commit 216d3815eeff2b1048b6a031b5a1f6cad7ce92f1 Author: Alexandre Frade Date: Wed May 27 15:32:44 2020 -0300 Linux 5.6.14-rt7-xanmod1 Signed-off-by: Alexandre Frade commit 77dc2a3443313a4ea2de0c002724fa1429848aeb Merge: c97bf6c2b713 c4a637d45e25 Author: Alexandre Frade Date: Wed May 27 15:31:42 2020 -0300 Merge tag 'v5.6.14-rt7' into 5.6-rt v5.6.14-rt7 commit c4a637d45e250c33f63c9397c17fc24fccfd902f Author: Sebastian Andrzej Siewior Date: Wed May 27 11:26:19 2020 +0200 v5.6.14-rt7 Signed-off-by: Sebastian Andrzej Siewior commit 2727b7b965f2a00a191c11177c00b7a144ce16f1 Author: Sebastian Andrzej Siewior Date: Wed May 27 11:19:42 2020 +0200 mm/zswap: Use local lock to protect per-CPU data This is an incremental update of the zswap patch. Addtional spots were identified, which were lacking proper locking, during the rework of the patch for upstream. The complete patch description is available as commit 79410590ae87e ("mm/zswap: Use local lock to protect per-CPU data") Signed-off-by: Sebastian Andrzej Siewior commit adc87be67551955f16bbb65437a408b3428d0991 Author: 汪勇10269566 Date: Thu May 21 09:37:44 2020 +0800 printk: Force a line break on pr_cont("\n") Since the printk rework, pr_cont("\n") will not lead to a line break. A new line will only be created if - cpu != c->cpu_owner || !(flags & LOG_CONT) - c->len + len > sizeof(c->buf) Flush the buffer to enforce a new line on pr_cont(). [bigeasy: reword commit message ] Signed-off-by: 汪勇10269566 Signed-off-by: Sebastian Andrzej Siewior Acked-by: John Ogness commit 472b236a1241b38d413edfb05d0a70603b0d7d64 Author: Sebastian Andrzej Siewior Date: Tue May 26 19:36:58 2020 +0200 v5.6.14-rt6 Signed-off-by: Sebastian Andrzej Siewior commit 5e8ee43670b745107d97072a92c6eb240cd6c2a9 Merge: c10e9b174644 e3ac9117b185 Author: Sebastian Andrzej Siewior Date: Tue May 26 19:34:41 2020 +0200 Merge tag 'v5.6.14' into linux-5.6.y-rt This is the 5.6.14 stable release Signed-off-by: Sebastian Andrzej Siewior commit e3ac9117b18596b7363d5b7904ab03a7d782b40c Author: Greg Kroah-Hartman Date: Wed May 20 08:22:38 2020 +0200 Linux 5.6.14 commit 0084b141713cff197c8fac00a464500acf6422c2 Author: Sergei Trofimovich Date: Tue Mar 17 00:07:18 2020 +0000 Makefile: disallow data races on gcc-10 as well commit b1112139a103b4b1101d0d2d72931f2d33d8c978 upstream. gcc-10 will rename --param=allow-store-data-races=0 to -fno-allow-store-data-races. The flag change happened at https://gcc.gnu.org/PR92046. Signed-off-by: Sergei Trofimovich Acked-by: Jiri Kosina Signed-off-by: Masahiro Yamada Cc: Thomas Backlund Signed-off-by: Greg Kroah-Hartman commit 0a51e9ae051436660800b9aa703e626c3e3966d5 Author: Daniel Borkmann Date: Fri May 15 12:11:18 2020 +0200 bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier commit b2a5212fb634561bb734c6356904e37f6665b955 upstream. Usage of plain %s conversion specifier in bpf_trace_printk() suffers from the very same issue as bpf_probe_read{,str}() helpers, that is, it is broken on archs with overlapping address ranges. While the helpers have been addressed through work in 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers"), we need an option for bpf_trace_printk() as well to fix it. Similarly as with the helpers, force users to make an explicit choice by adding %pks and %pus specifier to bpf_trace_printk() which will then pick the corresponding strncpy_from_unsafe*() variant to perform the access under KERNEL_DS or USER_DS. The %pk* (kernel specifier) and %pu* (user specifier) can later also be extended for other objects aside strings that are probed and printed under tracing, and reused out of other facilities like bpf_seq_printf() or BTF based type printing. Existing behavior of %s for current users is still kept working for archs where it is not broken and therefore gated through CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE. For archs not having this property we fall-back to pick probing under KERNEL_DS as a sensible default. Fixes: 8d3b7dce8622 ("bpf: add support for %s specifier to bpf_trace_printk()") Reported-by: Linus Torvalds Reported-by: Christoph Hellwig Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Cc: Masami Hiramatsu Cc: Brendan Gregg Link: https://lore.kernel.org/bpf/20200515101118.6508-4-daniel@iogearbox.net Signed-off-by: Greg Kroah-Hartman commit 86937fc5fb5bd54e68696a9c74f2fe7714aa6552 Author: Yonghong Song Date: Wed May 13 22:32:07 2020 -0700 selftests/bpf: Enforce returning 0 for fentry/fexit programs commit 6d74f64b922b8394dccc52576659cb0dc0a1da7b upstream. There are a few fentry/fexit programs returning non-0. The tests with these programs will break with the previous patch which enfoced return-0 rules. Fix them properly. Fixes: ac065870d928 ("selftests/bpf: Add BPF_PROG, BPF_KPROBE, and BPF_KRETPROBE macros") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200514053207.1298479-1-yhs@fb.com Signed-off-by: Greg Kroah-Hartman commit 9afc9ff98658bbe517b9d1ee451bbe8e44897424 Author: Yonghong Song Date: Wed May 13 22:32:05 2020 -0700 bpf: Enforce returning 0 for fentry/fexit progs commit e92888c72fbdc6f9d07b3b0604c012e81d7c0da7 upstream. Currently, tracing/fentry and tracing/fexit prog return values are not enforced. In trampoline codes, the fentry/fexit prog return values are ignored. Let us enforce it to be 0 to avoid confusion and allows potential future extension. This patch also explicitly added return value checking for tracing/raw_tp, tracing/fmod_ret, and freplace programs such that these program return values can be anything. The purpose are two folds: 1. to make it explicit about return value expectations for these programs in verifier. 2. for tracing prog_type, if a future attach type is added, the default is -ENOTSUPP which will enforce to specify return value ranges explicitly. Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200514053206.1298415-1-yhs@fb.com Signed-off-by: Greg Kroah-Hartman commit 6a042b9097297b8f44c8b62761198c13506f2e27 Author: Jim Mattson Date: Mon May 11 15:56:16 2020 -0700 KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce commit c4e0e4ab4cf3ec2b3f0b628ead108d677644ebd9 upstream. Bank_num is a one-based count of banks, not a zero-based index. It overflows the allocated space only when strictly greater than KVM_MAX_MCE_BANKS. Fixes: a9e38c3e01ad ("KVM: x86: Catch potential overrun in MCE setup") Signed-off-by: Jue Wang Signed-off-by: Jim Mattson Reviewed-by: Peter Shier Message-Id: <20200511225616.19557-1-jmattson@google.com> Reviewed-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6bae909dab387fc6b7eccc52b957ea42473f1f73 Author: Kefeng Wang Date: Thu May 7 23:04:45 2020 +0800 riscv: perf: RISCV_BASE_PMU should be independent commit 48084c3595cb7429f6ba734cfea1313573b9a7fa upstream. Selecting PERF_EVENTS without selecting RISCV_BASE_PMU results in a build error. Signed-off-by: Kefeng Wang [Palmer: commit text] Fixes: 178e9fc47aae("perf: riscv: preliminary RISC-V support") Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit cecd2b57f6ee1ac4d7a05191cf0aa7462e1a626e Author: Jason Gunthorpe Date: Thu May 7 09:33:48 2020 +0300 RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj commit ccfdbaa5cf4601b9b71601893029dcc9245c002b upstream. When multiple async FDs were allowed to exist the idea was for all broadcast events to be delivered to all async FDs, however IB_EVENT_DEVICE_FATAL was missed. Instead of having ib_uverbs_free_hw_resources() special case the global async_fd, have it cause the event during the uobject destruction. Every async fd is now a uobject so simply generate the IB_EVENT_DEVICE_FATAL while destroying the async fd uobject. This ensures every async FD gets a copy of the event. Fixes: d680e88e2013 ("RDMA/core: Add UVERBS_METHOD_ASYNC_EVENT_ALLOC") Link: https://lore.kernel.org/r/20200507063348.98713-3-leon@kernel.org Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 62181003030d83c56be85cabf7ac30fdefe658ee Author: Jason Gunthorpe Date: Thu May 7 09:33:47 2020 +0300 RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event commit c485b19d52c4ba269dfd027945dee81755fdd530 upstream. The commit below moved all of the destruction to the disassociate step and cleaned up the event channel during destroy_uobj. However, when ib_uverbs_free_hw_resources() pushes IB_EVENT_DEVICE_FATAL and then immediately goes to destroy all uobjects this causes ib_uverbs_free_event_queue() to discard the queued event if userspace hasn't already read() it. Unlike all other event queues async FD needs to defer the ib_uverbs_free_event_queue() until FD release. This still unregisters the handler from the IB device during disassociation. Fixes: 3e032c0e92aa ("RDMA/core: Make ib_uverbs_async_event_file into a uobject") Link: https://lore.kernel.org/r/20200507063348.98713-2-leon@kernel.org Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 2c49736ba5e49cef2497390d6d8ac4913309266c Author: Nayna Jain Date: Fri May 1 10:16:52 2020 -0400 powerpc/ima: Fix secure boot rules in ima arch policy commit fa4f3f56ccd28ac031ab275e673ed4098855fed4 upstream. To prevent verifying the kernel module appended signature twice (finit_module), once by the module_sig_check() and again by IMA, powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This, unfortunately, does not take into account the ability of enabling "sig_enforce" on the boot command line (module.sig_enforce=1). Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring. This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead. Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Signed-off-by: Mimi Zohar Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit 88293f52850080da0ee628e15303abdda2cfc779 Author: Nicholas Piggin Date: Tue Apr 7 14:12:45 2020 +1000 powerpc/uaccess: Evaluate macro arguments once, before user access is allowed commit d02f6b7dab8228487268298ea1f21081c0b4b3eb upstream. get/put_user() can be called with nontrivial arguments. fs/proc/page.c has a good example: if (put_user(stable_page_flags(ppage), out)) { stable_page_flags() is quite a lot of code, including spin locks in the page allocator. Ensure these arguments are evaluated before user access is allowed. This improves security by reducing code with access to userspace, but it also fixes a PREEMPT bug with KUAP on powerpc/64s: stable_page_flags() is currently called with AMR set to allow writes, it ends up calling spin_unlock(), which can call preempt_schedule. But the task switch code can not be called with AMR set (it relies on interrupts saving the register), so this blows up. It's fine if the code inside allow_user_access() is preemptible, because a timer or IPI will save the AMR, but it's not okay to explicitly cause a reschedule. Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200407041245.600651-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 388011d36065a17f3dc481485be5171692d38a44 Author: Xiyu Yang Date: Sun Apr 26 11:35:15 2020 +0800 bpf: Fix sk_psock refcnt leak when receiving message commit 18f02ad19e2c2a1d9e1d55a4e1c0cbf51419151c upstream. tcp_bpf_recvmsg() invokes sk_psock_get(), which returns a reference of the specified sk_psock object to "psock" with increased refcnt. When tcp_bpf_recvmsg() returns, local variable "psock" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in several exception handling paths of tcp_bpf_recvmsg(). When those error scenarios occur such as "flags" includes MSG_ERRQUEUE, the function forgets to decrease the refcnt increased by sk_psock_get(), causing a refcnt leak. Fix this issue by calling sk_psock_put() or pulling up the error queue read handling when those error scenarios occur. Fixes: e7a5f1f1cd000 ("bpf/sockmap: Read psock ingress_msg before sk_receive_queue") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/1587872115-42805-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Greg Kroah-Hartman commit 2151e1f2c1ea73a97b50dd115c2cbdd3f132714b Author: Chuck Lever Date: Wed Apr 15 17:36:22 2020 -0400 SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()") commit 0a8e7b7d08466b5fc52f8e96070acc116d82a8bb upstream. I've noticed that when krb5i or krb5p security is in use, retransmitted requests are missing the server's duplicate reply cache. The computed checksum on the retransmitted request does not match the cached checksum, resulting in the server performing the retransmitted request again instead of returning the cached reply. The assumptions made when removing xdr_buf_trim() were not correct. In the send paths, the upper layer has already set the segment lengths correctly, and shorting the buffer's content is simply a matter of reducing buf->len. xdr_buf_trim() is the right answer in the receive/unwrap path on both the client and the server. The buffer segment lengths have to be shortened one-by-one. On the server side in particular, head.iov_len needs to be updated correctly to enable nfsd_cache_csum() to work correctly. The simple buf->len computation doesn't do that, and that results in checksumming stale data in the buffer. The problem isn't noticed until there's significant instability of the RPC transport. At that point, the reliability of retransmit detection on the server becomes crucial. Fixes: 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()") Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 6b9c587512691388ac0e4ddf6d01fe158f508a14 Author: Michael Walle Date: Fri Mar 6 21:54:02 2020 +0100 dt-bindings: dma: fsl-edma: fix ls1028a-edma compatible commit d94a05f87327143f94f67dd256932163ac2bcd65 upstream. The bootloader will fix up the IOMMU entries only on nodes with the compatible "fsl,vf610-edma". Thus make this compatible string mandatory for the ls1028a-edma. While at it, fix the "fsl,fsl," typo. Signed-off-by: Michael Walle Fixes: d8c1bdb5288d ("dt-bindings: dma: fsl-edma: add new fsl,fsl,ls1028a-edma") Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit ef2721e1729200abbd02782e78ce0bb9aa0218cb Author: Geert Uytterhoeven Date: Fri May 8 11:59:18 2020 +0200 ARM: dts: r8a7740: Add missing extal2 to CPG node commit e47cb97f153193d4b41ca8d48127da14513d54c7 upstream. The Clock Pulse Generator (CPG) device node lacks the extal2 clock. This may lead to a failure registering the "r" clock, or to a wrong parent for the "usb24s" clock, depending on MD_CK2 pin configuration and boot loader CPG_USBCKCR register configuration. This went unnoticed, as this does not affect the single upstream board configuration, which relies on the first clock input only. Fixes: d9ffd583bf345e2e ("ARM: shmobile: r8a7740: add SoC clocks to DTS") Signed-off-by: Geert Uytterhoeven Reviewed-by: Ulrich Hecht Link: https://lore.kernel.org/r/20200508095918.6061-1-geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman commit 7633f1760fb734aa35b22a89d0f7d7fd3ded771b Author: Yoshihiro Shimoda Date: Fri Apr 17 16:29:03 2020 +0900 arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes commit f4d71c6ea9e58c07dd4d02d09c5dd9bb780ec4b1 upstream. Missing the renesas,ipmmu-main property on ipmmu_vip[01] nodes. Fixes: 55697cbb44e4 ("arm64: dts: renesas: r8a779{65,80,90}: Add IPMMU devices nodes) Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/1587108543-23786-1-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit 127feea7761fc21206e98515e9d150d80848b943 Author: Geert Uytterhoeven Date: Wed Apr 8 11:09:26 2020 +0200 ARM: dts: r8a73a4: Add missing CMT1 interrupts commit 0f739fdfe9e5ce668bd6d3210f310df282321837 upstream. The R-Mobile APE6 Compare Match Timer 1 generates 8 interrupts, one for each channel, but currently only 1 is described. Fix this by adding the missing interrupts. Fixes: f7b65230019b9dac ("ARM: shmobile: r8a73a4: Add CMT1 node") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20200408090926.25201-1-geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman commit 6955059ca2561b1e110a41247974ba49df1ae199 Author: Adam Ford Date: Fri Mar 27 21:33:53 2020 -0500 arm64: dts: imx8mn: Change SDMA1 ahb clock for imx8mn commit 15ddc3e17aec0de4c69d595b873e184432b9791d upstream. Using SDMA1 with UART1 is causing a "Timeout waiting for CH0" error. This patch changes to ahb clock from SDMA1_ROOT to AHB which fixes the timeout error. Fixes: 6c3debcbae47 ("arm64: dts: freescale: Add i.MX8MN dtsi support") Signed-off-by: Adam Ford Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 56d1314ee49645d5fbb0c422f9446960a2bffe6c Author: Chen-Yu Tsai Date: Fri Mar 27 11:04:14 2020 +0800 arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy commit 190c7f6fd43a776d4a6da1dac44408104649e9b7 upstream. The device tree compiler complains that the dwc3 nodes have regs properties but no matching unit addresses. Add the unit addresses to the device node name. While at it, also rename the nodes from "dwc3" to "usb", as guidelines require device nodes have generic names. Fixes: 7144224f2c2b ("arm64: dts: rockchip: support dwc3 USB for rk3399") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20200327030414.5903-7-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit b4438c85bd702592f7c09f915b57bcc511778076 Author: Chen-Yu Tsai Date: Fri Mar 27 11:04:10 2020 +0800 arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards commit 83b994129fb4c18a8460fd395864a28740e5e7fb upstream. In some board device tree files, "rk805" was used for the RK805 PMIC's node name. However the policy for device trees is that generic names should be used. Replace the "rk805" node name with the generic "pmic" name. Fixes: 1e28037ec88e ("arm64: dts: rockchip: add rk805 node for rk3328-evb") Fixes: 955bebde057e ("arm64: dts: rockchip: add rk3328-rock64 board") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20200327030414.5903-3-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit e96f952d5676a8b7073ba814a0a9e8172a0d532d Author: Neil Armstrong Date: Thu Mar 26 17:08:57 2020 +0100 arm64: dts: meson-g12-common: fix dwc2 clock names commit e4f634d812634067b0c661af2e3cecfd629c89b8 upstream. Use the correct dwc2 clock name. Fixes: 9baf7d6be730 ("arm64: dts: meson: g12a: Add G12A USB nodes") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20200326160857.11929-3-narmstrong@baylibre.com Signed-off-by: Greg Kroah-Hartman commit f1d7624f36403087b52822fb1a6b0332c2780b07 Author: Bjorn Andersson Date: Tue Mar 17 22:44:42 2020 -0700 arm64: dts: qcom: msm8996: Reduce vdd_apc voltage commit 28810eecae08f9458a44831978e36f14ed182c80 upstream. Some msm8996 based devices are unstable when run with VDD_APC of 1.23V, which is listed as the maximum voltage in "Turbo" mode. Given that the CPU cluster is not run in "Turbo" mode, reduce this to 0.98V - the maximum voltage for nominal operation. Tested-by: Loic Poulain Fixes: 7a2a2231ef22 ("arm64: dts: apq8096-db820c: Fix VDD core voltage") Cc: Loic Poulain Link: https://lore.kernel.org/r/20200318054442.3066726-1-bjorn.andersson@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 14918c16fdddda480bfb59050b97ecfe18a86ccb Author: Neil Armstrong Date: Fri Oct 18 14:02:16 2019 +0000 arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property commit 5ac0869fb39b1c1ba84d4d75c550f82e0bf44c96 upstream. In the process of moving the VIM3 audio nodes to a G12B specific dtsi for enabling the SM1 based VIM3L, the frddr_a status = "okay" property got dropped. This re-enables the frddr_a node to fix audio support. Fixes: 4f26cc1c96c9 ("arm64: dts: khadas-vim3: move common nodes into meson-khadas-vim3.dtsi") Reported-by: Christian Hewitt Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Reviewed-by: Jerome Brunet Tested-by: Jerome Brunet Link: https://lore.kernel.org/r/20191018140216.4257-1-narmstrong@baylibre.com Signed-off-by: Greg Kroah-Hartman commit 84a0266ab8f6f0222c6271a1e0eb115343f08fc8 Author: Marc Zyngier Date: Tue May 5 15:09:53 2020 +0100 clk: Unlink clock if failed to prepare or enable commit 018d4671b9bbd4a5c55cf6eab3e1dbc70a50b66e upstream. On failing to prepare or enable a clock, remove the core structure from the list it has been inserted as it is about to be freed. This otherwise leads to random crashes when subsequent clocks get registered, during which parsing of the clock tree becomes adventurous. Observed with QEMU's RPi-3 emulation. Fixes: 12ead77432f2 ("clk: Don't try to enable critical clocks if prepare failed") Signed-off-by: Marc Zyngier Cc: Guenter Roeck Cc: Stephen Boyd Cc: Michael Turquette Link: https://lkml.kernel.org/r/20200505140953.409430-1-maz@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit a4686c5fa3bea8f16cc5c38cd2409be224d74402 Author: Tero Kristo Date: Fri Apr 24 15:47:25 2020 +0300 clk: ti: clkctrl: Fix Bad of_node_put within clkctrl_get_name commit e1f9e0d28ff025564dfdb1001a7839b4af5db2e2 upstream. clkctrl_get_name incorrectly calls of_node_put when it is not really doing of_node_get. This causes a boot time warning later on: [ 0.000000] OF: ERROR: Bad of_node_put() on /ocp/interconnect@4a000000/segmen t@0/target-module@5000/cm_core_aon@0/ipu-cm@500/ipu1-clkctrl@20 Fix by dropping the of_node_put from the function. Reported-by: Naresh Kamboju Fixes: 6c3090520554 ("clk: ti: clkctrl: Fix hidden dependency to node name") Signed-off-by: Tero Kristo Link: https://lkml.kernel.org/r/20200424124725.9895-1-t-kristo@ti.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit b081c99fe28b774ae8d3b3e082f22e1be3f97a06 Author: Kai-Heng Feng Date: Sun May 3 23:24:46 2020 +0800 Revert "ALSA: hda/realtek: Fix pop noise on ALC225" commit f41224efcf8aafe80ea47ac870c5e32f3209ffc8 upstream. This reverts commit 3b36b13d5e69d6f51ff1c55d1b404a74646c9757. Enable power save node breaks some systems with ACL225. Revert the patch and use a platform specific quirk for the original issue isntead. Fixes: 3b36b13d5e69 ("ALSA: hda/realtek: Fix pop noise on ALC225") BugLink: https://bugs.launchpad.net/bugs/1875916 Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200503152449.22761-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 03c3d35c859225e44b97464f43ad5f086ae5bf6d Author: Wei Yongjun Date: Thu May 7 05:13:32 2020 +0000 usb: gadget: legacy: fix error return code in cdc_bind() commit e8f7f9e3499a6d96f7f63a4818dc7d0f45a7783b upstream. If 'usb_otg_descriptor_alloc()' fails, we must return a negative error code -ENOMEM, not 0. Fixes: ab6796ae9833 ("usb: gadget: cdc2: allocate and init otg descriptor by otg capabilities") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 81bdda9764bc4b498f982461123356e68857190d Author: Wei Yongjun Date: Thu May 7 05:13:23 2020 +0000 usb: gadget: legacy: fix error return code in gncm_bind() commit e27d4b30b71c66986196d8a1eb93cba9f602904a upstream. If 'usb_otg_descriptor_alloc()' fails, we must return a negative error code -ENOMEM, not 0. Fixes: 1156e91dd7cc ("usb: gadget: ncm: allocate and init otg descriptor by otg capabilities") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b0b5e6a96683e8d35eb517c5aa0cd7425c4061a3 Author: Christophe JAILLET Date: Sun May 3 12:47:07 2020 +0200 usb: gadget: audio: Fix a missing error return value in audio_bind() commit 19b94c1f9c9a16d41a8de3ccbdb8536cf1aecdbf upstream. If 'usb_otg_descriptor_alloc()' fails, we must return an error code, not 0. Fixes: 56023ce0fd70 ("usb: gadget: audio: allocate and init otg descriptor by otg capabilities") Reviewed-by: Peter Chen Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit bf42b6275ca3ee9e893fcd8268405ff347986ec2 Author: Christophe JAILLET Date: Mon Apr 27 20:04:23 2020 +0200 usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' commit ccaef7e6e354fb65758eaddd3eae8065a8b3e295 upstream. 'dev' is allocated in 'net2272_probe_init()'. It must be freed in the error handling path, as already done in the remove function (i.e. 'net2272_plat_remove()') Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 182b3b5c16d1298bb14d846c637929e72680a990 Author: Thierry Reding Date: Fri Apr 17 19:05:37 2020 +0200 usb: gadget: tegra-xudc: Fix idle suspend/resume commit 0534d40160cb9505073b0ecf5e7210daee319a66 upstream. When the XUDC device is idle (i.e. powergated), care must be taken not to access any registers because that would lead to a crash. Move the call to tegra_xudc_device_mode_off() into the same conditional as the tegra_xudc_powergate() call to make sure we only force device mode off if the XUDC is actually powered up. Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller") Acked-by: Jon Hunter Tested-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d92da48cbe0b780a648ebde9612e6ca66f073b66 Author: Neil Armstrong Date: Thu Mar 26 17:08:56 2020 +0100 arm64: dts: meson-g12b-ugoos-am6: fix usb vbus-supply commit 4e025fd91ba32a16ed8131158aa63cd37d141cbb upstream. The USB supply used the wrong property, fixing: meson-g12b-ugoos-am6.dt.yaml: usb@ffe09000: 'vbus-regulator' does not match any of the regexes: '^usb@[0-9a-f]+$', 'pinctrl-[0-9]+' Fixes: 2cd2310fca4c ("arm64: dts: meson-g12b-ugoos-am6: add initial device-tree") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20200326160857.11929-2-narmstrong@baylibre.com Signed-off-by: Greg Kroah-Hartman commit 4e160465114fc5e2cb39389385a308b9fe1fbcdc Author: Amir Goldstein Date: Thu Mar 19 17:10:17 2020 +0200 fanotify: fix merging marks masks with FAN_ONDIR commit 55bf882c7f13dda8bbe624040c6d5b4fbb812d16 upstream. Change the logic of FAN_ONDIR in two ways that are similar to the logic of FAN_EVENT_ON_CHILD, that was fixed in commit 54a307ba8d3c ("fanotify: fix logic of events on child"): 1. The flag is meaningless in ignore mask 2. The flag refers only to events in the mask of the mark where it is set This is what the fanotify_mark.2 man page says about FAN_ONDIR: "Without this flag, only events for files are created." It doesn't say anything about setting this flag in ignore mask to stop getting events on directories nor can I think of any setup where this capability would be useful. Currently, when marks masks are merged, the FAN_ONDIR flag set in one mark affects the events that are set in another mark's mask and this behavior causes unexpected results. For example, a user adds a mark on a directory with mask FAN_ATTRIB | FAN_ONDIR and a mount mark with mask FAN_OPEN (without FAN_ONDIR). An opendir() of that directory (which is inside that mount) generates a FAN_OPEN event even though neither of the marks requested to get open events on directories. Link: https://lore.kernel.org/r/20200319151022.31456-10-amir73il@gmail.com Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Cc: Rachel Sibley Signed-off-by: Greg Kroah-Hartman commit 4cdb9ae72a2fb0b484d61ed4c4379d0dfc6283d2 Author: John Stultz Date: Mon May 4 23:12:15 2020 +0000 dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() commit 00e21763f2c8cab21b7befa52996d1b18bde5c42 upstream. The check for the HWO flag in dwc3_gadget_ep_reclaim_trb_sg() causes us to break out of the loop before we call dwc3_gadget_ep_reclaim_completed_trb(), which is what likely should be clearing the HWO flag. This can cause odd behavior where we never reclaim all the trbs in the sg list, so we never call giveback on a usb req, and that will causes transfer stalls. This effectively resovles the adb stalls seen on HiKey960 after userland changes started only using AIO in adbd. Cc: YongQin Liu Cc: Anurag Kumar Vulisha Cc: Yang Fei Cc: Thinh Nguyen Cc: Tejas Joglekar Cc: Andrzej Pietrasiewicz Cc: Jack Pham Cc: Josh Gao Cc: Todd Kjos Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org Cc: stable@vger.kernel.org #4.20+ Signed-off-by: John Stultz Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 93a2c8dcbc4ff87fc0bed42041bf6dbed56867e5 Author: Justin Swartz Date: Tue Jan 14 16:25:02 2020 +0000 clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks commit cec9d101d70a3509da9bd2e601e0b242154ce616 upstream. The following changes prevent the unrecoverable freezes and rcu_sched stall warnings experienced in each of my attempts to take advantage of lima. Replace the COMPOSITE_NOGATE definition of aclk_gpu_pre with a COMPOSITE that retains the selection of HDMIPHY as the PLL source, but instead makes uses of the aclk_gpu PLL source gate and parent names defined by mux_pll_src_4plls_p rather than mux_aclk_gpu_pre_p. Remove the now unused mux_aclk_gpu_pre_p and the four named but also unused definitions (cpll_gpu, gpll_gpu, hdmiphy_gpu and usb480m_gpu) of the aclk_gpu PLL source gate. Use the correct gate offset for aclk_gpu and aclk_gpu_noc. Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") Cc: stable@vger.kernel.org Signed-off-by: Justin Swartz [double-checked against SoC manual and added fixes tag] Link: https://lore.kernel.org/r/20200114162503.7548-1-justin.swartz@risingedge.co.za Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit f97f0652b8f038925187a37898b50cc36d8a033f Author: Eric W. Biederman Date: Sat May 16 16:29:20 2020 -0500 exec: Move would_dump into flush_old_exec commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 upstream. I goofed when I added mm->user_ns support to would_dump. I missed the fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and binfmt_script bprm->file is reassigned. Which made the move of would_dump from setup_new_exec to __do_execve_file before exec_binprm incorrect as it can result in would_dump running on the script instead of the interpreter of the script. The net result is that the code stopped making unreadable interpreters undumpable. Which allows them to be ptraced and written to disk without special permissions. Oops. The move was necessary because the call in set_new_exec was after bprm->mm was no longer valid. To correct this mistake move the misplaced would_dump from __do_execve_file into flos_old_exec, before exec_mmap is called. I tested and confirmed that without this fix I can attach with gdb to a script with an unreadable interpreter, and with this fix I can not. Cc: stable@vger.kernel.org Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit a8472bca52f99d3d2acdb54300151e7eb4d32996 Author: Josh Poimboeuf Date: Thu May 14 15:31:10 2020 -0500 x86/unwind/orc: Fix error handling in __unwind_start() commit 71c95825289f585014fe9741b051d32a7a916680 upstream. The unwind_state 'error' field is used to inform the reliable unwinding code that the stack trace can't be trusted. Set this field for all errors in __unwind_start(). Also, move the zeroing out of the unwind_state struct to before the ORC table initialization check, to prevent the caller from reading uninitialized data if the ORC table is corrupted. Fixes: af085d9084b4 ("stacktrace/x86: add function for detecting reliable stack traces") Fixes: d3a09104018c ("x86/unwinder/orc: Dont bail on stack overflow") Fixes: 98d0c8ebf77e ("x86/unwind/orc: Prevent unwinding before ORC initialization") Reported-by: Pavel Machek Signed-off-by: Josh Poimboeuf Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/d6ac7215a84ca92b895fdd2e1aa546729417e6e6.1589487277.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 70bee5eecb9e78b39825c40fb9515f41c454fe36 Author: Borislav Petkov Date: Wed Apr 22 18:11:30 2020 +0200 x86: Fix early boot crash on gcc-10, third try commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream. ... or the odyssey of trying to disable the stack protector for the function which generates the stack canary value. The whole story started with Sergei reporting a boot crash with a kernel built with gcc-10: Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 Call Trace: dump_stack panic ? start_secondary __stack_chk_fail start_secondary secondary_startup_64 -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary This happens because gcc-10 tail-call optimizes the last function call in start_secondary() - cpu_startup_entry() - and thus emits a stack canary check which fails because the canary value changes after the boot_init_stack_canary() call. To fix that, the initial attempt was to mark the one function which generates the stack canary with: __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused) however, using the optimize attribute doesn't work cumulatively as the attribute does not add to but rather replaces previously supplied optimization options - roughly all -fxxx options. The key one among them being -fno-omit-frame-pointer and thus leading to not present frame pointer - frame pointer which the kernel needs. The next attempt to prevent compilers from tail-call optimizing the last function call cpu_startup_entry(), shy of carving out start_secondary() into a separate compilation unit and building it with -fno-stack-protector, was to add an empty asm(""). This current solution was short and sweet, and reportedly, is supported by both compilers but we didn't get very far this time: future (LTO?) optimization passes could potentially eliminate this, which leads us to the third attempt: having an actual memory barrier there which the compiler cannot ignore or move around etc. That should hold for a long time, but hey we said that about the other two solutions too so... Reported-by: Sergei Trofimovich Signed-off-by: Borislav Petkov Tested-by: Kalle Valo Cc: Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org Signed-off-by: Greg Kroah-Hartman commit 3b00e09960d7194809e8af61b95814f012eccc20 Author: Babu Moger Date: Tue May 12 18:59:06 2020 -0500 KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c commit 37486135d3a7b03acc7755b63627a130437f066a upstream. Though rdpkru and wrpkru are contingent upon CR4.PKE, the PKRU resource isn't. It can be read with XSAVE and written with XRSTOR. So, if we don't set the guest PKRU value here(kvm_load_guest_xsave_state), the guest can read the host value. In case of kvm_load_host_xsave_state, guest with CR4.PKE clear could potentially use XRSTOR to change the host PKRU value. While at it, move pkru state save/restore to common code and the host_pkru field to kvm_vcpu_arch. This will let SVM support protection keys. Cc: stable@vger.kernel.org Reported-by: Jim Mattson Signed-off-by: Babu Moger Message-Id: <158932794619.44260.14508381096663848853.stgit@naples-babu.amd.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 042ae30b46fce74b20e6233a2471c071defc5eea Author: Adam McCoy Date: Wed May 13 11:53:30 2020 +0000 cifs: fix leaked reference on requeued write commit a48137996063d22ffba77e077425f49873856ca5 upstream. Failed async writes that are requeued may not clean up a refcount on the file, which can result in a leaked open. This scenario arises very reliably when using persistent handles and a reconnect occurs while writing. cifs_writev_requeue only releases the reference if the write fails (rc != 0). The server->ops->async_writev operation will take its own reference, so the initial reference can always be released. Signed-off-by: Adam McCoy Signed-off-by: Steve French CC: Stable Reviewed-by: Pavel Shilovsky Signed-off-by: Greg Kroah-Hartman commit 39be29d41660116b440c3a19ffca34ce7b6d6726 Author: Christophe Leroy Date: Mon Apr 20 07:47:05 2020 +0000 powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG commit 4833ce06e6855d526234618b746ffb71d6612c9a upstream. gpr2 is not a parametre of kuap_check(), it doesn't exist. Use gpr instead. Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/ea599546f2a7771bde551393889e44e6b2632332.1587368807.git.christophe.leroy@c-s.fr Signed-off-by: Greg Kroah-Hartman commit 249b99a8d8d0f19f4694f4c8f05bc6ec7921c425 Author: Christophe Leroy Date: Sat May 9 09:42:14 2020 +0000 powerpc/vdso32: Fallback on getres syscall when clock is unknown commit e963b7a28b2bf2416304e1a15df967fcf662aff5 upstream. There are other clocks than the standard ones, for instance per process clocks. Therefore, being above the last standard clock doesn't mean it is a bad clock. So, fallback to syscall instead of returning -EINVAL inconditionaly. Fixes: e33ffc956b08 ("powerpc/vdso32: implement clock_getres entirely") Cc: stable@vger.kernel.org # v5.6+ Reported-by: Aurelien Jarno Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Tested-by: Aurelien Jarno Link: https://lore.kernel.org/r/7316a9e2c0c2517923eb4b0411c4a08d15e675a4.1589017281.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 81f275dfd2cb3ad8d9723b8f3b71e1a13894fd5b Author: Imre Deak Date: Mon May 4 10:58:28 2020 +0300 drm/i915/tgl+: Fix interrupt handling for DP AUX transactions commit 4457a9db2bdec2360ddb15242341696108167886 upstream. Unmask/enable AUX interrupts on all ports on TGL+. So far the interrupts worked only on port A, which meant each transaction on other ports took 10ms. Cc: # v5.4+ Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20200504075828.20348-1-imre.deak@intel.com (cherry picked from commit 054318c7e35f1d7d06b216143fff5f32405047ee) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 113555dee159d1aa37931679f88567e75bb67460 Author: Tom St Denis Date: Thu May 7 08:35:40 2020 -0400 drm/amd/amdgpu: add raven1 part to the gfxoff quirk list commit 975f543e7522e17b8a4bf34d7daeac44819aee5a upstream. On my raven1 system (rev c6) with VBIOS 113-RAVEN-114 GFXOFF is not stable (resulting in large block tiling noise in some applications). Disabling GFXOFF via the quirk list fixes the problems for me. Signed-off-by: Tom St Denis Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 36ab3ad8b6c9e14a5310eaa49a5725d03945c789 Author: Simon Ser Date: Mon Mar 30 09:23:21 2020 +0000 drm/amd/display: add basic atomic check for cursor plane commit 626bf90fe03fa080d8df06bb0397c95c53ae8e27 upstream. This patch adds a basic cursor check when an atomic test-only commit is performed. The position and size of the cursor plane is checked. This should fix user-space relying on atomic checks to assign buffers to planes. Signed-off-by: Simon Ser Reported-by: Roman Gilg References: https://github.com/emersion/libliftoff/issues/46 Cc: Alex Deucher Cc: Harry Wentland Reviewed-by: Nicholas Kazlauskas Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 008ed582b6992718317ce71a712e5b1783d2b418 Author: Michal Vokáč Date: Tue Mar 17 09:46:28 2020 +0100 ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection commit cbe63a8358310244e6007398bd2c7c70c7fd51cd upstream. The Y Soft yapp4 platform supports up to two Ethernet ports. The Ursa board though has only one Ethernet port populated and that is the port@2. Since the introduction of this platform into mainline a wrong port was deleted and the Ethernet could never work. Fix this by deleting the correct port node. Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards") Cc: stable@vger.kernel.org Signed-off-by: Michal Vokáč Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 5246ca21ca4db4a6d03eb8e496ccca8f24f14bac Author: Fabio Estevam Date: Fri Mar 27 10:36:24 2020 -0300 ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream. The I2C2 pins are already used and the following errors are seen: imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22 imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp on device 10015000.iomuxc imx-i2c 1001d000.i2c: Error applying setting, reverse things back imx-i2c: probe of 1001d000.i2c failed with error -22 Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group. Cc: Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl") Signed-off-by: Fabio Estevam Reviewed-by: Stefan Riedmueller Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit f3b0245a1023e8aab3209a544e1280326544bb94 Author: Kishon Vijay Abraham I Date: Fri Apr 17 12:13:40 2020 +0530 ARM: dts: dra7: Fix bus_dma_limit for PCIe commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream. Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller gets incorrect value of bus_dma_limit. Fix it by adding empty dma-ranges property to axi@0 and axi@1 (parent device tree node of PCIe controller). Cc: stable@kernel.org Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit a88c06df4955c541f0f55af9a2550ba083fc8a43 Author: Peter Jones Date: Fri Jul 6 15:04:24 2018 -0400 Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE() commit 82152d424b6cb6fc1ede7d03d69c04e786688740 upstream. This was sort of annoying me: random:~$ dmesg | tail -1 [523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS. random:~$ dmesg | grep -c "Reducing the compressed" 47 This patch makes it DRM_INFO_ONCE() just like the similar message farther down in that function is pr_info_once(). Cc: stable@vger.kernel.org Signed-off-by: Peter Jones Acked-by: Rodrigo Vivi Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745 Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com [vsyrjala: Rebase due to per-device logging] Signed-off-by: Ville Syrjälä (cherry picked from commit 6b7fc6a3e6af4ff5773949d0fed70d8e7f68d5ce) [Rodrigo: port back to DRM_INFO_ONCE] Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit b5c1c7e5c0fee6cc6c94a50ebf489fab631a4ec3 Author: Sriharsha Allenki Date: Thu May 14 14:04:31 2020 +0300 usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream. On platforms with IOMMU enabled, multiple SGs can be coalesced into one by the IOMMU driver. In that case the SG list processing as part of the completion of a urb on a bulk endpoint can result into a NULL pointer dereference with the below stack dump. <6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c <6> pgd = c0004000 <6> [0000000c] *pgd=00000000 <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM <2> PC is at xhci_queue_bulk_tx+0x454/0x80c <2> LR is at xhci_queue_bulk_tx+0x44c/0x80c <2> pc : [] lr : [] psr: 000000d3 <2> sp : ca337c80 ip : 00000000 fp : ffffffff <2> r10: 00000000 r9 : 50037000 r8 : 00004000 <2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000 <2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000 <2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none <2> Control: 10c0383d Table: b412c06a DAC: 00000051 <6> Process usb-storage (pid: 5961, stack limit = 0xca336210) <2> [] (xhci_queue_bulk_tx) <2> [] (xhci_urb_enqueue) <2> [] (usb_hcd_submit_urb) <2> [] (usb_sg_wait) <2> [] (usb_stor_bulk_transfer_sglist) <2> [] (usb_stor_bulk_srb) <2> [] (usb_stor_Bulk_transport) <2> [] (usb_stor_invoke_transport) <2> [] (usb_stor_control_thread) <2> [] (kthread) The above NULL pointer dereference is the result of block_len and the sent_len set to zero after the first SG of the list when IOMMU driver is enabled. Because of this the loop of processing the SGs has run more than num_sgs which resulted in a sg_next on the last SG of the list which has SG_END set. Fix this by check for the sg before any attributes of the sg are accessed. [modified reason for null pointer dereference in commit message subject -Mathias] Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") Cc: stable@vger.kernel.org Signed-off-by: Sriharsha Allenki Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 062e571afd9048bdc1d47d77a963fb662ce53246 Author: Kyungtae Kim Date: Sun May 10 05:43:34 2020 +0000 USB: gadget: fix illegal array access in binding with UDC commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream. FuzzUSB (a variant of syzkaller) found an illegal array access using an incorrect index while binding a gadget with UDC. Reference: https://www.spinics.net/lists/linux-usb/msg194331.html This bug occurs when a size variable used for a buffer is misused to access its strcpy-ed buffer. Given a buffer along with its size variable (taken from user input), from which, a new buffer is created using kstrdup(). Due to the original buffer containing 0 value in the middle, the size of the kstrdup-ed buffer becomes smaller than that of the original. So accessing the kstrdup-ed buffer with the same size variable triggers memory access violation. The fix makes sure no zero value in the buffer, by comparing the strlen() of the orignal buffer with the size variable, so that the access to the kstrdup-ed buffer is safe. BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208 CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xce/0x128 lib/dump_stack.c:118 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 flush_write_buffer fs/configfs/file.c:251 [inline] configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283 __vfs_write+0x85/0x110 fs/read_write.c:494 vfs_write+0x1cd/0x510 fs/read_write.c:558 ksys_write+0x18a/0x220 fs/read_write.c:611 __do_sys_write fs/read_write.c:623 [inline] __se_sys_write fs/read_write.c:620 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:620 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Signed-off-by: Kyungtae Kim Reported-and-tested-by: Kyungtae Kim Cc: Felipe Balbi Cc: stable Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01 Signed-off-by: Greg Kroah-Hartman commit 5180330783299da634665a38f89db972b216ec29 Author: Peter Chen Date: Thu Apr 30 15:07:13 2020 +0800 usb: cdns3: gadget: prev_req->trb is NULL for ep0 commit 95cd7dc47abd71d1a0c9c43594ff2fa32552f46c upstream. And there are no multiple TRBs on EP0 and WA1 workaround, so it doesn't need to change TRB for EP0. It fixes below oops. configfs-gadget gadget: high-speed config #1: b android_work: sent uevent USB_STATE=CONFIGURED Unable to handle kernel read from unreadable memory at virtual address 0000000000000008 Mem abort info: android_work: sent uevent USB_STATE=DISCONNECTED ESR = 0x96000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b5bb7000 [0000000000000008] pgd=0000000000000000 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 430 Comm: HwBinder:401_1 Not tainted 5.4.24-06071-g6fa8921409c1-dirty #77 Hardware name: Freescale i.MX8QXP MEK (DT) pstate: 60400085 (nZCv daIf +PAN -UAO) pc : cdns3_gadget_ep_dequeue+0x1d4/0x270 lr : cdns3_gadget_ep_dequeue+0x48/0x270 sp : ffff800012763ba0 x29: ffff800012763ba0 x28: ffff00082c653c00 x27: 0000000000000000 x26: ffff000068fa7b00 x25: ffff0000699b2000 x24: ffff00082c6ac000 x23: ffff000834f0a480 x22: ffff000834e87b9c x21: 0000000000000000 x20: ffff000834e87800 x19: ffff000069eddc00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000001 x11: ffff80001180fbe8 x10: 0000000000000001 x9 : ffff800012101558 x8 : 0000000000000001 x7 : 0000000000000006 x6 : ffff000835d9c668 x5 : ffff000834f0a4c8 x4 : 0000000096000000 x3 : 0000000000001810 x2 : 0000000000000000 x1 : ffff800024bd001c x0 : 0000000000000001 Call trace: cdns3_gadget_ep_dequeue+0x1d4/0x270 usb_ep_dequeue+0x34/0xf8 composite_dev_cleanup+0x154/0x170 configfs_composite_unbind+0x6c/0xa8 usb_gadget_remove_driver+0x44/0x70 usb_gadget_unregister_driver+0x74/0xe0 unregister_gadget+0x28/0x58 gadget_dev_desc_UDC_store+0x80/0x110 configfs_write_file+0x1e0/0x2a0 __vfs_write+0x48/0x90 vfs_write+0xe4/0x1c8 ksys_write+0x78/0x100 __arm64_sys_write+0x24/0x30 el0_svc_common.constprop.0+0x74/0x168 el0_svc_handler+0x34/0xa0 el0_svc+0x8/0xc Code: 52830203 b9407660 f94042e4 11000400 (b9400841) ---[ end trace 1574516e4c1772ca ]--- Kernel panic - not syncing: Fatal exception SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0002,20002008 Memory Limit: none Rebooting in 5 seconds.. Fixes: f616c3bda47e ("usb: cdns3: Fix dequeue implementation") Cc: stable Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d614ebdc69e8f0ed977f0f37fea9b1a987356577 Author: Li Jun Date: Thu May 14 14:04:32 2020 +0300 usb: host: xhci-plat: keep runtime active when removing host commit 1449cb2c2253d37d998c3714aa9b95416d16d379 upstream. While removing the host (e.g. for USB role switch from host to device), if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3 platforms. Keeping the xhci-plat device active during host removal, and disabling runtime pm before calling pm_runtime_set_suspended() fixes them. oops1: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000240 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty Hardware name: FSL i.MX8MP EVK (DT) Workqueue: pm pm_runtime_work pstate: 60000005 (nZCv daif -PAN -UAO) pc : xhci_suspend+0x34/0x698 lr : xhci_plat_runtime_suspend+0x2c/0x38 sp : ffff800011ddbbc0 Call trace: xhci_suspend+0x34/0x698 xhci_plat_runtime_suspend+0x2c/0x38 pm_generic_runtime_suspend+0x28/0x40 __rpm_callback+0xd8/0x138 rpm_callback+0x24/0x98 rpm_suspend+0xe0/0x448 rpm_idle+0x124/0x140 pm_runtime_work+0xa0/0xf8 process_one_work+0x1dc/0x370 worker_thread+0x48/0x468 kthread+0xf0/0x120 ret_from_fork+0x10/0x1c oops2: usb 2-1: USB disconnect, device number 2 xhci-hcd xhci-hcd.1.auto: remove, state 4 usb usb2: USB disconnect, device number 1 xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered xhci-hcd xhci-hcd.1.auto: remove, state 4 usb usb1: USB disconnect, device number 1 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000138 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578 Hardware name: Freescale i.MX8QXP MEK (DT) Workqueue: 1-0050 tcpm_state_machine_work pstate: 20000005 (nzCv daif -PAN -UAO) pc : xhci_free_dev+0x214/0x270 lr : xhci_plat_runtime_resume+0x78/0x88 sp : ffff80001006b5b0 Call trace: xhci_free_dev+0x214/0x270 xhci_plat_runtime_resume+0x78/0x88 pm_generic_runtime_resume+0x30/0x48 __rpm_callback+0x90/0x148 rpm_callback+0x28/0x88 rpm_resume+0x568/0x758 rpm_resume+0x260/0x758 rpm_resume+0x260/0x758 __pm_runtime_resume+0x40/0x88 device_release_driver_internal+0xa0/0x1c8 device_release_driver+0x1c/0x28 bus_remove_device+0xd4/0x158 device_del+0x15c/0x3a0 usb_disable_device+0xb0/0x268 usb_disconnect+0xcc/0x300 usb_remove_hcd+0xf4/0x1dc xhci_plat_remove+0x78/0xe0 platform_drv_remove+0x30/0x50 device_release_driver_internal+0xfc/0x1c8 device_release_driver+0x1c/0x28 bus_remove_device+0xd4/0x158 device_del+0x15c/0x3a0 platform_device_del.part.0+0x20/0x90 platform_device_unregister+0x28/0x40 cdns3_host_exit+0x20/0x40 cdns3_role_stop+0x60/0x90 cdns3_role_set+0x64/0xd8 usb_role_switch_set_role.part.0+0x3c/0x68 usb_role_switch_set_role+0x20/0x30 tcpm_mux_set+0x60/0xf8 tcpm_reset_port+0xa4/0xf0 tcpm_detach.part.0+0x28/0x50 tcpm_state_machine_work+0x12ac/0x2360 process_one_work+0x1c8/0x470 worker_thread+0x50/0x428 kthread+0xfc/0x128 ret_from_fork+0x10/0x18 Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01) ---[ end trace 45b1a173d2679e44 ]--- [minor commit message cleanup -Mathias] Cc: Baolin Wang Cc: Fixes: b0c69b4bace3 ("usb: host: plat: Enable xHCI plat runtime PM") Reviewed-by: Peter Chen Tested-by: Peter Chen Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit f567366a8150a3c6b506271ad8a0fde99def4a09 Author: Eugeniu Rosca Date: Fri May 15 00:02:46 2020 +0200 usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B commit 76e1ef1d81a4129d7e2fb8c48c83b166d1c8e040 upstream. On Tue, May 12, 2020 at 09:36:07PM +0800, Kai-Heng Feng wrote [1]: > This patch prevents my Raven Ridge xHCI from getting runtime suspend. The problem described in v5.6 commit 1208f9e1d758c9 ("USB: hub: Fix the broken detection of USB3 device in SMSC hub") applies solely to the USB5534B hub [2] present on the Kingfisher Infotainment Carrier Board, manufactured by Shimafuji Electric Inc [3]. Despite that, the aforementioned commit applied the quirk to _all_ hubs carrying vendor ID 0x424 (i.e. SMSC), of which there are more [4] than initially expected. Consequently, the quirk is now enabled on platforms carrying SMSC/Microchip hub models which potentially don't exhibit the original issue. To avoid reports like [1], further limit the quirk's scope to USB5534B [2], by employing both Vendor and Product ID checks. Tested on H3ULCB + Kingfisher rev. M05. [1] https://lore.kernel.org/linux-renesas-soc/73933975-6F0E-40F5-9584-D2B8F615C0F3@canonical.com/ [2] https://www.microchip.com/wwwproducts/en/USB5534B [3] http://www.shimafuji.co.jp/wp/wp-content/uploads/2018/08/SBEV-RCAR-KF-M06Board_HWSpecificationEN_Rev130.pdf [4] https://devicehunt.com/search/type/usb/vendor/0424/device/any Fixes: 1208f9e1d758c9 ("USB: hub: Fix the broken detection of USB3 device in SMSC hub") Cc: stable@vger.kernel.org # v4.14+ Cc: Alan Stern Cc: Hardik Gajjar Cc: linux-renesas-soc@vger.kernel.org Cc: linux-usb@vger.kernel.org Reported-by: Kai-Heng Feng Signed-off-by: Eugeniu Rosca Tested-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200514220246.13290-1-erosca@de.adit-jv.com Signed-off-by: Greg Kroah-Hartman commit 05049607294ada1cca7df05a44cc99e268c167c9 Author: Jesus Ramos Date: Mon Apr 27 06:21:39 2020 -0700 ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset commit 073919e09ca445d4486968e3f851372ff44cf2b5 upstream. Kingston HyperX headset with 0951:16ad also needs the same quirk for delaying the frequency controls. Signed-off-by: Jesus Ramos Cc: Link: https://lore.kernel.org/r/BY5PR19MB3634BA68C7CCA23D8DF428E796AF0@BY5PR19MB3634.namprd19.prod.outlook.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 343006873bc08b9bd8a22649ff131a6e752ac867 Author: Takashi Iwai Date: Thu May 7 13:44:56 2020 +0200 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d upstream. The rawmidi core allows user to resize the runtime buffer via ioctl, and this may lead to UAF when performed during concurrent reads or writes: the read/write functions unlock the runtime lock temporarily during copying form/to user-space, and that's the race window. This patch fixes the hole by introducing a reference counter for the runtime buffer read/write access and returns -EBUSY error when the resize is performed concurrently against read/write. Note that the ref count field is a simple integer instead of refcount_t here, since the all contexts accessing the buffer is basically protected with a spinlock, hence we need no expensive atomic ops. Also, note that this busy check is needed only against read / write functions, and not in receive/transmit callbacks; the race can happen only at the spinlock hole mentioned in the above, while the whole function is protected for receive / transmit callbacks. Reported-by: butt3rflyh4ck Cc: Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e658ffbaf76b8623b017c56317eadccf529f652c Author: Takashi Iwai Date: Tue May 12 09:32:03 2020 +0200 ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA commit 1b94e59d30afecf18254ad413e953e7587645a20 upstream. ASUS ZenBook UX431DA requires an additional COEF setup when booted from the recent Windows 10, otherwise it produces the noisy output. The quirk turns on COEF 0x1b bit 10 that has been cleared supposedly due to the pop noise reduction. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207553 Cc: Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20200512073203.14091-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bebf867a1dede126df9df919f7167145f4dbfb43 Author: Takashi Iwai Date: Thu May 14 18:05:33 2020 +0200 ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 commit b590b38ca305d6d7902ec7c4f7e273e0069f3bcc upstream. Lenovo Thinkpad T530 seems to have a sensitive internal mic capture that needs to limit the mic boost like a few other Thinkpad models. Although we may change the quirk for ALC269_FIXUP_LENOVO_DOCK, this hits way too many other laptop models, so let's add a new fixup model that limits the internal mic boost on top of the existing quirk and apply to only T530. BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1171293 Cc: Link: https://lore.kernel.org/r/20200514160533.10337-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit edc5a8c1ed67cfa24c24bad7c6b05c29475ed4f9 Author: Greg Kroah-Hartman Date: Thu May 14 13:27:11 2020 +0200 USB: usbfs: fix mmap dma mismatch commit a0e710a7def471b8eb779ff551fc27701da49599 upstream. In commit 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch") we switched from always calling remap_pfn_range() to call dma_mmap_coherent() to handle issues with systems with non-coherent USB host controller drivers. Unfortunatly, as syzbot quickly told us, not all the world is host controllers with DMA support, so we need to check what host controller we are attempting to talk to before doing this type of allocation. Thanks to Christoph for the quick idea of how to fix this. Fixes: 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch") Cc: Christoph Hellwig Cc: Hillf Danton Cc: Thomas Gleixner Cc: Jeremy Linton Cc: stable Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com Reviewed-by: Jeremy Linton Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20200514112711.1858252-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 582b8f7d5ceedfff9eef4f9e833ea8f8290044d3 Author: Jeremy Linton Date: Mon May 4 15:13:48 2020 -0500 usb: usbfs: correct kernel->user page attribute mismatch commit 2bef9aed6f0e22391c8d4570749b1acc9bc3981e upstream. On some architectures (e.g. arm64) requests for IO coherent memory may use non-cachable attributes if the relevant device isn't cache coherent. If these pages are then remapped into userspace as cacheable, they may not be coherent with the non-cacheable mappings. In particular this happens with libusb, when it attempts to create zero-copy buffers for use by rtl-sdr (https://github.com/osmocom/rtl-sdr/). On low end arm devices with non-coherent USB ports, the application will be unexpectedly killed, while continuing to work fine on arm machines with coherent USB controllers. This bug has been discovered/reported a few times over the last few years. In the case of rtl-sdr a compile time option to enable/disable zero copy was implemented to work around it. Rather than relaying on application specific workarounds, dma_mmap_coherent() can be used instead of remap_pfn_range(). The page cache/etc attributes will then be correctly set in userspace to match the kernel mapping. Signed-off-by: Jeremy Linton Cc: stable Link: https://lore.kernel.org/r/20200504201348.1183246-1-jeremy.linton@arm.com Signed-off-by: Greg Kroah-Hartman commit baf648d4cb3a0b92298ea6b7ec31e6d006ffbcf8 Author: Masami Hiramatsu Date: Mon May 11 10:39:24 2020 +0900 bootconfig: Fix to prevent warning message if no bootconfig option commit 611d0a95d46b0977a530b4d538948c69d447b001 upstream. Commit de462e5f1071 ("bootconfig: Fix to remove bootconfig data from initrd while boot") causes a cosmetic regression on dmesg, which warns "no bootconfig data" message without bootconfig cmdline option. Fix setup_boot_config() by moving no bootconfig check after commandline option check. Link: http://lkml.kernel.org/r/9b1ba335-071d-c983-89a4-2677b522dcc8@molgen.mpg.de Link: http://lkml.kernel.org/r/158916116468.21787.14558782332170588206.stgit@devnote2 Fixes: de462e5f1071 ("bootconfig: Fix to remove bootconfig data from initrd while boot") Reported-by: Paul Menzel Reviewed-by: Paul Menzel Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 32394df25d8e46935b442b429d74b37885c4f092 Author: Masami Hiramatsu Date: Sun Apr 26 15:53:30 2020 +0900 bootconfig: Fix to remove bootconfig data from initrd while boot commit de462e5f10718517bacf2f84c8aa2804567ef7df upstream. If there is a bootconfig data in the tail of initrd/initramfs, initrd image sanity check caused an error while decompression stage as follows. [ 0.883882] Unpacking initramfs... [ 2.696429] Initramfs unpacking failed: invalid magic at start of compressed archive This error will be ignored if CONFIG_BLK_DEV_RAM=n, but CONFIG_BLK_DEV_RAM=y the kernel failed to mount rootfs and causes a panic. To fix this issue, shrink down the initrd_end for removing tailing bootconfig data while boot the kernel. Link: http://lkml.kernel.org/r/158788401014.24243.17424755854115077915.stgit@devnote2 Cc: Borislav Petkov Cc: Kees Cook Cc: Ingo Molnar Cc: Andrew Morton Cc: stable@vger.kernel.org Fixes: 7684b8582c24 ("bootconfig: Load boot config from the tail of initrd") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit d7f25746b0fdd0385d09d75521c965c4c3df4b70 Author: Linus Torvalds Date: Sat May 9 15:58:04 2020 -0700 gcc-10: avoid shadowing standard library 'free()' in crypto commit 1a263ae60b04de959d9ce9caea4889385eefcc7b upstream. gcc-10 has started warning about conflicting types for a few new built-in functions, particularly 'free()'. This results in warnings like: crypto/xts.c:325:13: warning: conflicting types for built-in function ‘free’; expected ‘void(void *)’ [-Wbuiltin-declaration-mismatch] because the crypto layer had its local freeing functions called 'free()'. Gcc-10 is in the wrong here, since that function is marked 'static', and thus there is no chance of confusion with any standard library function namespace. But the simplest thing to do is to just use a different name here, and avoid this gcc mis-feature. [ Side note: gcc knowing about 'free()' is in itself not the mis-feature: the semantics of 'free()' are special enough that a compiler can validly do special things when seeing it. So the mis-feature here is that gcc thinks that 'free()' is some restricted name, and you can't shadow it as a local static function. Making the special 'free()' semantics be a function attribute rather than tied to the name would be the much better model ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b08afbbd30d45dcf46125368deb7bd514090efd6 Author: Linus Torvalds Date: Sat May 9 17:50:03 2020 -0700 gcc-10: mark more functions __init to avoid section mismatch warnings commit e99332e7b4cda6e60f5b5916cf9943a79dbef902 upstream. It seems that for whatever reason, gcc-10 ends up not inlining a couple of functions that used to be inlined before. Even if they only have one single callsite - it looks like gcc may have decided that the code was unlikely, and not worth inlining. The code generation difference is harmless, but caused a few new section mismatch errors, since the (now no longer inlined) function wasn't in the __init section, but called other init functions: Section mismatch in reference from the function kexec_free_initrd() to the function .init.text:free_initrd_mem() Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memremap() Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memunmap() So add the appropriate __init annotation to make modpost not complain. In both cases there were trivially just a single callsite from another __init function. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f35ef92069e94995078eb33a7670a8df88e22199 Author: Linus Torvalds Date: Mon May 4 09:16:37 2020 -0700 gcc-10 warnings: fix low-hanging fruit commit 9d82973e032e246ff5663c9805fbb5407ae932e3 upstream. Due to a bug-report that was compiler-dependent, I updated one of my machines to gcc-10. That shows a lot of new warnings. Happily they seem to be mostly the valid kind, but it's going to cause a round of churn for getting rid of them.. This is the really low-hanging fruit of removing a couple of zero-sized arrays in some core code. We have had a round of these patches before, and we'll have many more coming, and there is nothing special about these except that they were particularly trivial, and triggered more warnings than most. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4a8ff6fa13bfdf1c7b08e69e0c6d6f7fd5367622 Author: Linus Torvalds Date: Sat May 9 15:45:21 2020 -0700 gcc-10: disable 'restrict' warning for now commit adc71920969870dfa54e8f40dac8616284832d02 upstream. gcc-10 now warns about passing aliasing pointers to functions that take restricted pointers. That's actually a great warning, and if we ever start using 'restrict' in the kernel, it might be quite useful. But right now we don't, and it turns out that the only thing this warns about is an idiom where we have declared a few functions to be "printf-like" (which seems to make gcc pick up the restricted pointer thing), and then we print to the same buffer that we also use as an input. And people do that as an odd concatenation pattern, with code like this: #define sysfs_show_gen_prop(buffer, fmt, ...) \ snprintf(buffer, PAGE_SIZE, "%s"fmt, buffer, __VA_ARGS__) where we have 'buffer' as both the destination of the final result, and as the initial argument. Yes, it's a bit questionable. And outside of the kernel, people do have standard declarations like int snprintf( char *restrict buffer, size_t bufsz, const char *restrict format, ... ); where that output buffer is marked as a restrict pointer that cannot alias with any other arguments. But in the context of the kernel, that 'use snprintf() to concatenate to the end result' does work, and the pattern shows up in multiple places. And we have not marked our own version of snprintf() as taking restrict pointers, so the warning is incorrect for now, and gcc picks it up on its own. If we do start using 'restrict' in the kernel (and it might be a good idea if people find places where it matters), we'll need to figure out how to avoid this issue for snprintf and friends. But in the meantime, this warning is not useful. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f1e9358e1d48b823adf446cd65b0a5f309d37ee8 Author: Linus Torvalds Date: Sat May 9 15:40:52 2020 -0700 gcc-10: disable 'stringop-overflow' warning for now commit 5a76021c2eff7fcf2f0918a08fd8a37ce7922921 upstream. This is the final array bounds warning removal for gcc-10 for now. Again, the warning is good, and we should re-enable all these warnings when we have converted all the legacy array declaration cases to flexible arrays. But in the meantime, it's just noise. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e96d575ff8f3672be8f10468ad2ec31760bc519f Author: Linus Torvalds Date: Sat May 9 14:52:44 2020 -0700 gcc-10: disable 'array-bounds' warning for now commit 44720996e2d79e47d508b0abe99b931a726a3197 upstream. This is another fine warning, related to the 'zero-length-bounds' one, but hitting the same historical code in the kernel. Because C didn't historically support flexible array members, we have code that instead uses a one-sized array, the same way we have cases of zero-sized arrays. The one-sized arrays come from either not wanting to use the gcc zero-sized array extension, or from a slight convenience-feature, where particularly for strings, the size of the structure now includes the allocation for the final NUL character. So with a "char name[1];" at the end of a structure, you can do things like v = my_malloc(sizeof(struct vendor) + strlen(name)); and avoid the "+1" for the terminator. Yes, the modern way to do that is with a flexible array, and using 'offsetof()' instead of 'sizeof()', and adding the "+1" by hand. That also technically gets the size "more correct" in that it avoids any alignment (and thus padding) issues, but this is another long-term cleanup thing that will not happen for 5.7. So disable the warning for now, even though it's potentially quite useful. Having a slew of warnings that then hide more urgent new issues is not an improvement. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d6dae2dcef67a661089ab26423f470ebcacc0657 Author: Linus Torvalds Date: Sat May 9 14:30:29 2020 -0700 gcc-10: disable 'zero-length-bounds' warning for now commit 5c45de21a2223fe46cf9488c99a7fbcf01527670 upstream. This is a fine warning, but we still have a number of zero-length arrays in the kernel that come from the traditional gcc extension. Yes, they are getting converted to flexible arrays, but in the meantime the gcc-10 warning about zero-length bounds is very verbose, and is hiding other issues. I missed one actual build failure because it was hidden among hundreds of lines of warning. Thankfully I caught it on the second go before pushing things out, but it convinced me that I really need to disable the new warnings for now. We'll hopefully be all done with our conversion to flexible arrays in the not too distant future, and we can then re-enable this warning. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e1e123f8d33a126c66605fc871ce63b36a13b915 Author: Linus Torvalds Date: Sat May 9 13:57:10 2020 -0700 Stop the ad-hoc games with -Wno-maybe-initialized commit 78a5255ffb6a1af189a83e493d916ba1c54d8c75 upstream. We have some rather random rules about when we accept the "maybe-initialized" warnings, and when we don't. For example, we consider it unreliable for gcc versions < 4.9, but also if -O3 is enabled, or if optimizing for size. And then various kernel config options disabled it, because they know that they trigger that warning by confusing gcc sufficiently (ie PROFILE_ALL_BRANCHES). And now gcc-10 seems to be introducing a lot of those warnings too, so it falls under the same heading as 4.9 did. At the same time, we have a very straightforward way to _enable_ that warning when wanted: use "W=2" to enable more warnings. So stop playing these ad-hoc games, and just disable that warning by default, with the known and straight-forward "if you want to work on the extra compiler warnings, use W=123". Would it be great to have code that is always so obvious that it never confuses the compiler whether a variable is used initialized or not? Yes, it would. In a perfect world, the compilers would be smarter, and our source code would be simpler. That's currently not the world we live in, though. Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8ad7f6fd9e3cc98736afd9b49ea62a335a88f506 Author: Jason Gunthorpe Date: Tue Apr 14 20:02:07 2020 -0300 net/rds: Use ERR_PTR for rds_message_alloc_sgs() commit 7dba92037baf3fa00b4880a31fd532542264994c upstream. Returning the error code via a 'int *ret' when the function returns a pointer is very un-kernely and causes gcc 10's static analysis to choke: net/rds/message.c: In function ‘rds_message_map_pages’: net/rds/message.c:358:10: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] 358 | return ERR_PTR(ret); Use a typical ERR_PTR return instead. Signed-off-by: Jason Gunthorpe Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f9c29896d45ccfa02cd738ab8a97363c94d3f774 Author: Jason Gunthorpe Date: Tue Apr 14 12:10:50 2020 -0300 pnp: Use list_for_each_entry() instead of open coding commit 01b2bafe57b19d9119413f138765ef57990921ce upstream. Aside from good practice, this avoids a warning from gcc 10: ./include/linux/kernel.h:997:3: warning: array subscript -31 is outside array bounds of ‘struct list_head[1]’ [-Warray-bounds] 997 | ((type *)(__mptr - offsetof(type, member))); }) | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/list.h:493:2: note: in expansion of macro ‘container_of’ 493 | container_of(ptr, type, member) | ^~~~~~~~~~~~ ./include/linux/pnp.h:275:30: note: in expansion of macro ‘list_entry’ 275 | #define global_to_pnp_dev(n) list_entry(n, struct pnp_dev, global_list) | ^~~~~~~~~~ ./include/linux/pnp.h:281:11: note: in expansion of macro ‘global_to_pnp_dev’ 281 | (dev) != global_to_pnp_dev(&pnp_global); \ | ^~~~~~~~~~~~~~~~~ arch/x86/kernel/rtc.c:189:2: note: in expansion of macro ‘pnp_for_each_dev’ 189 | pnp_for_each_dev(dev) { Because the common code doesn't cast the starting list_head to the containing struct. Signed-off-by: Jason Gunthorpe [ rjw: Whitespace adjustments ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e6819f7586018e8eb036edcb403217a43ab62400 Author: Olga Kornievskaia Date: Thu May 14 16:09:40 2020 -0400 NFSv3: fix rpc receive buffer size for MOUNT call [ Upstream commit 8eed292bc8cbf737e46fb1c119d4c8f6dcb00650 ] Prior to commit e3d3ab64dd66 ("SUNRPC: Use au_rslack when computing reply buffer size"), there was enough slack in the reply buffer to commodate filehandles of size 60bytes. However, the real problem was that the reply buffer size for the MOUNT operation was not correctly calculated. Received buffer size used the filehandle size for NFSv2 (32bytes) which is much smaller than the allowed filehandle size for the v3 mounts. Fix the reply buffer size (decode arguments size) for the MNT command. Fixes: 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing reply buffer size") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 3601c141d03c29f9456c04e2dfbd870f376485f6 Author: Sasha Levin Date: Sat May 16 20:45:27 2020 -0400 bpf: Fix bug in mmap() implementation for BPF array map [ Upstream commit 333291ce5055f2039afc907badaf5b66bc1adfdc ] mmap() subsystem allows user-space application to memory-map region with initial page offset. This wasn't taken into account in initial implementation of BPF array memory-mapping. This would result in wrong pages, not taking into account requested page shift, being memory-mmaped into user-space. This patch fixes this gap and adds a test for such scenario. Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200512235925.3817805-1-andriin@fb.com Signed-off-by: Sasha Levin commit 5891ccd18dee25b6ac02d49be510f89d74017753 Author: Roman Penyaev Date: Wed May 13 17:50:38 2020 -0700 epoll: call final ep_events_available() check under the lock [ Upstream commit 65759097d804d2a9ad2b687db436319704ba7019 ] There is a possible race when ep_scan_ready_list() leaves ->rdllist and ->obflist empty for a short period of time although some events are pending. It is quite likely that ep_events_available() observes empty lists and goes to sleep. Since commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") we are conservative in wakeups (there is only one place for wakeup and this is ep_poll_callback()), thus ep_events_available() must always observe correct state of two lists. The easiest and correct way is to do the final check under the lock. This does not impact the performance, since lock is taken anyway for adding a wait entry to the wait queue. The discussion of the problem can be found here: https://lore.kernel.org/linux-fsdevel/a2f22c3c-c25a-4bda-8339-a7bdaf17849e@akamai.com/ In this patch barrierless __set_current_state() is used. This is safe since waitqueue_active() is called under the same lock on wakeup side. Short-circuit for fatal signals (i.e. fatal_signal_pending() check) is moved to the line just before actual events harvesting routine. This is fully compliant to what is said in the comment of the patch where the actual fatal_signal_pending() check was added: c257a340ede0 ("fs, epoll: short circuit fetching events if thread has been killed"). Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") Reported-by: Jason Baron Reported-by: Randy Dunlap Signed-off-by: Roman Penyaev Signed-off-by: Andrew Morton Reviewed-by: Jason Baron Cc: Khazhismel Kumykov Cc: Alexander Viro Cc: Link: http://lkml.kernel.org/r/20200505145609.1865152-1-rpenyaev@suse.de Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 90c90cb2906fee61791e082cced3191a762debc6 Author: Yafang Shao Date: Wed May 13 17:50:34 2020 -0700 mm, memcg: fix inconsistent oom event behavior [ Upstream commit 04fd61a4e01028210a91f0efc408c8bc61a3018c ] A recent commit 9852ae3fe529 ("mm, memcg: consider subtrees in memory.events") changed the behavior of memcg events, which will now consider subtrees in memory.events. But oom_kill event is a special one as it is used in both cgroup1 and cgroup2. In cgroup1, it is displayed in memory.oom_control. The file memory.oom_control is in both root memcg and non root memcg, that is different with memory.event as it only in non-root memcg. That commit is okay for cgroup2, but it is not okay for cgroup1 as it will cause inconsistent behavior between root memcg and non-root memcg. Here's an example on why this behavior is inconsistent in cgroup1. root memcg / memcg foo / memcg bar Suppose there's an oom_kill in memcg bar, then the oon_kill will be root memcg : memory.oom_control(oom_kill) 0 / memcg foo : memory.oom_control(oom_kill) 1 / memcg bar : memory.oom_control(oom_kill) 1 For the non-root memcg, its memory.oom_control(oom_kill) includes its descendants' oom_kill, but for root memcg, it doesn't include its descendants' oom_kill. That means, memory.oom_control(oom_kill) has different meanings in different memcgs. That is inconsistent. Then the user has to know whether the memcg is root or not. If we can't fully support it in cgroup1, for example by adding memory.events.local into cgroup1 as well, then let's don't touch its original behavior. Fixes: 9852ae3fe529 ("mm, memcg: consider subtrees in memory.events") Reported-by: Randy Dunlap Signed-off-by: Yafang Shao Signed-off-by: Andrew Morton Reviewed-by: Shakeel Butt Acked-by: Johannes Weiner Acked-by: Chris Down Acked-by: Michal Hocko Cc: Link: http://lkml.kernel.org/r/20200502141055.7378-1-laoar.shao@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f18d3beac6bc2e1bddfba202f5327200acbda54c Author: Chris Wilson Date: Sat May 9 12:52:17 2020 +0100 drm/i915: Handle idling during i915_gem_evict_something busy loops [ Upstream commit 955da9d77435acac066139e9d7f7723ce7204a1d ] i915_gem_evict_something() is charged with finding a slot within the GTT that we may reuse. Since our goal is not to stall, we first look for a slot that only overlaps idle vma. To this end, on the first pass we move any active vma to the end of the search list. However, we only stopped moving active vma after we see the first active vma twice. If during the search, that first active vma completed, we would not notice and keep on extending the search list. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1746 Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") Fixes: b1e3177bd1d8 ("drm/i915: Coordinate i915_active with its own mutex") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.5+ Reviewed-by: Mika Kuoppala Link: https://patchwork.freedesktop.org/patch/msgid/20200509115217.26853-1-chris@chris-wilson.co.uk (cherry picked from commit 73e28cc40bf00b5d168cb8f5cff1ae63e9097446) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 1e83d5a1066800985e95737e7a8a19ea3270b558 Author: Wei Yongjun Date: Wed May 13 09:42:29 2020 +0200 s390/ism: fix error return code in ism_probe() [ Upstream commit 29b74cb75e3572d83708745e81e24d37837415f9 ] Fix to return negative error code -ENOMEM from the smcd_alloc_dev() error handling case instead of 0, as done elsewhere in this function. Fixes: 684b89bc39ce ("s390/ism: add device driver for internal shared memory") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Ursula Braun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bfe9f43509f2e4e8c1ac6f87fa6e686674f8a1cc Author: Samu Nuutamo Date: Mon May 11 13:02:19 2020 +0200 hwmon: (da9052) Synchronize access with mfd [ Upstream commit 333e22db228f0bd0c839553015a6a8d3db4ba569 ] When tsi-as-adc is configured it is possible for in7[0123]_input read to return an incorrect value if a concurrent read to in[456]_input is performed. This is caused by a concurrent manipulation of the mux channel without proper locking as hwmon and mfd use different locks for synchronization. Switch hwmon to use the same lock as mfd when accessing the TSI channel. Fixes: 4f16cab19a3d5 ("hwmon: da9052: Add support for TSI channel") Signed-off-by: Samu Nuutamo [rebase to current master, reword commit message slightly] Signed-off-by: Sebastian Reichel Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 0a6a42a5c71b1165d51e07f52cdd54dab7160604 Author: Steven Rostedt (VMware) Date: Thu Apr 30 20:21:47 2020 -0400 x86/ftrace: Have ftrace trampolines turn read-only at the end of system boot up [ Upstream commit 59566b0b622e3e6ea928c0b8cac8a5601b00b383 ] Booting one of my machines, it triggered the following crash: Kernel/User page tables isolation: enabled ftrace: allocating 36577 entries in 143 pages Starting tracer 'function' BUG: unable to handle page fault for address: ffffffffa000005c #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 2014067 P4D 2014067 PUD 2015063 PMD 7b253067 PTE 7b252061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper Not tainted 5.4.0-test+ #24 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 RIP: 0010:text_poke_early+0x4a/0x58 Code: 34 24 48 89 54 24 08 e8 bf 72 0b 00 48 8b 34 24 48 8b 4c 24 08 84 c0 74 0b 48 89 df f3 a4 48 83 c4 10 5b c3 9c 58 fa 48 89 df a4 50 9d 48 83 c4 10 5b e9 d6 f9 ff ff 0 41 57 49 RSP: 0000:ffffffff82003d38 EFLAGS: 00010046 RAX: 0000000000000046 RBX: ffffffffa000005c RCX: 0000000000000005 RDX: 0000000000000005 RSI: ffffffff825b9a90 RDI: ffffffffa000005c RBP: ffffffffa000005c R08: 0000000000000000 R09: ffffffff8206e6e0 R10: ffff88807b01f4c0 R11: ffffffff8176c106 R12: ffffffff8206e6e0 R13: ffffffff824f2440 R14: 0000000000000000 R15: ffffffff8206eac0 FS: 0000000000000000(0000) GS:ffff88807d400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa000005c CR3: 0000000002012000 CR4: 00000000000006b0 Call Trace: text_poke_bp+0x27/0x64 ? mutex_lock+0x36/0x5d arch_ftrace_update_trampoline+0x287/0x2d5 ? ftrace_replace_code+0x14b/0x160 ? ftrace_update_ftrace_func+0x65/0x6c __register_ftrace_function+0x6d/0x81 ftrace_startup+0x23/0xc1 register_ftrace_function+0x20/0x37 func_set_flag+0x59/0x77 __set_tracer_option.isra.19+0x20/0x3e trace_set_options+0xd6/0x13e apply_trace_boot_options+0x44/0x6d register_tracer+0x19e/0x1ac early_trace_init+0x21b/0x2c9 start_kernel+0x241/0x518 ? load_ucode_intel_bsp+0x21/0x52 secondary_startup_64+0xa4/0xb0 I was able to trigger it on other machines, when I added to the kernel command line of both "ftrace=function" and "trace_options=func_stack_trace". The cause is the "ftrace=function" would register the function tracer and create a trampoline, and it will set it as executable and read-only. Then the "trace_options=func_stack_trace" would then update the same trampoline to include the stack tracer version of the function tracer. But since the trampoline already exists, it updates it with text_poke_bp(). The problem is that text_poke_bp() called while system_state == SYSTEM_BOOTING, it will simply do a memcpy() and not the page mapping, as it would think that the text is still read-write. But in this case it is not, and we take a fault and crash. Instead, lets keep the ftrace trampolines read-write during boot up, and then when the kernel executable text is set to read-only, the ftrace trampolines get set to read-only as well. Link: https://lkml.kernel.org/r/20200430202147.4dc6e2de@oasis.local.home Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Josh Poimboeuf Cc: "H. Peter Anvin" Cc: stable@vger.kernel.org Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()") Acked-by: Peter Zijlstra Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit c6e472f6d6ebd2ee387d6ab473934c7016763cdd Author: Potnuri Bharat Teja Date: Tue May 12 00:26:08 2020 +0530 RDMA/iw_cxgb4: Fix incorrect function parameters [ Upstream commit c8b1f340e54158662acfa41d6dee274846370282 ] While reading the TCB field in t4_tcb_get_field32() the wrong mask is passed as a parameter which leads the driver eventually to a kernel panic/app segfault from access to an illegal SRQ index while flushing the SRQ completions during connection teardown. Fixes: 11a27e2121a5 ("iw_cxgb4: complete the cached SRQ buffers") Link: https://lore.kernel.org/r/20200511185608.5202-1-bharat@chelsio.com Signed-off-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 058c3f45b760669f76f46897447d96ba49116d8d Author: Maor Gottlieb Date: Thu May 7 09:29:42 2020 +0300 RDMA/core: Fix double put of resource [ Upstream commit 50bbe3d34fea74b7c0fabe553c40c2f4a48bb9c3 ] Do not decrease the reference count of resource tracker object twice in the error flow of res_get_common_doit. Fixes: c5dfe0ea6ffa ("RDMA/nldev: Add resource tracker doit callback") Link: https://lore.kernel.org/r/20200507062942.98305-1-leon@kernel.org Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2a5968f266c7b9dc13917ac573af8d7b7da4023c Author: Jack Morgenstein Date: Thu May 7 10:10:12 2020 +0300 IB/core: Fix potential NULL pointer dereference in pkey cache [ Upstream commit 1901b91f99821955eac2bd48fe25ee983385dc00 ] The IB core pkey cache is populated by procedure ib_cache_update(). Initially, the pkey cache pointer is NULL. ib_cache_update allocates a buffer and populates it with the device's pkeys, via repeated calls to procedure ib_query_pkey(). If there is a failure in populating the pkey buffer via ib_query_pkey(), ib_cache_update does not replace the old pkey buffer cache with the updated one -- it leaves the old cache as is. Since initially the pkey buffer cache is NULL, when calling ib_cache_update the first time, a failure in ib_query_pkey() will cause the pkey buffer cache pointer to remain NULL. In this situation, any calls subsequent to ib_get_cached_pkey(), ib_find_cached_pkey(), or ib_find_cached_pkey_exact() will try to dereference the NULL pkey cache pointer, causing a kernel panic. Fix this by checking the ib_cache_update() return value. Fixes: 8faea9fd4a39 ("RDMA/cache: Move the cache per-port data into the main ib_port_data") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20200507071012.100594-1-leon@kernel.org Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit b2e97acbb3c7e58b3ae5ef7f3566a9654ded2fad Author: Jack Morgenstein Date: Sun Apr 26 10:59:21 2020 +0300 IB/mlx4: Test return value of calls to ib_get_cached_pkey [ Upstream commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 ] In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey() without checking its return value. If ib_get_cached_pkey() returns an error code, these functions should return failure. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr") Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ee8677efc90e375f6878488a44d9cbaf08ee6080 Author: Sudip Mukherjee Date: Sun Apr 26 00:35:45 2020 +0100 RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info() [ Upstream commit bb43c8e382e5da0ee253e3105d4099820ff4d922 ] The commit below modified rxe_create_mmap_info() to return ERR_PTR's but didn't update the callers to handle them. Modify rxe_create_mmap_info() to only return ERR_PTR and fix all error checking after rxe_create_mmap_info() is called. Ensure that all other exit paths properly set the error return. Fixes: ff23dfa13457 ("IB: Pass only ib_udata in function prototypes") Link: https://lore.kernel.org/r/20200425233545.17210-1-sudipm.mukherjee@gmail.com Link: https://lore.kernel.org/r/20200511183742.GB225608@mwanda Cc: stable@vger.kernel.org [5.4+] Signed-off-by: Sudip Mukherjee Signed-off-by: Dan Carpenter Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ead224c4111ec7c17fa8547373cb603a35b0022c Author: Phil Sutter Date: Mon May 11 15:31:41 2020 +0200 netfilter: nft_set_rbtree: Add missing expired checks [ Upstream commit 340eaff651160234bdbce07ef34b92a8e45cd540 ] Expired intervals would still match and be dumped to user space until garbage collection wiped them out. Make sure they stop matching and disappear (from users' perspective) as soon as they expire. Fixes: 8d8540c4f5e03 ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 4577165bfac8a592885a751234737cb078038c48 Author: Pablo Neira Ayuso Date: Mon May 11 11:54:31 2020 +0200 netfilter: flowtable: set NF_FLOW_TEARDOWN flag on entry expiration [ Upstream commit 9ed81c8e0deb7bd2aa0d69371e4a0f9a7b31205d ] If the flow timer expires, the gc sets on the NF_FLOW_TEARDOWN flag. Otherwise, the flowtable software path might race to refresh the timeout, leaving the state machine in inconsistent state. Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") Reported-by: Paul Blakey Reviewed-by: Roi Dayan Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit d4c4a85ad4e5075e31349d23f2098834b0235c1c Author: Steven Rostedt (VMware) Date: Sun May 10 11:35:10 2020 -0400 tracing: Wait for preempt irq delay thread to execute [ Upstream commit 8b1fac2e73e84ef0d6391051880a8e1d7044c847 ] A bug report was posted that running the preempt irq delay module on a slow machine, and removing it quickly could lead to the thread created by the modlue to execute after the module is removed, and this could cause the kernel to crash. The fix for this was to call kthread_stop() after creating the thread to make sure it finishes before allowing the module to be removed. Now this caused the opposite problem on fast machines. What now happens is the kthread_stop() can cause the kthread never to execute and the test never to run. To fix this, add a completion and wait for the kthread to execute, then wait for it to end. This issue caused the ftracetest selftests to fail on the preemptirq tests. Link: https://lore.kernel.org/r/20200510114210.15d9e4af@oasis.local.home Cc: stable@vger.kernel.org Fixes: d16a8c31077e ("tracing: Wait for preempt irq delay thread to finish") Reviewed-by: Joel Fernandes (Google) Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 251394ab5f630c852429b7b2c0a1cd528d892460 Author: Chuck Lever Date: Sat May 9 14:07:13 2020 -0400 SUNRPC: Signalled ASYNC tasks need to exit [ Upstream commit ce99aa62e1eb793e259d023c7f6ccb7c4879917b ] Ensure that signalled ASYNC rpc_tasks exit immediately instead of spinning until a timeout (or forever). To avoid checking for the signal flag on every scheduler iteration, the check is instead introduced in the client's finite state machine. Signed-off-by: Chuck Lever Fixes: ae67bd3821bb ("SUNRPC: Fix up task signalling") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 6f6422b355ffbf413ca89701317d531b6a7c6ac2 Author: J. Bruce Fields Date: Mon May 11 10:02:48 2020 -0400 nfs: fix NULL deference in nfs4_get_valid_delegation [ Upstream commit 29fe839976266bc7c55b927360a1daae57477723 ] We add the new state to the nfsi->open_states list, making it potentially visible to other threads, before we've finished initializing it. That wasn't a problem when all the readers were also taking the i_lock (as we do here), but since we switched to RCU, there's now a possibility that a reader could see the partially initialized state. Symptoms observed were a crash when another thread called nfs4_get_valid_delegation() on a NULL inode, resulting in an oops like: BUG: unable to handle page fault for address: ffffffffffffffb0 ... RIP: 0010:nfs4_get_valid_delegation+0x6/0x30 [nfsv4] ... Call Trace: nfs4_open_prepare+0x80/0x1c0 [nfsv4] __rpc_execute+0x75/0x390 [sunrpc] ? finish_task_switch+0x75/0x260 rpc_async_schedule+0x29/0x40 [sunrpc] process_one_work+0x1ad/0x370 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x10c/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30 Fixes: 9ae075fdd190 "NFSv4: Convert open state lookup to use RCU" Reviewed-by: Seiichi Ikarashi Tested-by: Daisuke Matsuda Tested-by: Masayoshi Mizuma Signed-off-by: J. Bruce Fields Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 2d11f15a55a2c91fb7086c97e8a64cf6ec310b49 Author: Chris Wilson Date: Thu May 7 16:51:09 2020 +0100 drm/i915: Mark concurrent submissions with a weak-dependency [ Upstream commit a9d094dcf7845af85f82adcad9f793e51e4d14c8 ] We recorded the dependencies for WAIT_FOR_SUBMIT in order that we could correctly perform priority inheritance from the parallel branches to the common trunk. However, for the purpose of timeslicing and reset handling, the dependency is weak -- as we the pair of requests are allowed to run in parallel and not in strict succession. The real significance though is that this allows us to rearrange groups of WAIT_FOR_SUBMIT linked requests along the single engine, and so can resolve user level inter-batch scheduling dependencies from user semaphores. Fixes: c81471f5e95c ("drm/i915: Copy across scheduler behaviour flags across submit fences") Testcase: igt/gem_exec_fence/submit Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.6+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200507155109.8892-1-chris@chris-wilson.co.uk (cherry picked from commit 6b6cd2ebd8d071e55998e32b648bb8081f7f02bb) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 5e62d09d51cf74d103b67cf871e680b182e78b80 Author: Florian Westphal Date: Sun May 10 14:28:07 2020 +0200 netfilter: conntrack: fix infinite loop on rmmod [ Upstream commit 54ab49fde95605a1077f759ce454d94e84b5ca45 ] 'rmmod nf_conntrack' can hang forever, because the netns exit gets stuck in nf_conntrack_cleanup_net_list(): i_see_dead_people: busy = 0; list_for_each_entry(net, net_exit_list, exit_list) { nf_ct_iterate_cleanup(kill_all, net, 0, 0); if (atomic_read(&net->ct.count) != 0) busy = 1; } if (busy) { schedule(); goto i_see_dead_people; } When nf_ct_iterate_cleanup iterates the conntrack table, all nf_conn structures can be found twice: once for the original tuple and once for the conntracks reply tuple. get_next_corpse() only calls the iterator when the entry is in original direction -- the idea was to avoid unneeded invocations of the iterator callback. When support for clashing entries was added, the assumption that all nf_conn objects are added twice, once in original, once for reply tuple no longer holds -- NF_CLASH_BIT entries are only added in the non-clashing reply direction. Thus, if at least one NF_CLASH entry is in the list then nf_conntrack_cleanup_net_list() always skips it completely. During normal netns destruction, this causes a hang of several seconds, until the gc worker removes the entry (NF_CLASH entries always have a 1 second timeout). But in the rmmod case, the gc worker has already been stopped, so ct.count never becomes 0. We can fix this in two ways: 1. Add a second test for CLASH_BIT and call iterator for those entries as well, or: 2. Skip the original tuple direction and use the reply tuple. 2) is simpler, so do that. Fixes: 6a757c07e51f80ac ("netfilter: conntrack: allow insertion of clashing entries") Reported-by: Chen Yi Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e6416760a05434097d1fda90ae5530c9cbc2cd4f Author: Christoph Hellwig Date: Sun May 10 09:54:41 2020 +0200 arm64: fix the flush_icache_range arguments in machine_kexec [ Upstream commit d51c214541c5154dda3037289ee895ea3ded5ebd ] The second argument is the end "pointer", not the length. Fixes: d28f6df1305a ("arm64/kexec: Add core kexec support") Cc: # 4.8.x- Signed-off-by: Christoph Hellwig Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit a538b476eb35220aa4e8fc03debe2aed04b7c69c Author: Zhenyu Wang Date: Wed May 6 17:59:18 2020 +0800 drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest [ Upstream commit 72a7a9925e2beea09b109dffb3384c9bf920d9da ] As i915 won't allocate extra PDP for current default PML4 table, so for 3-level ppgtt guest, we would hit kernel pointer access failure on extra PDP pointers. So this trys to bypass that now. It won't impact real shadow PPGTT setup, so guest context still works. This is verified on 4.15 guest kernel with i915.enable_ppgtt=1 to force on old aliasing ppgtt behavior. Fixes: 4f15665ccbba ("drm/i915: Add ppgtt to GVT GEM context") Reviewed-by: Xiong Zhang Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20200506095918.124913-1-zhenyuw@linux.intel.com Signed-off-by: Sasha Levin commit d373d1fde4d589e9743c8498bc5e9899c048b8c9 Author: Arnd Bergmann Date: Thu Apr 30 23:30:48 2020 +0200 netfilter: conntrack: avoid gcc-10 zero-length-bounds warning [ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ] gcc-10 warns around a suspicious access to an empty struct member: net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] 1522 | memset(&ct->__nfct_init_offset[0], 0, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from net/netfilter/nf_conntrack_core.c:37: include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' 90 | u8 __nfct_init_offset[0]; | ^~~~~~~~~~~~~~~~~~ The code is correct but a bit unusual. Rework it slightly in a way that does not trigger the warning, using an empty struct instead of an empty array. There are probably more elegant ways to do this, but this is the smallest change. Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") Signed-off-by: Arnd Bergmann Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f349557d4e0445e8752e09401451cf728ece6767 Author: Guenter Roeck Date: Sat May 9 13:13:33 2020 -0700 hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported [ Upstream commit bcb543cc3d4034da3f3fd8bc4296a26dfeadf47d ] If SCT is supported but SCT data tables are not, the driver unnecessarily tries to fall back to SMART. Use SCT without data tables instead in this situation. Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 9262bb40618b3697194513e19d51a5a248f5e371 Author: Dave Wysochanski Date: Thu Apr 16 06:06:08 2020 -0400 NFSv4: Fix fscache cookie aux_data to ensure change_attr is included [ Upstream commit 50eaa652b54df1e2b48dc398d9e6114c9ed080eb ] Commit 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") added the aux_data and aux_data_len to parameters to fscache_acquire_cookie(), and updated the callers in the NFS client. In the process it modified the aux_data to include the change_attr, but missed adding change_attr to a couple places where aux_data was used. Specifically, when opening a file and the change_attr is not added, the following attempt to lookup an object will fail inside cachefiles_check_object_xattr() = -116 due to nfs_fscache_inode_check_aux() failing memcmp on auxdata and returning FSCACHE_CHECKAUX_OBSOLETE. Fix this by adding nfs_fscache_update_auxdata() to set the auxdata from all relevant fields in the inode, including the change_attr. Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 2dfd76303a057a5aa41982561dea5e4d00249a74 Author: Dave Wysochanski Date: Wed Apr 15 16:14:42 2020 -0400 NFS: Fix fscache super_cookie allocation [ Upstream commit 15751612734ca0c419ac43ce986c9badcb5e2829 ] Commit f2aedb713c28 ("NFS: Add fs_context support.") reworked NFS mount code paths for fs_context support which included super_block initialization. In the process there was an extra return left in the code and so we never call nfs_fscache_get_super_cookie even if 'fsc' is given on as mount option. In addition, there is an extra check inside nfs_fscache_get_super_cookie for the NFS_OPTION_FSCACHE which is unnecessary since the only caller nfs_get_cache_cookie checks this flag. Fixes: f2aedb713c28 ("NFS: Add fs_context support.") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 8b189454123ce96d9345d122f109b069ef91c7f0 Author: Dave Wysochanski Date: Wed Apr 15 16:14:41 2020 -0400 NFS: Fix fscache super_cookie index_key from changing after umount [ Upstream commit d9bfced1fbcb35b28d8fbed4e785d2807055ed2b ] Commit 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") added the index_key and index_key_len parameters to fscache_acquire_cookie(), and updated the callers in the NFS client. One of the callers was inside nfs_fscache_get_super_cookie() and was changed to use the full struct nfs_fscache_key as the index_key. However, a couple members of this structure contain pointers and thus will change each time the same NFS share is remounted. Since index_key is used for fscache_cookie->key_hash and this subsequently is used to compare cookies, the effectiveness of fscache with NFS is reduced to the point at which a umount occurs. Any subsequent remount of the same share will cause a unique NFS super_block index_key and key_hash to be generated for the same data, rendering any prior fscache data unable to be found. A simple reproducer demonstrates the problem. 1. Mount share with 'fsc', create a file, drop page cache systemctl start cachefilesd mount -o vers=3,fsc 127.0.0.1:/export /mnt dd if=/dev/zero of=/mnt/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches 2. Read file into page cache and fscache, then unmount dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 umount /mnt 3. Remount and re-read which should come from fscache mount -o vers=3,fsc 127.0.0.1:/export /mnt echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 4. Check for READ ops in mountstats - there should be none grep READ: /proc/self/mountstats Looking at the history and the removed function, nfs_super_get_key(), we should only use nfs_fscache_key.key plus any uniquifier, for the fscache index_key. Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 551ef63c8fc07565a934b2881e8548ffd9bf7167 Author: Alex Deucher Date: Tue May 5 09:42:26 2020 -0400 drm/amdgpu: force fbdev into vram [ Upstream commit a6aacb2b26e85aa619cf0c6f98d0ca77314cd2a1 ] We set the fb smem pointer to the offset into the BAR, so keep the fbdev bo in vram. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=207581 Fixes: 6c8d74caa2fa33 ("drm/amdgpu: Enable scatter gather display support") Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit ec28a9a4a27982572fdc30d493bdd9515a42ab40 Author: Christian Brauner Date: Thu May 7 12:32:14 2020 +0200 fork: prevent accidental access to clone3 features [ Upstream commit 3f2c788a13143620c5471ac96ac4f033fc9ac3f3 ] Jan reported an issue where an interaction between sign-extending clone's flag argument on ppc64le and the new CLONE_INTO_CGROUP feature causes clone() to consistently fail with EBADF. The whole story is a little longer. The legacy clone() syscall is odd in a bunch of ways and here two things interact. First, legacy clone's flag argument is word-size dependent, i.e. it's an unsigned long whereas most system calls with flag arguments use int or unsigned int. Second, legacy clone() ignores unknown and deprecated flags. The two of them taken together means that users on 64bit systems can pass garbage for the upper 32bit of the clone() syscall since forever and things would just work fine. Just try this on a 64bit kernel prior to v5.7-rc1 where this will succeed and on v5.7-rc1 where this will fail with EBADF: int main(int argc, char *argv[]) { pid_t pid; /* Note that legacy clone() has different argument ordering on * different architectures so this won't work everywhere. * * Only set the upper 32 bits. */ pid = syscall(__NR_clone, 0xffffffff00000000 | SIGCHLD, NULL, NULL, NULL, NULL); if (pid < 0) exit(EXIT_FAILURE); if (pid == 0) exit(EXIT_SUCCESS); if (wait(NULL) != pid) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); } Since legacy clone() couldn't be extended this was not a problem so far and nobody really noticed or cared since nothing in the kernel ever bothered to look at the upper 32 bits. But once we introduced clone3() and expanded the flag argument in struct clone_args to 64 bit we opened this can of worms. With the first flag-based extension to clone3() making use of the upper 32 bits of the flag argument we've effectively made it possible for the legacy clone() syscall to reach clone3() only flags. The sign extension scenario is just the odd corner-case that we needed to figure this out. The reason we just realized this now and not already when we introduced CLONE_CLEAR_SIGHAND was that CLONE_INTO_CGROUP assumes that a valid cgroup file descriptor has been given. So the sign extension (or the user accidently passing garbage for the upper 32 bits) caused the CLONE_INTO_CGROUP bit to be raised and the kernel to error out when it didn't find a valid cgroup file descriptor. Let's fix this by always capping the upper 32 bits for all codepaths that are not aware of clone3() features. This ensures that we can't reach clone3() only features by accident via legacy clone as with the sign extension case and also that legacy clone() works exactly like before, i.e. ignoring any unknown flags. This solution risks no regressions and is also pretty clean. Fixes: 7f192e3cd316 ("fork: add clone3") Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups") Reported-by: Jan Stancek Signed-off-by: Christian Brauner Cc: Arnd Bergmann Cc: Dmitry V. Levin Cc: Andreas Schwab Cc: Florian Weimer Cc: libc-alpha@sourceware.org Cc: stable@vger.kernel.org # 5.3+ Link: https://sourceware.org/pipermail/libc-alpha/2020-May/113596.html Link: https://lore.kernel.org/r/20200507103214.77218-1-christian.brauner@ubuntu.com Signed-off-by: Sasha Levin commit 790557697fd5f8075024ae4c421eb41b36a94d81 Author: Andreas Gruenbacher Date: Tue Apr 28 01:15:41 2020 +0200 gfs2: More gfs2_find_jhead fixes [ Upstream commit aa83da7f47b26c9587bade6c4bc4736ffa308f0a ] It turns out that when extending an existing bio, gfs2_find_jhead fails to check if the block number is consecutive, which leads to incorrect reads for fragmented journals. In addition, limit the maximum bio size to an arbitrary value of 2 megabytes: since commit 07173c3ec276 ("block: enable multipage bvecs"), if we just keep adding pages until bio_add_page fails, bios will grow much larger than useful, which pins more memory than necessary with barely any additional performance gains. Fixes: f4686c26ecc3 ("gfs2: read journal in large chunks") Cc: stable@vger.kernel.org # v5.2+ Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 32107a1681dfba581222f7850af6a15ee8d3c39f Author: Adrian Hunter Date: Fri May 8 09:22:27 2020 +0300 mmc: block: Fix request completion in the CQE timeout path [ Upstream commit c077dc5e0620508a29497dac63a2822324ece52a ] First, it should be noted that the CQE timeout (60 seconds) is substantial so a CQE request that times out is really stuck, and the race between timeout and completion is extremely unlikely. Nevertheless this patch fixes an issue with it. Commit ad73d6feadbd7b ("mmc: complete requests from ->timeout") preserved the existing functionality, to complete the request. However that had only been necessary because the block layer timeout handler had been marking the request to prevent it from being completed normally. That restriction was removed at the same time, the result being that a request that has gone will have been completed anyway. That is, the completion was unnecessary. At the time, the unnecessary completion was harmless because the block layer would ignore it, although that changed in kernel v5.0. Note for stable, this patch will not apply cleanly without patch "mmc: core: Fix recursive locking issue in CQE recovery path" Signed-off-by: Adrian Hunter Fixes: ad73d6feadbd7b ("mmc: complete requests from ->timeout") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200508062227.23144-1-adrian.hunter@intel.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 6b7b9d3faac9047082f5137340f5c4d2d8d59dcc Author: Sarthak Garg Date: Thu May 7 21:45:33 2020 +0530 mmc: core: Fix recursive locking issue in CQE recovery path [ Upstream commit 39a22f73744d5baee30b5f134ae2e30b668b66ed ] Consider the following stack trace -001|raw_spin_lock_irqsave -002|mmc_blk_cqe_complete_rq -003|__blk_mq_complete_request(inline) -003|blk_mq_complete_request(rq) -004|mmc_cqe_timed_out(inline) -004|mmc_mq_timed_out mmc_mq_timed_out acquires the queue_lock for the first time. The mmc_blk_cqe_complete_rq function also tries to acquire the same queue lock resulting in recursive locking where the task is spinning for the same lock which it has already acquired leading to watchdog bark. Fix this issue with the lock only for the required critical section. Cc: Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") Suggested-by: Sahitya Tummala Signed-off-by: Sarthak Garg Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/1588868135-31783-1-git-send-email-vbadigan@codeaurora.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit abc14656136abceb1d0c73c64ba14c070c529d7d Author: Veerabhadrarao Badiganti Date: Wed May 6 20:04:02 2020 +0530 mmc: core: Check request type before completing the request [ Upstream commit e6bfb1bf00852b55f4c771f47ae67004c04d3c87 ] In the request completion path with CQE, request type is being checked after the request is getting completed. This is resulting in returning the wrong request type and leading to the IO hang issue. ASYNC request type is getting returned for DCMD type requests. Because of this mismatch, mq->cqe_busy flag is never getting cleared and the driver is not invoking blk_mq_hw_run_queue. So requests are not getting dispatched to the LLD from the block layer. All these eventually leading to IO hang issues. So, get the request type before completing the request. Cc: Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") Signed-off-by: Veerabhadrarao Badiganti Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/1588775643-18037-2-git-send-email-vbadigan@codeaurora.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit fef31a6a0f22deb2b119204e4dd429bdcc19ecf4 Author: Ben Chuang Date: Mon May 4 14:39:57 2020 +0800 mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10 [ Upstream commit b56ff195c317ad28c05d354aeecbb9995b8e08c1 ] Need to clear some bits in a vendor-defined register after reboot from Windows 10. Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") Reported-by: Grzegorz Kowal Signed-off-by: Ben Chuang Acked-by: Adrian Hunter Tested-by: Grzegorz Kowal Link: https://lore.kernel.org/r/20200504063957.6638-1-benchuanggli@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 84b1fd515b3faff3c2836f15061554efd419f870 Author: Christophe JAILLET Date: Sun Apr 26 22:23:55 2020 +0200 mmc: alcor: Fix a resource leak in the error path for ->probe() [ Upstream commit 7c277dd2b0ff6a16f1732a66c2c52a29f067163e ] If devm_request_threaded_irq() fails, the allocated struct mmc_host needs to be freed via calling mmc_free_host(), so let's do that. Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20200426202355.43055-1-christophe.jaillet@wanadoo.fr Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 743eebb48b08854551c0a75e3650dca4c91a1c71 Author: Chris Wilson Date: Mon Apr 20 13:53:55 2020 +0100 drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane [ Upstream commit 47bf7b7a7151bad568b9523d14477a353a450066 ] Since moving the obj->vma.list to a spin_lock, and the vm->bound_list to its vm->mutex, along with tracking shrinkable status under its own spinlock, we no long require the object to be locked by the caller. This is fortunate as it appears we can be called with the lock along an error path in flipping: <4> [139.942851] WARN_ON(debug_locks && !lock_is_held(&(&((obj)->base.resv)->lock.base)->dep_map)) <4> [139.943242] WARNING: CPU: 0 PID: 1203 at drivers/gpu/drm/i915/gem/i915_gem_domain.c:405 i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915] <4> [139.943263] Modules linked in: snd_hda_intel i915 vgem snd_hda_codec_realtek snd_hda_codec_generic coretemp snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core r8169 lpc_ich snd_pcm realtek prime_numbers [last unloaded: i915] <4> [139.943347] CPU: 0 PID: 1203 Comm: kms_flip Tainted: G U 5.6.0-gd0fda5c2cf3f1-drmtip_474+ #1 <4> [139.943363] Hardware name: /D510MO, BIOS MOPNV10J.86A.0311.2010.0802.2346 08/02/2010 <4> [139.943589] RIP: 0010:i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915] <4> [139.943589] Code: 85 28 01 00 00 be ff ff ff ff 48 8d 78 60 e8 d7 9b f0 e2 85 c0 75 b9 48 c7 c6 50 b9 38 c0 48 c7 c7 e9 48 3c c0 e8 20 d4 e9 e2 <0f> 0b eb a2 48 c7 c1 08 bb 38 c0 ba 0a 01 00 00 48 c7 c6 88 a3 35 <4> [139.943589] RSP: 0018:ffffb774c0603b48 EFLAGS: 00010282 <4> [139.943589] RAX: 0000000000000000 RBX: ffff9a142fa36e80 RCX: 0000000000000006 <4> [139.943589] RDX: 000000000000160d RSI: ffff9a142c1a88f8 RDI: ffffffffa434a64d <4> [139.943589] RBP: ffff9a1410a513c0 R08: ffff9a142c1a88f8 R09: 0000000000000000 <4> [139.943589] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9a1436ee94b8 <4> [139.943589] R13: 0000000000000001 R14: 00000000ffffffff R15: ffff9a1410960000 <4> [139.943589] FS: 00007fc73a744e40(0000) GS:ffff9a143da00000(0000) knlGS:0000000000000000 <4> [139.943589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4> [139.943589] CR2: 00007fc73997e098 CR3: 000000002f5fe000 CR4: 00000000000006f0 <4> [139.943589] Call Trace: <4> [139.943589] intel_pin_and_fence_fb_obj+0x1c9/0x1f0 [i915] <4> [139.943589] intel_plane_pin_fb+0x3f/0xd0 [i915] <4> [139.943589] intel_prepare_plane_fb+0x13b/0x5c0 [i915] <4> [139.943589] drm_atomic_helper_prepare_planes+0x85/0x110 <4> [139.943589] intel_atomic_commit+0xda/0x390 [i915] <4> [139.943589] drm_atomic_helper_page_flip+0x9c/0xd0 <4> [139.943589] ? drm_event_reserve_init+0x46/0x60 <4> [139.943589] drm_mode_page_flip_ioctl+0x587/0x5d0 This completes the symmetry lost in commit 8b1c78e06e61 ("drm/i915: Avoid calling i915_gem_object_unbind holding object lock"). Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1743 Fixes: 8b1c78e06e61 ("drm/i915: Avoid calling i915_gem_object_unbind holding object lock") Signed-off-by: Chris Wilson Cc: Matthew Auld Cc: Andi Shyti Cc: # v5.6+ Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20200420125356.26614-1-chris@chris-wilson.co.uk (cherry picked from commit a95f3ac21d64d62c746f836598d1467d5837fa28) (cherry picked from commit 2208b85fa1766ee4821a9435d548578b67090531) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit ca0438c0904ded0998ec557cf466db99b98cdcf1 Author: John Fastabend Date: Mon May 4 10:21:44 2020 -0700 bpf, sockmap: bpf_tcp_ingress needs to subtract bytes from sg.size [ Upstream commit 81aabbb9fb7b4b1efd073b62f0505d3adad442f3 ] In bpf_tcp_ingress we used apply_bytes to subtract bytes from sg.size which is used to track total bytes in a message. But this is not correct because apply_bytes is itself modified in the main loop doing the mem_charge. Then at the end of this we have sg.size incorrectly set and out of sync with actual sk values. Then we can get a splat if we try to cork the data later and again try to redirect the msg to ingress. To fix instead of trying to track msg.size do the easy thing and include it as part of the sk_msg_xfer logic so that when the msg is moved the sg.size is always correct. To reproduce the below users will need ingress + cork and hit an error path that will then try to 'free' the skmsg. [ 173.699981] BUG: KASAN: null-ptr-deref in sk_msg_free_elem+0xdd/0x120 [ 173.699987] Read of size 8 at addr 0000000000000008 by task test_sockmap/5317 [ 173.700000] CPU: 2 PID: 5317 Comm: test_sockmap Tainted: G I 5.7.0-rc1+ #43 [ 173.700005] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 [ 173.700009] Call Trace: [ 173.700021] dump_stack+0x8e/0xcb [ 173.700029] ? sk_msg_free_elem+0xdd/0x120 [ 173.700034] ? sk_msg_free_elem+0xdd/0x120 [ 173.700042] __kasan_report+0x102/0x15f [ 173.700052] ? sk_msg_free_elem+0xdd/0x120 [ 173.700060] kasan_report+0x32/0x50 [ 173.700070] sk_msg_free_elem+0xdd/0x120 [ 173.700080] __sk_msg_free+0x87/0x150 [ 173.700094] tcp_bpf_send_verdict+0x179/0x4f0 [ 173.700109] tcp_bpf_sendpage+0x3ce/0x5d0 Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/158861290407.14306.5327773422227552482.stgit@john-Precision-5820-Tower Signed-off-by: Sasha Levin commit d0261c30ddd7843ff58a825de03c0cb6c49716de Author: John Fastabend Date: Mon May 4 10:21:23 2020 -0700 bpf, sockmap: msg_pop_data can incorrecty set an sge length [ Upstream commit 3e104c23816220919ea1b3fd93fabe363c67c484 ] When sk_msg_pop() is called where the pop operation is working on the end of a sge element and there is no additional trailing data and there _is_ data in front of pop, like the following case, |____________a_____________|__pop__| We have out of order operations where we incorrectly set the pop variable so that instead of zero'ing pop we incorrectly leave it untouched, effectively. This can cause later logic to shift the buffers around believing it should pop extra space. The result is we have 'popped' more data then we expected potentially breaking program logic. It took us a while to hit this case because typically we pop headers which seem to rarely be at the end of a scatterlist elements but we can't rely on this. Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/158861288359.14306.7654891716919968144.stgit@john-Precision-5820-Tower Signed-off-by: Sasha Levin commit c2837d9475d97d5c1434012c26b692525c34f1fd Author: Sultan Alsawaf Date: Thu Apr 30 14:46:54 2020 -0700 drm/i915: Don't enable WaIncreaseLatencyIPCEnabled when IPC is disabled [ Upstream commit 421abe200321a2c907ede1a6208c558284ba0b75 ] In commit 5a7d202b1574, a logical AND was erroneously changed to an OR, causing WaIncreaseLatencyIPCEnabled to be enabled unconditionally for kabylake and coffeelake, even when IPC is disabled. Fix the logic so that WaIncreaseLatencyIPCEnabled is only used when IPC is enabled. Fixes: 5a7d202b1574 ("drm/i915: Drop WaIncreaseLatencyIPCEnabled/1140 for cnl") Cc: stable@vger.kernel.org # 5.3.x+ Signed-off-by: Sultan Alsawaf Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20200430214654.51314-1-sultan@kerneltoast.com (cherry picked from commit 690d22dafa88b82453516387b475664047a6bd14) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit e9379433f732d0f686ba0eff58d5e6acdcf615f5 Author: Chris Wilson Date: Fri May 1 13:22:49 2020 +0100 drm/i915/gt: Make timeslicing an explicit engine property [ Upstream commit fe5a708267911d55cce42910d93e303924b088fd ] In order to allow userspace to rely on timeslicing to reorder their batches, we must support preemption of those user batches. Declare timeslicing as an explicit property that is a combination of having the kernel support and HW support. Suggested-by: Tvrtko Ursulin Fixes: 8ee36e048c98 ("drm/i915/execlists: Minimalistic timeslicing") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200501122249.12417-1-chris@chris-wilson.co.uk (cherry picked from commit a211da9c771bf97395a3ced83a3aa383372b13a7) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit fe61dadcff2afcf9f45c0ac2d2af51c60e728e3c Author: Dan Carpenter Date: Wed Apr 22 12:22:11 2020 +0300 i40iw: Fix error handling in i40iw_manage_arp_cache() [ Upstream commit 37e31d2d26a4124506c24e95434e9baf3405a23a ] The i40iw_arp_table() function can return -EOVERFLOW if i40iw_alloc_resource() fails so we can't just test for "== -1". Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Link: https://lore.kernel.org/r/20200422092211.GA195357@mwanda Signed-off-by: Dan Carpenter Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 303683fe39182d002117ed34eb2c00d3630ec5d5 Author: David Howells Date: Mon May 4 16:12:55 2020 +0100 cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages() [ Upstream commit c5f9d9db83d9f84d2b4aae5a1b29d9b582ccff2f ] The patch which changed cachefiles from calling ->bmap() to using the bmap() wrapper overwrote the running return value with the result of calling bmap(). This causes an assertion failure elsewhere in the code. Fix this by using ret2 rather than ret to hold the return value. The oops looks like: kernel BUG at fs/nfs/fscache.c:468! ... RIP: 0010:__nfs_readpages_from_fscache+0x18b/0x190 [nfs] ... Call Trace: nfs_readpages+0xbf/0x1c0 [nfs] ? __alloc_pages_nodemask+0x16c/0x320 read_pages+0x67/0x1a0 __do_page_cache_readahead+0x1cf/0x1f0 ondemand_readahead+0x172/0x2b0 page_cache_async_readahead+0xaa/0xe0 generic_file_buffered_read+0x852/0xd50 ? mem_cgroup_commit_charge+0x6e/0x140 ? nfs4_have_delegation+0x19/0x30 [nfsv4] generic_file_read_iter+0x100/0x140 ? nfs_revalidate_mapping+0x176/0x2b0 [nfs] nfs_file_read+0x6d/0xc0 [nfs] new_sync_read+0x11a/0x1c0 __vfs_read+0x29/0x40 vfs_read+0x8e/0x140 ksys_read+0x61/0xd0 __x64_sys_read+0x1a/0x20 do_syscall_64+0x60/0x1e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5d148267e0 Fixes: 10d83e11a582 ("cachefiles: drop direct usage of ->bmap method.") Reported-by: David Wysochanski Signed-off-by: David Howells Tested-by: David Wysochanski cc: Carlos Maiolino Signed-off-by: Sasha Levin commit 1a1133502839ec8a0507920786938934f9d5b011 Author: Takashi Sakamoto Date: Sun May 3 13:57:18 2020 +0900 ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format [ Upstream commit 1034872123a06b759aba772b1c99612ccb8e632a ] The snd-firewire-lib.ko has 'amdtp-packet' event of tracepoints. Current printk format for the event includes 'sizeof(u8)' macro expected to be extended in compilation time. However, this is not done. As a result, perf tools cannot parse the event for printing: $ mount -l -t debugfs debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime) $ cat /sys/kernel/debug/tracing/events/snd_firewire_lib/amdtp_packet/format ... print fmt: "%02u %04u %04x %04x %02d %03u %02u %03u %02u %01u %02u %s", REC->second, REC->cycle, REC->src, REC->dest, REC->channel, REC->payload_quadlets, REC->data_blocks, REC->data_block_counter, REC->packet_index, REC->irq, REC->index, __print_array(__get_dynamic_array(cip_header), __get_dynamic_array_len(cip_header), sizeof(u8)) $ sudo perf record -e snd_firewire_lib:amdtp_packet [snd_firewire_lib:amdtp_packet] function sizeof not defined Error: expected type 5 but read 0 This commit fixes it by obsoleting the macro with actual size. Cc: Fixes: bde2bbdb307a ("ALSA: firewire-lib: use dynamic array for CIP header of tracing events") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20200503045718.86337-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8ad3bcd4e0aa55a5cf3c059ee31b09efb90ac788 Author: Wei Yongjun Date: Thu Apr 30 08:18:51 2020 +0000 bpf: Fix error return code in map_lookup_and_delete_elem() [ Upstream commit 7f645462ca01d01abb94d75e6768c8b3ed3a188b ] Fix to return negative error code -EFAULT from the copy_to_user() error handling case instead of 0, as done elsewhere in this function. Fixes: bd513cd08f10 ("bpf: add MAP_LOOKUP_AND_DELETE_ELEM syscall") Signed-off-by: Wei Yongjun Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20200430081851.166996-1-weiyongjun1@huawei.com Signed-off-by: Sasha Levin commit 31eaf61c714f03a239ac3b193bf47513d201e13e Author: Thierry Reding Date: Wed Mar 25 21:16:03 2020 +0100 drm/tegra: Fix SMMU support on Tegra124 and Tegra210 [ Upstream commit 501be6c1c72417eab05e7413671a38ea991a8ebc ] When testing whether or not to enable the use of the SMMU, consult the supported DMA mask rather than the actually configured DMA mask, since the latter might already have been restricted. Fixes: 2d9384ff9177 ("drm/tegra: Relax IOMMU usage criteria on old Tegra") Tested-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit e190ea4dc49672e0610b89217006a3cd97f38282 Author: Grace Kao Date: Fri Apr 17 12:11:54 2020 +0800 pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler [ Upstream commit 69388e15f5078c961b9e5319e22baea4c57deff1 ] According to Braswell NDA Specification Update (#557593), concurrent read accesses may result in returning 0xffffffff and write instructions may be dropped. We have an established format for the commit references, i.e. cdca06e4e859 ("pinctrl: baytrail: Add missing spinlock usage in byt_gpio_irq_handler") Fixes: 0bd50d719b00 ("pinctrl: cherryview: prevent concurrent access to GPIO controllers") Signed-off-by: Grace Kao Reported-by: Brian Norris Reviewed-by: Brian Norris Acked-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 6437ef52940a3b15c12979b488031c296514badf Author: Ansuel Smith Date: Tue Apr 14 02:37:26 2020 +0200 pinctrl: qcom: fix wrong write in update_dual_edge [ Upstream commit 90bcb0c3ca0809d1ed358bfbf838df4b3d4e58e0 ] Fix a typo in the readl/writel accessor conversion where val is used instead of pol changing the behavior of the original code. Cc: stable@vger.kernel.org Fixes: 6c73698904aa pinctrl: qcom: Introduce readl/writel accessors Signed-off-by: Ansuel Smith Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20200414003726.25347-1-ansuelsmth@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 25c3ed57488748f44345401e13cb09c9ec8be9c9 Author: Andy Shevchenko Date: Wed Dec 11 19:32:54 2019 +0200 pinctrl: baytrail: Enable pin configuration setting for GPIO chip [ Upstream commit ccd025eaddaeb99e982029446197c544252108e2 ] It appears that pin configuration for GPIO chip hasn't been enabled yet due to absence of ->set_config() callback. Enable it here for Intel Baytrail. Fixes: c501d0b149de ("pinctrl: baytrail: Add pin control operations") Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit 0cfbd7d638a290153d396038b0b6991634f4e3f2 Author: Andy Shevchenko Date: Wed Apr 1 11:53:00 2020 +0300 pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H [ Upstream commit 6b7275c87717652daace4c0b8131eb184c7d7516 ] It appears that SPT-H variant has different offset for PAD locking registers. Fix it here. Fixes: 551fa5801ef1 ("pinctrl: intel: sunrisepoint: Add Intel Sunrisepoint-H support") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit 388843a10ef5f7553f51ab58f70fbb954b000b8a Author: Rafael J. Wysocki Date: Sat May 9 10:44:41 2020 +0200 ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake() [ Upstream commit 7b301750f7f8f6503e11f1af4a03832525f58c66 ] If the EC GPE status is not set after checking all of the other GPEs, acpi_s2idle_wake() returns 'false', to indicate that the SCI event that has just triggered is not a system wakeup one, but it does that without canceling the pending wakeup and re-arming the SCI for system wakeup which is a mistake, because it may cause s2idle_loop() to busy spin until the next valid wakeup event. [If that happens, the first spurious wakeup is still pending after acpi_s2idle_wake() has returned, so s2idle_enter() does nothing, acpi_s2idle_wake() is called again and it sees that the SCI has triggered, but no GPEs are active, so 'false' is returned again, and so on.] Fix that by moving all of the GPE checking logic from acpi_s2idle_wake() to acpi_ec_dispatch_gpe() and making the latter return 'true' only if a non-EC GPE has triggered and 'false' otherwise, which will cause acpi_s2idle_wake() to cancel the pending SCI wakeup and re-arm the SCI for system wakeup regardless of the EC GPE status. This also addresses a lockup observed on an Elitegroup EF20EA laptop after attempting to wake it up from suspend-to-idle by a key press. Fixes: d5406284ff80 ("ACPI: PM: s2idle: Refine active GPEs check") Link: https://bugzilla.kernel.org/show_bug.cgi?id=207603 Reported-by: Todd Brandt Fixes: fdde0ff8590b ("ACPI: PM: s2idle: Prevent spurious SCIs from waking up the system") Link: https://lore.kernel.org/linux-acpi/CAB4CAwdqo7=MvyG_PE+PGVfeA17AHF5i5JucgaKqqMX6mjArbQ@mail.gmail.com/ Reported-by: Chris Chiu Tested-by: Chris Chiu Cc: 5.4+ # 5.4+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e3986575351ec708907f2c1517767d68ca9365a9 Author: Mike Marciniszyn Date: Mon May 4 09:09:17 2020 -0400 IB/hfi1: Fix another case where pq is left on waitlist [ Upstream commit fa8dac3968635dec8518a13ac78d662f2aa88e4d ] The commit noted below fixed a case where a pq is left on the sdma wait list. It however missed another case. user_sdma_send_pkts() has two calls from hfi1_user_sdma_process_request(). If the first one fails as indicated by -EBUSY, the pq will be placed on the waitlist as by design. If the second call then succeeds, the pq is still on the waitlist setting up a race with the interrupt handler if a subsequent request uses a different SDMA engine Fix by deleting the first call. The use of pcount and the intent to send a short burst of packets followed by the larger balance of packets was never correctly implemented, because the two calls always send pcount packets no matter what. A subsequent patch will correct that issue. Fixes: 9a293d1e21a6 ("IB/hfi1: Ensure pq is not left on waitlist") Link: https://lore.kernel.org/r/20200504130917.175613.43231.stgit@awfm-01.aw.intel.com Cc: Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7bcc9a1846f335edcdf84d3a29671638d4622690 Author: Ben Chuang Date: Mon Apr 27 18:30:48 2020 +0800 mmc: sdhci-pci-gli: Fix no irq handler from suspend [ Upstream commit 282ede76e47048eebc8ce5324b412890f0ec0a69 ] The kernel prints a message similar to "[ 28.881959] do_IRQ: 5.36 No irq handler for vector" when GL975x resumes from suspend. Implement a resume callback to fix this. Fixes: 31e43f31890c ("mmc: sdhci-pci-gli: Enable MSI interrupt for GL975x") Co-developed-by: Renius Chen Signed-off-by: Renius Chen Tested-by: Dave Flogeras Signed-off-by: Ben Chuang Tested-by: Vineeth Pillai Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20200427103048.20785-1-benchuanggli@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Samuel Zou [Samuel Zou: Make sdhci_pci_gli_resume() static] Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 0525fe0d148ab63deb296d37f3be34a77053a8a8 Author: Andreas Gruenbacher Date: Mon Apr 20 19:42:04 2020 +0200 gfs2: Another gfs2_walk_metadata fix [ Upstream commit 566a2ab3c9005f62e784bd39022d58d34ef4365c ] Make sure we don't walk past the end of the metadata in gfs2_walk_metadata: the inode holds fewer pointers than indirect blocks. Slightly clean up gfs2_iomap_get. Fixes: a27a0c9b6a20 ("gfs2: gfs2_walk_metadata fix") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 81b5ed02ddc7b5794e3cba7d91334cbc9591758d Author: Kai-Heng Feng Date: Sun May 3 23:24:47 2020 +0800 ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse [ Upstream commit 52e4e36807aeac1cdd07b14e509c8a64101e1a09 ] Commit 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0") makes the ALC225 have pop noise on S3 resume and cold boot. The previous fix enable power save node universally for ALC225, however it makes some ALC225 systems unable to produce any sound. So let's only enable power save node for the affected Dell Wyse platform. Fixes: 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0") BugLink: https://bugs.launchpad.net/bugs/1866357 Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200503152449.22761-2-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit f24b697a728e34b858a444385aed93b6ef5fe744 Author: Vasily Averin Date: Wed May 13 17:50:48 2020 -0700 ipc/util.c: sysvipc_find_ipc() incorrectly updates position index [ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") is causing this bug (seen on 5.6.8): # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages # ipcmk -Q Message queue id: 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 # ipcmk -Q Message queue id: 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcrm -q 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 2 # ipcrm -q 2 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 3 # ipcrm -q 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 Whenever an IPC item with a low id is deleted, the items with higher ids are duplicated, as if filling a hole. new_pos should jump through hole of unused ids, pos can be updated inside "for" cycle. Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") Reported-by: Andreas Schwab Reported-by: Randy Dunlap Signed-off-by: Vasily Averin Signed-off-by: Andrew Morton Acked-by: Waiman Long Cc: NeilBrown Cc: Steven Rostedt Cc: Ingo Molnar Cc: Peter Oberparleiter Cc: Davidlohr Bueso Cc: Manfred Spraul Cc: Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6982667819cae713e3bf5d2ca8f82c948b0051a2 Author: Pavel Begunkov Date: Fri May 1 17:09:37 2020 +0300 io_uring: check non-sync defer_list carefully [ Upstream commit 4ee3631451c9a62e6b6bc7ee51fb9a5b34e33509 ] io_req_defer() do double-checked locking. Use proper helpers for that, i.e. list_empty_careful(). Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c5e2b6fa86ea59d30391ebc82a1181e013b3c4a2 Author: Xiaoguang Wang Date: Fri May 1 08:52:56 2020 +0800 io_uring: use cond_resched() in io_ring_ctx_wait_and_kill() [ Upstream commit 3fd44c86711f71156b586c22b0495c58f69358bb ] While working on to make io_uring sqpoll mode support syscalls that need struct files_struct, I got cpu soft lockup in io_ring_ctx_wait_and_kill(), while (ctx->sqo_thread && !wq_has_sleeper(&ctx->sqo_wait)) cpu_relax(); above loop never has an chance to exit, it's because preempt isn't enabled in the kernel, and the context calling io_ring_ctx_wait_and_kill() and io_sq_thread() run in the same cpu, if io_sq_thread calls a cond_resched() yield cpu and another context enters above loop, then io_sq_thread() will always in runqueue and never exit. Use cond_resched() can fix this issue. Reported-by: syzbot+66243bb7126c410cefe6@syzkaller.appspotmail.com Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0c32f62729c871455489f828c3b4275de80c6eb5 Author: Ritesh Harjani Date: Thu Apr 30 07:57:46 2020 -0700 fibmap: Warn and return an error in case of block > INT_MAX [ Upstream commit b75dfde1212991b24b220c3995101c60a7b8ae74 ] We better warn the fibmap user and not return a truncated and therefore an incorrect block map address if the bmap() returned block address is greater than INT_MAX (since user supplied integer pointer). It's better to pr_warn() all user of ioctl_fibmap() and return a proper error code rather than silently letting a FS corruption happen if the user tries to fiddle around with the returned block map address. We fix this by returning an error code of -ERANGE and returning 0 as the block mapping address in case if it is > INT_MAX. Now iomap_bmap() could be called from either of these two paths. Either when a user is calling an ioctl_fibmap() interface to get the block mapping address or by some filesystem via use of bmap() internal kernel API. bmap() kernel API is well equipped with handling of u64 addresses. WARN condition in iomap_bmap_actor() was mainly added to warn all the fibmap users. But now that we have directly added this warning for all fibmap users and also made sure to return 0 as block map address in case if addr > INT_MAX. So we can now remove this logic from iomap_bmap_actor(). Signed-off-by: Ritesh Harjani Reviewed-by: Christoph Hellwig Reviewed-by: Jan Kara Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 0fe92563fb658fb7573ac632a3385cf251c15fe4 Author: Vasily Averin Date: Wed Apr 29 12:34:36 2020 +0300 drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() [ Upstream commit 5b5703dbafae74adfbe298a56a81694172caf5e6 ] v2: removed TODO reminder Signed-off-by: Vasily Averin Link: http://patchwork.freedesktop.org/patch/msgid/a4e0ae09-a73c-1c62-04ef-3f990d41bea9@virtuozzo.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 33db420075ce863a3b7b6375cbde16924c680e9a Author: Sung Lee Date: Wed Apr 22 18:07:57 2020 -0400 drm/amd/display: Update downspread percent to match spreadsheet for DCN2.1 [ Upstream commit 668a6741f809f2d15d125cfe2b39661e8f1655ea ] [WHY] The downspread percentage was copied over from a previous version of the display_mode_lib spreadsheet. This value has been updated, and the previous value is too high to allow for such modes as 4K120hz. The new value is sufficient for such modes. [HOW] Update the value in dcn21_resource to match the spreadsheet. Signed-off-by: Sung Lee Reviewed-by: Yongqiang Sun Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0e1eba44aa9548ddfc6e8d8557bc48dec768ddf5 Author: Nicholas Kazlauskas Date: Wed Apr 22 18:07:56 2020 -0400 drm/amd/display: Defer cursor update around VUPDATE for all ASIC [ Upstream commit fdfd2a858590d318cfee483bd1c73e00f77533af ] [Why] Fixes the following scenario: - Flip has been prepared sometime during the frame, update pending - Cursor update happens right when VUPDATE would happen - OPTC lock acquired, VUPDATE is blocked until next frame - Flip is delayed potentially infinitely With the igt@kms_cursor_legacy cursor-vs-flip-legacy test we can observe nearly *13* frames of delay for some flips on Navi. [How] Apply the Raven workaround generically. When close enough to VUPDATE block cursor updates from occurring from the dc_stream_set_cursor_* helpers. This could perhaps be a little smarter by checking if there were pending updates or flips earlier in the frame on the HUBP side before applying the delay, but this should be fine for now. This fixes the kms_cursor_legacy test. Signed-off-by: Nicholas Kazlauskas Reviewed-by: Aric Cyr Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a4644592867243b5045ccb64c868f4fca98ff294 Author: Dmytro Laktyushkin Date: Wed Apr 22 18:07:52 2020 -0400 drm/amd/display: check if REFCLK_CNTL register is present [ Upstream commit 3159d41db3a04330c31ece32f8b29752fc114848 ] Check before programming the register since it isn't present on all IPs using this code. Signed-off-by: Dmytro Laktyushkin Reviewed-by: Eric Bernstein Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a3a419bc086714d77af34f08eaa3de679fa34fb4 Author: Tiecheng Zhou Date: Sun Apr 26 19:03:17 2020 +0800 drm/amd/powerplay: avoid using pm_en before it is initialized revised [ Upstream commit 690ae30be163d5262feae01335b2a6f30569e5aa ] hwmgr->pm_en is initialized at hwmgr_hw_init. during amdgpu_device_init, there is amdgpu_asic_reset that calls to soc15_asic_reset (for V320 usecase, Vega10 asic), in which: 1) soc15_asic_reset_method calls to pp_get_asic_baco_capability (pm_en) 2) soc15_asic_baco_reset calls to pp_set_asic_baco_state (pm_en) pm_en is used in the above two cases while it has not yet been initialized So avoid using pm_en in the above two functions for V320 passthrough. Reviewed-by: Evan Quan Signed-off-by: Tiecheng Zhou Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 191ec5e94776208717d7cf2480d00a6ace444357 Author: Kai Vehmanen Date: Tue Apr 28 15:38:36 2020 +0300 ALSA: hda/hdmi: fix race in monitor detection during probe [ Upstream commit ca76282b6faffc83601c25bd2a95f635c03503ef ] A race exists between build_pcms() and build_controls() phases of codec setup. Build_pcms() sets up notifier for jack events. If a monitor event is received before build_controls() is run, the initial jack state is lost and never reported via mixer controls. The problem can be hit at least with SOF as the controller driver. SOF calls snd_hda_codec_build_controls() in its workqueue-based probe and this can be delayed enough to hit the race condition. Fix the issue by invalidating the per-pin ELD information when build_controls() is called. The existing call to hdmi_present_sense() will update the ELD contents. This ensures initial monitor state is correctly reflected via mixer controls. BugLink: https://github.com/thesofproject/linux/issues/1687 Signed-off-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200428123836.24512-1-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e7aad813bd1ac064069f887c16570f3433124932 Author: Chris Wilson Date: Fri Apr 10 20:26:29 2020 +0100 cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once [ Upstream commit 8c539776ac83c0857395e1ccc9c6b516521a2d32 ] Make a note of the first time we discover the turbo mode has been disabled by the BIOS, as otherwise we complain every time we try to update the mode. Signed-off-by: Chris Wilson Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 317f2af0a70f6873c28ab2b1545faa3bd6d06f9e Author: Xiao Yang Date: Tue Apr 7 14:34:19 2020 +0800 selftests/ftrace: Check the first record for kprobe_args_type.tc [ Upstream commit f0c0d0cf590f71b2213b29a7ded2cde3d0a1a0ba ] It is possible to get multiple records from trace during test and then more than 4 arguments are assigned to ARGS. This situation results in the failure of kprobe_args_type.tc. For example: ----------------------------------------------------------- grep testprobe trace ftracetest-5902 [001] d... 111195.682227: testprobe: (_do_fork+0x0/0x460) arg1=334823024 arg2=334823024 arg3=0x13f4fe70 arg4=7 pmlogger-5949 [000] d... 111195.709898: testprobe: (_do_fork+0x0/0x460) arg1=345308784 arg2=345308784 arg3=0x1494fe70 arg4=7 grep testprobe trace sed -e 's/.* arg1=\(.*\) arg2=\(.*\) arg3=\(.*\) arg4=\(.*\)/\1 \2 \3 \4/' ARGS='334823024 334823024 0x13f4fe70 7 345308784 345308784 0x1494fe70 7' ----------------------------------------------------------- We don't care which process calls do_fork so just check the first record to fix the issue. Signed-off-by: Xiao Yang Acked-by: Masami Hiramatsu Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 91e07d58b384e228e730e89c074333bd12aa8d54 Author: Xiaodong Yan Date: Thu Apr 9 17:37:40 2020 +0800 drm/amd/display: blank dp stream before re-train the link [ Upstream commit 718a5569b6fa6e1f49f1ae76a3c18acb4ddb74f1 ] [Why] When link loss happened, monitor can not light up if only re-train the link. [How] Blank all the DP streams on this link before re-train the link, and then unblank the stream Signed-off-by: Xiaodong Yan Reviewed-by: Tony Cheng Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 11fc1816ccd2c8503736f9ec82641df1f0ef3fd1 Author: Lubomir Rintel Date: Sun Apr 19 18:49:09 2020 +0200 dmaengine: mmp_tdma: Reset channel error on release [ Upstream commit 0c89446379218698189a47871336cb30286a7197 ] When a channel configuration fails, the status of the channel is set to DEV_ERROR so that an attempt to submit it fails. However, this status sticks until the heat end of the universe, making it impossible to recover from the error. Let's reset it when the channel is released so that further use of the channel with correct configuration is not impacted. Signed-off-by: Lubomir Rintel Link: https://lore.kernel.org/r/20200419164912.670973-5-lkundrak@v3.sk Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 428177a035fb6d6ce8a0797ee5bf404d8e067be2 Author: Lubomir Rintel Date: Sun Apr 19 18:49:06 2020 +0200 dmaengine: mmp_tdma: Do not ignore slave config validation errors [ Upstream commit 363c32701c7fdc8265a84b21a6a4f45d1202b9ca ] With an invalid dma_slave_config set previously, mmp_tdma_prep_dma_cyclic() would detect an error whilst configuring the channel, but proceed happily on: [ 120.756530] mmp-tdma d42a0800.adma: mmp_tdma: unknown burst size. Signed-off-by: Lubomir Rintel Link: https://lore.kernel.org/r/20200419164912.670973-2-lkundrak@v3.sk Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 18f8e10d07f75525679460fa97c97b6e5b78386c Author: Madhuparna Bhowmik Date: Thu Apr 16 11:53:35 2020 +0530 dmaengine: pch_dma.c: Avoid data race between probe and irq handler [ Upstream commit 2e45676a4d33af47259fa186ea039122ce263ba9 ] pd->dma.dev is read in irq handler pd_irq(). However, it is set to pdev->dev after request_irq(). Therefore, set pd->dma.dev to pdev->dev before request_irq() to avoid data race between pch_dma_probe() and pd_irq(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Madhuparna Bhowmik Link: https://lore.kernel.org/r/20200416062335.29223-1-madhuparnabhowmik10@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6ab8dcf83e8f39d88a415488e8f50f9d6ed51c6e Author: Ilie Halip Date: Wed Apr 15 17:29:58 2020 +0300 riscv: fix vdso build with lld [ Upstream commit 3c1918c8f54166598195d938564072664a8275b1 ] When building with the LLVM linker this error occurrs: LD arch/riscv/kernel/vdso/vdso-syms.o ld.lld: error: no input files This happens because the lld treats -R as an alias to -rpath, as opposed to ld where -R means --just-symbols. Use the long option name for compatibility between the two. Link: https://github.com/ClangBuiltLinux/linux/issues/805 Reported-by: Dmitry Golovin Reviewed-by: Nick Desaulniers Signed-off-by: Ilie Halip Reviewed-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 856c9beb034798e007f7516100e113bb457b6d3f Author: Sebastian von Ohr Date: Tue Mar 3 14:05:18 2020 +0100 dmaengine: xilinx_dma: Add missing check for empty list [ Upstream commit b269426011bcfd97b7c3101abfe1a99147b6f40b ] The DMA transfer might finish just after checking the state with dma_cookie_status, but before the lock is acquired. Not checking for an empty list in xilinx_dma_tx_status may result in reading random data or data corruption when desc is written to. This can be reliably triggered by using dma_sync_wait to wait for DMA completion. Signed-off-by: Sebastian von Ohr Tested-by: Radhey Shyam Pandey Link: https://lore.kernel.org/r/20200303130518.333-1-vonohr@smaract.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 977a37ae3971c8497e35132f71783daf940dedb0 Author: Florian Fainelli Date: Wed May 13 08:51:51 2020 -0700 net: broadcom: Select BROADCOM_PHY for BCMGENET [ Upstream commit 99addbe31f5524494f4d7077bcb3f6fa64c5d160 ] The GENET controller on the Raspberry Pi 4 (2711) is typically interfaced with an external Broadcom PHY via a RGMII electrical interface. To make sure that delays are properly configured at the PHY side, ensure that we the dedicated Broadcom PHY driver (CONFIG_BROADCOM_PHY) is enabled for this to happen. Fixes: 402482a6a78e ("net: bcmgenet: Clear ID_MODE_DIS in EXT_RGMII_OOB_CTRL when not needed") Reported-by: Marek Szyprowski Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4a565037f2903ad2d3eca7711f8a2b003356b0d8 Author: Vincent Minet Date: Fri May 8 00:14:22 2020 +0200 umh: fix memory leak on execve failure [ Upstream commit db803036ada7d61d096783726f9771b3fc540370 ] If a UMH process created by fork_usermode_blob() fails to execute, a pair of struct file allocated by umh_pipe_setup() will leak. Under normal conditions, the caller (like bpfilter) needs to manage the lifetime of the UMH and its two pipes. But when fork_usermode_blob() fails, the caller doesn't really have a way to know what needs to be done. It seems better to do the cleanup ourselves in this case. Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper") Signed-off-by: Vincent Minet Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 17f291f373d9c78a04e3dc43f3dce92f5aad9f67 Author: Heiner Kallweit Date: Fri May 8 08:24:14 2020 +0200 r8169: re-establish support for RTL8401 chip version [ Upstream commit 1f8492df081bd66255764f3ce82ba1b2c37def49 ] r8169 never had native support for the RTL8401, however it reportedly worked with the fallback to RTL8101e [0]. Therefore let's add this as an explicit assignment. [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956868 Fixes: b4cc2dcc9c7c ("r8169: remove default chip versions") Reported-by: Camaleón Signed-off-by: Heiner Kallweit Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f4d1b1a1d85ebbb8c9bbf8baf60ff55acb33b177 Author: Wei Yongjun Date: Fri May 8 07:27:35 2020 +0000 nfp: abm: fix error return code in nfp_abm_vnic_alloc() [ Upstream commit 5099dea0a59f1c89525bb0ceac36689178a4c125 ] Fix to return negative error code -ENOMEM from the kzalloc() error handling case instead of 0, as done elsewhere in this function. Fixes: 174ab544e3bc ("nfp: abm: add cls_u32 offload for simple band classification") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 94e05d0837e4dae9a2ef5a2d8fba7c307ee017a3 Author: Kelly Littlepage Date: Fri May 8 19:58:46 2020 +0000 net: tcp: fix rx timestamp behavior for tcp_recvmsg [ Upstream commit cc4de047b33be247f9c8150d3e496743a49642b8 ] The stated intent of the original commit is to is to "return the timestamp corresponding to the highest sequence number data returned." The current implementation returns the timestamp for the last byte of the last fully read skb, which is not necessarily the last byte in the recv buffer. This patch converts behavior to the original definition, and to the behavior of the previous draft versions of commit 98aaa913b4ed ("tcp: Extend SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") which also match this behavior. Fixes: 98aaa913b4ed ("tcp: Extend SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") Co-developed-by: Iris Liu Signed-off-by: Iris Liu Signed-off-by: Kelly Littlepage Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e2d928d5ee43f372618a9f98b0c73674717f2a2c Author: Zefan Li Date: Sat May 9 11:32:10 2020 +0800 netprio_cgroup: Fix unlimited memory leak of v2 cgroups [ Upstream commit 090e28b229af92dc5b40786ca673999d59e73056 ] If systemd is configured to use hybrid mode which enables the use of both cgroup v1 and v2, systemd will create new cgroup on both the default root (v2) and netprio_cgroup hierarchy (v1) for a new session and attach task to the two cgroups. If the task does some network thing then the v2 cgroup can never be freed after the session exited. One of our machines ran into OOM due to this memory leak. In the scenario described above when sk_alloc() is called cgroup_sk_alloc() thought it's in v2 mode, so it stores the cgroup pointer in sk->sk_cgrp_data and increments the cgroup refcnt, but then sock_update_netprioidx() thought it's in v1 mode, so it stores netprioidx value in sk->sk_cgrp_data, so the cgroup refcnt will never be freed. Currently we do the mode switch when someone writes to the ifpriomap cgroup control file. The easiest fix is to also do the switch when a task is attached to a new cgroup. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Reported-by: Yang Yingliang Tested-by: Yang Yingliang Signed-off-by: Zefan Li Acked-by: Tejun Heo Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c8dd69b74d2f34e552d6c5ebcfa84356b9293dba Author: Paolo Abeni Date: Fri May 8 19:28:34 2020 +0200 net: ipv4: really enforce backoff for redirects [ Upstream commit 57644431a6c2faac5d754ebd35780cf43a531b1a ] In commit b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage") I missed the fact that a 0 'rate_tokens' will bypass the backoff algorithm. Since rate_tokens is cleared after a redirect silence, and never incremented on redirects, if the host keeps receiving packets requiring redirect it will reply ignoring the backoff. Additionally, the 'rate_last' field will be updated with the cadence of the ingress packet requiring redirect. If that rate is high enough, that will prevent the host from generating any other kind of ICMP messages The check for a zero 'rate_tokens' value was likely a shortcut to avoid the more complex backoff algorithm after a redirect silence period. Address the issue checking for 'n_redirects' instead, which is incremented on successful redirect, and does not interfere with other ICMP replies. Fixes: b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage") Reported-and-tested-by: Colin Walters Signed-off-by: Paolo Abeni Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit a4140fec893c711dbf7329e8286690594d8e632a Author: Florian Fainelli Date: Sat May 9 16:45:44 2020 -0700 net: dsa: loop: Add module soft dependency [ Upstream commit 3047211ca11bf77b3ecbce045c0aa544d934b945 ] There is a soft dependency against dsa_loop_bdinfo.ko which sets up the MDIO device registration, since there are no symbols referenced by dsa_loop.ko, there is no automatic loading of dsa_loop_bdinfo.ko which is needed. Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver") Signed-off-by: Florian Fainelli Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ac59b7f6d6c5465134950862838ad2bb1adfaee4 Author: Luo bin Date: Sun May 10 19:01:08 2020 +0000 hinic: fix a bug of ndo_stop [ Upstream commit e8a1b0efd632d1c9db7d4e93da66377c7b524862 ] if some function in ndo_stop interface returns failure because of hardware fault, must go on excuting rest steps rather than return failure directly, otherwise will cause memory leak.And bump the timeout for SET_FUNC_STATE to ensure that cmd won't return failure when hw is busy. Otherwise hw may stomp host memory if we free memory regardless of the return value of SET_FUNC_STATE. Fixes: 51ba902a16e6 ("net-next/hinic: Initialize hw interface") Signed-off-by: Luo bin Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit bd6600061fb80b5cbcb88d8c311fd67f9bb68962 Author: Dan Carpenter Date: Fri May 8 17:37:20 2020 +0300 dpaa2-eth: prevent array underflow in update_cls_rule() [ Upstream commit 6d32a5119811d2e9b5caa284181944c6f1f192ed ] The "location" is controlled by the user via the ethtool_set_rxnfc() function. This update_cls_rule() function checks for array overflows but it doesn't check if the value is negative. I have changed the type to unsigned to prevent array underflows. Fixes: afb90dbb5f78 ("dpaa2-eth: Add ethtool support for flow classification") Signed-off-by: Dan Carpenter Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 10c27bd08fd4afa43be980fb58e69a279679b6a2 Author: Michael S. Tsirkin Date: Thu May 7 03:25:56 2020 -0400 virtio_net: fix lockdep warning on 32 bit [ Upstream commit 01c3259818a11f3cc3cd767adbae6b45849c03c1 ] When we fill up a receive VQ, try_fill_recv currently tries to count kicks using a 64 bit stats counter. Turns out, on a 32 bit kernel that uses a seqcount. sequence counts are "lock" constructs where you need to make sure that writers are serialized. In turn, this means that we mustn't run two try_fill_recv concurrently. Which of course we don't. We do run try_fill_recv sometimes from a softirq napi context, and sometimes from a fully preemptible context, but the later always runs with napi disabled. However, when it comes to the seqcount, lockdep is trying to enforce the rule that the same lock isn't accessed from preemptible and softirq context - it doesn't know about napi being enabled/disabled. This causes a false-positive warning: WARNING: inconsistent lock state ... inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. As a work around, shut down the warning by switching to u64_stats_update_begin_irqsave - that works by disabling interrupts on 32 bit only, is a NOP on 64 bit. Reported-by: Thomas Gleixner Suggested-by: Eric Dumazet Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2cb084056baa097693a6e59f69f67d0428d5d7fc Author: Eric Dumazet Date: Tue May 12 06:54:30 2020 -0700 tcp: fix SO_RCVLOWAT hangs with fat skbs [ Upstream commit 24adbc1676af4e134e709ddc7f34cf2adc2131e4 ] We autotune rcvbuf whenever SO_RCVLOWAT is set to account for 100% overhead in tcp_set_rcvlowat() This works well when skb->len/skb->truesize ratio is bigger than 0.5 But if we receive packets with small MSS, we can end up in a situation where not enough bytes are available in the receive queue to satisfy RCVLOWAT setting. As our sk_rcvbuf limit is hit, we send zero windows in ACK packets, preventing remote peer from sending more data. Even autotuning does not help, because it only triggers at the time user process drains the queue. If no EPOLLIN is generated, this can not happen. Note poll() has a similar issue, after commit c7004482e8dc ("tcp: Respect SO_RCVLOWAT in tcp_poll().") Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 19b4e28334bf17b73b8fbd42fc4e4d70d92fad17 Author: Eric Dumazet Date: Thu May 14 13:58:13 2020 -0700 tcp: fix error recovery in tcp_zerocopy_receive() [ Upstream commit e776af608f692a7a647455106295fa34469e7475 ] If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE operation we want to return -EINVAL error. But depending on zc->recv_skip_hint content, we might return -EIO error if the socket has SOCK_DONE set. Make sure to return -EINVAL in this case. BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131 __sys_getsockopt+0x533/0x7b0 net/socket.c:2177 __do_sys_getsockopt net/socket.c:2192 [inline] __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189 __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45c829 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829 RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009 RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000 R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4 Local variable ----zc@do_tcp_getsockopt created at: do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive") Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f99c74486dcc20f66888613110cf0fd24bc17382 Author: Maciej Żenczykowski Date: Tue May 5 11:57:23 2020 -0700 Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" [ Upstream commit 09454fd0a4ce23cb3d8af65066c91a1bf27120dd ] This reverts commit 19bda36c4299ce3d7e5bce10bebe01764a655a6d: | ipv6: add mtu lock check in __ip6_rt_update_pmtu | | Prior to this patch, ipv6 didn't do mtu lock check in ip6_update_pmtu. | It leaded to that mtu lock doesn't really work when receiving the pkt | of ICMPV6_PKT_TOOBIG. | | This patch is to add mtu lock check in __ip6_rt_update_pmtu just as ipv4 | did in __ip_rt_update_pmtu. The above reasoning is incorrect. IPv6 *requires* icmp based pmtu to work. There's already a comment to this effect elsewhere in the kernel: $ git grep -p -B1 -A3 'RTAX_MTU lock' net/ipv6/route.c=4813= static int rt6_mtu_change_route(struct fib6_info *f6i, void *p_arg) ... /* In IPv6 pmtu discovery is not optional, so that RTAX_MTU lock cannot disable it. We still use this lock to block changes caused by addrconf/ndisc. */ This reverts to the pre-4.9 behaviour. Cc: Eric Dumazet Cc: Willem de Bruijn Cc: Xin Long Cc: Hannes Frederic Sowa Signed-off-by: Maciej Żenczykowski Fixes: 19bda36c4299 ("ipv6: add mtu lock check in __ip6_rt_update_pmtu") Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d315cf6cf0d2e4ddea61257acead37f7fddead95 Author: Guillaume Nault Date: Thu May 14 12:15:39 2020 +0200 pppoe: only process PADT targeted at local interfaces [ Upstream commit b8c158395119be62294da73646a3953c29ac974b ] We don't want to disconnect a session because of a stray PADT arriving while the interface is in promiscuous mode. Furthermore, multicast and broadcast packets make no sense here, so only PACKET_HOST is accepted. Reported-by: David Balažic Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c6d80f31e43a949c4053dbe247b53ecb73681369 Author: Vinod Koul Date: Thu May 14 11:58:36 2020 +0530 net: stmmac: fix num_por initialization [ Upstream commit fd4a5177382230d39e0d95632d98103fb2938383 ] Driver missed initializing num_por which is one of the por values that driver configures to hardware. In order to get these values, add a new structure ethqos_emac_driver_data which holds por and num_por values and populate that in driver probe. Fixes: a7c30e62d4b8 ("net: stmmac: Add driver for Qualcomm ethqos") Reported-by: Rahul Ankushrao Kawadgave Signed-off-by: Vinod Koul Reviewed-by: Amit Kucheria Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 077e50d95d3cec2bfb86d6ca8f58b56da4d88445 Author: Heiner Kallweit Date: Tue May 12 21:45:53 2020 +0200 net: phy: fix aneg restart in phy_ethtool_set_eee [ Upstream commit 9de5d235b60a7cdfcdd5461e70c5663e713fde87 ] phy_restart_aneg() enables aneg in the PHY. That's not what we want if phydev->autoneg is disabled. In this case still update EEE advertisement register, but don't enable aneg and don't trigger an aneg restart. Fixes: f75abeb8338e ("net: phy: restart phy autonegotiation after EEE advertisment change") Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e6379c382a97246df6653cf4bc58c16d5ec03f5a Author: Paolo Abeni Date: Tue May 12 14:43:14 2020 +0200 netlabel: cope with NULL catmap [ Upstream commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 ] The cipso and calipso code can set the MLS_CAT attribute on successful parsing, even if the corresponding catmap has not been allocated, as per current configuration and external input. Later, selinux code tries to access the catmap if the MLS_CAT flag is present via netlbl_catmap_getlong(). That may cause null ptr dereference while processing incoming network traffic. Address the issue setting the MLS_CAT flag only if the catmap is really allocated. Additionally let netlbl_catmap_getlong() cope with NULL catmap. Reported-by: Matthew Sheets Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions") Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") Signed-off-by: Paolo Abeni Acked-by: Paul Moore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b5178eed232e534f831a4545f2af56085fcc8f95 Author: Cong Wang Date: Thu May 7 12:19:03 2020 -0700 net: fix a potential recursive NETDEV_FEAT_CHANGE [ Upstream commit dd912306ff008891c82cd9f63e8181e47a9cb2fb ] syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event between bonding master and slave. I managed to find a reproducer for this: ip li set bond0 up ifenslave bond0 eth0 brctl addbr br0 ethtool -K eth0 lro off brctl addif br0 bond0 ip li set br0 up When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave, it captures this and calls bond_compute_features() to fixup its master's and other slaves' features. However, when syncing with its lower devices by netdev_sync_lower_features() this event is triggered again on slaves when the LRO feature fails to change, so it goes back and forth recursively until the kernel stack is exhausted. Commit 17b85d29e82c intentionally lets __netdev_update_features() return -1 for such a failure case, so we have to just rely on the existing check inside netdev_sync_lower_features() and skip NETDEV_FEAT_CHANGE event only for this specific failure case. Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com Cc: Jarod Wilson Cc: Nikolay Aleksandrov Cc: Josh Poimboeuf Cc: Jann Horn Reviewed-by: Jay Vosburgh Signed-off-by: Cong Wang Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit be1a859d7980f92a8f28d4c8e0f71658dd931b90 Author: Paolo Abeni Date: Thu May 7 18:53:24 2020 +0200 mptcp: set correct vfs info for subflows [ Upstream commit 7d14b0d2b9b317cfc14161143e2006b95a5da9b1 ] When a subflow is created via mptcp_subflow_create_socket(), a new 'struct socket' is allocated, with a new i_ino value. When inspecting TCP sockets via the procfs and or the diag interface, the above ones are not related to the process owning the MPTCP master socket, even if they are a logical part of it ('ss -p' shows an empty process field) Additionally, subflows created by the path manager get the uid/gid from the running workqueue. Subflows are part of the owning MPTCP master socket, let's adjust the vfs info to reflect this. After this patch, 'ss' correctly displays subflows as belonging to the msk socket creator. Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5111e09ab67e7f6da0f57921ab76462f5db34b38 Author: Ioana Ciornei Date: Fri May 15 15:30:22 2020 +0300 dpaa2-eth: properly handle buffer size restrictions [ Upstream commit efa6a7d07523ffbbf6503c1a7eeb52201c15c0e3 ] Depending on the WRIOP version, the buffer size on the RX path must by a multiple of 64 or 256. Handle this restriction properly by aligning down the buffer size to the necessary value. Also, use the new buffer size dynamically computed instead of the compile time one. Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer") Signed-off-by: Ioana Ciornei Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5642e82c6f6078e270d72bcc51a95b5bdc3b6656 Author: Raul E Rangel Date: Fri May 8 16:54:21 2020 -0600 mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040 [ Upstream commit 45a3fe3bf93b7cfeddc28ef7386555e05dc57f06 ] The AMD eMMC 5.0 controller does not support 64 bit DMA. Fixes: 34597a3f60b1 ("mmc: sdhci-acpi: Add support for ACPI HID of AMD Controller with HS400") Signed-off-by: Raul E Rangel Link: https://marc.info/?l=linux-mmc&m=158879884514552&w=2 Reviewed-by: Andy Shevchenko Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20200508165344.1.Id5bb8b1ae7ea576f26f9d91c761df7ccffbf58c5@changeid Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 1371e6e38e102a5c48631e0266e816e19a99aed2 Author: Vladimir Oltean Date: Mon May 4 01:20:27 2020 +0300 net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms [ Upstream commit c0d7eccbc76115b7eb337956c03d47d6a889cf8c ] One may notice that automatically-learnt entries 'never' expire, even though the bridge configures the address age period at 300 seconds. Actually the value written to hardware corresponds to a time interval 1000 times higher than intended, i.e. 83 hours. Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Faineli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d163824e771e5f39732ec31c7026b79402450b77 Author: Vladimir Oltean Date: Mon May 4 01:20:26 2020 +0300 net: dsa: ocelot: the MAC table on Felix is twice as large [ Upstream commit 21ce7f3e16fbf89faaf149cfe0f730edfc553914 ] When running 'bridge fdb dump' on Felix, sometimes learnt and static MAC addresses would appear, sometimes they wouldn't. Turns out, the MAC table has 4096 entries on VSC7514 (Ocelot) and 8192 entries on VSC9959 (Felix), so the existing code from the Ocelot common library only dumped half of Felix's MAC table. They are both organized as a 4-way set-associative TCAM, so we just need a single variable indicating the correct number of rows. Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c1a95ee776186667ffffeb3a08935f9a8906d55f Author: Joerg Roedel Date: Mon May 4 14:54:12 2020 +0200 iommu/amd: Update Device Table in increase_address_space() [ Upstream commit 19c6978fba68a2cdedee7d55fb8c3063d47982d9 ] The Device Table needs to be updated before the new page-table root can be published in domain->pt_root. Otherwise a concurrent call to fetch_pte might fetch a PTE which is not reachable through the Device Table Entry. Fixes: 92d420ec028d ("iommu/amd: Relax locking in dma_ops path") Reported-by: Qian Cai Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-5-joro@8bytes.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit b6c3f375b2d16d29eaf523358fa1b9f30492d075 Author: Joerg Roedel Date: Mon May 4 14:54:09 2020 +0200 iommu/amd: Fix race in increase_address_space()/fetch_pte() [ Upstream commit eb791aa70b90c559eeb371d807c8813d569393f0 ] The 'pt_root' and 'mode' struct members of 'struct protection_domain' need to be get/set atomically, otherwise the page-table of the domain can get corrupted. Merge the fields into one atomic64_t struct member which can be get/set atomically. Fixes: 92d420ec028d ("iommu/amd: Relax locking in dma_ops path") Reported-by: Qian Cai Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-2-joro@8bytes.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 5cfbd8c087b31becefcb12262cbda2ac51daa970 Author: Colin Ian King Date: Fri May 1 15:10:16 2020 +0100 net: stmmac: gmac5+: fix potential integer overflow on 32 bit multiply [ Upstream commit 44d95cc6b10ff7439d45839c96c581cb4368c088 ] The multiplication of cfg->ctr[1] by 1000000000 is performed using a 32 bit multiplication (since cfg->ctr[1] is a u32) and this can lead to a potential overflow. Fix this by making the constant a ULL to ensure a 64 bit multiply occurs. Fixes: 504723af0d85 ("net: stmmac: Add basic EST support for GMAC5+") Addresses-Coverity: ("Unintentional integer overflow") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 83864714bd2251cb8965aa7799e828945715358a Author: Cong Wang Date: Thu Apr 30 20:53:49 2020 -0700 net_sched: fix tcm_parent in tc filter dump [ Upstream commit a7df4870d79b00742da6cc93ca2f336a71db77f7 ] When we tell kernel to dump filters from root (ffff:ffff), those filters on ingress (ffff:0000) are matched, but their true parents must be dumped as they are. However, kernel dumps just whatever we tell it, that is either ffff:ffff or ffff:0000: $ nl-cls-list --dev=dummy0 --parent=root cls basic dev dummy0 id none parent root prio 49152 protocol ip match-all cls basic dev dummy0 id :1 parent root prio 49152 protocol ip match-all $ nl-cls-list --dev=dummy0 --parent=ffff: cls basic dev dummy0 id none parent ffff: prio 49152 protocol ip match-all cls basic dev dummy0 id :1 parent ffff: prio 49152 protocol ip match-all This is confusing and misleading, more importantly this is a regression since 4.15, so the old behavior must be restored. And, when tc filters are installed on a tc class, the parent should be the classid, rather than the qdisc handle. Commit edf6711c9840 ("net: sched: remove classid and q fields from tcf_proto") removed the classid we save for filters, we can just restore this classid in tcf_block. Steps to reproduce this: ip li set dev dummy0 up tc qd add dev dummy0 ingress tc filter add dev dummy0 parent ffff: protocol arp basic action pass tc filter show dev dummy0 root Before this patch: filter protocol arp pref 49152 basic filter protocol arp pref 49152 basic handle 0x1 action order 1: gact action pass random type none pass val 0 index 1 ref 1 bind 1 After this patch: filter parent ffff: protocol arp pref 49152 basic filter parent ffff: protocol arp pref 49152 basic handle 0x1 action order 1: gact action pass random type none pass val 0 index 1 ref 1 bind 1 Fixes: a10fa20101ae ("net: sched: propagate q and parent from caller down to tcf_fill_node") Fixes: edf6711c9840 ("net: sched: remove classid and q fields from tcf_proto") Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dbb8f0b6eaa5729b0f3b77f72645e3ca25615dbf Author: Arnd Bergmann Date: Tue Apr 28 23:50:51 2020 +0200 sun6i: dsi: fix gcc-4.8 [ Upstream commit 3a3a71f97c30983f1627c2c550d43566e9b634d2 ] Older compilers warn about initializers with incorrect curly braces: drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c: In function 'sun6i_dsi_encoder_enable': drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c:720:8: error: missing braces around initializer [-Werror=missing-braces] union phy_configure_opts opts = { 0 }; ^ drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c:720:8: error: (near initialization for 'opts.mipi_dphy') [-Werror=missing-braces] Use the GNU empty initializer extension to avoid this. Fixes: bb3b6fcb6849 ("sun6i: dsi: Convert to generic phy handling") Reviewed-by: Paul Kocialkowski Signed-off-by: Arnd Bergmann Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200428215105.3928459-1-arnd@arndb.de Signed-off-by: Sasha Levin commit b8c4c46671d41308296bffb5f2d09cd060794c49 Author: Stefan Hajnoczi Date: Thu Apr 30 15:04:42 2020 +0100 virtio-blk: handle block_device_operations callbacks after hot unplug [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-getgeo Tainted: G OE ------------ 3.10.0-1062.el7.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 task: ffff9be5fbfb8000 ti: ffff9be5fa890000 task.ti: ffff9be5fa890000 RIP: 0010:[] [] virtio_check_driver_offered_feature+0x10/0x90 [virtio] RSP: 0018:ffff9be5fa893dc8 EFLAGS: 00010246 RAX: ffff9be5fc3f3400 RBX: ffff9be5fa893e30 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff9be5fbc10b40 RBP: ffff9be5fa893dc8 R08: 0000000000000301 R09: 0000000000000301 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9be5fdc24680 R13: ffff9be5fbc10b40 R14: ffff9be5fbc10480 R15: 0000000000000000 FS: 00007f1bfb968740(0000) GS:ffff9be5ffc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000090 CR3: 000000003a894000 CR4: 0000000000360ff0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [] virtblk_getgeo+0x47/0x110 [virtio_blk] [] ? handle_mm_fault+0x39d/0x9b0 [] blkdev_ioctl+0x1f5/0xa20 [] block_ioctl+0x41/0x50 [] do_vfs_ioctl+0x3a0/0x5a0 [] SyS_ioctl+0xa1/0xc0 A related problem is that virtblk_remove() leaks the vd_index_ida index when something still holds a reference to vblk->disk during hot unplug. This causes virtio-blk device names to be lost (vda, vdb, etc). Fix these issues by protecting vblk->vdev with a mutex and reference counting vblk so the vd_index_ida index can be removed in all cases. Fixes: 48e4043d4529 ("virtio: add virtio disk geometry feature") Reported-by: Lance Digby Signed-off-by: Stefan Hajnoczi Link: https://lore.kernel.org/r/20200430140442.171016-1-stefanha@redhat.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefano Garzarella Signed-off-by: Sasha Levin commit 58530d99096c34c208e990a9187beb54b71e3a84 Author: Arnd Bergmann Date: Thu Apr 30 23:30:49 2020 +0200 drop_monitor: work around gcc-10 stringop-overflow warning [ Upstream commit dc30b4059f6e2abf3712ab537c8718562b21c45d ] The current gcc-10 snapshot produces a false-positive warning: net/core/drop_monitor.c: In function 'trace_drop_common.constprop': cc1: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=] In file included from net/core/drop_monitor.c:23: include/uapi/linux/net_dropmon.h:36:8: note: at offset 0 to object 'entries' with size 4 declared here 36 | __u32 entries; | ^~~~~~~ I reported this in the gcc bugzilla, but in case it does not get fixed in the release, work around it by using a temporary variable. Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol") Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94881 Signed-off-by: Arnd Bergmann Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a258498a20d436710626db1bf614dfb350139cac Author: Nathan Chancellor Date: Tue Apr 28 10:54:56 2020 -0700 hv_netvsc: Fix netvsc_start_xmit's return type [ Upstream commit 7fdc66debebc6a7170a37c8c9b0d9585a9788fb4 ] netvsc_start_xmit is used as a callback function for the ndo_start_xmit function pointer. ndo_start_xmit's return type is netdev_tx_t but netvsc_start_xmit's return type is int. This causes a failure with Control Flow Integrity (CFI), which requires function pointer prototypes and callback function definitions to match exactly. When CFI is in enforcing, the kernel panics. When booting a CFI kernel with WSL 2, the VM is immediately terminated because of this. The splat when CONFIG_CFI_PERMISSIVE is used: [ 5.916765] CFI failure (target: netvsc_start_xmit+0x0/0x10): [ 5.916771] WARNING: CPU: 8 PID: 0 at kernel/cfi.c:29 __cfi_check_fail+0x2e/0x40 [ 5.916772] Modules linked in: [ 5.916774] CPU: 8 PID: 0 Comm: swapper/8 Not tainted 5.7.0-rc3-next-20200424-microsoft-cbl-00001-ged4eb37d2c69-dirty #1 [ 5.916776] RIP: 0010:__cfi_check_fail+0x2e/0x40 [ 5.916777] Code: 48 c7 c7 70 98 63 a9 48 c7 c6 11 db 47 a9 e8 69 55 59 00 85 c0 75 02 5b c3 48 c7 c7 73 c6 43 a9 48 89 de 31 c0 e8 12 2d f0 ff <0f> 0b 5b c3 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 85 f6 74 25 [ 5.916778] RSP: 0018:ffffa803c0260b78 EFLAGS: 00010246 [ 5.916779] RAX: 712a1af25779e900 RBX: ffffffffa8cf7950 RCX: ffffffffa962cf08 [ 5.916779] RDX: ffffffffa9c36b60 RSI: 0000000000000082 RDI: ffffffffa9c36b5c [ 5.916780] RBP: ffff8ffc4779c2c0 R08: 0000000000000001 R09: ffffffffa9c3c300 [ 5.916781] R10: 0000000000000151 R11: ffffffffa9c36b60 R12: ffff8ffe39084000 [ 5.916782] R13: ffffffffa8cf7950 R14: ffffffffa8d12cb0 R15: ffff8ffe39320140 [ 5.916784] FS: 0000000000000000(0000) GS:ffff8ffe3bc00000(0000) knlGS:0000000000000000 [ 5.916785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.916786] CR2: 00007ffef5749408 CR3: 00000002f4f5e000 CR4: 0000000000340ea0 [ 5.916787] Call Trace: [ 5.916788] [ 5.916790] __cfi_check+0x3ab58/0x450e0 [ 5.916793] ? dev_hard_start_xmit+0x11f/0x160 [ 5.916795] ? sch_direct_xmit+0xf2/0x230 [ 5.916796] ? __dev_queue_xmit.llvm.11471227737707190958+0x69d/0x8e0 [ 5.916797] ? neigh_resolve_output+0xdf/0x220 [ 5.916799] ? neigh_connected_output.cfi_jt+0x8/0x8 [ 5.916801] ? ip6_finish_output2+0x398/0x4c0 [ 5.916803] ? nf_nat_ipv6_out+0x10/0xa0 [ 5.916804] ? nf_hook_slow+0x84/0x100 [ 5.916807] ? ip6_input_finish+0x8/0x8 [ 5.916807] ? ip6_output+0x6f/0x110 [ 5.916808] ? __ip6_local_out.cfi_jt+0x8/0x8 [ 5.916810] ? mld_sendpack+0x28e/0x330 [ 5.916811] ? ip_rt_bug+0x8/0x8 [ 5.916813] ? mld_ifc_timer_expire+0x2db/0x400 [ 5.916814] ? neigh_proxy_process+0x8/0x8 [ 5.916816] ? call_timer_fn+0x3d/0xd0 [ 5.916817] ? __run_timers+0x2a9/0x300 [ 5.916819] ? rcu_core_si+0x8/0x8 [ 5.916820] ? run_timer_softirq+0x14/0x30 [ 5.916821] ? __do_softirq+0x154/0x262 [ 5.916822] ? native_x2apic_icr_write+0x8/0x8 [ 5.916824] ? irq_exit+0xba/0xc0 [ 5.916825] ? hv_stimer0_vector_handler+0x99/0xe0 [ 5.916826] ? hv_stimer0_callback_vector+0xf/0x20 [ 5.916826] [ 5.916828] ? hv_stimer_global_cleanup.cfi_jt+0x8/0x8 [ 5.916829] ? raw_setsockopt+0x8/0x8 [ 5.916830] ? default_idle+0xe/0x10 [ 5.916832] ? do_idle.llvm.10446269078108580492+0xb7/0x130 [ 5.916833] ? raw_setsockopt+0x8/0x8 [ 5.916833] ? cpu_startup_entry+0x15/0x20 [ 5.916835] ? cpu_hotplug_enable.cfi_jt+0x8/0x8 [ 5.916836] ? start_secondary+0x188/0x190 [ 5.916837] ? secondary_startup_64+0xa5/0xb0 [ 5.916838] ---[ end trace f2683fa869597ba5 ]--- Avoid this by using the right return type for netvsc_start_xmit. Fixes: fceaf24a943d8 ("Staging: hv: add the Hyper-V virtual network driver") Link: https://github.com/ClangBuiltLinux/linux/issues/1009 Signed-off-by: Nathan Chancellor Reviewed-by: Haiyang Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0491e3caba4d90dd85c89b57c08e771a1c25fe89 Author: Alan Maguire Date: Wed Feb 19 09:33:29 2020 +0000 ftrace/selftests: workaround cgroup RT scheduling issues [ Upstream commit 57c4cfd4a2eef8f94052bd7c0fce0981f74fb213 ] wakeup_rt.tc and wakeup.tc tests in tracers/ subdirectory fail due to the chrt command returning: chrt: failed to set pid 0's policy: Operation not permitted. To work around this, temporarily disable grout RT scheduling during ftracetest execution. Restore original value on test run completion. With these changes in place, both tests consistently pass. Fixes: c575dea2c1a5 ("selftests/ftrace: Add wakeup_rt tracer testcase") Fixes: c1edd060b413 ("selftests/ftrace: Add wakeup tracer testcase") Signed-off-by: Alan Maguire Acked-by: Steven Rostedt (VMware) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 96a6e7a05d546112749143444a9f0ad1be1b1952 Author: Christophe JAILLET Date: Sun Apr 26 22:59:21 2020 +0200 net: moxa: Fix a potential double 'free_irq()' [ Upstream commit ee8d2267f0e39a1bfd95532da3a6405004114b27 ] Should an irq requested with 'devm_request_irq' be released explicitly, it should be done by 'devm_free_irq()', not 'free_irq()'. Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 10c51cbe0d769ec0ffb00bece173841af0ea8f64 Author: Christophe JAILLET Date: Mon Apr 27 08:18:03 2020 +0200 net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' [ Upstream commit 10e3cc180e64385edc9890c6855acf5ed9ca1339 ] A call to 'dma_alloc_coherent()' is hidden in 'sonic_alloc_descriptors()', called from 'sonic_probe1()'. This is correctly freed in the remove function, but not in the error handling path of the probe function. Fix it and add the missing 'dma_free_coherent()' call. While at it, rename a label in order to be slightly more informative. Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c252fded06782689b77a494148026f38dfa7b00e Author: Chuck Lever Date: Sat Apr 18 14:38:19 2020 -0400 SUNRPC: Fix GSS privacy computation of auth->au_ralign [ Upstream commit a7e429a6fa6d612d1dacde96c885dc1bb4a9f400 ] When the au_ralign field was added to gss_unwrap_resp_priv, the wrong calculation was used. Setting au_rslack == au_ralign is probably correct for kerberos_v1 privacy, but kerberos_v2 privacy adds additional GSS data after the clear text RPC message. au_ralign needs to be smaller than au_rslack in that fairly common case. When xdr_buf_trim() is restored to gss_unwrap_kerberos_v2(), it does exactly what I feared it would: it trims off part of the clear text RPC message. However, that's because rpc_prepare_reply_pages() does not set up the rq_rcv_buf's tail correctly because au_ralign is too large. Fixing the au_ralign computation also corrects the alignment of rq_rcv_buf->pages so that the client does not have to shift reply data payloads after they are received. Fixes: 35e77d21baa0 ("SUNRPC: Add rpc_auth::au_ralign field") Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit b946ae6be37904161dec32a1b0eaf93b3c7150f8 Author: Chuck Lever Date: Sat Apr 18 21:06:23 2020 -0400 SUNRPC: Add "@len" parameter to gss_unwrap() [ Upstream commit 31c9590ae468478fe47dc0f5f0d3562b2f69450e ] Refactor: This is a pre-requisite to fixing the client-side ralign computation in gss_unwrap_resp_priv(). The length value is passed in explicitly rather that as the value of buf->len. This will subsequently allow gss_unwrap_kerberos_v1() to compute a slack and align value, instead of computing it in gss_unwrap_resp_priv(). Fixes: 35e77d21baa0 ("SUNRPC: Add rpc_auth::au_ralign field") Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 5470e5308f6ba7a879c59b574b4ea3efe03a84ef Author: Adam Ford Date: Sat Apr 11 20:33:52 2020 -0500 gpio: pca953x: Fix pca953x_gpio_set_config [ Upstream commit dc87f6dd058a648cd2a35e4aa04592dccdc9f0c2 ] pca953x_gpio_set_config is setup to support pull-up/down bias. Currently the driver uses a variable called 'config' to determine which options to use. Unfortunately, this is incorrect. This patch uses function pinconf_to_config_param(config), which converts this 'config' parameter back to pinconfig to determine which option to use. Fixes: 15add06841a3 ("gpio: pca953x: add ->set_config implementation") Signed-off-by: Adam Ford Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 8d17364ab228ac39921ae00606e1cc03b06ace34 Author: Marc Zyngier Date: Thu Apr 9 13:05:26 2020 +0100 KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits [ Upstream commit ba1ed9e17b581c9a204ec1d72d40472dd8557edd ] There is no point in accessing the HW when writing to any of the ISPENDR/ICPENDR registers from userspace, as only the guest should be allowed to change the HW state. Introduce new userspace-specific accessors that deal solely with the virtual state. Note that the API differs from that of GICv3, where userspace exclusively uses ISPENDR to set the state. Too bad we can't reuse it. Fixes: 82e40f558de56 ("KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI") Reviewed-by: James Morse Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 6d44512a2d6b57bd4ec9609ec4ea52055518b6b5 Author: Marc Zyngier Date: Mon Apr 6 16:21:20 2020 +0100 KVM: arm: vgic: Synchronize the whole guest on GIC{D,R}_I{S,C}ACTIVER read [ Upstream commit 9a50ebbffa9862db7604345f5fd763122b0f6fed ] When a guest tries to read the active state of its interrupts, we currently just return whatever state we have in memory. This means that if such an interrupt lives in a List Register on another CPU, we fail to obsertve the latest active state for this interrupt. In order to remedy this, stop all the other vcpus so that they exit and we can observe the most recent value for the state. This is similar to what we are doing for the write side of the same registers, and results in new MMIO handlers for userspace (which do not need to stop the guest, as it is supposed to be stopped already). Reported-by: Julien Grall Reviewed-by: Andre Przywara Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 32e8ee817d9bb41dd46ce7c0ab7dac314530aaa0 Author: Yuiko Oshino Date: Mon Apr 20 11:51:41 2020 -0400 net: phy: microchip_t1: add lan87xx_phy_init to initialize the lan87xx phy. [ Upstream commit 63edbcceef612bdd95fa28ce100460c7b79008a4 ] lan87xx_phy_init() initializes the lan87xx phy hardware including its TC10 Wake-up and Sleep features. Fixes: 3e50d2da5850 ("Add driver for Microchip LAN87XX T1 PHYs") Signed-off-by: Yuiko Oshino v0->v1: - Add more details in the commit message and source comments. - Update to the latest initialization sequences. - Add access_ereg_modify_changed(). - Fix access_ereg() to access SMI bank correctly. Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 68d5d4675a98e188dc0e0968b6b1dc9969f09ee3 Author: Hugh Dickins Date: Mon Apr 20 18:14:14 2020 -0700 shmem: fix possible deadlocks on shmlock_user_lock [ Upstream commit ea0dfeb4209b4eab954d6e00ed136bc6b48b380d ] Recent commit 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page() when punching hole") has allowed syzkaller to probe deeper, uncovering a long-standing lockdep issue between the irq-unsafe shmlock_user_lock, the irq-safe xa_lock on mapping->i_pages, and shmem inode's info->lock which nests inside xa_lock (or tree_lock) since 4.8's shmem_uncharge(). user_shm_lock(), servicing SysV shmctl(SHM_LOCK), wants shmlock_user_lock while its caller shmem_lock() holds info->lock with interrupts disabled; but hugetlbfs_file_setup() calls user_shm_lock() with interrupts enabled, and might be interrupted by a writeback endio wanting xa_lock on i_pages. This may not risk an actual deadlock, since shmem inodes do not take part in writeback accounting, but there are several easy ways to avoid it. Requiring interrupts disabled for shmlock_user_lock would be easy, but it's a high-level global lock for which that seems inappropriate. Instead, recall that the use of info->lock to guard info->flags in shmem_lock() dates from pre-3.1 days, when races with SHMEM_PAGEIN and SHMEM_TRUNCATE could occur: nowadays it serves no purpose, the only flag added or removed is VM_LOCKED itself, and calls to shmem_lock() an inode are already serialized by the caller. Take info->lock out of the chain and the possibility of deadlock or lockdep warning goes away. Fixes: 4595ef88d136 ("shmem: make shmem_inode_info::lock irq-safe") Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com Reported-by: syzbot+40b71e145e73f78f81ad@syzkaller.appspotmail.com Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Acked-by: Yang Shi Cc: Yang Shi Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2004161707410.16322@eggly.anvils Link: https://lore.kernel.org/lkml/000000000000e5838c05a3152f53@google.com/ Link: https://lore.kernel.org/lkml/0000000000003712b305a331d3b1@google.com/ Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0c15f11f76f1198e956eee70052e9c4f09d7a11a Author: José Roberto de Souza Date: Tue Apr 14 16:04:40 2020 -0700 drm/i915/display: Load DP_TP_CTL/STATUS offset before use it [ Upstream commit 12399028751b887bdc2515f1a1e2c81b4fd74085 ] Right now dp.regs.dp_tp_ctl/status are only set during the encoder pre_enable() hook, what is causing all reads and writes to those registers to go to offset 0x0 before pre_enable() is executed. So if i915 takes the BIOS state and don't do a modeset any following link retraing will fail. In the case that i915 needs to do a modeset, the DDI disable sequence will write to a wrong register not disabling DP 'Transport Enable' in DP_TP_CTL, making a HDMI modeset in the same port/transcoder to not light up the monitor. So here for GENs older than 12, that have those registers fixed at port offset range it is loading at encoder/port init while for GEN12 it will keep setting it at encoder pre_enable() and during HW state readout. Fixes: 4444df6e205b ("drm/i915/tgl: move DP_TP_* to transcoder") Cc: Matt Roper Cc: Lucas De Marchi Signed-off-by: José Roberto de Souza Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20200414230442.262092-1-jose.souza@intel.com (cherry picked from commit edcb9028d66b44d74ba4f8b9daa379b004dc1f85) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 294886d445c5a962ddf669bd26801f739f70f256 Author: Matt Roper Date: Wed Apr 15 16:34:34 2020 -0700 drm/i915/tgl: TBT AUX should use TC power well ops [ Upstream commit 335f62e7606a7921775d7cc73f0ad8ffd899bc22 ] As on ICL, we want to use the Type-C aux handlers for the TBT aux wells to ensure the DP_AUX_CH_CTL_TBT_IO flag is set properly. Fixes: 656409bbaf87 ("drm/i915/tgl: Add power well support") Cc: José Roberto de Souza Cc: Imre Deak Signed-off-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20200415233435.3064257-1-matthew.d.roper@intel.com Reviewed-by: José Roberto de Souza (cherry picked from commit 3cbdb97564a39020262e62b655e788b63cf426cb) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 74459a1b36ee880f28fe587fc7740d39a1e86b5f Author: Matt Roper Date: Tue Apr 14 14:11:17 2020 -0700 drm/i915/tgl: Add Wa_14010477008:tgl [ Upstream commit 81fdd7bfeb8e8f76bcdfef9174ec580707c37d38 ] Media decompression support should not be advertised on any display planes for steppings A0-C0. Bspec: 53273 Fixes: 2dfbf9d2873a ("drm/i915/tgl: Gen-12 display can decompress surfaces compressed by the media engine") Cc: Matt Atwood Signed-off-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20200414211118.2787489-3-matthew.d.roper@intel.com Reviewed-by: José Roberto de Souza (cherry picked from commit dbff5a8db9c630f61a892ab41a283445e01270f5) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 417effc3029cacf5a4d117dff86b19fbee4fe9de Author: Chuck Lever Date: Sun Apr 19 20:03:05 2020 -0400 xprtrdma: Fix trace point use-after-free race [ Upstream commit bdb2ce82818577ba6e57b7d68b698b8d17329281 ] It's not safe to use resources pointed to by the @send_wr of ib_post_send() _after_ that function returns. Those resources are typically freed by the Send completion handler, which can run before ib_post_send() returns. Thus the trace points currently around ib_post_send() in the client's RPC/RDMA transport are a hazard, even when they are disabled. Rearrange them so that they touch the Work Request only _before_ ib_post_send() is invoked. Fixes: ab03eff58eb5 ("xprtrdma: Add trace points in RPC Call transmit paths") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 151021668ac269c05839380eb192b5fe016ccbbc Author: Chuck Lever Date: Fri Feb 21 17:00:23 2020 -0500 xprtrdma: Clean up the post_send path [ Upstream commit 97d0de8812a10a66510ff95f8fe6e8d3053fd2ca ] Clean up: Simplify the synopses of functions in the post_send path by combining the struct rpcrdma_ia and struct rpcrdma_ep arguments. Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 7058db7ebd75095b0c5006a5efdce4bf057a6735 Author: Oliver Upton Date: Tue Apr 14 22:47:45 2020 +0000 kvm: nVMX: reflect MTF VM-exits if injected by L1 [ Upstream commit b045ae906b42afb361dc7ecf1a3cea110fb0a65f ] According to SDM 26.6.2, it is possible to inject an MTF VM-exit via the VM-entry interruption-information field regardless of the 'monitor trap flag' VM-execution control. KVM appropriately copies the VM-entry interruption-information field from vmcs12 to vmcs02. However, if L1 has not set the 'monitor trap flag' VM-execution control, KVM fails to reflect the subsequent MTF VM-exit into L1. Fix this by consulting the VM-entry interruption-information field of vmcs12 to determine if L1 has injected the MTF VM-exit. If so, reflect the exit, regardless of the 'monitor trap flag' VM-execution control. Fixes: 5f3d45e7f282 ("kvm/x86: add support for MONITOR_TRAP_FLAG") Signed-off-by: Oliver Upton Reviewed-by: Peter Shier Reviewed-by: Jim Mattson Message-Id: <20200414224746.240324-1-oupton@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 0a1f9ebd4b34a278266116d602f84a236740e81e Author: Oliver Upton Date: Mon Feb 24 12:27:44 2020 -0800 KVM: nVMX: Consolidate nested MTF checks to helper function [ Upstream commit 212617dbb6bac2a21dec6ef7d6012d96bb6dbb5d ] commit 5ef8acbdd687 ("KVM: nVMX: Emulate MTF when performing instruction emulation") introduced a helper to check the MTF VM-execution control in vmcs12. Change pre-existing check in nested_vmx_exit_reflected() to instead use the helper. Signed-off-by: Oliver Upton Reviewed-by: Krish Sadhukhan Reviewed-by: Miaohe Lin Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit c97bf6c2b713ddc18c351588f4f6c41423ba055f Author: NihilisticPandemoniun <152417+nihilisticpandemonium@users.noreply.github.com> Date: Thu Dec 19 00:08:37 2019 -0800 init: add support for zstd compressed modules Signed-off-by: Alexandre Frade commit 5821a5593fa9f28eb6fcc95c35d00454d9bb8624 Author: Greg Kroah-Hartman Date: Thu May 14 07:59:28 2020 +0200 Linux 5.6.13 commit b3c2ebf2530420af637dcb9e4db94fcfe3c74e7a Author: Amir Goldstein Date: Thu Mar 19 17:10:16 2020 +0200 fanotify: merge duplicate events on parent and child [ Upstream commit f367a62a7cad2447d835a9f14fc63997a9137246 ] With inotify, when a watch is set on a directory and on its child, an event on the child is reported twice, once with wd of the parent watch and once with wd of the child watch without the filename. With fanotify, when a watch is set on a directory and on its child, an event on the child is reported twice, but it has the exact same information - either an open file descriptor of the child or an encoded fid of the child. The reason that the two identical events are not merged is because the object id used for merging events in the queue is the child inode in one event and parent inode in the other. For events with path or dentry data, use the victim inode instead of the watched inode as the object id for event merging, so that the event reported on parent will be merged with the event reported on the child. Link: https://lore.kernel.org/r/20200319151022.31456-9-amir73il@gmail.com Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 6ca61ef0fd16a1873f205aa0c64aace0cab98701 Author: Amir Goldstein Date: Thu Mar 19 17:10:15 2020 +0200 fsnotify: replace inode pointer with an object id [ Upstream commit dfc2d2594e4a79204a3967585245f00644b8f838 ] The event inode field is used only for comparison in queue merges and cannot be dereferenced after handle_event(), because it does not hold a refcount on the inode. Replace it with an abstract id to do the same thing. Link: https://lore.kernel.org/r/20200319151022.31456-8-amir73il@gmail.com Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit c2867b7fb74453620772efd34308f96413e27492 Author: Max Kellermann Date: Thu May 7 14:56:15 2020 -0600 io_uring: don't use 'fd' for openat/openat2/statx Based on commit 63ff822358b276137059520cf16e587e8073e80f upstream. If an operation's flag `needs_file` is set, the function io_req_set_file() calls io_file_get() to obtain a `struct file*`. This fails for `O_PATH` file descriptors, because io_file_get() calls fget(), which rejects `O_PATH` file descriptors. To support `O_PATH`, fdget_raw() must be used (like path_init() in `fs/namei.c` does). This rejection causes io_req_set_file() to throw `-EBADF`. This breaks the operations `openat`, `openat2` and `statx`, where `O_PATH` file descriptors are commonly used. This could be solved by adding support for `O_PATH` file descriptors with another `io_op_def` flag, but since those three operations don't need the `struct file*` but operate directly on the numeric file descriptors, the best solution here is to simply remove `needs_file` (and the accompanying flag `fd_non_reg`). Cc: stable@vger.kernel.org Signed-off-by: Max Kellermann Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b6b41444275f6969408ceaad6790512526ccf1cf Author: Christoph Hellwig Date: Mon May 4 14:47:56 2020 +0200 bdi: add a ->dev_name field to struct backing_dev_info [ Upstream commit 6bd87eec23cbc9ed222bed0f5b5b02bf300e9a8d ] Cache a copy of the name for the life time of the backing_dev_info structure so that we can reference it even after unregistering. Fixes: 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") Reported-by: Yufen Yu Signed-off-by: Christoph Hellwig Reviewed-by: Jan Kara Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e2dc04099bedaca58031107897cad76592e1c5bd Author: Christoph Hellwig Date: Mon May 4 14:47:54 2020 +0200 bdi: move bdi_dev_name out of line [ Upstream commit eb7ae5e06bb6e6ac6bb86872d27c43ebab92f6b2 ] bdi_dev_name is not a fast path function, move it out of line. This prepares for using it from modular callers without having to export an implementation detail like bdi_unknown_name. Signed-off-by: Christoph Hellwig Reviewed-by: Jan Kara Reviewed-by: Greg Kroah-Hartman Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 976d383cb017896d63be3d89b78fbf6390bb943c Author: Yafang Shao Date: Thu May 7 18:35:43 2020 -0700 mm, memcg: fix error return value of mem_cgroup_css_alloc() commit 11d6761218d19ca06ae5387f4e3692c4fa9e7493 upstream. When I run my memcg testcase which creates lots of memcgs, I found there're unexpected out of memory logs while there're still enough available free memory. The error log is mkdir: cannot create directory 'foo.65533': Cannot allocate memory The reason is when we try to create more than MEM_CGROUP_ID_MAX memcgs, an -ENOMEM errno will be set by mem_cgroup_css_alloc(), but the right errno should be -ENOSPC "No space left on device", which is an appropriate errno for userspace's failed mkdir. As the errno really misled me, we should make it right. After this patch, the error log will be mkdir: cannot create directory 'foo.65533': No space left on device [akpm@linux-foundation.org: s/EBUSY/ENOSPC/, per Michal] [akpm@linux-foundation.org: s/EBUSY/ENOSPC/, per Michal] Fixes: 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") Suggested-by: Matthew Wilcox Signed-off-by: Yafang Shao Signed-off-by: Andrew Morton Acked-by: Michal Hocko Acked-by: Johannes Weiner Cc: Vladimir Davydov Link: http://lkml.kernel.org/r/20200407063621.GA18914@dhcp22.suse.cz Link: http://lkml.kernel.org/r/1586192163-20099-1-git-send-email-laoar.shao@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7d5f0187a0d472fe80daa270b300be403ea02413 Author: Ivan Delalande Date: Thu May 7 18:35:53 2020 -0700 scripts/decodecode: fix trapping instruction formatting commit e08df079b23e2e982df15aa340bfbaf50f297504 upstream. If the trapping instruction contains a ':', for a memory access through segment registers for example, the sed substitution will insert the '*' marker in the middle of the instruction instead of the line address: 2b: 65 48 0f c7 0f cmpxchg16b %gs:*(%rdi) <-- trapping instruction I started to think I had forgotten some quirk of the assembly syntax before noticing that it was actually coming from the script. Fix it to add the address marker at the right place for these instructions: 28: 49 8b 06 mov (%r14),%rax 2b:* 65 48 0f c7 0f cmpxchg16b %gs:(%rdi) <-- trapping instruction 30: 0f 94 c0 sete %al Fixes: 18ff44b189e2 ("scripts/decodecode: make faulting insn ptr more robust") Signed-off-by: Ivan Delalande Signed-off-by: Andrew Morton Reviewed-by: Borislav Petkov Link: http://lkml.kernel.org/r/20200419223653.GA31248@visor Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c130df79f77d19d94691b91dca366ace80f5c165 Author: Julia Lawall Date: Tue May 5 20:47:47 2020 +0200 iommu/virtio: Reverse arguments to list_add commit fb3637a113349f53830f7d6ca45891b7192cd28f upstream. Elsewhere in the file, there is a list_for_each_entry with &vdev->resv_regions as the second argument, suggesting that &vdev->resv_regions is the list head. So exchange the arguments on the list_add call to put the list head in the second argument. Fixes: 2a5a31487445 ("iommu/virtio: Add probe request") Signed-off-by: Julia Lawall Signed-off-by: Greg Kroah-Hartman Reviewed-by: Jean-Philippe Brucker Link: https://lore.kernel.org/r/1588704467-13431-1-git-send-email-Julia.Lawall@inria.fr Signed-off-by: Joerg Roedel commit af9e6058a354c6959e754e6f61727d7952d9504c Author: Josh Poimboeuf Date: Sat Apr 25 05:03:00 2020 -0500 objtool: Fix stack offset tracking for indirect CFAs commit d8dd25a461e4eec7190cb9d66616aceacc5110ad upstream. When the current frame address (CFA) is stored on the stack (i.e., cfa->base == CFI_SP_INDIRECT), objtool neglects to adjust the stack offset when there are subsequent pushes or pops. This results in bad ORC data at the end of the ENTER_IRQ_STACK macro, when it puts the previous stack pointer on the stack and does a subsequent push. This fixes the following unwinder warning: WARNING: can't dereference registers at 00000000f0a6bdba for ip interrupt_entry+0x9f/0xa0 Fixes: 627fce14809b ("objtool: Add ORC unwind table generation") Reported-by: Vince Weaver Reported-by: Dave Jones Reported-by: Steven Rostedt Reported-by: Vegard Nossum Reported-by: Joe Mario Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lore.kernel.org/r/853d5d691b29e250333332f09b8e27410b2d9924.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 78365618e3c80b73092fd7fbb0b14c6b0712e0f3 Author: Paolo Bonzini Date: Mon May 4 12:19:45 2020 -0400 kvm: ioapic: Restrict lazy EOI update to edge-triggered interrupts commit 8be8f932e3db5fe4ed178b8892eeffeab530273a upstream. Commit f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") introduces the following infinite loop: BUG: stack guard page was hit at 000000008f595917 \ (stack is 00000000bdefe5a4..00000000ae2b06f5) kernel stack overflow (double-fault): 0000 [#1] SMP NOPTI RIP: 0010:kvm_set_irq+0x51/0x160 [kvm] Call Trace: irqfd_resampler_ack+0x32/0x90 [kvm] kvm_notify_acked_irq+0x62/0xd0 [kvm] kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm] ioapic_set_irq+0x20e/0x240 [kvm] kvm_ioapic_set_irq+0x5c/0x80 [kvm] kvm_set_irq+0xbb/0x160 [kvm] ? kvm_hv_set_sint+0x20/0x20 [kvm] irqfd_resampler_ack+0x32/0x90 [kvm] kvm_notify_acked_irq+0x62/0xd0 [kvm] kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm] ioapic_set_irq+0x20e/0x240 [kvm] kvm_ioapic_set_irq+0x5c/0x80 [kvm] kvm_set_irq+0xbb/0x160 [kvm] ? kvm_hv_set_sint+0x20/0x20 [kvm] .... The re-entrancy happens because the irq state is the OR of the interrupt state and the resamplefd state. That is, we don't want to show the state as 0 until we've had a chance to set the resamplefd. But if the interrupt has _not_ gone low then ioapic_set_irq is invoked again, causing an infinite loop. This can only happen for a level-triggered interrupt, otherwise irqfd_inject would immediately set the KVM_USERSPACE_IRQ_SOURCE_ID high and then low. Fortunately, in the case of level-triggered interrupts the VMEXIT already happens because TMR is set. Thus, fix the bug by restricting the lazy invocation of the ack notifier to edge-triggered interrupts, the only ones that need it. Tested-by: Suravee Suthikulpanit Reported-by: borisvk@bstnet.org Suggested-by: Paolo Bonzini Link: https://www.spinics.net/lists/kvm/msg213512.html Fixes: f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207489 Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 646e3be244c1237fb9eaf61e721363edc0bca5be Author: Arnd Bergmann Date: Wed Apr 29 21:00:41 2020 +0200 netfilter: nf_osf: avoid passing pointer to local var commit c165d57b552aaca607fa5daf3fb524a6efe3c5a3 upstream. gcc-10 points out that a code path exists where a pointer to a stack variable may be passed back to the caller: net/netfilter/nfnetlink_osf.c: In function 'nf_osf_hdr_ctx_init': cc1: warning: function may return address of local variable [-Wreturn-local-addr] net/netfilter/nfnetlink_osf.c:171:16: note: declared here 171 | struct tcphdr _tcph; | ^~~~~ I am not sure whether this can happen in practice, but moving the variable declaration into the callers avoids the problem. Fixes: 31a9c29210e2 ("netfilter: nf_osf: add struct nf_osf_hdr_ctx") Signed-off-by: Arnd Bergmann Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 381fc914ecab461f08c8cb369c2407ac3ae21641 Author: Guillaume Nault Date: Tue Apr 21 02:42:19 2020 +0200 netfilter: nat: never update the UDP checksum when it's 0 commit ea64d8d6c675c0bb712689b13810301de9d8f77a upstream. If the UDP header of a local VXLAN endpoint is NAT-ed, and the VXLAN device has disabled UDP checksums and enabled Tx checksum offloading, then the skb passed to udp_manip_pkt() has hdr->check == 0 (outer checksum disabled) and skb->ip_summed == CHECKSUM_PARTIAL (inner packet checksum offloaded). Because of the ->ip_summed value, udp_manip_pkt() tries to update the outer checksum with the new address and port, leading to an invalid checksum sent on the wire, as the original null checksum obviously didn't take the old address and port into account. So, we can't take ->ip_summed into account in udp_manip_pkt(), as it might not refer to the checksum we're acting on. Instead, we can base the decision to update the UDP checksum entirely on the value of hdr->check, because it's null if and only if checksum is disabled: * A fully computed checksum can't be 0, since a 0 checksum is represented by the CSUM_MANGLED_0 value instead. * A partial checksum can't be 0, since the pseudo-header always adds at least one non-zero value (the UDP protocol type 0x11) and adding more values to the sum can't make it wrap to 0 as the carry is then added to the wrapped number. * A disabled checksum uses the special value 0. The problem seems to be there from day one, although it was probably not visible before UDP tunnels were implemented. Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack") Signed-off-by: Guillaume Nault Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit d91204c65195494cedadc89d507270a71f1380c2 Author: Janakarajan Natarajan Date: Thu May 7 18:35:56 2020 -0700 arch/x86/kvm/svm/sev.c: change flag passed to GUP fast in sev_pin_memory() commit 996ed22c7a5251d76dcdfe5026ef8230e90066d9 upstream. When trying to lock read-only pages, sev_pin_memory() fails because FOLL_WRITE is used as the flag for get_user_pages_fast(). Commit 73b0140bf0fe ("mm/gup: change GUP fast to use flags rather than a write 'bool'") updated the get_user_pages_fast() call sites to use flags, but incorrectly updated the call in sev_pin_memory(). As the original coding of this call was correct, revert the change made by that commit. Fixes: 73b0140bf0fe ("mm/gup: change GUP fast to use flags rather than a write 'bool'") Signed-off-by: Janakarajan Natarajan Signed-off-by: Andrew Morton Reviewed-by: Ira Weiny Cc: Paolo Bonzini Cc: Sean Christopherson Cc: Vitaly Kuznetsov Cc: Wanpeng Li Cc: Jim Mattson Cc: Joerg Roedel Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H . Peter Anvin" Cc: Mike Marshall Cc: Brijesh Singh Link: http://lkml.kernel.org/r/20200423152419.87202-1-Janakarajan.Natarajan@amd.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 61831aa9cf081f9b47486cb72c6e0208a9f2632b Author: Suravee Suthikulpanit Date: Tue Apr 7 01:13:09 2020 -0500 KVM: x86: Fixes posted interrupt check for IRQs delivery modes commit 637543a8d61c6afe4e9be64bfb43c78701a83375 upstream. Current logic incorrectly uses the enum ioapic_irq_destination_types to check the posted interrupt destination types. However, the value was set using APIC_DM_XXX macros, which are left-shifted by 8 bits. Fixes by using the APIC_DM_FIXED and APIC_DM_LOWEST instead. Fixes: (fdcf75621375 'KVM: x86: Disable posted interrupts for non-standard IRQs delivery modes') Cc: Alexander Graf Signed-off-by: Suravee Suthikulpanit Message-Id: <1586239989-58305-1-git-send-email-suravee.suthikulpanit@amd.com> Reviewed-by: Maxim Levitsky Tested-by: Maxim Levitsky Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0fd83bfd71a5f28b4ce0c813cb0bdc5a62af0774 Author: Josh Poimboeuf Date: Sat Apr 25 05:06:14 2020 -0500 x86/unwind/orc: Fix premature unwind stoppage due to IRET frames commit 81b67439d147677d844d492fcbd03712ea438f42 upstream. The following execution path is possible: fsnotify() [ realign the stack and store previous SP in R10 ] [ only IRET regs saved ] common_interrupt() interrupt_entry() [ full pt_regs saved ] ... [ unwind stack ] When the unwinder goes through the NMI and the IRQ on the stack, and then sees fsnotify(), it doesn't have access to the value of R10, because it only has the five IRET registers. So the unwind stops prematurely. However, because the interrupt_entry() code is careful not to clobber R10 before saving the full regs, the unwinder should be able to read R10 from the previously saved full pt_regs associated with the NMI. Handle this case properly. When encountering an IRET regs frame immediately after a full pt_regs frame, use the pt_regs as a backup which can be used to get the C register values. Also, note that a call frame resets the 'prev_regs' value, because a function is free to clobber the registers. For this fix to work, the IRET and full regs frames must be adjacent, with no FUNC frames in between. So replace the FUNC hint in interrupt_entry() with an IRET_REGS hint. Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/97a408167cc09f1cfa0de31a7b70dd88868d743f.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 58ed593e554f959ec3c3c8811578e41b748a8e6e Author: Josh Poimboeuf Date: Sat Apr 25 05:06:13 2020 -0500 x86/unwind/orc: Fix error path for bad ORC entry type commit a0f81bf26888048100bf017fadf438a5bdffa8d8 upstream. If the ORC entry type is unknown, nothing else can be done other than reporting an error. Exit the function instead of breaking out of the switch statement. Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/a7fa668ca6eabbe81ab18b2424f15adbbfdc810a.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit ec90d36948aff1f89b59b256f53c32b940029ace Author: Josh Poimboeuf Date: Sat Apr 25 05:03:08 2020 -0500 x86/unwind/orc: Prevent unwinding before ORC initialization commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream. If the unwinder is called before the ORC data has been initialized, orc_find() returns NULL, and it tries to fall back to using frame pointers. This can cause some unexpected warnings during boot. Move the 'orc_init' check from orc_find() to __unwind_init(), so that it doesn't even try to unwind from an uninitialized state. Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/069d1499ad606d85532eb32ce39b2441679667d5.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit d3ed6670d04a10d9c22c4dd851db1798ff0651e2 Author: Miroslav Benes Date: Sat Apr 25 05:03:07 2020 -0500 x86/unwind/orc: Don't skip the first frame for inactive tasks commit f1d9a2abff66aa8156fbc1493abed468db63ea48 upstream. When unwinding an inactive task, the ORC unwinder skips the first frame by default. If both the 'regs' and 'first_frame' parameters of unwind_start() are NULL, 'state->sp' and 'first_frame' are later initialized to the same value for an inactive task. Given there is a "less than or equal to" comparison used at the end of __unwind_start() for skipping stack frames, the first frame is skipped. Drop the equal part of the comparison and make the behavior equivalent to the frame pointer unwinder. Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") Reviewed-by: Miroslav Benes Signed-off-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/7f08db872ab59e807016910acdbe82f744de7065.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 531c4b24daa64328e0edda3394dd306d7eab5d79 Author: Jann Horn Date: Sat Apr 25 05:03:04 2020 -0500 x86/entry/64: Fix unwind hints in rewind_stack_do_exit() commit f977df7b7ca45a4ac4b66d30a8931d0434c394b1 upstream. The LEAQ instruction in rewind_stack_do_exit() moves the stack pointer directly below the pt_regs at the top of the task stack before calling do_exit(). Tell the unwinder to expect pt_regs. Fixes: 8c1f75587a18 ("x86/entry/64: Add unwind hint annotations") Reviewed-by: Miroslav Benes Signed-off-by: Jann Horn Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/68c33e17ae5963854916a46f522624f8e1d264f2.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 0f2db3006858914d2691a157bdf90bb62a2c902f Author: Josh Poimboeuf Date: Sat Apr 25 05:03:03 2020 -0500 x86/entry/64: Fix unwind hints in __switch_to_asm() commit 96c64806b4bf35f5edb465cafa6cec490e424a30 upstream. UNWIND_HINT_FUNC has some limitations: specifically, it doesn't reset all the registers to undefined. This causes objtool to get confused about the RBP push in __switch_to_asm(), resulting in bad ORC data. While __switch_to_asm() does do some stack magic, it's otherwise a normal callable-from-C function, so just annotate it as a function, which makes objtool happy and allows it to produces the correct hints automatically. Fixes: 8c1f75587a18 ("x86/entry/64: Add unwind hint annotations") Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/03d0411920d10f7418f2e909210d8e9a3b2ab081.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit b45ffb761a9dbcbfcd6784dc8b636b484310cfdd Author: Josh Poimboeuf Date: Sat Apr 25 05:03:02 2020 -0500 x86/entry/64: Fix unwind hints in kernel exit path commit 1fb143634a38095b641a3a21220774799772dc4c upstream. In swapgs_restore_regs_and_return_to_usermode, after the stack is switched to the trampoline stack, the existing UNWIND_HINT_REGS hint is no longer valid, which can result in the following ORC unwinder warning: WARNING: can't dereference registers at 000000003aeb0cdd for ip swapgs_restore_regs_and_return_to_usermode+0x93/0xa0 For full correctness, we could try to add complicated unwind hints so the unwinder could continue to find the registers, but when when it's this close to kernel exit, unwind hints aren't really needed anymore and it's fine to just use an empty hint which tells the unwinder to stop. For consistency, also move the UNWIND_HINT_EMPTY in entry_SYSCALL_64_after_hwframe to a similar location. Fixes: 3e3b9293d392 ("x86/entry/64: Return to userspace from the trampoline stack") Reported-by: Vince Weaver Reported-by: Dave Jones Reported-by: Dr. David Alan Gilbert Reported-by: Joe Mario Reported-by: Jann Horn Reported-by: Linus Torvalds Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lore.kernel.org/r/60ea8f562987ed2d9ace2977502fe481c0d7c9a0.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit 4c5f624e816f5c823e6b0127ae5df5cff52c318b Author: Josh Poimboeuf Date: Sat Apr 25 05:03:01 2020 -0500 x86/entry/64: Fix unwind hints in register clearing code commit 06a9750edcffa808494d56da939085c35904e618 upstream. The PUSH_AND_CLEAR_REGS macro zeroes each register immediately after pushing it. If an NMI or exception hits after a register is cleared, but before the UNWIND_HINT_REGS annotation, the ORC unwinder will wrongly think the previous value of the register was zero. This can confuse the unwinding process and cause it to exit early. Because ORC is simpler than DWARF, there are a limited number of unwind annotation states, so it's not possible to add an individual unwind hint after each push/clear combination. Instead, the register clearing instructions need to be consolidated and moved to after the UNWIND_HINT_REGS annotation. Fixes: 3f01daecd545 ("x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro") Reviewed-by: Miroslav Benes Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Andy Lutomirski Cc: Dave Jones Cc: Jann Horn Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Link: https://lore.kernel.org/r/68fd3d0bc92ae2d62ff7879d15d3684217d51f08.1587808742.git.jpoimboe@redhat.com Signed-off-by: Greg Kroah-Hartman commit d023b36d24d0812c9b2954c5e4c8d2e36a3d6054 Author: Rick Edgecombe Date: Wed Apr 22 20:13:55 2020 -0700 x86/mm/cpa: Flush direct map alias during cpa commit ab5130186d7476dcee0d4e787d19a521ca552ce9 upstream. As an optimization, cpa_flush() was changed to optionally only flush the range in @cpa if it was small enough. However, this range does not include any direct map aliases changed in cpa_process_alias(). So small set_memory_() calls that touch that alias don't get the direct map changes flushed. This situation can happen when the virtual address taking variants are passed an address in vmalloc or modules space. In these cases, force a full TLB flush. Note this issue does not extend to cases where the set_memory_() calls are passed a direct map address, or page array, etc, as the primary target. In those cases the direct map would be flushed. Fixes: 935f5839827e ("x86/mm/cpa: Optimize cpa_flush_array() TLB invalidation") Signed-off-by: Rick Edgecombe Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20200424105343.GA20730@hirez.programming.kicks-ass.net Signed-off-by: Greg Kroah-Hartman commit c0f3ed270a533aff57588504ee02bd2516e965ef Author: Xiyu Yang Date: Mon Apr 20 13:37:20 2020 +0800 batman-adv: Fix refcnt leak in batadv_v_ogm_process commit 6f91a3f7af4186099dd10fa530dd7e0d9c29747d upstream. batadv_v_ogm_process() invokes batadv_hardif_neigh_get(), which returns a reference of the neighbor object to "hardif_neigh" with increased refcount. When batadv_v_ogm_process() returns, "hardif_neigh" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling paths of batadv_v_ogm_process(). When batadv_v_ogm_orig_get() fails to get the orig node and returns NULL, the refcnt increased by batadv_hardif_neigh_get() is not decreased, causing a refcnt leak. Fix this issue by jumping to "out" label when batadv_v_ogm_orig_get() fails to get the orig node. Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit 2dc1689b56c9f0874da7af6b1f4f9f31f3d0a4d9 Author: Xiyu Yang Date: Wed Apr 15 16:35:21 2020 +0800 batman-adv: Fix refcnt leak in batadv_store_throughput_override commit 6107c5da0fca8b50b4d3215e94d619d38cc4a18c upstream. batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(), which gets a batadv_hard_iface object from net_dev with increased refcnt and its reference is assigned to a local pointer 'hard_iface'. When batadv_store_throughput_override() returns, "hard_iface" becomes invalid, so the refcount should be decreased to keep refcount balanced. The issue happens in one error path of batadv_store_throughput_override(). When batadv_parse_throughput() returns NULL, the refcnt increased by batadv_hardif_get_by_netdev() is not decreased, causing a refcnt leak. Fix this issue by jumping to "out" label when batadv_parse_throughput() returns NULL. Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit 5ab2882b2e363611644d71de30e3a7549b8e2023 Author: Xiyu Yang Date: Wed Apr 15 16:31:50 2020 +0800 batman-adv: Fix refcnt leak in batadv_show_throughput_override commit f872de8185acf1b48b954ba5bd8f9bc0a0d14016 upstream. batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(), which gets a batadv_hard_iface object from net_dev with increased refcnt and its reference is assigned to a local pointer 'hard_iface'. When batadv_show_throughput_override() returns, "hard_iface" becomes invalid, so the refcount should be decreased to keep refcount balanced. The issue happens in the normal path of batadv_show_throughput_override(), which forgets to decrease the refcnt increased by batadv_hardif_get_by_netdev() before the function returns, causing a refcnt leak. Fix this issue by calling batadv_hardif_put() before the batadv_show_throughput_override() returns in the normal path. Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit 92718c22ed3db00a08b5f19625da7d6bf3ab6978 Author: George Spelvin Date: Sun Mar 8 09:44:59 2020 -0400 batman-adv: fix batadv_nc_random_weight_tq commit fd0c42c4dea54335967c5a86f15fc064235a2797 upstream. and change to pseudorandom numbers, as this is a traffic dithering operation that doesn't need crypto-grade. The previous code operated in 4 steps: 1. Generate a random byte 0 <= rand_tq <= 255 2. Multiply it by BATADV_TQ_MAX_VALUE - tq 3. Divide by 255 (= BATADV_TQ_MAX_VALUE) 4. Return BATADV_TQ_MAX_VALUE - rand_tq This would apperar to scale (BATADV_TQ_MAX_VALUE - tq) by a random value between 0/255 and 255/255. But! The intermediate value between steps 3 and 4 is stored in a u8 variable. So it's truncated, and most of the time, is less than 255, after which the division produces 0. Specifically, if tq is odd, the product is always even, and can never be 255. If tq is even, there's exactly one random byte value that will produce a product byte of 255. Thus, the return value is 255 (511/512 of the time) or 254 (1/512 of the time). If we assume that the truncation is a bug, and the code is meant to scale the input, a simpler way of looking at it is that it's returning a random value between tq and BATADV_TQ_MAX_VALUE, inclusive. Well, we have an optimized function for doing just that. Fixes: 3c12de9a5c75 ("batman-adv: network coding - code and transmit packets if possible") Signed-off-by: George Spelvin Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit 0c44725e4f1e77a59f00d6941c3dbc8d3a8c6dd4 Author: Tejun Heo Date: Mon May 4 19:27:54 2020 -0400 iocost: protect iocg->abs_vdebt with iocg->waitq.lock commit 0b80f9866e6bbfb905140ed8787ff2af03652c0c upstream. abs_vdebt is an atomic_64 which tracks how much over budget a given cgroup is and controls the activation of use_delay mechanism. Once a cgroup goes over budget from forced IOs, it has to pay it back with its future budget. The progress guarantee on debt paying comes from the iocg being active - active iocgs are processed by the periodic timer, which ensures that as time passes the debts dissipate and the iocg returns to normal operation. However, both iocg activation and vdebt handling are asynchronous and a sequence like the following may happen. 1. The iocg is in the process of being deactivated by the periodic timer. 2. A bio enters ioc_rqos_throttle(), calls iocg_activate() which returns without anything because it still sees that the iocg is already active. 3. The iocg is deactivated. 4. The bio from #2 is over budget but needs to be forced. It increases abs_vdebt and goes over the threshold and enables use_delay. 5. IO control is enabled for the iocg's subtree and now IOs are attributed to the descendant cgroups and the iocg itself no longer issues IOs. This leaves the iocg with stuck abs_vdebt - it has debt but inactive and no further IOs which can activate it. This can end up unduly punishing all the descendants cgroups. The usual throttling path has the same issue - the iocg must be active while throttled to ensure that future event will wake it up - and solves the problem by synchronizing the throttling path with a spinlock. abs_vdebt handling is another form of overage handling and shares a lot of characteristics including the fact that it isn't in the hottest path. This patch fixes the above and other possible races by strictly synchronizing abs_vdebt and use_delay handling with iocg->waitq.lock. Signed-off-by: Tejun Heo Reported-by: Vlad Dmitriev Cc: stable@vger.kernel.org # v5.4+ Fixes: e1518f63f246 ("blk-iocost: Don't let merges push vtime into the future") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3d80728a0a7eb613c61cf5da2d5e1c537b0fa6bd Author: Vincent Chen Date: Mon Apr 27 14:59:24 2020 +0800 riscv: set max_pfn to the PFN of the last page commit c749bb2d554825e007cbc43b791f54e124dadfce upstream. The current max_pfn equals to zero. In this case, I found it caused users cannot get some page information through /proc such as kpagecount in v5.6 kernel because of new sanity checks. The following message is displayed by stress-ng test suite with the command "stress-ng --verbose --physpage 1 -t 1" on HiFive unleashed board. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [109] 4 processors online, 4 processors configured stress-ng: info: [109] dispatching hogs: 1 physpage stress-ng: debug: [109] cache allocate: reducing cache level from L3 (too high) to L0 stress-ng: debug: [109] get_cpu_cache: invalid cache_level: 0 stress-ng: info: [109] cache allocate: using built-in defaults as no suitable cache found stress-ng: debug: [109] cache allocate: default cache size: 2048K stress-ng: debug: [109] starting stressors stress-ng: debug: [109] 1 stressor spawned stress-ng: debug: [110] stress-ng-physpage: started [110] (instance 0) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd34de000 in /proc/kpagecount, errno=0 (Success) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) ... stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) stress-ng: debug: [110] stress-ng-physpage: exited [110] (instance 0) stress-ng: debug: [109] process [110] terminated stress-ng: info: [109] successful run completed in 1.00s # After applying this patch, the kernel can pass the test. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [104] 4 processors online, 4 processors configured stress-ng: info: [104] dispatching hogs: 1 physpage stress-ng: info: [104] cache allocate: using defaults, can't determine cache details from sysfs stress-ng: debug: [104] cache allocate: default cache size: 2048K stress-ng: debug: [104] starting stressors stress-ng: debug: [104] 1 stressor spawned stress-ng: debug: [105] stress-ng-physpage: started [105] (instance 0) stress-ng: debug: [105] stress-ng-physpage: exited [105] (instance 0) stress-ng: debug: [104] process [105] terminated stress-ng: info: [104] successful run completed in 1.01s # Cc: stable@vger.kernel.org Signed-off-by: Vincent Chen Reviewed-by: Anup Patel Reviewed-by: Yash Shah Tested-by: Yash Shah Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 3b75146a055f9716847e67fc80ca55efd5682f8b Author: Luis Chamberlain Date: Thu Apr 16 16:28:59 2020 +0000 coredump: fix crash when umh is disabled commit 3740d93e37902b31159a82da2d5c8812ed825404 upstream. Commit 64e90a8acb859 ("Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()") added the optiont to disable all call_usermodehelper() calls by setting STATIC_USERMODEHELPER_PATH to an empty string. When this is done, and crashdump is triggered, it will crash on null pointer dereference, since we make assumptions over what call_usermodehelper_exec() did. This has been reported by Sergey when one triggers a a coredump with the following configuration: ``` CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER_PATH="" kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e ``` The way disabling the umh was designed was that call_usermodehelper_exec() would just return early, without an error. But coredump assumes certain variables are set up for us when this happens, and calls ile_start_write(cprm.file) with a NULL file. [ 2.819676] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 2.819859] #PF: supervisor read access in kernel mode [ 2.820035] #PF: error_code(0x0000) - not-present page [ 2.820188] PGD 0 P4D 0 [ 2.820305] Oops: 0000 [#1] SMP PTI [ 2.820436] CPU: 2 PID: 89 Comm: a Not tainted 5.7.0-rc1+ #7 [ 2.820680] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014 [ 2.821150] RIP: 0010:do_coredump+0xd80/0x1060 [ 2.821385] Code: e8 95 11 ed ff 48 c7 c6 cc a7 b4 81 48 8d bd 28 ff ff ff 89 c2 e8 70 f1 ff ff 41 89 c2 85 c0 0f 84 72 f7 ff ff e9 b4 fe ff ff <48> 8b 57 20 0f b7 02 66 25 00 f0 66 3d 00 8 0 0f 84 9c 01 00 00 44 [ 2.822014] RSP: 0000:ffffc9000029bcb8 EFLAGS: 00010246 [ 2.822339] RAX: 0000000000000000 RBX: ffff88803f860000 RCX: 000000000000000a [ 2.822746] RDX: 0000000000000009 RSI: 0000000000000282 RDI: 0000000000000000 [ 2.823141] RBP: ffffc9000029bde8 R08: 0000000000000000 R09: ffffc9000029bc00 [ 2.823508] R10: 0000000000000001 R11: ffff88803dec90be R12: ffffffff81c39da0 [ 2.823902] R13: ffff88803de84400 R14: 0000000000000000 R15: 0000000000000000 [ 2.824285] FS: 00007fee08183540(0000) GS:ffff88803e480000(0000) knlGS:0000000000000000 [ 2.824767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2.825111] CR2: 0000000000000020 CR3: 000000003f856005 CR4: 0000000000060ea0 [ 2.825479] Call Trace: [ 2.825790] get_signal+0x11e/0x720 [ 2.826087] do_signal+0x1d/0x670 [ 2.826361] ? force_sig_info_to_task+0xc1/0xf0 [ 2.826691] ? force_sig_fault+0x3c/0x40 [ 2.826996] ? do_trap+0xc9/0x100 [ 2.827179] exit_to_usermode_loop+0x49/0x90 [ 2.827359] prepare_exit_to_usermode+0x77/0xb0 [ 2.827559] ? invalid_op+0xa/0x30 [ 2.827747] ret_from_intr+0x20/0x20 [ 2.827921] RIP: 0033:0x55e2c76d2129 [ 2.828107] Code: 2d ff ff ff e8 68 ff ff ff 5d c6 05 18 2f 00 00 01 c3 0f 1f 80 00 00 00 00 c3 0f 1f 80 00 00 00 00 e9 7b ff ff ff 55 48 89 e5 <0f> 0b b8 00 00 00 00 5d c3 66 2e 0f 1f 84 0 0 00 00 00 00 0f 1f 40 [ 2.828603] RSP: 002b:00007fffeba5e080 EFLAGS: 00010246 [ 2.828801] RAX: 000055e2c76d2125 RBX: 0000000000000000 RCX: 00007fee0817c718 [ 2.829034] RDX: 00007fffeba5e188 RSI: 00007fffeba5e178 RDI: 0000000000000001 [ 2.829257] RBP: 00007fffeba5e080 R08: 0000000000000000 R09: 00007fee08193c00 [ 2.829482] R10: 0000000000000009 R11: 0000000000000000 R12: 000055e2c76d2040 [ 2.829727] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 2.829964] CR2: 0000000000000020 [ 2.830149] ---[ end trace ceed83d8c68a1bf1 ]--- ``` Cc: # v4.11+ Fixes: 64e90a8acb85 ("Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199795 Reported-by: Tony Vroon Reported-by: Sergey Kvachonok Tested-by: Sergei Trofimovich Signed-off-by: Luis Chamberlain Link: https://lore.kernel.org/r/20200416162859.26518-1-mcgrof@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit a81f2a4bf7961429cb35bc001558018a29c1e755 Author: Oscar Carter Date: Fri May 1 17:51:18 2020 +0200 staging: gasket: Check the return value of gasket_get_bar_index() commit 769acc3656d93aaacada814939743361d284fd87 upstream. Check the return value of gasket_get_bar_index function as it can return a negative one (-EINVAL). If this happens, a negative index is used in the "gasket_dev->bar_data" array. Addresses-Coverity-ID: 1438542 ("Negative array index read") Fixes: 9a69f5087ccc2 ("drivers/staging: Gasket driver framework + Apex driver") Signed-off-by: Oscar Carter Cc: stable Reviewed-by: Richard Yeh Link: https://lore.kernel.org/r/20200501155118.13380-1-oscar.carter@gmx.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit f71f5a764f4c3490b9d15de62a761dd0d5fc7ca6 Author: Luis Henriques Date: Tue May 5 13:59:02 2020 +0100 ceph: demote quotarealm lookup warning to a debug message commit 12ae44a40a1be891bdc6463f8c7072b4ede746ef upstream. A misconfigured cephx can easily result in having the kernel client flooding the logs with: ceph: Can't lookup inode 1 (err: -13) Change this message to debug level. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/44546 Signed-off-by: Luis Henriques Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit cdd3516c2be4bdf8ec309b010e211991ed4947c7 Author: Jeff Layton Date: Tue Apr 28 08:10:22 2020 -0400 ceph: fix endianness bug when handling MDS session feature bits commit 0fa8263367db9287aa0632f96c1a5f93cc478150 upstream. Eduard reported a problem mounting cephfs on s390 arch. The feature mask sent by the MDS is little-endian, so we need to convert it before storing and testing against it. Cc: stable@vger.kernel.org Reported-and-Tested-by: Eduard Shishkin Signed-off-by: Jeff Layton Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit 9d588cbdeba1edceda1901b1f8593d749a6c46e7 Author: Henry Willard Date: Thu May 7 18:36:27 2020 -0700 mm: limit boost_watermark on small zones commit 14f69140ff9c92a0928547ceefb153a842e8492c upstream. Commit 1c30844d2dfe ("mm: reclaim small amounts of memory when an external fragmentation event occurs") adds a boost_watermark() function which increases the min watermark in a zone by at least pageblock_nr_pages or the number of pages in a page block. On Arm64, with 64K pages and 512M huge pages, this is 8192 pages or 512M. It does this regardless of the number of managed pages managed in the zone or the likelihood of success. This can put the zone immediately under water in terms of allocating pages from the zone, and can cause a small machine to fail immediately due to OoM. Unlike set_recommended_min_free_kbytes(), which substantially increases min_free_kbytes and is tied to THP, boost_watermark() can be called even if THP is not active. The problem is most likely to appear on architectures such as Arm64 where pageblock_nr_pages is very large. It is desirable to run the kdump capture kernel in as small a space as possible to avoid wasting memory. In some architectures, such as Arm64, there are restrictions on where the capture kernel can run, and therefore, the space available. A capture kernel running in 768M can fail due to OoM immediately after boost_watermark() sets the min in zone DMA32, where most of the memory is, to 512M. It fails even though there is over 500M of free memory. With boost_watermark() suppressed, the capture kernel can run successfully in 448M. This patch limits boost_watermark() to boosting a zone's min watermark only when there are enough pages that the boost will produce positive results. In this case that is estimated to be four times as many pages as pageblock_nr_pages. Mel said: : There is no harm in marking it stable. Clearly it does not happen very : often but it's not impossible. 32-bit x86 is a lot less common now : which would previously have been vulnerable to triggering this easily. : ppc64 has a larger base page size but typically only has one zone. : arm64 is likely the most vulnerable, particularly when CMA is : configured with a small movable zone. Fixes: 1c30844d2dfe ("mm: reclaim small amounts of memory when an external fragmentation event occurs") Signed-off-by: Henry Willard Signed-off-by: Andrew Morton Reviewed-by: David Hildenbrand Acked-by: Mel Gorman Cc: Vlastimil Babka Cc: Link: http://lkml.kernel.org/r/1588294148-6586-1-git-send-email-henry.willard@oracle.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 17a68145e058a80250515159bdf8d3a3a0adca65 Author: David Hildenbrand Date: Thu May 7 18:35:46 2020 -0700 mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() commit e84fe99b68ce353c37ceeecc95dce9696c976556 upstream. Without CONFIG_PREEMPT, it can happen that we get soft lockups detected, e.g., while booting up. watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.6.0-next-20200331+ #4 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: __pageblock_pfn_to_page+0x134/0x1c0 Call Trace: set_zone_contiguous+0x56/0x70 page_alloc_init_late+0x166/0x176 kernel_init_freeable+0xfa/0x255 kernel_init+0xa/0x106 ret_from_fork+0x35/0x40 The issue becomes visible when having a lot of memory (e.g., 4TB) assigned to a single NUMA node - a system that can easily be created using QEMU. Inside VMs on a hypervisor with quite some memory overcommit, this is fairly easy to trigger. Signed-off-by: David Hildenbrand Signed-off-by: Andrew Morton Reviewed-by: Pavel Tatashin Reviewed-by: Pankaj Gupta Reviewed-by: Baoquan He Reviewed-by: Shile Zhang Acked-by: Michal Hocko Cc: Kirill Tkhai Cc: Shile Zhang Cc: Pavel Tatashin Cc: Daniel Jordan Cc: Michal Hocko Cc: Alexander Duyck Cc: Baoquan He Cc: Oscar Salvador Cc: Link: http://lkml.kernel.org/r/20200416073417.5003-1-david@redhat.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 64bf394bba26e8201079f5119c93d115d4a75f44 Author: Khazhismel Kumykov Date: Thu May 7 18:35:59 2020 -0700 eventpoll: fix missing wakeup for ovflist in ep_poll_callback commit 0c54a6a44bf3d41e76ce3f583a6ece267618df2e upstream. In the event that we add to ovflist, before commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") we would be woken up by ep_scan_ready_list, and did no wakeup in ep_poll_callback. With that wakeup removed, if we add to ovflist here, we may never wake up. Rather than adding back the ep_scan_ready_list wakeup - which was resulting in unnecessary wakeups, trigger a wake-up in ep_poll_callback. We noticed that one of our workloads was missing wakeups starting with 339ddb53d373 and upon manual inspection, this wakeup seemed missing to me. With this patch added, we no longer see missing wakeups. I haven't yet tried to make a small reproducer, but the existing kselftests in filesystem/epoll passed for me with this patch. [khazhy@google.com: use if/elif instead of goto + cleanup suggested by Roman] Link: http://lkml.kernel.org/r/20200424190039.192373-1-khazhy@google.com Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") Signed-off-by: Khazhismel Kumykov Signed-off-by: Andrew Morton Reviewed-by: Roman Penyaev Cc: Alexander Viro Cc: Roman Penyaev Cc: Heiher Cc: Jason Baron Cc: Link: http://lkml.kernel.org/r/20200424025057.118641-1-khazhy@google.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7f1236c421cf5f6ab942ea17788fc4b65dadd056 Author: Roman Penyaev Date: Thu May 7 18:36:16 2020 -0700 epoll: atomically remove wait entry on wake up commit 412895f03cbf9633298111cb4dfde13b7720e2c5 upstream. This patch does two things: - fixes a lost wakeup introduced by commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") - improves performance for events delivery. The description of the problem is the following: if N (>1) threads are waiting on ep->wq for new events and M (>1) events come, it is quite likely that >1 wakeups hit the same wait queue entry, because there is quite a big window between __add_wait_queue_exclusive() and the following __remove_wait_queue() calls in ep_poll() function. This can lead to lost wakeups, because thread, which was woken up, can handle not all the events in ->rdllist. (in better words the problem is described here: https://lkml.org/lkml/2019/10/7/905) The idea of the current patch is to use init_wait() instead of init_waitqueue_entry(). Internally init_wait() sets autoremove_wake_function as a callback, which removes the wait entry atomically (under the wq locks) from the list, thus the next coming wakeup hits the next wait entry in the wait queue, thus preventing lost wakeups. Problem is very well reproduced by the epoll60 test case [1]. Wait entry removal on wakeup has also performance benefits, because there is no need to take a ep->lock and remove wait entry from the queue after the successful wakeup. Here is the timing output of the epoll60 test case: With explicit wakeup from ep_scan_ready_list() (the state of the code prior 339ddb53d373): real 0m6.970s user 0m49.786s sys 0m0.113s After this patch: real 0m5.220s user 0m36.879s sys 0m0.019s The other testcase is the stress-epoll [2], where one thread consumes all the events and other threads produce many events: With explicit wakeup from ep_scan_ready_list() (the state of the code prior 339ddb53d373): threads events/ms run-time ms 8 5427 1474 16 6163 2596 32 6824 4689 64 7060 9064 128 6991 18309 After this patch: threads events/ms run-time ms 8 5598 1429 16 7073 2262 32 7502 4265 64 7640 8376 128 7634 16767 (number of "events/ms" represents event bandwidth, thus higher is better; number of "run-time ms" represents overall time spent doing the benchmark, thus lower is better) [1] tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c [2] https://github.com/rouming/test-tools/blob/master/stress-epoll.c Signed-off-by: Roman Penyaev Signed-off-by: Andrew Morton Reviewed-by: Jason Baron Cc: Khazhismel Kumykov Cc: Alexander Viro Cc: Heiher Cc: Link: http://lkml.kernel.org/r/20200430130326.1368509-2-rpenyaev@suse.de Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 09cbc41468267a18d813e856cbfc8594d6b6ac1d Author: Oleg Nesterov Date: Thu May 7 18:35:39 2020 -0700 ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() commit b5f2006144c6ae941726037120fa1001ddede784 upstream. Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal. Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission(). This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ? Test-case: #include #include #include #include #include static int notified; static void sigh(int sig) { notified = 1; } int main(void) { signal(SIGIO, sigh); int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL); assert(fd >= 0); struct sigevent se = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGIO, }; assert(mq_notify(fd, &se) == 0); if (!fork()) { assert(setuid(1) == 0); mq_send(fd, "",1,0); return 0; } wait(NULL); mq_unlink("/mq"); assert(notified); return 0; } [manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere] Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Reported-by: Yoji Signed-off-by: Oleg Nesterov Signed-off-by: Manfred Spraul Signed-off-by: Andrew Morton Acked-by: "Eric W. Biederman" Cc: Davidlohr Bueso Cc: Markus Elfring Cc: <1vier1@web.de> Cc: Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6f0d234dad15425d8e36d5f3e0af7f3f54f651a0 Author: Daniel Kolesa Date: Wed Apr 29 17:02:36 2020 +0200 drm/amd/display: work around fp code being emitted outside of DC_FP_START/END commit 59dfb0c64d3853d20dc84f4561f28d4f5a2ddc7d upstream. The dcn20_validate_bandwidth function would have code touching the incorrect registers emitted outside of the boundaries of the DC_FP_START/END macros, at least on ppc64le. Work around the problem by wrapping the whole function instead. Signed-off-by: Daniel Kolesa Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.6.x Signed-off-by: Greg Kroah-Hartman commit 772f7d23042ffd1daef349660bdaff72a4119555 Author: H. Nikolaus Schaller Date: Mon May 4 08:35:12 2020 +0200 drm: ingenic-drm: add MODULE_DEVICE_TABLE commit c59359a02d14a7256cd508a4886b7d2012df2363 upstream. so that the driver can load by matching the device tree if compiled as module. Cc: stable@vger.kernel.org # v5.3+ Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") Signed-off-by: H. Nikolaus Schaller Signed-off-by: Paul Cercueil Link: https://patchwork.freedesktop.org/patch/msgid/1694a29b7a3449b6b662cec33d1b33f2ee0b174a.1588574111.git.hns@goldelico.com Signed-off-by: Greg Kroah-Hartman commit 64d795914663efc49109a763be80945394171674 Author: Tomas Winkler Date: Wed Apr 29 00:12:00 2020 +0300 mei: me: disable mei interface on LBG servers. commit d76bc8200f9cf8b6746e66b37317ba477eda25c4 upstream. Disable the MEI driver on LBG SPS (server) platforms, some corner flows such as recovery mode does not work, and the driver doesn't have working use cases. Cc: Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20200428211200.12200-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit a4b8747205fc05c09ac29febe88c82e1df2bb4e3 Author: Ulf Hansson Date: Wed Apr 22 12:10:13 2020 +0200 amba: Initialize dma_parms for amba devices commit f458488425f1cc9a396aa1d09bb00c48783936da upstream. It's currently the amba driver's responsibility to initialize the pointer, dma_parms, for its corresponding struct device. The benefit with this approach allows us to avoid the initialization and to not waste memory for the struct device_dma_parameters, as this can be decided on a case by case basis. However, it has turned out that this approach is not very practical. Not only does it lead to open coding, but also to real errors. In principle callers of dma_set_max_seg_size() doesn't check the error code, but just assumes it succeeds. For these reasons, let's do the initialization from the common amba bus at the device registration point. This also follows the way the PCI devices are being managed, see pci_device_add(). Suggested-by: Christoph Hellwig Cc: Russell King Cc: Tested-by: Haibo Chen Reviewed-by: Arnd Bergmann Signed-off-by: Ulf Hansson Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20200422101013.31267-1-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman commit 51cedac68704abe10c8f5410678212c77ed8a033 Author: Ulf Hansson Date: Wed Apr 22 12:09:54 2020 +0200 driver core: platform: Initialize dma_parms for platform devices commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd upstream. It's currently the platform driver's responsibility to initialize the pointer, dma_parms, for its corresponding struct device. The benefit with this approach allows us to avoid the initialization and to not waste memory for the struct device_dma_parameters, as this can be decided on a case by case basis. However, it has turned out that this approach is not very practical. Not only does it lead to open coding, but also to real errors. In principle callers of dma_set_max_seg_size() doesn't check the error code, but just assumes it succeeds. For these reasons, let's do the initialization from the common platform bus at the device registration point. This also follows the way the PCI devices are being managed, see pci_device_add(). Suggested-by: Christoph Hellwig Cc: Tested-by: Haibo Chen Reviewed-by: Arnd Bergmann Signed-off-by: Ulf Hansson Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20200422100954.31211-1-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman commit 8cdbbb56fec54a893a536874b59d91f5a86bc9ec Author: Mark Rutland Date: Tue May 5 13:59:30 2020 +0100 arm64: hugetlb: avoid potential NULL dereference commit 027d0c7101f50cf03aeea9eebf484afd4920c8d3 upstream. The static analyzer in GCC 10 spotted that in huge_pte_alloc() we may pass a NULL pmdp into pte_alloc_map() when pmd_alloc() returns NULL: | CC arch/arm64/mm/pageattr.o | CC arch/arm64/mm/hugetlbpage.o | from arch/arm64/mm/hugetlbpage.c:10: | arch/arm64/mm/hugetlbpage.c: In function ‘huge_pte_alloc’: | ./arch/arm64/include/asm/pgtable-types.h:28:24: warning: dereference of NULL ‘pmdp’ [CWE-690] [-Wanalyzer-null-dereference] | ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ | arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ | |arch/arm64/mm/hugetlbpage.c:232:10: | |./arch/arm64/include/asm/pgtable-types.h:28:24: | ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ | arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ This can only occur when the kernel cannot allocate a page, and so is unlikely to happen in practice before other systems start failing. We can avoid this by bailing out if pmd_alloc() fails, as we do earlier in the function if pud_alloc() fails. Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit") Signed-off-by: Mark Rutland Reported-by: Kyrill Tkachov Cc: # 4.5.x- Cc: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 743342cd1d65810bceb61f6a1bac1b76452fafc5 Author: Marc Zyngier Date: Wed Apr 29 11:21:55 2020 +0100 KVM: arm64: Fix 32bit PC wrap-around commit 0225fd5e0a6a32af7af0aefac45c8ebf19dc5183 upstream. In the unlikely event that a 32bit vcpu traps into the hypervisor on an instruction that is located right at the end of the 32bit range, the emulation of that instruction is going to increment PC past the 32bit range. This isn't great, as userspace can then observe this value and get a bit confused. Conversly, userspace can do things like (in the context of a 64bit guest that is capable of 32bit EL0) setting PSTATE to AArch64-EL0, set PC to a 64bit value, change PSTATE to AArch32-USR, and observe that PC hasn't been truncated. More confusion. Fix both by: - truncating PC increments for 32bit guests - sanitizing all 32bit regs every time a core reg is changed by userspace, and that PSTATE indicates a 32bit mode. Cc: stable@vger.kernel.org Acked-by: Will Deacon Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit ddf16a3eab2bdfc0a4d79d81cb7412fda8b04419 Author: Marc Zyngier Date: Tue Apr 14 15:10:08 2020 +0100 KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER commit 1c32ca5dc6d00012f0c964e5fdd7042fcc71efb1 upstream. When deciding whether a guest has to be stopped we check whether this is a private interrupt or not. Unfortunately, there's an off-by-one bug here, and we fail to recognize a whole range of interrupts as being global (GICv2 SPIs 32-63). Fix the condition from > to be >=. Cc: stable@vger.kernel.org Fixes: abd7229626b93 ("KVM: arm/arm64: Simplify active_change_prepare and plug race") Reported-by: André Przywara Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 99fa8af7ccf1542665b3aa501a005785d63e0cc5 Author: Sean Christopherson Date: Tue May 5 20:53:55 2020 -0700 KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path commit c7cb2d650c9e78c03bd2d1c0db89891825f8c0f4 upstream. Clear CF and ZF in the VM-Exit path after doing __FILL_RETURN_BUFFER so that KVM doesn't interpret clobbered RFLAGS as a VM-Fail. Filling the RSB has always clobbered RFLAGS, its current incarnation just happens clear CF and ZF in the processs. Relying on the macro to clear CF and ZF is extremely fragile, e.g. commit 089dd8e53126e ("x86/speculation: Change FILL_RETURN_BUFFER to work with objtool") tweaks the loop such that the ZF flag is always set. Reported-by: Qian Cai Cc: Rick Edgecombe Cc: Peter Zijlstra (Intel) Cc: Josh Poimboeuf Cc: stable@vger.kernel.org Fixes: f2fde6a5bcfcf ("KVM: VMX: Move RSB stuffing to before the first RET after VM-Exit") Signed-off-by: Sean Christopherson Message-Id: <20200506035355.2242-1-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8f3f0910a86b1917ef191b75619a28c0aef6f92a Author: Christian Borntraeger Date: Tue May 5 09:27:15 2020 +0200 KVM: s390: Remove false WARN_ON_ONCE for the PQAP instruction commit 5615e74f48dcc982655543e979b6c3f3f877e6f6 upstream. In LPAR we will only get an intercept for FC==3 for the PQAP instruction. Running nested under z/VM can result in other intercepts as well as ECA_APIE is an effective bit: If one hypervisor layer has turned this bit off, the end result will be that we will get intercepts for all function codes. Usually the first one will be a query like PQAP(QCI). So the WARN_ON_ONCE is not right. Let us simply remove it. Cc: Pierre Morel Cc: Tony Krowiak Cc: stable@vger.kernel.org # v5.3+ Fixes: e5282de93105 ("s390: ap: kvm: add PQAP interception for AQIC") Link: https://lore.kernel.org/kvm/20200505083515.2720-1-borntraeger@de.ibm.com Reported-by: Qian Cai Signed-off-by: Christian Borntraeger Reviewed-by: David Hildenbrand Reviewed-by: Cornelia Huck Signed-off-by: Christian Borntraeger Signed-off-by: Greg Kroah-Hartman commit e7b8447e1bbb4c9fd7e9441ab7a3ba4179c4edea Author: Jason A. Donenfeld Date: Wed Apr 22 17:18:53 2020 -0600 crypto: arch/lib - limit simd usage to 4k chunks commit 706024a52c614b478b63f7728d202532ce6591a9 upstream. The initial Zinc patchset, after some mailing list discussion, contained code to ensure that kernel_fpu_enable would not be kept on for more than a 4k chunk, since it disables preemption. The choice of 4k isn't totally scientific, but it's not a bad guess either, and it's what's used in both the x86 poly1305, blake2s, and nhpoly1305 code already (in the form of PAGE_SIZE, which this commit corrects to be explicitly 4k for the former two). Ard did some back of the envelope calculations and found that at 5 cycles/byte (overestimate) on a 1ghz processor (pretty slow), 4k means we have a maximum preemption disabling of 20us, which Sebastian confirmed was probably a good limit. Unfortunately the chunking appears to have been left out of the final patchset that added the glue code. So, this commit adds it back in. Fixes: 84e03fa39fbe ("crypto: x86/chacha - expose SIMD ChaCha routine as library function") Fixes: b3aad5bad26a ("crypto: arm64/chacha - expose arm64 ChaCha routine as library function") Fixes: a44a3430d71b ("crypto: arm/chacha - expose ARM ChaCha routine as library function") Fixes: d7d7b8535662 ("crypto: x86/poly1305 - wire up faster implementations for kernel") Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") Fixes: a6b803b3ddc7 ("crypto: arm/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation") Fixes: ed0356eda153 ("crypto: blake2s - x86_64 SIMD implementation") Cc: Eric Biggers Cc: Sebastian Andrzej Siewior Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Reviewed-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d4487b633a37700d5c2bf39f9c1627dc6d8b69c8 Author: Jason A. Donenfeld Date: Wed Apr 22 17:18:54 2020 -0600 crypto: arch/nhpoly1305 - process in explicit 4k chunks commit a9a8ba90fa5857c2c8a0e32eef2159cec717da11 upstream. Rather than chunking via PAGE_SIZE, this commit changes the arch implementations to chunk in explicit 4k parts, so that calculations on maximum acceptable latency don't suddenly become invalid on platforms where PAGE_SIZE isn't 4k, such as arm64. Fixes: 0f961f9f670e ("crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305") Fixes: 012c82388c03 ("crypto: x86/nhpoly1305 - add SSE2 accelerated NHPoly1305") Fixes: a00fa0c88774 ("crypto: arm64/nhpoly1305 - add NEON-accelerated NHPoly1305") Fixes: 16aae3595a9d ("crypto: arm/nhpoly1305 - add NEON-accelerated NHPoly1305") Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 088255a073ee730ca0c2c54aaadef24b34b4b976 Author: Steven Rostedt (VMware) Date: Wed May 6 10:36:18 2020 -0400 tracing: Add a vmalloc_sync_mappings() for safe measure commit 11f5efc3ab66284f7aaacc926e9351d658e2577b upstream. x86_64 lazily maps in the vmalloc pages, and the way this works with per_cpu areas can be complex, to say the least. Mappings may happen at boot up, and if nothing synchronizes the page tables, those page mappings may not be synced till they are used. This causes issues for anything that might touch one of those mappings in the path of the page fault handler. When one of those unmapped mappings is touched in the page fault handler, it will cause another page fault, which in turn will cause a page fault, and leave us in a loop of page faults. Commit 763802b53a42 ("x86/mm: split vmalloc_sync_all()") split vmalloc_sync_all() into vmalloc_sync_unmappings() and vmalloc_sync_mappings(), as on system exit, it did not need to do a full sync on x86_64 (although it still needed to be done on x86_32). By chance, the vmalloc_sync_all() would synchronize the page mappings done at boot up and prevent the per cpu area from being a problem for tracing in the page fault handler. But when that synchronization in the exit of a task became a nop, it caused the problem to appear. Link: https://lore.kernel.org/r/20200429054857.66e8e333@oasis.local.home Cc: stable@vger.kernel.org Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code") Reported-by: "Tzvetomir Stoyanov (VMware)" Suggested-by: Joerg Roedel Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 13946ad1d908e05ca8a2ce61b33f64819c9dc8ea Author: Steven Rostedt (VMware) Date: Wed May 6 10:20:10 2020 -0400 tracing: Wait for preempt irq delay thread to finish commit d16a8c31077e75ecb9427fbfea59b74eed00f698 upstream. Running on a slower machine, it is possible that the preempt delay kernel thread may still be executing if the module was immediately removed after added, and this can cause the kernel to crash as the kernel thread might be executing after its code has been removed. There's no reason that the caller of the code shouldn't just wait for the delay thread to finish, as the thread can also be created by a trigger in the sysfs code, which also has the same issues. Link: http://lore.kernel.org/r/5EA2B0C8.2080706@cn.fujitsu.com Cc: stable@vger.kernel.org Fixes: 793937236d1ee ("lib: Add module for testing preemptoff/irqsoff latency tracers") Reported-by: Xiao Yang Reviewed-by: Xiao Yang Reviewed-by: Joel Fernandes Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 8db9e7e13d5a1f251e2edb1c91862f8bd5ca3968 Author: Masami Hiramatsu Date: Sat Apr 25 14:49:26 2020 +0900 tracing/kprobes: Reject new event if loc is NULL commit 5b4dcd2d201a395ad4054067bfae4a07554fbd65 upstream. Reject the new event which has NULL location for kprobes. For kprobes, user must specify at least the location. Link: http://lkml.kernel.org/r/158779376597.6082.1411212055469099461.stgit@devnote2 Cc: Tom Zanussi Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: 2a588dd1d5d6 ("tracing: Add kprobe event command generation functions") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 419b6ef27860b28bb9a7c041478f974ba0fba457 Author: Masami Hiramatsu Date: Sat Apr 25 14:49:17 2020 +0900 tracing/boottime: Fix kprobe event API usage commit da0f1f4167e3af69e1d8b32d6d65195ddd2bfb64 upstream. Fix boottime kprobe events to use API correctly for multiple events. For example, when we set a multiprobe kprobe events in bootconfig like below, ftrace.event.kprobes.myevent { probes = "vfs_read $arg1 $arg2", "vfs_write $arg1 $arg2" } This cause an error; trace_boot: Failed to add probe: p:kprobes/myevent (null) vfs_read $arg1 $arg2 vfs_write $arg1 $arg2 This shows the 1st argument becomes NULL and multiprobes are merged to 1 probe. Link: http://lkml.kernel.org/r/158779375766.6082.201939936008972838.stgit@devnote2 Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: 29a154810546 ("tracing: Change trace_boot to use kprobe_event interface") Reviewed-by: Tom Zanussi Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit baff4ba57c916c9c3a87a81708fb0672716d28fc Author: Oliver Neukum Date: Wed Apr 15 16:03:04 2020 +0200 USB: serial: garmin_gps: add sanity checking for data length commit e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 upstream. We must not process packets shorter than a packet ID Signed-off-by: Oliver Neukum Reported-and-tested-by: syzbot+d29e9263e13ce0b9f4fd@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 3dbb165ddcc04d95259e9a8391e110615d0a4d6e Author: Bryan O'Donoghue Date: Thu May 7 08:49:18 2020 +0800 usb: chipidea: msm: Ensure proper controller reset using role switch API commit 91edf63d5022bd0464788ffb4acc3d5febbaf81d upstream. Currently we check to make sure there is no error state on the extcon handle for VBUS when writing to the HS_PHY_GENCONFIG_2 register. When using the USB role-switch API we still need to write to this register absent an extcon handle. This patch makes the appropriate update to ensure the write happens if role-switching is true. Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support") Cc: stable Cc: Greg Kroah-Hartman Cc: Philipp Zabel Cc: linux-usb@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: Stephen Boyd Signed-off-by: Bryan O'Donoghue Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20200507004918.25975-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman commit 911ddebbdd948169dfcba5607c2a0e30f5520e1b Author: Oliver Neukum Date: Wed Apr 29 17:52:18 2020 +0200 USB: uas: add quirk for LaCie 2Big Quadra commit 9f04db234af691007bb785342a06abab5fb34474 upstream. This device needs US_FL_NO_REPORT_OPCODES to avoid going through prolonged error handling on enumeration. Signed-off-by: Oliver Neukum Reported-by: Julian Groß Cc: stable Link: https://lore.kernel.org/r/20200429155218.7308-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit c921814c70069183f28925ca8f516f13d71803c4 Author: Jason Gerecke Date: Fri Apr 24 14:04:00 2020 -0700 HID: wacom: Report 2nd-gen Intuos Pro S center button status over BT commit dcce8ef8f70a8e38e6c47c1bae8b312376c04420 upstream. The state of the center button was not reported to userspace for the 2nd-gen Intuos Pro S when used over Bluetooth due to the pad handling code not being updated to support its reduced number of buttons. This patch uses the actual number of buttons present on the tablet to assemble a button state bitmap. Link: https://github.com/linuxwacom/xf86-input-wacom/issues/112 Fixes: cd47de45b855 ("HID: wacom: Add 2nd gen Intuos Pro Small support") Signed-off-by: Jason Gerecke Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 7dc8fa096889cbb1c24020b246fc1d5853b2b9c3 Author: Alan Stern Date: Wed Apr 22 16:18:48 2020 -0400 HID: usbhid: Fix race between usbhid_close() and usbhid_stop() commit 0ed08faded1da03eb3def61502b27f81aef2e615 upstream. The syzbot fuzzer discovered a bad race between in the usbhid driver between usbhid_stop() and usbhid_close(). In particular, usbhid_stop() does: usb_free_urb(usbhid->urbin); ... usbhid->urbin = NULL; /* don't mess up next start */ and usbhid_close() does: usb_kill_urb(usbhid->urbin); with no mutual exclusion. If the two routines happen to run concurrently so that usb_kill_urb() is called in between the usb_free_urb() and the NULL assignment, it will access the deallocated urb structure -- a use-after-free bug. This patch adds a mutex to the usbhid private structure and uses it to enforce mutual exclusion of the usbhid_start(), usbhid_stop(), usbhid_open() and usbhid_close() callbacks. Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit b109811554e6ba4f684911170a6d9c05544ed073 Author: Jason Gerecke Date: Wed Apr 8 07:58:37 2020 -0700 Revert "HID: wacom: generic: read the number of expected touches on a per collection basis" commit b43f977dd281945960c26b3ef67bba0fa07d39d9 upstream. This reverts commit 15893fa40109f5e7c67eeb8da62267d0fdf0be9d. The referenced commit broke pen and touch input for a variety of devices such as the Cintiq Pro 32. Affected devices may appear to work normally for a short amount of time, but eventually loose track of actual touch state and can leave touch arbitration enabled which prevents the pen from working. The commit is not itself required for any currently-available Bluetooth device, and so we revert it to correct the behavior of broken devices. This breakage occurs due to a mismatch between the order of collections and the order of usages on some devices. This commit tries to read the contact count before processing events, but will fail if the contact count does not occur prior to the first logical finger collection. This is the case for devices like the Cintiq Pro 32 which place the contact count at the very end of the report. Without the contact count set, touches will only be partially processed. The `wacom_wac_finger_slot` function will not open any slots since the number of contacts seen is greater than the expectation of 0, but we will still end up calling `input_mt_sync_frame` for each finger anyway. This can cause problems for userspace separate from the issue currently taking place in the kernel. Only once all of the individual finger collections have been processed do we finally get to the enclosing collection which contains the contact count. The value ends up being used for the *next* report, however. This delayed use of the contact count can cause the driver to loose track of the actual touch state and believe that there are contacts down when there aren't. This leaves touch arbitration enabled and prevents the pen from working. It can also cause userspace to incorrectly treat single- finger input as gestures. Link: https://github.com/linuxwacom/input-wacom/issues/146 Signed-off-by: Jason Gerecke Reviewed-by: Aaron Armstrong Skomra Fixes: 15893fa40109 ("HID: wacom: generic: read the number of expected touches on a per collection basis") Cc: stable@vger.kernel.org # 5.3+ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit a5ce8531ea508d270822b2bc6140c6198c8a2a7b Author: Jere Leppänen Date: Tue Apr 21 22:03:41 2020 +0300 sctp: Fix bundling of SHUTDOWN with COOKIE-ACK commit 145cb2f7177d94bc54563ed26027e952ee0ae03c upstream. When we start shutdown in sctp_sf_do_dupcook_a(), we want to bundle the SHUTDOWN with the COOKIE-ACK to ensure that the peer receives them at the same time and in the correct order. This bundling was broken by commit 4ff40b86262b ("sctp: set chunk transport correctly when it's a new asoc"), which assigns a transport for the COOKIE-ACK, but not for the SHUTDOWN. Fix this by passing a reference to the COOKIE-ACK chunk as an argument to sctp_sf_do_9_2_start_shutdown() and onward to sctp_make_shutdown(). This way the SHUTDOWN chunk is assigned the same transport as the COOKIE-ACK chunk, which allows them to be bundled. In sctp_sf_do_9_2_start_shutdown(), the void *arg parameter was previously unused. Now that we're taking it into use, it must be a valid pointer to a chunk, or NULL. There is only one call site where it's not, in sctp_sf_autoclose_timer_expire(). Fix that too. Fixes: 4ff40b86262b ("sctp: set chunk transport correctly when it's a new asoc") Signed-off-by: Jere Leppänen Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 05aa17c3bbd3ba4d46ed0736af559f7bc0215794 Author: Jason Gerecke Date: Wed Apr 1 14:23:29 2020 -0700 HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices commit 778fbf4179991e7652e97d7f1ca1f657ef828422 upstream. We've recently switched from extracting the value of HID_DG_CONTACTMAX at a fixed offset (which may not be correct for all tablets) to injecting the report into the driver for the generic codepath to handle. Unfortunately, this change was made for *all* tablets, even those which aren't generic. Because `wacom_wac_report` ignores reports from non- generic devices, the contact count never gets initialized. Ultimately this results in the touch device itself failing to probe, and thus the loss of touch input. This commit adds back the fixed-offset extraction for non-generic devices. Link: https://github.com/linuxwacom/input-wacom/issues/155 Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report") Signed-off-by: Jason Gerecke Reviewed-by: Aaron Armstrong Skomra CC: stable@vger.kernel.org # 5.3+ Signed-off-by: Benjamin Tissoires Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit c8bd0fd53458419c37ace2d21174eebd867420c7 Author: Jason A. Donenfeld Date: Wed May 6 15:33:04 2020 -0600 wireguard: send/receive: cond_resched() when processing worker ringbuffers [ Upstream commit 4005f5c3c9d006157ba716594e0d70c88a235c5e ] Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption, which Sultan observed. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. Note that we don't need this on the napi poll worker, since that terminates after its budget is expended. Suggested-by: Sultan Alsawaf Reported-by: Wang Jian Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit df364086a8c965a453b4a68f6cc2d6f981eda11a Author: Jason A. Donenfeld Date: Wed May 6 15:33:03 2020 -0600 wireguard: socket: remove errant restriction on looping to self [ Upstream commit b673e24aad36981f327a6570412ffa7754de8911 ] It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea1bbba16a0b2cd32695bc4f0b60e17b84f17d0b Author: Dejin Zheng Date: Mon May 4 20:01:27 2020 +0800 net: enetc: fix an issue about leak system resources [ Upstream commit d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8 ] the related system resources were not released when enetc_hw_alloc() return error in the enetc_pci_mdio_probe(), add iounmap() for error handling label "err_hw_alloc" to fix it. Fixes: 6517798dd3432a ("enetc: Make MDIO accessors more generic and export to include/linux/fsl") Cc: Andy Shevchenko Signed-off-by: Dejin Zheng Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 52c05feadc64d82bf1bf65ab5c55dbbeadeb5a3b Author: Toke Høiland-Jørgensen Date: Wed Apr 29 14:59:22 2020 -0600 wireguard: receive: use tunnel helpers for decapsulating ECN markings [ Upstream commit eebabcb26ea1e3295704477c6cd4e772c96a9559 ] WireGuard currently only propagates ECN markings on tunnel decap according to the old RFC3168 specification. However, the spec has since been updated in RFC6040 to recommend slightly different decapsulation semantics. This was implemented in the kernel as a set of common helpers for ECN decapsulation, so let's just switch over WireGuard to using those, so it can benefit from this enhancement and any future tweaks. We do not drop packets with invalid ECN marking combinations, because WireGuard is frequently used to work around broken ISPs, which could be doing that. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Reported-by: Olivier Tilmans Cc: Dave Taht Cc: Rodney W. Grimes Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0ffd4563be3417f80c46c01a881d9402ccff7ebb Author: Jason A. Donenfeld Date: Wed Apr 29 14:59:21 2020 -0600 wireguard: queueing: cleanup ptr_ring in error path of packet_queue_init [ Upstream commit 130c58606171326c81841a49cc913cd354113dd9 ] Prior, if the alloc_percpu of packet_percpu_multicore_worker_alloc failed, the previously allocated ptr_ring wouldn't be freed. This commit adds the missing call to ptr_ring_cleanup in the error case. Reported-by: Sultan Alsawaf Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 58eea66cc0566abd5518fc91600591d298b3f1dd Author: Dan Carpenter Date: Wed May 6 13:16:56 2020 +0300 net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() [ Upstream commit 722c0f00d4feea77475a5dc943b53d60824a1e4e ] The "info->fs.location" is a u32 that comes from the user via the ethtool_set_rxnfc() function. We need to check for invalid values to prevent a buffer overflow. I copy and pasted this check from the mvpp2_ethtool_cls_rule_ins() function. Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d7e796eaf6ac0692aaef4b420287f37997d2913b Author: Dan Carpenter Date: Wed May 6 13:16:22 2020 +0300 net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx() [ Upstream commit 39bd16df7c31bb8cf5dfd0c88e42abd5ae10029d ] The "rss_context" variable comes from the user via ethtool_get_rxfh(). It can be any u32 value except zero. Eventually it gets passed to mvpp22_rss_ctx() and if it is over MVPP22_N_RSS_TABLES (8) then it results in an array overflow. Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfdccd7b998c966622998d2cd5388881a30844fd Author: Roi Dayan Date: Thu Apr 23 12:37:21 2020 +0300 net/mlx5e: Fix q counters on uplink representors [ Upstream commit 67b38de646894c9a94fe4d6d17719e70cc6028eb ] Need to allocate the q counters before init_rx which needs them when creating the rq. Fixes: 8520fa57a4e9 ("net/mlx5e: Create q counters on uplink representors") Signed-off-by: Roi Dayan Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 2103909a6939c9c906a673b068fb9d09cccdc076 Author: Moshe Shemesh Date: Sun Feb 23 03:27:41 2020 +0200 net/mlx5: Fix command entry leak in Internal Error State [ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ] Processing commands by cmd_work_handler() while already in Internal Error State will result in entry leak, since the handler process force completion without doorbell. Forced completion doesn't release the entry and event completion will never arrive, so entry should be released. Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") Signed-off-by: Moshe Shemesh Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit b5b4f1ae5e502107467d854078e4972e3acbbd59 Author: Moshe Shemesh Date: Sun Jul 21 08:40:13 2019 +0300 net/mlx5: Fix forced completion access non initialized command entry [ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ] mlx5_cmd_flush() will trigger forced completions to all valid command entries. Triggered by an asynch event such as fast teardown it can happen at any stage of the command, including command initialization. It will trigger forced completion and that can lead to completion on an uninitialized command entry. Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is initialized will ensure force completion is treated only if command entry is initialized. Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") Signed-off-by: Moshe Shemesh Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit da214fd1046572502d518a8a44a61c3bec7fd872 Author: Erez Shitrit Date: Wed Mar 25 17:19:43 2020 +0200 net/mlx5: DR, On creation set CQ's arm_db member to right value [ Upstream commit 8075411d93b6efe143d9f606f6531077795b7fbf ] In polling mode, set arm_db member to a value that will avoid CQ event recovery by the HW. Otherwise we might get event without completion function. In addition,empty completion function to was added to protect from unexpected events. Fixes: 297cccebdc5a ("net/mlx5: DR, Expose an internal API to issue RDMA operations") Signed-off-by: Erez Shitrit Reviewed-by: Tariq Toukan Reviewed-by: Alex Vesker Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 9e6f263cd0ef87e2e122352b81687bec192c74a5 Author: Michael Chan Date: Sun Apr 26 16:24:42 2020 -0400 bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). [ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ] The current logic in bnxt_fix_features() will inadvertently turn on both CTAG and STAG VLAN offload if the user tries to disable both. Fix it by checking that the user is trying to enable CTAG or STAG before enabling both. The logic is supposed to enable or disable both CTAG and STAG together. Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b90ed93995415671bf66923898515db86d43120 Author: Michael Chan Date: Sun Apr 26 16:24:41 2020 -0400 bnxt_en: Return error when allocating zero size context memory. [ Upstream commit bbf211b1ecb891c7e0cc7888834504183fc8b534 ] bnxt_alloc_ctx_pg_tbls() should return error when the memory size of the context memory to set up is zero. By returning success (0), the caller may proceed normally and may crash later when it tries to set up the memory. Fixes: 08fe9d181606 ("bnxt_en: Add Level 2 context memory paging support.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 77c19d216631de3133fa379cd6df77babc553a5f Author: Michael Chan Date: Sun Apr 26 16:24:40 2020 -0400 bnxt_en: Improve AER slot reset. [ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ] Improve the slot reset sequence by disabling the device to prevent bad DMAs if slot reset fails. Return the proper result instead of always PCI_ERS_RESULT_RECOVERED to the caller. Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit baac8bc5bde34be81133597e8a15633294d32160 Author: Vasundhara Volam Date: Sun Apr 26 16:24:39 2020 -0400 bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF. [ Upstream commit 9e68cb0359b20f99c7b070f1d3305e5e0a9fae6d ] Broadcom adapters support only maximum of 512 CQs per PF. If user sets MSIx vectors more than supported CQs, firmware is setting incorrect value for msix_vec_per_pf_max parameter. Fix it by reducing the BNXT_MSIX_VEC_MAX value to 512, even though the maximum # of MSIx vectors supported by adapter are 1280. Fixes: f399e8497826 ("bnxt_en: Use msix_vec_per_pf_max and msix_vec_per_pf_min devlink params.") Signed-off-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b201e328fb24d02efd99e45bfee59d8fd58d4eda Author: Michael Chan Date: Sun Apr 26 16:24:38 2020 -0400 bnxt_en: Fix VF anti-spoof filter setup. [ Upstream commit c71c4e49afe173823a2a85b0cabc9b3f1176ffa2 ] Fix the logic that sets the enable/disable flag for the source MAC filter according to firmware spec 1.7.1. In the original firmware spec. before 1.7.1, the VF spoof check flags were not latched after making the HWRM_FUNC_CFG call, so there was a need to keep the func_flags so that subsequent calls would perserve the VF spoof check setting. A change was made in the 1.7.1 spec so that the flags became latched. So we now set or clear the anti- spoof setting directly without retrieving the old settings in the stored vf->func_flags which are no longer valid. We also remove the unneeded vf->func_flags. Fixes: 8eb992e876a8 ("bnxt_en: Update firmware interface spec to 1.7.6.2.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 74720a3a1be739ff5c95eb483ca8f9de81c5aa39 Author: Toke Høiland-Jørgensen Date: Mon Apr 27 16:11:05 2020 +0200 tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 [ Upstream commit b723748750ece7d844cdf2f52c01d37f83387208 ] RFC 6040 recommends propagating an ECT(1) mark from an outer tunnel header to the inner header if that inner header is already marked as ECT(0). When RFC 6040 decapsulation was implemented, this case of propagation was not added. This simply appears to be an oversight, so let's fix that. Fixes: eccc1bb8d4b4 ("tunnel: drop packet if ECN present with not-ECT") Reported-by: Bob Briscoe Reported-by: Olivier Tilmans Cc: Dave Taht Cc: Stephen Hemminger Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b0cef8193e433946e854a5c19e82a382f07185b Author: Tuong Lien Date: Mon May 4 11:15:54 2020 +0700 tipc: fix partial topology connection closure [ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ] When an application connects to the TIPC topology server and subscribes to some services, a new connection is created along with some objects - 'tipc_subscription' to store related data correspondingly... However, there is one omission in the connection handling that when the connection or application is orderly shutdown (e.g. via SIGQUIT, etc.), the connection is not closed in kernel, the 'tipc_subscription' objects are not freed too. This results in: - The maximum number of subscriptions (65535) will be reached soon, new subscriptions will be rejected; - TIPC module cannot be removed (unless the objects are somehow forced to release first); The commit fixes the issue by closing the connection if the 'recvmsg()' returns '0' i.e. when the peer is shutdown gracefully. It also includes the other unexpected cases. Acked-by: Jon Maloy Acked-by: Ying Xue Signed-off-by: Tuong Lien Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ee28b1c107cad5c6270dbab36591621199bc7d3 Author: Eric Dumazet Date: Wed May 6 09:21:15 2020 -0700 selftests: net: tcp_mmap: fix SO_RCVLOWAT setting [ Upstream commit a84724178bd7081cf3bd5b558616dd6a9a4ca63b ] Since chunk_size is no longer an integer, we can not use it directly as an argument of setsockopt(). This patch should fix tcp_mmap for Big Endian kernels. Fixes: 597b01edafac ("selftests: net: avoid ptl lock contention in tcp_mmap") Signed-off-by: Eric Dumazet Cc: Soheil Hassas Yeganeh Cc: Arjun Roy Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c8c0bc59a7544d2b1e3d910a0622d2de836dfcba Author: Eric Dumazet Date: Tue May 5 20:51:06 2020 -0700 selftests: net: tcp_mmap: clear whole tcp_zerocopy_receive struct [ Upstream commit bf5525f3a8e3248be5aa5defe5aaadd60e1c1ba1 ] We added fields in tcp_zerocopy_receive structure, so make sure to clear all fields to not pass garbage to the kernel. We were lucky because recent additions added 'out' parameters, still we need to clean our reference implementation, before folks copy/paste it. Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.") Fixes: 33946518d493 ("tcp-zerocopy: Return sk_err (if set) along with tcp receive zerocopy.") Signed-off-by: Eric Dumazet Cc: Arjun Roy Cc: Soheil Hassas Yeganeh Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2149c61b047f66241276f708b061b9cbfb097c4f Author: Eric Dumazet Date: Sun Apr 26 18:19:07 2020 -0700 sch_sfq: validate silly quantum values [ Upstream commit df4953e4e997e273501339f607b77953772e3559 ] syzbot managed to set up sfq so that q->scaled_quantum was zero, triggering an infinite loop in sfq_dequeue() More generally, we must only accept quantum between 1 and 2^18 - 7, meaning scaled_quantum must be in [1, 0x7FFF] range. Otherwise, we also could have a loop in sfq_dequeue() if scaled_quantum happens to be 0x8000, since slot->allot could indefinitely switch between 0 and 0x8000. Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair") Signed-off-by: Eric Dumazet Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com Cc: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6bebceac7977f8a9b4d4dc5ac333f08b39114955 Author: Eric Dumazet Date: Sat Apr 25 15:19:51 2020 -0700 sch_choke: avoid potential panic in choke_reset() [ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ] If choke_init() could not allocate q->tab, we would crash later in choke_reset(). BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline] BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326 Write of size 8 at addr 0000000000000000 by task syz-executor822/7022 CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515 kasan_report+0x33/0x50 mm/kasan/common.c:625 check_memory_region_inline mm/kasan/generic.c:187 [inline] check_memory_region+0x141/0x190 mm/kasan/generic.c:193 memset+0x20/0x40 mm/kasan/common.c:85 memset include/linux/string.h:366 [inline] choke_reset+0x208/0x340 net/sched/sch_choke.c:326 qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910 dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138 netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline] dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195 dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233 qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051 tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 ___sys_sendmsg+0x100/0x170 net/socket.c:2416 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f883c51ba6abf83fa4c37b656e22c5dd34d19341 Author: Qiushi Wu Date: Sat May 2 17:42:59 2020 -0500 nfp: abm: fix a memory leak bug [ Upstream commit bd4af432cc71b5fbfe4833510359a6ad3ada250d ] In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open. But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released, which can lead to a memory leak bug. Fix this issue by adding nfp_nsp_close(nsp) in the error path. Fixes: f6e71efdf9fb1 ("nfp: abm: look up MAC addresses via management FW") Signed-off-by: Qiushi Wu Acked-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 00b37d4c30697e3c664f14ede776790cd66fa5df Author: Matt Jolly Date: Sun May 3 01:52:28 2020 +1000 net: usb: qmi_wwan: add support for DW5816e [ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ] Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c Signed-off-by: Matt Jolly Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit af4a1df88c4b7a0c023bda1d311f2703734f53f0 Author: Xiyu Yang Date: Sat Apr 25 21:10:23 2020 +0800 net/tls: Fix sk_psock refcnt leak when in tls_data_ready() [ Upstream commit 62b4011fa7bef9fa00a6aeec26e69685dc1cc21e ] tls_data_ready() invokes sk_psock_get(), which returns a reference of the specified sk_psock object to "psock" with increased refcnt. When tls_data_ready() returns, local variable "psock" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of tls_data_ready(). When "psock->ingress_msg" is empty but "psock" is not NULL, the function forgets to decrease the refcnt increased by sk_psock_get(), causing a refcnt leak. Fix this issue by calling sk_psock_put() on all paths when "psock" is not NULL. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6e9a6cf22c260def60e7ba00927f564dd234f993 Author: Xiyu Yang Date: Sat Apr 25 20:54:37 2020 +0800 net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() [ Upstream commit 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced ] bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference of the specified sk_psock object to "psock" with increased refcnt. When bpf_exec_tx_verdict() returns, local variable "psock" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not NULL, the function forgets to decrease the refcnt increased by sk_psock_get(), causing a refcnt leak. Fix this issue by calling sk_psock_put() on this error path before bpf_exec_tx_verdict() returns. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 86c9fc264744998824c95c884430c64d1bf7e3e1 Author: Anthony Felice Date: Sun Apr 26 22:00:59 2020 -0400 net: tc35815: Fix phydev supported/advertising mask [ Upstream commit 4b5b71f770e2edefbfe74203777264bfe6a9927c ] Commit 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode") updated ethernet drivers to use a linkmode bitmap. It mistakenly dropped a bitwise negation in the tc35815 ethernet driver on a bitmask to set the supported/advertising flags. Found by Anthony via code inspection, not tested as I do not have the required hardware. Fixes: 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode") Signed-off-by: Anthony Felice Reviewed-by: Akshay Bhat Reviewed-by: Heiner Kallweit Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 87e0c4f6ad0e678310764dba8a0cf2418811ab1a Author: Willem de Bruijn Date: Mon May 4 12:48:54 2020 -0400 net: stricter validation of untrusted gso packets [ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ] Syzkaller again found a path to a kernel crash through bad gso input: a packet with transport header extending beyond skb_headlen(skb). Tighten validation at kernel entry: - Verify that the transport header lies within the linear section. To avoid pulling linux/tcp.h, verify just sizeof tcphdr. tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use. - Match the gso_type against the ip_proto found by the flow dissector. Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") Reported-by: syzbot Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 73090de570e22c1e41a87b507abc58ad286e100d Author: Eric Dumazet Date: Sat May 2 20:09:25 2020 -0700 net_sched: sch_skbprio: add message validation to skbprio_change() [ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ] Do not assume the attribute has the right size. Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1aebe1c0fefadc860ab37c8db4eb355d9684de94 Author: Baruch Siach Date: Sun Apr 26 09:22:06 2020 +0300 net: phy: marvell10g: fix temperature sensor on 2110 [ Upstream commit c3e302edca2457bbd0c958c445a7538fbf6a6ac8 ] Read the temperature sensor register from the correct location for the 88E2110 PHY. There is no enable/disable bit on 2110, so make mv3310_hwmon_config() run on 88X3310 only. Fixes: 62d01535474b61 ("net: phy: marvell10g: add support for the 88x2110 PHY") Cc: Maxime Chevallier Reviewed-by: Andrew Lunn Signed-off-by: Baruch Siach Reviewed-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3544c992056036e617bba24cc5f16ad651022e03 Author: Tariq Toukan Date: Mon May 4 11:36:02 2020 +0300 net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() [ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ] When ENOSPC is set the idx is still valid and gets set to the global MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that ENOSPC is impossible from mlx4_cmd_imm() and gives this warning: drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be used uninitialized in this function [-Wmaybe-uninitialized] 2552 | priv->def_counter[port] = idx; Also, when ENOSPC is returned mlx4_allocate_default_counters should not fail. Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port") Signed-off-by: Jason Gunthorpe Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ad3224f88eedea955d692327895f24ec8b69532d Author: Scott Dial Date: Fri Apr 24 18:51:08 2020 -0400 net: macsec: preserve ingress frame ordering [ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ] MACsec decryption always occurs in a softirq context. Since the FPU may not be usable in the softirq context, the call to decrypt may be scheduled on the cryptd work queue. The cryptd work queue does not provide ordering guarantees. Therefore, preserving order requires masking out ASYNC implementations of gcm(aes). For instance, an Intel CPU with AES-NI makes available the generic-gcm-aesni driver from the aesni_intel module to implement gcm(aes). However, this implementation requires the FPU, so it is not always available to use from a softirq context, and will fallback to the cryptd work queue, which does not preserve frame ordering. With this change, such a system would select gcm_base(ctr(aes-aesni),ghash-generic). While the aes-aesni implementation prefers to use the FPU, it will fallback to the aes-asm implementation if unavailable. By using a synchronous version of gcm(aes), the decryption will complete before returning from crypto_aead_decrypt(). Therefore, the macsec_decrypt_done() callback will be called before returning from macsec_decrypt(). Thus, the order of calls to macsec_post_decrypt() for the frames is preserved. While it's presumable that the pure AES-NI version of gcm(aes) is more performant, the hybrid solution is capable of gigabit speeds on modest hardware. Regardless, preserving the order of frames is paramount for many network protocols (e.g., triggering TCP retries). Within the MACsec driver itself, the replay protection is tripped by the out-of-order frames, and can cause frames to be dropped. This bug has been present in this code since it was added in v4.6, however it may not have been noticed since not all CPUs have FPU offload available. Additionally, the bug manifests as occasional out-of-order packets that are easily misattributed to other network phenomena. When this code was added in v4.6, the crypto/gcm.c code did not restrict selection of the ghash function based on the ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would select the ghash-clmulni driver instead of ghash-generic, which submits to the cryptd work queue if the FPU is busy. However, this bug was was corrected in v4.8 by commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported all the way back to the v3.14 stable branch, so this patch should be applicable back to the v4.6 stable branch. Signed-off-by: Scott Dial Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8d7ea7f0afd71e911cdc77c45ac8635bd9fde133 Author: Dejin Zheng Date: Sun May 3 20:32:26 2020 +0800 net: macb: fix an issue about leak related system resources [ Upstream commit b959c77dac09348955f344104c6a921ebe104753 ] A call of the function macb_init() can fail in the function fu540_c000_init. The related system resources were not released then. use devm_platform_ioremap_resource() to replace ioremap() to fix it. Fixes: c218ad559020ff9 ("macb: Add support for SiFive FU540-C000") Cc: Andy Shevchenko Reviewed-by: Yash Shah Suggested-by: Nicolas Ferre Suggested-by: Andy Shevchenko Signed-off-by: Dejin Zheng Acked-by: Nicolas Ferre Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 18ad8a2fe70e52704100472222d2ba6930b2df19 Author: Florian Fainelli Date: Sun May 3 20:50:57 2020 -0700 net: dsa: Do not make user port errors fatal [ Upstream commit 86f8b1c01a0a537a73d2996615133be63cdf75db ] Prior to 1d27732f411d ("net: dsa: setup and teardown ports"), we would not treat failures to set-up an user port as fatal, but after this commit we would, which is a regression for some systems where interfaces may be declared in the Device Tree, but the underlying hardware may not be present (pluggable daughter cards for instance). Fixes: 1d27732f411d ("net: dsa: setup and teardown ports") Signed-off-by: Florian Fainelli Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c1ec21a6dac6ee3baa57b4797cea8dbd1f245eaa Author: Florian Fainelli Date: Mon May 4 13:18:06 2020 -0700 net: dsa: Do not leave DSA master with NULL netdev_ops [ Upstream commit 050569fc8384c8056bacefcc246bcb2dfe574936 ] When ndo_get_phys_port_name() for the CPU port was added we introduced an early check for when the DSA master network device in dsa_master_ndo_setup() already implements ndo_get_phys_port_name(). When we perform the teardown operation in dsa_master_ndo_teardown() we would not be checking that cpu_dp->orig_ndo_ops was successfully allocated and non-NULL initialized. With network device drivers such as virtio_net, this leads to a NPD as soon as the DSA switch hanging off of it gets torn down because we are now assigning the virtio_net device's netdev_ops a NULL pointer. Fixes: da7b9e9b00d4 ("net: dsa: Add ndo_get_phys_port_name() for CPU port") Reported-by: Allen Pais Signed-off-by: Florian Fainelli Tested-by: Allen Pais Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit da98475c7edafa5d80390cdf39041eb9e87eb1c2 Author: Ido Schimmel Date: Thu Apr 30 22:38:45 2020 +0300 net: bridge: vlan: Add a schedule point during VLAN processing [ Upstream commit 7979457b1d3a069cd857f5bd69e070e30223dd0c ] User space can request to delete a range of VLANs from a bridge slave in one netlink request. For each deleted VLAN the FDB needs to be traversed in order to flush all the affected entries. If a large range of VLANs is deleted and the number of FDB entries is large or the FDB lock is contented, it is possible for the kernel to loop through the deleted VLANs for a long time. In case preemption is disabled, this can result in a soft lockup. Fix this by adding a schedule point after each VLAN is deleted to yield the CPU, if needed. This is safe because the VLANs are traversed in process context. Fixes: bdced7ef7838 ("bridge: support for multiple vlans and vlan ranges in setlink and dellink requests") Signed-off-by: Ido Schimmel Reported-by: Stefan Priebe - Profihost AG Tested-by: Stefan Priebe - Profihost AG Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b57cc37465ef89b7c18ef73cf544f05b39845921 Author: Roman Mashak Date: Fri May 1 21:34:18 2020 -0400 neigh: send protocol value in neighbor create notification [ Upstream commit 38212bb31fe923d0a2c6299bd2adfbb84cddef2a ] When a new neighbor entry has been added, event is generated but it does not include protocol, because its value is assigned after the event notification routine has run, so move protocol assignment code earlier. Fixes: df9b0e30d44c ("neighbor: Add protocol attribute") Cc: David Ahern Signed-off-by: Roman Mashak Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 871b1ca034ce6a9b3b3e0782ca8d38d185f762cd Author: Jiri Pirko Date: Mon Apr 27 18:05:47 2020 +0300 mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly [ Upstream commit 6ef4889fc0b3aa6ab928e7565935ac6f762cee6e ] Vregion helpers to get min and max priority depend on the correct ordering of vchunks in the vregion list. However, the current code always adds new chunk to the end of the list, no matter what the priority is. Fix this by finding the correct place in the list and put vchunk there. Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation") Signed-off-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2a6cc7d8af5f2e23ce177da1c0eaa9f605a422fc Author: David Ahern Date: Fri May 1 08:53:08 2020 -0600 ipv6: Use global sernum for dst validation with nexthop objects [ Upstream commit 8f34e53b60b337e559f1ea19e2780ff95ab2fa65 ] Nik reported a bug with pcpu dst cache when nexthop objects are used illustrated by the following: $ ip netns add foo $ ip -netns foo li set lo up $ ip -netns foo addr add 2001:db8:11::1/128 dev lo $ ip netns exec foo sysctl net.ipv6.conf.all.forwarding=1 $ ip li add veth1 type veth peer name veth2 $ ip li set veth1 up $ ip addr add 2001:db8:10::1/64 dev veth1 $ ip li set dev veth2 netns foo $ ip -netns foo li set veth2 up $ ip -netns foo addr add 2001:db8:10::2/64 dev veth2 $ ip -6 nexthop add id 100 via 2001:db8:10::2 dev veth1 $ ip -6 route add 2001:db8:11::1/128 nhid 100 Create a pcpu entry on cpu 0: $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 Re-add the route entry: $ ip -6 ro del 2001:db8:11::1 $ ip -6 route add 2001:db8:11::1/128 nhid 100 Route get on cpu 0 returns the stale pcpu: $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 RTNETLINK answers: Network is unreachable While cpu 1 works: $ taskset -a -c 1 ip -6 route get 2001:db8:11::1 2001:db8:11::1 from :: via 2001:db8:10::2 dev veth1 src 2001:db8:10::1 metric 1024 pref medium Conversion of FIB entries to work with external nexthop objects missed an important difference between IPv4 and IPv6 - how dst entries are invalidated when the FIB changes. IPv4 has a per-network namespace generation id (rt_genid) that is bumped on changes to the FIB. Checking if a dst_entry is still valid means comparing rt_genid in the rtable to the current value of rt_genid for the namespace. IPv6 also has a per network namespace counter, fib6_sernum, but the count is saved per fib6_node. With the per-node counter only dst_entries based on fib entries under the node are invalidated when changes are made to the routes - limiting the scope of invalidations. IPv6 uses a reference in the rt6_info, 'from', to track the corresponding fib entry used to create the dst_entry. When validating a dst_entry, the 'from' is used to backtrack to the fib6_node and check the sernum of it to the cookie passed to the dst_check operation. With the inline format (nexthop definition inline with the fib6_info), dst_entries cached in the fib6_nh have a 1:1 correlation between fib entries, nexthop data and dst_entries. With external nexthops, IPv6 looks more like IPv4 which means multiple fib entries across disparate fib6_nodes can all reference the same fib6_nh. That means validation of dst_entries based on external nexthops needs to use the IPv4 format - the per-network namespace counter. Add sernum to rt6_info and set it when creating a pcpu dst entry. Update rt6_get_cookie to return sernum if it is set and update dst_check for IPv6 to look for sernum set and based the check on it if so. Finally, rt6_get_pcpu_route needs to validate the cached entry before returning a pcpu entry (similar to the rt_cache_valid calls in __mkroute_input and __mkroute_output for IPv4). This problem only affects routes using the new, external nexthops. Thanks to the kbuild test robot for catching the IS_ENABLED needed around rt_genid_ipv6 before I sent this out. Fixes: 5b98324ebe29 ("ipv6: Allow routes to use nexthop objects") Reported-by: Nikolay Aleksandrov Signed-off-by: David Ahern Reviewed-by: Nikolay Aleksandrov Tested-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 162a9f1cfc3bc0dcf52e4f1b7ffd63ab8020151d Author: Eric Dumazet Date: Sat Apr 25 12:40:25 2020 -0700 fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks [ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ] My intent was to not let users set a zero drop_batch_size, it seems I once again messed with min()/max(). Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()") Signed-off-by: Eric Dumazet Acked-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 046f1df74e4263e9f3611cc20fec20661bdf0997 Author: Julia Lawall Date: Thu Apr 30 21:51:32 2020 +0200 dp83640: reverse arguments to list_add_tail [ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ] In this code, it appears that phyter_clocks is a list head, based on the previous list_for_each, and that clock->list is intended to be a list element, given that it has just been initialized in dp83640_clock_init. Accordingly, switch the arguments to list_add_tail, which takes the list head as the second argument. Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") Signed-off-by: Julia Lawall Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cb32f450a107df6432e1620bcbb6665efd658e54 Author: Jakub Kicinski Date: Tue Apr 28 19:01:58 2020 -0700 devlink: fix return value after hitting end in region read [ Upstream commit 610a9346c138b9c2c93d38bf5f3728e74ae9cbd5 ] Commit d5b90e99e1d5 ("devlink: report 0 after hitting end in region read") fixed region dump, but region read still returns a spurious error: $ devlink region read netdevsim/netdevsim1/dummy snapshot 0 addr 0 len 128 0000000000000000 a6 f4 c4 1c 21 35 95 a6 9d 34 c3 5b 87 5b 35 79 0000000000000010 f3 a0 d7 ee 4f 2f 82 7f c6 dd c4 f6 a5 c3 1b ae 0000000000000020 a4 fd c8 62 07 59 48 03 70 3b c7 09 86 88 7f 68 0000000000000030 6f 45 5d 6d 7d 0e 16 38 a9 d0 7a 4b 1e 1e 2e a6 0000000000000040 e6 1d ae 06 d6 18 00 85 ca 62 e8 7e 11 7e f6 0f 0000000000000050 79 7e f7 0f f3 94 68 bd e6 40 22 85 b6 be 6f b1 0000000000000060 af db ef 5e 34 f0 98 4b 62 9a e3 1b 8b 93 fc 17 devlink answers: Invalid argument 0000000000000070 61 e8 11 11 66 10 a5 f7 b1 ea 8d 40 60 53 ed 12 This is a minimal fix, I'll follow up with a restructuring so we don't have two checks for the same condition. Fixes: fdd41ec21e15 ("devlink: Return right error code in case of errors for region read") Signed-off-by: Jakub Kicinski Reviewed-by: Jacob Keller Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 966880d62305c2026c6235b2957d89eb627c8f0a Author: Aya Levin Date: Mon May 4 11:27:46 2020 +0300 devlink: Fix reporter's recovery condition [ Upstream commit bea0c5c942d3b4e9fb6ed45f6a7de74c6b112437 ] Devlink health core conditions the reporter's recovery with the expiration of the grace period. This is not relevant for the first recovery. Explicitly demand that the grace period will only apply to recoveries other than the first. Fixes: c8e1da0bf923 ("devlink: Add health report functionality") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 29ad780675bbe5730acb57379f4d11cb33885541 Author: Rahul Lakkireddy Date: Thu Apr 30 00:22:19 2020 +0530 cxgb4: fix EOTID leak when disabling TC-MQPRIO offload [ Upstream commit 69422a7e5d578aab277091f4ebb7c1b387f3e355 ] Under heavy load, the EOTID termination FLOWC request fails to get enqueued to the end of the Tx ring due to lack of credits. This results in EOTID leak. When disabling TC-MQPRIO offload, the link is already brought down to cleanup EOTIDs. So, flush any pending enqueued skbs that can't be sent outside the wire, to make room for FLOWC request. Also, move the FLOWC descriptor consumption logic closer to when the FLOWC request is actually posted to hardware. Fixes: 0e395b3cb1fb ("cxgb4: add FLOWC based QoS offload") Signed-off-by: Rahul Lakkireddy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6d5056cedde2fa2643d5dcf9df67b006ac3678bb Author: Andy Shevchenko Date: Mon Apr 27 13:51:20 2020 +0300 net: macb: Fix runtime PM refcounting [ Upstream commit 0ce205d4660c312cdeb4a81066616dcc6f3799c4 ] The commit e6a41c23df0d, while trying to fix an issue, ("net: macb: ensure interface is not suspended on at91rm9200") introduced a refcounting regression, because in error case refcounter must be balanced. Fix it by calling pm_runtime_put_noidle() in error case. While here, fix the same mistake in other couple of places. Fixes: e6a41c23df0d ("net: macb: ensure interface is not suspended on at91rm9200") Cc: Alexandre Belloni Cc: Claudiu Beznea Signed-off-by: Andy Shevchenko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f0525002add3d82845985f7e1b644fe01e20a0fd Author: Masami Hiramatsu Date: Sat Apr 25 14:49:09 2020 +0900 tracing/kprobes: Fix a double initialization typo [ Upstream commit dcbd21c9fca5e954fd4e3d91884907eb6d47187e ] Fix a typo that resulted in an unnecessary double initialization to addr. Link: http://lkml.kernel.org/r/158779374968.6082.2337484008464939919.stgit@devnote2 Cc: Tom Zanussi Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: c7411a1a126f ("tracing/kprobe: Check whether the non-suffixed symbol is notrace") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit e015f333892b802073a910ce1102140a29f4a099 Author: Sagi Grimberg Date: Wed May 6 15:44:02 2020 -0700 nvme: fix possible hang when ns scanning fails during error recovery [ Upstream commit 59c7c3caaaf8750df4ec3255082f15eb4e371514 ] When the controller is reconnecting, the host fails I/O and admin commands as the host cannot reach the controller. ns scanning may revalidate namespaces during that period and it is wrong to remove namespaces due to these failures as we may hang (see 205da2434301). One command that may fail is nvme_identify_ns_descs. Since we return success due to having ns identify descriptor list optional, we continue to compare ns identifiers in nvme_revalidate_disk, obviously fail and return -ENODEV to nvme_validate_ns, which will remove the namespace. Exactly what we don't want to happen. Fixes: 22802bf742c2 ("nvme: Namepace identification descriptor list is optional") Tested-by: Anton Eidelman Signed-off-by: Sagi Grimberg Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 725758bb1a81b0b29c870bf7cdcf0ecb58d1aff7 Author: Christoph Hellwig Date: Wed Mar 25 14:19:35 2020 +0100 nvme: refactor nvme_identify_ns_descs error handling [ Upstream commit fb314eb0cbb2e11540d1ae1a7b28346397f621ef ] Move the handling of an error into the function from the caller, and only do it for an actual error on the admin command itself, not the command parsing, as that should be enough to deal with devices claiming a bogus version compliance. Signed-off-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit d0af71d4ddbc3c01d55e1d1a2eed7758cb556210 Author: Eric Whitney Date: Thu Mar 19 11:00:28 2020 -0400 ext4: disable dioread_nolock whenever delayed allocation is disabled [ Upstream commit c8980e1980ccdc2229aa2218d532ddc62e0aabe5 ] The patch "ext4: make dioread_nolock the default" (244adf6426ee) causes generic/422 to fail when run in kvm-xfstests' ext3conv test case. This applies both the dioread_nolock and nodelalloc mount options, a combination not previously tested by kvm-xfstests. The failure occurs because the dioread_nolock code path splits a previously fallocated multiblock extent into a series of single block extents when overwriting a portion of that extent. That causes allocation of an extent tree leaf node and a reshuffling of extents. Once writeback is completed, the individual extents are recombined into a single extent, the extent is moved again, and the leaf node is deleted. The difference in block utilization before and after writeback due to the leaf node triggers the failure. The original reason for this behavior was to avoid ENOSPC when handling I/O completions during writeback in the dioread_nolock code paths when delayed allocation is disabled. It may no longer be necessary, because code was added in the past to reserve extra space to solve this problem when delayed allocation is enabled, and this code may also apply when delayed allocation is disabled. Until this can be verified, don't use the dioread_nolock code paths if delayed allocation is disabled. Signed-off-by: Eric Whitney Link: https://lore.kernel.org/r/20200319150028.24592-1-enwlinux@gmail.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit b1c6b8b73003a585bf3eebd556716c7e62aee5e9 Author: Ritesh Harjani Date: Sat Mar 28 01:37:44 2020 +0530 ext4: don't set dioread_nolock by default for blocksize < pagesize commit 626b035b816b61a7a7b4d2205a6807e2f11a18c1 upstream. Currently on calling echo 3 > drop_caches on host machine, we see FS corruption in the guest. This happens on Power machine where blocksize < pagesize. So as a temporary workaound don't enable dioread_nolock by default for blocksize < pagesize until we identify the root cause. Also emit a warning msg in case if this mount option is manually enabled for blocksize < pagesize. Reported-by: Aneesh Kumar K.V Signed-off-by: Ritesh Harjani Link: https://lore.kernel.org/r/20200327200744.12473-1-riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 89a92b314b72f76a1ab30583bf872bcecf9c81f1 Author: Shubhrajyoti Datta Date: Mon May 4 16:27:28 2020 +0200 tty: xilinx_uartps: Fix missing id assignment to the console [ Upstream commit 2ae11c46d5fdc46cb396e35911c713d271056d35 ] When serial console has been assigned to ttyPS1 (which is serial1 alias) console index is not updated property and pointing to index -1 (statically initialized) which ends up in situation where nothing has been printed on the port. The commit 18cc7ac8a28e ("Revert "serial: uartps: Register own uart console and driver structures"") didn't contain this line which was removed by accident. Fixes: 18cc7ac8a28e ("Revert "serial: uartps: Register own uart console and driver structures"") Signed-off-by: Shubhrajyoti Datta Cc: stable Signed-off-by: Michal Simek Link: https://lore.kernel.org/r/ed3111533ef5bd342ee5ec504812240b870f0853.1588602446.git.michal.simek@xilinx.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cce929e49a31360815a74c3f280c6c13c3c8c5c8 Author: Nicolas Pitre Date: Sat May 2 11:01:07 2020 -0400 vt: fix unicode console freeing with a common interface [ Upstream commit 57d38f26d81e4275748b69372f31df545dcd9b71 ] By directly using kfree() in different places we risk missing one if it is switched to using vfree(), especially if the corresponding vmalloc() is hidden away within a common abstraction. Oh wait, that's exactly what happened here. So let's fix this by creating a common abstraction for the free case as well. Signed-off-by: Nicolas Pitre Reported-by: syzbot+0bfda3ade1ee9288a1be@syzkaller.appspotmail.com Fixes: 9a98e7a80f95 ("vt: don't use kmalloc() for the unicode screen buffer") Cc: Reviewed-by: Sam Ravnborg Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.2005021043110.2671@knanqh.ubzr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b1ecb0a9efdac4ac7ef84abbdbf78196b0fccdf6 Author: Evan Quan Date: Fri Apr 24 15:36:22 2020 +0800 drm/amdgpu: drop redundant cg/pg ungate on runpm enter [ Upstream commit f7b52890daba570bc8162d43c96b5583bbdd4edd ] CG/PG ungate is already performed in ip_suspend_phase1. Otherwise, the CG/PG ungate will be performed twice. That will cause gfxoff disablement is performed twice also on runpm enter while gfxoff enablemnt once on rump exit. That will put gfxoff into disabled state. Fixes: b2a7e9735ab286 ("drm/amdgpu: fix the hw hang during perform system reboot and reset") Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 68adba5597a52943b3feb63dc53e75e0fc77fa4e Author: Evan Quan Date: Fri Apr 24 15:32:41 2020 +0800 drm/amdgpu: move kfd suspend after ip_suspend_phase1 [ Upstream commit c457a273e118bb96e1db8d1825f313e6cafe4258 ] This sequence change should be safe as what did in ip_suspend_phase1 is to suspend DCE only. And this is a prerequisite for coming redundant cg/pg ungate dropping. Fixes: 487eca11a321ef ("drm/amdgpu: fix gfx hang during suspend with video playback (v2)") Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 98792c6e227bea72c39fedbc5205491ded553971 Author: Matt Jolly Date: Sun May 3 01:03:47 2020 +1000 USB: serial: qcserial: Add DW5816e support commit 78d6de3cfbd342918d31cf68d0d2eda401338aef upstream. Add support for Dell Wireless 5816e to drivers/usb/serial/qcserial.c Signed-off-by: Matt Jolly Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4af05950da09840043c52b73c11c9ba6170b5122 Author: Mika Westerberg Date: Thu Apr 9 10:18:10 2020 +0300 thunderbolt: Check return value of tb_sw_read() in usb4_switch_op() commit c3bf9930921b33edb31909006607e478751a6f5e upstream. The function misses checking return value of tb_sw_read() before it accesses the value that was read. Fix this by checking the return value first. Fixes: b04079837b20 ("thunderbolt: Add initial support for USB4") Signed-off-by: Mika Westerberg Reviewed-by: Yehezkel Bernat Cc: stable Signed-off-by: Greg Kroah-Hartman commit c4bbda210077280030b01adf17d2a5fb39ace668 Author: Greg Kroah-Hartman Date: Sun May 10 10:32:53 2020 +0200 Linux 5.6.12 commit d2873537a02df48552d36701b2d6bac5255526db Author: Will Deacon Date: Wed Mar 25 11:13:46 2020 +0000 mm/mremap: Add comment explaining the untagging behaviour of mremap() commit b2a84de2a2deb76a6a51609845341f508c518c03 upstream. Commit dcde237319e6 ("mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()") changed mremap() so that only the 'old' address is untagged, leaving the 'new' address in the form it was passed from userspace. This prevents the unexpected creation of aliasing virtual mappings in userspace, but looks a bit odd when you read the code. Add a comment justifying the untagging behaviour in mremap(). Reported-by: Linus Torvalds Acked-by: Linus Torvalds Reviewed-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 2133af1e025dd4774feb1290339e7c80ed1ab694 Author: Jiri Slaby Date: Mon Apr 20 09:04:24 2020 +0200 cgroup, netclassid: remove double cond_resched commit 526f3d96b8f83b1b13d73bd0b5c79cc2c487ec8e upstream. Commit 018d26fcd12a ("cgroup, netclassid: periodically release file_lock on classid") added a second cond_resched to write_classid indirectly by update_classid_task. Remove the one in write_classid. Signed-off-by: Jiri Slaby Cc: Dmitry Yakunin Cc: Konstantin Khlebnikov Cc: David S. Miller Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ca4c2a01d57dd80626a22f4ce2ab4fbb6462bc1c Author: Thomas Pedersen Date: Mon Jan 13 21:59:40 2020 -0800 mac80211: add ieee80211_is_any_nullfunc() commit 30b2f0be23fb40e58d0ad2caf8702c2a44cda2e1 upstream. commit 08a5bdde3812 ("mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED") Fixed a bug where we failed to take into account a nullfunc frame can be either non-QoS or QoS. It turns out there is at least one more bug in ieee80211_sta_tx_notify(), introduced in commit 7b6ddeaf27ec ("mac80211: use QoS NDP for AP probing"), where we forgot to check for the QoS variant and so assumed the QoS nullfunc frame never went out Fix this by adding a helper ieee80211_is_any_nullfunc() which consolidates the check for non-QoS and QoS nullfunc frames. Replace existing compound conditionals and add a couple more missing checks for QoS variant. Signed-off-by: Thomas Pedersen Link: https://lore.kernel.org/r/20200114055940.18502-3-thomas@adapt-ip.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 29b85f14a6971a9539dd0e5dec62806f2cb5cfc1 Author: Rafael J. Wysocki Date: Fri Mar 20 15:07:29 2020 +0100 ACPI: PM: s2idle: Fix comment in acpi_s2idle_prepare_late() commit 243a98894dc525ad2fbeb608722fcb682be3186d upstream. Fix a comment in acpi_s2idle_prepare_late() that has become outdated after commit f0ac20c3f613 ("ACPI: EC: Fix flushing of pending work"). Fixes: f0ac20c3f613 ("ACPI: EC: Fix flushing of pending work") Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e0cf5868c4146bfbe7e372cfd727d356b0ae28fa Author: Hans de Goede Date: Fri Mar 6 10:17:24 2020 +0100 platform/x86: GPD pocket fan: Fix error message when temp-limits are out of range commit 1d6f8c5bac93cceb2d4ac8e6331050652004d802 upstream. Commit 1f27dbd8265d ("platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits") changed the module-param sanity check to accept temperature limits between 20 and 90 degrees celcius. But the error message printed when the module params are outside this range was not updated. This commit updates the error message to match the new min and max value for the temp-limits. Reported-by: Pavel Machek Signed-off-by: Hans de Goede Acked-by: Pavel Machek Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 9fa270b7348e5b6ea29188bd7e0c667296b1220a Author: Qian Cai Date: Thu Apr 2 11:39:55 2020 -0400 x86/kvm: fix a missing-prototypes "vmread_error" commit 514ccc194971d0649e4e7ec8a9b3a6e33561d7bf upstream. The commit 842f4be95899 ("KVM: VMX: Add a trampoline to fix VMREAD error handling") removed the declaration of vmread_error() causes a W=1 build failure with KVM_WERROR=y. Fix it by adding it back. arch/x86/kvm/vmx/vmx.c:359:17: error: no previous prototype for 'vmread_error' [-Werror=missing-prototypes] asmlinkage void vmread_error(unsigned long field, bool fault) ^~~~~~~~~~~~ Signed-off-by: Qian Cai Message-Id: <20200402153955.1695-1-cai@lca.pw> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c07e922d1d0f491a36d23409dd61c5a5513ae23c Author: Takashi Iwai Date: Fri Apr 24 08:12:22 2020 +0200 ALSA: hda: Match both PCI ID and SSID for driver blacklist commit 977dfef40c8996b69afe23a9094d184049efb7bb upstream. The commit 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist") added a new blacklist for the devices that are known to have empty codecs, and one of the entries was ASUS ROG Zenith II (PCI SSID 1043:874f). However, it turned out that the very same PCI SSID is used for the previous model that does have the valid HD-audio codecs and the change broke the sound on it. Since the empty codec problem appear on the certain AMD platform (PCI ID 1022:1487), this patch changes the blacklist matching to both PCI ID and SSID using pci_match_id(). Also, the entry that was removed by the previous fix for ASUS ROG Zenigh II is re-added. Link: https://lore.kernel.org/r/20200424061222.19792-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d0a077eef4ae85e7a6a1134fbe148039068e9d43 Author: Aaron Ma Date: Fri Apr 3 22:34:19 2020 +0800 drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event commit 5932d260a8d85a103bd6c504fbb85ff58b156bf9 upstream. On ARCTURUS and RENOIR, powerplay is not supported yet. When plug in or unplug power jack, ACPI event will issue. Then kernel NULL pointer BUG will be triggered. Check for NULL pointers before calling. Signed-off-by: Aaron Ma Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 99dc0cc0dcf78d3b245290ce9c0055e8167b8690 Author: Jere Leppänen Date: Tue Apr 21 22:03:42 2020 +0300 sctp: Fix SHUTDOWN CTSN Ack in the peer restart case commit 12dfd78e3a74825e6f0bc8df7ef9f938fbc6bfe3 upstream. When starting shutdown in sctp_sf_do_dupcook_a(), get the value for SHUTDOWN Cumulative TSN Ack from the new association, which is reconstructed from the cookie, instead of the old association, which the peer doesn't have anymore. Otherwise the SHUTDOWN is either ignored or replied to with an ABORT by the peer because CTSN Ack doesn't match the peer's Initial TSN. Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.") Signed-off-by: Jere Leppänen Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 549e321c9468f0084ae0239c3668dae10a6220e1 Author: Andrii Nakryiko Date: Tue Apr 21 18:24:07 2020 -0700 tools/runqslower: Ensure own vmlinux.h is picked up first [ Upstream commit dfc55ace9939e1e8703ad37ddbba41aaa31cc0cb ] Reorder include paths to ensure that runqslower sources are picking up vmlinux.h, generated by runqslower's own Makefile. When runqslower is built from selftests/bpf, due to current -I$(BPF_INCLUDE) -I$(OUTPUT) ordering, it might pick up not-yet-complete vmlinux.h, generated by selftests Makefile, which could lead to compilation errors like [0]. So ensure that -I$(OUTPUT) goes first and rely on runqslower's Makefile own dependency chain to ensure vmlinux.h is properly completed before source code relying on it is compiled. [0] https://travis-ci.org/github/libbpf/libbpf/jobs/677905925 Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200422012407.176303-1-andriin@fb.com Signed-off-by: Sasha Levin commit 8846b918c55e47123e37f9220f5d5cdc3c78f900 Author: Doug Berger Date: Thu Apr 23 16:13:30 2020 -0700 net: systemport: suppress warnings on failed Rx SKB allocations [ Upstream commit 3554e54a46125030c534820c297ed7f6c3907e24 ] The driver is designed to drop Rx packets and reclaim the buffers when an allocation fails, and the network interface needs to safely handle this packet loss. Therefore, an allocation failure of Rx SKBs is relatively benign. However, the output of the warning message occurs with a high scheduling priority that can cause excessive jitter/latency for other high priority processing. This commit suppresses the warning messages to prevent scheduling problems while retaining the failure count in the statistics of the network interface. Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f56650e8f770f9c9f5ff0cc85e83f65720ce33dd Author: Doug Berger Date: Thu Apr 23 16:02:11 2020 -0700 net: bcmgenet: suppress warnings on failed Rx SKB allocations [ Upstream commit ecaeceb8a8a145d93c7e136f170238229165348f ] The driver is designed to drop Rx packets and reclaim the buffers when an allocation fails, and the network interface needs to safely handle this packet loss. Therefore, an allocation failure of Rx SKBs is relatively benign. However, the output of the warning message occurs with a high scheduling priority that can cause excessive jitter/latency for other high priority processing. This commit suppresses the warning messages to prevent scheduling problems while retaining the failure count in the statistics of the network interface. Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6a2d15ac54c67ca8e4c6c648a6efd9dda7731eb2 Author: Madhuparna Bhowmik Date: Thu Apr 9 13:59:06 2020 +0530 mac80211: sta_info: Add lockdep condition for RCU list usage [ Upstream commit 8ca47eb9f9e4e10e7e7fa695731a88941732c38d ] The function sta_info_get_by_idx() uses RCU list primitive. It is called with local->sta_mtx held from mac80211/cfg.c. Add lockdep expression to avoid any false positive RCU list warnings. Signed-off-by: Madhuparna Bhowmik Link: https://lore.kernel.org/r/20200409082906.27427-1-madhuparnabhowmik10@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 6f7eb520c385d6b7b97a136376296ec475b0d48b Author: Nathan Chancellor Date: Mon Apr 13 12:50:42 2020 -0700 lib/mpi: Fix building for powerpc with clang [ Upstream commit 5990cdee689c6885b27c6d969a3d58b09002b0bc ] 0day reports over and over on an powerpc randconfig with clang: lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a inline asm context requiring an l-value: remove the cast or build with -fheinous-gnu-extensions Remove the superfluous casts, which have been done previously for x86 and arm32 in commit dea632cadd12 ("lib/mpi: fix build with clang") and commit 7b7c1df2883d ("lib/mpi/longlong.h: fix building with 32-bit x86"). Reported-by: kbuild test robot Signed-off-by: Nathan Chancellor Acked-by: Herbert Xu Signed-off-by: Michael Ellerman Link: https://github.com/ClangBuiltLinux/linux/issues/991 Link: https://lore.kernel.org/r/20200413195041.24064-1-natechancellor@gmail.com Signed-off-by: Sasha Levin commit 7c923fe0217e7df157c2e6e8907dce38243163ee Author: Russell King Date: Thu Apr 23 08:57:42 2020 +0100 net: phy: bcm84881: clear settings on link down [ Upstream commit 796a8fa28980050bf1995617f0876484f3dc1026 ] Clear the link partner advertisement, speed, duplex and pause when the link goes down, as other phylib drivers do. This avoids the stale link partner, speed and duplex settings being reported via ethtool. Signed-off-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f34a2ce2ae8037303c09a295f55eb79bd3006fdf Author: Steven Rostedt (VMware) Date: Wed Apr 22 21:38:45 2020 -0400 ftrace: Fix memory leak caused by not freeing entry in unregister_ftrace_direct() [ Upstream commit 353da87921a5ec654e7e9024e083f099f1b33c97 ] kmemleak reported the following: unreferenced object 0xffff90d47127a920 (size 32): comm "modprobe", pid 1766, jiffies 4294792031 (age 162.568s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 22 01 00 00 00 00 ad de ........"....... 00 78 12 a7 ff ff ff ff 00 00 b6 c0 ff ff ff ff .x.............. backtrace: [<00000000bb79e72e>] register_ftrace_direct+0xcb/0x3a0 [<00000000295e4f79>] do_one_initcall+0x72/0x340 [<00000000873ead18>] do_init_module+0x5a/0x220 [<00000000974d9de5>] load_module+0x2235/0x2550 [<0000000059c3d6ce>] __do_sys_finit_module+0xc0/0x120 [<000000005a8611b4>] do_syscall_64+0x60/0x230 [<00000000a0cdc49e>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 The entry used to save the direct descriptor needs to be freed when unregistering. Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit edc28823ab8f2c7fe111aac9010a149489e3ba7d Author: Vamshi K Sthambamkadi Date: Wed Apr 22 11:45:06 2020 +0530 tracing: Fix memory leaks in trace_events_hist.c [ Upstream commit 9da73974eb9c965dd9989befb593b8c8da9e4bdc ] kmemleak report 1: [<9092c50b>] kmem_cache_alloc_trace+0x138/0x270 [<05a2c9ed>] create_field_var+0xcf/0x180 [<528a2d68>] action_create+0xe2/0xc80 [<63f50b61>] event_hist_trigger_func+0x15b5/0x1920 [<28ea5d3d>] trigger_process_regex+0x7b/0xc0 [<3138e86f>] event_trigger_write+0x4d/0xb0 [] __vfs_write+0x30/0x200 [<4f424a0d>] vfs_write+0x96/0x1b0 [] ksys_write+0x53/0xc0 [<3717101a>] __ia32_sys_write+0x15/0x20 [] do_fast_syscall_32+0x70/0x250 [<46e2629c>] entry_SYSENTER_32+0xaf/0x102 This is because save_vars[] of struct hist_trigger_data are not destroyed kmemleak report 2: [<9092c50b>] kmem_cache_alloc_trace+0x138/0x270 [<6e5e97c5>] create_var+0x3c/0x110 [] create_field_var+0xaf/0x180 [<528a2d68>] action_create+0xe2/0xc80 [<63f50b61>] event_hist_trigger_func+0x15b5/0x1920 [<28ea5d3d>] trigger_process_regex+0x7b/0xc0 [<3138e86f>] event_trigger_write+0x4d/0xb0 [] __vfs_write+0x30/0x200 [<4f424a0d>] vfs_write+0x96/0x1b0 [] ksys_write+0x53/0xc0 [<3717101a>] __ia32_sys_write+0x15/0x20 [] do_fast_syscall_32+0x70/0x250 [<46e2629c>] entry_SYSENTER_32+0xaf/0x102 struct hist_field allocated through create_var() do not initialize "ref" field to 1. The code in __destroy_hist_field() does not destroy object if "ref" is initialized to zero, the condition if (--hist_field->ref > 1) always passes since unsigned int wraps. kmemleak report 3: [] __kmalloc_track_caller+0x139/0x2b0 [] kstrdup+0x27/0x50 [<39d70006>] init_var_ref+0x58/0xd0 [<8ca76370>] create_var_ref+0x89/0xe0 [] action_create+0x38f/0xc80 [<7c146821>] event_hist_trigger_func+0x15b5/0x1920 [<07de3f61>] trigger_process_regex+0x7b/0xc0 [] event_trigger_write+0x4d/0xb0 [<19bf1512>] __vfs_write+0x30/0x200 [<64ce4d27>] vfs_write+0x96/0x1b0 [] ksys_write+0x53/0xc0 [<7d4230cd>] __ia32_sys_write+0x15/0x20 [<8eadca00>] do_fast_syscall_32+0x70/0x250 [<235cf985>] entry_SYSENTER_32+0xaf/0x102 hist_fields (system & event_name) are not freed Link: http://lkml.kernel.org/r/20200422061503.GA5151@cosmos Signed-off-by: Vamshi K Sthambamkadi Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 8c6c4ddc00b4aa4f756ad906ae17d3bbc6121934 Author: Paulo Alcantara Date: Mon Apr 20 19:42:57 2020 -0300 cifs: do not share tcons with DFS [ Upstream commit 65303de829dd6d291a4947c1a31de31896f8a060 ] This disables tcon re-use for DFS shares. tcon->dfs_path stores the path that the tcon should connect to when doing failing over. If that tcon is used multiple times e.g. 2 mounts using it with different prefixpath, each will need a different dfs_path but there is only one tcon. The other solution would be to split the tcon in 2 tcons during failover but that is much harder. tcons could not be shared with DFS in cifs.ko because in a DFS namespace like: //domain/dfsroot -> /serverA/dfsroot, /serverB/dfsroot //serverA/dfsroot/link -> /serverA/target1/aa/bb //serverA/dfsroot/link2 -> /serverA/target1/cc/dd you can see that link and link2 are two DFS links that both resolve to the same target share (/serverA/target1), so cifs.ko will only contain a single tcon for both link and link2. The problem with that is, if we (auto)mount "link" and "link2", cifs.ko will only contain a single tcon for both DFS links so we couldn't perform failover or refresh the DFS cache for both links because tcon->dfs_path was set to either "link" or "link2", but not both -- which is wrong. Signed-off-by: Paulo Alcantara (SUSE) Reviewed-by: Aurelien Aptel Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 0c25053254f4a1753b3ef64fcb7cd903f1a901e2 Author: Jeremie Francois (on alpha) Date: Fri Apr 10 18:57:40 2020 +0200 scripts/config: allow colons in option strings for sed [ Upstream commit e461bc9f9ab105637b86065d24b0b83f182d477c ] Sed broke on some strings as it used colon as a separator. I made it more robust by using \001, which is legit POSIX AFAIK. E.g. ./config --set-str CONFIG_USBNET_DEVADDR "de:ad:be:ef:00:01" failed with: sed: -e expression #1, char 55: unknown option to `s' Signed-off-by: Jeremie Francois (on alpha) Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit dbcfc48203a893137afa982cc135356b535a2e31 Author: Ronnie Sahlberg Date: Tue Apr 21 12:37:39 2020 +1000 cifs: protect updating server->dstaddr with a spinlock [ Upstream commit fada37f6f62995cc449b36ebba1220594bfe55fe ] We use a spinlock while we are reading and accessing the destination address for a server. We need to also use this spinlock to protect when we are modifying this address from reconn_set_ipaddr(). Signed-off-by: Ronnie Sahlberg Reviewed-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 4e7b37d9127a8783874e394853fe0d6453fa0006 Author: Matthias Blankertz Date: Fri Apr 17 17:30:17 2020 +0200 ASoC: rsnd: Fix "status check failed" spam for multi-SSI [ Upstream commit 54cb6221688660670a2e430892d7f4e6370263b8 ] Fix the rsnd_ssi_stop function to skip disabling the individual SSIs of a multi-SSI setup, as the actual stop is performed by rsnd_ssiu_stop_gen2 - the same logic as in rsnd_ssi_start. The attempt to disable these SSIs was harmless, but caused a "status check failed" message to be printed for every SSI in the multi-SSI setup. The disabling of interrupts is still performed, as they are enabled for all SSIs in rsnd_ssi_init, but care is taken to not accidentally set the EN bit for an SSI where it was not set by rsnd_ssi_start. Signed-off-by: Matthias Blankertz Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20200417153017.1744454-3-matthias.blankertz@cetitec.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 762c23029faf3b996f0e9edfb0148d88ec4dffdb Author: Matthias Blankertz Date: Fri Apr 17 17:30:16 2020 +0200 ASoC: rsnd: Don't treat master SSI in multi SSI setup as parent [ Upstream commit 0c258657ddfe81b4fc0183378d800c97ba0b7cdd ] The master SSI of a multi-SSI setup was attached both to the RSND_MOD_SSI slot and the RSND_MOD_SSIP slot of the rsnd_dai_stream. This is not correct wrt. the meaning of being "parent" in the rest of the SSI code, where it seems to indicate an SSI that provides clock and word sync but is not transmitting/receiving audio data. Not treating the multi-SSI master as parent allows removal of various special cases to the rsnd_ssi_is_parent conditions introduced in commit a09fb3f28a60 ("ASoC: rsnd: Fix parent SSI start/stop in multi-SSI mode"). It also fixes the issue that operations performed via rsnd_dai_call() were performed twice for the master SSI. This caused some "status check failed" spam when stopping a multi-SSI stream as the driver attempted to stop the master SSI twice. Signed-off-by: Matthias Blankertz Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20200417153017.1744454-2-matthias.blankertz@cetitec.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 17e001ba9535bc85c03aa59467e56fd4a41ce8f0 Author: Julien Beraud Date: Wed Apr 15 14:24:32 2020 +0200 net: stmmac: Fix sub-second increment [ Upstream commit 91a2559c1dc5b0f7e1256d42b1508935e8eabfbf ] In fine adjustement mode, which is the current default, the sub-second increment register is the number of nanoseconds that will be added to the clock when the accumulator overflows. At each clock cycle, the value of the addend register is added to the accumulator. Currently, we use 20ns = 1e09ns / 50MHz as this value whatever the frequency of the ptp clock actually is. The adjustment is then done on the addend register, only incrementing every X clock cycles X being the ratio between 50MHz and ptp_clock_rate (addend = 2^32 * 50MHz/ptp_clock_rate). This causes the following issues : - In case the frequency of the ptp clock is inferior or equal to 50MHz, the addend value calculation will overflow and the default addend value will be set to 0, causing the clock to not work at all. (For instance, for ptp_clock_rate = 50MHz, addend = 2^32). - The resolution of the timestamping clock is limited to 20ns while it is not needed, thus limiting the accuracy of the timestamping to 20ns. Fix this by setting sub-second increment to 2e09ns / ptp_clock_rate. It will allow to reach the minimum possible frequency for ptp_clk_ref, which is 5MHz for GMII 1000Mps Full-Duplex by setting the sub-second-increment to a higher value. For instance, for 25MHz, it gives ssinc = 80ns and default_addend = 2^31. It will also allow to use a lower value for sub-second-increment, thus improving the timestamping accuracy with frequencies higher than 100MHz, for instance, for 200MHz, ssinc = 10ns and default_addend = 2^31. v1->v2: - Remove modifications to the calculation of default addend, which broke compatibility with clock frequencies for which 2000000000 / ptp_clk_freq is not an integer. - Modify description according to discussions. Signed-off-by: Julien Beraud Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a35f0ff17983761cfc1e42dba31e878baeb702c8 Author: Julien Beraud Date: Wed Apr 15 14:24:31 2020 +0200 net: stmmac: fix enabling socfpga's ptp_ref_clock [ Upstream commit 15ce30609d1e88d42fb1cd948f453e6d5f188249 ] There are 2 registers to write to enable a ptp ref clock coming from the fpga. One that enables the usage of the clock from the fpga for emac0 and emac1 as a ptp ref clock, and the other to allow signals from the fpga to reach emac0 and emac1. Currently, if the dwmac-socfpga has phymode set to PHY_INTERFACE_MODE_MII, PHY_INTERFACE_MODE_GMII, or PHY_INTERFACE_MODE_SGMII, both registers will be written and the ptp ref clock will be set as coming from the fpga. Separate the 2 register writes to only enable signals from the fpga to reach emac0 or emac1 when ptp ref clock is not coming from the fpga. Signed-off-by: Julien Beraud Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a1c6f01e5d2518724bde925a0e5f1e0d84096abb Author: Xiyu Yang Date: Wed Apr 15 16:41:20 2020 +0800 wimax/i2400m: Fix potential urb refcnt leak [ Upstream commit 7717cbec172c3554d470023b4020d5781961187e ] i2400mu_bus_bm_wait_for_ack() invokes usb_get_urb(), which increases the refcount of the "notif_urb". When i2400mu_bus_bm_wait_for_ack() returns, local variable "notif_urb" becomes invalid, so the refcount should be decreased to keep refcount balanced. The issue happens in all paths of i2400mu_bus_bm_wait_for_ack(), which forget to decrease the refcnt increased by usb_get_urb(), causing a refcnt leak. Fix this issue by calling usb_put_urb() before the i2400mu_bus_bm_wait_for_ack() returns. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f345518ed6f25a061338dee71d094b3e57167865 Author: Sandeep Raghuraman Date: Fri Apr 17 01:37:45 2020 +0530 drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) [ Upstream commit bbc25dadc7ed19f9d6b2e30980f0eb4c741bb8bf ] Initialize thermal controller fields in the PowerPlay table for Hawaii GPUs, so that fan speeds are reported. Signed-off-by: Sandeep Raghuraman Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 506d740cb1c8a239b11d8961eb912f796539b1fe Author: Prike Liang Date: Wed Apr 15 21:43:41 2020 +0800 drm/amd/powerplay: fix resume failed as smu table initialize early exit [ Upstream commit 45a5e639548c459a5accebad340078e4e6e0e512 ] When the amdgpu in the suspend/resume loop need notify the dpm disabled, otherwise the smu table will be uninitialize and result in resume failed. Signed-off-by: Prike Liang Tested-by: Mengbing Wang Reviewed-by: Alex Deucher Reviewed-by: Huang Rui Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 01b3a160750ecacd521a0d128cd80f36f6ae0079 Author: Alex Elder Date: Fri Apr 3 12:50:04 2020 -0500 remoteproc: qcom_q6v5_mss: fix a bug in q6v5_probe() [ Upstream commit 13c060b50a341dd60303e5264d12108b5747f200 ] If looking up the DT "firmware-name" property fails in q6v6_probe(), the function returns without freeing the remoteproc structure that has been allocated. Fix this by jumping to the free_rproc label, which takes care of this. Signed-off-by: Alex Elder Link: https://lore.kernel.org/r/20200403175005.17130-3-elder@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 4b7ac410326d83043dac6545440b1785a1c4aff3 Author: Amadeusz Sławiński Date: Wed Apr 15 12:28:49 2020 -0400 ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry [ Upstream commit 326b509238171d37402dbe308e154cc234ed1960 ] If we don't find any pcm, pcm will point at address at an offset from the the list head and not a meaningful structure. Fix this by returning correct pcm if found and NULL if not. Found with coccinelle. Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/20200415162849.308-1-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ff2aef3db9ef733b23e40809a27f5547af8d53cd Author: Matthias Blankertz Date: Wed Apr 15 16:10:17 2020 +0200 ASoC: rsnd: Fix HDMI channel mapping for multi-SSI mode [ Upstream commit b94e164759b82d0c1c80d4b1c8f12c9bee83f11d ] The HDMI?_SEL register maps up to four stereo SSI data lanes onto the sdata[0..3] inputs of the HDMI output block. The upper half of the register contains four blocks of 4 bits, with the most significant controlling the sdata3 line and the least significant the sdata0 line. The shift calculation has an off-by-one error, causing the parent SSI to be mapped to sdata3, the first multi-SSI child to sdata0 and so forth. As the parent SSI transmits the stereo L/R channels, and the HDMI core expects it on the sdata0 line, this causes no audio to be output when playing stereo audio on a multichannel capable HDMI out, and multichannel audio has permutated channels. Fix the shift calculation to map the parent SSI to sdata0, the first child to sdata1 etc. Signed-off-by: Matthias Blankertz Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20200415141017.384017-3-matthias.blankertz@cetitec.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f5378c3618ff4b1440f659ce3c7ee23a5c1af8dd Author: Matthias Blankertz Date: Wed Apr 15 16:10:16 2020 +0200 ASoC: rsnd: Fix parent SSI start/stop in multi-SSI mode [ Upstream commit a09fb3f28a60ba3e928a1fa94b0456780800299d ] The parent SSI of a multi-SSI setup must be fully setup, started and stopped since it is also part of the playback/capture setup. So only skip the SSI (as per commit 203cdf51f288 ("ASoC: rsnd: SSI parent cares SWSP bit") and commit 597b046f0d99 ("ASoC: rsnd: control SSICR::EN correctly")) if the SSI is parent outside of a multi-SSI setup. Signed-off-by: Matthias Blankertz Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20200415141017.384017-2-matthias.blankertz@cetitec.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 756825fc1d9ec8be1d972536cf788507529d2c45 Author: Thinh Nguyen Date: Fri Jan 31 16:59:27 2020 -0800 usb: dwc3: gadget: Properly set maxpacket limit [ Upstream commit d94ea5319813658ad5861d161ae16a194c2abf88 ] Currently the calculation of max packet size limit for IN endpoints is too restrictive. This prevents a matching of a capable hardware endpoint during configuration. Below is the minimum recommended HW configuration to support a particular endpoint setup from the databook: For OUT endpoints, the databook recommended the minimum RxFIFO size to be at least 3x MaxPacketSize + 3x setup packets size (8 bytes each) + clock crossing margin (16 bytes). For IN endpoints, the databook recommended the minimum TxFIFO size to be at least 3x MaxPacketSize for endpoints that support burst. If the endpoint doesn't support burst or when the device is operating in USB 2.0 mode, a minimum TxFIFO size of 2x MaxPacketSize is recommended. Base on these recommendations, we can calculate the MaxPacketSize limit of each endpoint. This patch revises the IN endpoint MaxPacketSize limit and also sets the MaxPacketSize limit for OUT endpoints. Reference: Databook 3.30a section 3.2.2 and 3.2.3 Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 3ac5d22e7cba6442148cf916a3f34c81506ee1b2 Author: Amadeusz Sławiński Date: Wed Apr 15 12:24:35 2020 -0400 ASoC: topology: Fix endianness issue [ Upstream commit 26d87881590fd55ccdd8f829498d7b3033f81990 ] As done in already existing cases, we should use le32_to_cpu macro while accessing hdr->magic. Found with sparse. Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/20200415162435.31859-2-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit db23f9177eb538044f57dfbf0156c696f6744264 Author: Sebastian Reichel Date: Tue Apr 14 20:11:40 2020 +0200 ASoC: sgtl5000: Fix VAG power-on handling [ Upstream commit aa7812737f2877e192d57626cbe8825cc7cf6de9 ] As mentioned slightly out of patch context in the code, there is no reset routine for the chip. On boards where the chip is supplied by a fixed regulator, it might not even be resetted during (e.g. watchdog) reboot and can be in any state. If the device is probed with VAG enabled, the driver's probe routine will generate a loud pop sound when ANA_POWER is being programmed. Avoid this by properly disabling just the VAG bit and waiting the required power down time. Signed-off-by: Sebastian Reichel Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/20200414181140.145825-1-sebastian.reichel@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 23ce3e2c4179b15dab7c8c2892ddbf80f0104d6f Author: Wu Bo Date: Tue Apr 14 10:13:28 2020 +0800 scsi: sg: add sg_remove_request in sg_write [ Upstream commit 83c6f2390040f188cc25b270b4befeb5628c1aee ] If the __copy_from_user function failed we need to call sg_remove_request in sg_write. Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com Acked-by: Douglas Gilbert Signed-off-by: Wu Bo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0d365414d2983409a2d7b2cde8e2541e828ff39f Author: Vasily Khoruzhick Date: Sun Mar 29 15:22:53 2020 -0700 drm/bridge: anx6345: set correct BPC for display_info of connector [ Upstream commit 1e8a6ce9186dbf342eebc07cf14cae5e82164e03 ] Some drivers (e.g. sun4i-drm) need this info to decide whether they need to enable dithering. Currently driver reports what panel supports and if panel supports 8 we don't get dithering enabled. Hardcode BPC to 6 for now since that's the only BPC that driver supports. Fixes: 6aa192698089 ("drm/bridge: Add Analogix anx6345 support") Signed-off-by: Vasily Khoruzhick Acked-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://patchwork.freedesktop.org/patch/msgid/20200329222253.2941405-1-anarsoul@gmail.com Signed-off-by: Sasha Levin commit 8079acfe5b45d5601a399ba4e938ed75d8dc68c2 Author: Tyler Hicks Date: Mon Apr 13 15:21:45 2020 -0500 selftests/ipc: Fix test failure seen after initial test run [ Upstream commit b87080eab4c1377706c113fc9c0157f19ea8fed1 ] After successfully running the IPC msgque test once, subsequent runs result in a test failure: $ sudo ./run_kselftest.sh TAP version 13 1..1 # selftests: ipc: msgque # Failed to get stats for IPC queue with id 0 # Failed to dump queue: -22 # Bail out! # # Pass 0 Fail 0 Xfail 0 Xpass 0 Skip 0 Error 0 not ok 1 selftests: ipc: msgque # exit=1 The dump_queue() function loops through the possible message queue index values using calls to msgctl(kern_id, MSG_STAT, ...) where kern_id represents the index value. The first time the test is ran, the initial index value of 0 is valid and the test is able to complete. The index value of 0 is not valid in subsequent test runs and the loop attempts to try index values of 1, 2, 3, and so on until a valid index value is found that corresponds to the message queue created earlier in the test. The msgctl() syscall returns -1 and sets errno to EINVAL when invalid index values are used. The test failure is caused by incorrectly comparing errno to -EINVAL when cycling through possible index values. Fix invalid test failures on subsequent runs of the msgque test by correctly comparing errno values to a non-negated EINVAL. Fixes: 3a665531a3b7 ("selftests: IPC message queue copy feature test") Signed-off-by: Tyler Hicks Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit b668423c13b012e6e14b2faf4e9da6c544d70fbb Author: Jarkko Sakkinen Date: Sun Apr 12 17:23:07 2020 +0300 Revert "Kernel selftests: tpm2: check for tpm support" [ Upstream commit aaa2d92efe1f972567f1691b423ab8dc606ab3a9 ] This reverts commit b32694cd0724d4ceca2c62cc7c3d3a8d1ffa11fc. The original comment was neither reviewed nor tested. Thus, this the *only* possible action to take. Cc: Nikita Sobolev Signed-off-by: Jarkko Sakkinen Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit c03b7f4d2422eaf50f843511ba5f22e764879692 Author: Sandipan Das Date: Thu Jan 30 12:31:19 2020 +0530 selftests: vm: Fix 64-bit test builds for powerpc64le [ Upstream commit 963e3e9c9a127013eb4d3c82eb997068b1adbb89 ] Some tests are built only for 64-bit systems. This makes sure that these tests are built for both big and little endian variants of powerpc64. Fixes: 7549b3364201 ("selftests: vm: Build/Run 64bit tests only on 64bit arch") Reviewed-by: Kamalesh Babulal Signed-off-by: Sandipan Das Tested-by: Michael Ellerman Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 036b7355ea0b6574d470b9d1a1f3b001801fd8ad Author: Sandipan Das Date: Thu Jan 30 12:31:18 2020 +0530 selftests: vm: Do not override definition of ARCH [ Upstream commit 24c3f063c57b2a8ae21b259bcfa7690e2eb56dd9 ] Independent builds of the vm selftests is currently broken because commit 7549b3364201 ("selftests: vm: Build/Run 64bit tests only on 64bit arch") overrides the value of ARCH with the machine name from uname. This does not always match the architecture names used for tasks like header installation. E.g. for building tests on powerpc64, we need ARCH=powerpc and not ARCH=ppc64 or ARCH=ppc64le. Otherwise, the build fails as shown below. $ uname -m ppc64le $ make -C tools/testing/selftests/vm make: Entering directory '/home/sandipan/linux/tools/testing/selftests/vm' make --no-builtin-rules ARCH=ppc64le -C ../../../.. headers_install make[1]: Entering directory '/home/sandipan/linux' Makefile:653: arch/ppc64le/Makefile: No such file or directory make[1]: *** No rule to make target 'arch/ppc64le/Makefile'. Stop. make[1]: Leaving directory '/home/sandipan/linux' ../lib.mk:50: recipe for target 'khdr' failed make: *** [khdr] Error 2 make: Leaving directory '/home/sandipan/linux/tools/testing/selftests/vm' Fixes: 7549b3364201 ("selftests: vm: Build/Run 64bit tests only on 64bit arch") Signed-off-by: Sandipan Das Tested-by: Michael Ellerman Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit b508b3442416186adf5359f4e298a7553858357f Author: Yihao Wu Date: Mon Apr 6 01:57:22 2020 +0800 SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge [ Upstream commit 43e33924c38e8faeb0c12035481cb150e602e39d ] Deleting list entry within hlist_for_each_entry_safe is not safe unless next pointer (tmp) is protected too. It's not, because once hash_lock is released, cache_clean may delete the entry that tmp points to. Then cache_purge can walk to a deleted entry and tries to double free it. Fix this bug by holding only the deleted entry's reference. Suggested-by: NeilBrown Signed-off-by: Yihao Wu Reviewed-by: NeilBrown [ cel: removed unused variable ] Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 06f47d75e4e316658f94f73534a9436969119fa2 Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:29 2020 -0400 ASoC: topology: Check return value of soc_tplg_dai_config [ Upstream commit dd8e871d4e560eeb8d22af82dde91457ad835a63 ] Function soc_tplg_dai_config can fail, check for and handle possible failure. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-7-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2751ee29744e07417d2c3522cdc52a67bcd36243 Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:28 2020 -0400 ASoC: topology: Check return value of pcm_new_ver [ Upstream commit b3677fc3d68dd942c92de52f0bd9dd8b472a40e6 ] Function pcm_new_ver can fail, so we should check it's return value and handle possible error. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-6-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a65227855e00e7eac6de44ecc219e1d1cb79f7cb Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:27 2020 -0400 ASoC: topology: Check soc_tplg_add_route return value [ Upstream commit 6856e887eae3efc0fe56899cb3f969fe063171c5 ] Function soc_tplg_add_route can propagate error code from callback, we should check its return value and handle fail in correct way. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-5-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ce6786add7b6e295c8ab887ea55c96993093e337 Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:26 2020 -0400 ASoC: topology: Check return value of soc_tplg_*_create [ Upstream commit 2ae548f30d7f6973388fc3769bb3c2f6fd13652b ] Functions soc_tplg_denum_create, soc_tplg_dmixer_create, soc_tplg_dbytes_create can fail, so their return values should be checked and error should be propagated. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-4-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 66472b3ae184c6bdb1bb672d3c9273f27bad3547 Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:25 2020 -0400 ASoC: topology: Check return value of soc_tplg_create_tlv [ Upstream commit 482db55ae87f3749db05810a38b1d618dfd4407c ] Function soc_tplg_create_tlv can fail, so we should check if it succeded or not and proceed appropriately. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-3-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e83efd0a2565823bfcdd8ddf548340bc10662019 Author: Amadeusz Sławiński Date: Fri Mar 27 16:47:24 2020 -0400 ASoC: topology: Add missing memory checks [ Upstream commit abc3caac24501008465fdb55c5e89e16d58d5a3d ] kstrdup is an allocation function and it can fail, so its return value should be checked and handled appropriately. In order to check all cases, we need to modify set_stream_info to return a value, so check that everything went correctly when doing kstrdup(). Later add proper checks and error handlers. Signed-off-by: Amadeusz Sławiński Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20200327204729.397-2-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1c416944adfcde8767d12c2fa804bf49e54e0ffd Author: Marek Szyprowski Date: Tue Mar 10 11:34:27 2020 +0100 drm/bridge: analogix_dp: Split bind() into probe() and real bind() [ Upstream commit 83a196773b8bc6702f49df1eddc848180e350340 ] Analogix_dp driver acquires all its resources in the ->bind() callback, what is a bit against the component driver based approach, where the driver initialization is split into a probe(), where all resources are gathered, and a bind(), where all objects are created and a compound driver is initialized. Extract all the resource related operations to analogix_dp_probe() and analogix_dp_remove(), then call them before/after registration of the device components from the main Exynos DP and Rockchip DP drivers. Also move the plat_data initialization to the probe() to make it available for the analogix_dp_probe() function. This fixes the multiple calls to the bind() of the DRM compound driver when the DP PHY driver is not yet loaded/probed: [drm] Exynos DRM: using 14400000.fimd device for DMA mapping operations exynos-drm exynos-drm: bound 14400000.fimd (ops fimd_component_ops [exynosdrm]) exynos-drm exynos-drm: bound 14450000.mixer (ops mixer_component_ops [exynosdrm]) exynos-dp 145b0000.dp-controller: no DP phy configured exynos-drm exynos-drm: failed to bind 145b0000.dp-controller (ops exynos_dp_ops [exynosdrm]): -517 exynos-drm exynos-drm: master bind failed: -517 ... [drm] Exynos DRM: using 14400000.fimd device for DMA mapping operations exynos-drm exynos-drm: bound 14400000.fimd (ops hdmi_enable [exynosdrm]) exynos-drm exynos-drm: bound 14450000.mixer (ops hdmi_enable [exynosdrm]) exynos-drm exynos-drm: bound 145b0000.dp-controller (ops hdmi_enable [exynosdrm]) exynos-drm exynos-drm: bound 14530000.hdmi (ops hdmi_enable [exynosdrm]) [drm] Supports vblank timestamp caching Rev 2 (21.10.2013). Console: switching to colour frame buffer device 170x48 exynos-drm exynos-drm: fb0: exynosdrmfb frame buffer device [drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1 ... Signed-off-by: Marek Szyprowski Acked-by: Andy Yan Reviewed-by: Andrzej Hajda Signed-off-by: Andrzej Hajda Link: https://patchwork.freedesktop.org/patch/msgid/20200310103427.26048-1-m.szyprowski@samsung.com Signed-off-by: Sasha Levin commit d662c04426c0490ff47765c08e2a3f945aba7b0d Author: Jia He Date: Fri May 1 12:38:40 2020 +0800 vhost: vsock: kick send_pkt worker once device is started commit 0b841030625cde5f784dd62aec72d6a766faae70 upstream. Ning Bo reported an abnormal 2-second gap when booting Kata container [1]. The unconditional timeout was caused by VSOCK_DEFAULT_CONNECT_TIMEOUT of connecting from the client side. The vhost vsock client tries to connect an initializing virtio vsock server. The abnormal flow looks like: host-userspace vhost vsock guest vsock ============== =========== ============ connect() --------> vhost_transport_send_pkt_work() initializing | vq->private_data==NULL | will not be queued V schedule_timeout(2s) vhost_vsock_start() <--------- device ready set vq->private_data wait for 2s and failed connect() again vq->private_data!=NULL recv connecting pkt Details: 1. Host userspace sends a connect pkt, at that time, guest vsock is under initializing, hence the vhost_vsock_start has not been called. So vq->private_data==NULL, and the pkt is not been queued to send to guest 2. Then it sleeps for 2s 3. After guest vsock finishes initializing, vq->private_data is set 4. When host userspace wakes up after 2s, send connecting pkt again, everything is fine. As suggested by Stefano Garzarella, this fixes it by additional kicking the send_pkt worker in vhost_vsock_start once the virtio device is started. This makes the pending pkt sent again. After this patch, kata-runtime (with vsock enabled) boot time is reduced from 3s to 1s on a ThunderX2 arm64 server. [1] https://github.com/kata-containers/runtime/issues/1917 Reported-by: Ning Bo Suggested-by: Stefano Garzarella Signed-off-by: Jia He Link: https://lore.kernel.org/r/20200501043840.186557-1-justin.he@arm.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefano Garzarella Signed-off-by: Greg Kroah-Hartman