commit 7c2f5f390342492444ca73457ee473859027a975 Author: Alexandre Frade Date: Fri Sep 6 11:23:01 2019 -0300 5.2.13-xanmod10 Signed-off-by: Alexandre Frade commit 5b3ccc1742669e6327dbd448c299e9600b6ea46c Merge: 335682c74559 218ca2e5affe Author: Alexandre Frade Date: Fri Sep 6 10:55:40 2019 -0300 Merge tag 'v5.2.13' into 5.2 This is the 5.2.13 stable release commit 218ca2e5affedf0f98e371a15aa56574a18109f1 Author: Greg Kroah-Hartman Date: Fri Sep 6 12:42:01 2019 +0200 Linux 5.2.13 commit 4c634717d7783c767480fe567ea82bf179f849ca Author: Benjamin Tissoires Date: Fri Sep 6 10:53:45 2019 +0200 Revert "Input: elantech - enable SMBus on new (2018+) systems" This reverts commit 60956b018bfe23b879405a7d88103d0a8f06a5e3 which is commit 883a2a80f79ca5c0c105605fafabd1f3df99b34c upstream. This patch depends on another series: https://patchwork.kernel.org/project/linux-input/list/?series=122327&state=%2A&archive=both It was a mistake to backport it in the v5.2 branch, as there is a high chance we encounter a touchpad that needs the series above. Link: https://bugzilla.kernel.org/show_bug.cgi?id=204733 Link: https://bugzilla.kernel.org/show_bug.cgi?id=204771 Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 140839fe4e71d4db6a7b342d54cd7165490fd1cc Author: Greg Kroah-Hartman Date: Fri Sep 6 10:23:52 2019 +0200 Linux 5.2.12 commit 5566d1c61b2fd9a8710e19a18e5e77557c3c21fe Author: Greg Kroah-Hartman Date: Thu Sep 5 20:48:46 2019 +0200 Revert "ASoC: Fail card instantiation if DAI format setup fails" This reverts commit ab4f4d331a982f52a964f7f4d1ec452280f122e7 which is commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b upstream. Mark Brown writes: I nacked this patch when Sasha posted it - it only improves diagnostics and might make systems that worked by accident break since it turns things into a hard failure, it won't make anything that didn't work previously work. 
Reported-by: Mark Brown Cc: Ricard Wanderlof Cc: Sasha Levin Link: https://lore.kernel.org/lkml/20190904181027.GG4348@sirena.co.uk Signed-off-by: Greg Kroah-Hartman commit 4d8966020827bb83197f995af58ec7e976113d62 Author: Cong Wang Date: Tue Jul 9 23:24:54 2019 -0700 hsr: switch ->dellink() to ->ndo_uninit() [ Upstream commit 311633b604063a8a5d3fbc74d0565b42df721f68 ] Switching from ->priv_destructor to dellink() has an unexpected consequence: existing RCU readers, that is, hsr_port_get_hsr() callers, may still be able to read the port list. Instead of checking the return value of each hsr_port_get_hsr(), we can just move it to ->ndo_uninit() which is called after device unregister and synchronize_net(), and we still have RTNL lock there. Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources") Fixes: edf070a0fb45 ("hsr: fix a NULL pointer deref in hsr_dev_xmit()") Reported-by: syzbot+097ef84cdc95843fbaa8@syzkaller.appspotmail.com Cc: Arvid Brodin Signed-off-by: Cong Wang Signed-off-by: David S. 
Miller Signed-off-by: Sasha Levin commit 072c9337f3a0685f6319fe42fa075c2e3957cf83 Author: Cong Wang Date: Wed Jul 3 17:21:14 2019 -0700 hsr: fix a NULL pointer deref in hsr_dev_xmit() [ Upstream commit edf070a0fb45ac845f534baf172fbadbeb5048c6 ] hsr_port_get_hsr() could return NULL and kernel could crash: BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8000000074b84067 P4D 8000000074b84067 PUD 7057d067 PMD 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 754 Comm: a.out Not tainted 5.2.0-rc6+ #718 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 RIP: 0010:hsr_dev_xmit+0x20/0x31 Code: 48 8b 1b eb e0 5b 5d 41 5c c3 66 66 66 66 90 55 48 89 fd 48 8d be 40 0b 00 00 be 04 00 00 00 e8 ee f2 ff ff 48 89 ef 48 89 c6 <48> 8b 40 10 48 89 45 10 e8 6c 1b 00 00 31 c0 5d c3 66 66 66 66 90 RSP: 0018:ffffb5b400003c48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff9821b4509a88 RCX: 0000000000000000 RDX: ffff9821b4509a88 RSI: 0000000000000000 RDI: ffff9821bc3fc7c0 RBP: ffff9821bc3fc7c0 R08: 0000000000000000 R09: 00000000000c2019 R10: 0000000000000000 R11: 0000000000000002 R12: ffff9821bc3fc7c0 R13: ffff9821b4509a88 R14: 0000000000000000 R15: 000000000000006e FS: 00007fee112a1800(0000) GS:ffff9821bd800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000006e9ce000 CR4: 00000000000406f0 Call Trace: netdev_start_xmit+0x1b/0x38 dev_hard_start_xmit+0x121/0x21e ? validate_xmit_skb.isra.0+0x19/0x1e3 __dev_queue_xmit+0x74c/0x823 ? lockdep_hardirqs_on+0x12b/0x17d ip6_finish_output2+0x3d3/0x42c ? ip6_mtu+0x55/0x5c ? mld_sendpack+0x191/0x229 mld_sendpack+0x191/0x229 mld_ifc_timer_expire+0x1f7/0x230 ? mld_dad_timer_expire+0x58/0x58 call_timer_fn+0x12e/0x273 __run_timers.part.0+0x174/0x1b5 ? mld_dad_timer_expire+0x58/0x58 ? sched_clock_cpu+0x10/0xad ? mark_lock+0x26/0x1f2 ? 
__lock_is_held+0x40/0x71 run_timer_softirq+0x26/0x48 __do_softirq+0x1af/0x392 irq_exit+0x53/0xa2 smp_apic_timer_interrupt+0x1c4/0x1d9 apic_timer_interrupt+0xf/0x20 Cc: Arvid Brodin Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 08523d5a2f4a9e4202e00d282c164d453cabe2d2 Author: Cong Wang Date: Wed Jul 3 17:21:13 2019 -0700 hsr: implement dellink to clean up resources commit b9a1e627405d68d475a3c1f35e685ccfb5bbe668 upstream. hsr_link_ops implements ->newlink() but not ->dellink(), which leads that resources not released after removing the device, particularly the entries in self_node_db and node_db. So add ->dellink() implementation to replace the priv_destructor. This also makes the code slightly easier to understand. Reported-by: syzbot+c6167ec3de7def23d1e8@syzkaller.appspotmail.com Cc: Arvid Brodin Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a282179be74711a8fceab4f8dcf592959a15bb7f Author: Daniel Borkmann Date: Fri Aug 23 22:14:23 2019 +0200 bpf: fix use after free in prog symbol exposure commit c751798aa224fadc5124b49eeb38fb468c0fa039 upstream. syzkaller managed to trigger the warning in bpf_jit_free() which checks via bpf_prog_kallsyms_verify_off() for potentially unlinked JITed BPF progs in kallsyms, and subsequently trips over GPF when walking kallsyms entries: [...] 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device batadv0 WARNING: CPU: 0 PID: 9869 at kernel/bpf/core.c:810 bpf_jit_free+0x1e8/0x2a0 Kernel panic - not syncing: panic_on_warn set ... 
CPU: 0 PID: 9869 Comm: kworker/0:7 Not tainted 5.0.0-rc8+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events bpf_prog_free_deferred Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 panic+0x212/0x40b kernel/panic.c:214 __warn.cold.8+0x1b/0x38 kernel/panic.c:571 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:bpf_jit_free+0x1e8/0x2a0 Code: 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 00 00 00 48 ba 00 02 00 00 00 00 ad de 0f b6 43 02 49 39 d6 0f 84 5f fe ff ff <0f> 0b e9 58 fe ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 RSP: 0018:ffff888092f67cd8 EFLAGS: 00010202 RAX: 0000000000000007 RBX: ffffc90001947000 RCX: ffffffff816e9d88 RDX: dead000000000200 RSI: 0000000000000008 RDI: ffff88808769f7f0 RBP: ffff888092f67d00 R08: fffffbfff1394059 R09: fffffbfff1394058 R10: fffffbfff1394058 R11: ffffffff89ca02c7 R12: ffffc90001947002 R13: ffffc90001947020 R14: ffffffff881eca80 R15: ffff88808769f7e8 BUG: unable to handle kernel paging request at fffffbfff400d000 #PF error: [normal kernel read fault] PGD 21ffee067 P4D 21ffee067 PUD 21ffed067 PMD 9f942067 PTE 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 9869 Comm: kworker/0:7 Not tainted 5.0.0-rc8+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events bpf_prog_free_deferred RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:495 [inline] RIP: 0010:bpf_tree_comp kernel/bpf/core.c:558 [inline] RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline] RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline] RIP: 0010:bpf_prog_kallsyms_find+0x107/0x2e0 kernel/bpf/core.c:632 Code: 00 f0 ff ff 44 38 c8 7f 08 84 c0 0f 85 fa 00 00 00 41 f6 45 02 01 
75 02 0f 0b 48 39 da 0f 82 92 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 45 01 00 00 8b 03 48 c1 e0 [...] Upon further debugging, it turns out that whenever we trigger this issue, the kallsyms removal in bpf_prog_ksym_node_del() was /skipped/ but yet bpf_jit_free() reported that the entry is /in use/. Problem is that symbol exposure via bpf_prog_kallsyms_add() but also perf_event_bpf_event() were done /after/ bpf_prog_new_fd(). Once the fd is exposed to the public, a parallel close request came in right before we attempted to do the bpf_prog_kallsyms_add(). Given at this time the prog reference count is one, we start to rip everything underneath us via bpf_prog_release() -> bpf_prog_put(). The memory is eventually released via deferred free, so we're seeing that bpf_jit_free() has a kallsym entry because we added it from bpf_prog_load() but /after/ bpf_prog_put() from the remote CPU. Therefore, move both notifications /before/ we install the fd. The issue was never seen between bpf_prog_alloc_id() and bpf_prog_new_fd() because upon bpf_prog_get_fd_by_id() we'll take another reference to the BPF prog, so we're still holding the original reference from the bpf_prog_load(). Fixes: 6ee52e2a3fe4 ("perf, bpf: Introduce PERF_RECORD_BPF_EVENT") Fixes: 74451e66d516 ("bpf: make jited programs visible in traces") Reported-by: syzbot+bd3bba6ff3fcea7a6ec6@syzkaller.appspotmail.com Signed-off-by: Daniel Borkmann Cc: Song Liu Signed-off-by: Greg Kroah-Hartman commit 0d5014b80e5c2dcf720b2b21fab298e04bbf3301 Author: Greg Kroah-Hartman Date: Wed Sep 4 12:27:18 2019 +0200 x86/ptrace: fix up botched merge of spectrev1 fix I incorrectly merged commit 31a2fbb390fe ("x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()") when backporting it, as was graciously pointed out at https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php Resolve the upstream difference with the stable kernel merge to properly protect things. 
Reported-by: Brad Spengler Cc: Dianzhang Chen Cc: Thomas Gleixner Cc: Cc: Signed-off-by: Greg Kroah-Hartman commit 3af8db6a99f64f410210e22ebc2c66b9d4857efe Author: Manasi Navare Date: Wed Aug 21 14:59:50 2019 -0700 drm/i915/dp: Fix DSC enable code to use cpu_transcoder instead of encoder->type [ Upstream commit d4c61c4a16decd8ace8660f22c81609a539fccba ] This patch fixes the intel_configure_pps_for_dsc_encoder() function to use cpu_transcoder instead of encoder->type to select the correct DSC registers; encoder->type was wrongly used in the original patch for one DSC register instance. Fixes: 7182414e2530 ("drm/i915/dp: Configure i915 Picture parameter Set registers during DSC enabling") Cc: Ville Syrjala Cc: Maarten Lankhorst Cc: Jani Nikula Cc: Ville Syrjala Cc: # v5.0+ Signed-off-by: Manasi Navare Reviewed-by: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/20190821215950.24223-1-manasi.d.navare@intel.com Signed-off-by: Sasha Levin commit b6980646c9ab60e87ad4056e0f9c38dfacda1160 Author: Ville Syrjälä Date: Tue Aug 20 19:16:57 2019 +0300 drm/i915: Do not create a new max_bpc prop for MST connectors [ Upstream commit 1b9bd09630d4db4827cc04d358a41a16a6bc2cb0 ] We're not allowed to create new properties after device registration so for MST connectors we need to either create the max_bpc property earlier, or we reuse one we already have. Let's take the latter approach since the corresponding SST connector already has the prop and its min/max are correct also for the MST connector. The problem was highlighted by commit 4f5368b5541a ("drm/kms: Catch mode_object lifetime errors") which results in the following spew: [ 1330.878941] WARNING: CPU: 2 PID: 1554 at drivers/gpu/drm/drm_mode_object.c:45 __drm_mode_object_add+0xa0/0xb0 [drm] ... 
[ 1330.879008] Call Trace: [ 1330.879023] drm_property_create+0xba/0x180 [drm] [ 1330.879036] drm_property_create_range+0x15/0x30 [drm] [ 1330.879048] drm_connector_attach_max_bpc_property+0x62/0x80 [drm] [ 1330.879086] intel_dp_add_mst_connector+0x11f/0x140 [i915] [ 1330.879094] drm_dp_add_port.isra.20+0x20b/0x440 [drm_kms_helper] ... Cc: stable@vger.kernel.org Cc: Lyude Paul Cc: sunpeng.li@amd.com Cc: Daniel Vetter Cc: Sean Paul Fixes: 5ca0ef8a56b8 ("drm/i915: Add max_bpc property for DP MST") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20190820161657.9658-1-ville.syrjala@linux.intel.com Reviewed-by: José Roberto de Souza Reviewed-by: Lyude Paul Signed-off-by: Sasha Levin commit 79d5d7317ce33e0be347126360847c3e687d983b Author: Luca Coelho Date: Wed Aug 21 20:17:32 2019 +0300 iwlwifi: pcie: handle switching killer Qu B0 NICs to C0 [ Upstream commit b9500577d361522a3d9f14da8cf41dc1d824904e ] We need to use a different firmware for C0 versions of killer Qu NICs. Add structures for them and handle them in the if block that detects C0 revisions. Additionally, instead of having an inclusive check for QnJ devices, make the selection exclusive, so that switching to QnJ is the exception, not the default. This prevents us from having to add all the non-QnJ cards to an exclusion list. To do so, only go into the QnJ block if the device has an RF ID type HR and HW revision QnJ. Cc: stable@vger.kernel.org # 5.2 Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/20190821171732.2266-1-luca@coelho.fi Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 3146a6de3d58b6851583a8c4daa9ddd796fe4bd4 Author: Luca Coelho Date: Fri Aug 16 15:55:53 2019 +0300 iwlwifi: pcie: don't switch FW to qnj when ax201 is detected [ Upstream commit 17e40e6979aaf60f356331bac129df20e1fd74a0 ] We have a too generic condition that switches from Qu configurations to QnJ configurations. 
We need to exclude some configurations so that they are not erroneously switched. Add the ax201 configuration to the list of exclusions. Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 9e7e685012f2491fd73a545f4777868f87900548 Author: Luca Coelho Date: Mon Jul 8 18:55:34 2019 +0300 iwlwifi: pcie: add support for qu c-step devices [ Upstream commit a7d544d63120061f89459585f06ca44d30842a22 ] Add support for C-step devices. Currently we don't have a nice way of matching the step and choosing the proper configuration, so we need to switch the config structs one by one. Cc: stable@vger.kernel.org Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit c013312ef7a8be403343ffab1c30c306e15ebe8f Author: Ihab Zhaika Date: Fri Jun 14 11:48:51 2019 +0300 iwlwifi: change 0x02F0 fw from qu to quz [ Upstream commit 658521fc1bf1457a944d8408b8a792b31ed9cc20 ] change the fw of 0x02F0 platform from qu to quz Signed-off-by: Ihab Zhaika Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit feee62efa7adeef8e97701b6ceba4b4e9079f98c Author: Ihab Zhaika Date: Mon Jul 8 18:55:33 2019 +0300 iwlwifi: add new cards for 9000 and 20000 series [ Upstream commit ffcb60a54f245528e1d49f957ca2d20d6079577c ] add two new PCI ID's for 9000 and 20000 series Cc: stable@vger.kernel.org Signed-off-by: Ihab Zhaika Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 0fdbd727e12a2654841429cc493ef9f08aaaf975 Author: Ihab Zhaika Date: Wed Jun 19 20:59:02 2019 +0300 iwlwifi: add new cards for 22000 and change wrong structs [ Upstream commit a976bfb44bdbc1b69365dc31f7c1339fff436c95 ] add few PCI ID'S for 22000 and change few cards structs names Signed-off-by: Ihab Zhaika Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 805363e2dfa5354c64994da623ed692d6abdb2b8 Author: Ihab Zhaika Date: Fri Jun 14 11:48:49 2019 +0300 iwlwifi: add new cards for 
22000 and fix struct name [ Upstream commit d151b0a2efa128cb4f643b11baf54b1e4de2c528 ] add few PCI ID'S for 22000 and fix the wrong name for one of the structs Signed-off-by: Ihab Zhaika Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit e27fc344575113db956cb9c0ae0b13312a7e1dcc Author: Chunyan Zhang Date: Wed Aug 28 10:17:33 2019 +0800 mmc: sdhci-sprd: add get_ro hook function [ Upstream commit 4eae8cbdff942a423926486be4e781a77d619966 ] sprd's sd host controller doesn't support write protect to sd card. Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Chunyan Zhang Signed-off-by: Chunyan Zhang Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 9ad0348f708d7b2ceead282f558a6a16a213d9b9 Author: Baolin Wang Date: Tue Jun 4 16:14:24 2019 +0800 mmc: sdhci-sprd: Implement the get_max_timeout_count() interface [ Upstream commit 7486831d7d6aebcf851f9a4bbe65080351d5c9fb ] Implement the get_max_timeout_count() interface to set the Spreadtrum SD host controller actual maximum timeout count. Signed-off-by: Baolin Wang Acked-by: Adrian Hunter Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit d100666e3cfc93956a357b18941e493f265f85ec Author: Chunyan Zhang Date: Wed Aug 28 10:17:36 2019 +0800 mmc: sdhci-sprd: clear the UHS-I modes read from registers [ Upstream commit 2f765c175e1d1acae911f889e71e5933c6488929 ] sprd's sd host controller supports SDR50/SDR104/DDR50, but the UHS-I mode used by the specific card can be selected via devicetree only. 
Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Chunyan Zhang Signed-off-by: Chunyan Zhang Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit b018fcb922507e878f4fee3fd1c479e02e7deee8 Author: Denis Kenzior Date: Tue Aug 27 17:41:20 2019 -0500 mac80211: Correctly set noencrypt for PAE frames commit f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 upstream. The noencrypt flag was intended to be set if the "frame was received unencrypted" according to include/uapi/linux/nl80211.h. However, the current behavior is opposite of this. Cc: stable@vger.kernel.org Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211") Signed-off-by: Denis Kenzior Link: https://lore.kernel.org/r/20190827224120.14545-3-denkenz@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 08392de0ccc790c6892b1c42a6325eb3fc7b9fa9 Author: Denis Kenzior Date: Tue Aug 27 17:41:19 2019 -0500 mac80211: Don't memset RXCB prior to PAE intercept commit c8a41c6afa27b8c3f61622dfd882b912da9d6721 upstream. In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if mac80211 is configured to do so and forwards the contents over nl80211. During this process some additional data is also forwarded, including whether the frame was received encrypted or not. Unfortunately just prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is cleared, resulting in incorrect data being exposed over nl80211. 
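The ordering problem described above can be illustrated with a small userspace sketch. This is not the mac80211 code: `struct rx_status`, `struct frame`, and every function name below are hypothetical stand-ins, with the `cb` array only loosely modelled on skb->cb. It assumes the fix amounts to reading the status before the control block is cleared.

```c
#include <assert.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical per-frame receive status kept in a scratch control block. */
struct rx_status {
    bool decrypted; /* true if the frame arrived encrypted and was decrypted */
};

/* Hypothetical frame with a control block, loosely modelled on skb->cb. */
struct frame {
    unsigned char cb[48];
};

/* Store the receive status in the frame's control block. */
void frame_set_status(struct frame *f, const struct rx_status *st)
{
    assert(sizeof(*st) <= sizeof(f->cb));
    memcpy(f->cb, st, sizeof(*st));
}

/* Stand-in for the intercept step: reports whether the frame was unencrypted. */
bool intercept_reports_unencrypted(const struct frame *f)
{
    struct rx_status st;

    memcpy(&st, f->cb, sizeof(st));
    return !st.decrypted;
}

/* Problematic ordering: the status is wiped before the intercept reads it. */
bool deliver_clear_first(struct frame *f)
{
    memset(f->cb, 0, sizeof(f->cb));
    return intercept_reports_unencrypted(f);
}

/* Corrected ordering: read the status first, clear the block afterwards. */
bool deliver_read_first(struct frame *f)
{
    bool unencrypted = intercept_reports_unencrypted(f);

    memset(f->cb, 0, sizeof(f->cb));
    return unencrypted;
}
```

With a frame marked as decrypted, `deliver_clear_first()` reports it as unencrypted because the flag has already been zeroed, while `deliver_read_first()` reports it correctly.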
Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211") Cc: stable@vger.kernel.org Signed-off-by: Denis Kenzior Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 4e118994cea848c5b38cccab69a70357ad610fee Author: Alexander Wetzel Date: Mon Aug 5 14:34:00 2019 +0200 cfg80211: Fix Extended Key ID key install checks commit b67fd72e84a88cae64cea8ab47ccdaab3bb3094d upstream. Fix two shortcomings in the Extended Key ID API: 1) Allow the userspace to install pairwise keys using keyid 1 without NL80211_KEY_NO_TX set. This allows the userspace to install and activate pairwise keys with keyid 1 in the same way as for keyid 0, simplifying the API usage for e.g. FILS and FT key installs. 2) IEEE 802.11 - 2016 restricts Extended Key ID usage to CCMP/GCMP ciphers in IEEE 802.11 - 2016 "9.4.2.25.4 RSN capabilities". Enforce that when installing a key. Cc: stable@vger.kernel.org # 5.2 Fixes: 6cdd3979a2bd ("nl80211/cfg80211: Extended Key ID support") Signed-off-by: Alexander Wetzel Link: https://lore.kernel.org/r/20190805123400.51567-1-alexander@wetzel-home.de Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b14f5ba7490e2b5edb80621745e60d3122c4297d Author: Johannes Berg Date: Thu Aug 1 09:30:33 2019 +0200 mac80211: fix possible sta leak commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream. If TDLS station addition is rejected, the sta memory is leaked. Avoid this by moving the check before the allocation. 
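A minimal userspace sketch of the reordering, under stated assumptions: `struct sta`, `add_tdls_sta_leaky()`, `add_tdls_sta_fixed()`, the `associated` flag, and the error codes are hypothetical, and `malloc()`/`free()` stand in for the kernel allocator. It only shows why a rejection check placed before the allocation leaves nothing to free on the error path.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for a station entry; not the mac80211 structure. */
struct sta {
    int id;
};

int live_allocations; /* entries allocated and not yet freed */

struct sta *sta_alloc(int id)
{
    struct sta *s = malloc(sizeof(*s));

    if (!s)
        return NULL;
    s->id = id;
    live_allocations++;
    return s;
}

void sta_free(struct sta *s)
{
    if (!s)
        return;
    assert(live_allocations > 0);
    free(s);
    live_allocations--;
}

/* Leaky ordering: allocate first, then reject without freeing. */
int add_tdls_sta_leaky(bool associated, int id, struct sta **out)
{
    struct sta *s = sta_alloc(id);

    if (!s)
        return -ENOMEM;
    if (!associated)
        return -EINVAL; /* s is never freed on this path */
    *out = s;
    return 0;
}

/* Fixed ordering: reject before anything has been allocated. */
int add_tdls_sta_fixed(bool associated, int id, struct sta **out)
{
    struct sta *s;

    if (!associated)
        return -EINVAL; /* nothing to clean up */
    s = sta_alloc(id);
    if (!s)
        return -ENOMEM;
    *out = s;
    return 0;
}
```

The alternative would be to free the entry on the rejection path; checking first avoids the allocation entirely and keeps the error path trivial.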
Cc: stable@vger.kernel.org Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP") Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 3cd42050aac65a135a94be3527a5ed489ed0a776 Author: Hodaszi, Robert Date: Fri Jun 14 13:16:01 2019 +0000 Revert "cfg80211: fix processing world regdomain when non modular" commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream. This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular"). Re-triggering a reg_process_hint with the last request on all events, can make the regulatory domain fail in case of multiple WiFi modules. On slower boards (especially with mdev), enumeration of the WiFi modules can end up in an intersected regulatory domain, and user cannot set it with 'iw reg set' anymore. This is happening, because: - 1st module enumerates, queues up a regulatory request - request gets processed by __reg_process_hint_driver(): - checks if previous was set by CORE -> yes - checks if regulator domain changed -> yes, from '00' to e.g. 'US' -> sends request to the 'crda' - 2nd module enumerates, queues up a regulator request (which triggers the reg_todo() work) - reg_todo() -> reg_process_pending_hints() sees, that the last request is not processed yet, so it tries to process it again. __reg_process_hint_driver() will run again, and: - checks if the last request's initiator was the core -> no, it was the driver (1st WiFi module) - checks, if the previous initiator was the driver -> yes - checks if the regulator domain changed -> yes, it was '00' (set by core, and crda call did not return yet), and should be changed to 'US' ------> __reg_process_hint_driver calls an intersect Besides, the reg_process_hint call with the last request is meaningless since the crda call has a timeout work. If that timeout expires, the first module's request will be lost. 
Cc: stable@vger.kernel.org Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular") Signed-off-by: Robert Hodaszi Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b6a0d1f9bf08923bb53bbd4b72f0ff6ce2b2718a Author: Shakeel Butt Date: Fri Aug 30 16:04:53 2019 -0700 mm: memcontrol: fix percpu vmstats and vmevents flush commit 6c1c280805ded72eceb2afc1a0d431b256608554 upstream. Instead of using raw_cpu_read() use per_cpu() to read the actual data of the corresponding cpu otherwise we will be reading the data of the current cpu for the number of online CPUs. Link: http://lkml.kernel.org/r/20190829203110.129263-1-shakeelb@google.com Fixes: bb65f89b7d3d ("mm: memcontrol: flush percpu vmevents before releasing memcg") Fixes: c350a99ea2b1 ("mm: memcontrol: flush percpu vmstats before releasing memcg") Signed-off-by: Shakeel Butt Acked-by: Roman Gushchin Acked-by: Michal Hocko Cc: Johannes Weiner Cc: Vladimir Davydov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bba5bcb0cc0ea3d493e5c4a9b72d8b77dff0fbd6 Author: Roman Gushchin Date: Fri Aug 30 16:04:39 2019 -0700 mm, memcg: partially revert "mm/memcontrol.c: keep local VM counters in sync with the hierarchical ones" commit b4c46484dc3fa3721d68fdfae85c1d7b1f6b5472 upstream. Commit 766a4c19d880 ("mm/memcontrol.c: keep local VM counters in sync with the hierarchical ones") effectively decreased the precision of per-memcg vmstats_local and per-memcg-per-node lruvec percpu counters. That's good for displaying in memory.stat, but brings a serious regression into the reclaim process. One issue I've discovered and debugged is the following: lruvec_lru_size() can return 0 instead of the actual number of pages in the lru list, preventing the kernel to reclaim last remaining pages. Result is yet another dying memory cgroups flooding. 
The opposite is also happening: scanning an empty lru list is the waste of cpu time. Also, inactive_list_is_low() can return incorrect values, preventing the active lru from being scanned and freed. It can fail both because the size of active and inactive lists are inaccurate, and because the number of workingset refaults isn't precise. In other words, the result is pretty random. I'm not sure, if using the approximate number of slab pages in count_shadow_number() is acceptable, but issues described above are enough to partially revert the patch. Let's keep per-memcg vmstat_local batched (they are only used for displaying stats to the userspace), but keep lruvec stats precise. This change fixes the dead memcg flooding on my setup. Link: http://lkml.kernel.org/r/20190817004726.2530670-1-guro@fb.com Fixes: 766a4c19d880 ("mm/memcontrol.c: keep local VM counters in sync with the hierarchical ones") Signed-off-by: Roman Gushchin Acked-by: Yafang Shao Cc: Johannes Weiner Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8706ffe20444c7056a740d53b3093295522f447e Author: Chunyan Zhang Date: Wed Aug 28 10:17:35 2019 +0800 mms: sdhci-sprd: add SDHCI_QUIRK_BROKEN_CARD_DETECTION commit 4324e54bbea0107b054336f20075a26939b2bd51 upstream. sprd's sd host controller doesn't support detection to card insert or remove. Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Chunyan Zhang Signed-off-by: Chunyan Zhang Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit d7c7531ac9a330f74b0c4162a1796e5508e73170 Author: Stanislaw Gruszka Date: Thu Jul 18 12:38:10 2019 +0200 mt76: mt76x0u: do not reset radio on resume commit 8f2d163cb26da87e7d8e1677368b8ba1ba4d30b3 upstream. 
On some machines mt76x0u firmware can hang during resume, which results in messages like the following: [ 475.480062] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 475.990066] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110 [ 475.990075] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 476.500003] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110 [ 476.500012] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 477.010046] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110 [ 477.010055] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 477.529997] mt76x0 1-8:1.0: Error: send MCU cmd failed:-110 [ 477.530006] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 477.824907] mt76x0 1-8:1.0: Error: send MCU cmd failed:-71 [ 477.824916] mt76x0 1-8:1.0: Error: MCU response pre-completed! [ 477.825029] usb 1-8: USB disconnect, device number 6 and a possible whole-system freeze. This can be avoided if we do not perform the mt76x0_chip_onoff() reset. Cc: stable@vger.kernel.org Fixes: 134b2d0d1fcf ("mt76x0: init files") Signed-off-by: Stanislaw Gruszka Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 839e96131567369c509d4c8955686ed6558b88f7 Author: Trond Myklebust Date: Thu Aug 15 17:26:17 2019 -0400 SUNRPC: Don't handle errors if the bind/connect succeeded commit bd736ed3e2d1088d9b4050f727342e1e619c3841 upstream. Don't handle errors in call_bind_status()/call_connect_status() if it turns out that a previous call caused it to succeed. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Greg Kroah-Hartman commit 90ff6dd4ced610dac6c32dbeaa3899aead7b2908 Author: Gary R Hook Date: Mon Aug 19 22:23:27 2019 +0000 crypto: ccp - Ignore unconfigured CCP device on suspend/resume commit 5871cd93692c8071fb9358daccb715b5081316ac upstream. If a CCP is unconfigured (e.g. there are no available queues) then there will be no data structures allocated for the device. 
Thus, we must check for validity of a pointer before trying to access structure members. Fixes: 720419f01832f ("crypto: ccp - Introduce the AMD Secure Processor device") Cc: Signed-off-by: Gary R Hook Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3c3c233738df7baf8d0dc7a0ef8d4c0e724ca5a0 Author: Nadav Amit Date: Tue Aug 20 13:26:38 2019 -0700 VMCI: Release resource if the work is already queued commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream. Francois reported that VMware balloon gets stuck after a balloon reset, when the VMCI doorbell is removed. A similar error can occur when the balloon driver is removed with the following splat: [ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds. [ 1088.622035] Tainted: G W 5.2.0 #4 [ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 1088.622205] modprobe D 0 3565 1450 0x00000000 [ 1088.622210] Call Trace: [ 1088.622246] __schedule+0x2a8/0x690 [ 1088.622248] schedule+0x2d/0x90 [ 1088.622250] schedule_timeout+0x1d3/0x2f0 [ 1088.622252] wait_for_completion+0xba/0x140 [ 1088.622320] ? wake_up_q+0x80/0x80 [ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci] [ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci] [ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon] [ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon] [ 1088.622394] __x64_sys_delete_module+0x146/0x280 [ 1088.622408] do_syscall_64+0x5a/0x130 [ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1088.622415] RIP: 0033:0x7f54f62791b7 [ 1088.622421] Code: Bad RIP value. 
[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7 [ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68 [ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000 [ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68 [ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0 The cause for the bug is that when the "delayed" doorbell is invoked, it takes a reference on the doorbell entry and schedules work that is supposed to run the appropriate code and drop the doorbell entry reference. The code ignores the fact that if the work is already queued, it will not be scheduled to run one more time. As a result one of the references would not be dropped. When the code waits for the reference to get to zero, during balloon reset or module removal, it gets stuck. Fix it. Drop the reference if schedule_work() indicates that the work is already queued. Note that this bug got more apparent (or apparent at all) due to commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status"). Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.") Reported-by: Francois Rigault Cc: Jorgen Hansen Cc: Adit Ranadive Cc: Alexios Zavras Cc: Vishnu DASA Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit Reviewed-by: Vishnu Dasa Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com Signed-off-by: Greg Kroah-Hartman commit 6992ae83866a4f277191d013eb205197050020e1 Author: John Garry Date: Tue Jul 30 21:29:56 2019 +0800 bus: hisi_lpc: Add .remove method to avoid driver unbind crash commit 10e62b47973b0b0ceda076255bcb147b83e20517 upstream. The original driver author seemed to be under the impression that a driver cannot be removed if it does not have a .remove method. Or maybe if it is a built-in platform driver. This is not true. 
This crash can be created: root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# echo HISI0191\:00 > unbind root@ubuntu:/sys/bus/platform/drivers/hisi-lpc# ipmitool raw 6 1 Unable to handle kernel paging request at virtual address ffff000010035010 Mem abort info: ESR = 0x96000047 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000047 CM = 0, WnR = 1 swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000000118b000 [ffff000010035010] pgd=0000041ffbfff003, pud=0000041ffbffe003, pmd=0000041ffbffd003, pte=0000000000000000 Internal error: Oops: 96000047 [#1] PREEMPT SMP Modules linked in: CPU: 17 PID: 1473 Comm: ipmitool Not tainted 5.2.0-rc5-00003-gf68c53b414a3-dirty #198 Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018 pstate: 20000085 (nzCv daIf -PAN -UAO) pc : hisi_lpc_target_in+0x7c/0x120 lr : hisi_lpc_target_in+0x70/0x120 sp : ffff00001efe3930 x29: ffff00001efe3930 x28: ffff841f9f599200 x27: 0000000000000002 x26: 0000000000000000 x25: 0000000000000080 x24: 00000000000000e4 x23: 0000000000000000 x22: 0000000000000064 x21: ffff801fb667d280 x20: 0000000000000001 x19: ffff00001efe39ac x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff841febe60340 x7 : ffff801fb55c52e8 x6 : 0000000000000000 x5 : 0000000000ffc0e3 x4 : 0000000000000001 x3 : ffff801fb667d280 x2 : 0000000000000001 x1 : ffff000010035010 x0 : ffff000010035000 Call trace: hisi_lpc_target_in+0x7c/0x120 hisi_lpc_comm_in+0x88/0x98 logic_inb+0x5c/0xb8 port_inb+0x18/0x20 bt_event+0x38/0x808 smi_event_handler+0x4c/0x5a0 check_start_timer_thread.part.4+0x40/0x58 sender+0x78/0x88 smi_send.isra.6+0x94/0x108 i_ipmi_request+0x2c4/0x8f8 ipmi_request_settime+0x124/0x160 handle_send_req+0x19c/0x208 ipmi_ioctl+0x2c0/0x990 do_vfs_ioctl+0xb8/0x8f8 
ksys_ioctl+0x80/0xb8 __arm64_sys_ioctl+0x1c/0x28 el0_svc_common.constprop.0+0x64/0x160 el0_svc_handler+0x28/0x78 el0_svc+0x8/0xc Code: 941d1511 aa0003f9 f94006a0 91004001 (b9000034) ---[ end trace aa842b86af7069e4 ]--- The problem here is that the host goes away but the associated logical PIO region remains registered, as do the children devices. Fix by adding a .remove method to tidy-up by removing the child devices and unregistering the logical PIO region. Cc: stable@vger.kernel.org Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings") Signed-off-by: John Garry Signed-off-by: Wei Xu Signed-off-by: Greg Kroah-Hartman commit 0a6caa4e3f21032cc98812db307386f462698269 Author: John Garry Date: Tue Jul 30 21:29:55 2019 +0800 bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free commit 1b15a5632a809ab57d403fd972ca68785363b654 upstream. If, after registering a logical PIO range, the driver probe later fails, the logical PIO range memory will be released automatically. This causes an issue, in that the logical PIO range is not unregistered and the released range memory may be later referenced. Fix by unregistering the logical PIO range. And since we now unregister the logical PIO range for probe failure, avoid the special ordering of setting logical PIO range ops, which was the previous (poor) attempt at a safeguard against this. Cc: stable@vger.kernel.org Fixes: adf38bb0b595 ("HISI LPC: Support the LPC host on Hip06/Hip07 with DT bindings") Signed-off-by: John Garry Signed-off-by: Wei Xu Signed-off-by: Greg Kroah-Hartman commit 3e3bf9dfdaf4e3c5c00faa77bf5feac64ca4a860 Author: Andrew Cooks Date: Fri Aug 2 14:52:46 2019 +0200 i2c: piix4: Fix port selection for AMD Family 16h Model 30h commit c7c06a1532f3fe106687ac82a13492c6a619ff1c upstream. 
Family 16h Model 30h SMBus controller needs the same port selection fix as described and fixed in commit 0fe16195f891 ("i2c: piix4: Fix SMBus port selection for AMD Family 17h chips") commit 6befa3fde65f ("i2c: piix4: Support alternative port selection register") also fixed the port selection for Hudson2, but unfortunately this is not the exact same device and the AMD naming and PCI Device IDs aren't particularly helpful here. The SMBus port selection register is common to the following Families and models, as documented in AMD's publicly available BIOS and Kernel Developer Guides: 50742 - Family 15h Model 60h-6Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS) 55072 - Family 15h Model 70h-7Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS) 52740 - Family 16h Model 30h-3Fh (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) The Hudson2 PCI Device ID (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) is shared between Bolton FCH and Family 16h Model 30h, but the location of the SmBus0Sel port selection bits are different: 51192 - Bolton Register Reference Guide We distinguish between Bolton and Family 16h Model 30h using the PCI Revision ID: Bolton is device 0x780b, revision 0x15 Family 16h Model 30h is device 0x780b, revision 0x1F Family 15h Model 60h and 70h are both device 0x790b, revision 0x4A. 
The following additional public AMD BKDG documents were checked and do not share the same port selection register: 42301 - Family 15h Model 00h-0Fh doesn't mention any 42300 - Family 15h Model 10h-1Fh doesn't mention any 49125 - Family 15h Model 30h-3Fh doesn't mention any 48751 - Family 16h Model 00h-0Fh uses the previously supported index register SB800_PIIX4_PORT_IDX_ALT at 0x2e Signed-off-by: Andrew Cooks Signed-off-by: Jean Delvare Cc: stable@vger.kernel.org [v4.6+] Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 712029329a58bad66fa95e105bbce22c657e5c5a Author: Lyude Paul Date: Fri Aug 23 16:52:51 2019 -0400 drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() commit 32f0a982650b123bdab36865617d3e03ebcacf3b upstream. Currently, we don't call dma_set_max_seg_size() for i915 because we intentionally do not limit the segment length that the device supports. However, this results in a warning being emitted if we try to map anything larger than SZ_64K on a kernel with CONFIG_DMA_API_DEBUG_SG enabled: [ 7.751926] DMA-API: i915 0000:00:02.0: mapping sg segment longer than device claims to support [len=98304] [max=65536] [ 7.751934] WARNING: CPU: 5 PID: 474 at kernel/dma/debug.c:1220 debug_dma_map_sg+0x20f/0x340 This was originally brought up on https://bugs.freedesktop.org/show_bug.cgi?id=108517 , and the consensus there was it wasn't really useful to set a limit (and that dma-debug isn't really all that useful for i915 in the first place). Unfortunately though, CONFIG_DMA_API_DEBUG_SG is enabled in the debug configs for various distro kernels. Since a WARN_ON() will disable automatic problem reporting (and cause any CI with said option enabled to start complaining), we really should just fix the problem. Note that as me and Chris Wilson discussed, the other solution for this would be to make DMA-API not make such assumptions when a driver hasn't explicitly set a maximum segment size. 
But, taking a look at the commit which originally introduced this behavior, commit 78c47830a5cb ("dma-debug: check scatterlist segments"), there is an explicit mention of this assumption and how it applies to devices with no segment size: Conversely, devices which are less limited than the rather conservative defaults, or indeed have no limitations at all (e.g. GPUs with their own internal MMU), should be encouraged to set appropriate dma_parms, as they may get more efficient DMA mapping performance out of it. So unless there's any concerns (I'm open to discussion!), let's just follow suite and call dma_set_max_seg_size() with UINT_MAX as our limit to silence any warnings. Changes since v3: * Drop patch for enabling CONFIG_DMA_API_DEBUG_SG in CI. It looks like just turning it on causes the kernel to spit out bogus WARN_ONs() during some igt tests which would otherwise require teaching igt to disable the various DMA-API debugging options causing this. This is too much work to be worth it, since DMA-API debugging is useless for us. So, we'll just settle with this single patch to squelch WARN_ONs() during driver load for users that have CONFIG_DMA_API_DEBUG_SG turned on for some reason. * Move dma_set_max_seg_size() call into i915_driver_hw_probe() - Chris Wilson Signed-off-by: Lyude Paul Reviewed-by: Chris Wilson Cc: # v4.18+ Link: https://patchwork.freedesktop.org/patch/msgid/20190823205251.14298-1-lyude@redhat.com (cherry picked from commit acd674af95d3f627062007429b9c195c6b32361d) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 0573f44d42b15825402e6900d216b685244978e9 Author: Xiong Zhang Date: Tue Aug 20 13:46:17 2019 +0800 drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest commit 0a3dfbb5cd9033752639ef33e319c2f2863c713a upstream. The following call trace may exist in linux guest dmesg when guest i915 driver is unloaded. [ 90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB. 
[ 90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0 [ 90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm] [ 90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0 [ 90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000 [ 90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm] [ 90.777573] Call Trace: [ 90.777653] intel_vgt_deballoon+0x4c/0x60 [i915] [ 90.777729] i915_ggtt_cleanup_hw+0x121/0x190 [i915] [ 90.777792] i915_driver_unload+0x145/0x180 [i915] [ 90.777856] i915_pci_remove+0x15/0x20 [i915] [ 90.777890] pci_device_remove+0x3b/0xc0 [ 90.777916] device_release_driver_internal+0x157/0x220 [ 90.777945] driver_detach+0x39/0x70 [ 90.777967] bus_remove_driver+0x51/0xd0 [ 90.777990] pci_unregister_driver+0x23/0x90 [ 90.778019] SyS_delete_module+0x1da/0x240 [ 90.778045] entry_SYSCALL_64_fastpath+0x24/0x87 [ 90.778072] RIP: 0033:0x7f34312af067 [ 90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206 [ 90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0 [ 90.778344] ---[ end trace f4b1bc8305fc59dd ]--- Four drm_mm_node are used to reserve guest ggtt space, but some of them may be skipped and not initialised due to space constraints in intel_vgt_balloon(). If drm_mm_remove_node() is called with uninitialized drm_mm_node, the above call trace occurs. This patch check drm_mm_node's validity before calling drm_mm_remove_node(). 
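The validity check described above can be sketched in userspace roughly as follows. This is only an illustration under stated assumptions: `struct mock_node`, its `allocated` flag, and every `mock_*` helper are hypothetical stand-ins for the DRM types and functions, not the i915 code itself.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for struct drm_mm_node; not the real DRM type. */
struct mock_node {
	bool allocated;	/* true only if the range was actually reserved */
	size_t size;
};

static int removed_count;	/* number of real removals, for illustration */

/* Stand-in for drm_mm_remove_node(): only valid on an allocated node. */
static void mock_remove_node(struct mock_node *node)
{
	assert(node->allocated);
	node->allocated = false;
	removed_count++;
}

/* Release one ballooned range, skipping nodes that were never set up. */
static void mock_deballoon_space(struct mock_node *node)
{
	if (!node->allocated)
		return;
	mock_remove_node(node);
}

/* Walk all four balloon nodes; returns how many were really removed. */
static int mock_deballoon_all(struct mock_node nodes[4])
{
	removed_count = 0;
	for (int i = 0; i < 4; i++)
		mock_deballoon_space(&nodes[i]);
	return removed_count;
}
```

With the early return in place, calling the cleanup on a mix of reserved and skipped nodes, or calling it twice, never reaches the removal helper with an uninitialized node.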
Fixes: ff8f797557c7("drm/i915: return the correct usable aperture size under gvt environment") Cc: stable@vger.kernel.org Signed-off-by: Xiong Zhang Acked-by: Zhenyu Wang Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com (cherry picked from commit 4776f3529d6b1e47f02904ad1d264d25ea22b27b) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit f78e0d8172f35ae96b7d0728142d46eccbe38283 Author: Aaron Liu Date: Tue Aug 27 22:59:45 2019 +0800 drm/amdgpu: fix GFXOFF on Picasso and Raven2 commit 41940ff50f6c347f3541163702566cd526200d98 upstream. For picasso(adev->pdev->device == 0x15d8)&raven2(adev->rev_id >= 0x8), firmware is sufficient to support gfxoff. In commit 98f58ada2d37e, for picasso&raven2, return directly and cause gfxoff disabled. Fixes: 98f58ada2d37 ("drm/amdgpu/gfx9: update pg_flags after determining if gfx off is possible") Reviewed-by: Huang Rui Reviewed-by: Alex Deucher Signed-off-by: Aaron Liu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 4c7ee7bd4f7e230f7672dd4986ed0db565686b97 Author: Kai-Heng Feng Date: Tue Aug 27 17:33:32 2019 +0800 drm/amdgpu: Add APTX quirk for Dell Latitude 5495 commit 317a3aaef94d73ba6be88aea11b41bb631b2d581 upstream. Needs ATPX rather than _PR3 to really turn off the dGPU. This can save ~5W when dGPU is runtime-suspended. Signed-off-by: Kai-Heng Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 71817079db2f4a8c0676b7b02af45ba4b585ffe1 Author: John Garry Date: Tue Jul 30 21:29:54 2019 +0800 lib: logic_pio: Add logic_pio_unregister_range() commit b884e2de2afc68ce30f7093747378ef972dde253 upstream. Add a function to unregister a logical PIO range. 
Logical PIO space can still be leaked when unregistering certain LOGIC_PIO_CPU_MMIO regions, but this is acceptable for now since there are no callers to unregister LOGIC_PIO_CPU_MMIO regions, and the logical PIO region allocation scheme would need significant work to improve this.

Cc: stable@vger.kernel.org
Signed-off-by: John Garry
Signed-off-by: Wei Xu
Signed-off-by: Greg Kroah-Hartman

commit 0a6e7568654317183106fcd8e4641c41d5bdf6e4
Author: John Garry
Date: Tue Jul 30 21:29:53 2019 +0800

lib: logic_pio: Avoid possible overlap for unregistering regions

commit 0a27142bd1ee259e24a0be2b0133e5ca5df8da91 upstream.

The code was originally written without support for unregistering logical PIO regions. To support unregistering them, subtly modify the LOGIC_PIO_CPU_MMIO region registration code so that the "end" of the registered regions is the "end" of the last region, and not the sum of the sizes of all the registered regions.

Cc: stable@vger.kernel.org
Signed-off-by: John Garry
Signed-off-by: Wei Xu
Signed-off-by: Greg Kroah-Hartman

commit 94cfb33438e03f4c9abcc41f10dcd13b32c9d349
Author: John Garry
Date: Tue Jul 30 21:29:52 2019 +0800

lib: logic_pio: Fix RCU usage

commit 06709e81c668f5f56c65b806895b278517bd44e0 upstream.

The traversal of io_range_list with list_for_each_entry_rcu() is not properly protected by rcu_read_lock() and rcu_read_unlock(), so add them. These functions mark the scope of the critical section in which the list is protected for the reader and cannot be "reclaimed". Any updater - in this case, the logical PIO registration functions - cannot update the list until the reader exits this critical section.

In addition, the list traversal in logic_pio_register_range() does not need to use the rcu variant, because io_range_mutex already guarantees mutual exclusion against anything mutating the list.
Cc: stable@vger.kernel.org Fixes: 031e3601869c ("lib: Add generic PIO mapping method") Signed-off-by: John Garry Signed-off-by: Wei Xu Signed-off-by: Greg Kroah-Hartman commit e0e3650991cd69492258e1fcfb9731d86b4e38e9 Author: Trond Myklebust Date: Fri Aug 16 08:37:26 2019 -0400 Revert "NFSv4/flexfiles: Abort I/O early if the layout segment was invalidated" commit d5711920ec6e578f51db95caa6f185f5090b865e upstream. This reverts commit a79f194aa4879e9baad118c3f8bb2ca24dbef765. The mechanism for aborting I/O is racy, since we are not guaranteed that the request is asleep while we're changing both task->tk_status and task->tk_action. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v5.1 Signed-off-by: Greg Kroah-Hartman commit 666a848c6797090c8bafdc1a14876b020f4dfac9 Author: Trond Myklebust Date: Mon Aug 12 18:04:36 2019 -0400 NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0 commit eb2c50da9e256dbbb3ff27694440e4c1900cfef8 upstream. If the attempt to resend the I/O results in no bytes being read/written, we must ensure that we report the error. Signed-off-by: Trond Myklebust Fixes: 0a00b77b331a ("nfs: mirroring support for direct io") Cc: stable@vger.kernel.org # v3.20+ Signed-off-by: Greg Kroah-Hartman commit 3fd824dc16de2f1aa4607fcc7d17f833ea513cf8 Author: Trond Myklebust Date: Mon Aug 12 15:19:54 2019 -0400 NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend() commit f4340e9314dbfadc48758945f85fc3b16612d06f upstream. If the attempt to resend the pages fails, we need to ensure that we clean up those pages that were not transmitted. Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application") Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Greg Kroah-Hartman commit d3a2180a5720e984e731f6572747a9a373c0c84d Author: Raul E Rangel Date: Tue Aug 27 11:36:19 2019 -0600 lkdtm/bugs: fix build error in lkdtm_EXHAUST_STACK commit b9bc7b8b1e9e815b231c1ca0b566ee723f480987 upstream. 
lkdtm/bugs.c:94:2: error: format '%d' expects argument of type 'int', but argument 2 has type 'long unsigned int' [-Werror=format=] pr_info("Calling function with %d frame size to depth %d ...\n", ^ THREAD_SIZE is defined as a unsigned long, cast CONFIG_FRAME_WARN to unsigned long as well. Fixes: 24cccab42c419 ("lkdtm/bugs: Adjust recursion test to avoid elision") Cc: stable Signed-off-by: Raul E Rangel Acked-by: Kees Cook Link: https://lore.kernel.org/r/20190827173619.170065-1-rrangel@chromium.org Signed-off-by: Greg Kroah-Hartman commit 61c6f2b0000afaaa11ab86db35c8c33328859626 Author: Eddie James Date: Tue Aug 27 12:12:49 2019 +0800 fsi: scom: Don't abort operations for minor errors commit 8919dfcb31161fae7d607bbef5247e5e82fd6457 upstream. The scom driver currently fails out of operations if certain system errors are flagged in the status register; system checkstop, special attention, or recoverable error. These errors won't impact the ability of the scom engine to perform operations, so the driver should continue under these conditions. Also, don't do a PIB reset for these conditions, since it won't help. Fixes: 6b293258cded ("fsi: scom: Major overhaul") Signed-off-by: Eddie James Cc: stable Acked-by: Jeremy Kerr Acked-by: Benjamin Herrenschmidt Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20190827041249.13381-1-jk@ozlabs.org Signed-off-by: Greg Kroah-Hartman commit d886915cd91b4393ab7649af6021a74fe4441270 Author: Colin Ian King Date: Thu Aug 22 14:52:12 2019 +0100 typec: tcpm: fix a typo in the comparison of pdo_max_voltage commit a684d8fd87182090ee96e34519ecdf009cef093a upstream. There appears to be a typo in the comparison of pdo_max_voltage[i] with the previous value, currently it is checking against the array pdo_min_voltage rather than pdo_max_voltage. I believe this is a typo. Fix this. 
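As a rough illustration of the comparison being fixed, here is a minimal sketch that assumes the check is part of a duplicate-entry test between adjacent capabilities. `struct mock_pdo` and the `mock_*` helpers are hypothetical; real PDOs are packed 32-bit words decoded by the tcpm helpers, which this sketch does not reproduce.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical unpacked PDO with voltage bounds in millivolts. */
struct mock_pdo {
	uint32_t min_mv;
	uint32_t max_mv;
};

/* Two adjacent entries are duplicates only if both bounds match. */
static bool mock_is_duplicate(const struct mock_pdo *cur,
			      const struct mock_pdo *prev)
{
	return cur->min_mv == prev->min_mv &&
	       /* The typo described above compared against prev->min_mv here. */
	       cur->max_mv == prev->max_mv;
}

/* Return the index of the first entry duplicating its predecessor, or -1. */
static int mock_find_duplicate(const struct mock_pdo *pdo, int n)
{
	for (int i = 1; i < n; i++) {
		if (mock_is_duplicate(&pdo[i], &pdo[i - 1]))
			return i;
	}
	return -1;
}
```

Comparing a maximum against the previous minimum would, for example, wrongly flag a 5000-5000 mV entry that follows a 5000-9000 mV entry, while missing a true duplicate.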
Addresses-Coverity: ("Copy-paste error") Fixes: 5007e1b5db73 ("typec: tcpm: Validate source and sink caps") Cc: stable Signed-off-by: Colin Ian King Reviewed-by: Guenter Roeck Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20190822135212.10195-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman commit 82b520267b49123db76188edd1f3aa0975f86fed Author: Alexander Shishkin Date: Wed Aug 21 10:49:55 2019 +0300 intel_th: pci: Add Tiger Lake support commit 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 upstream. This adds support for the Trace Hub in Tiger Lake PCH. Signed-off-by: Alexander Shishkin Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20190821074955.3925-5-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1c01033684f32089f685c283020ce4a7e093ca2b Author: Alexander Shishkin Date: Wed Aug 21 10:49:54 2019 +0300 intel_th: pci: Add support for another Lewisburg PCH commit 164eb56e3b64f3a816238d410c9efec7567a82ef upstream. Add support for the Trace Hub in another Lewisburg PCH. Signed-off-by: Alexander Shishkin Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20190821074955.3925-4-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit d36c706f854ce1c58bd0da838121bb920ff402ec Author: Ding Xiang Date: Wed Aug 21 10:49:52 2019 +0300 stm class: Fix a double free of stm_source_device commit 961b6ffe0e2c403b09a8efe4a2e986b3c415391a upstream. In the error path of stm_source_register_device(), the kfree is unnecessary, as the put_device() before it ends up calling stm_source_device_release() to free stm_source_device, leading to a double free at the outer kfree() call. Remove it. 
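The ownership rule behind this fix can be sketched in plain C as below. It is a simplified model under assumptions: `mock_device`, `mock_source`, and `mock_put_device()` are hypothetical stand-ins for the driver-core objects and put_device(), reduced to a bare reference count with a release callback.

```c
#include <assert.h>
#include <stdlib.h>

static int release_calls;	/* counts frees, for illustration only */

/* Hypothetical stand-in for struct device: a refcount plus release hook. */
struct mock_device {
	int refcount;
	void (*release)(struct mock_device *dev);
};

/* Hypothetical stand-in for the containing source device. */
struct mock_source {
	struct mock_device dev;	/* first member, so the cast below is valid */
	int payload;
};

/* Release callback: the only place the containing object is freed. */
static void mock_source_release(struct mock_device *dev)
{
	release_calls++;
	free((struct mock_source *)dev);
}

/* Drop one reference; the last put triggers the release callback. */
static void mock_put_device(struct mock_device *dev)
{
	if (--dev->refcount == 0)
		dev->release(dev);
}

/* A registration that always fails, to exercise the error path. */
static int mock_register_failing(void)
{
	struct mock_source *src = calloc(1, sizeof(*src));

	if (!src)
		return -1;
	src->dev.refcount = 1;
	src->dev.release = mock_source_release;

	/* ... a later setup step fails ... */
	mock_put_device(&src->dev);	/* last reference: release() frees src */
	/* No free(src) here: that would free the same memory twice. */
	return -2;
}
```

Once an object is handed to a reference-counted owner with a release callback, the error path only drops its reference and leaves the actual free to that callback.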
Signed-off-by: Ding Xiang Signed-off-by: Alexander Shishkin Fixes: 7bd1d4093c2fa ("stm class: Introduce an abstraction for System Trace Module devices") Link: https://lore.kernel.org/linux-arm-kernel/1563354988-23826-1-git-send-email-dingxiang@cmss.chinamobile.com/ Cc: stable@vger.kernel.org # v4.4+ Link: https://lore.kernel.org/r/20190821074955.3925-2-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ba3e88a664c8fa0168fc58a891c9e9af62dd782a Author: Chunyan Zhang Date: Wed Aug 28 10:17:34 2019 +0800 mmc: sdhci-sprd: add SDHCI_QUIRK2_PRESET_VALUE_BROKEN commit 6a526f66ab1494b63c71cd6639d9d96fd7216add upstream. The bit of PRESET_VAL_ENABLE in HOST_CONTROL2 register is reserved on sprd's sd host controller, set quirk2 to disable configuring this. Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Chunyan Zhang Signed-off-by: Chunyan Zhang Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 77162751167c6873d06889af9835dd6b061a8d4d Author: Chunyan Zhang Date: Wed Aug 28 10:17:32 2019 +0800 mmc: sdhci-sprd: fixed incorrect clock divider commit efdaf27517a892238e0dfa046cd91184b039d681 upstream. The register SDHCI_CLOCK_CONTROL should be cleared before config clock divider, otherwise the frequency configured maybe lower than we expected. Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Chunyan Zhang Signed-off-by: Chunyan Zhang Reviewed-by: Baolin Wang Tested-by: Baolin Wang Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit a94076eed72e2c97e9ee1e9c753d5dd6a6835b4c Author: Ulf Hansson Date: Tue Aug 27 10:10:43 2019 +0200 mmc: core: Fix init of SD cards reporting an invalid VDD range commit 72741084d903e65e121c27bd29494d941729d4a1 upstream. The OCR register defines the supported range of VDD voltages for SD cards. 
However, it has turned out that some SD cards reports an invalid voltage range, for example having bit7 set. When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from the invalid VDD range, this triggers the core to run a power cycle of the card to try to initialize it at the lowest common supported voltage. Obviously this fails, since the card can't support it. Let's fix this problem, by clearing invalid bits from the read OCR register for SD cards, before proceeding with the VDD voltage negotiation. Cc: stable@vger.kernel.org Reported-by: Philip Langdale Signed-off-by: Ulf Hansson Reviewed-by: Philip Langdale Tested-by: Philip Langdale Tested-by: Manuel Presnitz Signed-off-by: Greg Kroah-Hartman commit b8dd05ea2e74de3483d7725493ec76ced513f467 Author: Masahiro Yamada Date: Thu Aug 29 19:49:26 2019 +0900 mmc: sdhci-cadence: enable v4_mode to fix ADMA 64-bit addressing commit e73a3896eaca95ea5fc895720502a3f040eb4b39 upstream. The IP datasheet says this controller is compatible with SD Host Specification Version v4.00. As it turned out, the ADMA of this IP does not work with 64-bit mode when it is in the Version 3.00 compatible mode; it understands the old 64-bit descriptor table (as defined in SDHCI v2), but the ADMA System Address Register (SDHCI_ADMA_ADDRESS) cannot point to the 64-bit address. I noticed this issue only after commit bd2e75633c80 ("dma-contiguous: use fallback alloc_pages for single pages"). Prior to that commit, dma_set_mask_and_coherent() returned the dma address that fits in 32-bit range, at least for the default arm64 configuration (arch/arm64/configs/defconfig). Now the host->adma_addr exceeds the 32-bit limit, causing the real problem for the Socionext SoCs. (As a side-note, I was also able to reproduce the issue for older kernels by turning off CONFIG_DMA_CMA.) Call sdhci_enable_v4_mode() to fix this. 
Cc: # v4.20+ Signed-off-by: Masahiro Yamada Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 096179da39b60858c858fa2c01f3f8af010268f1 Author: Eugen Hristev Date: Thu Aug 8 08:35:40 2019 +0000 mmc: sdhci-of-at91: add quirk for broken HS200 commit 7871aa60ae0086fe4626abdf5ed13eeddf306c61 upstream. HS200 is not implemented in the driver, but the controller claims it through caps. Remove it via a quirk, to make sure the mmc core do not try to enable HS200, as it causes the eMMC initialization to fail. Signed-off-by: Eugen Hristev Acked-by: Ludovic Desroches Acked-by: Adrian Hunter Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC") Cc: stable@vger.kernel.org # v4.4+ Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit cb82fa2d124aa1581428e89150dfe9d077ac5a60 Author: Dmitry Osipenko Date: Fri Aug 9 01:24:30 2019 +0300 Revert "mmc: sdhci-tegra: drop ->get_ro() implementation" commit 0f686ca933597cfcc0636253fc1740423c062ec7 upstream. The WRITE_PROTECT bit is always in a "protected mode" on Tegra and WP-GPIO state need to be used instead. In a case of the GPIO absence, write-enable should be assumed. External SD is writable once again as a result of this patch because the offending commit changed behaviour for the case of a missing WP-GPIO to fall back to WRITE_PROTECT bit-checking, which is incorrect for Tegra. Cc: stable@vger.kernel.org # v5.1+ Fixes: e8391453e27f ("mmc: sdhci-tegra: drop ->get_ro() implementation") Signed-off-by: Dmitry Osipenko Acked-by: Thierry Reding Acked-by: Adrian Hunter Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 31f4eb72692c5c9b0242ef17c16f5ed910a99768 Author: Tomas Winkler Date: Mon Aug 19 13:32:10 2019 +0300 mei: me: add Tiger Lake point LP device ID commit 587f17407741a5be07f8a2d1809ec946c8120962 upstream. Add Tiger Lake Point device ID for TGP LP. 
Signed-off-by: Tomas Winkler Cc: stable Link: https://lore.kernel.org/r/20190819103210.32748-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 871c867ac423c755910558440d5f43db462156d0 Author: Marc Zyngier Date: Wed Aug 28 11:10:16 2019 +0100 KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI commit 82e40f558de566fdee214bec68096bbd5e64a6a4 upstream. A guest is not allowed to inject a SGI (or clear its pending state) by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8). Make sure we correctly emulate the architecture. Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers") Cc: stable@vger.kernel.org # 4.7+ Reported-by: Andre Przywara Signed-off-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit ea93e118ef2eb04b348f2c65149665533ea9b1e6 Author: Heyi Guo Date: Tue Aug 27 12:26:50 2019 +0100 KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long commit d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 upstream. If the ap_list is longer than 256 entries, merge_final() in list_sort() will call the comparison callback with the same element twice, causing a deadlock in vgic_irq_cmp(). Fix it by returning early when irqa == irqb. Cc: stable@vger.kernel.org # 4.7+ Fixes: 8e4447457965 ("KVM: arm/arm64: vgic-new: Add IRQ sorting") Signed-off-by: Zenghui Yu Signed-off-by: Heyi Guo [maz: massaged commit log and patch, added Fixes and Cc-stable] Signed-off-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d69ebe85e16908698844c40f08d3d1dba417405c Author: Alexey Kardashevskiy Date: Mon Aug 26 14:55:20 2019 +1000 KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling commit ddfd151f3def9258397fcde7a372205a2d661903 upstream. H_PUT_TCE_INDIRECT handlers receive a page with up to 512 TCEs from a guest. 
Although we verify correctness of TCEs before we do anything with the existing tables, there is a small window in which a check in kvmppc_tce_validate might pass and the guest alters the page of TCEs right afterwards, causing an early exit from the handler and leaving srcu_read_lock(&vcpu->kvm->srcu) (virtual mode) or lock_rmap(rmap) (real mode) locked.

This fixes the bug by jumping to the common exit code with an appropriate unlock.

Cc: stable@vger.kernel.org # v4.11+
Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
Signed-off-by: Alexey Kardashevskiy
Signed-off-by: Paul Mackerras
Signed-off-by: Greg Kroah-Hartman

commit 3698cd854f436b02ca2db6cf1a8d5a0221dcb03d
Author: Pu Wen
Date: Sat Aug 31 10:19:58 2019 +0800

tools/power turbostat: Fix caller parameter of get_tdp_amd()

commit 9cfa8e042f7cbb1994cc5923e46c78b36f6054f4 upstream.

Commit 9392bd98bba760be96ee ("tools/power turbostat: Add support for AMD Fam 17h (Zen) RAPL") added a function get_tdp_amd() whose parameter is the CPU family, but rapl_probe_amd() passes the model instead. Fix the caller of get_tdp_amd() to pass the family.

Cc: # v5.1+
Signed-off-by: Pu Wen
Reviewed-by: Calvin Walton
Signed-off-by: Len Brown
Signed-off-by: Greg Kroah-Hartman

commit 2d26f7f401e736ab886f73acb48ff47e95e1f7af
Author: Kai-Heng Feng
Date: Wed Aug 28 01:34:50 2019 +0800

USB: storage: ums-realtek: Whitelist auto-delink support

commit 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 upstream.

Auto-delink requires writing special registers to ums-realtek devices. Unconditionally enabling auto-delink may break newer devices.

So only enable auto-delink by default for the original three IDs, 0x0138, 0x0158 and 0x0159.

Realtek is working on a patch to properly support auto-delink for other IDs.
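A whitelist of this kind might look like the sketch below. The function name `mock_auto_delink_default()` is hypothetical and the driver's real structure is not shown; only the three product IDs come from the text above.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/*
 * Hypothetical helper: decide whether auto-delink is enabled by default
 * for a given USB product ID. Only the three original IDs are listed.
 */
static bool mock_auto_delink_default(uint16_t product_id)
{
	switch (product_id) {
	case 0x0138:
	case 0x0158:
	case 0x0159:
		return true;
	default:
		/* Unknown or newer devices: leave auto-delink alone. */
		return false;
	}
}
```

Defaulting to false for unlisted IDs keeps newer devices on their existing behaviour until they are explicitly supported.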
BugLink: https://bugs.launchpad.net/bugs/1838886 Signed-off-by: Kai-Heng Feng Acked-by: Alan Stern Cc: stable Link: https://lore.kernel.org/r/20190827173450.13572-2-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman commit 35f1b0a62c367dd8cb9f951c6dbccfa248352fb9 Author: Kai-Heng Feng Date: Wed Aug 28 01:34:49 2019 +0800 USB: storage: ums-realtek: Update module parameter description for auto_delink_en commit f6445b6b2f2bb1745080af4a0926049e8bca2617 upstream. The option named "auto_delink_en" is a bit misleading, as setting it to false doesn't really disable auto-delink but let auto-delink be firmware controlled. Update the description to reflect the real usage of this parameter. Signed-off-by: Kai-Heng Feng Cc: stable Link: https://lore.kernel.org/r/20190827173450.13572-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman commit 960ff077477ee9999456e156790481eef2c563f1 Author: Geert Uytterhoeven Date: Tue Aug 27 14:51:12 2019 +0200 usb: host: xhci: rcar: Fix typo in compatible string matching commit 636bd02a7ba9025ff851d0cfb92768c8fa865859 upstream. It's spelled "renesas", not "renensas". Due to this typo, RZ/G1M and RZ/G1N were not covered by the check. Fixes: 2dc240a3308b ("usb: host: xhci: rcar: retire use of xhci_plat_type_is()") Signed-off-by: Geert Uytterhoeven Cc: stable Reviewed-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20190827125112.12192-1-geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman commit 6ca46f45c2084f4e760fbf2c617bae20029ae073 Author: Yoshihiro Shimoda Date: Tue Aug 27 12:51:50 2019 +0900 usb: host: ohci: fix a race condition between shutdown and irq commit a349b95d7ca0cea71be4a7dac29830703de7eb62 upstream. This patch fixes an issue that the following error is possible to happen when ohci hardware causes an interruption and the system is shutting down at the same time. 
[ 34.851754] usb 2-1: USB disconnect, device number 2 [ 35.166658] irq 156: nobody cared (try booting with the "irqpoll" option) [ 35.173445] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 5.3.0-rc5 #85 [ 35.179964] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 35.187886] Workqueue: usb_hub_wq hub_event [ 35.192063] Call trace: [ 35.194509] dump_backtrace+0x0/0x150 [ 35.198165] show_stack+0x14/0x20 [ 35.201475] dump_stack+0xa0/0xc4 [ 35.204785] __report_bad_irq+0x34/0xe8 [ 35.208614] note_interrupt+0x2cc/0x318 [ 35.212446] handle_irq_event_percpu+0x5c/0x88 [ 35.216883] handle_irq_event+0x48/0x78 [ 35.220712] handle_fasteoi_irq+0xb4/0x188 [ 35.224802] generic_handle_irq+0x24/0x38 [ 35.228804] __handle_domain_irq+0x5c/0xb0 [ 35.232893] gic_handle_irq+0x58/0xa8 [ 35.236548] el1_irq+0xb8/0x180 [ 35.239681] __do_softirq+0x94/0x23c [ 35.243253] irq_exit+0xd0/0xd8 [ 35.246387] __handle_domain_irq+0x60/0xb0 [ 35.250475] gic_handle_irq+0x58/0xa8 [ 35.254130] el1_irq+0xb8/0x180 [ 35.257268] kernfs_find_ns+0x5c/0x120 [ 35.261010] kernfs_find_and_get_ns+0x3c/0x60 [ 35.265361] sysfs_unmerge_group+0x20/0x68 [ 35.269454] dpm_sysfs_remove+0x2c/0x68 [ 35.273284] device_del+0x80/0x370 [ 35.276683] hid_destroy_device+0x28/0x60 [ 35.280686] usbhid_disconnect+0x4c/0x80 [ 35.284602] usb_unbind_interface+0x6c/0x268 [ 35.288867] device_release_driver_internal+0xe4/0x1b0 [ 35.293998] device_release_driver+0x14/0x20 [ 35.298261] bus_remove_device+0x110/0x128 [ 35.302350] device_del+0x148/0x370 [ 35.305832] usb_disable_device+0x8c/0x1d0 [ 35.309921] usb_disconnect+0xc8/0x2d0 [ 35.313663] hub_event+0x6e0/0x1128 [ 35.317146] process_one_work+0x1e0/0x320 [ 35.321148] worker_thread+0x40/0x450 [ 35.324805] kthread+0x124/0x128 [ 35.328027] ret_from_fork+0x10/0x18 [ 35.331594] handlers: [ 35.333862] [<0000000079300c1d>] usb_hcd_irq [ 35.338126] [<0000000079300c1d>] usb_hcd_irq [ 35.342389] Disabling IRQ #156 ohci_shutdown() disables all the interrupt and rh_state is set 
    to OHCI_RH_HALTED. On the other hand, ohci_irq() can enable
    OHCI_INTR_SF and OHCI_INTR_MIE. Note that OHCI_INTR_SF can be set by
    start_ed_unlink(), which is called as follows:

      ohci_irq()
        -> process_done_list()
          -> takeback_td()
            -> start_ed_unlink()

    So, ohci_irq() has the following condition, and the issue happens when
    &ohci->regs->intrenable = OHCI_INTR_MIE | OHCI_INTR_SF and
    ohci->rh_state = OHCI_RH_HALTED:

      /* interrupt for some other device? */
      if (ints == 0 || unlikely(ohci->rh_state == OHCI_RH_HALTED))
              return IRQ_NOTMINE;

    To fix the issue, ohci_shutdown() holds the spin lock while disabling
    the interrupts and changing the rh_state flag, to prevent OHCI_INTR_MIE
    from being re-enabled unexpectedly. Note that io_watchdog_func() also
    calls ohci_shutdown() and already holds the spin lock, so the patch
    adds a new function, _ohci_shutdown().

    This patch is inspired by a Renesas R-Car Gen3 BSP patch from Tho Vu.

    Signed-off-by: Yoshihiro Shimoda
    Cc: stable
    Acked-by: Alan Stern
    Link: https://lore.kernel.org/r/1566877910-6020-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
    Signed-off-by: Greg Kroah-Hartman

commit 73830b83ece98461f80d84bc79857b7e72bf490a
Author: Peter Chen
Date:   Tue Aug 20 02:07:58 2019 +0000

    usb: chipidea: udc: don't do hardware access if gadget has stopped

    commit cbe85c88ce80fb92956a0793518d415864dcead8 upstream.

    After _gadget_stop_activity is executed, we can consider the hardware
    operation for gadget has finished, and the udc can be stopped and enter
    low power mode. So, any later hardware operations (from usb_ep_ops APIs
    or usb_gadget_ops APIs) should be considered invalid, any
    deinitializations have been covered at _gadget_stop_activity.
    I hit this problem when I unplug the usb cable from the PC while using
    the mass_storage gadget; my callstack looks like:

      vbus interrupt->.vbus_session-> composite_disconnect
      ->pm_runtime_put_sync(&_gadget->dev)

    composite_disconnect will call fsg_disable, but fsg_disable calls
    usb_ep_disable asynchronously, and usb_ep_disable accesses registers.
    So sometimes I get a system hang due to accessing a register without a
    clock, sometimes not.

    The Linux Kernel USB maintainer Alan Stern suggested this kind of
    solution. See: http://marc.info/?l=linux-usb&m=138541769810983&w=2.

    Cc: #v4.9+
    Signed-off-by: Peter Chen
    Link: https://lore.kernel.org/r/20190820020503.27080-2-peter.chen@nxp.com
    Signed-off-by: Greg Kroah-Hartman

commit 0aa1e87affcefd81184d633d9b52f3c126d0dd5c
Author: Schmid, Carsten
Date:   Fri Aug 23 14:11:28 2019 +0000

    usb: hcd: use managed device resources

    commit 76da906ad727048a74bb8067031ee99fc070c7da upstream.

    Using managed device resources in usb_hcd_pci_probe() allows devm usage
    for resource subranges, such as the mmio resource for the platform
    device created to control host/device mode mux, which is a xhci
    extended capability, and sits inside the xhci mmio region.

    If managed device resources are not used then "parent" resource is
    released before subrange at driver removal as .remove callback is
    called before the devres list of resources for this device is walked
    and released.

    This has been observed with the xhci extended capability driver causing
    a use-after-free which is now fixed.

    An additional nice benefit is that error handling on driver
    initialisation is much simplified.
    Signed-off-by: Carsten Schmid
    Tested-by: Carsten Schmid
    Reviewed-by: Mathias Nyman
    Fixes: fa31b3cb2ae1 ("xhci: Add Intel extended cap / otg phy mux handling")
    Cc: # v4.19+
    Link: https://lore.kernel.org/r/1566569488679.31808@mentor.com
    Signed-off-by: Greg Kroah-Hartman

commit c07f658df19feb6025da515300ed729afed77f03
Author: Oliver Neukum
Date:   Tue Aug 27 12:34:36 2019 +0200

    USB: cdc-wdm: fix race between write and disconnect due to flag abuse

    commit 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e upstream.

    In case of a disconnect an ongoing flush() has to be made to fail.
    Nevertheless we cannot be sure that any pending URB has already
    finished, so although they will never succeed, they still must not be
    touched. The clean solution for this is to check for WDM_IN_USE and
    WDM_DISCONNECTED in flush(). There is no point in ever clearing
    WDM_IN_USE, as no further writes make sense.

    The issue is as old as the driver.

    Fixes: afba937e540c9 ("USB: CDC WDM driver")
    Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com
    Signed-off-by: Oliver Neukum
    Cc: stable
    Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman

commit 43d94dafbcdd3aff2ec75ad363d4501241f3a25f
Author: Henk van der Laan
Date:   Fri Aug 16 22:08:47 2019 +0200

    usb-storage: Add new JMS567 revision to unusual_devs

    commit 08d676d1685c2a29e4d0e1b0242324e564d4589e upstream.

    Revision 0x0117 suffers from an identical issue to earlier revisions,
    therefore it should be added to the quirks list.

    Signed-off-by: Henk van der Laan
    Cc: stable
    Link: https://lore.kernel.org/r/20190816200847.21366-1-opensource@henkvdlaan.com
    Signed-off-by: Greg Kroah-Hartman

commit 7300afed03340a3ecc787142c861c10d4353bf9c
Author: Oliver Neukum
Date:   Tue Aug 20 11:28:25 2019 +0200

    usbtmc: more sanity checking for packet size

    commit de7b9aa633b693e77942e12f1769506efae6917b upstream.

    A malicious device can make the driver divide by zero with a nonsense
    maximum packet size.
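The kind of check this message describes can be illustrated outside the kernel. What follows is a minimal userspace sketch, not the usbtmc driver code: `struct fake_endpoint`, `fake_probe_check()` and `packets_for()` are hypothetical names, and the only assumption is that a device-supplied maximum packet size is later used as a divisor.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-in for an endpoint descriptor read from a device. */
struct fake_endpoint {
    unsigned int max_packet_size; /* untrusted: supplied by the device */
};

/*
 * Reject a zero maximum packet size once, at probe time, so that no later
 * code path can divide by it.
 */
static int fake_probe_check(const struct fake_endpoint *ep)
{
    if (ep->max_packet_size == 0)
        return -EINVAL;
    return 0;
}

/* Packets needed to carry len bytes; valid only after the check passed. */
static size_t packets_for(const struct fake_endpoint *ep, size_t len)
{
    assert(ep->max_packet_size != 0);
    return (len + ep->max_packet_size - 1) / ep->max_packet_size;
}
```

Validating once at probe time keeps the later arithmetic free of per-call checks, which is presumably why a probe-time sanity check is attractive here.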
    Signed-off-by: Oliver Neukum
    Cc: stable
    Link: https://lore.kernel.org/r/20190820092826.17694-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman

commit e56b7b3b92561a4284f4f93a4648890f477aeac8
Author: Steven Rostedt (VMware)
Date:   Fri Aug 30 16:30:01 2019 -0400

    ftrace: Check for empty hash and comment the race with registering probes

    commit 372e0d01da71c84dcecf7028598a33813b0d5256 upstream.

    The race between adding a function probe and reading the probes that
    exist is very subtle. It needs a comment. The issue can also happen if
    the probe has the EMPTY_HASH as its func_hash.

    Cc: stable@vger.kernel.org
    Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
    Signed-off-by: Steven Rostedt (VMware)
    Signed-off-by: Greg Kroah-Hartman

commit d784aa1a0f136740cbd3b94163b66022336342ca
Author: Naveen N. Rao
Date:   Thu Jul 4 20:04:42 2019 +0530

    ftrace: Check for successful allocation of hash

    commit 5b0022dd32b7c2e15edf1827ba80aa1407edf9ff upstream.

    In register_ftrace_function_probe(), we are not checking the return
    value of alloc_and_copy_ftrace_hash(). The subsequent call to
    ftrace_match_records() may end up dereferencing the same. Add a check
    to ensure this doesn't happen.

    Link: http://lkml.kernel.org/r/26e92574f25ad23e7cafa3cf5f7a819de1832cbe.1562249521.git.naveen.n.rao@linux.vnet.ibm.com

    Cc: stable@vger.kernel.org
    Fixes: 1ec3a81a0cf42 ("ftrace: Have each function probe use its own ftrace_ops")
    Signed-off-by: Naveen N. Rao
    Signed-off-by: Steven Rostedt (VMware)
    Signed-off-by: Greg Kroah-Hartman

commit cd419e7c03e9abe6a1ecd3a8f18a8a417b8ee231
Author: Naveen N. Rao
Date:   Thu Jul 4 20:04:41 2019 +0530

    ftrace: Fix NULL pointer dereference in t_probe_next()

    commit 7bd46644ea0f6021dc396a39a8bfd3a58f6f1f9f upstream.
    LTP testsuite on powerpc results in the below crash:

      Unable to handle kernel paging request for data at address 0x00000000
      Faulting instruction address: 0xc00000000029d800
      Oops: Kernel access of bad area, sig: 11 [#1]
      LE SMP NR_CPUS=2048 NUMA PowerNV
      ...
      CPU: 68 PID: 96584 Comm: cat Kdump: loaded Tainted: G W
      NIP: c00000000029d800 LR: c00000000029dac4 CTR: c0000000001e6ad0
      REGS: c0002017fae8ba10 TRAP: 0300 Tainted: G W
      MSR: 9000000000009033 CR: 28022422 XER: 20040000
      CFAR: c00000000029d90c DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
      ...
      NIP [c00000000029d800] t_probe_next+0x60/0x180
      LR [c00000000029dac4] t_mod_start+0x1a4/0x1f0
      Call Trace:
      [c0002017fae8bc90] [c000000000cdbc40] _cond_resched+0x10/0xb0 (unreliable)
      [c0002017fae8bce0] [c0000000002a15b0] t_start+0xf0/0x1c0
      [c0002017fae8bd30] [c0000000004ec2b4] seq_read+0x184/0x640
      [c0002017fae8bdd0] [c0000000004a57bc] sys_read+0x10c/0x300
      [c0002017fae8be30] [c00000000000b388] system_call+0x5c/0x70

    The test (ftrace_set_ftrace_filter.sh) is part of ftrace stress tests
    and the crash happens when the test does 'cat
    $TRACING_PATH/set_ftrace_filter'.

    The address points to the second line below, in t_probe_next(), where
    filter_hash is dereferenced:

      hash = iter->probe->ops.func_hash->filter_hash;
      size = 1 << hash->size_bits;

    This happens due to a race with register_ftrace_function_probe(). A new
    ftrace_func_probe is created and added into the func_probes list in
    trace_array under ftrace_lock. However, before initializing the filter,
    we drop ftrace_lock, and re-acquire it after acquiring regex_lock. If
    another process is trying to read set_ftrace_filter, it will be able to
    acquire ftrace_lock during this window and it will end up seeing a NULL
    filter_hash.

    Fix this by just checking for a NULL filter_hash in t_probe_next(). If
    the filter_hash is NULL, then this probe is just being added and we can
    simply return from here.
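The shape of that fix can be sketched in plain userspace C. This is an illustrative model only, not the ftrace code: `struct fake_hash`, `struct fake_probe` and `probe_bucket_count()` are hypothetical names, and the model assumes a reader may observe a probe whose filter has not been initialised yet.

```c
#include <assert.h>
#include <stddef.h>

/* Hypothetical stand-in for a hash whose bucket count is 1 << size_bits. */
struct fake_hash {
    unsigned int size_bits;
};

/* Hypothetical probe: filter_hash stays NULL until the filter is set up. */
struct fake_probe {
    struct fake_hash *filter_hash;
};

/*
 * Return the number of buckets a reader should walk. A probe that is still
 * being registered has no filter yet, so there is nothing to walk and the
 * pointer must not be dereferenced.
 */
static unsigned long probe_bucket_count(const struct fake_probe *probe)
{
    const struct fake_hash *hash;

    assert(probe != NULL);
    hash = probe->filter_hash;
    if (!hash)
        return 0;
    return 1UL << hash->size_bits;
}
```

Treating a half-registered probe as empty lets the reader skip it without holding any extra lock across the registration window.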
    Link: http://lkml.kernel.org/r/05e021f757625cbbb006fad41380323dbe4e3b43.1562249521.git.naveen.n.rao@linux.vnet.ibm.com

    Cc: stable@vger.kernel.org
    Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
    Signed-off-by: Naveen N. Rao
    Signed-off-by: Steven Rostedt (VMware)
    Signed-off-by: Greg Kroah-Hartman

commit 6c781717c5ccd12940ddced9ab732af60837ec27
Author: Benjamin Tissoires
Date:   Tue Aug 13 15:38:07 2019 +0200

    HID: logitech-hidpp: remove support for the G700 over USB

    [ Upstream commit a3384b8d9f63cc042711293bb97bdc92dca0391d ]

    The G700 suffers from the same issue as the G502: when plugging it in,
    the driver tries to contact it but it fails.

    This timeout is problematic as it introduces a delay in the boot, and
    having only the mouse event node means that the hardware macro keys
    cannot be relayed to userspace.

    Link: https://github.com/libratbag/libratbag/issues/797
    Fixes: 91cf9a98ae41 ("HID: logitech-hidpp: make .probe usbhid capable")
    Cc: stable@vger.kernel.org # v5.2
    Reviewed-by: Filipe Laíns
    Signed-off-by: Benjamin Tissoires
    Signed-off-by: Sasha Levin

commit 60203848774877fb865f3c04ca2b12cc4ccfb143
Author: Bandan Das
Date:   Mon Aug 26 06:15:13 2019 -0400

    x86/apic: Include the LDR when clearing out APIC registers

    commit 558682b5291937a70748d36fd9ba757fb25b99ae upstream.

    Although APIC initialization will typically clear out the LDR before
    setting it, the APIC cleanup code should reset the LDR.

    This was discovered with a 32-bit KVM guest jumping into a kdump
    kernel. The stale bits in the LDR triggered a bug in the KVM APIC
    implementation which caused the destination mapping for VCPUs to be
    corrupted.

    Note that this isn't intended to paper over the KVM APIC bug. The
    kernel has to clear the LDR when resetting the APIC registers except
    when X2APIC is enabled.

    This lacks a Fixes tag because the failure to clear the LDR goes way
    back into pre-git history.
    [ tglx: Made x2apic_enabled a function call as required ]

    Signed-off-by: Bandan Das
    Signed-off-by: Thomas Gleixner
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190826101513.5080-3-bsd@redhat.com
    Signed-off-by: Greg Kroah-Hartman

commit edacccb3468085a77642342b28687a9d39e0ce10
Author: Bandan Das
Date:   Mon Aug 26 06:15:12 2019 -0400

    x86/apic: Do not initialize LDR and DFR for bigsmp

    commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream.

    Legacy apic init uses bigsmp for smp systems with 8 and more CPUs. The
    bigsmp APIC implementation uses physical destination mode, but it
    nevertheless initializes LDR and DFR. The LDR even ends up incorrectly
    with multiple bits being set.

    This does not cause a functional problem because LDR and DFR are
    ignored when physical destination mode is active, but it triggered a
    problem on a 32-bit KVM guest which jumps into a kdump kernel.

    The multiple bits set unearthed a bug in the KVM APIC implementation.
    The code which creates the logical destination map for VCPUs ignores
    the disabled state of the APIC and ends up overwriting an existing
    valid entry and as a result, APIC calibration hangs in the guest during
    kdump initialization.

    Remove the bogus LDR/DFR initialization.

    This is not intended to work around the KVM APIC bug. The LDR/DFR
    initialization is wrong on its own.

    The issue goes back into the pre git history. The fixes tag is the
    commit in the bitkeeper import which introduced bigsmp support in 2003.
      git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git

    Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems")
    Suggested-by: Thomas Gleixner
    Signed-off-by: Bandan Das
    Signed-off-by: Thomas Gleixner
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com
    Signed-off-by: Greg Kroah-Hartman

commit af65ce08ec913007f194ab1530b96904b414d0c7
Author: Thomas Gleixner
Date:   Thu Aug 29 00:31:34 2019 +0200

    x86/mm/cpa: Prevent large page split when ftrace flips RW on kernel text

    commit 7af0145067bc429a09ac4047b167c0971c9f0dc7 upstream.

    ftrace does not use text_poke() for enabling trace functionality. It
    uses its own mechanism and flips the whole kernel text to RW and back
    to RO.

    The CPA rework removed a loop based check of 4k pages which tried to
    preserve a large page by checking each 4k page whether the change would
    actually cover all pages in the large page.

    This resulted in endless loops for nothing as in testing it turned out
    that it actually never preserved anything. Of course testing missed to
    include ftrace, which is the one and only case which benefitted from
    the 4k loop.

    As a consequence enabling function tracing or ftrace based kprobes
    results in a full 4k split of the kernel text, which affects iTLB
    performance.

    The kernel RO protection is the only valid case where this can actually
    preserve large pages.

    All other static protections (RO data, data NX, PCI, BIOS) are truly
    static. So a conflict with those protections which results in a split
    should only ever happen when a change of memory next to a protected
    region is attempted. But these conflicts are rightfully splitting the
    large page to preserve the protected regions. In fact a change to the
    protected regions itself is a bug and is warned about.

    Add an exception for the static protection check for kernel text RO
    when the to be changed region spans a full large page which allows to
    preserve the large mappings.
    This also prevents the syslog from being spammed about CPA violations
    when ftrace is used.

    The exception needs to be removed once ftrace has switched over to
    text_poke(), which avoids the whole issue.

    Fixes: 585948f4f695 ("x86/mm/cpa: Avoid the 4k pages check completely")
    Reported-by: Song Liu
    Signed-off-by: Thomas Gleixner
    Tested-by: Song Liu
    Reviewed-by: Song Liu
    Acked-by: Peter Zijlstra (Intel)
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1908282355340.1938@nanos.tec.linutronix.de
    Signed-off-by: Greg Kroah-Hartman

commit 861e386d11b5b90bd75326c0db957937da2dd38b
Author: Sebastian Mayr
Date:   Sun Jul 28 17:26:17 2019 +0200

    uprobes/x86: Fix detection of 32-bit user mode

    commit 9212ec7d8357ea630031e89d0d399c761421c83b upstream.

    32-bit processes running on a 64-bit kernel are not always detected
    correctly, causing the process to crash when uretprobes are installed.

    The reason for the crash is that in_ia32_syscall() is used to determine
    the process's mode, which only works correctly when called from a
    syscall.

    In the case of uretprobes, however, the function is called from an
    exception and always returns 'false' on a 64-bit kernel. In consequence
    this leads to corruption of the process's return address.

    Fix this by using user_64bit_mode() instead of in_ia32_syscall(), which
    is correct in any situation.

    [ tglx: Add a comment and the following historical info ]

    This should have been detected by the rename which happened in commit

      abfb9498ee13 ("x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()")

    which states in the changelog:

        The is_ia32_task()/is_x32_task() function names are a big misnomer:
        they suggests that the compat-ness of a system call is a task
        property, which is not true, the compatness of a system call purely
        depends on how it was invoked through the system call layer.
        .....

    and then it went and blindly renamed every call site.
    Sadly enough this was already mentioned here:

       8faaed1b9f50 ("uprobes/x86: Introduce sizeof_long(), cleanup adjust_ret_addr() and
       arch_uretprobe_hijack_return_addr()")

    where the changelog says:

        TODO: is_ia32_task() is not what we actually want, TS_COMPAT does
        not necessarily mean 32bit. Fortunately syscall-like insns can't be
        probed so it actually works, but it would be better to rename and
        use is_ia32_frame().

    and goes all the way back to:

        0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")

    Oh well. 7+ years until someone actually tried a uretprobe on a 32bit
    process on a 64bit kernel....

    Fixes: 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")
    Signed-off-by: Sebastian Mayr
    Signed-off-by: Thomas Gleixner
    Cc: Masami Hiramatsu
    Cc: Dmitry Safonov
    Cc: Oleg Nesterov
    Cc: Srikar Dronamraju
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190728152617.7308-1-me@sam.st
    Signed-off-by: Greg Kroah-Hartman

commit 4479763b84366e3ec53e73ca2d021baed335365c
Author: Sean Christopherson
Date:   Fri Aug 23 13:55:44 2019 -0700

    KVM: x86: Don't update RIP or do single-step on faulting emulation

    commit 75ee23b30dc712d80d2421a9a547e7ab6e379b44 upstream.

    Don't advance RIP or inject a single-step #DB if emulation signals a
    fault. This logic applies to all state updates that are conditional on
    clean retirement of the emulation instruction, e.g. updating RFLAGS was
    previously handled by commit 38827dbd3fb85 ("KVM: x86: Do not update
    EFLAGS on faulting emulation").

    Not advancing RIP is likely a nop, i.e. ctxt->eip isn't updated with
    ctxt->_eip until emulation "retires" anyways. Skipping #DB injection
    fixes a bug reported by Andy Lutomirski where a #UD on SYSCALL due to
    invalid state with EFLAGS.TF=1 would loop indefinitely due to emulation
    overwriting the #UD with #DB and thus restarting the bad SYSCALL over
    and over.
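The rule stated above, that retirement-time updates are skipped when emulation faults, can be modelled in a few lines. This is a toy userspace sketch and not KVM code: `struct fake_vcpu`, `enum fake_emu_result` and `fake_retire()` are hypothetical names, and the single-step flag is reduced to a boolean.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, heavily simplified vCPU state. */
struct fake_vcpu {
    unsigned long rip;  /* current instruction pointer */
    bool tf;            /* models EFLAGS.TF (single-step requested) */
    bool db_injected;   /* models a queued single-step #DB */
};

enum fake_emu_result { FAKE_EMU_OK, FAKE_EMU_FAULT };

/*
 * Apply retirement-time updates only when emulation finished cleanly. On a
 * fault the pending exception must be delivered as-is, so RIP is left alone
 * and no #DB is queued on top of it.
 */
static void fake_retire(struct fake_vcpu *vcpu, enum fake_emu_result res,
                        unsigned long next_rip)
{
    assert(vcpu != NULL);
    if (res == FAKE_EMU_FAULT)
        return;
    vcpu->rip = next_rip;
    if (vcpu->tf)
        vcpu->db_injected = true;
}
```

In this model a faulting instruction with the single-step flag set leaves both `rip` and `db_injected` untouched, which is the behaviour the message argues for.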
    Cc: Nadav Amit
    Cc: stable@vger.kernel.org
    Reported-by: Andy Lutomirski
    Fixes: 663f4c61b803 ("KVM: x86: handle singlestep during emulation")
    Signed-off-by: Sean Christopherson
    Signed-off-by: Radim Krčmář
    Signed-off-by: Greg Kroah-Hartman

commit 4344cb8cf72d3335890ca51295467e220de92fd8
Author: Vitaly Kuznetsov
Date:   Tue Aug 27 18:04:02 2019 +0200

    KVM: x86: hyper-v: don't crash on KVM_GET_SUPPORTED_HV_CPUID when kvm_intel.nested is disabled

    commit ea1529873ab18c204688cf31746df851c098cbea upstream.

    If kvm_intel is loaded with nested=0 parameter an attempt to perform
    KVM_GET_SUPPORTED_HV_CPUID results in OOPS as nested_get_evmcs_version
    hook in kvm_x86_ops is NULL (we assign it in
    nested_vmx_hardware_setup() and this only happens in case nested is
    enabled).

    Check that kvm_x86_ops->nested_get_evmcs_version is not NULL before
    calling it. With this, we can remove the stub from svm as it is no
    longer needed.

    Cc:
    Fixes: e2e871ab2f02 ("x86/kvm/hyper-v: Introduce nested_get_evmcs_version() helper")
    Signed-off-by: Vitaly Kuznetsov
    Reviewed-by: Jim Mattson
    Signed-off-by: Radim Krčmář
    Signed-off-by: Greg Kroah-Hartman

commit 7d01c081e86142a39ea89588a9cf154816262e52
Author: Radim Krcmar
Date:   Tue Aug 13 23:37:37 2019 -0400

    kvm: x86: skip populating logical dest map if apic is not sw enabled

    commit b14c876b994f208b6b95c222056e1deb0a45de0e upstream.

    recalculate_apic_map does not sanitize ldr and it's possible that
    multiple bits are set. In that case, a previous valid entry can
    potentially be overwritten by an invalid one.

    This condition is hit when booting a 32 bit, >8 CPU, RHEL6 guest and
    then triggering a crash to boot a kdump kernel. This is the sequence of
    events:

    1. Linux boots in bigsmp mode and enables PhysFlat, however, it still
       writes to the LDR which probably will never be used.
    2. However, when booting into kdump, the stale LDR values remain as
       they are not cleared by the guest and there isn't an apic reset.
    3. kdump boots with 1 cpu, and uses Logical Destination Mode but the
       logical map has been overwritten and points to an inactive vcpu.

    Signed-off-by: Radim Krcmar
    Signed-off-by: Bandan Das
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit e824fe6a6750521ebcf8b71c574e081a09dbdd9d
Author: Takashi Iwai
Date:   Tue Aug 20 08:58:12 2019 +0200

    ALSA: usb-audio: Add implicit fb quirk for Behringer UFX1604

    commit 1a15718b41df026cffd0e42cfdc38a1384ce19f9 upstream.

    Behringer UFX1604 requires a similar quirk to apply implicit fb, like
    another Behringer model UFX1204, in order to fix the noisy playback.

    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204631
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 4f3c293ccffe122d53f12c23e9116e8bd0361e62
Author: Takashi Iwai
Date:   Thu Aug 15 11:41:06 2019 +0200

    ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate()

    commit 6de3c9e3f6b3eaf66859e1379b3f35dda781416b upstream.

    The quirk function snd_emuusb_set_samplerate() has a NULL check for the
    mixer element, but this is useless in the current code. It used to be a
    check against mixer->id_elems[unitid] but it was changed later to the
    value after mixer_elem_list_to_info() which is always non-NULL due to
    the container_of() usage.

    This patch fixes the check before the conversion.

    While we're at it, correct a typo in the comment in the function, too.

    Fixes: 8c558076c740 ("ALSA: usb-audio: Clean up mixer element list traverse")
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ee26f3722d2b0a14bd88c19ffafa6975d1cdf4de
Author: Takashi Iwai
Date:   Sun Aug 25 09:21:44 2019 +0200

    ALSA: seq: Fix potential concurrent access to the deleted pool

    commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream.

    The input pool of a client might be deleted via the resize ioctl, so
    the access to it should be covered by the proper locks.
    Currently the only missing place is the call in
    snd_seq_ioctl_get_client_pool(), and this patch papers over it.

    Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 853ccdea876bfb2d537d01f2bc93557618e37131
Author: Jeronimo Borque
Date:   Sun Aug 18 22:35:38 2019 -0300

    ALSA: hda - Fixes inverted Conexant GPIO mic mute led

    commit f9ef724d4896763479f3921afd1ee61552fc9836 upstream.

    "enabled" parameter historically referred to the device input or
    output, not to the led indicator. After the changes added with the led
    helper functions the mic mute led logic refers to the led and not to
    the mic input which caused led indicator to be negated.
    Fix the logic in cxt_update_gpio_led and update
    cxt_fixup_gpio_mute_hook.
    Also update the debug messages to ease further debugging if necessary.

    Fixes: 184e302b46c9 ("ALSA: hda/conexant - Use the mic-mute LED helper")
    Suggested-by: Takashi Iwai
    Signed-off-by: Jeronimo Borque
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 441f5ecc1e24afa38ec2a1538a9470efb51c3dc1
Author: Takashi Iwai
Date:   Wed Aug 21 20:00:02 2019 +0200

    ALSA: line6: Fix memory leak at line6_init_pcm() error path

    commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream.

    I forgot to release the allocated object at the early error path in
    line6_init_pcm(). For addressing it, slightly shuffle the code so that
    the PCM destructor (pcm->private_free) is assigned properly before all
    error paths.

    Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer")
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 6ff7b2c68d2276f26ebfa8edc7dc9c0591b66b1a
Author: Paweł Rekowski
Date:   Mon Aug 19 22:40:07 2019 +0200

    ALSA: hda/ca0132 - Add new SBZ quirk

    commit 2ca371d847511f97ef991ef612a2ce805489840e upstream.

    This patch adds a new PCI subsys ID for the SBZ, as found and tested by
    me and some reddit users.
    Link: https://lore.kernel.org/lkml/20190819204008.14426-1-p.rekowski@gmail.com
    Signed-off-by: Paweł Rekowski
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 701ff405be9fa5a3a7ad8a7020d343d3bf3206fd
Author: Takashi Iwai
Date:   Tue Aug 20 21:43:42 2019 +0200

    ALSA: usb-audio: Check mixer unit bitmap yet more strictly

    commit f9f0e9ed350e15d51ad07364b4cf910de50c472a upstream.

    The bmControls (for UAC1) or bmMixerControls (for UAC2/3) bitmap has a
    variable size depending on both input and output pins. Its size is to
    fit with input * output bits. The problem is that the input size can't
    be determined simply from the unit descriptor itself but it needs to
    parse the whole connected sources. Although the
    uac_mixer_unit_get_channels() tries to check some possible overflow of
    this bitmap, it's incomplete due to the lack of the evaluation of input
    pins.

    For covering possible overflows, this patch adds the bitmap overflow
    check in the loop of input pins in parse_audio_mixer_unit().

    Fixes: 0bfe5e434e66 ("ALSA: usb-audio: Check mixer unit descriptors more strictly")
    Cc:
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit b4b92e95d9e5ad3e4711be1bd8b01c121d38b43a
Author: Andrew Morton
Date:   Fri Aug 30 16:04:35 2019 -0700

    mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n

    commit 441e254cd40dc03beec3c650ce6ce6074bc6517f upstream.
    Fixes: 701d678599d0c1 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
    Link: http://lkml.kernel.org/r/201908251039.5oSbEEUT%25lkp@intel.com
    Reported-by: kbuild test robot
    Cc: Sergey Senozhatsky
    Cc: Henry Burns
    Cc: Minchan Kim
    Cc: Shakeel Butt
    Cc: Jonathan Adams
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 2905d7847cd59c4e4aba72a1b6f249f62156efb8
Author: Hangbin Liu
Date:   Thu Aug 22 22:19:49 2019 +0800

    xfrm/xfrm_policy: fix dst dev null pointer dereference in collect_md mode

    [ Upstream commit c3b4c3a47e05d5fecf7354d75824a9d1b37f3e84 ]

    In decode_session{4,6} there is a possibility that the skb dst dev is
    NULL, e.g. with tunnel collect_md mode, which will cause a kernel
    crash. Here is what the code path looks like, for GRE:

    - ip6gre_tunnel_xmit
    - ip6gre_xmit_ipv6
    - __gre6_xmit
    - ip6_tnl_xmit
    - if skb->len - t->tun_hlen - eth_hlen > mtu; return -EMSGSIZE
    - icmpv6_send
    - icmpv6_route_lookup
    - xfrm_decode_session_reverse
    - decode_session4
    - oif = skb_dst(skb)->dev->ifindex; <-- here
    - decode_session6
    - oif = skb_dst(skb)->dev->ifindex; <-- here

    The reason is __metadata_dst_init() init dst->dev to NULL by default.
    We could not fix it in __metadata_dst_init() as there is no dev
    supplied. On the other hand, the skb_dst(skb)->dev is actually not
    needed as we called decode_session{4,6} via
    xfrm_decode_session_reverse(), so oif is not used by:

      fl4->flowi4_oif = reverse ? skb->skb_iif : oif;

    So making a dst dev check here should be clean and safe.

    v4: No changes.

    v3: No changes.

    v2: fix the issue in decode_session{4,6} instead of updating shared dst
        dev in {ip_md, ip6}_tunnel_xmit.

    Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
    Signed-off-by: Hangbin Liu
    Tested-by: Jonathan Lemon
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1c7fbbc0fc3fe00812bc642b4378a700a1837bd9
Author: Hangbin Liu
Date:   Thu Aug 22 22:19:48 2019 +0800

    ipv4/icmp: fix rt dst dev null pointer dereference

    [ Upstream commit e2c693934194fd3b4e795635934883354c06ebc9 ]

    In __icmp_send() there is a possibility that the rt->dst.dev is NULL,
    e.g. with tunnel collect_md mode, which will cause a kernel crash.
    Here is what the code path looks like, for GRE:

    - ip6gre_tunnel_xmit
    - ip6gre_xmit_ipv4
    - __gre6_xmit
    - ip6_tnl_xmit
    - if skb->len - t->tun_hlen - eth_hlen > mtu; return -EMSGSIZE
    - icmp_send
    - net = dev_net(rt->dst.dev); <-- here

    The reason is __metadata_dst_init() init dst->dev to NULL by default.
    We could not fix it in __metadata_dst_init() as there is no dev
    supplied. On the other hand, the reason we need rt->dst.dev is to get
    the net. So we can just try to get it from skb->dev when rt->dst.dev is
    NULL.

    v4: Julian Anastasov reminded that skb->dev could also be NULL. We'd
        better still use dst.dev and do a check to avoid a crash.

    v3: No changes.

    v2: fix the issue in __icmp_send() instead of updating shared dst dev
        in {ip_md, ip6}_tunnel_xmit.

    Fixes: c8b34e680a09 ("ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit")
    Signed-off-by: Hangbin Liu
    Reviewed-by: Julian Anastasov
    Acked-by: Jonathan Lemon
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit fc90789e580b8adbec953992bac02622bbb38d91
Author: Yi-Hung Wei
Date:   Thu Aug 22 13:17:50 2019 -0700

    openvswitch: Fix conntrack cache with timeout

    [ Upstream commit 7177895154e6a35179d332f4a584d396c50d0612 ]

    This patch addresses a conntrack cache issue with timeout policy.
    Currently, we do not check if the timeout extension is set properly in
    the cached conntrack entry. Thus, after a packet recirculates from the
    conntrack action, the timeout policy is not applied properly. This
    patch fixes the aforementioned issue.
    Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action")
    Reported-by: kbuild test robot
    Signed-off-by: Yi-Hung Wei
    Acked-by: Pravin B Shelar
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c1c3307a832acf6ea64afcd170d5dafcc219b462
Author: Alexey Kodanev
Date:   Fri Aug 23 20:51:43 2019 +0300

    ipv4: mpls: fix mpls_xmit for iptunnel

    [ Upstream commit 803f3e22ae10003a83c781498c0ac34cfe3463ff ]

    When using mpls over gre/gre6 setup, rt->rt_gw4 address is not set, the
    same for rt->rt_gw_family. Therefore, when rt->rt_gw_family is checked
    in mpls_xmit(), neigh_xmit() call is skipped. As a result, such setup
    doesn't work anymore.

    This issue was found with LTP mpls03 tests.

    Fixes: 1550c171935d ("ipv4: Prepare rtable for IPv6 gateway")
    Signed-off-by: Alexey Kodanev
    Reviewed-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ae154dcba8f4fc51d0ab4a7e81ac10003128f663
Author: Eric Dumazet
Date:   Fri Aug 16 21:26:22 2019 -0700

    tcp: make sure EPOLLOUT wont be missed

    [ Upstream commit ef8d8ccdc216f797e66cb4a1372f5c4c285ce1e4 ]

    As Jason Baron explained in commit 790ba4566c1a ("tcp: set SOCK_NOSPACE
    under memory pressure"), it is crucial we properly set SOCK_NOSPACE
    when needed.

    However, Jason's patch had a bug, because the 'nonblocking' status as
    far as sk_stream_wait_memory() is concerned is governed by the
    MSG_DONTWAIT flag passed at sendmsg() time:

      long timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);

    So it is very possible that tcp sendmsg() calls
    sk_stream_wait_memory(), and that sk_stream_wait_memory() returns
    -EAGAIN with SOCK_NOSPACE cleared, if sk->sk_sndtimeo has been set to a
    small (but not zero) value.

    This patch removes the 'noblock' variable since we must always set
    SOCK_NOSPACE if -EAGAIN is returned.

    It also renames the do_nonblock label since we might reach this code
    path even if we were in blocking mode.
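The invariant argued for above, that the no-space flag is set whenever -EAGAIN is returned regardless of how the caller got there, can be modelled in userspace. This is a hedged sketch and not the TCP code: `struct fake_sock` and `fake_wait_for_memory()` are hypothetical names, and time is reduced to abstract ticks.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>

/* Hypothetical socket model; nospace stands in for SOCK_NOSPACE. */
struct fake_sock {
    bool nospace;
};

/*
 * timeo:       ticks the caller may wait (0 models MSG_DONTWAIT).
 * wait_needed: ticks until send memory would become available.
 *
 * The flag is set on every -EAGAIN return, both for the non-blocking case
 * and for a blocking caller whose short send timeout expired, so that a
 * later "writable" event is not lost.
 */
static int fake_wait_for_memory(struct fake_sock *sk, long timeo,
                                long wait_needed)
{
    assert(timeo >= 0 && wait_needed >= 0);
    if (wait_needed <= timeo)
        return 0;
    sk->nospace = true;
    return -EAGAIN;
}
```

With a single exit path for -EAGAIN there is no separate "was this call non-blocking" condition left to get wrong, which mirrors the removal of the 'noblock' variable described above.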
Fixes: 790ba4566c1a ("tcp: set SOCK_NOSPACE under memory pressure") Signed-off-by: Eric Dumazet Cc: Jason Baron Reported-by: Vladimir Rutsky Acked-by: Soheil Hassas Yeganeh Acked-by: Neal Cardwell Acked-by: Jason Baron Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cbc9336afc74c1da2572d8db4e2cbfd0cb4eff54 Author: Jason Baron Date: Mon Aug 19 14:36:01 2019 -0400 net/smc: make sure EPOLLOUT is raised [ Upstream commit 4651d1802f7063e4d8c0bcad957f46ece0c04024 ] Currently, we are only explicitly setting SOCK_NOSPACE on a write timeout for non-blocking sockets. Epoll() edge-trigger mode relies on SOCK_NOSPACE being set when -EAGAIN is returned to ensure that EPOLLOUT is raised. Expand the setting of SOCK_NOSPACE to non-blocking sockets as well that can use SO_SNDTIMEO to adjust their write timeout. This mirrors the behavior that Eric Dumazet introduced for tcp sockets. Signed-off-by: Jason Baron Cc: Eric Dumazet Cc: Ursula Braun Cc: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b71ce93d7b116d065a670221089310ac0fb70c9 Author: Li RongQing Date: Tue Aug 20 13:52:47 2019 +0800 net: fix __ip_mc_inc_group usage [ Upstream commit a1c4cd67840ef80f6ca5f73326fa9a6719303a95 ] in ip_mc_inc_group, memory allocation flag, not mcast mode, is expected by __ip_mc_inc_group similar issue in __ip_mc_join_group, both mcase mode and gfp_t are needed here, so use ____ip_mc_inc_group(...) Fixes: 9fb20801dab4 ("net: Fix ip_mc_{dec,inc}_group allocation context") Signed-off-by: Li RongQing Signed-off-by: Florian Fainelli Signed-off-by: Zhang Yu Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit a6058b22e17e7445592c8ac3ca58d1242eca3223 Author: Antoine Tenart Date: Wed Aug 21 16:41:23 2019 +0200 net: cpsw: fix NULL pointer exception in the probe error path [ Upstream commit 2d683eaaeeb9d33d23674ae635e0ef1448523d18 ] In certain cases when the probe function fails the error path calls cpsw_remove_dt() before calling platform_set_drvdata(). This is an issue as cpsw_remove_dt() uses platform_get_drvdata() to retrieve the cpsw_common data and leds to a NULL pointer exception. This patches fixes it by calling platform_set_drvdata() earlier in the probe. Fixes: 83a8471ba255 ("net: ethernet: ti: cpsw: refactor probe to group common hw initialization") Reported-by: Maxime Chevallier Signed-off-by: Antoine Tenart Reviewed-by: Grygorii Strashko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c5df65fd6f0650dfb4d878e35348e3a77ec992ea Author: Stefano Brivio Date: Tue Aug 13 00:46:01 2019 +0200 ipv6: Fix return value of ipv6_mc_may_pull() for malformed packets Commit ba5ea614622d ("bridge: simplify ip_mc_check_igmp() and ipv6_mc_check_mld() calls") replaces direct calls to pskb_may_pull() in br_ipv6_multicast_mld2_report() with calls to ipv6_mc_may_pull(), that returns -EINVAL on buffers too short to be valid IPv6 packets, while maintaining the previous handling of the return code. This leads to the direct opposite of the intended effect: if the packet is malformed, -EINVAL evaluates as true, and we'll happily proceed with the processing. Return 0 if the packet is too short, in the same way as this was fixed for IPv4 by commit 083b78a9ed64 ("ip: fix ip_mc_may_pull() return value"). I don't have a reproducer for this, unlike the one referred to by the IPv4 commit, but this is clearly broken. Fixes: ba5ea614622d ("bridge: simplify ip_mc_check_igmp() and ipv6_mc_check_mld() calls") Signed-off-by: Stefano Brivio Acked-by: Guillaume Nault Signed-off-by: David S. 
Miller
    Signed-off-by: Greg Kroah-Hartman

commit dc428ae89cd48b9a8b8b3bad6715bcc66653efe8
Author: Hangbin Liu
Date:   Tue Aug 20 10:19:47 2019 +0800

    ipv6/addrconf: allow adding multicast addr if IFA_F_MCAUTOJOIN is set

    [ Upstream commit f17f7648a49aa6728649ddf79bdbcac4f1970ce4 ]

    In commit 93a714d6b53d ("multicast: Extend ip address command to enable
    multicast group join/leave on") we added a new flag IFA_F_MCAUTOJOIN to
    let users add a multicast address on an Ethernet interface.

    This works for IPv4, but not for IPv6. See the inet6_addr_add code.

    static int inet6_addr_add()
    {
            ...
            if (cfg->ifa_flags & IFA_F_MCAUTOJOIN) {
                    ipv6_mc_config(net->ipv6.mc_autojoin_sk, true...)
            }

            ifp = ipv6_add_addr(idev, cfg, true, extack); <- always fail with maddr
            if (!IS_ERR(ifp)) {
                    ...
            } else if (cfg->ifa_flags & IFA_F_MCAUTOJOIN) {
                    ipv6_mc_config(net->ipv6.mc_autojoin_sk, false...)
            }
    }

    But ipv6_add_addr() checks the address type and rejects multicast
    addresses directly, so this feature has never worked for IPv6.

    We should not remove the multicast address check in ipv6_add_addr()
    entirely, but we can accept a multicast address only when the
    IFA_F_MCAUTOJOIN flag is supplied.

    v2: update commit description

    Fixes: 93a714d6b53d ("multicast: Extend ip address command to enable multicast group join/leave on")
    Reported-by: Jianlin Shi
    Signed-off-by: Hangbin Liu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8903c1ed2c148023c0ff2d03c2a9fa9f763ba401
Author: Lorenzo Bianconi
Date:   Sat Jun 15 16:03:32 2019 +0200

    mt76: usb: fix rx A-MSDU support

    [ Upstream commit 2a92b08b18553c101115423bd34963b1a59a45a3 ]

    Commit f8f527b16db5 ("mt76: usb: use EP max packet aligned buffer sizes
    for rx") breaks A-MSDU support. When A-MSDU is enabled the device can
    receive frames up to q->buf_size but they will be discarded in
    mt76u_process_rx_entry since there is not enough room for
    skb_shared_info.
    Fix the issue by reallocating the skb and copying the first 128B of the
    received frame into the linear area and the remaining part into the
    frag_list.

    Fixes: f8f527b16db5 ("mt76: usb: use EP max packet aligned buffer sizes for rx")
    Signed-off-by: Lorenzo Bianconi
    Signed-off-by: Kalle Valo
    Signed-off-by: Sasha Levin

commit 962d7207f53be320ef7d48cfa167aef4fdceaf46
Author: Tomi Valkeinen
Date:   Mon Jun 10 16:57:38 2019 +0300

    drm/bridge: tfp410: fix memleak in get_modes()

    [ Upstream commit c08f99c39083ab55a9c93b3e93cef48711294dad ]

    We don't free the edid blob allocated by the call to drm_get_edid(),
    causing a memleak. Fix this by calling kfree(edid) at the end of
    get_modes().

    Signed-off-by: Tomi Valkeinen
    Signed-off-by: Andrzej Hajda
    Link: https://patchwork.freedesktop.org/patch/msgid/20190610135739.6077-1-tomi.valkeinen@ti.com
    Signed-off-by: Sasha Levin

commit d4ccc1744b558fbc4a09cec2ce00cc1c414c9d3c
Author: Anders Roxell
Date:   Tue Aug 20 15:41:21 2019 +0200

    selftests/bpf: install files test_xdp_vlan.sh

    [ Upstream commit 3035bb72ee47d494c041465b4add9c6407c832ed ]

    When ./test_xdp_vlan_mode_generic.sh runs it complains that it can't
    find file test_xdp_vlan.sh.

     # selftests: bpf: test_xdp_vlan_mode_generic.sh
     # ./test_xdp_vlan_mode_generic.sh: line 9: ./test_xdp_vlan.sh: No such
       file or directory

    Rework so that test_xdp_vlan.sh gets installed by adding it to the
    variable TEST_PROGS_EXTENDED.

    Fixes: d35661fcf95d ("selftests/bpf: add wrapper scripts for test_xdp_vlan.sh")
    Signed-off-by: Anders Roxell
    Acked-by: Jesper Dangaard Brouer
    Signed-off-by: Daniel Borkmann
    Signed-off-by: Sasha Levin

commit d857dcf1c807ab1bbe2262b03394a522abff96d4
Author: Stefan Wahren
Date:   Wed May 15 19:14:18 2019 +0200

    watchdog: bcm2835_wdt: Fix module autoload

    [ Upstream commit 215e06f0d18d5d653d6ea269e4dfc684854d48bf ]

    The commit 5e6acc3e678e ("bcm2835-pm: Move bcm2835-watchdog's DT probe
    to an MFD.") broke module autoloading on Raspberry Pi. So add a module
    alias to fix this.
    Signed-off-by: Stefan Wahren
    Reviewed-by: Guenter Roeck
    Signed-off-by: Guenter Roeck
    Signed-off-by: Wim Van Sebroeck
    Signed-off-by: Sasha Levin

commit eeb6b4a09695ee4ddc7147918d2e2cccef556ca9
Author: Peter Zijlstra
Date:   Mon Aug 26 10:31:14 2019 -0400

    lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop

    [ Upstream commit 99143f82a255e7f054bead8443462fae76dd829e ]

    While reviewing another read_slowpath patch, both Will and I noticed
    another missing ACQUIRE, namely:

      X = 0;

      CPU0                      CPU1

      rwsem_down_read()
        for (;;) {
          set_current_state(TASK_UNINTERRUPTIBLE);

                                X = 1;
                                rwsem_up_write();
                                  rwsem_mark_wake()
                                    atomic_long_add(adjustment, &sem->count);
                                    smp_store_release(&waiter->task, NULL);

          if (!waiter.task)
            break;

          ...
        }

      r = X;

    Allows 'r == 0'.

    Reported-by: Peter Zijlstra (Intel)
    Reported-by: Will Deacon
    Signed-off-by: Peter Zijlstra (Intel)
    Acked-by: Will Deacon
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Ingo Molnar
    Acked-by: Jan Stancek
    Signed-off-by: Sasha Levin

commit 931424d0781ea980d81c8d848a3a78dd9ed8885b
Author: Jan Stancek
Date:   Mon Aug 26 10:31:13 2019 -0400

    locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty

    [ Upstream commit e1b98fa316648420d0434d9ff5b92ad6609ba6c3 ]

    LTP mtest06 has been observed to occasionally hit "still mapped when
    deleted" and following BUG_ON on arm64.

    The extra mapcount originated from pagefault handler, which handled
    pagefault for vma that has already been detached. vma is detached
    under mmap_sem write lock by detach_vmas_to_be_unmapped(), which
    also invalidates vmacache.

    When the pagefault handler (under mmap_sem read lock) calls
    find_vma(), vmacache_valid() wrongly reports vmacache as valid.
    After rwsem down_read() returns via 'queue empty' path (as of v5.2),
    it does so without an ACQUIRE on sem->count:

      down_read()
        __down_read()
          rwsem_down_read_failed()
            __rwsem_down_read_failed_common()
              raw_spin_lock_irq(&sem->wait_lock);
              if (list_empty(&sem->wait_list)) {
                if (atomic_long_read(&sem->count) >= 0) {
                  raw_spin_unlock_irq(&sem->wait_lock);
                  return sem;

    The problem can be reproduced by running LTP mtest06 in a loop and
    building the kernel (-j $NCPUS) in parallel. It reproduces since
    v4.20 on arm64 HPE Apollo 70 (224 CPUs, 256GB RAM, 2 nodes). It
    triggers reliably in about an hour.

    The patched kernel ran fine for 10+ hours.

    Signed-off-by: Jan Stancek
    Signed-off-by: Peter Zijlstra (Intel)
    Reviewed-by: Will Deacon
    Acked-by: Waiman Long
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Cc: dbueso@suse.de
    Fixes: 4b486b535c33 ("locking/rwsem: Exit read lock slowpath if queue empty & no writer")
    Link: https://lkml.kernel.org/r/50b8914e20d1d62bb2dee42d342836c2c16ebee7.1563438048.git.jstancek@redhat.com
    Signed-off-by: Ingo Molnar
    Acked-by: Jan Stancek
    Signed-off-by: Sasha Levin

commit 5faa01cc2b1fc55ced2103d31fd68a20ce0427ec
Author: Adrian Vladu
Date:   Mon May 6 16:50:58 2019 +0000

    tools: hv: fix KVP and VSS daemons exit code

    [ Upstream commit b0995156071b0ff29a5902964a9dc8cfad6f81c0 ]

    HyperV KVP and VSS daemons should exit with 0 when the '--help'
    or '-h' flags are used.

    Signed-off-by: Adrian Vladu
    Cc: "K. Y. Srinivasan"
    Cc: Haiyang Zhang
    Cc: Stephen Hemminger
    Cc: Sasha Levin
    Cc: Alessandro Pilotti
    Signed-off-by: Sasha Levin

commit b6018c3a79e5e41685927d19ea025e931dd7377d
Author: Adrian Vladu
Date:   Mon May 6 17:27:37 2019 +0000

    tools: hv: fixed Python pep8/flake8 warnings for lsvmbus

    [ Upstream commit 5912e791f3018de0a007c8cfa9cb38c97d3e5f5c ]

    Fixed pep8/flake8 python style code for lsvmbus tool.

    The TAB indentation was on purpose ignored (pep8 rule W191) to make
    sure the code is complying with the Linux code guideline.
    The following commands do not show any warnings now:

      pep8 --ignore=W191 lsvmbus
      flake8 --ignore=W191 lsvmbus

    Signed-off-by: Adrian Vladu
    Cc: "K. Y. Srinivasan"
    Cc: Haiyang Zhang
    Cc: Stephen Hemminger
    Cc: Sasha Levin
    Cc: Dexuan Cui
    Cc: Alessandro Pilotti
    Signed-off-by: Sasha Levin

commit c983df11ed197bdf2fd640e83ac161748501d274
Author: Hans Ulli Kroll
Date:   Sat Aug 10 17:04:58 2019 +0200

    usb: host: fotg2: restart hcd after port reset

    [ Upstream commit 777758888ffe59ef754cc39ab2f275dc277732f4 ]

    On the Gemini SoC the FOTG2 stalls after port reset
    so restart the HCD after each port reset.

    Signed-off-by: Hans Ulli Kroll
    Signed-off-by: Linus Walleij
    Link: https://lore.kernel.org/r/20190810150458.817-1-linus.walleij@linaro.org
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit 5a3db3021b1727b2f037dda53a9a3a6ae353a955
Author: Y.C. Chen
Date:   Wed Apr 11 09:27:39 2018 +0800

    drm/ast: Fixed reboot test may cause system hanged

    [ Upstream commit 05b439711f6ff8700e8660f97a1179650778b9cb ]

    Another thread may still access standard VGA I/O while the drm driver
    is loading. Disable standard VGA I/O decode to avoid this issue.

    Signed-off-by: Y.C. Chen
    Reviewed-by: Benjamin Herrenschmidt
    Signed-off-by: Dave Airlie
    Link: https://patchwork.freedesktop.org/patch/msgid/1523410059-18415-1-git-send-email-yc_chen@aspeedtech.com
    Signed-off-by: Sasha Levin

commit 68fc8f1e9103021ab489dce3732fe3beb814b736
Author: Christian König
Date:   Fri Aug 9 17:27:21 2019 +0200

    drm/scheduler: use job count instead of peek

    [ Upstream commit e1b4ce25dbc93ab0cb8ed0f236a3b9ff7b03802c ]

    The spsc_queue_peek function accesses queue->head, which belongs to
    the consumer thread and shouldn't be accessed by the producer.

    This fixes a rare race condition when destroying entities.
Signed-off-by: Christian König Acked-by: Andrey Grodzovsky Reviewed-by: Monk.liu@amd.com Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 7046212603e0689f9155f70923a5b9e6608eaaeb Author: Wolfram Sang Date: Thu Aug 8 21:54:17 2019 +0200 i2c: emev2: avoid race when unregistering slave client [ Upstream commit d7437fc0d8291181debe032671a289b6bd93f46f ] After we disabled interrupts, there might still be an active one running. Sync before clearing the pointer to the slave device. Fixes: c31d0a00021d ("i2c: emev2: add slave support") Reported-by: Krzysztof Adamski Signed-off-by: Wolfram Sang Reviewed-by: Krzysztof Adamski Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 38869e74c3ac8bcc0300c02b39d4fdc4277353ca Author: Wolfram Sang Date: Thu Aug 8 21:39:10 2019 +0200 i2c: rcar: avoid race when unregistering slave client [ Upstream commit 7b814d852af6944657c2961039f404c4490771c0 ] After we disabled interrupts, there might still be an active one running. Sync before clearing the pointer to the slave device. Fixes: de20d1857dd6 ("i2c: rcar: add slave support") Reported-by: Krzysztof Adamski Signed-off-by: Wolfram Sang Reviewed-by: Krzysztof Adamski Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 6ad482444c981f6dc456ed5e8d856e253049f3fd Author: Paul Walmsley Date: Wed Aug 7 19:07:34 2019 -0700 riscv: fix flush_tlb_range() end address for flush_tlb_page() [ Upstream commit eb93685847a9055283d05951c1b205e737f38533 ] The RISC-V kernel implementation of flush_tlb_page() when CONFIG_SMP is set is wrong. It passes zero to flush_tlb_range() as the final address to flush, but it should be at least 'addr'. Some other Linux architecture ports use the beginning address to flush, plus PAGE_SIZE, as the final address to flush. This might flush slightly more than what's needed, but it seems unlikely that being more clever would improve anything. So let's just take that implementation for now. 
    While here, convert the macro into a static inline function,
    primarily to avoid unintentional multiple evaluations of 'addr'.

    This second version of the patch fixes a coding style issue found by
    Christoph Hellwig.

    Reported-by: Andreas Schwab
    Signed-off-by: Paul Walmsley
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Sasha Levin

commit 325fd0056cc0f6c9d8f5eaa75e64f2d761847764
Author: Will Deacon
Date:   Mon Aug 12 16:02:25 2019 +0100

    arm64: cpufeature: Don't treat granule sizes as strict

    [ Upstream commit 5717fe5ab38f9ccb32718bcb03bea68409c9cce4 ]

    If a CPU doesn't support the page size for which the kernel is
    configured, then we will complain and refuse to bring it online. For
    secondary CPUs (and the boot CPU on a system booting with EFI), we will
    also print an error identifying the mismatch.

    Consequently, the only time that the cpufeature code can detect a
    granule size mismatch is for a granule other than the one that is
    currently being used. Although we would rather such systems didn't
    exist, we've unfortunately lost that battle and Kevin reports that
    on his amlogic S922X (odroid-n2 board) we end up warning and tainting
    with defconfig because 16k pages are not supported by all of the CPUs.

    In such a situation, we don't actually care about the feature mismatch,
    particularly now that KVM only exposes the sanitised view of the CPU
    registers (commit 93390c0a1b20 - "arm64: KVM: Hide unsupported AArch64
    CPU features from guests"). Treat the granule fields as non-strict and
    let Kevin run without a tainted kernel.
Cc: Marc Zyngier Reported-by: Kevin Hilman Tested-by: Kevin Hilman Acked-by: Mark Rutland Acked-by: Suzuki K Poulose Signed-off-by: Will Deacon [catalin.marinas@arm.com: changelog updated with KVM sanitised regs commit] Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 2a7a7ff625cd4121c6d73356243837cb384ff212 Author: Wenwen Wang Date: Sun Aug 11 12:23:22 2019 -0500 xen/blkback: fix memory leaks [ Upstream commit ae78ca3cf3d9e9f914bfcd0bc5c389ff18b9c2e0 ] In read_per_ring_refs(), after 'req' and related memory regions are allocated, xen_blkif_map() is invoked to map the shared frame, irq, and etc. However, if this mapping process fails, no cleanup is performed, leading to memory leaks. To fix this issue, invoke the cleanup before returning the error. Acked-by: Roger Pau Monné Reviewed-by: Boris Ostrovsky Signed-off-by: Wenwen Wang Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 82fcf8a5d8f721b4cb8a04c48f7e45a0e3a49345 Author: Ben Segal Date: Wed Aug 7 13:54:54 2019 +0000 habanalabs: fix device IRQ unmasking for BE host [ Upstream commit b421d83a3947369fd5718824aecfaebe1efbf7ed ] When unmasking IRQs inside the ASIC, the driver passes an array of all the IRQ to unmask. The ASIC's CPU is working in LE so when running in a BE host, the driver needs to do the proper endianness swapping when preparing this array. In addition, this patch also fixes the endianness of a couple of kernel log debug messages that print values of packets Signed-off-by: Ben Segal Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit a1a6c6b4f8d8e74fe62287bc314716b726fde32c Author: Oded Gabbay Date: Thu Aug 8 15:45:58 2019 +0300 habanalabs: fix endianness handling for internal QMAN submission [ Upstream commit b9040c99414ba5b85090595a61abc686a5dbb388 ] The PQs of internal H/W queues (QMANs) can be located in different memory areas for different ASICs. 
Therefore, when writing PQEs, we need to use the correct function according to the location of the PQ. e.g. if the PQ is located in the device's memory (SRAM or DRAM), we need to use memcpy_toio() so it would work in architectures that have separate address ranges for IO memory. This patch makes the code that writes the PQE to be ASIC-specific so we can handle this properly per ASIC. Signed-off-by: Oded Gabbay Tested-by: Ben Segal Signed-off-by: Sasha Levin commit 1900d706b9c4aff70d9d599d327f283e1b5e0f15 Author: Ben Segal Date: Thu Aug 1 23:22:20 2019 +0000 habanalabs: fix completion queue handling when host is BE [ Upstream commit 4e87334a0ef43663019dbaf3638ad10fd8c3320c ] This patch fix the CQ irq handler to work in hosts with BE architecture. It adds the correct endian-swapping macros around the relevant memory accesses. Signed-off-by: Ben Segal Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 79e338d70c868cf8074e54f292214f9b812af0b2 Author: Ben Segal Date: Thu Aug 1 23:20:32 2019 +0000 habanalabs: fix endianness handling for packets from user [ Upstream commit 213ad5ad016a0da975b35f54e8cd236c3b04724b ] Packets that arrive from the user and need to be parsed by the driver are assumed to be in LE format. This patch fix all the places where the code handles these packets and use the correct endianness macros to handle them, as the driver handles the packets in CPU format (LE or BE depending on the arch). Signed-off-by: Ben Segal Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 0a18515cc03f5425f70dfe2f1de91674541b276f Author: Tomer Tayar Date: Sun Aug 4 07:03:41 2019 +0000 habanalabs: fix DRAM usage accounting on context tear down [ Upstream commit c8113756ba27298d6e95403c087dc5881b419a99 ] The patch fix the DRAM usage accounting by adding a missing update of the DRAM memory consumption, when a context is being torn down without an organized release of the allocated memory. 
    Signed-off-by: Tomer Tayar
    Reviewed-by: Oded Gabbay
    Signed-off-by: Oded Gabbay
    Signed-off-by: Sasha Levin

commit c041ddb7569821131954e63e2c5ced0ab297d78a
Author: Benjamin Herrenschmidt
Date:   Fri Jul 26 14:59:04 2019 +1000

    usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt

    [ Upstream commit 4a56a478a525d6427be90753451c40e1327caa1a ]

    If fsg_disable() and fsg_set_alt() are called too closely to each
    other (for example due to a quick reset/reconnect), what can happen
    is that fsg_set_alt sets common->new_fsg from an interrupt while
    handle_exception is trying to process the config change caused by
    fsg_disable():

            fsg_disable()
            ...
            handle_exception()
                    sets state back to FSG_STATE_NORMAL
                    hasn't yet called do_set_interface()
                    or is inside it.

     ---> interrupt
            fsg_set_alt
                    sets common->new_fsg
                    queues a new FSG_STATE_CONFIG_CHANGE
     <---

    Now, the first handle_exception can "see" the updated
    new_fsg, treats it as if it was a fsg_set_alt() response,
    calls usb_composite_setup_continue() etc...

    But then, the thread sees the second FSG_STATE_CONFIG_CHANGE,
    and goes back down the same path, wipes and reattaches a now
    active fsg, and .. calls usb_composite_setup_continue() which
    at this point is wrong.

    Not only do we get a backtrace, but I suspect the second set_interface
    wrecks some state causing the host to get upset in my case.

    This fixes it by replacing "new_fsg" by a "state argument"
    (same principle) which is set in the same lock section as the
    state update, and retrieved similarly.

    That way, there is never any discrepancy between the dequeued
    state and the observed value of it. We keep the ability to have
    the latest reconfig operation take precedence, but we guarantee
    that once "dequeued" the argument (new_fsg) will not be clobbered
    by any new event.
Signed-off-by: Benjamin Herrenschmidt Acked-by: Alan Stern Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 3f1b93b5a45cb6b6757f88f0029b6e59a1c72a4f Author: Benjamin Herrenschmidt Date: Fri Jul 26 14:59:03 2019 +1000 usb: gadget: composite: Clear "suspended" on reset/disconnect [ Upstream commit 602fda17c7356bb7ae98467d93549057481d11dd ] In some cases, one can get out of suspend with a reset or a disconnect followed by a reconnect. Previously we would leave a stale suspended flag set. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 4ab6b15a00ca56ecc1ce372478916a611d369151 Author: Lucas Stach Date: Mon Aug 5 17:51:53 2019 +0200 dma-direct: don't truncate dma_required_mask to bus addressing capabilities [ Upstream commit d8ad55538abe443919e20e0bb996561bca9cad84 ] The dma required_mask needs to reflect the actual addressing capabilities needed to handle the whole system RAM. When truncated down to the bus addressing capabilities dma_addressing_limited() will incorrectly signal no limitations for devices which are restricted by the bus_dma_mask. Fixes: b4ebe6063204 (dma-direct: implement complete bus_dma_mask handling) Signed-off-by: Lucas Stach Tested-by: Atish Patra Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 583c8d3118e00e32b1fe64dc6c442e8f241f9198 Author: Robin Murphy Date: Mon Jul 29 17:46:00 2019 +0100 iommu/dma: Handle SG length overflow better [ Upstream commit ab2cbeb0ed301a9f0460078e91b09f39958212ef ] Since scatterlist dimensions are all unsigned ints, in the relatively rare cases where a device's max_segment_size is set to UINT_MAX, then the "cur_len + s_length <= max_len" check in __finalise_sg() will always return true. As a result, the corner case of such a device mapping an excessively large scatterlist which is mergeable to or beyond a total length of 4GB can lead to overflow and a bogus truncated dma_length in the resulting segment. 
As we already assume that any single segment must be no longer than max_len to begin with, this can easily be addressed by reshuffling the comparison. Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging") Reported-by: Nicolin Chen Tested-by: Nicolin Chen Signed-off-by: Robin Murphy Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 4aab45c37962958fd5263278b26d9861ca2bdc63 Author: Hans Verkuil Date: Fri Aug 9 10:32:40 2019 +0200 omap-dma/omap_vout_vrfb: fix off-by-one fi value [ Upstream commit d555c34338cae844b207564c482e5a3fb089d25e ] The OMAP 4 TRM specifies that when using double-index addressing the address increases by the ES plus the EI value minus 1 within a frame. When a full frame is transferred, the address increases by the ES plus the frame index (FI) value minus 1. The omap-dma code didn't account for the 'minus 1' in the FI register. To get correct addressing, add 1 to the src_icg value. This was found when testing a hacked version of the media m2m-deinterlace.c driver on a Pandaboard. The only other source that uses this feature is omap_vout_vrfb.c, and that adds a + 1 when setting the dst_icg. This is a workaround for the broken omap-dma.c behavior. So remove the workaround at the same time that we fix omap-dma.c. I tested the omap_vout driver with a Beagle XM board to check that the '+ 1' in omap_vout_vrfb.c was indeed a workaround for the omap-dma bug. Signed-off-by: Hans Verkuil Reviewed-by: Laurent Pinchart Acked-by: Peter Ujfalusi Acked-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/952e7f51-f208-9333-6f58-b7ed20d2ea0b@xs4all.nl Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 7ceddea2da13abbd22e5d6956d6edcfb334b1159 Author: Jia-Ju Bai Date: Mon Jul 29 10:08:49 2019 +0800 dmaengine: stm32-mdma: Fix a possible null-pointer dereference in stm32_mdma_irq_handler() [ Upstream commit 39c71a5b8212f4b502d9a630c6706ac723abd422 ] In stm32_mdma_irq_handler(), chan is checked on line 1368. 
When chan is NULL, it is still used on line 1369: dev_err(chan2dev(chan), "MDMA channel not initialized\n"); Thus, a possible null-pointer dereference may occur. To fix this bug, "dev_dbg(mdma2dev(dmadev), ...)" is used instead. Signed-off-by: Jia-Ju Bai Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver") Link: https://lore.kernel.org/r/20190729020849.17971-1-baijiaju1990@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a4a200842e83d125e20122f35742d98b31bb9106 Author: Yishai Hadas Date: Mon Aug 5 11:30:10 2019 +0300 IB/mlx5: Fix implicit MR release flow [ Upstream commit f591822c3cf314442819486f45ff7dc1f690e0c0 ] Once implicit MR is being called to be released by ib_umem_notifier_release() its leaves were marked as "dying". However, when dereg_mr()->mlx5_ib_free_implicit_mr()->mr_leaf_free() is called, it skips running the mr_leaf_free_action (i.e. umem_odp->work) when those leaves were marked as "dying". As such ib_umem_release() for the leaves won't be called and their MRs will be leaked as well. When an application exits/killed without calling dereg_mr we might hit the above flow. This fatal scenario is reported by WARN_ON() upon mlx5_ib_dealloc_ucontext() as ibcontext->per_mm_list is not empty, the call trace can be seen below. Originally the "dying" mark as part of ib_umem_notifier_release() was introduced to prevent pagefault_mr() from returning a success response once this happened. However, we already have today the completion mechanism so no need for that in those flows any more. Even in case a success response will be returned the firmware will not find the pages and an error will be returned in the following call as a released mm will cause ib_umem_odp_map_dma_pages() to permanently fail mmget_not_zero(). Fix the above issue by dropping the "dying" from the above flows. The other flows that are using "dying" are still needed it for their synchronization purposes. 
WARNING: CPU: 1 PID: 7218 at drivers/infiniband/hw/mlx5/main.c:2004 mlx5_ib_dealloc_ucontext+0x84/0x90 [mlx5_ib] CPU: 1 PID: 7218 Comm: ibv_rc_pingpong Tainted: G E 5.2.0-rc6+ #13 Call Trace: uverbs_destroy_ufile_hw+0xb5/0x120 [ib_uverbs] ib_uverbs_close+0x1f/0x80 [ib_uverbs] __fput+0xbe/0x250 task_work_run+0x88/0xa0 do_exit+0x2cb/0xc30 ? __fput+0x14b/0x250 do_group_exit+0x39/0xb0 get_signal+0x191/0x920 ? _raw_spin_unlock_bh+0xa/0x20 ? inet_csk_accept+0x229/0x2f0 do_signal+0x36/0x5e0 ? put_unused_fd+0x5b/0x70 ? __sys_accept4+0x1a6/0x1e0 ? inet_hash+0x35/0x40 ? release_sock+0x43/0x90 ? _raw_spin_unlock_bh+0xa/0x20 ? inet_listen+0x9f/0x120 exit_to_usermode_loop+0x5c/0xc6 do_syscall_64+0x182/0x1b0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 81713d3788d2 ("IB/mlx5: Add implicit MR support") Link: https://lore.kernel.org/r/20190805083010.21777-1-leon@kernel.org Signed-off-by: Yishai Hadas Reviewed-by: Artemy Kovalyov Signed-off-by: Leon Romanovsky Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a8bd4c018836bb3ecff3afe7faa642f26494aaea Author: Qu Wenruo Date: Tue May 28 16:21:54 2019 +0800 btrfs: trim: Check the range passed into to prevent overflow [ Upstream commit 07301df7d2fc220d3de5f7ad804dcb941400cb00 ] Normally the range->len is set to default value (U64_MAX), but when it's not default value, we should check if the range overflows. And if it overflows, return -EINVAL before doing anything. Reviewed-by: Nikolay Borisov Reviewed-by: Anand Jain Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit c1b16e1427f41c3588a97154a27cf4d34b6f0ece Author: zhengbin Date: Mon Jul 8 20:42:18 2019 +0800 auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach [ Upstream commit b33d567560c1aadf3033290d74d4fd67af47aa61 ] In panel_attach, if misc_register fails, we need to delete scan_timer, which was setup in keypad_init->init_scan_timer. 
Reported-by: Hulk Robot Signed-off-by: zhengbin Signed-off-by: Miguel Ojeda Signed-off-by: Sasha Levin commit ceac72e0a8cc98fbfcba3ed58b9539a6be541e5e Author: Pierre-Louis Bossart Date: Thu Jul 25 18:40:06 2019 -0500 soundwire: cadence_master: fix definitions for INTSTAT0/1 [ Upstream commit 664b16589f882202b8fa8149d0074f3159bade76 ] Two off-by-one errors: INTSTAT0 missed BIT(31) and INTSTAT1 is only defined on first 16 bits. Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20190725234032.21152-15-pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 50b59bb1043bfd877b688cb3617f05b10ac0b177 Author: Pierre-Louis Bossart Date: Thu Jul 25 18:40:05 2019 -0500 soundwire: cadence_master: fix register definition for SLAVE_STATE [ Upstream commit b07dd9b400981f487940a4d84292d3a0e7cd9362 ] wrong prefix and wrong macro. Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20190725234032.21152-14-pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c88a50ced6de8188725681ed70abe7f0b0133c94 Author: Keith Busch Date: Mon Jul 29 16:34:52 2019 -0600 nvme-pci: Fix async probe remove race [ Upstream commit bd46a90634302bfe791e93ad5496f98f165f7ae0 ] Ensure the controller is not in the NEW state when nvme_probe() exits. This will always allow a subsequent nvme_remove() to set the state to DELETING, fixing a potential race between the initial asynchronous probe and device removal. Reported-by: Li Zhong Reviewed-by: Sagi Grimberg Signed-off-by: Keith Busch Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit 9dd8dc3d8a798188a2274de8fe24876ab15e28c8 Author: Sagi Grimberg Date: Thu Jul 25 11:56:57 2019 -0700 nvme: fix controller removal race with scan work [ Upstream commit 0157ec8dad3c8fc9bc9790f76e0831ffdaf2e7f0 ] With multipath enabled, nvme_scan_work() can read from the device (through nvme_mpath_add_disk()) and hang [1]. 
However, with fabrics, once ctrl->state is set to NVME_CTRL_DELETING, the reads will hang (see nvmf_check_ready()) and the mpath stack device make_request will block if head->list is not empty. However, when the head->list consistst of only DELETING/DEAD controllers, we should actually not block, but rather fail immediately. In addition, before we go ahead and remove the namespaces, make sure to clear the current path and kick the requeue list so that the request will fast fail upon requeuing. [1]: -- INFO: task kworker/u4:3:166 blocked for more than 120 seconds. Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/u4:3 D 0 166 2 0x80004000 Workqueue: nvme-wq nvme_scan_work Call Trace: __schedule+0x851/0x1400 schedule+0x99/0x210 io_schedule+0x21/0x70 do_read_cache_page+0xa57/0x1330 read_cache_page+0x4a/0x70 read_dev_sector+0xbf/0x380 amiga_partition+0xc4/0x1230 check_partition+0x30f/0x630 rescan_partitions+0x19a/0x980 __blkdev_get+0x85a/0x12f0 blkdev_get+0x2a5/0x790 __device_add_disk+0xe25/0x1250 device_add_disk+0x13/0x20 nvme_mpath_set_live+0x172/0x2b0 nvme_update_ns_ana_state+0x130/0x180 nvme_set_ns_ana_state+0x9a/0xb0 nvme_parse_ana_log+0x1c3/0x4a0 nvme_mpath_add_disk+0x157/0x290 nvme_validate_ns+0x1017/0x1bd0 nvme_scan_work+0x44d/0x6a0 process_one_work+0x7d7/0x1240 worker_thread+0x8e/0xff0 kthread+0x2c3/0x3b0 ret_from_fork+0x35/0x40 INFO: task kworker/u4:1:1034 blocked for more than 120 seconds. Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
kworker/u4:1 D 0 1034 2 0x80004000 Workqueue: nvme-delete-wq nvme_delete_ctrl_work Call Trace: __schedule+0x851/0x1400 schedule+0x99/0x210 schedule_timeout+0x390/0x830 wait_for_completion+0x1a7/0x310 __flush_work+0x241/0x5d0 flush_work+0x10/0x20 nvme_remove_namespaces+0x85/0x3d0 nvme_do_delete_ctrl+0xb4/0x1e0 nvme_delete_ctrl_work+0x15/0x20 process_one_work+0x7d7/0x1240 worker_thread+0x8e/0xff0 kthread+0x2c3/0x3b0 ret_from_fork+0x35/0x40 -- Reported-by: Logan Gunthorpe Tested-by: Logan Gunthorpe Reviewed-by: Logan Gunthorpe Reviewed-by: Ming Lei Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit be2e81d1d8d4311101318edf31483b6a198b4bd0 Author: Sagi Grimberg Date: Fri Jul 26 10:29:49 2019 -0700 nvme-rdma: fix possible use-after-free in connect error flow [ Upstream commit d94211b8bad3787e0655a67284105f57db728cb1 ] When start_queue fails, we need to make sure to drain the queue cq before freeing the rdma resources because we might still race with the completion path. Have start_queue() error path safely stop the queue. -- [30371.808111] nvme nvme1: Failed reconnect attempt 11 [30371.808113] nvme nvme1: Reconnecting in 10 seconds... [...] [30382.069315] nvme nvme1: creating 4 I/O queues. [30382.257058] nvme nvme1: Connect Invalid SQE Parameter, qid 4 [30382.257061] nvme nvme1: failed to connect queue: 4 ret=386 [30382.305001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 [30382.305022] IP: qedr_poll_cq+0x8a3/0x1170 [qedr] [30382.305028] PGD 0 P4D 0 [30382.305037] Oops: 0000 [#1] SMP PTI [...] [30382.305153] Call Trace: [30382.305166] ? __switch_to_asm+0x34/0x70 [30382.305187] __ib_process_cq+0x56/0xd0 [ib_core] [30382.305201] ib_poll_handler+0x26/0x70 [ib_core] [30382.305213] irq_poll_softirq+0x88/0x110 [30382.305223] ? sort_range+0x20/0x20 [30382.305232] __do_softirq+0xde/0x2c6 [30382.305241] ? 
sort_range+0x20/0x20 [30382.305249] run_ksoftirqd+0x1c/0x60 [30382.305258] smpboot_thread_fn+0xef/0x160 [30382.305265] kthread+0x113/0x130 [30382.305273] ? kthread_create_worker_on_cpu+0x50/0x50 [30382.305281] ret_from_fork+0x35/0x40 -- Reported-by: Nicolas Morey-Chaisemartin Reviewed-by: Max Gurtovoy Reviewed-by: Hannes Reinecke Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit f3b4b4440a0c53ac0b478463609a46e3fa2e2e56 Author: Sagi Grimberg Date: Wed Jul 31 11:00:26 2019 -0700 nvme: fix a possible deadlock when passthru commands sent to a multipath device [ Upstream commit b9156daeb1601d69007b7e50efcf89d69d72ec1d ] When the user issues a command with side effects, we will end up freezing the namespace request queue when updating disk info (and the same for the corresponding mpath disk node). However, we are not freezing the mpath node request queue, which means that mpath I/O can still come in and block on blk_queue_enter (called from nvme_ns_head_make_request -> direct_make_request). This is a deadlock, because blk_queue_enter will block until the inner namespace request queue is unfrozen, but that process is blocked because the namespace revalidation is trying to update the mpath disk info and freeze its request queue (which will never complete because of the I/O that is blocked on blk_queue_enter). Fix this by freezing all the subsystem nsheads request queues before executing the passthru command. Given that these commands are infrequent we should not worry about this temporary I/O freeze to keep things sane. Here are the matching hang traces: -- [ 374.465002] INFO: task systemd-udevd:17994 blocked for more than 122 seconds. [ 374.472975] Not tainted 5.2.0-rc3-mpdebug+ #42 [ 374.478522] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
[ 374.487274] systemd-udevd D 0 17994 1 0x00000000 [ 374.493407] Call Trace: [ 374.496145] __schedule+0x2ef/0x620 [ 374.500047] schedule+0x38/0xa0 [ 374.503569] blk_queue_enter+0x139/0x220 [ 374.507959] ? remove_wait_queue+0x60/0x60 [ 374.512540] direct_make_request+0x60/0x130 [ 374.517219] nvme_ns_head_make_request+0x11d/0x420 [nvme_core] [ 374.523740] ? generic_make_request_checks+0x307/0x6f0 [ 374.529484] generic_make_request+0x10d/0x2e0 [ 374.534356] submit_bio+0x75/0x140 [ 374.538163] ? guard_bio_eod+0x32/0xe0 [ 374.542361] submit_bh_wbc+0x171/0x1b0 [ 374.546553] block_read_full_page+0x1ed/0x330 [ 374.551426] ? check_disk_change+0x70/0x70 [ 374.556008] ? scan_shadow_nodes+0x30/0x30 [ 374.560588] blkdev_readpage+0x18/0x20 [ 374.564783] do_read_cache_page+0x301/0x860 [ 374.569463] ? blkdev_writepages+0x10/0x10 [ 374.574037] ? prep_new_page+0x88/0x130 [ 374.578329] ? get_page_from_freelist+0xa2f/0x1280 [ 374.583688] ? __alloc_pages_nodemask+0x179/0x320 [ 374.588947] read_cache_page+0x12/0x20 [ 374.593142] read_dev_sector+0x2d/0xd0 [ 374.597337] read_lba+0x104/0x1f0 [ 374.601046] find_valid_gpt+0xfa/0x720 [ 374.605243] ? string_nocheck+0x58/0x70 [ 374.609534] ? find_valid_gpt+0x720/0x720 [ 374.614016] efi_partition+0x89/0x430 [ 374.618113] ? string+0x48/0x60 [ 374.621632] ? snprintf+0x49/0x70 [ 374.625339] ? find_valid_gpt+0x720/0x720 [ 374.629828] check_partition+0x116/0x210 [ 374.634214] rescan_partitions+0xb6/0x360 [ 374.638699] __blkdev_reread_part+0x64/0x70 [ 374.643377] blkdev_reread_part+0x23/0x40 [ 374.647860] blkdev_ioctl+0x48c/0x990 [ 374.651956] block_ioctl+0x41/0x50 [ 374.655766] do_vfs_ioctl+0xa7/0x600 [ 374.659766] ? locks_lock_inode_wait+0xb1/0x150 [ 374.664832] ksys_ioctl+0x67/0x90 [ 374.668539] __x64_sys_ioctl+0x1a/0x20 [ 374.672732] do_syscall_64+0x5a/0x1c0 [ 374.676828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 374.738474] INFO: task nvmeadm:49141 blocked for more than 123 seconds. 
[ 374.745871] Not tainted 5.2.0-rc3-mpdebug+ #42 [ 374.751419] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 374.760170] nvmeadm D 0 49141 36333 0x00004080 [ 374.766301] Call Trace: [ 374.769038] __schedule+0x2ef/0x620 [ 374.772939] schedule+0x38/0xa0 [ 374.776452] blk_mq_freeze_queue_wait+0x59/0x100 [ 374.781614] ? remove_wait_queue+0x60/0x60 [ 374.786192] blk_mq_freeze_queue+0x1a/0x20 [ 374.790773] nvme_update_disk_info.isra.57+0x5f/0x350 [nvme_core] [ 374.797582] ? nvme_identify_ns.isra.50+0x71/0xc0 [nvme_core] [ 374.804006] __nvme_revalidate_disk+0xe5/0x110 [nvme_core] [ 374.810139] nvme_revalidate_disk+0xa6/0x120 [nvme_core] [ 374.816078] ? nvme_submit_user_cmd+0x11e/0x320 [nvme_core] [ 374.822299] nvme_user_cmd+0x264/0x370 [nvme_core] [ 374.827661] nvme_dev_ioctl+0x112/0x1d0 [nvme_core] [ 374.833114] do_vfs_ioctl+0xa7/0x600 [ 374.837117] ? __audit_syscall_entry+0xdd/0x130 [ 374.842184] ksys_ioctl+0x67/0x90 [ 374.845891] __x64_sys_ioctl+0x1a/0x20 [ 374.850082] do_syscall_64+0x5a/0x1c0 [ 374.854178] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -- Reported-by: James Puthukattukaran Tested-by: James Puthukattukaran Reviewed-by: Keith Busch Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit d067f76d200912f484d5694ce2005bfb63649a08 Author: Logan Gunthorpe Date: Wed Jul 31 17:35:34 2019 -0600 nvme-core: Fix extra device_put() call on error path [ Upstream commit 8c36e66fb407ce076535a7db98ab9f6d720b866a ] In the error path for nvme_init_subsystem(), nvme_put_subsystem() will call device_put(), but it will get called again after the mutex_unlock(). The device_put() only needs to be called if device_add() fails. 
This bug caused a KASAN use-after-free error when adding and removing subsystems in a loop: BUG: KASAN: use-after-free in device_del+0x8d9/0x9a0 Read of size 8 at addr ffff8883cdaf7120 by task multipathd/329 CPU: 0 PID: 329 Comm: multipathd Not tainted 5.2.0-rc6-vmlocalyes-00019-g70a2b39005fd-dirty #314 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: dump_stack+0x7b/0xb5 print_address_description+0x6f/0x280 ? device_del+0x8d9/0x9a0 __kasan_report+0x148/0x199 ? device_del+0x8d9/0x9a0 ? class_release+0x100/0x130 ? device_del+0x8d9/0x9a0 kasan_report+0x12/0x20 __asan_report_load8_noabort+0x14/0x20 device_del+0x8d9/0x9a0 ? device_platform_notify+0x70/0x70 nvme_destroy_subsystem+0xf9/0x150 nvme_free_ctrl+0x280/0x3a0 device_release+0x72/0x1d0 kobject_put+0x144/0x410 put_device+0x13/0x20 nvme_free_ns+0xc4/0x100 nvme_release+0xb3/0xe0 __blkdev_put+0x549/0x6e0 ? kasan_check_write+0x14/0x20 ? bd_set_size+0xb0/0xb0 ? kasan_check_write+0x14/0x20 ? mutex_lock+0x8f/0xe0 ? __mutex_lock_slowpath+0x20/0x20 ? locks_remove_file+0x239/0x370 blkdev_put+0x72/0x2c0 blkdev_close+0x8d/0xd0 __fput+0x256/0x770 ? _raw_read_lock_irq+0x40/0x40 ____fput+0xe/0x10 task_work_run+0x10c/0x180 ? filp_close+0xf7/0x140 exit_to_usermode_loop+0x151/0x170 do_syscall_64+0x240/0x2e0 ? 
prepare_exit_to_usermode+0xd5/0x190 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5a79af05d7 Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 3f c3 66 0f 1f 44 00 00 53 89 fb 48 83 ec 10 e8 c4 fb ff ff 89 df 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2b 89 d7 89 44 24 0c e8 06 fc ff ff 8b 44 24 RSP: 002b:00007f5a7799c810 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00007f5a79af05d7 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008 RBP: 00007f5a58000f98 R08: 0000000000000002 R09: 00007f5a7935ee80 R10: 0000000000000000 R11: 0000000000000293 R12: 000055e432447240 R13: 0000000000000000 R14: 0000000000000001 R15: 000055e4324a9cf0 Allocated by task 1236: save_stack+0x21/0x80 __kasan_kmalloc.constprop.6+0xab/0xe0 kasan_kmalloc+0x9/0x10 kmem_cache_alloc_trace+0x102/0x210 nvme_init_identify+0x13c3/0x3820 nvme_loop_configure_admin_queue+0x4fa/0x5e0 nvme_loop_create_ctrl+0x469/0xf40 nvmf_dev_write+0x19a3/0x21ab __vfs_write+0x66/0x120 vfs_write+0x154/0x490 ksys_write+0x104/0x240 __x64_sys_write+0x73/0xb0 do_syscall_64+0xa5/0x2e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 329: save_stack+0x21/0x80 __kasan_slab_free+0x129/0x190 kasan_slab_free+0xe/0x10 kfree+0xa7/0x200 nvme_release_subsystem+0x49/0x60 device_release+0x72/0x1d0 kobject_put+0x144/0x410 put_device+0x13/0x20 klist_class_dev_put+0x31/0x40 klist_put+0x8f/0xf0 klist_del+0xe/0x10 device_del+0x3a7/0x9a0 nvme_destroy_subsystem+0xf9/0x150 nvme_free_ctrl+0x280/0x3a0 device_release+0x72/0x1d0 kobject_put+0x144/0x410 put_device+0x13/0x20 nvme_free_ns+0xc4/0x100 nvme_release+0xb3/0xe0 __blkdev_put+0x549/0x6e0 blkdev_put+0x72/0x2c0 blkdev_close+0x8d/0xd0 __fput+0x256/0x770 ____fput+0xe/0x10 task_work_run+0x10c/0x180 exit_to_usermode_loop+0x151/0x170 do_syscall_64+0x240/0x2e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 32fd90c40768 ("nvme: change locking for the per-subsystem controller list") Signed-off-by: Logan Gunthorpe Reviewed-by: Sagi 
Grimberg Reviewed-by : Chaitanya Kulkarni Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit a7b13f9b376d37198c42cc0c67add071a7c0e91a Author: Logan Gunthorpe Date: Wed Jul 31 17:35:33 2019 -0600 nvmet-file: fix nvmet_file_flush() always returning an error [ Upstream commit cfc1a1af56200362d1508b82b9a3cc3acb2eae0c ] Presently, nvmet_file_flush() always returns a call to errno_to_nvme_status() but that helper doesn't take into account the case when errno=0. So nvmet_file_flush() always returns an error code. All other callers of errno_to_nvme_status() check for success before calling it. To fix this, ensure errno_to_nvme_status() returns success if the errno is zero. This should prevent future mistakes like this from happening. Fixes: c6aa3542e010 ("nvmet: add error log support for file backend") Signed-off-by: Logan Gunthorpe Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit 938f8292e9ef1ed1ba46965d0e75f160a91b76b5 Author: Logan Gunthorpe Date: Wed Jul 31 17:35:32 2019 -0600 nvmet-loop: Flush nvme_delete_wq when removing the port [ Upstream commit 86b9a63e595ff03f9d0a7b92b6acc231fecefc29 ] After calling nvme_loop_delete_ctrl(), the controllers will not yet be deleted because nvme_delete_ctrl() only schedules work to do the delete. This means a race can occur if a port is removed but there are still active controllers trying to access that memory. To fix this, flush the nvme_delete_wq before returning from nvme_loop_remove_port() so that any controllers that might be in the process of being deleted won't access a freed port. 
Signed-off-by: Logan Gunthorpe Reviewed-by: Sagi Grimberg Reviewed-by: Max Gurtovoy Reviewed-by : Chaitanya Kulkarni Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit 19620ce482fccce4426459dd12ff22c1227b6097 Author: Logan Gunthorpe Date: Wed Jul 31 17:35:31 2019 -0600 nvmet: Fix use-after-free bug when a port is removed [ Upstream commit 3aed86731ee2b23e4dc4d2c6d943d33992cd551b ] When a port is removed through configfs, any connected controllers are still active and can still send commands. This causes a use-after-free bug which is detected by KASAN for any admin command that dereferences req->port (like in nvmet_execute_identify_ctrl). To fix this, disconnect all active controllers when a subsystem is removed from a port. This ensures there are no active controllers when the port is eventually removed. Signed-off-by: Logan Gunthorpe Reviewed-by: Sagi Grimberg Reviewed-by: Max Gurtovoy Reviewed-by : Chaitanya Kulkarni Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit a40201a850a833a22cce87c398db35e32dde4a59 Author: David Howells Date: Tue Jul 30 14:38:52 2019 +0100 afs: Fix missing dentry data version updating [ Upstream commit 9dd0b82ef530cdfe805c9f7079c99e104be59a14 ] In the in-kernel afs filesystem, the d_fsdata dentry field is used to hold the data version of the parent directory when it was created or when d_revalidate() last caused it to be updated. This is compared to the ->invalid_before field in the directory inode, rather than the actual data version number, thereby allowing changes due to local edits to be ignored. Only if the server data version gets bumped unexpectedly (eg. by a competing client), do we need to revalidate stuff. However, the d_fsdata field should also be updated if an rpc op is performed that modifies that particular dentry. Such ops return the revised data version of the directory(ies) involved, so we should use that. 
This is particularly problematic for rename, since a dentry from one directory may be moved directly into another directory (ie. mv a/x b/x). It would then be sporting the wrong data version - and if this is in the future, for the destination directory, revalidations would be missed, leading to foreign renames and hard-link deletion being missed. Fix this by the following means: (1) Return the data version number from operations that read the directory contents - if they issue the read. This starts in afs_dir_iterate() and is used, ignored or passed back by its callers. (2) In afs_lookup*(), set the dentry version to the version returned by (1) before d_splice_alias() is called and the dentry published. (3) In afs_d_revalidate(), set the dentry version to that returned from (1) if an rpc call was issued. This means that if a parallel procedure, such as mkdir(), modifies the directory, we won't accidentally use the data version from that. (4) In afs_{mkdir,create,link,symlink}(), set the new dentry's version to the directory data version before d_instantiate() is called. (5) In afs_{rmdir,unlink}, update the target dentry's version to the directory data version as soon as we've updated the directory inode. (6) In afs_rename(), we need to unhash the old dentry before we start so that we don't get afs_d_revalidate() reverting the version change in cross-directory renames. We then need to set both the old and the new dentry versions to the data version of the new directory before we call d_move() as d_move() will rehash them. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: David Howells Signed-off-by: Sasha Levin commit fb64ee1826567d08e443757314f8e63da7c15f96 Author: David Howells Date: Tue Jul 30 14:38:51 2019 +0100 afs: Only update d_fsdata if different in afs_d_revalidate() [ Upstream commit 5dc84855b0fc7e1db182b55c5564fd539d6eff92 ] In the in-kernel afs filesystem, d_fsdata is set with the data version of the parent directory. 
afs_d_revalidate() will update this to the current directory version, but it shouldn't do this if the value it read from d_fsdata is already the same, as no lock is held and cmpxchg() is not used. Fix the code to only change the value if it is different from the current directory version. Fixes: 260a980317da ("[AFS]: Add "directory write" support.") Signed-off-by: David Howells Signed-off-by: Sasha Levin commit b4988bb9011472ccc117102d2a95a3af9d6ef444 Author: David Howells Date: Tue Jul 30 14:38:51 2019 +0100 afs: Fix off-by-one in afs_rename() expected data version calculation [ Upstream commit 37c0bbb3326674940e657118306ac52364314523 ] When afs_rename() calculates the expected data version of the target directory in a cross-directory rename, it doesn't increment it as it should, so it always thinks that the target inode is unexpectedly modified on the server. Fixes: a58823ac4589 ("afs: Fix application of status and callback to be under same lock") Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 768edf3604b64af3f3aca283cdb90dfe1385ee79 Author: Jia-Ju Bai Date: Tue Jul 30 14:38:51 2019 +0100 fs: afs: Fix a possible null-pointer dereference in afs_put_read() [ Upstream commit a6eed4ab5dd4bfb696c1a3f49742b8d1846a66a0 ] In afs_read_dir(), there is an if statement on line 255 to check whether req->pages is NULL: if (!req->pages) goto error; If req->pages is NULL, afs_put_read() on line 337 is executed. In afs_put_read(), req->pages[i] is used on line 195. Thus, a possible null-pointer dereference may occur in this case. To fix this possible bug, an if statement is added in afs_put_read() to check req->pages. This bug was found by STCheck, a static analysis tool written by us. 
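The guard described for afs_put_read() can be illustrated with a minimal userspace sketch. This is not the kernel code: struct read_req and put_read() are hypothetical stand-ins, the reference count is a plain int rather than an atomic, and malloc()/free() replace page handling. It only shows the shape of the fix, namely checking the array pointer before indexing it on the release path.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for a read request; not struct afs_read. */
struct read_req {
	int usage;             /* reference count (non-atomic in this sketch) */
	unsigned int nr_pages; /* number of slots in pages[] */
	void **pages;          /* NULL if the array allocation failed */
};

/* Drop one reference. Returns 1 if the request was freed, 0 otherwise. */
static int put_read(struct read_req *req)
{
	unsigned int i;

	assert(req->usage > 0);
	if (--req->usage > 0)
		return 0;

	/* The error path can get here before pages[] was ever allocated. */
	if (req->pages) {
		for (i = 0; i < req->nr_pages; i++)
			free(req->pages[i]); /* free(NULL) is a no-op */
		free(req->pages);
	}
	free(req);
	return 1;
}
```

Without the `if (req->pages)` test, a request whose array allocation failed would be dereferenced in the loop as soon as nr_pages is non-zero.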
Fixes: f3ddee8dc4e2 ("afs: Fix directory handling") Signed-off-by: Jia-Ju Bai Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 3bde518dd5f132a71c07691af7c3f08a318b4d8d Author: Marc Dionne Date: Tue Jul 30 14:38:51 2019 +0100 afs: Fix loop index mixup in afs_deliver_vl_get_entry_by_name_u() [ Upstream commit 4a46fdba449a5cd890271df5a9e23927d519ed00 ] afs_deliver_vl_get_entry_by_name_u() scans through the vl entry received from the volume location server and builds a return list containing the sites that are currently valid. When assigning values for the return list, the index into the vl entry (i) is used rather than the one for the new list (entry->nr_server). If all sites are usable, this works out fine as the indices will match. If some sites are not valid, for example if AFS_VLSF_DONTUSE is set, fs_mask and the uuid will be set for the wrong return site. Fix this by using entry->nr_server as the index into the arrays being filled in rather than i. This can lead to EDESTADDRREQ errors if none of the returned sites have a valid fs_mask. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Jeffrey Altman Signed-off-by: Sasha Levin commit 3e5fa7f20b765a310b8571f43168e52aa7b9ff0d Author: David Howells Date: Tue Jul 30 14:38:51 2019 +0100 afs: Fix the CB.ProbeUuid service handler to reply correctly [ Upstream commit 2067b2b3f4846402a040286135f98f46f8919939 ] Fix the service handler function for the CB.ProbeUuid RPC call so that it replies in the correct manner - that is an empty reply for success and an abort of 1 for failure. 
Putting 0 or 1 in an integer in the body of the reply should result in the fileserver throwing an RX_PROTOCOL_ERROR abort and discarding its record of the client; older servers, however, don't necessarily check that all the data got consumed, and so might incorrectly think that they got a positive response and associate the client with the wrong host record. If the client is incorrectly associated, this will result in callbacks intended for a different client being delivered to this one and then, when the other client connects and responds positively, all of the callback promises meant for the client that issued the improper response will be lost and it won't receive any further change notifications. Fixes: 9396d496d745 ("afs: support the CB.ProbeUuid RPC op") Signed-off-by: David Howells Reviewed-by: Jeffrey Altman Signed-off-by: Sasha Levin commit f902c873cb0f56e07b59b731a891dc61d462a626 Author: Anthony Iliopoulos Date: Mon Jul 29 14:40:40 2019 +0200 nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns [ Upstream commit fab7772bfbcfe8fb8e3e352a6a8fcaf044cded17 ] When CONFIG_NVME_MULTIPATH is set, only the hidden gendisk associated with the per-controller ns is run through revalidate_disk when a rescan is triggered, while the visible blockdev never gets its size (bdev->bd_inode->i_size) updated to reflect any capacity changes that may have occurred. This prevents online resizing of nvme block devices and, by extension, of any filesystems on top of them, which are unable to expand while mounted, as userspace relies on the blockdev size for obtaining the disk capacity (via BLKGETSIZE/64 ioctls). Fix this by explicitly revalidating the actual namespace gendisk in addition to the per-controller gendisk, when multipath is enabled. 
Signed-off-by: Anthony Iliopoulos Reviewed-by: Sagi Grimberg Reviewed-by: Johannes Thumshirn Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 76c2a562a19378a68239d3bf9c1c433e201a5d65 Author: Arnd Bergmann Date: Fri Jul 12 11:13:30 2019 +0200 dmaengine: ste_dma40: fix unneeded variable warning [ Upstream commit 5d6fb560729a5d5554e23db8d00eb57cd0021083 ] clang-9 points out that there are two variables that depending on the configuration may only be used in an ARRAY_SIZE() expression but not referenced: drivers/dma/ste_dma40.c:145:12: error: variable 'd40_backup_regs' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] static u32 d40_backup_regs[] = { ^ drivers/dma/ste_dma40.c:214:12: error: variable 'd40_backup_regs_chan' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] static u32 d40_backup_regs_chan[] = { Mark these __maybe_unused to shut up the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/20190712091357.744515-1-arnd@arndb.de Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c3915fe1bf1235dbf3b0bced734c960202915bd5 Author: Greg Kroah-Hartman Date: Thu Aug 29 08:30:28 2019 +0200 Linux 5.2.11 commit 85a55331d9aeb1f91ef71620be92ab52c72e8acd Author: David Howells Date: Fri Aug 9 22:47:47 2019 +0100 rxrpc: Fix local refcounting [ Upstream commit 68553f1a6f746bf860bce3eb42d78c26a717d9c0 ] Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called on an unbound socket on which rx->local is not yet set. The following reproducer (includes omitted): int main(void) { socket(AF_RXRPC, SOCK_DGRAM, AF_INET); return 0; } causes the following oops to occur: BUG: kernel NULL pointer dereference, address: 0000000000000010 ... RIP: 0010:rxrpc_unuse_local+0x8/0x1b ... 
Call Trace: rxrpc_release+0x2b5/0x338 __sock_release+0x37/0xa1 sock_close+0x14/0x17 __fput+0x115/0x1e9 task_work_run+0x72/0x98 do_exit+0x51b/0xa7a ? __context_tracking_exit+0x4e/0x10e do_group_exit+0xab/0xab __x64_sys_exit_group+0x14/0x17 do_syscall_64+0x89/0x1d4 entry_SYSCALL_64_after_hwframe+0x49/0xbe Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") Signed-off-by: David Howells cc: Jeffrey Altman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fa321a9ce5992f2ba336c5bf032e874e7b81b0b2 Author: David Howells Date: Mon Aug 12 23:30:06 2019 +0100 rxrpc: Fix local endpoint replacement [ Upstream commit b00df840fb4004b7087940ac5f68801562d0d2de ] When a local endpoint (struct rxrpc_local) ceases to be in use by any AF_RXRPC sockets, it starts the process of being destroyed, but this doesn't cause it to be removed from the namespace endpoint list immediately as tearing it down isn't trivial and can't be done in softirq context, so it gets deferred. If a new socket comes along that wants to bind to the same endpoint, a new rxrpc_local object will be allocated and rxrpc_lookup_local() will use list_replace() to substitute the new one for the old. Then, when the dying object gets to rxrpc_local_destroyer(), it is removed unconditionally from whatever list it is on by calling list_del_init(). However, list_replace() doesn't reset the pointers in the replaced list_head and so the list_del_init() will likely corrupt the local endpoints list. Fix this by using list_replace_init() instead. Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") Reported-by: syzbot+193e29e9387ea5837f1d@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Sasha Levin commit d2783ccec7e0310343238371e5ab82c73e14aa67 Author: David Howells Date: Tue Aug 13 22:26:36 2019 +0100 rxrpc: Fix read-after-free in rxrpc_queue_local() commit 06d9532fa6b34f12a6d75711162d47c17c1add72 upstream. 
rxrpc_queue_local() attempts to queue the local endpoint it is given and then, if successful, prints a trace line. The trace line includes the current usage count - but we're not allowed to look at the local endpoint at this point as we passed our ref on it to the workqueue. Fix this by reading the usage count before queuing the work item. Also fix the reading of local->debug_id for trace lines, which must be done with the same consideration as reading the usage count. Fixes: 09d2bf595db4 ("rxrpc: Add a tracepoint to track rxrpc_local refcounting") Reported-by: syzbot+78e71c5bab4f76a6a719@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 486a727445071941311e53c0395948f04f8397a5 Author: David Howells Date: Fri Aug 9 15:20:41 2019 +0100 rxrpc: Fix local endpoint refcounting commit 730c5fd42c1e3652a065448fd235cb9fafb2bd10 upstream. The object lifetime management on the rxrpc_local struct is broken in that the rxrpc_local_processor() function is expected to clean up and remove an object - but it may get requeued by packets coming in on the backing UDP socket once it starts running. This may result in the assertion in rxrpc_local_rcu() firing because the memory has been scheduled for RCU destruction whilst still queued: rxrpc: Assertion failed ------------[ cut here ]------------ kernel BUG at net/rxrpc/local_object.c:468! Note that if the processor comes around before the RCU free function, it will just do nothing because ->dead is true. Fix this by adding a separate refcount to count active users of the endpoint that causes the endpoint to be destroyed when it reaches 0. The original refcount can then be used to refcount objects through the work processor and cause the memory to be rcu freed when that reaches 0. 
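The two-counter scheme described above can be sketched in userspace C. This is an illustration under stated assumptions, not the rxrpc implementation: struct endpoint and the endpoint_*() helpers are hypothetical names, the counters are plain ints where the kernel would use atomics, and setting a `dead` flag stands in for the real teardown work.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical simplification of an endpoint tracked by two counters. */
struct endpoint {
	int usage;        /* keeps the memory alive (work items, lookups) */
	int active_users; /* sockets currently using the endpoint */
	bool dead;        /* set once teardown has run */
};

/* Allocate an endpoint with one memory reference and one active user. */
static struct endpoint *endpoint_alloc(void)
{
	struct endpoint *ep = calloc(1, sizeof(*ep));

	if (ep) {
		ep->usage = 1;
		ep->active_users = 1;
	}
	return ep;
}

/* Take a memory reference, e.g. on behalf of a queued work item. */
static void endpoint_get(struct endpoint *ep)
{
	assert(ep->usage > 0);
	ep->usage++;
}

/* Drop a memory reference. Returns true if the memory was freed. */
static bool endpoint_put(struct endpoint *ep)
{
	assert(ep->usage > 0);
	if (--ep->usage > 0)
		return false;
	free(ep);
	return true;
}

/* Drop an active use; teardown happens when the last user leaves. */
static void endpoint_unuse(struct endpoint *ep)
{
	if (!ep)
		return; /* tolerate a socket that was never bound */
	assert(ep->active_users > 0);
	if (--ep->active_users == 0)
		ep->dead = true; /* stand-in for the real destruction work */
}
```

The point of the split is that teardown is driven only by active_users, while a work item that still holds a `usage` reference can run late and find the object merely dead rather than freed.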
Fixes: 4f95dd78a77e ("rxrpc: Rework local endpoint management") Reported-by: syzbot+1e0edc4b8b7494c28450@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 3981720f800f729e2ab13a68102f082cdc98bf0a Author: Alastair D'Silva Date: Wed Aug 21 10:19:27 2019 +1000 powerpc: Allow flush_(inval_)dcache_range to work across ranges >4GB The upstream commit: 22e9c88d486a ("powerpc/64: reuse PPC32 static inline flush_dcache_range()") has a similar effect, but since it is a rewrite of the assembler to C, is too invasive for stable. This patch is a minimal fix to address the issue in assembler. This patch applies cleanly to v5.2, v4.19 & v4.14. When calling flush_(inval_)dcache_range with a size >4GB, we were masking off the upper 32 bits, so we would incorrectly flush a range smaller than intended. This patch replaces the 32 bit shifts with 64 bit ones, so that the full size is accounted for. Signed-off-by: Alastair D'Silva Acked-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 28ad328e672bc799452e8481ef35fa58654f682f Author: Jens Axboe Date: Wed Aug 21 22:19:11 2019 -0600 io_uring: add need_resched() check in inner poll loop [ Upstream commit 08f5439f1df25a6cf6cf4c72cf6c13025599ce67 ] The outer poll loop checks for whether we need to reschedule, and returns to userspace if we do. However, it's possible to get stuck in the inner loop as well, if the CPU we are running on needs to reschedule to finish the IO work. Add the need_resched() check in the inner loop as well. This fixes a potential hang if the kernel is configured with CONFIG_PREEMPT_VOLUNTARY=y. 
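The effect of the extra check can be shown with a small userspace simulation. Nothing here is io_uring code: struct poll_sim, the sim_*() helpers, the spin budget that stands in for need_resched(), and the -EAGAIN return value are all assumptions made for the sketch.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>

/* Hypothetical simulation state; none of these names are io_uring APIs. */
struct poll_sim {
	int completions_left; /* events that can still complete */
	int spins_per_event;  /* polls needed per completion; 0 = never */
	long budget;          /* polls allowed before a reschedule is due */
	long spins;           /* polls performed so far */
};

/* Stand-in for need_resched(): true once the budget is used up. */
static bool sim_need_resched(const struct poll_sim *s)
{
	return s->spins >= s->budget;
}

/* One poll attempt. Returns true if an event completed. */
static bool sim_poll_once(struct poll_sim *s)
{
	s->spins++;
	if (s->spins_per_event <= 0 || s->completions_left <= 0)
		return false;
	if (s->spins % s->spins_per_event != 0)
		return false;
	s->completions_left--;
	return true;
}

/* Reap at least min events, or return -EAGAIN when asked to yield. */
static int sim_iopoll(struct poll_sim *s, int min)
{
	int reaped = 0;

	assert(min > 0);
	while (reaped < min) {              /* outer loop */
		bool got = false;

		if (sim_need_resched(s))
			return -EAGAIN;
		while (!got) {              /* inner loop: spin for one event */
			got = sim_poll_once(s);
			if (!got && sim_need_resched(s))
				return -EAGAIN; /* the check added to the inner loop */
		}
		reaped++;
	}
	return reaped;
}
```

With the inner check removed, a simulation in which no event ever completes would spin in the inner loop forever, which is the hang the commit describes.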
Reported-by: Sagi Grimberg Reviewed-by: Sagi Grimberg Tested-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 7fe55f17deee0def02df3f604c13d78e94db6e04 Author: Jens Axboe Date: Tue Aug 20 11:03:11 2019 -0600 io_uring: don't enter poll loop if we have CQEs pending [ Upstream commit a3a0e43fd77013819e4b6f55e37e0efe8e35d805 ] We need to check if we have CQEs pending before starting a poll loop, as those could be the events we will be spinning for (and hence we'll find none). This can happen if a CQE triggers an error, or if it is found by eg an IRQ before we get a chance to find it through polling. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2b2c2647a19ce1a6a67a9765dfef9f7f3d11d71e Author: Jens Axboe Date: Mon Aug 19 12:15:59 2019 -0600 io_uring: fix potential hang with polled IO [ Upstream commit 500f9fbadef86466a435726192f4ca4df7d94236 ] If a request issue ends up being punted to async context to avoid blocking, we can get into a situation where the original application enters the poll loop for that very request before it has been issued. This should not be an issue, except that the polling will hold the io_uring uring_ctx mutex for the duration of the poll. When the async worker has actually issued the request, it needs to acquire this mutex to add the request to the poll issued list. Since the application polling is already holding this mutex, the workqueue sleeps on the mutex forever, and the application thus never gets a chance to poll for the very request it was interested in. Fix this by ensuring that the polling drops the uring_ctx occasionally if it's not making any progress. Reported-by: Jeffrey M. 
Birnbaum Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2a50be6e0551b38eb2ff17e8ad3061b46b1d47d1 Author: Dan Carpenter Date: Mon Aug 19 12:58:14 2019 +0300 dm zoned: fix potential NULL dereference in dmz_do_reclaim() [ Upstream commit e0702d90b79d430b0ccc276ead4f88440bb51352 ] This function is supposed to return error pointers so it matches the dmz_get_rnd_zone_for_reclaim() function. The current code could lead to a NULL dereference in dmz_do_reclaim() Fixes: b234c6d7a703 ("dm zoned: improve error handling in reclaim") Signed-off-by: Dan Carpenter Reviewed-by: Dmitry Fomichev Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit b295171cff3f014dba711c9d57c3104ccb09a7ee Author: Kaike Wan Date: Thu Aug 15 15:20:33 2019 -0400 IB/hfi1: Drop stale TID RDMA packets commit d58c1834bf0d218a0bc00f8fb44874551b21da84 upstream. In a congested fabric with adaptive routing enabled, traces show that the sender could receive stale TID RDMA NAK packets that contain newer KDETH PSNs and older Verbs PSNs. If not dropped, these packets could cause the incorrect rewinding of the software flows and the incorrect completion of TID RDMA WRITE requests, eventually leading to memory corruption and kernel crash. The current code drops stale TID RDMA ACK/NAK packets solely based on KDETH PSNs, which may lead to erroneous processing. This patch fixes the issue by also checking the Verbs PSN. Additional checks are added before rewinding the TID RDMA WRITE DATA packets. Fixes: 9e93e967f7b4 ("IB/hfi1: Add a function to receive TID RDMA ACK packet") Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20190815192033.105923.44192.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit be46f90b7436219da4f9b8e726ddf3779657f6c3 Author: Darrick J. 
Wong Date: Thu Aug 22 20:55:54 2019 -0700 xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT commit 1fb254aa983bf190cfd685d40c64a480a9bafaee upstream. Benjamin Moody reported to Debian that XFS partially wedges when a chgrp fails on account of being out of disk quota. I ran his reproducer script: # adduser dummy # adduser dummy plugdev # dd if=/dev/zero bs=1M count=100 of=test.img # mkfs.xfs test.img # mount -t xfs -o gquota test.img /mnt # mkdir -p /mnt/dummy # chown -c dummy /mnt/dummy # xfs_quota -xc 'limit -g bsoft=100k bhard=100k plugdev' /mnt (and then as user dummy) $ dd if=/dev/urandom bs=1M count=50 of=/mnt/dummy/foo $ chgrp plugdev /mnt/dummy/foo and saw: ================================================ WARNING: lock held when returning to user space! 5.3.0-rc5 #rc5 Tainted: G W ------------------------------------------------ chgrp/47006 is leaving the kernel with locks still held! 1 lock held by chgrp/47006: #0: 000000006664ea2d (&xfs_nondir_ilock_class){++++}, at: xfs_ilock+0xd2/0x290 [xfs] ...which is clearly caused by xfs_setattr_nonsize failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. Add the missing unlock. Reported-by: benjamin.moody@gmail.com Fixes: 253f4911f297 ("xfs: better xfs_trans_alloc interface") Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Tested-by: Salvatore Bonaccorso Signed-off-by: Greg Kroah-Hartman commit 92aeca3af02ac7aa3f200d4117f657a8cd58e286 Author: Andrey Ryabinin Date: Sat Aug 24 17:55:09 2019 -0700 mm/kasan: fix false positive invalid-free reports with CONFIG_KASAN_SW_TAGS=y commit 00fb24a42a68b1ee0f6495993fe1be7124433dfb upstream. The code like this: ptr = kmalloc(size, GFP_KERNEL); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset); may produce false-positive invalid-free reports on the kernel with CONFIG_KASAN_SW_TAGS=y. 
In the example above we lose the original tag assigned to 'ptr', so kfree() gets the pointer with 0xFF tag. In kfree() we check that 0xFF tag is different from the tag in shadow hence print false report. Instead of just comparing tags, do the following: 1) Check that shadow doesn't contain KASAN_TAG_INVALID. Otherwise it's double-free and it doesn't matter what tag the pointer have. 2) If pointer tag is different from 0xFF, make sure that tag in the shadow is the same as in the pointer. Link: http://lkml.kernel.org/r/20190819172540.19581-1-aryabinin@virtuozzo.com Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode") Signed-off-by: Andrey Ryabinin Reported-by: Walter Wu Reported-by: Mark Rutland Reviewed-by: Andrey Konovalov Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Catalin Marinas Cc: Will Deacon Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f6d997de088319833efb229f8af5f3dd71274758 Author: Henry Burns Date: Sat Aug 24 17:55:06 2019 -0700 mm/zsmalloc.c: fix race condition in zs_destroy_pool commit 701d678599d0c1623aaf4139c03eea260a75b027 upstream. In zs_destroy_pool() we call flush_work(&pool->free_work). However, we have no guarantee that migration isn't happening in the background at that time. Since migration can't directly free pages, it relies on free_work being scheduled to free the pages. But there's nothing preventing an in-progress migrate from queuing the work *after* zs_unregister_migration() has called flush_work(). Which would mean pages still pointing at the inode when we free it. Since we know at destroy time all objects should be free, no new migrations can come in (since zs_page_isolate() fails for fully-free zspages). This means it is sufficient to track a "# isolated zspages" count by class, and have the destroy logic ensure all such pages have drained before proceeding. Keeping that state under the class spinlock keeps the logic straightforward. 
In this case a memory leak could lead to an eventual crash if compaction hits the leaked page. This crash would only occur if people are changing their zswap backend at runtime (which eventually starts destruction). Link: http://lkml.kernel.org/r/20190809181751.219326-2-henryburns@google.com Fixes: 48b4800a1c6a ("zsmalloc: page migration support") Signed-off-by: Henry Burns Reviewed-by: Sergey Senozhatsky Cc: Henry Burns Cc: Minchan Kim Cc: Shakeel Butt Cc: Jonathan Adams Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e3f9299cbe4c6b9f14494d9bf9c89fac0b5dd524 Author: Henry Burns Date: Sat Aug 24 17:55:03 2019 -0700 mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely commit 1a87aa03597efa9641e92875b883c94c7f872ccb upstream. In zs_page_migrate() we call putback_zspage() after we have finished migrating all pages in this zspage. However, the return value is ignored. If a zs_free() races in between zs_page_isolate() and zs_page_migrate(), freeing the last object in the zspage, putback_zspage() will leave the page in ZS_EMPTY for potentially an unbounded amount of time. To fix this, we need to do the same thing as zs_page_putback() does: schedule free_work to occur. To avoid duplicated code, move the sequence to a new putback_zspage_deferred() function which both zs_page_migrate() and zs_page_putback() call. Link: http://lkml.kernel.org/r/20190809181751.219326-1-henryburns@google.com Fixes: 48b4800a1c6a ("zsmalloc: page migration support") Signed-off-by: Henry Burns Reviewed-by: Sergey Senozhatsky Cc: Henry Burns Cc: Minchan Kim Cc: Shakeel Butt Cc: Jonathan Adams Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 199faced432fb8192aa35f1fe7541b384ab05d4e Author: Vlastimil Babka Date: Sat Aug 24 17:54:59 2019 -0700 mm, page_owner: handle THP splits correctly commit f7da677bc6e72033f0981b9d58b5c5d409fa641e upstream. 
The THP splitting path is missing the split_page_owner() call that split_page() has. As a result, split THP pages are wrongly reported in the page_owner file as order-9 pages. Furthermore, when the former head page is freed, the remaining former tail pages are not listed in the page_owner file at all. This patch fixes that by adding the split_page_owner() call into __split_huge_page(). Link: http://lkml.kernel.org/r/20190820131828.22684-2-vbabka@suse.cz Fixes: a9627bc5e34e ("mm/page_owner: introduce split_page_owner and replace manual handling") Reported-by: Kirill A. Shutemov Signed-off-by: Vlastimil Babka Cc: Michal Hocko Cc: Mel Gorman Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ef1cb3ee97ecf3ca468edc8063dd682391a070ef Author: Roman Gushchin Date: Sat Aug 24 17:54:50 2019 -0700 mm: memcontrol: flush percpu vmevents before releasing memcg commit bb65f89b7d3d305c14951f49860711fbcae70692 upstream. Similar to vmstats, percpu caching of local vmevents leads to an accumulation of errors on non-leaf levels. This happens because some leftovers may remain in percpu caches, so they are never propagated up the cgroup tree and simply disappear when the memory cgroup is released. To fix this issue, let's accumulate and propagate percpu vmevents values before releasing the memory cgroup, similar to what we're doing with vmstats. Since on cpu hotplug we do flush percpu vmstats anyway, we can iterate only over online cpus.
Link: http://lkml.kernel.org/r/20190819202338.363363-4-guro@fb.com Fixes: 42a300353577 ("mm: memcontrol: fix recursive statistics correctness & scalabilty") Signed-off-by: Roman Gushchin Acked-by: Michal Hocko Cc: Johannes Weiner Cc: Vladimir Davydov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2bd82494d1d62f8b31a2c2a139ccee20d15f42e8 Author: Roman Gushchin Date: Sat Aug 24 17:54:47 2019 -0700 mm: memcontrol: flush percpu vmstats before releasing memcg commit c350a99ea2b1b666c28948d74ab46c16913c28a7 upstream. Percpu caching of local vmstats with the conditional propagation by the cgroup tree leads to an accumulation of errors on non-leaf levels. Let's imagine two nested memory cgroups A and A/B. Say, a process belonging to A/B allocates 100 pagecache pages on the CPU 0. The percpu cache will spill 3 times, so that 32*3=96 pages will be accounted to A/B and A atomic vmstat counters, 4 pages will remain in the percpu cache. Imagine A/B is nearby memory.max, so that every following allocation triggers a direct reclaim on the local CPU. Say, each such attempt will free 16 pages on a new cpu. That means every percpu cache will have -16 pages, except the first one, which will have 4 - 16 = -12. A/B and A atomic counters will not be touched at all. Now a user removes A/B. All percpu caches are freed and corresponding vmstat numbers are forgotten. A has 96 pages more than expected. As memory cgroups are created and destroyed, errors do accumulate. Even 1-2 pages differences can accumulate into large numbers. To fix this issue let's accumulate and propagate percpu vmstat values before releasing the memory cgroup. At this point these numbers are stable and cannot be changed. Since on cpu hotplug we do flush percpu vmstats anyway, we can iterate only over online cpus. 
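The A and A/B arithmetic above can be replayed with a small simulation. This is only a sketch under stated assumptions, not the kernel code: the Cgroup class, mod_state(), release() and simulate() are hypothetical names, the spill threshold is taken to be 32 pages so that the numbers match the 32*3 = 96 figure in the message, and four CPUs are assumed for the reclaim step.

```python
BATCH = 32  # assumed spill threshold, chosen to match the 32*3 = 96 arithmetic


class Cgroup:
    """Hypothetical model of one memory cgroup's vmstat counter."""

    def __init__(self, parent=None, ncpus=4):
        self.parent = parent
        self.atomic = 0            # shared counter that readers see
        self.percpu = [0] * ncpus  # per-CPU cached deltas, not yet visible

    def _propagate(self, delta):
        # Add delta to this cgroup and every ancestor.
        node = self
        while node is not None:
            node.atomic += delta
            node = node.parent

    def mod_state(self, cpu, delta):
        # Cache the delta per CPU; spill up the tree once it reaches BATCH.
        x = self.percpu[cpu] + delta
        if abs(x) >= BATCH:
            self._propagate(x)
            x = 0
        self.percpu[cpu] = x

    def release(self, flush):
        # With flush=True, push the per-CPU leftovers up before dropping them.
        if flush:
            self._propagate(sum(self.percpu))
        self.percpu = [0] * len(self.percpu)


def simulate(flush, ncpus=4):
    a = Cgroup(ncpus=ncpus)
    b = Cgroup(parent=a, ncpus=ncpus)
    for _ in range(100):        # 100 page allocations on CPU 0
        b.mod_state(0, 1)
    for cpu in range(ncpus):    # each reclaim attempt frees 16 pages on a new CPU
        b.mod_state(cpu, -16)
    b.release(flush)
    return a.atomic


if __name__ == "__main__":
    print("without flush:", simulate(flush=False))
    print("with flush:   ", simulate(flush=True))
```

In this model the parent keeps the 96 spilled pages when the leftovers are dropped, while flushing first brings it to 100 - 4*16 = 36, which is the true net count for the four assumed CPUs.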
Link: http://lkml.kernel.org/r/20190819202338.363363-2-guro@fb.com Fixes: 42a300353577 ("mm: memcontrol: fix recursive statistics correctness & scalabilty") Signed-off-by: Roman Gushchin Acked-by: Michal Hocko Cc: Johannes Weiner Cc: Vladimir Davydov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 27674f5f49a82502dca9fd47d46ea9ebb6018de2 Author: David Rientjes Date: Sat Aug 24 17:54:40 2019 -0700 mm, page_alloc: move_freepages should not examine struct page of reserved memory commit cd961038381f392b364a7c4a040f4576ca415b1a upstream. After commit 907ec5fca3dc ("mm: zero remaining unavailable struct pages"), struct page of reserved memory is zeroed. This causes page->flags to be 0 and fixes issues related to reading /proc/kpageflags, for example, of reserved memory. The VM_BUG_ON() in move_freepages_block(), however, assumes that page_zone() is meaningful even for reserved memory. That assumption is no longer true after the aforementioned commit. There's no reason why move_freepages_block() should be testing the legitimacy of page_zone() for reserved memory; its scope is limited only to pages on the zone's freelist. Note that pfn_valid() can be true for reserved memory: there is a backing struct page. The check for page_to_nid(page) is also buggy but reserved memory normally only appears on node 0 so the zeroing doesn't affect this. Move the debug checks to after verifying PageBuddy is true. This isolates the scope of the checks to only be for buddy pages which are on the zone's freelist which move_freepages_block() is operating on. In this case, an incorrect node or zone is a bug worthy of being warned about (and the examination of struct page is acceptable because this memory is not reserved). Why does move_freepages_block() get called on reserved memory? It's simply math after finding a valid free page from the per-zone free area to use as fallback.
We find the beginning and end of the pageblock of the valid page and that can bring us into memory that was reserved per the e820. pfn_valid() is still true (it's backed by a struct page), but since it's zero'd we shouldn't make any inferences here about comparing its node or zone. The current node check just happens to succeed most of the time by luck because reserved memory typically appears on node 0. The fix here is to validate that we actually have buddy pages before testing if there's any type of zone or node strangeness going on. We noticed it almost immediately after bringing 907ec5fca3dc in on CONFIG_DEBUG_VM builds. It depends on finding specific free pages in the per-zone free area where the math in move_freepages() will bring the start or end pfn into reserved memory and wanting to claim that entire pageblock as a new migratetype. So the path will be rare, require CONFIG_DEBUG_VM, and require fallback to a different migratetype. Some struct pages were already zeroed from reserve pages before 907ec5fca3c so it theoretically could trigger before this commit. I think it's rare enough under a config option that most people don't run that others may not have noticed. I wouldn't argue against a stable tag and the backport should be easy enough, but probably wouldn't single out a commit that this is fixing. Mel said: : The overhead of the debugging check is higher with this patch although : it'll only affect debug builds and the path is not particularly hot. : If this was a concern, I think it would be reasonable to simply remove : the debugging check as the zone boundaries are checked in : move_freepages_block and we never expect a zone/node to be smaller than : a pageblock and stuck in the middle of another zone. 
Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1908122036560.10779@chino.kir.corp.google.com Signed-off-by: David Rientjes Acked-by: Mel Gorman Cc: Naoya Horiguchi Cc: Masayoshi Mizuma Cc: Oscar Salvador Cc: Pavel Tatashin Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 764fa2f4ff59591fd04b504f8f8fb46ec16641a9 Author: Henry Burns Date: Sat Aug 24 17:54:37 2019 -0700 mm/z3fold.c: fix race between migration and destruction commit d776aaa9895eb6eb770908e899cb7f5bd5025b3c upstream. In z3fold_destroy_pool() we call destroy_workqueue(&pool->compact_wq). However, we have no guarantee that migration isn't happening in the background at that time. Migration directly calls queue_work_on(pool->compact_wq); if destruction wins that race, we are using a destroyed workqueue. Link: http://lkml.kernel.org/r/20190809213828.202833-1-henryburns@google.com Signed-off-by: Henry Burns Cc: Vitaly Wool Cc: Shakeel Butt Cc: Jonathan Adams Cc: Henry Burns Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 641c1d8396dcbc6277e07bee9e4a07f392e91e9c Author: Michael Kelley Date: Thu Aug 1 23:53:53 2019 +0000 genirq: Properly pair kobject_del() with kobject_add() commit d0ff14fdc987303aeeb7de6f1bd72c3749ae2a9b upstream. If alloc_descs() fails before irq_sysfs_init() has run, free_desc() in the cleanup path will call kobject_del() even though the kobject has not been added with kobject_add(). Fix this by making the call to kobject_del() conditional on whether irq_sysfs_init() has run. This problem surfaced because commit aa30f47cf666 ("kobject: Add support for default attribute groups to kobj_type") makes kobject_del() stricter about pairing with kobject_add(). If the pairing is incorrect, a WARNING and backtrace occur in sysfs_remove_group() because there is no parent.
[ tglx: Add a comment to the code and make it work with CONFIG_SYSFS=n ] Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs") Signed-off-by: Michael Kelley Signed-off-by: Thomas Gleixner Acked-by: Greg Kroah-Hartman Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1564703564-4116-1-git-send-email-mikelley@microsoft.com Signed-off-by: Greg Kroah-Hartman commit f2f89f89e5fe1d7197a7aac6961f76de065e65f7 Author: Dmitry Fomichev Date: Sat Aug 10 14:43:11 2019 -0700 dm zoned: properly handle backing device failure commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 upstream. dm-zoned is observed to lock up or livelock in case of hardware failure or some misconfiguration of the backing zoned device. This patch adds a new dm-zoned target function that checks the status of the backing device. If the request queue of the backing device is found to be in dying state or the SCSI backing device enters offline state, the health check code sets a dm-zoned target flag prompting all further incoming I/O to be rejected. In order to detect backing device failures timely, this new function is called in the request mapping path, at the beginning of every reclaim run and before performing any metadata I/O. The proper way out of this situation is to do dmsetup remove and recreate the target when the problem with the backing device is resolved. Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Fomichev Reviewed-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 5d77bfe7e69dca7d305adfb17a1dd21c3a3f6e46 Author: Dmitry Fomichev Date: Sat Aug 10 14:43:10 2019 -0700 dm zoned: improve error handling in i/o map code commit d7428c50118e739e672656c28d2b26b09375d4e0 upstream. Some errors are ignored in the I/O path during queueing chunks for processing by chunk works. 
Since at least these errors are transient in nature, it should be possible to retry the failed incoming commands. The fix - Errors that can happen while queueing chunks are carried upwards to the main mapping function and it now returns DM_MAPIO_REQUEUE for any incoming requests that can not be properly queued. Error logging/debug messages are added where needed. Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Fomichev Reviewed-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 544518b023cb8f8f46df7b0494aa738af6b3e340 Author: Dmitry Fomichev Date: Sat Aug 10 14:43:09 2019 -0700 dm zoned: improve error handling in reclaim commit b234c6d7a703661b5045c5bf569b7c99d2edbf88 upstream. There are several places in reclaim code where errors are not propagated to the main function, dmz_reclaim(). This function is responsible for unlocking zones that might be still locked at the end of any failed reclaim iterations. As the result, some device zones may be left permanently locked for reclaim, degrading target's capability to reclaim zones. This patch fixes these issues as follows - Make sure that dmz_reclaim_buf(), dmz_reclaim_seq_data() and dmz_reclaim_rnd_data() return error codes to the caller. dmz_reclaim() function is renamed to dmz_do_reclaim() to avoid clashing with "struct dmz_reclaim" and is modified to return the error to the caller. dmz_get_zone_for_reclaim() now returns an error instead of NULL pointer and reclaim code checks for that error. Error logging/debug messages are added where necessary. 
Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Fomichev Reviewed-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit ace23a4553833ef8d0d5d8cc98296fadb72020ef Author: Mikulas Patocka Date: Fri Aug 23 09:54:09 2019 -0400 dm table: fix invalid memory accesses with too high sector number commit 1cfd5d3399e87167b7f9157ef99daa0e959f395d upstream. If the sector number is too high, dm_table_find_target() should return a pointer to a zeroed dm_target structure (the caller should test it with dm_target_is_valid). However, for some table sizes, the code in dm_table_find_target() that performs btree lookup will access out of bound memory structures. Fix this bug by testing the sector number at the beginning of dm_table_find_target(). Also, add an "inline" keyword to the function dm_table_get_size() because this is a hot path. Fixes: 512875bd9661 ("dm: table detect io beyond device") Cc: stable@vger.kernel.org Reported-by: Zhang Tao Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 23c9e199076aeda42e2657635daea30f22f6663b Author: ZhangXiaoxu Date: Mon Aug 19 11:31:21 2019 +0800 dm space map metadata: fix missing store of apply_bops() return value commit ae148243d3f0816b37477106c05a2ec7d5f32614 upstream. In commit 6096d91af0b6 ("dm space map metadata: fix occasional leak of a metadata block on resize"), we refactor the commit logic to a new function 'apply_bops'. But when that logic was replaced in out() the return value was not stored. This may lead out() returning a wrong value to the caller. 
Fixes: 6096d91af0b6 ("dm space map metadata: fix occasional leak of a metadata block on resize") Cc: stable@vger.kernel.org Signed-off-by: ZhangXiaoxu Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit f57bbd7c789468dda655d0b652c06c961eeb510b Author: Wenwen Wang Date: Sun Aug 18 19:18:34 2019 -0500 dm raid: add missing cleanup in raid_ctr() commit dc1a3e8e0cc6b2293b48c044710e63395aeb4fb4 upstream. If rs_prepare_reshape() fails, no cleanup is executed, leading to leak of the raid_set structure allocated at the beginning of raid_ctr(). To fix this issue, go to the label 'bad' if the error occurs. Fixes: 11e4723206683 ("dm raid: stop keeping raid set frozen altogether") Cc: stable@vger.kernel.org Signed-off-by: Wenwen Wang Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit e7b9e2afcc68ffb82462f607cf9d52e30e2217c3 Author: Mikulas Patocka Date: Sat Aug 10 12:30:27 2019 -0400 dm integrity: fix a crash due to BUG_ON in __journal_read_write() commit 5729b6e5a1bcb0bbc28abe82d749c7392f66d2c7 upstream. Fix a crash that was introduced by the commit 724376a04d1a. The crash is reported here: https://gitlab.com/cryptsetup/cryptsetup/issues/468 When reading from the integrity device, the function dm_integrity_map_continue calls find_journal_node to find out if the location to read is present in the journal. Then, it calculates how many sectors are consecutively stored in the journal. Then, it locks the range with add_new_range and wait_and_add_new_range. The problem is that during wait_and_add_new_range, we hold no locks (we don't hold ic->endio_wait.lock and we don't hold a range lock), so the journal may change arbitrarily while wait_and_add_new_range sleeps. The code then goes to __journal_read_write and hits BUG_ON(journal_entry_get_sector(je) != logical_sector); because the journal has changed. In order to fix this bug, we need to re-check the journal location after wait_and_add_new_range. 
We restrict the length to one block in order to not complicate the code too much. Fixes: 724376a04d1a ("dm integrity: implement fair range locks") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 9e3dcb641f084bde6d97e038f2390b8256246931 Author: ZhangXiaoxu Date: Sat Aug 17 13:32:40 2019 +0800 dm btree: fix order of block initialization in btree_split_beneath commit e4f9d6013820d1eba1432d51dd1c5795759aa77f upstream. When btree_split_beneath() splits a node into two new children, it will allocate two blocks: left and right. If the right block's allocation fails, the left block will be unlocked and marked dirty. If this happens, the left block's content is zero, because it wasn't initialized with the btree struct before the attempt to allocate the right block. Upon return, when flushing the left block to disk, the validator will fail when checking this block. Then a BUG_ON is raised. Fix this by completely initializing the left block before allocating and initializing the right block. Fixes: 4dcb8b57df359 ("dm btree: fix leak of bufio-backed block in btree_split_beneath error path") Cc: stable@vger.kernel.org Signed-off-by: ZhangXiaoxu Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit e92dfd8d14032f4f0b6caa833c0af68f933b73ab Author: Bryan Gurney Date: Fri Aug 16 10:09:53 2019 -0400 dm dust: use dust block size for badblocklist index commit 08c04c84a5cde3af9baac0645a7496d6dcd76822 upstream. Change the "frontend" dust_remove_block, dust_add_block, and dust_query_block functions to store the "dust block number", instead of the sector number corresponding to the "dust block number". For the "backend" functions dust_map_read and dust_map_write, right-shift by sect_per_block_shift. This fixes the inability to emulate failure beyond the first sector of each "dust block" (for devices with a "dust block size" larger than 512 bytes).
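The indexing change described for dm dust can be illustrated with a short model. This is a sketch under assumptions, not the driver code: DustSketch and its methods are hypothetical stand-ins for the frontend and backend functions named above, sectors are taken to be 512 bytes, and the dust block size is assumed to be a power-of-two multiple of the sector size. The read_fails_old() method models the earlier behaviour as the message describes it (the stored key is the first sector of the block).

```python
SECTOR_SIZE = 512  # bytes per sector (assumption for this sketch)


class DustSketch:
    """Hypothetical model of a bad-block list keyed by dust block number."""

    def __init__(self, block_size):
        sect_per_block = block_size // SECTOR_SIZE
        # Power-of-two block size assumed, so a shift replaces the division.
        self.sect_per_block_shift = sect_per_block.bit_length() - 1
        self.badblocks = set()

    def add_block(self, block):
        # Frontend: store the dust block number itself.
        self.badblocks.add(block)

    def read_fails(self, sector):
        # Backend: convert the I/O sector to a dust block number, then look up.
        return (sector >> self.sect_per_block_shift) in self.badblocks

    def read_fails_old(self, sector):
        # Earlier behaviour as described: the stored key was the block's first
        # sector and the I/O sector was compared against it directly.
        first_sectors = {b << self.sect_per_block_shift for b in self.badblocks}
        return sector in first_sectors


if __name__ == "__main__":
    dev = DustSketch(block_size=4096)  # 8 sectors per dust block
    dev.add_block(2)                   # covers sectors 16..23
    print([s for s in range(12, 28) if dev.read_fails(s)])
    print([s for s in range(12, 28) if dev.read_fails_old(s)])
```

With a 4096-byte dust block, marking block 2 makes every sector from 16 to 23 fail in the new scheme, whereas the old comparison only ever matches sector 16.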
Fixes: e4f3fabd67480bf ("dm: add dust target") Cc: stable@vger.kernel.org Signed-off-by: Bryan Gurney Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit a6d64ebeb5eb97228e59d1a8e6009380ba4d9e79 Author: Dmitry Fomichev Date: Mon Aug 5 16:56:03 2019 -0700 dm kcopyd: always complete failed jobs commit d1fef41465f0e8cae0693fb184caa6bfafb6cd16 upstream. This patch fixes a problem in dm-kcopyd that may leave jobs in complete queue indefinitely in the event of backing storage failure. This behavior has been observed while running 100% write file fio workload against an XFS volume created on top of a dm-zoned target device. If the underlying storage of dm-zoned goes to offline state under I/O, kcopyd sometimes never issues the end copy callback and dm-zoned reclaim work hangs indefinitely waiting for that completion. This behavior was traced down to the error handling code in process_jobs() function that places the failed job to complete_jobs queue, but doesn't wake up the job handler. In case of backing device failure, all outstanding jobs may end up going to complete_jobs queue via this code path and then stay there forever because there are no more successful I/O jobs to wake up the job handler. This patch adds a wake() call to always wake up kcopyd job wait queue for all I/O jobs that fail before dm_io() gets called for that job. The patch also sets the write error status in all sub jobs that are failed because their master job has failed. Fixes: b73c67c2cbb00 ("dm kcopyd: add sequential write feature") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Fomichev Reviewed-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 1e2528273532362bde1f42fb92c7e00a2f08f5fd Author: Jason Xing Date: Sat Aug 24 17:54:53 2019 -0700 psi: get poll_work to run when calling poll syscall next time commit 7b2b55da1db10a5525460633ae4b6fb0be060c41 upstream. 
A user receives POLLPRI correctly only on the first call to the poll syscall. After that, the user always fails to acquire the event signal. Reproduce case: 1. Get the monitor code in Documentation/accounting/psi.txt 2. Run it, and wait for the event to be triggered. 3. Kill and restart the process. The question is why we can end up with poll_scheduled = 1 but the work not running (which would reset it to 0). And the answer is because the scheduling side sees group->poll_kworker under RCU protection and then schedules it, but here we cancel the work and destroy the worker. The cancel needs to pair with resetting the poll_scheduled flag. Link: http://lkml.kernel.org/r/1566357985-97781-1-git-send-email-joseph.qi@linux.alibaba.com Signed-off-by: Jason Xing Signed-off-by: Joseph Qi Reviewed-by: Caspar Zhang Reviewed-by: Suren Baghdasaryan Acked-by: Johannes Weiner Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b9e0cc134d735e3599f119f57d2d988ba177c464 Author: Kaike Wan Date: Thu Aug 15 15:20:58 2019 -0400 IB/hfi1: Drop stale TID RDMA packets that cause TIDErr commit d9d1f5e7bb82415591e8b62b222cbb88c4797ef3 upstream. In a congested fabric with adaptive routing enabled, traces show that packets could be delivered out of order. A stale TID RDMA data packet could lead to TidErr if the TID entries have been released by duplicate data packets generated from retries, and subsequently erroneously force the qp into error state in the current implementation. Since the payload has already been dropped by hardware, the packet can be simply dropped and it is no longer necessary to put the qp into error state.
Fixes: 9905bf06e890 ("IB/hfi1: Add functions to receive TID RDMA READ response") Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20190815192058.105923.72324.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit a382c2b3d9c2923a40098fe579032fbccaddde90 Author: Kaike Wan Date: Thu Aug 15 15:20:51 2019 -0400 IB/hfi1: Add additional checks when handling TID RDMA WRITE DATA packet commit 90fdae66e72bf0381d168f12dca0259617927895 upstream. In a congested fabric with adaptive routing enabled, traces show that packets could be delivered out of order, which could cause incorrect processing of stale packets. For stale TID RDMA WRITE DATA packets that cause KDETH EFLAGS errors, this patch adds additional checks before processing the packets. Fixes: d72fe7d5008b ("IB/hfi1: Add a function to receive TID RDMA WRITE DATA packet") Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20190815192051.105923.69979.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 47a2c4e414fb3fe6ed080cba3afffcf82ff3ced1 Author: Kaike Wan Date: Thu Aug 15 15:20:45 2019 -0400 IB/hfi1: Add additional checks when handling TID RDMA READ RESP packet commit a8adbf7d0d0a6e3bf7f99da461a06039364e028b upstream. In a congested fabric with adaptive routing enabled, traces show that packets could be delivered out of order, which could cause incorrect processing of stale packets. For stale TID RDMA READ RESP packets that cause KDETH EFLAGS errors, this patch adds additional checks before processing the packets. 
Fixes: 9905bf06e890 ("IB/hfi1: Add functions to receive TID RDMA READ response") Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20190815192045.105923.59813.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit b568370cf1d7c93bbc828c4fb1b057233fa35934 Author: Kaike Wan Date: Thu Aug 15 15:20:39 2019 -0400 IB/hfi1: Unsafe PSN checking for TID RDMA READ Resp packet commit 35d5c8b82e2c32e8e29ca195bb4dac60ba7d97fc upstream. When processing a TID RDMA READ RESP packet that causes KDETH EFLAGS errors, the packet's IB PSN is checked against qp->s_last_psn and qp->s_psn without the protection of qp->s_lock, which is not safe. This patch fixes the issue by acquiring qp->s_lock first. Fixes: 9905bf06e890 ("IB/hfi1: Add functions to receive TID RDMA READ response") Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/20190815192039.105923.7852.stgit@awfm-01.aw.intel.com Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit f1c2546fff1ffa2f75f7a603d5aeb7d16e5c8801 Author: John Hubbard Date: Wed Aug 21 12:25:13 2019 -0700 x86/boot: Fix boot regression caused by bootparam sanitizing commit 7846f58fba964af7cb8cf77d4d13c33254725211 upstream. commit a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else") had two errors: * It preserved boot_params.acpi_rsdp_addr, and * It failed to preserve boot_params.hdr Therefore, zero out acpi_rsdp_addr, and preserve hdr. 
Fixes: a90118c445cc ("x86/boot: Save fields explicitly, zero out everything else") Reported-by: Neil MacLeod Suggested-by: Thomas Gleixner Signed-off-by: John Hubbard Signed-off-by: Thomas Gleixner Tested-by: Neil MacLeod Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190821192513.20126-1-jhubbard@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 6659665f0afdfcf1d85ee2b075b6cb6a1c99232d Author: John Hubbard Date: Tue Jul 30 22:46:27 2019 -0700 x86/boot: Save fields explicitly, zero out everything else commit a90118c445cc7f07781de26a9684d4ec58bfcfd1 upstream. Recent gcc compilers (gcc 9.1) generate warnings about an out of bounds memset, if the memset goes across several fields of a struct. This generated a couple of warnings on x86_64 builds in sanitize_boot_params(). Fix this by explicitly saving the fields in struct boot_params that are intended to be preserved, and zeroing all the rest. [ tglx: Tagged for stable as it breaks the warning free build there as well ] Suggested-by: Thomas Gleixner Suggested-by: H. Peter Anvin Signed-off-by: John Hubbard Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190731054627.5627-2-jhubbard@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 4aa0f3b05a3a8f4159d1a8f95199c022247933e4 Author: Tom Lendacky Date: Mon Aug 19 15:52:35 2019 +0000 x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h commit c49a0a80137c7ca7d6ced4c812c9e07a949f6f24 upstream. There have been reports of RDRAND issues after resuming from suspend on some AMD family 15h and family 16h systems. This issue stems from a BIOS not performing the proper steps during resume to ensure RDRAND continues to function properly. RDRAND support is indicated by CPUID Fn00000001_ECX[30]. This bit can be reset by clearing MSR C001_1004[62]. Any software that checks for RDRAND support using CPUID, including the kernel, will believe that RDRAND is not supported.
Update the CPU initialization to clear the RDRAND CPUID bit for any family 15h and 16h processor that supports RDRAND. If it is known that the family 15h or family 16h system does not have an RDRAND resume issue or that the system will not be placed in suspend, the "rdrand=force" kernel parameter can be used to stop the clearing of the RDRAND CPUID bit. Additionally, update the suspend and resume path to save and restore the MSR C001_1004 value to ensure that the RDRAND CPUID setting remains in place after resuming from suspend. Note, that clearing the RDRAND CPUID bit does not prevent a processor that normally supports the RDRAND instruction from executing it. So any code that determined the support based on family and model won't #UD. Signed-off-by: Tom Lendacky Signed-off-by: Borislav Petkov Cc: Andrew Cooper Cc: Andrew Morton Cc: Chen Yu Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jonathan Corbet Cc: Josh Poimboeuf Cc: Juergen Gross Cc: Kees Cook Cc: "linux-doc@vger.kernel.org" Cc: "linux-pm@vger.kernel.org" Cc: Nathan Chancellor Cc: Paolo Bonzini Cc: Pavel Machek Cc: "Rafael J. Wysocki" Cc: Cc: Thomas Gleixner Cc: "x86@kernel.org" Link: https://lkml.kernel.org/r/7543af91666f491547bd86cebb1e17c66824ab9f.1566229943.git.thomas.lendacky@amd.com Signed-off-by: Greg Kroah-Hartman commit 50d3cd159713ef1e5d4d75918bcaac47170388e6 Author: Thomas Gleixner Date: Fri Aug 9 14:54:07 2019 +0200 x86/apic: Handle missing global clockevent gracefully commit f897e60a12f0b9146357780d317879bce2a877dc upstream. Some newer machines do not advertise legacy timers. The kernel can handle that situation if the TSC and the CPU frequency are enumerated by CPUID or MSRs and the CPU supports TSC deadline timer. If the CPU does not support TSC deadline timer the local APIC timer frequency has to be known as well. 
Some Ryzen machines do not advertise legacy timers, but there is no reliable way to determine the bus frequency which feeds the local APIC timer when the machine allows overclocking of that frequency. As there is no legacy timer the local APIC timer calibration crashes due to a NULL pointer dereference when accessing the uninstalled global clock event device. Switch the calibration loop to a non-interrupt-based one, which polls either TSC (if frequency is known) or jiffies. The latter requires a global clockevent. As the machines which do not have a global clockevent installed have a known TSC frequency this is a non-issue. For older machines where TSC frequency is not known, there is no known case where the legacy timers do not exist as that would have been reported long ago. Reported-by: Daniel Drake Reported-by: Jiri Slaby Signed-off-by: Thomas Gleixner Tested-by: Daniel Drake Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1908091443030.21433@nanos.tec.linutronix.de Link: http://bugzilla.opensuse.org/show_bug.cgi?id=1142926#c12 Signed-off-by: Greg Kroah-Hartman commit 60d4af6a0e5f1c608b5c606f4098d040fa6d0012 Author: Sean Christopherson Date: Thu Aug 22 14:11:22 2019 -0700 x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386 commit b63f20a778c88b6a04458ed6ffc69da953d3a109 upstream. Use 'lea' instead of 'add' when adjusting %rsp in CALL_NOSPEC so as to avoid clobbering flags. KVM's emulator makes indirect calls into a jump table of sorts, where the destination of the CALL_NOSPEC is a small blob of code that performs fast emulation by executing the target instruction with fixed operands. adcb_al_dl: 0x000339f8 <+0>: adc %dl,%al 0x000339fa <+2>: ret A major motivation for doing fast emulation is to leverage the CPU to handle consumption and manipulation of arithmetic flags, i.e. RFLAGS is both an input and output to the target of CALL_NOSPEC. Clobbering flags results in all sorts of incorrect emulation, e.g.
Jcc instructions often take the wrong path. Sans the nops... asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n" 0x0003595a <+58>: mov 0xc0(%ebx),%eax 0x00035960 <+64>: mov 0x60(%ebx),%edx 0x00035963 <+67>: mov 0x90(%ebx),%ecx 0x00035969 <+73>: push %edi 0x0003596a <+74>: popf 0x0003596b <+75>: call *%esi 0x000359a0 <+128>: pushf 0x000359a1 <+129>: pop %edi 0x000359a2 <+130>: mov %eax,0xc0(%ebx) 0x000359b1 <+145>: mov %edx,0x60(%ebx) ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK); 0x000359a8 <+136>: mov -0x10(%ebp),%eax 0x000359ab <+139>: and $0x8d5,%edi 0x000359b4 <+148>: and $0xfffff72a,%eax 0x000359b9 <+153>: or %eax,%edi 0x000359bd <+157>: mov %edi,0x4(%ebx) For the most part this has gone unnoticed as emulation of guest code that can trigger fast emulation is effectively limited to MMIO when running on modern hardware, and MMIO is rarely, if ever, accessed by instructions that affect or consume flags. Breakage is almost instantaneous when running with unrestricted guest disabled, in which case KVM must emulate all instructions when the guest has invalid state, e.g. when the guest is in Big Real Mode during early BIOS. Fixes: 776b043848fd2 ("x86/retpoline: Add initial retpoline support") Fixes: 1a29b5b7f347a ("KVM: x86: Make indirect calls in emulator speculation safe") Signed-off-by: Sean Christopherson Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190822211122.27579-1-sean.j.christopherson@intel.com Signed-off-by: Greg Kroah-Hartman commit accdfad7aed6226d224aaac30fd1208c63198fd7 Author: Oleg Nesterov Date: Sat Aug 24 17:54:56 2019 -0700 userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx commit 46d0b24c5ee10a15dfb25e20642f5a5ed59c5003 upstream. userfaultfd_release() should clear vm_flags/vm_userfaultfd_ctx even if mm->core_state != NULL. 
Otherwise a page fault can see userfaultfd_missing() == T and use an already freed userfaultfd_ctx. Link: http://lkml.kernel.org/r/20190820160237.GB4983@redhat.com Fixes: 04f5866e41fb ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping") Signed-off-by: Oleg Nesterov Reported-by: Kefeng Wang Reviewed-by: Andrea Arcangeli Tested-by: Kefeng Wang Cc: Peter Xu Cc: Mike Rapoport Cc: Jann Horn Cc: Jason Gunthorpe Cc: Michal Hocko Cc: Tetsuo Handa Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1069617a56d70147a6cb0a3658110c8e7891fb7c Author: Dexuan Cui Date: Tue May 7 07:46:55 2019 +0000 Drivers: hv: vmbus: Fix virt_to_hvpfn() for X86_PAE commit a9fc4340aee041dd186d1fb8f1b5d1e9caf28212 upstream. In the case of X86_PAE, unsigned long is u32, but the physical address type should be u64. Due to the bug here, the netvsc driver can not load successfully, and sometimes the VM can panic due to memory corruption (the hypervisor writes data to the wrong location). Fixes: 6ba34171bcbd ("Drivers: hv: vmbus: Remove use of slow_virt_to_phys()") Cc: stable@vger.kernel.org Cc: Michael Kelley Reported-and-tested-by: Juliana Rodrigueiro Signed-off-by: Dexuan Cui Reviewed-by: Michael Kelley Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit a7ef13769f73ff5b5261d277d703b213f3a92b77 Author: Bartosz Golaszewski Date: Tue Aug 6 13:41:51 2019 +0200 gpiolib: never report open-drain/source lines as 'input' to user-space commit 2c60e6b5c9241b24b8b523fefd3e44fb85622cda upstream. If the driver doesn't support open-drain/source config options, we emulate this behavior when setting the direction by calling gpiod_direction_input() if the default value is 0 (open-source) or 1 (open-drain), thus not actively driving the line in those cases. 
This however clears the FLAG_IS_OUT bit for the GPIO line descriptor and makes the LINEINFO ioctl() incorrectly report this line's mode as 'input' to user-space. This commit modifies the ioctl() to always set the GPIOLINE_FLAG_IS_OUT bit in the lineinfo structure's flags field. Since it's impossible to use the input mode and open-drain/source options at the same time, we can be sure the reported information will be correct. Fixes: 521a2ad6f862 ("gpio: add userspace ABI for GPIO line information") Cc: stable Signed-off-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20190806114151.17652-1-brgl@bgdev.pl Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit b3b7c576df8904afa354ce012c0009848f908489 Author: Adrian Hunter Date: Wed Aug 14 15:59:50 2019 +0300 scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm() commit 7c7cfdcf7f1777c7376fc9a239980de04b6b5ea1 upstream. Fix the following BUG: [ 187.065689] BUG: kernel NULL pointer dereference, address: 000000000000001c [ 187.065790] RIP: 0010:ufshcd_vreg_set_hpm+0x3c/0x110 [ufshcd_core] [ 187.065938] Call Trace: [ 187.065959] ufshcd_resume+0x72/0x290 [ufshcd_core] [ 187.065980] ufshcd_system_resume+0x54/0x140 [ufshcd_core] [ 187.065993] ? pci_pm_restore+0xb0/0xb0 [ 187.066005] ufshcd_pci_resume+0x15/0x20 [ufshcd_pci] [ 187.066017] pci_pm_thaw+0x4c/0x90 [ 187.066030] dpm_run_callback+0x5b/0x150 [ 187.066043] device_resume+0x11b/0x220 Voltage regulators are optional, so functions must check they exist before dereferencing. Note this issue is hidden if CONFIG_REGULATORS is not set, because the offending code is optimised away. Notes for stable: The issue first appears in commit 57d104c153d3 ("ufs: add UFS power management support") but is inadvertently fixed in commit 60f0187031c0 ("scsi: ufs: disable vccq if it's not needed by UFS device") which in turn was reverted by commit 730679817d83 ("Revert "scsi: ufs: disable vccq if it's not needed by UFS device""). 
So the fix applies to v3.18 through v4.5 and to v5.1+ Fixes: 57d104c153d3 ("ufs: add UFS power management support") Fixes: 730679817d83 ("Revert "scsi: ufs: disable vccq if it's not needed by UFS device"") Cc: stable@vger.kernel.org Signed-off-by: Adrian Hunter Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit aaf36ec5aa67658e15ff67832f5b63aab42e6b69 Author: Lyude Paul Date: Thu Jul 25 15:40:01 2019 -0400 drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX commit c358ebf59634f06d8ed176da651ec150df3c8686 upstream. While I had thought I had fixed this issue in: commit 342406e4fbba ("drm/nouveau/i2c: Disable i2c bus access after ->fini()") It turns out that while I did fix the error messages I was seeing on my P50 when trying to access i2c busses with the GPU in runtime suspend, I accidentally had missed one important detail that was mentioned on the bug report this commit was supposed to fix: that the CPU would only lock up when trying to access i2c busses _on connected devices_ _while the GPU is not in runtime suspend_. Whoops. That definitely explains why I was not able to get my machine to hang with i2c bus interactions until now, as plugging my P50 into its dock with an HDMI monitor connected allowed me to finally reproduce this locally. Now that I have managed to reproduce this issue properly, it looks like the problem is much simpler than it looks.
It turns out that some connected devices, such as MST laptop docks, will actually ACK i2c reads even if no data was actually read: [ 275.063043] nouveau 0000:01:00.0: i2c: aux 000a: 1: 0000004c 1 [ 275.063447] nouveau 0000:01:00.0: i2c: aux 000a: 00 01101000 10040000 [ 275.063759] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000001 [ 275.064024] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000 [ 275.064285] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000 [ 275.064594] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000 Because we don't handle the situation of i2c ack without any data, we end up entering an infinite loop in nvkm_i2c_aux_i2c_xfer() since the value of cnt always remains at 0. This finally properly explains how this could result in a CPU hang like the ones observed in the aforementioned commit. So, fix this by retrying transactions if no data is written or received, and give up and fail the transaction if we continue to not write or receive any data after 32 retries. Signed-off-by: Lyude Paul Cc: stable@vger.kernel.org Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit be85d2279c5c669f5b18e44951f2f6faf71922cf Author: Alex Deucher Date: Thu Aug 15 08:27:09 2019 -0500 drm/amdgpu/gfx9: update pg_flags after determining if gfx off is possible commit 98f58ada2d37e68125c056f1fc005748251879c2 upstream. We need to set certain power gating flags after we determine if the firmware version is sufficient to support gfxoff. Previously we set the pg flags in early init, but later we might have disabled gfxoff if the firmware versions didn't support it. Move adding the additional pg flags after we determine whether or not to support gfxoff.
Fixes: 005440066f92 ("drm/amdgpu: enable gfxoff again on raven series (v2)") Tested-by: Kai-Heng Feng Tested-by: Tom St Denis Signed-off-by: Alex Deucher Cc: Kai-Heng Feng Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 9d87603371b7f8ba5eb948ad22dd186da753a2c6 Author: Ilya Dryomov Date: Tue Aug 20 16:40:33 2019 +0200 libceph: fix PG split vs OSD (re)connect race commit a561372405cf6bc6f14239b3a9e57bb39f2788b0 upstream. We can't rely on ->peer_features in calc_target() because it may be called both when the OSD session is established and open and when it's not. ->peer_features is not valid unless the OSD session is open. If this happens on a PG split (pg_num increase), that could mean we don't resend a request that should have been resent, hanging the client indefinitely. In userspace this was fixed by looking at require_osd_release and get_xinfo[osd].features fields of the osdmap. However these fields belong to the OSD section of the osdmap, which the kernel doesn't decode (only the client section is decoded). Instead, let's drop this feature check. It effectively checks for luminous, so only pre-luminous OSDs would be affected in that on a PG split the kernel might resend a request that should not have been resent. Duplicates can occur in other scenarios, so both sides should already be prepared for them: see dup/replay logic on the OSD side and retry_attempt check on the client side. Cc: stable@vger.kernel.org Fixes: 7de030d6b10a ("libceph: resend on PG splits if OSD has RESEND_ON_SPLIT") Link: https://tracker.ceph.com/issues/41162 Reported-by: Jerry Lee Signed-off-by: Ilya Dryomov Tested-by: Jerry Lee Reviewed-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit bfb7dd36f7b9f3e9ef73aa88c5132f326cbcfc8b Author: Jeff Layton Date: Thu Aug 15 06:23:38 2019 -0400 ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply commit 28a282616f56990547b9dcd5c6fbd2001344664c upstream. 
When ceph_mdsc_do_request returns an error, we can't assume that the filelock_reply pointer will be set. Only try to fetch fields out of the r_reply_info when it returns success. Cc: stable@vger.kernel.org Reported-by: Hector Martin Signed-off-by: Jeff Layton Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit a927f8a9dfd526ff80bb20249af478a194a2d974 Author: Erqi Chen Date: Wed Jul 24 10:26:09 2019 +0800 ceph: clear page dirty before invalidate page commit c95f1c5f436badb9bb87e9b30fd573f6b3d59423 upstream. clear_page_dirty_for_io(page) before mapping->a_ops->invalidatepage(). invalidatepage() clears page's private flag, if dirty flag is not cleared, the page may cause BUG_ON failure in ceph_set_page_dirty(). Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/40862 Signed-off-by: Erqi Chen Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit e9e5f8e96fe63dbf4b023e1d9ff7cd4fd5fd810e Author: Dinh Nguyen Date: Wed Aug 14 10:30:14 2019 -0500 clk: socfpga: stratix10: fix rate caclulationg for cnt_clks commit c7ec75ea4d5316518adc87224e3cff47192579e7 upstream. Checking bypass_reg is incorrect for calculating the cnt_clk rates. Instead we should be checking that there is a proper hardware register that holds the clock divider. Cc: stable@vger.kernel.org Signed-off-by: Dinh Nguyen Link: https://lkml.kernel.org/r/20190814153014.12962-1-dinguyen@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 328380940d3ab433ee3d60451cb6072cb041b76b Author: Mikulas Patocka Date: Thu Aug 8 05:40:04 2019 -0400 Revert "dm bufio: fix deadlock with loop device" commit cf3591ef832915892f2499b7e54b51d4c578b28c upstream. Revert the commit bd293d071ffe65e645b4d8104f9d8fe15ea13862. The proper fix has been made available with commit d0a255e795ab ("loop: set PF_MEMALLOC_NOIO for the worker thread"). 
Note that the fix offered by commit bd293d071ffe doesn't really prevent the deadlock from occurring - if we look at the stacktrace reported by Junxiao Bi, we see that it hangs in bit_wait_io and not on the mutex - i.e. it has already successfully taken the mutex. Changing the mutex from mutex_lock to mutex_trylock won't help with deadlocks that happen afterwards. PID: 474 TASK: ffff8813e11f4600 CPU: 10 COMMAND: "kswapd0" #0 [ffff8813dedfb938] __schedule at ffffffff8173f405 #1 [ffff8813dedfb990] schedule at ffffffff8173fa27 #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186 #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8 #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81 #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio] #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio] #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio] #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778 #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f #13 [ffff8813dedfbec0] kthread at ffffffff810a8428 #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242 Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Fixes: bd293d071ffe ("dm bufio: fix deadlock with loop device") Depends-on: d0a255e795ab ("loop: set PF_MEMALLOC_NOIO for the worker thread") Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 2ad350fb4c924f611d174e2b0da4edba8a6e430a Author: Paolo Bonzini Date: Thu Aug 15 09:43:32 2019 +0200 Revert "KVM: x86/mmu: Zap only the relevant pages when removing a memslot" commit d012a06ab1d23178fc6856d8d2161fbcc4dd8ebd upstream. This reverts commit 4e103134b862314dc2f2f18f2fb0ab972adc3f5f. Alex Williamson reported regressions with device assignment with this patch.
Even though the bug is probably elsewhere and still latent, this is needed to fix the regression. Fixes: 4e103134b862 ("KVM: x86/mmu: Zap only the relevant pages when removing a memslot", 2019-02-05) Reported-by: Alex Willamson Cc: stable@vger.kernel.org Cc: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 24c5a3d468b236557f67437394b037e4d0484e4a Author: Jason Gerecke Date: Wed Aug 7 14:11:55 2019 -0700 HID: wacom: Correct distance scale for 2nd-gen Intuos devices commit b72fb1dcd2ea9d29417711cb302cef3006fa8d5a upstream. Distance values reported by 2nd-gen Intuos tablets are on an inverted scale (0 == far, 63 == near). We need to change them over to a normal scale before reporting to userspace or else userspace drivers and applications can get confused. Ref: https://github.com/linuxwacom/input-wacom/issues/98 Fixes: eda01dab53 ("HID: wacom: Add four new Intuos devices") Signed-off-by: Jason Gerecke Cc: # v4.4+ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit ccdca005c5a3d389cf4c476bd0cd9575cc1b2b16 Author: Aaron Armstrong Skomra Date: Fri Aug 16 12:00:54 2019 -0700 HID: wacom: correct misreported EKR ring values commit fcf887e7caaa813eea821d11bf2b7619a37df37a upstream. The EKR ring claims a range of 0 to 71 but actually reports values 1 to 72. The ring is used in relative mode so this change should not affect users. 
Signed-off-by: Aaron Armstrong Skomra Fixes: 72b236d60218f ("HID: wacom: Add support for Express Key Remote.") Cc: # v4.3+ Reviewed-by: Ping Cheng Reviewed-by: Jason Gerecke Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 89b925e7361072d544640094148285e5ebfcd2af Author: Johannes Berg Date: Wed Jun 12 11:09:58 2019 +0200 iwlwifi: mvm: disable TX-AMSDU on older NICs [ Upstream commit cfb21b11b891b08b79be07be57c40a85bb926668 ] On older NICs, we occasionally see issues with A-MSDU support, where the commands in the FIFO get confused and then we see an assert EDC because the next command in the FIFO isn't TX. We've tried to isolate this issue and understand where it comes from, but haven't found any errors in building the A-MSDU in software. At least for now, disable A-MSDU support on older hardware so that users can use it again without fearing the assert. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=203315. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 6c64df9469095e01a475a7f9005f15d62a4f0981 Author: Naresh Kamboju Date: Wed Aug 7 13:58:14 2019 +0000 selftests: kvm: Adding config fragments [ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ] The KVM selftest cases need prerequisite kernel configs for the tests to pass. Signed-off-by: Naresh Kamboju Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit b53832252a6866569a6565f65a80685a266c4a26 Author: Marc Zyngier Date: Mon Aug 5 10:34:51 2019 +0100 KVM: arm: Don't write junk to CP15 registers on reset [ Upstream commit c69509c70aa45a8c4954c88c629a64acf4ee4a36 ] At the moment, the way we reset CP15 registers is mildly insane: We write junk to them, call the reset functions, and then check that we have something else in them. The "fun" thing is that this can happen while the guest is running (PSCI, for example).
If anything in KVM has to evaluate the state of a CP15 register while junk is in there, bad things may happen. Let's stop doing that. Instead, we track that we have called a reset function for that register, and assume that the reset function has done something. In the end, the very need of this reset check is pretty dubious, as it doesn't check everything (a lot of the CP15 regs live outside of the cp15_regs[] array). It may well be axed in the near future. Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 9b2b6603766b7e7376d1081b21b86e3e4d2267b0 Author: Marc Zyngier Date: Mon Aug 5 10:34:51 2019 +0100 KVM: arm64: Don't write junk to sysregs on reset [ Upstream commit 03fdfb2690099c19160a3f2c5b77db60b3afeded ] At the moment, the way we reset system registers is mildly insane: We write junk to them, call the reset functions, and then check that we have something else in them. The "fun" thing is that this can happen while the guest is running (PSCI, for example). If anything in KVM has to evaluate the state of a system register while junk is in there, bad things may happen. Let's stop doing that. Instead, we track that we have called a reset function for that register, and assume that the reset function has done something. This requires fixing a couple of sysreg refinition in the trap table. In the end, the very need of this reset check is pretty dubious, as it doesn't check everything (a lot of the sysregs live outside of the sys_regs[] array). It may well be axed in the near future. Tested-by: Zenghui Yu Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 2590622af1a66736069af6e4a35e316f4b05953d Author: Paul Walmsley Date: Thu Aug 8 15:36:44 2019 -0700 dt-bindings: riscv: fix the schema compatible string for the HiFive Unleashed board [ Upstream commit b390e0bfd2996f1215231395f4e25a4c011eeaf9 ] The YAML binding document for SiFive boards has an incorrect compatible string for the HiFive Unleashed board.
Change it to match the name of the board on the SiFive web site: https://www.sifive.com/boards/hifive-unleashed which also matches the contents of the board DT data file: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts#n13 Signed-off-by: Paul Walmsley Acked-by: Rob Herring Signed-off-by: Sasha Levin commit 9941192b06ecf15f2a03189c0f95e816334a7341 Author: Jin Yao Date: Mon Jul 29 15:27:55 2019 +0800 perf pmu-events: Fix missing "cpu_clk_unhalted.core" event [ Upstream commit 8e6e5bea2e34c61291d00cb3f47560341aa84bc3 ] The events defined in pmu-events JSON are parsed and added into perf tool. For fixed counters, we handle the encodings between JSON and perf by using a static array fixed[]. But the fixed[] has missed an important event "cpu_clk_unhalted.core". For example, on the Tremont platform, [root@localhost ~]# perf stat -e cpu_clk_unhalted.core -a event syntax error: 'cpu_clk_unhalted.core' \___ parser error With this patch, the event cpu_clk_unhalted.core can be parsed. [root@localhost perf]# ./perf stat -e cpu_clk_unhalted.core -a -vvv ------------------------------------------------------------ perf_event_attr: type 4 size 112 config 0x3c sample_type IDENTIFIER read_format TOTAL_TIME_ENABLED|TOTAL_TIME_RUNNING disabled 1 inherit 1 exclude_guest 1 ------------------------------------------------------------ ... 
Signed-off-by: Jin Yao Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jin Yao Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/20190729072755.2166-1-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 40db83cb0c861f4cb64b7c2bf5baccca834bea39 Author: He Zhe Date: Fri Aug 2 16:29:52 2019 +0800 perf cpumap: Fix writing to illegal memory in handling cpumap mask [ Upstream commit 5f5e25f1c7933a6e1673515c0b1d5acd82fea1ed ] cpu_map__snprint_mask() would write to illegal memory pointed by zalloc(0) when there is only one cpu. This patch fixes the calculation and adds sanity check against the input parameters. Signed-off-by: He Zhe Cc: Alexander Shishkin Cc: Alexey Budankov Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Fixes: 4400ac8a9a90 ("perf cpumap: Introduce cpu_map__snprint_mask()") Link: http://lkml.kernel.org/r/1564734592-15624-2-git-send-email-zhe.he@windriver.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit dcd75c90dec1d69d22211bdf5d0faf03fd51b9b7 Author: He Zhe Date: Fri Aug 2 16:29:51 2019 +0800 perf ftrace: Fix failure to set cpumask when only one cpu is present [ Upstream commit cf30ae726c011e0372fd4c2d588466c8b50a8907 ] The buffer containing the string used to set cpumask is overwritten at the end of the string later in cpu_map__snprint_mask due to not enough memory space, when there is only one cpu. And thus causes the following failure: $ perf ftrace ls failed to reset ftrace $ This patch fixes the calculation of the cpumask string size. 
Signed-off-by: He Zhe Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Alexey Budankov Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Fixes: dc23103278c5 ("perf ftrace: Add support for -a and -C option") Link: http://lkml.kernel.org/r/1564734592-15624-1-git-send-email-zhe.he@windriver.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 371879acb44ece108ad1efbbbbf61fc75a08eee9 Author: Paolo Valente Date: Wed Aug 7 19:21:11 2019 +0200 block, bfq: handle NULL return value by bfq_init_rq() [ Upstream commit fd03177c33b287c6541f4048f1d67b7b45a1abc9 ] As reported in [1], the call bfq_init_rq(rq) may return NULL in case of OOM (in particular, if rq->elv.icq is NULL because memory allocation failed in ioc_create_icq()). This commit handles this circumstance. [1] https://lkml.org/lkml/2019/7/22/824 Cc: Hsin-Yi Wang Cc: Nicolas Boichat Cc: Doug Anderson Reported-by: Guenter Roeck Reported-by: Hsin-Yi Wang Reviewed-by: Guenter Roeck Signed-off-by: Paolo Valente Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6bfd59d9913325b96f9db14e60fc328e81c656e7 Author: He Zhe Date: Thu Aug 8 11:09:54 2019 +0800 block: aoe: Fix kernel crash due to atomic sleep when exiting [ Upstream commit 430380b4637aec646996b4aef67ad417593923b2 ] Since commit 3582dd291788 ("aoe: convert aoeblk to blk-mq"), aoedev_downdev has had the possibility of sleeping and causing the following crash. BUG: scheduling while atomic: rmmod/2242/0x00000003 Modules linked in: aoe Preemption disabled at: [] flush+0x95/0x4a0 [aoe] CPU: 7 PID: 2242 Comm: rmmod Tainted: G I 5.2.3 #1 Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.10.0025.030220091519 03/02/2009 Call Trace: dump_stack+0x4f/0x6a ? flush+0x95/0x4a0 [aoe] __schedule_bug.cold+0x44/0x54 __schedule+0x44f/0x680 schedule+0x44/0xd0 blk_mq_freeze_queue_wait+0x46/0xb0 ?
wait_woken+0x80/0x80 blk_mq_freeze_queue+0x1b/0x20 aoedev_downdev+0x111/0x160 [aoe] flush+0xff/0x4a0 [aoe] aoedev_exit+0x23/0x30 [aoe] aoe_exit+0x35/0x948 [aoe] __se_sys_delete_module+0x183/0x210 __x64_sys_delete_module+0x16/0x20 do_syscall_64+0x4d/0x130 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f24e0043b07 Code: 73 01 c3 48 8b 0d 89 73 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 73 0b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe18f7f1e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f24e0043b07 RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000555c3ecf87c8 RBP: 00007ffe18f7f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 00007f24e00b4ac0 R11: 0000000000000206 R12: 00007ffe18f7f238 R13: 00007ffe18f7f410 R14: 00007ffe18f80e73 R15: 0000555c3ecf8760 This patch, handling in the same way of pass two, unlocks the locks and restart pass one after aoedev_downdev is done. Fixes: 3582dd291788 ("aoe: convert aoeblk to blk-mq") Signed-off-by: He Zhe Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bcc19f380ecc16710e2fc5bafd945c68f719a96c Author: Colin Ian King Date: Mon Jun 24 09:39:59 2019 -0700 drm/vmwgfx: fix memory leak when too many retries have occurred [ Upstream commit 6b7c3b86f0b63134b2ab56508921a0853ffa687a ] Currently when too many retries have occurred there is a memory leak on the allocation for reply on the error return path. Fix this by kfree'ing reply before returning. 
Addresses-Coverity: ("Resource leak") Fixes: a9cd9c044aa9 ("drm/vmwgfx: Add a check to handle host message failure") Signed-off-by: Colin Ian King Reviewed-by: Deepak Rawat Signed-off-by: Deepak Rawat Signed-off-by: Thomas Hellstrom Signed-off-by: Sasha Levin commit 41dddcbf27fd610f31df526e3315c43c0599ea43 Author: Valdis Klētnieks Date: Wed Aug 7 23:27:17 2019 -0400 x86/lib/cpu: Address missing prototypes warning [ Upstream commit 04f5bda84b0712d6f172556a7e8dca9ded5e73b9 ] When building with W=1, warnings about missing prototypes are emitted: CC arch/x86/lib/cpu.o arch/x86/lib/cpu.c:5:14: warning: no previous prototype for 'x86_family' [-Wmissing-prototypes] 5 | unsigned int x86_family(unsigned int sig) | ^~~~~~~~~~ arch/x86/lib/cpu.c:18:14: warning: no previous prototype for 'x86_model' [-Wmissing-prototypes] 18 | unsigned int x86_model(unsigned int sig) | ^~~~~~~~~ arch/x86/lib/cpu.c:33:14: warning: no previous prototype for 'x86_stepping' [-Wmissing-prototypes] 33 | unsigned int x86_stepping(unsigned int sig) | ^~~~~~~~~~~~ Add the proper include file so the prototypes are there. Signed-off-by: Valdis Kletnieks Signed-off-by: Thomas Gleixner Link: https://lkml.kernel.org/r/42513.1565234837@turing-police Signed-off-by: Sasha Levin commit 8e88ef54c22a67cfee0e1b562d93f1a6d0123452 Author: Jens Axboe Date: Wed Aug 7 12:23:57 2019 -0600 libata: add SG safety checks in SFF pio transfers [ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] Abort processing of a command if we run out of mapped data in the SG list. This should never happen, but a previous bug caused it to be possible. Play it safe and attempt to abort nicely if we don't have more SG segments left. 
Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9ba76a5214e41eaa60f0ba7f57870e9faecc1b9a Author: Jens Axboe Date: Wed Aug 7 12:20:52 2019 -0600 libata: have ata_scsi_rw_xlat() fail invalid passthrough requests [ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ] For passthrough requests, libata-scsi takes what the user passes in as gospel. This can be problematic if the user fills in the CDB incorrectly. One example of that is in request sizes. For read/write commands, the CDB contains fields describing the transfer length of the request. These should match with the SG_IO header fields, but libata-scsi currently does no validation of that. Check that the number of blocks in the CDB for passthrough requests matches what was mapped into the request. If the CDB asks for more data than the validated SG_IO header fields, fail the request. Reported-by: Krishna Ram Prakash R Reviewed-by: Kees Cook Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 75d360c01f4822df4c71d65f517bd57a45d8c342 Author: Trond Myklebust Date: Wed Aug 7 07:31:27 2019 -0400 NFSv4: Ensure state recovery handles ETIMEDOUT correctly [ Upstream commit 67e7b52d44e3d539dfbfcd866c3d3d69da23a909 ] Ensure that the state recovery code handles ETIMEDOUT correctly, and also that we set RPC_TASK_TIMEOUT when recovering open state. Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 37f3fc22b32dc4b1e5de475a3e1ead6a071b403d Author: Jiangfeng Xiao Date: Sat Aug 3 20:31:41 2019 +0800 net: hisilicon: Fix dma_map_single failed on arm64 [ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ] On the arm64 platform, executing "ifconfig eth0 up" will fail, returning "ifconfig: SIOCSIFFLAGS: Input/output error." Because ndev->dev is not initialized, dma_map_single->get_dma_ops->dummy_dma_ops->__dummy_map_page returns DMA_ERROR_CODE directly. So when calling dma_map_single, pass the device of the platform_device as the first parameter.
Signed-off-by: Jiangfeng Xiao Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 36ea6d81a99e6f54e994857a55d430ade650a6ee Author: Jiangfeng Xiao Date: Sat Aug 3 20:31:40 2019 +0800 net: hisilicon: fix hip04-xmit never return TX_BUSY [ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ] TX_DESC_NUM is 256, in tx_count, the maximum value of mod(TX_DESC_NUM - 1) is 254, the variable "count" in the hip04_mac_start_xmit function is never equal to (TX_DESC_NUM - 1), so hip04_mac_start_xmit never return NETDEV_TX_BUSY. tx_count is modified to mod(TX_DESC_NUM) so that the maximum value of tx_count can reach (TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn NETDEV_TX_BUSY. Signed-off-by: Jiangfeng Xiao Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9e7a5c2730bdfa554be23119fded0a636505e607 Author: Jiangfeng Xiao Date: Sat Aug 3 20:31:39 2019 +0800 net: hisilicon: make hip04_tx_reclaim non-reentrant [ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ] If hip04_tx_reclaim is interrupted while it is running and then __napi_schedule continues to execute hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs and oops is generated. So you need to mask the interrupt during the hip04_tx_reclaim run. 
The kernel oops exception stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000050 pgd = c0003000 [00000050] *pgd=80000000a04003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd ohci_platform ehci_platform ohci_hcd ehci_hcd vfat fat sd_mod usb_storage scsi_mod usbcore usb_common CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.4.185 #1 Hardware name: Hisilicon A15 task: c0a250e0 task.stack: c0a00000 PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth] LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth] pc : [] lr : [] psr: 600e0313 sp : c0a01d88 ip : 00000000 fp : c0601f9c r10: 00000000 r9 : c3482380 r8 : 00000001 r7 : 00000000 r6 : 000000e1 r5 : c3482000 r4 : 0000000c r3 : f2209800 r2 : 00000000 r1 : 00000000 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 32c5387d Table: 03d28c80 DAC: 55555555 Process swapper/0 (pid: 0, stack limit = 0xc0a00190) Stack: (0xc0a01d88 to 0xc0a02000) [] (hip04_tx_reclaim [hip04_eth]) from [] (hip04_rx_poll+0x88/0x368 [hip04_eth]) [] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x114/0x34c) [] (net_rx_action) from [] (__do_softirq+0x218/0x318) [] (__do_softirq) from [] (irq_exit+0x88/0xac) [] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) [] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148) [] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118) [] (gic_handle_irq) from [] (__irq_svc+0x40/0x58) Exception stack(0xc0a01f30 to 0xc0a01f78) 1f20: c0ae8b40 00000000 00000000 00000000 1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38 1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff [] (__irq_svc) from [] (arch_cpu_idle+0x20/0x3c) [] (arch_cpu_idle) from [] (cpu_startup_entry+0x244/0x29c) [] (cpu_startup_entry) from [] (rest_init+0xc8/0x10c) [] (rest_init) from [] (start_kernel+0x468/0x514) Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5) ---[ end trace 
1db21d6d09c49d74 ]--- Kernel panic - not syncing: Fatal exception in interrupt CPU3: stopping CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D O 4.4.185 #1 Signed-off-by: Jiangfeng Xiao Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 39db6b4e6fa1fe302e2e03aa5054e2c6cfbf0c73 Author: Likun Gao Date: Fri Aug 2 15:18:57 2019 +0800 drm/amdgpu: pin the csb buffer on hw init for gfx v8 [ Upstream commit 72cda9bb5e219aea0f2f62f56ae05198c59022a7 ] Without this pin, the csb buffer will be filled with inconsistent data after S3 resume. That causes a gfx hang on gfxoff exit, since this csb is executed then. Signed-off-by: Likun Gao Tested-by: Paul Gover Reviewed-by: Feifei Xu Reviewed-by: Xiaojie Yuan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 84de7cd06750319006a20404f0493bb4119560c1 Author: Jose Abreu Date: Tue Aug 6 15:16:18 2019 +0200 net: stmmac: tc: Do not return a fragment entry [ Upstream commit 4a6a1385a4db5f42258a40fcd497cbfd22075968 ] Do not try to return a fragment entry from the TC list. Otherwise we may not properly clean allocated entries. Signed-off-by: Jose Abreu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f0d73daeef24d50c596444e881d596ebc2cb1d6b Author: Jose Abreu Date: Tue Aug 6 15:16:17 2019 +0200 net: stmmac: Fix issues when number of Queues >= 4 [ Upstream commit e8df7e8c233a18d2704e37ecff47583b494789d3 ] When queues >= 4 we use different registers but we were not subtracting the offset of 4. Fix this. Found by Coverity. Signed-off-by: Jose Abreu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9474322cadfd0e99eb7b59934a24e147c01015eb Author: Christophe JAILLET Date: Tue Aug 6 10:55:12 2019 +0200 net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' [ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ] A call to 'kfree_skb()' is missing in the error handling path of 'init_one()'. This is already present in 'remove_one()' but is missing here.
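The class of bug described above (an error path that releases less than the normal teardown path) can be illustrated with a small user-space sketch. Everything here is hypothetical: fake_init_one(), fake_remove_one() and the tracked allocator are invented for illustration and are not the cxgb3 code; a plain buffer stands in for the skb.

```c
#include <stdlib.h>

/* Counts live allocations so that a leak becomes observable. */
static int live_allocs;

static void *tracked_alloc(size_t size)
{
	void *p = malloc(size);

	if (p)
		live_allocs++;
	return p;
}

static void tracked_free(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

struct fake_adapter {
	void *regs;
	void *buf;	/* stands in for the preallocated skb */
};

/*
 * Hypothetical probe routine. fail_late simulates an error that occurs
 * after both resources have been acquired.
 */
static int fake_init_one(struct fake_adapter *ad, int fail_late)
{
	ad->regs = tracked_alloc(64);
	if (!ad->regs)
		goto out;

	ad->buf = tracked_alloc(128);
	if (!ad->buf)
		goto out_free_regs;

	if (fail_late)
		goto out_free_buf;

	return 0;

out_free_buf:
	/* The release that must mirror what the remove path does. */
	tracked_free(ad->buf);
	ad->buf = NULL;
out_free_regs:
	tracked_free(ad->regs);
	ad->regs = NULL;
out:
	return -1;
}

/* Normal teardown: releases everything the probe acquired. */
static void fake_remove_one(struct fake_adapter *ad)
{
	tracked_free(ad->buf);
	tracked_free(ad->regs);
	ad->buf = NULL;
	ad->regs = NULL;
}
```

If the out_free_buf label were dropped, a late failure would leave live_allocs at 1, which is the user-space analogue of the leaked skb.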
Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4f339c4018a8ba32886e21ee891565c8c660f00d Author: Gustavo A. R. Silva Date: Tue Aug 6 03:08:08 2019 -0500 ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe [ Upstream commit db341a049ec7e87053c91008cb452d0bfa6dde72 ] Fix the following warning (Building: rb532_defconfig mips): drivers/ata/pata_rb532_cf.c: In function ‘rb532_pata_driver_remove’: drivers/ata/pata_rb532_cf.c:161:24: warning: unused variable ‘info’ [-Wunused-variable] struct rb532_cf_info *info = ah->private_data; ^~~~ Fixes: cd56f35e52d9 ("ata: rb532_cf: Convert to use GPIO descriptors") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 976dcd26cb03303545937c27ed01e9fd5f62ec1b Author: Vasily Gorbik Date: Mon Aug 5 14:25:16 2019 +0200 s390: put _stext and _etext into .text section [ Upstream commit 24350fdadbdec780406a1ef988e6cd3875e374a8 ] Perf relies on _etext and _stext symbols being one of 't', 'T', 'v' or 'V'. Put them into .text section to guarantee that. Also moves padding to page boundary inside .text which has an effect that .text section is now padded with nops rather than 0's, which apparently has been the initial intention for specifying 0x0700 fill expression. Reported-by: Thomas Richter Tested-by: Thomas Richter Suggested-by: Andreas Krebbel Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit d810001f3e92f16229ae57838f9f4554bc5533d5 Author: Vasily Gorbik Date: Fri Jul 26 08:23:20 2019 +0200 s390/mm: fix dump_pagetables top level page table walking [ Upstream commit 8024b5a9fc2bed9a00f0bdba60b443fa3cc4bb5d ] Since commit d1874a0c2805 ("s390/mm: make the pxd_offset functions more robust") behaviour of p4d_offset, pud_offset and pmd_offset has been changed so that they cannot be used to iterate through top level page table, because the index for the top level page table is now calculated in pgd_offset. 
To avoid dumping the very first region/segment top level table entry 2048 times simply iterate entry pointer like it is already done in other page walking cases. Fixes: d1874a0c2805 ("s390/mm: make the pxd_offset functions more robust") Reported-by: Ilya Leoshkevich Reviewed-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 580b216496b67126c2514c81da3b89800abcc042 Author: Vasily Gorbik Date: Fri Aug 2 13:27:22 2019 +0200 s390/protvirt: avoid memory sharing for diag 308 set/store [ Upstream commit a287a49e672d9762bb85de117b477bdf3ef20bd5 ] This reverts commit db9492cef45e ("s390/protvirt: add memory sharing for diag 308 set/store") which due to ultravisor implementation change is not needed after all. Fixes: db9492cef45e ("s390/protvirt: add memory sharing for diag 308 set/store") Reviewed-by: Janosch Frank Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 1f54a9b84956329bacce075f1a98c0e49de0c027 Author: Suren Baghdasaryan Date: Mon Jul 29 18:33:10 2019 -0700 sched/psi: Do not require setsched permission from the trigger creator [ Upstream commit 04e048cf09d7b5fc995817cdc5ae1acd4482429c ] When a process creates a new trigger by writing into /proc/pressure/* files, permissions to write such a file should be used to determine whether the process is allowed to do so or not. Current implementation would also require such a process to have setsched capability. Setting of psi trigger thread's scheduling policy is an implementation detail and should not be exposed to the user level. Remove the permission check by using _nocheck version of the function. 
Suggested-by: Nick Kralevich Signed-off-by: Suren Baghdasaryan Signed-off-by: Peter Zijlstra (Intel) Cc: lizefan@huawei.com Cc: mingo@redhat.com Cc: akpm@linux-foundation.org Cc: kernel-team@android.com Cc: dennisszhou@gmail.com Cc: dennis@kernel.org Cc: hannes@cmpxchg.org Cc: axboe@kernel.dk Link: https://lkml.kernel.org/r/20190730013310.162367-1-surenb@google.com Signed-off-by: Sasha Levin commit 9ea2355c3117cc1e36fe43bbdef2abe101b2aae4 Author: Peter Zijlstra Date: Thu Aug 1 12:41:31 2019 +0200 sched/psi: Reduce psimon FIFO priority [ Upstream commit 14f5c7b46a41a595fc61db37f55721714729e59e ] PSI defaults to a FIFO-99 thread, reduce this to FIFO-1. FIFO-99 is the very highest priority available to SCHED_FIFO and it is not a suitable default; it would indicate the psi work is the most important work on the machine. Since Real-Time tasks will have pre-allocated memory and locked it in place, Real-Time tasks do not care about PSI. All it needs is to be above OTHER. Signed-off-by: Peter Zijlstra (Intel) Acked-by: Johannes Weiner Tested-by: Suren Baghdasaryan Cc: Thomas Gleixner Signed-off-by: Sasha Levin commit a343eca8fd929d86ed50f3978d4e3272cdbb6c37 Author: Dietmar Eggemann Date: Fri Aug 2 15:59:43 2019 +0100 sched/deadline: Fix double accounting of rq/running bw in push & pull [ Upstream commit f4904815f97a934258445a8f763f6b6c48f007e7 ] {push,pull}_dl_task() always calls {de,}activate_task() with .flags=0 which sets p->on_rq=TASK_ON_RQ_MIGRATING. {push,pull}_dl_task()->{de,}activate_task()->{de,en}queue_task()-> {de,en}queue_task_dl() calls {sub,add}_{running,rq}_bw() since p->on_rq==TASK_ON_RQ_MIGRATING. So {sub,add}_{running,rq}_bw() in {push,pull}_dl_task() is double-accounting for that task. Fix it by removing rq/running bw accounting in [push/pull]_dl_task().
Fixes: 7dd778841164 ("sched/core: Unify p->on_rq updates") Signed-off-by: Dietmar Eggemann Signed-off-by: Peter Zijlstra (Intel) Cc: Valentin Schneider Cc: Ingo Molnar Cc: Luca Abeni Cc: Daniel Bristot de Oliveira Cc: Juri Lelli Cc: Qais Yousef Link: https://lkml.kernel.org/r/20190802145945.18702-2-dietmar.eggemann@arm.com Signed-off-by: Sasha Levin commit 4fe7ee5ed9b045c2c8e54bac39daba265aa288e0 Author: Sebastien Tisserant Date: Thu Aug 1 12:06:08 2019 -0500 SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL [ Upstream commit ee9d66182392695535cc9fccfcb40c16f72de2a9 ] Fix a kernel oops when mounting an encryptData CIFS share with CONFIG_DEBUG_VIRTUAL. Signed-off-by: Sebastien Tisserant Reviewed-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Sasha Levin commit efb86f76c6c846d20ebfa0b4c6c44bf8d0ce95b4 Author: Pavel Shilovsky Date: Mon Jul 22 11:38:22 2019 -0700 SMB3: Fix potential memory leak when processing compound chain [ Upstream commit 3edeb4a4146dc3b54d6fa71b7ee0585cb52ebfdf ] When a reconnect happens in the middle of processing a compound chain the code leaks a buffer from the memory pool. Fix this by properly checking for a return code and freeing buffers in case of error. Also maintain a buf variable to be equal to either smallbuf or bigbuf depending on a response buffer size while parsing a chain and when returning to the caller. Signed-off-by: Pavel Shilovsky Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 6dfb0916b1fd1a384b87576984091c5c8567dff2 Author: Douglas Anderson Date: Fri Aug 2 11:46:16 2019 -0700 drm/rockchip: Suspend DP late [ Upstream commit f7ccbed656f78212593ca965d9a8f34bf24e0aab ] In commit fe64ba5c6323 ("drm/rockchip: Resume DP early") we moved resume to be early but left suspend at its normal time. This seems like it could be OK, but causes problems if a suspend gets interrupted partway through. The OS only balances matching suspend/resume levels.
...so if suspend was called then resume will be called. If suspend late was called then resume early will be called. ...but if suspend was called resume early might not get called. This leads to an imbalance in the clock enables / disables. Let's take the simple fix and just move suspend to be late to match. This makes the PM core take proper care in keeping things balanced. Fixes: fe64ba5c6323 ("drm/rockchip: Resume DP early") Signed-off-by: Douglas Anderson Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20190802184616.44822-1-dianders@chromium.org Signed-off-by: Sasha Levin commit ef411a41d35a0dd5dfb5ca0f900fc4ceac3af5a7 Author: Nicolas Saenz Julienne Date: Tue Jun 11 14:13:20 2019 +0200 HID: input: fix a4tech horizontal wheel custom usage [ Upstream commit 1c703b53e5bfb5c2205c30f0fb157ce271fd42fb ] Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether the previous wheel report was horizontal or vertical. Before c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this usage was being mapped to 'Relative.Misc'. After the patch it's simply ignored (usage->type == 0 & usage->code == 0), which ultimately makes hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no usage->type. We shouldn't rely on a mapping for that usage as it's nonstandard and doesn't really map to an input event. So we bypass the mapping and make sure the custom event handling properly handles both reports. Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit b6f61042d3c523cf77943a9f463e0542d94b010c Author: István Váradi Date: Wed Jul 24 20:09:18 2019 +0200 HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52 [ Upstream commit 7bc74853fd61432ec59f812a40425bf6d8c986a4 ] The Saitek X52 joystick has a pair of axes that are originally (by the Windows driver) used as mouse pointer controls.
The corresponding usage->hid values are 0x50024 and 0x50026. Thus they are handled as unknown axes and both get mapped to ABS_MISC. The quirk maps the second axis to ABS_MISC1, which makes it available separately. [jkosina@suse.cz: squashed two patches into one] Signed-off-by: István Váradi Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 3055b274a1412fabd36395e880ceafad9f7f73c7 Author: Trond Myklebust Date: Sat Aug 3 13:39:24 2019 -0400 NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts [ Upstream commit dea1bb35c5f35e0577cfc61f79261d80b8715221 ] People are reporting fscache errors concerning duplicate cookies even in cases where they are not setting up fscache at all. The rule needs to be that if fscache is not enabled, then it should have no side effects at all. To ensure this is the case, we disable fscache completely on all superblocks for which the 'fsc' mount option was not set. In order to avoid issues with '-oremount', we also disable the ability to turn fscache on via remount.
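The double accounting described above can be modelled with a toy example. This is only a sketch under stated assumptions: toy_rq, toy_task and the toy_* functions are hypothetical, and a single running_bw counter stands in for the rq/running bandwidth bookkeeping.

```c
/* Hypothetical, heavily simplified runqueue and task. */
struct toy_rq {
	long running_bw;
};

struct toy_task {
	long bw;
	int migrating;	/* models p->on_rq == TASK_ON_RQ_MIGRATING */
};

/* The dequeue/enqueue paths already account bandwidth for migrating tasks. */
static void toy_dequeue(struct toy_rq *rq, struct toy_task *p)
{
	if (p->migrating)
		rq->running_bw -= p->bw;
}

static void toy_enqueue(struct toy_rq *rq, struct toy_task *p)
{
	if (p->migrating)
		rq->running_bw += p->bw;
}

/*
 * Move p from src to dst. With account_in_caller set, the caller repeats
 * the accounting that dequeue/enqueue already perform, which models the
 * double-accounting bug; with it clear, the bandwidth moves exactly once.
 */
static void toy_push(struct toy_rq *src, struct toy_rq *dst,
		     struct toy_task *p, int account_in_caller)
{
	p->migrating = 1;

	if (account_in_caller)
		src->running_bw -= p->bw;
	toy_dequeue(src, p);

	toy_enqueue(dst, p);
	if (account_in_caller)
		dst->running_bw += p->bw;

	p->migrating = 0;
}
```

Starting from a source queue holding one task with bandwidth 100, the buggy variant leaves the source at -100 and the destination at 200, while the fixed variant leaves them at 0 and 100.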
Fixes: f1fe29b4a02d ("NFS: Use i_writecount to control whether...") Link: https://bugzilla.kernel.org/show_bug.cgi?id=200145 Signed-off-by: Trond Myklebust Cc: Steve Dickson Cc: David Howells Signed-off-by: Sasha Levin commit 83d99ded4b1d799e1f7f75d6558a5cf1c4e4ef69 Author: Trond Myklebust Date: Sat Aug 3 10:11:27 2019 -0400 NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() [ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ] John Hubbard reports seeing the following stack trace: nfs4_do_reclaim rcu_read_lock /* we are now in_atomic() and must not sleep */ nfs4_purge_state_owners nfs4_free_state_owner nfs4_destroy_seqid_counter rpc_destroy_wait_queue cancel_delayed_work_sync __cancel_work_timer __flush_work start_flush_work might_sleep: (kernel/workqueue.c:2975: BUG) The solution is to separate out the freeing of the state owners from nfs4_purge_state_owners(), and perform that outside the atomic context. Reported-by: John Hubbard Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 55a76b7b9a5c987996fbc3464dd6552b98e0edfa Author: Trond Myklebust Date: Fri Jul 26 14:40:53 2019 +0100 NFSv4.1: Only reap expired delegations [ Upstream commit ad11408970df79d5f481aa9964e91f183133424c ] Fix nfs_reap_expired_delegations() to ensure that we only reap delegations that are actually expired, rather than triggering on random errors. Fixes: 45870d6909d5a ("NFSv4.1: Test delegation stateids when server...") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 00cfd19b4aab5fcb4be629e43224501d9ef7465c Author: Trond Myklebust Date: Mon Jul 22 18:32:59 2019 +0100 NFSv4.1: Fix open stateid recovery [ Upstream commit 27a30cf64a5cbe2105e4ff9613246b32d584766a ] The logic for checking in nfs41_check_open_stateid() whether the state is supported by a delegation is inverted. In addition, it makes more sense to perform that check before we check for expired locks. 
Fixes: 8a64c4ef106d1 ("NFSv4.1: Even if the stateid is OK,...") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 5ebc4cb0531545d87d3163377549bcef86f552d0 Author: Trond Myklebust Date: Mon Jul 22 09:54:29 2019 +0100 NFSv4: When recovering state fails with EAGAIN, retry the same recovery [ Upstream commit c34fae003c79570b6c930b425fea3f0b7b1e7056 ] If the server returns with EAGAIN when we're trying to recover from a server reboot, we currently delay for 1 second, but then mark the stateid as needing recovery after the grace period has expired. Instead, we should just retry the same recovery process immediately after the 1 second delay. Break out of the loop after 10 retries. Fixes: 35a61606a612 ("NFS: Reduce indentation of the switch statement...") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 8c0391db53efffb30913c06367f1b3793fc3ba18 Author: Trond Myklebust Date: Fri Jul 19 13:48:44 2019 -0400 NFSv4: Fix a credential refcount leak in nfs41_check_delegation_stateid [ Upstream commit 8c39a39e28b86a4021d9be314ce01019bafa5fdc ] It is unsafe to dereference delegation outside the rcu lock, and in any case, the refcount is guaranteed held if cred is non-zero. 
Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 1cfb3722bb57d257148c77f87468c19eeaa852a2 Author: YueHaibing Date: Thu Aug 1 09:24:19 2019 +0800 enetc: Select PHYLIB while CONFIG_FSL_ENETC_VF is set [ Upstream commit 2802d2cf24b1ca7ea4c54dde266ded6a16020eb5 ] Like FSL_ENETC, when CONFIG_FSL_ENETC_VF is set, we should select PHYLIB, otherwise building still fails: drivers/net/ethernet/freescale/enetc/enetc.o: In function `enetc_open': enetc.c:(.text+0x2744): undefined reference to `phy_start' enetc.c:(.text+0x282c): undefined reference to `phy_disconnect' drivers/net/ethernet/freescale/enetc/enetc.o: In function `enetc_close': enetc.c:(.text+0x28f8): undefined reference to `phy_stop' enetc.c:(.text+0x2904): undefined reference to `phy_disconnect' drivers/net/ethernet/freescale/enetc/enetc_ethtool.o:(.rodata+0x3f8): undefined reference to `phy_ethtool_get_link_ksettings' drivers/net/ethernet/freescale/enetc/enetc_ethtool.o:(.rodata+0x400): undefined reference to `phy_ethtool_set_link_ksettings' Reported-by: Hulk Robot Fixes: d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers") Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bf92682c476b7e9d36564ca518dad1a03c67639d Author: Wang Xiayang Date: Wed Jul 31 16:15:42 2019 +0800 net/ethernet/qlogic/qed: force the string buffer NULL-terminated [ Upstream commit 3690c8c9a8edff0db077a38783112d8fe12a7dd2 ] strncpy() does not ensure NULL-termination when the input string size equals the destination buffer size 30. The output string is passed to qed_int_deassertion_aeu_bit() which calls DP_INFO() and relies on NULL-termination. Use strlcpy instead. The other conditional branch above strncpy() needs no fix as snprintf() ensures NULL-termination. This issue is identified by a Coccinelle script. Signed-off-by: Wang Xiayang Signed-off-by: David S.
Miller Signed-off-by: Sasha Levin commit e9da4fc7d8ec46bec9a5010255fe29047c7040d1 Author: Vijendar Mukunda Date: Fri Aug 2 19:21:23 2019 +0530 ASoC: amd: acp3x: use dma_ops of parent device for acp3x dma driver [ Upstream commit 88639051017fb61a414b636dd0fc490da2b62b64 ] The AMD platform device acp3x_rv_i2s is created by the parent PCI device driver. Pass struct device of the parent to snd_pcm_lib_preallocate_pages() so dma_alloc_coherent() can use correct dma_ops. Otherwise, it will use default dma_ops which is nommu_dma_ops on x86_64 even when IOMMU is enabled and set to non passthrough mode. Signed-off-by: Vijendar Mukunda Link: https://lore.kernel.org/r/1564753899-17124-1-git-send-email-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ac8bf342add99c6e4ffb4b9519444eab22cfa09c Author: Wang Xiayang Date: Wed Jul 31 15:25:59 2019 +0800 can: peak_usb: force the string buffer NULL-terminated [ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ] strncpy() does not ensure NULL-termination when the input string size equals the destination buffer size IFNAMSIZ. The output string is passed to dev_info() which relies on the NULL-termination. Use strlcpy() instead. This issue is identified by a Coccinelle script. Signed-off-by: Wang Xiayang Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 4a17b244620c856d8e421a947295456fa111ea50 Author: Wang Xiayang Date: Wed Jul 31 15:31:14 2019 +0800 can: sja1000: force the string buffer NULL-terminated [ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ] strncpy() does not ensure NULL-termination when the input string size equals the destination buffer size IFNAMSIZ. The output string 'name' is passed to dev_info which relies on NULL-termination. Use strlcpy() instead. This issue is identified by a Coccinelle script.
Signed-off-by: Wang Xiayang Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit c7bc59702fa8b8e324885bb1105da715bbd73042 Author: Jarkko Nikula Date: Thu Aug 1 16:49:01 2019 +0300 spi: pxa2xx: Add support for Intel Tiger Lake [ Upstream commit a4127952859a869cf3fc5a49547dbe2ffa2eac89 ] Intel Tiger Lake -LP LPSS SPI controller is otherwise similar to Cannon Lake but has more controllers and up to two chip selects per controller. Signed-off-by: Jarkko Nikula Link: https://lore.kernel.org/r/20190801134901.12635-1-jarkko.nikula@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8da2ee75f21326e8d064cd45ebe270a803ff98ea Author: Jiri Olsa Date: Thu Aug 1 16:26:42 2019 +0200 perf bench numa: Fix cpu0 binding [ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ] Michael reported an issue with perf bench numa failing with binding to cpu0 with '-0' option. # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd # Running 'numa/mem' benchmark: # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd" binding to node 0, mask: 0000000000000001 => -1 perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed. Aborted (core dumped) This happens when the cpu0 is not part of node0, which is the benchmark assumption and we can see that's not the case for some powerpc servers. Use the correct node for cpu0 binding.
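The strncpy() behaviour described above can be reproduced in user space. The sketch below is illustrative only: bounded_copy() is a hypothetical stand-in with strlcpy()-like semantics, written out because strlcpy() is not available in every C library, and is_terminated() is a helper invented for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical stand-in for strlcpy(): copy at most size - 1 bytes and
 * always NUL-terminate when size > 0. Returns strlen(src), so a return
 * value >= size tells the caller that truncation happened.
 */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);

	if (size > 0) {
		size_t n = len < size - 1 ? len : size - 1;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

/* Returns 1 if buf[0..size) contains a NUL terminator, 0 otherwise. */
static int is_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}
```

Copying the 4-character string "abcd" into a 4-byte buffer with strncpy(dst, "abcd", 4) fills all four bytes and leaves no terminator, whereas bounded_copy() stores "abc" plus the terminator and reports the truncation through its return value.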
Reported-by: Michael Petlan Signed-off-by: Jiri Olsa Cc: Alexander Shishkin Cc: Andi Kleen Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Satheesh Rajendran Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit cbffa423f725abd42deb6c7de452fa0e2c305454 Author: Jia-Ju Bai Date: Tue Jul 30 16:08:13 2019 +0800 net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed() [ Upstream commit 271da132e29b5341c31eca6ba6a72ea1302ebac8 ] In phy_led_trigger_change_speed(), there is an if statement on line 48 to check whether phy->last_triggered is NULL: if (!phy->last_triggered) When phy->last_triggered is NULL, it is used on line 52: led_trigger_event(&phy->last_triggered->trigger, LED_OFF); Thus, a possible null-pointer dereference may occur. To fix this bug, led_trigger_event(&phy->last_triggered->trigger, LED_OFF) is called when phy->last_triggered is not NULL. This bug is found by a static analysis tool STCheck written by the OSLAB group in Tsinghua University. Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e17659fd38cf66f44d54f49a621e1170a575fcbb Author: Juliana Rodrigueiro Date: Wed Jul 31 15:17:23 2019 +0200 isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack [ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ] Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers. During usb probe the driver crashes with "transfer buffer is on stack" message. This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro that calls "usb_control_msg" under the hood. Kernel 4.19 backtrace: usb_hcd_submit_urb+0x3e5/0x900 ? sched_clock+0x9/0x10 ? log_store+0x203/0x270 ? get_random_u32+0x6f/0x90 ? 
cache_alloc_refill+0x784/0x8a0 usb_submit_urb+0x3b4/0x550 usb_start_wait_urb+0x4e/0xd0 usb_control_msg+0xb8/0x120 hfcsusb_probe+0x6bc/0xb40 [hfcsusb] usb_probe_interface+0xc2/0x260 really_probe+0x176/0x280 driver_probe_device+0x49/0x130 __driver_attach+0xa9/0xb0 ? driver_probe_device+0x130/0x130 bus_for_each_dev+0x5a/0x90 driver_attach+0x14/0x20 ? driver_probe_device+0x130/0x130 bus_add_driver+0x157/0x1e0 driver_register+0x51/0xe0 usb_register_driver+0x5d/0x120 ? 0xf81ed000 hfcsusb_drv_init+0x17/0x1000 [hfcsusb] do_one_initcall+0x44/0x190 ? free_unref_page_commit+0x6a/0xd0 do_init_module+0x46/0x1c0 load_module+0x1dc1/0x2400 sys_init_module+0xed/0x120 do_fast_syscall_32+0x7a/0x200 entry_SYSENTER_32+0x6b/0xbe Signed-off-by: Juliana Rodrigueiro Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b7737b00b86d251a55d0825b2817367fca913409 Author: YueHaibing Date: Tue Jul 30 22:29:59 2019 +0800 enetc: Fix build error without PHYLIB [ Upstream commit 5f4e4203add2b860d2345312509a160f8292063b ] If PHYLIB is not set, building enetc fails: drivers/net/ethernet/freescale/enetc/enetc.o: In function `enetc_open': enetc.c: undefined reference to `phy_disconnect' enetc.c: undefined reference to `phy_start' drivers/net/ethernet/freescale/enetc/enetc.o: In function `enetc_close': enetc.c: undefined reference to `phy_stop' enetc.c: undefined reference to `phy_disconnect' drivers/net/ethernet/freescale/enetc/enetc_ethtool.o: undefined reference to `phy_ethtool_get_link_ksettings' drivers/net/ethernet/freescale/enetc/enetc_ethtool.o: undefined reference to `phy_ethtool_set_link_ksettings' drivers/net/ethernet/freescale/enetc/enetc_mdio.o: In function `enetc_mdio_probe': enetc_mdio.c: undefined reference to `mdiobus_alloc_size' enetc_mdio.c: undefined reference to `mdiobus_free' Reported-by: Hulk Robot Fixes: d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers") Signed-off-by: YueHaibing Acked-by: Claudiu Manoil Signed-off-by: David S.
Miller Signed-off-by: Sasha Levin commit 4784684e960a4053453fb9af7005ca04ff494c88 Author: Gregory Greenman Date: Sun Jun 30 09:18:15 2019 +0300 iwlwifi: mvm: send LQ command always ASYNC [ Upstream commit cd4d6b0bcd51580efda9ae54ab7b2d630b4147dc ] The only place where the command was sent as SYNC is during init and this is not really critical. This change is required for replacing RS mutex with a spinlock (in the subsequent patch), since a SYNC command requires sleeping and thus the flow cannot be done when holding a spinlock. Signed-off-by: Gregory Greenman Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 14311a90347b903125ed08b03e4178b0b1d72a00 Author: Johannes Berg Date: Thu Jun 27 09:44:50 2019 +0200 iwlwifi: fix locking in delayed GTK setting [ Upstream commit 6569e7d36773956298ec1d5f4e6a2487913d2752 ] This code clearly never could have worked, since it locks while already locked. Add an unlocked __iwl_mvm_mac_set_key() variant that doesn't do locking to fix that. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 743fa6a7baa82f12bb2936eb5414c85fe58f03ff Author: Shahar S Matityahu Date: Thu Jun 13 15:11:24 2019 +0300 iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef [ Upstream commit abcbef5977df1fb61026ba429964cd6b9a085699 ] The driver should call iwl_dbg_tlv_free even if debugfs is not defined since ini mode does not depend on debugfs ifdef.
Signed-off-by: Shahar S Matityahu Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file") Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 250352ddc2b4c8e709bef227733f1c672e245789 Author: Shahar S Matityahu Date: Thu Jun 13 15:08:24 2019 +0300 iwlwifi: dbg_ini: move iwl_dbg_tlv_load_bin out of debug override ifdef [ Upstream commit 072b30642f90b01d139131ec7bf763778a3a3f41 ] ini debug mode should work even if debug override is not defined. Signed-off-by: Shahar S Matityahu Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file") Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit de0f0564b100e232e9245230b27cd981bb7d59ed Author: Mordechay Goodstein Date: Thu Jun 13 16:34:07 2019 +0300 iwlwifi: mvm: avoid races in rate init and rate perform [ Upstream commit 0f8084cdc1f9d4a6693ef4168167febb0918c6f6 ] Rate perform uses the lq_sta table to calculate the next rate to scale while rate init resets the same table, Rate perform is done in soft irq context in parallel to rate init that can be called in case we are doing changes like AP changes BW or moving state for auth to assoc. Signed-off-by: Mordechay Goodstein Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 505d5fc02a34b21383ece37872a8bcf5e59394e5 Author: Jean Delvare Date: Sun Jul 28 18:42:55 2019 +0200 nvmem: Use the same permissions for eeprom as for nvmem [ Upstream commit e70d8b287301eb6d7c7761c6171c56af62110ea3 ] The compatibility "eeprom" attribute is currently root-only no matter what the configuration says. The "nvmem" attribute does respect the setting of the root_only configuration bit, so do the same for "eeprom". 
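The idea of deriving both attributes' permissions from the same configuration can be sketched as below. This is a simplified illustration, not the nvmem core: toy_attr, toy_nvmem_mode() and toy_setup_attrs() are hypothetical names, and the read_only flag is an assumption added to make the example complete.

```c
#include <stdbool.h>

/* Hypothetical stand-in for a sysfs binary attribute. */
struct toy_attr {
	const char *name;
	unsigned int mode;
};

/* Derive a file mode from the root_only and read_only config bits. */
static unsigned int toy_nvmem_mode(bool root_only, bool read_only)
{
	unsigned int mode = root_only ? 0400 : 0444;

	if (!read_only)
		mode |= 0200;	/* owner may write */
	return mode;
}

/*
 * Both the "nvmem" attribute and the compatibility "eeprom" attribute
 * take their mode from the same helper, so they cannot drift apart.
 */
static void toy_setup_attrs(struct toy_attr *nvmem, struct toy_attr *eeprom,
			    bool root_only, bool read_only)
{
	nvmem->name = "nvmem";
	nvmem->mode = toy_nvmem_mode(root_only, read_only);

	eeprom->name = "eeprom";
	eeprom->mode = toy_nvmem_mode(root_only, read_only);
}
```

With root_only clear and read_only clear, both attributes end up with mode 0644; with root_only set they both end up with 0600.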
Signed-off-by: Jean Delvare Fixes: b6c217ab9be6 ("nvmem: Add backwards compatibility support for older EEPROM drivers.") Reviewed-by: Bartosz Golaszewski Cc: Andrew Lunn Cc: Srinivas Kandagatla Cc: Arnd Bergmann Link: https://lore.kernel.org/r/20190728184255.563332e6@endymion Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f1079e415bc193eb6f6d186b7e77008929838ed2 Author: David Howells Date: Tue Jul 30 14:42:50 2019 +0100 rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet [ Upstream commit c69565ee6681e151e2bb80502930a16e04b553d1 ] Fix the fact that a notification isn't sent to the recvmsg side to indicate a call failed when sendmsg() fails to transmit a DATA packet with the error ENETUNREACH, EHOSTUNREACH or ECONNREFUSED. Without this notification, the afs client just sits there waiting for the call to complete in some manner (which it's not now going to do), which also pins the rxrpc call in place. This can be seen if the client has a scope-level IPv6 address, but not a global-level IPv6 address, and we try and transmit an operation to a server's IPv6 address. Looking in /proc/net/rxrpc/calls shows completed calls just sat there with an abort code of RX_USER_ABORT and an error code of -ENETUNREACH. Fixes: c54e43d752c7 ("rxrpc: Fix missing start of call timeout") Signed-off-by: David Howells Reviewed-by: Marc Dionne Reviewed-by: Jeffrey Altman Signed-off-by: Sasha Levin commit 04ce53b00a89cd1e6c9b59882486231de61382da Author: David Howells Date: Tue Jul 30 14:42:50 2019 +0100 rxrpc: Fix potential deadlock [ Upstream commit 60034d3d146b11922ab1db613bce062dddc0327a ] There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which the tries to take the already held lock. 
Fix this by providing a version of rxrpc_put_peer() that can be called in situations where the lock is already held. The bug may produce the following lockdep report: ============================================ WARNING: possible recursive locking detected 5.2.0-next-20190718 #41 Not tainted -------------------------------------------- kworker/0:3/21678 is trying to acquire lock: 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh /./include/linux/spinlock.h:343 [inline] 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: __rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline] 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435 but task is already holding lock: 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh /./include/linux/spinlock.h:343 [inline] 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline] 00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430 Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]") Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Marc Dionne Reviewed-by: Jeffrey Altman Signed-off-by: Sasha Levin commit 68c55a2c6c2fab83c9c5c109637ae89e76e25cdf Author: Jozsef Kadlecsik Date: Tue Jul 23 10:25:55 2019 +0200 netfilter: ipset: Fix rename concurrency with listing [ Upstream commit 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6 ] Shijie Luo reported that when stress-testing ipset with multiple concurrent create, rename, flush, list, destroy commands, it can result in ipset : Broken LIST kernel message: missing DATA part! error messages and broken list results. The problem was that the rename operation was not properly handled with respect to listing. The patch fixes the issue. 
Reported-by: Shijie Luo Signed-off-by: Jozsef Kadlecsik Signed-off-by: Sasha Levin commit 3fb7dc7af0677cf3a4d405484844432d1d97a7b4 Author: Stefano Brivio Date: Mon Jun 24 15:20:12 2019 +0200 netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets [ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ] In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the KADT functions for sets matching on MAC addresses the copy of source or destination MAC address depending on the configured match. This was done correctly for hash:mac, but for hash:ip,mac and bitmap:ip,mac, copying and pasting the same code block presents an obvious problem: in these two set types, the MAC address is the second dimension, not the first one, and we are actually selecting the MAC address depending on whether the first dimension (IP address) specifies source or destination. Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags. This way, mixing source and destination matches for the two dimensions of ip,mac set types works as expected. With this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add 192.0.2.1/24 dev veth1 ip -net A addr add 192.0.2.2/24 dev veth2 ip link set veth1 up ip -net A link set veth2 up dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16 ip netns exec A ipset add test_bitmap 192.0.2.1,${dst} ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP ip netns exec A ipset create test_hash hash:ip,mac ip netns exec A ipset add test_hash 192.0.2.1,${dst} ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP ipset correctly matches a test packet: # ping -c1 192.0.2.2 >/dev/null # echo $? 
0 Reported-by: Chen Yi Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik Signed-off-by: Sasha Levin commit 79ebfb394cbe9b53648da6c72a2be55c300002a7 Author: Stefano Brivio Date: Mon Jun 24 15:20:11 2019 +0200 netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too [ Upstream commit b89d15480d0cacacae1a0fe0b3da01b529f2914f ] In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the KADT check that prevents matching on destination MAC addresses for hash:mac sets, but forgot to remove the same check for hash:ip,mac sets. Drop this check: functionality is now commented in man pages and there's no reason to restrict to source MAC address matching anymore. Reported-by: Chen Yi Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik Signed-off-by: Sasha Levin commit edd7585d6751c993327a9eff6f56136c3baa4b21 Author: Martin Blumenstingl Date: Sat Jul 27 21:21:37 2019 +0200 net: stmmac: manage errors returned by of_get_mac_address() [ Upstream commit 195b2919ccd7ffcaf6b6bbcb39444a53ab8308c7 ] Commit d01f449c008a ("of_net: add NVMEM support to of_get_mac_address") added support for reading the MAC address from an nvmem-cell. This required changing the logic to return an error pointer upon failure. If stmmac is loaded before the nvmem provider driver then of_get_mac_address() returns an error pointer with -EPROBE_DEFER. Propagate this error so the stmmac driver will be probed again after the nvmem provider driver is loaded. Default to a randomly generated MAC address in case of any other error, instead of using the error pointer as the MAC address. 
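The error handling described in the stmmac message above can be sketched in userspace C. This is a minimal illustration under stated assumptions, not the stmmac patch itself: ERR_PTR(), PTR_ERR() and IS_ERR() are re-implemented here as stand-ins for the kernel helpers, EPROBE_DEFER is redefined locally, and lookup_mac() and pick_mac() are hypothetical names.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EPROBE_DEFER 517  /* kernel-internal value, redefined for this sketch */
#define MAX_ERRNO    4095

/* Userspace stand-ins for the kernel's ERR_PTR()/PTR_ERR()/IS_ERR(). */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical lookup: returns a MAC address or an encoded error. */
static const unsigned char *lookup_mac(int simulated_err)
{
	static const unsigned char mac[6] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };

	return simulated_err ? ERR_PTR(-simulated_err) : mac;
}

/*
 * Hypothetical caller: propagate -EPROBE_DEFER so the probe can be retried,
 * and fall back to a random address on any other error instead of
 * dereferencing the error pointer.
 */
static int pick_mac(int simulated_err, unsigned char out[6])
{
	const unsigned char *mac = lookup_mac(simulated_err);

	if (!IS_ERR(mac)) {
		memcpy(out, mac, 6);
		return 0;
	}
	if (PTR_ERR(mac) == -EPROBE_DEFER)
		return -EPROBE_DEFER;

	for (int i = 0; i < 6; i++)
		out[i] = (unsigned char)(rand() & 0xff);
	out[0] &= 0xfe; /* clear the multicast bit */
	out[0] |= 0x02; /* set the locally administered bit */
	assert((out[0] & 0x01) == 0);
	return 0;
}
```

Calling pick_mac(0, buf) copies the looked-up address, pick_mac(EPROBE_DEFER, buf) returns -EPROBE_DEFER without touching buf, and any other simulated error yields a random unicast, locally administered address.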
Fixes: d01f449c008a ("of_net: add NVMEM support to of_get_mac_address") Signed-off-by: Martin Blumenstingl Reviewed-by: Neil Armstrong Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 79ea14eea8cde6ca9405bed9e4ddac6a1cdaf539 Author: Jia-Ju Bai Date: Mon Jul 29 16:23:32 2019 +0800 mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() [ Upstream commit b55f3b841099e641bdb2701d361a4c304e2dbd6f ] In hwsim_dump_radio_nl(), when genlmsg_put() on line 3617 fails, hdr is assigned to NULL. Then hdr is used on lines 3622 and 3623: genl_dump_check_consistent(cb, hdr); genlmsg_end(skb, hdr); Thus, possible null-pointer dereferences may occur. To fix these bugs, hdr is used here when it is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20190729082332.28895-1-baijiaju1990@gmail.com [put braces on all branches] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 813f42fc5695f164738013b806fcb36a0eae363f Author: Ben Segal Date: Tue Jul 23 11:22:42 2019 +0300 habanalabs: fix F/W download in BE architecture [ Upstream commit 75035fe22b808a520e1d712ebe913684ba406e01 ] writeX macros might perform byte-swapping in BE architectures. As our F/W is in LE format, we need to make sure no byte-swapping will occur. There is a standard kernel function (called memcpy_toio) for copying data to I/O area which is used in a lot of drivers to download F/W to PCIe adapters. That function also makes sure the data is copied "as-is", without byte-swapping. This patch uses that function to copy the F/W to the GOYA ASIC instead of writeX macros. 
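To see why a value-oriented write can reorder firmware bytes on a big-endian host, consider the userspace sketch below. It is an illustration only: load_as_be_host(), store_as_le_device(), download_by_words() and download_as_is() are hypothetical helpers that model the effect with explicit byte arithmetic, so the result is the same on any host. They are not the kernel's writeX or memcpy_toio implementations.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Model of a big-endian CPU loading a 32-bit word from the firmware buffer:
 * the first byte in memory becomes the most significant byte of the value.
 */
static uint32_t load_as_be_host(const unsigned char *src)
{
	return ((uint32_t)src[0] << 24) | ((uint32_t)src[1] << 16) |
	       ((uint32_t)src[2] << 8) | (uint32_t)src[3];
}

/*
 * Model of a value-oriented store towards a little-endian device:
 * the least significant byte of the value is written first.
 */
static void store_as_le_device(unsigned char *dst, uint32_t val)
{
	dst[0] = (unsigned char)(val & 0xff);
	dst[1] = (unsigned char)((val >> 8) & 0xff);
	dst[2] = (unsigned char)((val >> 16) & 0xff);
	dst[3] = (unsigned char)((val >> 24) & 0xff);
}

/* Word-by-word download: the bytes of every word end up reversed. */
static void download_by_words(unsigned char *dev, const unsigned char *fw,
			      size_t len)
{
	assert(len % 4 == 0);
	for (size_t i = 0; i < len; i += 4)
		store_as_le_device(dev + i, load_as_be_host(fw + i));
}

/* Byte-stream download: the image arrives exactly as it is stored. */
static void download_as_is(unsigned char *dev, const unsigned char *fw,
			   size_t len)
{
	memcpy(dev, fw, len);
}
```

With a four-byte image 11 22 33 44, download_by_words() leaves 44 33 22 11 in the destination, while download_as_is() preserves the original order, which is the property the commit relies on.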
Signed-off-by: Ben Segal Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 45d6a121c7dce4b0e472310481967b4b5001028f Author: Jia-Ju Bai Date: Fri Jul 26 16:27:36 2019 +0800 isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() [ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ] In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail and return NULL. At this time, fifo->iso[i].urb is assigned to NULL. Then, fifo->iso[i].urb is used at some places, such as: LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...) urb->number_of_packets = num_packets; urb->transfer_flags = URB_ISO_ASAP; urb->actual_length = 0; urb->interval = interval; LINE 1416: fifo->iso[i].urb->... LINE 1419: fifo->iso[i].urb->... Thus, possible null-pointer dereferences may occur. To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb when it is NULL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c60f443cf03902a86de6fcc0d231bcd78f2f4851 Author: Michal Kalderon Date: Thu Jul 25 13:59:55 2019 +0300 qed: RDMA - Fix the hw_ver returned in device attributes [ Upstream commit 81af04b432fdfabcdbd2c06be2ee647e3ca41a22 ] The hw_ver field was initialized to zero. Return the chip revision. This is relevant for rdma driver. Signed-off-by: Michal Kalderon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 349b39f98d1bef4c09ba0e2c3044ca6460036406 Author: Bob Ham Date: Wed Jul 24 07:52:27 2019 -0700 net: usb: qmi_wwan: Add the BroadMobi BM818 card [ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ] The BroadMobi BM818 M.2 card uses the QMI protocol Signed-off-by: Bob Ham Signed-off-by: Angus Ainslie (Purism) Signed-off-by: David S. 
Miller Signed-off-by: Sasha Levin commit 7446b2794d9f120647bff9d667e2cb1631575c2b Author: Peter Ujfalusi Date: Fri Jul 26 09:42:43 2019 +0300 ASoC: ti: davinci-mcasp: Correct slot_width posed constraint [ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ] The slot_width is a property for the bus while the constraint for SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format. Applying slot_width constraint to sample_bits works most of the time, but it will blacklist valid formats in some cases. With slot_width 24 we can support S24_3LE and S24_LE formats as they both look the same on the bus, but a 24 constraint on sample_bits would not allow S24_LE as it is stored in 32bits in memory. Implement a simple hw_rule function to allow all formats which require less or equal number of bits on the bus as slot_width (if configured). Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ec10dcf3ae89ee4eb19dd788f773c72d0244b94b Author: Cheng-Yi Chiang Date: Fri Jul 26 12:42:02 2019 +0800 ASoC: rockchip: Fix mono capture [ Upstream commit 789e162a6255325325bd321ab0cd51dc7e285054 ] This reverts commit db51707b9c9aeedd310ebce60f15d5bb006567e0. Revert "ASoC: rockchip: i2s: Support mono capture" Previous discussion in https://patchwork.kernel.org/patch/10147153/ explains the issue of the patch. While device is configured as 1-ch, hardware is still generating a 2-ch stream. When user space reads the data and assumes it is a 1-ch stream, the rate will be slower by 2x. Revert the change so 1-ch is not supported. User space can selectively take one channel data out of two channel if 1-ch is preferred. Currently, both channels record identical data. 
Signed-off-by: Cheng-Yi Chiang Link: https://lore.kernel.org/r/20190726044202.26866-1-cychiang@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 205cd0f91481f6f5f0cef89e8f4ff5b2b009caa2 Author: Peter Ujfalusi Date: Thu Jul 25 11:34:23 2019 +0300 ASoC: ti: davinci-mcasp: Fix clk PDIR handling for i2s master mode [ Upstream commit 34a2a80ff30b5d2330abfa8980c7f0cc15a8158a ] When running McASP as master capture alone will not record any audio unless a parallel playback stream is running. As soon as the playback stops the captured data is going to be silent again. In McASP master mode we need to set the PDIR for the clock pins and fix the mcasp_set_axr_pdir() to skip the bits in the PDIR registers above AMUTE. This went unnoticed as most of the boards use McASP as slave and neither of these issues is visible (audible) in those setups. Fixes: ca3d9433349e ("ASoC: davinci-mcasp: Update PDIR (pin direction) register handling") Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20190725083423.7321-1-peter.ujfalusi@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7bd8e226cd6370718eb75e860c0ff28dbc18a6a7 Author: Manikanta Pubbisetty Date: Mon Jul 22 12:44:50 2019 +0530 {nl,mac}80211: fix interface combinations on crypto controlled devices [ Upstream commit e6f4051123fd33901e9655a675b22aefcdc5d277 ] Commit 33d915d9e8ce ("{nl,mac}80211: allow 4addr AP operation on crypto controlled devices") has introduced a change which allows 4addr operation on crypto controlled devices (ex: ath10k). This change has inadvertently impacted the interface combinations logic on such devices. General rule is that software interfaces like AP/VLAN should not be listed under supported interface combinations and should not be considered during validation of these combinations; because of the aforementioned change, AP/VLAN interfaces (if present) will be checked against interfaces supported by the device and block valid interface combinations. 
Consider a case where an AP and AP/VLAN are up and running; when a second AP device is brought up on the same physical device, this AP will be checked against the AP/VLAN interface (which will not be part of supported interface combinations of the device) and blocks second AP to come up. Add a new API cfg80211_iftype_allowed() to fix the problem, this API works for all devices with/without SW crypto control. Signed-off-by: Manikanta Pubbisetty Fixes: 33d915d9e8ce ("{nl,mac}80211: allow 4addr AP operation on crypto controlled devices") Link: https://lore.kernel.org/r/1563779690-9716-1-git-send-email-mpubbise@codeaurora.org Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit cb2150b718c0ffa6a11146373efafe5bae82cbe5 Author: Navid Emamdoost Date: Tue Jul 23 17:11:51 2019 -0500 st_nci_hci_connectivity_event_received: null check the allocation [ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ] devm_kzalloc may fail and return NULL. So the null check is needed. Signed-off-by: Navid Emamdoost Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 775d026bbfe293c7bda5688097390858688ee6c2 Author: Navid Emamdoost Date: Tue Jul 23 17:04:30 2019 -0500 st21nfca_connectivity_event_received: null check the allocation [ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ] devm_kzalloc may fail and return null. So the null check is needed. Signed-off-by: Navid Emamdoost Signed-off-by: David S. 
Miller Signed-off-by: Sasha Levin commit 8f28ebbdf9bc5a3e14fe71b5467af2d5ccf1a524 Author: Andrii Nakryiko Date: Wed Jul 24 14:47:53 2019 -0700 libbpf: silence GCC8 warning about string truncation [ Upstream commit cb8ffde5694ae5fffb456eae932aac442aa3a207 ] Despite a proper NULL-termination after strncpy(..., ..., IFNAMSIZ - 1), GCC8 still complains about *expected* string truncation: xsk.c:330:2: error: 'strncpy' output may be truncated copying 15 bytes from a string of length 15 [-Werror=stringop-truncation] strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ - 1); This patch gets rid of the issue altogether by using memcpy instead. There is no performance regression, as strncpy will still copy and fill all of the bytes anyway. v1->v2: - rebase against bpf tree. Cc: Magnus Karlsson Signed-off-by: Andrii Nakryiko Acked-by: Magnus Karlsson Acked-by: Song Liu Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 46af9cbcf73adc5e90c846b72da72b1b0b35a900 Author: Jan Sebastian Götte Date: Wed Jul 17 23:41:37 2019 +0900 Staging: fbtft: Fix GPIO handling [ Upstream commit 92e3e884887c0d278042fbbb6f6c9b41d6addb71 ] Commit c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface") breaks GPIO handling. In several places, checks to only set a GPIO if it was configured ended up backwards. I have tested this fix. The fixed driver works with a ili9486 display connected to a raspberry pi via SPI. 
Fixes: c440eee1a7a1d ("Staging: fbtft: Switch to the gpio descriptor interface") Tested-by: Jan Sebastian Götte Reviewed-by: Nicolas Saenz Julienne Signed-off-by: Jan Sebastian Götte Link: https://lore.kernel.org/r/75ada52f-afa1-08bc-d0ce-966fc1110e70@jaseg.net Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ab4f4d331a982f52a964f7f4d1ec452280f122e7 Author: Ricard Wanderlof Date: Wed Jul 24 11:38:44 2019 +0200 ASoC: Fail card instantiation if DAI format setup fails [ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ] If the DAI format setup fails, there is no valid communication format between CPU and CODEC, so fail card instantiation, rather than continue with a card that will most likely not function properly. Signed-off-by: Ricard Wanderlof Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2d0befff4db8658aa8c6547f8603e41ac150154b Author: YueHaibing Date: Sat May 18 17:35:43 2019 +0800 can: gw: Fix error path of cgw_module_init [ Upstream commit b7a14297f102b6e2ce6f16feffebbb9bde1e9b55 ] This patch adds an error path for cgw_module_init to avoid a possible crash if some error occurs. Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing") Signed-off-by: YueHaibing Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit ad14579d403acc0f7c39bc80b5171f7a046fd906 Author: Weitao Hou Date: Tue Jun 25 20:50:48 2019 +0800 can: mcp251x: add error check when wq alloc failed [ Upstream commit 375f755899b8fc21196197e02aab26257df26e85 ] Add an error check for when workqueue allocation fails, and remove redundant code to make it clearer. 
Fixes: e0000163e30e ("can: Driver for the Microchip MCP251x SPI CAN controllers") Signed-off-by: Weitao Hou Acked-by: Willem de Bruijn Tested-by: Sean Nyekjaer Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit eae5534465c8d831e0c818206e7121286c0efa2d Author: Rasmus Villemoes Date: Mon Jun 24 08:34:13 2019 +0000 can: dev: call netif_carrier_off() in register_candev() [ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ] CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev trigger as suggested, there's a small inconsistency with the link property: The LED is on initially, stays on when the device is brought up, and then turns off (as expected) when the device is brought down. Make sure the LED always reflects the state of the CAN device. Signed-off-by: Rasmus Villemoes Acked-by: Willem de Bruijn Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 7dae14d19c4f9ca518c52ef4a14532c902ed60ca Author: Ilya Maximets Date: Tue Jul 23 15:08:10 2019 +0300 libbpf: fix using uninitialized ioctl results [ Upstream commit decb705e01a5d325c9876b9674043cde4b54f0db ] 'channels.max_combined' initialized only on ioctl success and errno is only valid on ioctl failure. 
The code doesn't produce any runtime issues, but makes memory sanitizers angry: Conditional jump or move depends on uninitialised value(s) at 0x55C056F: xsk_get_max_queues (xsk.c:336) by 0x55C05B2: xsk_create_bpf_maps (xsk.c:354) by 0x55C089F: xsk_setup_xdp_prog (xsk.c:447) by 0x55C0E57: xsk_socket__create (xsk.c:601) Uninitialised value was created by a stack allocation at 0x55C04CD: xsk_get_max_queues (xsk.c:318) Additionally fixed warning on uninitialized bytes in ioctl arguments: Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s) at 0x648D45B: ioctl (in /usr/lib64/libc-2.28.so) by 0x55C0546: xsk_get_max_queues (xsk.c:330) by 0x55C05B2: xsk_create_bpf_maps (xsk.c:354) by 0x55C089F: xsk_setup_xdp_prog (xsk.c:447) by 0x55C0E57: xsk_socket__create (xsk.c:601) Address 0x1ffefff378 is on thread 1's stack in frame #1, created by xsk_get_max_queues (xsk.c:318) Uninitialised value was created by a stack allocation at 0x55C04CD: xsk_get_max_queues (xsk.c:318) CC: Magnus Karlsson Fixes: 1cad07884239 ("libbpf: add support for using AF_XDP sockets") Signed-off-by: Ilya Maximets Acked-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 890626e2d964d5525c26fac500544856658a660d Author: Eric Dumazet Date: Tue Jul 23 03:15:38 2019 -0700 selftests/bpf: add another gso_segs access [ Upstream commit be69483bf4f3abaaca5d5ba460dbb50239463552 ] Use BPF_REG_1 for source and destination of gso_segs read, to exercise "bpf: fix access to skb_shared_info->gso_segs" fix. Signed-off-by: Eric Dumazet Suggested-by: Stanislav Fomichev Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 24c21fa645604c17a8368a0816c9a3ddc4b2b573 Author: Ido Schimmel Date: Tue Jul 23 11:19:26 2019 +0300 selftests: forwarding: gre_multipath: Fix flower filters [ Upstream commit 1be79d89b7ae96e004911bd228ce8c2b5cc6415f ] The TC filters used in the test do not work with veth devices because the outer Ethertype is 802.1Q and not IPv4. 
The test passes with mlxsw netdevs since the hardware always looks at "The first Ethertype that does not point to either: VLAN, CNTAG or configurable Ethertype". Fix this by matching on the VLAN ID instead, but on the ingress side. The reason why this is not performed at egress is explained in the commit cited below. Fixes: 541ad323db3a ("selftests: forwarding: gre_multipath: Update next-hop statistics match criteria") Signed-off-by: Ido Schimmel Reported-by: Stephen Suryaputra Tested-by: Stephen Suryaputra Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f4bed7ed14a2c47cc08a13f95b13eb288b884f2c Author: Ido Schimmel Date: Tue Jul 23 11:19:25 2019 +0300 selftests: forwarding: gre_multipath: Enable IPv4 forwarding [ Upstream commit efa7b79f675da0efafe3f32ba0d6efe916cf4867 ] The test did not enable IPv4 forwarding during its setup phase, which causes the test to fail on machines where IPv4 forwarding is disabled. Fixes: 54818c4c4b93 ("selftests: forwarding: Test multipath tunneling") Signed-off-by: Ido Schimmel Reported-by: Stephen Suryaputra Tested-by: Stephen Suryaputra Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 82d861e06dc6232b7ecd5066c07e54a53eaac35c Author: Maxime Chevallier Date: Fri Jul 19 16:38:48 2019 +0200 net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links [ Upstream commit bba18318e7d1d5c8b0bbafd65010a0cee3c65608 ] PPv2's XLGMAC can wait for 3 idle frames before triggering a link up event. This can cause the link to be stuck low when there's traffic on the interface, so disable this feature. Fixes: 4bb043262878 ("net: mvpp2: phylink support") Signed-off-by: Maxime Chevallier Signed-off-by: David S. 
Miller Signed-off-by: Sasha Levin commit a25bd473e8c9d4e0c09e5405b3984151dd729c74 Author: Thomas Falcon Date: Tue Jul 16 17:25:10 2019 -0500 bonding: Force slave speed check after link state recovery for 802.3ad [ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ] The following scenario was encountered during testing of logical partition mobility on pseries partitions with bonded ibmvnic adapters in LACP mode. 1. Driver receives a signal that the device has been swapped, and it needs to reset to initialize the new device. 2. Driver reports loss of carrier and begins initialization. 3. Bonding driver receives NETDEV_CHANGE notifier and checks the slave's current speed and duplex settings. Because these are unknown at the time, the bond sets its link state to BOND_LINK_FAIL and handles the speed update, clearing AD_PORT_LACP_ENABLE. 4. Driver finishes recovery and reports that the carrier is on. 5. Bond receives a new notification and checks the speed again. The speeds are valid but miimon has not altered the link state yet. AD_PORT_LACP_ENABLE remains off. Because the slave's link state is still BOND_LINK_FAIL, no further port checks are made when it recovers. Though the slave devices are operational and have valid speed and duplex settings, the bond will not send LACPDU's. The simplest fix I can see is to force another speed check in bond_miimon_commit. This way the bond will update AD_PORT_LACP_ENABLE if needed when transitioning from BOND_LINK_FAIL to BOND_LINK_UP. CC: Jarod Wilson CC: Jay Vosburgh CC: Veaceslav Falico CC: Andy Gospodarek Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1c3e3000de801ca65f8cb7667c2e285d3230de4e Author: Wenwen Wang Date: Mon Jul 22 08:57:44 2019 -0500 ASoC: dapm: fix a memory leak bug [ Upstream commit 45004d66f2a28d78f543fb2ffbc133e31dc2d162 ] In snd_soc_dapm_new_control_unlocked(), a kernel buffer is allocated in dapm_cnew_widget() to hold the new dapm widget. 
Then, different actions are taken according to the id of the widget, i.e., 'w->id'. If any failure occurs during this process, snd_soc_dapm_new_control_unlocked() should be terminated by going to the 'request_failed' label. However, the allocated kernel buffer is not freed on this code path, leading to a memory leak bug. To fix the above issue, free the buffer before returning from snd_soc_dapm_new_control_unlocked() through the 'request_failed' label. Signed-off-by: Wenwen Wang Link: https://lore.kernel.org/r/1563803864-2809-1-git-send-email-wang6495@umn.edu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5fa1d7a76dd0b4c9a59bd78c32e56fc3cee35108 Author: Ilya Leoshkevich Date: Fri Jul 19 11:06:11 2019 +0200 selftests/bpf: fix sendmsg6_prog on s390 [ Upstream commit c8eee4135a456bc031d67cadc454e76880d1afd8 ] "sendmsg6: rewrite IP & port (C)" fails on s390, because the code in sendmsg_v6_prog() assumes that (ctx->user_ip6[0] & 0xFFFF) refers to leading IPv6 address digits, which is not the case on big-endian machines. Since checking bitwise operations doesn't seem to be the point of the test, replace two short comparisons with a single int comparison. Signed-off-by: Ilya Leoshkevich Acked-by: Andrey Ignatov Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 5c447c1951cddf1c0e79ac77e706107a28d675cc Author: John Fastabend Date: Fri Jul 19 10:29:21 2019 -0700 bpf: sockmap, only create entry if ulp is not already enabled [ Upstream commit 0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8 ] Sockmap does not currently support adding sockets after TLS has been enabled. There never was a real use case for this so it was never added. But, we lost the test for ULP at some point so add it here and fail the socket insert if TLS is enabled. Future work could make sockmap support this use case but fixup the bug here. 
Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 47032e94979e01100de1ba846c40d5adf2a30ab4 Author: John Fastabend Date: Fri Jul 19 10:29:20 2019 -0700 bpf: sockmap, synchronize_rcu before free'ing map [ Upstream commit 2bb90e5cc90e1d09f631aeab041a9cf913a5bbe5 ] We need to have a synchronize_rcu before free'ing the sockmap because any outstanding psock references will have a pointer to the map and when they use this could trigger a use after free. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 2a574254d6f59b4e5f64277712c2480e74ef1bc6 Author: John Fastabend Date: Fri Jul 19 10:29:19 2019 -0700 bpf: sockmap, sock_map_delete needs to use xchg [ Upstream commit 45a4521dcbd92e71c9e53031b40e34211d3b4feb ] __sock_map_delete() may be called from a tcp event such as unhash or close from the following trace, tcp_bpf_close() tcp_bpf_remove() sk_psock_unlink() sock_map_delete_from_link() __sock_map_delete() In this case the sock lock is held but this only protects against duplicate removals on the TCP side. If the map is free'd then we have this trace, sock_map_free xchg() <- replaces map entry sock_map_unref() sk_psock_put() sock_map_del_link() The __sock_map_delete() call however uses a read, test, null over the map entry which can result in both paths trying to free the map entry. To fix use xchg in TCP paths as well so we avoid having two references to the same map entry. 
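The difference between a read, test, null sequence and an exchange, as described in the sock_map_delete message above, can be sketched with C11 atomics. This is a userspace illustration under assumptions: struct entry, slot, put_entry() and take_entry() are hypothetical, and atomic_exchange() stands in for the kernel's xchg().

```c
#include <assert.h>
#include <stdatomic.h>
#include <stddef.h>

struct entry { int id; };

/* One map slot shared by the map teardown path and the delete path. */
static _Atomic(struct entry *) slot;

/*
 * Atomically swap the slot with NULL and return the old value.
 * However many callers race here, at most one receives the non-NULL
 * pointer, so at most one of them goes on to release the entry.
 */
static struct entry *take_entry(void)
{
	return atomic_exchange(&slot, (struct entry *)NULL);
}

/* Publish an entry into the slot (helper for this sketch only). */
static void put_entry(struct entry *e)
{
	struct entry *old = atomic_exchange(&slot, e);

	assert(old == NULL); /* the sketch never overwrites a live entry */
	(void)old;
}
```

After put_entry(&e), the first take_entry() returns &e and every later call returns NULL. A plain load followed by a separate store of NULL gives no such guarantee, because two paths can both observe the old pointer before either clears it.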
Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin commit 705409085597200cfd027c37c19b0fb6b5d2cdc9 Author: Lubomir Rintel Date: Fri Jul 19 14:27:13 2019 +0200 spi: pxa2xx: Balance runtime PM enable/disable on error [ Upstream commit 1274204542f683e1d8491ebe9cc86284d5a8ebcc ] Don't undo the PM initialization if we error out before we managed to initialize it. The call to pm_runtime_disable() without being preceded by pm_runtime_enable() would disturb the balance of the Force. In practice, this happens if we fail to allocate any of the GPIOs ("cs", "ready") due to -EPROBE_DEFER because we're getting probed before the GPIO driver. Signed-off-by: Lubomir Rintel Link: https://lore.kernel.org/r/20190719122713.3444318-1-lkundrak@v3.sk Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bdeaab6261ffe3ae99a3f18683abf84ac902d670 Author: Masahiro Yamada Date: Sun Jul 21 23:23:08 2019 +0900 ASoC: SOF: use __u32 instead of uint32_t in uapi headers [ Upstream commit 62ec3d13601bd626ca7a0edef6d45dbb753d94e8 ] When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to make sure they can be included from user-space. Currently, header.h and fw.h are excluded from the test coverage. To make them join the compile-test, we need to fix the build errors attached below. 
For a case like this, we decided to use __u{8,16,32,64} variable types in this discussion: https://lkml.org/lkml/2019/6/5/18 Build log: CC usr/include/sound/sof/header.h.s CC usr/include/sound/sof/fw.h.s In file included from :32:0: ./usr/include/sound/sof/header.h:19:2: error: unknown type name ‘uint32_t’ uint32_t magic; /**< 'S', 'O', 'F', '\0' */ ^~~~~~~~ ./usr/include/sound/sof/header.h:20:2: error: unknown type name ‘uint32_t’ uint32_t type; /**< component specific type */ ^~~~~~~~ ./usr/include/sound/sof/header.h:21:2: error: unknown type name ‘uint32_t’ uint32_t size; /**< size in bytes of data excl. this struct */ ^~~~~~~~ ./usr/include/sound/sof/header.h:22:2: error: unknown type name ‘uint32_t’ uint32_t abi; /**< SOF ABI version */ ^~~~~~~~ ./usr/include/sound/sof/header.h:23:2: error: unknown type name ‘uint32_t’ uint32_t reserved[4]; /**< reserved for future use */ ^~~~~~~~ ./usr/include/sound/sof/header.h:24:2: error: unknown type name ‘uint32_t’ uint32_t data[0]; /**< Component data - opaque to core */ ^~~~~~~~ In file included from :32:0: ./usr/include/sound/sof/fw.h:49:2: error: unknown type name ‘uint32_t’ uint32_t size; /* bytes minus this header */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:50:2: error: unknown type name ‘uint32_t’ uint32_t offset; /* offset from base */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:64:2: error: unknown type name ‘uint32_t’ uint32_t size; /* bytes minus this header */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:65:2: error: unknown type name ‘uint32_t’ uint32_t num_blocks; /* number of blocks */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:73:2: error: unknown type name ‘uint32_t’ uint32_t file_size; /* size of file minus this header */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:74:2: error: unknown type name ‘uint32_t’ uint32_t num_modules; /* number of modules */ ^~~~~~~~ ./usr/include/sound/sof/fw.h:75:2: error: unknown type name ‘uint32_t’ uint32_t abi; /* version of header format */ ^~~~~~~~ Signed-off-by: Masahiro Yamada Link: 
https://lore.kernel.org/r/20190721142308.30306-1-yamada.masahiro@socionext.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5cecec718e350938a0f2c43b403739fc478d52a6 Author: Charles Keepax Date: Thu Jul 18 09:43:33 2019 +0100 ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks [ Upstream commit 8dd26dff00c0636b1d8621acaeef3f6f3a39dd77 ] DPCM uses snd_soc_dapm_dai_get_connected_widgets to build a list of the widgets connected to a specific front end DAI so it can search through this list for available back end DAIs. The custom_stop_condition was added to is_connected_ep to facilitate this list not containing more widgets than is necessary. Doing so both speeds up the DPCM handling as less widgets need to be searched and avoids issues with CODEC to CODEC links as these would be confused with back end DAIs if they appeared in the list of available widgets. custom_stop_condition was implemented by aborting the graph walk when the condition is triggered, however there is an issue with this approach. Whilst walking the graph is_connected_ep should update the endpoints cache on each widget, if the walk is aborted the number of attached end points is unknown for that sub-graph. When the stop condition triggered, the original patch ignored the triggering widget and returned zero connected end points; a later patch updated this to set the triggering widget's cache to 1 and return that. Both of these approaches result in inaccurate values being stored in various end point caches as the values propagate back through the graph, which can result in later issues with widgets powering/not powering unexpectedly. As the original goal was to reduce the size of the widget list passed to the DPCM code, the simplest solution is to limit the functionality of the custom_stop_condition to the widget list. 
    This means the rest of the graph will still be processed resulting in correct end point caches, but only widgets up to the stop condition will be added to the returned widget list.

    Fixes: 6742064aef7f ("ASoC: dapm: support user-defined stop condition in dai_get_connected_widgets")
    Fixes: 5fdd022c2026 ("ASoC: dpcm: play nice with CODEC<->CODEC links")
    Fixes: 09464974eaa8 ("ASoC: dapm: Fix to return correct path list in is_connected_ep.")
    Signed-off-by: Charles Keepax
    Link: https://lore.kernel.org/r/20190718084333.15598-1-ckeepax@opensource.cirrus.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 8d376e73adf1d6a84a26bef2fba5a88775e2003a
Author: Wenwen Wang
Date:   Sat Jul 20 07:22:45 2019 -0500

    netfilter: ebtables: fix a memory leak bug in compat

    [ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ]

    In compat_do_replace(), a temporary buffer is allocated through vmalloc() to hold entries copied from user space. The buffer address is first saved to 'newinfo->entries', and later assigned to 'entries_tmp'. Then the entries in this temporary buffer are copied to the internal kernel structure through compat_copy_entries(). If this copy fails, compat_do_replace() should be terminated. However, the allocated temporary buffer is not freed on this path, leading to a memory leak.

    To fix the bug, free the buffer before returning from compat_do_replace().

    Signed-off-by: Wenwen Wang
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Sasha Levin

commit 0ea8657938351d2c57126a13f99980ef556ef08c
Author: Andrii Nakryiko
Date:   Fri Jul 19 12:46:03 2019 -0700

    libbpf: sanitize VAR to conservative 1-byte INT

    [ Upstream commit 1d4126c4e1190d2f7d3f388552f9bd17ae0c64fc ]

    If a VAR in non-sanitized BTF has a size less than 4, converting that VAR into an INT with size=4 causes a BTF validation failure, because it violates the member size of the STRUCT (into which the DATASEC was converted). Fix by conservatively using size=1.
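The size constraint described above can be sketched as a simplified bounds check. This is only a model under stated assumptions, not libbpf or kernel code: `member_fits()` and the `SANITIZED_INT_SIZE_*` names are hypothetical, and the real validation performs more checks than this one.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical names: the stand-in INT size before and after the fix. */
enum {
	SANITIZED_INT_SIZE_OLD = 4,
	SANITIZED_INT_SIZE_NEW = 1,
};

/*
 * Hypothetical model of the validation rule: a member of member_size
 * bytes at byte offset member_off must lie entirely inside a struct of
 * struct_size bytes.
 */
static bool member_fits(size_t struct_size, size_t member_off,
			size_t member_size)
{
	return member_off <= struct_size &&
	       member_size <= struct_size - member_off;
}
```

In this model, a 2-byte variable that becomes a member of a 2-byte struct does not fit when it is typed as a 4-byte INT, whereas a 1-byte INT fits any non-empty variable.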
    Signed-off-by: Andrii Nakryiko
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Sasha Levin

commit 3883ef3b1de6c8297c5075068da6a1fbb95ba125
Author: Vladimir Kondratiev
Date:   Tue Jul 16 10:36:56 2019 +0300

    mips: fix cacheinfo

    [ Upstream commit b8bea8a5e5d942e62203416ab41edecaed4fda02 ]

    Because CONFIG_OF is defined for MIPS, cacheinfo attempts to fill in information from DT, ignoring the data filled in by the architecture routine. This leads to the reported error:

     cacheinfo: Unable to detect cache hierarchy for CPU 0

    The way to fix this is provided in commit fac51482577d ("drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled").

    Use the same mechanism to report that cacheinfo is set by the architecture-specific function.

    Signed-off-by: Vladimir Kondratiev
    Signed-off-by: Paul Burton
    Cc: Ralf Baechle
    Cc: James Hogan
    Cc: linux-mips@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Sasha Levin

commit 7afa881dd42ae9aa45f54f55517ee9f1c783731d
Author: Thomas Bogendoerfer
Date:   Mon May 13 13:47:25 2019 +0200

    MIPS: kernel: only use i8253 clocksource with periodic clockevent

    [ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ]

    The i8253 clocksource needs a free-running timer, so it can only be used if the i8253 clockevent is set up as periodic.

    Signed-off-by: Thomas Bogendoerfer
    Signed-off-by: Paul Burton
    Cc: Ralf Baechle
    Cc: James Hogan
    Cc: linux-mips@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Sasha Levin

commit 22c0b70969e3787f64e33311805c744ee13b89f2
Author: Ilya Trukhanov
Date:   Tue Jul 2 13:37:16 2019 +0300

    HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT

    [ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ]

    Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force gamepad. Compared to other Thrustmaster devices, the left and right rumble motors are swapped here.
    Signed-off-by: Ilya Trukhanov
    Signed-off-by: Jiri Kosina
    Signed-off-by: Sasha Levin

commit e6cca5f2ab53acaa7021743946e1ebca28fa4822
Author: Filipe Laíns
Date:   Tue Jul 16 08:37:26 2019 +0100

    HID: logitech-hidpp: add USB PID for a few more supported mice

    [ Upstream commit 27fc32fd9417968a459d43d9a7c50fd423d53eb9 ]

    Add more device IDs to the logitech-hidpp driver.

    Signed-off-by: Filipe Laíns
    Signed-off-by: Jiri Kosina
    Signed-off-by: Sasha Levin

commit e301eb65c86147f76c79b3ecf67f39fb45f2daf6
Author: Hans de Goede
Date:   Fri Jul 12 13:27:08 2019 +0200

    ASoC: Intel: bytcht_es8316: Add quirk for Irbis NB41 netbook

    [ Upstream commit aa2ba991c4206d5b778dcaa7b4997396e79f8e90 ]

    The Irbis NB41 netbook has its internal mic on IN2, inverted jack-detect and stereo speakers. Add a quirk for this.

    Cc: russianneuromancer@ya.ru
    Reported-and-tested-by: russianneuromancer@ya.ru
    Signed-off-by: Hans de Goede
    Link: https://lore.kernel.org/r/20190712112708.25327-1-hdegoede@redhat.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit af3eab0b301696d3f11f4b0d660c47663fa3ee55
Author: Wen Yang
Date:   Sat Jul 13 11:46:15 2019 +0800

    ASoC: samsung: odroid: fix a double-free issue for cpu_dai

    [ Upstream commit 2abee12c0ab1924a69993d2c063a39a952e7d836 ]

    The cpu_dai variable is still being used after the of_node_put() call, which may result in double-free:

             of_node_put(cpu_dai);            ---> released here

             ret = devm_snd_soc_register_card(dev, card);
             if (ret < 0) {
             ...
                     goto err_put_clk_i2s;    --> jump to err_put_clk_i2s
             ...

     err_put_clk_i2s:
             clk_put(priv->clk_i2s_bus);
     err_put_sclk:
             clk_put(priv->sclk_i2s);
     err_put_cpu_dai:
             of_node_put(cpu_dai);            --> double-free here

    Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
    Signed-off-by: Wen Yang
    Cc: Krzysztof Kozlowski
    Cc: Sangbeom Kim
    Cc: Sylwester Nawrocki
    Cc: Liam Girdwood
    Cc: Mark Brown
    Cc: Jaroslav Kysela
    Cc: Takashi Iwai
    Cc: alsa-devel@alsa-project.org
    Cc: linux-kernel@vger.kernel.org
    Link: https://lore.kernel.org/r/1562989575-33785-3-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit b3978884ac59d15be5bda28792d998874853d79e
Author: Wen Yang
Date:   Sat Jul 13 11:46:14 2019 +0800

    ASoC: samsung: odroid: fix an use-after-free issue for codec

    [ Upstream commit 9b6d104a6b150bd4d3e5b039340e1f6b20c2e3c1 ]

    The codec variable is still being used after the of_node_put() call, which may result in use-after-free.

    Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
    Signed-off-by: Wen Yang
    Cc: Krzysztof Kozlowski
    Cc: Sangbeom Kim
    Cc: Sylwester Nawrocki
    Cc: Liam Girdwood
    Cc: Mark Brown
    Cc: Jaroslav Kysela
    Cc: Takashi Iwai
    Cc: alsa-devel@alsa-project.org
    Cc: linux-kernel@vger.kernel.org
    Link: https://lore.kernel.org/r/1562989575-33785-2-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit cb7829e5aeb36ff6db0a70807274bd23c423b26e
Author: Jernej Skrabec
Date:   Sat Jul 13 11:07:17 2019 +0200

    regulator: axp20x: fix DCDC5 and DCDC6 for AXP803

    [ Upstream commit 8f46e22b5ac692b48d04bb722547ca17b66dda02 ]

    Refactoring of the axp20x driver introduced a bug in AXP803's DCDC6 regulator definition. AXP803_DCDC6_1120mV_STEPS was obtained by subtracting 0x33 from 0x47. The result should be 0x14 (hex) and not 14 (dec).

    Refactoring also carried over a bug in the DCDC5 regulator definition. The number of possible voltages must be 1 greater than the maximum valid voltage index, because 0 is also a valid index and means the lowest voltage.
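The arithmetic behind both fixes can be checked with a short sketch. The two register values are the ones quoted in the message above; the macro and helper names are hypothetical, chosen for illustration, and are not the driver's own definitions.

```c
#include <assert.h>

/* Values quoted in the commit message; the macro names are hypothetical. */
#define DEMO_1120mV_START 0x33
#define DEMO_1120mV_END   0x47

/* Number of steps between two selector values. */
static unsigned int demo_steps(unsigned int start, unsigned int end)
{
	return end - start;
}

/*
 * Number of selectable voltages for a given maximum valid index.
 * Index 0 is valid (lowest voltage), hence the +1.
 */
static unsigned int demo_num_voltages(unsigned int max_index)
{
	return max_index + 1;
}
```

Here `demo_steps(DEMO_1120mV_START, DEMO_1120mV_END)` evaluates to 0x14, which is 20 in decimal, so writing the constant as decimal 14 drops six steps. Likewise, a regulator whose highest valid index is 3 has four selectable voltages.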
    Fixes: 1dbe0ccb0631 ("regulator: axp20x-regulator: add support for AXP803")
    Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks")
    Signed-off-by: Jernej Skrabec
    Link: https://lore.kernel.org/r/20190713090717.347-3-jernej.skrabec@siol.net
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 7a2ec3fbdcb1f9bef5e55ba311584e083d77273e
Author: Jernej Skrabec
Date:   Sat Jul 13 11:07:16 2019 +0200

    regulator: axp20x: fix DCDCA and DCDCD for AXP806

    [ Upstream commit 1ef55fed9219963359a7b3bc7edca8517c6e45ac ]

    Refactoring of the driver introduced bugs in AXP806's DCDCA and DCDCD regulator definitions.

    In the DCDCA case, AXP806_DCDCA_1120mV_STEPS was obtained by subtracting 0x33 from 0x47. The result should be 0x14 (hex) and not 14 (dec).

    In the DCDCD case, axp806_dcdcd_ranges[] contains two ranges with the same start and end macros, which is clearly wrong. The second range starts at 1.6V, so it should use the AXP806_DCDCD_1600mV_[START|END] macros. They are already defined but unused.

    Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks")
    Signed-off-by: Jernej Skrabec
    Link: https://lore.kernel.org/r/20190713090717.347-2-jernej.skrabec@siol.net
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 3861684475d5e7726024de0014aba62d6e37fe4d
Author: Kuninori Morimoto
Date:   Thu Jul 11 13:10:45 2019 +0900

    ASoC: audio-graph-card: add missing const at graph_get_dai_id()

    [ Upstream commit ec3042ad39d4e2ddbc3a3344f90bb10d8feb53bc ]

    Commit c152f8491a8d9 ("ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()") fixed a use-after-free issue, but it needs to use "const" for reg. This patch adds it.
    Without this patch, the build emits the warning below:

     LINUX/sound/soc/generic/audio-graph-card.c: In function 'graph_get_dai_id':
     LINUX/sound/soc/generic/audio-graph-card.c:87:7: warning: assignment discards\
           'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
        reg = of_get_property(node, "reg", NULL);

    Fixes: c152f8491a8d9 ("ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()")
    Signed-off-by: Kuninori Morimoto
    Acked-by: Wen Yang
    Link: https://lore.kernel.org/r/87sgrd43ja.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit e5e516915f780d9ec69d07607c9da35c41873968
Author: Wen Yang
Date:   Wed Jul 10 15:25:09 2019 +0800

    ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()

    [ Upstream commit c152f8491a8d9a4b25afd65a86eb5e55e2a8c380 ]

    After calling of_node_put() on the node variable, it is still being used, which may result in use-after-free. Fix this issue by calling of_node_put() after the last usage.

    Fixes: a0c426fe1433 ("ASoC: simple-card-utils: check "reg" property on asoc_simple_card_get_dai_id()")
    Link: https://lore.kernel.org/r/1562743509-30496-5-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Wen Yang
    Acked-by: Kuninori Morimoto
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 7b83af285ad2b2ab9b31cbbdfdb35ed36ce3eb42
Author: Wen Yang
Date:   Wed Jul 10 15:25:08 2019 +0800

    ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()

    [ Upstream commit aa2e362cb6b3f5ca88093ada01e1a0ace8a517b2 ]

    After calling of_node_put() on the ports, port, and node variables, they are still being used, which may result in use-after-free. Fix this issue by calling of_node_put() after the last usage.
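The ordering rule behind these use-after-free fixes (drop the reference only after the last use) can be illustrated with a small userspace model. Everything here is hypothetical: `struct demo_node`, `demo_node_put()` and the two helpers are stand-ins written for this sketch, not the kernel's device-tree API, and the model only flags a release instead of freeing memory so that the wrong ordering can be observed safely.

```c
#include <assert.h>
#include <stdbool.h>

/* Hypothetical stand-in for a refcounted device-tree node. */
struct demo_node {
	int refcount;
	bool released;	/* set when the last reference is dropped */
	int reg;	/* payload that callers want to read */
};

/* Drop one reference; real code would free the node at zero. */
static void demo_node_put(struct demo_node *n)
{
	if (--n->refcount == 0)
		n->released = true;
}

/* Correct order: read first, then drop the reference. */
static bool demo_read_then_put(struct demo_node *n, int *out)
{
	bool alive = !n->released;

	*out = n->reg;
	demo_node_put(n);
	return alive;
}

/*
 * Buggy order: drop the reference, then read. The read is harmless
 * only because this model never frees memory; with a real allocator
 * it would be a use-after-free.
 */
static bool demo_put_then_read(struct demo_node *n, int *out)
{
	bool alive;

	demo_node_put(n);
	alive = !n->released;
	*out = n->reg;
	return alive;
}
```

With a node holding a single reference, `demo_read_then_put()` reports that the node was still alive at the time of the read, while `demo_put_then_read()` reports that the read happened after release.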
    Fixes: dd98fbc558a0 ("ASoC: audio-graph-card: cleanup DAI link loop method - step1")
    Link: https://lore.kernel.org/r/1562743509-30496-4-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Wen Yang
    Acked-by: Kuninori Morimoto
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 86827ec32e56268353fb4bb8f4ef1764e9746159
Author: Wen Yang
Date:   Wed Jul 10 15:25:07 2019 +0800

    ASoC: simple-card: fix an use-after-free in simple_for_each_link()

    [ Upstream commit 27862d5a3325bc531ec15e3c607e44aa0fd57f6f ]

    The codec variable is still being used after the of_node_put() call, which may result in use-after-free.

    Fixes: d947cdfd4be2 ("ASoC: simple-card: cleanup DAI link loop method - step1")
    Link: https://lore.kernel.org/r/1562743509-30496-3-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Wen Yang
    Acked-by: Kuninori Morimoto
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 9b7f263403ab9d928c5482d1101f2f8077ac0202
Author: Wen Yang
Date:   Wed Jul 10 15:25:06 2019 +0800

    ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()

    [ Upstream commit 724808ad556c15e9473418d082f8aae81dd267f6 ]

    The node variable is still being used after the of_node_put() call, which may result in use-after-free.

    Fixes: cfc652a73331 ("ASoC: simple-card: tidyup prefix for snd_soc_codec_conf")
    Link: https://lore.kernel.org/r/1562743509-30496-2-git-send-email-wen.yang99@zte.com.cn
    Signed-off-by: Wen Yang
    Acked-by: Kuninori Morimoto
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit c9479b9717c301c7e495082a10f4ade47bf4f702
Author: Kuninori Morimoto
Date:   Wed Jul 10 16:59:55 2019 +0900

    ASoC: simple_card_utils.h: care NULL dai at asoc_simple_debug_dai()

    [ Upstream commit 52db6685932e326ed607644ab7ebdae8c194adda ]

    props->xxx_dai might be NULL when DPCM is used. This patch handles that case in the debug output.
    Fixes: commit 0580dde59438 ("ASoC: simple-card-utils: add asoc_simple_debug_info()")
    Signed-off-by: Kuninori Morimoto
    Link: https://lore.kernel.org/r/87o922gw4u.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin