commit 4ccc34c9f441dfe807ab223bc3b44c23201f1764 Author: Alexandre Frade Date: Thu Nov 19 03:21:21 2020 +0000 Linux 5.9.9-xanmod1 Signed-off-by: Alexandre Frade commit 63e1d5a76a98fdfebe1ac543f20e8936078f6535 Merge: 99f1ba6a16a7 1398820fee51 Author: Alexandre Frade Date: Thu Nov 19 00:45:36 2020 +0000 Merge tag 'v5.9.9' into 5.9 This is the 5.9.9 stable release commit 1398820fee515873379809a6415930ad0764b2f6 Author: Greg Kroah-Hartman Date: Wed Nov 18 19:22:33 2020 +0100 Linux 5.9.9 Tested-by: Jon Hunter Tested-by: Jeffrin Jose T Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201117122138.925150709@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit ac39c90de3d9e52d2428950783f72416e9246c07 Author: Boris Protopopov Date: Thu Sep 24 00:36:38 2020 +0000 Convert trailing spaces and periods in path components commit 57c176074057531b249cf522d90c22313fa74b0b upstream. When converting trailing spaces and periods in paths, do so for every component of the path, not just the last component. If the conversion is not done for every path component, then subsequent operations in directories with trailing spaces or periods (e.g. create(), mkdir()) will fail with ENOENT. This is because on the server, the directory will have a special symbol in its name, and the client needs to provide the same. Signed-off-by: Boris Protopopov Acked-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 7e87e69e3347b658357a0a699799babacedd755c Author: Mike Leach Date: Thu Oct 29 10:45:59 2020 -0600 coresight: Fix uninitialised pointer bug in etm_setup_aux() commit 39a7661dcf655c8198fd5d72412f5030a8e58444 upstream. Commit [bb1860efc817] changed the sink handling code introducing an uninitialised pointer bug. This results in the default sink selection failing. Prior to commit: static void etm_setup_aux(...) struct coresight_device *sink; /* First get the selected sink from user space. */ if (event->attr.config2) { id = (u32)event->attr.config2; sink = coresight_get_sink_by_id(id); } else { sink = coresight_get_enabled_sink(true); } *sink always initialised - possibly to NULL which triggers the automatic sink selection. After commit: static void etm_setup_aux(...) struct coresight_device *sink; /* First get the selected sink from user space. */ if (event->attr.config2) { id = (u32)event->attr.config2; sink = coresight_get_sink_by_id(id); } *sink pointer uninitialised when not providing a sink on the perf command line. This breaks later checks to enable automatic sink selection. Fixes: bb1860efc817 ("coresight: etm: perf: Sink selection using sysfs is deprecated") Signed-off-by: Mike Leach Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20201029164559.1268531-3-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit b689b7318eefce0247c45c008fba33d932f5d00d Author: Linu Cherian Date: Wed Sep 16 13:17:34 2020 -0600 coresight: etm: perf: Sink selection using sysfs is deprecated commit bb1860efc817c18fce4112f25f51043e44346d1b upstream. When using the perf interface, sink selection using sysfs is deprecated. Signed-off-by: Linu Cherian Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200916191737.4001561-14-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit d8c65b3a4dcf81a4dc507fb1b472282921f4b832 Author: Arnaldo Carvalho de Melo Date: Fri Oct 30 08:24:38 2020 -0300 perf scripting python: Avoid declaring function pointers with a visibility attribute commit d0e7b0c71fbb653de90a7163ef46912a96f0bdaf upstream. To avoid this: util/scripting-engines/trace-event-python.c: In function 'python_start_script': util/scripting-engines/trace-event-python.c:1595:2: error: 'visibility' attribute ignored [-Werror=attributes] 1595 | PyMODINIT_FUNC (*initfunc)(void); | ^~~~~~~~~~~~~~ That started breaking when building with PYTHON=python3 and these gcc versions (I haven't checked with the clang ones, maybe it breaks there as well): # export PERF_TARBALL=http://192.168.86.5/perf/perf-5.9.0.tar.xz # dm fedora:33 fedora:rawhide 1 107.80 fedora:33 : Ok gcc (GCC) 10.2.1 20201005 (Red Hat 10.2.1-5), clang version 11.0.0 (Fedora 11.0.0-1.fc33) 2 92.47 fedora:rawhide : Ok gcc (GCC) 10.2.1 20201016 (Red Hat 10.2.1-6), clang version 11.0.0 (Fedora 11.0.0-1.fc34) # Avoid that by ditching that 'initfunc' function pointer with its: #define Py_EXPORTED_SYMBOL _attribute_ ((visibility ("default"))) #define PyMODINIT_FUNC Py_EXPORTED_SYMBOL PyObject* And just call PyImport_AppendInittab() at the end of the ifdef python3 block with the functions that were being attributed to that initfunc. Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Tapas Kundu Signed-off-by: Greg Kroah-Hartman commit 88c5766cfc82d6e612dfc9d270503e4a42a82f19 Author: Damien Le Moal Date: Fri Nov 6 20:01:41 2020 +0900 null_blk: Fix scheduling in atomic with zoned mode commit e1777d099728a76a8f8090f89649aac961e7e530 upstream. Commit aa1c09cb65e2 ("null_blk: Fix locking in zoned mode") changed zone locking to using the potentially sleeping wait_on_bit_io() function. This is acceptable when memory backing is enabled as the device queue is in that case marked as blocking, but this triggers a scheduling while in atomic context with memory backing disabled. Fix this by relying solely on the device zone spinlock for zone information protection without temporarily releasing this lock around null_process_cmd() execution in null_zone_write(). This is OK to do since when memory backing is disabled, command processing does not block and the memory backing lock nullb->lock is unused. This solution avoids the overhead of having to mark a zoned null_blk device queue as blocking when memory backing is unused. This patch also adds comments to the zone locking code to explain the unusual locking scheme. Fixes: aa1c09cb65e2 ("null_blk: Fix locking in zoned mode") Reported-by: kernel test robot Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c7910bdb81151fe14c16dd28b2fbeaf64fef81cd Author: Christophe Leroy Date: Sat Oct 10 15:14:30 2020 +0000 powerpc/603: Always fault when _PAGE_ACCESSED is not set commit 11522448e641e8f1690c9db06e01985e8e19b401 upstream. The kernel expects pte_young() to work regardless of CONFIG_SWAP. Make sure a minor fault is taken to set _PAGE_ACCESSED when it is not already set, regardless of the selection of CONFIG_SWAP. Fixes: 84de6ab0e904 ("powerpc/603: don't handle PAGE_ACCESSED in TLB miss handlers.") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/a44367744de54e2315b2f1a8cbbd7f88488072e0.1602342806.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 6cad8b45b813370cedae6b6c27bc432daf24270f Author: Stefano Brivio Date: Fri Nov 6 17:59:52 2020 +0100 tunnels: Fix off-by-one in lower MTU bounds for ICMP/ICMPv6 replies [ Upstream commit 77a2d673d5c9d1d359b5652ff75043273c5dea28 ] Jianlin reports that a bridged IPv6 VXLAN endpoint, carrying IPv6 packets over a link with a PMTU estimation of exactly 1350 bytes, won't trigger ICMPv6 Packet Too Big replies when the encapsulated datagrams exceed said PMTU value. VXLAN over IPv6 adds 70 bytes of overhead, so an ICMPv6 reply indicating 1280 bytes as inner MTU would be legitimate and expected. This comes from an off-by-one error I introduced in checks added as part of commit 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets"), whose purpose was to prevent sending ICMPv6 Packet Too Big messages with an MTU lower than the smallest permissible IPv6 link MTU, i.e. 1280 bytes. In iptunnel_pmtud_check_icmpv6(), avoid triggering a reply only if the advertised MTU would be less than, and not equal to, 1280 bytes. Also fix the analogous comparison for IPv4, that is, skip the ICMP reply only if the resulting MTU is strictly less than 576 bytes. This becomes apparent while running the net/pmtu.sh bridged VXLAN or GENEVE selftests with adjusted lower-link MTU values. Using e.g. GENEVE, setting ll_mtu to the values reported below, in the test_pmtu_ipvX_over_bridged_vxlanY_or_geneveY_exception() test function, we can see failures on the following tests: test | ll_mtu -------------------------------|-------- pmtu_ipv4_br_geneve4_exception | 626 pmtu_ipv6_br_geneve4_exception | 1330 pmtu_ipv6_br_geneve6_exception | 1350 owing to the different tunneling overheads implied by the corresponding configurations. Reported-by: Jianlin Shi Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") Signed-off-by: Stefano Brivio Link: https://lore.kernel.org/r/4f5fc2f33bfdf8409549fafd4f952b008bf04d63.1604681709.git.sbrivio@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b288c0456ba2fa75deaf4a08ac9881fba8af9bb9 Author: Paolo Abeni Date: Sun Nov 8 19:49:59 2020 +0100 mptcp: provide rmem[0] limit [ Upstream commit 989ef49bdf100cc772b3a8737089df36b1ab1e30 ] The mptcp proto struct currently does not provide the required limit for forward memory scheduling. Under pressure sk_rmem_schedule() will unconditionally try to use such field and will oops. Address the issue inheriting the tcp limit, as we already do for the wmem one. Fixes: 9c3f94e1681b ("mptcp: add missing memory scheduling in the rx path") Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Link: https://lore.kernel.org/r/37af798bd46f402fb7c79f57ebbdd00614f5d7fa.1604861097.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0ed125fd6e041b3ad65702fcd4619b27319cc3fd Author: Parav Pandit Date: Wed Nov 11 05:47:44 2020 +0200 devlink: Avoid overwriting port attributes of registered port [ Upstream commit 9f73bd1c2c4c304b238051fc92b3f807326f0a89 ] Cited commit in fixes tag overwrites the port attributes for the registered port. Avoid such error by checking registered flag before setting attributes. Fixes: 71ad8d55f8e5 ("devlink: Replace devlink_port_attrs_set parameters with a struct") Signed-off-by: Parav Pandit Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20201111034744.35554-1-parav@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 2589466499050a999c091f7e0fcfd9ec96e02b0c Author: Wang Hai Date: Mon Nov 9 22:09:13 2020 +0800 tipc: fix memory leak in tipc_topsrv_start() [ Upstream commit fa6882c63621821f73cc806f291208e1c6ea6187 ] kmemleak report a memory leak as follows: unreferenced object 0xffff88810a596800 (size 512): comm "ip", pid 21558, jiffies 4297568990 (age 112.120s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 00 83 60 b0 ff ff ff ff ..........`..... backtrace: [<0000000022bbe21f>] tipc_topsrv_init_net+0x1f3/0xa70 [<00000000fe15ddf7>] ops_init+0xa8/0x3c0 [<00000000138af6f2>] setup_net+0x2de/0x7e0 [<000000008c6807a3>] copy_net_ns+0x27d/0x530 [<000000006b21adbd>] create_new_namespaces+0x382/0xa30 [<00000000bb169746>] unshare_nsproxy_namespaces+0xa1/0x1d0 [<00000000fe2e42bc>] ksys_unshare+0x39c/0x780 [<0000000009ba3b19>] __x64_sys_unshare+0x2d/0x40 [<00000000614ad866>] do_syscall_64+0x56/0xa0 [<00000000a1b5ca3c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 'srv' is malloced in tipc_topsrv_start() but not free before leaving from the error handling cases. We need to free it. Fixes: 5c45ab24ac77 ("tipc: make struct tipc_server private for server.c") Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201109140913.47370-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 6f5d15f1e0a906d46e52b495a238544bc2e3af7c Author: Martin Schiller Date: Mon Nov 9 07:54:49 2020 +0100 net/x25: Fix null-ptr-deref in x25_connect [ Upstream commit 361182308766a265b6c521879b34302617a8c209 ] This fixes a regression for blocking connects introduced by commit 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect"). The x25->neighbour is already set to "NULL" by x25_disconnect() now, while a blocking connect is waiting in x25_wait_for_connection_establishment(). Therefore x25->neighbour must not be accessed here again and x25->state is also already set to X25_STATE_0 by x25_disconnect(). Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Martin Schiller Reviewed-by: Xie He Link: https://lore.kernel.org/r/20201109065449.9014-1-ms@dev.tdt.de Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5025e00a834fd9702bb2a8c7b60108e6a13d01f4 Author: Mao Wenan Date: Tue Nov 10 08:16:31 2020 +0800 net: Update window_clamp if SOCK_RCVBUF is set [ Upstream commit 909172a149749242990a6e64cb55d55460d4e417 ] When net.ipv4.tcp_syncookies=1 and syn flood is happened, cookie_v4_check or cookie_v6_check tries to redo what tcp_v4_send_synack or tcp_v6_send_synack did, rsk_window_clamp will be changed if SOCK_RCVBUF is set, which will make rcv_wscale is different, the client still operates with initial window scale and can overshot granted window, the client use the initial scale but local server use new scale to advertise window value, and session work abnormally. Fixes: e88c64f0a425 ("tcp: allow effective reduction of TCP's rcv-buffer via setsockopt") Signed-off-by: Mao Wenan Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/1604967391-123737-1-git-send-email-wenan.mao@linux.alibaba.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 69843804a23de359f5d8f5d388086c68a9704bb2 Author: Alexander Lobakin Date: Wed Nov 11 20:45:25 2020 +0000 net: udp: fix UDP header access on Fast/frag0 UDP GRO [ Upstream commit 4b1a86281cc1d0de46df3ad2cb8c1f86ac07681c ] UDP GRO uses udp_hdr(skb) in its .gro_receive() callback. While it's probably OK for non-frag0 paths (when all headers or even the entire frame are already in skb head), this inline points to junk when using Fast GRO (napi_gro_frags() or napi_gro_receive() with only Ethernet header in skb head and all the rest in the frags) and breaks GRO packet compilation and the packet flow itself. To support both modes, skb_gro_header_fast() + skb_gro_header_slow() are typically used. UDP even has an inline helper that makes use of them, udp_gro_udphdr(). Use that instead of troublemaking udp_hdr() to get rid of the out-of-order delivers. Present since the introduction of plain UDP GRO in 5.0-rc1. Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.") Cc: Eric Dumazet Signed-off-by: Alexander Lobakin Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7e7f05d83d00e38d10d5ac92b738d39dfee661ef Author: Alexander Lobakin Date: Wed Nov 11 20:45:38 2020 +0000 net: udp: fix IP header access and skb lookup on Fast/frag0 UDP GRO [ Upstream commit 55e729889bb07d68ab071660ce3f5e7a7872ebe8 ] udp{4,6}_lib_lookup_skb() use ip{,v6}_hdr() to get IP header of the packet. While it's probably OK for non-frag0 paths, this helpers will also point to junk on Fast/frag0 GRO when all headers are located in frags. As a result, sk/skb lookup may fail or give wrong results. To support both GRO modes, skb_gro_network_header() might be used. To not modify original functions, add private versions of udp{4,6}_lib_lookup_skb() only to perform correct sk lookups on GRO. Present since the introduction of "application-level" UDP GRO in 4.7-rc1. Misc: replace totally unneeded ternaries with plain ifs. Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket") Suggested-by: Willem de Bruijn Cc: Eric Dumazet Signed-off-by: Alexander Lobakin Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d0f1a4e3f60cbad46b4a01fb7da998df6f3d28a6 Author: Ursula Braun Date: Mon Nov 9 08:57:05 2020 +0100 net/af_iucv: fix null pointer dereference on shutdown [ Upstream commit 4031eeafa71eaf22ae40a15606a134ae86345daf ] syzbot reported the following KASAN finding: BUG: KASAN: nullptr-dereference in iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385 Read of size 2 at addr 000000000000021e by task syz-executor907/519 CPU: 0 PID: 519 Comm: syz-executor907 Not tainted 5.9.0-syzkaller-07043-gbcf9877ad213 #0 Hardware name: IBM 3906 M04 701 (KVM/Linux) Call Trace: [<00000000c576af60>] unwind_start arch/s390/include/asm/unwind.h:65 [inline] [<00000000c576af60>] show_stack+0x180/0x228 arch/s390/kernel/dumpstack.c:135 [<00000000c9dcd1f8>] __dump_stack lib/dump_stack.c:77 [inline] [<00000000c9dcd1f8>] dump_stack+0x268/0x2f0 lib/dump_stack.c:118 [<00000000c5fed016>] print_address_description.constprop.0+0x5e/0x218 mm/kasan/report.c:383 [<00000000c5fec82a>] __kasan_report mm/kasan/report.c:517 [inline] [<00000000c5fec82a>] kasan_report+0x11a/0x168 mm/kasan/report.c:534 [<00000000c98b5b60>] iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385 [<00000000c98b6262>] iucv_sock_shutdown+0x44a/0x4c0 net/iucv/af_iucv.c:1457 [<00000000c89d3a54>] __sys_shutdown+0x12c/0x1c8 net/socket.c:2204 [<00000000c89d3b70>] __do_sys_shutdown net/socket.c:2212 [inline] [<00000000c89d3b70>] __s390x_sys_shutdown+0x38/0x48 net/socket.c:2210 [<00000000c9e36eac>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 There is nothing to shutdown if a connection has never been established. Besides that iucv->hs_dev is not yet initialized if a socket is in IUCV_OPEN state and iucv->path is not yet initialized if socket is in IUCV_BOUND state. So, just skip the shutdown calls for a socket in these states. Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support") Fixes: 82492a355fac ("af_iucv: add shutdown for HS transport") Reviewed-by: Vasily Gorbik Signed-off-by: Ursula Braun [jwi: correct one Fixes tag] Signed-off-by: Julian Wiedmann Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5ec976b6216c041f989ef9f687523505fd33f226 Author: Oliver Herms Date: Tue Nov 3 11:41:33 2020 +0100 IPv6: Set SIT tunnel hard_header_len to zero [ Upstream commit 8ef9ba4d666614497a057d09b0a6eafc1e34eadf ] Due to the legacy usage of hard_header_len for SIT tunnels while already using infrastructure from net/ipv4/ip_tunnel.c the calculation of the path MTU in tnl_update_pmtu is incorrect. This leads to unnecessary creation of MTU exceptions for any flow going over a SIT tunnel. As SIT tunnels do not have a header themsevles other than their transport (L3, L2) headers we're leaving hard_header_len set to zero as tnl_update_pmtu is already taking care of the transport headers sizes. This will also help avoiding unnecessary IPv6 GC runs and spinlock contention seen when using SIT tunnels and for more than net.ipv6.route.gc_thresh flows. Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Signed-off-by: Oliver Herms Acked-by: Willem de Bruijn Link: https://lore.kernel.org/r/20201103104133.GA1573211@tws Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e43ca834db40235e3e88f3fcf9e5df88fef31fc6 Author: Alexander Lobakin Date: Sun Nov 8 00:46:15 2020 +0000 ethtool: netlink: add missing netdev_features_change() call [ Upstream commit 413691384a37fe27f43460226c4160e33140e638 ] After updating userspace Ethtool from 5.7 to 5.9, I noticed that NETDEV_FEAT_CHANGE is no more raised when changing netdev features through Ethtool. That's because the old Ethtool ioctl interface always calls netdev_features_change() at the end of user request processing to inform the kernel that our netdevice has some features changed, but the new Netlink interface does not. Instead, it just notifies itself with ETHTOOL_MSG_FEATURES_NTF. Replace this ethtool_notify() call with netdev_features_change(), so the kernel will be aware of any features changes, just like in case with the ioctl interface. This does not omit Ethtool notifications, as Ethtool itself listens to NETDEV_FEAT_CHANGE and drops ETHTOOL_MSG_FEATURES_NTF on it (net/ethtool/netlink.c:ethnl_netdev_event()). >From v1 [1]: - dropped extra new line as advised by Jakub; - no functional changes. [1] https://lore.kernel.org/netdev/AlZXQ2o5uuTVHCfNGOiGgJ8vJ3KgO5YIWAnQjH0cDE@cp3-web-009.plabs.ch Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Kubecek Link: https://lore.kernel.org/r/ahA2YWXYICz5rbUSQqNG4roJ8OlJzzYQX7PTiG80@cp4-web-028.plabs.ch Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b2850712c5d732c5d62bab363ff3743dc49be06b Author: Rafael J. Wysocki Date: Tue Nov 10 18:27:40 2020 +0100 cpufreq: intel_pstate: Take CPUFREQ_GOV_STRICT_TARGET into account commit fcb3a1ab79904d54499db77017793ccca665eb7e upstream. Make intel_pstate take the new CPUFREQ_GOV_STRICT_TARGET governor flag into account when it operates in the passive mode with HWP enabled, so as to fix the "powersave" governor behavior in that case (currently, HWP is allowed to scale the performance all the way up to the policy max limit when the "powersave" governor is used, but it should be constrained to the policy min limit then). Fixes: f6ebbcf08f37 ("cpufreq: intel_pstate: Implement passive mode with HWP enabled") Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Cc: 5.9+ # 5.9+: 9a2a9ebc0a75 cpufreq: Introduce governor flags Cc: 5.9+ # 5.9+: 218f66870181 cpufreq: Introduce CPUFREQ_GOV_STRICT_TARGET Cc: 5.9+ # 5.9+: ea9364bbadf1 cpufreq: Add strict_target to struct cpufreq_policy Signed-off-by: Greg Kroah-Hartman commit 960908eb18ddf95dca07c74744bd9eeb7dca8a6a Author: Rafael J. Wysocki Date: Tue Nov 10 18:26:37 2020 +0100 cpufreq: Add strict_target to struct cpufreq_policy commit ea9364bbadf11f0c55802cf11387d74f524cee84 upstream. Add a new field to be set when the CPUFREQ_GOV_STRICT_TARGET flag is set for the current governor to struct cpufreq_policy, so that the drivers needing to check CPUFREQ_GOV_STRICT_TARGET do not have to access the governor object during every frequency transition. Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit ddd0dd03fcce5b4516b35e14a21822cc526fff52 Author: Rafael J. Wysocki Date: Tue Nov 10 18:26:10 2020 +0100 cpufreq: Introduce CPUFREQ_GOV_STRICT_TARGET commit 218f66870181bec7aaa6e3c72f346039c590c3c2 upstream. Introduce a new governor flag, CPUFREQ_GOV_STRICT_TARGET, for the governors that want the target frequency to be set exactly to the given value without leaving any room for adjustments on the hardware side and set this flag for the powersave and performance governors. Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit c539b683b0035d707986835ce5e8335bc2bcea8f Author: Rafael J. Wysocki Date: Tue Nov 10 18:25:57 2020 +0100 cpufreq: Introduce governor flags commit 9a2a9ebc0a758d887ee06e067e9f7f0b36ff7574 upstream. A new cpufreq governor flag will be added subsequently, so replace the bool dynamic_switching fleid in struct cpufreq_governor with a flags field and introduce CPUFREQ_GOV_DYNAMIC_SWITCHING to set for the "dynamic switching" governors instead of it. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit f3cbfd01568c779447bbf4b613ddc35123185ac3 Author: Stefano Stabellini Date: Mon Oct 26 17:02:14 2020 -0700 swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb" commit e9696d259d0fb5d239e8c28ca41089838ea76d13 upstream. kernel/dma/swiotlb.c:swiotlb_init gets called first and tries to allocate a buffer for the swiotlb. It does so by calling memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE); If the allocation must fail, no_iotlb_memory is set. Later during initialization swiotlb-xen comes in (drivers/xen/swiotlb-xen.c:xen_swiotlb_init) and given that io_tlb_start is != 0, it thinks the memory is ready to use when actually it is not. When the swiotlb is actually needed, swiotlb_tbl_map_single gets called and since no_iotlb_memory is set the kernel panics. Instead, if swiotlb-xen.c:xen_swiotlb_init knew the swiotlb hadn't been initialized, it would do the initialization itself, which might still succeed. Fix the panic by setting io_tlb_start to 0 on swiotlb initialization failure, and also by setting no_iotlb_memory to false on swiotlb initialization success. Fixes: ac2cbab21f31 ("x86: Don't panic if can not alloc buffer for swiotlb") Reported-by: Elliott Mitchell Tested-by: Elliott Mitchell Signed-off-by: Stefano Stabellini Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 877d58ecea18838fa0c30d54993b5cea5f438c8a Author: Coiby Xu Date: Fri Nov 6 07:19:09 2020 +0800 pinctrl: amd: fix incorrect way to disable debounce filter commit 06abe8291bc31839950f7d0362d9979edc88a666 upstream. The correct way to disable debounce filter is to clear bit 5 and 6 of the register. Cc: stable@vger.kerne.org Signed-off-by: Coiby Xu Reviewed-by: Hans de Goede Cc: Hans de Goede Link: https://lore.kernel.org/linux-gpio/df2c008b-e7b5-4fdd-42ea-4d1c62b52139@redhat.com/ Link: https://lore.kernel.org/r/20201105231912.69527-2-coiby.xu@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 41620d1b3ea6240497ebad935b22fa2c1817de4d Author: Coiby Xu Date: Fri Nov 6 07:19:10 2020 +0800 pinctrl: amd: use higher precision for 512 RtcClk commit c64a6a0d4a928c63e5bc3b485552a8903a506c36 upstream. RTC is 32.768kHz thus 512 RtcClk equals 15625 usec. The documentation likely has dropped precision and that's why the driver mistakenly took the slightly deviated value. Cc: stable@vger.kernel.org Reported-by: Andy Shevchenko Suggested-by: Andy Shevchenko Suggested-by: Hans de Goede Signed-off-by: Coiby Xu Reviewed-by: Andy Shevchenko Reviewed-by: Hans de Goede Link: https://lore.kernel.org/linux-gpio/2f4706a1-502f-75f0-9596-cc25b4933b6c@redhat.com/ Link: https://lore.kernel.org/r/20201105231912.69527-3-coiby.xu@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 616db99f8e20e467bb6756bddbe95ddb51492843 Author: J. Bruce Fields Date: Wed Oct 21 10:34:15 2020 -0400 NFSv4.2: fix failure to unregister shrinker commit 70438afbf17e5194dd607dd17759560a363b7bb4 upstream. We forgot to unregister the nfs4_xattr_large_entry_shrinker. That leaves the global list of shrinkers corrupted after unload of the nfs module, after which possibly unrelated code that calls register_shrinker() or unregister_shrinker() gets a BUG() with "supervisor write access in kernel mode". And similarly for the nfs4_xattr_large_entry_lru. Reported-by: Kris Karas Tested-By: Kris Karas Fixes: 95ad37f90c33 "NFSv4.2: add client side xattr caching." Signed-off-by: J. Bruce Fields CC: stable@vger.kernel.org Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 3874b709b217f84e6347d30e80922b9045255c8e Author: Thomas Zimmermann Date: Thu Nov 5 20:02:56 2020 +0100 drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] commit 06ad8d339524bf94b89859047822c31df6ace239 upstream. The gma500 driver expects 3 pipelines in several it's IRQ functions. Accessing struct drm_device.vblank[], this fails with devices that only have 2 pipelines. An example KASAN report is shown below. [ 62.267688] ================================================================== [ 62.268856] BUG: KASAN: slab-out-of-bounds in psb_irq_postinstall+0x250/0x3c0 [gma500_gfx] [ 62.269450] Read of size 1 at addr ffff8880012bc6d0 by task systemd-udevd/285 [ 62.269949] [ 62.270192] CPU: 0 PID: 285 Comm: systemd-udevd Tainted: G E 5.10.0-rc1-1-default+ #572 [ 62.270807] Hardware name: /DN2800MT, BIOS MTCDT10N.86A.0164.2012.1213.1024 12/13/2012 [ 62.271366] Call Trace: [ 62.271705] dump_stack+0xae/0xe5 [ 62.272180] print_address_description.constprop.0+0x17/0xf0 [ 62.272987] ? psb_irq_postinstall+0x250/0x3c0 [gma500_gfx] [ 62.273474] __kasan_report.cold+0x20/0x38 [ 62.273989] ? psb_irq_postinstall+0x250/0x3c0 [gma500_gfx] [ 62.274460] kasan_report+0x3a/0x50 [ 62.274891] psb_irq_postinstall+0x250/0x3c0 [gma500_gfx] [ 62.275380] drm_irq_install+0x131/0x1f0 <...> [ 62.300751] Allocated by task 285: [ 62.301223] kasan_save_stack+0x1b/0x40 [ 62.301731] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 62.302293] drmm_kmalloc+0x55/0x100 [ 62.302773] drm_vblank_init+0x77/0x210 Resolve the issue by only handling vblank entries up to the number of CRTCs. I'm adding a Fixes tag for reference, although the bug has been present since the driver's initial commit. Signed-off-by: Thomas Zimmermann Reviewed-by: Daniel Vetter Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers") Cc: Alan Cox Cc: Dave Airlie Cc: Patrik Jakobsson Cc: dri-devel@lists.freedesktop.org Cc: stable@vger.kernel.org#v3.3+ Link: https://patchwork.freedesktop.org/patch/msgid/20201105190256.3893-1-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman commit 824cbc5564db7828a2ecfc58d69d22448129bab6 Author: Venkata Sandeep Dhanalakota Date: Thu Nov 5 17:18:42 2020 -0800 drm/i915: Correctly set SFC capability for video engines commit 5ce6861d36ed5207aff9e5eead4c7cc38a986586 upstream. SFC capability of video engines is not set correctly because i915 is testing for incorrect bits. Fixes: c5d3e39caa45 ("drm/i915: Engine discovery query") Cc: Matt Roper Cc: Tvrtko Ursulin Signed-off-by: Venkata Sandeep Dhanalakota Signed-off-by: Daniele Ceraolo Spurio Reviewed-by: Tvrtko Ursulin Cc: # v5.3+ Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20201106011842.36203-1-daniele.ceraolospurio@intel.com (cherry picked from commit ad18fa0f5f052046cad96fee762b5c64f42dd86a) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit e963d95636c19f310dcc27cee0fe7081462187e7 Author: Bhawanpreet Lakha Date: Fri Oct 16 14:57:23 2020 -0400 drm/amd/display: Add missing pflip irq commit a422490a595600659664901b609aacccdbba4a5f upstream. If we have more than 4 displays we will run into dummy irq calls or flip timout issues. Signed-off-by: Bhawanpreet Lakha Reviewed-by: Charlene Liu Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.9.x Signed-off-by: Greg Kroah-Hartman commit c5d5981b27fb0c60a554517480802055c08b3f50 Author: Al Viro Date: Wed Oct 28 16:39:49 2020 -0400 don't dump the threads that had been already exiting when zapped. commit 77f6ab8b7768cf5e6bdd0e72499270a0671506ee upstream. Coredump logics needs to report not only the registers of the dumping thread, but (since 2.5.43) those of other threads getting killed. Doing that might require extra state saved on the stack in asm glue at kernel entry; signal delivery logics does that (we need to be able to save sigcontext there, at the very least) and so does seccomp. That covers all callers of do_coredump(). Secondary threads get hit with SIGKILL and caught as soon as they reach exit_mm(), which normally happens in signal delivery, so those are also fine most of the time. Unfortunately, it is possible to end up with secondary zapped when it has already entered exit(2) (or, worse yet, is oopsing). In those cases we reach exit_mm() when mm->core_state is already set, but the stack contents is not what we would have in signal delivery. At least on two architectures (alpha and m68k) it leads to infoleaks - we end up with a chunk of kernel stack written into coredump, with the contents consisting of normal C stack frames of the call chain leading to exit_mm() instead of the expected copy of userland registers. In case of alpha we leak 312 bytes of stack. Other architectures (including the regset-using ones) might have similar problems - the normal user of regsets is ptrace and the state of tracee at the time of such calls is special in the same way signal delivery is. Note that had the zapper gotten to the exiting thread slightly later, it wouldn't have been included into coredump anyway - we skip the threads that have already cleared their ->mm. So let's pretend that zapper always loses the race. IOW, have exit_mm() only insert into the dumper list if we'd gotten there from handling a fatal signal[*] As the result, the callers of do_exit() that have *not* gone through get_signal() are not seen by coredump logics as secondary threads. Which excludes voluntary exit()/oopsen/traps/etc. The dumper thread itself is unaffected by that, so seccomp is fine. [*] originally I intended to add a new flag in tsk->flags, but ebiederman pointed out that PF_SIGNALED is already doing just what we need. Cc: stable@vger.kernel.org Fixes: d89f3847def4 ("[PATCH] thread-aware coredumps, 2.5.43-C3") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Acked-by: "Eric W. Biederman" Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 33edb616f3ce7de25c775f0782cb732bf6c7a965 Author: Yoshihiro Shimoda Date: Fri Nov 6 18:25:30 2020 +0900 mmc: renesas_sdhi_core: Add missing tmio_mmc_host_free() at remove commit e8973201d9b281375b5a8c66093de5679423021a upstream. The commit 94b110aff867 ("mmc: tmio: add tmio_mmc_host_alloc/free()") added tmio_mmc_host_free(), but missed the function calling in the sh_mobile_sdhi_remove() at that time. So, fix it. Otherwise, we cannot rebind the sdhi/mmc devices when we use aliases of mmc. Fixes: 94b110aff867 ("mmc: tmio: add tmio_mmc_host_alloc/free()") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Wolfram Sang Tested-by: Wolfram Sang Reviewed-by: Niklas Söderlund Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1604654730-29914-1-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 85db3a44309410aca8d0c6f7970d56d035cfae61 Author: Yangbo Lu Date: Tue Nov 10 15:13:14 2020 +0800 mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs commit 71b053276a87ddfa40c8f236315d81543219bfb9 upstream. Apply erratum workaround of unreliable pulse width detection to more affected platforms (LX2160A Rev2.0 and LS1028A Rev1.0). Signed-off-by: Yangbo Lu Fixes: 48e304cc1970 ("mmc: sdhci-of-esdhc: workaround for unreliable pulse width detection") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201110071314.3868-1-yangbo.lu@nxp.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 4e7f3d3c0fa6193bc21ac5a8f60a10725adf5070 Author: Arnaud de Turckheim Date: Wed Nov 4 16:24:55 2020 +0100 gpio: pcie-idio-24: Enable PEX8311 interrupts commit 10a2f11d3c9e48363c729419e0f0530dea76e4fe upstream. This enables the PEX8311 internal PCI wire interrupt and the PEX8311 local interrupt input so the local interrupts are forwarded to the PCI. Fixes: 585562046628 ("gpio: Add GPIO support for the ACCES PCIe-IDIO-24 family") Cc: stable@vger.kernel.org Signed-off-by: Arnaud de Turckheim Reviewed-by: William Breathitt Gray Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 8c431ab5f543619ad2cf14fde0b9e3f8a12bdc7e Author: Arnaud de Turckheim Date: Wed Nov 4 16:24:54 2020 +0100 gpio: pcie-idio-24: Fix IRQ Enable Register value commit 23a7fdc06ebcc334fa667f0550676b035510b70b upstream. This fixes the COS Enable Register value for enabling/disabling the corresponding IRQs bank. Fixes: 585562046628 ("gpio: Add GPIO support for the ACCES PCIe-IDIO-24 family") Cc: stable@vger.kernel.org Signed-off-by: Arnaud de Turckheim Reviewed-by: William Breathitt Gray Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit a368f3c429a13b701a1a0a7b6e2b1dfd0127f4ab Author: Arnaud de Turckheim Date: Wed Nov 4 16:24:53 2020 +0100 gpio: pcie-idio-24: Fix irq mask when masking commit d8f270efeac850c569c305dc0baa42ac3d607988 upstream. Fix the bitwise operation to remove only the corresponding bit from the mask. Fixes: 585562046628 ("gpio: Add GPIO support for the ACCES PCIe-IDIO-24 family") Cc: stable@vger.kernel.org Signed-off-by: Arnaud de Turckheim Reviewed-by: William Breathitt Gray Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 02bae88e2c2df48da0407319f8161ca40cb01628 Author: Damien Le Moal Date: Sat Nov 7 17:13:57 2020 +0900 gpio: sifive: Fix SiFive gpio probe commit b72de3ff19fdc4bbe4d4bb3f4483c7e46e00bac3 upstream. Fix the check on the number of IRQs to allow up to the maximum (32) instead of only the maximum minus one. Fixes: 96868dce644d ("gpio/sifive: Add GPIO driver for SiFive SoCs") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Link: https://lore.kernel.org/r/20201107081420.60325-10-damien.lemoal@wdc.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 7e88d5dfc6b55fa6f17786847cdb2a2e11b83ebc Author: Jens Axboe Date: Wed Nov 11 10:38:53 2020 -0700 io_uring: round-up cq size before comparing with rounded sq size commit 88ec3211e46344a7d10cf6cb5045f839f7785f8e upstream. If an application specifies IORING_SETUP_CQSIZE to set the CQ ring size to a specific size, we ensure that the CQ size is at least that of the SQ ring size. But in doing so, we compare the already rounded up to power of two SQ size to the as-of yet unrounded CQ size. This means that if an application passes in non power of two sizes, we can return -EINVAL when the final value would've been fine. As an example, an application passing in 100/100 for sq/cq size should end up with 128 for both. But since we round the SQ size first, we compare the CQ size of 100 to 128, and return -EINVAL as that is too small. Cc: stable@vger.kernel.org Fixes: 33a107f0a1b8 ("io_uring: allow application controlled CQ ring size") Reported-by: Dan Melnic Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 23f880dc21bdfc20b50b967cef03dabd873329c2 Author: Chen Zhou Date: Thu Nov 12 21:53:32 2020 +0800 selinux: Fix error return code in sel_ib_pkey_sid_slow() commit c350f8bea271782e2733419bd2ab9bf4ec2051ef upstream. Fix to return a negative error code from the error handling case instead of 0 in function sel_ib_pkey_sid_slow(), as done elsewhere in this function. Cc: stable@vger.kernel.org Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of PKey SIDs") Reported-by: Hulk Robot Signed-off-by: Chen Zhou Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 800c1e71804ba115dd77454692b963a3b1d8bf6f Author: Naveen Krishna Chatradhi Date: Thu Nov 12 22:51:59 2020 +0530 hwmon: (amd_energy) modify the visibility of the counters commit 60268b0e8258fdea9a3c9f4b51e161c123571db3 upstream. This patch limits the visibility to owner and groups only for the energy counters exposed through the hwmon based amd_energy driver. Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Naveen Krishna Chatradhi Link: https://lore.kernel.org/r/20201112172159.8781-1-nchatrad@amd.com Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 11db218b6ff6be3c0ae8eec98277c9479115cac5 Author: Wengang Wang Date: Fri Nov 13 22:52:23 2020 -0800 ocfs2: initialize ip_next_orphan commit f5785283dd64867a711ca1fb1f5bb172f252ecdf upstream. Though problem if found on a lower 4.1.12 kernel, I think upstream has same issue. In one node in the cluster, there is the following callback trace: # cat /proc/21473/stack __ocfs2_cluster_lock.isra.36+0x336/0x9e0 [ocfs2] ocfs2_inode_lock_full_nested+0x121/0x520 [ocfs2] ocfs2_evict_inode+0x152/0x820 [ocfs2] evict+0xae/0x1a0 iput+0x1c6/0x230 ocfs2_orphan_filldir+0x5d/0x100 [ocfs2] ocfs2_dir_foreach_blk+0x490/0x4f0 [ocfs2] ocfs2_dir_foreach+0x29/0x30 [ocfs2] ocfs2_recover_orphans+0x1b6/0x9a0 [ocfs2] ocfs2_complete_recovery+0x1de/0x5c0 [ocfs2] process_one_work+0x169/0x4a0 worker_thread+0x5b/0x560 kthread+0xcb/0xf0 ret_from_fork+0x61/0x90 The above stack is not reasonable, the final iput shouldn't happen in ocfs2_orphan_filldir() function. Looking at the code, 2067 /* Skip inodes which are already added to recover list, since dio may 2068 * happen concurrently with unlink/rename */ 2069 if (OCFS2_I(iter)->ip_next_orphan) { 2070 iput(iter); 2071 return 0; 2072 } 2073 The logic thinks the inode is already in recover list on seeing ip_next_orphan is non-NULL, so it skip this inode after dropping a reference which incremented in ocfs2_iget(). While, if the inode is already in recover list, it should have another reference and the iput() at line 2070 should not be the final iput (dropping the last reference). So I don't think the inode is really in the recover list (no vmcore to confirm). Note that ocfs2_queue_orphans(), though not shown up in the call back trace, is holding cluster lock on the orphan directory when looking up for unlinked inodes. The on disk inode eviction could involve a lot of IOs which may need long time to finish. That means this node could hold the cluster lock for very long time, that can lead to the lock requests (from other nodes) to the orhpan directory hang for long time. Looking at more on ip_next_orphan, I found it's not initialized when allocating a new ocfs2_inode_info structure. This causes te reflink operations from some nodes hang for very long time waiting for the cluster lock on the orphan directory. Fix: initialize ip_next_orphan as NULL. Signed-off-by: Wengang Wang Signed-off-by: Andrew Morton Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Link: https://lkml.kernel.org/r/20201109171746.27884-1-wen.gang.wang@oracle.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ef792d6ce0db6a56e56743b1de1716a982c3b851 Author: Mike Kravetz Date: Fri Nov 13 22:52:16 2020 -0800 hugetlbfs: fix anon huge page migration race commit 336bf30eb76580b579dc711ded5d599d905c0217 upstream. Qian Cai reported the following BUG in [1] LTP: starting move_pages12 BUG: unable to handle page fault for address: ffffffffffffffe0 ... RIP: 0010:anon_vma_interval_tree_iter_first+0xa2/0x170 avc_start_pgoff at mm/interval_tree.c:63 Call Trace: rmap_walk_anon+0x141/0xa30 rmap_walk_anon at mm/rmap.c:1864 try_to_unmap+0x209/0x2d0 try_to_unmap at mm/rmap.c:1763 migrate_pages+0x1005/0x1fb0 move_pages_and_store_status.isra.47+0xd7/0x1a0 __x64_sys_move_pages+0xa5c/0x1100 do_syscall_64+0x5f/0x310 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Hugh Dickins diagnosed this as a migration bug caused by code introduced to use i_mmap_rwsem for pmd sharing synchronization. Specifically, the routine unmap_and_move_huge_page() is always passing the TTU_RMAP_LOCKED flag to try_to_unmap() while holding i_mmap_rwsem. This is wrong for anon pages as the anon_vma_lock should be held in this case. Further analysis suggested that i_mmap_rwsem was not required to he held at all when calling try_to_unmap for anon pages as an anon page could never be part of a shared pmd mapping. Discussion also revealed that the hack in hugetlb_page_mapping_lock_write to drop page lock and acquire i_mmap_rwsem is wrong. There is no way to keep mapping valid while dropping page lock. This patch does the following: - Do not take i_mmap_rwsem and set TTU_RMAP_LOCKED for anon pages when calling try_to_unmap. - Remove the hacky code in hugetlb_page_mapping_lock_write. The routine will now simply do a 'trylock' while still holding the page lock. If the trylock fails, it will return NULL. This could impact the callers: - migration calling code will receive -EAGAIN and retry up to the hard coded limit (10). - memory error code will treat the page as BUSY. This will force killing (SIGKILL) instead of SIGBUS any mapping tasks. Do note that this change in behavior only happens when there is a race. None of the standard kernel testing suites actually hit this race, but it is possible. [1] https://lore.kernel.org/lkml/20200708012044.GC992@lca.pw/ [2] https://lore.kernel.org/linux-mm/alpine.LSU.2.11.2010071833100.2214@eggly.anvils/ Fixes: c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization") Reported-by: Qian Cai Suggested-by: Hugh Dickins Signed-off-by: Mike Kravetz Signed-off-by: Andrew Morton Acked-by: Naoya Horiguchi Cc: Link: https://lkml.kernel.org/r/20201105195058.78401-1-mike.kravetz@oracle.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2af8b61a6b7dde4bd5096ffcbaaee1b99ef9a8c Author: Matteo Croce Date: Fri Nov 13 22:52:07 2020 -0800 reboot: fix overflow parsing reboot cpu number commit df5b0ab3e08a156701b537809914b339b0daa526 upstream. Limit the CPU number to num_possible_cpus(), because setting it to a value lower than INT_MAX but higher than NR_CPUS produces the following error on reboot and shutdown: BUG: unable to handle page fault for address: ffffffff90ab1bb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c09067 P4D 1c09067 PUD 1c0a063 PMD 0 Oops: 0000 [#1] SMP CPU: 1 PID: 1 Comm: systemd-shutdow Not tainted 5.9.0-rc8-kvm #110 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 RIP: 0010:migrate_to_reboot_cpu+0xe/0x60 Code: ea ea 00 48 89 fa 48 c7 c7 30 57 f1 81 e9 fa ef ff ff 66 2e 0f 1f 84 00 00 00 00 00 53 8b 1d d5 ea ea 00 e8 14 33 fe ff 89 da <48> 0f a3 15 ea fc bd 00 48 89 d0 73 29 89 c2 c1 e8 06 65 48 8b 3c RSP: 0018:ffffc90000013e08 EFLAGS: 00010246 RAX: ffff88801f0a0000 RBX: 0000000077359400 RCX: 0000000000000000 RDX: 0000000077359400 RSI: 0000000000000002 RDI: ffffffff81c199e0 RBP: ffffffff81c1e3c0 R08: ffff88801f41f000 R09: ffffffff81c1e348 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 00007f32bedf8830 R14: 00000000fee1dead R15: 0000000000000000 FS: 00007f32bedf8980(0000) GS:ffff88801f480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff90ab1bb0 CR3: 000000001d057000 CR4: 00000000000006a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __do_sys_reboot.cold+0x34/0x5b do_syscall_64+0x2d/0x40 Fixes: 1b3a5d02ee07 ("reboot: move arch/x86 reboot= handling to generic kernel") Signed-off-by: Matteo Croce Signed-off-by: Andrew Morton Cc: Arnd Bergmann Cc: Fabian Frederick Cc: Greg Kroah-Hartman Cc: Guenter Roeck Cc: Kees Cook Cc: Mike Rapoport Cc: Pavel Tatashin Cc: Petr Mladek Cc: Robin Holt Cc: Link: https://lkml.kernel.org/r/20201103214025.116799-3-mcroce@linux.microsoft.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 566fd53d6df36eed3da6fb3007e285ad13abd988 Author: Matteo Croce Date: Fri Nov 13 22:52:02 2020 -0800 Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" commit 8b92c4ff4423aa9900cf838d3294fcade4dbda35 upstream. Patch series "fix parsing of reboot= cmdline", v3. The parsing of the reboot= cmdline has two major errors: - a missing bound check can crash the system on reboot - parsing of the cpu number only works if specified last Fix both. This patch (of 2): This reverts commit 616feab753972b97. kstrtoint() and simple_strtoul() have a subtle difference which makes them non interchangeable: if a non digit character is found amid the parsing, the former will return an error, while the latter will just stop parsing, e.g. simple_strtoul("123xyx") = 123. The kernel cmdline reboot= argument allows to specify the CPU used for rebooting, with the syntax `s####` among the other flags, e.g. "reboot=warm,s31,force", so if this flag is not the last given, it's silently ignored as well as the subsequent ones. Fixes: 616feab75397 ("kernel/reboot.c: convert simple_strtoul to kstrtoint") Signed-off-by: Matteo Croce Signed-off-by: Andrew Morton Cc: Guenter Roeck Cc: Petr Mladek Cc: Arnd Bergmann Cc: Mike Rapoport Cc: Kees Cook Cc: Pavel Tatashin Cc: Robin Holt Cc: Fabian Frederick Cc: Greg Kroah-Hartman Cc: Link: https://lkml.kernel.org/r/20201103214025.116799-2-mcroce@linux.microsoft.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b742ca1b74e4b3e195d3eb9b5779da5e8ee19ebb Author: Jason Gunthorpe Date: Fri Nov 13 22:51:56 2020 -0800 mm/gup: use unpin_user_pages() in __gup_longterm_locked() commit 96e1fac162cc0086c50b2b14062112adb2ba640e upstream. When FOLL_PIN is passed to __get_user_pages() the page list must be put back using unpin_user_pages() otherwise the page pin reference persists in a corrupted state. There are two places in the unwind of __gup_longterm_locked() that put the pages back without checking. Normally on error this function would return the partial page list making this the caller's responsibility, but in these two cases the caller is not allowed to see these pages at all. Fixes: 3faa52c03f44 ("mm/gup: track FOLL_PIN pages") Reported-by: Ira Weiny Signed-off-by: Jason Gunthorpe Signed-off-by: Andrew Morton Reviewed-by: Ira Weiny Reviewed-by: John Hubbard Cc: Aneesh Kumar K.V Cc: Dan Williams Cc: Link: https://lkml.kernel.org/r/0-v2-3ae7d9d162e2+2a7-gup_cma_fix_jgg@nvidia.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e20add452163e1d93bc30f1e2cb27c254359ca5a Author: Nicholas Piggin Date: Fri Nov 13 22:51:46 2020 -0800 mm/vmscan: fix NR_ISOLATED_FILE corruption on 64-bit commit 2da9f6305f306ffbbb44790675799328fb73119d upstream. Previously the negated unsigned long would be cast back to signed long which would have the correct negative value. After commit 730ec8c01a2b ("mm/vmscan.c: change prototype for shrink_page_list"), the large unsigned int converts to a large positive signed long. Symptoms include CMA allocations hanging forever holding the cma_mutex due to alloc_contig_range->...->isolate_migratepages_block waiting forever in "while (unlikely(too_many_isolated(pgdat)))". [akpm@linux-foundation.org: fix -stat.nr_lazyfree_fail as well, per Michal] Fixes: 730ec8c01a2b ("mm/vmscan.c: change prototype for shrink_page_list") Signed-off-by: Nicholas Piggin Signed-off-by: Andrew Morton Acked-by: Michal Hocko Cc: Vaneet Narang Cc: Maninder Singh Cc: Amit Sahrawat Cc: Mel Gorman Cc: Vlastimil Babka Cc: Link: https://lkml.kernel.org/r/20201029032320.1448441-1-npiggin@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b65f7b577156add8ac490ab29c85e62fb4064fde Author: Laurent Dufour Date: Fri Nov 13 22:51:53 2020 -0800 mm/slub: fix panic in slab_alloc_node() commit 22e4663e916321b72972c69ca0c6b962f529bd78 upstream. While doing memory hot-unplug operation on a PowerPC VM running 1024 CPUs with 11TB of ram, I hit the following panic: BUG: Kernel NULL pointer dereference on read at 0x00000007 Faulting instruction address: 0xc000000000456048 Oops: Kernel access of bad area, sig: 11 [#2] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS= 2048 NUMA pSeries Modules linked in: rpadlpar_io rpaphp CPU: 160 PID: 1 Comm: systemd Tainted: G D 5.9.0 #1 NIP: c000000000456048 LR: c000000000455fd4 CTR: c00000000047b350 REGS: c00006028d1b77a0 TRAP: 0300 Tainted: G D (5.9.0) MSR: 8000000000009033 CR: 24004228 XER: 00000000 CFAR: c00000000000f1b0 DAR: 0000000000000007 DSISR: 40000000 IRQMASK: 0 GPR00: c000000000455fd4 c00006028d1b7a30 c000000001bec800 0000000000000000 GPR04: 0000000000000dc0 0000000000000000 00000000000374ef c00007c53df99320 GPR08: 000007c53c980000 0000000000000000 000007c53c980000 0000000000000000 GPR12: 0000000000004400 c00000001e8e4400 0000000000000000 0000000000000f6a GPR16: 0000000000000000 c000000001c25930 c000000001d62528 00000000000000c1 GPR20: c000000001d62538 c00006be469e9000 0000000fffffffe0 c0000000003c0ff8 GPR24: 0000000000000018 0000000000000000 0000000000000dc0 0000000000000000 GPR28: c00007c513755700 c000000001c236a4 c00007bc4001f800 0000000000000001 NIP [c000000000456048] __kmalloc_node+0x108/0x790 LR [c000000000455fd4] __kmalloc_node+0x94/0x790 Call Trace: kvmalloc_node+0x58/0x110 mem_cgroup_css_online+0x10c/0x270 online_css+0x48/0xd0 cgroup_apply_control_enable+0x2c4/0x470 cgroup_mkdir+0x408/0x5f0 kernfs_iop_mkdir+0x90/0x100 vfs_mkdir+0x138/0x250 do_mkdirat+0x154/0x1c0 system_call_exception+0xf8/0x200 system_call_common+0xf0/0x27c Instruction dump: e93e0000 e90d0030 39290008 7cc9402a e94d0030 e93e0000 7ce95214 7f89502a 2fbc0000 419e0018 41920230 e9270010 <89290007> 7f994800 419e0220 7ee6bb78 This pointing to the following code: mm/slub.c:2851 if (unlikely(!object || !node_match(page, node))) { c000000000456038: 00 00 bc 2f cmpdi cr7,r28,0 c00000000045603c: 18 00 9e 41 beq cr7,c000000000456054 <__kmalloc_node+0x114> node_match(): mm/slub.c:2491 if (node != NUMA_NO_NODE && page_to_nid(page) != node) c000000000456040: 30 02 92 41 beq cr4,c000000000456270 <__kmalloc_node+0x330> page_to_nid(): include/linux/mm.h:1294 c000000000456044: 10 00 27 e9 ld r9,16(r7) c000000000456048: 07 00 29 89 lbz r9,7(r9) <<<< r9 = NULL node_match(): mm/slub.c:2491 c00000000045604c: 00 48 99 7f cmpw cr7,r25,r9 c000000000456050: 20 02 9e 41 beq cr7,c000000000456270 <__kmalloc_node+0x330> The panic occurred in slab_alloc_node() when checking for the page's node: object = c->freelist; page = c->page; if (unlikely(!object || !node_match(page, node))) { object = __slab_alloc(s, gfpflags, node, addr, c); stat(s, ALLOC_SLOWPATH); The issue is that object is not NULL while page is NULL which is odd but may happen if the cache flush happened after loading object but before loading page. Thus checking for the page pointer is required too. The cache flush is done through an inter processor interrupt when a piece of memory is off-lined. That interrupt is triggered when a memory hot-unplug operation is initiated and offline_pages() is calling the slub's MEM_GOING_OFFLINE callback slab_mem_going_offline_callback() which is calling flush_cpu_slab(). If that interrupt is caught between the reading of c->freelist and the reading of c->page, this could lead to such a situation. That situation is expected and the later call to this_cpu_cmpxchg_double() will detect the change to c->freelist and redo the whole operation. In commit 6159d0f5c03e ("mm/slub.c: page is always non-NULL in node_match()") check on the page pointer has been removed assuming that page is always valid when it is called. It happens that this is not true in that particular case, so check for page before calling node_match() here. Fixes: 6159d0f5c03e ("mm/slub.c: page is always non-NULL in node_match()") Signed-off-by: Laurent Dufour Signed-off-by: Andrew Morton Acked-by: Vlastimil Babka Acked-by: Christoph Lameter Cc: Wei Yang Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Cc: Nathan Lynch Cc: Scott Cheloha Cc: Michal Hocko Cc: Link: https://lkml.kernel.org/r/20201027190406.33283-1-ldufour@linux.ibm.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c4629e4e7e098af0ec9d98316636651f3a86ec32 Author: Zi Yan Date: Fri Nov 13 22:51:43 2020 -0800 mm/compaction: stop isolation if too many pages are isolated and we have pages to migrate commit d20bdd571ee5c9966191568527ecdb1bd4b52368 upstream. In isolate_migratepages_block, if we have too many isolated pages and nr_migratepages is not zero, we should try to migrate what we have without wasting time on isolating. In theory it's possible that multiple parallel compactions will cause too_many_isolated() to become true even if each has isolated less than COMPACT_CLUSTER_MAX, and loop forever in the while loop. Bailing immediately prevents that. [vbabka@suse.cz: changelog addition] Fixes: 1da2f328fa64 (“mm,thp,compaction,cma: allow THP migration for CMA allocations”) Suggested-by: Vlastimil Babka Signed-off-by: Zi Yan Signed-off-by: Andrew Morton Cc: Cc: Mel Gorman Cc: Michal Hocko Cc: Rik van Riel Cc: Yang Shi Link: https://lkml.kernel.org/r/20201030183809.3616803-2-zi.yan@sent.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f8b40ef128c5c8c1cdd744aa7c78b3f66c60e805 Author: Zi Yan Date: Fri Nov 13 22:51:40 2020 -0800 mm/compaction: count pages and stop correctly during page isolation commit 38935861d85a4d9a353d1dd5a156c97700e2765d upstream. In isolate_migratepages_block, when cc->alloc_contig is true, we are able to isolate compound pages. But nr_migratepages and nr_isolated did not count compound pages correctly, causing us to isolate more pages than we thought. So count compound pages as the number of base pages they contain. Otherwise, we might be trapped in too_many_isolated while loop, since the actual isolated pages can go up to COMPACT_CLUSTER_MAX*512=16384, where COMPACT_CLUSTER_MAX is 32, since we stop isolation after cc->nr_migratepages reaches to COMPACT_CLUSTER_MAX. In addition, after we fix the issue above, cc->nr_migratepages could never be equal to COMPACT_CLUSTER_MAX if compound pages are isolated, thus page isolation could not stop as we intended. Change the isolation stop condition to '>='. The issue can be triggered as follows: In a system with 16GB memory and an 8GB CMA region reserved by hugetlb_cma, if we first allocate 10GB THPs and mlock them (so some THPs are allocated in the CMA region and mlocked), reserving 6 1GB hugetlb pages via /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages will get stuck (looping in too_many_isolated function) until we kill either task. With the patch applied, oom will kill the application with 10GB THPs and let hugetlb page reservation finish. [ziy@nvidia.com: v3] Link: https://lkml.kernel.org/r/20201030183809.3616803-1-zi.yan@sent.com Fixes: 1da2f328fa64 ("cmm,thp,compaction,cma: allow THP migration for CMA allocations") Signed-off-by: Zi Yan Signed-off-by: Andrew Morton Reviewed-by: Yang Shi Acked-by: Vlastimil Babka Cc: Rik van Riel Cc: Michal Hocko Cc: Mel Gorman Cc: Link: https://lkml.kernel.org/r/20201029200435.3386066-1-zi.yan@sent.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9d152949f582fc99a59212453d0d2f72763ef33c Author: Masami Hiramatsu Date: Fri Nov 13 02:27:31 2020 +0900 bootconfig: Extend the magic check range to the preceding 3 bytes commit 50b8a742850fce7293bed45753152c425f7e931b upstream. Since Grub may align the size of initrd to 4 if user pass initrd from cpio, we have to check the preceding 3 bytes as well. Link: https://lkml.kernel.org/r/160520205132.303174.4876760192433315429.stgit@devnote2 Cc: stable@vger.kernel.org Fixes: 85c46b78da58 ("bootconfig: Add bootconfig magic word for indicating bootconfig explicitly") Reported-by: Chen Yu Tested-by: Chen Yu Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 3923dd25def337df6fe6c9b25314913df4385d4f Author: Theodore Ts'o Date: Sat Nov 7 00:00:49 2020 -0500 jbd2: fix up sparse warnings in checkpoint code commit 05d5233df85e9621597c5838e95235107eb624a2 upstream. Add missing __acquires() and __releases() annotations. Also, in an "this should never happen" WARN_ON check, if it *does* actually happen, we need to release j_state_lock since this function is always supposed to release that lock. Otherwise, things will quickly grind to a halt after the WARN_ON trips. Fixes: 96f1e0974575 ("jbd2: avoid long hold times of j_state_lock...") Cc: stable@kernel.org Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 07b4f1246b72343569e28b67efd47569fe62ec56 Author: Dan Carpenter Date: Fri Nov 6 11:52:05 2020 +0300 futex: Don't enable IRQs unconditionally in put_pi_state() commit 1e106aa3509b86738769775969822ffc1ec21bf4 upstream. The exit_pi_state_list() function calls put_pi_state() with IRQs disabled and is not expecting that IRQs will be enabled inside the function. Use the _irqsave() variant so that IRQs are restored to the original state instead of being enabled unconditionally. Fixes: 153fbd1226fb ("futex: Fix more put_pi_state() vs. exit_pi_state_list() races") Signed-off-by: Dan Carpenter Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201106085205.GA1159983@mwanda Signed-off-by: Greg Kroah-Hartman commit 67c433c290285db464f45c4159004c87d3e28a0e Author: Alexander Usyskin Date: Thu Oct 29 11:54:42 2020 +0200 mei: protect mei_cl_mtu from null dereference commit bcbc0b2e275f0a797de11a10eff495b4571863fc upstream. A receive callback is queued while the client is still connected but can still be called after the client was disconnected. Upon disconnect cl->me_cl is set to NULL, hence we need to check that ME client is not-NULL in mei_cl_mtu to avoid null dereference. Cc: Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20201029095444.957924-2-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 1ce7fd4c3d06f901a5f2a68a357964380be20ec0 Author: Alexander Lobakin Date: Wed Nov 4 15:31:36 2020 +0000 virtio: virtio_console: fix DMA memory allocation for rproc serial commit 9d516aa82b7d4fbe7f6303348697960ba03a530b upstream. Since commit 086d08725d34 ("remoteproc: create vdev subdevice with specific dma memory pool"), every remoteproc has a DMA subdevice ("remoteprocX#vdevYbuffer") for each virtio device, which inherits DMA capabilities from the corresponding platform device. This allowed to associate different DMA pools with each vdev, and required from virtio drivers to perform DMA operations with the parent device (vdev->dev.parent) instead of grandparent (vdev->dev.parent->parent). virtio_rpmsg_bus was already changed in the same merge cycle with commit d999b622fcfb ("rpmsg: virtio: allocate buffer from parent"), but virtio_console did not. In fact, operations using the grandparent worked fine while the grandparent was the platform device, but since commit c774ad010873 ("remoteproc: Fix and restore the parenting hierarchy for vdev") this was changed, and now the grandparent device is the remoteproc device without any DMA capabilities. So, starting v5.8-rc1 the following warning is observed: [ 2.483925] ------------[ cut here ]------------ [ 2.489148] WARNING: CPU: 3 PID: 101 at kernel/dma/mapping.c:427 0x80e7eee8 [ 2.489152] Modules linked in: virtio_console(+) [ 2.503737] virtio_rpmsg_bus rpmsg_core [ 2.508903] [ 2.528898] [ 2.913043] [ 2.914907] ---[ end trace 93ac8746beab612c ]--- [ 2.920102] virtio-ports vport1p0: Error allocating inbufs kernel/dma/mapping.c:427 is: WARN_ON_ONCE(!dev->coherent_dma_mask); obviously because the grandparent now is remoteproc dev without any DMA caps: [ 3.104943] Parent: remoteproc0#vdev1buffer, grandparent: remoteproc0 Fix this the same way as it was for virtio_rpmsg_bus, using just the parent device (vdev->dev.parent, "remoteprocX#vdevYbuffer") for DMA operations. This also allows now to reserve DMA pools/buffers for rproc serial via Device Tree. Fixes: c774ad010873 ("remoteproc: Fix and restore the parenting hierarchy for vdev") Cc: stable@vger.kernel.org # 5.1+ Reviewed-by: Mathieu Poirier Acked-by: Jason Wang Signed-off-by: Alexander Lobakin Date: Thu, 5 Nov 2020 11:10:24 +0800 Link: https://lore.kernel.org/r/AOKowLclCbOCKxyiJ71WeNyuAAj2q8EUtxrXbyky5E@cp7-web-042.plabs.ch Signed-off-by: Greg Kroah-Hartman commit 929f5035ec798ba85b000c15235e901f88df42a1 Author: Zhang Qilong Date: Fri Nov 6 20:22:21 2020 +0800 xhci: hisilicon: fix refercence leak in xhci_histb_probe commit 76255470ffa2795a44032e8b3c1ced11d81aa2db upstream. pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. We should decrease the usage count whetever it succeeded or failed(maybe runtime of the device has error, or device is in inaccessible state, or other error state). If we do not call put operation to decrease the reference, it will result in reference leak in xhci_histb_probe. Moreover, this device cannot enter the idle state and always stay busy or other non-idle state later. So we fixed it by jumping to error handling branch. Fixes: c508f41da0788 ("xhci: hisilicon: support HiSilicon STB xHCI host controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201106122221.2304528-1-zhangqilong3@huawei.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 396d17b10619a5b009ee95e048acfd735dec8f20 Author: Heikki Krogerus Date: Tue Nov 10 15:05:47 2020 +0300 usb: typec: ucsi: Report power supply changes commit 0e6371fbfba3a4f76489e6e97c1c7f8386ad5fd2 upstream. When the ucsi power supply goes online/offline, and when the power levels change, the power supply class needs to be notified so it can inform the user space. Fixes: 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class") Cc: stable@vger.kernel.org Reported-and-tested-by: Vladimir Yerilov Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20201110120547.67922-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ebc047afe9d2f04fdfd81d74e6c32bb3671b4670 Author: Chris Brandt Date: Wed Nov 11 08:12:09 2020 -0500 usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream. Renesas R-Car and RZ/G SoCs have a firmware download mode over USB. However, on reset a banner string is transmitted out which is not expected to be echoed back and will corrupt the protocol. Cc: stable Acked-by: Oliver Neukum Signed-off-by: Chris Brandt Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com Signed-off-by: Greg Kroah-Hartman commit 16a38a9f8abdae1745db6e4b478eac21e0eb506a Author: Geert Uytterhoeven Date: Thu Nov 12 14:59:00 2020 +0100 Revert "usb: musb: convert to devm_platform_ioremap_resource_byname" commit ffa13d2d94029882eca22a565551783787f121e5 upstream. This reverts commit 2d30e408a2a6b3443d3232593e3d472584a3e9f8. On Beaglebone Black, where each interface has 2 children: musb-dsps 47401c00.usb: can't request region for resource [mem 0x47401800-0x474019ff] musb-hdrc musb-hdrc.1: musb_init_controller failed with status -16 musb-hdrc: probe of musb-hdrc.1 failed with error -16 musb-dsps 47401400.usb: can't request region for resource [mem 0x47401000-0x474011ff] musb-hdrc musb-hdrc.0: musb_init_controller failed with status -16 musb-hdrc: probe of musb-hdrc.0 failed with error -16 Before, devm_ioremap_resource() was called on "dev" ("musb-hdrc.0" or "musb-hdrc.1"), after it is called on "&pdev->dev" ("47401400.usb" or "47401c00.usb"), leading to a duplicate region request, which fails. Signed-off-by: Geert Uytterhoeven Fixes: 2d30e408a2a6 ("usb: musb: convert to devm_platform_ioremap_resource_byname") Cc: stable Link: https://lore.kernel.org/r/20201112135900.3822599-1-geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman commit f93a741a19a99d1ea894ddf7d193599f84672ee0 Author: Shin'ichiro Kawasaki Date: Mon Nov 2 21:28:19 2020 +0900 uio: Fix use-after-free in uio_unregister_device() commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream. Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") triggered KASAN use-after-free failure at deletion of TCM-user backstores [1]. In uio_unregister_device(), struct uio_device *idev is passed to uio_free_minor() to refer idev->minor. However, before uio_free_minor() call, idev is already freed by uio_device_release() during call to device_unregister(). To avoid reference to idev->minor after idev free, keep idev->minor value in a local variable. Also modify uio_free_minor() argument to receive the value. [1] BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190 Read of size 4 at addr ffff888105196508 by task targetcli/49158 CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1 Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 Call Trace: dump_stack+0xae/0xe5 ? uio_unregister_device+0x166/0x190 print_address_description.constprop.0+0x1c/0x210 ? uio_unregister_device+0x166/0x190 ? uio_unregister_device+0x166/0x190 kasan_report.cold+0x37/0x7c ? kobject_put+0x80/0x410 ? uio_unregister_device+0x166/0x190 uio_unregister_device+0x166/0x190 tcmu_destroy_device+0x1c4/0x280 [target_core_user] ? tcmu_release+0x90/0x90 [target_core_user] ? __mutex_unlock_slowpath+0xd6/0x5d0 target_free_device+0xf3/0x2e0 [target_core_mod] config_item_cleanup+0xea/0x210 configfs_rmdir+0x651/0x860 ? detach_groups.isra.0+0x380/0x380 vfs_rmdir.part.0+0xec/0x3a0 ? __lookup_hash+0x20/0x150 do_rmdir+0x252/0x320 ? do_file_open_root+0x420/0x420 ? strncpy_from_user+0xbc/0x2f0 ? getname_flags.part.0+0x8e/0x450 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f9e2bfc91fb Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054 RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90 RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440 R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780 Allocated by task 34735: kasan_save_stack+0x1b/0x40 __kasan_kmalloc.constprop.0+0xc2/0xd0 __uio_register_device+0xeb/0xd40 tcmu_configure_device+0x5a0/0xbc0 [target_core_user] target_configure_device+0x12f/0x760 [target_core_mod] target_dev_enable_store+0x32/0x50 [target_core_mod] configfs_write_file+0x2bb/0x450 vfs_write+0x1ce/0x610 ksys_write+0xe9/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 49158: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x1b/0x30 __kasan_slab_free+0x110/0x150 slab_free_freelist_hook+0x5a/0x170 kfree+0xc6/0x560 device_release+0x9b/0x210 kobject_put+0x13e/0x410 uio_unregister_device+0xf9/0x190 tcmu_destroy_device+0x1c4/0x280 [target_core_user] target_free_device+0xf3/0x2e0 [target_core_mod] config_item_cleanup+0xea/0x210 configfs_rmdir+0x651/0x860 vfs_rmdir.part.0+0xec/0x3a0 do_rmdir+0x252/0x320 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888105196000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1288 bytes inside of 2048-byte region [ffff888105196000, ffff888105196800) The buggy address belongs to the page: page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190 head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x17ffffc0010200(slab|head) raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040 raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01 page dumped because: kasan: bad access detected page->mem_cgroup:ffff88810eb55c01 Memory state around the buggy address: ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") Cc: stable Signed-off-by: Shin'ichiro Kawasaki Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com Signed-off-by: Greg Kroah-Hartman commit 59b84822568f81e7625f15f3fbb310ff6af21b42 Author: Petr Vorel Date: Thu Nov 12 17:50:05 2020 +0100 loop: Fix occasional uevent drop commit c01a21b77722db0474bbcc4eafc8c4e0d8fed6d8 upstream. Commit 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify") causes an occasional drop of loop device uevent, which are no longer triggered in loop_set_size() but in a different part of code. Bug is reproducible with LTP test uevent01 [1]: i=0; while true; do i=$((i+1)); echo "== $i ==" lsmod |grep -q loop && rmmod -f loop ./uevent01 || break done Put back triggering through code called in loop_set_size(). Fix required to add yet another parameter to set_capacity_revalidate_and_notify(). [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/uevents/uevent01.c [hch: rebased on a different change to the prototype of set_capacity_revalidate_and_notify] Cc: stable@vger.kernel.org # v5.9 Fixes: 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify") Reported-by: Signed-off-by: Petr Vorel Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 40ca77fdac0f4eeeb248778bc95316920ff3d7e2 Author: Christoph Hellwig Date: Thu Nov 12 17:50:04 2020 +0100 block: add a return value to set_capacity_revalidate_and_notify commit 7e890c37c25c7cbca37ff0ab292873d8146e713b upstream. Return if the function ended up sending an uevent or not. Cc: stable@vger.kernel.org # v5.9 Signed-off-by: Christoph Hellwig Reviewed-by: Petr Vorel Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bdffd69031b8968cec248d13468837b72c6926f7 Author: Jing Xiangfeng Date: Thu Oct 15 16:40:53 2020 +0800 thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream. ring_request_msix() misses to call ida_simple_remove() in an error path. Add a label 'err_ida_remove' and jump to it. Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support") Cc: stable@vger.kernel.org Signed-off-by: Jing Xiangfeng Reviewed-by: Andy Shevchenko Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 134b85544565596771622ae0ec5d7b7a3b13dc6f Author: Mika Westerberg Date: Wed Oct 7 17:06:17 2020 +0300 thunderbolt: Fix memory leak if ida_simple_get() fails in enumerate_services() commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream. The svc->key field is not released as it should be if ida_simple_get() fails so fix that. Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get") Cc: stable@vger.kernel.org Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 263a3db5cabfa1878ff1e23380d70002b21539f9 Author: Samuel Thibault Date: Sun Nov 8 00:33:10 2020 +0100 speakup: Fix clearing selection in safe context commit 640969a69ca4dd2ac025fe873c6bf25eba8f11b3 upstream. speakup_cut() calls speakup_clear_selection() which calls console_lock. Problem is: speakup_cut() is called from a keyboard interrupt context. This would hang if speakup_cut is pressed while the console lock is unfortunately already held. We can however as well just defer calling clear_selection() until the already-deferred set_selection_kernel() call. This was spotted by the lock hardener: Possible unsafe locking scenario:\x0a CPU0 ---- lock(console_lock); lock(console_lock); \x0a *** DEADLOCK ***\x0a [...] Call Trace: dump_stack+0xc2/0x11a print_usage_bug.cold+0x3e0/0x4b1 mark_lock+0xd95/0x1390 ? print_irq_inversion_bug+0xa0/0xa0 __lock_acquire+0x21eb/0x5730 ? __kasan_check_read+0x11/0x20 ? check_chain_key+0x215/0x5e0 ? register_lock_class+0x1580/0x1580 ? lock_downgrade+0x7a0/0x7a0 ? __rwlock_init+0x140/0x140 lock_acquire+0x13f/0x370 ? speakup_clear_selection+0xe/0x20 [speakup] console_lock+0x33/0x50 ? speakup_clear_selection+0xe/0x20 [speakup] speakup_clear_selection+0xe/0x20 [speakup] speakup_cut+0x19e/0x4b0 [speakup] keyboard_notifier_call+0x1f04/0x4a40 [speakup] ? read_all_doc+0x240/0x240 [speakup] notifier_call_chain+0xbf/0x130 __atomic_notifier_call_chain+0x80/0x130 atomic_notifier_call_chain+0x16/0x20 kbd_event+0x7d7/0x3b20 ? k_pad+0x850/0x850 ? sysrq_filter+0x450/0xd40 input_to_handler+0x362/0x4b0 ? rcu_read_lock_sched_held+0xe0/0xe0 input_pass_values+0x408/0x5a0 ? __rwlock_init+0x140/0x140 ? lock_acquire+0x13f/0x370 input_handle_event+0x70e/0x1380 input_event+0x67/0x90 atkbd_interrupt+0xe62/0x1d4e [atkbd] ? __kasan_check_write+0x14/0x20 ? atkbd_event_work+0x130/0x130 [atkbd] ? _raw_spin_lock_irqsave+0x26/0x70 serio_interrupt+0x93/0x120 [serio] i8042_interrupt+0x232/0x510 [i8042] ? rcu_read_lock_bh_held+0xd0/0xd0 ? handle_irq_event+0xa5/0x13a ? i8042_remove+0x1f0/0x1f0 [i8042] __handle_irq_event_percpu+0xe6/0x6c0 handle_irq_event_percpu+0x71/0x150 ? __handle_irq_event_percpu+0x6c0/0x6c0 ? __kasan_check_read+0x11/0x20 ? do_raw_spin_unlock+0x5c/0x240 handle_irq_event+0xad/0x13a handle_edge_irq+0x233/0xa90 do_IRQ+0x10b/0x310 common_interrupt+0xf/0xf Cc: stable@vger.kernel.org Reported-by: Jookia Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20201107233310.7iisvaozpiqj3yvy@function Signed-off-by: Greg Kroah-Hartman commit ac503b2b075b536f61fbf68c32bc81bc7a49fd1a Author: Samuel Thibault Date: Sun Nov 8 14:12:33 2020 +0100 speakup ttyio: Do not schedule() in ttyio_in_nowait commit 3ed1cfb2cee4355ddef49489897bfe474daeeaec upstream. With the ltlk and spkout drivers, the index read function, i.e. in_nowait, is getting called from the read_all_doc mechanism, from the timer softirq: Call Trace: dump_stack+0x71/0x98 dequeue_task_idle+0x1f/0x28 __schedule+0x167/0x5d6 ? trace_hardirqs_on+0x2e/0x3a ? usleep_range+0x7f/0x7f schedule+0x8a/0xae schedule_timeout+0xb1/0xea ? del_timer_sync+0x31/0x31 do_wait_for_common+0xba/0x12b ? wake_up_q+0x45/0x45 wait_for_common+0x37/0x50 ttyio_in+0x2a/0x6b spk_ttyio_in_nowait+0xc/0x13 spk_get_index_count+0x20/0x93 cursor_done+0x1c6/0x4c6 ? read_all_doc+0xb1/0xb1 call_timer_fn+0x89/0x140 run_timer_softirq+0x164/0x1a5 ? read_all_doc+0xb1/0xb1 ? hrtimer_forward+0x7b/0x87 ? timerqueue_add+0x62/0x68 ? enqueue_hrtimer+0x95/0x9f __do_softirq+0x181/0x31f irq_exit+0x6a/0x86 smp_apic_timer_interrupt+0x15e/0x183 apic_timer_interrupt+0xf/0x20 We thus should not schedule() at all, even with timeout == 0, this crashes the kernel. We can however use try_wait_for_completion() instead of wait_for_completion_timeout(0). Cc: stable@vger.kernel.org Reported-by: John Covici Tested-by: John Covici Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20201108131233.tadycr73sxlvodgo@function Signed-off-by: Greg Kroah-Hartman commit a57faaf89a70a8ba9aa8bfbcc86f3047d837f1be Author: Samuel Thibault Date: Mon Oct 12 18:06:46 2020 +0200 speakup: Fix var_id_t values and thus keymap commit d7012df3c9aecdcfb50f7a2ebad766952fd1410e upstream. commit d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") introduced a new "inflection" speakup parameter next to "pitch", but the values of the var_id_t enum are actually used by the keymap tables so we must not renumber them. The effect was that notably the volume control shortcut (speakup-1 or 2) was actually changing the inflection. This moves the INFLECTION value at the end of the var_id_t enum to fix back the enum values. This also adds a warning about it. Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") Cc: stable@vger.kernel.org Reported-by: Kirk Reiser Reported-by: Gregory Nowak Tested-by: Gregory Nowak Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20201012160646.qmdo4eqtj24hpch4@function Signed-off-by: Greg Kroah-Hartman commit 5a7a848160f9b45dacb1f93e1ce49f81f235832f Author: Andrew Jones Date: Thu Nov 5 10:10:19 2020 +0100 KVM: arm64: Don't hide ID registers from userspace commit f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 upstream. ID registers are RAZ until they've been allocated a purpose, but that doesn't mean they should be removed from the KVM_GET_REG_LIST list. So far we only have one register, SYS_ID_AA64ZFR0_EL1, that is hidden from userspace when its function, SVE, is not present. Expose SYS_ID_AA64ZFR0_EL1 to userspace as RAZ when SVE is not implemented. Removing the userspace visibility checks is enough to reexpose it, as it will already return zero to userspace when SVE is not present. The register already behaves as RAZ for the guest when SVE is not present. Fixes: 73433762fcae ("KVM: arm64/sve: System register context switch and access support") Reported-by: 张东旭 Signed-off-by: Andrew Jones Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org#v5.2+ Link: https://lore.kernel.org/r/20201105091022.15373-2-drjones@redhat.com Signed-off-by: Greg Kroah-Hartman commit e2d9f3cc7edd47cd328e3bea0bd0ba2c0c1920a9 Author: Anand Jain Date: Fri Oct 30 06:53:56 2020 +0800 btrfs: dev-replace: fail mount if we don't have replace item with target device commit cf89af146b7e62af55470cf5f3ec3c56ec144a5e upstream. If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace item, then it means the filesystem is inconsistent state. This is either corruption or a crafted image. Fail the mount as this needs a closer look what is actually wrong. As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace item, in __btrfs_free_extra_devids() we determine that there is an extra device, and free those extra devices but continue to mount the device. However, we were wrong in keeping tack of the rw_devices so the syzbot testcase failed: WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 panic+0x347/0x7c0 kernel/panic.c:231 __warn.cold+0x20/0x46 kernel/panic.c:600 report_bug+0x1bd/0x210 lib/bug.c:198 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 RSP: 0018:ffffc900091777e0 EFLAGS: 00010246 RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000 RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007 RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130 R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050 close_fs_devices fs/btrfs/volumes.c:1193 [inline] btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179 open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434 btrfs_fill_super fs/btrfs/super.c:1316 [inline] btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672 The fix here is, when we determine that there isn't a replace item then fail the mount if there is a replace target device (devid 0). CC: stable@vger.kernel.org # 4.19+ Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit f7a0c9f2cfdfcdea9776558486cf9a2518a55776 Author: Josef Bacik Date: Mon Oct 26 16:57:27 2020 -0400 btrfs: fix min reserved size calculation in merge_reloc_root commit fca3a45d08782a2bb85e048fb8e3128b1388d7b7 upstream. The minimum reserve size was adjusted to take into account the height of the tree we are merging, however we can have a root with a level == 0. What we want is root_level + 1 to get the number of nodes we may have to cow. This fixes the enospc_debug warning pops with btrfs/101. Nikolay: this fixes failures on btrfs/060 btrfs/062 btrfs/063 and btrfs/195 That I was seeing, the call trace was: [ 3680.515564] ------------[ cut here ]------------ [ 3680.515566] BTRFS: block rsv returned -28 [ 3680.515585] WARNING: CPU: 2 PID: 8339 at fs/btrfs/block-rsv.c:521 btrfs_use_block_rsv+0x162/0x180 [ 3680.515587] Modules linked in: [ 3680.515591] CPU: 2 PID: 8339 Comm: btrfs Tainted: G W 5.9.0-rc8-default #95 [ 3680.515593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 3680.515595] RIP: 0010:btrfs_use_block_rsv+0x162/0x180 [ 3680.515600] RSP: 0018:ffffa01ac9753910 EFLAGS: 00010282 [ 3680.515602] RAX: 0000000000000000 RBX: ffff984b34200000 RCX: 0000000000000027 [ 3680.515604] RDX: 0000000000000027 RSI: 0000000000000000 RDI: ffff984b3bd19e28 [ 3680.515606] RBP: 0000000000004000 R08: ffff984b3bd19e20 R09: 0000000000000001 [ 3680.515608] R10: 0000000000000004 R11: 0000000000000046 R12: ffff984b264fdc00 [ 3680.515609] R13: ffff984b13149000 R14: 00000000ffffffe4 R15: ffff984b34200000 [ 3680.515613] FS: 00007f4e2912b8c0(0000) GS:ffff984b3bd00000(0000) knlGS:0000000000000000 [ 3680.515615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3680.515617] CR2: 00007fab87122150 CR3: 0000000118e42000 CR4: 00000000000006e0 [ 3680.515620] Call Trace: [ 3680.515627] btrfs_alloc_tree_block+0x8b/0x340 [ 3680.515633] ? __lock_acquire+0x51a/0xac0 [ 3680.515646] alloc_tree_block_no_bg_flush+0x4f/0x60 [ 3680.515651] __btrfs_cow_block+0x14e/0x7e0 [ 3680.515662] btrfs_cow_block+0x144/0x2c0 [ 3680.515670] merge_reloc_root+0x4d4/0x610 [ 3680.515675] ? btrfs_lookup_fs_root+0x78/0x90 [ 3680.515686] merge_reloc_roots+0xee/0x280 [ 3680.515695] relocate_block_group+0x2ce/0x5e0 [ 3680.515704] btrfs_relocate_block_group+0x16e/0x310 [ 3680.515711] btrfs_relocate_chunk+0x38/0xf0 [ 3680.515716] btrfs_shrink_device+0x200/0x560 [ 3680.515728] btrfs_rm_device+0x1ae/0x6a6 [ 3680.515744] ? _copy_from_user+0x6e/0xb0 [ 3680.515750] btrfs_ioctl+0x1afe/0x28c0 [ 3680.515755] ? find_held_lock+0x2b/0x80 [ 3680.515760] ? do_user_addr_fault+0x1f8/0x418 [ 3680.515773] ? __x64_sys_ioctl+0x77/0xb0 [ 3680.515775] __x64_sys_ioctl+0x77/0xb0 [ 3680.515781] do_syscall_64+0x31/0x70 [ 3680.515785] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: Nikolay Borisov Fixes: 44d354abf33e ("btrfs: relocation: review the call sites which can be interrupted by signal") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Nikolay Borisov Tested-by: Nikolay Borisov Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9d968ee2073cd9e8673036654a211f515ae7e90c Author: Dinghao Liu Date: Wed Oct 21 13:36:55 2020 +0800 btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod commit 468600c6ec28613b756193c5f780aac062f1acdf upstream. There is one error handling path that does not free ref, which may cause a minor memory leak. CC: stable@vger.kernel.org # 4.19+ Reviewed-by: Josef Bacik Signed-off-by: Dinghao Liu Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9608f641c492210a620f73ff1e6c3774fbf60220 Author: Matthew Wilcox (Oracle) Date: Sun Oct 4 19:04:26 2020 +0100 btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream. On 32-bit systems, this shift will overflow for files larger than 4GB as start_index is unsigned long while the calls to btrfs_delalloc_*_space expect u64. CC: stable@vger.kernel.org # 4.4+ Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release") Reviewed-by: Josef Bacik Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: David Sterba [ define the variable instead of repeating the shift ] Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit d8f2d469c3365b23aec4a70adfe9cda1dc3003aa Author: Joseph Qi Date: Tue Nov 3 10:29:02 2020 +0800 ext4: unlock xattr_sem properly in ext4_inline_data_truncate() commit 7067b2619017d51e71686ca9756b454de0e5826a upstream. It takes xattr_sem to check inline data again but without unlock it in case not have. So unlock it before return. Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly") Reported-by: Dan Carpenter Cc: Tao Ma Signed-off-by: Joseph Qi Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit c315a0b5bac055b4d951bc6ddda406a4054d00b9 Author: Kaixu Xia Date: Thu Oct 29 23:46:36 2020 +0800 ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream. The macro MOPT_Q is used to indicates the mount option is related to quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is disabled. Normally the quota options are handled explicitly, so it didn't matter that the MOPT_STRING flag was missing, even though the usrjquota and grpjquota mount options take a string argument. It's important that's present in the !CONFIG_QUOTA case, since without MOPT_STRING, the mount option matcher will match usrjquota= followed by an integer, and will otherwise skip the table entry, and so "mount option not supported" error message is never reported. [ Fixed up the commit description to better explain why the fix works. --TYT ] Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options") Signed-off-by: Kaixu Xia Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit b49f87e4951d15b9d56e4bd4bf72d9705eb8880a Author: Gao Xiang Date: Sun Nov 1 03:51:02 2020 +0800 erofs: derive atime instead of leaving it empty commit d3938ee23e97bfcac2e0eb6b356875da73d700df upstream. EROFS has _only one_ ondisk timestamp (ctime is currently documented and recorded, we might also record mtime instead with a new compat feature if needed) for each extended inode since EROFS isn't mainly for archival purposes so no need to keep all timestamps on disk especially for Android scenarios due to security concerns. Also, romfs/cramfs don't have their own on-disk timestamp, and squashfs only records mtime instead. Let's also derive access time from ondisk timestamp rather than leaving it empty, and if mtime/atime for each file are really needed for specific scenarios as well, we can also use xattrs to record them then. Link: https://lore.kernel.org/r/20201031195102.21221-1-hsiangkao@aol.com [ Gao Xiang: It'd be better to backport for user-friendly concern. ] Fixes: 431339ba9042 ("staging: erofs: add inode operations") Cc: stable # 4.19+ Reported-by: nl6720 Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit 877c8cb029a582bdafa1ddbaeeeab5c6e67a5f79 Author: Gao Xiang Date: Thu Oct 22 22:57:21 2020 +0800 erofs: fix setting up pcluster for temporary pages commit a30573b3cdc77b8533d004ece1ea7c0146b437a0 upstream. pcluster should be only set up for all managed pages instead of temporary pages. Since it currently uses page->mapping to identify, the impact is minor for now. [ Update: Vladimir reported the kernel log becomes polluted because PAGE_FLAGS_CHECK_AT_FREE flag(s) set if the page allocation debug option is enabled. ] Link: https://lore.kernel.org/r/20201022145724.27284-1-hsiangkao@aol.com Fixes: 5ddcee1f3a1c ("erofs: get rid of __stagingpage_alloc helper") Cc: # 5.5+ Tested-by: Vladimir Zapolskiy Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit 0c8e4404ed15145b3784829525937b6ccaa465e2 Author: Arnd Bergmann Date: Mon Oct 26 16:54:36 2020 +0100 firmware: xilinx: fix out-of-bounds access commit f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31 upstream. The zynqmp_pm_set_suspend_mode() and zynqmp_pm_get_trustzone_version() functions pass values as api_id into zynqmp_pm_invoke_fn that are beyond PM_API_MAX, resulting in an out-of-bounds access: drivers/firmware/xilinx/zynqmp.c: In function 'zynqmp_pm_set_suspend_mode': drivers/firmware/xilinx/zynqmp.c:150:24: warning: array subscript 2562 is above array bounds of 'u32[64]' {aka 'unsigned int[64]'} [-Warray-bounds] 150 | if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED) | ~~~~~~~~~~~~~~~~~~^~~~~~~~ drivers/firmware/xilinx/zynqmp.c:28:12: note: while referencing 'zynqmp_pm_features' 28 | static u32 zynqmp_pm_features[PM_API_MAX]; | ^~~~~~~~~~~~~~~~~~ Replace the resulting undefined behavior with an error return. This may break some things that happen to work at the moment but seems better than randomly overwriting kernel data. I assume we need additional fixes for the two functions that now return an error. Fixes: 76582671eb5d ("firmware: xilinx: Add Zynqmp firmware driver") Fixes: e178df31cf41 ("firmware: xilinx: Implement ZynqMP power management APIs") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20201026155449.3703142-1-arnd@kernel.org Cc: stable Signed-off-by: Greg Kroah-Hartman commit 7dce450ca840e852f582bb624c1443201e10d29d Author: Peter Zijlstra Date: Thu Oct 29 16:29:53 2020 +0100 perf: Fix event multiplexing for exclusive groups [ Upstream commit 2714c3962f304d031d5016c963c4b459337b0749 ] Commit 9e6302056f80 ("perf: Use hrtimers for event multiplexing") placed the hrtimer (re)start call in the wrong place. Instead of capturing all scheduling failures, it only considered the PMU failure. The result is that groups using perf_event_attr::exclusive are no longer rotated. Fixes: 9e6302056f80 ("perf: Use hrtimers for event multiplexing") Reported-by: Andi Kleen Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20201029162902.038667689@infradead.org Signed-off-by: Sasha Levin commit 3a5a900bb247a3b33f1df2bb488876be34402d59 Author: Peter Zijlstra Date: Thu Oct 29 16:29:15 2020 +0100 perf: Simplify group_sched_in() [ Upstream commit 251ff2d49347793d348babcff745289b11910e96 ] Collate the error paths. Code duplication only leads to divergence and extra bugs. Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20201029162901.972161394@infradead.org Signed-off-by: Sasha Levin commit e360c1e21a186e9610d49a2422566b7778c5c094 Author: Sagi Grimberg Date: Mon Nov 9 02:57:34 2020 -0800 nvme: fix incorrect behavior when BLKROSET is called by the user [ Upstream commit 65c5a055b0d567b7e7639d942c0605da9cc54c5e ] The offending commit breaks BLKROSET ioctl because a device revalidation will blindly override BLKROSET setting. Hence, we remove the disk rw setting in case NVME_NS_ATTR_RO is cleared from by the controller. Fixes: 1293477f4f32 ("nvme: set gendisk read only based on nsattr") Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 09d90dbab25d6e855118e8f3951e292bd35bcf79 Author: Sasha Levin Date: Sun Nov 15 17:07:55 2020 -0500 nvme: freeze the queue over ->lba_shift updates [ Upstream commit f9d5f4579feafa721dba2f350fc064a1852c6f8c ] Ensure that there can't be any I/O in flight went we change the disk geometry in nvme_update_ns_info, most notable the LBA size by lifting the queue free from nvme_update_disk_info into the caller Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Damien Le Moal Signed-off-by: Sasha Levin commit 9163d630e435ab5c9c663da991ffcaa3dc7de6e5 Author: Christoph Hellwig Date: Fri Sep 25 07:19:13 2020 +0200 nvme: factor out a nvme_configure_metadata helper [ Upstream commit d4609ea8b3d3fb3423f35805843a82774cb4ef2f ] Factor out a helper from nvme_update_ns_info that configures the per-namespaces metadata and PI settings. Also make sure the helpers clear the flags explicitly instead of all of ->features to allow for potentially reusing ->features for future non-metadata flags. Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Reviewed-by: Damien Le Moal Signed-off-by: Sasha Levin commit 159dbc4dd743512c518953246cb2bf4aa4c6f862 Author: Peter Zijlstra Date: Fri Oct 30 12:49:45 2020 +0100 perf: Fix get_recursion_context() [ Upstream commit ce0f17fc93f63ee91428af10b7b2ddef38cd19e5 ] One should use in_serving_softirq() to detect SoftIRQ context. Fixes: 96f6d4444302 ("perf_counter: avoid recursion") Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20201030151955.120572175@infradead.org Signed-off-by: Sasha Levin commit 2ee7230e40d142c05843508c1f9227d46b15af48 Author: David Howells Date: Sat Nov 14 17:27:57 2020 +0000 afs: Fix afs_write_end() when called with copied == 0 [ver #3] [ Upstream commit 3ad216ee73abc554ed8f13f4f8b70845a7bef6da ] When afs_write_end() is called with copied == 0, it tries to set the dirty region, but there's no way to actually encode a 0-length region in the encoding in page->private. "0,0", for example, indicates a 1-byte region at offset 0. The maths miscalculates this and sets it incorrectly. Fix it to just do nothing but unlock and put the page in this case. We don't actually need to mark the page dirty as nothing presumably changed. Fixes: 65dd2d6072d3 ("afs: Alter dirty range encoding in page->private") Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9e22b87afbc68524f7b76e1d88703e47023b3ba1 Author: Muchun Song Date: Fri Nov 13 22:52:13 2020 -0800 mm: memcontrol: fix missing wakeup polling thread [ Upstream commit 8b21ca0218d29cc6bb7028125c7e5a10dfb4730c ] When we poll the swap.events, we can miss being woken up when the swap event occurs. Because we didn't notify. Fixes: f3a53a3a1e5b ("mm, memcontrol: implement memory.swap.events") Signed-off-by: Muchun Song Signed-off-by: Andrew Morton Reviewed-by: Shakeel Butt Acked-by: Johannes Weiner Cc: Roman Gushchin Cc: Michal Hocko Cc: Yafang Shao Cc: Chris Down Cc: Tejun Heo Link: https://lkml.kernel.org/r/20201105161936.98312-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 24bd009423fb9656c6b6c61556d0ba9b662b1db1 Author: Santosh Sivaraj Date: Fri Nov 13 22:52:10 2020 -0800 kernel/watchdog: fix watchdog_allowed_mask not used warning [ Upstream commit e7e046155af04cdca5e1157f28b07e1651eb317b ] Define watchdog_allowed_mask only when SOFTLOCKUP_DETECTOR is enabled. Fixes: 7feeb9cd4f5b ("watchdog/sysctl: Clean up sysctl variable name space") Signed-off-by: Santosh Sivaraj Signed-off-by: Andrew Morton Reviewed-by: Petr Mladek Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20201106015025.1281561-1-santosh@fossix.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit e533facb19a192ddf94df8d7074bdd851bc48dba Author: Anshuman Khandual Date: Fri Nov 13 13:00:14 2020 +0530 arm64/mm: Validate hotplug range before creating linear mapping [ Upstream commit 58284a901b426e6130672e9f14c30dfd5a9dbde0 ] During memory hotplug process, the linear mapping should not be created for a given memory range if that would fall outside the maximum allowed linear range. Else it might cause memory corruption in the kernel virtual space. Maximum linear mapping region is [PAGE_OFFSET..(PAGE_END -1)] accommodating both its ends but excluding PAGE_END. Max physical range that can be mapped inside this linear mapping range, must also be derived from its end points. This ensures that arch_add_memory() validates memory hot add range for its potential linear mapping requirements, before creating it with __create_pgd_mapping(). Fixes: 4ab215061554 ("arm64: Add memory hotplug support") Signed-off-by: Anshuman Khandual Reviewed-by: Ard Biesheuvel Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: Ard Biesheuvel Cc: Steven Price Cc: Robin Murphy Cc: David Hildenbrand Cc: Andrew Morton Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Link: https://lore.kernel.org/r/1605252614-761-1-git-send-email-anshuman.khandual@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 375279dc33c7851d777471b8caf8ab31e8ffec92 Author: Sven Van Asbroeck Date: Thu Nov 12 10:25:13 2020 -0500 lan743x: fix use of uninitialized variable [ Upstream commit edbc21113bde13ca3d06eec24b621b1f628583dd ] When no devicetree is present, the driver will use an uninitialized variable. Fix by initializing this variable. Fixes: 902a66e08cea ("lan743x: correctly handle chips with internal PHY") Reported-by: kernel test robot Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201112152513.1941-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6fd32c7273313bcbebb804b1e3935d4a20d73112 Author: Martin Willi Date: Fri Nov 6 08:30:30 2020 +0100 vrf: Fix fast path output packet handling with async Netfilter rules [ Upstream commit 9e2b7fa2df4365e99934901da4fb4af52d81e820 ] VRF devices use an optimized direct path on output if a default qdisc is involved, calling Netfilter hooks directly. This path, however, does not consider Netfilter rules completing asynchronously, such as with NFQUEUE. The Netfilter okfn() is called for asynchronously accepted packets, but the VRF never passes that packet down the stack to send it out over the slave device. Using the slower redirect path for this seems not feasible, as we do not know beforehand if a Netfilter hook has asynchronously completing rules. Fix the use of asynchronously completing Netfilter rules in OUTPUT and POSTROUTING by using a special completion function that additionally calls dst_output() to pass the packet down the stack. Also, slightly adjust the use of nf_reset_ct() so that is called in the asynchronous case, too. Fixes: dcdd43c41e60 ("net: vrf: performance improvements for IPv4") Fixes: a9ec54d1b0cd ("net: vrf: performance improvements for IPv6") Signed-off-by: Martin Willi Link: https://lore.kernel.org/r/20201106073030.3974927-1-martin@strongswan.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5b206841d2cb2c1aea42019c611e351365eba48c Author: Chuck Lever Date: Sat Oct 31 12:44:25 2020 -0400 NFS: Fix listxattr receive buffer size [ Upstream commit 6c2190b3fcbc92cb79e39cc7e7531656b341e463 ] Certain NFSv4.2/RDMA tests fail with v5.9-rc1. rpcrdma_convert_kvec() runs off the end of the rl_segments array because rq_rcv_buf.tail[0].iov_len holds a very large positive value. The resultant kernel memory corruption is enough to crash the client system. Callers of rpc_prepare_reply_pages() must reserve an extra XDR_UNIT in the maximum decode size for a possible XDR pad of the contents of the xdr_buf's pages. That guarantees the allocated receive buffer will be large enough to accommodate the usual contents plus that XDR pad word. encode_op_hdr() cannot add that extra word. If it does, xdr_inline_pages() underruns the length of the tail iovec. Fixes: 3e1f02123fba ("NFSv4.2: add client side XDR handling for extended attributes") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 88e215f9cf667d049b2fb7e53a2dd63f39b39e57 Author: Brad Campbell Date: Thu Nov 12 14:08:23 2020 +1100 hwmon: (applesmc) Re-work SMC comms [ Upstream commit 4d64bb4ba5ecf4831448cdb2fe16d0ae91b2b40b ] Commit fff2d0f701e6 ("hwmon: (applesmc) avoid overlong udelay()") introduced an issue whereby communication with the SMC became unreliable with write errors like : [ 120.378614] applesmc: send_byte(0x00, 0x0300) fail: 0x40 [ 120.378621] applesmc: LKSB: write data fail [ 120.512782] applesmc: send_byte(0x00, 0x0300) fail: 0x40 [ 120.512787] applesmc: LKSB: write data fail The original code appeared to be timing sensitive and was not reliable with the timing changes in the aforementioned commit. This patch re-factors the SMC communication to remove the timing dependencies and restore function with the changes previously committed. Tested on : MacbookAir6,2 MacBookPro11,1 iMac12,2, MacBookAir1,1, MacBookAir3,1 Fixes: fff2d0f701e6 ("hwmon: (applesmc) avoid overlong udelay()") Reported-by: Andreas Kemnade Tested-by: Andreas Kemnade # MacBookAir6,2 Acked-by: Arnd Bergmann Signed-off-by: Brad Campbell Signed-off-by: Henrik Rydberg Link: https://lore.kernel.org/r/194a7d71-a781-765a-d177-c962ef296b90@fnarfbargle.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit b20e9cb62229db1bd1c305569a699e6289053753 Author: Wang Hai Date: Tue Nov 10 22:46:14 2020 +0800 cosa: Add missing kfree in error path of cosa_write [ Upstream commit 52755b66ddcef2e897778fac5656df18817b59ab ] If memory allocation for 'kbuf' succeed, cosa_write() doesn't have a corresponding kfree() in exception handling. Thus add kfree() for this function implementation. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Jan "Yenya" Kasprzak Link: https://lore.kernel.org/r/20201110144614.43194-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e2d69c0519869769b6ac3c5e0388b232d351518a Author: Rohit Maheshwari Date: Mon Nov 9 16:21:41 2020 +0530 ch_ktls: tcb update fails sometimes [ Upstream commit 7d01c428c86b525dc780226924d74df2048cf411 ] context id and port id should be filled while sending tcb update. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Rohit Maheshwari Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d274cd323ec158c6be13cf06b9cfd8893abd9c81 Author: Rohit Maheshwari Date: Mon Nov 9 16:21:33 2020 +0530 ch_ktls: Update cheksum information [ Upstream commit 86716b51d14fc2201938939b323ba3ad99186910 ] Checksum update was missing in the WR. Fixes: 429765a149f1 ("chcr: handle partial end part of a record") Signed-off-by: Rohit Maheshwari Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 74c441a02ac63f4fa2b8ef1e2d292cd083bd86ae Author: Evan Nimmo Date: Tue Nov 10 15:28:25 2020 +1300 of/address: Fix of_node memory leak in of_dma_is_coherent [ Upstream commit a5bea04fcc0b3c0aec71ee1fd58fd4ff7ee36177 ] Commit dabf6b36b83a ("of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc") added a check to of_dma_is_coherent which returns early if OF_DMA_DEFAULT_COHERENT is enabled. This results in the of_node_put() being skipped causing a memory leak. Moved the of_node_get() below this check so we now we only get the node if OF_DMA_DEFAULT_COHERENT is not enabled. Fixes: dabf6b36b83a ("of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc") Signed-off-by: Evan Nimmo Link: https://lore.kernel.org/r/20201110022825.30895-1-evan.nimmo@alliedtelesis.co.nz Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 16ac78d9dcffacb2e559ff5a1541c9768a93413f Author: Christoph Hellwig Date: Wed Nov 11 08:07:37 2020 -0800 xfs: fix a missing unlock on error in xfs_fs_map_blocks [ Upstream commit 2bd3fa793aaa7e98b74e3653fdcc72fa753913b5 ] We also need to drop the iolock when invalidate_inode_pages2 fails, not only on all other error or successful cases. Fixes: 527851124d10 ("xfs: implement pNFS export operations") Signed-off-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 99f672ebb165f717a55754b30f4508a3de317910 Author: Sven Van Asbroeck Date: Mon Nov 9 15:38:28 2020 -0500 lan743x: fix "BUG: invalid wait context" when setting rx mode [ Upstream commit 2b52a4b65bc8f14520fe6e996ea7fb3f7e400761 ] In the net core, the struct net_device_ops -> ndo_set_rx_mode() callback is called with the dev->addr_list_lock spinlock held. However, this driver's ndo_set_rx_mode callback eventually calls lan743x_dp_write(), which acquires a mutex. Mutex acquisition may sleep, and this is not allowed when holding a spinlock. Fix by removing the dp_lock mutex entirely. Its purpose is to prevent concurrent accesses to the data port. No concurrent accesses are possible, because the dev->addr_list_lock spinlock in the core only lets through one thread at a time. Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201109203828.5115-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0c94a325075bdac2b2749e051ae6443b9284025b Author: Darrick J. Wong Date: Sun Nov 8 16:32:42 2020 -0800 xfs: fix brainos in the refcount scrubber's rmap fragment processor [ Upstream commit 54e9b09e153842ab5adb8a460b891e11b39e9c3d ] Fix some serious WTF in the reference count scrubber's rmap fragment processing. The code comment says that this loop is supposed to move all fragment records starting at or before bno onto the worklist, but there's no obvious reason why nr (the number of items added) should increment starting from 1, and breaking the loop when we've added the target number seems dubious since we could have more rmap fragments that should have been added to the worklist. This seems to manifest in xfs/411 when adding one to the refcount field. Fixes: dbde19da9637 ("xfs: cross-reference the rmapbt data with the refcountbt") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 0ca9a072112b18efc9ba9d3a9b77e9dae60f93ac Author: Darrick J. Wong Date: Sun Nov 8 16:32:44 2020 -0800 xfs: fix rmap key and record comparison functions [ Upstream commit 6ff646b2ceb0eec916101877f38da0b73e3a5b7f ] Keys for extent interval records in the reverse mapping btree are supposed to be computed as follows: (physical block, owner, fork, is_btree, is_unwritten, offset) This provides users the ability to look up a reverse mapping from a bmbt record -- start with the physical block; then if there are multiple records for the same block, move on to the owner; then the inode fork type; and so on to the file offset. However, the key comparison functions incorrectly remove the fork/btree/unwritten information that's encoded in the on-disk offset. This means that lookup comparisons are only done with: (physical block, owner, offset) This means that queries can return incorrect results. On consistent filesystems this hasn't been an issue because blocks are never shared between forks or with bmbt blocks; and are never unwritten. However, this bug means that online repair cannot always detect corruption in the key information in internal rmapbt nodes. Found by fuzzing keys[1].attrfork = ones on xfs/371. Fixes: 4b8ed67794fe ("xfs: add rmap btree operations") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit a58e217ad6cdfd9d22fc052b5cd135202ac32140 Author: Darrick J. Wong Date: Sun Nov 8 16:32:43 2020 -0800 xfs: set the unwritten bit in rmap lookup flags in xchk_bmap_get_rmapextents [ Upstream commit 5dda3897fd90783358c4c6115ef86047d8c8f503 ] When the bmbt scrubber is looking up rmap extents, we need to set the extent flags from the bmbt record fully. This will matter once we fix the rmap btree comparison functions to check those flags correctly. Fixes: d852657ccfc0 ("xfs: cross-reference reverse-mapping btree") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit ac560d221919afee17bd1d27eefcf508f24b92c0 Author: Darrick J. Wong Date: Sun Nov 8 16:32:43 2020 -0800 xfs: fix flags argument to rmap lookup when converting shared file rmaps [ Upstream commit ea8439899c0b15a176664df62aff928010fad276 ] Pass the same oldext argument (which contains the existing rmapping's unwritten state) to xfs_rmap_lookup_le_range at the start of xfs_rmap_convert_shared. At this point in the code, flags is zero, which means that we perform lookups using the wrong key. Fixes: 3f165b334e51 ("xfs: convert unwritten status of reverse mappings for shared files") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit d8b36e46de4115163dfbbc77e4ba8928dcdcf656 Author: Heiner Kallweit Date: Sun Nov 8 22:44:02 2020 +0100 net: phy: realtek: support paged operations on RTL8201CP [ Upstream commit f3037c5a31b58a73b32a36e938ad0560085acadd ] The RTL8401-internal PHY identifies as RTL8201CP, and the init sequence in r8169, copied from vendor driver r8168, uses paged operations. Therefore set the same paged operation callbacks as for the other Realtek PHY's. Fixes: cdafdc29ef75 ("r8169: sync support for RTL8401 with vendor driver") Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/69882f7a-ca2f-e0c7-ae83-c9b6937282cd@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9357eee5067e2030879d7344ffff74d1e7d0c859 Author: Sven Van Asbroeck Date: Sun Nov 8 12:12:24 2020 -0500 lan743x: correctly handle chips with internal PHY [ Upstream commit 902a66e08ceaadb9a7a1ab3a4f3af611cd1d8cba ] Commit 6f197fb63850 ("lan743x: Added fixed link and RGMII support") assumes that chips with an internal PHY will never have a devicetree entry. This is incorrect: even for these chips, a devicetree entry can be useful e.g. to pass the mac address from bootloader to chip: &pcie { status = "okay"; host@0 { reg = <0 0 0 0 0>; #address-cells = <3>; #size-cells = <2>; lan7430: ethernet@0 { /* LAN7430 with internal PHY */ compatible = "microchip,lan743x"; status = "okay"; reg = <0 0 0 0 0>; /* filled in by bootloader */ local-mac-address = [00 00 00 00 00 00]; }; }; }; If a devicetree entry is present, the driver will not attach the chip to its internal phy, and the chip will be non-operational. Fix by tweaking the phy connection algorithm: - first try to connect to a phy specified in the devicetree (could be 'real' phy, or just a 'fixed-link') - if that doesn't succeed, try to connect to an internal phy, even if the chip has a devnode Tested on a LAN7430 with internal PHY. I cannot test a device using fixed-link, as I do not have access to one. Fixes: 6f197fb63850 ("lan743x: Added fixed link and RGMII support") Tested-by: Sven Van Asbroeck # lan7430 Reviewed-by: Andrew Lunn Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201108171224.23829-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4bf509f4f98f8d0039a06777d4bdace437dbae9f Author: Vinicius Costa Gomes Date: Fri Sep 25 11:35:37 2020 -0700 igc: Fix returning wrong statistics [ Upstream commit 6b7ed22ae4c96a415001f0c3116ebee15bb8491a ] 'igc_update_stats()' was not updating 'netdev->stats', so the returned statistics, for example, requested by: $ ip -s link show dev enp3s0 were not being updated and were always zero. Fix by returning a set of statistics that are actually being updated (adapter->stats64). Fixes: c9a11c23ceb6 ("igc: Add netdev") Signed-off-by: Vinicius Costa Gomes Tested-by: Aaron Brown Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 3fbff00c08d26e0cdb395288370d8bcdf69417cc Author: Slawomir Laba Date: Wed Oct 14 08:54:09 2020 +0000 i40e: Fix MAC address setting for a VF via Host/VM [ Upstream commit 3a7001788fed0311d6fb77ed0dabe7bed3567bc0 ] Fix MAC setting flow for the PF driver. Update the unicast VF's MAC address in VF structure if it is a new setting in i40e_vc_add_mac_addr_msg. When unicast MAC address gets deleted, record that and set the new unicast MAC address that is already waiting in the filter list. This logic is based on the order of messages arriving to the PF driver. Without this change the MAC address setting was interpreted incorrectly in the following use cases: 1) Print incorrect VF MAC or zero MAC ip link show dev $pf 2) Don't preserve MAC between driver reload rmmod iavf; modprobe iavf 3) Update VF MAC when macvlan was set ip link add link $vf address $mac $vf.1 type macvlan 4) Failed to update mac address when VF was trusted ip link set dev $vf address $mac This includes all other configurations including above commands. Fixes: f657a6e1313b ("i40e: Fix VF driver MAC address configuration") Signed-off-by: Slawomir Laba Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 015be7f67c76fe38bd0dd6285b43679115126cd2 Author: Vlad Buslov Date: Sat Nov 7 13:19:28 2020 +0200 selftest: fix flower terse dump tests [ Upstream commit 97adb13dc9ba08ecd4758bc59efc0205f5cbf377 ] Iproute2 tc classifier terse dump has been accepted with modified syntax. Update the tests accordingly. Signed-off-by: Vlad Buslov Fixes: e7534fd42a99 ("selftests: implement flower classifier terse dump tests") Link: https://lore.kernel.org/r/20201107111928.453534-1-vlad@buslov.dev Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 270c6054365d13d9bb2f8d968059a3f556b8be41 Author: Christoph Hellwig Date: Mon Nov 9 18:30:59 2020 +0100 nbd: fix a block_device refcount leak in nbd_release [ Upstream commit 2bd645b2d3f0bacadaa6037f067538e1cd4e42ef ] bdget_disk needs to be paired with bdput to not leak a reference on the block device inode. Fixes: 08ba91ee6e2c ("nbd: Add the nbd NBD_DISCONNECT_ON_CLOSE config flag.") Signed-off-by: Christoph Hellwig Reviewed-by: Josef Bacik Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a8db9f31a2775010b5556dadb98dd7a48740ebc3 Author: Bjorn Andersson Date: Tue Oct 27 21:36:42 2020 -0700 pinctrl: qcom: sm8250: Specify PDC map [ Upstream commit b41efeed507addecb92e83dd444d86c1fbe38ae0 ] Specify the PDC mapping for SM8250, so that gpio interrupts are propertly mapped to the wakeup IRQs of the PDC. Fixes: 4e3ec9e407ad ("pinctrl: qcom: Add sm8250 pinctrl driver.") Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20201028043642.1141723-1-bjorn.andersson@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 878bfd624d40b82cb203bbc86e823ffe361c9bd8 Author: Maulik Shah Date: Thu Nov 5 13:08:04 2020 +0530 pinctrl: qcom: Move clearing pending IRQ to .irq_request_resources callback [ Upstream commit 71266d9d39366c9b24b866d811b3facaf837f13f ] When GPIOs that are routed to PDC are used as output they can still latch the IRQ pending at GIC. As a result the spurious IRQ was handled when the client driver change the direction to input to starts using it as IRQ. Currently such erroneous latched IRQ are cleared with .irq_enable callback however if the driver continue to use GPIO as interrupt and invokes disable_irq() followed by enable_irq() then everytime during enable_irq() previously latched interrupt gets cleared. This can make edge IRQs not seen after enable_irq() if they had arrived after the driver has invoked disable_irq() and were pending at GIC. Move clearing erroneous IRQ to .irq_request_resources callback as this is the place where GPIO direction is changed as input and its locked as IRQ. While at this add a missing check to invoke msm_gpio_irq_clear_unmask() from .irq_enable callback only when GPIO is not routed to PDC. Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy") Signed-off-by: Maulik Shah Link: https://lore.kernel.org/r/1604561884-10166-1-git-send-email-mkshah@codeaurora.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 89e313118c266ebfdd300d28fcfc3ec027edd264 Author: Heiner Kallweit Date: Thu Nov 5 18:14:47 2020 +0100 r8169: disable hw csum for short packets on all chip versions [ Upstream commit 847f0a2bfd2fe16d6afa537816b313b71f32e139 ] RTL8125B has same or similar short packet hw padding bug as RTL8168evl. The main workaround has been extended accordingly, however we have to disable also hw checksumming for short packets on affected new chip versions. Instead of checking for an affected chip version let's simply disable hw checksumming for short packets in general. v2: - remove the version checks and disable short packet hw csum in general - reflect this in commit title and message Fixes: 0439297be951 ("r8169: add support for RTL8125B") Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/7fbb35f0-e244-ef65-aa55-3872d7d38698@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b579b0c91b96cd9377ef2796d2173474d5031fd5 Author: Heiner Kallweit Date: Thu Nov 5 15:28:42 2020 +0100 r8169: fix potential skb double free in an error path [ Upstream commit cc6528bc9a0c901c83b8220a2e2617f3354d6dd9 ] The caller of rtl8169_tso_csum_v2() frees the skb if false is returned. eth_skb_pad() internally frees the skb on error what would result in a double free. Therefore use __skb_put_padto() directly and instruct it to not free the skb on error. Fixes: b423e9ae49d7 ("r8169: fix offloaded tx checksum for small packets.") Reported-by: Jakub Kicinski Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/f7e68191-acff-9ded-4263-c016428a8762@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ab68b940dd6f7b5f8e2557937162dcb8a0583a05 Author: David Verbeiren Date: Wed Nov 4 12:23:32 2020 +0100 bpf: Zero-fill re-used per-cpu map element [ Upstream commit d3bec0138bfbe58606fc1d6f57a4cdc1a20218db ] Zero-fill element values for all other cpus than current, just as when not using prealloc. This is the only way the bpf program can ensure known initial values for all cpus ('onallcpus' cannot be set when coming from the bpf program). The scenario is: bpf program inserts some elements in a per-cpu map, then deletes some (or userspace does). When later adding new elements using bpf_map_update_elem(), the bpf program can only set the value of the new elements for the current cpu. When prealloc is enabled, previously deleted elements are re-used. Without the fix, values for other cpus remain whatever they were when the re-used entry was previously freed. A selftest is added to validate correct operation in above scenario as well as in case of LRU per-cpu map element re-use. Fixes: 6c9059817432 ("bpf: pre-allocate hash map elements") Signed-off-by: David Verbeiren Signed-off-by: Alexei Starovoitov Acked-by: Matthieu Baerts Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20201104112332.15191-1-david.verbeiren@tessares.net Signed-off-by: Sasha Levin commit 457e9f9333a1f313dd63b128690a56a7eaa3a70e Author: Lorenz Bauer Date: Thu Nov 5 11:52:30 2020 +0000 tools/bpftool: Fix attaching flow dissector [ Upstream commit f9b7ff0d7f7a466a920424246e7ddc2b84c87e52 ] My earlier patch to reject non-zero arguments to flow dissector attach broke attaching via bpftool. Instead of 0 it uses -1 for target_fd. Fix this by passing a zero argument when attaching the flow dissector. Fixes: 1b514239e859 ("bpf: flow_dissector: Check value of unused flags to BPF_PROG_ATTACH") Reported-by: Jiri Benc Signed-off-by: Lorenz Bauer Signed-off-by: Alexei Starovoitov Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20201105115230.296657-1-lmb@cloudflare.com Signed-off-by: Sasha Levin commit d7cad33df1cab120b83099a8f45d2486dd56a8fa Author: Dai Ngo Date: Thu Oct 29 15:07:16 2020 -0400 NFSD: fix missing refcount in nfsd4_copy by nfsd4_do_async_copy [ Upstream commit 49a361327332c9221438397059067f9b205f690d ] Need to initialize nfsd4_copy's refcount to 1 to avoid use-after-free warning when nfs4_put_copy is called from nfsd4_cb_offload_release. Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy") Signed-off-by: Dai Ngo Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 175147b6bc1183d5dc526a5aa29cb10971ba209d Author: Dai Ngo Date: Thu Oct 29 15:07:15 2020 -0400 NFSD: Fix use-after-free warning when doing inter-server copy [ Upstream commit 36e1e5ba90fb3fba6888fae26e4dfc28bf70aaf1 ] The source file nfsd_file is not constructed the same as other nfsd_file's via nfsd_file_alloc. nfsd_file_put should not be called to free the object; nfsd_file_put is not the inverse of kzalloc, instead kfree is called by nfsd4_do_async_copy when done. Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy") Signed-off-by: Dai Ngo Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit ea2a764d93626cae1e71d42398f9d15cf6f52386 Author: Chuck Lever Date: Fri Oct 23 10:41:07 2020 -0400 SUNRPC: Fix general protection fault in trace_rpc_xdr_overflow() [ Upstream commit d321ff589c16d8c2207485a6d7fbdb14e873d46e ] The TP_fast_assign() section is careful enough not to dereference xdr->rqst if it's NULL. The TP_STRUCT__entry section is not. Fixes: 5582863f450c ("SUNRPC: Add XDR overflow trace event") Signed-off-by: Chuck Lever Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 117fe27f67b208f34bdb3f97197698934c6a1b63 Author: Maxim Mikityanskiy Date: Thu Oct 22 12:49:51 2020 +0300 net/mlx5e: Fix incorrect access of RCU-protected xdp_prog [ Upstream commit 1a50cf9a67ff2241c2949d30bc11c8dd4280eef8 ] rq->xdp_prog is RCU-protected and should be accessed only with rcu_access_pointer for the NULL check in mlx5e_poll_rx_cq. rq->xdp_prog may change on the fly only from one non-NULL value to another non-NULL value, so the checks in mlx5e_xdp_handle and mlx5e_poll_rx_cq will have the same result during one NAPI cycle, meaning that no additional synchronization is needed. Fixes: fe45386a2082 ("net/mlx5e: Use RCU to protect rq->xdp_prog") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 4f2d4e911a77e99f5a0713ca3d2361dacac9b3cb Author: Aya Levin Date: Wed Sep 23 12:58:44 2020 +0300 net/mlx5e: Fix VXLAN synchronization after function reload [ Upstream commit c5eb51adf06b2644fa28d4af886bfdcc53e288da ] During driver reload, perform firmware tear-down which results in firmware losing the configured VXLAN ports. These ports are still available in the driver's database. Fix this by cleaning up driver's VXLAN database in the nic unload flow, before firmware tear-down. With that, minimize mlx5_vxlan_destroy() to remove only what was added in mlx5_vxlan_create() and warn on leftover UDP ports. Fixes: 18a2b7f969c9 ("net/mlx5: convert to new udp_tunnel infrastructure") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 994298ddfbafba79db94f207aa888731758a912f Author: Parav Pandit Date: Mon Nov 2 12:41:28 2020 +0200 net/mlx5: E-switch, Avoid extack error log for disabled vport [ Upstream commit ae35859445607f7f18dd4f332749219cd636ed59 ] When E-switch vport is disabled, querying its hardware address is unsupported. Avoid setting extack error log message in such case. Fixes: f099fde16db3 ("net/mlx5: E-switch, Support querying port function mac address") Signed-off-by: Parav Pandit Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 185f59c8ecfd9d7221e56c9e3209ce4d09b7dc4a Author: Maor Gottlieb Date: Wed Oct 21 08:42:49 2020 +0300 net/mlx5: Fix deletion of duplicate rules [ Upstream commit 465e7baab6d93b399344f5868f84c177ab5cd16f ] When a rule is duplicated, the refcount of the rule is increased so only the second deletion of the rule should cause destruction of the FTE. Currently, the FTE will be destroyed in the first deletion of rule since the modify_mask will be 0. Fix it and call to destroy FTE only if all the rules (FTE's children) have been removed. Fixes: 718ce4d601db ("net/mlx5: Consolidate update FTE for all removal changes") Signed-off-by: Maor Gottlieb Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 493434d8d46fa09e99e0f1e65138500db5cb0b59 Author: Maxim Mikityanskiy Date: Thu Oct 8 11:34:03 2020 +0300 net/mlx5e: Use spin_lock_bh for async_icosq_lock [ Upstream commit f42139ba49791ab6b12443c60044872705b74a1e ] async_icosq_lock may be taken from softirq and non-softirq contexts. It requires protection with spin_lock_bh, otherwise a softirq may be triggered in the middle of the critical section, and it may deadlock if it tries to take the same lock. This patch fixes such a scenario by using spin_lock_bh to disable softirqs on that CPU while inside the critical section. Fixes: 8d94b590f1e4 ("net/mlx5e: Turn XSK ICOSQ into a general asynchronous one") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 45b7bae55b98b96dc80b5eab10e1fe53942e8a30 Author: Vlad Buslov Date: Mon Aug 31 16:17:29 2020 +0300 net/mlx5e: Protect encap route dev from concurrent release [ Upstream commit 78c906e430b13d30a8cfbdef4ccbbe1686841a9e ] In functions mlx5e_route_lookup_ipv{4|6}() route_dev can be arbitrary net device and not necessary mlx5 eswitch port representor. As such, in order to ensure that route_dev is not destroyed concurrent the code needs either explicitly take reference to the device before releasing reference to rtable instance or ensure that caller holds rtnl lock. First approach is chosen as a fix since rtnl lock dependency was intentionally removed from mlx5 TC layer. To prevent unprotected usage of route_dev in encap code take a reference to the device before releasing rt. Don't save direct pointer to the device in mlx5_encap_entry structure and use ifindex instead. Modify users of route_dev pointer to properly obtain the net device instance from its ifindex. Fixes: 61086f391044 ("net/mlx5e: Protect encap hash table with mutex") Fixes: 6707f74be862 ("net/mlx5e: Update hw flows when encap source mac changed") Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 8513c3f79a1b11a03531a8422b39fea73f15e886 Author: Maor Dickman Date: Wed Sep 30 16:31:11 2020 +0300 net/mlx5e: Fix modify header actions memory leak [ Upstream commit e68e28b4a9d71261e3f8fd05a72d6cf0b443a493 ] Modify header actions are allocated during parse tc actions and only freed during the flow creation, however, on error flow the allocated memory is wrongly unfreed. Fix this by calling dealloc_mod_hdr_actions in __mlx5e_add_fdb_flow and mlx5e_add_nic_flow error flow. Fixes: d7e75a325cb2 ("net/mlx5e: Add offloading of E-Switch TC pedit (header re-write) actions") Fixes: 2f4fe4cab073 ("net/mlx5e: Add offloading of NIC TC pedit (header re-write) actions") Signed-off-by: Maor Dickman Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 6726fbff19bfdc3d213109cfb8f9acba4a246366 Author: Billy Tsai Date: Fri Oct 30 13:54:50 2020 +0800 pinctrl: aspeed: Fix GPI only function problem. [ Upstream commit 9b92f5c51e9a41352d665f6f956bd95085a56a83 ] Some gpio pin at aspeed soc is input only and the prefix name of these pin is "GPI" only. This patch fine-tune the condition of GPIO check from "GPIO" to "GPI" and it will fix the usage error of banks D and E in the AST2400/AST2500 and banks T and U in the AST2600. Fixes: 4d3d0e4272d8 ("pinctrl: Add core support for Aspeed SoCs") Signed-off-by: Billy Tsai Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20201030055450.29613-1-billy_tsai@aspeedtech.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 439bbd2f9369cde21e9c0e0a553a327ac7b8f792 Author: Andy Shevchenko Date: Fri Oct 9 21:08:55 2020 +0300 pinctrl: mcp23s08: Use full chunk of memory for regmap configuration [ Upstream commit 2b12c13637134897ba320bd8906a8d918ee7069b ] It appears that simplification of mcp23s08_spi_regmap_init() made a regression due to wrong size calculation for dev_kmemdup() call. It misses the fact that config variable is already a pointer, thus the sizeof() calculation is wrong and only 4 or 8 bytes were copied. Fix the parameters to devm_kmemdup() to copy a full chunk of memory. Fixes: 0874758ecb2b ("pinctrl: mcp23s08: Refactor mcp23s08_spi_regmap_init()") Reported-by: Martin Hundebøll Signed-off-by: Andy Shevchenko Tested-by: Martin Hundebøll Link: https://lore.kernel.org/r/20201009180856.4738-1-andriy.shevchenko@linux.intel.com Tested-by: Jan Kundrát Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 41836573a2cdd642f8d3138ef467e7d50ab5b68d Author: Ian Rogers Date: Thu Oct 29 15:37:07 2020 -0700 libbpf, hashmap: Fix undefined behavior in hash_bits [ Upstream commit 7a078d2d18801bba7bde7337a823d7342299acf7 ] If bits is 0, the case when the map is empty, then the >> is the size of the register which is undefined behavior - on x86 it is the same as a shift by 0. Fix by handling the 0 case explicitly and guarding calls to hash_bits for empty maps in hashmap__for_each_key_entry and hashmap__for_each_entry_safe. Fixes: e3b924224028 ("libbpf: add resizable non-thread safe internal hashmap") Suggested-by: Andrii Nakryiko , Signed-off-by: Ian Rogers Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20201029223707.494059-1-irogers@google.com Signed-off-by: Sasha Levin commit 8361fb42232d2c43daa5cf5267af44f9f6bfac96 Author: Ard Biesheuvel Date: Wed Oct 28 18:15:05 2020 +0100 bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE [ Upstream commit 080b6f40763565f65ebb9540219c71ce885cf568 ] Commit 3193c0836 ("bpf: Disable GCC -fgcse optimization for ___bpf_prog_run()") introduced a __no_fgcse macro that expands to a function scope __attribute__((optimize("-fno-gcse"))), to disable a GCC specific optimization that was causing trouble on x86 builds, and was not expected to have any positive effect in the first place. However, as the GCC manual documents, __attribute__((optimize)) is not for production use, and results in all other optimization options to be forgotten for the function in question. This can cause all kinds of trouble, but in one particular reported case, it causes -fno-asynchronous-unwind-tables to be disregarded, resulting in .eh_frame info to be emitted for the function. This reverts commit 3193c0836, and instead, it disables the -fgcse optimization for the entire source file, but only when building for X86 using GCC with CONFIG_BPF_JIT_ALWAYS_ON disabled. Note that the original commit states that CONFIG_RETPOLINE=n triggers the issue, whereas CONFIG_RETPOLINE=y performs better without the optimization, so it is kept disabled in both cases. Fixes: 3193c0836f20 ("bpf: Disable GCC -fgcse optimization for ___bpf_prog_run()") Signed-off-by: Ard Biesheuvel Signed-off-by: Alexei Starovoitov Tested-by: Geert Uytterhoeven Reviewed-by: Nick Desaulniers Link: https://lore.kernel.org/lkml/CAMuHMdUg0WJHEcq6to0-eODpXPOywLot6UD2=GFHpzoj_hCoBQ@mail.gmail.com/ Link: https://lore.kernel.org/bpf/20201028171506.15682-2-ardb@kernel.org Signed-off-by: Sasha Levin commit b04c4fc293495ce2f5028e96ff08dc30f10e6687 Author: Andrew Jeffery Date: Thu Oct 22 01:43:59 2020 +0100 ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe template [ Upstream commit 9fa2e7af3d53a4b769136eccc32c02e128a4ee51 ] Setting both CONFIG_KPROBES=y and CONFIG_FORTIFY_SOURCE=y on ARM leads to a panic in memcpy() when injecting a kprobe despite the fixes found in commit e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE") and commit 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction"). arch/arm/include/asm/kprobes.h effectively declares the target type of the optprobe_template_entry assembly label as a u32 which leads memcpy()'s __builtin_object_size() call to determine that the pointed-to object is of size four. However, the symbol is used as a handle for the optimised probe assembly template that is at least 96 bytes in size. The symbol's use despite its type blows up the memcpy() in ARM's arch_prepare_optimized_kprobe() with a false-positive fortify_panic() when it should instead copy the optimised probe template into place: ``` $ sudo perf probe -a aspeed_g6_pinctrl_probe [ 158.457252] detected buffer overflow in memcpy [ 158.458069] ------------[ cut here ]------------ [ 158.458283] kernel BUG at lib/string.c:1153! [ 158.458436] Internal error: Oops - BUG: 0 [#1] SMP ARM [ 158.458768] Modules linked in: [ 158.459043] CPU: 1 PID: 99 Comm: perf Not tainted 5.9.0-rc7-00038-gc53ebf8167e9 #158 [ 158.459296] Hardware name: Generic DT based system [ 158.459529] PC is at fortify_panic+0x18/0x20 [ 158.459658] LR is at __irq_work_queue_local+0x3c/0x74 [ 158.459831] pc : [<8047451c>] lr : [<8020ecd4>] psr: 60000013 [ 158.460032] sp : be2d1d50 ip : be2d1c58 fp : be2d1d5c [ 158.460174] r10: 00000006 r9 : 00000000 r8 : 00000060 [ 158.460348] r7 : 8011e434 r6 : b9e0b800 r5 : 7f000000 r4 : b9fe4f0c [ 158.460557] r3 : 80c04cc8 r2 : 00000000 r1 : be7c03cc r0 : 00000022 [ 158.460801] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 158.461037] Control: 10c5387d Table: b9cd806a DAC: 00000051 [ 158.461251] Process perf (pid: 99, stack limit = 0x81c71a69) [ 158.461472] Stack: (0xbe2d1d50 to 0xbe2d2000) [ 158.461757] 1d40: be2d1d84 be2d1d60 8011e724 80474510 [ 158.462104] 1d60: b9e0b800 b9fe4f0c 00000000 b9fe4f14 80c8ec80 be235000 be2d1d9c be2d1d88 [ 158.462436] 1d80: 801cee44 8011e57c b9fe4f0c 00000000 be2d1dc4 be2d1da0 801d0ad0 801cedec [ 158.462742] 1da0: 00000000 00000000 b9fe4f00 ffffffea 00000000 be235000 be2d1de4 be2d1dc8 [ 158.463087] 1dc0: 80204604 801d0738 00000000 00000000 b9fe4004 ffffffea be2d1e94 be2d1de8 [ 158.463428] 1de0: 80205434 80204570 00385c00 00000000 00000000 00000000 be2d1e14 be2d1e08 [ 158.463880] 1e00: 802ba014 b9fe4f00 b9e718c0 b9fe4f84 b9e71ec8 be2d1e24 00000000 00385c00 [ 158.464365] 1e20: 00000000 626f7270 00000065 802b905c be2d1e94 0000002e 00000000 802b9914 [ 158.464829] 1e40: be2d1e84 be2d1e50 802b9914 8028ff78 804629d0 b9e71ec0 0000002e b9e71ec0 [ 158.465141] 1e60: be2d1ea8 80c04cc8 00000cc0 b9e713c4 00000002 80205834 80205834 0000002e [ 158.465488] 1e80: be235000 be235000 be2d1ea4 be2d1e98 80205854 80204e94 be2d1ecc be2d1ea8 [ 158.465806] 1ea0: 801ee4a0 80205840 00000002 80c04cc8 00000000 0000002e 0000002e 00000000 [ 158.466110] 1ec0: be2d1f0c be2d1ed0 801ee5c8 801ee428 00000000 be2d0000 006b1fd0 00000051 [ 158.466398] 1ee0: 00000000 b9eedf00 0000002e 80204410 006b1fd0 be2d1f60 00000000 00000004 [ 158.466763] 1f00: be2d1f24 be2d1f10 8020442c 801ee4c4 80205834 802c613c be2d1f5c be2d1f28 [ 158.467102] 1f20: 802c60ac 8020441c be2d1fac be2d1f38 8010c764 802e9888 be2d1f5c b9eedf00 [ 158.467447] 1f40: b9eedf00 006b1fd0 0000002e 00000000 be2d1f94 be2d1f60 802c634c 802c5fec [ 158.467812] 1f60: 00000000 00000000 00000000 80c04cc8 006b1fd0 00000003 76f7a610 00000004 [ 158.468155] 1f80: 80100284 be2d0000 be2d1fa4 be2d1f98 802c63ec 802c62e8 00000000 be2d1fa8 [ 158.468508] 1fa0: 80100080 802c63e0 006b1fd0 00000003 00000003 006b1fd0 0000002e 00000000 [ 158.468858] 1fc0: 006b1fd0 00000003 76f7a610 00000004 006b1fb0 0026d348 00000017 7ef2738c [ 158.469202] 1fe0: 76f3431c 7ef272d8 0014ec50 76f34338 60000010 00000003 00000000 00000000 [ 158.469461] Backtrace: [ 158.469683] [<80474504>] (fortify_panic) from [<8011e724>] (arch_prepare_optimized_kprobe+0x1b4/0x1f8) [ 158.470021] [<8011e570>] (arch_prepare_optimized_kprobe) from [<801cee44>] (alloc_aggr_kprobe+0x64/0x70) [ 158.470287] r9:be235000 r8:80c8ec80 r7:b9fe4f14 r6:00000000 r5:b9fe4f0c r4:b9e0b800 [ 158.470478] [<801cede0>] (alloc_aggr_kprobe) from [<801d0ad0>] (register_kprobe+0x3a4/0x5a0) [ 158.470685] r5:00000000 r4:b9fe4f0c [ 158.470790] [<801d072c>] (register_kprobe) from [<80204604>] (__register_trace_kprobe+0xa0/0xa4) [ 158.471001] r9:be235000 r8:00000000 r7:ffffffea r6:b9fe4f00 r5:00000000 r4:00000000 [ 158.471188] [<80204564>] (__register_trace_kprobe) from [<80205434>] (trace_kprobe_create+0x5ac/0x9ac) [ 158.471408] r7:ffffffea r6:b9fe4004 r5:00000000 r4:00000000 [ 158.471553] [<80204e88>] (trace_kprobe_create) from [<80205854>] (create_or_delete_trace_kprobe+0x20/0x3c) [ 158.471766] r10:be235000 r9:be235000 r8:0000002e r7:80205834 r6:80205834 r5:00000002 [ 158.471949] r4:b9e713c4 [ 158.472027] [<80205834>] (create_or_delete_trace_kprobe) from [<801ee4a0>] (trace_run_command+0x84/0x9c) [ 158.472255] [<801ee41c>] (trace_run_command) from [<801ee5c8>] (trace_parse_run_command+0x110/0x1f8) [ 158.472471] r6:00000000 r5:0000002e r4:0000002e [ 158.472594] [<801ee4b8>] (trace_parse_run_command) from [<8020442c>] (probes_write+0x1c/0x28) [ 158.472800] r10:00000004 r9:00000000 r8:be2d1f60 r7:006b1fd0 r6:80204410 r5:0000002e [ 158.472968] r4:b9eedf00 [ 158.473046] [<80204410>] (probes_write) from [<802c60ac>] (vfs_write+0xcc/0x1e8) [ 158.473226] [<802c5fe0>] (vfs_write) from [<802c634c>] (ksys_write+0x70/0xf8) [ 158.473400] r8:00000000 r7:0000002e r6:006b1fd0 r5:b9eedf00 r4:b9eedf00 [ 158.473567] [<802c62dc>] (ksys_write) from [<802c63ec>] (sys_write+0x18/0x1c) [ 158.473745] r9:be2d0000 r8:80100284 r7:00000004 r6:76f7a610 r5:00000003 r4:006b1fd0 [ 158.473932] [<802c63d4>] (sys_write) from [<80100080>] (ret_fast_syscall+0x0/0x54) [ 158.474126] Exception stack(0xbe2d1fa8 to 0xbe2d1ff0) [ 158.474305] 1fa0: 006b1fd0 00000003 00000003 006b1fd0 0000002e 00000000 [ 158.474573] 1fc0: 006b1fd0 00000003 76f7a610 00000004 006b1fb0 0026d348 00000017 7ef2738c [ 158.474811] 1fe0: 76f3431c 7ef272d8 0014ec50 76f34338 [ 158.475171] Code: e24cb004 e1a01000 e59f0004 ebf40dd3 (e7f001f2) [ 158.475847] ---[ end trace 55a5b31c08a29f00 ]--- [ 158.476088] Kernel panic - not syncing: Fatal exception [ 158.476375] CPU0: stopping [ 158.476709] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G D 5.9.0-rc7-00038-gc53ebf8167e9 #158 [ 158.477176] Hardware name: Generic DT based system [ 158.477411] Backtrace: [ 158.477604] [<8010dd28>] (dump_backtrace) from [<8010dfd4>] (show_stack+0x20/0x24) [ 158.477990] r7:00000000 r6:60000193 r5:00000000 r4:80c2f634 [ 158.478323] [<8010dfb4>] (show_stack) from [<8046390c>] (dump_stack+0xcc/0xe8) [ 158.478686] [<80463840>] (dump_stack) from [<80110750>] (handle_IPI+0x334/0x3a0) [ 158.479063] r7:00000000 r6:00000004 r5:80b65cc8 r4:80c78278 [ 158.479352] [<8011041c>] (handle_IPI) from [<801013f8>] (gic_handle_irq+0x88/0x94) [ 158.479757] r10:10c5387d r9:80c01ed8 r8:00000000 r7:c0802000 r6:80c0537c r5:000003ff [ 158.480146] r4:c080200c r3:fffffff4 [ 158.480364] [<80101370>] (gic_handle_irq) from [<80100b6c>] (__irq_svc+0x6c/0x90) [ 158.480748] Exception stack(0x80c01ed8 to 0x80c01f20) [ 158.481031] 1ec0: 000128bc 00000000 [ 158.481499] 1ee0: be7b8174 8011d3a0 80c00000 00000000 80c04cec 80c04d28 80c5d7c2 80a026d4 [ 158.482091] 1f00: 10c5387d 80c01f34 80c01f38 80c01f28 80109554 80109558 60000013 ffffffff [ 158.482621] r9:80c00000 r8:80c5d7c2 r7:80c01f0c r6:ffffffff r5:60000013 r4:80109558 [ 158.482983] [<80109518>] (arch_cpu_idle) from [<80818780>] (default_idle_call+0x38/0x120) [ 158.483360] [<80818748>] (default_idle_call) from [<801585a8>] (do_idle+0xd4/0x158) [ 158.483945] r5:00000000 r4:80c00000 [ 158.484237] [<801584d4>] (do_idle) from [<801588f4>] (cpu_startup_entry+0x28/0x2c) [ 158.484784] r9:80c78000 r8:00000000 r7:80c78000 r6:80c78040 r5:80c04cc0 r4:000000d6 [ 158.485328] [<801588cc>] (cpu_startup_entry) from [<80810a78>] (rest_init+0x9c/0xbc) [ 158.485930] [<808109dc>] (rest_init) from [<80b00ae4>] (arch_call_rest_init+0x18/0x1c) [ 158.486503] r5:80c04cc0 r4:00000001 [ 158.486857] [<80b00acc>] (arch_call_rest_init) from [<80b00fcc>] (start_kernel+0x46c/0x548) [ 158.487589] [<80b00b60>] (start_kernel) from [<00000000>] (0x0) ``` Fixes: e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE") Fixes: 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction") Suggested-by: Kees Cook Signed-off-by: Andrew Jeffery Tested-by: Luka Oreskovic Tested-by: Joel Stanley Reviewed-by: Joel Stanley Acked-by: Masami Hiramatsu Cc: Luka Oreskovic Cc: Juraj Vijtiuk Signed-off-by: Russell King Signed-off-by: Sasha Levin commit ca38e529c1a3814ab5add3913cb6a5238a2cae67 Author: Billy Tsai Date: Mon Oct 19 12:50:26 2020 +0800 gpio: aspeed: fix ast2600 bank properties [ Upstream commit 560b6ac37a87fcb78d580437e3e0bc2b6b5b0295 ] GPIO_T is mapped to the most significant byte of input/output mask, and the byte in "output" mask should be 0 because GPIO_T is input only. All the other bits need to be 1 because GPIO_Q/R/S support both input and output modes. Fixes: ab4a85534c3e ("gpio: aspeed: Add in ast2600 details to Aspeed driver") Signed-off-by: Billy Tsai Reviewed-by: Tao Ren Reviewed-by: Joel Stanley Reviewed-by: Andrew Jeffery Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 191c52cf4437062d8b261cd0b4533ddfdcdff2f4 Author: Andy Shevchenko Date: Wed Oct 14 13:46:38 2020 +0300 pinctrl: intel: Set default bias in case no particular value given [ Upstream commit f3c75e7a9349d1d33eb53ddc1b31640994969f73 ] When GPIO library asks pin control to set the bias, it doesn't pass any value of it and argument is considered boolean (and this is true for ACPI GpioIo() / GpioInt() resources, by the way). Thus, individual drivers must behave well, when they got the resistance value of 1 Ohm, i.e. transforming it to sane default. In case of Intel pin control hardware the 5 kOhm sounds plausible because on one hand it's a minimum of resistors present in all hardware generations and at the same time it's high enough to minimize leakage current (will be only 200 uA with the above choice). Fixes: e57725eabf87 ("pinctrl: intel: Add support for hardware debouncer") Reported-by: Jamie McClymont Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit 1d8bd6958ab686119527b7076c4c47ac4ca44505 Author: Andy Shevchenko Date: Wed Oct 14 13:46:37 2020 +0300 pinctrl: intel: Fix 2 kOhm bias which is 833 Ohm [ Upstream commit dd26209bc56886cacdbd828571e54a6bca251e55 ] 2 kOhm bias was never an option in Intel GPIO hardware, the available matrix is: 000 none 001 1 kOhm (if available) 010 5 kOhm 100 20 kOhm As easy to get the 3 resistors are gated separately and according to parallel circuits calculations we may get combinations of the above where the result is always strictly less than minimal resistance. Hence, additional values can be: 011 ~833.3 Ohm 101 ~952.4 Ohm 110 ~4 kOhm 111 ~800 Ohm That said, convert TERM definitions to be the bit masks to reflect the above. While at it, enable the same setting for pull down case. Fixes: 7981c0015af2 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support") Cc: Jamie McClymont Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit 8c676a84da1a43c132773e063ecf3f51c59fdf0c Author: Baolin Wang Date: Tue Aug 18 11:41:58 2020 +0800 mfd: sprd: Add wakeup capability for PMIC IRQ commit a75bfc824a2d33f57ebdc003bfe6b7a9e11e9cb9 upstream. When changing to use suspend-to-idle to save power, the PMIC irq can not wakeup the system due to lack of wakeup capability, which will cause the sub-irqs (such as power key) of the PMIC can not wake up the system. Thus we can add the wakeup capability for PMIC irq to solve this issue, as well as removing the IRQF_NO_SUSPEND flag to allow PMIC irq to be a wakeup source. Reported-by: Chunyan Zhang Signed-off-by: Baolin Wang Tested-by: Chunyan Zhang Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 8e3f68daf1dd9d23ee597608b7334a7b00e54dbc Author: Martin Hundebøll Date: Thu Nov 5 10:06:15 2020 +0100 spi: bcm2835: remove use of uninitialized gpio flags variable commit bc7f2cd7559c5595dc38b909ae9a8d43e0215994 upstream. Removing the duplicate gpio chip select level handling in bcm2835_spi_setup() left the lflags variable uninitialized. Avoid trhe use of such variable by passing default flags to gpiochip_request_own_desc(). Fixes: 5e31ba0c0543 ("spi: bcm2835: fix gpio cs level inversion") Signed-off-by: Martin Hundebøll Link: https://lore.kernel.org/r/20201105090615.620315-1-martin@geanix.com Signed-off-by: Mark Brown Cc: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit 3d916fae61458da323f670e40e5377bba4d2162f Author: Jerry Snitselaar Date: Thu Oct 15 14:44:30 2020 -0700 tpm_tis: Disable interrupts on ThinkPad T490s [ Upstream commit b154ce11ead925de6a94feb3b0317fafeefa0ebc ] There is a misconfiguration in the bios of the gpio pin used for the interrupt in the T490s. When interrupts are enabled in the tpm_tis driver code this results in an interrupt storm. This was initially reported when we attempted to enable the interrupt code in the tpm_tis driver, which previously wasn't setting a flag to enable it. Due to the reports of the interrupt storm that code was reverted and we went back to polling instead of using interrupts. Now that we know the T490s problem is a firmware issue, add code to check if the system is a T490s and disable interrupts if that is the case. This will allow us to enable interrupts for everyone else. If the user has a fixed bios they can force the enabling of interrupts with tpm_tis.interrupts=1 on the kernel command line. Cc: Peter Huewe Cc: Jason Gunthorpe Cc: Hans de Goede Signed-off-by: Jerry Snitselaar Reviewed-by: James Bottomley Reviewed-by: Hans de Goede Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 56cbb085945380057a519adc1e00eb44428a129f Author: Michael Wu Date: Fri Oct 30 16:04:20 2020 +0800 i2c: designware: slave should do WRITE_REQUESTED before WRITE_RECEIVED [ Upstream commit 3b5f7f10ff6e6b66f553e12cc50d9bb751ce60ad ] Sometimes we would get the following flow when doing an i2cset: 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x514 : INTR_STAT=0x4 I2C_SLAVE_WRITE_RECEIVED 0x1 STATUS SLAVE_ACTIVITY=0x0 : RAW_INTR_STAT=0x714 : INTR_STAT=0x204 I2C_SLAVE_WRITE_REQUESTED I2C_SLAVE_WRITE_RECEIVED Documentation/i2c/slave-interface.rst says that I2C_SLAVE_WRITE_REQUESTED, which is mandatory, should be sent while the data did not arrive yet. It means in a write-request I2C_SLAVE_WRITE_REQUESTED should be reported before any I2C_SLAVE_WRITE_RECEIVED. By the way, I2C_SLAVE_STOP didn't be reported in the above case because DW_IC_INTR_STAT was not 0x200. dev->status can be used to record the current state, especially Designware I2C controller has no interrupts to identify a write-request. This patch makes not only I2C_SLAVE_WRITE_REQUESTED been reported first when IC_INTR_RX_FULL is rising and dev->status isn't STATUS_WRITE_IN_PROGRESS but also I2C_SLAVE_STOP been reported when a STOP condition is received. Signed-off-by: Michael Wu Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 0df649e55193ceb9601d0d903ef498f61e649047 Author: Michael Wu Date: Fri Oct 30 16:04:19 2020 +0800 i2c: designware: call i2c_dw_read_clear_intrbits_slave() once [ Upstream commit 66b92313e2ca9208b5f3ebf5d86e9a818299d8fa ] If some bits were cleared by i2c_dw_read_clear_intrbits_slave() in i2c_dw_isr_slave() and not handled immediately, those cleared bits would not be shown again by later i2c_dw_read_clear_intrbits_slave(). They therefore were forgotten to be handled. i2c_dw_read_clear_intrbits_slave() should be called once in an ISR and take its returned state for all later handlings. Signed-off-by: Michael Wu Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 168b746c3de0b6e54cf58ca39e3afb9bda6d82ce Author: Ulrich Hecht Date: Mon Sep 28 17:59:50 2020 +0200 i2c: sh_mobile: implement atomic transfers [ Upstream commit a49cc1fe9d64a2dc4e19b599204f403e5d25f44b ] Implements atomic transfers to fix reboot/shutdown on r8a7790 Lager and similar boards. Signed-off-by: Ulrich Hecht Tested-by: Wolfram Sang Tested-by: Geert Uytterhoeven [wsa: some whitespace fixing] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 1e0043673ea2f66fed025e7ce1c14d2bfbb68ae8 Author: Sean Anderson Date: Thu Oct 22 16:30:12 2020 -0400 riscv: Set text_offset correctly for M-Mode [ Upstream commit 79605f1394261995c2b955c906a5a20fb27cdc84 ] M-Mode Linux is loaded at the start of RAM, not 2MB later. Perhaps this should be calculated based on PAGE_OFFSET somehow? Even better would be to deprecate text_offset and instead introduce something absolute. Signed-off-by: Sean Anderson Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 950fd0db5dbfc2f8e1c89c7c19c65daf2684ad9e Author: Benjamin Gwin Date: Tue Nov 3 12:11:06 2020 -0800 arm64: kexec_file: try more regions if loading segments fails [ Upstream commit 108aa503657ee2fe8aa071dc620d96372c252ecd ] It's possible that the first region picked for the new kernel will make it impossible to fit the other segments in the required 32GB window, especially if we have a very large initrd. Instead of giving up, we can keep testing other regions for the kernel until we find one that works. Suggested-by: Ryan O'Leary Signed-off-by: Benjamin Gwin Link: https://lore.kernel.org/r/20201103201106.2397844-1-bgwin@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit f3c3bb3bf862c4527a0cc6df60d6560419a1bd26 Author: Tommi Rantala Date: Thu Oct 8 15:26:30 2020 +0300 selftests: proc: fix warning: _GNU_SOURCE redefined [ Upstream commit f3ae6c6e8a3ea49076d826c64e63ea78fbf9db43 ] Makefile already contains -D_GNU_SOURCE, so we can remove it from the *.c files. Signed-off-by: Tommi Rantala Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit c19e013cef0b9c330eed3334995ee6b485230d2c Author: Brian Foster Date: Thu Oct 29 14:30:49 2020 -0700 iomap: clean up writeback state logic on writepage error [ Upstream commit 50e7d6c7a5210063b9a6f0d8799d9d1440907fcf ] The iomap writepage error handling logic is a mash of old and slightly broken XFS writepage logic. When keepwrite writeback state tracking was introduced in XFS in commit 0d085a529b42 ("xfs: ensure WB_SYNC_ALL writeback handles partial pages correctly"), XFS had an additional cluster writeback context that scanned ahead of ->writepage() to process dirty pages over the current ->writepage() extent mapping. This context expected a dirty page and required retention of the TOWRITE tag on partial page processing so the higher level writeback context would revisit the page (in contrast to ->writepage(), which passes a page with the dirty bit already cleared). The cluster writeback mechanism was eventually removed and some of the error handling logic folded into the primary writeback path in commit 150d5be09ce4 ("xfs: remove xfs_cancel_ioend"). This patch accidentally conflated the two contexts by using the keepwrite logic in ->writepage() without accounting for the fact that the page is not dirty. Further, the keepwrite logic has no practical effect on the core ->writepage() caller (write_cache_pages()) because it never revisits a page in the current function invocation. Technically, the page should be redirtied for the keepwrite logic to have any effect. Otherwise, write_cache_pages() may find the tagged page but will skip it since it is clean. Even if the page was redirtied, however, there is still no practical effect to keepwrite since write_cache_pages() does not wrap around within a single invocation of the function. Therefore, the dirty page would simply end up retagged on the next writeback sequence over the associated range. All that being said, none of this really matters because redirtying a partially processed page introduces a potential infinite redirty -> writeback failure loop that deviates from the current design principle of clearing the dirty state on writepage failure to avoid building up too much dirty, unreclaimable memory on the system. Therefore, drop the spurious keepwrite usage and dirty state clearing logic from iomap_writepage_map(), treat the partially processed page the same as a fully processed page, and let the imminent ioend failure clean up the writeback state. Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 756fec062e4b823bbbe10b95cbcfa84f948131c6 Author: Veerabadhran Gopalakrishnan Date: Thu Oct 29 19:59:46 2020 +0530 amd/amdgpu: Disable VCN DPG mode for Picasso [ Upstream commit c6d2b0fbb893d5c7dda405aa0e7bcbecf1c75f98 ] Concurrent operation of VCN and JPEG decoder in DPG mode is causing ring timeout due to power state. Signed-off-by: Veerabadhran Gopalakrishnan Reviewed-by: Leo Liu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6a1d0696c878990360239ff5b466260046b838b6 Author: Qii Wang Date: Fri Oct 30 19:58:01 2020 +0800 i2c: mediatek: move dma reset before i2c reset [ Upstream commit aafced673c06b7c77040c1df42e2e965be5d0376 ] The i2c driver default do dma reset after i2c reset, but sometimes i2c reset will trigger dma tx2rx, then apdma write data to dram which has been i2c_put_dma_safe_msg_buf(kfree). Move dma reset before i2c reset in mtk_i2c_init_hw to fix it. Signed-off-by: Qii Wang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit fdcbd5e015f9b654abb1cf9805f824e067016c7f Author: Fred Gao Date: Tue Nov 3 02:01:20 2020 +0800 vfio/pci: Bypass IGD init in case of -ENODEV [ Upstream commit e4eccb853664de7bcf9518fb658f35e748bf1f68 ] Bypass the IGD initialization when -ENODEV returns, that should be the case if opregion is not available for IGD or within discrete graphics device's option ROM, or host/lpc bridge is not found. Then use of -ENODEV here means no special device resources found which needs special care for VFIO, but we still allow other normal device resource access. Cc: Zhenyu Wang Cc: Xiong Zhang Cc: Hang Yuan Cc: Stuart Summers Signed-off-by: Fred Gao Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 0fa7baa5092263f4c8aea0ae4a5239008049a523 Author: Zhang Qilong Date: Sat Oct 31 11:03:53 2020 +0800 vfio: platform: fix reference leak in vfio_platform_open [ Upstream commit bb742ad01961a3b9d1f9d19375487b879668b6b2 ] pm_runtime_get_sync() will increment pm usage counter even it failed. Forgetting to call pm_runtime_put will result in reference leak in vfio_platform_open, so we should fix it. Signed-off-by: Zhang Qilong Acked-by: Eric Auger Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit e68d3689dcfa003b4808e124855ec872f5564fc4 Author: Qian Cai Date: Wed Oct 28 14:27:42 2020 -0400 s390/smp: move rcu_cpu_starting() earlier [ Upstream commit de5d9dae150ca1c1b5c7676711a9ca139d1a8dec ] The call to rcu_cpu_starting() in smp_init_secondary() is not early enough in the CPU-hotplug onlining process, which results in lockdep splats as follows: WARNING: suspicious RCU usage ----------------------------- kernel/locking/lockdep.c:3497 RCU-list traversed in non-reader section!! other info that might help us debug this: RCU used illegally from offline CPU! rcu_scheduler_active = 1, debug_locks = 1 no locks held by swapper/1/0. Call Trace: show_stack+0x158/0x1f0 dump_stack+0x1f2/0x238 __lock_acquire+0x2640/0x4dd0 lock_acquire+0x3a8/0xd08 _raw_spin_lock_irqsave+0xc0/0xf0 clockevents_register_device+0xa8/0x528 init_cpu_timer+0x33e/0x468 smp_init_secondary+0x11a/0x328 smp_start_secondary+0x82/0x88 This is avoided by moving the call to rcu_cpu_starting up near the beginning of the smp_init_secondary() function. Note that the raw_smp_processor_id() is required in order to avoid calling into lockdep before RCU has declared the CPU to be watched for readers. Link: https://lore.kernel.org/lkml/160223032121.7002.1269740091547117869.tip-bot2@tip-bot2/ Signed-off-by: Qian Cai Acked-by: Paul E. McKenney Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit 80eed6eff184c7ea61aeb9ae747b5dd80cf12ba4 Author: Suravee Suthikulpanit Date: Thu Oct 15 02:50:02 2020 +0000 iommu/amd: Increase interrupt remapping table limit to 512 entries [ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ] Certain device drivers allocate IO queues on a per-cpu basis. On AMD EPYC platform, which can support up-to 256 cpu threads, this can exceed the current MAX_IRQ_PER_TABLE limit of 256, and result in the error message: AMD-Vi: Failed to allocate IRTE This has been observed with certain NVME devices. AMD IOMMU hardware can actually support upto 512 interrupt remapping table entries. Therefore, update the driver to match the hardware limit. Please note that this also increases the size of interrupt remapping table to 8KB per device when using the 128-bit IRTE format. Signed-off-by: Suravee Suthikulpanit Link: https://lore.kernel.org/r/20201015025002.87997-1-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 2ff5a999c78797efaae724d7d1a350bc1f94e62a Author: Sagi Grimberg Date: Thu Oct 22 10:15:31 2020 +0800 nvme-tcp: avoid repeated request completion [ Upstream commit 0a8a2c85b83589a5c10bc5564b796836bf4b4984 ] The request may be executed asynchronously, and rq->state may be changed to IDLE. To avoid repeated request completion, only MQ_RQ_COMPLETE of rq->state is checked in nvme_tcp_complete_timed_out. It is not safe, so need adding check IDLE for rq->state. Signed-off-by: Sagi Grimberg Signed-off-by: Chao Leng Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 7594c2395500b4dd5d3cd0b81df5f0e6d9ec6646 Author: Sagi Grimberg Date: Thu Oct 22 10:15:23 2020 +0800 nvme-rdma: avoid repeated request completion [ Upstream commit fdf58e02adecbef4c7cbb2073d8ea225e6fd5f26 ] The request may be executed asynchronously, and rq->state may be changed to IDLE. To avoid repeated request completion, only MQ_RQ_COMPLETE of rq->state is checked in nvme_rdma_complete_timed_out. It is not safe, so need adding check IDLE for rq->state. Signed-off-by: Sagi Grimberg Signed-off-by: Chao Leng Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 21a96d98e24b5a52d1f488436cda926d1d8c59fb Author: Chao Leng Date: Thu Oct 22 10:15:15 2020 +0800 nvme-tcp: avoid race between time out and tear down [ Upstream commit d6f66210f4b1aa2f5944f0e34e0f8db44f499f92 ] Now use teardown_lock to serialize for time out and tear down. This may cause abnormal: first cancel all request in tear down, then time out may complete the request again, but the request may already be freed or restarted. To avoid race between time out and tear down, in tear down process, first we quiesce the queue, and then delete the timer and cancel the time out work for the queue. At the same time we need to delete teardown_lock. Signed-off-by: Chao Leng Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 987a99014200c1d2e9edddeebe37bfe9168cdb9b Author: Chao Leng Date: Thu Oct 22 10:15:08 2020 +0800 nvme-rdma: avoid race between time out and tear down [ Upstream commit 3017013dcc82a4862bd1e140f8b762cfc594008d ] Now use teardown_lock to serialize for time out and tear down. This may cause abnormal: first cancel all request in tear down, then time out may complete the request again, but the request may already be freed or restarted. To avoid race between time out and tear down, in tear down process, first we quiesce the queue, and then delete the timer and cancel the time out work for the queue. At the same time we need to delete teardown_lock. Signed-off-by: Chao Leng Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit c28eec9faf89f938bf55dadcad570d3c05595fde Author: Chao Leng Date: Thu Oct 22 10:15:00 2020 +0800 nvme: introduce nvme_sync_io_queues [ Upstream commit 04800fbff4764ab7b32c49d19628605a5d4cb85c ] Introduce sync io queues for some scenarios which just only need sync io queues not sync all queues. Signed-off-by: Chao Leng Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 19e7626fa05b7391384998e4fda0b223af731e60 Author: Sreekanth Reddy Date: Mon Nov 2 12:57:46 2020 +0530 scsi: mpt3sas: Fix timeouts observed while reenabling IRQ [ Upstream commit 5feed64f9199ff90c4239971733f23f30aeb2484 ] While reenabling the IRQ after irq poll there may be small time window where HBA firmware has posted some replies and raise the interrupts but driver has not received the interrupts. So we may observe I/O timeouts as the driver has not processed the replies as interrupts got missed while reenabling the IRQ. To fix this issue the driver has to go for one more round of processing the reply descriptors from reply descriptor post queue after enabling the IRQ. Link: https://lore.kernel.org/r/20201102072746.27410-1-sreekanth.reddy@broadcom.com Reported-by: Tomas Henzl Reviewed-by: Tomas Henzl Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 75472e42a265a9b76e37b0cbedeb3e453f2bf3f0 Author: Hannes Reinecke Date: Thu Sep 24 12:45:59 2020 +0200 scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() [ Upstream commit 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca ] alua_bus_detach() might be running concurrently with alua_rtpg_work(), so we might trip over h->sdev == NULL and call BUG_ON(). The correct way of handling it is to not set h->sdev to NULL in alua_bus_detach(), and call rcu_synchronize() before the final delete to ensure that all concurrent threads have left the critical section. Then we can get rid of the BUG_ON() and replace it with a simple if condition. Link: https://lore.kernel.org/r/1600167537-12509-1-git-send-email-jitendra.khasdev@oracle.com Link: https://lore.kernel.org/r/20200924104559.26753-1-hare@suse.de Cc: Brian Bunker Acked-by: Brian Bunker Tested-by: Jitendra Khasdev Reviewed-by: Jitendra Khasdev Signed-off-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b2a14b4673b78b56110e7cd570016c48c96276b1 Author: Vineet Gupta Date: Thu Oct 29 19:18:34 2020 -0700 ARC: [plat-hsdk] Remap CCMs super early in asm boot trampoline [ Upstream commit 3b57533b460c8dc22a432684b7e8d22571f34d2e ] ARC HSDK platform stopped booting on released v5.10-rc1, getting stuck in startup of non master SMP cores. This was bisected to upstream commit 7fef431be9c9ac25 "(mm/page_alloc: place pages to tail in __free_pages_core())" That commit itself is harmless, it just exposed a subtle assumption in our platform code (hence CC'ing linux-mm just as FYI in case some other arches / platforms trip on it). The upstream commit is semantically disruptive as it reverses the order of page allocations (actually it can be good test for hardware verification to exercise different memory patterns altogether). For ARC HSDK platform that meant a remapped memory region (pertaining to unused Closely Coupled Memory) started getting used early for dynamice allocations, while not effectively remapped on all the cores, triggering memory error exception on those cores. The fix is to move the CCM remapping from early platform code to to early core boot code. And while it is undesirable to riddle common boot code with platform quirks, there is no other way to do this since the faltering code involves setting up stack itself so even function calls are not allowed at that point. If anyone is interested, all the gory details can be found at Link below. Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/32 Cc: David Hildenbrand Cc: linux-mm@kvack.org Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 169a040179c856ae3a3ea511b44ce7632482293c Author: Keith Busch Date: Fri Oct 30 10:28:54 2020 -0700 Revert "nvme-pci: remove last_sq_tail" [ Upstream commit 38210800bf66d7302da1bb5b624ad68638da1562 ] Multiple CPUs may be mapped to the same hctx, allowing mulitple submission contexts to attempt commit_rqs(). We need to verify we're not writing the same doorbell value multiple times since that's a spec violation. Revert commit 54b2fcee1db041a83b52b51752dade6090cf952f. Link: https://bugzilla.redhat.com/show_bug.cgi?id=1878596 Reported-by: "B.L. Jones" Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 74c2a09c583f96f1399993d58809f9a54d11d502 Author: Qiujun Huang Date: Sat Oct 31 16:57:14 2020 +0800 tracing: Fix the checking of stackidx in __ftrace_trace_stack [ Upstream commit 906695e59324635c62b5ae59df111151a546ca66 ] The array size is FTRACE_KSTACK_NESTING, so the index FTRACE_KSTACK_NESTING is illegal too. And fix two typos by the way. Link: https://lkml.kernel.org/r/20201031085714.2147-1-hqjagain@gmail.com Signed-off-by: Qiujun Huang Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit c9ed6f0c3d8e8277d2cbf0ba70875abcf80a881b Author: Jason A. Donenfeld Date: Thu Oct 29 03:56:05 2020 +0100 wireguard: selftests: check that route_me_harder packets use the right sk [ Upstream commit af8afcf1fdd5f365f70e2386c2d8c7a1abd853d7 ] If netfilter changes the packet mark, the packet is rerouted. The ip_route_me_harder family of functions fails to use the right sk, opting to instead use skb->sk, resulting in a routing loop when used with tunnels. With the next change fixing this issue in netfilter, test for the relevant condition inside our test suite, since wireguard was where the bug was discovered. Reported-by: Chen Minqiang Signed-off-by: Jason A. Donenfeld Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 5ad605509f5369fedda434d5bcecb7aedf5563ee Author: Ye Bin Date: Fri Oct 9 15:02:15 2020 +0800 cfg80211: regulatory: Fix inconsistent format argument [ Upstream commit db18d20d1cb0fde16d518fb5ccd38679f174bc04 ] Fix follow warning: [net/wireless/reg.c:3619]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'. Reported-by: Hulk Robot Signed-off-by: Ye Bin Link: https://lore.kernel.org/r/20201009070215.63695-1-yebin10@huawei.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 70b3d9812c81fc9c0056de5aa05051eae3f27f37 Author: Johannes Berg Date: Fri Oct 9 13:58:22 2020 +0200 cfg80211: initialize wdev data earlier [ Upstream commit 9bdaf3b91efd229dd272b228e13df10310c80d19 ] There's a race condition in the netdev registration in that NETDEV_REGISTER actually happens after the netdev is available, and so if we initialize things only there, we might get called with an uninitialized wdev through nl80211 - not using a wdev but using a netdev interface index. I found this while looking into a syzbot report, but it doesn't really seem to be related, and unfortunately there's no repro for it (yet). I can't (yet) explain how it managed to get into cfg80211_release_pmsr() from nl80211_netlink_notify() without the wdev having been initialized, as the latter only iterates the wdevs that are linked into the rdev, which even without the change here happened after init. However, looking at this, it seems fairly clear that the init needs to be done earlier, otherwise we might even re-init on a netns move, when data might still be pending. Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20201009135821.fdcbba3aad65.Ie9201d91dbcb7da32318812effdc1561aeaf4cdc@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 49380f3795dd81abdd2a701acb9463299a6d59b9 Author: Johannes Berg Date: Fri Oct 9 13:25:41 2020 +0200 mac80211: fix use of skb payload instead of header [ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ] When ieee80211_skb_resize() is called from ieee80211_build_hdr() the skb has no 802.11 header yet, in fact it consist only of the payload as the ethernet frame is removed. As such, we're using the payload data for ieee80211_is_mgmt(), which is of course completely wrong. This didn't really hurt us because these are always data frames, so we could only have added more tailroom than we needed if we determined it was a management frame and sdata->crypto_tx_tailroom_needed_cnt was false. However, syzbot found that of course there need not be any payload, so we're using at best uninitialized memory for the check. Fix this to pass explicitly the kind of frame that we have instead of checking there, by replacing the "bool may_encrypt" argument with an argument that can carry the three possible states - it's not going to be encrypted, it's a management frame, or it's a data frame (and then we check sdata->crypto_tx_tailroom_needed_cnt). Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 5b025626a698e78d0f5af5a393e05bbeed900650 Author: Evan Quan Date: Tue Oct 27 10:24:18 2020 +0800 drm/amd/pm: do not use ixFEATURE_STATUS for checking smc running [ Upstream commit 786436b453001dafe81025389f96bf9dac1e9690 ] This reverts commit f87812284172a9809820d10143b573d833cd3f75 ("drm/amdgpu: Fix bug where DPM is not enabled after hibernate and resume"). It was intended to fix Hawaii S4(hibernation) issue but break S3. As ixFEATURE_STATUS is filled with garbage data on resume which can be only cleared by reloading smc firmware(but that will involve many changes). So, we will revert this S4 fix and seek a new way. Signed-off-by: Evan Quan Tested-by: Sandeep Raghuraman Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c6cf5341a368489f068531b7e46361ae2e30b570 Author: Evan Quan Date: Fri Oct 16 10:45:26 2020 +0800 drm/amd/pm: perform SMC reset on suspend/hibernation [ Upstream commit 277b080f98803cb73a83fb234f0be83a10e63958 ] So that the succeeding resume can be performed based on a clean state. Signed-off-by: Evan Quan Tested-by: Sandeep Raghuraman Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2f8f95104b9b4b6e5b76b6ed6bfda548b87c3261 Author: Evan Quan Date: Wed Oct 28 15:34:29 2020 +0800 drm/amd/pm: correct the baco reset sequence for CI ASICs [ Upstream commit c108725ef589af462be6b957f63c7925e38213eb ] Correct some registers bitmasks and add mmBIOS_SCRATCH_7 reset. Signed-off-by: Evan Quan Tested-by: Sandeep Raghuraman Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9817b11bfffa5416bef1e19c223a1c75d33d7c8c Author: Evan Quan Date: Wed Oct 28 15:29:59 2020 +0800 drm/amdgpu: perform srbm soft reset always on SDMA resume [ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ] This can address the random SDMA hang after pci config reset seen on Hawaii. Signed-off-by: Evan Quan Tested-by: Sandeep Raghuraman Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6ac37951b6b01cf54f746d7441e9ba515f20c4bf Author: Keita Suzuki Date: Tue Oct 27 07:31:24 2020 +0000 scsi: hpsa: Fix memory leak in hpsa_init_one() [ Upstream commit af61bc1e33d2c0ec22612b46050f5b58ac56a962 ] When hpsa_scsi_add_host() fails, h->lastlogicals is leaked since it is missing a free() in the error handler. Fix this by adding free() when hpsa_scsi_add_host() fails. Link: https://lore.kernel.org/r/20201027073125.14229-1-keitasuzuki.park@sslab.ics.keio.ac.jp Tested-by: Don Brace Acked-by: Don Brace Signed-off-by: Keita Suzuki Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ed0983e84f21e4d5fc58210b1f2839d438732b21 Author: Bob Peterson Date: Wed Oct 28 13:42:18 2020 -0500 gfs2: check for live vs. read-only file system in gfs2_fitrim [ Upstream commit c5c68724696e7d2f8db58a5fce3673208d35c485 ] Before this patch, gfs2_fitrim was not properly checking for a "live" file system. If the file system had something to trim and the file system was read-only (or spectator) it would start the trim, but when it starts the transaction, gfs2_trans_begin returns -EROFS (read-only file system) and it errors out. However, if the file system was already trimmed so there's no work to do, it never called gfs2_trans_begin. That code is bypassed so it never returns the error. Instead, it returns a good return code with 0 work. All this makes for inconsistent behavior: The same fstrim command can return -EROFS in one case and 0 in another. This tripped up xfstests generic/537 which reports the error as: +fstrim with unrecovered metadata just ate your filesystem This patch adds a check for a "live" (iow, active journal, iow, RW) file system, and if not, returns the error properly. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 8c8a35635c7f48caae9d6e93f01f0e909bf07285 Author: Bob Peterson Date: Tue Oct 27 10:10:02 2020 -0500 gfs2: Add missing truncate_inode_pages_final for sd_aspace [ Upstream commit a9dd945ccef07a904e412f208f8de708a3d7159e ] Gfs2 creates an address space for its rgrps called sd_aspace, but it never called truncate_inode_pages_final on it. This confused vfs greatly which tried to reference the address space after gfs2 had freed the superblock that contained it. This patch adds a call to truncate_inode_pages_final for sd_aspace, thus avoiding the use-after-free. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit ff838a9150ab458bdd0a1c0b0a92ce4325a7e6f4 Author: Bob Peterson Date: Tue Oct 27 10:10:01 2020 -0500 gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free [ Upstream commit d0f17d3883f1e3f085d38572c2ea8edbd5150172 ] Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling return_all_reservations, but return_all_reservations still dereferences rgd->rd_bits in __rs_deltree. Fix that by moving the call to kfree below the call to return_all_reservations. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 5260e09c90be26c17a675e1517fe46c91c16656d Author: Joerg Roedel Date: Wed Oct 28 17:46:55 2020 +0100 x86/boot/compressed/64: Introduce sev_status [ Upstream commit 3ad84246a4097010f3ae3d6944120c0be00e9e7a ] Introduce sev_status and initialize it together with sme_me_mask to have an indicator which SEV features are enabled. Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Reviewed-by: Tom Lendacky Link: https://lkml.kernel.org/r/20201028164659.27002-2-joro@8bytes.org Signed-off-by: Sasha Levin commit 764ec5a8de54415b80183291259e3cd69dc03d7b Author: Kai-Heng Feng Date: Tue Oct 27 21:00:38 2020 +0800 ALSA: hda: Reinstate runtime_allow() for all hda controllers [ Upstream commit 9fc149c3bce7bdbb94948a8e6bd025e3b3538603 ] The broken jack detection should be fixed by commit a6e7d0a4bdb0 ("ALSA: hda: fix jack detection with Realtek codecs when in D3"), let's try enabling runtime PM by default again. Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20201027130038.16463-4-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit a34084ba9a38824a2dbd1339b11ebb31a3665b72 Author: Kai-Heng Feng Date: Tue Oct 27 21:00:37 2020 +0800 ALSA: hda: Separate runtime and system suspend [ Upstream commit f5dac54d9d93826a776dffc848df76746f7135bb ] Both pm_runtime_force_suspend() and pm_runtime_force_resume() have some implicit checks, so it can make code flow more straightforward if we separate runtime and system suspend callbacks. High Definition Audio Specification, 4.5.9.3 Codec Wake From System S3 states that codec can wake the system up from S3 if WAKEEN is toggled. Since HDA controller has different wakeup settings for runtime and system susend, we also need to explicitly disable direct-complete which can be enabled automatically by PCI core. In addition to that, avoid waking up codec if runtime resume is for system suspend, to not break direct-complete for codecs. While at it, also remove AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP, as the original bug commit a6630529aecb ("ALSA: hda: Workaround for spurious wakeups on some Intel platforms") solves doesn't happen with this patch. Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20201027130038.16463-3-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8abbccb87d8f795591a9bdd531016becb39d9f40 Author: Tommi Rantala Date: Thu Oct 8 15:26:22 2020 +0300 selftests: pidfd: fix compilation errors due to wait.h [ Upstream commit 1948172fdba5ad643529ddcd00a601c0caa913ed ] Drop unneeded header inclusion to fix pidfd compilation errors seen in Fedora 32: In file included from pidfd_open_test.c:9: ../../../../usr/include/linux/wait.h:17:16: error: expected identifier before numeric constant 17 | #define P_ALL 0 | ^ Signed-off-by: Tommi Rantala Reviewed-by: Kees Cook Acked-by: Christian Brauner Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 01fe7bee6679bb0d4ffd5c7cfd8a64062a3d6b7b Author: Colin Ian King Date: Fri Oct 2 14:25:01 2020 +0100 selftests/ftrace: check for do_sys_openat2 in user-memory test [ Upstream commit e3e40312567087fbe6880f316cb2b0e1f3d8a82c ] More recent libc implementations are now using openat/openat2 system calls so also add do_sys_openat2 to the tracing so that the test passes on these systems because do_sys_open may not be called. Thanks to Masami Hiramatsu for the help on getting this fix to work correctly. Signed-off-by: Colin Ian King Acked-by: Masami Hiramatsu Acked-by: Steven Rostedt (VMware) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 137af564df56625c4323484d1793865074837ef4 Author: Zqiang Date: Tue Oct 27 15:30:44 2020 +0800 usb: raw-gadget: fix memory leak in gadget_setup [ Upstream commit 129aa9734559a17990ee933351c7b6956f1dba62 ] When fetch 'event' from event queue, after copy its address space content to user space, the 'event' the memory space pointed to by the 'event' pointer need be freed. BUG: memory leak unreferenced object 0xffff888110622660 (size 32): comm "softirq", pid 0, jiffies 4294941981 (age 12.480s) hex dump (first 32 bytes): 02 00 00 00 08 00 00 00 80 06 00 01 00 00 40 00 ..............@. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000efd29abd>] kmalloc include/linux/slab.h:554 [inline] [<00000000efd29abd>] raw_event_queue_add drivers/usb/gadget/legacy/raw_gadget.c:66 [inline] [<00000000efd29abd>] raw_queue_event drivers/usb/gadget/legacy/raw_gadget.c:225 [inline] [<00000000efd29abd>] gadget_setup+0xf6/0x220 drivers/usb/gadget/legacy/raw_gadget.c:343 [<00000000952c4a46>] dummy_timer+0xb9f/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1899 [<0000000074ac2c54>] call_timer_fn+0x38/0x200 kernel/time/timer.c:1415 [<00000000560a3a79>] expire_timers kernel/time/timer.c:1460 [inline] [<00000000560a3a79>] __run_timers.part.0+0x319/0x400 kernel/time/timer.c:1757 [<000000009d9503d0>] __run_timers kernel/time/timer.c:1738 [inline] [<000000009d9503d0>] run_timer_softirq+0x3d/0x80 kernel/time/timer.c:1770 [<000000009df27c89>] __do_softirq+0xcc/0x2c2 kernel/softirq.c:298 [<000000007a3f1a47>] asm_call_irq_on_stack+0xf/0x20 [<000000004a62cc2e>] __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] [<000000004a62cc2e>] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] [<000000004a62cc2e>] do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77 [<00000000b0086800>] invoke_softirq kernel/softirq.c:393 [inline] [<00000000b0086800>] __irq_exit_rcu kernel/softirq.c:423 [inline] [<00000000b0086800>] irq_exit_rcu+0x91/0xc0 kernel/softirq.c:435 [<00000000175f9523>] sysvec_apic_timer_interrupt+0x36/0x80 arch/x86/kernel/apic/apic.c:1091 [<00000000a348e847>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631 [<0000000060661100>] native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline] [<0000000060661100>] arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline] [<0000000060661100>] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] [<0000000060661100>] acpi_idle_do_entry+0xc3/0xd0 drivers/acpi/processor_idle.c:517 [<000000003f413b99>] acpi_idle_enter+0x128/0x1f0 drivers/acpi/processor_idle.c:648 [<00000000f5e5afb8>] cpuidle_enter_state+0xc9/0x650 drivers/cpuidle/cpuidle.c:237 [<00000000d50d51fc>] cpuidle_enter+0x29/0x40 drivers/cpuidle/cpuidle.c:351 [<00000000d674baed>] call_cpuidle kernel/sched/idle.c:132 [inline] [<00000000d674baed>] cpuidle_idle_call kernel/sched/idle.c:213 [inline] [<00000000d674baed>] do_idle+0x1c8/0x250 kernel/sched/idle.c:273 Reported-by: syzbot+bd38200f53df6259e6bf@syzkaller.appspotmail.com Signed-off-by: Zqiang Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 766d1dcd3bce8f871fe95d1e8f630692a220580a Author: Evgeny Novikov Date: Fri Oct 2 18:01:55 2020 +0300 usb: gadget: goku_udc: fix potential crashes in probe [ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ] goku_probe() goes to error label "err" and invokes goku_remove() in case of failures of pci_enable_device(), pci_resource_start() and ioremap(). goku_remove() gets a device from pci_get_drvdata(pdev) and works with it without any checks, in particular it dereferences a corresponding pointer. But goku_probe() did not set this device yet. So, one can expect various crashes. The patch moves setting the device just after allocation of memory for it. Found by Linux Driver Verification project (linuxtesting.org). Reported-by: Pavel Andrianov Signed-off-by: Evgeny Novikov Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 8ec600acec7fdf9750be55c2cc0b18d1d8da731c Author: Viresh Kumar Date: Thu Oct 22 12:26:08 2020 +0530 opp: Reduce the size of critical section in _opp_table_kref_release() [ Upstream commit e0df59de670b48a923246fae1f972317b84b2764 ] There is a lot of stuff here which can be done outside of the big opp_table_lock, do that. This helps avoiding few circular dependency lockdeps around debugfs and interconnects. Reported-by: Rob Clark Reported-by: Dmitry Osipenko Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 5389f45320f873e8e162f8b0c10f47b752966801 Author: Heikki Krogerus Date: Tue Oct 6 16:02:50 2020 +0300 usb: dwc3: pci: add support for the Intel Alder Lake-S [ Upstream commit 1384ab4fee12c4c4f8bd37bc9f8686881587b286 ] This patch adds the necessary PCI ID for Intel Alder Lake-S devices. Signed-off-by: Heikki Krogerus Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit f55cfb8e5f75065169214e36774155a7946b8a84 Author: Bard Liao Date: Wed Oct 21 21:24:19 2020 +0300 ASoC: SOF: loader: handle all SOF_IPC_EXT types [ Upstream commit 6e5329c6e6032cd997400b43b8299f607a61883e ] Do not emit a warning for extended firmware header fields that are not used by kernel. This creates unnecessary noise to kernel logs like: sof-audio-pci 0000:00:1f.3: warning: unknown ext header type 3 size 0x1c sof-audio-pci 0000:00:1f.3: warning: unknown ext header type 4 size 0x10 Signed-off-by: Bard Liao Reviewed-by: Pierre-Louis Bossart Reviewed-by: Ranjani Sridharan Reviewed-by: Guennadi Liakhovetski Signed-off-by: Kai Vehmanen Link: https://lore.kernel.org/r/20201021182419.1160391-1-kai.vehmanen@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c9a05f6ef65e9f6e4c57355f6872aa52e67f4c6a Author: Olivier Moysan Date: Tue Oct 20 17:01:09 2020 +0200 ASoC: cs42l51: manage mclk shutdown delay [ Upstream commit 20afe581c9b980848ad097c4d54dde9bec7593ef ] A delay must be introduced before the shutdown down of the mclk, as stated in CS42L51 datasheet. Otherwise the codec may produce some noise after the end of DAPM power down sequence. The delay between DAC and CLOCK_SUPPLY widgets is too short. Add a delay in mclk shutdown request to manage the shutdown delay explicitly. From experiments, at least 10ms delay is necessary. Set delay to 20ms as recommended in Documentation/timers/timers-howto.rst when using msleep(). Signed-off-by: Olivier Moysan Link: https://lore.kernel.org/r/20201020150109.482-1-olivier.moysan@st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0aba4532c183c2643638d16e873df7ec9f620222 Author: Srinivas Kandagatla Date: Fri Oct 23 10:58:49 2020 +0100 ASoC: qcom: sdm845: set driver name correctly [ Upstream commit 3f48b6eba15ea342ef4cb420b580f5ed6605669f ] With the current state of code, we would endup with something like below in /proc/asound/cards for 2 machines based on this driver. Machine 1: 0 [DB845c ]: DB845c - DB845c DB845c Machine 2: 0 [LenovoYOGAC6301]: Lenovo-YOGA-C63 - Lenovo-YOGA-C630-13Q50 LENOVO-81JL-LenovoYOGAC630_13Q50-LNVNB161216 This is not very UCM friendly both w.r.t to common up configs and card identification, and UCM2 became totally not usefull with just one ucm sdm845.conf for two machines which have different setups w.r.t HDMI and other dais. Reasons for such thing is partly because Qualcomm machine drivers never cared to set driver_name. This patch sets up driver name for the this driver to sort out the UCM integration issues! after this patch contents of /proc/asound/cards: Machine 1: 0 [DB845c ]: sdm845 - DB845c DB845c Machine 2: 0 [LenovoYOGAC6301]: sdm845 - Lenovo-YOGA-C630-13Q50 LENOVO-81JL-LenovoYOGAC630_13Q50-LNVNB161216 with this its possible to align with what UCM2 expects and we can have sdm845/DB845.conf sdm845/LENOVO-81JL-LenovoYOGAC630_13Q50-LNVNB161216.conf ... for board variants. This should scale much better! Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20201023095849.22894-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e680e74b8c9c112c24f4296f8fad008557211819 Author: Tzung-Bi Shih Date: Mon Oct 19 12:47:24 2020 +0800 ASoC: mediatek: mt8183-da7219: fix DAPM paths for rt1015 [ Upstream commit eb5a558705c7f63d06b4ddd072898b1ca894e053 ] RT1015's output widget name is "SPO" instead of "Speaker". Fixes it to use the correct names. Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20201019044724.1601476-1-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 563dd2e2b95210cf2c3dff8327e516daacfaccc4 Author: Pujin Shi Date: Fri Oct 2 14:35:38 2020 +0800 scsi: ufs: Fix missing brace warning for old compilers commit 6500251e590657066a227dce897a0392f302af24 upstream. For older versions of gcc, the array = {0}; will cause warnings: drivers/scsi/ufs/ufshcd-crypto.c: In function 'ufshcd_crypto_keyslot_program': drivers/scsi/ufs/ufshcd-crypto.c:62:8: warning: missing braces around initializer [-Wmissing-braces] union ufs_crypto_cfg_entry cfg = { 0 }; ^ drivers/scsi/ufs/ufshcd-crypto.c:62:8: warning: (near initialization for 'cfg.reg_val') [-Wmissing-braces] drivers/scsi/ufs/ufshcd-crypto.c: In function 'ufshcd_clear_keyslot': drivers/scsi/ufs/ufshcd-crypto.c:103:8: warning: missing braces around initializer [-Wmissing-braces] union ufs_crypto_cfg_entry cfg = { 0 }; ^ 2 warnings generated Link: https://lore.kernel.org/r/20201002063538.1250-1-shipujin.t@gmail.com Fixes: 70297a8ac7a7 ("scsi: ufs: UFS crypto API") Reviewed-by: Eric Biggers Signed-off-by: Pujin Shi Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 25e617fa4343239f7d2a64c956cf76f5b3b808cf Author: Masashi Honma Date: Sun Aug 9 08:32:58 2020 +0900 ath9k_htc: Use appropriate rs_datalen type commit 5024f21c159f8c1668f581fff37140741c0b1ba9 upstream. kernel test robot says: drivers/net/wireless/ath/ath9k/htc_drv_txrx.c:987:20: sparse: warning: incorrect type in assignment (different base types) drivers/net/wireless/ath/ath9k/htc_drv_txrx.c:987:20: sparse: expected restricted __be16 [usertype] rs_datalen drivers/net/wireless/ath/ath9k/htc_drv_txrx.c:987:20: sparse: got unsigned short [usertype] drivers/net/wireless/ath/ath9k/htc_drv_txrx.c:988:13: sparse: warning: restricted __be16 degrades to integer drivers/net/wireless/ath/ath9k/htc_drv_txrx.c:1001:13: sparse: warning: restricted __be16 degrades to integer Indeed rs_datalen has host byte order, so modify it's own type. Reported-by: kernel test robot Fixes: cd486e627e67 ("ath9k_htc: Discard undersized packets") Signed-off-by: Masashi Honma Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200808233258.4596-1-masashi.honma@gmail.com Signed-off-by: Greg Kroah-Hartman commit e57867b028a003f98a75de3a06fd3cf27ecc512c Author: Stephen Boyd Date: Fri Oct 23 08:47:50 2020 -0700 KVM: arm64: ARM_SMCCC_ARCH_WORKAROUND_1 doesn't return SMCCC_RET_NOT_REQUIRED commit 1de111b51b829bcf01d2e57971f8fd07a665fa3f upstream. According to the SMCCC spec[1](7.5.2 Discovery) the ARM_SMCCC_ARCH_WORKAROUND_1 function id only returns 0, 1, and SMCCC_RET_NOT_SUPPORTED. 0 is "workaround required and safe to call this function" 1 is "workaround not required but safe to call this function" SMCCC_RET_NOT_SUPPORTED is "might be vulnerable or might not be, who knows, I give up!" SMCCC_RET_NOT_SUPPORTED might as well mean "workaround required, except calling this function may not work because it isn't implemented in some cases". Wonderful. We map this SMC call to 0 is SPECTRE_MITIGATED 1 is SPECTRE_UNAFFECTED SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE For KVM hypercalls (hvc), we've implemented this function id to return SMCCC_RET_NOT_SUPPORTED, 0, and SMCCC_RET_NOT_REQUIRED. One of those isn't supposed to be there. Per the code we call arm64_get_spectre_v2_state() to figure out what to return for this feature discovery call. 0 is SPECTRE_MITIGATED SMCCC_RET_NOT_REQUIRED is SPECTRE_UNAFFECTED SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE Let's clean this up so that KVM tells the guest this mapping: 0 is SPECTRE_MITIGATED 1 is SPECTRE_UNAFFECTED SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE Note: SMCCC_RET_NOT_AFFECTED is 1 but isn't part of the SMCCC spec Fixes: c118bbb52743 ("arm64: KVM: Propagate full Spectre v2 workaround state to KVM guests") Signed-off-by: Stephen Boyd Acked-by: Marc Zyngier Acked-by: Will Deacon Cc: Andre Przywara Cc: Steven Price Cc: Marc Zyngier Cc: stable@vger.kernel.org Link: https://developer.arm.com/documentation/den0028/latest [1] Link: https://lore.kernel.org/r/20201023154751.1973872-1-swboyd@chromium.org Signed-off-by: Will Deacon Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 0821c9441d98cbd37d82f290f675baba58fbc80c Author: Tyler Hicks Date: Wed Oct 28 10:41:02 2020 -0500 tpm: efi: Don't create binary_bios_measurements file for an empty log [ Upstream commit 8ffd778aff45be760292225049e0141255d4ad6e ] Mimic the pre-existing ACPI and Device Tree event log behavior by not creating the binary_bios_measurements file when the EFI TPM event log is empty. This fixes the following NULL pointer dereference that can occur when reading /sys/kernel/security/tpm0/binary_bios_measurements after the kernel received an empty event log from the firmware: BUG: kernel NULL pointer dereference, address: 000000000000002c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17 Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019 RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550 Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49 RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246 RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010 RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258 RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300 R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280 R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258 FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __kmalloc_node+0x113/0x320 ? kvmalloc_node+0x31/0x80 seq_read+0x94/0x420 vfs_read+0xa7/0x190 ksys_read+0xa7/0xe0 __x64_sys_read+0x1a/0x20 do_syscall_64+0x37/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 In this situation, the bios_event_log pointer in the tpm_bios_log struct was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was due to the following kmemdup() in tpm_read_log_efi(): int tpm_read_log_efi(struct tpm_chip *chip) { ... /* malloc EventLog space */ log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL); if (!log->bios_event_log) { ret = -ENOMEM; goto out; } ... } When log_size is zero, due to an empty event log from firmware, ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the binary_bios_measurements file, the tpm2_bios_measurements_start() function does not perform a ZERO_OR_NULL_PTR() check on the bios_event_log pointer before dereferencing it. Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of the bios_event_log pointer, simply avoid creating the binary_bios_measurements_file as is done in other event log retrieval backends. Explicitly ignore all of the events in the final event log when the main event log is empty. The list of events in the final event log cannot be accurately parsed without referring to the first event in the main event log (the event log header) so the final event log is useless in such a situation. Fixes: 58cc1e4faf10 ("tpm: parse TPM event logs based on EFI table") Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/ Reported-by: Kai-Heng Feng Reported-by: Kenneth R. Crudup Reported-by: Mimi Zohar Cc: Thiébaud Weksteen Cc: Ard Biesheuvel Signed-off-by: Tyler Hicks Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 7d67ec8b7784109a85ea9d24d0983747d5e06c34 Author: Zhang Qilong Date: Mon Nov 2 10:26:50 2020 +0800 USB: apple-mfi-fastcharge: fix reference leak in apple_mfi_fc_set_property [ Upstream commit 00bd6bca3fb1e98190a24eda2583062803c9e8b5 ] pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. If runtime of the device has error or device is in inaccessible state(or other error state), resume operation will fail. If we do not call put operation to decrease the reference, the result is that this device cannot enter the idle state and always stay busy or other non-idle state. Fixes: 249fa8217b846 ("USB: Add driver to control USB fast charge for iOS devices") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201102022650.67115-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cc8570e6122e9ee1bd53ecaeeccd47c36e858177 Author: Palmer Dabbelt Date: Fri Oct 23 21:50:47 2020 -0700 RISC-V: Fix the VDSO symbol generaton for binutils-2.35+ [ Upstream commit c2c81bb2f69138f902e1a58d3bef6ad97fb8a92c ] We were relying on GNU ld's ability to re-link executable files in order to extract our VDSO symbols. This behavior was deemed a bug as of binutils-2.35 (specifically the binutils-gdb commit a87e1817a4 ("Have the linker fail if any attempt to link in an executable is made."), but as that has been backported to at least Debian's binutils-2.34 in may manifest in other places. The previous version of this was a bit of a mess: we were linking a static executable version of the VDSO, containing only a subset of the input symbols, which we then linked into the kernel. This worked, but certainly wasn't a supported path through the toolchain. Instead this new version parses the textual output of nm to produce a symbol table. Both rely on near-zero addresses being linkable, but as we rely on weak undefined symbols being linkable elsewhere I don't view this as a major issue. Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 6809b33291367c07ccaab29c4e366b762b832fe3 Author: Bill Wendling Date: Tue Sep 22 16:21:40 2020 -0700 kbuild: explicitly specify the build id style [ Upstream commit a968433723310f35898b4a2f635a7991aeef66b1 ] ld's --build-id defaults to "sha1" style, while lld defaults to "fast". The build IDs are very different between the two, which may confuse programs that reference them. Signed-off-by: Bill Wendling Acked-by: David S. Miller Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit f2ab81646a112bba0451ed401388614e9502ceb0 Author: Anand K Mistry Date: Thu Nov 5 16:33:04 2020 +1100 x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP [ Upstream commit 1978b3a53a74e3230cd46932b149c6e62e832e9a ] On AMD CPUs which have the feature X86_FEATURE_AMD_STIBP_ALWAYS_ON, STIBP is set to on and spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED At the same time, IBPB can be set to conditional. However, this leads to the case where it's impossible to turn on IBPB for a process because in the PR_SPEC_DISABLE case in ib_prctl_set() the spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED condition leads to a return before the task flag is set. Similarly, ib_prctl_get() will return PR_SPEC_DISABLE even though IBPB is set to conditional. More generally, the following cases are possible: 1. STIBP = conditional && IBPB = on for spectre_v2_user=seccomp,ibpb 2. STIBP = on && IBPB = conditional for AMD CPUs with X86_FEATURE_AMD_STIBP_ALWAYS_ON The first case functions correctly today, but only because spectre_v2_user_ibpb isn't updated to reflect the IBPB mode. At a high level, this change does one thing. If either STIBP or IBPB is set to conditional, allow the prctl to change the task flag. Also, reflect that capability when querying the state. This isn't perfect since it doesn't take into account if only STIBP or IBPB is unconditionally on. But it allows the conditional feature to work as expected, without affecting the unconditional one. [ bp: Massage commit message and comment; space out statements for better readability. ] Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") Signed-off-by: Anand K Mistry Signed-off-by: Borislav Petkov Acked-by: Thomas Gleixner Acked-by: Tom Lendacky Link: https://lkml.kernel.org/r/20201105163246.v2.1.Ifd7243cd3e2c2206a893ad0a5b9a4f19549e22c6@changeid Signed-off-by: Sasha Levin commit b585ab3ffb1d98dd3bb5f03ea5f0d307e78ea423 Author: Tommi Rantala Date: Thu Oct 8 15:26:33 2020 +0300 selftests: binderfs: use SKIP instead of XFAIL [ Upstream commit 7d764b685ee1bc73a9fa2b6cb4d42fa72b943145 ] XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP"), use SKIP instead. Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") Signed-off-by: Tommi Rantala Reviewed-by: Kees Cook Acked-by: Christian Brauner Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit d49b1cc32608f6994295bacd2d23d80b009e27b0 Author: Tommi Rantala Date: Thu Oct 8 15:26:32 2020 +0300 selftests: clone3: use SKIP instead of XFAIL [ Upstream commit afba8b0a2cc532b54eaf4254092f57bba5d7eb65 ] XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP"), use SKIP instead. Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") Signed-off-by: Tommi Rantala Reviewed-by: Kees Cook Acked-by: Christian Brauner Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 991efbfcfc4edceaf8829792db26a2899e6decbc Author: Tommi Rantala Date: Thu Oct 8 15:26:31 2020 +0300 selftests: core: use SKIP instead of XFAIL in close_range_test.c [ Upstream commit 1d44d0dd61b6121b49f25b731f2f7f605cb3c896 ] XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP"), use SKIP instead. Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") Signed-off-by: Tommi Rantala Reviewed-by: Kees Cook Acked-by: Christian Brauner Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit d0a8729fc122175bc5e2fcc6b45d01239a13ebfd Author: Jeff Layton Date: Mon Oct 12 09:39:06 2020 -0400 ceph: check session state after bumping session->s_seq [ Upstream commit 62575e270f661aba64778cbc5f354511cf9abb21 ] Some messages sent by the MDS entail a session sequence number increment, and the MDS will drop certain types of requests on the floor when the sequence numbers don't match. In particular, a REQUEST_CLOSE message can cross with one of the sequence morphing messages from the MDS which can cause the client to stall, waiting for a response that will never come. Originally, this meant an up to 5s delay before the recurring workqueue job kicked in and resent the request, but a recent change made it so that the client would never resend, causing a 60s stall unmounting and sometimes a blockisting event. Add a new helper for incrementing the session sequence and then testing to see whether a REQUEST_CLOSE needs to be resent, and move the handling of CEPH_MDS_SESSION_CLOSING into that function. Change all of the bare sequence counter increments to use the new helper. Reorganize check_session_state with a switch statement. It should no longer be called when the session is CLOSING, so throw a warning if it ever is (but still handle that case sanely). [ idryomov: whitespace, pr_err() call fixup ] URL: https://tracker.ceph.com/issues/47563 Fixes: fa9967734227 ("ceph: fix potential mdsc use-after-free crash") Reported-by: Patrick Donnelly Signed-off-by: Jeff Layton Reviewed-by: Ilya Dryomov Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit a1f25f04928e8ac85b6ec3bacb05024c6744db76 Author: Rob Herring Date: Fri Oct 23 09:52:52 2020 -0500 PCI: mvebu: Fix duplicate resource requests [ Upstream commit 832ea234277a2465ec6602fa6a4db5cd9ee87ae3 ] With commit 669cbc708122 ("PCI: Move DT resource setup into devm_pci_alloc_host_bridge()"), the DT 'ranges' is parsed and populated into resources when the host bridge is allocated. The resources are requested as well, but that happens a second time for the mvebu driver in mvebu_pcie_parse_request_resources(). We should only be requesting the additional resources added in mvebu_pcie_parse_request_resources(). These are not added by default because they use custom properties rather than standard DT address translation. Also, the bus ranges was also populated by default, so we can remove it from mvebu_pci_host_probe(). Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209729 Fixes: 669cbc708122 ("PCI: Move DT resource setup into devm_pci_alloc_host_bridge()") Link: https://lore.kernel.org/r/20201023145252.2691779-1-robh@kernel.org Reported-by: vtolkm@googlemail.com Tested-by: Jan Kundrát Signed-off-by: Rob Herring Signed-off-by: Bjorn Helgaas Acked-by: Lorenzo Pieralisi Cc: Thomas Petazzoni Cc: Jason Cooper Cc: Russell King Signed-off-by: Sasha Levin commit 7db1337e2930996c5919fed8c16297f351d4c9cb Author: Zhao Qiang Date: Tue Nov 3 10:05:46 2020 +0800 spi: fsl-dspi: fix wrong pointer in suspend/resume [ Upstream commit 9bd77a9ce31dd242fece27219d14fbee5068dd85 ] Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path"), this driver causes a "NULL pointer dereference" in dspi_suspend/resume. This is because since this commit, the drivers private data point to "dspi" instead of "ctlr", the codes in suspend and resume func were not modified correspondly. Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path") Signed-off-by: Zhao Qiang Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/20201103020546.1822-1-qiang.zhao@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9154aa2b65222a0c1d972b62b601e567120fb591 Author: Jens Axboe Date: Mon Nov 2 10:39:05 2020 -0700 io_uring: ensure consistent view of original task ->mm from SQPOLL [ Upstream commit 4b70cf9dea4cd239b425f3282fa56ce19e234c8a ] Ensure we get a valid view of the task mm, by using task_lock() when attempting to grab the original task mm. Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com Fixes: 2aede0e417db ("io_uring: stash ctx task reference for SQPOLL") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 29cd2f610afe911bd9ad249479143a17aea4f065 Author: Darrick J. Wong Date: Mon Nov 2 17:14:07 2020 -0800 xfs: fix scrub flagging rtinherit even if there is no rt device [ Upstream commit c1f6b1ac00756a7108e5fcb849a2f8230c0b62a5 ] The kernel has always allowed directories to have the rtinherit flag set, even if there is no rt device, so this check is wrong. Fixes: 80e4e1268802 ("xfs: scrub inodes") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 3aaf0ba283b8bf62288cd9819827550da7d617a4 Author: Darrick J. Wong Date: Mon Nov 2 17:14:06 2020 -0800 xfs: fix missing CoW blocks writeback conversion retry [ Upstream commit c2f09217a4305478c55adc9a98692488dd19cd32 ] In commit 7588cbeec6df, we tried to fix a race stemming from the lack of coordination between higher level code that wants to allocate and remap CoW fork extents into the data fork. Christoph cites as examples the always_cow mode, and a directio write completion racing with writeback. According to the comments before the goto retry, we want to restart the lookup to catch the extent in the data fork, but we don't actually reset whichfork or cow_fsb, which means the second try executes using stale information. Up until now I think we've gotten lucky that either there's something left in the CoW fork to cause cow_fsb to be reset, or either data/cow fork sequence numbers have advanced enough to force a fresh lookup from the data fork. However, if we reach the retry with an empty stable CoW fork and a stable data fork, neither of those things happens. The retry foolishly re-calls xfs_convert_blocks on the CoW fork which fails again. This time, we toss the write. I've recently been working on extending reflink to the realtime device. When the realtime extent size is larger than a single block, we have to force the page cache to CoW the entire rt extent if a write (or fallocate) are not aligned with the rt extent size. The strategy I've chosen to deal with this is derived from Dave's blocksize > pagesize series: dirtying around the write range, and ensuring that writeback always starts mapping on an rt extent boundary. This has brought this race front and center, since generic/522 blows up immediately. However, I'm pretty sure this is a bug outright, independent of that. Fixes: 7588cbeec6df ("xfs: retry COW fork delalloc conversion when no extent was found") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit ab39aed544fd6b590d606e7b7db6f4f8a4e1fd1c Author: Brian Foster Date: Thu Oct 29 14:30:48 2020 -0700 xfs: flush new eof page on truncate to avoid post-eof corruption [ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ] It is possible to expose non-zeroed post-EOF data in XFS if the new EOF page is dirty, backed by an unwritten block and the truncate happens to race with writeback. iomap_truncate_page() will not zero the post-EOF portion of the page if the underlying block is unwritten. The subsequent call to truncate_setsize() will, but doesn't dirty the page. Therefore, if writeback happens to complete after iomap_truncate_page() (so it still sees the unwritten block) but before truncate_setsize(), the cached page becomes inconsistent with the on-disk block. A mapped read after the associated page is reclaimed or invalidated exposes non-zero post-EOF data. For example, consider the following sequence when run on a kernel modified to explicitly flush the new EOF page within the race window: $ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file $ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file ... $ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file 00000400: 00 00 00 00 00 00 00 00 ........ $ umount /mnt/; mount /mnt/ $ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file 00000400: cd cd cd cd cd cd cd cd ........ Update xfs_setattr_size() to explicitly flush the new EOF page prior to the page truncate to ensure iomap has the latest state of the underlying block. Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path") Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 3591d07ab7376b72971632709bf89dbf39c3a2c0 Author: Joakim Zhang Date: Wed Oct 21 02:45:27 2020 +0800 can: flexcan: flexcan_remove(): disable wakeup completely [ Upstream commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 ] With below sequence, we can see wakeup default is enabled after re-load module, if it was enabled before, so we need disable wakeup in flexcan_remove(). | # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup | disabled | # echo enabled > /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup | # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup | enabled | # rmmod flexcan | # modprobe flexcan | # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup | enabled Fixes: de3578c198c6 ("can: flexcan: add self wakeup support") Fixes: 915f9666421c ("can: flexcan: add support for DT property 'wakeup-source'") Signed-off-by: Joakim Zhang Link: https://lore.kernel.org/r/20201020184527.8190-1-qiangqing.zhang@nxp.com [mkl: streamlined commit message] Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 0bbb0a0e74bcac8ef0bbf8622d9f0c1f206b50b4 Author: Joakim Zhang Date: Tue Oct 20 23:53:55 2020 +0800 can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A [ Upstream commit 018799649071a1638c0c130526af36747df4355a ] After double check with Layerscape CAN owner (Pankaj Bansal), confirm that LS1021A doesn't support ECC feature, so remove FLEXCAN_QUIRK_DISABLE_MECR quirk. Fixes: 99b7668c04b27 ("can: flexcan: adding platform specific details for LS1021A") Cc: Pankaj Bansal Signed-off-by: Joakim Zhang Link: https://lore.kernel.org/r/20201020155402.30318-4-qiangqing.zhang@nxp.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit ad3f9f9f0a4978ec8338afd7d58583eed4905ffe Author: Stephane Grosjean Date: Tue Oct 13 17:39:47 2020 +0200 can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on [ Upstream commit 93ef65e5a6357cc7381f85fcec9283fe29970045 ] Echo management is driven by PUCAN_MSG_LOOPED_BACK bit, while loopback frames are identified with PUCAN_MSG_SELF_RECEIVE bit. Those bits are set for each outgoing frame written to the IP core so that a copy of each one will be placed into the rx path. Thus, - when PUCAN_MSG_LOOPED_BACK is set then the rx frame is an echo of a previously sent frame, - when PUCAN_MSG_LOOPED_BACK+PUCAN_MSG_SELF_RECEIVE are set, then the rx frame is an echo AND a loopback frame. Therefore, this frame must be put into the socket rx path too. This patch fixes how CAN frames are handled when these are sent while the can interface is configured in "loopback on" mode. Signed-off-by: Stephane Grosjean Link: https://lore.kernel.org/r/20201013153947.28012-1-s.grosjean@peak-system.com Fixes: 8ac8321e4a79 ("can: peak: add support for PEAK PCAN-PCIe FD CAN-FD boards") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 37cc52739ad1839550a39aae8de1f6ae979ed494 Author: Stephane Grosjean Date: Wed Oct 14 10:56:31 2020 +0200 can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping [ Upstream commit ecc7b4187dd388549544195fb13a11b4ea8e6a84 ] Fabian Inostroza has discovered a potential problem in the hardware timestamp reporting from the PCAN-USB USB CAN interface (only), related to the fact that a timestamp of an event may precede the timestamp used for synchronization when both records are part of the same USB packet. However, this case was used to detect the wrapping of the time counter. This patch details and fixes the two identified cases where this problem can occur. Reported-by: Fabian Inostroza Signed-off-by: Stephane Grosjean Link: https://lore.kernel.org/r/20201014085631.15128-1-s.grosjean@peak-system.com Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 5013cdd3aebc4fe8c01234ffee9e3661ee8e2655 Author: Dan Carpenter Date: Thu Aug 13 17:06:04 2020 +0300 can: peak_usb: add range checking in decode operations [ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ] These values come from skb->data so Smatch considers them untrusted. I believe Smatch is correct but I don't have a way to test this. The usb_if->dev[] array has 2 elements but the index is in the 0-15 range without checks. The cfd->len can be up to 255 but the maximum valid size is CANFD_MAX_DLEN (64) so that could lead to memory corruption. Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200813140604.GA456946@mwanda Acked-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2c4e751f6073ed77dc2a90bc2dc159ccea455b05 Author: Navid Emamdoost Date: Thu Jun 4 22:32:39 2020 -0500 can: xilinx_can: handle failure cases of pm_runtime_get_sync [ Upstream commit 79c43333bdd5a7026a5aab606b53053b643585e7 ] Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count. Call pm_runtime_put if pm_runtime_get_sync fails. Signed-off-by: Navid Emamdoost Link: https://lore.kernel.org/r/20200605033239.60664-1-navid.emamdoost@gmail.com Fixes: 4716620d1b62 ("can: xilinx: Convert to runtime_pm") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 156a84fb97db522d1abe12cd67496bb330de5571 Author: Zhang Changzhong Date: Fri Jul 17 16:04:39 2020 +0800 can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in error path [ Upstream commit e002103b36a695f7cb6048b96da73e66c86ddffb ] The driver forgets to call clk_disable_unprepare() in error path after a success calling for clk_prepare_enable(). Fix it by adding a clk_disable_unprepare() in error path. Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1594973079-27743-1-git-send-email-zhangchangzhong@huawei.com Fixes: befa60113ce7 ("can: ti_hecc: add missing prepare and unprepare of the clock") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f43d555c5a8c2b9ba6c32f9fa2d14c1047badfbf Author: Zhang Changzhong Date: Mon Sep 7 14:31:48 2020 +0800 can: j1939: j1939_sk_bind(): return failure if netdev is down [ Upstream commit 08c487d8d807535f509ed80c6a10ad90e6872139 ] When a netdev down event occurs after a successful call to j1939_sk_bind(), j1939_netdev_notify() can handle it correctly. But if the netdev already in down state before calling j1939_sk_bind(), j1939_sk_release() will stay in wait_event_interruptible() blocked forever. Because in this case, j1939_netdev_notify() won't be called and j1939_tp_txtimer() won't call j1939_session_cancel() or other function to clear session for ENETDOWN error, this lead to mismatch of j1939_session_get/put() and jsk->skb_pending will never decrease to zero. To reproduce it use following commands: 1. ip link add dev vcan0 type vcan 2. j1939acd -r 100,80-120 1122334455667788 vcan0 3. presses ctrl-c and thread will be blocked forever This patch adds check for ndev->flags in j1939_sk_bind() to avoid this kind of situation and return with -ENETDOWN. Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1599460308-18770-1-git-send-email-zhangchangzhong@huawei.com Acked-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f210a960e01f7a838a491e849bf8eb208c2350ee Author: Yegor Yefremov Date: Thu Oct 22 10:37:08 2020 +0200 can: j1939: swap addr and pgn in the send example [ Upstream commit ea780d39b1888ed5afc243c29b23d9bdb3828c7a ] The address was wrongly assigned to the PGN field and vice versa. Signed-off-by: Yegor Yefremov Link: https://lore.kernel.org/r/20201022083708.8755-1-yegorslists@googlemail.com Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 0b44ba8d3bdaffe90bf70a2eaf52b5a391c29f92 Author: Oleksij Rempel Date: Wed Dec 18 09:39:02 2019 +0100 can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() [ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ] All user space generated SKBs are owned by a socket (unless injected into the key via AF_PACKET). If a socket is closed, all associated skbs will be cleaned up. This leads to a problem when a CAN driver calls can_put_echo_skb() on a unshared SKB. If the socket is closed prior to the TX complete handler, can_get_echo_skb() and the subsequent delivering of the echo SKB to all registered callbacks, a SKB with a refcount of 0 is delivered. To avoid the problem, in can_get_echo_skb() the original SKB is now always cloned, regardless of shared SKB or not. If the process exists it can now safely discard its SKBs, without disturbing the delivery of the echo SKB. The problem shows up in the j1939 stack, when it clones the incoming skb, which detects the already 0 refcount. We can easily reproduce this with following example: testj1939 -B -r can0: & cansend can0 1823ff40#0123 WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174 refcount_t: addition on 0; use-after-free. Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) Backtrace: [] (dump_backtrace) from [] (show_stack+0x20/0x24) [] (show_stack) from [] (dump_stack+0x8c/0xa0) [] (dump_stack) from [] (__warn+0xe0/0x108) [] (__warn) from [] (warn_slowpath_fmt+0xa8/0xcc) [] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x108/0x174) [] (refcount_warn_saturate) from [] (j1939_can_recv+0x20c/0x210) [] (j1939_can_recv) from [] (can_rcv_filter+0xb4/0x268) [] (can_rcv_filter) from [] (can_receive+0xb0/0xe4) [] (can_receive) from [] (can_rcv+0x48/0x98) [] (can_rcv) from [] (__netif_receive_skb_one_core+0x64/0x88) [] (__netif_receive_skb_one_core) from [] (__netif_receive_skb+0x38/0x94) [] (__netif_receive_skb) from [] (netif_receive_skb_internal+0x64/0xf8) [] (netif_receive_skb_internal) from [] (netif_receive_skb+0x34/0x19c) [] (netif_receive_skb) from [] (can_rx_offload_napi_poll+0x58/0xb4) Fixes: 0ae89beb283a ("can: add destructor for self generated skbs") Signed-off-by: Oleksij Rempel Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f5d46ebd0c50866ba539bf0e21a8f17215fa0c0d Author: Oliver Hartkopp Date: Tue Oct 20 08:44:43 2020 +0200 can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames [ Upstream commit ed3320cec279407a86bc4c72edc4a39eb49165ec ] The can_get_echo_skb() function returns the number of received bytes to be used for netdev statistics. In the case of RTR frames we get a valid (potential non-zero) data length value which has to be passed for further operations. But on the wire RTR frames have no payload length. Therefore the value to be used in the statistics has to be zero for RTR frames. Reported-by: Vincent Mailhol Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/r/20201020064443.80164-1-socketcan@hartkopp.net Fixes: cf5046b309b3 ("can: dev: let can_get_echo_skb() return dlc of CAN frame") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 87530b557affe01c764de32dbeb58cdf47234574 Author: Vincent Mailhol Date: Sat Oct 3 00:41:45 2020 +0900 can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context [ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ] If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com Signed-off-by: Vincent Mailhol Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 1c1dfcbe700ada8e12b95d9ae116b661c6276ad1 Author: Marc Kleine-Budde Date: Thu Jun 18 12:47:06 2020 +0200 can: rx-offload: don't call kfree_skb() from IRQ context [ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ] A CAN driver, using the rx-offload infrastructure, is reading CAN frames (usually in IRQ context) from the hardware and placing it into the rx-offload queue to be delivered to the networking stack via NAPI. In case the rx-offload queue is full, trying to add more skbs results in the skbs being dropped using kfree_skb(). If done from hard-IRQ context this results in the following warning: [ 682.552693] ------------[ cut here ]------------ [ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84 [ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev [ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18 [ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 682.589657] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 682.597423] [] (show_stack) from [] (dump_stack+0xe0/0x114) [ 682.604759] [] (dump_stack) from [] (__warn+0xc0/0x10c) [ 682.611742] [] (__warn) from [] (warn_slowpath_fmt+0x5c/0xc0) [ 682.619248] [] (warn_slowpath_fmt) from [] (skb_release_head_state+0x74/0x84) [ 682.628143] [] (skb_release_head_state) from [] (skb_release_all+0xc/0x24) [ 682.636774] [] (skb_release_all) from [] (kfree_skb+0x74/0x1c8) [ 682.644479] [] (kfree_skb) from [] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev]) [ 682.654051] [] (can_rx_offload_queue_sorted [can_dev]) from [] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev]) [ 682.666007] [] (can_rx_offload_get_echo_skb [can_dev]) from [] (flexcan_irq+0x194/0x5dc [flexcan]) [ 682.676734] [] (flexcan_irq [flexcan]) from [] (__handle_irq_event_percpu+0x4c/0x3ec) [ 682.686322] [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x2c/0x88) [ 682.695993] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c) [ 682.704887] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xc8/0x180) [ 682.713432] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x30/0x44) [ 682.722063] [] (generic_handle_irq) from [] (__handle_domain_irq+0x64/0xdc) [ 682.730783] [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x9c) [ 682.739158] [] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) [ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20) [ 682.751725] 9dc0: 00000001 e80e8000 [ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000 [ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff [ 682.776315] [] (__irq_svc) from [] (lock_acquire+0x108/0x4e8) [ 682.783821] [] (lock_acquire) from [] (down_write+0x48/0xa8) [ 682.791242] [] (down_write) from [] (unlink_file_vma+0x24/0x40) [ 682.798922] [] (unlink_file_vma) from [] (free_pgtables+0x34/0xb8) [ 682.806858] [] (free_pgtables) from [] (exit_mmap+0xe4/0x170) [ 682.814361] [] (exit_mmap) from [] (mmput+0x5c/0x110) [ 682.821171] [] (mmput) from [] (do_exit+0x374/0xbe4) [ 682.827892] [] (do_exit) from [] (do_group_exit+0x38/0xb4) [ 682.835132] [] (do_group_exit) from [] (__wake_up_parent+0x0/0x14) [ 682.843063] irq event stamp: 1936 [ 682.846399] hardirqs last enabled at (1935): [] rmqueue+0xf4/0xc64 [ 682.853553] hardirqs last disabled at (1936): [] __irq_svc+0x60/0x98 [ 682.860799] softirqs last enabled at (1878): [] raw_release+0x108/0x1f0 [can_raw] [ 682.869256] softirqs last disabled at (1876): [] release_sock+0x18/0x98 [ 682.876753] ---[ end trace 7bca4751ce44c444 ]--- This patch fixes the problem by replacing the kfree_skb() by dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers as well. Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak") Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak") Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 0a444bd17a83cbf213e432dfe46bece9e37b6847 Author: Alex Williamson Date: Mon Nov 2 15:02:00 2020 -0700 vfio/pci: Implement ioeventfd thread handler for contended memory lock [ Upstream commit 38565c93c8a1306dc5f245572a545fbea908ac41 ] The ioeventfd is called under spinlock with interrupts disabled, therefore if the memory lock is contended defer code that might sleep to a thread context. Fixes: bc93b9ae0151 ("vfio-pci: Avoid recursive read-lock usage") Link: https://bugzilla.kernel.org/show_bug.cgi?id=209253#c1 Reported-by: Ian Pilcher Tested-by: Ian Pilcher Tested-by: Justin Gatzen Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 6b5164fc7104ec031ed6359acd9b1acaa6a36c51 Author: David Howells Date: Tue Nov 3 16:33:07 2020 +0000 afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op [ Upstream commit f4c79144edd8a49ffca8fa737a31d606be742a34 ] The cleanup for the yfs_store_opaque_acl2_operation calls the wrong function to destroy the ACL content buffer. It's an afs_acl struct, not a yfs_acl struct - and the free function for latter may pass invalid pointers to kfree(). Fix this by using the afs_acl_put() function. The yfs_acl_put() function is then no longer used and can be removed. general protection fault, probably for non-canonical address 0x7ebde00000000: 0000 [#1] SMP PTI ... RIP: 0010:compound_head+0x0/0x11 ... Call Trace: virt_to_cache+0x8/0x51 kfree+0x5d/0x79 yfs_free_opaque_acl+0x16/0x29 afs_put_operation+0x60/0x114 __vfs_setxattr+0x67/0x72 __vfs_setxattr_noperm+0x66/0xe9 vfs_setxattr+0x67/0xce setxattr+0x14e/0x184 __do_sys_fsetxattr+0x66/0x8f do_syscall_64+0x2d/0x3a entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit fe645064dfda680d3d757c6c96a12759e4264566 Author: David Howells Date: Tue Nov 3 16:32:58 2020 +0000 afs: Fix warning due to unadvanced marshalling pointer [ Upstream commit c80afa1d9c3603d5eddeb8d63368823b1982f3f0 ] When using the afs.yfs.acl xattr to change an AuriStor ACL, a warning can be generated when the request is marshalled because the buffer pointer isn't increased after adding the last element, thereby triggering the check at the end if the ACL wasn't empty. This just causes something like the following warning, but doesn't stop the call from happening successfully: kAFS: YFS.StoreOpaqueACL2: Request buffer underflow (36<108) Fix this simply by increasing the count prior to the check. Fixes: f5e4546347bc ("afs: Implement YFS ACL setting") Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 98d3c3f1e295f9f16c5a29089cec49058a5165ed Author: Liu, Yi L Date: Fri Oct 30 10:37:24 2020 +0800 iommu/vt-d: Fix a bug for PDP check in prq_event_thread [ Upstream commit 71cd8e2d16703a9df5c86a9e19f4cba99316cc53 ] In prq_event_thread(), the QI_PGRP_PDP is wrongly set by 'req->pasid_present' which should be replaced to 'req->priv_data_present'. Fixes: 5b438f4ba315 ("iommu/vt-d: Support page request in scalable mode") Signed-off-by: Liu, Yi L Signed-off-by: Yi Sun Acked-by: Lu Baolu Link: https://lore.kernel.org/r/1604025444-6954-3-git-send-email-yi.y.sun@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 69c7632a8cf55341d442a42909a41f4c5ec104ac Author: Liu Yi L Date: Fri Oct 30 10:37:23 2020 +0800 iommu/vt-d: Fix sid not set issue in intel_svm_bind_gpasid() [ Upstream commit eea4e29ab8bef254b228d6e1e3de188087b2c7d0 ] Should get correct sid and set it into sdev. Because we execute 'sdev->sid != req->rid' in the loop of prq_event_thread(). Fixes: eb8d93ea3c1d ("iommu/vt-d: Report page request faults for guest SVA") Signed-off-by: Liu Yi L Signed-off-by: Yi Sun Acked-by: Lu Baolu Link: https://lore.kernel.org/r/1604025444-6954-2-git-send-email-yi.y.sun@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6f87ad3a72f7cf7865d7c76f3e573abe8aee7277 Author: Dan Carpenter Date: Tue Nov 3 13:18:07 2020 +0300 ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() [ Upstream commit 158e1886b6262c1d1c96a18c85fac5219b8bf804 ] This is harmless, but the "addr" comes from the user and it could lead to a negative shift or to shift wrapping if it's too high. Fixes: 0b00a5615dc4 ("ALSA: hdac_ext: add hdac extended controller") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20201103101807.GC1127762@mwanda Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9845ec25bc7f656790d89793b3b0a129c1129b15 Author: Namhyung Kim Date: Mon Nov 2 23:02:28 2020 +0900 perf tools: Add missing swap for cgroup events [ Upstream commit 2c589d933e54d183ee2a052971b730e423c62031 ] It was missed to add a swap function for PERF_RECORD_CGROUP. Fixes: ba78c1c5461c ("perf tools: Basic support for CGROUP event") Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Ian Rogers Cc: Mark Rutland Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/20201102140228.303657-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit af8fd8c813b55d019e7f095ec732f43c516f892a Author: Jiri Olsa Date: Mon Nov 2 00:31:03 2020 +0100 perf tools: Add missing swap for ino_generation [ Upstream commit fe01adb72356a4e2f8735e4128af85921ca98fa1 ] We are missing swap for ino_generation field. Fixes: 5c5e854bc760 ("perf tools: Add attr->mmap2 support") Signed-off-by: Jiri Olsa Acked-by: Namhyung Kim Link: https://lore.kernel.org/r/20201101233103.3537427-2-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 49c580580edb9037ba904004e843ac3cb7ed9371 Author: Stanislav Ivanichkin Date: Tue Oct 27 12:43:57 2020 +0300 perf trace: Fix segfault when trying to trace events by cgroup [ Upstream commit a6293f36ac92ab513771a98efe486477be2f981f ] # ./perf trace -e sched:sched_switch -G test -a sleep 1 perf: Segmentation fault Obtained 11 stack frames. ./perf(sighandler_dump_stack+0x43) [0x55cfdc636db3] /lib/x86_64-linux-gnu/libc.so.6(+0x3efcf) [0x7fd23eecafcf] ./perf(parse_cgroups+0x36) [0x55cfdc673f36] ./perf(+0x3186ed) [0x55cfdc70d6ed] ./perf(parse_options_subcommand+0x629) [0x55cfdc70e999] ./perf(cmd_trace+0x9c2) [0x55cfdc5ad6d2] ./perf(+0x1e8ae0) [0x55cfdc5ddae0] ./perf(+0x1e8ded) [0x55cfdc5ddded] ./perf(main+0x370) [0x55cfdc556f00] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fd23eeadb96] ./perf(_start+0x29) [0x55cfdc557389] Segmentation fault # It happens because "struct trace" in option->value is passed to the parse_cgroups function instead of "struct evlist". Fixes: 9ea42ba4411ac ("perf trace: Support setting cgroups as targets") Signed-off-by: Stanislav Ivanichkin Tested-by: Arnaldo Carvalho de Melo Acked-by: Namhyung Kim Cc: Dmitry Monakhov Link: http://lore.kernel.org/lkml/20201027094357.94881-1-sivanichkin@yandex-team.ru Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit a79cf8d05051c478a670e5a2f29c3d5e71a394c1 Author: Steven Price Date: Fri Oct 30 14:58:33 2020 +0000 drm/panfrost: Fix module unload [ Upstream commit 876b15d2c88d8c005f1aebeaa23f1e448d834757 ] When unloading the call to pm_runtime_put_sync_suspend() will attempt to turn the GPU cores off, however panfrost_device_fini() will have turned the clocks off. This leads to the hardware locking up. Instead don't call pm_runtime_put_sync_suspend() and instead simply mark the device as suspended using pm_runtime_set_suspended(). And also include this on the error path in panfrost_probe(). Fixes: aebe8c22a912 ("drm/panfrost: Fix possible suspend in panfrost_remove") Signed-off-by: Steven Price Reviewed-by: Tomeu Vizoso Signed-off-by: Boris Brezillon Link: https://patchwork.freedesktop.org/patch/msgid/20201030145833.29006-1-steven.price@arm.com Signed-off-by: Sasha Levin commit c983371712681f8228d07c10d4c2b30165d03549 Author: Clément Péron Date: Fri Jul 10 11:54:03 2020 +0200 drm/panfrost: move devfreq_init()/fini() in device [ Upstream commit 25e247bbf85af3ad721dfeb2e2caf405f43b7e66 ] Later we will introduce devfreq probing regulator if they are present. As regulator should be probe only one time we need to get this logic in the device_init(). panfrost_device is already taking care of devfreq_resume() and devfreq_suspend(), so it's not totally illogic to move the devfreq_init() and devfreq_fini() here. Reviewed-by: Alyssa Rosenzweig Reviewed-by: Steven Price Signed-off-by: Clément Péron Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-9-peron.clem@gmail.com Signed-off-by: Sasha Levin commit bffbfa6dbdfcbc95771b11b996c253b8bd7600e9 Author: Clément Péron Date: Fri Jul 10 11:54:02 2020 +0200 drm/panfrost: rename error labels in device_init [ Upstream commit d3c335da0200be9287cdf5755d19f62ce1670a8d ] Rename goto labels in device_init it will be easier to maintain. Reviewed-by: Alyssa Rosenzweig Reviewed-by: Steven Price Signed-off-by: Clément Péron Signed-off-by: Rob Herring Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-8-peron.clem@gmail.com Signed-off-by: Sasha Levin commit b840f06ce499fc4c1f1aa23d3f9b6cc8ffd30ec7 Author: zhongjiang-ali Date: Sun Nov 1 17:07:30 2020 -0800 mm: memcontrol: correct the NR_ANON_THPS counter of hierarchical memcg [ Upstream commit 7de2e9f195b9cb27583c5c64deaaf5e6afcc163e ] memcg_page_state will get the specified number in hierarchical memcg, It should multiply by HPAGE_PMD_NR rather than an page if the item is NR_ANON_THPS. [akpm@linux-foundation.org: fix printk warning] [akpm@linux-foundation.org: use u64 cast, per Michal] Fixes: 468c398233da ("mm: memcontrol: switch to native NR_ANON_THPS counter") Signed-off-by: zhongjiang-ali Signed-off-by: Andrew Morton Acked-by: Johannes Weiner Acked-by: Michal Hocko Link: https://lkml.kernel.org/r/1603722395-72443-1-git-send-email-zhongjiang-ali@linux.alibaba.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c32fe6241edcf00509cadf2bc099de8f6af2e107 Author: Maor Gottlieb Date: Wed Oct 28 08:50:51 2020 +0200 IB/srpt: Fix memory leak in srpt_add_one [ Upstream commit 372a1786283e50e7cb437ab7fdb1b95597310ad7 ] Failure in srpt_refresh_port() for the second port will leave MAD registered for the first one, however, the srpt_add_one() will be marked as "failed" and SRPT will leak resources for that registered but not used and released first port. Unregister the MAD agent for all ports in case of failure. Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Link: https://lore.kernel.org/r/20201028065051.112430-1-leon@kernel.org Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Reviewed-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e12c16808ed8e53a021adea6dd3b628efd7e34ec Author: Maxime Ripard Date: Thu Oct 29 20:00:59 2020 +0100 drm/vc4: bo: Add a managed action to cleanup the cache [ Upstream commit 1c80be48c70a2198f7cf04a546b3805b92293ac6 ] The BO cache needs to be cleaned up using vc4_bo_cache_destroy, but it's not used consistently (vc4_drv's bind calls it in its error path, but doesn't in unbind), and we can make that automatic through a managed action. Let's remove the requirement to call vc4_bo_cache_destroy. Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.") Acked-by: Daniel Vetter Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20201029190104.2181730-1-maxime@cerno.tech Signed-off-by: Sasha Levin commit b4ca8e9563c7d12efd8072f391901735bbdf7f79 Author: Qian Cai Date: Wed Oct 28 11:27:17 2020 -0400 powerpc/eeh_cache: Fix a possible debugfs deadlock [ Upstream commit fd552e0542b4532483289cce48fdbd27b692984b ] Lockdep complains that a possible deadlock below in eeh_addr_cache_show() because it is acquiring a lock with IRQ enabled, but eeh_addr_cache_insert_dev() needs to acquire the same lock with IRQ disabled. Let's just make eeh_addr_cache_show() acquire the lock with IRQ disabled as well. CPU0 CPU1 ---- ---- lock(&pci_io_addr_cache_root.piar_lock); local_irq_disable(); lock(&tp->lock); lock(&pci_io_addr_cache_root.piar_lock); lock(&tp->lock); *** DEADLOCK *** lock_acquire+0x140/0x5f0 _raw_spin_lock_irqsave+0x64/0xb0 eeh_addr_cache_insert_dev+0x48/0x390 eeh_probe_device+0xb8/0x1a0 pnv_pcibios_bus_add_device+0x3c/0x80 pcibios_bus_add_device+0x118/0x290 pci_bus_add_device+0x28/0xe0 pci_bus_add_devices+0x54/0xb0 pcibios_init+0xc4/0x124 do_one_initcall+0xac/0x528 kernel_init_freeable+0x35c/0x3fc kernel_init+0x24/0x148 ret_from_kernel_thread+0x5c/0x80 lock_acquire+0x140/0x5f0 _raw_spin_lock+0x4c/0x70 eeh_addr_cache_show+0x38/0x110 seq_read+0x1a0/0x660 vfs_read+0xc8/0x1f0 ksys_read+0x74/0x130 system_call_exception+0xf8/0x1d0 system_call_common+0xe8/0x218 Fixes: 5ca85ae6318d ("powerpc/eeh_cache: Add a way to dump the EEH address cache") Signed-off-by: Qian Cai Reviewed-by: Oliver O'Halloran Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201028152717.8967-1-cai@redhat.com Signed-off-by: Sasha Levin commit a67c6374c2b8e78680ae3f3906cb004690f8020c Author: Greentime Hu Date: Thu Oct 29 10:37:38 2020 +0800 irqchip/sifive-plic: Fix chip_data access within a hierarchy [ Upstream commit f9ac7bbd6e4540dcc6df621b9c9b6eb2e26ded1d ] The plic driver crashes in plic_irq_unmask() when the interrupt is within a hierarchy, as it picks the top-level chip_data instead of its local one. Using irq_data_get_irq_chip_data() instead of irq_get_chip_data() solves the issue for good. Fixes: f1ad1133b18f ("irqchip/sifive-plic: Add support for multiple PLICs") Signed-off-by: Greentime Hu [maz: rewrote commit message] Signed-off-by: Marc Zyngier Reviewed-by: Anup Patel Reviewed-by: Atish Patra Link: https://lore.kernel.org/r/20201029023738.127472-1-greentime.hu@sifive.com Signed-off-by: Sasha Levin commit 66b4345edf0d1f3d2762cfe92cc2bb52ee2b8747 Author: Stefano Brivio Date: Thu Oct 29 16:39:46 2020 +0100 netfilter: ipset: Update byte and packet counters regardless of whether they match [ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ] In ip_set_match_extensions(), for sets with counters, we take care of updating counters themselves by calling ip_set_update_counter(), and of checking if the given comparison and values match, by calling ip_set_match_counter() if needed. However, if a given comparison on counters doesn't match the configured values, that doesn't mean the set entry itself isn't matching. This fix restores the behaviour we had before commit 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching"), without reintroducing the issue fixed there: back then, mtype_data_match() first updated counters in any case, and then took care of matching on counters. Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set, ip_set_update_counter() will anyway skip counter updates if desired. The issue observed is illustrated by this reproducer: ipset create c hash:ip counters ipset add c 192.0.2.1 iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP if we now send packets from 192.0.2.1, bytes and packets counters for the entry as shown by 'ipset list' are always zero, and, no matter how many bytes we send, the rule will never match, because counters themselves are not updated. Reported-by: Mithil Mhatre Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching") Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 610c8a51f67f421aad599c51d3f39a03a039ac62 Author: Rajat Jain Date: Wed Oct 28 16:15:45 2020 -0700 PCI: Always enable ACS even if no ACS Capability [ Upstream commit 462b58fb033996e999cc213ed0b430d4f22a28fe ] Some devices support ACS functionality even though they don't have a spec-compliant ACS Capability; pci_enable_acs() has a quirk mechanism to handle them. We want to enable ACS whenever possible, but 52fbf5bdeeef ("PCI: Cache ACS capability offset in device") inadvertently broke this by calling pci_enable_acs() only if we find an ACS Capability. This resulted in ACS not being enabled for these non-compliant devices, which means devices can't be separated into different IOMMU groups, which in turn means we may not be able to pass those devices through to VMs, as reported by Boris V: https://lore.kernel.org/r/74aeea93-8a46-5f5a-343c-790d4c655da3@bstnet.org Fixes: 52fbf5bdeeef ("PCI: Cache ACS capability offset in device") Link: https://lore.kernel.org/r/20201028231545.4116866-1-rajatja@google.com Reported-by: Boris V Signed-off-by: Rajat Jain Signed-off-by: Bjorn Helgaas Reviewed-by: Alex Williamson Signed-off-by: Sasha Levin commit e4bec74d3707f9bddb31ead69f930cf1a59f93e2 Author: Pablo Neira Ayuso Date: Thu Oct 29 13:50:03 2020 +0100 netfilter: nf_tables: missing validation from the abort path [ Upstream commit c0391b6ab810381df632677a1dcbbbbd63d05b6d ] If userspace does not include the trailing end of batch message, then nfnetlink aborts the transaction. This allows to check that ruleset updates trigger no errors. After this patch, invoking this command from the prerouting chain: # nft -c add rule x y fib saddr . oif type local fails since oif is not supported there. This patch fixes the lack of rule validation from the abort/check path to catch configuration errors such as the one above. Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit af9c23375c76fdfb57bd7104591c0d75e7c48d73 Author: Jason A. Donenfeld Date: Thu Oct 29 03:56:06 2020 +0100 netfilter: use actual socket sk rather than skb sk when routing harder [ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ] If netfilter changes the packet mark when mangling, the packet is rerouted using the route_me_harder set of functions. Prior to this commit, there's one big difference between route_me_harder and the ordinary initial routing functions, described in the comment above __ip_queue_xmit(): /* Note: skb->sk can be different from sk, in case of tunnels */ int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, That function goes on to correctly make use of sk->sk_bound_dev_if, rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a tunnel will receive a packet in ndo_start_xmit with an initial skb->sk. It will make some transformations to that packet, and then it will send the encapsulated packet out of a *new* socket. That new socket will basically always have a different sk_bound_dev_if (otherwise there'd be a routing loop). So for the purposes of routing the encapsulated packet, the routing information as it pertains to the socket should come from that socket's sk, rather than the packet's original skb->sk. For that reason __ip_queue_xmit() and related functions all do the right thing. One might argue that all tunnels should just call skb_orphan(skb) before transmitting the encapsulated packet into the new socket. But tunnels do *not* do this -- and this is wisely avoided in skb_scrub_packet() too -- because features like TSQ rely on skb->destructor() being called when that buffer space is truely available again. Calling skb_orphan(skb) too early would result in buffers filling up unnecessarily and accounting info being all wrong. Instead, additional routing must take into account the new sk, just as __ip_queue_xmit() notes. So, this commit addresses the problem by fishing the correct sk out of state->sk -- it's already set properly in the call to nf_hook() in __ip_local_out(), which receives the sk as part of its normal functionality. So we make sure to plumb state->sk through the various route_me_harder functions, and then make correct use of it following the example of __ip_queue_xmit(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason A. Donenfeld Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f66f29adac0e6919f680e9c953a4257da05d6f42 Author: Pablo Neira Ayuso Date: Thu Oct 22 22:17:49 2020 +0200 netfilter: nftables: fix netlink report logic in flowtable and genid [ Upstream commit dceababac29d1c53cbc1f7ddf6f688d2df01da87 ] The netlink report should be sent regardless the available listeners. Fixes: 84d7fce69388 ("netfilter: nf_tables: export rule-set generation ID") Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 842be2dfe3a721c4118a6e3d9f6f5fd90824050d Author: Johannes Berg Date: Tue Oct 13 14:01:57 2020 +0200 mac80211: don't require VHT elements for HE on 2.4 GHz [ Upstream commit c2f46814521113f6699a74e0a0424cbc5b305479 ] After the previous similar bugfix there was another bug here, if no VHT elements were found we also disabled HE. Fix this to disable HE only on the 5 GHz band; on 6 GHz it was already not disabled, and on 2.4 GHz there need (should) not be any VHT. Fixes: 57fa5e85d53c ("mac80211: determine chandef from HE 6 GHz operation") Link: https://lore.kernel.org/r/20201013140156.535a2fc6192f.Id6e5e525a60ac18d245d86f4015f1b271fce6ee6@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 48510f80918cf23b1cf1362aaeeaa8477f0f99a7 Author: Darrick J. Wong Date: Mon Oct 26 15:19:38 2020 -0700 xfs: set xefi_discard when creating a deferred agfl free log intent item [ Upstream commit 2c334e12f957cd8c6bb66b4aa3f79848b7c33cab ] Make sure that we actually initialize xefi_discard when we're scheduling a deferred free of an AGFL block. This was (eventually) found by the UBSAN while I was banging on realtime rmap problems, but it exists in the upstream codebase. While we're at it, rearrange the structure to reduce the struct size from 64 to 56 bytes. Fixes: fcb762f5de2e ("xfs: add bmapi nodiscard flag") Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Signed-off-by: Sasha Levin commit 3b5c980a8e56de440270821ca1b5c633afa72b68 Author: Bert Vermeulen Date: Tue Oct 6 15:23:46 2020 +0200 mtd: spi-nor: Fix address width on flash chips > 16MB [ Upstream commit 324f78dfb442b82365548b657ec4e6974c677502 ] If a flash chip has more than 16MB capacity but its BFPT reports BFPT_DWORD1_ADDRESS_BYTES_3_OR_4, the spi-nor framework defaults to 3. The check in spi_nor_set_addr_width() doesn't catch it because addr_width did get set. This fixes that check. Fixes: f9acd7fa80be ("mtd: spi-nor: sfdp: default to addr_width of 3 for configurable widths") Signed-off-by: Bert Vermeulen Signed-off-by: Vignesh Raghavendra Reviewed-by: Tudor Ambarus Reviewed-by: Pratyush Yadav Reviewed-by: Joel Stanley Reviewed-by: Cédric Le Goater Tested-by: Joel Stanley Tested-by: Cédric Le Goater Link: https://lore.kernel.org/r/20201006132346.12652-1-bert@biot.com Signed-off-by: Sasha Levin commit 5b733a5d943bd928f06b2609671cb8f91071a2fb Author: Srinivas Kandagatla Date: Wed Oct 28 15:43:40 2020 +0000 ASoC: codecs: wcd9335: Set digital gain range correctly [ Upstream commit 6d6bc54ab4f2404d46078abc04bf4dee4db01def ] digital gain range is -84dB min to 40dB max, however this was not correctly specified in the range. Fix this by with correct range! Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20201028154340.17090-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 630a711eb64e90ee7655b4538f81c81b8bd300e7 Author: Srinivas Kandagatla Date: Wed Oct 28 15:43:39 2020 +0000 ASoC: codecs: wcd934x: Set digital gain range correctly [ Upstream commit fc0522bbe02fa4beb95c0514ace66b585616f111 ] digital gain range is -84dB min to 40dB max, however this was not correctly specified in the range. Fix this by with correct range! Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20201028154340.17090-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 953e234764b47a7d549fb6ee49b6f4694452a00b Author: Tommi Rantala Date: Thu Oct 8 15:26:21 2020 +0300 selftests: filter kselftest headers from command in lib.mk [ Upstream commit f825d3f7ed9305e7dd0a3e0a74673a4257d0cc53 ] Commit 1056d3d2c97e ("selftests: enforce local header dependency in lib.mk") added header dependency to the rule, but as the rule uses $^, the headers are added to the compiler command line. This can cause unexpected precompiled header files being generated when compilation fails: $ echo { >> openat2_test.c $ make gcc -Wall -O2 -g -fsanitize=address -fsanitize=undefined openat2_test.c tools/testing/selftests/kselftest_harness.h tools/testing/selftests/kselftest.h helpers.c -o tools/testing/selftests/openat2/openat2_test openat2_test.c:313:1: error: expected identifier or ‘(’ before ‘{’ token 313 | { | ^ make: *** [../lib.mk:140: tools/testing/selftests/openat2/openat2_test] Error 1 $ file openat2_test* openat2_test: GCC precompiled header (version 014) for C openat2_test.c: C source, ASCII text Fix it by filtering out the headers, so that we'll only pass the actual *.c files in the compiler command line. Fixes: 1056d3d2c97e ("selftests: enforce local header dependency in lib.mk") Signed-off-by: Tommi Rantala Acked-by: Kees Cook Reviewed-by: Christian Brauner Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit c4bb60aaf0f86fce03c9d65bc71f183166624a0f Author: Ran Wang Date: Fri Oct 16 12:33:26 2020 +0800 usb: gadget: fsl: fix null pointer checking [ Upstream commit 48e7bbbbb261b007fe78aa14ae62df01d236497e ] fsl_ep_fifo_status() should return error if _ep->desc is null. Fixes: 75eaa498c99e (“usb: gadget: Correct NULL pointer checking in fsl gadget”) Reviewed-by: Peter Chen Signed-off-by: Ran Wang Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 02bdf72aa22a9d49b92c6f6ed86247a8b04c27b2 Author: Andy Shevchenko Date: Thu Oct 15 19:28:17 2020 +0300 kunit: Don't fail test suites if one of them is empty [ Upstream commit 3fc48259d5250f7a3ee021ad0492b604c428c564 ] Empty test suite is okay test suite. Don't fail the rest of the test suites if one of them is empty. Fixes: 6ebf5866f2e8 ("kunit: tool: add Python wrappers for running KUnit tests") Signed-off-by: Andy Shevchenko Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit e6ddfc043e65505629f7cfea7d9eb957c565f76b Author: David Gow Date: Wed Oct 21 20:04:55 2020 -0700 kunit: Fix kunit.py --raw_output option [ Upstream commit 3023d8ff3fc60e5d32dc1d05f99ad6ffa12b0033 ] Due to the raw_output() function on kunit_parser.py actually being a generator, it only runs if something reads the lines it returns. Since we no-longer do that (parsing doesn't actually happen if raw_output is enabled), it was not printing anything. Fixes: 45ba7a893ad8 ("kunit: kunit_tool: Separate out config/build/exec/parse") Signed-off-by: David Gow Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit cb5086c5dc7272e856aa7eda55fab22d549daad1 Author: Greentime Hu Date: Tue Oct 20 16:15:32 2020 +0800 irqchip/sifive-plic: Fix broken irq_set_affinity() callback [ Upstream commit a7480c5d725c4ecfc627e70960f249c34f5d13e8 ] An interrupt submitted to an affinity change will always be left enabled after plic_set_affinity() has been called, while the expectation is that it should stay in whatever state it was before the call. Preserving the configuration fixes a PWM hang issue on the Unleashed board. [ 919.015783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks: [ 919.020922] rcu: 0-...0: (0 ticks this GP) idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=105807 [ 919.030295] (detected by 1, t=225825 jiffies, g=1561, q=3496) [ 919.036109] Task dump for CPU 0: [ 919.039321] kworker/0:1 R running task 0 30 2 0x00000008 [ 919.046359] Workqueue: events set_brightness_delayed [ 919.051302] Call Trace: [ 919.053738] [] __schedule+0x194/0x4de [ 982.035783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks: [ 982.040923] rcu: 0-...0: (0 ticks this GP) idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=113325 [ 982.050294] (detected by 1, t=241580 jiffies, g=1561, q=3509) [ 982.056108] Task dump for CPU 0: [ 982.059321] kworker/0:1 R running task 0 30 2 0x00000008 [ 982.066359] Workqueue: events set_brightness_delayed [ 982.071302] Call Trace: [ 982.073739] [] __schedule+0x194/0x4de [..] Fixes: bb0fed1c60cc ("irqchip/sifive-plic: Switch to fasteoi flow") Signed-off-by: Greentime Hu [maz: tidy-up commit message] Signed-off-by: Marc Zyngier Reviewed-by: Anup Patel Link: https://lore.kernel.org/r/20201020081532.2377-1-greentime.hu@sifive.com Signed-off-by: Sasha Levin commit 1dfc44fd609fc96cd4a7ec2dbf43ca47759d83db Author: Sascha Hauer Date: Wed Oct 21 12:45:13 2020 +0200 spi: imx: fix runtime pm support for !CONFIG_PM [ Upstream commit 43b6bf406cd0319e522638f97c9086b7beebaeaa ] 525c9e5a32bd introduced pm_runtime support for the i.MX SPI driver. With this pm_runtime is used to bring up the clocks initially. When CONFIG_PM is disabled the clocks are no longer enabled and the driver doesn't work anymore. Fix this by enabling the clocks in the probe function and telling pm_runtime that the device is active using pm_runtime_set_active(). Fixes: 525c9e5a32bd spi: imx: enable runtime pm support Tested-by: Christian Eggers [tested for !CONFIG_PM only] Signed-off-by: Sascha Hauer Link: https://lore.kernel.org/r/20201021104513.21560-1-s.hauer@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 35b83f670a17f2ad8c844ffbcc425facf1a5be7f Author: Srinivas Kandagatla Date: Thu Oct 22 14:05:18 2020 +0100 ASoC: codecs: wsa881x: add missing stream rates and format [ Upstream commit f47d0742515748162d3fc35f04331c5b81c0ed47 ] Add missing supported rates and formats for the stream, without which attempt to do playback will fail to find any matching rates/format. Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20201022130518.31723-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 21292423bc433e176c11318d13a6c49e068538b0 Author: zhuoliang zhang Date: Fri Oct 23 09:05:35 2020 +0200 net: xfrm: fix a race condition during allocing spi [ Upstream commit a779d91314ca7208b7feb3ad817b62904397c56d ] we found that the following race condition exists in xfrm_alloc_userspi flow: user thread state_hash_work thread ---- ---- xfrm_alloc_userspi() __find_acq_core() /*alloc new xfrm_state:x*/ xfrm_state_alloc() /*schedule state_hash_work thread*/ xfrm_hash_grow_check() xfrm_hash_resize() xfrm_alloc_spi /*hold lock*/ x->id.spi = htonl(spi) spin_lock_bh(&net->xfrm.xfrm_state_lock) /*waiting lock release*/ xfrm_hash_transfer() spin_lock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi*/ hlist_add_head_rcu(&x->byspi) spin_unlock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi 2 times*/ hlist_add_head_rcu(&x->byspi) 1. a new state x is alloced in xfrm_state_alloc() and added into the bydst hlist in __find_acq_core() on the LHS; 2. on the RHS, state_hash_work thread travels the old bydst and tranfers every xfrm_state (include x) into the new bydst hlist and new byspi hlist; 3. user thread on the LHS gets the lock and adds x into the new byspi hlist again. So the same xfrm_state (x) is added into the same list_hash (net->xfrm.state_byspi) 2 times that makes the list_hash become an inifite loop. To fix the race, x->id.spi = htonl(spi) in the xfrm_alloc_spi() is moved to the back of spin_lock_bh, sothat state_hash_work thread no longer add x which id.spi is zero into the hash_list. Fixes: f034b5d4efdf ("[XFRM]: Dynamic xfrm_state hash table sizing.") Signed-off-by: zhuoliang zhang Acked-by: Herbert Xu Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 9e4eb8cb0c4803ddbdc055759680f88760d1f0e4 Author: Olaf Hering Date: Thu Oct 8 09:12:15 2020 +0200 hv_balloon: disable warning when floor reached [ Upstream commit 2c3bd2a5c86fe744e8377733c5e511a5ca1e14f5 ] It is not an error if the host requests to balloon down, but the VM refuses to do so. Without this change a warning is logged in dmesg every five minutes. Fixes: b3bb97b8a49f3 ("Drivers: hv: balloon: Add logging for dynamic memory operations") Signed-off-by: Olaf Hering Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20201008071216.16554-1-olaf@aepfle.de Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 5f888e2b10cac401694c90dda17855e6598480cb Author: Marc Zyngier Date: Thu Oct 15 21:41:44 2020 +0100 genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY [ Upstream commit 151a535171be6ff824a0a3875553ea38570f4c05 ] kernel/irq/ipi.c otherwise fails to compile if nothing else selects it. Fixes: 379b656446a3 ("genirq: Add GENERIC_IRQ_IPI Kconfig symbol") Reported-by: Pavel Machek Tested-by: Pavel Machek Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20201015101222.GA32747@amd Signed-off-by: Sasha Levin commit b87cbe5ad04df29aed68c8e1277ac29b730d303a Author: Tomasz Figa Date: Wed Oct 14 14:16:24 2020 +0000 ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function [ Upstream commit 9fe9efd6924c9a62ebb759025bb8927e398f51f7 ] This is a copy of commit 5c5f1baee85a ("ASoC: Intel: kbl_rt5663_rt5514_max98927: Fix kabylake_ssp_fixup function") applied to the kbl_rt5663_max98927 board file. Original explanation of the change: kabylake_ssp_fixup function uses snd_soc_dpcm to identify the codecs DAIs. The HW parameters are changed based on the codec DAI of the stream. The earlier approach to get snd_soc_dpcm was using container_of() macro on snd_pcm_hw_params. The structures have been modified over time and snd_soc_dpcm does not have snd_pcm_hw_params as a reference but as a copy. This causes the current driver to crash when used. This patch changes the way snd_soc_dpcm is extracted. snd_soc_pcm_runtime holds 2 dpcm instances (one for playback and one for capture). 2 codecs on the SSP are dmic (capture) and speakers (playback). Based on the stream direction, snd_soc_dpcm is extracted from snd_soc_pcm_runtime. Fixes a boot crash on a HP Chromebook x2: [ 16.582225] BUG: kernel NULL pointer dereference, address: 0000000000000050 [ 16.582231] #PF: supervisor read access in kernel mode [ 16.582233] #PF: error_code(0x0000) - not-present page [ 16.582234] PGD 0 P4D 0 [ 16.582238] Oops: 0000 [#1] PREEMPT SMP PTI [ 16.582241] CPU: 0 PID: 1980 Comm: cras Tainted: G C 5.4.58 #1 [ 16.582243] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.75.0 08/30/2018 [ 16.582247] RIP: 0010:kabylake_ssp_fixup+0x19/0xbb [snd_soc_kbl_rt5663_max98927] [ 16.582250] Code: c6 6f c5 80 c0 44 89 f2 31 c0 e8 3e c9 4c d6 eb de 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 48 8b 46 c8 48 8b 4e d0 <48> 8b 49 10 4c 8b 78 10 4c 8b 31 4c 89 f7 48 c7 c6 4b c2 80 c0 e8 [ 16.582252] RSP: 0000:ffffaf7e81e0b958 EFLAGS: 00010282 [ 16.582254] RAX: ffffffff96f13e0d RBX: ffffaf7e81e0ba00 RCX: 0000000000000040 [ 16.582256] RDX: ffffaf7e81e0ba00 RSI: ffffaf7e81e0ba00 RDI: ffffa3b208558028 [ 16.582258] RBP: ffffaf7e81e0b970 R08: ffffa3b203b54160 R09: ffffaf7e81e0ba00 [ 16.582259] R10: 0000000000000000 R11: ffffffffc080b345 R12: ffffa3b209fb6e00 [ 16.582261] R13: ffffa3b1b1a47838 R14: ffffa3b1e6197f28 R15: ffffaf7e81e0ba00 [ 16.582263] FS: 00007eb3f25aaf80(0000) GS:ffffa3b236a00000(0000) knlGS:0000000000000000 [ 16.582265] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.582267] CR2: 0000000000000050 CR3: 0000000246bc8006 CR4: 00000000003606f0 [ 16.582269] Call Trace: [ 16.582275] snd_soc_link_be_hw_params_fixup+0x21/0x68 [ 16.582278] snd_soc_dai_hw_params+0x25/0x94 [ 16.582282] soc_pcm_hw_params+0x2d8/0x583 [ 16.582288] dpcm_be_dai_hw_params+0x172/0x29e [ 16.582291] dpcm_fe_dai_hw_params+0x9f/0x12f [ 16.582295] snd_pcm_hw_params+0x137/0x41c [ 16.582298] snd_pcm_hw_params_user+0x3c/0x71 [ 16.582301] snd_pcm_common_ioctl+0x2c6/0x565 [ 16.582304] snd_pcm_ioctl+0x32/0x36 [ 16.582307] do_vfs_ioctl+0x506/0x783 [ 16.582311] ksys_ioctl+0x58/0x83 [ 16.582313] __x64_sys_ioctl+0x1a/0x1e [ 16.582316] do_syscall_64+0x54/0x7e [ 16.582319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 16.582322] RIP: 0033:0x7eb3f1886157 [ 16.582324] Code: 8a 66 90 48 8b 05 11 dd 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 dc 2b 00 f7 d8 64 89 01 48 [ 16.582326] RSP: 002b:00007ffff7559818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 16.582329] RAX: ffffffffffffffda RBX: 00005acc9188b140 RCX: 00007eb3f1886157 [ 16.582330] RDX: 00007ffff7559940 RSI: 00000000c2604111 RDI: 000000000000001e [ 16.582332] RBP: 00007ffff7559840 R08: 0000000000000004 R09: 0000000000000000 [ 16.582333] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bb80 [ 16.582335] R13: 00005acc91702e80 R14: 00007ffff7559940 R15: 00005acc91702e80 [ 16.582337] Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg uinput hid_google_hammer snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core ipu3_cio2 ipu3_imgu(C) videobuf2_v4l2 videobuf2_common videobuf2_dma_sg videobuf2_memops snd_soc_rt5663 snd_soc_max98927 snd_soc_rl6231 ov5670 ov13858 acpi_als v4l2_fwnode dw9714 fuse xt_MASQUERADE iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core cros_ec_sensors_ring industrialio_triggered_buffer kfifo_buf industrialio cros_ec_sensorhub cdc_ether usbnet btusb btrtl btintel btbcm bluetooth ecdh_generic ecc lzo_rle lzo_compress iwlmvm zram iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev [ 16.584243] gsmi: Log Shutdown Reason 0x03 [ 16.584246] CR2: 0000000000000050 [ 16.584248] ---[ end trace c8511d090c11edff ]--- Suggested-by: Łukasz Majczak Fixes: 2e5894d73789e ("ASoC: pcm: Add support for DAI multicodec") Signed-off-by: Tomasz Figa Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20201014141624.4143453-1-tfiga@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f294984df764a802e7c9cf5d2bdcb80cfca2c1dd Author: Xin Long Date: Thu Oct 8 16:13:24 2020 +0800 xfrm: interface: fix the priorities for ipip and ipv6 tunnels [ Upstream commit 7fe94612dd4cfcd35fe0ec87745fb31ad2be71f8 ] As Nicolas noticed in his case, when xfrm_interface module is installed the standard IP tunnels will break in receiving packets. This is caused by the IP tunnel handlers with a higher priority in xfrm interface processing incoming packets by xfrm_input(), which would drop the packets and return 0 instead when anything wrong happens. Rather than changing xfrm_input(), this patch is to adjust the priority for the IP tunnel handlers in xfrm interface, so that the packets would go to xfrmi's later than the others', as the others' would not drop the packets when the handlers couldn't process them. Note that IPCOMP also defines its own IPIP tunnel handler and it calls xfrm_input() as well, so we must make its priority lower than xfrmi's, which means having xfrmi loaded would still break IPCOMP. We may seek another way to fix it in xfrm_input() in the future. Reported-by: Nicolas Dichtel Tested-by: Nicolas Dichtel Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler") FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler") Signed-off-by: Xin Long Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit bf375d7cd302856c76d40b9a569a278e7fe9781e Author: Santosh Shukla Date: Mon Oct 26 16:54:07 2020 +0530 KVM: arm64: Force PTE mapping on fault resulting in a device mapping [ Upstream commit 91a2c34b7d6fadc9c5d9433c620ea4c32ee7cae8 ] VFIO allows a device driver to resolve a fault by mapping a MMIO range. This can be subsequently result in user_mem_abort() to try and compute a huge mapping based on the MMIO pfn, which is a sure recipe for things to go wrong. Instead, force a PTE mapping when the pfn faulted in has a device mapping. Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings") Suggested-by: Marc Zyngier Signed-off-by: Santosh Shukla [maz: rewritten commit message] Signed-off-by: Marc Zyngier Reviewed-by: Gavin Shan Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1603711447-11998-2-git-send-email-sashukla@nvidia.com Signed-off-by: Sasha Levin commit 97bfb92dd970f5b9049b461e6722be4ecd4f11db Author: Ming Lei Date: Wed Oct 28 15:24:34 2020 +0800 nbd: don't update block size after device is started [ Upstream commit b40813ddcd6bf9f01d020804e4cb8febc480b9e4 ] Mounted NBD device can be resized, one use case is rbd-nbd. Fix the issue by setting up default block size, then not touch it in nbd_size_update() any more. This kind of usage is aligned with loop which has same use case too. Cc: stable@vger.kernel.org Fixes: c8a83a6b54d0 ("nbd: Use set_blocksize() to set device blocksize") Reported-by: lining Signed-off-by: Ming Lei Cc: Josef Bacik Cc: Jan Kara Tested-by: lining Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d71c591175b5752ce207891a9522011fc8d7492f Author: Roman Gushchin Date: Sun Nov 1 17:07:34 2020 -0800 mm: memcg: link page counters to root if use_hierarchy is false [ Upstream commit 8de15e920dc85d1705ab9c202c95d56845bc2d48 ] Richard reported a warning which can be reproduced by running the LTP madvise6 test (cgroup v1 in the non-hierarchical mode should be used): WARNING: CPU: 0 PID: 12 at mm/page_counter.c:57 page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156) Modules linked in: CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.9.0-rc7-22-default #77 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812d-rebuilt.opensuse.org 04/01/2014 Workqueue: events drain_local_stock RIP: 0010:page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156) Call Trace: __memcg_kmem_uncharge (mm/memcontrol.c:3022) drain_obj_stock (./include/linux/rcupdate.h:689 mm/memcontrol.c:3114) drain_local_stock (mm/memcontrol.c:2255) process_one_work (./arch/x86/include/asm/jump_label.h:25 ./include/linux/jump_label.h:200 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2274) worker_thread (./include/linux/list.h:282 kernel/workqueue.c:2416) kthread (kernel/kthread.c:292) ret_from_fork (arch/x86/entry/entry_64.S:300) The problem occurs because in the non-hierarchical mode non-root page counters are not linked to root page counters, so the charge is not propagated to the root memory cgroup. After the removal of the original memory cgroup and reparenting of the object cgroup, the root cgroup might be uncharged by draining a objcg stock, for example. It leads to an eventual underflow of the charge and triggers a warning. Fix it by linking all page counters to corresponding root page counters in the non-hierarchical mode. Please note, that in the non-hierarchical mode all objcgs are always reparented to the root memory cgroup, even if the hierarchy has more than 1 level. This patch doesn't change it. The patch also doesn't affect how the hierarchical mode is working, which is the only sane and truly supported mode now. Thanks to Richard for reporting, debugging and providing an alternative version of the fix! Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") Reported-by: Signed-off-by: Roman Gushchin Signed-off-by: Andrew Morton Reviewed-by: Shakeel Butt Reviewed-by: Michal Koutný Acked-by: Johannes Weiner Cc: Michal Hocko Cc: Link: https://lkml.kernel.org/r/20201026231326.3212225-1-guro@fb.com Debugged-by: Richard Palethorpe Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f2f4e25f241c90d0d04a81de5f002bd1f0ad3bad Author: Chris Wilson Date: Mon Oct 19 21:38:25 2020 +0100 drm/i915/gem: Flush coherency domains on first set-domain-ioctl [ Upstream commit 59dd13ad310793757e34afa489dd6fc8544fc3da ] Avoid skipping what appears to be a no-op set-domain-ioctl if the cache coherency state is inconsistent with our target domain. This also has the utility of using the population of the pages to validate the backing store. The danger in skipping the first set-domain is leaving the cache inconsistent and submitting stale data, or worse leaving the clean data in the cache and not flushing it to the GPU. The impact should be small as it requires a no-op set-domain as the very first ioctl in a particular sequence not found in typical userspace. Reported-by: Zbigniew Kempczyński Fixes: 754a25442705 ("drm/i915: Skip object locking around a no-op set-domain ioctl") Testcase: igt/gem_mmap_offset/blt-coherency Signed-off-by: Chris Wilson Cc: Joonas Lahtinen Cc: Matthew Auld Cc: Zbigniew Kempczyński Cc: # v5.2+ Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20201019203825.10966-1-chris@chris-wilson.co.uk (cherry picked from commit 44c2200afcd59f441b43f27829b4003397cc495d) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 81a01ed3ac50dce96a5725143626a0abb502a4f8 Author: Chris Wilson Date: Mon Nov 2 16:19:31 2020 +0000 drm/i915: Hold onto an explicit ref to i915_vma_work.pinned [ Upstream commit 537457a979a02a410b555fab289dcb28b588f33b ] Since __vma_release is run by a kworker after the fence has been signaled, it is no longer protected by the active reference on the vma, and so the alias of vw->pinned to vma->obj is also not protected by a reference on the object. Add an explicit reference for vw->pinned so it will always be safe. Found by inspection. Fixes: 54d7195f8c64 ("drm/i915: Unpin vma->obj on early error") Reported-by: Tvrtko Ursulin Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.6+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20201102161931.30031-1-chris@chris-wilson.co.uk (cherry picked from commit bc73e5d33048b7ab5f12b11b5d923700467a8e1d) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin