit.edu/ Link: https://lore.kernel.org/linux-pci/de684a28-9038-8fc6-27ca-3f6f2f6400d7@redhat.com/ Link: https://lore.kernel.org/r/20211217141709.379663-1-hdegoede@redhat.com Link: https://bugzilla.kernel.org/show_bug.cgi?id=208855 Reported-by: "Theodore Ts'o" Signed-off-by: Hans de Goede Signed-off-by: Bjorn Helgaas Reviewed-by: Lukas Wunner Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 0a04b6a0f7f41c0361242105cd77f9afab44f59b Author: Rob Herring Date: Mon Nov 29 11:36:37 2021 -0600 PCI: xgene: Fix IB window setup commit c7a75d07827a1f33d566e18e6098379cc2a0c2b2 upstream. Commit 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") broke PCI support on XGene. The cause is the IB resources are now sorted in address order instead of being in DT dma-ranges order. The result is which inbound registers are used for each region are swapped. I don't know the details about this h/w, but it appears that IB region 0 registers can't handle a size greater than 4GB. In any case, limiting the size for region 0 is enough to get back to the original assignment of dma-ranges to regions. Link: https://lore.kernel.org/all/CA+enf=v9rY_xnZML01oEgKLmvY1NGBUUhnSJaETmXtDtXfaczA@mail.gmail.com/ Link: https://lore.kernel.org/r/20211129173637.303201-1-robh@kernel.org Fixes: 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") Reported-by: Stéphane Graber Tested-by: Stéphane Graber Signed-off-by: Rob Herring Signed-off-by: Lorenzo Pieralisi Reviewed-by: Krzysztof Wilczyński Cc: stable@vger.kernel.org # v5.5+ Signed-off-by: Greg Kroah-Hartman commit 077fe9d865604fcab3238afeaa7408cc1635bc39 Author: José Roberto de Souza Date: Thu Jan 13 08:04:37 2022 -0800 drm/i915/display/ehl: Update voltage swing table commit ef3ac01564067a4337bb798b8eddc6ea7b78fd10 upstream. EHL table was recently updated with some minor fixes. BSpec: 21257 Cc: stable@vger.kernel.org Cc: Clint Taylor Signed-off-by: José Roberto de Souza Reviewed-by: Clint Taylor Link: https://patchwork.freedesktop.org/patch/msgid/20220113160437.49059-1-jose.souza@intel.com (cherry picked from commit 5ec7baef52c367cdbda964aa662f7135c25bab1f) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit c3a9e0e701dfd087b0044c3598bffe880262c066 Author: Alex Deucher Date: Wed Jan 12 22:38:51 2022 -0500 drm/amdgpu: don't do resets on APUs which don't support it commit e8309d50e97851ff135c4e33325d37b032666b94 upstream. It can cause a hang. This is normally not enabled for GPU hangs on these asics, but was recently enabled for handling aborted suspends. This causes hangs on some platforms on suspend. Fixes: daf8de0874ab5b ("drm/amdgpu: always reset the asic in suspend (v2)") Cc: stable@vger.kernel.org Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1858 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 99d41076c26099899dedacd690f5d0f3f470565c Author: James Smart Date: Fri Dec 3 16:26:38 2021 -0800 scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance commit 7576d48c64f36f6fea9df2882f710a474fa35f40 upstream. Issuing lpfc_force_rscn twice results in an ndlp kref use-after-free call trace. A prior patch reworked the get/put handling by ensuring nlp_get was done before WQE submission and a put was done in the completion path. Unfortunately, the issue_els_rscn path had a piece of legacy code that did a nlp_put, causing an imbalance on the ref counts. Fixed by removing the unnecessary legacy code snippet. Link: https://lore.kernel.org/r/20211204002644.116455-4-jsmart2021@gmail.com Fixes: 4430f7fd09ec ("scsi: lpfc: Rework locations of ndlp reference taking") Cc: # v5.11+ Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 56fc6cb5d59a90e926be994e2532df44f6c4349d Author: Nicholas Piggin Date: Thu Dec 16 20:33:42 2021 +1000 powerpc/64s/radix: Fix huge vmap false positive commit 467ba14e1660b52a2f9338b484704c461bd23019 upstream. pmd_huge() is defined to false when HUGETLB_PAGE is not configured, but the vmap code still installs huge PMDs. This leads to false bad PMD errors when vunmapping because it is not seen as a huge PTE, and the bad PMD check catches it. The end result may not be much more serious than some bad pmd warning messages, because the pmd_none_or_clear_bad() does what we wanted and clears the huge PTE anyway. Fix this by checking pmd_is_leaf(), which checks for a PTE regardless of config options. The whole huge/large/leaf stuff is a tangled mess but that's kernel-wide and not something we can improve much in arch/powerpc code. pmd_page(), pud_page(), etc., called by vmalloc_to_page() on huge vmaps can similarly trigger a false VM_BUG_ON when CONFIG_HUGETLB_PAGE=n, so those checks are adjusted. The checks were added by commit d6eacedd1f0e ("powerpc/book3s: Use config independent helpers for page table walk"), while implementing a similar fix for other page table walking functions. Fixes: d909f9109c30 ("powerpc/64s/radix: Enable HAVE_ARCH_HUGE_VMAP") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211216103342.609192-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 46df3013a5c2a34b02476fc6840bb6d63868207a Author: John David Anglin Date: Wed Dec 22 16:01:31 2021 +0000 parisc: Fix lpa and lpa_user defines commit db19c6f1a2a353cc8dec35b4789733a3cf6e2838 upstream. While working on the rewrite to the light-weight syscall and futex code, I experimented with using a hash index based on the user physical address of atomic variable. This exposed two problems with the lpa and lpa_user defines. Because of the copy instruction, the pa argument needs to be an early clobber argument. This prevents gcc from allocating the va and pa arguments to the same register. Secondly, the lpa instruction can cause a page fault so we need to catch exceptions. Signed-off-by: John David Anglin Fixes: 116d753308cf ("parisc: Use lpa instruction to load physical addresses in driver code") Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # v5.2+ Signed-off-by: Greg Kroah-Hartman commit 95df03b471d9061c94340241eb9507bf9493febd Author: Brian Norris Date: Wed Nov 3 13:52:00 2021 -0700 drm/bridge: analogix_dp: Make PSR-exit block less commit c4c6ef229593366ab593d4d424addc7025b54a76 upstream. Prior to commit 6c836d965bad ("drm/rockchip: Use the helpers for PSR"), "PSR exit" used non-blocking analogix_dp_send_psr_spd(). The refactor started using the blocking variant, for a variety of reasons -- quoting Sean Paul's potentially-faulty memory: """ - To avoid racing a subsequent PSR entry (if exit takes a long time) - To avoid racing disable/modeset - We're not displaying new content while exiting PSR anyways, so there is minimal utility in allowing frames to be submitted - We're lying to userspace telling them frames are on the screen when we're just dropping them on the floor """ However, I'm finding that this blocking transition is causing upwards of 60+ ms of unneeded latency on PSR-exit, to the point that initial cursor movements when leaving PSR are unbearably jumpy. It turns out that we need to meet in the middle somewhere: Sean is right that we were "lying to userspace" with a non-blocking PSR-exit, but the new blocking behavior is also waiting too long: According to the eDP specification, the sink device must support PSR entry transitions from both state 4 (ACTIVE_RESYNC) and state 0 (INACTIVE). It also states that in ACTIVE_RESYNC, "the Sink device must display the incoming active frames from the Source device with no visible glitches and/or artifacts." Thus, for our purposes, we only need to wait for ACTIVE_RESYNC before moving on; we are ready to display video, and subsequent PSR-entry is safe. Tested on a Samsung Chromebook Plus (i.e., Rockchip RK3399 Gru Kevin), where this saves about 60ms of latency, for PSR-exit that used to take about 80ms. Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") Cc: Cc: Zain Wang Cc: Tomasz Figa Cc: Heiko Stuebner Cc: Sean Paul Signed-off-by: Brian Norris Reviewed-by: Sean Paul Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20211103135112.v3.1.I67612ea073c3306c71b46a87be894f79707082df@changeid Signed-off-by: Greg Kroah-Hartman commit d2a6d606e6d35e3f53cee13b406c5c7e6a5df86a Author: Ilia Mirkin Date: Sun Mar 7 12:48:53 2021 -0500 drm/nouveau/kms/nv04: use vzalloc for nv04_display commit bd6e07e72f37f34535bec7eebc807e5fcfe37b43 upstream. The struct is giant, and triggers an order-7 allocation (512K). There is no reason for this to be kmalloc-type memory, so switch to vmalloc. This should help loading nouveau on low-memory and/or long-running systems. Reported-by: Nathan E. Egge Signed-off-by: Ilia Mirkin Cc: stable@vger.kernel.org Signed-off-by: Ben Skeggs Reviewed-by: Karol Herbst Signed-off-by: Karol Herbst Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10 Signed-off-by: Greg Kroah-Hartman commit 3bf997ec299cdf7280b2039806e5e1d847df111a Author: Yizhuo Zhai Date: Fri Dec 17 20:22:23 2021 -0800 drm/amd/display: Fix the uninitialized variable in enable_stream_features() commit 0726ed3065eeb910f9cea0c933bc021a848e00b3 upstream. In function enable_stream_features(), the variable "old_downspread.raw" could be uninitialized if core_link_read_dpcd() fails, however, it is used in the later if statement, and further, core_link_write_dpcd() may write random value, which is potentially unsafe. Fixes: 6016cd9dba0f ("drm/amd/display: add helper for enabling mst stream features") Cc: stable@vger.kernel.org Signed-off-by: Yizhuo Zhai Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2de6ce5836513f0bfe61d0948d8eb25f1417e7bd Author: Lucas Stach Date: Fri Dec 17 11:59:28 2021 +0100 drm/etnaviv: limit submit sizes commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream. Currently we allow rediculous amounts of kernel memory being allocated via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put some reasonable limits in to fix this. The commandstream size is limited to 64KB, which was already a soft limit on older kernels after which the kernel only took submits on a best effort base, so there is no userspace that tries to submit commandstreams larger than this. Even if the whole commandstream is a single incrementing address load, the size limit also limits the number of potential relocs and referenced buffers to slightly under 64K, so use the same limit for those arguments. The performance monitoring infrastructure currently supports less than 50 performance counter signals, so limiting them to 128 on a single submit seems like a reasonably future-proof number for now. This number can be bumped if needed without breaking the interface. Cc: stable@vger.kernel.org Reported-by: Dan Carpenter Signed-off-by: Lucas Stach Reviewed-by: Christian Gmeiner Signed-off-by: Greg Kroah-Hartman commit a04da77f444a3e1945966f403a3007a671ecff9d Author: Dmitry Osipenko Date: Wed Dec 1 02:23:17 2021 +0300 drm/tegra: submit: Add missing pm_runtime_mark_last_busy() commit a21115dd38c6cf396ba39aefd561e7903ca6149d upstream. Runtime PM auto-suspension doesn't work without pm_runtime_mark_last_busy(), add it. Cc: Reviewed-by: Ulf Hansson Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit b8902d5ab431f9ac9a3a787e527bc2ec10e4d02a Author: Sakari Ailus Date: Wed Dec 1 14:59:29 2021 +0200 device property: Fix fwnode_graph_devcon_match() fwnode leak commit 4a7f4110f79163fd53ea65438041994ed615e3af upstream. For each endpoint it encounters, fwnode_graph_devcon_match() checks whether the endpoint's remote port parent device is available. If it is not, it ignores the endpoint but does not put the reference to the remote endpoint port parent fwnode. For available devices the fwnode handle reference is put as expected. Put the reference for unavailable devices now. Fixes: 637e9e52b185 ("device connection: Find device connections also from device graphs") Cc: 5.1+ # 5.1+ Signed-off-by: Sakari Ailus Reviewed-by: Andy Shevchenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 9d28671017047af1ca14d00c946f02e0fd871ff4 Author: Alexander Gordeev Date: Thu Nov 4 07:14:44 2021 +0100 s390/mm: fix 2KB pgtable release race commit c2c224932fd0ee6854d6ebfc8d059c2bcad86606 upstream. There is a race on concurrent 2KB-pgtables release paths when both upper and lower halves of the containing parent page are freed, one via page_table_free_rcu() + __tlb_remove_table(), and the other via page_table_free(). The race might lead to a corruption as result of remove of list item in page_table_free() concurrently with __free_page() in __tlb_remove_table(). Let's assume first the lower and next the upper 2KB-pgtables are freed from a page. Since both halves of the page are allocated the tracking byte (bits 24-31 of the page _refcount) has value of 0x03 initially: CPU0 CPU1 ---- ---- page_table_free_rcu() // lower half { // _refcount[31..24] == 0x03 ... atomic_xor_bits(&page->_refcount, 0x11U << (0 + 24)); // _refcount[31..24] <= 0x12 ... table = table | (1U << 0); tlb_remove_table(tlb, table); } ... __tlb_remove_table() { // _refcount[31..24] == 0x12 mask = _table & 3; // mask <= 0x01 ... page_table_free() // upper half { // _refcount[31..24] == 0x12 ... atomic_xor_bits( &page->_refcount, 1U << (1 + 24)); // _refcount[31..24] <= 0x10 // mask <= 0x10 ... atomic_xor_bits(&page->_refcount, mask << (4 + 24)); // _refcount[31..24] <= 0x00 // mask <= 0x00 ... if (mask != 0) // == false break; fallthrough; ... if (mask & 3) // == false ... else __free_page(page); list_del(&page->lru); ^^^^^^^^^^^^^^^^^^ RACE! ^^^^^^^^^^^^^^^^^^^^^ } ... } The problem is page_table_free() releases the page as result of lower nibble unset and __tlb_remove_table() observing zero too early. With this update page_table_free() will use the similar logic as page_table_free_rcu() + __tlb_remove_table(), and mark the fragment as pending for removal in the upper nibble until after the list_del(). In other words, the parent page is considered as unreferenced and safe to release only when the lower nibble is cleared already and unsetting a bit in upper nibble results in that nibble turned zero. Cc: stable@vger.kernel.org Suggested-by: Vlastimil Babka Reviewed-by: Gerald Schaefer Signed-off-by: Alexander Gordeev Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit b5498bbba0d3072675d0391ebcc28e618944b105 Author: Ilan Peer Date: Fri Dec 10 09:06:21 2021 +0200 iwlwifi: mvm: Increase the scan timeout guard to 30 seconds commit ced50f1133af12f7521bb777fcf4046ca908fb77 upstream. With the introduction of 6GHz channels the scan guard timeout should be adjusted to account for the following extreme case: - All 6GHz channels are scanned passively: 58 channels. - The scan is fragmented with the following parameters: 3 fragments, 95 TUs suspend time, 44 TUs maximal out of channel time. The above would result with scan time of more than 24 seconds. Thus, set the timeout to 30 seconds. Cc: stable@vger.kernel.org Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211210090244.3c851b93aef5.I346fa2e1d79220a6770496e773c6f87a2ad9e6c4@changeid Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 9e87229ff6514db20f2e0a3902124029efc5f527 Author: Christophe JAILLET Date: Sat Oct 16 08:44:28 2021 +0200 remoteproc: imx_rproc: Fix a resource leak in the remove function commit 4da96175014be67c846fd274eace08066e525d75 upstream. 'priv->workqueue' is destroyed in the error handling path of the probe but not in the remove function. Add the missing call to release some resources. Cc: stable Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox") Signed-off-by: Christophe JAILLET Reviewed-by: Peng Fan Tested-by: Peng Fan Link: https://lore.kernel.org/r/d28ca94a4031bd7297d47c2164e18885a5a6ec19.1634366546.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 74c0c6483b63c528b3da39bf689e30fb4f45ae5f Author: Steven Rostedt Date: Fri Jan 7 17:56:56 2022 -0500 tracing: Have syscall trace events use trace_event_buffer_lock_reserve() commit 3e2a56e6f639492311e0a8533f0a7aed60816308 upstream. Currently, the syscall trace events call trace_buffer_lock_reserve() directly, which means that it misses out on some of the filtering optimizations provided by the helper function trace_event_buffer_lock_reserve(). Have the syscall trace events call that instead, as it was missed when adding the update to use the temp buffer when filtering. Link: https://lkml.kernel.org/r/20220107225839.823118570@goodmis.org Cc: stable@vger.kernel.org Cc: Ingo Molnar Cc: Andrew Morton Cc: Tom Zanussi Reviewed-by: Masami Hiramatsu Fixes: 0fc1b09ff1ff4 ("tracing: Use temp buffer when filtering events") Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 40022b3682d527908946f699df09849d366065bc Author: Xiangyang Zhang Date: Fri Jan 7 23:02:42 2022 +0800 tracing/kprobes: 'nmissed' not showed correctly for kretprobe commit dfea08a2116fe327f79d8f4d4b2cf6e0c88be11f upstream. The 'nmissed' column of the 'kprobe_profile' file for kretprobe is not showed correctly, kretprobe can be skipped by two reasons, shortage of kretprobe_instance which is counted by tk->rp.nmissed, and kprobe itself is missed by some reason, so to show the sum. Link: https://lkml.kernel.org/r/20220107150242.5019-1-xyz.sun.ok@gmail.com Cc: stable@vger.kernel.org Fixes: 4a846b443b4e ("tracing/kprobes: Cleanup kprobe tracer code") Acked-by: Masami Hiramatsu Signed-off-by: Xiangyang Zhang Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 95c7ba00353f89f81ad94037d69feee2546830c7 Author: Andrey Ryabinin Date: Mon Nov 15 19:46:06 2021 +0300 sched/cpuacct: Fix user/system in shown cpuacct.usage* commit dd02d4234c9a2214a81c57a16484304a1a51872a upstream. cpuacct has 2 different ways of accounting and showing user and system times. The first one uses cpuacct_account_field() to account times and cpuacct.stat file to expose them. And this one seems to work ok. The second one is uses cpuacct_charge() function for accounting and set of cpuacct.usage* files to show times. Despite some attempts to fix it in the past it still doesn't work. Sometimes while running KVM guest the cpuacct_charge() accounts most of the guest time as system time. This doesn't match with user&system times shown in cpuacct.stat or proc//stat. Demonstration: # git clone https://github.com/aryabinin/kvmsample # make # mkdir /sys/fs/cgroup/cpuacct/test # echo $$ > /sys/fs/cgroup/cpuacct/test/tasks # ./kvmsample & # for i in {1..5}; do cat /sys/fs/cgroup/cpuacct/test/cpuacct.usage_sys; sleep 1; done 1976535645 2979839428 3979832704 4983603153 5983604157 Use cpustats accounted in cpuacct_account_field() as the source of user/sys times for cpuacct.usage* files. Make cpuacct_charge() to account only summary execution time. Fixes: d740037fac70 ("sched/cpuacct: Split usage accounting into user_usage and sys_usage") Signed-off-by: Andrey Ryabinin Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Daniel Jordan Acked-by: Tejun Heo Cc: Link: https://lore.kernel.org/r/20211115164607.23784-3-arbn@yandex-team.com Signed-off-by: Greg Kroah-Hartman commit b48450843f57f0ed982d6330dac47c95642a4bfc Author: Andrey Ryabinin Date: Mon Nov 15 19:46:04 2021 +0300 cputime, cpuacct: Include guest time in user time in cpuacct.stat commit 9731698ecb9c851f353ce2496292ff9fcea39dff upstream. cpuacct.stat in no-root cgroups shows user time without guest time included int it. This doesn't match with user time shown in root cpuacct.stat and /proc//stat. This also affects cgroup2's cpu.stat in the same way. Make account_guest_time() to add user time to cgroup's cpustat to fix this. Fixes: ef12fefabf94 ("cpuacct: add per-cgroup utime/stime statistics") Signed-off-by: Andrey Ryabinin Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Daniel Jordan Acked-by: Tejun Heo Cc: Link: https://lore.kernel.org/r/20211115164607.23784-1-arbn@yandex-team.com Signed-off-by: Greg Kroah-Hartman commit 6f52d2531f30e838b1c70ccf6b535b220bb98908 Author: Lukas Wunner Date: Sat Dec 18 10:58:56 2021 +0100 serial: Fix incorrect rs485 polarity on uart open commit d3b3404df318504ec084213ab1065b73f49b0f1d upstream. Commit a6845e1e1b78 ("serial: core: Consider rs485 settings to drive RTS") sought to deassert RTS when opening an rs485-enabled uart port. That way, the transceiver does not occupy the bus until it transmits data. Unfortunately, the commit mixed up the logic and *asserted* RTS instead of *deasserting* it: The commit amended uart_port_dtr_rts(), which raises DTR and RTS when opening an rs232 port. "Raising" actually means lowering the signal that's coming out of the uart, because an rs232 transceiver not only changes a signal's voltage level, it also *inverts* the signal. See the simplified schematic in the MAX232 datasheet for an example: https://www.ti.com/lit/ds/symlink/max232.pdf So, to raise RTS on an rs232 port, TIOCM_RTS is *set* in port->mctrl and that results in the signal being driven low. In contrast to rs232, the signal level for rs485 Transmit Enable is the identity, not the inversion: If the transceiver expects a "high" RTS signal for Transmit Enable, the signal coming out of the uart must also be high, so TIOCM_RTS must be *cleared* in port->mctrl. The commit did the exact opposite, but it's easy to see why given the confusing semantics of rs232 and rs485. Fix it. Fixes: a6845e1e1b78 ("serial: core: Consider rs485 settings to drive RTS") Cc: stable@vger.kernel.org # v4.14+ Cc: Rafael Gago Castano Cc: Jan Kiszka Cc: Su Bao Cheng Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/9395767847833f2f3193c49cde38501eeb3b5669.1639821059.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman commit 3ec632bc0a4aa8c8c909c57ec1785ed02d880c60 Author: Xie Yongji Date: Mon Nov 22 17:05:31 2021 +0800 fuse: Pass correct lend value to filemap_write_and_wait_range() commit e388164ea385f04666c4633f5dc4f951fca71890 upstream. The acceptable maximum value of lend parameter in filemap_write_and_wait_range() is LLONG_MAX rather than -1. And there is also some logic depending on LLONG_MAX check in write_cache_pages(). So let's pass LLONG_MAX to filemap_write_and_wait_range() in fuse_writeback_range() instead. Fixes: 59bda8ecee2f ("fuse: flush extending writes") Signed-off-by: Xie Yongji Cc: # v5.15 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 2884aac078745798419f74cfc13025558e718541 Author: Christophe JAILLET Date: Tue Dec 28 22:09:17 2021 +0100 HID: magicmouse: Fix an error handling path in magicmouse_probe() commit 33812fc7c8d77a43b7e2bf36a0d5a57c277a4b0c upstream. If the timer introduced by the commit below is started, then it must be deleted in the error handling of the probe. Otherwise it would trigger once the driver is no more. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Signed-off-by: Christophe JAILLET Tested-by: José Expósito Reported-by: Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 00e3d58f50a875343124bcf5a9637520a492b0d1 Author: Xiao Ni Date: Fri Dec 10 17:31:15 2021 +0800 md: Move alloc/free acct bioset in to personality commit 0c031fd37f69deb0cd8c43bbfcfccd62ebd7e952 upstream. bioset acct is only needed for raid0 and raid5. Therefore, md_run only allocates it for raid0 and raid5. However, this does not cover personality takeover, which may cause uninitialized bioset. For example, the following repro steps: mdadm -CR /dev/md0 -l1 -n2 /dev/loop0 /dev/loop1 mdadm --wait /dev/md0 mkfs.xfs /dev/md0 mdadm /dev/md0 --grow -l5 mount /dev/md0 /mnt causes panic like: [ 225.933939] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 225.934903] #PF: supervisor instruction fetch in kernel mode [ 225.935639] #PF: error_code(0x0010) - not-present page [ 225.936361] PGD 0 P4D 0 [ 225.936677] Oops: 0010 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI [ 225.937525] CPU: 27 PID: 1133 Comm: mount Not tainted 5.16.0-rc3+ #706 [ 225.938416] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.module_el8.4.0+547+a85d02ba 04/01/2014 [ 225.939922] RIP: 0010:0x0 [ 225.940289] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. [ 225.941196] RSP: 0018:ffff88815897eff0 EFLAGS: 00010246 [ 225.941897] RAX: 0000000000000000 RBX: 0000000000092800 RCX: ffffffff81370a39 [ 225.942813] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000092800 [ 225.943772] RBP: 1ffff1102b12fe04 R08: fffffbfff0b43c01 R09: fffffbfff0b43c01 [ 225.944807] R10: ffffffff85a1e007 R11: fffffbfff0b43c00 R12: ffff88810eaaaf58 [ 225.945757] R13: 0000000000000000 R14: ffff88810eaaafb8 R15: ffff88815897f040 [ 225.946709] FS: 00007ff3f2505080(0000) GS:ffff888fb5e00000(0000) knlGS:0000000000000000 [ 225.947814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 225.948556] CR2: ffffffffffffffd6 CR3: 000000015aa5a006 CR4: 0000000000370ee0 [ 225.949537] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 225.950455] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 225.951414] Call Trace: [ 225.951787] [ 225.952120] mempool_alloc+0xe5/0x250 [ 225.952625] ? mempool_resize+0x370/0x370 [ 225.953187] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 225.953862] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 225.954464] ? sched_clock_cpu+0x15/0x120 [ 225.955019] ? find_held_lock+0xac/0xd0 [ 225.955564] bio_alloc_bioset+0x1ed/0x2a0 [ 225.956080] ? lock_downgrade+0x3a0/0x3a0 [ 225.956644] ? bvec_alloc+0xc0/0xc0 [ 225.957135] bio_clone_fast+0x19/0x80 [ 225.957651] raid5_make_request+0x1370/0x1b70 [ 225.958286] ? sched_clock_cpu+0x15/0x120 [ 225.958797] ? __lock_acquire+0x8b2/0x3510 [ 225.959339] ? raid5_get_active_stripe+0xce0/0xce0 [ 225.959986] ? lock_is_held_type+0xd8/0x130 [ 225.960528] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 225.961135] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 225.961703] ? sched_clock_cpu+0x15/0x120 [ 225.962232] ? lock_release+0x27a/0x6c0 [ 225.962746] ? do_wait_intr_irq+0x130/0x130 [ 225.963302] ? lock_downgrade+0x3a0/0x3a0 [ 225.963815] ? lock_release+0x6c0/0x6c0 [ 225.964348] md_handle_request+0x342/0x530 [ 225.964888] ? set_in_sync+0x170/0x170 [ 225.965397] ? blk_queue_split+0x133/0x150 [ 225.965988] ? __blk_queue_split+0x8b0/0x8b0 [ 225.966524] ? submit_bio_checks+0x3b2/0x9d0 [ 225.967069] md_submit_bio+0x127/0x1c0 [...] Fix this by moving alloc/free of acct bioset to pers->run and pers->free. While we are on this, properly handle md_integrity_register() error in raid0_run(). Fixes: daee2024715d (md: check level before create and exit io_acct_set) Cc: stable@vger.kernel.org Acked-by: Guoqing Jiang Signed-off-by: Xiao Ni Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit c77edcd242b44970fdd3c1dd219617565261fb04 Author: Oleksandr Andrushchenko Date: Fri Dec 10 11:28:17 2021 +0200 xen/gntdev: fix unmap notification order commit ce2f46f3531a03781181b7f4bd1ff9f8c5086e7e upstream. While working with Xen's libxenvchan library I have faced an issue with unmap notifications sent in wrong order if both UNMAP_NOTIFY_SEND_EVENT and UNMAP_NOTIFY_CLEAR_BYTE were requested: first we send an event channel notification and then clear the notification byte which renders in the below inconsistency (cli_live is the byte which was requested to be cleared on unmap): [ 444.514243] gntdev_put_map UNMAP_NOTIFY_SEND_EVENT map->notify.event 6 libxenvchan_is_open cli_live 1 [ 444.515239] __unmap_grant_pages UNMAP_NOTIFY_CLEAR_BYTE at 14 Thus it is not possible to reliably implement the checks like - wait for the notification (UNMAP_NOTIFY_SEND_EVENT) - check the variable (UNMAP_NOTIFY_CLEAR_BYTE) because it is possible that the variable gets checked before it is cleared by the kernel. To fix that we need to re-order the notifications, so the variable is first gets cleared and then the event channel notification is sent. With this fix I can see the correct order of execution: [ 54.522611] __unmap_grant_pages UNMAP_NOTIFY_CLEAR_BYTE at 14 [ 54.537966] gntdev_put_map UNMAP_NOTIFY_SEND_EVENT map->notify.event 6 libxenvchan_is_open cli_live 0 Cc: stable@vger.kernel.org Signed-off-by: Oleksandr Andrushchenko Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20211210092817.580718-1-andr2000@gmail.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 0d9b780cb385cc4f7d2f86a575656837030dc9a9 Author: Kunihiko Hayashi Date: Wed Dec 22 13:48:12 2021 +0900 spi: uniphier: Fix a bug that doesn't point to private data correctly commit 80bb73a9fbcde4ecc55e12f10c73fabbe68a24d1 upstream. In uniphier_spi_remove(), there is a wrong code to get private data from the platform device, so the driver can't be removed properly. The driver should get spi_master from the platform device and retrieve the private data from it. Cc: Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC") Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/1640148492-32178-1-git-send-email-hayashi.kunihiko@socionext.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e53802534cd25fc1dd6a5391aa9f686f6c73dc2a Author: Dmitry Osipenko Date: Wed Nov 24 22:01:04 2021 +0300 mfd: tps65910: Set PWR_OFF bit during driver probe commit 7620ad0bdfac1efff4a1228cd36ae62a9d8206b0 upstream. The PWR_OFF bit needs to be set in order to power off properly, without hanging PMIC. This bit needs to be set early in order to allow thermal protection of NVIDIA Terga SoCs to power off hardware properly, otherwise a battery re-plug may be needed on some devices to recover after the hang. Cc: Signed-off-by: Dmitry Osipenko Tested-by: Svyatoslav Ryhel # ASUS TF201 Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211124190104.23554-1-digetx@gmail.com Signed-off-by: Greg Kroah-Hartman commit e6b11d8fc5481867126cb1ec8d64014e2a56a257 Author: Patrick Williams Date: Thu Dec 23 09:49:31 2021 -0600 tpm: fix NPE on probe for missing device commit 84cc69589700b90a4c8d27b481a51fce8cca6051 upstream. When using the tpm_tis-spi driver on a system missing the physical TPM, a null pointer exception was observed. [ 0.938677] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 0.939020] pgd = 10c753cb [ 0.939237] [00000004] *pgd=00000000 [ 0.939808] Internal error: Oops: 5 [#1] SMP ARM [ 0.940157] CPU: 0 PID: 48 Comm: kworker/u4:1 Not tainted 5.15.10-dd1e40c #1 [ 0.940364] Hardware name: Generic DT based system [ 0.940601] Workqueue: events_unbound async_run_entry_fn [ 0.941048] PC is at tpm_tis_remove+0x28/0xb4 [ 0.941196] LR is at tpm_tis_core_init+0x170/0x6ac This is due to an attempt in 'tpm_tis_remove' to use the drvdata, which was not initialized in 'tpm_tis_core_init' prior to the first error. Move the initialization of drvdata earlier so 'tpm_tis_remove' has access to it. Signed-off-by: Patrick Williams Fixes: 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent queries") Cc: stable@vger.kernel.org Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit c90732a58cd1d678487fc62483e98f6f9de2a56c Author: Lino Sanfilippo Date: Mon Dec 20 16:06:35 2021 +0100 tpm: fix potential NULL pointer access in tpm_del_char_device commit eabad7ba2c752392ae50f24a795093fb115b686d upstream. Some SPI controller drivers unregister the controller in the shutdown handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave chip->ops may be accessed when it is already NULL: At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which calls chip->ops->clk_enable). Avoid the NULL pointer access by testing if chip->ops is valid and skipping the TPM 2 shutdown procedure in case it is NULL. Cc: stable@vger.kernel.org Signed-off-by: Lino Sanfilippo Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus") Reviewed-by: Stefan Berger Tested-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 277c60c9e9ebd4e9ad05ef0855be4f876deb1a97 Author: Petr Cvachoucek Date: Mon Aug 30 21:20:37 2021 +0200 ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers commit 3fea4d9d160186617ff40490ae01f4f4f36b28ff upstream. it seems freeing the write buffers in the error path of the ubifs_remount_rw() is wrong. It leads later to a kernel oops like this: [10016.431274] UBIFS (ubi0:0): start fixing up free space [10090.810042] UBIFS (ubi0:0): free space fixup complete [10090.814623] UBIFS error (ubi0:0 pid 512): ubifs_remount_fs: cannot spawn "ubifs_bgt0_0", error -4 [10101.915108] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started, PID 517 [10105.275498] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 [10105.284352] Mem abort info: [10105.287160] ESR = 0x96000006 [10105.290252] EC = 0x25: DABT (current EL), IL = 32 bits [10105.295592] SET = 0, FnV = 0 [10105.298652] EA = 0, S1PTW = 0 [10105.301848] Data abort info: [10105.304723] ISV = 0, ISS = 0x00000006 [10105.308573] CM = 0, WnR = 0 [10105.311564] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000f03d1000 [10105.318034] [0000000000000030] pgd=00000000f6cee003, pud=00000000f4884003, pmd=0000000000000000 [10105.326783] Internal error: Oops: 96000006 [#1] PREEMPT SMP [10105.332355] Modules linked in: ath10k_pci ath10k_core ath mac80211 libarc4 cfg80211 nvme nvme_core cryptodev(O) [10105.342468] CPU: 3 PID: 518 Comm: touch Tainted: G O 5.4.3 #1 [10105.349517] Hardware name: HYPEX CPU (DT) [10105.353525] pstate: 40000005 (nZcv daif -PAN -UAO) [10105.358324] pc : atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34 [10105.364596] lr : mutex_lock+0x1c/0x34 [10105.368253] sp : ffff000075633aa0 [10105.371563] x29: ffff000075633aa0 x28: 0000000000000001 [10105.376874] x27: ffff000076fa80c8 x26: 0000000000000004 [10105.382185] x25: 0000000000000030 x24: 0000000000000000 [10105.387495] x23: 0000000000000000 x22: 0000000000000038 [10105.392807] x21: 000000000000000c x20: ffff000076fa80c8 [10105.398119] x19: ffff000076fa8000 x18: 0000000000000000 [10105.403429] x17: 0000000000000000 x16: 0000000000000000 [10105.408741] x15: 0000000000000000 x14: fefefefefefefeff [10105.414052] x13: 0000000000000000 x12: 0000000000000fe0 [10105.419364] x11: 0000000000000fe0 x10: ffff000076709020 [10105.424675] x9 : 0000000000000000 x8 : 00000000000000a0 [10105.429986] x7 : ffff000076fa80f4 x6 : 0000000000000030 [10105.435297] x5 : 0000000000000000 x4 : 0000000000000000 [10105.440609] x3 : 0000000000000000 x2 : ffff00006f276040 [10105.445920] x1 : ffff000075633ab8 x0 : 0000000000000030 [10105.451232] Call trace: [10105.453676] atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34 [10105.459600] ubifs_garbage_collect+0xb4/0x334 [10105.463956] ubifs_budget_space+0x398/0x458 [10105.468139] ubifs_create+0x50/0x180 [10105.471712] path_openat+0x6a0/0x9b0 [10105.475284] do_filp_open+0x34/0x7c [10105.478771] do_sys_open+0x78/0xe4 [10105.482170] __arm64_sys_openat+0x1c/0x24 [10105.486180] el0_svc_handler+0x84/0xc8 [10105.489928] el0_svc+0x8/0xc [10105.492808] Code: 52800013 17fffffb d2800003 f9800011 (c85ffc05) [10105.498903] ---[ end trace 46b721d93267a586 ]--- To reproduce the problem: 1. Filesystem initially mounted read-only, free space fixup flag set. 2. mount -o remount,rw 3. it takes some time (free space fixup running) ... try to terminate running mount by CTRL-C ... does not respond, only after free space fixup is complete ... then "ubifs_remount_fs: cannot spawn "ubifs_bgt0_0", error -4" 4. mount -o remount,rw ... now finished instantly (fixup already done). 5. Create file or just unmount the filesystem and we get the oops. Cc: Fixes: b50b9f408502 ("UBIFS: do not free write-buffers when in R/O mode") Signed-off-by: Petr Cvachoucek Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit d6b6324c3c173a1bc33a5534a650dc3b4a8e58f0 Author: Meng Li Date: Mon Nov 1 11:13:53 2021 +0800 crypto: caam - replace this_cpu_ptr with raw_cpu_ptr commit efd21e10fc3bf4c6da122470a5ae89ec4ed8d180 upstream. When enable the kernel debug config, there is below calltrace detected: BUG: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/339 caller is debug_smp_processor_id+0x20/0x30 CPU: 9 PID: 339 Comm: cryptomgr_test Not tainted 5.10.63-yocto-standard #1 Hardware name: NXP Layerscape LX2160ARDB (DT) Call trace: dump_backtrace+0x0/0x1a0 show_stack+0x24/0x30 dump_stack+0xf0/0x13c check_preemption_disabled+0x100/0x110 debug_smp_processor_id+0x20/0x30 dpaa2_caam_enqueue+0x10c/0x25c ...... cryptomgr_test+0x38/0x60 kthread+0x158/0x164 ret_from_fork+0x10/0x38 According to the comment in commit ac5d15b4519f("crypto: caam/qi2 - use affine DPIOs "), because preemption is no longer disabled while trying to enqueue an FQID, it might be possible to run the enqueue on a different CPU(due to migration, when in process context), however this wouldn't be a functionality issue. But there will be above calltrace when enable kernel debug config. So, replace this_cpu_ptr with raw_cpu_ptr to avoid above call trace. Fixes: ac5d15b4519f ("crypto: caam/qi2 - use affine DPIOs") Cc: stable@vger.kernel.org Signed-off-by: Meng Li Reviewed-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 5c91102702f7f3cb8eb127f04d3c91c666818d2c Author: Marek Vasut Date: Mon Dec 20 20:50:22 2021 +0100 crypto: stm32/crc32 - Fix kernel BUG triggered in probe() commit 29009604ad4e3ef784fd9b9fef6f23610ddf633d upstream. The include/linux/crypto.h struct crypto_alg field cra_driver_name description states "Unique name of the transformation provider. " ... " this contains the name of the chip or provider and the name of the transformation algorithm." In case of the stm32-crc driver, field cra_driver_name is identical for all registered transformation providers and set to the name of the driver itself, which is incorrect. This patch fixes it by assigning a unique cra_driver_name to each registered transformation provider. The kernel crash is triggered when the driver calls crypto_register_shashes() which calls crypto_register_shash(), which calls crypto_register_alg(), which calls __crypto_register_alg(), which returns -EEXIST, which is propagated back through this call chain. Upon -EEXIST from crypto_register_shash(), the crypto_register_shashes() starts unregistering the providers back, and calls crypto_unregister_shash(), which calls crypto_unregister_alg(), and this is where the BUG() triggers due to incorrect cra_refcnt. Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module") Signed-off-by: Marek Vasut Cc: # 4.12+ Cc: Alexandre Torgue Cc: Fabien Dessenne Cc: Herbert Xu Cc: Lionel Debieve Cc: Nicolas Toromanoff Cc: linux-arm-kernel@lists.infradead.org Cc: linux-stm32@st-md-mailman.stormreply.com To: linux-crypto@vger.kernel.org Acked-by: Nicolas Toromanoff Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 7f429ce71edb7a32264520d59ee0930f000c9c9c Author: Heiner Kallweit Date: Fri Dec 17 10:03:30 2021 +0100 crypto: omap-aes - Fix broken pm_runtime_and_get() usage commit c2aec59be093bd44627bc4f6bc67e4614a93a7b6 upstream. This fix is basically the same as 3d6b661330a7 ("crypto: stm32 - Revert broken pm_runtime_resume_and_get changes"), just for the omap driver. If the return value isn't used, then pm_runtime_get_sync() has to be used for ensuring that the usage count is balanced. Fixes: 1f34cc4a8da3 ("crypto: omap-aes - Fix PM reference leak on omap-aes.c") Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 8b6d58859e8fb26a718aba4417a2611a02e4e628 Author: Zhu Lingshan Date: Wed Dec 1 16:12:55 2021 +0800 ifcvf/vDPA: fix misuse virtio-net device config size for blk dev commit 0f420c383a2bb414ebccedf9289b5b815f1295fe upstream. This commit fixes a misuse of virtio-net device config size issue for virtio-block devices. A new member config_size in struct ifcvf_hw is introduced and would be initialized through vdpa_dev_add() to record correct device config size. To be more generic, rename ifcvf_hw.net_config to ifcvf_hw.dev_config, the helpers ifcvf_read/write_net_config() to ifcvf_read/write_dev_config() Signed-off-by: Zhu Lingshan Reported-and-suggested-by: Stefano Garzarella Reviewed-by: Stefano Garzarella Fixes: 6ad31d162a4e ("vDPA/ifcvf: enable Intel C5000X-PL virtio-block for vDPA") Cc: Link: https://lore.kernel.org/r/20211201081255.60187-1-lingshan.zhu@intel.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit e2b53845a9395d596cbbb31c773cabe9d74fe55e Author: Arnaud Pouliquen Date: Mon Dec 6 20:07:58 2021 +0100 rpmsg: core: Clean up resources on announce_create failure. commit 8066c615cb69b7da8a94f59379847b037b3a5e46 upstream. During the rpmsg_dev_probe, if rpdev->ops->announce_create returns an error, the rpmsg device and default endpoint should be freed before exiting the function. Fixes: 5e619b48677c ("rpmsg: Split rpmsg core and virtio backend") Suggested-by: Bjorn Andersson Signed-off-by: Arnaud Pouliquen Reviewed-by: Bjorn Andersson Cc: stable Link: https://lore.kernel.org/r/20211206190758.10004-1-arnaud.pouliquen@foss.st.com Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 591a1e2ef0f11cb37fb8ebb6479885229425e784 Author: Andrew Lunn Date: Mon Jan 3 18:11:32 2022 +0100 udp6: Use Segment Routing Header for dest address if present [ Upstream commit 222a011efc839ca1f51bf89fe7a2b3705fa55ccd ] When finding the socket to report an error on, if the invoking packet is using Segment Routing, the IPv6 destination address is that of an intermediate router, not the end destination. Extract the ultimate destination address from the segment address. This change allows traceroute to function in the presence of Segment Routing. Signed-off-by: Andrew Lunn Reviewed-by: David Ahern Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit af58dbc08ea3e736a47394da75d9c849a18e606c Author: Andrew Lunn Date: Mon Jan 3 18:11:31 2022 +0100 icmp: ICMPV6: Examine invoking packet for Segment Route Headers. [ Upstream commit e41294408c56c68ea0f269d757527bf33b39118a ] RFC8754 says: ICMP error packets generated within the SR domain are sent to source nodes within the SR domain. The invoking packet in the ICMP error message may contain an SRH. Since the destination address of a packet with an SRH changes as each segment is processed, it may not be the destination used by the socket or application that generated the invoking packet. For the source of an invoking packet to process the ICMP error message, the ultimate destination address of the IPv6 header may be required. The following logic is used to determine the destination address for use by protocol-error handlers. * Walk all extension headers of the invoking IPv6 packet to the routing extension header preceding the upper-layer header. - If routing header is type 4 Segment Routing Header (SRH) o The SID at Segment List[0] may be used as the destination address of the invoking packet. Mangle the skb so the network header points to the invoking packet inside the ICMP packet. The seg6 helpers can then be used on the skb to find any segment routing headers. If found, mark this fact in the IPv6 control block of the skb, and store the offset into the packet of the SRH. Then restore the skb back to its old state. Signed-off-by: Andrew Lunn Reviewed-by: David Ahern Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 85b3b307471ef1f9fa093ada115a67373952b6ac Author: Andrew Lunn Date: Mon Jan 3 18:11:30 2022 +0100 seg6: export get_srh() for ICMP handling [ Upstream commit fa55a7d745de2d10489295b0674a403e2a5d490d ] An ICMP error message can contain in its message body part of an IPv6 packet which invoked the error. Such a packet might contain a segment router header. Export get_srh() so the ICMP code can make use of it. Since his changes the scope of the function from local to global, add the seg6_ prefix to keep the namespace clean. And move it into seg6.c so it is always available, not just when IPV6_SEG6_LWTUNNEL is enabled. Signed-off-by: Andrew Lunn Reviewed-by: David Ahern Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bcb86df40f96b90fbbd5c96cfbcc744ee4a362d1 Author: Conor Dooley Date: Fri Dec 17 09:33:12 2021 +0000 mailbox: change mailbox-mpfs compatible string [ Upstream commit f10b1fc0161cd99e54c5687fcc63368aa255e05e ] The Polarfire SoC is currently using two different compatible string prefixes. Fix this by changing "polarfire-soc-*" strings to "mpfs-*" in its system controller in order to match the compatible string used in the soc binding and device tree. Signed-off-by: Conor Dooley Reviewed-by: Geert Uytterhoeven Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit d543ba3a61d7788b3c6ba5684364aa5dc89619da Author: Miaoqian Lin Date: Fri Dec 24 08:21:03 2021 +0000 phy: mediatek: Fix missing check in mtk_mipi_tx_probe [ Upstream commit 399c91c3f30531593e5ff6ca7b53f47092128669 ] The of_device_get_match_data() function may return NULL. Add check to prevent potential null dereference. Signed-off-by: Miaoqian Lin Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20211224082103.7658-1-linmq006@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 5895474d218265645a24ecaf4afe6413c39bdb82 Author: Ohad Sharabi Date: Mon Nov 22 12:23:51 2021 +0200 habanalabs: skip read fw errors if dynamic descriptor invalid [ Upstream commit 4fac990f604e6c10538026835a8a30f3c1b6fcf5 ] Reporting FW errors involves reading of the error registers. In case we have a corrupted FW descriptor we cannot do that since the dynamic scratchpad is potentially corrupted as well and may cause kernel crush when attempting access to a corrupted register offset. Signed-off-by: Ohad Sharabi Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 8f23743e1978162c0925dc718e42fe56d3518614 Author: Tzung-Bi Shih Date: Fri Dec 24 14:47:17 2021 +0800 ASoC: mediatek: mt8183: fix device_node leak [ Upstream commit cb006006fe6221f092fadaffd3f219288304c9ad ] Fixes the device_node leak. Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20211224064719.2031210-3-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 61274c00d8e8eab6d5bbf7b19f70a44561858e06 Author: Tzung-Bi Shih Date: Fri Dec 24 14:47:16 2021 +0800 ASoC: mediatek: mt8173: fix device_node leak [ Upstream commit 493433785df0075afc0c106ab65f10a605d0b35d ] Fixes the device_node leak. Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20211224064719.2031210-2-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ab23ed0a7c8cc2f8175c5818fc37d656130e9c55 Author: Chunfeng Yun Date: Sat Dec 18 16:27:59 2021 +0800 phy: phy-mtk-tphy: add support efuse setting [ Upstream commit 6f2b033cb883f64ad084a75f13634242c7e179a6 ] Due to some SoCs have a bit shift issue that will drop a bit for usb3 phy or pcie phy, fix it by adding software efuse reading and setting, but only support it optionally for version 2/3. Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/20211218082802.5256-2-chunfeng.yun@mediatek.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 286c6f7b28fab19d649c2e1f3bc18fdecdbadfe5 Author: Tzung-Bi Shih Date: Tue Dec 14 12:00:28 2021 +0800 ASoC: mediatek: mt8192-mt6359: fix device_node leak [ Upstream commit 4e28491a7a198c668437f2be8a91a76aa52f20eb ] The of_parse_phandle() document: >>> Use of_node_put() on it when done. The driver didn't call of_node_put(). Fixes the leak. Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20211214040028.2992627-1-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5b03322abb61591f9a8a10ff07340f2d9670b813 Author: Sreekanth Reddy Date: Mon Dec 20 19:41:58 2021 +0530 scsi: mpi3mr: Fixes around reply request queues [ Upstream commit 243bcc8efdb1f44b1a1d415e6821a246714c68ce ] Set reply queue depth of 1K for B0 and 4K for A0. While freeing the segmented request queues use the actual queue depth that is used while creating them. Link: https://lore.kernel.org/r/20211220141159.16117-25-sreekanth.reddy@broadcom.com Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f325446b5a18da23790bd86f83853a3542d5146e Author: Christoph Hellwig Date: Wed Dec 22 10:08:42 2021 +0100 scsi: sr: Don't use GFP_DMA [ Upstream commit d94d94969a4ba07a43d62429c60372320519c391 ] The allocated buffers are used as a command payload, for which the block layer and/or DMA API do the proper bounce buffering if needed. Link: https://lore.kernel.org/r/20211222090842.920724-1-hch@lst.de Reported-by: Baoquan He Reviewed-by: Baoquan He Signed-off-by: Christoph Hellwig Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6af33b200b7fa4e53431a96a6b405873f6426ae2 Author: Tianjia Zhang Date: Thu Dec 16 17:50:14 2021 +0800 MIPS: Octeon: Fix build errors using clang [ Upstream commit 95339b70677dc6f9a2d669c4716058e71b8dc1c7 ] A large number of the following errors is reported when compiling with clang: cvmx-bootinfo.h:326:3: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int] ENUM_BRD_TYPE_CASE(CVMX_BOARD_TYPE_NULL) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ ~~~^~~~ cvmx-bootinfo.h:326:3: note: use array indexing to silence this warning cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ ^ Follow the prompts to use the address operator '&' to fix this error. Signed-off-by: Tianjia Zhang Reviewed-by: Nathan Chancellor Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 843fff4287a56b3a20c834bd817f7c9eeaeba605 Author: Michael Ellerman Date: Thu Dec 9 22:59:44 2021 +1100 selftests/powerpc: Add a test of sigreturning to the kernel [ Upstream commit a8968521cfdc3e339fe69473d6632e0aa8d7202a ] We have a general signal fuzzer, sigfuz, which can modify the MSR & NIP before sigreturn. But the chance of it hitting a kernel address and also clearing MSR_PR is fairly slim. So add a specific test of sigreturn to a kernel address, both with and without attempting to clear MSR_PR (which the kernel must block). Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211209115944.4062384-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 845a5a4a8fd9805827e045089f5dca01a573f36c Author: Lakshmi Sowjanya D Date: Wed Dec 15 17:12:01 2021 +0200 i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters [ Upstream commit d52097010078c1844348dc0e467305e5f90fd317 ] The data type of hcnt and lcnt in the struct dw_i2c_dev is of type u16. It's better to have same data type in struct dw_scl_sda_cfg as well. Reported-by: Wolfram Sang Signed-off-by: Lakshmi Sowjanya D Signed-off-by: Andy Shevchenko Signed-off-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 23606176a3b4fe2c63121d098da7fc7180dad4d1 Author: Marc Zyngier Date: Thu Dec 16 14:32:27 2021 +0000 irqchip/gic-v4: Disable redistributors' view of the VPE table at boot time [ Upstream commit 79a7f77b9b154d572bd9d2f1eecf58c4d018d8e2 ] Jay Chen reported that using a kdump kernel on a GICv4.1 system results in a RAS error being delivered when the secondary kernel configures the ITS's view of the new VPE table. As it turns out, that's because each RD still has a pointer to the previous instance of the VPE table, and that particular implementation is very upset by seeing two bits of the HW that should point to the same table with different values. To solve this, let's invalidate any reference that any RD has to the VPE table when discovering the RDs. The ITS can then be programmed as expected. Reported-by: Jay Chen Signed-off-by: Marc Zyngier Cc: Lorenzo Pieralisi Link: https://lore.kernel.org/r/20211214064716.21407-1-jkchen@linux.alibaba.com Link: https://lore.kernel.org/r/20211216144804.1578566-1-maz@kernel.org Signed-off-by: Sasha Levin commit e8ffc355c7d67c63461859242a2aac3aa80ca00b Author: Ye Guojin Date: Tue Nov 16 08:10:51 2021 +0000 MIPS: OCTEON: add put_device() after of_find_device_by_node() [ Upstream commit 858779df1c0787d3fec827fb705708df9ebdb15b ] This was found by coccicheck: ./arch/mips/cavium-octeon/octeon-platform.c, 332, 1-7, ERROR missing put_device; call of_find_device_by_node on line 324, but without a corresponding object release within this function. ./arch/mips/cavium-octeon/octeon-platform.c, 395, 1-7, ERROR missing put_device; call of_find_device_by_node on line 387, but without a corresponding object release within this function. ./arch/mips/cavium-octeon/octeon-usb.c, 512, 3-9, ERROR missing put_device; call of_find_device_by_node on line 515, but without a corresponding object release within this function. ./arch/mips/cavium-octeon/octeon-usb.c, 543, 1-7, ERROR missing put_device; call of_find_device_by_node on line 515, but without a corresponding object release within this function. Reported-by: Zeal Robot Signed-off-by: Ye Guojin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 9de7569942cc7960755d21e61661b7b7ba4757da Author: Jan Kara Date: Tue Dec 14 11:04:29 2021 +0100 udf: Fix error handling in udf_new_inode() [ Upstream commit f05f2429eec60851b98bdde213de31dab697c01b ] When memory allocation of iinfo or block allocation fails, already allocated struct udf_inode_info gets freed with iput() and udf_evict_inode() may look at inode fields which are not properly initialized. Fix it by marking inode bad before dropping reference to it in udf_new_inode(). Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 625be247e81249ec92d8bf8db17e6ee724c48099 Author: Hari Bathini Date: Tue Dec 7 16:07:19 2021 +0530 powerpc/fadump: Fix inaccurate CPU state info in vmcore generated with panic [ Upstream commit 06e629c25daa519be620a8c17359ae8fc7a2e903 ] In panic path, fadump is triggered via a panic notifier function. Before calling panic notifier functions, smp_send_stop() gets called, which stops all CPUs except the panic'ing CPU. Commit 8389b37dffdc ("powerpc: stop_this_cpu: remove the cpu from the online map.") and again commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()") started marking CPUs as offline while stopping them. So, if a kernel has either of the above commits, vmcore captured with fadump via panic path would not process register data for all CPUs except the panic'ing CPU. Sample output of crash-utility with such vmcore: # crash vmlinux vmcore ... KERNEL: vmlinux DUMPFILE: vmcore [PARTIAL DUMP] CPUS: 1 DATE: Wed Nov 10 09:56:34 EST 2021 UPTIME: 00:00:42 LOAD AVERAGE: 2.27, 0.69, 0.24 TASKS: 183 NODENAME: XXXXXXXXX RELEASE: 5.15.0+ VERSION: #974 SMP Wed Nov 10 04:18:19 CST 2021 MACHINE: ppc64le (2500 Mhz) MEMORY: 8 GB PANIC: "Kernel panic - not syncing: sysrq triggered crash" PID: 3394 COMMAND: "bash" TASK: c0000000150a5f80 [THREAD_INFO: c0000000150a5f80] CPU: 1 STATE: TASK_RUNNING (PANIC) crash> p -x __cpu_online_mask __cpu_online_mask = $1 = { bits = {0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} } crash> crash> crash> p -x __cpu_active_mask __cpu_active_mask = $2 = { bits = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} } crash> While this has been the case since fadump was introduced, the issue was not identified for two probable reasons: - In general, the bulk of the vmcores analyzed were from crash due to exception. - The above did change since commit 8341f2f222d7 ("sysrq: Use panic() to force a crash") started using panic() instead of deferencing NULL pointer to force a kernel crash. But then commit de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs") stopped marking CPUs as offline till kernel commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()") reverted that change. To ensure post processing register data of all other CPUs happens as intended, let panic() function take the crash friendly path (read crash_smp_send_stop()) with the help of crash_kexec_post_notifiers option. Also, as register data for all CPUs is captured by f/w, skip IPI callbacks here for fadump, to avoid any complications in finding the right backtraces. Signed-off-by: Hari Bathini Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211207103719.91117-2-hbathini@linux.ibm.com Signed-off-by: Sasha Levin commit 953cacfaf36af33599a1142cccf799bd13c46c3d Author: Hari Bathini Date: Tue Dec 7 16:07:18 2021 +0530 powerpc: handle kdump appropriately with crash_kexec_post_notifiers option [ Upstream commit 219572d2fc4135b5ce65c735d881787d48b10e71 ] Kdump can be triggered after panic_notifers since commit f06e5153f4ae2 ("kernel/panic.c: add "crash_kexec_post_notifiers" option for kdump after panic_notifers") introduced crash_kexec_post_notifiers option. But using this option would mean smp_send_stop(), that marks all other CPUs as offline, gets called before kdump is triggered. As a result, kdump routines fail to save other CPUs' registers. To fix this, kdump friendly crash_smp_send_stop() function was introduced with kernel commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump friendly version in panic path"). Override this kdump friendly weak function to handle crash_kexec_post_notifiers option appropriately on powerpc. Reported-by: kernel test robot Signed-off-by: Hari Bathini [Fixed signature of crash_stop_this_cpu() - reported by lkp@intel.com] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211207103719.91117-1-hbathini@linux.ibm.com Signed-off-by: Sasha Levin commit 6a0a06c9b1938001cd4ef68575e2e994f676ad53 Author: Thadeu Lima de Souza Cascardo Date: Tue Dec 7 10:05:57 2021 -0300 selftests/powerpc/spectre_v2: Return skip code when miss_percent is high [ Upstream commit 3c42e9542050d49610077e083c7c3f5fd5e26820 ] A mis-match between reported and actual mitigation is not restricted to the Vulnerable case. The guest might also report the mitigation as "Software count cache flush" and the host will still mitigate with branch cache disabled. So, instead of skipping depending on the detected mitigation, simply skip whenever the detected miss_percent is the expected one for a fully mitigated system, that is, above 95%. Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211207130557.40566-1-cascardo@canonical.com Signed-off-by: Sasha Levin commit e7dd8ba6fc8439bb2c4cebc042a8fdb8ea58eea1 Author: Christophe Leroy Date: Mon Sep 27 17:12:39 2021 +0200 powerpc/40x: Map 32Mbytes of memory at startup [ Upstream commit 06e7cbc29e97b4713b4ea6def04ae8501a7d1a59 ] As reported by Carlo, 16Mbytes is not enough with modern kernels that tend to be a bit big, so map another 16M page at boot. Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/89b5f974a7fa5011206682cd092e2c905530ff46.1632755552.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 7e6c8ff5c21cd6d612e934eebfdf5a276f067896 Author: Nathan Chancellor Date: Wed Dec 8 09:56:17 2021 -0700 MIPS: Loongson64: Use three arguments for slti [ Upstream commit f2c6c22fa83ab2577619009057b3ebcb5305bb03 ] LLVM's integrated assembler does not support 'slti , ': :16:12: error: invalid operand for instruction slti $12, (0x6300 | 0x0008) ^ arch/mips/kernel/head.S:86:2: note: while in macro instantiation kernel_entry_setup # cpu specific setup ^ :16:12: error: invalid operand for instruction slti $12, (0x6300 | 0x0008) ^ arch/mips/kernel/head.S:150:2: note: while in macro instantiation smp_slave_setup ^ To increase compatibility with LLVM's integrated assembler, use the full form of 'slti , , ', which matches the rest of arch/mips/. This does not result in any change for GNU as. Link: https://github.com/ClangBuiltLinux/linux/issues/1526 Reported-by: Ryutaroh Matsumoto Signed-off-by: Nathan Chancellor Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 8774f9824c2cc35809c6230ccf224e8f665609c1 Author: Takashi Iwai Date: Tue Dec 7 17:51:46 2021 +0100 ALSA: seq: Set upper limit of processed events [ Upstream commit 6fadb494a638d8b8a55864ecc6ac58194f03f327 ] Currently ALSA sequencer core tries to process the queued events as much as possible when they become dispatchable. If applications try to queue too massive events to be processed at the very same timing, the sequencer core would still try to process such all events, either in the interrupt context or via some notifier; in either away, it might be a cause of RCU stall or such problems. As a potential workaround for those problems, this patch adds the upper limit of the amount of events to be processed. The remaining events are processed in the next batch, so they won't be lost. For the time being, it's limited up to 1000 events per queue, which should be high enough for any normal usages. Reported-by: Zqiang Reported-by: syzbot+bb950e68b400ab4f65f8@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20211102033222.3849-1-qiang.zhang1211@gmail.com Link: https://lore.kernel.org/r/20211207165146.2888-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b693e737e080d13b31e4d2d62d6b745542747b7d Author: James Smart Date: Fri Dec 3 16:26:40 2021 -0800 scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup [ Upstream commit 7dd2e2a923173d637c272e483966be8e96a72b64 ] Extraneous teardown routines are present in the firmware dump path causing altered states in firmware captures. When a firmware dump is requested via sysfs, trigger the dump immediately without tearing down structures and changing adapter state. The driver shall rely on pre-existing firmware error state clean up handlers to restore the adapter. Link: https://lore.kernel.org/r/20211204002644.116455-6-jsmart2021@gmail.com Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5b91e80b631c5ea55abfc6ff89ab26fb2edd9dc3 Author: James Smart Date: Fri Dec 3 16:26:36 2021 -0800 scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV [ Upstream commit f0d3919697492950f57a26a1093aee53880d669d ] During rmmod testing, messages appeared indicating lpfc_mbuf_pool entries were still busy. This situation was only seen doing rmmod after at least 1 vport (NPIV) instance was created and destroyed. The number of messages scaled with the number of vports created. When a vport is created, it can receive a PLOGI from another initiator Nport. When this happens, the driver prepares to ack the PLOGI and prepares an RPI for registration (via mbx cmd) which includes an mbuf allocation. During the unsolicited PLOGI processing and after the RPI preparation, the driver recognizes it is one of the vport instances and decides to reject the PLOGI. During the LS_RJT preparation for the PLOGI, the mailbox struct allocated for RPI registration is freed, but the mbuf that was also allocated is not released. Fix by freeing the mbuf with the mailbox struct in the LS_RJT path. As part of the code review to figure the issue out a couple of other areas where found that also would not have released the mbuf. Those are cleaned up as well. Link: https://lore.kernel.org/r/20211204002644.116455-2-jsmart2021@gmail.com Co-developed-by: Justin Tee Signed-off-by: Justin Tee Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ef9e3ecacb756857338992ec868478d0ebcdaae9 Author: Bart Van Assche Date: Fri Dec 3 15:19:47 2021 -0800 scsi: ufs: Fix a kernel crash during shutdown [ Upstream commit 3489c34bd02b73a72646037d673a122a53cee174 ] Fix the following kernel crash: Unable to handle kernel paging request at virtual address ffffffc91e735000 Call trace: __queue_work+0x26c/0x624 queue_work_on+0x6c/0xf0 ufshcd_hold+0x12c/0x210 __ufshcd_wl_suspend+0xc0/0x400 ufshcd_wl_shutdown+0xb8/0xcc device_shutdown+0x184/0x224 kernel_restart+0x4c/0x124 __arm64_sys_reboot+0x194/0x264 el0_svc_common+0xc8/0x1d4 do_el0_svc+0x30/0x8c el0_svc+0x20/0x30 el0_sync_handler+0x84/0xe4 el0_sync+0x1bc/0x1c0 Fix this crash by ungating the clock before destroying the work queue on which clock gating work is queued. Link: https://lore.kernel.org/r/20211203231950.193369-15-bvanassche@acm.org Tested-by: Bean Huo Reviewed-by: Bean Huo Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d90d496a999ed1e7909e8e24f452c0b7b444a636 Author: Stephan Gerhold Date: Mon Dec 6 12:45:42 2021 +0100 interconnect: qcom: rpm: Prevent integer overflow in rate [ Upstream commit a7d9436a6c85fcb8843c910fd323dcd7f839bf63 ] Using icc-rpm on ARM32 currently results in clk_set_rate() errors during boot, e.g. "bus clk_set_rate error: -22". This is very similar to commit 7381e27b1e56 ("interconnect: qcom: msm8974: Prevent integer overflow in rate") where the u64 is converted to a signed long during clock rate rounding, resulting in an overflow on 32-bit platforms. Let's fix it similarly by making sure that the rate does not exceed LONG_MAX. Such high clock rates will surely result in the maximum frequency of the bus anyway. Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20211206114542.45325-1-stephan@gerhold.net Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit efd507bed1b4ba0f32ece009c34e462392e6de7c Author: Christoph Hellwig Date: Mon Nov 29 11:21:35 2021 +0100 dm: fix alloc_dax error handling in alloc_dev [ Upstream commit d751939235b9b7bc4af15f90a3e99288a8b844a7 ] Make sure ->dax_dev is NULL on error so that the cleanup path doesn't trip over an ERR_PTR. Reported-by: Dan Williams Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20211129102203.2243509-2-hch@lst.de Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 78d56d075464315fefa8842c35d34219b5490ae1 Author: Srinivas Kandagatla Date: Tue Nov 30 13:39:09 2021 +0000 nvmem: core: set size for sysfs bin file [ Upstream commit 86192251033308bb42f1e9813c962989d8ed07ec ] For some reason we never set the size for nvmem sysfs binary file. Set this. Reported-by: Gilles BULOZ Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20211130133909.6154-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fea0e4b49dd2bfc28347e20f4e7a41dd2bd872cc Author: Christophe Leroy Date: Fri Nov 26 18:06:46 2021 +0100 w1: Misuse of get_user()/put_user() reported by sparse [ Upstream commit 33dc3e3e99e626ce51f462d883b05856c6c30b1d ] sparse warnings: (new ones prefixed by >>) >> drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char [noderef] __user *_pu_addr @@ got char *buf @@ drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: expected char [noderef] __user *_pu_addr drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: got char *buf >> drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char const [noderef] __user *_gu_addr @@ got char const *buf @@ drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: expected char const [noderef] __user *_gu_addr drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: got char const *buf The buffer buf is a failsafe buffer in kernel space, it's not user memory hence doesn't deserve the use of get_user() or put_user(). Access 'buf' content directly. Link: https://lore.kernel.org/lkml/202111190526.K5vb7NWC-lkp@intel.com/T/ Reported-by: kernel test robot Signed-off-by: Christophe Leroy Link: https://lore.kernel.org/r/d14ed8d71ad4372e6839ae427f91441d3ba0e94d.1637946316.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d58837197d20546e567631d257c585433c72aa77 Author: Alexey Kardashevskiy Date: Wed Sep 1 18:45:50 2021 +1000 KVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST [ Upstream commit 792020907b11c6f9246c21977cab3bad985ae4b6 ] H_COPY_TOFROM_GUEST is an hcall for an upper level VM to access its nested VMs memory. The userspace can trigger WARN_ON_ONCE(!(gfp & __GFP_NOWARN)) in __alloc_pages() by constructing a tiny VM which only does H_COPY_TOFROM_GUEST with a too big GPR9 (number of bytes to copy). This silences the warning by adding __GFP_NOWARN. Spotted by syzkaller. Signed-off-by: Alexey Kardashevskiy Reviewed-by: Fabiano Rosas Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210901084550.1658699-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit a0a4d7a23d18c2953d76d26dedf82a74a1943177 Author: Alexey Kardashevskiy Date: Wed Sep 1 18:45:12 2021 +1000 KVM: PPC: Book3S: Suppress warnings when allocating too big memory slots [ Upstream commit 511d25d6b789fffcb20a3eb71899cf974a31bd9d ] The userspace can trigger "vmalloc size %lu allocation failure: exceeds total pages" via the KVM_SET_USER_MEMORY_REGION ioctl. This silences the warning by checking the limit before calling vzalloc() and returns ENOMEM if failed. This does not call underlying valloc helpers as __vmalloc_node() is only exported when CONFIG_TEST_VMALLOC_MODULE and __vmalloc_node_range() is not exported at all. Spotted by syzkaller. Signed-off-by: Alexey Kardashevskiy [mpe: Use 'size' for the variable rather than 'cb'] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210901084512.1658628-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit 9170beaeffe4bc232042fd7e1cff921a27fde536 Author: Christophe Leroy Date: Tue Nov 30 10:32:42 2021 +0100 powerpc/powermac: Add missing lockdep_register_key() [ Upstream commit df1f679d19edb9eeb67cc2f96b29375f21991945 ] KeyWest i2c @0xf8001003 irq 42 /uni-n@f8000000/i2c@f8001000 BUG: key c2d00cbc has not been registered! ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x4c0/0xb4c Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.5-gentoo-PowerMacG4 #9 NIP: c01a9428 LR: c01a9428 CTR: 00000000 REGS: e1033cf0 TRAP: 0700 Not tainted (5.15.5-gentoo-PowerMacG4) MSR: 00029032 CR: 24002002 XER: 00000000 GPR00: c01a9428 e1033db0 c2d1cf20 00000016 00000004 00000001 c01c0630 e1033a73 GPR08: 00000000 00000000 00000000 e1033db0 24002004 00000000 f8729377 00000003 GPR16: c1829a9c 00000000 18305357 c1416fc0 c1416f80 c006ac60 c2d00ca8 c1416f00 GPR24: 00000000 c21586f0 c2160000 00000000 c2d00cbc c2170000 c216e1a0 c2160000 NIP [c01a9428] lockdep_init_map_type+0x4c0/0xb4c LR [c01a9428] lockdep_init_map_type+0x4c0/0xb4c Call Trace: [e1033db0] [c01a9428] lockdep_init_map_type+0x4c0/0xb4c (unreliable) [e1033df0] [c1c177b8] kw_i2c_add+0x334/0x424 [e1033e20] [c1c18294] pmac_i2c_init+0x9ec/0xa9c [e1033e80] [c1c1a790] smp_core99_probe+0xbc/0x35c [e1033eb0] [c1c03cb0] kernel_init_freeable+0x190/0x5a4 [e1033f10] [c000946c] kernel_init+0x28/0x154 [e1033f30] [c0035148] ret_from_kernel_thread+0x14/0x1c Add missing lockdep_register_key() Reported-by: Erhard Furtner Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/69e4f55565bb45ebb0843977801b245af0c666fe.1638264741.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit af0e9677f6e6050343ae381f753e65bd11ecdfb8 Author: Martin Blumenstingl Date: Sun Oct 31 14:50:06 2021 +0100 clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB [ Upstream commit ff54938dd190d85f740b9bf9dde59b550936b621 ] There are reports that 48kHz audio does not work on the WeTek Play 2 (which uses a GXBB SoC), while 44.1kHz audio works fine on the same board. There are also reports of 48kHz audio working fine on GXL and GXM SoCs, which are using an (almost) identical AIU (audio controller). Experimenting has shown that MPLL0 is causing this problem. In the .dts we have by default: assigned-clocks = <&clkc CLKID_MPLL0>, <&clkc CLKID_MPLL1>, <&clkc CLKID_MPLL2>; assigned-clock-rates = <294912000>, <270950400>, <393216000>; The MPLL0 rate is divisible by 48kHz without remainder and the MPLL1 rate is divisible by 44.1kHz without remainder. Swapping these two clock rates "fixes" 48kHz audio but breaks 44.1kHz audio. Everything looks normal when looking at the info provided by the common clock framework while playing 48kHz audio (via I2S with mclk-fs = 256): mpll_prediv 1 1 0 2000000000 mpll0_div 1 1 0 294909641 mpll0 1 1 0 294909641 cts_amclk_sel 1 1 0 294909641 cts_amclk_div 1 1 0 12287902 cts_amclk 1 1 0 12287902 meson-clk-msr however shows that the actual MPLL0 clock is off by more than 38MHz: mp0_out 333322917 +/-10416Hz The rate seen by meson-clk-msr is very close to what we would get when SDM (the fractional part) was ignored: (2000000000Hz * 16384) / ((16384 * 6) = 333.33MHz If SDM was considered the we should get close to: (2000000000Hz * 16384) / ((16384 * 6) + 12808) = 294.9MHz Further experimenting shows that HHI_MPLL_CNTL7[15] does not have any effect on the rate of MPLL0 as seen my meson-clk-msr (regardless of whether that bit is zero or one the rate is always the same according to meson-clk-msr). Using HHI_MPLL_CNTL[25] on the other hand as SDM_EN results in SDM being considered for the rate output by the hardware. The rate - as seen by meson-clk-msr - matches with what we expect when SDM_EN is enabled (fractional part is being considered, resulting in a 294.9MHz output) or disable (fractional part being ignored, resulting in a 333.33MHz output). Reported-by: Christian Hewitt Tested-by: Christian Hewitt Signed-off-by: Martin Blumenstingl Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20211031135006.1508796-1-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 95abac60d96d75d7fea3648cea55b38fb17e18fb Author: Joakim Tjernlund Date: Thu May 11 14:20:33 2017 +0200 i2c: mpc: Correct I2C reset procedure [ Upstream commit ebe82cf92cd4825c3029434cabfcd2f1780e64be ] Current I2C reset procedure is broken in two ways: 1) It only generate 1 START instead of 9 STARTs and STOP. 2) It leaves the bus Busy so every I2C xfer after the first fixup calls the reset routine again, for every xfer there after. This fixes both errors. Signed-off-by: Joakim Tjernlund Acked-by: Scott Wood Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f374976a7e4d5906991fea69c303e3c6e0003697 Author: Michael Ellerman Date: Wed Nov 24 20:32:53 2021 +1100 powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING [ Upstream commit a4ac0d249a5db80e79d573db9e4ad29354b643a8 ] setup_profiling_timer() is only needed when CONFIG_PROFILING is enabled. Fixes the following W=1 warning when CONFIG_PROFILING=n: linux/arch/powerpc/kernel/smp.c:1638:5: error: no previous prototype for ‘setup_profiling_timer’ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211124093254.1054750-5-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit be9313f755a7bfa02230b15731d07074d5255ecb Author: Heiner Kallweit Date: Sun Nov 7 22:57:00 2021 +0100 i2c: i801: Don't silently correct invalid transfer size [ Upstream commit effa453168a7eeb8a562ff4edc1dbf9067360a61 ] If an invalid block size is provided, reject it instead of silently changing it to a supported value. Especially critical I see the case of a write transfer with block length 0. In this case we have no guarantee that the byte we would write is valid. When silently reducing a read to 32 bytes then we don't return an error and the caller may falsely assume that we returned the full requested data. If this change should break any (broken) caller, then I think we should fix the caller. Signed-off-by: Heiner Kallweit Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit b8526a5003d6c444b4e6e4d9598d735099c76366 Author: Ye Guojin Date: Wed Nov 10 00:29:10 2021 +0000 ASoC: imx-hdmi: add put_device() after of_find_device_by_node() [ Upstream commit f670b274f7f6f4b2722d7f08d0fddf606a727e92 ] This was found by coccicheck: ./sound/soc/fsl/imx-hdmi.c,209,1-7,ERROR missing put_device; call of_find_device_by_node on line 119, but without a corresponding object release within this function. Reported-by: Zeal Robot Signed-off-by: Ye Guojin Link: https://lore.kernel.org/r/20211110002910.134915-1-ye.guojin@zte.com.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 52ce10c1878cf4583306fa2a2880d6f482c35cc7 Author: Nicholas Piggin Date: Wed Nov 10 12:50:53 2021 +1000 powerpc/watchdog: Fix missed watchdog reset due to memory ordering race [ Upstream commit 5dad4ba68a2483fc80d70b9dc90bbe16e1f27263 ] It is possible for all CPUs to miss the pending cpumask becoming clear, and then nobody resetting it, which will cause the lockup detector to stop working. It will eventually expire, but watchdog_smp_panic will avoid doing anything if the pending mask is clear and it will never be reset. Order the cpumask clear vs the subsequent test to close this race. Add an extra check for an empty pending mask when the watchdog fires and finds its bit still clear, to try to catch any other possible races or bugs here and keep the watchdog working. The extra test in arch_touch_nmi_watchdog is required to prevent the new warning from firing off. Signed-off-by: Nicholas Piggin Reviewed-by: Laurent Dufour Debugged-by: Laurent Dufour Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211110025056.2084347-2-npiggin@gmail.com Signed-off-by: Sasha Levin commit aa8c270145290f72d1d2caf5aa5d4b9fa6be4a11 Author: Julia Lawall Date: Fri Nov 20 20:33:23 2015 +0000 powerpc/btext: add missing of_node_put [ Upstream commit a1d2b210ffa52d60acabbf7b6af3ef7e1e69cda0 ] for_each_node_by_type performs an of_node_get on each iteration, so a break out of the loop requires an of_node_put. A simplified version of the semantic patch that fixes this problem is as follows (http://coccinelle.lip6.fr): // @@ local idexpression n; expression e; @@ for_each_node_by_type(n,...) { ... ( of_node_put(n); | e = n | + of_node_put(n); ? break; ) ... } ... when != n // Signed-off-by: Julia Lawall Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1448051604-25256-6-git-send-email-Julia.Lawall@lip6.fr Signed-off-by: Sasha Levin commit efe379f92d5f827e9707fa277a286cbf14f4ee32 Author: Julia Lawall Date: Fri Nov 20 21:33:24 2015 +0100 powerpc/cell: add missing of_node_put [ Upstream commit a841fd009e51c8c0a8f07c942e9ab6bb48da8858 ] for_each_node_by_name performs an of_node_get on each iteration, so a break out of the loop requires an of_node_put. A simplified version of the semantic patch that fixes this problem is as follows (http://coccinelle.lip6.fr): // @@ expression e,e1; local idexpression n; @@ for_each_node_by_name(n, e1) { ... when != of_node_put(n) when != e = n ( return n; | + of_node_put(n); ? return ...; ) ... } // Signed-off-by: Julia Lawall Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1448051604-25256-7-git-send-email-Julia.Lawall@lip6.fr Signed-off-by: Sasha Levin commit 179ecdf5c08919c81a41ddfa20a00150c0f095cb Author: Julia Lawall Date: Fri Nov 20 20:33:21 2015 +0000 powerpc/powernv: add missing of_node_put [ Upstream commit 7d405a939ca960162eb30c1475759cb2fdf38f8c ] for_each_compatible_node performs an of_node_get on each iteration, so a break out of the loop requires an of_node_put. A simplified version of the semantic patch that fixes this problem is as follows (http://coccinelle.lip6.fr): // @@ local idexpression n; expression e; @@ for_each_compatible_node(n,...) { ... ( of_node_put(n); | e = n | + of_node_put(n); ? break; ) ... } ... when != n // Signed-off-by: Julia Lawall Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1448051604-25256-4-git-send-email-Julia.Lawall@lip6.fr Signed-off-by: Sasha Levin commit 5203c7027fdd70967e3b7fb5c0e258891cb69388 Author: Julia Lawall Date: Fri Nov 20 20:33:19 2015 +0000 powerpc/6xx: add missing of_node_put [ Upstream commit f6e82647ff71d427d4148964b71f239fba9d7937 ] for_each_compatible_node performs an of_node_get on each iteration, so a break out of the loop requires an of_node_put. A simplified version of the semantic patch that fixes this problem is as follows (http://coccinelle.lip6.fr): // @@ expression e; local idexpression n; @@ @@ local idexpression n; expression e; @@ for_each_compatible_node(n,...) { ... ( of_node_put(n); | e = n | + of_node_put(n); ? break; ) ... } ... when != n // Signed-off-by: Julia Lawall Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1448051604-25256-2-git-send-email-Julia.Lawall@lip6.fr Signed-off-by: Sasha Levin commit 992a9eafb1ecce5b714e6c00522389dcbc29237e Author: Ingo Molnar Date: Wed Jan 5 01:35:58 2022 +0100 x86/kbuild: Enable CONFIG_KALLSYMS_ALL=y in the defconfigs [ Upstream commit b6aa86cff44cf099299d3a5e66348cb709cd7964 ] Most distro kernels have this option enabled, to improve debug output. Lockdep also selects it. Enable this in the defconfig kernel as well, to make it more representative of what people are using on x86. Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/YdTn7gssoMVDMgMw@gmail.com Signed-off-by: Sasha Levin commit 67de7d5ae29b13aa259132101a2e6e4efb3432ad Author: Marc Kleine-Budde Date: Fri Jan 7 14:29:15 2022 +0100 can: flexcan: add more quirks to describe RX path capabilities [ Upstream commit c5c88591040ee7d84d037328eed9019d3ffab821 ] Most flexcan IP cores support 2 RX modes: - FIFO - mailbox Some IP core versions cannot receive CAN RTR messages via mailboxes. This patch adds quirks to document this. This information will be used in a later patch to switch from FIFO to more performant mailbox mode at the expense of losing the ability to receive RTR messages. This trade off is beneficial in certain use cases. Link: https://lore.kernel.org/all/20220107193105.1699523-5-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit cf0649500913f55420e54349a942906657e218a6 Author: Marc Kleine-Budde Date: Thu Jan 6 12:45:46 2022 +0100 can: flexcan: rename RX modes [ Upstream commit 34ea4e1c99f1f177f87e4ae7896caef238dd741a ] Most flexcan IP cores support 2 RX modes: - FIFO - mailbox The names for these modes were chosen to reflect the name of the rx-offload mode they are using. The name of the RX modes should better reflect their difference with regards the flexcan IP core. So this patch renames the various occurrences of OFF_FIFO to RX_FIFO and OFF_TIMESTAMP to RX_MAILBOX: | FLEXCAN_TX_MB_RESERVED_OFF_FIFO -> FLEXCAN_TX_MB_RESERVED_RX_FIFO | FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP -> FLEXCAN_TX_MB_RESERVED_RX_MAILBOX | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP -> FLEXCAN_QUIRK_USE_RX_MAILBOX Link: https://lore.kernel.org/all/20220107193105.1699523-4-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e719eeb508855db929ea92a9a8fdfd5767f0a80b Author: Dario Binacchi Date: Tue Jan 4 14:20:25 2022 +0100 can: flexcan: allow to change quirks at runtime [ Upstream commit 01bb4dccd92b4dc21f6af3312e5696924e371111 ] This is a preparation patch for the upcoming support to change the rx-rtr capability via the ethtool API. Link: https://lore.kernel.org/all/20220107193105.1699523-3-mkl@pengutronix.de Signed-off-by: Dario Binacchi Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit b9d50e591133a139fb7e5cfeb53fea2b27e16e18 Author: John David Anglin Date: Wed Dec 22 16:52:26 2021 +0000 parisc: Avoid calling faulthandler_disabled() twice [ Upstream commit 9e9d4b460f23bab61672eae397417d03917d116c ] In handle_interruption(), we call faulthandler_disabled() to check whether the fault handler is not disabled. If the fault handler is disabled, we immediately call do_page_fault(). It then calls faulthandler_disabled(). If disabled, do_page_fault() attempts to fixup the exception by jumping to no_context: no_context: if (!user_mode(regs) && fixup_exception(regs)) { return; } parisc_terminate("Bad Address (null pointer deref?)", regs, code, address); Apart from the error messages, the two blocks of code perform the same function. We can avoid two calls to faulthandler_disabled() by a simple revision to the code in handle_interruption(). Note: I didn't try to fix the formatting of this code block. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 4e2e5a033e93ec8805f2584e900a6bea4016ef5b Author: Maor Dickman Date: Thu Dec 9 14:03:01 2021 +0200 net/mlx5e: Unblock setting vid 0 for VF in case PF isn't eswitch manager [ Upstream commit 7846665d3504812acaebf920d1141851379a7f37 ] When using libvirt to passthrough VF to VM it will always set the VF vlan to 0 even if user didn’t request it, this will cause libvirt to fail to boot in case the PF isn't eswitch owner. Example of such case is the DPU host PF which isn't eswitch manager, so any attempt to passthrough VF of it using libvirt will fail. Fix it by not returning error in case set VF vlan is called with vid 0. Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit d24e3a126b2ea91e69f34c9487c6cddde84fa5b9 Author: Maher Sanalla Date: Wed Jan 5 14:50:11 2022 +0200 net/mlx5: Update log_max_qp value to FW max capability [ Upstream commit f79a609ea6bf54ad2d2c24e4de4524288b221666 ] log_max_qp in driver's default profile #2 was set to 18, but FW actually supports 17 at the most - a situation that led to the concerning print when the driver is loaded: "log_max_qp value in current profile is 18, changing to HCA capabaility limit (17)" The expected behavior from mlx5_profile #2 is to match the maximum FW capability in regards to log_max_qp. Thus, log_max_qp in profile #2 is initialized to a defined static value (0xff) - which basically means that when loading this profile, log_max_qp value will be what the currently installed FW supports at most. Signed-off-by: Maher Sanalla Reviewed-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 8c751aac0b64fb52743ac5deffc3ce85bbe1482b Author: Jason A. Donenfeld Date: Wed Dec 29 22:10:05 2021 +0100 random: do not throw away excess input to crng_fast_load [ Upstream commit 73c7733f122e8d0107f88655a12011f68f69e74b ] When crng_fast_load() is called by add_hwgenerator_randomness(), we currently will advance to crng_init==1 once we've acquired 64 bytes, and then throw away the rest of the buffer. Usually, that is not a problem: When add_hwgenerator_randomness() gets called via EFI or DT during setup_arch(), there won't be any IRQ randomness. Therefore, the 64 bytes passed by EFI exactly matches what is needed to advance to crng_init==1. Usually, DT seems to pass 64 bytes as well -- with one notable exception being kexec, which hands over 128 bytes of entropy to the kexec'd kernel. In that case, we'll advance to crng_init==1 once 64 of those bytes are consumed by crng_fast_load(), but won't continue onward feeding in bytes to progress to crng_init==2. This commit fixes the issue by feeding any leftover bytes into the next phase in add_hwgenerator_randomness(). [linux@dominikbrodowski.net: rewrite commit message] Signed-off-by: Dominik Brodowski Signed-off-by: Jason A. Donenfeld Signed-off-by: Sasha Levin commit 0e7d8e930aba6a5b84d00713553f001fa06206f2 Author: Lukas Wunner Date: Sun Jan 2 18:52:44 2022 +0100 serial: core: Keep mctrl register state and cached copy in sync [ Upstream commit 93a770b7e16772530196674ffc79bb13fa927dc6 ] struct uart_port contains a cached copy of the Modem Control signals. It is used to skip register writes in uart_update_mctrl() if the new signal state equals the old signal state. It also avoids a register read to obtain the current state of output signals. When a uart_port is registered, uart_configure_port() changes signal state but neglects to keep the cached copy in sync. That may cause a subsequent register write to be incorrectly skipped. Fix it before it trips somebody up. This behavior has been present ever since the serial core was introduced in 2002: https://git.kernel.org/history/history/c/33c0d1b0c3eb So far it was never an issue because the cached copy is initialized to 0 by kzalloc() and when uart_configure_port() is executed, at most DTR has been set by uart_set_options() or sunsu_console_setup(). Therefore, a stable designation seems unnecessary. Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/bceeaba030b028ed810272d55d5fc6f3656ddddb.1641129752.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5b452507d5e768bd051d65188a50f35c4000b864 Author: Lukas Wunner Date: Sun Jan 2 18:45:44 2022 +0100 serial: pl011: Drop CR register reset on set_termios [ Upstream commit e368cc656fd6d0075f1c3ab9676e2001451e3e04 ] pl011_set_termios() briefly resets the CR register to zero, thereby glitching DTR/RTS signals. With rs485 this may result in the bus being occupied for no reason. Where does this register write originate from? The PL011 driver was forked from the PL010 driver in 2004: https://git.kernel.org/history/history/c/157c0342e591 Until this commit, the PL010 driver's IRQ handler ambauart_int() modified the CR register without holding the port spinlock. ambauart_set_termios() also modified that register. To prevent concurrent read-modify-writes by the IRQ handler and to prevent transmission while changing baudrate, ambauart_set_termios() had to disable interrupts. On the PL010, that is achieved by writing zero to the CR register. However, on the PL011, interrupts are disabled in the IMSC register, not in the CR register. Additionally, the commit amended both the PL010 and PL011 driver to acquire the port spinlock in the IRQ handler, obviating the need to disable interrupts in ->set_termios(). So the CR register write is obsolete for two reasons. Drop it. Cc: Russell King Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/f49f945375f5ccb979893c49f1129f51651ac738.1641129062.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9201e1dd5aee66f093af9e1f035c916d396f0c93 Author: Lukas Wunner Date: Sun Jan 2 18:42:44 2022 +0100 serial: pl010: Drop CR register reset on set_termios [ Upstream commit 08a0c6dff91c965e39905cf200d22db989203ccb ] pl010_set_termios() briefly resets the CR register to zero. Where does this register write come from? The PL010 driver's IRQ handler ambauart_int() originally modified the CR register without holding the port spinlock. ambauart_set_termios() also modified that register. To prevent concurrent read-modify-writes by the IRQ handler and to prevent transmission while changing baudrate, ambauart_set_termios() had to disable interrupts. That is achieved by writing zero to the CR register. However in 2004 the PL010 driver was amended to acquire the port spinlock in the IRQ handler, obviating the need to disable interrupts in ->set_termios(): https://git.kernel.org/history/history/c/157c0342e591 That rendered the CR register write obsolete. Drop it. Cc: Russell King Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/fcaff16e5b1abb4cc3da5a2879ac13f278b99ed0.1641128728.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7828830235cbd6e57ba21ca74a4d1d9bfe41508c Author: Konrad Dybcio Date: Thu Dec 30 03:34:42 2021 +0100 regulator: qcom_smd: Align probe function with rpmh-regulator [ Upstream commit 14e2976fbabdacb01335d7f91eeebbc89c67ddb1 ] The RPMh regulator driver is much newer and gets more attention, which in consequence makes it do a few things better. Update qcom_smd-regulator's probe function to mimic what rpmh-regulator does to address a couple of issues: - Probe defer now works correctly, before it used to, well, kinda just die.. This fixes reliable probing on (at least) PM8994, because Linux apparently cannot deal with supply map dependencies yet.. - Regulator data is now matched more sanely: regulator data is matched against each individual regulator node name and throwing an -EINVAL if data is missing, instead of just assuming everything is fine and iterating over all subsequent array members. - status = "disabled" will now work for disabling individual regulators in DT. Previously it didn't seem to do much if anything at all. Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20211230023442.1123424-1-konrad.dybcio@somainline.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 59caf131b18cb6534f013e5c4614e988d599508d Author: Russell King (Oracle) Date: Tue Jan 4 16:38:31 2022 +0000 net: gemini: allow any RGMII interface mode [ Upstream commit 4e4f325a0a55907b14f579e6b1a38c53755e3de2 ] The four RGMII interface modes take care of the required RGMII delay configuration at the PHY and should not be limited by the network MAC driver. Sadly, gemini was only permitting RGMII mode with no delays, which would require the required delay to be inserted via PCB tracking or by the MAC. However, there are designs that require the PHY to add the delay, which is impossible without Gemini permitting the other three PHY interface modes. Fix the driver to allow these. Signed-off-by: Russell King (Oracle) Reviewed-by: Linus Walleij Tested-by: Corentin Labbe Link: https://lore.kernel.org/r/E1n4mpT-002PLd-Ha@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 00bf5ce4bf9a28caf92197b087850233bbe9407a Author: Russell King (Oracle) Date: Tue Jan 4 16:38:19 2022 +0000 net: phy: marvell: configure RGMII delays for 88E1118 [ Upstream commit f22725c95ececb703c3f741e8f946d23705630b7 ] Corentin Labbe reports that the SSI 1328 does not work when allowing the PHY to operate at gigabit speeds, but does work with the generic PHY driver. This appears to be because m88e1118_config_init() writes a fixed value to the MSCR register, claiming that this is to enable 1G speeds. However, this always sets bits 4 and 5, enabling RGMII transmit and receive delays. The suspicion is that the original board this was added for required the delays to make 1G speeds work. Add the necessary configuration for RGMII delays for the 88E1118 to bring this into line with the requirements for RGMII support, and thus make the SSI 1328 work. Corentin Labbe has tested this on gemini-ssi1328 and gemini-ns2502. Reported-by: Corentin Labbe Tested-by: Corentin Labbe Signed-off-by: Russell King (Oracle) Reviewed-by: Andrew Lunn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5b2fd3370e7ff358e3e778244ea8f6a5b1e8c131 Author: Danielle Ratson Date: Wed Jan 5 12:22:27 2022 +0200 mlxsw: pci: Avoid flow control for EMAD packets [ Upstream commit d43e4271747ace01a27a49a97a397cb4219f6487 ] Locally generated packets ingress the device through its CPU port. When the CPU port is congested and there are not enough credits in its headroom buffer, packets can be dropped. While this might be acceptable for data packets that traverse the network, configuration packets exchanged between the host and the device (EMADs) should not be subjected to this flow control. The "sdq_lp" bit in the SDQ (Send Descriptor Queue) context allows the host to instruct the device to treat packets sent on this queue as "local processing" and always process them, regardless of the state of the CPU port's headroom. Add the definition of this bit and set it for the dedicated SDQ reserved for the transmission of EMAD packets. This makes the "local processing" bit in the WQE (Work Queue Element) redundant, so clear it. Signed-off-by: Danielle Ratson Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0415b84eee93ce7c9ec4471a738ce533f3b22cc2 Author: Jiri Olsa Date: Tue Jan 4 13:10:30 2022 +0100 bpf/selftests: Fix namespace mount setup in tc_redirect [ Upstream commit 5e22dd18626726028a93ff1350a8a71a00fd843d ] The tc_redirect umounts /sys in the new namespace, which can be mounted as shared and cause global umount. The lazy umount also takes down mounted trees under /sys like debugfs, which won't be available after sysfs mounts again and could cause fails in other tests. # cat /proc/self/mountinfo | grep debugfs 34 23 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime shared:14 - debugfs debugfs rw # cat /proc/self/mountinfo | grep sysfs 23 86 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw # mount | grep debugfs debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime) # ./test_progs -t tc_redirect #164 tc_redirect:OK Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED # mount | grep debugfs # cat /proc/self/mountinfo | grep debugfs # cat /proc/self/mountinfo | grep sysfs 25 86 0:22 / /sys rw,relatime shared:2 - sysfs sysfs rw Making the sysfs private under the new namespace so the umount won't trigger the global sysfs umount. Reported-by: Hangbin Liu Signed-off-by: Jiri Olsa Signed-off-by: Daniel Borkmann Cc: Jussi Maki Link: https://lore.kernel.org/bpf/20220104121030.138216-1-jolsa@kernel.org Signed-off-by: Sasha Levin commit 1674124a885575fcb54d37e7ac90e1e15696b945 Author: Joe Thornber Date: Fri Dec 10 13:49:53 2021 +0000 dm space map common: add bounds check to sm_ll_lookup_bitmap() [ Upstream commit cba23ac158db7f3cd48a923d6861bee2eb7a2978 ] Corrupted metadata could warrant returning error from sm_ll_lookup_bitmap(). Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit b5aee20b53163c9cfa810012ad073a25d96f6161 Author: Joe Thornber Date: Fri Dec 10 13:44:13 2021 +0000 dm btree: add a defensive bounds check to insert_at() [ Upstream commit 85bca3c05b6cca31625437eedf2060e846c4bbad ] Corrupt metadata could trigger an out of bounds write. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 3c3417b013cf1173d040f5225c918d7ebb4a6643 Author: Ping-Ke Shih Date: Mon Jan 3 09:36:21 2022 +0800 mac80211: allow non-standard VHT MCS-10/11 [ Upstream commit 04be6d337d37400ad5b3d5f27ca87645ee5a18a3 ] Some AP can possibly try non-standard VHT rate and mac80211 warns and drops packets, and leads low TCP throughput. Rate marked as a VHT rate but data is invalid: MCS: 10, NSS: 2 WARNING: CPU: 1 PID: 7817 at net/mac80211/rx.c:4856 ieee80211_rx_list+0x223/0x2f0 [mac8021 Since commit c27aa56a72b8 ("cfg80211: add VHT rate entries for MCS-10 and MCS-11") has added, mac80211 adds this support as well. After this patch, throughput is good and iw can get the bitrate: rx bitrate: 975.1 MBit/s VHT-MCS 10 80MHz short GI VHT-NSS 2 or rx bitrate: 1083.3 MBit/s VHT-MCS 11 80MHz short GI VHT-NSS 2 Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1192891 Reported-by: Goldwyn Rodrigues Signed-off-by: Ping-Ke Shih Link: https://lore.kernel.org/r/20220103013623.17052-1-pkshih@realtek.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 2d1c1df9c899075d24bb698d55032cae6ae4c154 Author: Florian Fainelli Date: Mon Jan 3 11:40:24 2022 -0800 net: mdio: Demote probed message to debug print [ Upstream commit 7590fc6f80ac2cbf23e6b42b668bbeded070850b ] On systems with large numbers of MDIO bus/muxes the message indicating that a given MDIO bus has been successfully probed is repeated for as many buses we have, which can eat up substantial boot time for no reason, demote to a debug print. Reported-by: Maxime Bizon Signed-off-by: Florian Fainelli Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20220103194024.2620-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a3fdfe36c36a0656749baefefd3b66b6cd63474d Author: Josef Bacik Date: Fri Nov 5 16:45:35 2021 -0400 btrfs: remove BUG_ON(!eie) in find_parent_nodes [ Upstream commit 9f05c09d6baef789726346397438cca4ec43c3ee ] If we're looking for leafs that point to a data extent we want to record the extent items that point at our bytenr. At this point we have the reference and we know for a fact that this leaf should have a reference to our bytenr. However if there's some sort of corruption we may not find any references to our leaf, and thus could end up with eie == NULL. Replace this BUG_ON() with an ASSERT() and then return -EUCLEAN for the mortals. Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit b667d77ca70cac65a2f7470714b5b255e24bf840 Author: Josef Bacik Date: Fri Nov 5 16:45:34 2021 -0400 btrfs: remove BUG_ON() in find_parent_nodes() [ Upstream commit fcba0120edf88328524a4878d1d6f4ad39f2ec81 ] We search for an extent entry with .offset = -1, which shouldn't be a thing, but corruption happens. Add an ASSERT() for the developers, return -EUCLEAN for mortals. Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit d70ce75d1d283953062ca96bd1a6830f4f37443c Author: Mario Limonciello Date: Fri Dec 24 09:04:58 2021 +0800 ACPI: CPPC: Check present CPUs for determining _CPC is valid [ Upstream commit 2aeca6bd02776d7f56a49a32be0dd184f204d888 ] As this is a static check, it should be based upon what is currently present on the system. This makes probeing more deterministic. While local APIC flags field (lapic_flags) of cpu core in MADT table is 0, then the cpu core won't be enabled. In this case, _CPC won't be found in this core, and return back to _CPC invalid with walking through possible cpus (include disable cpus). This is not expected, so switch to check present CPUs instead. Reported-by: Jinzhou Su Signed-off-by: Mario Limonciello Signed-off-by: Huang Rui Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit dd7c1a93025284d244bb5b00108b7417df00e1df Author: Thomas Weißschuh Date: Wed Dec 22 22:20:14 2021 +0100 ACPI: battery: Add the ThinkPad "Not Charging" quirk [ Upstream commit e96c1197aca628f7d2480a1cc3214912b40b3414 ] The EC/ACPI firmware on Lenovo ThinkPads used to report a status of "Unknown" when the battery is between the charge start and charge stop thresholds. On Windows, it reports "Not Charging" so the quirk has been added to also report correctly. Now the "status" attribute returns "Not Charging" when the battery on ThinkPads is not physicaly charging. Signed-off-by: Thomas Weißschuh Reviewed-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e4066c05d3327b530bb00d11d3492bac1e69982d Author: Marina Nikolic Date: Tue Dec 14 20:57:53 2021 +0800 amdgpu/pm: Make sysfs pm attributes as read-only for VFs [ Upstream commit 11c9cc95f818f0f187e9b579a7f136f532b42445 ] == Description == Setting values of pm attributes through sysfs should not be allowed in SRIOV mode. These calls will not be processed by FW anyway, but error handling on sysfs level should be improved. == Changes == This patch prohibits performing of all set commands in SRIOV mode on sysfs level. It offers better error handling as calls that are not allowed will not be propagated further. == Test == Writing to any sysfs file in passthrough mode will succeed. Writing to any sysfs file in ONEVF mode will yield error: "calling process does not have sufficient permission to execute a command". Signed-off-by: Marina Nikolic Acked-by: Evan Quan Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 493b87970061f044c5cf795cfd1d679d114844ed Author: Zongmin Zhou Date: Wed Dec 15 17:23:37 2021 +0800 drm/amdgpu: fixup bad vram size on gmc v8 [ Upstream commit 11544d77e3974924c5a9c8a8320b996a3e9b2f8b ] Some boards(like RX550) seem to have garbage in the upper 16 bits of the vram size register. Check for this and clamp the size properly. Fixes boards reporting bogus amounts of vram. after add this patch,the maximum GPU VRAM size is 64GB, otherwise only 64GB vram size will be used. Signed-off-by: Zongmin Zhou Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 1ee70b4c5406711c563a8146b96e079592a4e0b9 Author: AngeloGioacchino Del Regno Date: Thu Dec 16 13:57:44 2021 +0100 mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling [ Upstream commit ffaea6ebfe9ce06ebb3a54811a47688f2b0893cd ] Replace all instances of open-coded while loops for polling registers with calls to readl_poll_timeout() and, while at it, also fix some possible infinite loop instances. Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20211216125748.179602-1-angelogioacchino.delregno@collabora.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit dcedcbe177397122582e9e09b2ada9fdf9596409 Author: Kirill A. Shutemov Date: Wed Dec 22 17:33:51 2021 +0100 ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 [ Upstream commit 1d4e0b3abb168b2ee1eca99c527cffa1b80b6161 ] ACPICA commit 3dd7e1f3996456ef81bfe14cba29860e8d42949e According to ACPI 6.4, Section 16.2, the CPU cache flushing is required on entering to S1, S2, and S3, but the ACPICA code flushes the CPU cache regardless of the sleep state. Blind cache flush on entering S5 causes problems for TDX. Flushing happens with WBINVD that is not supported in the TDX environment. TDX only supports S5 and adjusting ACPICA code to conform to the spec more strictly fixes the issue. Link: https://github.com/acpica/acpica/commit/3dd7e1f3 Signed-off-by: Kirill A. Shutemov [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit a4c7a12027f2fc4dc6346a24fd3ab829e97955a3 Author: Sudeep Holla Date: Wed Dec 22 17:31:54 2021 +0100 ACPICA: Fix wrong interpretation of PCC address [ Upstream commit 9a3b8655db1ada31c82189ae13f40eb25da48c35 ] ACPICA commit 41be6afacfdaec2dba3a5ed368736babc2a7aa5c With the PCC Opregion in the firmware and we are hitting below kernel crash: -->8 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Workqueue: pm pm_runtime_work pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __memcpy+0x54/0x260 lr : acpi_ex_write_data_to_field+0xb8/0x194 Call trace: __memcpy+0x54/0x260 acpi_ex_store_object_to_node+0xa4/0x1d4 acpi_ex_store+0x44/0x164 acpi_ex_opcode_1A_1T_1R+0x25c/0x508 acpi_ds_exec_end_op+0x1b4/0x44c acpi_ps_parse_loop+0x3a8/0x614 acpi_ps_parse_aml+0x90/0x2f4 acpi_ps_execute_method+0x11c/0x19c acpi_ns_evaluate+0x1ec/0x2b0 acpi_evaluate_object+0x170/0x2b0 acpi_device_set_power+0x118/0x310 acpi_dev_suspend+0xd4/0x180 acpi_subsys_runtime_suspend+0x28/0x38 __rpm_callback+0x74/0x328 rpm_suspend+0x2d8/0x624 pm_runtime_work+0xa4/0xb8 process_one_work+0x194/0x25c worker_thread+0x260/0x49c kthread+0x14c/0x30c ret_from_fork+0x10/0x20 Code: f9000006 f81f80a7 d65f03c0 361000c2 (b9400026) ---[ end trace 24d8a032fa77b68a ]--- The reason for the crash is that the PCC channel index passed via region.address in acpi_ex_store_object_to_node is interpreted as the channel subtype incorrectly. Assuming the PCC op_region support is not used by any other type, let us remove the subtype check as the AML has no access to the subtype information. Once we remove it, the kernel crash disappears and correctly complains about missing PCC Opregion handler. ACPI Error: No handler for Region [PFRM] ((____ptrval____)) [PCC] (20210730/evregion-130) ACPI Error: Region PCC (ID=10) has no handler (20210730/exfldio-261) ACPI Error: Aborting method \_SB.ETH0._PS3 due to previous error (AE_NOT_EXIST) (20210730/psparse-531) Link: https://github.com/acpica/acpica/commit/41be6afa Signed-off-by: Sudeep Holla Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 2718d4a8d632054c987ee3f9cf465fab8c67e05a Author: Rafael J. Wysocki Date: Wed Dec 22 17:31:05 2021 +0100 ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() [ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ] ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to obtain return_desc which may require additional resolution with the help of acpi_ex_read_data_from_field (). If the latter fails, the reference counter of the original return_desc is decremented which is incorrect, because acpi_ns_get_attached_object () does not increment the reference counter of the object returned by it. This issue may lead to premature deletion of the attached object while it is still attached and a use-after-free and crash in the host OS. For example, this may happen when on evaluation of ref_of() a local region field where there is no registered handler for the given Operation Region. Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away after a acpi_ex_read_data_from_field () failure. Link: https://github.com/acpica/acpica/commit/d984f120 Link: https://github.com/acpica/acpica/pull/685 Reported-by: Lenny Szubowicz Signed-off-by: Rafael J. Wysocki Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 3c3b033d170d93536a5416016e572d46c3a0c7b5 Author: Rafael J. Wysocki Date: Wed Dec 22 17:29:45 2021 +0100 ACPICA: Utilities: Avoid deleting the same object twice in a row [ Upstream commit 1cdfe9e346b4c5509ffe19ccde880fd259d9f7a3 ] ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687 If original_count is 0 in acpi_ut_update_ref_count (), acpi_ut_delete_internal_obj () is invoked for the target object, which is incorrect, because that object has been deleted once already and the memory allocated to store it may have been reclaimed and allocated for a different purpose by the host OS. Moreover, a confusing debug message following the "Reference Count is already zero, cannot decrement" warning is printed in that case. To fix this issue, make acpi_ut_update_ref_count () return after finding that original_count is 0 and printing the above warning. Link: https://github.com/acpica/acpica/commit/c11af67d Link: https://github.com/acpica/acpica/pull/652 Reported-by: Mark Asselstine Signed-off-by: Rafael J. Wysocki Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 78cc8a75303fadaae15305f60ff6001ff5e08d2c Author: Mark Langsdorf Date: Wed Dec 22 16:57:34 2021 +0100 ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions [ Upstream commit f81bdeaf816142e0729eea0cc84c395ec9673151 ] ACPICA commit bc02c76d518135531483dfc276ed28b7ee632ce1 The current ACPI_ACCESS_*_WIDTH defines do not provide a way to test that size is small enough to not cause an overflow when applied to a 32-bit integer. Rather than adding more magic numbers, add ACPI_ACCESS_*_SHIFT, ACPI_ACCESS_*_MAX, and ACPI_ACCESS_*_DEFAULT #defines and redefine ACPI_ACCESS_*_WIDTH in terms of the new #defines. This was inititally reported on Linux where a size of 102 in ACPI_ACCESS_BIT_WIDTH caused an overflow error in the SPCR initialization code. Link: https://github.com/acpica/acpica/commit/bc02c76d Signed-off-by: Mark Langsdorf Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8c641409536dbcd4e1bf8e3704f85de1fa78b05f Author: Kyeong Yoo Date: Tue Jul 4 16:22:38 2017 +1200 jffs2: GC deadlock reading a page that is used in jffs2_write_begin() [ Upstream commit aa39cc675799bc92da153af9a13d6f969c348e82 ] GC task can deadlock in read_cache_page() because it may attempt to release a page that is actually allocated by another task in jffs2_write_begin(). The reason is that in jffs2_write_begin() there is a small window a cache page is allocated for use but not set Uptodate yet. This ends up with a deadlock between two tasks: 1) A task (e.g. file copy) - jffs2_write_begin() locks a cache page - jffs2_write_end() tries to lock "alloc_sem" from jffs2_reserve_space() <-- STUCK 2) GC task (jffs2_gcd_mtd3) - jffs2_garbage_collect_pass() locks "alloc_sem" - try to lock the same cache page in read_cache_page() <-- STUCK So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin() while reading data in a cache page. Signed-off-by: Kyeong Yoo Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 46241ec22925290e1f5d894de3ba7280fd4865f2 Author: Lucas Stach Date: Wed Dec 22 01:17:28 2021 +0100 drm/etnaviv: consider completed fence seqno in hang check [ Upstream commit cdd156955f946beaa5f3a00d8ccf90e5a197becc ] Some GPU heavy test programs manage to trigger the hangcheck quite often. If there are no other GPU users in the system and the test program exhibits a very regular structure in the commandstreams that are being submitted, we can end up with two distinct submits managing to trigger the hangcheck with the FE in a very similar address range. This leads the hangcheck to believe that the GPU is stuck, while in reality the GPU is already busy working on a different job. To avoid those spurious GPU resets, also remember and consider the last completed fence seqno in the hang check. Reported-by: Joerg Albert Signed-off-by: Lucas Stach Reviewed-by: Christian Gmeiner Signed-off-by: Sasha Levin commit 2b68b42a5d05b236e0eef29266ca8fa1f92a2d5f Author: Antony Antony Date: Wed Dec 22 14:11:18 2021 +0100 xfrm: rate limit SA mapping change message to user space [ Upstream commit 4e484b3e969b52effd95c17f7a86f39208b2ccf4 ] Kernel generates mapping change message, XFRM_MSG_MAPPING, when a source port chage is detected on a input state with UDP encapsulation set. Kernel generates a message for each IPsec packet with new source port. For a high speed flow per packet mapping change message can be excessive, and can overload the user space listener. Introduce rate limiting for XFRM_MSG_MAPPING message to the user space. The rate limiting is configurable via netlink, when adding a new SA or updating it. Use the new attribute XFRMA_MTIMER_THRESH in seconds. v1->v2 change: update xfrm_sa_len() v2->v3 changes: use u32 insted unsigned long to reduce size of struct xfrm_state fix xfrm_ompat size Reported-by: kernel test robot accept XFRM_MSG_MAPPING only when XFRMA_ENCAP is present Co-developed-by: Thomas Egerer Signed-off-by: Thomas Egerer Signed-off-by: Antony Antony Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 74f1c807c679776da8c13be8ee53e1244eeedb43 Author: Luiz Augusto von Dentz Date: Wed Dec 22 12:22:01 2021 -0800 Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES [ Upstream commit cfb4c313be670fd4bd09650216620fa4514cdb93 ] This set HCI_QUIRK_VALID_LE_STATES quirk which is required for the likes of experimental LE simultaneous roles. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e6e03a16eba4e197b4ec26097664e49f62096d27 Author: Tedd Ho-Jeong An Date: Mon Dec 13 23:32:14 2021 -0800 Bluetooth: btintel: Add missing quirks and msft ext for legacy bootloader [ Upstream commit 3547a008c8962df2175db1e78b80f27e027ec549 ] This patch add missing HCI quirks and MSFT extension for legacy bootloader when it is running in the operational firmware. Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 0863e7e0ceb5f7dfb09b936c860f8e3404bc0d3b Author: Ben Greear Date: Thu Sep 3 12:52:54 2020 -0700 ath11k: Fix napi related hang [ Upstream commit d943fdad7589653065be0e20aadc6dff37725ed4 ] Similar to the same bug in ath10k, a napi disable w/out it being enabled will hang forever. I believe I saw this while trying rmmod after driver had some failure on startup. Fix it by keeping state on whether napi is enabled or not. And, remove un-used napi pointer in ath11k driver base struct. Signed-off-by: Ben Greear Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200903195254.29379-1-greearb@candelatech.com Signed-off-by: Sasha Levin commit 617a9e6da974aac26523f9ebb5a00f6672cbd60d Author: Randy Dunlap Date: Sun Sep 12 23:12:52 2021 -0700 um: registers: Rename function names to avoid conflicts and build problems [ Upstream commit 077b7320942b64b0da182aefd83c374462a65535 ] The function names init_registers() and restore_registers() are used in several net/ethernet/ and gpu/drm/ drivers for other purposes (not calls to UML functions), so rename them. This fixes multiple build errors. Signed-off-by: Randy Dunlap Cc: Jeff Dike Cc: Richard Weinberger Cc: Anton Ivanov Cc: linux-um@lists.infradead.org Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit f75868e020a1d03f87d49e9cd2cc349a45249f29 Author: Tetsuo Handa Date: Fri Dec 17 23:51:25 2021 +0900 block: check minor range in device_add_disk() [ Upstream commit e338924bd05d6e71574bc13e310c89e10e49a8a5 ] ioctl(fd, LOOP_CTL_ADD, 1048576) causes sysfs: cannot create duplicate filename '/dev/block/7:0' message because such request is treated as if ioctl(fd, LOOP_CTL_ADD, 0) due to MINORMASK == 1048575. Verify that all minor numbers for that device fit in the minor range. Reported-by: wangyangbo Signed-off-by: Tetsuo Handa Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/b1b19379-23ee-5379-0eb5-94bf5f79f1b4@i-love.sakura.ne.jp Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 892805138cb49f0db59c44f38c6998d8a2137fce Author: Hector Martin Date: Thu Dec 16 01:10:44 2021 +0900 mmc: sdhci-pci-gli: GL9755: Support for CD/WP inversion on OF platforms [ Upstream commit 189f1d9bc3a5ea3e442e119e4a5deda63da8c462 ] This is required on some Apple ARM64 laptops using this controller. As is typical on DT platforms, pull these quirks from the device tree using the standard mmc bindings. See Documentation/devicetree/bindings/mmc/mmc-controller.yaml Acked-by: Adrian Hunter Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20211215161045.38843-2-marcan@marcan.st Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 0c3f9c13796ea054e4683a506a404168d8456a21 Author: Luca Coelho Date: Sun Dec 19 13:28:34 2021 +0200 iwlwifi: pcie: make sure prph_info is set when treating wakeup IRQ [ Upstream commit 459fc0f2c6b0f6e280bfa0f230c100c9dfe3a199 ] In some rare cases when the HW is in a bad state, we may get this interrupt when prph_info is not set yet. Then we will try to dereference it to check the sleep_notif element, which will cause an oops. Fix that by ignoring the interrupt if prph_info is not set yet. Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219132536.0537aa562313.I183bb336345b9b3da196ba9e596a6f189fbcbd09@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit ec53a638c18e087a7b1ffd8008541ff63129e52f Author: Avraham Stern Date: Sun Dec 19 13:28:31 2021 +0200 iwlwifi: mvm: fix AUX ROC removal [ Upstream commit f0337cb48f3bf5f0bbccc985d8a0a8c4aa4934b7 ] When IWL_UCODE_TLV_CAPA_SESSION_PROT_CMD is set, removing a time event always tries to cancel session protection. However, AUX ROC does not use session protection so it was never removed. As a result, if the driver tries to allocate another AUX ROC event right after cancelling the first one, it will fail with a warning. In addition, the time event data passed to iwl_mvm_remove_aux_roc_te() is incorrect. Fix it. Signed-off-by: Avraham Stern Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219132536.915e1f69f062.Id837e917f1c2beaca7c1eb33333d622548918a76@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit abce9e05089e91c1c1008ebfd2bfc3aa0f2e1298 Author: Ilan Peer Date: Sun Dec 19 12:18:16 2021 +0200 iwlwifi: mvm: Fix calculation of frame length [ Upstream commit 40a0b38d7a7f91a6027287e0df54f5f547e8d27e ] The RADA might include in the Rx frame the MIC and CRC bytes. These bytes should be removed for non monitor interfaces and should not be passed to mac80211. Fix the Rx processing to remove the extra bytes on non monitor cases. Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219121514.098be12c801e.I1d81733d8a75b84c3b20eb6e0d14ab3405ca6a86@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 58d53fe49a5dfbd9204c6d605bff4c99f7549256 Author: Johannes Berg Date: Fri Dec 10 11:12:45 2021 +0200 iwlwifi: remove module loading failure message [ Upstream commit 6518f83ffa51131daaf439b66094f684da3fb0ae ] When CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, iwlwifi crashes when the opmode module cannot be loaded, due to completing the completion before using drv->dev, which can then already be freed. Fix this by removing the (fairly useless) message. Moving the completion later causes a deadlock instead, so that's not an option. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/20211210091245.289008-2-luca@coelho.fi Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit e23f075d77987de4215c8e0696f28bcc707506f7 Author: Johannes Berg Date: Fri Dec 10 11:12:42 2021 +0200 iwlwifi: fix leaks/bad data after failed firmware load [ Upstream commit ab07506b0454bea606095951e19e72c282bfbb42 ] If firmware load fails after having loaded some parts of the firmware, e.g. the IML image, then this would leak. For the host command list we'd end up running into a WARN on the next attempt to load another firmware image. Fix this by calling iwl_dealloc_ucode() on failures, and make that also clear the data so we start fresh on the next round. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 73a32ee6daefbcbc2d2a6d20c7c27e06a7441f05 Author: Changcheng Deng Date: Thu Nov 25 01:43:11 2021 +0000 PM: AVS: qcom-cpr: Use div64_ul instead of do_div [ Upstream commit 92c550f9ffd2884bb5def52b5c0485a35e452784 ] do_div() does a 64-by-32 division. Here the divisor is an unsigned long which on some platforms is 64 bit wide. So use div64_ul instead of do_div to avoid a possible truncation. Reported-by: Zeal Robot Signed-off-by: Changcheng Deng Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211125014311.45942-1-deng.changcheng@zte.com.cn Signed-off-by: Sasha Levin commit 9a9669e757354d5ab2be775481048ba6591258f5 Author: Po-Hao Huang Date: Fri Dec 17 09:27:08 2021 +0800 rtw88: 8822c: update rx settings to prevent potential hw deadlock [ Upstream commit c1afb26727d9e507d3e17a9890e7aaf7fc85cd55 ] These settings enables mac to detect and recover when rx fifo circuit deadlock occurs. Previous version missed this, so we fix it. Signed-off-by: Po-Hao Huang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211217012708.8623-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit 38d8d8a882745f87c6a0f54549734241a5818d37 Author: Zekun Shen Date: Thu Oct 28 18:21:42 2021 -0400 ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream [ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ] Large pkt_len can lead to out-out-bound memcpy. Current ath9k_hif_usb_rx_stream allows combining the content of two urb inputs to one pkt. The first input can indicate the size of the pkt. Any remaining size is saved in hif_dev->rx_remain_len. While processing the next input, memcpy is used with rx_remain_len. 4-byte pkt_len can go up to 0xffff, while a single input is 0x4000 maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE. BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23 CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] __kasan_report.cold+0x37/0x7c ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] kasan_report+0xe/0x20 check_memory_region+0x15a/0x1d0 memcpy+0x20/0x50 ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] ? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __usb_unanchor_urb+0x12f/0x210 __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __hrtimer_run_queues+0x316/0x740 ? __usb_hcd_giveback_urb+0x380/0x380 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 irq_exit+0x114/0x140 smp_apic_timer_interrupt+0xde/0x380 apic_timer_interrupt+0xf/0x20 I found the bug using a custome USBFuzz port. It's a research work to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, providing hand-crafted usb descriptors to QEMU. After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU emulation, I found the KASAN report. The bug is triggerable whenever pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes to test the driver works when applying the patch. Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin commit 735aefae7b68025cd04c482a940c0f6fc6797a63 Author: Tetsuo Handa Date: Tue Sep 21 22:06:26 2021 +0900 ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet() [ Upstream commit 8b3046abc99eefe11438090bcc4ec3a3994b55d0 ] syzbot is reporting lockdep warning at ath9k_wmi_event_tasklet() followed by kernel panic at get_htc_epid_queue() from ath9k_htc_tx_get_packet() from ath9k_htc_txstatus() [1], for ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) depends on spin_lock_init() from ath9k_init_priv() being already completed. Since ath9k_wmi_event_tasklet() is set by ath9k_init_wmi() from ath9k_htc_probe_device(), it is possible that ath9k_wmi_event_tasklet() is called via tasklet interrupt before spin_lock_init() from ath9k_init_priv() from ath9k_init_device() from ath9k_htc_probe_device() is called. Let's hold ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) no-op until ath9k_tx_init() completes. Link: https://syzkaller.appspot.com/bug?extid=31d54c60c5b254d6f75b [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/77b76ac8-2bee-6444-d26c-8c30858b8daa@i-love.sakura.ne.jp Signed-off-by: Sasha Levin commit 6eedec710840104c190f51d45a57daf34216b90e Author: Tetsuo Handa Date: Tue Sep 21 22:06:23 2021 +0900 ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep() [ Upstream commit b0ec7e55fce65f125bd1d7f02e2dc4de62abee34 ] syzbot is reporting lockdep warning followed by kernel panic at ath9k_htc_rxep() [1], for ath9k_htc_rxep() depends on ath9k_rx_init() being already completed. Since ath9k_htc_rxep() is set by ath9k_htc_connect_svc(WMI_BEACON_SVC) from ath9k_init_htc_services(), it is possible that ath9k_htc_rxep() is called via timer interrupt before ath9k_rx_init() from ath9k_init_device() is called. Since we can't call ath9k_init_device() before ath9k_init_htc_services(), let's hold ath9k_htc_rxep() no-op until ath9k_rx_init() completes. Link: https://syzkaller.appspot.com/bug?extid=4d2d56175b934b9a7bf9 [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/2b88f416-b2cb-7a18-d688-951e6dc3fe92@i-love.sakura.ne.jp Signed-off-by: Sasha Levin commit 243ab93501e6fc13d376673e26ab240a82bbcffa Author: Felix Fietkau Date: Thu Nov 25 10:42:12 2021 +0100 mt76: mt7615: improve wmm index allocation [ Upstream commit 70fb028707c8871ef9e56b3ffa3d895e14956cc4 ] Typically all AP interfaces on a PHY will share the same WMM settings, while sta/mesh interfaces will usually inherit the settings from a remote device. In order minimize the likelihood of conflicting WMM settings, make all AP interfaces share one slot, and all non-AP interfaces another one. This also fixes running multiple AP interfaces on MT7613, which only has 3 WMM slots. Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 9d39145c49d09a8c2dcfd7b1aea162ee960b25b2 Author: Xing Song Date: Fri Nov 19 14:37:06 2021 +0800 mt76: do not pass the received frame with decryption error [ Upstream commit dd28dea52ad9376d2b243a8981726646e1f60b1a ] MAC80211 doesn't care any decryption error in 802.3 path, so received frame will be dropped if HW tell us that the cipher configuration is not matched as well as the header has been translated to 802.3. This case only appears when IEEE80211_FCTL_PROTECTED is 0 and cipher suit is not none in the corresponding HW entry. The received frame is only reported to monitor interface if HW decryption block tell us there is ICV error or CCMP/BIP/WPI MIC error. Note in this case the reported frame is decrypted 802.11 frame and the payload may be malformed due to mismatched key. Signed-off-by: Xing Song Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 3a1ef2b1233879e6ceb42b5ad33403c173a68d20 Author: Peter Chiu Date: Mon Nov 1 10:01:13 2021 +0800 mt76: mt7615: fix possible deadlock while mt7615_register_ext_phy() [ Upstream commit 8c55516de3f9b76b9d9444e7890682ec2efc809f ] ieee80211_register_hw() is called with rtnl_lock held, and this could be caused lockdep from a work item that's on a workqueue that is flushed with the rtnl held. Move mt7615_register_ext_phy() outside the init_work(). Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit a09dc6c4638f92ad8046bbbd9df8dbde23ec426a Author: Kai-Heng Feng Date: Wed Dec 15 20:01:06 2021 +0800 usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 [ Upstream commit 00558586382891540c59c9febc671062425a6e47 ] When a new USB device gets plugged to nested hubs, the affected hub, which connects to usb 2-1.4-port2, doesn't report there's any change, hence the nested hubs go back to runtime suspend like nothing happened: [ 281.032951] usb usb2: usb wakeup-resume [ 281.032959] usb usb2: usb auto-resume [ 281.032974] hub 2-0:1.0: hub_resume [ 281.033011] usb usb2-port1: status 0263 change 0000 [ 281.033077] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000 [ 281.049797] usb 2-1: usb wakeup-resume [ 281.069800] usb 2-1: Waited 0ms for CONNECT [ 281.069810] usb 2-1: finish resume [ 281.070026] hub 2-1:1.0: hub_resume [ 281.070250] usb 2-1-port4: status 0203 change 0000 [ 281.070272] usb usb2-port1: resume, status 0 [ 281.070282] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000 [ 281.089813] usb 2-1.4: usb wakeup-resume [ 281.109792] usb 2-1.4: Waited 0ms for CONNECT [ 281.109801] usb 2-1.4: finish resume [ 281.109991] hub 2-1.4:1.0: hub_resume [ 281.110147] usb 2-1.4-port2: status 0263 change 0000 [ 281.110234] usb 2-1-port4: resume, status 0 [ 281.110239] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s [ 281.110266] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000 [ 281.110426] hub 2-1.4:1.0: hub_suspend [ 281.110565] usb 2-1.4: usb auto-suspend, wakeup 1 [ 281.130998] hub 2-1:1.0: hub_suspend [ 281.137788] usb 2-1: usb auto-suspend, wakeup 1 [ 281.142935] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000 [ 281.177828] usb 2-1: usb wakeup-resume [ 281.197839] usb 2-1: Waited 0ms for CONNECT [ 281.197850] usb 2-1: finish resume [ 281.197984] hub 2-1:1.0: hub_resume [ 281.198203] usb 2-1-port4: status 0203 change 0000 [ 281.198228] usb usb2-port1: resume, status 0 [ 281.198237] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000 [ 281.217835] usb 2-1.4: usb wakeup-resume [ 281.237834] usb 2-1.4: Waited 0ms for CONNECT [ 281.237845] usb 2-1.4: finish resume [ 281.237990] hub 2-1.4:1.0: hub_resume [ 281.238067] usb 2-1.4-port2: status 0263 change 0000 [ 281.238148] usb 2-1-port4: resume, status 0 [ 281.238152] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s [ 281.238166] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000 [ 281.238385] hub 2-1.4:1.0: hub_suspend [ 281.238523] usb 2-1.4: usb auto-suspend, wakeup 1 [ 281.258076] hub 2-1:1.0: hub_suspend [ 281.265744] usb 2-1: usb auto-suspend, wakeup 1 [ 281.285976] hub 2-0:1.0: hub_suspend [ 281.285988] usb usb2: bus auto-suspend, wakeup 1 USB 3.2 spec, 9.2.5.4 "Changing Function Suspend State" says that "If the link is in a non-U0 state, then the device must transition the link to U0 prior to sending the remote wake message", but the hub only transits the link to U0 after signaling remote wakeup. So be more forgiving and use a 20ms delay to let the link transit to U0 for remote wakeup. Suggested-by: Alan Stern Acked-by: Alan Stern Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20211215120108.336597-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 79235edc66cbb891a845b4b7d9f210ae6bd18057 Author: Rafael J. Wysocki Date: Thu Dec 16 20:32:15 2021 +0100 cpufreq: Fix initialization of min and max frequency QoS requests [ Upstream commit 521223d8b3ec078f670c7c35a1a04b1b2af07966 ] The min and max frequency QoS requests in the cpufreq core are initialized to whatever the current min and max frequency values are at the init time, but if any of these values change later (for example, cpuinfo.max_freq is updated by the driver), these initial request values will be limiting the CPU frequency unnecessarily unless they are changed by user space via sysfs. To address this, initialize min_freq_req and max_freq_req to FREQ_QOS_MIN_DEFAULT_VALUE and FREQ_QOS_MAX_DEFAULT_VALUE, respectively, so they don't really limit anything until user space updates them. Reported-by: Srinivas Pandruvada Tested-by: Srinivas Pandruvada Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fddbdd20c8e0bbc813bebebf82216a9bef22d29a Author: Rafael J. Wysocki Date: Fri Dec 10 17:10:13 2021 +0100 PM: runtime: Add safety net to supplier device release [ Upstream commit d1579e61192e0e686faa4208500ef4c3b529b16c ] Because refcount_dec_not_one() returns true if the target refcount becomes saturated, it is generally unsafe to use its return value as a loop termination condition, but that is what happens when a device link's supplier device is released during runtime PM suspend operations and on device link removal. To address this, introduce pm_runtime_release_supplier() to be used in the above cases which will check the supplier device's runtime PM usage counter in addition to the refcount_dec_not_one() return value, so the loop can be terminated in case the rpm_active refcount value becomes invalid, and update the code in question to use it as appropriate. This change is not expected to have any visible functional impact. Reported-by: Peter Zijlstra Signed-off-by: Rafael J. Wysocki Acked-by: Greg Kroah-Hartman Acked-by: Peter Zijlstra (Intel) Signed-off-by: Sasha Levin commit 4586d164c319a81aa98169bb863de5c3112f13e5 Author: Weili Qian Date: Sat Dec 11 16:17:19 2021 +0800 crypto: hisilicon/hpre - fix memory leak in hpre_curve25519_src_init() [ Upstream commit 51fa916b81e5f406a74f14a31a3a228c3cc060ad ] hpre_curve25519_src_init() allocates memory for 'ptr' before calling memcmp(). If memcmp() returns 0, the function will return '-EINVAL' without freeing memory. Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c0713b3017a8057819173830dc273c8fec4b0b77 Author: Peter Gonda Date: Tue Dec 7 15:33:03 2021 -0800 crypto: ccp - Move SEV_INIT retry for corrupted data [ Upstream commit e423b9d75e779d921e6adf5ac3d0b59400d6ba7e ] Move the data corrupted retry of SEV_INIT into the __sev_platform_init_locked() function. This is for upcoming INIT_EX support as well as helping direct callers of __sev_platform_init_locked() which currently do not support the retry. Signed-off-by: Peter Gonda Reviewed-by: Marc Orr Acked-by: David Rientjes Acked-by: Tom Lendacky Acked-by: Brijesh Singh Cc: Tom Lendacky Cc: Brijesh Singh Cc: Marc Orr Cc: Joerg Roedel Cc: Herbert Xu Cc: David Rientjes Cc: John Allen Cc: "David S. Miller" Cc: Paolo Bonzini Cc: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a8186a100978cbae3266facef51b4c66e12608fa Author: Thierry Reding Date: Tue Dec 7 14:28:29 2021 +0100 arm64: tegra: Adjust length of CCPLEX cluster MMIO region [ Upstream commit 2b14cbd643feea5fc17c6e8bead4e71088c69acd ] The Tegra186 CCPLEX cluster register region is 4 MiB is length, not 4 MiB - 1. This was likely presumed to be the "limit" rather than length. Fix it up. Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 77e5d1974a1baa433b47b2f6e576112b77f4621f Author: Biwen Li Date: Tue Dec 14 03:32:38 2021 -0600 arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus [ Upstream commit cbe9d948eadfe352ad45495a7cc5bf20a1b29d90 ] The i2c rtc is on i2c2 bus not i2c1 bus, so fix it in dts. Signed-off-by: Biwen Li Signed-off-by: Li Yang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit d978295bb551ba98a92c6cd0d0edfdf5cd2e082f Author: Paul Moore Date: Mon Dec 13 15:45:20 2021 -0500 audit: ensure userspace is penalized the same as the kernel when under pressure [ Upstream commit 8f110f530635af44fff1f4ee100ecef0bac62510 ] Due to the audit control mutex necessary for serializing audit userspace messages we haven't been able to block/penalize userspace processes that attempt to send audit records while the system is under audit pressure. The result is that privileged userspace applications have a priority boost with respect to audit as they are not bound by the same audit queue throttling as the other tasks on the system. This patch attempts to restore some balance to the system when under audit pressure by blocking these privileged userspace tasks after they have finished their audit processing, and dropped the audit control mutex, but before they return to userspace. Reported-by: Gaosheng Cui Tested-by: Gaosheng Cui Reviewed-by: Richard Guy Briggs Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 305f07b93d34d292432251e9963bf232db38d67a Author: Jingwen Chen Date: Tue Dec 14 11:50:39 2021 +0800 drm/amd/amdgpu: fix gmc bo pin count leak in SRIOV [ Upstream commit 948e7ce01413b71395723aaf846015062aea3a43 ] [Why] gmc bo will be pinned during loading amdgpu and reset in SRIOV while only unpinned in unload amdgpu [How] add amdgpu_in_reset and sriov judgement to skip pin bo v2: fix wrong judgement Signed-off-by: Jingwen Chen Reviewed-by: Horace Chen Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8662d0c6a36807093aed34b17b930484fd4bf22f Author: Jingwen Chen Date: Tue Dec 14 11:31:16 2021 +0800 drm/amd/amdgpu: fix psp tmr bo pin count leak in SRIOV [ Upstream commit 85dfc1d692c9434c37842e610be37cd4ae4e0081 ] [Why] psp tmr bo will be pinned during loading amdgpu and reset in SRIOV while only unpinned in unload amdgpu [How] add amdgpu_in_reset and sriov judgement to skip pin bo v2: fix wrong judgement Signed-off-by: Jingwen Chen Reviewed-by: Horace Chen Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 29d6a92af56d953e238869834b860d6be00f61ed Author: Ulf Hansson Date: Wed Nov 10 18:17:09 2021 +0100 mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO [ Upstream commit 8c3e5b74b9e2146f564905e50ca716591c76d4f1 ] The mmc core takes a specific path to support initializing of a non-standard SDIO card. This is triggered by looking for the card-quirk, MMC_QUIRK_NONSTD_SDIO. In mmc_sdio_init_card() this gets rather messy, as it causes the code to bail out earlier, compared to the usual path. This leads to that the OCR doesn't get saved properly in card->ocr. Fortunately, only omap_hsmmc has been using the MMC_QUIRK_NONSTD_SDIO and is dealing with the issue, by assigning a hardcoded value (0x80) to card->ocr from an ->init_card() ops. To make the behaviour consistent, let's instead rely on the core to save the OCR in card->ocr during initialization. Reported-by: H. Nikolaus Schaller Signed-off-by: Ulf Hansson Signed-off-by: H. Nikolaus Schaller Link: https://lore.kernel.org/r/e7936cff7fc24d187ef2680d3b4edb0ade58f293.1636564631.git.hns@goldelico.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 384a5e27a44f4bc76815a18391751d2243e91c21 Author: Biju Das Date: Wed Nov 3 13:26:46 2021 +0100 mmc: tmio: reinit card irqs in reset routine [ Upstream commit e315b1f3a170f368da5618f8a598e68880302ed1 ] Refactor the code so that card detect irqs are always reenabled after a reset. This avoids doing it manually all over the code or forgetting to do this in the future. Reported-by: Wolfram Sang Signed-off-by: Biju Das [wsa: added a comment when 'native_hotplug' has to be set] Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20211103122646.64422-1-wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit c3d14b3585b78a007ee99066698655662c61e4bd Author: Zhou Qingyang Date: Fri Dec 3 16:40:30 2021 +0100 media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() [ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ] In hexium_attach(dev, info), saa7146_vv_init() is called to allocate a new memory for dev->vv_data. saa7146_vv_release() will be called on failure of saa7146_register_device(). There is a dereference of dev->vv_data in saa7146_vv_release(), which could lead to a NULL pointer dereference on failure of saa7146_vv_init(). Fix this bug by adding a check of saa7146_vv_init(). This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings, and our static analyzer no longer warns about this code. Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu Signed-off-by: Zhou Qingyang Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 84155d2b06060e13655495d295f70d39f5dd7144 Author: Mikhail Rudenko Date: Sun Oct 10 19:54:57 2021 +0200 media: rockchip: rkisp1: use device name for debugfs subdir name [ Upstream commit c2611e479f5d9b05108270e1ab423955486b4457 ] While testing Rockchip RK3399 with both ISPs enabled, a dmesg error was observed: ``` [ 15.559141] debugfs: Directory 'rkisp1' with parent '/' already present! ``` Fix it by using the device name for the debugfs subdirectory name instead of the driver name, thus preventing name collision. Link: https://lore.kernel.org/linux-media/20211010175457.438627-1-mike.rudenko@gmail.com Signed-off-by: Mikhail Rudenko Reviewed-by: Ezequiel Garcia Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 87d0b8170234464822eb5cad16552145c5801faf Author: Sean Young Date: Tue Nov 30 23:58:19 2021 +0100 media: igorplugusb: receiver overflow should be reported [ Upstream commit 8fede658e7ddb605bbd68ed38067ddb0af033db4 ] Without this, some IR will be missing mid-stream and we might decode something which never really occurred. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 26d516434d1c4af2e49305676612cdc81fe5b8a4 Author: Alistair Francis Date: Wed Dec 8 22:40:44 2021 +1000 HID: i2c-hid-of: Expose the touchscreen-inverted properties [ Upstream commit b60d3c803d7603432a08aeaf988aff53b3a5ec64 ] Allow the touchscreen-inverted-x/y device tree properties to control the HID_QUIRK_X_INVERT/HID_QUIRK_Y_INVERT quirks for the hid-input device. Signed-off-by: Alistair Francis Acked-by: Rob Herring [bentiss: silence checkpatch warnings] Signed-off-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20211208124045.61815-3-alistair@alistair23.me Signed-off-by: Sasha Levin commit bc13af2535e550e2b7d0c6b57ca7549aa495425f Author: Alistair Francis Date: Wed Dec 8 22:40:43 2021 +1000 HID: quirks: Allow inverting the absolute X/Y values [ Upstream commit fd8d135b2c5e88662f2729e034913f183455a667 ] Add a HID_QUIRK_X_INVERT/HID_QUIRK_Y_INVERT quirk that can be used to invert the X/Y values. Signed-off-by: Alistair Francis [bentiss: silence checkpatch warning] Signed-off-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20211208124045.61815-2-alistair@alistair23.me Signed-off-by: Sasha Levin commit 4a635b9d5ba5f691e378f7ec20e11b7b04f07a45 Author: Felix Kuehling Date: Tue Dec 7 20:23:14 2021 -0500 drm/amdkfd: Fix error handling in svm_range_add [ Upstream commit 726be40607264b180a2b336c81e1dcff941de618 ] Add null-pointer check after the last svm_range_new call. This was originally reported by Zhou Qingyang based on a static analyzer. To avoid duplicating the unwinding code from svm_range_handle_overlap, I merged the two functions into one. Signed-off-by: Felix Kuehling Cc: Zhou Qingyang Reviewed-by: Philip Yang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 684815ff760b6d997d8f4c1a4b5cb7173dacc42f Author: Paolo Abeni Date: Tue Nov 30 11:08:06 2021 +0100 bpf: Do not WARN in bpf_warn_invalid_xdp_action() [ Upstream commit 2cbad989033bff0256675c38f96f5faab852af4b ] The WARN_ONCE() in bpf_warn_invalid_xdp_action() can be triggered by any bugged program, and even attaching a correct program to a NIC not supporting the given action. The resulting splat, beyond polluting the logs, fouls automated tools: e.g. a syzkaller reproducers using an XDP program returning an unsupported action will never pass validation. Replace the WARN_ONCE with a less intrusive pr_warn_once(). Signed-off-by: Paolo Abeni Signed-off-by: Daniel Borkmann Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/bpf/016ceec56e4817ebb2a9e35ce794d5c917df572c.1638189075.git.pabeni@redhat.com Signed-off-by: Sasha Levin commit 451ee28aed9d02c54b12c8b8e845d9a0463c84f9 Author: David Gow Date: Tue Nov 2 00:30:13 2021 -0700 kunit: Don't crash if no parameters are generated [ Upstream commit 37dbb4c7c7442dbfc9b651e4ddd4afe30b26afc9 ] It's possible that a parameterised test could end up with zero parameters. At the moment, the test function will nevertheless be called with NULL as the parameter. Instead, don't try to run the test code, and just mark the test as SKIPped. Reported-by: Daniel Latypov Signed-off-by: David Gow Reviewed-by: Daniel Latypov Reviewed-by: Brendan Higgins Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 584d9e3e74590ce9f0a6f422feb9d64241ed7f99 Author: Suresh Kumar Date: Mon Dec 13 11:17:09 2021 +0530 net: bonding: debug: avoid printing debug logs when bond is not notifying peers [ Upstream commit fee32de284ac277ba434a2d59f8ce46528ff3946 ] Currently "bond_should_notify_peers: slave ..." messages are printed whenever "bond_should_notify_peers" function is called. +++ Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Received LACPDU on port 1 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Rx Machine: Port=1, Last State=6, Curr State=6 Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): partner sync=1 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 ... Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Received LACPDU on port 2 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Rx Machine: Port=2, Last State=6, Curr State=6 Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): partner sync=1 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +++ This is confusing and can also clutter up debug logs. Print logs only when the peer notification happens. Signed-off-by: Suresh Kumar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0f962554d016ba305f6ebe14f07e2d34a314706b Author: Borislav Petkov Date: Tue Nov 2 11:14:48 2021 +0100 x86/mce: Mark mce_read_aux() noinstr [ Upstream commit db6c996d6ce45dfb44891f0824a65ecec216f47a ] Fixes vmlinux.o: warning: objtool: do_machine_check()+0x681: call to mce_read_aux() leaves .noinstr.text section Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211208111343.8130-10-bp@alien8.de Signed-off-by: Sasha Levin commit b26d3a8f826df29c01f27bbb05932fc899c8e271 Author: Borislav Petkov Date: Mon Nov 1 16:43:33 2021 +0100 x86/mce: Mark mce_end() noinstr [ Upstream commit b4813539d37fa31fed62cdfab7bd2dd8929c5b2e ] It is called by the #MC handler which is noinstr. Fixes vmlinux.o: warning: objtool: do_machine_check()+0xbd6: call to memset() leaves .noinstr.text section Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211208111343.8130-9-bp@alien8.de Signed-off-by: Sasha Levin commit f166c0b3ac1cd033b419372acc6f12c612351de6 Author: Borislav Petkov Date: Mon Nov 1 13:39:35 2021 +0100 x86/mce: Mark mce_panic() noinstr [ Upstream commit 3c7ce80a818fa7950be123cac80cd078e5ac1013 ] And allow instrumentation inside it because it does calls to other facilities which will not be tagged noinstr. Fixes vmlinux.o: warning: objtool: do_machine_check()+0xc73: call to mce_panic() leaves .noinstr.text section Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211208111343.8130-8-bp@alien8.de Signed-off-by: Sasha Levin commit f2bde2aeb1aea77b56d151b293a03cd5b1a19d07 Author: Borislav Petkov Date: Wed Oct 13 09:07:19 2021 +0200 x86/mce: Allow instrumentation during task work queueing [ Upstream commit 4fbce464db81a42f9a57ee242d6150ec7f996415 ] Fixes vmlinux.o: warning: objtool: do_machine_check()+0xdb1: call to queue_task_work() leaves .noinstr.text section Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211208111343.8130-6-bp@alien8.de Signed-off-by: Sasha Levin commit 3903e62795309c8cd041191f506941aa3fe2c548 Author: Alex Elder Date: Fri Dec 10 16:31:22 2021 -0600 ARM: dts: qcom: sdx55: fix IPA interconnect definitions [ Upstream commit c0d6316c238b1bd743108bd4b08eda364f47c7c9 ] The first two interconnects defined for IPA on the SDX55 SoC are really two parts of what should be represented as a single path between IPA and system memory. Fix this by combining the "memory-a" and "memory-b" interconnects into a single "memory" interconnect. Reported-by: David Heidelberg Tested-by: Manivannan Sadhasivam Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f6d165a8fa04ecf29b87d2ace13e2bd2439658c8 Author: Baochen Qiang Date: Thu Dec 9 09:19:49 2021 +0800 ath11k: Avoid false DEADLOCK warning reported by lockdep [ Upstream commit 767c94caf0efad136157110787fe221b74cb5c8a ] With CONFIG_LOCKDEP=y and CONFIG_DEBUG_SPINLOCK=y, lockdep reports below warning: [ 166.059415] ============================================ [ 166.059416] WARNING: possible recursive locking detected [ 166.059418] 5.15.0-wt-ath+ #10 Tainted: G W O [ 166.059420] -------------------------------------------- [ 166.059421] kworker/0:2/116 is trying to acquire lock: [ 166.059423] ffff9905f2083160 (&srng->lock){+.-.}-{2:2}, at: ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] [ 166.059440] but task is already holding lock: [ 166.059442] ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k] [ 166.059491] other info that might help us debug this: [ 166.059492] Possible unsafe locking scenario: [ 166.059493] CPU0 [ 166.059494] ---- [ 166.059495] lock(&srng->lock); [ 166.059498] lock(&srng->lock); [ 166.059500] *** DEADLOCK *** [ 166.059501] May be due to missing lock nesting notation [ 166.059502] 3 locks held by kworker/0:2/116: [ 166.059504] #0: ffff9905c0081548 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660 [ 166.059511] #1: ffff9d2400a5fe68 ((debug_obj_work).work){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660 [ 166.059517] #2: ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k] [ 166.059532] stack backtrace: [ 166.059534] CPU: 0 PID: 116 Comm: kworker/0:2 Kdump: loaded Tainted: G W O 5.15.0-wt-ath+ #10 [ 166.059537] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0059.2019.1112.1124 11/12/2019 [ 166.059539] Workqueue: events free_obj_work [ 166.059543] Call Trace: [ 166.059545] [ 166.059547] dump_stack_lvl+0x56/0x7b [ 166.059552] __lock_acquire+0xb9a/0x1a50 [ 166.059556] lock_acquire+0x1e2/0x330 [ 166.059560] ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] [ 166.059571] _raw_spin_lock_bh+0x33/0x70 [ 166.059574] ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] [ 166.059584] ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] [ 166.059594] ath11k_dp_tx_send_reo_cmd+0x3f/0x130 [ath11k] [ 166.059605] ath11k_dp_rx_tid_del_func+0x221/0x370 [ath11k] [ 166.059618] ath11k_dp_process_reo_status+0x22f/0x2d0 [ath11k] [ 166.059632] ? ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k] [ 166.059643] ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k] [ 166.059655] ath11k_pci_ext_grp_napi_poll+0x1c/0x70 [ath11k_pci] [ 166.059659] __napi_poll+0x28/0x230 [ 166.059664] net_rx_action+0x285/0x310 [ 166.059668] __do_softirq+0xe6/0x4d2 [ 166.059672] irq_exit_rcu+0xd2/0xf0 [ 166.059675] common_interrupt+0xa5/0xc0 [ 166.059678] [ 166.059679] [ 166.059680] asm_common_interrupt+0x1e/0x40 [ 166.059683] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 166.059686] Code: 83 c7 18 e8 2a 95 43 ff 48 89 ef e8 22 d2 43 ff 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 63 2e 40 ff 65 8b 05 8c 59 97 5c 85 c0 74 0a 5b 5d c3 e8 00 6a [ 166.059689] RSP: 0018:ffff9d2400a5fca0 EFLAGS: 00000206 [ 166.059692] RAX: 0000000000000002 RBX: 0000000000000200 RCX: 0000000000000006 [ 166.059694] RDX: 0000000000000000 RSI: ffffffffa404879b RDI: 0000000000000001 [ 166.059696] RBP: ffff9905c0053000 R08: 0000000000000001 R09: 0000000000000001 [ 166.059698] R10: ffff9d2400a5fc50 R11: 0000000000000001 R12: ffffe186c41e2840 [ 166.059700] R13: 0000000000000001 R14: ffff9905c78a1c68 R15: 0000000000000001 [ 166.059704] free_debug_processing+0x257/0x3d0 [ 166.059708] ? free_obj_work+0x1f5/0x250 [ 166.059712] __slab_free+0x374/0x5a0 [ 166.059718] ? kmem_cache_free+0x2e1/0x370 [ 166.059721] ? free_obj_work+0x1f5/0x250 [ 166.059724] kmem_cache_free+0x2e1/0x370 [ 166.059727] free_obj_work+0x1f5/0x250 [ 166.059731] process_one_work+0x28b/0x660 [ 166.059735] ? process_one_work+0x660/0x660 [ 166.059738] worker_thread+0x37/0x390 [ 166.059741] ? process_one_work+0x660/0x660 [ 166.059743] kthread+0x176/0x1a0 [ 166.059746] ? set_kthread_struct+0x40/0x40 [ 166.059749] ret_from_fork+0x22/0x30 [ 166.059754] Since these two lockes are both initialized in ath11k_hal_srng_setup, they are assigned with the same key. As a result lockdep suspects that the task is trying to acquire the same lock (due to same key) while already holding it, and thus reports the DEADLOCK warning. However as they are different spinlock instances, the warning is false positive. On the other hand, even no dead lock indeed, this is a major issue for upstream regression testing as it disables lockdep functionality. Fix it by assigning separate lock class key for each srng->lock. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by: Baochen Qiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211209011949.151472-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin commit 271842c326bb18fd7bb8f90c34c8a03e7783e5b9 Author: Heiko Carstens Date: Tue Nov 30 13:25:46 2021 +0100 selftests/ftrace: make kprobe profile testcase description unique [ Upstream commit e5992f373c6eed6d09e5858e9623df1259b3ce30 ] Commit 32f6e5da83c7 ("selftests/ftrace: Add kprobe profile testcase") added a new kprobes testcase, but has a description which does not describe what the test case is doing and is duplicating the description of another test case. Therefore change the test case description, so it is unique and then allows easily to tell which test case actually passed or failed. Reported-by: Alexander Egorenkov Signed-off-by: Heiko Carstens Acked-by: Masami Hiramatsu Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 8bb1290e90504203c2909113e1af1828948b1b7a Author: Iwona Winiarska Date: Sat Dec 4 18:10:27 2021 +0100 gpio: aspeed-sgpio: Convert aspeed_sgpio.lock to raw_spinlock [ Upstream commit ab39d6988dd53f354130438d8afa5596a2440fed ] The gpio-aspeed-sgpio driver implements an irq_chip which need to be invoked from hardirq context. Since spin_lock() can sleep with PREEMPT_RT, it is no longer legal to invoke it while interrupts are disabled. This also causes lockdep to complain about: [ 25.919465] [ BUG: Invalid wait context ] because aspeed_sgpio.lock (spin_lock_t) is taken under irq_desc.lock (raw_spinlock_t). Let's use of raw_spinlock_t instead of spinlock_t. Signed-off-by: Iwona Winiarska Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit d9332eab23381364b70e13eb17e7bf0a709504c5 Author: Iwona Winiarska Date: Sat Dec 4 18:10:26 2021 +0100 gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock [ Upstream commit 61a7904b6ace99b1bde0d0e867fa3097f5c8cee2 ] The gpio-aspeed driver implements an irq_chip which need to be invoked from hardirq context. Since spin_lock() can sleep with PREEMPT_RT, it is no longer legal to invoke it while interrupts are disabled. This also causes lockdep to complain about: [ 0.649797] [ BUG: Invalid wait context ] because aspeed_gpio.lock (spin_lock_t) is taken under irq_desc.lock (raw_spinlock_t). Let's use of raw_spinlock_t instead of spinlock_t. Signed-off-by: Iwona Winiarska Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 3c2a24aa3412660b63041014864c53a6a5860f15 Author: Russell King (Oracle) Date: Wed Dec 8 11:36:30 2021 +0000 net: phy: prefer 1000baseT over 1000baseKX [ Upstream commit f20f94f7f52c4685c81754f489ffcc72186e8bdb ] The PHY settings table is supposed to be sorted by descending match priority - in other words, earlier entries are preferred over later entries. The order of 1000baseKX/Full and 1000baseT/Full is such that we prefer 1000baseKX/Full over 1000baseT/Full, but 1000baseKX/Full is a lot rarer than 1000baseT/Full, and thus is much less likely to be preferred. This causes phylink problems - it means a fixed link specifying a speed of 1G and full duplex gets an ethtool linkmode of 1000baseKX/Full rather than 1000baseT/Full as would be expected - and since we offer userspace a software emulation of a conventional copper PHY, we want to offer copper modes in preference to anything else. However, we do still want to allow the rarer modes as well. Hence, let's reorder these two modes to prefer copper. Tested-by: Tom Lendacky Signed-off-by: Russell King (Oracle) Reviewed-by: Andrew Lunn Reported-by: Florian Fainelli Link: https://lore.kernel.org/r/E1muvFO-00F6jY-1K@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0abd3f9903fae6ecf8db3c89a459971fe7925499 Author: Antoine Tenart Date: Tue Dec 7 15:57:24 2021 +0100 net-sysfs: update the queue counts in the unregistration path [ Upstream commit d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ] When updating Rx and Tx queue kobjects, the queue count should always be updated to match the queue kobjects count. This was not done in the net device unregistration path, fix it. Tracking all queue count updates will allow in a following up patch to detect illegal updates. Signed-off-by: Antoine Tenart Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f7bae4d4595dee71ae08738149d9c0096f45c391 Author: Sebastian Gottschall Date: Wed May 5 15:58:06 2021 +0700 ath10k: Fix tx hanging [ Upstream commit e8a91863eba3966a447d2daa1526082d52b5db2a ] While running stress tests in roaming scenarios (switching ap's every 5 seconds, we discovered a issue which leads to tx hangings of exactly 5 seconds while or after scanning for new accesspoints. We found out that this hanging is triggered by ath10k_mac_wait_tx_complete since the empty_tx_wq was not wake when the num_tx_pending counter reaches zero. To fix this, we simply move the wake_up call to htt_tx_dec_pending, since this call was missed on several locations within the ath10k code. Signed-off-by: Sebastian Gottschall Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210505085806.11474-1-s.gottschall@dd-wrt.com Signed-off-by: Sasha Levin commit 21b07b470a4077ab6e8f13e0af6abf89ca6a4de9 Author: Wen Gong Date: Tue Dec 7 17:23:36 2021 +0200 ath11k: avoid deadlock by change ieee80211_queue_work for regd_update_work [ Upstream commit ed05c7cf1286d7e31e7623bce55ff135723591bf ] When enable debug config, it print below warning while shut down wlan interface shuh as run "ifconfig wlan0 down". The reason is because ar->regd_update_work is ran once, and it is will call wiphy_lock(ar->hw->wiphy) in function ath11k_regd_update() which is running in workqueue of ieee80211_local queued by ieee80211_queue_work(). Another thread from "ifconfig wlan0 down" will also accuqire the lock by wiphy_lock(sdata->local->hw.wiphy) in function ieee80211_stop(), and then it call ieee80211_stop_device() to flush_workqueue(local->workqueue), this will wait the workqueue of ieee80211_local finished. Then deadlock will happen easily if the two thread run meanwhile. Below warning disappeared after this change. [ 914.088798] ath11k_pci 0000:05:00.0: mac remove interface (vdev 0) [ 914.088806] ath11k_pci 0000:05:00.0: mac stop 11d scan [ 914.088810] ath11k_pci 0000:05:00.0: mac stop 11d vdev id 0 [ 914.088827] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0) [ 914.088841] ath11k_pci 0000:05:00.0: send 11d scan stop vdev id 0 [ 914.088849] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0 [ 914.088856] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0 [ 914.096434] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16 [ 914.096442] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1) [ 914.096481] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0) [ 914.096491] ath11k_pci 0000:05:00.0: WMI vdev delete id 0 [ 914.111598] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16 [ 914.111628] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1) [ 914.114659] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 20 [ 914.114742] ath11k_pci 0000:05:00.0: htc rx completion ep 2 skb pK-error [ 914.115977] ath11k_pci 0000:05:00.0: vdev delete resp for vdev id 0 [ 914.116685] ath11k_pci 0000:05:00.0: vdev 00:03:7f:29:61:11 deleted, vdev_id 0 [ 914.117583] ====================================================== [ 914.117592] WARNING: possible circular locking dependency detected [ 914.117600] 5.16.0-rc1-wt-ath+ #1 Tainted: G OE [ 914.117611] ------------------------------------------------------ [ 914.117618] ifconfig/2805 is trying to acquire lock: [ 914.117628] ffff9c00a62bb548 ((wq_completion)phy0){+.+.}-{0:0}, at: flush_workqueue+0x87/0x470 [ 914.117674] but task is already holding lock: [ 914.117682] ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211] [ 914.117872] which lock already depends on the new lock. [ 914.117880] the existing dependency chain (in reverse order) is: [ 914.117888] -> #3 (&rdev->wiphy.mtx){+.+.}-{4:4}: [ 914.117910] __mutex_lock+0xa0/0x9c0 [ 914.117930] mutex_lock_nested+0x1b/0x20 [ 914.117944] reg_process_self_managed_hints+0x3a/0xb0 [cfg80211] [ 914.118093] wiphy_regulatory_register+0x47/0x80 [cfg80211] [ 914.118229] wiphy_register+0x84f/0x9c0 [cfg80211] [ 914.118353] ieee80211_register_hw+0x6b1/0xd90 [mac80211] [ 914.118486] ath11k_mac_register+0x6af/0xb60 [ath11k] [ 914.118550] ath11k_core_qmi_firmware_ready+0x383/0x4a0 [ath11k] [ 914.118598] ath11k_qmi_driver_event_work+0x347/0x4a0 [ath11k] [ 914.118656] process_one_work+0x228/0x670 [ 914.118669] worker_thread+0x4d/0x440 [ 914.118680] kthread+0x16d/0x1b0 [ 914.118697] ret_from_fork+0x22/0x30 [ 914.118714] -> #2 (rtnl_mutex){+.+.}-{4:4}: [ 914.118736] __mutex_lock+0xa0/0x9c0 [ 914.118751] mutex_lock_nested+0x1b/0x20 [ 914.118767] rtnl_lock+0x17/0x20 [ 914.118783] ath11k_regd_update+0x15a/0x260 [ath11k] [ 914.118841] ath11k_regd_update_work+0x15/0x20 [ath11k] [ 914.118897] process_one_work+0x228/0x670 [ 914.118909] worker_thread+0x4d/0x440 [ 914.118920] kthread+0x16d/0x1b0 [ 914.118934] ret_from_fork+0x22/0x30 [ 914.118948] -> #1 ((work_completion)(&ar->regd_update_work)){+.+.}-{0:0}: [ 914.118972] process_one_work+0x1fa/0x670 [ 914.118984] worker_thread+0x4d/0x440 [ 914.118996] kthread+0x16d/0x1b0 [ 914.119010] ret_from_fork+0x22/0x30 [ 914.119023] -> #0 ((wq_completion)phy0){+.+.}-{0:0}: [ 914.119045] __lock_acquire+0x146d/0x1cf0 [ 914.119057] lock_acquire+0x19b/0x360 [ 914.119067] flush_workqueue+0xae/0x470 [ 914.119084] ieee80211_stop_device+0x3b/0x50 [mac80211] [ 914.119260] ieee80211_do_stop+0x5d7/0x830 [mac80211] [ 914.119409] ieee80211_stop+0x45/0x180 [mac80211] [ 914.119557] __dev_close_many+0xb3/0x120 [ 914.119573] __dev_change_flags+0xc3/0x1d0 [ 914.119590] dev_change_flags+0x29/0x70 [ 914.119605] devinet_ioctl+0x653/0x810 [ 914.119620] inet_ioctl+0x193/0x1e0 [ 914.119631] sock_do_ioctl+0x4d/0xf0 [ 914.119649] sock_ioctl+0x262/0x340 [ 914.119665] __x64_sys_ioctl+0x96/0xd0 [ 914.119678] do_syscall_64+0x3d/0xd0 [ 914.119694] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 914.119709] other info that might help us debug this: [ 914.119717] Chain exists of: (wq_completion)phy0 --> rtnl_mutex --> &rdev->wiphy.mtx [ 914.119745] Possible unsafe locking scenario: [ 914.119752] CPU0 CPU1 [ 914.119758] ---- ---- [ 914.119765] lock(&rdev->wiphy.mtx); [ 914.119778] lock(rtnl_mutex); [ 914.119792] lock(&rdev->wiphy.mtx); [ 914.119807] lock((wq_completion)phy0); [ 914.119819] *** DEADLOCK *** [ 914.119827] 2 locks held by ifconfig/2805: [ 914.119837] #0: ffffffffba3dc010 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x17/0x20 [ 914.119872] #1: ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211] [ 914.120039] stack backtrace: [ 914.120048] CPU: 0 PID: 2805 Comm: ifconfig Tainted: G OE 5.16.0-rc1-wt-ath+ #1 [ 914.120064] Hardware name: LENOVO 418065C/418065C, BIOS 83ET63WW (1.33 ) 07/29/2011 [ 914.120074] Call Trace: [ 914.120084] [ 914.120094] dump_stack_lvl+0x73/0xa4 [ 914.120119] dump_stack+0x10/0x12 [ 914.120135] print_circular_bug.isra.44+0x221/0x2e0 [ 914.120165] check_noncircular+0x106/0x150 [ 914.120203] __lock_acquire+0x146d/0x1cf0 [ 914.120215] ? __lock_acquire+0x146d/0x1cf0 [ 914.120245] lock_acquire+0x19b/0x360 [ 914.120259] ? flush_workqueue+0x87/0x470 [ 914.120286] ? lockdep_init_map_type+0x6b/0x250 [ 914.120310] flush_workqueue+0xae/0x470 [ 914.120327] ? flush_workqueue+0x87/0x470 [ 914.120344] ? lockdep_hardirqs_on+0xd7/0x150 [ 914.120391] ieee80211_stop_device+0x3b/0x50 [mac80211] [ 914.120565] ? ieee80211_stop_device+0x3b/0x50 [mac80211] [ 914.120736] ieee80211_do_stop+0x5d7/0x830 [mac80211] [ 914.120906] ieee80211_stop+0x45/0x180 [mac80211] [ 914.121060] __dev_close_many+0xb3/0x120 [ 914.121081] __dev_change_flags+0xc3/0x1d0 [ 914.121109] dev_change_flags+0x29/0x70 [ 914.121131] devinet_ioctl+0x653/0x810 [ 914.121149] ? __might_fault+0x77/0x80 [ 914.121179] inet_ioctl+0x193/0x1e0 [ 914.121194] ? inet_ioctl+0x193/0x1e0 [ 914.121218] ? __might_fault+0x77/0x80 [ 914.121238] ? _copy_to_user+0x68/0x80 [ 914.121266] sock_do_ioctl+0x4d/0xf0 [ 914.121283] ? inet_stream_connect+0x60/0x60 [ 914.121297] ? sock_do_ioctl+0x4d/0xf0 [ 914.121329] sock_ioctl+0x262/0x340 [ 914.121347] ? sock_ioctl+0x262/0x340 [ 914.121362] ? exit_to_user_mode_prepare+0x13b/0x280 [ 914.121388] ? syscall_enter_from_user_mode+0x20/0x50 [ 914.121416] __x64_sys_ioctl+0x96/0xd0 [ 914.121430] ? br_ioctl_call+0x90/0x90 [ 914.121445] ? __x64_sys_ioctl+0x96/0xd0 [ 914.121465] do_syscall_64+0x3d/0xd0 [ 914.121482] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 914.121497] RIP: 0033:0x7f0ed051737b [ 914.121513] Code: 0f 1e fa 48 8b 05 15 3b 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 3a 0d 00 f7 d8 64 89 01 48 [ 914.121527] RSP: 002b:00007fff7be38b98 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 914.121544] RAX: ffffffffffffffda RBX: 00007fff7be38ba0 RCX: 00007f0ed051737b [ 914.121555] RDX: 00007fff7be38ba0 RSI: 0000000000008914 RDI: 0000000000000004 [ 914.121566] RBP: 00007fff7be38c60 R08: 000000000000000a R09: 0000000000000001 [ 914.121576] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000fffffffe [ 914.121586] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 [ 914.121620] Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211201071745.17746-2-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit bcf404b305f43c7ee93a2c24e4a4b049d81327cb Author: Wander Lairson Costa Date: Wed Nov 10 11:37:45 2021 -0300 rcutorture: Avoid soft lockup during cpu stall [ Upstream commit 5ff7c9f9d7e3e0f6db5b81945fa11b69d62f433a ] If we use the module stall_cpu option, we may get a soft lockup warning in case we also don't pass the stall_cpu_block option. Introduce the stall_no_softlockup option to avoid a soft lockup on cpu stall even if we don't use the stall_cpu_block option. Signed-off-by: Wander Lairson Costa Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit d63ddcee9ff3454a14f440ae684afcdbdc03fcf3 Author: Shaul Triebitz Date: Sat Dec 4 13:10:47 2021 +0200 iwlwifi: mvm: avoid clearing a just saved session protection id [ Upstream commit 8e967c137df3b236d2075f9538cb888129425d1a ] When scheduling a session protection the id is saved but then it may be cleared when calling iwl_mvm_te_clear_data (if a previous session protection is currently active). Fix it by saving the id after calling iwl_mvm_te_clear_data. Signed-off-by: Shaul Triebitz Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211204130722.b0743a588d14.I098fef6677d0dab3ef1b6183ed206a10bab01eb2@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 59b49457fbd870b4d033159698c452f7248b57b1 Author: Johannes Berg Date: Sat Dec 4 08:35:45 2021 +0200 iwlwifi: mvm: synchronize with FW after multicast commands [ Upstream commit db66abeea3aefed481391ecc564fb7b7fb31d742 ] If userspace installs a lot of multicast groups very quickly, then we may run out of command queue space as we send the updates in an asynchronous fashion (due to locking concerns), and the CPU can create them faster than the firmware can process them. This is true even when mac80211 has a work struct that gets scheduled. Fix this by synchronizing with the firmware after sending all those commands - outside of the iteration we can send a synchronous echo command that just has the effect of the CPU waiting for the prior asynchronous commands to finish. This also will cause fewer of the commands to be sent to the firmware overall, because the work will only run once when rescheduled multiple times while it's running. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213649 Suggested-by: Emmanuel Grumbach Reported-by: Maximilian Ernestus Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211204083238.51aea5b79ea4.I88a44798efda16e9fe480fb3e94224931d311b29@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit b52954c7798ecc2b833a68d20181e5efa5561453 Author: Kieran Bingham Date: Thu Nov 4 22:40:25 2021 +0000 arm64: dts: renesas: Fix thermal bindings [ Upstream commit 82ce79391d0ec25ec8aaae3c0617b71048ff0836 ] The binding node names for the thermal zones are not successfully validated by the dt-schemas. Fix the validation by changing from sensor-thermalN or thermal-sensor-N to sensorN-thermal. Provide node labels of the form sensorN_thermal to ensure consistency with the other platform implementations. Signed-off-by: Kieran Bingham Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/20211104224033.3997504-1-kieran.bingham+renesas@ideasonboard.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 2f804823b5b75b4b1b8d8a8fc14114e3bb8ca635 Author: Mika Westerberg Date: Sun Nov 14 16:07:11 2021 +0200 thunderbolt: Runtime PM activate both ends of the device link [ Upstream commit f3380cac0c0b3a6f49ab161e2a057c363962f48d ] If protocol tunnels are already up when the driver is loaded, for instance if the boot firmware implements connection manager of its own, runtime PM reference count of the consumer devices behind the tunnel might have been increased already before the device link is created but the supplier device runtime PM reference count is not. This leads to a situation where the supplier (the Thunderbolt driver) can runtime suspend even if it should not because the corresponding protocol tunnel needs to be up causing the devices to be removed from the corresponding native bus. Prevent this from happening by making both sides of the link runtime PM active briefly. The pm_runtime_put() for the consumer (PCIe root/downstream port, xHCI) then allows it to runtime suspend again but keeps the supplier runtime resumed the whole time it is runtime active. Signed-off-by: Mika Westerberg Reviewed-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0c044e39d52abfbb4cb43dbc5a09c1dc1ed24648 Author: Mauro Carvalho Chehab Date: Mon Dec 6 15:34:19 2021 +0100 media: m920x: don't use stack on USB reads [ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ] Using stack-allocated pointers for USB message data don't work. This driver is almost OK with that, except for the I2C read logic. Fix it by using a temporary read buffer, just like on all other calls to m920x_read(). Link: https://lore.kernel.org/all/ccc99e48-de4f-045e-0fe4-61e3118e3f74@mida.se/ Reported-by: rkardell@mida.se Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6aaff2d7c9d52ae523ca318639c7dc74e751dc88 Author: Tsuchiya Yuto Date: Wed Dec 1 15:19:04 2021 +0100 media: atomisp: fix "variable dereferenced before check 'asd'" [ Upstream commit ac56760a8bbb4e654b2fd54e5de79dd5d72f937d ] There are two occurrences where the variable 'asd' is dereferenced before check. Fix this issue by using the variable after the check. Link: https://lore.kernel.org/linux-media/20211122074122.GA6581@kili/ Link: https://lore.kernel.org/linux-media/20211201141904.47231-1-kitakar@gmail.com Reported-by: Dan Carpenter Signed-off-by: Tsuchiya Yuto Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a2e962b2d8b072f965abbd3b2f37984f0e7b2714 Author: Zhou Qingyang Date: Tue Nov 30 17:25:49 2021 +0100 media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() [ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ] In hexium_attach(dev, info), saa7146_vv_init() is called to allocate a new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release() will be called and there is a dereference of dev->vv_data in saa7146_vv_release(), which could lead to a NULL pointer dereference on failure of saa7146_vv_init() according to the following logic. Both hexium_attach() and hexium_detach() are callback functions of the variable 'extension', so there exists a possible call chain directly from hexium_attach() to hexium_detach(): hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data | in saa7146_vv_init(). | | hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release() Fix this bug by adding a check of saa7146_vv_init(). This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings, and our static analyzer no longer warns about this code. Signed-off-by: Zhou Qingyang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d747b4831d5f1e16a8377b8895c1fb4ec419ca25 Author: Niklas Söderlund Date: Fri Nov 26 00:02:57 2021 +0100 media: rcar-vin: Update format alignment constraints [ Upstream commit da6911f330d40cfe115a37249e47643eff555e82 ] This change fixes two issues with the size constraints for buffers. - There is no width alignment constraint for RGB formats. Prior to this change they were treated as YUV and as a result were more restricted than needed. Add a new check to differentiate between the two. - The minimum width and height supported is 5x2, not 2x4, this is an artifact from the driver's soc-camera days. Fix this incorrect assumption. Signed-off-by: Niklas Söderlund Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1c9bbda87cdc199e18a04c656e326eec140838ee Author: James Hilliard Date: Sun Nov 14 09:52:36 2021 +0100 media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds. [ Upstream commit c8ed7d2f614cd8b315981d116c7a2fb01829500d ] Some uvc devices appear to require the maximum allowed USB timeout for GET_CUR/SET_CUR requests. So lets just bump the UVC control timeout to 5 seconds which is the same as the usb ctrl get/set defaults: USB_CTRL_GET_TIMEOUT 5000 USB_CTRL_SET_TIMEOUT 5000 It fixes the following runtime warnings: Failed to query (GET_CUR) UVC control 11 on unit 2: -110 (exp. 1). Failed to query (SET_CUR) UVC control 3 on unit 2: -110 (exp. 2). Signed-off-by: James Hilliard Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4d6a98ce80f6fd34f8c3034602bc53e219b6d9f1 Author: Laurent Pinchart Date: Mon Nov 29 03:10:46 2021 +0200 drm: rcar-du: Fix CRTC timings when CMM is used [ Upstream commit f0ce591dc9a97067c6e783a2eaccd22c5476144d ] When the CMM is enabled, an offset of 25 pixels must be subtracted from the HDS (horizontal display start) and HDE (horizontal display end) registers. Fix the timings calculation, and take this into account in the mode validation. This fixes a visible horizontal offset in the image with VGA monitors. HDMI monitors seem to be generally more tolerant to incorrect timings, but may be affected too. Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 30bd6733ef960e02fcbac7f2bedb9df1830a5a7d Author: Joerg Roedel Date: Thu Dec 2 16:32:25 2021 +0100 x86/mm: Flush global TLB when switching to trampoline page-table [ Upstream commit 71d5049b053876afbde6c3273250b76935494ab2 ] Move the switching code into a function so that it can be re-used and add a global TLB flush. This makes sure that usage of memory which is not mapped in the trampoline page-table is reliably caught. Also move the clearing of CR4.PCIDE before the CR3 switch because the cr4_clear_bits() function will access data not mapped into the trampoline page-table. Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211202153226.22946-4-joro@8bytes.org Signed-off-by: Sasha Levin commit 1b4422befeba0cb77149ca6a0907077f65f788d1 Author: Xiongwei Song Date: Tue Nov 16 21:10:33 2021 +0800 floppy: Add max size check for user space request [ Upstream commit 545a32498c536ee152331cd2e7d2416aa0f20e01 ] We need to check the max request size that is from user space before allocating pages. If the request size exceeds the limit, return -EINVAL. This check can avoid the warning below from page allocator. WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline] WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356 Modules linked in: CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344 Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9 RSP: 0018:ffffc90023b87850 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960 R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30 FS: 0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 __get_free_pages+0x8/0x40 mm/page_alloc.c:5418 raw_cmd_copyin drivers/block/floppy.c:3113 [inline] raw_cmd_ioctl drivers/block/floppy.c:3160 [inline] fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528 fd_ioctl drivers/block/floppy.c:3555 [inline] fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869 compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com Signed-off-by: Xiongwei Song Signed-off-by: Denis Efremov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit eeefb3436d42d5ee8186adee8855c1cd27c9fb95 Author: Neal Liu Date: Fri Nov 26 18:00:21 2021 +0800 usb: uhci: add aspeed ast2600 uhci support [ Upstream commit 554abfe2eadec97d12c71d4a69da1518478f69eb ] Enable ast2600 uhci quirks. Signed-off-by: Neal Liu Link: https://lore.kernel.org/r/20211126100021.2331024-1-neal_liu@aspeedtech.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 750f28d69b99a3584c809918f280b6c55842eae2 Author: Kishon Vijay Abraham I Date: Fri Nov 26 14:15:55 2021 +0530 arm64: dts: ti: j721e-main: Fix 'dtbs_check' in serdes_ln_ctrl node [ Upstream commit 3f92a5be6084b77f764a8bbb881ac0d12cb9e863 ] Fix 'dtbs_check' in serdes_ln_ctrl (mux@4080) node by changing the node name to mux-controller@4080. Signed-off-by: Kishon Vijay Abraham I Reviewed-by: Aswath Govindraju Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20211126084555.17797-3-kishon@ti.com Signed-off-by: Sasha Levin commit e785275d780e4034c73234cbd9fdd5a0fa40ee26 Author: Kishon Vijay Abraham I Date: Fri Nov 26 14:15:54 2021 +0530 arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl node [ Upstream commit 4d3984906397581dc0ccb6a02bf16b6ff82c9192 ] Fix 'dtbs_check' in serdes_ln_ctrl (serdes-ln-ctrl@4080) node by changing the node name to mux-controller@4080. Signed-off-by: Kishon Vijay Abraham I Reviewed-by: Aswath Govindraju Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20211126084555.17797-2-kishon@ti.com Signed-off-by: Sasha Levin commit 94168f47f9b15284ffb14a8cce23e8fe3b0fe939 Author: Hans de Goede Date: Mon Nov 22 18:05:33 2021 +0100 ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on the GPD win [ Upstream commit 57d2dbf710d832841872fb15ebb79429cab90fae ] The GPD win and its sibling the GPD pocket (99% the same electronics in a different case) use a PCI wifi card. But the ACPI tables on both variants contain a bug where the SDIO MMC controller for SDIO wifi cards is enabled despite this. This SDIO MMC controller has a PCI0.SDHB.BRC1 child-device which _PS3 method sets a GPIO causing the PCI wifi card to turn off. At the moment there is a pretty ugly kludge in the sdhci-acpi.c code, just to work around the bug in the DSDT of this single design. This can be solved cleaner/simply with a quirk overriding the _STA return of the broken PCI0.SDHB.BRC1 PCI0.SDHB.BRC1 child with a status value of 0, so that its power_manageable flag gets cleared, avoiding this problem. Note that even though it is not used, the _STA method for the MMC controller is deliberately not overridden. If the status of the MMC controller were forced to 0 it would never get suspended, which would cause these mini-laptops to not reach S0i3 level when suspended. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 10f2c10c0e2073a17f10d5929425a079a8f32827 Author: Hans de Goede Date: Mon Nov 22 18:05:32 2021 +0100 ACPI / x86: Allow specifying acpi_device_override_status() quirks by path [ Upstream commit ba46e42e925b5d09b4e441f8de3db119cc7df58f ] Not all ACPI-devices have a HID + UID, allow specifying quirks for acpi_device_override_status() by path too. Note this moves the path/HID+UID check to after the CPU + DMI checks since the path lookup is somewhat costly. This way this lookup is only done on devices where the other checks match. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 91f918b7885fb7757bf498a310cc65d71d3e6f72 Author: Hans de Goede Date: Mon Nov 22 18:05:31 2021 +0100 ACPI: Change acpi_device_always_present() into acpi_device_override_status() [ Upstream commit 1a68b346a2c9969c05e80a3b99a9ab160b5655c0 ] Currently, acpi_bus_get_status() calls acpi_device_always_present() to allow platform quirks to override the _STA return to report that a device is present (status = ACPI_STA_DEFAULT) independent of the _STA return. In some cases it might also be useful to have the opposite functionality and have a platform quirk which marks a device as not present (status = 0) to work around ACPI table bugs. Change acpi_device_always_present() into a more generic acpi_device_override_status() function to allow this. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 1fd897834b772db18b5831797f3ec8d90e914124 Author: Hans de Goede Date: Mon Nov 22 18:05:30 2021 +0100 ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present table [ Upstream commit d431dfb764b145369be820fcdfd50f2159b9bbc2 ] It turns out that there is a WMI object which controls the PWM2 device used for the keyboard backlight and that WMI object also provides some other useful functionality. The upcoming lenovo-yogabook-wmi driver will offer both backlight control and the other functionality, so there no longer is a need to have the lpss-pwm driver binding to PWM2 for backlight control; and this is now actually undesirable because this will cause both the WMI code and the lpss-pwm driver to poke at the same PWM controller. Drop the always-present quirk for the PWM2 ACPI-device, so that the lpss-pwm controller will no longer bind to it. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 2518f943a18e27dce8ad0c5af430acb9d1c21b43 Author: Zack Rusin Date: Fri Nov 5 15:38:45 2021 -0400 drm/vmwgfx: Introduce a new placement for MOB page tables [ Upstream commit f6be23264bbac88d1e2bb39658e1b8a397e3f46d ] For larger (bigger than a page) and noncontiguous mobs we have to create page tables that allow the host to find the memory. Those page tables just used regular system memory. Unfortunately in TTM those BO's are not allowed to be busy thus can't be fenced and we have to fence those bo's because we don't want to destroy the page tables while the host is still executing the command buffers which might be accessing them. To solve it we introduce a new placement VMW_PL_SYSTEM which is very similar to TTM_PL_SYSTEM except that it allows fencing. This fixes kernel oops'es during unloading of the driver (and pci hot remove/add) which were caused by busy BO's in TTM_PL_SYSTEM being present in the delayed deletion list in TTM (TTM_PL_SYSTEM manager is destroyed before the delayed deletions are executed) Signed-off-by: Zack Rusin Reviewed-by: Martin Krastev Cc: Christian König Cc: Thomas Hellström Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-5-zackr@vmware.com Signed-off-by: Sasha Levin commit ff74a49da07b402b898f63244096c857ae454bf5 Author: Zack Rusin Date: Fri Nov 5 15:38:43 2021 -0400 drm/vmwgfx: Release ttm memory if probe fails [ Upstream commit 28b5f3b6121b7db2a44be499cfca0b6b801588b6 ] The ttm mem global state was leaking if the vmwgfx driver load failed. In case of a driver load failure we have to make sure we also release the ttm mem global state. Signed-off-by: Zack Rusin Reviewed-by: Martin Krastev Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-3-zackr@vmware.com Signed-off-by: Sasha Levin commit f168858f60962161a32e94acddc5a241327f70aa Author: Adam Ward Date: Mon Nov 29 22:10:12 2021 +0000 regulator: da9121: Prevent current limit change when enabled [ Upstream commit 24f0853228f3b98f1ef08d5824376c69bb8124d2 ] Prevent changing current limit when enabled as a precaution against possibile instability due to tight integration with switching cycle Signed-off-by: Adam Ward Link: https://lore.kernel.org/r/52ee682476004a1736c1e0293358987319c1c415.1638223185.git.Adam.Ward.opensource@diasemi.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 34b1e259b1f5a39787fd04a7f1e526e413d8647a Author: Mansur Alisha Shaik Date: Mon Nov 8 06:48:51 2021 +0100 media: venus: avoid calling core_clk_setrate() concurrently during concurrent video sessions [ Upstream commit 91f2b7d269e5c885c38c7ffa261f5276bd42f907 ] In existing implementation, core_clk_setrate() is getting called concurrently in concurrent video sessions. Before the previous call to core_clk_setrate returns, new call to core_clk_setrate is invoked from another video session running concurrently. This results in latest calculated frequency being set (higher/lower) instead of actual frequency required for that video session. It also results in stability crashes mention below. These resources are specific to video core, hence keeping under core lock would ensure that they are estimated for all running video sessions and called once for the video core. Crash logs: [ 1.900089] WARNING: CPU: 4 PID: 1 at drivers/opp/debugfs.c:33 opp_debug_remove_one+0x2c/0x48 [ 1.908493] Modules linked in: [ 1.911524] CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.67 #35 f8edb8c30cf2dd6838495dd9ef9be47af7f5f60c [ 1.921036] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT) [ 1.928673] pstate: 60800009 (nZCv daif -PAN +UAO -TCO BTYPE=--) [ 1.934608] pc : opp_debug_remove_one+0x2c/0x48 [ 1.939080] lr : opp_debug_remove_one+0x2c/0x48 [ 1.943560] sp : ffffffc011d7b7f0 [ 1.946836] pmr_save: 000000e0 [ 1.949854] x29: ffffffc011d7b7f0 x28: ffffffc010733bbc [ 1.955104] x27: ffffffc010733ba8 x26: ffffff8083cedd00 [ 1.960355] x25: 0000000000000001 x24: 0000000000000000 [ 1.965603] x23: ffffff8083cc2878 x22: ffffff8083ceb900 [ 1.970852] x21: ffffff8083ceb910 x20: ffffff8083cc2800 [ 1.976101] x19: ffffff8083ceb900 x18: 00000000ffff0a10 [ 1.981352] x17: ffffff80837a5620 x16: 00000000000000ec [ 1.986601] x15: ffffffc010519ad4 x14: 0000000000000003 [ 1.991849] x13: 0000000000000004 x12: 0000000000000001 [ 1.997100] x11: c0000000ffffdfff x10: 00000000ffffffff [ 2.002348] x9 : d2627c580300dc00 x8 : d2627c580300dc00 [ 2.007596] x7 : 0720072007200720 x6 : ffffff80802ecf00 [ 2.012845] x5 : 0000000000190004 x4 : 0000000000000000 [ 2.018094] x3 : ffffffc011d7b478 x2 : ffffffc011d7b480 [ 2.023343] x1 : 00000000ffffdfff x0 : 0000000000000017 [ 2.028594] Call trace: [ 2.031022] opp_debug_remove_one+0x2c/0x48 [ 2.035160] dev_pm_opp_put+0x94/0xb0 [ 2.038780] _opp_remove_all+0x7c/0xc8 [ 2.042486] _opp_remove_all_static+0x54/0x7c [ 2.046796] dev_pm_opp_remove_table+0x74/0x98 [ 2.051183] devm_pm_opp_of_table_release+0x18/0x24 [ 2.056001] devm_action_release+0x1c/0x28 [ 2.060053] release_nodes+0x23c/0x2b8 [ 2.063760] devres_release_group+0xcc/0xd0 [ 2.067900] component_bind+0xac/0x168 [ 2.071608] component_bind_all+0x98/0x124 [ 2.075664] msm_drm_bind+0x1e8/0x678 [ 2.079287] try_to_bring_up_master+0x60/0x134 [ 2.083674] component_master_add_with_match+0xd8/0x120 [ 2.088834] msm_pdev_probe+0x20c/0x2a0 [ 2.092629] platform_drv_probe+0x9c/0xbc [ 2.096598] really_probe+0x11c/0x46c [ 2.100217] driver_probe_device+0x8c/0xf0 [ 2.104270] device_driver_attach+0x54/0x78 [ 2.108407] __driver_attach+0x48/0x148 [ 2.112201] bus_for_each_dev+0x88/0xd4 [ 2.115998] driver_attach+0x2c/0x38 [ 2.119534] bus_add_driver+0x10c/0x200 [ 2.123330] driver_register+0x6c/0x104 [ 2.127122] __platform_driver_register+0x4c/0x58 [ 2.131767] msm_drm_register+0x6c/0x70 [ 2.135560] do_one_initcall+0x64/0x23c [ 2.139357] do_initcall_level+0xac/0x15c [ 2.143321] do_initcalls+0x5c/0x9c [ 2.146778] do_basic_setup+0x2c/0x38 [ 2.150401] kernel_init_freeable+0xf8/0x15c [ 2.154622] kernel_init+0x1c/0x11c [ 2.158079] ret_from_fork+0x10/0x30 [ 2.161615] ---[ end trace a2cc45a0f784b212 ]--- [ 2.166272] Removing OPP: 300000000 Signed-off-by: Mansur Alisha Shaik Signed-off-by: Stanimir Varbanov Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 371a75dfaadb5eb608d9987754c571272bd44610 Author: Sriram R Date: Thu Nov 25 15:00:14 2021 +0530 ath11k: Avoid NULL ptr access during mgmt tx cleanup [ Upstream commit a93789ae541c7d5c1c2a4942013adb6bcc5e2848 ] Currently 'ar' reference is not added in skb_cb during WMI mgmt tx. Though this is generally not used during tx completion callbacks, on interface removal the remaining idr cleanup callback uses the ar ptr from skb_cb from mgmt txmgmt_idr. Hence fill them during tx call for proper usage. Also free the skb which is missing currently in these callbacks. Crash_info: [19282.489476] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [19282.489515] pgd = 91eb8000 [19282.496702] [00000000] *pgd=00000000 [19282.502524] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [19282.783728] PC is at ath11k_mac_vif_txmgmt_idr_remove+0x28/0xd8 [ath11k] [19282.789170] LR is at idr_for_each+0xa0/0xc8 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2 Signed-off-by: Sriram R Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com Signed-off-by: Sasha Levin commit dbba81756c1b7a8e7a6df443f863d8da11c2054b Author: Zekun Shen Date: Fri Oct 29 16:19:23 2021 -0400 rsi: Fix out-of-bounds read in rsi_read_pkt() [ Upstream commit f1cb3476e48b60c450ec3a1d7da0805bffc6e43a ] rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by: Brendan Dolan-Gavitt Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin commit bac512a0f3fe611d076566328067bd430f0d888c Author: Zekun Shen Date: Fri Oct 29 15:49:03 2021 -0400 rsi: Fix use-after-free in rsi_rx_done_handler() [ Upstream commit b07e3c6ebc0c20c772c0f54042e430acec2945c3 ] When freeing rx_cb->rx_skb, the pointer is not set to NULL, a later rsi_rx_done_handler call will try to read the freed address. This bug will very likley lead to double free, although detected early as use-after-free bug. The bug is triggerable with a compromised/malfunctional usb device. After applying the patch, the same input no longer triggers the use-after-free. Attached is the kasan report from fuzzing. BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb] Read of size 4 at addr ffff8880188e5930 by task modprobe/231 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] __kasan_report.cold+0x37/0x7c ? dma_direct_unmap_page+0x90/0x110 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] kasan_report+0xe/0x20 rsi_rx_done_handler+0x354/0x430 [rsi_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __usb_hcd_giveback_urb+0x380/0x380 ? apic_timer_interrupt+0xa/0x20 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 ? handle_irq_event+0xcd/0x157 ? handle_edge_irq+0x1eb/0x7b0 irq_exit+0x114/0x140 do_IRQ+0x91/0x1e0 common_interrupt+0xf/0xf Reported-by: Brendan Dolan-Gavitt Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin commit b2762757f4e484f8a164546f93aca82568d87649 Author: Zekun Shen Date: Sat Oct 30 22:42:50 2021 -0400 mwifiex: Fix skb_over_panic in mwifiex_usb_recv() [ Upstream commit 04d80663f67ccef893061b49ec8a42ff7045ae84 ] Currently, with an unknown recv_type, mwifiex_usb_recv just return -1 without restoring the skb. Next time mwifiex_usb_rx_complete is invoked with the same skb, calling skb_put causes skb_over_panic. The bug is triggerable with a compromised/malfunctioning usb device. After applying the patch, skb_over_panic no longer shows up with the same input. Attached is the panic report from fuzzing. skbuff: skb_over_panic: text:000000003bf1b5fa len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8 tail:0x844 end:0x840 dev: kernel BUG at net/core/skbuff.c:109! invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60 RIP: 0010:skb_panic+0x15f/0x161 Call Trace: ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] skb_put.cold+0x24/0x24 mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __hrtimer_run_queues+0x316/0x740 ? __usb_hcd_giveback_urb+0x380/0x380 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 irq_exit+0x114/0x140 smp_apic_timer_interrupt+0xde/0x380 apic_timer_interrupt+0xf/0x20 Reported-by: Brendan Dolan-Gavitt Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home Signed-off-by: Sasha Levin commit bed51dafd5442c5c0e3e77d2891aebee05c1ba56 Author: Stephan Müller Date: Sun Nov 21 15:14:20 2021 +0100 crypto: jitter - consider 32 LSB for APT [ Upstream commit 552d03a223eda3df84526ab2c1f4d82e15eaee7a ] The APT compares the current time stamp with a pre-set value. The current code only considered the 4 LSB only. Yet, after reviews by mathematicians of the user space Jitter RNG version >= 3.1.0, it was concluded that the APT can be calculated on the 32 LSB of the time delta. Thi change is applied to the kernel. This fixes a bug where an AMD EPYC fails this test as its RDTSC value contains zeros in the LSB. The most appropriate fix would have been to apply a GCD calculation and divide the time stamp by the GCD. Yet, this is a significant code change that will be considered for a future update. Note, tests showed that constantly the GCD always was 32 on these systems, i.e. the 5 LSB were always zero (thus failing the APT since it only considered the 4 LSB for its calculation). Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0c3df095fab62e22b018e1c455f75c25062b4a32 Author: Chengfeng Ye Date: Fri Nov 5 06:45:07 2021 -0700 HSI: core: Fix return freed object in hsi_new_client [ Upstream commit a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ] cl is freed on error of calling device_register, but this object is return later, which will cause uaf issue. Fix it by return NULL on error. Signed-off-by: Chengfeng Ye Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 8c124608bf46dc450cbe71dc713aa82159349bd2 Author: Hans de Goede Date: Thu Nov 25 21:30:10 2021 +0100 gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use [ Upstream commit bdfd6ab8fdccd8b138837efff66f4a1911496378 ] If the IRQ is already in use, then acpi_dev_gpio_irq_get_by() really should not change the type underneath the current owner. I specifically hit an issue with this an a Chuwi Hi8 Super (CWI509) Bay Trail tablet, when the Boot OS selection in the BIOS is set to Android. In this case _STA for a MAX17047 ACPI I2C device wrongly returns 0xf and the _CRS resources for this device include a GpioInt pointing to a GPIO already in use by an _AEI handler, with a different type then specified in the _CRS for the MAX17047 device. Leading to the acpi_dev_gpio_irq_get() call done by the i2c-core-acpi.c code changing the type breaking the _AEI handler. Now this clearly is a bug in the DSDT of this tablet (in Android mode), but in general calling irq_set_irq_type() on an IRQ which already is in use seems like a bad idea. Signed-off-by: Hans de Goede Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit c6d9c77a19d0a46ee1bb4ae9d952f4f9347ef07f Author: Fugang Duan Date: Thu Nov 25 10:03:49 2021 +0800 tty: serial: imx: disable UCR4_OREN in .stop_rx() instead of .shutdown() [ Upstream commit 028e083832b06fdeeb290e1e57dc1f6702c4c215 ] The UCR4_OREN should be disabled before disabling the uart receiver in .stop_rx() instead of in the .shutdown(). Otherwise, if we have the overrun error during the receiver disable process, the overrun interrupt will keep trigging until we disable the OREN interrupt in the .shutdown(), because the ORE status can only be cleared when read the rx FIFO or reset the controller. Although the called time between the receiver disable and OREN disable in .shutdown() is very short, there is still the risk of endless interrupt during this short period of time. So here change to disable OREN before the receiver been disabled in .stop_rx(). Signed-off-by: Fugang Duan Signed-off-by: Sherry Sun Link: https://lore.kernel.org/r/20211125020349.4980-1-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 93306292b7760a446392b7f2a24d260224e204b5 Author: Jiri Slaby Date: Thu Nov 18 08:31:09 2021 +0100 mxser: keep only !tty test in ISR [ Upstream commit 274ab58dc2b460cc474ffc7ccfcede4b2be1a3f5 ] The others are superfluous with tty refcounting in place now. And they are racy in fact: * tty_port_initialized() reports false for a small moment after interrupts are enabled. * closing is 1 while the port is still alive. The queues are flushed later during close anyway. So there is no need for this special handling. Actually, the ISR should not flush the queues. It should behave as every other driver, just queue the chars into tty buffer and go on. But this will be changed later. There is still a lot code depending on having tty in ISR (and not only tty_port). Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211118073125.12283-4-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 405856460d3e7aefb7c1aef047ec88fc4ef2e2a5 Author: Martyn Welch Date: Thu Nov 25 10:53:02 2021 +0000 drm/bridge: megachips: Ensure both bridges are probed before registration [ Upstream commit 11632d4aa2b3f126790e81a4415d6c23103cf8bb ] In the configuration used by the b850v3, the STDP2690 is used to read EDID data whilst it's the STDP4028 which can detect when monitors are connected. This can result in problems at boot with monitors connected when the STDP4028 is probed first, a monitor is detected and an attempt is made to read the EDID data before the STDP2690 has probed: [ 3.795721] Unable to handle kernel NULL pointer dereference at virtual address 00000018 [ 3.803845] pgd = (ptrval) [ 3.806581] [00000018] *pgd=00000000 [ 3.810180] Internal error: Oops: 5 [#1] SMP ARM [ 3.814813] Modules linked in: [ 3.817879] CPU: 0 PID: 64 Comm: kworker/u4:1 Not tainted 5.15.0 #1 [ 3.824161] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 3.830705] Workqueue: events_unbound deferred_probe_work_func [ 3.836565] PC is at stdp2690_get_edid+0x44/0x19c [ 3.841286] LR is at ge_b850v3_lvds_get_modes+0x2c/0x5c [ 3.846526] pc : [<805eae10>] lr : [<805eb138>] psr: 80000013 [ 3.852802] sp : 81c359d0 ip : 7dbb550b fp : 81c35a1c [ 3.858037] r10: 81c73840 r9 : 81c73894 r8 : 816d9800 [ 3.863270] r7 : 00000000 r6 : 81c34000 r5 : 00000000 r4 : 810c35f0 [ 3.869808] r3 : 80e3e294 r2 : 00000080 r1 : 00000cc0 r0 : 81401180 [ 3.876349] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 3.883499] Control: 10c5387d Table: 1000404a DAC: 00000051 [ 3.889254] Register r0 information: slab kmem_cache start 81401180 pointer offset 0 [ 3.897034] Register r1 information: non-paged memory [ 3.902097] Register r2 information: non-paged memory [ 3.907160] Register r3 information: non-slab/vmalloc memory [ 3.912832] Register r4 information: non-slab/vmalloc memory [ 3.918503] Register r5 information: NULL pointer [ 3.923217] Register r6 information: non-slab/vmalloc memory [ 3.928887] Register r7 information: NULL pointer [ 3.933601] Register r8 information: slab kmalloc-1k start 816d9800 pointer offset 0 size 1024 [ 3.942244] Register r9 information: slab kmalloc-2k start 81c73800 pointer offset 148 size 2048 [ 3.951058] Register r10 information: slab kmalloc-2k start 81c73800 pointer offset 64 size 2048 [ 3.959873] Register r11 information: non-slab/vmalloc memory [ 3.965632] Register r12 information: non-paged memory [ 3.970781] Process kworker/u4:1 (pid: 64, stack limit = 0x(ptrval)) [ 3.977148] Stack: (0x81c359d0 to 0x81c36000) [ 3.981517] 59c0: 80b2b668 80b2b5bc 000002e2 0000034e [ 3.989712] 59e0: 81c35a8c 816d98e8 81c35a14 7dbb550b 805bfcd0 810c35f0 81c73840 824addc0 [ 3.997906] 5a00: 00001000 816d9800 81c73894 81c73840 81c35a34 81c35a20 805eb138 805eadd8 [ 4.006099] 5a20: 810c35f0 00000045 81c35adc 81c35a38 80594188 805eb118 80d7c788 80dd1848 [ 4.014292] 5a40: 00000000 81c35a50 80dca950 811194d3 80dca7c4 80dca944 80dca91c 816d9800 [ 4.022485] 5a60: 81c34000 81c760a8 816d9800 80c58c98 810c35f0 816d98e8 00001000 00001000 [ 4.030678] 5a80: 00000000 00000000 8017712c 81c60000 00000002 00000001 00000000 00000000 [ 4.038870] 5aa0: 816d9900 816d9900 00000000 7dbb550b 805c700c 00000008 826282c8 826282c8 [ 4.047062] 5ac0: 00001000 81e1ce40 00001000 00000002 81c35bf4 81c35ae0 805d9694 80593fc0 [ 4.055255] 5ae0: 8017a970 80179ad8 00000179 00000000 81c35bcc 81c35b00 80177108 8017a950 [ 4.063447] 5b00: 00000000 81c35b10 81c34000 00000000 81004fd8 81010a38 00000000 00000059 [ 4.071639] 5b20: 816d98d4 81fbb718 00000013 826282c8 8017a940 81c35b40 81134448 00000400 [ 4.079831] 5b40: 00000178 00000000 e063b9c1 00000000 c2000049 00000040 00000000 00000008 [ 4.088024] 5b60: 82628300 82628380 00000000 00000000 81c34000 00000000 81fbb700 82628340 [ 4.096216] 5b80: 826283c0 00001000 00000000 00000010 816d9800 826282c0 801766f8 00000000 [ 4.104408] 5ba0: 00000000 81004fd8 00000049 00000000 00000000 00000001 80dcf940 80178de4 [ 4.112601] 5bc0: 81c35c0c 7dbb550b 80178de4 81fbb700 00000010 00000010 810c35f4 81e1ce40 [ 4.120793] 5be0: 81c40908 0000000c 81c35c64 81c35bf8 805a7f18 805d94a0 81c35c3c 816d9800 [ 4.128985] 5c00: 00000010 81c34000 81c35c2c 81c35c18 8012fce0 805be90c 81c35c3c 81c35c28 [ 4.137178] 5c20: 805be90c 80173210 81fbb600 81fbb6b4 81c35c5c 7dbb550b 81c35c64 81fbb700 [ 4.145370] 5c40: 816d9800 00000010 810c35f4 81e1ce40 81c40908 0000000c 81c35c84 81c35c68 [ 4.153565] 5c60: 805a8c78 805a7ed0 816d9800 81fbb700 00000010 00000000 81c35cac 81c35c88 [ 4.161758] 5c80: 805a8dc4 805a8b68 816d9800 00000000 816d9800 00000000 8179f810 810c42d0 [ 4.169950] 5ca0: 81c35ccc 81c35cb0 805e47b0 805a8d18 824aa240 81e1ea80 81c40908 81126b60 [ 4.178144] 5cc0: 81c35d14 81c35cd0 8060db1c 805e46cc 81c35d14 81c35ce0 80dd90f8 810c4d58 [ 4.186338] 5ce0: 80dd90dc 81fe9740 fffffffe 81fe9740 81e1ea80 00000000 810c4d6c 80c4b95c [ 4.194531] 5d00: 80dd9a3c 815c6810 81c35d34 81c35d18 8060dc9c 8060d8fc 8246b440 815c6800 [ 4.202724] 5d20: 815c6810 eefd8e00 81c35d44 81c35d38 8060dd80 8060dbec 81c35d6c 81c35d48 [ 4.210918] 5d40: 805e98a4 8060dd70 00000000 815c6810 810c45b0 81126e90 81126e90 80dd9a3c [ 4.219112] 5d60: 81c35d8c 81c35d70 80619574 805e9808 815c6810 00000000 810c45b0 81126e90 [ 4.227305] 5d80: 81c35db4 81c35d90 806168dc 80619514 80625df0 80623c80 815c6810 810c45b0 [ 4.235498] 5da0: 81c35e6c 815c6810 81c35dec 81c35db8 80616d04 80616800 81c35de4 81c35dc8 [ 4.243691] 5dc0: 808382b0 80b2f444 8116e310 8116e314 81c35e6c 815c6810 00000003 80dd9a3c [ 4.251884] 5de0: 81c35e14 81c35df0 80616ec8 80616c60 00000001 810c45b0 81c35e6c 815c6810 [ 4.260076] 5e00: 00000001 80dd9a3c 81c35e34 81c35e18 80617338 80616e90 00000000 81c35e6c [ 4.268269] 5e20: 80617284 81c34000 81c35e64 81c35e38 80614730 80617290 81c35e64 8171a06c [ 4.276461] 5e40: 81e220b8 7dbb550b 815c6810 81c34000 815c6854 81126e90 81c35e9c 81c35e68 [ 4.284654] 5e60: 8061673c 806146a8 8060f5e0 815c6810 00000001 7dbb550b 00000000 810c5080 [ 4.292847] 5e80: 810c5320 815c6810 81126e90 00000000 81c35eac 81c35ea0 80617554 80616650 [ 4.301040] 5ea0: 81c35ecc 81c35eb0 80615694 80617544 810c5080 810c5080 810c5094 81126e90 [ 4.309233] 5ec0: 81c35efc 81c35ed0 80615c6c 8061560c 80615bc0 810c50c0 817eeb00 81412800 [ 4.317425] 5ee0: 814c3000 00000000 814c300d 81119a60 81c35f3c 81c35f00 80141488 80615bcc [ 4.325618] 5f00: 81c60000 81c34000 81c35f24 81c35f18 80143078 817eeb00 81412800 817eeb18 [ 4.333811] 5f20: 81412818 81003d00 00000088 81412800 81c35f74 81c35f40 80141a48 80141298 [ 4.342005] 5f40: 81c35f74 81c34000 801481ac 817efa40 817efc00 801417d8 817eeb00 00000000 [ 4.350199] 5f60: 815a7e7c 81c34000 81c35fac 81c35f78 80149b1c 801417e4 817efc20 817efc20 [ 4.358391] 5f80: ffffe000 817efa40 801499a8 00000000 00000000 00000000 00000000 00000000 [ 4.366583] 5fa0: 00000000 81c35fb0 80100130 801499b4 00000000 00000000 00000000 00000000 [ 4.374774] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 4.382966] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [ 4.391155] Backtrace: [ 4.393613] [<805eadcc>] (stdp2690_get_edid) from [<805eb138>] (ge_b850v3_lvds_get_modes+0x2c/0x5c) [ 4.402691] r10:81c73840 r9:81c73894 r8:816d9800 r7:00001000 r6:824addc0 r5:81c73840 [ 4.410534] r4:810c35f0 [ 4.413073] [<805eb10c>] (ge_b850v3_lvds_get_modes) from [<80594188>] (drm_helper_probe_single_connector_modes+0x1d4/0x84c) [ 4.424240] r5:00000045 r4:810c35f0 [ 4.427822] [<80593fb4>] (drm_helper_probe_single_connector_modes) from [<805d9694>] (drm_client_modeset_probe+0x200/0x1384) [ 4.439074] r10:00000002 r9:00001000 r8:81e1ce40 r7:00001000 r6:826282c8 r5:826282c8 [ 4.446917] r4:00000008 [ 4.449455] [<805d9494>] (drm_client_modeset_probe) from [<805a7f18>] (__drm_fb_helper_initial_config_and_unlock+0x54/0x5b4) [ 4.460713] r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:00000010 [ 4.468556] r4:81fbb700 [ 4.471095] [<805a7ec4>] (__drm_fb_helper_initial_config_and_unlock) from [<805a8c78>] (drm_fbdev_client_hotplug+0x11c/0x1b0) [ 4.482434] r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:816d9800 [ 4.490276] r4:81fbb700 [ 4.492814] [<805a8b5c>] (drm_fbdev_client_hotplug) from [<805a8dc4>] (drm_fbdev_generic_setup+0xb8/0x1a4) [ 4.502494] r7:00000000 r6:00000010 r5:81fbb700 r4:816d9800 [ 4.508160] [<805a8d0c>] (drm_fbdev_generic_setup) from [<805e47b0>] (imx_drm_bind+0xf0/0x130) [ 4.516805] r7:810c42d0 r6:8179f810 r5:00000000 r4:816d9800 [ 4.522474] [<805e46c0>] (imx_drm_bind) from [<8060db1c>] (try_to_bring_up_master+0x22c/0x2f0) [ 4.531116] r7:81126b60 r6:81c40908 r5:81e1ea80 r4:824aa240 [ 4.536783] [<8060d8f0>] (try_to_bring_up_master) from [<8060dc9c>] (__component_add+0xbc/0x184) [ 4.545597] r10:815c6810 r9:80dd9a3c r8:80c4b95c r7:810c4d6c r6:00000000 r5:81e1ea80 [ 4.553440] r4:81fe9740 [ 4.555980] [<8060dbe0>] (__component_add) from [<8060dd80>] (component_add+0x1c/0x20) [ 4.563921] r7:eefd8e00 r6:815c6810 r5:815c6800 r4:8246b440 [ 4.569589] [<8060dd64>] (component_add) from [<805e98a4>] (dw_hdmi_imx_probe+0xa8/0xe8) [ 4.577702] [<805e97fc>] (dw_hdmi_imx_probe) from [<80619574>] (platform_probe+0x6c/0xc8) [ 4.585908] r9:80dd9a3c r8:81126e90 r7:81126e90 r6:810c45b0 r5:815c6810 r4:00000000 [ 4.593662] [<80619508>] (platform_probe) from [<806168dc>] (really_probe+0xe8/0x460) [ 4.601524] r7:81126e90 r6:810c45b0 r5:00000000 r4:815c6810 [ 4.607191] [<806167f4>] (really_probe) from [<80616d04>] (__driver_probe_device+0xb0/0x230) [ 4.615658] r7:815c6810 r6:81c35e6c r5:810c45b0 r4:815c6810 [ 4.621326] [<80616c54>] (__driver_probe_device) from [<80616ec8>] (driver_probe_device+0x44/0xe0) [ 4.630313] r9:80dd9a3c r8:00000003 r7:815c6810 r6:81c35e6c r5:8116e314 r4:8116e310 [ 4.638068] [<80616e84>] (driver_probe_device) from [<80617338>] (__device_attach_driver+0xb4/0x12c) [ 4.647227] r9:80dd9a3c r8:00000001 r7:815c6810 r6:81c35e6c r5:810c45b0 r4:00000001 [ 4.654981] [<80617284>] (__device_attach_driver) from [<80614730>] (bus_for_each_drv+0x94/0xd8) [ 4.663794] r7:81c34000 r6:80617284 r5:81c35e6c r4:00000000 [ 4.669461] [<8061469c>] (bus_for_each_drv) from [<8061673c>] (__device_attach+0xf8/0x190) [ 4.677753] r7:81126e90 r6:815c6854 r5:81c34000 r4:815c6810 [ 4.683419] [<80616644>] (__device_attach) from [<80617554>] (device_initial_probe+0x1c/0x20) [ 4.691971] r8:00000000 r7:81126e90 r6:815c6810 r5:810c5320 r4:810c5080 [ 4.698681] [<80617538>] (device_initial_probe) from [<80615694>] (bus_probe_device+0x94/0x9c) [ 4.707318] [<80615600>] (bus_probe_device) from [<80615c6c>] (deferred_probe_work_func+0xac/0xf0) [ 4.716305] r7:81126e90 r6:810c5094 r5:810c5080 r4:810c5080 [ 4.721973] [<80615bc0>] (deferred_probe_work_func) from [<80141488>] (process_one_work+0x1fc/0x54c) [ 4.731139] r10:81119a60 r9:814c300d r8:00000000 r7:814c3000 r6:81412800 r5:817eeb00 [ 4.738981] r4:810c50c0 r3:80615bc0 [ 4.742563] [<8014128c>] (process_one_work) from [<80141a48>] (worker_thread+0x270/0x570) [ 4.750765] r10:81412800 r9:00000088 r8:81003d00 r7:81412818 r6:817eeb18 r5:81412800 [ 4.758608] r4:817eeb00 [ 4.761147] [<801417d8>] (worker_thread) from [<80149b1c>] (kthread+0x174/0x190) [ 4.768574] r10:81c34000 r9:815a7e7c r8:00000000 r7:817eeb00 r6:801417d8 r5:817efc00 [ 4.776417] r4:817efa40 [ 4.778955] [<801499a8>] (kthread) from [<80100130>] (ret_from_fork+0x14/0x24) [ 4.786201] Exception stack(0x81c35fb0 to 0x81c35ff8) [ 4.791266] 5fa0: 00000000 00000000 00000000 00000000 [ 4.799459] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 4.807651] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 4.814279] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:801499a8 [ 4.822120] r4:817efa40 [ 4.824664] Code: e3a02080 e593001c e3a01d33 e3a05000 (e5979018) Split the registration from the STDP4028 probe routine and only perform registration once both the STDP4028 and STDP2690 have probed. Signed-off-by: Martyn Welch CC: Peter Senna Tschudin CC: Martyn Welch CC: Neil Armstrong CC: Robert Foss CC: Laurent Pinchart CC: Jonas Karlman CC: Jernej Skrabec Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/43552c3404e8fdf92d8bc5658fac24e9f03c2c57.1637836606.git.martyn.welch@collabora.com Signed-off-by: Sasha Levin commit 58d33532664c1580beeb127ffe771a7739fb63d3 Author: Martin Leung Date: Fri Nov 12 17:59:31 2021 -0500 drm/amd/display: add else to avoid double destroy clk_mgr [ Upstream commit 11dff0e871037a6ad978e52f826a2eb7f5fb274a ] [Why & How] when changing some code we accidentally changed else if-> if. reverting that. Reviewed-by: Aric Cyr Acked-by: Qingqing Zhuo Signed-off-by: Martin Leung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ae93accee3177fe36e136e749fc7f2616f2bf2d3 Author: Danielle Ratson Date: Tue Nov 23 09:54:47 2021 +0200 mlxsw: pci: Add shutdown method in PCI driver [ Upstream commit c1020d3cf4752f61a6a413f632ea2ce2370e150d ] On an arm64 platform with the Spectrum ASIC, after loading and executing a new kernel via kexec, the following trace [1] is observed. This seems to be caused by the fact that the device is not properly shutdown before executing the new kernel. Fix this by implementing a shutdown method which mirrors the remove method, as recommended by the kexec maintainer [2][3]. [1] BUG: Bad page state in process devlink pfn:22f73d page:fffffe00089dcf40 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x2ffff00000000000() raw: 2ffff00000000000 0000000000000000 ffffffff089d0201 0000000000000000 raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000 page dumped because: nonzero _refcount Modules linked in: CPU: 1 PID: 16346 Comm: devlink Tainted: G B 5.8.0-rc6-custom-273020-gac6b365b1bf5 #44 Hardware name: Marvell Armada 7040 TX4810M (DT) Call trace: dump_backtrace+0x0/0x1d0 show_stack+0x1c/0x28 dump_stack+0xbc/0x118 bad_page+0xcc/0xf8 check_free_page_bad+0x80/0x88 __free_pages_ok+0x3f8/0x418 __free_pages+0x38/0x60 kmem_freepages+0x200/0x2a8 slab_destroy+0x28/0x68 slabs_destroy+0x60/0x90 ___cache_free+0x1b4/0x358 kfree+0xc0/0x1d0 skb_free_head+0x2c/0x38 skb_release_data+0x110/0x1a0 skb_release_all+0x2c/0x38 consume_skb+0x38/0x130 __dev_kfree_skb_any+0x44/0x50 mlxsw_pci_rdq_fini+0x8c/0xb0 mlxsw_pci_queue_fini.isra.0+0x28/0x58 mlxsw_pci_queue_group_fini+0x58/0x88 mlxsw_pci_aqs_fini+0x2c/0x60 mlxsw_pci_fini+0x34/0x50 mlxsw_core_bus_device_unregister+0x104/0x1d0 mlxsw_devlink_core_bus_device_reload_down+0x2c/0x48 devlink_reload+0x44/0x158 devlink_nl_cmd_reload+0x270/0x290 genl_rcv_msg+0x188/0x2f0 netlink_rcv_skb+0x5c/0x118 genl_rcv+0x3c/0x50 netlink_unicast+0x1bc/0x278 netlink_sendmsg+0x194/0x390 __sys_sendto+0xe0/0x158 __arm64_sys_sendto+0x2c/0x38 el0_svc_common.constprop.0+0x70/0x168 do_el0_svc+0x28/0x88 el0_sync_handler+0x88/0x190 el0_sync+0x140/0x180 [2] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1195432.html [3] https://patchwork.kernel.org/project/linux-scsi/patch/20170212214920.28866-1-anton@ozlabs.org/#20116693 Cc: Eric Biederman Signed-off-by: Danielle Ratson Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b019927f1c4aa1daabdb7f332180e301c218ae37 Author: Jan Kiszka Date: Mon Jun 21 20:08:28 2021 +0200 soc: ti: pruss: fix referenced node in error message [ Upstream commit 8aa35e0bb5eaa42bac415ad0847985daa7b4890c ] So far, "(null)" is reported for the node that is missing clocks. Signed-off-by: Jan Kiszka Acked-by: Suman Anna Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/d6e24953-ea89-fd1c-6e16-7a0142118054@siemens.com Signed-off-by: Sasha Levin commit f94cf1cb17963905910c2adc332ebb9e44e7fa4b Author: Alex Deucher Date: Wed Nov 10 10:23:25 2021 -0500 drm/amdgpu/display: set vblank_disable_immediate for DC [ Upstream commit 92020e81ddbeac351ea4a19bcf01743f32b9c800 ] Disable vblanks immediately to save power. I think this was missed when we merged DC support. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1781 Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 1fffa8ffd62fc511d4447b793641252c4743e81c Author: Yang Li Date: Mon Nov 15 16:10:19 2021 +0800 drm/amd/display: check top_pipe_to_program pointer [ Upstream commit a689e8d1f80012f90384ebac9dcfac4201f9f77e ] Clang static analysis reports this error drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:2870:7: warning: Dereference of null pointer [clang-analyzer-core.NullDereference] if (top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { ^ top_pipe_to_program being NULL is caught as an error But then it is used to report the error. So add a check before using it. Reported-by: Abaci Robot Signed-off-by: Yang Li Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5e0f1c68da1e92ec598d3d547ae456e74412825a Author: Lukas Bulwahn Date: Thu Oct 28 16:19:33 2021 +0200 ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART [ Upstream commit b0100bce4ff82ec1ccd3c1f3d339fd2df6a81784 ] Since commit 4b563a066611 ("ARM: imx: Remove imx21 support"), the config DEBUG_IMX21_IMX27_UART is really only debug support for IMX27. So, rename this option to DEBUG_IMX27_UART and adjust dependencies in Kconfig and rename the definitions to IMX27 as further clean-up. This issue was discovered with ./scripts/checkkconfigsymbols.py, which reported that DEBUG_IMX21_IMX27_UART depends on the non-existing config SOC_IMX21. Signed-off-by: Lukas Bulwahn Reviewed-by: Arnd Bergmann Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b16e928b6a30126f11fcb0030ca9ded6b29062ff Author: Marek Vasut Date: Sat Oct 16 23:05:47 2021 +0200 soc: imx: gpcv2: Synchronously suspend MIX domains [ Upstream commit f756f435f7dd823f2d4bd593ce1bf3168def1308 ] In case the following power domain sequence happens, iMX8M Mini always hangs: gpumix:on -> gpu:on -> gpu:off -> gpu:on This is likely due to another quirk of the GPC block. This situation can be prevented by always synchronously powering off both the domain and MIX domain. Make it so. This turns the aforementioned sequence into: gpumix:on -> gpu:on -> gpu:off -> gpumix:off -> gpumix:on -> gpu:on Signed-off-by: Marek Vasut Cc: Frieder Schrempf Cc: Lucas Stach Cc: NXP Linux Team Cc: Peng Fan Cc: Shawn Guo Acked-by: Lucas Stach Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit f573eda00b394d9c784452c6be1b88b2571aa480 Author: Konrad Dybcio Date: Sun Nov 14 02:27:45 2021 +0100 arm64: dts: qcom: sm8350: Shorten camera-thermal-bottom name [ Upstream commit f52dd33943ca5f84ae76890f352f6d9e12512c3f ] Thermal zone names should not be longer than 20 names, which is indicated by a message at boot. Change "camera-thermal-bottom" to "cam-thermal-bottom" to fix it. Signed-off-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211114012755.112226-6-konrad.dybcio@somainline.org Signed-off-by: Sasha Levin commit c41c4bc61db250d8793424e73c2686bb89ff6b7b Author: Dinh Nguyen Date: Tue Oct 12 14:07:06 2021 -0500 EDAC/synopsys: Use the quirk for version instead of ddr version [ Upstream commit bd1d6da17c296bd005bfa656952710d256e77dd3 ] Version 2.40a supports DDR_ECC_INTR_SUPPORT for a quirk, so use that quirk to determine a call to setup_address_map(). Signed-off-by: Dinh Nguyen Signed-off-by: Borislav Petkov Reviewed-by: Michal Simek Link: https://lkml.kernel.org/r/20211012190709.1504152-1-dinguyen@kernel.org Signed-off-by: Sasha Levin commit 342aa207c9dafd9bfd0ce2ae12754a4d50543581 Author: Yang Li Date: Thu Nov 18 17:48:03 2021 +0800 ethernet: renesas: Use div64_ul instead of do_div [ Upstream commit d9f31aeaa1e5aefa68130878af3c3513d41c1e2d ] do_div() does a 64-by-32 division. Here the divisor is an unsigned long which on some platforms is 64 bit wide. So use div64_ul instead of do_div to avoid a possible truncation. Eliminate the following coccicheck warning: ./drivers/net/ethernet/renesas/ravb_main.c:2492:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_ul instead. Reported-by: Abaci Robot Signed-off-by: Yang Li Reviewed-by: Geert Uytterhoeven Reviewed-by: Sergey Shtylyov Link: https://lore.kernel.org/r/1637228883-100100-1-git-send-email-yang.lee@linux.alibaba.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a111f8e113c76efe7c9b3feffb4d487240d61286 Author: Andrii Nakryiko Date: Wed Nov 17 11:41:13 2021 -0800 libbpf: Accommodate DWARF/compiler bug with duplicated structs [ Upstream commit efdd3eb8015e7447095f02a26eaabd164cd18004 ] According to [0], compilers sometimes might produce duplicate DWARF definitions for exactly the same struct/union within the same compilation unit (CU). We've had similar issues with identical arrays and handled them with a similar workaround in 6b6e6b1d09aa ("libbpf: Accomodate DWARF/compiler bug with duplicated identical arrays"). Do the same for struct/union by ensuring that two structs/unions are exactly the same, down to the integer values of field referenced type IDs. Solving this more generically (allowing referenced types to be equivalent, but using different type IDs, all within a single CU) requires a huge complexity increase to handle many-to-many mappings between canonidal and candidate type graphs. Before we invest in that, let's see if this approach handles all the instances of this issue in practice. Thankfully it's pretty rare, it seems. [0] https://lore.kernel.org/bpf/YXr2NFlJTAhHdZqq@krava/ Reported-by: Jiri Olsa Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20211117194114.347675-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 299951bd1ef99087213709782a368ef2ce06dadf Author: Zheyu Ma Date: Tue May 11 10:00:03 2021 +0100 media: b2c2: Add missing check in flexcop_pci_isr: [ Upstream commit b13203032e679674c7c518f52a7ec0801ca3a829 ] A out-of-bounds bug can be triggered by an interrupt, the reason for this bug is the lack of checking of register values. In flexcop_pci_isr, the driver reads value from a register and uses it as a dma address. Finally, this address will be passed to the count parameter of find_next_packet. If this value is larger than the size of dma, the index of buffer will be out-of-bounds. Fix this by adding a check after reading the value of the register. The following KASAN report reveals it: BUG: KASAN: slab-out-of-bounds in find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline] BUG: KASAN: slab-out-of-bounds in _dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline] BUG: KASAN: slab-out-of-bounds in dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603 Read of size 1 at addr ffff8880608c00a0 by task swapper/2/0 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xec/0x156 lib/dump_stack.c:118 print_address_description+0x78/0x290 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x25b/0x380 mm/kasan/report.c:412 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430 find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline] _dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline] dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603 flexcop_pass_dmx_data+0x2e/0x40 drivers/media/common/b2c2/flexcop.c:167 flexcop_pci_isr+0x3d1/0x5d0 drivers/media/pci/b2c2/flexcop-pci.c:212 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 62 2f 8c 48 89 e5 e8 fb 31 e8 f8 8b 05 75 4f 8e 03 85 c0 7e 07 0f 00 2d 8a 61 66 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde44c8 RCX: ffffffff88a11285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2f6200 RBP: ffff88806b71fcc8 R08: fffffbfff185ec40 R09: fffffbfff185ec40 R10: 0000000000000001 R11: fffffbfff185ec40 R12: 0000000000000002 R13: ffffffff8be9d6e0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 Allocated by task 1: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x11/0x20 mm/kasan/kasan.c:490 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc_node mm/slub.c:2741 [inline] slab_alloc mm/slub.c:2749 [inline] kmem_cache_alloc+0xeb/0x280 mm/slub.c:2754 kmem_cache_zalloc include/linux/slab.h:699 [inline] __kernfs_new_node+0xe2/0x6f0 fs/kernfs/dir.c:633 kernfs_new_node+0x9a/0x120 fs/kernfs/dir.c:693 __kernfs_create_file+0x5f/0x340 fs/kernfs/file.c:992 sysfs_add_file_mode_ns+0x22a/0x4e0 fs/sysfs/file.c:306 create_files fs/sysfs/group.c:63 [inline] internal_create_group+0x34e/0xc30 fs/sysfs/group.c:147 sysfs_create_group fs/sysfs/group.c:173 [inline] sysfs_create_groups+0x9c/0x140 fs/sysfs/group.c:200 driver_add_groups+0x3e/0x50 drivers/base/driver.c:129 bus_add_driver+0x3a5/0x790 drivers/base/bus.c:684 driver_register+0x1cd/0x410 drivers/base/driver.c:170 __pci_register_driver+0x197/0x200 drivers/pci/pci-driver.c:1411 cx88_audio_pci_driver_init+0x23/0x25 drivers/media/pci/cx88/cx88-alsa.c: 1017 do_one_initcall+0xe0/0x610 init/main.c:884 do_initcall_level init/main.c:952 [inline] do_initcalls init/main.c:960 [inline] do_basic_setup init/main.c:978 [inline] kernel_init_freeable+0x4d0/0x592 init/main.c:1145 kernel_init+0x18/0x190 init/main.c:1062 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880608c0000 which belongs to the cache kernfs_node_cache of size 160 The buggy address is located 0 bytes to the right of 160-byte region [ffff8880608c0000, ffff8880608c00a0) The buggy address belongs to the page: page:ffffea0001823000 count:1 mapcount:0 mapping:ffff88806bed1e00 index:0x0 compound_mapcount: 0 flags: 0x100000000008100(slab|head) raw: 0100000000008100 dead000000000100 dead000000000200 ffff88806bed1e00 raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880608bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880608c0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880608c0080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 ^ ffff8880608c0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880608c0180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ================================================================== Link: https://lore.kernel.org/linux-media/1620723603-30912-1-git-send-email-zheyuma97@gmail.com Reported-by: Zheyu Ma Signed-off-by: Zheyu Ma Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3396b7cf1478b4776c10c7548ffcd621b64f4131 Author: José Expósito Date: Thu Nov 18 08:29:53 2021 +0100 HID: apple: Do not reset quirks when the Fn key is not found [ Upstream commit a5fe7864d8ada170f19cc47d176bf8260ffb4263 ] When a keyboard without a function key is detected, instead of removing all quirks, remove only the APPLE_HAS_FN quirk. Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit e6ad399596bd234be4722022146e33e15c7e424d Author: José Expósito Date: Thu Nov 18 17:52:08 2021 +0100 HID: magicmouse: Report battery level over USB [ Upstream commit 0b91b4e4dae63cd43871fc2012370b86ee588f91 ] When connected over USB, the Apple Magic Mouse 2 and the Apple Magic Trackpad 2 register multiple interfaces, one of them is used to report the battery level. However, unlike when connected over Bluetooth, the battery level is not reported automatically and it is required to fetch it manually. Fix the battery report descriptor and add a timer to fetch the battery level. Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit c350fcc74035f48ee5a7226faee7079dd0ce9565 Author: Hans de Goede Date: Sat Nov 6 14:02:27 2021 +0100 drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L [ Upstream commit bc30c3b0c8a1904d83d5f0d60fb8650a334b207b ] The Lenovo Yoga Book X91F/L uses a panel which has been mounted 90 degrees rotated. Add a quirk for this. Cc: Yauhen Kharuzhy Signed-off-by: Hans de Goede Acked-by: Simon Ser Tested-by: Yauhen Kharuzhy Link: https://patchwork.freedesktop.org/patch/msgid/20211106130227.11927-1-hdegoede@redhat.com Signed-off-by: Sasha Levin commit d168123f1388882bf5b41d07e5534a319f5fff1a Author: Brian Chen Date: Wed Nov 10 21:33:12 2021 +0000 psi: Fix PSI_MEM_FULL state when tasks are in memstall and doing reclaim [ Upstream commit cb0e52b7748737b2cf6481fdd9b920ce7e1ebbdf ] We've noticed cases where tasks in a cgroup are stalled on memory but there is little memory FULL pressure since tasks stay on the runqueue in reclaim. A simple example involves a single threaded program that keeps leaking and touching large amounts of memory. It runs in a cgroup with swap enabled, memory.high set at 10M and cpu.max ratio set at 5%. Though there is significant CPU pressure and memory SOME, there is barely any memory FULL since the task enters reclaim and stays on the runqueue. However, this memory-bound task is effectively stalled on memory and we expect memory FULL to match memory SOME in this scenario. The code is confused about memstall && running, thinking there is a stalled task and a productive task when there's only one task: a reclaimer that's counted as both. To fix this, we redefine the condition for PSI_MEM_FULL to check that all running tasks are in an active memstall instead of checking that there are no running tasks. case PSI_MEM_FULL: - return unlikely(tasks[NR_MEMSTALL] && !tasks[NR_RUNNING]); + return unlikely(tasks[NR_MEMSTALL] && + tasks[NR_RUNNING] == tasks[NR_MEMSTALL_RUNNING]); This will capture reclaimers. It will also capture tasks that called psi_memstall_enter() and are about to sleep, but this should be negligible noise. Signed-off-by: Brian Chen Signed-off-by: Peter Zijlstra (Intel) Acked-by: Johannes Weiner Link: https://lore.kernel.org/r/20211110213312.310243-1-brianchen118@gmail.com Signed-off-by: Sasha Levin commit 07888a4fbcf23dd79c2e361ded5b9bd98e881a7f Author: Pavankumar Kondeti Date: Fri Nov 12 15:54:40 2021 +0530 usb: gadget: f_fs: Use stream_open() for endpoint files [ Upstream commit c76ef96fc00eb398c8fc836b0eb2f82bcc619dc7 ] Function fs endpoint file operations are synchronized via an interruptible mutex wait. However we see threads that do ep file operations concurrently are getting blocked for the mutex lock in __fdget_pos(). This is an uninterruptible wait and we see hung task warnings and kernel panic if hung_task_panic systcl is enabled if host does not send/receive the data for long time. The reason for threads getting blocked in __fdget_pos() is due to the file position protection introduced by the commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX"). Since function fs endpoint files does not have the notion of the file position, switch to the stream mode. This will bypass the file position mutex and threads will be blocked in interruptible state for the function fs mutex. It should not affects user space as we are only changing the task state changes the task state from UNINTERRUPTIBLE to INTERRUPTIBLE while waiting for the USB transfers to be finished. However there is a slight change to the O_NONBLOCK behavior. Earlier threads that are using O_NONBLOCK are also getting blocked inside fdget_pos(). Now they reach to function fs and error code is returned. The non blocking behavior is actually honoured now. Reviewed-by: John Keeping Signed-off-by: Pavankumar Kondeti Link: https://lore.kernel.org/r/1636712682-1226-1-git-send-email-quic_pkondeti@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7171e60715a695f4c62c434e6df94b38965de3ec Author: Haimin Zhang Date: Sat Nov 13 11:53:20 2021 -0500 USB: ehci_brcm_hub_control: Improve port index sanitizing [ Upstream commit 9933698f6119886c110750e67c10ac66f12b730f ] Due to (wIndex & 0xff) - 1 can get an integer greater than 15, this can cause array index to be out of bounds since the size of array port_status is 15. This change prevents a possible out-of-bounds pointer computation by forcing the use of a valid port number. Reported-by: TCS Robot Signed-off-by: Haimin Zhang Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20211113165320.GA59686@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 432acc8ad2443807d59c51acf5058a1f14b55566 Author: Amjad Ouled-Ameur Date: Fri Nov 12 17:28:26 2021 +0100 usb: dwc3: meson-g12a: fix shared reset control use [ Upstream commit 4ce3b45704d5ef46fb4b28083c8aba6716fabf3b ] reset_control_(de)assert() calls are called on a shared reset line when reset_control_reset has been used. This is not allowed by the reset framework. Use reset_control_rearm() call in suspend() and remove() as a way to state that the resource is no longer used, hence the shared reset line may be triggered again by other devices. Use reset_control_rearm() also in case probe fails after reset() has been called. reset_control_rearm() keeps use of triggered_count sane in the reset framework, use of reset_control_reset() on shared reset line should be balanced with reset_control_rearm(). Signed-off-by: Amjad Ouled-Ameur Reported-by: Jerome Brunet Link: https://lore.kernel.org/r/20211112162827.128319-3-aouledameur@baylibre.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 79a3d8f1882d5ba1d221c0baef8f6d5d365ee509 Author: Baochen Qiang Date: Tue Oct 26 09:16:05 2021 +0800 ath11k: Fix crash caused by uninitialized TX ring [ Upstream commit 273703ebdb01b6c5f1aaf4b98fb57b177609055c ] Commit 31582373a4a8 ("ath11k: Change number of TCL rings to one for QCA6390") avoids initializing the other entries of dp->tx_ring cause the corresponding TX rings on QCA6390/WCN6855 are not used, but leaves those ring masks in ath11k_hw_ring_mask_qca6390.tx unchanged. Normally this is OK because we will only get interrupts from the first TX ring on these chips and thus only the first entry of dp->tx_ring is involved. In case of one MSI vector, all DP rings share the same IRQ. For each interrupt, all rings have to be checked, which means the other entries of dp->tx_ring are involved. However since they are not initialized, system crashes. Fix this issue by simply removing those ring masks. crash stack: [ 102.907438] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 102.907447] #PF: supervisor read access in kernel mode [ 102.907451] #PF: error_code(0x0000) - not-present page [ 102.907453] PGD 1081f0067 P4D 1081f0067 PUD 1081f1067 PMD 0 [ 102.907460] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 102.907465] CPU: 0 PID: 3511 Comm: apt-check Kdump: loaded Tainted: G E 5.15.0-rc4-wt-ath+ #20 [ 102.907470] Hardware name: AMD Celadon-RN/Celadon-RN, BIOS RCD1005E 10/08/2020 [ 102.907472] RIP: 0010:ath11k_dp_tx_completion_handler+0x201/0x830 [ath11k] [ 102.907497] Code: 3c 24 4e 8d ac 37 10 04 00 00 4a 8d bc 37 68 04 00 00 48 89 3c 24 48 63 c8 89 83 84 18 00 00 48 c1 e1 05 48 03 8b 78 18 00 00 <8b> 51 08 89 d6 83 e6 07 89 74 24 24 83 fe 03 74 04 85 f6 75 63 41 [ 102.907501] RSP: 0000:ffff9b7340003e08 EFLAGS: 00010202 [ 102.907505] RAX: 0000000000000001 RBX: ffff8e21530c0100 RCX: 0000000000000020 [ 102.907508] RDX: 0000000000000000 RSI: 00000000fffffe00 RDI: ffff8e21530c1938 [ 102.907511] RBP: ffff8e21530c0000 R08: 0000000000000001 R09: 0000000000000000 [ 102.907513] R10: ffff8e2145534c10 R11: 0000000000000001 R12: ffff8e21530c2938 [ 102.907515] R13: ffff8e21530c18e0 R14: 0000000000000100 R15: ffff8e21530c2978 [ 102.907518] FS: 00007f5d4297e740(0000) GS:ffff8e243d600000(0000) knlGS:0000000000000000 [ 102.907521] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.907524] CR2: 0000000000000028 CR3: 00000001034ea000 CR4: 0000000000350ef0 [ 102.907527] Call Trace: [ 102.907531] [ 102.907537] ath11k_dp_service_srng+0x5c/0x2f0 [ath11k] [ 102.907556] ath11k_pci_ext_grp_napi_poll+0x21/0x70 [ath11k_pci] [ 102.907562] __napi_poll+0x2c/0x160 [ 102.907570] net_rx_action+0x251/0x310 [ 102.907576] __do_softirq+0x107/0x2fc [ 102.907585] irq_exit_rcu+0x74/0x90 [ 102.907593] common_interrupt+0x83/0xa0 [ 102.907600] [ 102.907601] asm_common_interrupt+0x1e/0x40 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by: Baochen Qiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211026011605.58615-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin commit f1d85deaf343044ce4d2bb4983f9797df4f798c0 Author: Mauro Carvalho Chehab Date: Thu Nov 11 23:04:09 2021 +0000 media: atomisp: handle errors at sh_css_create_isp_params() [ Upstream commit 58043dbf6d1ae9deab4f5aa1e039c70112017682 ] The succ var tracks memory allocation erros on this function. Fix it, in order to stop this W=1 Werror in clang: drivers/staging/media/atomisp/pci/sh_css_params.c:2430:7: error: variable 'succ' set but not used [-Werror,-Wunused-but-set-variable] bool succ = true; ^ Reviewed-by: Nathan Chancellor Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bab93d53661778f788c48a57ec1b8f64cec72735 Author: Linus Lüssing Date: Sun Oct 31 22:30:12 2021 +0100 batman-adv: allow netlink usage in unprivileged containers [ Upstream commit 9057d6c23e7388ee9d037fccc9a7bc8557ce277b ] Currently, creating a batman-adv interface in an unprivileged LXD container and attaching secondary interfaces to it with "ip" or "batctl" works fine. However all batctl debug and configuration commands fail: root@container:~# batctl originators Error received: Operation not permitted root@container:~# batctl orig_interval 1000 root@container:~# batctl orig_interval 2000 root@container:~# batctl orig_interval 1000 To fix this change the generic netlink permissions from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully maintainable as root from within a user namespace, from an unprivileged container. All except one batman-adv netlink setting are per interface and do not leak information or change settings from the host system and are therefore save to retrieve or modify as root from within an unprivileged container. "batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only exception: It provides the batman-adv kernel module wide default routing algorithm. However it is read-only from netlink and an unprivileged container is still not allowed to modify /sys/module/batman_adv/parameters/routing_algo. Instead it is advised to use the newly introduced "batctl if create routing_algo RA_NAME" / IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface creation, which already works fine in an unprivileged container. Cc: Tycho Andersen Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin commit 5a47ca7f78944fd2d56113fc36cca97d1e25704f Author: Wan Jiabing Date: Sun Oct 17 21:45:03 2021 -0400 ARM: shmobile: rcar-gen2: Add missing of_node_put() [ Upstream commit 85744f2d938c5f3cfc44cb6533c157469634da93 ] Fix following coccicheck warning: ./arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c:156:1-33: Function for_each_matching_node_and_match should have of_node_put() before break and goto. Early exits from for_each_matching_node_and_match() should decrement the node reference counter. Signed-off-by: Wan Jiabing Link: https://lore.kernel.org/r/20211018014503.7598-1-wanjiabing@vivo.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 75272f75eddf15294a301cadab6f594153831c26 Author: Mauro Carvalho Chehab Date: Wed Nov 10 12:59:11 2021 +0000 media: atomisp: check before deference asd variable [ Upstream commit 71665d816214124d6bc4eb80314ac8f84ecacd78 ] The asd->isp was referenced before checking if asd is not NULL. This fixes this warning: ../drivers/staging/media/atomisp/pci/atomisp_cmd.c:5548 atomisp_set_fmt_to_snr() warn: variable dereferenced before check 'asd' (see line 5540) While here, avoid getting the pipe pointer twice. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8335807ce3132c6ff95af77685c54b66de80893b Author: Hans de Goede Date: Sun Nov 7 17:15:48 2021 +0000 media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure [ Upstream commit 4492289c31364d28c2680b43b18883385a5d216c ] Now that we restore the default or last user set exposure setting on power_up() there is no need for the registers written by ov2680_set_fmt() to write to the exposure register. Not doing so fixes the exposure always being reset to the value from the res->regs array after a set_fmt(). Link: https://lore.kernel.org/linux-media/20211107171549.267583-11-hdegoede@redhat.com Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f04b8bdddf7a56308f3be018c6beb6af9a8fc0de Author: Mauro Carvalho Chehab Date: Fri Oct 29 08:09:39 2021 +0100 media: atomisp: set per-device's default mode [ Upstream commit 2c45e343c581091835c9047ed5298518aa133163 ] The atomisp driver originally used the s_parm command to initialize the run_mode type to the driver. So, before start setting up the streaming, s_parm should be called. So, even having 5 "normal" video devices, one meant to be used for each type, the run_mode was actually selected when s_parm is called. Without setting the run mode, applications that don't call VIDIOC_SET_PARM with a custom atomisp parameters won't work, as the pipeline won't be set: atomisp-isp2 0000:00:03.0: can't create streams atomisp-isp2 0000:00:03.0: __get_frame_info 1600x1200 (padded to 0) returned -22 However, commit 8a7c5594c020 ("media: v4l2-ioctl: clear fields in s_parm") broke support for it, with a good reason, as drivers shoudn't be extending the API for their own purposes. So, as an step to allow generic apps to use this driver, put the device's run_mode in preview after open. After this patch, using v4l2grab starts to work on preview mode (/dev/video2): $ v4l2grab -f YUYV -x 1600 -y 1200 -d /dev/video2 -n 1 -u $ feh out000.pnm So, let's just setup the default run_mode that each video devnode should assume, setting it at open() time. Reported-by: Tsuchiya Yuto Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d4c0cb23e5b368e9df953948456aa15a0b19f18d Author: Mauro Carvalho Chehab Date: Thu Nov 4 11:45:27 2021 +0000 media: atomisp: fix try_fmt logic [ Upstream commit c9e9094c4e42124af909b2f5f6ded0498e0854ac ] The internal try_fmt logic is not meant to provide everything that the V4L2 API should provide. Also, it doesn't decrement the pads that are used only internally by the driver, but aren't part of the device's output. Fix it. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7be59e8a666098367574f927c3ba4a8754f419f4 Author: Ben Skeggs Date: Wed Feb 24 19:29:52 2021 +1000 drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR [ Upstream commit 1d2271d2fb85e54bfc9630a6c30ac0feb9ffb983 ] There have been reports of the WFI timing out on some boards, and a patch was proposed to just remove it. This stuff is rather fragile, and I believe the WFI might be needed with our FW prior to GM200. However, we probably should not be touching PMU during init on GPUs where we depend on NVIDIA FW, outside of limited circumstances, so this should be a somewhat safer change that achieves the desired result. Reported-by: Diego Viola Signed-off-by: Ben Skeggs Reviewed-by: Karol Herbst Signed-off-by: Karol Herbst Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10 Signed-off-by: Sasha Levin commit 0dedaf16ca439667e06c75df97563d20d00c3feb Author: Neil Armstrong Date: Fri Oct 29 15:59:47 2021 +0200 drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR [ Upstream commit 3f2532d65a571ca02258b547b5b68ab2e9406fdb ] The current ELD handling takes the internal connector ELD buffer and shares it to the I2S and AHB sub-driver. But with DRM_BRIDGE_ATTACH_NO_CONNECTOR, the connector is created elsewhere (or not), and an eventual connector is known only if the bridge chain up to a connector is enabled. The current dw-hdmi code gets the current connector from atomic_enable() so use the already stored connector pointer and replace the buffer pointer with a callback returning the current connector ELD buffer. Since a connector is not always available, either pass an empty ELD to the alsa HDMI driver or don't call snd_pcm_hw_constraint_eld() in AHB driver. Reported-by: Martin Blumenstingl Signed-off-by: Neil Armstrong [narmstrong: fixed typo in commit log] Acked-by: Jernej Skrabec Link: https://patchwork.freedesktop.org/patch/msgid/20211029135947.3022875-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit fbcd1e9f8a4306cea72195292658ab51f7722b98 Author: Zekun Shen Date: Thu Oct 28 18:37:49 2021 -0400 ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply [ Upstream commit ae80b6033834342601e99f74f6a62ff5092b1cee ] Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref when ar->tx_cmd->odata is NULL. The patch adds a null check to prevent such case. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] ar5523_cmd+0x46a/0x581 [ar5523] ar5523_probe.cold+0x1b7/0x18da [ar5523] ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523] ? __pm_runtime_set_status+0x54a/0x8f0 ? _raw_spin_trylock_bh+0x120/0x120 ? pm_runtime_barrier+0x220/0x220 ? __pm_runtime_resume+0xb1/0xf0 usb_probe_interface+0x25b/0x710 really_probe+0x209/0x5d0 driver_probe_device+0xc6/0x1b0 device_driver_attach+0xe2/0x120 I found the bug using a custome USBFuzz port. It's a research work to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, providing hand-crafted usb descriptors to QEMU. After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, I got the null-ptr-deref bug. I believe the bug is triggerable whenever cmd->odata is NULL. After patching, I tested with the same input and no longer see the KASAN report. This was NOT tested on a real device. Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin commit 1f1161c9bb4783ab7ab081e225d4b65407bd1ef4 Author: Andrii Nakryiko Date: Sun Nov 7 08:55:21 2021 -0800 selftests/bpf: Fix bpf_object leak in skb_ctx selftest [ Upstream commit 8c7a95520184b6677ca6075e12df9c208d57d088 ] skb_ctx selftest didn't close bpf_object implicitly allocated by bpf_prog_test_load() helper. Fix the problem by explicitly calling bpf_object__close() at the end of the test. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Reviewed-by: Hengqi Chen Link: https://lore.kernel.org/bpf/20211107165521.9240-10-andrii@kernel.org Signed-off-by: Sasha Levin commit 57d3ec1106fcbde49083adbb7feb8930d1a787a2 Author: Andrii Nakryiko Date: Sun Nov 7 08:55:20 2021 -0800 selftests/bpf: Destroy XDP link correctly [ Upstream commit f91231eeeed752119f49eb6620cae44ec745a007 ] bpf_link__detach() was confused with bpf_link__destroy() and leaves leaked FD in the process. Fix the problem. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Reviewed-by: Hengqi Chen Link: https://lore.kernel.org/bpf/20211107165521.9240-9-andrii@kernel.org Signed-off-by: Sasha Levin commit 7ffd2af8085c845f6935fe93768812439ce3b14b Author: Andrii Nakryiko Date: Sun Nov 7 08:55:15 2021 -0800 selftests/bpf: Fix memory leaks in btf_type_c_dump() helper [ Upstream commit 8ba285874913da21ca39a46376e9cc5ce0f45f94 ] Free up memory and resources used by temporary allocated memstream and btf_dump instance. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Reviewed-by: Hengqi Chen Link: https://lore.kernel.org/bpf/20211107165521.9240-4-andrii@kernel.org Signed-off-by: Sasha Levin commit 9c46c1f1d2acc00151bd92959634fef74641c7e6 Author: Qiang Yu Date: Sun Oct 31 12:16:04 2021 +0800 drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y [ Upstream commit 89636a06fa2ee7826a19c39c19a9bc99ab9340a9 ] Otherwise get following warning: DMA-API: lima 1c40000.gpu: mapping sg segment longer than device claims to support [len=4149248] [max=65536] See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5496 Reviewed-by: Vasily Khoruzhick Reported-by: Roman Stratiienko Signed-off-by: Qiang Yu Link: https://patchwork.freedesktop.org/patch/msgid/20211031041604.187216-1-yuq825@gmail.com Signed-off-by: Sasha Levin commit 5dc41e6caecc2c66646600f85f69f6f9982ee087 Author: Alexander Aring Date: Tue Nov 2 15:17:24 2021 -0400 fs: dlm: filter user dlm messages for kernel locks [ Upstream commit 6c2e3bf68f3e5e5a647aa52be246d5f552d7496d ] This patch fixes the following crash by receiving a invalid message: [ 160.672220] ================================================================== [ 160.676206] BUG: KASAN: user-memory-access in dlm_user_add_ast+0xc3/0x370 [ 160.679659] Read of size 8 at addr 00000000deadbeef by task kworker/u32:13/319 [ 160.681447] [ 160.681824] CPU: 10 PID: 319 Comm: kworker/u32:13 Not tainted 5.14.0-rc2+ #399 [ 160.683472] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.14.0-1.module+el8.6.0+12648+6ede71a5 04/01/2014 [ 160.685574] Workqueue: dlm_recv process_recv_sockets [ 160.686721] Call Trace: [ 160.687310] dump_stack_lvl+0x56/0x6f [ 160.688169] ? dlm_user_add_ast+0xc3/0x370 [ 160.689116] kasan_report.cold.14+0x116/0x11b [ 160.690138] ? dlm_user_add_ast+0xc3/0x370 [ 160.690832] dlm_user_add_ast+0xc3/0x370 [ 160.691502] _receive_unlock_reply+0x103/0x170 [ 160.692241] _receive_message+0x11df/0x1ec0 [ 160.692926] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 160.693700] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 160.694427] ? lock_acquire+0x175/0x400 [ 160.695058] ? do_purge.isra.51+0x200/0x200 [ 160.695744] ? lock_acquired+0x360/0x5d0 [ 160.696400] ? lock_contended+0x6a0/0x6a0 [ 160.697055] ? lock_release+0x21d/0x5e0 [ 160.697686] ? lock_is_held_type+0xe0/0x110 [ 160.698352] ? lock_is_held_type+0xe0/0x110 [ 160.699026] ? ___might_sleep+0x1cc/0x1e0 [ 160.699698] ? dlm_wait_requestqueue+0x94/0x140 [ 160.700451] ? dlm_process_requestqueue+0x240/0x240 [ 160.701249] ? down_write_killable+0x2b0/0x2b0 [ 160.701988] ? do_raw_spin_unlock+0xa2/0x130 [ 160.702690] dlm_receive_buffer+0x1a5/0x210 [ 160.703385] dlm_process_incoming_buffer+0x726/0x9f0 [ 160.704210] receive_from_sock+0x1c0/0x3b0 [ 160.704886] ? dlm_tcp_shutdown+0x30/0x30 [ 160.705561] ? lock_acquire+0x175/0x400 [ 160.706197] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 160.706941] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 160.707681] process_recv_sockets+0x32/0x40 [ 160.708366] process_one_work+0x55e/0xad0 [ 160.709045] ? pwq_dec_nr_in_flight+0x110/0x110 [ 160.709820] worker_thread+0x65/0x5e0 [ 160.710423] ? process_one_work+0xad0/0xad0 [ 160.711087] kthread+0x1ed/0x220 [ 160.711628] ? set_kthread_struct+0x80/0x80 [ 160.712314] ret_from_fork+0x22/0x30 The issue is that we received a DLM message for a user lock but the destination lock is a kernel lock. Note that the address which is trying to derefence is 00000000deadbeef, which is in a kernel lock lkb->lkb_astparam, this field should never be derefenced by the DLM kernel stack. In case of a user lock lkb->lkb_astparam is lkb->lkb_ua (memory is shared by a union field). The struct lkb_ua will be handled by the DLM kernel stack but on a kernel lock it will contain invalid data and ends in most likely crashing the kernel. It can be reproduced with two cluster nodes. node 2: dlm_tool join test echo "862 fooobaar 1 2 1" > /sys/kernel/debug/dlm/test_locks echo "862 3 1" > /sys/kernel/debug/dlm/test_waiters node 1: dlm_tool join test python: foo = DLM(h_cmd=3, o_nextcmd=1, h_nodeid=1, h_lockspace=0x77222027, \ m_type=7, m_flags=0x1, m_remid=0x862, m_result=0xFFFEFFFE) newFile = open("/sys/kernel/debug/dlm/comms/2/rawmsg", "wb") newFile.write(bytes(foo)) Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 41966cae91f1446449fba546f870e62eb39904aa Author: Archie Pusaka Date: Thu Oct 28 19:17:25 2021 +0800 Bluetooth: Fix removing adv when processing cmd complete [ Upstream commit 2128939fe2e771645dd88e1938c27fdf96bd1cd0 ] If we remove one instance of adv using Set Extended Adv Enable, there is a possibility of issue occurs when processing the Command Complete event. Especially, the adv_info might not be found since we already remove it in hci_req_clear_adv_instance() -> hci_remove_adv_instance(). If that's the case, we will mistakenly proceed to remove all adv instances instead of just one single instance. This patch fixes the issue by checking the content of the HCI command instead of checking whether the adv_info is found. Signed-off-by: Archie Pusaka Reviewed-by: Sonny Sasaka Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 57347363de0bc55adb5dbb3f2f5739f3f38d9b63 Author: Brian Norris Date: Thu Sep 23 17:33:55 2021 -0700 drm/panel: Delete panel on mipi_dsi_attach() failure [ Upstream commit 9bf7123bb07f98dc76acb5daa91248e6f95713cb ] Many DSI panel drivers fail to clean up their panel references on mipi_dsi_attach() failure, so we're leaving a dangling drm_panel reference to freed memory. Clean that up on failure. Noticed by inspection, after seeing similar problems on other drivers. Therefore, I'm not marking Fixes/stable. Signed-off-by: Brian Norris Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.3.If9e74fa9b1d6eaa9e0e5b95b2b957b992740251c@changeid Signed-off-by: Sasha Levin commit 493c7d56ac22bcea643750ffb8dcbda8a62b5472 Author: Wei Yongjun Date: Wed Oct 13 16:55:01 2021 +0800 Bluetooth: Fix memory leak of hci device [ Upstream commit 75d9b8559ac36e059238ee4f8e33cd86086586ba ] Fault injection test reported memory leak of hci device as follows: unreferenced object 0xffff88800b858000 (size 8192): comm "kworker/0:2", pid 167, jiffies 4294955747 (age 557.148s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. backtrace: [<0000000070eb1059>] kmem_cache_alloc_trace mm/slub.c:3208 [<00000000015eb521>] hci_alloc_dev_priv include/linux/slab.h:591 [<00000000dcfc1e21>] bpa10x_probe include/net/bluetooth/hci_core.h:1240 [<000000005d3028c7>] usb_probe_interface drivers/usb/core/driver.c:397 [<00000000cbac9243>] really_probe drivers/base/dd.c:517 [<0000000024cab3f0>] __driver_probe_device drivers/base/dd.c:751 [<00000000202135cb>] driver_probe_device drivers/base/dd.c:782 [<000000000761f2bc>] __device_attach_driver drivers/base/dd.c:899 [<00000000f7d63134>] bus_for_each_drv drivers/base/bus.c:427 [<00000000c9551f0b>] __device_attach drivers/base/dd.c:971 [<000000007f79bd16>] bus_probe_device drivers/base/bus.c:487 [<000000007bb8b95a>] device_add drivers/base/core.c:3364 [<000000009564d9ea>] usb_set_configuration drivers/usb/core/message.c:2171 [<00000000e4657087>] usb_generic_driver_probe drivers/usb/core/generic.c:239 [<0000000071ede518>] usb_probe_device drivers/usb/core/driver.c:294 [<00000000cbac9243>] really_probe drivers/base/dd.c:517 hci_alloc_dev() do not init the device's flag. And hci_free_dev() using put_device() to free the memory allocated for this device, but it calls just put_device(dev) only in case of HCI_UNREGISTER flag is set, So any error handing before hci_register_dev() success will cause memory leak. To avoid this behaviour we can using kfree() to release dev before hci_register_dev() success. Signed-off-by: Wei Yongjun Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d86db46b5cf5f02dc8c54da3b31d90e3dc7b02cd Author: Wei Yongjun Date: Wed Oct 13 16:55:46 2021 +0800 Bluetooth: Fix debugfs entry leak in hci_register_dev() [ Upstream commit 5a4bb6a8e981d3d0d492aa38412ee80b21033177 ] Fault injection test report debugfs entry leak as follows: debugfs: Directory 'hci0' with parent 'bluetooth' already present! When register_pm_notifier() failed in hci_register_dev(), the debugfs create by debugfs_create_dir() do not removed in the error handing path. Add the remove debugfs code to fix it. Signed-off-by: Wei Yongjun Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b03b18f0d1e913e4f9b9f251f6791962b3c781e9 Author: Merlijn Wajer Date: Sun Dec 12 23:40:07 2021 +0100 leds: lp55xx: initialise output direction from dts [ Upstream commit 9e87a8da747bf72365abb79e6f64fcca955b4f56 ] Commit a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to output") attempts to fix this, but the fix did not work since at least for the Nokia N900 the value needs to be set to HIGH, per the device tree. So rather than hardcoding the value to a potentially invalid value for some devices, let's set direction in lp55xx_init_device. Fixes: a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to output") Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") Fixes: ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors") Signed-off-by: Merlijn Wajer Reviewed-by: Linus Walleij Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit bc8c07fcb49212f125c2a35e2dff25d98d15163b Author: Sicelo A. Mhlongo Date: Sun Dec 12 23:40:06 2021 +0100 ARM: dts: omap3-n900: Fix lp5523 for multi color [ Upstream commit e9af026a3b24f59d7af4609f73e0ef60a4d6d516 ] Since the LED multicolor framework support was added in commit 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") LEDs on this platform stopped working. Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") Fixes: ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors") Signed-off-by: Merlijn Wajer Signed-off-by: Sicelo A. Mhlongo Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 55f8559ba8d354acc1896a129133b5a3d61453f1 Author: jason-jh.lin Date: Thu Dec 23 22:51:55 2021 +0800 mailbox: fix gce_num of mt8192 driver data [ Upstream commit 35ca43710f792ce183312fdc7e4b2bb0b721a173 ] Because mt8192 only have 1 gce, the gce_num should be 1. Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for mt8195") Signed-off-by: jason-jh.lin Reviewed-by: Matthias Brugger Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit 38e9447399ff98c94f8a57951319fa8d56014759 Author: Paul Cercueil Date: Fri Jan 7 18:57:22 2022 +0000 MIPS: compressed: Fix build with ZSTD compression [ Upstream commit c5c7440fe7f74645940d5c9e2c49cd7efb706a4f ] Fix the following build issues: mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_buildDTable_internal': decompress.c:(.text.FSE_buildDTable_internal+0x2cc): undefined reference to `__clzdi2' mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `BIT_initDStream': decompress.c:(.text.BIT_initDStream+0x7c): undefined reference to `__clzdi2' mips64el-linux-ld: decompress.c:(.text.BIT_initDStream+0x158): undefined reference to `__clzdi2' mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_buildFSETable_body_default.constprop.0': decompress.c:(.text.ZSTD_buildFSETable_body_default.constprop.0+0x2a8): undefined reference to `__clzdi2' mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_readNCount_body_default': decompress.c:(.text.FSE_readNCount_body_default+0x130): undefined reference to `__ctzdi2' mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x1a4): undefined reference to `__ctzdi2' mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x2e4): undefined reference to `__clzdi2' mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `HUF_readStats_body_default': decompress.c:(.text.HUF_readStats_body_default+0x184): undefined reference to `__clzdi2' mips64el-linux-ld: decompress.c:(.text.HUF_readStats_body_default+0x1b4): undefined reference to `__clzdi2' mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_DCtx_getParameter': decompress.c:(.text.ZSTD_DCtx_getParameter+0x60): undefined reference to `__clzdi2' Fixes: a510b616131f ("MIPS: Add support for ZSTD-compressed kernels") Reported-by: kernel test robot Reported-by: Nick Terrell Signed-off-by: Paul Cercueil Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 925b35b54583129c5addae509885428bfbfe8fa9 Author: Paul Cercueil Date: Fri Nov 19 17:50:52 2021 +0000 MIPS: boot/compressed/: add __ashldi3 to target for ZSTD compression [ Upstream commit fbf3bce458214bb971d3d571515b3b129eac290b ] Just like before with __bswapdi2(), for MIPS pre-boot when CONFIG_KERNEL_ZSTD=y the decompressor function will use __ashldi3(), so the object file should be added to the target object file. Fixes these build errors: mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_buildDTable_internal': decompress.c:(.text.FSE_buildDTable_internal+0x48): undefined reference to `__ashldi3' mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_decompress_wksp_body_default': decompress.c:(.text.FSE_decompress_wksp_body_default+0xa8): undefined reference to `__ashldi3' mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_getFrameHeader_advanced': decompress.c:(.text.ZSTD_getFrameHeader_advanced+0x134): undefined reference to `__ashldi3' Signed-off-by: Paul Cercueil Reviewed-by: Randy Dunlap Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit c19b9b755482162bab71a63a639d6df2fce90add Author: Stephen Boyd Date: Fri Jan 7 11:42:32 2022 -0800 of/fdt: Don't worry about non-memory region overlap for no-map [ Upstream commit da17d6905d29ddcdc04b2fdc37ed8cf1e8437cc8 ] In commit 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions") we returned -EBUSY when trying to mark regions as no-map when they intersect with reserved memory. The goal was to find bad no-map reserved memory DT nodes that would unmap the kernel text/data sections. The problem is the reserved memory check will still trigger if the DT has a /memreserve/ that completely subsumes the no-map memory carveouts in the reserved memory node _and_ that region is also not part of the memory reg property. For example in sc7180.dtsi we have the following reserved-memory and memory node: memory@80000000 { /* We expect the bootloader to fill in the size */ reg = <0 0x80000000 0 0>; }; smem_mem: memory@80900000 { reg = <0x0 0x80900000 0x0 0x200000>; no-map; }; and the memreserve filled in by the bootloader is /memreserve/ 0x80800000 0x400000; while the /memory node is transformed into memory@80000000 { /* The bootloader fills in the size, and adds another region */ reg = <0 0x80000000 0 0x00800000>, <0 0x80c00000 0 0x7f200000>; }; The smem region is doubly reserved via /memreserve/ and by not being part of the /memory reg property. This leads to the following warning printed at boot. OF: fdt: Reserved memory: failed to reserve memory for node 'memory@80900000': base 0x0000000080900000, size 2 MiB Otherwise nothing really goes wrong because the smem region is not going to be mapped by the kernel's direct linear mapping given that it isn't part of the memory node. Therefore, let's only consider this to be a problem if we're trying to mark a region as no-map and it is actually memory that we're intending to keep out of the kernel's direct mapping but it's already been reserved. Acked-by: Mike Rapoport Cc: Douglas Anderson Cc: Nicolas Boichat Cc: Quentin Perret Cc: Jan Kiszka Fixes: 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions") Signed-off-by: Stephen Boyd Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220107194233.2793146-1-swboyd@chromium.org Signed-off-by: Sasha Levin commit dc4e2dbe6171f1c163507164d525a6aa1a1745a2 Author: Baruch Siach Date: Thu Dec 30 18:31:52 2021 +0200 of: base: Fix phandle argument length mismatch error message [ Upstream commit 94a4950a4acff39b5847cc1fee4f65e160813493 ] The cell_count field of of_phandle_iterator is the number of cells we expect in the phandle arguments list when cells_name is missing. The error message should show the number of cells we actually see. Fixes: af3be70a3211 ("of: Improve of_phandle_iterator_next() error message") Cc: Florian Fainelli Signed-off-by: Baruch Siach Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/96519ac55be90a63fa44afe01480c30d08535465.1640881913.git.baruch@tkos.co.il Signed-off-by: Sasha Levin commit 91dcfc658d38ad6e434c8957dc29d157e753d3aa Author: Conor Dooley Date: Thu Dec 23 15:42:44 2021 +0000 clk: bm1880: remove kfrees on static allocations [ Upstream commit c861c1be3897845313a0df47804b1db37c7052e1 ] bm1880_clk_unregister_pll & bm1880_clk_unregister_div both try to free statically allocated variables, so remove those kfrees. For example, if we take L703 kfree(div_hw): - div_hw is a bm1880_div_hw_clock pointer - in bm1880_clk_register_plls this is pointed to an element of arg1: struct bm1880_div_hw_clock *clks - in the probe, where bm1880_clk_register_plls is called arg1 is bm1880_div_clks, defined on L371: static struct bm1880_div_hw_clock bm1880_div_clks[] Signed-off-by: Conor Dooley Fixes: 1ab4601da55b ("clk: Add common clock driver for BM1880 SoC") Link: https://lore.kernel.org/r/20211223154244.1024062-1-conor.dooley@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 8f5e866cbb97fd959a027ee185da3df7b16c5084 Author: Shengjiu Wang Date: Wed Jan 5 19:08:03 2022 +0800 ASoC: fsl_asrc: refine the check of available clock divider [ Upstream commit 320386343451ab6a3577e0ee200dac56a6182944 ] According to RM, the clock divider range is from 1 to 8, clock prescaling ratio may be any power of 2 from 1 to 128. So the supported divider is not all the value between 1 and 1024, just limited value in that range. Create table for the supported divder and add function to check the clock divider is available by comparing with the table. Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1641380883-20709-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0cd1ef3f7b898b7bb30e0ef0c475764b4007195a Author: Shengjiu Wang Date: Tue Jan 4 18:40:35 2022 +0800 ASoC: imx-card: improve the sound quality for low rate [ Upstream commit 3969341813eb56d2dfc39bb64229359a6ae3c195 ] According to RM, on auto mode: For codec AK4458 and AK4497, the lowest ratio of MLCK/FS is 256 if sample rate is 8kHz-48kHz, For codec AK5558, the lowest ratio of MLCK/FS is 512 if sample rate is 8kHz-48kHz. With these setting the sound quality for 8kHz-48kHz can be improved. Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1641292835-19085-4-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit edc07df0df20f0ae9944c4e141ea48458d0cbdd1 Author: Shengjiu Wang Date: Tue Jan 4 18:40:34 2022 +0800 ASoC: imx-card: Fix mclk calculation issue for akcodec [ Upstream commit f331ae5fa59fbfb748317b290648fc3f1a50d932 ] Transfer the refined slots and slot_width to akcodec_get_mclk_rate() for mclk calculation, otherwise the mclk frequency does not match with the slots and slot_width for S16_LE format, because the default slot_width is 32. Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1641292835-19085-3-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6bedc3b3d13015fb618533b1ecbd2de6cb0070ca Author: Shengjiu Wang Date: Tue Jan 4 18:40:33 2022 +0800 ASoC: imx-card: Need special setting for ak4497 on i.MX8MQ [ Upstream commit 3349b3d0c63b8b6fcca58156d72407f0b2e101ac ] The SAI on i.MX8MQ don't support one2one ratio for mclk:bclk, so the mclk frequency exceeds the supported range of codec for the case that sample rate is larger than 705kHZ and format is S32_LE. Update the supported width for such case. Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1641292835-19085-2-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 35816546936d7487e1e54ce717da6f9c399cda17 Author: Taniya Das Date: Mon Dec 20 22:13:56 2021 +0530 clk: qcom: gcc-sc7280: Mark gcc_cfg_noc_lpass_clk always enabled [ Upstream commit 9c337073d9d81a145434b22f42dc3128ecd17730 ] The gcc cfg noc lpass clock is required to be always enabled for the LPASS core and audio drivers to be functional. Fixes: a3cc092196ef ("clk: qcom: Add Global Clock controller (GCC) driver for SC7280") Signed-off-by: Taniya Das Link: https://lore.kernel.org/r/1640018638-19436-4-git-send-email-tdas@codeaurora.org Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 60037a56e08b5b1e353d96269163965460a888f7 Author: Kamal Heib Date: Mon Dec 20 17:25:30 2021 +0200 RDMA/cxgb4: Set queue pair state when being queried [ Upstream commit e375b9c92985e409c4bb95dd43d34915ea7f5e28 ] The API for ib_query_qp requires the driver to set cur_qp_state on return, add the missing set. Fixes: 67bbc05512d8 ("RDMA/cxgb4: Add query_qp support") Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 32faa4c17a566cfd0de6df91cc51baafdb266b30 Author: Christian A. Ehrhardt Date: Fri Dec 31 14:44:32 2021 +0100 ALSA: hda/cs8409: Fix Jack detection after resume [ Upstream commit 57f234248ff925d88caedf4019ec84e6ecb83909 ] The suspend code unconditionally sets ->hp_jack_in and ->mic_jack_in to zero but without reporting this status change to the HDA core. To compensate for this, always assume a status change on the first unsol event after boot or resume. Fixes: 424e531b47f8 ("ALSA: hda/cs8409: Ensure Type Detection is only run on startup when necessary") Signed-off-by: Christian A. Ehrhardt Link: https://lore.kernel.org/r/20211231134432.atwmuzeceqiklcoa@cae.in-ulm.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b624b5b2fe028ac28023e36c82b718ddd4a4c00a Author: Christian A. Ehrhardt Date: Fri Dec 31 14:12:21 2021 +0100 ALSA: hda/cs8409: Increase delay during jack detection [ Upstream commit 8cd07657177006b67cc1610e4466cc75ad781c05 ] Commit c8b4f0865e82 reduced delays related to cs42l42 jack detection. However, the change was too aggressive. As a result internal speakers on DELL Inspirion 3501 are not detected. Increase the delay in cs42l42_run_jack_detect() a bit. Fixes: c8b4f0865e82 ("ALSA: hda/cs8409: Remove unnecessary delays") Signed-off-by: Christian A. Ehrhardt Link: https://lore.kernel.org/r/20211231131221.itwotyfk5qomn7n6@cae.in-ulm.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 65b517f4e0c65c80a9006eabc5ad418998690404 Author: Alyssa Ross Date: Tue Jan 4 13:22:16 2022 +0000 ASoC: fsl_mqs: fix MODULE_ALIAS [ Upstream commit 9f3d45318dd9e739ed62e4218839a7a824d3cced ] modprobe can't handle spaces in aliases. Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver") Signed-off-by: Alyssa Ross Link: https://lore.kernel.org/r/20220104132218.1690103-1-hi@alyssa.is Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ef9893bb73e75d1dae8680a6b755d370569113d7 Author: Ammar Faizi Date: Sun Dec 26 20:54:02 2021 +0700 powerpc/xive: Add missing null check after calling kmalloc [ Upstream commit 18dbfcdedc802f9500b2c29794f22a31d27639c0 ] Commit 930914b7d528fc ("powerpc/xive: Add a debugfs file to dump internal XIVE state") forgot to add a null check. Add it. Fixes: 930914b7d528fc6b0249bffc00564100bcf6ef75 ("powerpc/xive: Add a debugfs file to dump internal XIVE state") Signed-off-by: Ammar Faizi Reviewed-by: Cédric Le Goater Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211226135314.251221-1-ammar.faizi@intel.com Signed-off-by: Sasha Levin commit f1750bf326908ca210b49a5a630306820217362e Author: Randy Dunlap Date: Tue Dec 28 16:05:53 2021 -0800 mips: bcm63xx: add support for clk_set_parent() [ Upstream commit 6f03055d508ff4feb8db02ba3df9303a1db8d381 ] The MIPS BMC63XX subarch does not provide/support clk_set_parent(). This causes build errors in a few drivers, so add a simple implementation of that function so that callers of it will build without errors. Fixes these build errors: ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined! ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined! Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." ) Signed-off-by: Randy Dunlap Reviewed-by: Jonathan Cameron Acked-by: Florian Fainelli Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit b88fea46621da1649dcd99712d39d6ab880a86fb Author: Randy Dunlap Date: Tue Dec 28 16:03:45 2021 -0800 mips: lantiq: add support for clk_set_parent() [ Upstream commit 76f66dfd60dc5d2f9dec22d99091fea1035c5d03 ] Provide a simple implementation of clk_set_parent() in the lantiq subarch so that callers of it will build without errors. Fixes these build errors: ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined! ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined! Fixes: 171bb2f19ed6 ("MIPS: Lantiq: Add initial support for Lantiq SoCs") Signed-off-by: Randy Dunlap Reported-by: kernel test robot --to=linux-mips@vger.kernel.org --cc="John Crispin " --cc="Jonathan Cameron " --cc="Russell King " --cc="Andy Shevchenko " --cc=alsa-devel@alsa-project.org --to="Thomas Bogendoerfer " Reviewed-by: Jonathan Cameron Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit a92e8b510fb4b1cfaebe65cdf5d1b8423fb03712 Author: Sameer Pujar Date: Thu Dec 23 17:23:51 2021 +0530 arm64: tegra: Remove non existent Tegra194 reset [ Upstream commit 146b3a77af8091cabbd1decc51d67799e69682d2 ] Tegra194 does not really have "hda2codec_2x" related reset. Hence drop this entry to reflect actual HW. Fixes: 4878cc0c9fab ("arm64: tegra: Add HDA controller on Tegra194") Signed-off-by: Sameer Pujar Link: https://lore.kernel.org/r/1640260431-11613-4-git-send-email-spujar@nvidia.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 78926da03360c3dbba0ccad8f934a8f7f5a29cc7 Author: Trevor Wu Date: Thu Dec 30 16:47:30 2021 +0800 ASoC: mediatek: mt8195: correct pcmif BE dai control flow [ Upstream commit 2355028c0c54c03afb66c589347f1dc9f6fe2e38 ] Originally, the conditions for preventing reentry are not correct. dai->component->active is not the state specifically for pcmif dai, so it is not a correct condition to indicate the status of pcmif dai. On the other hand, snd_soc_dai_stream_actvie() in prepare ops for both playback and capture possibly return true at the first entry when these two streams are opened at the same time. In the patch, I refer to the implementation in mt8192-dai-pcm.c. Clock and enabling bit for PCMIF are managed by DAPM, and the condition for prepare ops is replaced by the status of dai widget. Fixes: 1f95c019115c ("ASoC: mediatek: mt8195: support pcm in platform driver") Signed-off-by: Trevor Wu Link: https://lore.kernel.org/r/20211230084731.31372-2-trevor.wu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1cf0a19e33ad7f3b435d99b52ab41ce4feb892a5 Author: Wei Yongjun Date: Tue Dec 28 12:55:22 2021 +0000 misc: lattice-ecp3-config: Fix task hung when firmware load failed [ Upstream commit fcee5ce50bdb21116711e38635e3865594af907e ] When firmware load failed, kernel report task hung as follows: INFO: task xrun:5191 blocked for more than 147 seconds. Tainted: G W 5.16.0-rc5-next-20211220+ #11 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:xrun state:D stack: 0 pid: 5191 ppid: 270 flags:0x00000004 Call Trace: __schedule+0xc12/0x4b50 kernel/sched/core.c:4986 schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1) schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857 wait_for_completion+0x181/0x290 kernel/sched/completion.c:85 lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221 spi_remove+0x72/0xb0 drivers/spi/spi.c:409 lattice_ecp3_remove() wait for signals from firmware loading, but when load failed, firmware_load() does not send this signal. This cause device remove hung. Fix it by sending signal even if load failed. Fixes: 781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a17f93a1f0a5255d76ad879b971d23d2d6908165 Author: Jiasheng Jiang Date: Tue Dec 28 11:40:26 2021 +0800 ASoC: samsung: idma: Check of ioremap return value [ Upstream commit 3ecb46755eb85456b459a1a9f952c52986bce8ec ] Because of the potential failure of the ioremap(), the buf->area could be NULL. Therefore, we need to check it and return -ENOMEM in order to transfer the error. Fixes: f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver") Signed-off-by: Jiasheng Jiang Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8b5d69613b1297ca1cdc011ab4361b961b5b3f1b Author: Swapnil Jakhade Date: Thu Dec 23 07:01:33 2021 +0100 phy: cadence: Sierra: Fix to get correct parent for mux clocks [ Upstream commit da08aab940092a050a4fb2857ed9479d2b0e03c4 ] Fix get_parent() callback to return the correct index of the parent for PLL_CMNLC1 clock. Add a separate table of register values corresponding to the parent index for PLL_CMNLC1. Update set_parent() callback accordingly. Fixes: 28081b72859f ("phy: cadence: Sierra: Model PLL_CMNLC and PLL_CMNLC1 as clocks (mux clocks)") Signed-off-by: Swapnil Jakhade Reviewed-by: Aswath Govindraju Link: https://lore.kernel.org/r/20211223060137.9252-12-sjakhade@cadence.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit fca58a434425dc831cc8c0da192117d38f05b092 Author: Michael Ellerman Date: Wed Dec 22 00:51:00 2021 +1100 powerpc/64s: Use EMIT_WARN_ENTRY for SRR debug warnings [ Upstream commit fd1eaaaaa6864b5fb8f99880fcefb49760b8fe4e ] When CONFIG_PPC_RFI_SRR_DEBUG=y we check the SRR values before returning from interrupts. This is done in asm using EMIT_BUG_ENTRY, and passing BUGFLAG_WARNING. However that fails to create an exception table entry for the warning, and so do_program_check() fails the exception table search and proceeds to call _exception(), resulting in an oops like: Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: CPU: 2 PID: 1204 Comm: sigreturn_unali Tainted: P 5.16.0-rc2-00194-g91ca3d4f77c5 #12 NIP: c00000000000c5b0 LR: 0000000000000000 CTR: 0000000000000000 ... NIP [c00000000000c5b0] system_call_common+0x150/0x268 LR [0000000000000000] 0x0 Call Trace: [c00000000db73e10] [c00000000000c558] system_call_common+0xf8/0x268 (unreliable) ... Instruction dump: 7cc803a6 888d0931 2c240000 4082001c 38800000 988d0931 e8810170 e8a10178 7c9a03a6 7cbb03a6 7d7a02a6 e9810170 <7f0b6088> 7d7b02a6 e9810178 7f0b6088 We should instead use EMIT_WARN_ENTRY, which creates an exception table entry for the warning, allowing the warning to be correctly recognised, and the code to resume after printing the warning. Note however that because this warning is buried deep in the interrupt return path, we are not able to recover from it (due to MSR_RI being clear), so we still end up in die() with an unrecoverable exception. Fixes: 59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211221135101.2085547-2-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 5bb2d955e81bcba9cfb3a4880c6c4f0e5f25b524 Author: Michael Ellerman Date: Wed Dec 22 00:50:59 2021 +1100 powerpc/64s: Mask NIP before checking against SRR0 [ Upstream commit 314f6c23dd8d417281eb9e8a516dd98036f2e7b3 ] When CONFIG_PPC_RFI_SRR_DEBUG=y we check that NIP and SRR0 match when returning from interrupts. This can trigger falsely if NIP has either of its two low bits set via sigreturn or ptrace, while SRR0 has its low two bits masked in hardware. As a quick fix make sure to mask the low bits before doing the check. Fixes: 59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid") Reported-by: Sachin Sant Signed-off-by: Michael Ellerman Tested-by: Sachin Sant Link: https://lore.kernel.org/r/20211221135101.2085547-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 38accfd85e41b7ca547c5a7d4866bbc1462950cb Author: Jiasheng Jiang Date: Wed Dec 22 09:51:57 2021 +0800 ASoC: mediatek: Check for error clk pointer [ Upstream commit 9de2b9286a6dd16966959b3cb34fc2ddfd39213e ] Yes, you are right and now the return code depending on the init_clks(). Fixes: 6078c651947a ("soc: mediatek: Refine scpsys to support multiple platform") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20211222015157.1025853-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 799b2c6cd7b6e8790edbe0c02c87f43d64bff89f Author: Ryuta NAKANISHI Date: Wed Dec 22 14:19:29 2021 +0900 phy: uniphier-usb3ss: fix unintended writing zeros to PHY register [ Upstream commit 898c7a9ec81620125f2463714a0f4dea18ad6e54 ] Similar to commit 4a90bbb478db ("phy: uniphier-pcie: Fix updating phy parameters"), in function uniphier_u3ssphy_set_param(), unintentionally write zeros to other fields when writing PHY registers. Fixes: 5ab43d0f8697 ("phy: socionext: add USB3 PHY driver for UniPhier SoC") Signed-off-by: Ryuta NAKANISHI Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/1640150369-4134-1-git-send-email-hayashi.kunihiko@socionext.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit af8cab36bfb8b6836daf1b9a94a8bc211fe6f207 Author: Alan Stern Date: Mon Dec 20 19:21:26 2021 +0800 scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume() [ Upstream commit 6e1fcab00a23f7fe9f4fe9704905a790efa1eeab ] John Garry reported a deadlock that occurs when trying to access a runtime-suspended SATA device. For obscure reasons, the rescan procedure causes the link to be hard-reset, which disconnects the device. The rescan tries to carry out a runtime resume when accessing the device. scsi_rescan_device() holds the SCSI device lock and won't release it until it can put commands onto the device's block queue. This can't happen until the queue is successfully runtime-resumed or the device is unregistered. But the runtime resume fails because the device is disconnected, and __scsi_remove_device() can't do the unregistration because it can't get the device lock. The best way to resolve this deadlock appears to be to allow the block queue to start running again even after an unsuccessful runtime resume. The idea is that the driver or the SCSI error handler will need to be able to use the queue to resolve the runtime resume failure. This patch removes the err argument to blk_post_runtime_resume() and makes the routine act as though the resume was successful always. This fixes the deadlock. Link: https://lore.kernel.org/r/1639999298-244569-4-git-send-email-chenxiang66@hisilicon.com Fixes: e27829dc92e5 ("scsi: serialize ->rescan against ->remove") Reported-and-tested-by: John Garry Reviewed-by: Bart Van Assche Signed-off-by: Alan Stern Signed-off-by: Xiang Chen Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e421973fbe6e9490e3cf3ee2ab38a739928243d0 Author: Pingfan Liu Date: Wed Dec 15 10:13:48 2021 +0800 efi: apply memblock cap after memblock_add() [ Upstream commit b398123bff3bcbc1facb0f29bf6e7b9f1bc55931 ] On arm64, during kdump kernel saves vmcore, it runs into the following bug: ... [ 15.148919] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmem_cache_node' (offset 0, size 4096)! [ 15.159707] ------------[ cut here ]------------ [ 15.164311] kernel BUG at mm/usercopy.c:99! [ 15.168482] Internal error: Oops - BUG: 0 [#1] SMP [ 15.173261] Modules linked in: xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce sbsa_gwdt ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm nvme nvme_core xgene_hwmon i2c_designware_platform i2c_designware_core dm_mirror dm_region_hash dm_log dm_mod overlay squashfs zstd_decompress loop [ 15.206186] CPU: 0 PID: 542 Comm: cp Not tainted 5.16.0-rc4 #1 [ 15.212006] Hardware name: GIGABYTE R272-P30-JG/MP32-AR0-JG, BIOS F12 (SCP: 1.5.20210426) 05/13/2021 [ 15.221125] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 15.228073] pc : usercopy_abort+0x9c/0xa0 [ 15.232074] lr : usercopy_abort+0x9c/0xa0 [ 15.236070] sp : ffff8000121abba0 [ 15.239371] x29: ffff8000121abbb0 x28: 0000000000003000 x27: 0000000000000000 [ 15.246494] x26: 0000000080000400 x25: 0000ffff885c7000 x24: 0000000000000000 [ 15.253617] x23: 000007ff80400000 x22: ffff07ff80401000 x21: 0000000000000001 [ 15.260739] x20: 0000000000001000 x19: ffff07ff80400000 x18: ffffffffffffffff [ 15.267861] x17: 656a626f2042554c x16: 53206d6f72662064 x15: 6574636574656420 [ 15.274983] x14: 74706d6574746120 x13: 2129363930342065 x12: 7a6973202c302074 [ 15.282105] x11: ffffc8b041d1b148 x10: 00000000ffff8000 x9 : ffffc8b04012812c [ 15.289228] x8 : 00000000ffff7fff x7 : ffffc8b041d1b148 x6 : 0000000000000000 [ 15.296349] x5 : 0000000000000000 x4 : 0000000000007fff x3 : 0000000000000000 [ 15.303471] x2 : 0000000000000000 x1 : ffff07ff8c064800 x0 : 000000000000006b [ 15.310593] Call trace: [ 15.313027] usercopy_abort+0x9c/0xa0 [ 15.316677] __check_heap_object+0xd4/0xf0 [ 15.320762] __check_object_size.part.0+0x160/0x1e0 [ 15.325628] __check_object_size+0x2c/0x40 [ 15.329711] copy_oldmem_page+0x7c/0x140 [ 15.333623] read_from_oldmem.part.0+0xfc/0x1c0 [ 15.338142] __read_vmcore.constprop.0+0x23c/0x350 [ 15.342920] read_vmcore+0x28/0x34 [ 15.346309] proc_reg_read+0xb4/0xf0 [ 15.349871] vfs_read+0xb8/0x1f0 [ 15.353088] ksys_read+0x74/0x100 [ 15.356390] __arm64_sys_read+0x28/0x34 ... This bug introduced by commit b261dba2fdb2 ("arm64: kdump: Remove custom linux,usable-memory-range handling"), which moves memblock_cap_memory_range() to fdt, but it breaches the rules that memblock_cap_memory_range() should come after memblock_add() etc as said in commit e888fa7bb882 ("memblock: Check memory add/cap ordering"). As a consequence, the virtual address set up by copy_oldmem_page() does not bail out from the test of virt_addr_valid() in check_heap_object(), and finally hits the BUG_ON(). Since memblock allocator has no idea about when the memblock is fully populated, while efi_init() is aware, so tackling this issue by calling the interface early_init_dt_check_for_usable_mem_range() exposed by of/fdt. Fixes: b261dba2fdb2 ("arm64: kdump: Remove custom linux,usable-memory-range handling") Signed-off-by: Pingfan Liu Cc: Rob Herring Cc: Zhen Lei Cc: Catalin Marinas Cc: Will Deacon Cc: Andrew Morton Cc: Mike Rapoport Cc: Geert Uytterhoeven Cc: Frank Rowand Cc: Ard Biesheuvel Cc: Nick Terrell Cc: linux-arm-kernel@lists.infradead.org To: devicetree@vger.kernel.org To: linux-efi@vger.kernel.org Acked-by: Ard Biesheuvel Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20211215021348.8766-1-kernelfans@gmail.com Signed-off-by: Sasha Levin commit 77d37071811be224062eae8e63308c24afe96449 Author: Zhen Lei Date: Tue Dec 14 12:01:56 2021 +0800 of: fdt: Aggregate the processing of "linux,usable-memory-range" [ Upstream commit 8347b41748c3019157312fbe7f8a6792ae396eb7 ] Currently, we parse the "linux,usable-memory-range" property in early_init_dt_scan_chosen(), to obtain the specified memory range of the crash kernel. We then reserve the required memory after early_init_dt_scan_memory() has identified all available physical memory. Because the two pieces of code are separated far, the readability and maintainability are reduced. So bring them together. Suggested-by: Rob Herring Signed-off-by: Zhen Lei (change the prototype of early_init_dt_check_for_usable_mem_range(), in order to use it outside) Signed-off-by: Pingfan Liu Tested-by: Dave Kleikamp Acked-by: John Donnelly Reviewed-by: Rob Herring Cc: Catalin Marinas Cc: Will Deacon Cc: linux-arm-kernel@lists.infradead.org To: devicetree@vger.kernel.org To: linux-efi@vger.kernel.org Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 073d9a2237b1e9a54ea1b928bfcdfd30afaa0ad8 Author: Trevor Wu Date: Thu Dec 16 10:24:24 2021 +0800 ASoC: mediatek: mt8195: correct default value [ Upstream commit 30e693ee82d20361f2caacca3b68c79e1a7cb16c ] mt8195_cg_patch is used to reset the default value of audio cg, so the register value could be consistent with CCF reference count. Nevertheless, AUDIO_TOP_CON1[1:0] is used to control an internal mux, and it's expected to keep the default value 0. This patch corrects the default value in case an unexpected behavior happens in the future. Fixes: 6746cc8582599 ("ASoC: mediatek: mt8195: add platform driver") Signed-off-by: Trevor Wu Link: https://lore.kernel.org/r/20211216022424.28470-1-trevor.wu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ef0af09d411386754d049e468025b4b3216869aa Author: Xiongfeng Wang Date: Fri Dec 17 15:30:55 2021 +0000 iommu/iova: Fix race between FQ timeout and teardown [ Upstream commit d7061627d701c90e1cac1e1e60c45292f64f3470 ] It turns out to be possible for hotplugging out a device to reach the stage of tearing down the device's group and default domain before the domain's flush queue has drained naturally. At this point, it is then possible for the timeout to expire just before the del_timer() call in free_iova_flush_queue(), such that we then proceed to free the FQ resources while fq_flush_timeout() is still accessing them on another CPU. Crashes due to this have been observed in the wild while removing NVMe devices. Close the race window by using del_timer_sync() to safely wait for any active timeout handler to finish before we start to free things. We already avoid any locking in free_iova_flush_queue() since the FQ is supposed to be inactive anyway, so the potential deadlock scenario does not apply. Fixes: 9a005a800ae8 ("iommu/iova: Add flush timer") Reviewed-by: John Garry Signed-off-by: Xiongfeng Wang [ rm: rewrite commit message ] Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/0a365e5b07f14b7344677ad6a9a734966a8422ce.1639753638.git.robin.murphy@arm.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 56c3b723859416be3c5bb3b86cab7f8fc8087868 Author: Cezary Rojewski Date: Thu Dec 16 12:57:39 2021 +0100 ASoC: Intel: catpt: Test dmaengine_submit() result before moving on [ Upstream commit 2a9a72e290d4a4741e673f86b9fba9bfb319786d ] After calling dmaengine_submit(), the submitted transfer descriptor belongs to the DMA engine. Pointer to that descriptor may no longer be valid after the call and should be tested before awaiting transfer completion. Reported-by: Kevin Tian Suggested-by: Dave Jiang Fixes: 4fac9b31d0b9 ("ASoC: Intel: Add catpt base members") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20211216115743.2130622-2-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9bc6d3abccbfd46ca22488201622c0b42e68c347 Author: Maxim Levitsky Date: Tue Nov 23 18:10:38 2021 +0200 iommu/amd: Remove useless irq affinity notifier [ Upstream commit 575f5cfb13c84f324f9898383fa4a5694e53c9ef ] iommu->intcapxt_notify field is no longer used after a switch to a separate domain was done Fixes: d1adcfbb520c ("iommu/amd: Fix IOMMU interrupt generation in X2APIC mode") Signed-off-by: Maxim Levitsky Link: https://lore.kernel.org/r/20211123161038.48009-6-mlevitsk@redhat.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 7e7e12092a6670e9b487b059f608b07daae26147 Author: Maxim Levitsky Date: Tue Nov 23 18:10:37 2021 +0200 iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume [ Upstream commit 1980105e3cfc2215c75b4f6b172661d675c467d1 ] Use IRQCHIP_MASK_ON_SUSPEND to make the core irq code to mask the iommu interrupt on suspend and unmask it on the resume. Since now the unmask function updates the INTX settings, that will restore them on resume from s3/s4. Since IRQCHIP_MASK_ON_SUSPEND is only effective for interrupts which are not wakeup sources, remove IRQCHIP_SKIP_SET_WAKE flag and instead implement a dummy .irq_set_wake which doesn't allow the interrupt to become a wakeup source. Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts") Signed-off-by: Maxim Levitsky Link: https://lore.kernel.org/r/20211123161038.48009-5-mlevitsk@redhat.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 88c62a000be5e80f84758c510b7ac414de83d379 Author: Maxim Levitsky Date: Tue Nov 23 18:10:36 2021 +0200 iommu/amd: X2apic mode: setup the INTX registers on mask/unmask [ Upstream commit 4691f79d62a637958f7b5f55c232a65399500b7a ] This is more logically correct and will also allow us to to use mask/unmask logic to restore INTX setttings after the resume from s3/s4. Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts") Signed-off-by: Maxim Levitsky Link: https://lore.kernel.org/r/20211123161038.48009-4-mlevitsk@redhat.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 0210cbc1efa3939bf86a43949781b801c553afcb Author: Maxim Levitsky Date: Tue Nov 23 18:10:35 2021 +0200 iommu/amd: X2apic mode: re-enable after resume [ Upstream commit 01b297a48a26bcb96769505ac948db4603b72bd1 ] Otherwise it is guaranteed to not work after the resume... Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts") Signed-off-by: Maxim Levitsky Link: https://lore.kernel.org/r/20211123161038.48009-3-mlevitsk@redhat.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit fd77922c94e4dd16b4bcf1a0fcd52eb928bf75b9 Author: Maxim Levitsky Date: Tue Nov 23 18:10:34 2021 +0200 iommu/amd: Restore GA log/tail pointer on host resume [ Upstream commit a8d4a37d1bb93608501d0d0545f902061152669a ] This will give IOMMU GA log a chance to work after resume from s3/s4. Fixes: 8bda0cfbdc1a6 ("iommu/amd: Detect and initialize guest vAPIC log") Signed-off-by: Maxim Levitsky Link: https://lore.kernel.org/r/20211123161038.48009-2-mlevitsk@redhat.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 86bcde384570b22c5633160d4a735ba01ff61181 Author: Arnd Bergmann Date: Mon Nov 22 23:21:58 2021 +0100 dmaengine: pxa/mmp: stop referencing config->slave_id [ Upstream commit 134c37fa250a87a7e77c80a7c59ae16c462e46e0 ] The last driver referencing the slave_id on Marvell PXA and MMP platforms was the SPI driver, but this stopped doing so a long time ago, so the TODO from the earlier patch can no be removed. Fixes: b729bf34535e ("spi/pxa2xx: Don't use slave_id of dma_slave_config") Fixes: 13b3006b8ebd ("dma: mmp_pdma: add filter function") Signed-off-by: Arnd Bergmann Acked-by: Mark Brown Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit b1f659597761e93041b284bb183c4029bcfdab47 Author: Lukas Bulwahn Date: Mon Dec 13 12:16:42 2021 +0100 mips: fix Kconfig reference to PHYS_ADDR_T_64BIT [ Upstream commit a670c82d9ca4f1e7385d9d6f26ff41a50fbdd944 ] Commit d4a451d5fc84 ("arch: remove the ARCH_PHYS_ADDR_T_64BIT config symbol") removes config ARCH_PHYS_ADDR_T_64BIT with all instances of that config refactored appropriately. Since then, it is recommended to use the config PHYS_ADDR_T_64BIT instead. Commit 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA") introduces the expression "!(32BIT && (ARCH_PHYS_ADDR_T_64BIT || EVA))" for config CPU_SUPPORTS_HUGEPAGES, which unintentionally refers to the non-existing symbol ARCH_PHYS_ADDR_T_64BIT instead of the intended PHYS_ADDR_T_64BIT. Fix this Kconfig reference to the intended PHYS_ADDR_T_64BIT. This issue was identified with the script ./scripts/checkkconfigsymbols.py. I then reported it on the mailing list and Paul confirmed the mistake in the linked email thread. Link: https://lore.kernel.org/lkml/H8IU3R.H5QVNRA077PT@crapouillou.net/ Suggested-by: Paul Cercueil Fixes: 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA") Signed-off-by: Lukas Bulwahn Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit f345281019b29f3340414b34fc86deb2b2b46a53 Author: Lukas Bulwahn Date: Mon Dec 13 12:16:35 2021 +0100 mips: add SYS_HAS_CPU_MIPS64_R5 config for MIPS Release 5 support [ Upstream commit fd4eb90b164442cb1e9909f7845e12a0835ac699 ] Commit ab7c01fdc3cf ("mips: Add MIPS Release 5 support") adds the two configs CPU_MIPS32_R5 and CPU_MIPS64_R5, which depend on the corresponding SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R5, respectively. The config SYS_HAS_CPU_MIPS32_R5 was already introduced with commit c5b367835cfc ("MIPS: Add support for XPA."); the config SYS_HAS_CPU_MIPS64_R5, however, was never introduced. Hence, ./scripts/checkkconfigsymbols.py warns: SYS_HAS_CPU_MIPS64_R5 Referencing files: arch/mips/Kconfig, arch/mips/include/asm/cpu-type.h Add the definition for config SYS_HAS_CPU_MIPS64_R5 under the assumption that SYS_HAS_CPU_MIPS64_R5 follows the same pattern as the existing SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R6. Fixes: ab7c01fdc3cf ("mips: Add MIPS Release 5 support") Signed-off-by: Lukas Bulwahn Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit cfb6756aea7e8f2464b543ec1ab2e143d5321270 Author: Dillon Min Date: Tue Oct 26 15:11:21 2021 +0800 clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shell [ Upstream commit 6fc058a72f3b7b07fc4de6d66ad1f68951b00f6e ] stm32's clk driver register two ltdc gate clk to clk core by clk_hw_register_gate() and clk_hw_register_composite() first: 'stm32f429_gates[]', clk name is 'ltdc', which no user to use. second: 'stm32f429_aux_clk[]', clk name is 'lcd-tft', used by ltdc driver both of them point to the same offset of stm32's RCC register. after kernel enter console, clk core turn off ltdc's clk as 'stm32f429_gates[]' is no one to use. but, actually 'stm32f429_aux_clk[]' is in use. stm32f469/746/769 have the same issue, fix it. Fixes: daf2d117cbca ("clk: stm32f4: Add lcd-tft clock") Link: https://lore.kernel.org/linux-arm-kernel/1590564453-24499-7-git-send-email-dillon.minfei@gmail.com/ Link: https://lore.kernel.org/lkml/CAPTRvHkf0cK_4ZidM17rPo99gWDmxgqFt4CDUjqFFwkOeQeFDg@mail.gmail.com/ Signed-off-by: Dillon Min Reviewed-by: Patrice Chotard Acked-by: Gabriel Fernandez Acked-by: Stephen Boyd Link: https://lore.kernel.org/r/1635232282-3992-10-git-send-email-dillon.minfei@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit e7962a878b38bdc153035e07bb4d3b81d33eb405 Author: Frank Rowand Date: Sun Dec 12 16:18:52 2021 -0600 of: unittest: 64 bit dma address test requires arch support [ Upstream commit 9fd4cf5d3571b27d746b8ead494a3f051485b679 ] If an architecture does not support 64 bit dma addresses then testing for an expected dma address >= 0x100000000 will fail. Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") Signed-off-by: Frank Rowand Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20211212221852.233295-1-frowand.list@gmail.com Signed-off-by: Sasha Levin commit d00393b2c3549f1ebfc74417ecde252f93df9064 Author: Jim Quinlan Date: Fri Dec 10 13:46:35 2021 -0500 of: unittest: fix warning on PowerPC frame size warning [ Upstream commit a8d61a9112ad0c9216ab45d050991e07bc4f3408 ] The struct device variable "dev_bogus" was triggering this warning on a PowerPC build: drivers/of/unittest.c: In function 'of_unittest_dma_ranges_one.constprop': [...] >> The frame size of 1424 bytes is larger than 1024 bytes [-Wframe-larger-than=] This variable is now dynamically allocated. Fixes: e0d072782c734 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") Reported-by: kernel test robot Signed-off-by: Jim Quinlan Reviewed-by: Christoph Hellwig Reviewed-by: Frank Rowand Reviewed-by: Florian Fainelli Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20211210184636.7273-2-jim2101024@gmail.com Signed-off-by: Sasha Levin commit e91edc3b443c398a2ba3d5b5d7fb0728b9ae3ac4 Author: Jiasheng Jiang Date: Wed Dec 15 11:15:50 2021 +0800 ASoC: rt5663: Handle device_property_read_u32_array error codes [ Upstream commit 2167c0b205960607fb136b4bb3c556a62be1569a ] The return value of device_property_read_u32_array() is not always 0. To catch the exception in case that devm_kzalloc failed and the rt5663->imp_table was NULL, which caused the failure of device_property_read_u32_array. Fixes: 450f0f6a8fb4 ("ASoC: rt5663: Add the manual offset field to compensate the DC offset") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20211215031550.70702-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 45f4e3c7587782e30d61c3769b35634ea05f8a71 Author: Avihai Horon Date: Thu Dec 9 15:16:07 2021 +0200 RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry [ Upstream commit 20679094a0161c94faf77e373fa3f7428a8e14bd ] Currently, when cma_resolve_ib_dev() searches for a matching GID it will stop searching after encountering the first empty GID table entry. This behavior is wrong since neither IB nor RoCE spec enforce tightly packed GID tables. For example, when the matching valid GID entry exists at index N, and if a GID entry is empty at index N-1, cma_resolve_ib_dev() will fail to find the matching valid entry. Fix it by making cma_resolve_ib_dev() continue searching even after encountering missing entries. Fixes: f17df3b0dede ("RDMA/cma: Add support for AF_IB to rdma_resolve_addr()") Link: https://lore.kernel.org/r/b7346307e3bb396c43d67d924348c6c496493991.1639055490.git.leonro@nvidia.com Signed-off-by: Avihai Horon Reviewed-by: Mark Zhang Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8d76d0e4880d0843238f8b22d0be045e7a3d291d Author: Avihai Horon Date: Thu Dec 9 15:16:06 2021 +0200 RDMA/core: Let ib_find_gid() continue search even after empty entry [ Upstream commit 483d805191a23191f8294bbf9b4e94836f5d92e4 ] Currently, ib_find_gid() will stop searching after encountering the first empty GID table entry. This behavior is wrong since neither IB nor RoCE spec enforce tightly packed GID tables. For example, when a valid GID entry exists at index N, and if a GID entry is empty at index N-1, ib_find_gid() will fail to find the valid entry. Fix it by making ib_find_gid() continue searching even after encountering missing entries. Fixes: 5eb620c81ce3 ("IB/core: Add helpers for uncached GID and P_Key searches") Link: https://lore.kernel.org/r/e55d331b96cecfc2cf19803d16e7109ea966882d.1639055490.git.leonro@nvidia.com Signed-off-by: Avihai Horon Reviewed-by: Mark Zhang Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit b77f233986b3099d8216c9fd466b99cb65503e7f Author: Rob Clark Date: Mon Nov 8 09:17:23 2021 -0800 iommu/arm-smmu-qcom: Fix TTBR0 read [ Upstream commit c31112fbd4077a51a14ff338038c82e9571dc821 ] It is a 64b register, lets not lose the upper bits. Fixes: ab5df7b953d8 ("iommu/arm-smmu-qcom: Add an adreno-smmu-priv callback to get pagefault info") Signed-off-by: Rob Clark Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211108171724.470973-1-robdclark@gmail.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 2b78e026b455a7a28941786bb4dad7503e1d1a51 Author: Christophe Leroy Date: Wed Dec 8 17:36:52 2021 +0000 powerpc/powermac: Add additional missing lockdep_register_key() [ Upstream commit b149d5d45ac9171ed699a256f026c8ebef901112 ] Commit df1f679d19ed ("powerpc/powermac: Add missing lockdep_register_key()") fixed a problem that was causing a WARNING. There are two other places in the same file with the same problem originating from commit 9e607f72748d ("i2c_powermac: shut up lockdep warning"). Add missing lockdep_register_key() Fixes: 9e607f72748d ("i2c_powermac: shut up lockdep warning") Reported-by: Erhard Furtner Signed-off-by: Christophe Leroy Depends-on: df1f679d19ed ("powerpc/powermac: Add missing lockdep_register_key()") Signed-off-by: Michael Ellerman Link: https://bugzilla.kernel.org/show_bug.cgi?id=200055 Link: https://lore.kernel.org/r/2c7e421874e21b2fb87813d768cf662f630c2ad4.1638984999.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit db3e0d59f1c88db975a15c6f461208ba541ec5f0 Author: Thomas Gleixner Date: Mon Dec 6 23:27:26 2021 +0100 PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() [ Upstream commit 29bbc35e29d9b6347780dcacde2deb4b39344167 ] pci_irq_vector() and pci_irq_get_affinity() use the list position to find the MSI-X descriptor at a given index. That's correct for the normal case where the entry number is the same as the list position. But it's wrong for cases where MSI-X was allocated with an entries array describing sparse entry numbers into the hardware message descriptor table. That's inconsistent at best. Make it always check the entry number because that's what the zero base index really means. This change won't break existing users which use a sparse entries array for allocation because these users retrieve the Linux interrupt number from the entries array after allocation and none of them uses pci_irq_vector() or pci_irq_get_affinity(). Fixes: aff171641d18 ("PCI: Provide sensible IRQ vector alloc/free routines") Signed-off-by: Thomas Gleixner Tested-by: Juergen Gross Reviewed-by: Jason Gunthorpe Acked-by: Bjorn Helgaas Link: https://lore.kernel.org/r/20211206210223.929792157@linutronix.de Signed-off-by: Sasha Levin commit 1526f0ae4949491247a66ff5cc15149fc4c4ff92 Author: Kamal Heib Date: Mon Dec 6 22:13:14 2021 +0200 RDMA/qedr: Fix reporting max_{send/recv}_wr attrs [ Upstream commit b1a4da64bfc189510e08df1ccb1c589e667dc7a3 ] Fix the wrongly reported max_send_wr and max_recv_wr attributes for user QP by making sure to save their valuse on QP creation, so when query QP is called the attributes will be reported correctly. Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") Link: https://lore.kernel.org/r/20211206201314.124947-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Acked-by: Michal Kalderon  Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f10876654e82400109990748c1e51d05b9020d9a Author: Bart Van Assche Date: Fri Dec 3 15:19:39 2021 -0800 scsi: ufs: Fix race conditions related to driver data [ Upstream commit 21ad0e49085deb22c094f91f9da57319a97188e4 ] The driver data pointer must be set before any callbacks are registered that use that pointer. Hence move the initialization of that pointer from after the ufshcd_init() call to inside ufshcd_init(). Link: https://lore.kernel.org/r/20211203231950.193369-7-bvanassche@acm.org Fixes: 3b1d05807a9a ("[SCSI] ufs: Segregate PCI Specific Code") Reported-by: Alexey Dobriyan Tested-by: Bean Huo Reviewed-by: Bean Huo Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c9f350ade563ce87d97ff9c756640ed83e0cce46 Author: Bart Van Assche Date: Fri Dec 3 15:19:34 2021 -0800 scsi: core: Fix scsi_device_max_queue_depth() [ Upstream commit 4bc3bffc1a885eb5cb259e4a25146a4c7b1034e3 ] The comment above scsi_device_max_queue_depth() and also the description of commit ca4453213951 ("scsi: core: Make sure sdev->queue_depth is <= max(shost->can_queue, 1024)") contradict the implementation of the function scsi_device_max_queue_depth(). Additionally, the maximum queue depth of a SCSI LUN never exceeds host->can_queue. Fix scsi_device_max_queue_depth() by changing max_t() into min_t(). Link: https://lore.kernel.org/r/20211203231950.193369-2-bvanassche@acm.org Fixes: ca4453213951 ("scsi: core: Make sure sdev->queue_depth is <= max(shost->can_queue, 1024)") Cc: Hannes Reinecke Cc: Sumanesh Samanta Tested-by: Bean Huo Reviewed-by: Ming Lei Reviewed-by: Bean Huo Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3db62f98b49fdafd5a5a8153a525b2e570a54e74 Author: Hector Martin Date: Sat Nov 20 12:13:43 2021 +0900 iommu/io-pgtable-arm: Fix table descriptor paddr formatting [ Upstream commit 9abe2ac834851a7d0b0756e295cf7a292c45ca53 ] Table descriptors were being installed without properly formatting the address using paddr_to_iopte, which does not match up with the iopte_deref in __arm_lpae_map. This is incorrect for the LPAE pte format, as it does not handle the high bits properly. This was found on Apple T6000 DARTs, which require a new pte format (different shift); adding support for that to paddr_to_iopte/iopte_to_paddr caused it to break badly, as even <48-bit addresses would end up incorrect in that case. Fixes: 6c89928ff7a0 ("iommu/io-pgtable-arm: Support 52-bit physical address") Acked-by: Robin Murphy Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20211120031343.88034-1-marcan@marcan.st Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 004d84063fa22ef983ade4edfd970474aa0f86c3 Author: Lu Baolu Date: Mon Nov 8 14:13:49 2021 +0800 iommu: Extend mutex lock scope in iommu_probe_device() [ Upstream commit 556f99ac886635e8da15528995f06d1d7028cfca ] Extend the scope of holding group->mutex so that it can cover the default domain check/attachment and direct mappings of reserved regions. Cc: Ashish Mhetre Fixes: 211ff31b3d33b ("iommu: Fix race condition during default domain allocation") Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20211108061349.1985579-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 37fb3dec665c7c9295ac86d5be078fea945ed9ba Author: Stafford Horne Date: Sat Dec 4 07:10:18 2021 +0900 openrisc: Add clone3 ABI wrapper [ Upstream commit 433fe39f674d58bc7a3e8254a5d2ffc290b7e04e ] Like fork and clone the clone3 syscall needs a wrapper to save callee saved registers, which is required by the OpenRISC ABI. This came up after auditing code following a discussion with Rob Landley and Arnd Bergmann [0]. Tested with the clone3 kselftests and there were no issues. [0] https://lore.kernel.org/all/41206fc7-f8ce-98aa-3718-ba3e1431e320@landley.net/T/#m9c0cdb2703813b9df4da04cf6b30de1f1aa89944 Fixes: 07e83dfbe16c ("openrisc: Enable the clone3 syscall") Cc: Rob Landley Cc: Arnd Bergmann Signed-off-by: Stafford Horne Signed-off-by: Sasha Levin commit 7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde Author: Todd Kjos Date: Tue Nov 30 10:51:50 2021 -0800 binder: avoid potential data leakage when copying txn [ Upstream commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c ] Transactions are copied from the sender to the target first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA are then fixed up. This means there is a short period where the sender's version of these objects are visible to the target prior to the fixups. Instead of copying all of the data first, copy data only after any needed fixups have been applied. Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reviewed-by: Martijn Coenen Acked-by: Christian Brauner Signed-off-by: Todd Kjos Link: https://lore.kernel.org/r/20211130185152.437403-3-tkjos@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f9848823d4e8c2c88bc9975a5d0e4810678b639c Author: Todd Kjos Date: Tue Nov 30 10:51:49 2021 -0800 binder: fix handling of error during copy [ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ] If a memory copy function fails to copy the whole buffer, a positive integar with the remaining bytes is returned. In binder_translate_fd_array() this can result in an fd being skipped due to the failed copy, but the loop continues processing fds since the early return condition expects a negative integer on error. Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case. Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions") Suggested-by: Dan Carpenter Acked-by: Christian Brauner Signed-off-by: Todd Kjos Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 695ca3e0e24b03c36ba089bbb445e2867f97a07c Author: Kees Cook Date: Fri Dec 3 00:42:06 2021 -0800 char/mwave: Adjust io port register size [ Upstream commit f5912cc19acd7c24b2dbf65a6340bf194244f085 ] Using MKWORD() on a byte-sized variable results in OOB read. Expand the size of the reserved area so both MKWORD and MKBYTE continue to work without overflow. Silences this warning on a -Warray-bounds build: drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds] 346 | #define MKWORD(var) (*((unsigned short *)(&var))) | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp' 356 | #define OutWordDsp(index,value) outw(value,usDspBaseIO+index) | ^~~~~ drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD' 373 | OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl)); | ^~~~~~ drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl' 358 | DSP_ISA_SLAVE_CONTROL rSlaveControl; | ^~~~~~~~~~~~~ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 356b4ed3ea706d97d135884c35818bf80b9ea7f8 Author: Andy Shevchenko Date: Thu Nov 25 23:27:27 2021 +0200 misc: at25: Make driver OF independent again [ Upstream commit 5b557298d7d09cce04e0565a535fbca63661724a ] The commit f60e7074902a ("misc: at25: Make use of device property API") made a good job by enabling the driver for non-OF platforms, but the recent commit 604288bc6196 ("nvmem: eeprom: at25: fix type compiler warnings") brought that back. Restore greatness of the driver once again. Fixes: eab61fb1cc2e ("nvmem: eeprom: at25: fram discovery simplification") Fixes: fd307a4ad332 ("nvmem: prepare basics for FRAM support") Acked-by: Arnd Bergmann Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20211125212729.86585-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ee22462a419b4c5892855ff6fdee8c57c10a7fbf Author: Takashi Iwai Date: Thu Dec 2 09:38:33 2021 +0100 ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID [ Upstream commit 1e583aef12aa74afd37c1418255cc4b74e023236 ] The vendor ID of Presonus Studio 1810c had a superfluous '0' in its USB ID. Drop it. Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c") Link: https://lore.kernel.org/r/20211202083833.17784-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6f90ccd962269d4fdb9451bee08aef733eeddcf1 Author: Bixuan Cui Date: Wed Dec 1 16:58:54 2021 +0800 ALSA: oss: fix compile error when OSS_DEBUG is enabled [ Upstream commit 8e7daf318d97f25e18b2fc7eb5909e34cd903575 ] Fix compile error when OSS_DEBUG is enabled: sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger': sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first use in this function); did you mean 'csubstream'? pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); ^ Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers") Signed-off-by: Bixuan Cui Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit cf9b8de20168ddeb261a1e2d4f918d3c0d502fc5 Author: Waiman Long Date: Thu Nov 18 14:14:36 2021 -0500 clocksource: Avoid accidental unstable marking of clocksources [ Upstream commit c86ff8c55b8ae68837b2fa59dc0c203907e9a15f ] Since commit db3a34e17433 ("clocksource: Retry clock read if long delays detected") and commit 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold"), it is found that tsc clocksource fallback to hpet can sometimes happen on both Intel and AMD systems especially when they are running stressful benchmarking workloads. Of the 23 systems tested with a v5.14 kernel, 10 of them have switched to hpet clock source during the test run. The result of falling back to hpet is a drastic reduction of performance when running benchmarks. For example, the fio performance tests can drop up to 70% whereas the iperf3 performance can drop up to 80%. 4 hpet fallbacks happened during bootup. They were: [ 8.749399] clocksource: timekeeping watchdog on CPU13: hpet read-back delay of 263750ns, attempt 4, marking unstable [ 12.044610] clocksource: timekeeping watchdog on CPU19: hpet read-back delay of 186166ns, attempt 4, marking unstable [ 17.336941] clocksource: timekeeping watchdog on CPU28: hpet read-back delay of 182291ns, attempt 4, marking unstable [ 17.518565] clocksource: timekeeping watchdog on CPU34: hpet read-back delay of 252196ns, attempt 4, marking unstable Other fallbacks happen when the systems were running stressful benchmarks. For example: [ 2685.867873] clocksource: timekeeping watchdog on CPU117: hpet read-back delay of 57269ns, attempt 4, marking unstable [46215.471228] clocksource: timekeeping watchdog on CPU8: hpet read-back delay of 61460ns, attempt 4, marking unstable Commit 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold"), changed the skew margin from 100us to 50us. I think this is too small and can easily be exceeded when running some stressful workloads on a thermally stressed system. So it is switched back to 100us. Even a maximum skew margin of 100us may be too small in for some systems when booting up especially if those systems are under thermal stress. To eliminate the case that the large skew is due to the system being too busy slowing down the reading of both the watchdog and the clocksource, an extra consecutive read of watchdog clock is being done to check this. The consecutive watchdog read delay is compared against WATCHDOG_MAX_SKEW/2. If the delay exceeds the limit, we assume that the system is just too busy. A warning will be printed to the console and the clock skew check is skipped for this round. Fixes: db3a34e17433 ("clocksource: Retry clock read if long delays detected") Fixes: 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold") Signed-off-by: Waiman Long Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit e3e6b74fad2df4114dd80f1be51742e0f683cfce Author: Christophe Leroy Date: Tue Nov 30 09:42:37 2021 +0100 powerpc/32s: Fix shift-out-of-bounds in KASAN init [ Upstream commit af11dee4361b3519981fa04d014873f9d9edd6ac ] ================================================================================ UBSAN: shift-out-of-bounds in arch/powerpc/mm/kasan/book3s_32.c:22:23 shift exponent -1 is negative CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.5-gentoo-PowerMacG4 #9 Call Trace: [c214be60] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable) [c214be80] [c0b99288] ubsan_epilogue+0x10/0x5c [c214be90] [c0b98fe0] __ubsan_handle_shift_out_of_bounds+0x94/0x138 [c214bf00] [c1c0f010] kasan_init_region+0xd8/0x26c [c214bf30] [c1c0ed84] kasan_init+0xc0/0x198 [c214bf70] [c1c08024] setup_arch+0x18/0x54c [c214bfc0] [c1c037f0] start_kernel+0x90/0x33c [c214bff0] [00003610] 0x3610 ================================================================================ This happens when the directly mapped memory is a power of 2. Fix it by checking the shift and set the result to 0 when shift is -1 Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()") Reported-by: Erhard Furtner Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://bugzilla.kernel.org/show_bug.cgi?id=215169 Link: https://lore.kernel.org/r/15cbc3439d4ad988b225e2119ec99502a5cc6ad3.1638261744.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 2d17ab8874bc57e903d0256aaa17bd8bdb590c91 Author: Christophe Leroy Date: Tue Nov 30 11:10:43 2021 +0100 powerpc/modules: Don't WARN on first module allocation attempt [ Upstream commit f1797e4de1146009c888bcf8b6bb6648d55394f1 ] module_alloc() first tries to allocate module text within 24 bits direct jump from kernel text, and tries a wider allocation if first one fails. When first allocation fails the following is observed in kernel logs: vmap allocation for size 2400256 failed: use vmalloc= to increase size systemd-udevd: vmalloc error: size 2395133, vm_struct allocation failed, mode:0xcc0(GFP_KERNEL), nodemask=(null) CPU: 0 PID: 127 Comm: systemd-udevd Tainted: G W 5.15.5-gentoo-PowerMacG4 #9 Call Trace: [e2a53a50] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable) [e2a53a70] [c0540128] warn_alloc+0x11c/0x2b4 [e2a53b50] [c0531be8] __vmalloc_node_range+0xd8/0x64c [e2a53c10] [c00338c0] module_alloc+0xa0/0xac [e2a53c40] [c027a368] load_module+0x2ae0/0x8148 [e2a53e30] [c027fc78] sys_finit_module+0xfc/0x130 [e2a53f30] [c0035098] ret_from_syscall+0x0/0x28 ... Add __GFP_NOWARN flag to first allocation so that no warning appears when it fails. Reported-by: Erhard Furtner Fixes: 2ec13df16704 ("powerpc/modules: Load modules closer to kernel text") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/93c9b84d6ec76aaf7b4f03468e22433a6d308674.1638267035.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit fadcafa3959281ce2d96feedece8c75c3f95f8a5 Author: Athira Rajeev Date: Wed Jul 21 01:48:29 2021 -0400 powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC [ Upstream commit 2c9ac51b850d84ee496b0a5d832ce66d411ae552 ] Running perf fuzzer showed below in dmesg logs: "Can't find PMC that caused IRQ" This means a PMU exception happened, but none of the PMC's (Performance Monitor Counter) were found to be overflown. There are some corner cases that clears the PMCs after PMI gets masked. In such cases, the perf interrupt handler will not find the active PMC values that had caused the overflow and thus leads to this message while replaying. Case 1: PMU Interrupt happens during replay of other interrupts and counter values gets cleared by PMU callbacks before replay: During replay of interrupts like timer, __do_irq() and doorbell exception, we conditionally enable interrupts via may_hard_irq_enable(). This could potentially create a window to generate a PMI. Since irq soft mask is set to ALL_DISABLED, the PMI will get masked here. We could get IPIs run before perf interrupt is replayed and the PMU events could be deleted or stopped. This will change the PMU SPR values and resets the counters. Snippet of ftrace log showing PMU callbacks invoked in __do_irq(): -0 [051] dns. 132025441306354: __do_irq <-call_do_irq -0 [051] dns. 132025441306430: irq_enter <-__do_irq -0 [051] dns. 132025441306503: irq_enter_rcu <-__do_irq -0 [051] dnH. 132025441306599: xive_get_irq <-__do_irq <<>> -0 [051] dnH. 132025441307770: generic_smp_call_function_single_interrupt <-smp_ipi_demux_relaxed -0 [051] dnH. 132025441307839: flush_smp_call_function_queue <-smp_ipi_demux_relaxed -0 [051] dnH. 132025441308057: _raw_spin_lock <-event_function -0 [051] dnH. 132025441308206: power_pmu_disable <-perf_pmu_disable -0 [051] dnH. 132025441308337: power_pmu_del <-event_sched_out -0 [051] dnH. 132025441308407: power_pmu_read <-power_pmu_del -0 [051] dnH. 132025441308477: read_pmc <-power_pmu_read -0 [051] dnH. 132025441308590: isa207_disable_pmc <-power_pmu_del -0 [051] dnH. 132025441308663: write_pmc <-power_pmu_del -0 [051] dnH. 132025441308787: power_pmu_event_idx <-perf_event_update_userpage -0 [051] dnH. 132025441308859: rcu_read_unlock_strict <-perf_event_update_userpage -0 [051] dnH. 132025441308975: power_pmu_enable <-perf_pmu_enable <<>> -0 [051] dnH. 132025441311108: irq_exit <-__do_irq -0 [051] dns. 132025441311319: performance_monitor_exception <-replay_soft_interrupts Case 2: PMI's masked during local_* operations, example local_add(). If the local_add() operation happens within a local_irq_save(), replay of PMI will be during local_irq_restore(). Similar to case 1, this could also create a window before replay where PMU events gets deleted or stopped. Fix it by updating the PMU callback function power_pmu_disable() to check for pending perf interrupt. If there is an overflown PMC and pending perf interrupt indicated in paca, clear the PMI bit in paca to drop that sample. Clearing of PMI bit is done in power_pmu_disable() since disable is invoked before any event gets deleted/stopped. With this fix, if there are more than one event running in the PMU, there is a chance that we clear the PMI bit for the event which is not getting deleted/stopped. The other events may still remain active. Hence to make sure we don't drop valid sample in such cases, another check is added in power_pmu_enable. This checks if there is an overflown PMC found among the active events and if so enable back the PMI bit. Two new helper functions are introduced to clear/set the PMI, ie clear_pmi_irq_pending() and set_pmi_irq_pending(). Helper function pmi_irq_pending() is introduced to give a warning if there is pending PMI bit in paca, but no PMC is overflown. Also there are corner cases which result in performance monitor interrupts being triggered during power_pmu_disable(). This happens since PMXE bit is not cleared along with disabling of other MMCR0 bits in the pmu_disable. Such PMI's could leave the PMU running and could trigger PMI again which will set MMCR0 PMAO bit. This could lead to spurious interrupts in some corner cases. Example, a timer after power_pmu_del() which will re-enable interrupts and triggers a PMI again since PMAO bit is still set. But fails to find valid overflow since PMC was cleared in power_pmu_del(). Fix that by disabling PMXE along with disabling of other MMCR0 bits in power_pmu_disable(). We can't just replay PMI any time. Hence this approach is preferred rather than replaying PMI before resetting overflown PMC. Patch also documents core-book3s on a race condition which can trigger these PMC messages during idle path in PowerNV. Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them") Reported-by: Nageswara R Sastry Suggested-by: Nicholas Piggin Suggested-by: Madhavan Srinivasan Signed-off-by: Athira Rajeev Tested-by: Nageswara R Sastry Reviewed-by: Nicholas Piggin [mpe: Make pmi_irq_pending() return bool, reflow/reword some comments] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1626846509-1350-2-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit c15d1468f339cc872a5901f337a087ca862a180a Author: Niklas Söderlund Date: Tue Nov 9 11:30:45 2021 +0100 dt-bindings: thermal: Fix definition of cooling-maps contribution property [ Upstream commit 49bcb1506f2e095262c01bda7fd1c0db524c91e2 ] When converting the thermal-zones bindings to yaml the definition of the contribution property changed. The intention is the same, an integer value expressing a ratio of a sum on how much cooling is provided by the device to the zone. But after the conversion the integer value is limited to the range 0 to 100 and expressed as a percentage. This is problematic for two reasons. - This do not match how the binding is used. Out of the 18 files that make use of the property only two (ste-dbx5x0.dtsi and ste-hrefv60plus.dtsi) sets it at a value that satisfy the binding, 100. The remaining 16 files set the value higher and fail to validate. - Expressing the value as a percentage instead of a ratio of the sum is confusing as there is nothing to enforce the sum in the zone is not greater then 100. This patch restore the pre yaml conversion description and removes the value limitation allowing the usage of the bindings to validate. Fixes: 1202a442a31fd2e5 ("dt-bindings: thermal: Add yaml bindings for thermal zones") Reported-by: Kieran Bingham Signed-off-by: Niklas Söderlund Link: https://lore.kernel.org/r/20211109103045.1403686-1-niklas.soderlund+renesas@ragnatech.se Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 9de9858d7bf0d6920e3612bef798fefead9ca10b Author: Thomas Gleixner Date: Wed Nov 24 23:40:01 2021 +0100 ALSA: hda: Make proper use of timecounter [ Upstream commit 6dd21ad81bf96478db3403b1bbe251c0612d0431 ] HDA uses a timecounter to read a hardware clock running at 24 MHz. The conversion factor is set with a mult value of 125 and a shift value of 0, which is not converting the hardware clock to nanoseconds, it is converting to 1/3 nanoseconds because the conversion factor from 24Mhz to nanoseconds is 125/3. The usage sites divide the "nanoseconds" value returned by timecounter_read() by 3 to get a real nanoseconds value. There is a lengthy comment in azx_timecounter_init() explaining this choice. That comment makes blatantly wrong assumptions about how timecounters work and what can overflow. The comment says: * Applying the 1/3 factor as part of the multiplication * requires at least 20 bits for a decent precision, however * overflows occur after about 4 hours or less, not a option. timecounters operate on time deltas between two readouts of a clock and use the mult/shift pair to calculate a precise nanoseconds value: delta_nsec = (delta_clock * mult) >> shift; The fractional part is also taken into account and preserved to prevent accumulated rounding errors. For details see cyclecounter_cyc2ns(). The mult/shift pair has to be chosen so that the multiplication of the maximum expected delta value does not result in a 64bit overflow. As the counter wraps around on 32bit, the maximum observable delta between two reads is (1 << 32) - 1 which is about 178.9 seconds. That in turn means the maximum multiplication factor which fits into an u32 will not cause a 64bit overflow ever because it's guaranteed that: ((1 << 32) - 1) ^ 2 < (1 << 64) The resulting correct multiplication factor is 2796202667 and the shift value is 26, i.e. 26 bit precision. The overflow of the multiplication would happen exactly at a clock readout delta of 6597069765 which is way after the wrap around of the hardware clock at around 274.8 seconds which is off from the claimed 4 hours by more than an order of magnitude. If the counter ever wraps around the last read value then the calculation is off by the number of wrap arounds times 178.9 seconds because the overflow cannot be observed. Use clocks_calc_mult_shift(), which calculates the most accurate mult/shift pair based on the given clock frequency, and remove the bogus comment along with the divisions at the readout sites. Fixes: 5d890f591d15 ("ALSA: hda: support for wallclock timestamps") Signed-off-by: Thomas Gleixner Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/871r35kwji.ffs@tglx Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit a2e525d618012a7070af633e138e235d2065909a Author: Jack Wang Date: Wed Nov 24 09:10:40 2021 +0100 RDMA/rtrs-clt: Fix the initial value of min_latency [ Upstream commit 925cac6358677d3d64f9b25f205eeb3d31c9f7f8 ] The type of min_latency is ktime_t, so use KTIME_MAX to initialize the initial value. Fixes: dc3b66a0ce70 ("RDMA/rtrs-clt: Add a minimum latency multipath policy") Link: https://lore.kernel.org/r/20211124081040.19533-1-jinpu.wang@ionos.com Signed-off-by: Jack Wang Reviewed-by: Guoqing Jiang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 278df2c08602cfc7f1db74394d93c12e4fe4cbd1 Author: Lukas Bulwahn Date: Thu Nov 25 10:51:58 2021 +0100 ASoC: codecs: wcd938x: add SND_SOC_WCD938_SDW to codec list instead [ Upstream commit 2039cc1da4bee1fd0df644e26b28ed769cd32a81 ] Commit 045442228868 ("ASoC: codecs: wcd938x: add audio routing and Kconfig") adds SND_SOC_WCD937X, which does not exist, and SND_SOC_WCD938X, which seems not really to be the intended config to be selected, but only a supporting config symbol to the actual config SND_SOC_WCD938X_SDW for the codec. Add SND_SOC_WCD938_SDW to the list instead of SND_SOC_WCD93{7,8}X. The issue was identified with ./scripts/checkkconfigsymbols.py. Fixes: 045442228868 ("ASoC: codecs: wcd938x: add audio routing and Kconfig") Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20211125095158.8394-3-lukas.bulwahn@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dc240056731286b6808d6d9d1f89bb8276e9f477 Author: Lukas Bulwahn Date: Thu Nov 25 10:51:57 2021 +0100 ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA [ Upstream commit 49f893253ab43566e34332a969324531fea463f6 ] Commit f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common driver") adds configs SND_SOC_UNIPHIER_{LD11,PXS2}, which select the non-existing config SND_SOC_UNIPHIER_AIO_DMA. Hence, ./scripts/checkkconfigsymbols.py warns: SND_SOC_UNIPHIER_AIO_DMA Referencing files: sound/soc/uniphier/Kconfig Probably, there is actually no further config intended to be selected here. So, just drop selecting the non-existing config. Fixes: f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common driver") Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20211125095158.8394-2-lukas.bulwahn@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 49a237c73a78bebf7d683ce4b3159e07bf6b786e Author: Peiwei Hu Date: Fri Nov 19 17:12:18 2021 +0800 powerpc/prom_init: Fix improper check of prom_getprop() [ Upstream commit 869fb7e5aecbc163003f93f36dcc26d0554319f6 ] prom_getprop() can return PROM_ERROR. Binary operator can not identify it. Fixes: 94d2dde738a5 ("[POWERPC] Efika: prune fixups and make them more carefull") Signed-off-by: Peiwei Hu Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/tencent_BA28CC6897B7C95A92EB8C580B5D18589105@qq.com Signed-off-by: Sasha Levin commit e459a89df303944c918cf57bc8a22bb1b4674846 Author: Adam Ford Date: Wed Nov 17 07:32:02 2021 -0600 clk: imx8mn: Fix imx8mn_clko1_sels [ Upstream commit 570727e9acfac1c2330a01dd5e1272e9c3acec08 ] When attempting to use sys_pll1_80m as the parent for clko1, the system hangs. This is due to the fact that the source select for sys_pll1_80m was incorrectly pointing to m7_alt_pll_clk, which doesn't yet exist. According to Rev 3 of the TRM, The imx8mn_clko1_sels also incorrectly references an osc_27m which does not exist, nor does an entry for source select bits 010b. Fix both by inserting a dummy clock into the missing space in the table and renaming the incorrectly name clock with dummy. Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Adam Ford Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/20211117133202.775633-1-aford173@gmail.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 6b0335e66b51dc6057edb02ebdb8836684e4a8db Author: Lad Prabhakar Date: Wed Nov 17 11:50:59 2021 +0000 clk: renesas: rzg2l: propagate return value of_genpd_add_provider_simple() [ Upstream commit 33748744f15a110a233b6ae0380f476006e770f0 ] of_genpd_add_provider_simple() might fail, this patch makes sure we check the return value of of_genpd_add_provider_simple() by propagating the return value to the caller of rzg2l_cpg_add_clk_domain(). Fixes: ef3c613ccd68a ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20211117115101.28281-3-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 02beeed3928f7eabbeb7f1a49c6eaa6f2a215218 Author: Lad Prabhakar Date: Wed Nov 17 11:50:58 2021 +0000 clk: renesas: rzg2l: Check return value of pm_genpd_init() [ Upstream commit 27527a3d3b162e4512798c058c0e8a216c721187 ] Make sure we check the return value of pm_genpd_init() which might fail. Also add a devres action to remove the power-domain in-case the probe callback fails further down in the code flow. Fixes: ef3c613ccd68a ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20211117115101.28281-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit a0b4447677ddf293ba2d85960cbfc2cfff75c283 Author: Igor Pylypiv Date: Mon Nov 1 16:28:24 2021 -0700 scsi: pm80xx: Update WARN_ON check in pm8001_mpi_build_cmd() [ Upstream commit 606c54ae975ad3af540b505b46b55a687501711f ] Starting from commit 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues") driver initializes only max_q_num queues. Do not use an invalid queue if the WARN_ON condition is true. Link: https://lore.kernel.org/r/20211101232825.2350233-4-ipylypiv@google.com Fixes: 7640e1eb8c5d ("scsi: pm80xx: Make mpi_build_cmd locking consistent") Reviewed-by: Vishakha Channapattan Acked-by: Jack Wang Signed-off-by: Igor Pylypiv Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4a1723367f5e632cf0b40f134bd3cd8aea9d26a8 Author: Kamal Heib Date: Wed Nov 17 16:59:54 2021 +0200 RDMA/hns: Validate the pkey index [ Upstream commit 2a67fcfa0db6b4075515bd23497750849b88850f ] Before query pkey, make sure that the queried index is valid. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Link: https://lore.kernel.org/r/20211117145954.123893-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8fe8161c50f4de73d56274a90247e84aba624046 Author: Christophe JAILLET Date: Fri Nov 12 09:59:04 2021 +0100 RDMA/bnxt_re: Scan the whole bitmap when checking if "disabling RCFW with pending cmd-bit" [ Upstream commit a917dfb66c0a1fa1caacf3d71edcafcab48e6ff0 ] The 'cmdq->cmdq_bitmap' bitmap is 'rcfw->cmdq_depth' bits long. The size stored in 'cmdq->bmap_size' is the size of the bitmap in bytes. Remove this erroneous 'bmap_size' and use 'rcfw->cmdq_depth' directly in 'bnxt_qplib_disable_rcfw_channel()'. Otherwise some error messages may be missing. Other uses of 'cmdq_bitmap' already take into account 'rcfw->cmdq_depth' directly. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/47ed717c3070a1d0f53e7b4c768a4fd11caf365d.1636707421.git.christophe.jaillet@wanadoo.fr Signed-off-by: Christophe JAILLET Acked-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ec085da3437ba5f8752be304de214183222c38e7 Author: Takashi Iwai Date: Tue Nov 16 08:24:59 2021 +0100 ALSA: hda: Fix potential deadlock at codec unbinding [ Upstream commit 7206998f578d5553989bc01ea2e544b622e79539 ] When a codec is unbound dynamically via sysfs while its stream is in use, we may face a potential deadlock at the proc remove or a UAF. This happens since the hda_pcm is managed by a linked list, as it handles the hda_pcm object release via kref. When a PCM is opened at the unbinding time, the release of hda_pcm gets delayed and it ends up with the close of the PCM stream releasing the associated hda_pcm object of its own. The hda_pcm destructor contains the PCM device release that includes the removal of procfs entries. And, this removal has the sync of the close of all in-use files -- which would never finish because it's called from the PCM file descriptor itself, i.e. it's trying to shoot its foot. For addressing the deadlock above, this patch changes the way to manage and release the hda_pcm object. The kref of hda_pcm is dropped, and instead a simple refcount is introduced in hda_codec for keeping the track of the active PCM streams, and at each PCM open and close, this refcount is adjusted accordingly. At unbinding, the driver calls snd_device_disconnect() for each PCM stream, then synchronizes with the refcount finish, and finally releases the object resources. Fixes: bbbc7e8502c9 ("ALSA: hda - Allocate hda_pcm objects dynamically") Link: https://lore.kernel.org/r/20211116072459.18930-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1b378f59bc86b39aa6594877405f6aaf96cd05fe Author: Takashi Iwai Date: Tue Nov 16 08:13:14 2021 +0100 ALSA: hda: Add missing rwsem around snd_ctl_remove() calls [ Upstream commit 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 ] snd_ctl_remove() has to be called with card->controls_rwsem held (when called after the card instantiation). This patch add the missing rwsem calls around it. Fixes: d13bd412dce2 ("ALSA: hda - Manage kcontrol lists") Link: https://lore.kernel.org/r/20211116071314.15065-3-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9b9f32c0c744da046fa30b807364de797f8bdbeb Author: Takashi Iwai Date: Tue Nov 16 08:13:13 2021 +0100 ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls [ Upstream commit 5471e9762e1af4b7df057a96bfd46cc250979b88 ] snd_ctl_remove() has to be called with card->controls_rwsem held (when called after the card instantiation). This patch add the missing rwsem calls around it. Fixes: a8ff48cb7083 ("ALSA: pcm: Free chmap at PCM free callback, too") Link: https://lore.kernel.org/r/20211116071314.15065-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 19eebde28fc68141580aa40931ea1b637e6a2de8 Author: Takashi Iwai Date: Tue Nov 16 08:13:12 2021 +0100 ALSA: jack: Add missing rwsem around snd_ctl_remove() calls [ Upstream commit 06764dc931848c3a9bc01a63bbf76a605408bb54 ] snd_ctl_remove() has to be called with card->controls_rwsem held (when called after the card instantiation). This patch add the missing rwsem calls around it. Fixes: 9058cbe1eed2 ("ALSA: jack: implement kctl creating for jack devices") Link: https://lore.kernel.org/r/20211116071314.15065-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 03c2fbca897393619632d0839366365c6f75cbf5 Author: Pierre-Louis Bossart Date: Wed Oct 27 10:18:16 2021 +0800 ASoC: Intel: sof_sdw: fix jack detection on HP Spectre x360 convertible [ Upstream commit 0527b19fa4f390a6054612e1fa1dd4f8efc96739 ] Tests on device show the JD2 mode does not work at all, the 'Headphone Jack' and 'Headset Mic Jack' are shown as 'on' always. JD1 seems to be the better option, with at least a change between the two cases. Jack not plugged-in: [root@fedora ~]# amixer -Dhw:0 cget numid=12 numid=12,iface=CARD,name='Headphone Jack' ; type=BOOLEAN,access=r-------,values=1 : values=off [root@fedora ~]# amixer -Dhw:0 cget numid=13 numid=13,iface=CARD,name='Headset Mic Jack' ; type=BOOLEAN,access=r-------,values=1 : values=off Jack plugged-in: [root@fedora ~]# amixer -Dhw:0 cget numid=13 numid=13,iface=CARD,name='Headset Mic Jack' ; type=BOOLEAN,access=r-------,values=1 : values=on [root@fedora ~]# amixer -Dhw:0 cget numid=13 numid=13,iface=CARD,name='Headset Mic Jack' ; type=BOOLEAN,access=r-------,values=1 : values=on The 'Headset Mic Jack' is updated with a delay which seems normal with additional calibration needed. Fixes: d92e279dee56 ('ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Ranjani Sridharan Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20211027021824.24776-3-yung-chuan.liao@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4846b55a2cd9314ebb8f70a37f8826fce1ceba2f Author: Jan Kara Date: Fri Nov 12 16:22:02 2021 +0100 ext4: avoid trim error on fs with small groups [ Upstream commit 173b6e383d2a204c9921ffc1eca3b87aa2106c33 ] A user reported FITRIM ioctl failing for him on ext4 on some devices without apparent reason. After some debugging we've found out that these devices (being LVM volumes) report rather large discard granularity of 42MB and the filesystem had 1k blocksize and thus group size of 8MB. Because ext4 FITRIM implementation puts discard granularity into minlen, ext4_trim_fs() declared the trim request as invalid. However just silently doing nothing seems to be a more appropriate reaction to such combination of parameters since user did not specify anything wrong. CC: Lukas Czerner Fixes: 5c2ed62fd447 ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl") Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 0d3bbe7eb15ee3b7fb7027fcdfa40ab86391deba Author: Pavel Skripkin Date: Fri Jan 7 01:57:16 2022 +0300 net: mcs7830: handle usb read errors properly [ Upstream commit d668769eb9c52b150753f1653f7f5a0aeb8239d2 ] Syzbot reported uninit value in mcs7830_bind(). The problem was in missing validation check for bytes read via usbnet_read_cmd(). usbnet_read_cmd() internally calls usb_control_msg(), that returns number of bytes read. Code should validate that requested number of bytes was actually read. So, this patch adds missing size validation check inside mcs7830_get_reg() to prevent uninit value bugs Reported-and-tested-by: syzbot+003c0a286b9af5412510@syzkaller.appspotmail.com Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter") Signed-off-by: Pavel Skripkin Reviewed-by: Arnd Bergmann Link: https://lore.kernel.org/r/20220106225716.7425-1-paskripkin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 86971970aeed561131e1f65ce063220c8a3f5832 Author: Edwin Peer Date: Sun Jan 9 18:54:44 2022 -0500 bnxt_en: use firmware provided max timeout for messages [ Upstream commit bce9a0b7900836df223ab638090df0cb8430d9e8 ] Some older devices cannot accommodate the 40 seconds timeout cap for long running commands (such as NVRAM commands) due to hardware limitations. Allow these devices to request more time for these long running commands, but print a warning, since the longer timeout may cause the hung task watchdog to trigger. In the case of a firmware update operation, this is preferable to failing outright. v2: Use bp->hwrm_cmd_max_timeout directly without the constants. Fixes: 881d8353b05e ("bnxt_en: Add an upper bound for all firmware command timeouts.") Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e685851f04561ca0ebf534db4cbfa3056f34307d Author: Edwin Peer Date: Fri Oct 29 03:47:48 2021 -0400 bnxt_en: move coredump functions into dedicated file [ Upstream commit b032228e58ea2477955058ad4d70a636ce1dec51 ] Change bnxt_get_coredump() and bnxt_get_coredump_length() to non-static functions. Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a2037e7e4d02c0b9d8714ab1a712b4e57792b22f Author: Edwin Peer Date: Fri Oct 29 03:47:47 2021 -0400 bnxt_en: Refactor coredump functions [ Upstream commit 9a575c8c25ae2372112db6d6b3e553cd90e9f02b ] The coredump functionality will be used by devlink health. Refactor these functions that get coredump and coredump length. There is no functional change, but the following checkpatch warnings were addressed: - strscpy is preferred over strlcpy. - sscanf results should be checked, with an additional warning. Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 57214d92a69f6cc8eaf466b65be25eba495a96b8 Author: Nathan Chancellor Date: Mon Dec 27 12:17:57 2021 -0700 iwlwifi: mvm: Use div_s64 instead of do_div in iwl_mvm_ftm_rtt_smoothing() [ Upstream commit 4ccdcc8ffd955490feec05380223db6a48961eb5 ] When building ARCH=arm allmodconfig: drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c: In function ‘iwl_mvm_ftm_rtt_smoothing’: ./include/asm-generic/div64.h:222:35: error: comparison of distinct pointer types lacks a cast [-Werror] 222 | (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \ | ^~ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c:1070:9: note: in expansion of macro ‘do_div’ 1070 | do_div(rtt_avg, 100); | ^~~~~~ do_div() has to be used with an unsigned 64-bit integer dividend but rtt_avg is a signed 64-bit integer. div_s64() expects a signed 64-bit integer dividend and signed 32-bit divisor, which fits this scenario, so use that function here to fix the warning. Fixes: 8b0f92549f2c ("iwlwifi: mvm: fix 32-bit build in FTM") Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20211227191757.2354329-1-nathan@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit cf2ce93a7afa96659c5980ae114c5f2ee3510a8d Author: Paul Blakey Date: Thu Jan 6 17:38:04 2022 +0200 net: openvswitch: Fix ct_state nat flags for conns arriving from tc [ Upstream commit 6f022c2ddbcefaee79502ce5386dfe351d457070 ] Netfilter conntrack maintains NAT flags per connection indicating whether NAT was configured for the connection. Openvswitch maintains NAT flags on the per packet flow key ct_state field, indicating whether NAT was actually executed on the packet. When a packet misses from tc to ovs the conntrack NAT flags are set. However, NAT was not necessarily executed on the packet because the connection's state might still be in NEW state. As such, openvswitch wrongly assumes that NAT was executed and sets an incorrect flow key NAT flags. Fix this, by flagging to openvswitch which NAT was actually done in act_ct via tc_skb_ext and tc_skb_cb to the openvswitch module, so the packet flow key NAT flags will be correctly set. Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") Signed-off-by: Paul Blakey Acked-by: Jamal Hadi Salim Link: https://lore.kernel.org/r/20220106153804.26451-1-paulb@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e7b33ff6439ac071ade78b49d3a9dd6519ddb78d Author: Paul Blakey Date: Tue Dec 14 19:24:35 2021 +0200 net: openvswitch: Fix matching zone id for invalid conns arriving from tc [ Upstream commit 635d448a1cce4b4ebee52b351052c70434fa90ea ] Zone id is not restored if we passed ct and ct rejected the connection, as there is no ct info on the skb. Save the zone from tc skb cb to tc skb extension and pass it on to ovs, use that info to restore the zone id for invalid connections. Fixes: d29334c15d33 ("net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct") Signed-off-by: Paul Blakey Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a006c84824634fd13f442cd57c1217cc2b1aedbd Author: Paul Blakey Date: Tue Dec 14 19:24:34 2021 +0200 net/sched: flow_dissector: Fix matching on zone id for invalid conns [ Upstream commit 3849595866166b23bf6a0cb9ff87e06423167f67 ] If ct rejects a flow, it removes the conntrack info from the skb. act_ct sets the post_ct variable so the dissector will see this case as an +tracked +invalid state, but the zone id is lost with the conntrack info. To restore the zone id on such cases, set the last executed zone, via the tc control block, when passing ct, and read it back in the dissector if there is no ct info on the skb (invalid connection). Fixes: 7baf2429a1a9 ("net/sched: cls_flower add CT_FLAGS_INVALID flag support") Signed-off-by: Paul Blakey Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3a4ecdfc0cf49f5d5536cd244052b251f8c63365 Author: Dominik Brodowski Date: Sun Jan 9 10:02:51 2022 +0100 pcmcia: fix setting of kthread task states [ Upstream commit fbb3485f1f931102d8ba606f1c28123f5b48afa3 ] We need to set TASK_INTERRUPTIBLE before calling kthread_should_stop(). Otherwise, kthread_stop() might see that the pccardd thread is still in TASK_RUNNING state and fail to wake it up. Additionally, we only need to set the state back to TASK_RUNNING if kthread_should_stop() breaks the loop. Cc: Greg Kroah-Hartman Reported-by: Al Viro Reviewed-by: Matthew Wilcox (Oracle) Fixes: d3046ba809ce ("pcmcia: fix a boot time warning in pcmcia cs code") Signed-off-by: Dominik Brodowski Signed-off-by: Sasha Levin commit 4a71828b273865ddde1a04473be2786d1fb48e3b Author: Lad Prabhakar Date: Thu Jan 6 11:48:00 2022 +0000 can: rcar_canfd: rcar_canfd_channel_probe(): make sure we free CAN network device [ Upstream commit 72b1e360572f9fa7d08ee554f1da29abce23f288 ] Make sure we free CAN network device in the error path. There are several jumps to fail label after allocating the CAN network device successfully. This patch places the free_candev() under fail label so that in failure path a jump to fail label frees the CAN network device. Fixes: 76e9353a80e9 ("can: rcar_canfd: Add support for RZ/G2L family") Link: https://lore.kernel.org/all/20220106114801.20563-1-prabhakar.mahadev-lad.rj@bp.renesas.com Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Kieran Bingham Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 61970e8b5d78eb4a59ce75748dd7f2965f5edf93 Author: Jiasheng Jiang Date: Fri Dec 24 10:13:24 2021 +0800 can: xilinx_can: xcan_probe(): check for error irq [ Upstream commit c6564c13dae25cd7f8e1de5127b4da4500ee5844 ] For the possible failure of the platform_get_irq(), the returned irq could be error number and will finally cause the failure of the request_irq(). Consider that platform_get_irq() can now in certain cases return -EPROBE_DEFER, and the consequences of letting request_irq() effectively convert that into -EINVAL, even at probe time rather than later on. So it might be better to check just now. Fixes: b1201e44f50b ("can: xilinx CAN controller support") Link: https://lore.kernel.org/all/20211224021324.1447494-1-jiasheng@iscas.ac.cn Signed-off-by: Jiasheng Jiang Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit b8609cb64101a3b6c21560999264f12eb5f6330e Author: Marc Kleine-Budde Date: Sat Jan 8 21:57:51 2022 +0100 can: softing: softing_startstop(): fix set but not used variable warning [ Upstream commit 370d988cc529598ebaec6487d4f84c2115dc696b ] In the function softing_startstop() the variable error_reporting is assigned but not used. The code that uses this variable is commented out. Its stated that the functionality is not finally verified. To fix the warning: | drivers/net/can/softing/softing_fw.c:424:9: error: variable 'error_reporting' set but not used [-Werror,-Wunused-but-set-variable] remove the comment, activate the code, but add a "0 &&" to the if expression and rely on the optimizer rather than the preprocessor to remove the code. Link: https://lore.kernel.org/all/20220109103126.1872833-1-mkl@pengutronix.de Fixes: 03fd3cf5a179 ("can: add driver for Softing card") Cc: Kurt Van Dijck Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit deb81894f56e8063d471465f42e09afbb5779baf Author: Christophe Jaillet Date: Sat Nov 6 17:42:04 2021 +0100 tpm_tis: Fix an error handling path in 'tpm_tis_core_init()' [ Upstream commit e96d52822f5ac0a25de78f95cd23421bcbc93584 ] Commit 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent queries") has moved some code around without updating the error handling path. This is now pointless to 'goto out_err' when neither 'clk_enable()' nor 'ioremap()' have been called yet. Make a direct return instead to avoid undoing things that have not been done. Fixes: 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent queries") Signed-off-by: Christophe Jaillet Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit ea1fd8364c9fbe0dfad677fd23d0ff240c3c7a7f Author: Chen Jun Date: Wed Oct 13 06:25:56 2021 +0000 tpm: add request_locality before write TPM_INT_ENABLE [ Upstream commit 0ef333f5ba7f24f5d8478425c163d3097f1c7afd ] Locality is not appropriately requested before writing the int mask. Add the missing boilerplate. Fixes: e6aef069b6e9 ("tpm_tis: convert to using locality callbacks") Signed-off-by: Chen Jun Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 8609525ee0ee7796403e4555514215ef4722a19d Author: Marc Kleine-Budde Date: Tue Oct 19 17:05:25 2021 +0200 can: mcp251xfd: add missing newline to printed strings [ Upstream commit 3bd9d8ce6f8c5c43ee2f1106021db0f98882cc75 ] This patch adds the missing newline to printed strings. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Link: https://lore.kernel.org/all/20220105154300.1258636-4-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f5b7e80e25c484639afb9689d9b39dcb3662f817 Author: Vladimir Oltean Date: Fri Jan 7 18:43:32 2022 +0200 net: mscc: ocelot: fix incorrect balancing with down LAG ports [ Upstream commit a14e6b69f393d651913edcbe4ec0dec27b8b4b40 ] Assuming the test setup described here: https://patchwork.kernel.org/project/netdevbpf/cover/20210205130240.4072854-1-vladimir.oltean@nxp.com/ (swp1 and swp2 are in bond0, and bond0 is in a bridge with swp0) it can be seen that when swp1 goes down (on either board A or B), then traffic that should go through that port isn't forwarded anywhere. A dump of the PGID table shows the following: PGID_DST[0] = ports 0 PGID_DST[1] = ports 1 PGID_DST[2] = ports 2 PGID_DST[3] = ports 3 PGID_DST[4] = ports 4 PGID_DST[5] = ports 5 PGID_DST[6] = no ports PGID_AGGR[0] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[1] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[2] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[3] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[4] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[5] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[6] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[7] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[8] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[9] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[10] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[11] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[12] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[13] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[14] = ports 0, 1, 2, 3, 4, 5 PGID_AGGR[15] = ports 0, 1, 2, 3, 4, 5 PGID_SRC[0] = ports 1, 2 PGID_SRC[1] = ports 0 PGID_SRC[2] = ports 0 PGID_SRC[3] = no ports PGID_SRC[4] = no ports PGID_SRC[5] = no ports PGID_SRC[6] = ports 0, 1, 2, 3, 4, 5 Whereas a "good" PGID configuration for that setup should have looked like this: PGID_DST[0] = ports 0 PGID_DST[1] = ports 1, 2 PGID_DST[2] = ports 1, 2 PGID_DST[3] = ports 3 PGID_DST[4] = ports 4 PGID_DST[5] = ports 5 PGID_DST[6] = no ports PGID_AGGR[0] = ports 0, 2, 3, 4, 5 PGID_AGGR[1] = ports 0, 2, 3, 4, 5 PGID_AGGR[2] = ports 0, 2, 3, 4, 5 PGID_AGGR[3] = ports 0, 2, 3, 4, 5 PGID_AGGR[4] = ports 0, 2, 3, 4, 5 PGID_AGGR[5] = ports 0, 2, 3, 4, 5 PGID_AGGR[6] = ports 0, 2, 3, 4, 5 PGID_AGGR[7] = ports 0, 2, 3, 4, 5 PGID_AGGR[8] = ports 0, 2, 3, 4, 5 PGID_AGGR[9] = ports 0, 2, 3, 4, 5 PGID_AGGR[10] = ports 0, 2, 3, 4, 5 PGID_AGGR[11] = ports 0, 2, 3, 4, 5 PGID_AGGR[12] = ports 0, 2, 3, 4, 5 PGID_AGGR[13] = ports 0, 2, 3, 4, 5 PGID_AGGR[14] = ports 0, 2, 3, 4, 5 PGID_AGGR[15] = ports 0, 2, 3, 4, 5 PGID_SRC[0] = ports 1, 2 PGID_SRC[1] = ports 0 PGID_SRC[2] = ports 0 PGID_SRC[3] = no ports PGID_SRC[4] = no ports PGID_SRC[5] = no ports PGID_SRC[6] = ports 0, 1, 2, 3, 4, 5 In other words, in the "bad" configuration, the attempt is to remove the inactive swp1 from the destination ports via PGID_DST. But when a MAC table entry is learned, it is learned towards PGID_DST 1, because that is the logical port id of the LAG itself (it is equal to the lowest numbered member port). So when swp1 becomes inactive, if we set PGID_DST[1] to contain just swp1 and not swp2, the packet will not have any chance to reach the destination via swp2. The "correct" way to remove swp1 as a destination is via PGID_AGGR (remove swp1 from the aggregation port groups for all aggregation codes). This means that PGID_DST[1] and PGID_DST[2] must still contain both swp1 and swp2. This makes the MAC table still treat packets destined towards the single-port LAG as "multicast", and the inactive ports are removed via the aggregation code tables. The change presented here is a design one: the ocelot_get_bond_mask() function used to take an "only_active_ports" argument. We don't need that. The only call site that specifies only_active_ports=true, ocelot_set_aggr_pgids(), must retrieve the entire bonding mask, because it must program that into PGID_DST. Additionally, it must also clear the inactive ports from the bond mask here, which it can't do if bond_mask just contains the active ports: ac = ocelot_read_rix(ocelot, ANA_PGID_PGID, i); ac &= ~bond_mask; <---- here /* Don't do division by zero if there was no active * port. Just make all aggregation codes zero. */ if (num_active_ports) ac |= BIT(aggr_idx[i % num_active_ports]); ocelot_write_rix(ocelot, ac, ANA_PGID_PGID, i); So it becomes the responsibility of ocelot_set_aggr_pgids() to take ocelot_port->lag_tx_active into consideration when populating the aggr_idx array. Fixes: 23ca3b727ee6 ("net: mscc: ocelot: rebalance LAGs on link up/down events") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220107164332.402133-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5aff6ae24b3904a074b4f81baf19b492a73c1231 Author: Fabio Estevam Date: Fri Jan 7 13:33:07 2022 -0300 regmap: Call regmap_debugfs_exit() prior to _init() [ Upstream commit 530792efa6cb86f5612ff093333fec735793b582 ] Since commit cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when calling regmap_attach_dev"), the following debugfs error is seen on i.MX boards: debugfs: Directory 'dummy-iomuxc-gpr@20e0000' with parent 'regmap' already present! In the attempt to fix the memory leak, the above commit added a NULL check for map->debugfs_name. For the first debufs entry, map->debugfs_name is NULL and then the new name is allocated via kasprintf(). For the second debugfs entry, map->debugfs_name() is no longer NULL, so it will keep using the old entry name and the duplicate name error is seen. Quoting Mark Brown: "That means that if the device gets freed we'll end up with the old debugfs file hanging around pointing at nothing. ... To be more explicit this means we need a call to regmap_debugfs_exit() which will clean up all the existing debugfs stuff before we loose references to it." Call regmap_debugfs_exit() prior to regmap_debugfs_init() to fix the problem. Tested on i.MX6Q and i.MX6SX boards. Fixes: cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when calling regmap_attach_dev") Suggested-by: Mark Brown Signed-off-by: Fabio Estevam Link: https://lore.kernel.org/r/20220107163307.335404-1-festevam@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit af5dcf968ebe69bd8c24ba7359aae002f8b4cdd9 Author: Dan Carpenter Date: Fri Jan 7 10:12:10 2022 +0300 netrom: fix api breakage in nr_setsockopt() [ Upstream commit dc35616e6c2907b0c0c391a205802d8880f7fd85 ] This needs to copy an unsigned int from user space instead of a long to avoid breaking user space with an API change. I have updated all the integer overflow checks from ULONG to UINT as well. This is a slight API change but I do not expect it to affect anything in real life. Fixes: 3087a6f36ee0 ("netrom: fix copying in user data in nr_setsockopt") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7b9986a0425a83dc763222667ceb67036ac15640 Author: Dan Carpenter Date: Fri Jan 7 10:13:12 2022 +0300 ax25: uninitialized variable in ax25_setsockopt() [ Upstream commit 9371937092d5fd502032c1bb4475b36b39b1f1b3 ] The "opt" variable is unsigned long but we only copy 4 bytes from the user so the lower 4 bytes are uninitialized. I have changed the integer overflow checks from ULONG to UINT as well. This is a slight API change but I don't expect it to break anything. Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c48c7678739d11e9982a435b9eb9fb0d68431129 Author: Subbaraya Sundeep Date: Fri Jan 7 12:00:29 2022 +0530 octeontx2-af: Increment ptp refcount before use [ Upstream commit 93440f4888cf049dbd22b41aaf94d2e2153b3eb8 ] Before using the ptp pci device by AF driver increment the reference count of it. Fixes: a8b90c9d26d6 ("octeontx2-af: Add PTP device id for CN10K and 95O silcons") Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit aac0b364904fe81c8c16b7def3a28eaaef327e20 Author: Miaoqian Lin Date: Fri Jan 7 07:54:24 2022 +0000 spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe [ Upstream commit 69c1b87516e327a60b39f96b778fe683259408bf ] If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Add missing pm_runtime_disable() for meson_spifc_probe. Fixes: c3e4bc5434d2 ("spi: meson: Add support for Amlogic Meson SPIFC") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220107075424.7774-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e1652f70e8964218c916ae4b6da3056b8f3c6e11 Author: Geliang Tang Date: Thu Jan 6 14:06:37 2022 -0800 mptcp: fix a DSS option writing error [ Upstream commit 110b6d1fe98fd7af9893992459b651594d789293 ] 'ptr += 1;' was omitted in the original code. If the DSS is the last option -- which is what we have most of the time -- that's not an issue. But it is if we need to send something else after like a RM_ADDR or an MP_PRIO. Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") Reviewed-by: Matthieu Baerts Signed-off-by: Geliang Tang Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 72aba03ba836c7b72b29cbec1c8ddc61b57edada Author: Matthieu Baerts Date: Thu Jan 6 14:06:36 2022 -0800 mptcp: fix opt size when sending DSS + MP_FAIL [ Upstream commit 04fac2cae9422a3401c172571afbcfdd58fa5c7e ] When these two options had to be sent -- which is not common -- the DSS size was not being taken into account in the remaining size. Additionally in this situation, the reported size was only the one of the MP_FAIL which can cause issue if at the end, we need to write more in the TCP options than previously said. Here we use a dedicated variable for MP_FAIL size to keep the WARN_ON_ONCE() just after. Fixes: c25aeb4e0953 ("mptcp: MP_FAIL suboption sending") Acked-and-tested-by: Geliang Tang Signed-off-by: Matthieu Baerts Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c310df0eabe5667028c2979d93a31a52cf33d0f2 Author: Paolo Abeni Date: Thu Jan 6 16:20:20 2022 -0800 mptcp: fix per socket endpoint accounting [ Upstream commit f7d6a237d7422809d458d754016de2844017cb4d ] Since full-mesh endpoint support, the reception of a single ADD_ADDR option can cause multiple subflows creation. When such option is accepted we increment 'add_addr_accepted' by one. When we received a paired RM_ADDR option, we deleted all the relevant subflows, decrementing 'add_addr_accepted' by one for each of them. We have a similar issue for 'local_addr_used' Fix them moving the pm endpoint accounting outside the subflow traversal. Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh") Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit abe4b2c214ea83a89716288956f88b85b33bd04f Author: Dan Carpenter Date: Fri Jan 7 10:16:44 2022 +0300 Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt() [ Upstream commit 2b70d4f9b20635ac328836e50d183632e1930f94 ] The "opt" variable is a u32, but on some paths only the top bytes were initialized and the others contained random stack data. Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") Signed-off-by: Dan Carpenter Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b918c668d2954461eeaa8f2409e61bca92dcb324 Author: Zizhuang Deng Date: Thu Dec 30 15:03:31 2021 +0800 lib/mpi: Add the return value check of kcalloc() [ Upstream commit dd827abe296fe4249b2f8c9b95f72f814ea8348c ] Add the return value check of kcalloc() to avoid potential NULL ptr dereference. Fixes: a8ea8bdd9df9 ("lib/mpi: Extend the MPI library") Signed-off-by: Zizhuang Deng Reviewed-by: Tianjia Zhang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d73d81447c6651904dd4a9e3fd88651ff174c1b7 Author: Moshe Shemesh Date: Sun Dec 5 12:07:49 2021 +0200 net/mlx5: Set command entry semaphore up once got index free [ Upstream commit 8e715cd613a1e872b9d918e912d90b399785761a ] Avoid a race where command work handler may fail to allocate command entry index, by holding the command semaphore down till command entry index is being freed. Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation") Signed-off-by: Moshe Shemesh Reviewed-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 266e6a36546f0734a2a3ee9b4422c9d5b942c707 Author: Maor Dickman Date: Mon Jan 3 15:04:18 2022 +0200 net/mlx5e: Sync VXLAN udp ports during uplink representor profile change [ Upstream commit 07f6dc4024ea1d2314b9c8b81fd4e492864fcca1 ] Currently during NIC profile disablement all VXLAN udp ports offloaded to the HW are flushed and during its enablement the driver send notification to the stack to inform the core that the entire UDP tunnel port state has been lost, uplink representor doesn't have the same behavior which can cause VXLAN udp ports offload to be in bad state while moving between modes while VXLAN interface exist. Fixed by aligning the uplink representor profile behavior to the NIC behavior. Fixes: 84db66124714 ("net/mlx5e: Move set vxlan nic info to profile init") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit fbe5f19824baacaeb3aff38a4841d70e0d0da1bc Author: Shay Drory Date: Thu Dec 30 08:54:08 2021 +0200 net/mlx5: Fix access to sf_dev_table on allocation failure [ Upstream commit a1c7c49c2091926962f8c1c866d386febffec5d8 ] Even when SF devices are supported, the SF device table allocation can still fail. In such case mlx5_sf_dev_supported still reports true, but SF device table is invalid. This can result in NULL table access. Hence, fix it by adding NULL table check. Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") Signed-off-by: Shay Drory Reviewed-by: Parav Pandit Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 7c1f9797e1b55cb14e9e9bcb817b39d06e021fc8 Author: Paul Blakey Date: Wed Jun 16 10:55:56 2021 +0300 net/mlx5e: Fix matching on modified inner ip_ecn bits [ Upstream commit b6dfff21a170af5c695ebaa153b7f5e297ddca03 ] Tunnel device follows RFC 6040, and during decapsulation inner ip_ecn might change depending on inner and outer ip_ecn as follows: +---------+----------------------------------------+ |Arriving | Arriving Outer Header | | Inner +---------+---------+---------+----------+ | Header | Not-ECT | ECT(0) | ECT(1) | CE | +---------+---------+---------+---------+----------+ | Not-ECT | Not-ECT | Not-ECT | Not-ECT | | | ECT(0) | ECT(0) | ECT(0) | ECT(1) | CE* | | ECT(1) | ECT(1) | ECT(1) | ECT(1)* | CE* | | CE | CE | CE | CE | CE | +---------+---------+---------+---------+----------+ Cells marked above are changed from original inner packet ip_ecn value. Tc then matches on the modified inner ip_ecn, but hw offload which matches the inner ip_ecn value before decap, will fail. Fix that by mapping all the cases of outer and inner ip_ecn matching, and only supporting cases where we know inner wouldn't be changed by decap, or in the outer ip_ecn=CE case, inner ip_ecn didn't matter. Fixes: bcef735c59f2 ("net/mlx5e: Offload TC matching on tos/ttl for ip tunnels") Signed-off-by: Paul Blakey Reviewed-by: Oz Shlomo Reviewed-by: Eli Cohen Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 46a8a5a42984928914c20d6c8b33d2c8a3cdbd27 Author: Aya Levin Date: Sun Oct 24 16:52:23 2021 +0300 Revert "net/mlx5e: Block offload of outer header csum for GRE tunnel" [ Upstream commit 01c3fd113ef50490ffd43f78f347ef6bb008510b ] This reverts commit 54e1217b90486c94b26f24dcee1ee5ef5372f832. Although the NIC doesn't support offload of outer header CSUM, using gso_partial_features allows offloading the tunnel's segmentation. The driver relies on the stack CSUM calculation of the outer header. For this, NETIF_F_GSO_GRE_CSUM must be a member of the device's features. Fixes: 54e1217b9048 ("net/mlx5e: Block offload of outer header csum for GRE tunnel") Signed-off-by: Aya Levin Reviewed-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit a8176f18ab5fa6e7a59a23309f4ee5a4b19890a5 Author: Aya Levin Date: Sun Oct 24 11:47:41 2021 +0300 Revert "net/mlx5e: Block offload of outer header csum for UDP tunnels" [ Upstream commit 64050cdad0983ad8060e33c3f4b5aee2366bcebd ] This reverts commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122. Although the NIC doesn't support offload of outer header CSUM, using gso_partial_features allows offloading the tunnel's segmentation. The driver relies on the stack CSUM calculation of the outer header. For this, NETIF_F_GSO_UDP_TUNNEL_CSUM must be a member of the device's features. Fixes: 6d6727dddc7f ("net/mlx5e: Block offload of outer header csum for UDP tunnels") Signed-off-by: Aya Levin Reviewed-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 44008999815b9485eca28d09cb4975f4b84b3f68 Author: Maor Dickman Date: Thu Dec 30 11:20:10 2021 +0200 net/mlx5e: Don't block routes with nexthop objects in SW [ Upstream commit 9e72a55a3c9d54b38a704bb7292d984574a81d9d ] Routes with nexthop objects is currently not supported by multipath offload and any attempts to use it is blocked, however this also block adding SW routes with nexthop. Resolve this by returning NOTIFY_DONE instead of an error which will allow such a route to be created in SW but not offloaded. This fix also solve an issue which block adding such routes on different devices due to missing check if the route FIB device is one of multipath devices. Fixes: 6a87afc072c3 ("mlx5: Fail attempts to use routes with nexthop objects") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 360cbb1c3ec71e9b92f4bdb3455349914b911bd4 Author: Maor Dickman Date: Wed Dec 29 16:10:41 2021 +0200 net/mlx5e: Fix wrong usage of fib_info_nh when routes with nexthop objects are used [ Upstream commit 885751eb1b01d276e38f57d78c583e4ce006c5ed ] Creating routes with nexthop objects while in switchdev mode leads to access to un-allocated memory and trigger bellow call trace due to hitting WARN_ON. This is caused due to illegal usage of fib_info_nh in TC tunnel FIB event handling to resolve the FIB device while fib_info built in with nexthop. Fixed by ignoring attempts to use nexthop objects with routes until support can be properly added. WARNING: CPU: 1 PID: 1724 at include/net/nexthop.h:468 mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core] CPU: 1 PID: 1724 Comm: ip Not tainted 5.15.0_for_upstream_min_debug_2021_11_09_02_04 #1 RIP: 0010:mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core] RSP: 0018:ffff8881349f7910 EFLAGS: 00010202 RAX: ffff8881492f1980 RBX: ffff8881349f79e8 RCX: 0000000000000000 RDX: ffff8881349f79e8 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8881349f7950 R08: 00000000000000fe R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811e9d0000 R13: ffff88810eb62000 R14: ffff888106710268 R15: 0000000000000018 FS: 00007f1d5ca6e800(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffedba44ff8 CR3: 0000000129808004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: atomic_notifier_call_chain+0x42/0x60 call_fib_notifiers+0x21/0x40 fib_table_insert+0x479/0x6d0 ? try_charge_memcg+0x480/0x6d0 inet_rtm_newroute+0x65/0xb0 rtnetlink_rcv_msg+0x2af/0x360 ? page_add_file_rmap+0x13/0x130 ? do_set_pte+0xcd/0x120 ? rtnl_calcit.isra.0+0x120/0x120 netlink_rcv_skb+0x4e/0xf0 netlink_unicast+0x1ee/0x2b0 netlink_sendmsg+0x22e/0x460 sock_sendmsg+0x33/0x40 ____sys_sendmsg+0x1d1/0x1f0 ___sys_sendmsg+0xab/0xf0 ? __mod_memcg_lruvec_state+0x40/0x60 ? __mod_lruvec_page_state+0x95/0xd0 ? page_add_new_anon_rmap+0x4e/0xf0 ? __handle_mm_fault+0xec6/0x1470 __sys_sendmsg+0x51/0x90 ? internal_get_user_pages_fast+0x480/0xa10 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 8914add2c9e5 ("net/mlx5e: Handle FIB events to update tunnel endpoint device") Signed-off-by: Maor Dickman Reviewed-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 423bf4c1ea8afd2e58178cf033a7d3b96d9f05cc Author: Aya Levin Date: Thu Dec 23 14:38:28 2021 +0200 net/mlx5e: Fix page DMA map/unmap attributes [ Upstream commit 0b7cfa4082fbf550595bc0e40f05614bd83bf0cd ] Driver initiates DMA sync, hence it may skip CPU sync. Add DMA_ATTR_SKIP_CPU_SYNC as input attribute both to dma_map_page and dma_unmap_page to avoid redundant sync with the CPU. When forcing the device to work with SWIOTLB, the extra sync might cause data corruption. The driver unmaps the whole page while the hardware used just a part of the bounce buffer. So syncing overrides the entire page with bounce buffer that only partially contains real data. Fixes: bc77b240b3c5 ("net/mlx5e: Add fragmented memory support for RX multi packet WQE") Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") Signed-off-by: Aya Levin Reviewed-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 6d818695065df8466e67e02e3e120408fa1a592b Author: Huang Rui Date: Thu Jan 6 15:43:06 2022 +0800 x86, sched: Fix undefined reference to init_freq_invariance_cppc() build error [ Upstream commit 6c4ab1b86dac3954d15c00c1a6396d60a1023fab ] The init_freq_invariance_cppc function is implemented in smpboot and depends on CONFIG_SMP. MODPOST vmlinux.symvers MODINFO modules.builtin.modinfo GEN modules.builtin LD .tmp_vmlinux.kallsyms1 ld: drivers/acpi/cppc_acpi.o: in function `acpi_cppc_processor_probe': /home/ray/brahma3/linux/drivers/acpi/cppc_acpi.c:819: undefined reference to `init_freq_invariance_cppc' make: *** [Makefile:1161: vmlinux] Error 1 See https://lore.kernel.org/lkml/484af487-7511-647e-5c5b-33d4429acdec@infradead.org/. Fixes: 41ea667227ba ("x86, sched: Calculate frequency invariance for AMD systems") Reported-by: kernel test robot Reported-by: Randy Dunlap Reported-by: Stephen Rothwell Signed-off-by: Huang Rui [ rjw: Subject edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f7e2f374799ff87cc0734cb3efe1a168aae77d8e Author: Valentin Caron Date: Tue Jan 4 19:24:42 2022 +0100 serial: stm32: move tx dma terminate DMA to shutdown [ Upstream commit 56a23f9319e86e1d62a109896e2c7e52c414e67d ] Terminate DMA transaction and clear CR3_DMAT when shutdown is requested, instead of when remove is requested. If DMA transfer is not stopped in shutdown ops, driver will fail to start a new DMA transfer after next startup ops. Fixes: 3489187204eb ("serial: stm32: adding dma support") Signed-off-by: Erwan Le Ray Signed-off-by: Valentin Caron Link: https://lore.kernel.org/r/20220104182445.4195-2-valentin.caron@foss.st.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8209b0b395aaed26779286d7caa735277217353d Author: Alyssa Ross Date: Tue Jan 4 13:10:28 2022 +0000 serial: liteuart: fix MODULE_ALIAS [ Upstream commit 556172fabd226ba14b70c1740d0826a4717473dc ] modprobe can't handle spaces in aliases. Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver") Signed-off-by: Alyssa Ross Link: https://lore.kernel.org/r/20220104131030.1674733-1-hi@alyssa.is Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 71db96193317626954073c24344d5cf4759e0af3 Author: Miaoqian Lin Date: Fri Dec 31 08:04:25 2021 +0000 drivers/firmware: Add missing platform_device_put() in sysfb_create_simplefb [ Upstream commit 0589e8889dce8e0f0ea5bbf757f38865e2a469c1 ] Add the missing platform_device_put() before return from sysfb_create_simplefb() in the error handling case. Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20211231080431.15385-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1850a403bd0b9b61dffcf6afa2fefe6db9a49fd4 Author: Michal Suchanek Date: Tue Jan 4 18:05:05 2022 +0100 debugfs: lockdown: Allow reading debugfs files that are not world readable [ Upstream commit 358fcf5ddbec4e6706405847d6a666f5933a6c25 ] When the kernel is locked down the kernel allows reading only debugfs files with mode 444. Mode 400 is also valid but is not allowed. Make the 444 into a mask. Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down") Signed-off-by: Michal Suchanek Link: https://lore.kernel.org/r/20220104170505.10248-1-msuchanek@suse.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0fc97f944245de471cbabf637fd84036939e009a Author: José Expósito Date: Wed Jan 5 18:29:15 2022 +0100 HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad [ Upstream commit aa320fdbbbb482c19100f51461bd0069753ce3d7 ] The function performs a check on the hdev input parameters, however, it is used before the check. Initialize the udev variable after the sanity check to avoid a possible NULL pointer dereference. Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") Addresses-Coverity-ID: 1443763 ("Null pointer dereference") Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit fc8a47ed624bd29b0ae91fbd96019274c87870cc Author: José Expósito Date: Wed Jan 5 18:29:14 2022 +0100 HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init [ Upstream commit ff6b548afe4d9d1ff3a0f6ef79e8cbca25d8f905 ] The function performs a check on its input parameters, however, the hdev parameter is used before the check. Initialize the stack variables after checking the input parameters to avoid a possible NULL pointer dereference. Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") Addresses-Coverity-ID: 1443804 ("Null pointer dereference") Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 964e6a78cb1df2ca1a4ec92bd6159ff93483032d Author: José Expósito Date: Wed Jan 5 18:29:13 2022 +0100 HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc [ Upstream commit 0a94131d6920916ccb6a357037c535533af08819 ] The function performs a check on the hdev input parameters, however, it is used before the check. Initialize the udev variable after the sanity check to avoid a possible NULL pointer dereference. Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") Addresses-Coverity-ID: 1443827 ("Null pointer dereference") Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 621aade97324398e74e8cd921fc02fc015e1d606 Author: José Expósito Date: Wed Jan 5 18:29:12 2022 +0100 HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init [ Upstream commit f364c571a5c77e96de2d32062ff019d6b8d2e2bc ] The function performs a check on its input parameters, however, the hdev parameter is used before the check. Initialize the stack variables after checking the input parameters to avoid a possible NULL pointer dereference. Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") Addresses-Coverity-ID: 1443831 ("Null pointer dereference") Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 78e8660e9d909702d5d17660c46360bcd57e80ba Author: Pavel Hofman Date: Wed Jan 5 11:46:43 2022 +0100 usb: gadget: u_audio: Subdevice 0 for capture ctls [ Upstream commit 601a5bc1aeef772ab1f47582fd322957799f5ab5 ] Both capture and playback alsa devices use subdevice 0. Yet capture-side ctls are defined for subdevice 1. The patch sets subdevice 0 for them. Fixes: 02de698ca812 ("usb: gadget: u_audio: add bi-directional volume and mute support") Signed-off-by: Pavel Hofman Link: https://lore.kernel.org/r/20220105104643.90125-1-pavel.hofman@ivitera.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e3e610612234ff17eeaa8363a4003f170583e354 Author: John Keeping Date: Thu Jan 6 11:57:31 2022 +0000 usb: dwc2: gadget: initialize max_speed from params [ Upstream commit 92ef98a4caacad6d4a1490dda45d81ae5ccf5bc9 ] DWC2 may be paired with a full-speed PHY which is not capable of high-speed operation. Report this correctly to the gadget core by setting max_speed from the core parameters. Prior to commit 5324bad66f09f ("usb: dwc2: gadget: implement udc_set_speed()") this didn't cause the hardware to be configured incorrectly, although the speed may have been reported incorrectly. But after that commit params.speed is updated based on a value passed in by the gadget core which may set it to a faster speed than is supported by the hardware. Initialising the max_speed parameter ensures the speed passed to dwc2_gadget_set_speed() will be one supported by the hardware. Fixes: 5324bad66f09f ("usb: dwc2: gadget: implement udc_set_speed()") Acked-by: Minas Harutyunyan Signed-off-by: John Keeping Link: https://lore.kernel.org/r/20220106115731.1473909-1-john@metanate.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 85a75d45f7155ce3b4ea99f2fc5f2acd952bf921 Author: Dinh Nguyen Date: Tue Jan 4 07:59:22 2022 -0600 usb: dwc2: do not gate off the hardware if it does not support clock gating [ Upstream commit 34146c68083f1aef6709196b3dc888c1ceffd357 ] We should not be clearing the HCD_FLAG_HW_ACCESSIBLE bit if the hardware does not support clock gating. Fixes: 50fb0c128b6e ("usb: dwc2: Add clock gating entering flow by system suspend") Acked-by: Minas Harutyunyan Signed-off-by: Dinh Nguyen Link: https://lore.kernel.org/r/20220104135922.734776-1-dinguyen@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5157828d3975768b53a51cdf569203b953184022 Author: Miaoqian Lin Date: Wed Dec 22 11:18:23 2021 +0000 usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe [ Upstream commit b52fe2dbb3e655eb1483000adfab68a219549e13 ] Since the acpi_create_platform_device() function may return error pointers, dwc3_qcom_create_urs_usb_platdev() function may return error pointers too. Using IS_ERR_OR_NULL() to check the return value to fix this. Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20211222111823.22887-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit db7d1a2e0609d473335a908df9780ecd65853e1d Author: Wen Gu Date: Thu Jan 6 20:42:08 2022 +0800 net/smc: Reset conn->lgr when link group registration fails [ Upstream commit 36595d8ad46d9e4c41cc7c48c4405b7c3322deac ] SMC connections might fail to be registered in a link group due to unable to find a usable link during its creation. As a result, smc_conn_create() will return a failure and most resources related to the connection won't be applied or initialized, such as conn->abort_work or conn->lnk. If smc_conn_free() is invoked later, it will try to access the uninitialized resources related to the connection, thus causing a warning or crash. This patch tries to fix this by resetting conn->lgr to NULL if an abnormal exit occurs in smc_lgr_register_conn(), thus avoiding the access to uninitialized resources in smc_conn_free(). Meanwhile, the new created link group should be terminated if smc connections can't be registered in it. So smc_lgr_cleanup_early() is modified to take care of link group only and invoked to terminate unusable link group by smc_conn_create(). The call to smc_conn_free() is moved out from smc_lgr_cleanup_early() to smc_conn_abort(). Fixes: 56bc3b2094b4 ("net/smc: assign link to a new connection") Suggested-by: Karsten Graul Signed-off-by: Wen Gu Acked-by: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9186e6ba52af11ba7b5f432aa2321f36e00ad721 Author: Miaoqian Lin Date: Fri Dec 24 08:02:49 2021 +0000 Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in qca_serdev_probe [ Upstream commit 6845667146a28c09b5dfc401c1ad112374087944 ] The function devm_gpiod_get_index() return error pointers on error. Thus devm_gpiod_get_index_optional() could return NULL and error pointers. The same as devm_gpiod_get_optional() function. Using IS_ERR_OR_NULL() check to catch error pointers. Fixes: 77131dfe ("Bluetooth: hci_qca: Replace devm_gpiod_get() with devm_gpiod_get_optional()") Signed-off-by: Miaoqian Lin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit ede559376794a204e86667dd36b1401987e3b084 Author: Jiasheng Jiang Date: Fri Dec 24 10:53:18 2021 +0800 Bluetooth: hci_bcm: Check for error irq [ Upstream commit b38cd3b42fba66cc538edb9cf77e07881f43f8e2 ] For the possible failure of the platform_get_irq(), the returned irq could be error number and will finally cause the failure of the request_irq(). Consider that platform_get_irq() can now in certain cases return -EPROBE_DEFER, and the consequences of letting request_irq() effectively convert that into -EINVAL, even at probe time rather than later on. So it might be better to check just now. Fixes: 0395ffc1ee05 ("Bluetooth: hci_bcm: Add PM for BCM devices") Signed-off-by: Jiasheng Jiang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 3983254b43c24d871acc5e732fee872606d445b9 Author: Jiasheng Jiang Date: Thu Jan 6 18:04:10 2022 +0800 fsl/fman: Check for null pointer after calling devm_ioremap [ Upstream commit d5a73ec96cc57cf67e51b12820fc2354e7ca46f8 ] As the possible failure of the allocation, the devm_ioremap() may return NULL pointer. Take tgec_initialization() as an example. If allocation fails, the params->base_addr will be NULL pointer and will be assigned to tgec->regs in tgec_config(). Then it will cause the dereference of NULL pointer in set_mac_address(), which is called by tgec_init(). Therefore, it should be better to add the sanity check after the calling of the devm_ioremap(). Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver") Signed-off-by: Jiasheng Jiang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c154574b84a5798258aea42a5398ccc13057d548 Author: Jiasheng Jiang Date: Tue Jan 4 23:06:28 2022 +0800 staging: greybus: audio: Check null pointer [ Upstream commit 2e81948177d769106754085c3e03534e6cc1f623 ] As the possible alloc failure of devm_kcalloc(), it could return null pointer. Therefore, 'strings' should be checked and return NULL if alloc fails to prevent the dereference of the NULL pointer. Also, the caller should also deal with the return value of the gb_generate_enum_strings() and return -ENOMEM if returns NULL. Moreover, because the memory allocated with devm_kzalloc() will be freed automatically when the last reference to the device is dropped, the 'gbe' in gbaudio_tplg_create_enum_kctl() and gbaudio_tplg_create_enum_ctl() do not need to free manually. But the 'control' in gbaudio_tplg_create_widget() and gbaudio_tplg_process_kcontrols() has a specially error handle to cleanup. So it should be better to cleanup 'control' when fails. Fixes: e65579e335da ("greybus: audio: topology: Enable enumerated control support") Reviewed-by: Alex Elder Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220104150628.1987906-1-jiasheng@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4a308769df64bfcaea7a398e9c548386f9b6a075 Author: Dan Carpenter Date: Thu Jan 6 14:57:54 2022 +0300 rocker: fix a sleeping in atomic bug [ Upstream commit 43d012123122cc69feacab55b71369f386c19566 ] This code is holding the &ofdpa->flow_tbl_lock spinlock so it is not allowed to sleep. That means we have to pass the OFDPA_OP_FLAG_NOWAIT flag to ofdpa_flow_tbl_del(). Fixes: 936bd486564a ("rocker: use FIB notifications instead of switchdev calls") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5f54a0355802cfcd3e868541417b55c81b05e54e Author: Eric Dumazet Date: Wed Jan 5 03:48:42 2022 -0800 ppp: ensure minimum packet size in ppp_write() [ Upstream commit 44073187990d5629804ce0627525f6ea5cfef171 ] It seems pretty clear ppp layer assumed user space would always be kind to provide enough data in their write() to a ppp device. This patch makes sure user provides at least 2 bytes. It adds PPP_PROTO_LEN macro that could replace in net-next many occurrences of hard-coded 2 value. I replaced only one occurrence to ease backports to stable kernels. The bug manifests in the following report: BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640 ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661 ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513 do_iter_write+0xb0c/0x1500 fs/read_write.c:853 vfs_writev fs/read_write.c:924 [inline] do_writev+0x645/0xe00 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501 do_iter_write+0xb0c/0x1500 fs/read_write.c:853 vfs_writev fs/read_write.c:924 [inline] do_writev+0x645/0xe00 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Cc: Paul Mackerras Cc: linux-ppp@vger.kernel.org Reported-by: syzbot Acked-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ff53c861e97e89a19c1643b3e104d737eb02568d Author: Miroslav Lichvar Date: Wed Jan 5 11:33:26 2022 +0100 net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets [ Upstream commit 007747a984ea5e895b7d8b056b24ebf431e1e71d ] When multiple sockets using the SOF_TIMESTAMPING_BIND_PHC flag received a packet with a hardware timestamp (e.g. multiple PTP instances in different PTP domains using the UDPv4/v6 multicast or L2 transport), the timestamps received on some sockets were corrupted due to repeated conversion of the same timestamp (by the same or different vclocks). Fix ptp_convert_timestamp() to not modify the shared skb timestamp and return the converted timestamp as a ktime_t instead. If the conversion fails, return 0 to not confuse the application with timestamps corresponding to an unexpected PHC. Fixes: d7c088265588 ("net: socket: support hardware timestamp conversion to PHC bound") Signed-off-by: Miroslav Lichvar Cc: Yangbo Lu Cc: Richard Cochran Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 29a0827b749151dae6271410332fb9d0a33923d7 Author: Florian Westphal Date: Wed Jan 5 14:19:54 2022 +0100 netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone [ Upstream commit 23c54263efd7cb605e2f7af72717a2a951999217 ] This is needed in case a new transaction is made that doesn't insert any new elements into an already existing set. Else, after second 'nft -f ruleset.txt', lookups in such a set will fail because ->lookup() encounters raw_cpu_ptr(m->scratch) == NULL. For the initial rule load, insertion of elements takes care of the allocation, but for rule reloads this isn't guaranteed: we might not have additions to the set. Fixes: 3c4287f62044a90e ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: etkaar Signed-off-by: Florian Westphal Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 500193142a20346e7be674a59b674e4c5e8dc1ae Author: Pablo Neira Ayuso Date: Wed Jan 5 16:09:57 2022 +0100 netfilter: nft_payload: do not update layer 4 checksum when mangling fragments [ Upstream commit 4e1860a3863707e8177329c006d10f9e37e097a8 ] IP fragments do not come with the transport header, hence skip bogus layer 4 checksum updates. Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields") Reported-and-tested-by: Steffen Weinreich Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2db60bb564056e87a9985ce866f250b7847efd81 Author: Kuniyuki Iwashima Date: Tue Jan 4 10:31:48 2022 +0900 bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt(). [ Upstream commit 04c350b1ae6bdb12b84009a4d0bf5ab4e621c47b ] The commit 4057765f2dee ("sock: consistent handling of extreme SO_SNDBUF/SO_RCVBUF values") added a change to prevent underflow in setsockopt() around SO_SNDBUF/SO_RCVBUF. This patch adds the same change to _bpf_setsockopt(). Fixes: 4057765f2dee ("sock: consistent handling of extreme SO_SNDBUF/SO_RCVBUF values") Signed-off-by: Kuniyuki Iwashima Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220104013153.97906-2-kuniyu@amazon.co.jp Signed-off-by: Sasha Levin commit 2fbd466952728c088cb1b430256afa8d5c58615b Author: Kris Van Hees Date: Wed Jan 5 16:01:50 2022 -0500 bpf: Fix verifier support for validation of async callbacks [ Upstream commit a5bebc4f00dee47113eed48098c68e88b5ba70e8 ] Commit bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.") added support for BPF_FUNC_timer_set_callback to the __check_func_call() function. The test in __check_func_call() is flaweed because it can mis-interpret a regular BPF-to-BPF pseudo-call as a BPF_FUNC_timer_set_callback callback call. Consider the conditional in the code: if (insn->code == (BPF_JMP | BPF_CALL) && insn->imm == BPF_FUNC_timer_set_callback) { The BPF_FUNC_timer_set_callback has value 170. This means that if you have a BPF program that contains a pseudo-call with an instruction delta of 170, this conditional will be found to be true by the verifier, and it will interpret the pseudo-call as a callback. This leads to a mess with the verification of the program because it makes the wrong assumptions about the nature of this call. Solution: include an explicit check to ensure that insn->src_reg == 0. This ensures that calls cannot be mis-interpreted as an async callback call. Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.") Signed-off-by: Kris Van Hees Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220105210150.GH1559@oracle.com Signed-off-by: Sasha Levin commit a65df848dbe083bfe1c01200b6b5038083824872 Author: Daniel Borkmann Date: Wed Jan 5 11:35:13 2022 -0800 bpf: Don't promote bogus looking registers after null check. [ Upstream commit e60b0d12a95dcf16a63225cead4541567f5cb517 ] If we ever get to a point again where we convert a bogus looking _or_null typed register containing a non-zero fixed or variable offset, then lets not reset these bounds to zero since they are not and also don't promote the register to a type, but instead leave it as _or_null. Converting to a unknown register could be an avenue as well, but then if we run into this case it would allow to leak a kernel pointer this way. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 073f7fb020b52832ab5a05d48fe1c9f73345652b Author: John Fastabend Date: Tue Jan 4 13:46:45 2022 -0800 bpf, sockmap: Fix double bpf_prog_put on error case in map_link [ Upstream commit 218d747a4142f281a256687bb513a135c905867b ] sock_map_link() is called to update a sockmap entry with a sk. But, if the sock_map_init_proto() call fails then we return an error to the map_update op against the sockmap. In the error path though we need to cleanup psock and dec the refcnt on any programs associated with the map, because we refcnt them early in the update process to ensure they are pinned for the psock. (This avoids a race where user deletes programs while also updating the map with new socks.) In current code we do the prog refcnt dec explicitely by calling bpf_prog_put() when the program was found in the map. But, after commit '38207a5e81230' in this error path we've already done the prog to psock assignment so the programs have a reference from the psock as well. This then causes the psock tear down logic, invoked by sk_psock_put() in the error path, to similarly call bpf_prog_put on the programs there. To be explicit this logic does the prog->psock assignment: if (msg_*) psock_set_prog(...) Then the error path under the out_progs label does a similar check and dec with: if (msg_*) bpf_prog_put(...) And the teardown logic sk_psock_put() does ... psock_set_prog(msg_*, NULL) ... triggering another bpf_prog_put(...). Then KASAN gives us this splat, found by syzbot because we've created an inbalance between bpf_prog_inc and bpf_prog_put calling put twice on the program. BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] kernel/bpf/syscall.c:1829 BUG: KASAN: vmalloc-out-of-bounds in bpf_prog_put+0x8c/0x4f0 kernel/bpf/syscall.c:1829 kernel/bpf/syscall.c:1829 Read of size 8 at addr ffffc90000e76038 by task syz-executor020/3641 To fix clean up error path so it doesn't try to do the bpf_prog_put in the error path once progs are assigned then it relies on the normal psock tear down logic to do complete cleanup. For completness we also cover the case whereh sk_psock_init_strp() fails, but this is not expected because it indicates an incorrect socket type and should be caught earlier. Fixes: 38207a5e8123 ("bpf, sockmap: Attach map progs to psock early for feature probes") Reported-by: syzbot+bb73e71cf4b8fd376a4f@syzkaller.appspotmail.com Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220104214645.290900-1-john.fastabend@gmail.com Signed-off-by: Sasha Levin commit f26349213d975300dbfb0104cc03f7a760ccf2de Author: John Fastabend Date: Tue Jan 4 12:59:18 2022 -0800 bpf, sockmap: Fix return codes from tcp_bpf_recvmsg_parser() [ Upstream commit 5b2c5540b8110eea0d67a78fb0ddb9654c58daeb ] Applications can be confused slightly because we do not always return the same error code as expected, e.g. what the TCP stack normally returns. For example on a sock err sk->sk_err instead of returning the sock_error we return EAGAIN. This usually means the application will 'try again' instead of aborting immediately. Another example, when a shutdown event is received we should immediately abort instead of waiting for data when the user provides a timeout. These tend to not be fatal, applications usually recover, but introduces bogus errors to the user or introduces unexpected latency. Before 'c5d2177a72a16' we fell back to the TCP stack when no data was available so we managed to catch many of the cases here, although with the extra latency cost of calling tcp_msg_wait_data() first. To fix lets duplicate the error handling in TCP stack into tcp_bpf so that we get the same error codes. These were found in our CI tests that run applications against sockmap and do longer lived testing, at least compared to test_sockmap that does short-lived ping/pong tests, and in some of our test clusters we deploy. Its non-trivial to do these in a shorter form CI tests that would be appropriate for BPF selftests, but we are looking into it so we can ensure this keeps working going forward. As a preview one idea is to pull in the packetdrill testing which catches some of this. Fixes: c5d2177a72a16 ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220104205918.286416-1-john.fastabend@gmail.com Signed-off-by: Sasha Levin commit a1c2d9a513e560864575325b5a316db64ac100fb Author: Xin Xiong Date: Thu Dec 23 10:48:12 2021 +0800 netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check() [ Upstream commit d94a69cb2cfa77294921aae9afcfb866e723a2da ] The issue takes place in one error path of clusterip_tg_check(). When memcmp() returns nonzero, the function simply returns the error code, forgetting to decrease the reference count of a clusterip_config object, which is bumped earlier by clusterip_config_find_get(). This may incur reference count leak. Fix this issue by decrementing the refcount of the object in specific error path. Fixes: 06aa151ad1fc74 ("netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set") Signed-off-by: Xin Xiong Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 21bdddc9648b9b44868e496103adfa16d55aaf69 Author: Vladimir Oltean Date: Wed Jan 5 15:18:11 2022 +0200 net: dsa: fix incorrect function pointer check for MRP ring roles [ Upstream commit ff91e1b68490b97c18c649b769618815eb945f11 ] The cross-chip notifier boilerplate code meant to check the presence of ds->ops->port_mrp_add_ring_role before calling it, but checked ds->ops->port_mrp_add instead, before calling ds->ops->port_mrp_add_ring_role. Therefore, a driver which implements one operation but not the other would trigger a NULL pointer dereference. There isn't any such driver in DSA yet, so there is no reason to backport the change. Issue found through code inspection. Cc: Horatiu Vultur Fixes: c595c4330da0 ("net: dsa: add MRP support") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6dab20da69f9b92ebbdd8beed45002ecb3c83cda Author: Daniel Golle Date: Tue Jan 4 12:06:22 2022 +0000 net: ethernet: mtk_eth_soc: fix return values and refactor MDIO ops [ Upstream commit eda80b249df7bbc7b3dd13907343a3e59bfc57fd ] Instead of returning -1 (-EPERM) when MDIO bus is stuck busy while writing or 0xffff if it happens while reading, return the appropriate -ETIMEDOUT. Also fix return type to int instead of u32. Refactor functions to use bitfield helpers instead of having various masking and shifting constants in the code, which also results in the register definitions in the header file being more obviously related to what is stated in the MediaTek's Reference Manual. Fixes: 656e705243fd0 ("net-next: mediatek: add support for MT7623 ethernet") Signed-off-by: Daniel Golle Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 10f849d3e563f0b443cdc38ff9e4000ec12ca432 Author: Raed Salem Date: Mon Jan 3 13:19:29 2022 +0200 net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path [ Upstream commit 45a98ef4922def8c679ca7c454403d1957fe70e7 ] The inner_ipproto saves the inner IP protocol of the plain text packet. This allows vendor's IPsec feature making offload decision at skb's features_check and configuring hardware at ndo_start_xmit, current code implenetation did not handle the case where IPsec is used in tunnel mode. Fix by handling the case when IPsec is used in tunnel mode by reading the protocol of the plain text packet IP protocol. Fixes: fa4535238fb5 ("net/xfrm: Add inner_ipproto into sec_path") Signed-off-by: Raed Salem Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 4849eca4fc6fc35fdf3e667110fd8156fe77f90a Author: Jiasheng Jiang Date: Mon Dec 20 16:38:11 2021 +0800 power: reset: mt6397: Check for null res pointer [ Upstream commit 1c1348bf056dee665760a3bd1cd30b0be7554fc2 ] The return value of platform_get_resource() needs to be checked. To avoid use of error pointer in case that there is no suitable resource. Fixes: d28c74c10751 ("power: reset: add driver for mt6323 poweroff") Signed-off-by: Jiasheng Jiang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit a3b31433147bc793d2adccccecde804ec8e17a57 Author: Zhou Qingyang Date: Wed Dec 1 02:11:40 2021 +0800 pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() [ Upstream commit 977d2e7c63c3d04d07ba340b39987742e3241554 ] In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, and our static analyzer no longer warns about this code. Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") Signed-off-by: Zhou Qingyang Signed-off-by: Dominik Brodowski Signed-off-by: Sasha Levin commit 7756cb45dbfe65af431c555e30e9a030272b4f45 Author: Zhou Qingyang Date: Wed Dec 1 00:59:23 2021 +0800 pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() [ Upstream commit ca0fe0d7c35c97528bdf621fdca75f13157c27af ] In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, and our static analyzer no longer warns about this code. Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") Signed-off-by: Zhou Qingyang [linux@dominikbrodowski.net: Fix typo in commit message] Signed-off-by: Dominik Brodowski Signed-off-by: Sasha Levin commit 5d2fd6fff8e49e4f5542b5f38fde308268927d9f Author: Hans de Goede Date: Thu Dec 30 12:57:47 2021 +0100 ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes [ Upstream commit f85196bdd5a50da74670250564740fc852b3c239 ] BCM4752 and LNV4752 ACPI nodes describe a Broadcom 4752 GPS module attached to an UART of the system. The GPS modules talk a custom protocol which only works with a closed- source Android gpsd daemon which knows this protocol. The ACPI nodes also describe GPIOs to turn the GPS on/off these are handled by the net/rfkill/rfkill-gpio.c code. This handling predates the addition of enumeration of ACPI instantiated serdevs to the kernel and was broken by that addition, because the ACPI scan code now no longer instantiates platform_device-s for these nodes. Rename the i2c_multi_instantiate_ids HID list to ignore_serial_bus_ids and add the BCM4752 and LNV4752 HIDs, so that rfkill-gpio gets a platform_device to bind to again; and so that a tty cdev for gpsd gets created for these. Fixes: e361d1f85855 ("ACPI / scan: Fix enumeration for special UART devices") Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0a9b1fb2a7784aa469c36db2483c7adbe154ac93 Author: Lad Prabhakar Date: Fri Dec 24 14:29:09 2021 +0000 serial: 8250_bcm7271: Propagate error codes from brcmuart_probe() [ Upstream commit c195438f1e84de8fa46b4f5264d12379bee6e9a1 ] In case of failures brcmuart_probe() always returned -ENODEV, this isn't correct for example platform_get_irq_byname() may return -EPROBE_DEFER to handle such cases propagate error codes in brcmuart_probe() in case of failures. Fixes: 41a469482de25 ("serial: 8250: Add new 8250-core based Broadcom STB driver") Acked-by: Florian Fainelli Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20211224142917.6966-4-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit deb0c71e0b26031c962278313d33a4867b9a1e19 Author: Pavel Begunkov Date: Wed Dec 15 22:08:44 2021 +0000 io_uring: remove double poll on poll update [ Upstream commit e840b4baf3cfb37e2ead4f649a45bb78178677ff ] Before updating a poll request we should remove it from poll queues, including the double poll entry. Fixes: b69de288e913 ("io_uring: allow events and user_data update of running poll requests") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/ac39e7f80152613603b8a6cc29a2b6063ac2434f.1639605189.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8d3d1c365a8925d25d586170e3efb54d4b2fa373 Author: Zhang Zixun Date: Mon Dec 27 22:02:49 2021 +0100 x86/mce/inject: Avoid out-of-bounds write when setting flags [ Upstream commit de768416b203ac84e02a757b782a32efb388476f ] A contrived zero-length write, for example, by using write(2): ... ret = write(fd, str, 0); ... to the "flags" file causes: BUG: KASAN: stack-out-of-bounds in flags_write Write of size 1 at addr ffff888019be7ddf by task writefile/3787 CPU: 4 PID: 3787 Comm: writefile Not tainted 5.16.0-rc7+ #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 due to accessing buf one char before its start. Prevent such out-of-bounds access. [ bp: Productize into a proper patch. Link below is the next best thing because the original mail didn't get archived on lore. ] Fixes: 0451d14d0561 ("EDAC, mce_amd_inj: Modify flags attribute to use string arguments") Signed-off-by: Zhang Zixun Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/linux-edac/YcnePfF1OOqoQwrX@zn.tnic/ Signed-off-by: Sasha Levin commit 4f1096828ececd4f9fd508eaf0aded64af994f4c Author: Arseny Demidov Date: Sun Dec 19 13:22:39 2021 +0300 hwmon: (mr75203) fix wrong power-up delay value [ Upstream commit a8d6d4992ad9d92356619ac372906bd29687bb46 ] In the file mr75203.c we have a macro named POWER_DELAY_CYCLE_256, the correct value should be 0x100. The register ip_tmr is expressed in units of IP clk cycles, in accordance with the datasheet. Typical power-up delays for Temperature Sensor are 256 cycles i.e. 0x100. Fixes: 9d823351a337 ("hwmon: Add hardware monitoring driver for Moortec MR75203 PVT controller") Signed-off-by: Arseny Demidov Link: https://lore.kernel.org/r/20211219102239.1112-1-a.demidov@yadro.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit a96546df99ea0851b6839c35ac129c535f0b2d97 Author: Marijn Suijten Date: Fri Dec 24 12:34:50 2021 +0100 regulator: qcom-labibb: OCP interrupts are not a failure while disabled [ Upstream commit d27bb69dc83f00f86a830298c967052cded6e784 ] Receiving the Over-Current Protection interrupt while the regulator is disabled does not count as unhandled/failure (IRQ_NONE, or 0 as it were) but a "fake event", usually due to inrush as the is regulator about to be enabled. Fixes: 390af53e0411 ("regulator: qcom-labibb: Implement short-circuit and over-current IRQs") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20211224113450.107958-1-marijn.suijten@somainline.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 78cafdf7d219bd10b365fc1a6a9da67daf0a1d62 Author: Dan Carpenter Date: Fri Dec 17 10:13:32 2021 +0300 crypto: octeontx2 - prevent underflow in get_cores_bmap() [ Upstream commit 10371b6212bb682f13247733d6b76b91b2b80f9a ] If we're going to cap "eng_grp->g->engs_num" upper bounds then we should cap the lower bounds as well. Fixes: 43ac0b824f1c ("crypto: octeontx2 - load microcode and create engine groups") Signed-off-by: Dan Carpenter Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 910e5e8ac5de270d9f1bebe095ec262ce387cc0a Author: Nathan Chancellor Date: Wed Dec 22 09:30:41 2021 -0700 x86/boot/compressed: Move CLANG_FLAGS to beginning of KBUILD_CFLAGS [ Upstream commit 5fe392ff9d1f7254a1fbb3f72d9893088e4d23eb ] When cross compiling i386_defconfig on an arm64 host with clang, there are a few instances of '-Waddress-of-packed-member' and '-Wgnu-variable-sized-type-not-at-end' in arch/x86/boot/compressed/, which should both be disabled with the cc-disable-warning calls in that directory's Makefile, which indicates that cc-disable-warning is failing at the point of testing these flags. The cc-disable-warning calls fail because at the point that the flags are tested, KBUILD_CFLAGS has '-march=i386' without $(CLANG_FLAGS), which has the '--target=' flag to tell clang what architecture it is targeting. Without the '--target=' flag, the host architecture (arm64) is used and i386 is not a valid value for '-march=' in that case. This error can be seen by adding some logging to try-run: clang-14: error: the clang compiler does not support '-march=i386' Invoking the compiler has to succeed prior to calling cc-option or cc-disable-warning in order to accurately test whether or not the flag is supported; if it doesn't, the requested flag can never be added to the compiler flags. Move $(CLANG_FLAGS) to the beginning of KBUILD_FLAGS so that any new flags that might be added in the future can be accurately tested. Fixes: d5cbd80e302d ("x86/boot: Add $(CLANG_FLAGS) to compressed KBUILD_CFLAGS") Signed-off-by: Nathan Chancellor Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20211222163040.1961481-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 5639dcfc688943abe1c7d13d685e670e9a0056b4 Author: Panicker Harish Date: Wed Dec 22 12:59:05 2021 +0530 Bluetooth: hci_qca: Stop IBS timer during BT OFF [ Upstream commit df1e5c51492fd93ffc293acdcc6f00698d19fedc ] The IBS timers are not stopped properly once BT OFF is triggered. we could see IBS commands being sent along with version command, so stopped IBS timers while Bluetooth is off. Fixes: 3e4be65eb82c ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990") Signed-off-by: Panicker Harish Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 03dae5e3362e20fc726c730e270d1ab75ffd7083 Author: Clément Léger Date: Mon Dec 20 22:05:33 2021 +0100 software node: fix wrong node passed to find nargs_prop [ Upstream commit c5fc5ba8b6b7bebc05e45036a33405b4c5036c2f ] nargs_prop refers to a property located in the reference that is found within the nargs property. Use the correct reference node in call to property_entry_read_int_array() to retrieve the correct nargs value. Fixes: b06184acf751 ("software node: Add software_node_get_reference_args()") Signed-off-by: Clément Léger Reviewed-by: Sakari Ailus Reviewed-by: Daniel Scally Acked-by: Heikki Krogerus Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 7a4e6e087813c0245ce49ba9178034c1431a1fc3 Author: Marijn Suijten Date: Mon Nov 15 21:34:59 2021 +0100 backlight: qcom-wled: Respect enabled-strings in set_brightness [ Upstream commit ec961cf3241153e0f27d850f1bf0f172e7d27a21 ] The hardware is capable of controlling any non-contiguous sequence of LEDs specified in the DT using qcom,enabled-strings as u32 array, and this also follows from the DT-bindings documentation. The numbers specified in this array represent indices of the LED strings that are to be enabled and disabled. Its value is appropriately used to setup and enable string modules, but completely disregarded in the set_brightness paths which only iterate over the number of strings linearly. Take an example where only string 2 is enabled with qcom,enabled_strings=<2>: this string is appropriately enabled but subsequent brightness changes would have only touched the zero'th brightness register because num_strings is 1 here. This is simply addressed by looking up the string for this index in the enabled_strings array just like the other codepaths that iterate over num_strings. Likewise enabled_strings is now also used in the autodetection path for consistent behaviour: when a list of strings is specified in DT only those strings will be probed for autodetection, analogous to how the number of strings that need to be probed is already bound by qcom,num-strings. After all autodetection uses the set_brightness helpers to set an initial value, which could otherwise end up changing brightness on a different set of strings. Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") Fixes: 03b2b5e86986 ("backlight: qcom-wled: Add support for WLED4 peripheral") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-10-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 7abe05ef6648409b4866a7cfd0e481b553fa9b8b Author: Marijn Suijten Date: Mon Nov 15 21:34:53 2021 +0100 backlight: qcom-wled: Use cpu_to_le16 macro to perform conversion [ Upstream commit 0a139358548968b2ff308257b4fbeec7badcc3e1 ] The kernel already provides appropriate primitives to perform endianness conversion which should be used in favour of manual bit-wrangling. Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-4-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 18a8dd081b8161d3421a4ebaea3b3bd9f8631b05 Author: Marijn Suijten Date: Mon Nov 15 21:34:55 2021 +0100 backlight: qcom-wled: Override default length with qcom,enabled-strings [ Upstream commit 2b4b49602f9feca7b7a84eaa33ad9e666c8aa695 ] The length of qcom,enabled-strings as property array is enough to determine the number of strings to be enabled, without needing to set qcom,num-strings to override the default number of strings when less than the default (which is also the maximum) is provided in DT. This also introduces an extra warning when qcom,num-strings is set, denoting that it is not necessary to set both anymore. It is usually more concise to set just qcom,num-length when a zero-based, contiguous range of strings is needed (the majority of the cases), or to only set qcom,enabled-strings when a specific set of indices is desired. Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-6-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 37b61692f27b61d2c3d3ca3e7f444f5e8c6631bf Author: Marijn Suijten Date: Mon Nov 15 21:34:54 2021 +0100 backlight: qcom-wled: Fix off-by-one maximum with default num_strings [ Upstream commit 5ada78b26f935f8751852dffa24f6b545b1d2517 ] When not specifying num-strings in the DT the default is used, but +1 is added to it which turns WLED3 into 4 and WLED4/5 into 5 strings instead of 3 and 4 respectively, causing out-of-bounds reads and register read/writes. This +1 exists for a deficiency in the DT parsing code, and is simply omitted entirely - solving this oob issue - by parsing the property separately much like qcom,enabled-strings. This also enables more stringent checks on the maximum value when qcom,enabled-strings is provided in the DT, by parsing num-strings after enabled-strings to allow it to check against (and in a subsequent patch override) the length of enabled-strings: it is invalid to set num-strings higher than that. The DT currently utilizes it to get around an incorrect fixed read of four elements from that array (has been addressed in a prior patch) by setting a lower num-strings where desired. Fixes: 93c64f1ea1e8 ("leds: add Qualcomm PM8941 WLED driver") Signed-off-by: Marijn Suijten Reviewed-By: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-5-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 219c7d18be5a818a830521aef397b8ad1846daaf Author: Marijn Suijten Date: Mon Nov 15 21:34:52 2021 +0100 backlight: qcom-wled: Pass number of elements to read to read_u32_array [ Upstream commit e29e24bdabfeddbf8b1a4ecac1af439a85150438 ] of_property_read_u32_array takes the number of elements to read as last argument. This does not always need to be 4 (sizeof(u32)) but should instead be the size of the array in DT as read just above with of_property_count_elems_of_size. To not make such an error go unnoticed again the driver now bails accordingly when of_property_read_u32_array returns an error. Surprisingly the indentation of newlined arguments is lining up again after prepending `rc = `. Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-3-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit f2bc76de284705432ea4b323cde3dada4892ed56 Author: Marijn Suijten Date: Mon Nov 15 21:34:51 2021 +0100 backlight: qcom-wled: Validate enabled string indices in DT [ Upstream commit c05b21ebc5bce3ecc78c2c71afd76d92c790a2ac ] The strings passed in DT may possibly cause out-of-bounds register accesses and should be validated before use. Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20211115203459.1634079-2-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 77c5e99644af10d94c6ce32d580d72b81267c933 Author: Paul Chaignon Date: Mon Dec 20 22:45:28 2021 +0100 bpftool: Enable line buffering for stdout [ Upstream commit 1a1a0b0364ad291bd8e509da104ac8b5b1afec5d ] The output of bpftool prog tracelog is currently buffered, which is inconvenient when piping the output into other commands. A simple tracelog | grep will typically not display anything. This patch fixes it by enabling line buffering on stdout for the whole bpftool binary. Fixes: 30da46b5dc3a ("tools: bpftool: add a command to dump the trace pipe") Signed-off-by: Quentin Monnet Signed-off-by: Paul Chaignon Signed-off-by: Andrii Nakryiko Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20211220214528.GA11706@Mem Signed-off-by: Sasha Levin commit 79d6a406df007a7dcd2fba828e7b28c9d880c34a Author: Luiz Augusto von Dentz Date: Wed Dec 8 15:35:48 2021 -0800 Bluetooth: L2CAP: Fix using wrong mode [ Upstream commit 30d57722732d9736554f85f75f9d7ad5402d192e ] If user has a set to use SOCK_STREAM the socket would default to L2CAP_MODE_ERTM which later needs to be adjusted if the destination address is LE which doesn't support such mode. Fixes: 15f02b9105625 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit a3641f64a9d9ac2fb5e17b9ebd265e9bb8c0548d Author: Johannes Berg Date: Thu Sep 16 13:09:22 2021 +0200 um: virtio_uml: Fix time-travel external time propagation [ Upstream commit 85e73968a040c642fd38f6cba5b73b61f5d0f052 ] When creating an external event, the current time needs to be propagated to other participants of a simulation. This is done in the places here where we kick a virtq etc. However, it must be done for _all_ external events, and that includes making the initial socket connection and later closing it. Call time_travel_propagate_time() to do this before making or closing the socket connection. Apparently, at least for the initial connection creation, due to the remote side in my use cases using microseconds (rather than nanoseconds), this wasn't a problem yet; only started failing between 5.14-rc1 and 5.15-rc1 (didn't test others much), or possibly depending on the configuration, where more delays happen before the virtio devices are initialized. Fixes: 88ce64249233 ("um: Implement time-travel=ext") Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 4e71908ba7cb581342205a9d3b4a8b56109e3ae8 Author: Johannes Berg Date: Wed Sep 15 20:30:22 2021 +0200 lib/logic_iomem: Fix operation on 32-bit [ Upstream commit 4e8a5edac5010820e7c5303fc96f5a262e096bb6 ] On 32-bit, the first entry might be at 0/NULL, but that's strange and leads to issues, e.g. where we check "if (ret)". Use a IOREMAP_BIAS/IOREMAP_MASK of 0x80000000UL to avoid this. This then requires reducing the number of areas (via MAX_AREAS), but we still have 128 areas, which is enough. Fixes: ca2e334232b6 ("lib: add iomem emulation (logic_iomem)") Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 6c72a5bc4df4565164569d4833efc6f19c44dcbc Author: Johannes Berg Date: Wed Sep 15 20:30:21 2021 +0200 lib/logic_iomem: Fix 32-bit build [ Upstream commit 4e84139e14af5ea60772cc4f33d7059aec76e0eb ] On a 32-bit build, the (unsigned long long) casts throw warnings (or errors) due to being to a different integer size. Cast to uintptr_t first (with the __force for sparse) and then further to get the consistent print on 32 and 64-bit. Fixes: ca2e334232b6 ("lib: add iomem emulation (logic_iomem)") Reported-by: Al Viro Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit b53c2307b18c4fdcbb46b340c5a13aae49b2b369 Author: Johannes Berg Date: Wed Sep 15 20:30:20 2021 +0200 um: virt-pci: Fix 32-bit compile [ Upstream commit d73820df6437b5d0a57be53faf39db46a0264b3a ] There were a few 32-bit compile warnings that of course turned into errors with -Werror, fix the 32-bit build. Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") Reported-by: Al Viro Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit c3d5f267696d01ed529416706d1cbffb6e49784b Author: Johannes Berg Date: Tue Aug 31 09:11:15 2021 +0200 um: rename set_signals() to um_set_signals() [ Upstream commit bbe33504d4a7fdab9011211e55e262c869b3f6cc ] Rename set_signals() as there's at least one driver that uses the same name and can now be built on UM due to PCI support, and thus we can get symbol conflicts. Also rename set_signals_trace() to be consistent. Reported-by: kernel test robot Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 2a2f4f3aeafd684d1f8d790ef1ccb663ec8eb844 Author: Johannes Berg Date: Tue Aug 31 09:27:53 2021 +0200 um: fix ndelay/udelay defines [ Upstream commit 5f8539e2ff962e25b57742ca7106456403abbc94 ] Many places in the kernel use 'udelay' as an identifier, and are broken with the current "#define udelay um_udelay". Fix this by adding an argument to the macro, and do the same to 'ndelay' as well, just in case. Fixes: 0bc8fb4dda2b ("um: Implement ndelay/udelay in time-travel mode") Reported-by: kernel test robot Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 3a45c47034918d5496e37eb3e2ffae9a1f30b7af Author: Bernard Zhao Date: Fri Dec 10 04:03:58 2021 -0800 selinux: fix potential memleak in selinux_add_opt() [ Upstream commit 2e08df3c7c4e4e74e3dd5104c100f0bf6288aaa8 ] This patch try to fix potential memleak in error branch. Fixes: ba6418623385 ("selinux: new helper - selinux_add_opt()") Signed-off-by: Bernard Zhao [PM: tweak the subject line, add Fixes tag] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 7be5c25e31556f44bf7c4a2079184dcc93768c5d Author: Christoph Hellwig Date: Tue Dec 21 17:18:51 2021 +0100 block: fix error unwinding in device_add_disk [ Upstream commit 99d8690aae4b2f0d1d90075de355ac087f820a66 ] One device_add is called disk->ev will be freed by disk_release, so we should free it twice. Fix this by allocating disk->ev after device_add so that the extra local unwinding can be removed entirely. Based on an earlier patch from Tetsuo Handa. Reported-by: syzbot Tested-by: syzbot Fixes: 83cbce9574462c6b ("block: add error handling for device_add_disk / add_disk") Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20211221161851.788424-1-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6c1d0447bf0d24e92def34cb429e967bd6fed131 Author: Sergey Shtylyov Date: Fri Dec 17 23:27:17 2021 +0300 mmc: meson-mx-sdio: add IRQ check [ Upstream commit 8fc9a77bc64e1f23d07953439817d8402ac9706f ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_threaded_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_threaded_irq() with the invalid IRQ #s. Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoC") Signed-off-by: Sergey Shtylyov Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20211217202717.10041-3-s.shtylyov@omp.ru Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 0d840e7e2e6c61b9d103b53ba0da9d1fb94dcbdb Author: Sergey Shtylyov Date: Fri Dec 17 23:27:16 2021 +0300 mmc: meson-mx-sdhc: add IRQ check [ Upstream commit 77bed755e0f06135faccdd3948863703f9a6e640 ] The driver neglects to check the result of platform_get_irq()'s call and blithely passes the negative error codes to devm_request_threaded_irq() (which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original error code. Stop calling devm_request_threaded_irq() with the invalid IRQ #s. Fixes: e4bf1b0970ef ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host") Signed-off-by: Sergey Shtylyov Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20211217202717.10041-2-s.shtylyov@omp.ru Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 525c2a0763eee7a211dfbd909c784f15670347de Author: Avraham Stern Date: Sun Dec 19 13:28:26 2021 +0200 iwlwifi: mvm: set protected flag only for NDP ranging [ Upstream commit 6bb2ea37c02db98cb677f978cfcb833ca608c5eb ] Don't use protected ranging negotiation for FTM ranging as responders that support only FTM ranging don't expect the FTM request to be protected. Signed-off-by: Avraham Stern Fixes: 517a5eb9fab2 ("iwlwifi: mvm: when associated with PMF, use protected NDP ranging negotiation") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219132536.f50ed0e3c6b3.Ibff247ee9d4e6e0a1a2d08a3c8a4bbb37e6829dd@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 39cb224bf6511628997c231b08dd47c67e369e36 Author: Avraham Stern Date: Sun Dec 19 12:18:20 2021 +0200 iwlwifi: mvm: perform 6GHz passive scan after suspend [ Upstream commit f4745cbb17572209a7fa27a6796ed70e7ada860b ] The 6GHz passive scan is performed only once every 50 minutes. However, in case of suspend/resume, the regulatory information is reset, so 6GHz channels may become disabled. Fix it by performing a 6GHz passive scan within 60 seconds after suspend/resume even if the 50 minutes timeout did not expire yet. Signed-off-by: Avraham Stern Fixes: e8fe3b41c3a3 ("iwlwifi: mvm: Add support for 6GHz passive scan") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219121514.6d5c043372cf.I251dd5618a3f0b8febbcca788eb861f1cd6039bc@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit e895cfb085c64642a083cda439be46503ab9425a Author: Nathan Errera Date: Sun Dec 19 12:18:15 2021 +0200 iwlwifi: mvm: test roc running status bits before removing the sta [ Upstream commit 998e1aba6e5eb35370eaf30ccc1823426ec11f90 ] In some cases the sta is being removed twice since we do not test the roc aux running before removing it. Start looking at the bit before removing the sta. Signed-off-by: Nathan Errera Fixes: 2c2c3647cde4 ("iwlwifi: mvm: support ADD_STA_CMD_API_S ver 12") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219121514.d5376ac6bcb0.Ic5f8470ea60c072bde9d1503e5f528b65e301e20@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 48338cf56eaa8cb5bd457d62ea239bccf6bdfc3c Author: Johannes Berg Date: Sun Dec 19 11:14:18 2021 +0200 iwlwifi: mvm: fix 32-bit build in FTM [ Upstream commit 8b0f92549f2c2458200935c12a2e2a6e80234cf5 ] On a 32-bit build, the division here needs to be done using do_div(), otherwise the compiler will try to call a function that doesn't exist, thus failing to build. Fixes: b68bd2e3143a ("iwlwifi: mvm: Add FTM initiator RTT smoothing logic") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211219111352.e56cbf614a4d.Ib98004ccd2c7a55fd883a8ea7eebd810f406dec6@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 617339466fda09916c4b4151fa5e6a9c1fdae353 Author: Kai-Heng Feng Date: Wed Dec 15 19:46:34 2021 +0800 rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE [ Upstream commit 24f5e38a13b5ae2b6105cda8bb47c19108e62a9a ] Many Intel based platforms face system random freeze after commit 9e2fd29864c5 ("rtw88: add napi support"). The commit itself shouldn't be the culprit. My guess is that the 8821CE only leaves ASPM L1 for a short period when IRQ is raised. Since IRQ is masked during NAPI polling, the PCIe link stays at L1 and makes RX DMA extremely slow. Eventually the RX ring becomes messed up: [ 1133.194697] rtw_8821ce 0000:02:00.0: pci bus timeout, check dma status Since the 8821CE hardware may fail to leave ASPM L1, manually do it in the driver to resolve the issue. Fixes: 9e2fd29864c5 ("rtw88: add napi support") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215131 BugLink: https://bugs.launchpad.net/bugs/1927808 Signed-off-by: Kai-Heng Feng Acked-by: Jian-Hong Pan Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211215114635.333767-1-kai.heng.feng@canonical.com Signed-off-by: Sasha Levin commit 9b6b5f07702fa0970cdd767e85afc671b0d82c7d Author: Ping-Ke Shih Date: Fri Nov 19 13:24:37 2021 +0800 rtw88: add quirk to disable pci caps on HP 250 G7 Notebook PC [ Upstream commit c81edb8dddaa36c4defa26240cc19127f147283f ] 8821CE causes random freezes on HP 250 G7 Notebook PC. Add a quirk to disable pci ASPM capability. Reported-by: rtl8821cerfe2 Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211119052437.8671-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit b14e931c386f7cecc15aed970aee4bc4b326bae4 Author: Dan Carpenter Date: Fri Dec 17 18:03:12 2021 +0300 wilc1000: fix double free error in probe() [ Upstream commit 4894edacfa93d7046bec4fc61fc402ac6a2ac9e8 ] Smatch complains that there is a double free in probe: drivers/net/wireless/microchip/wilc1000/spi.c:186 wilc_bus_probe() error: double free of 'spi_priv' drivers/net/wireless/microchip/wilc1000/sdio.c:163 wilc_sdio_probe() error: double free of 'sdio_priv' The problem is that wilc_netdev_cleanup() function frees "wilc->bus_data". That's confusing and a layering violation. Leave the frees in probe(), delete the free in wilc_netdev_cleanup(), and add some new frees to the remove() functions. Fixes: dc8b338f3bcd ("wilc1000: use goto labels on error path") Signed-off-by: Dan Carpenter Reviewed-by: Claudiu Beznea Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211217150311.GC16611@kili Signed-off-by: Sasha Levin commit 1a25b9c4ce2ab9602cbf9093f9860154d340974b Author: Sean Wang Date: Fri Oct 29 06:29:58 2021 +0800 mt76: mt7921: drop offload_flags overwritten [ Upstream commit 2363b6a646b65a207345b9a9024dff0eff3fec44 ] offload_flags have to be dropped for mt7921 because mt76.omac_idx 0 would always run as station mode that would cause Tx encapsulation setting is not applied to mac80211. Also, drop IEEE80211_OFFLOAD_ENCAP_4ADDR too because it is not really being supported. Fixes: e0f9fdda81bd ("mt76: mt7921: add ieee80211_ops") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit e64a3ea17c19e5bec64e7d24b286422535f10556 Author: Marek Behún Date: Tue Nov 9 17:46:04 2021 +0100 ARM: dts: armada-38x: Add generic compatible to UART nodes [ Upstream commit 62480772263ab6b52e758f2346c70a526abd1d28 ] Add generic compatible string "ns16550a" to serial port nodes of Armada 38x. This makes it possible to use earlycon. Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 4518f459c2c0fc30ba1c4a6c973b345a8524d062 Author: Robert Marko Date: Fri Nov 12 14:44:03 2021 +0100 arm64: dts: marvell: cn9130: enable CP0 GPIO controllers [ Upstream commit 0734f8311ce72c9041e5142769eff2083889c172 ] CN9130 has a built-in CP115 which has 2 GPIO controllers, but unlike in Armada 7k and 8k both are left disabled by the SoC DTSI. This first of all makes no sense as they are always present due to being SoC built-in and its an issue as boards like CN9130-CRB use the CPO GPIO2 pins for regulators and SD card support without enabling them first. So, enable both of them like Armada 7k and 8k do. Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support") Signed-off-by: Robert Marko Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 864ac5f6bfbe7d2870d5b02e2f2c5ad2e1bd9296 Author: Robert Marko Date: Fri Nov 12 14:44:02 2021 +0100 arm64: dts: marvell: cn9130: add GPIO and SPI aliases [ Upstream commit effd42600b987c1e95f946b14fefc1c7639e7439 ] CN9130 has one CP115 built in, which like the CP110 has 2 GPIO and 2 SPI controllers built-in. However, unlike the Armada 7k and 8k the SoC DTSI doesn't add the required aliases as both the Orion SPI driver and MVEBU GPIO drivers require the aliases to be present. So add the required aliases for GPIO and SPI controllers. Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support") Signed-off-by: Robert Marko Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 6d88a6849617c607960e79012fce36afd98c9d1a Author: Wei Yongjun Date: Fri Dec 17 16:34:28 2021 +0800 usb: ftdi-elan: fix memory leak on device disconnect [ Upstream commit 1646566b5e0c556f779180a8514e521ac735de1e ] 'ftdi' is alloced when probe device, but not free on device disconnect, this cause a memory leak as follows: unreferenced object 0xffff88800d584000 (size 8400): comm "kworker/0:2", pid 3809, jiffies 4295453055 (age 13.784s) hex dump (first 32 bytes): 00 40 58 0d 80 88 ff ff 00 40 58 0d 80 88 ff ff .@X......@X..... 00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. backtrace: [<000000000d47f947>] kmalloc_order_trace+0x19/0x110 mm/slab_common.c:960 [<000000008548ac68>] ftdi_elan_probe+0x8c/0x880 drivers/usb/misc/ftdi-elan.c:2647 [<000000007f73e422>] usb_probe_interface+0x31b/0x800 drivers/usb/core/driver.c:396 [<00000000fe8d07fc>] really_probe+0x299/0xc30 drivers/base/dd.c:517 [<0000000005da7d32>] __driver_probe_device+0x357/0x500 drivers/base/dd.c:751 [<000000003c2c9579>] driver_probe_device+0x4e/0x140 drivers/base/dd.c:781 Fix it by freeing 'ftdi' after nobody use it. Fixes: a5c66e4b2418 ("USB: ftdi-elan: client driver for ELAN Uxxx adapters") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Link: https://lore.kernel.org/r/20211217083428.2441-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 826501a17e98816647e294e14139eb05fbcc9ce9 Author: Andre Przywara Date: Mon Nov 22 16:28:43 2021 +0100 ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding [ Upstream commit a92882a4d270fbcc021ee6848de5e48b7f0d27f3 ] In the decompressor's head.S we need to start with an instruction that is some kind of NOP, but also mimics as the PE/COFF header, when the kernel is linked as an UEFI application. The clever solution here is "tstne r0, #0x4d000", which in the worst case just clobbers the condition flags, and bears the magic "MZ" signature in the lowest 16 bits. However the encoding used (0x13105a4d) is actually not valid, since bits [15:12] are supposed to be 0 (written as "(0)" in the ARM ARM). Violating this is UNPREDICTABLE, and *can* trigger an UNDEFINED exception. Common Cortex cores seem to ignore those bits, but QEMU chooses to trap, so the code goes fishing because of a missing exception handler at this point. We are just saved by the fact that commonly (with -kernel or when running from U-Boot) the "Z" bit is set, so the instruction is never executed. See [0] for more details. To make things more robust and avoid UNPREDICTABLE behaviour in the kernel code, lets replace this with a "two-instruction NOP": The first instruction is an exclusive OR, the effect of which the second instruction reverts. This does not leave any trace, neither in a register nor in the condition flags. Also it's a perfectly valid encoding. Kudos to Peter Maydell for coming up with this gem. [0] https://lore.kernel.org/qemu-devel/YTPIdbUCmwagL5%2FD@os.inf.tu-dresden.de/T/ Link: https://lore.kernel.org/linux-arm-kernel/20210908162617.104962-1-andre.przywara@arm.com/T/ Fixes: 81a0bc39ea19 ("ARM: add UEFI stub support") Signed-off-by: Andre Przywara Reported-by: Adam Lackorzynski Suggested-by: Peter Maydell Reviewed-by: Ard Biesheuvel Reviewed-by: Linus Walleij Signed-off-by: Russell King (Oracle) Signed-off-by: Sasha Levin commit 851b00b478325667e79fe0dd33e797c953b1b296 Author: Antony Antony Date: Sun Dec 12 11:35:00 2021 +0100 xfrm: state and policy should fail if XFRMA_IF_ID 0 [ Upstream commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 ] xfrm ineterface does not allow xfrm if_id = 0 fail to create or update xfrm state and policy. With this commit: ip xfrm policy add src 192.0.2.1 dst 192.0.2.2 dir out if_id 0 RTNETLINK answers: Invalid argument ip xfrm state add src 192.0.2.1 dst 192.0.2.2 proto esp spi 1 \ reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' \ 0x1111111111111111111111111111111111111111 96 if_id 0 RTNETLINK answers: Invalid argument v1->v2 change: - add Fixes: tag Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") Signed-off-by: Antony Antony Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit eab7928527b524df787246c104a7a1a2326b0868 Author: Antony Antony Date: Sun Dec 12 11:34:30 2021 +0100 xfrm: interface with if_id 0 should return error [ Upstream commit 8dce43919566f06e865f7e8949f5c10d8c2493f5 ] xfrm interface if_id = 0 would cause xfrm policy lookup errors since Commit 9f8550e4bd9d. Now explicitly fail to create an xfrm interface when if_id = 0 With this commit: ip link add ipsec0 type xfrm dev lo if_id 0 Error: if_id must be non zero. v1->v2 change: - add Fixes: tag Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") Signed-off-by: Antony Antony Reviewed-by: Eyal Birger Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit afd9ebd40bda62abaf58451273552b187b2c948b Author: Jernej Skrabec Date: Mon Nov 29 19:26:25 2021 +0100 media: hantro: Fix probe func error path [ Upstream commit 37af43b250fda6162005d47bf7c959c70d52b107 ] If clocks for some reason couldn't be enabled, probe function returns immediately, without disabling PM. This obviously leaves PM ref counters unbalanced. Fix that by jumping to appropriate error path, so effects of PM functions are reversed. Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") Signed-off-by: Jernej Skrabec Acked-by: Andrzej Pietrasiewicz Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3ca9f14fe2799ec4b45b167c4d2de5dee7439a06 Author: Robin Murphy Date: Fri Dec 10 17:54:44 2021 +0000 drm/tegra: vic: Fix DMA API misuse [ Upstream commit 5566174cb10a5167d59b0793871cab7990b149b8 ] Upon failure, dma_alloc_coherent() returns NULL. If that does happen, passing some uninitialised stack contents to dma_mapping_error() - which belongs to a different API in the first place - has precious little chance of detecting it. Also include the correct header, because the fragile transitive inclusion currently providing it is going to break soon. Fixes: 20e7dce255e9 ("drm/tegra: Remove memory allocation from Falcon library") CC: Thierry Reding CC: Mikko Perttunen CC: dri-devel@lists.freedesktop.org Signed-off-by: Robin Murphy Reviewed-by: Christoph Hellwig Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0dbb2617c7137787595e809aa7f832d9bb641202 Author: Thierry Reding Date: Thu Jul 8 16:37:36 2021 +0200 drm/tegra: gr2d: Explicitly control module reset [ Upstream commit 271fca025a6d43f1c18a48543c5aaf31a31e4694 ] As of commit 4782c0a5dd88 ("clk: tegra: Don't deassert reset on enabling clocks"), module resets are no longer automatically deasserted when the module clock is enabled. To make sure that the gr2d module continues to work, we need to explicitly control the module reset. Fixes: 4782c0a5dd88 ("clk: tegra: Don't deassert reset on enabling clocks") Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3b90135b03f3c160b36dcbfd19929dfb971ba56e Author: Arnd Bergmann Date: Mon Sep 27 11:36:59 2021 +0200 gpu: host1x: select CONFIG_DMA_SHARED_BUFFER [ Upstream commit 6c7a388b62366f0de9936db3c1921d7f4e0011bc ] Linking fails when dma-buf is disabled: ld.lld: error: undefined symbol: dma_fence_release >>> referenced by fence.c >>> gpu/host1x/fence.o:(host1x_syncpt_fence_enable_signaling) in archive drivers/built-in.a >>> referenced by fence.c >>> gpu/host1x/fence.o:(host1x_fence_signal) in archive drivers/built-in.a >>> referenced by fence.c >>> gpu/host1x/fence.o:(do_fence_timeout) in archive drivers/built-in.a Fixes: 687db2207b1b ("gpu: host1x: Add DMA fence implementation") Signed-off-by: Arnd Bergmann Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit c0dc02dcfe6ba9d3ee290c761ede8c099876d9c4 Author: Stephen Boyd Date: Tue Dec 14 16:25:29 2021 -0800 drm/bridge: ti-sn65dsi86: Set max register for regmap [ Upstream commit 0b665d4af35837f0a0ae63135b84a3c187c1db3b ] Set the maximum register to 0xff so we can dump the registers for this device in debugfs. Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") Cc: Rob Clark Cc: Douglas Anderson Cc: Laurent Pinchart Signed-off-by: Stephen Boyd Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20211215002529.382383-1-swboyd@chromium.org Signed-off-by: Sasha Levin commit 602662de5f82a98ec840ee972c9b10317fc573b8 Author: Dmitry Baryshkov Date: Thu Dec 2 01:26:27 2021 +0300 drm/msm/dpu: fix safe status debugfs file [ Upstream commit f31b0e24d31e18b4503eeaf0032baeacc0beaff6 ] Make safe_status debugfs fs file actually return safe status rather than danger status data. Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20211201222633.2476780-3-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit be12d15a817b68ac345a96c368e29ed9292b1b86 Author: Baruch Siach Date: Tue Dec 7 09:27:10 2021 +0200 arm64: dts: qcom: ipq6018: Fix gpio-ranges property [ Upstream commit 72cb4c48a46a7cfa58eb5842c0d3672ddd5bd9ad ] There must be three parameters in gpio-ranges property. Fixes this not very helpful error message: OF: /soc/pinctrl@1000000: (null) = 3 found 3 Fixes: 1e8277854b49 ("arm64: dts: Add ipq6018 SoC and CP01 board support") Cc: Sricharan R Signed-off-by: Baruch Siach Tested-by: Bryan O'Donoghue Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/8a744cfd96aff5754bfdcf7298d208ddca5b319a.1638862030.git.baruch@tkos.co.il Signed-off-by: Sasha Levin commit 0c7ec53598a3496060cade7b1b002a7be4b0e182 Author: Srinivas Kandagatla Date: Thu Dec 9 17:53:41 2021 +0000 arm64: dts: qcom: c630: Fix soundcard setup [ Upstream commit c02b360ca67ebeb9de07b47b2fe53f964c2561d1 ] Currently Soundcard has 1 rx device for headset and SoundWire Speaker Playback. This setup has issues, ex if we try to play on headset the audio stream is also sent to SoundWire Speakers and we will hear sound in both headsets and speakers. Make a separate device for Speakers and Headset so that the streams are different and handled properly. Fixes: 45021d35fcb2 ("arm64: dts: qcom: c630: Enable audio support") Signed-off-by: Srinivas Kandagatla Tested-by: Steev Klimaszewski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211209175342.20386-2-srinivas.kandagatla@linaro.org Signed-off-by: Sasha Levin commit c9fadfaf7b448b9873b13c19aaffe0709927e5f1 Author: Kurt Kanzenbach Date: Tue Dec 14 14:45:08 2021 +0100 net: dsa: hellcreek: Add missing PTP via UDP rules [ Upstream commit 6cf01e451599da630ff1af529d61c5e4db4550ab ] The switch supports PTP for UDP transport too. Therefore, add the missing static FDB entries to ensure correct forwarding of these packets. Fixes: ddd56dfe52c9 ("net: dsa: hellcreek: Add PTP clock support") Signed-off-by: Kurt Kanzenbach Acked-by: Richard Cochran Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ae914fe9310e772e07b1396cae97c2e31cd603f9 Author: Kurt Kanzenbach Date: Tue Dec 14 14:45:07 2021 +0100 net: dsa: hellcreek: Allow PTP P2P measurements on blocked ports [ Upstream commit cad1798d2d0811ded37d1e946c6796102e58013b ] Allow PTP peer delay measurements on blocked ports by STP. In case of topology changes the PTP stack can d