commit dfce803cd87dc139cfe4da1a68a5b3585e9e47e7 Author: Greg Kroah-Hartman Date: Wed Dec 30 11:51:48 2020 +0100 Linux 5.4.86 Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20201229103747.123668426@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 8302bd9afd4bc802c5ab2359bb5cb8d4bc55d04a Author: Yazen Ghannam Date: Mon Nov 9 21:06:56 2020 +0000 x86/CPU/AMD: Save AMD NodeId as cpu_die_id [ Upstream commit 028c221ed1904af9ac3c5162ee98f48966de6b3d ] AMD systems provide a "NodeId" value that represents a global ID indicating to which "Node" a logical CPU belongs. The "Node" is a physical structure equivalent to a Die, and it should not be confused with logical structures like NUMA nodes. Logical nodes can be adjusted based on firmware or other settings whereas the physical nodes/dies are fixed based on hardware topology. The NodeId value can be used when a physical ID is needed by software. Save the AMD NodeId to struct cpuinfo_x86.cpu_die_id. Use the value from CPUID or MSR as appropriate. Default to phys_proc_id otherwise. Do so for both AMD and Hygon systems. Drop the node_id parameter from cacheinfo_*_init_llc_id() as it is no longer needed. Update the x86 topology documentation. Suggested-by: Borislav Petkov Signed-off-by: Yazen Ghannam Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20201109210659.754018-2-Yazen.Ghannam@amd.com Signed-off-by: Sasha Levin commit 6001db0272dad842c151151f5a9b89a53a7f7520 Author: Steven Rostedt (VMware) Date: Mon Dec 14 12:33:51 2020 -0500 Revert: "ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS" commit adab66b71abfe206a020f11e561f4df41f0b2aba upstream. It was believed that metag was the only architecture that required the ring buffer to keep 8 byte words aligned on 8 byte architectures, and with its removal, it was assumed that the ring buffer code did not need to handle this case. It appears that sparc64 also requires this. The following was reported on a sparc64 boot up: kernel: futex hash table entries: 65536 (order: 9, 4194304 bytes, linear) kernel: Running postponed tracer tests: kernel: Testing tracer function: kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 kernel: Kernel unaligned access at TPC[552a24] trace_function+0x44/0x140 kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 kernel: Kernel unaligned access at TPC[552a24] trace_function+0x44/0x140 kernel: Kernel unaligned access at TPC[552a20] trace_function+0x40/0x140 kernel: PASSED Need to put back the 64BIT aligned code for the ring buffer. Link: https://lore.kernel.org/r/CADxRZqzXQRYgKc=y-KV=S_yHL+Y8Ay2mh5ezeZUnpRvg+syWKw@mail.gmail.com Cc: stable@vger.kernel.org Fixes: 86b3de60a0b6 ("ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS") Reported-by: Anatoly Pugachev Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 33afcf723a0e655d35a60afe451bba47c9045ed3 Author: Nikita Shubin Date: Tue Dec 1 12:55:07 2020 +0300 rtc: ep93xx: Fix NULL pointer dereference in ep93xx_rtc_read_time commit 00c33482bb6110bce8110daa351f9b3baf4df7dc upstream. Mismatch in probe platform_set_drvdata set's and method's that call dev_get_platdata will result in "Unable to handle kernel NULL pointer dereference", let's use according method for getting driver data after platform_set_drvdata. 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = (ptrval) [00000000] *pgd=00000000 Internal error: Oops: 5 [#1] ARM Modules linked in: CPU: 0 PID: 1 Comm: swapper Not tainted 5.9.10-00003-g723e101e0037-dirty #4 Hardware name: Technologic Systems TS-72xx SBC PC is at ep93xx_rtc_read_time+0xc/0x2c LR is at __rtc_read_time+0x4c/0x8c [...] [] (ep93xx_rtc_read_time) from [] (__rtc_read_time+0x4c/0x8c) [] (__rtc_read_time) from [] (rtc_read_time+0x2c/0x4c) [] (rtc_read_time) from [] (__rtc_read_alarm+0x28/0x358) [] (__rtc_read_alarm) from [] (__rtc_register_device+0x124/0x2ec) [] (__rtc_register_device) from [] (ep93xx_rtc_probe+0xa4/0xac) [] (ep93xx_rtc_probe) from [] (platform_drv_probe+0x24/0x5c) [] (platform_drv_probe) from [] (really_probe+0x218/0x374) [] (really_probe) from [] (device_driver_attach+0x44/0x60) [] (device_driver_attach) from [] (__driver_attach+0xb4/0xc0) [] (__driver_attach) from [] (bus_for_each_dev+0x68/0xac) [] (bus_for_each_dev) from [] (driver_attach+0x18/0x24) [] (driver_attach) from [] (bus_add_driver+0x150/0x1b4) [] (bus_add_driver) from [] (driver_register+0xb0/0xf4) [] (driver_register) from [] (__platform_driver_register+0x30/0x48) [] (__platform_driver_register) from [] (ep93xx_rtc_driver_init+0x10/0x1c) [] (ep93xx_rtc_driver_init) from [] (do_one_initcall+0x7c/0x1c0) [] (do_one_initcall) from [] (kernel_init_freeable+0x168/0x1ac) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) [] (kernel_init) from [] (ret_from_fork+0x14/0x34) Exception stack(0xc441dfb0 to 0xc441dff8) dfa0: 00000000 00000000 00000000 00000000 dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 Code: e12fff1e e92d4010 e590303c e1a02001 (e5933000) ---[ end trace c914d6030eaa95c8 ]--- Fixes: b809d192eb98 ("rtc: ep93xx: stop setting platform_data") Signed-off-by: Nikita Shubin Signed-off-by: Alexandre Belloni Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201201095507.10317-1-nikita.shubin@maquefel.me Signed-off-by: Greg Kroah-Hartman commit 7e0f7a293608443b41ad768d5a4042d955a89e44 Author: DingHua Ma Date: Tue Dec 1 08:10:00 2020 +0800 regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x commit 291de1d102fafef0798cdad9666cd4f8da7da7cc upstream. When I use the axp20x chip to power my SDIO device on the 5.4 kernel, the output voltage of DLDO2 is wrong. After comparing the register manual and source code of the chip, I found that the mask bit of the driver register of the port was wrong. I fixed this error by modifying the mask register of the source code. This error seems to be a copy error of the macro when writing the code. Now the voltage output of the DLDO2 port of axp20x is correct. My development environment is Allwinner A40I of arm architecture, and the kernel version is 5.4. Signed-off-by: DingHua Ma Reviewed-by: Chen-Yu Tsai Cc: Fixes: db4a555f7c4c ("regulator: axp20x: use defines for masks") Link: https://lore.kernel.org/r/20201201001000.22302-1-dinghua.ma.sz@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit be23b04074b1957fd1d5b90a164483f56a310116 Author: Jubin Zhong Date: Wed Dec 2 10:33:42 2020 +0800 PCI: Fix pci_slot_release() NULL pointer dereference commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream. If kobject_init_and_add() fails, pci_slot_release() is called to delete slot->list from parent->slots. But slot->list hasn't been initialized yet, so we dereference a NULL pointer: Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197 task: ffffeb398a45ef10 task.stack: ffffeb398a470000 PC is at __list_del_entry_valid+0x5c/0xb0 LR is at pci_slot_release+0x84/0xe4 ... __list_del_entry_valid+0x5c/0xb0 pci_slot_release+0x84/0xe4 kobject_put+0x184/0x1c4 pci_create_slot+0x17c/0x1b4 __pci_hp_initialize+0x68/0xa4 pciehp_probe+0x1a4/0x2fc pcie_port_probe_service+0x58/0x84 driver_probe_device+0x320/0x470 Initialize slot->list before calling kobject_init_and_add() to avoid this. Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak") Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com Signed-off-by: Jubin Zhong Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v5.9+ Signed-off-by: Greg Kroah-Hartman commit b1f9419d5e6c02163950d302f0c37055bfd7190a Author: Carlos Garnacho Date: Tue Dec 1 14:57:27 2020 +0100 platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12 commit fe6000990394639ed374cb76c313be3640714f47 upstream. This 2-in-1 model (Product name: Switch SA5-271) features a SW_TABLET_MODE that works as it would be expected, both when detaching the keyboard and when folding it behind the tablet body. It used to work until the introduction of the allow list at commit 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting"). Add this model to it, so that the Virtual Buttons device announces the EV_SW features again. Fixes: 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting") Cc: stable@vger.kernel.org Signed-off-by: Carlos Garnacho Link: https://lore.kernel.org/r/20201201135727.212917-1-carlosg@gnome.org Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit c16b5849352cd1c15bf9511ecb91407aebcc04b6 Author: Dan Williams Date: Fri Nov 20 08:50:07 2020 -0800 libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels commit 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 upstream. A recent change to ndctl to attempt to reconfigure namespaces in place uncovered a label accounting problem in block-window-type namespaces. The ndctl "create.sh" test is able to trigger this signature: WARNING: CPU: 34 PID: 9167 at drivers/nvdimm/label.c:1100 __blk_label_update+0x9a3/0xbc0 [libnvdimm] [..] RIP: 0010:__blk_label_update+0x9a3/0xbc0 [libnvdimm] [..] Call Trace: uuid_store+0x21b/0x2f0 [libnvdimm] kernfs_fop_write+0xcf/0x1c0 vfs_write+0xcc/0x380 ksys_write+0x68/0xe0 When allocated capacity for a namespace is renamed (new UUID) the labels with the old UUID need to be deleted. The ndctl behavior to always destroy namespaces on reconfiguration hid this problem. The immediate impact of this bug is limited since block-window-type namespaces only seem to exist in the specification and not in any shipping products. However, the label handling code is being reused for other technologies like CXL region labels, so there is a benefit to making sure both vertical labels sets (block-window) and horizontal label sets (pmem) have a functional reference implementation in libnvdimm. Fixes: c4703ce11c23 ("libnvdimm/namespace: Fix label tracking error") Cc: Cc: Vishal Verma Cc: Dave Jiang Cc: Ira Weiny Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 68d139a974157b1c18dc97102bfb3e2a04a494c4 Author: SeongJae Park Date: Mon Dec 14 10:08:40 2020 +0100 xenbus/xenbus_backend: Disallow pending watch messages commit 9996bd494794a2fe393e97e7a982388c6249aa76 upstream. 'xenbus_backend' watches 'state' of devices, which is writable by guests. Hence, if guests intensively updates it, dom0 will have lots of pending events that exhausting memory of dom0. In other words, guests can trigger dom0 memory pressure. This is known as XSA-349. However, the watch callback of it, 'frontend_changed()', reads only 'state', so doesn't need to have the pending events. To avoid the problem, this commit disallows pending watch messages for 'xenbus_backend' using the 'will_handle()' watch callback. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit d3eaea062b515d5e18aee2aba7191dc80a207068 Author: SeongJae Park Date: Mon Dec 14 10:07:13 2020 +0100 xen/xenbus: Count pending messages for each watch commit 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc upstream. This commit adds a counter of pending messages for each watch in the struct. It is used to skip unnecessary pending messages lookup in 'unregister_xenbus_watch()'. It could also be used in 'will_handle' callback. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit c45b0a8d2a68dae5c5b5723a4c9aaa32fb125c2d Author: SeongJae Park Date: Mon Dec 14 10:05:47 2020 +0100 xen/xenbus/xen_bus_type: Support will_handle watch callback commit be987200fbaceaef340872841d4f7af2c5ee8dc3 upstream. This commit adds support of the 'will_handle' watch callback for 'xen_bus_type' users. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 7da6db982e53e620f4761b9f98f24d1cc9d6f3dd Author: SeongJae Park Date: Mon Dec 14 10:04:18 2020 +0100 xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() commit 2e85d32b1c865bec703ce0c962221a5e955c52c2 upstream. Some code does not directly make 'xenbus_watch' object and call 'register_xenbus_watch()' but use 'xenbus_watch_path()' instead. This commit adds support of 'will_handle' callback in the 'xenbus_watch_path()' and it's wrapper, 'xenbus_watch_pathfmt()'. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit eac0c12e329d489ff36e85fed5ce2a8606e3124d Author: SeongJae Park Date: Mon Dec 14 10:02:45 2020 +0100 xen/xenbus: Allow watches discard events before queueing commit fed1755b118147721f2c87b37b9d66e62c39b668 upstream. If handling logics of watch events are slower than the events enqueue logic and the events can be created from the guests, the guests could trigger memory pressure by intensively inducing the events, because it will create a huge number of pending events that exhausting the memory. Fortunately, some watch events could be ignored, depending on its handler callback. For example, if the callback has interest in only one single path, the watch wouldn't want multiple pending events. Or, some watches could ignore events to same path. To let such watches to volutarily help avoiding the memory pressure situation, this commit introduces new watch callback, 'will_handle'. If it is not NULL, it will be called for each new event just before enqueuing it. Then, if the callback returns false, the event will be discarded. No watch is using the callback for now, though. This is part of XSA-349 Cc: stable@vger.kernel.org Signed-off-by: SeongJae Park Reported-by: Michael Kurth Reported-by: Pawel Wieczorkiewicz Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 8f3f6de44f7cc93a4723e63ea4381332826a6790 Author: Pawel Wieczorkiewicz Date: Mon Dec 14 10:25:57 2020 +0100 xen-blkback: set ring->xenblkd to NULL after kthread_stop() commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream. When xen_blkif_disconnect() is called, the kernel thread behind the block interface is stopped by calling kthread_stop(ring->xenblkd). The ring->xenblkd thread pointer being non-NULL determines if the thread has been already stopped. Normally, the thread's function xen_blkif_schedule() sets the ring->xenblkd to NULL, when the thread's main loop ends. However, when the thread has not been started yet (i.e. wake_up_process() has not been called on it), the xen_blkif_schedule() function would not be called yet. In such case the kthread_stop() call returns -EINTR and the ring->xenblkd remains dangling. When this happens, any consecutive call to xen_blkif_disconnect (for example in frontend_changed() callback) leads to a kernel crash in kthread_stop() (e.g. NULL pointer dereference in exit_creds()). This is XSA-350. Cc: # 4.12 Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread") Reported-by: Olivier Benjamin Reported-by: Pawel Wieczorkiewicz Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Julien Grall Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 383c60c16dd8a44800717e19418f98d5e6a3ad4c Author: Maarten Lankhorst Date: Tue Nov 24 12:57:07 2020 +0100 dma-buf/dma-resv: Respect num_fences when initializing the shared fence list. commit bf8975837dac156c33a4d15d46602700998cb6dd upstream. We hardcode the maximum number of shared fences to 4, instead of respecting num_fences. Use a minimum of 4, but more if num_fences is higher. This seems to have been an oversight when first implementing the api. Fixes: 04a5faa8cbe5 ("reservation: update api and add some helpers") Cc: # v3.17+ Reported-by: Niranjana Vishwanathapura Signed-off-by: Maarten Lankhorst Reviewed-by: Thomas Hellström Link: https://patchwork.freedesktop.org/patch/msgid/20201124115707.406917-1-maarten.lankhorst@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit b16a6a46e0b210a66f1533ff03c6e2418f81f32f Author: Wang Hai Date: Tue Dec 1 21:59:29 2020 +0800 device-dax/core: Fix memory leak when rmmod dax.ko commit 1aa574312518ef1d60d2dc62d58f7021db3b163a upstream. When I repeatedly modprobe and rmmod dax.ko, kmemleak report a memory leak as follows: unreferenced object 0xffff9a5588c05088 (size 8): comm "modprobe", pid 261, jiffies 4294693644 (age 42.063s) ... backtrace: [<00000000e007ced0>] kstrdup+0x35/0x70 [<000000002ae73897>] kstrdup_const+0x3d/0x50 [<000000002b00c9c3>] kvasprintf_const+0xbc/0xf0 [<000000008023282f>] kobject_set_name_vargs+0x3b/0xd0 [<00000000d2cbaa4e>] kobject_set_name+0x62/0x90 [<00000000202e7a22>] bus_register+0x7f/0x2b0 [<000000000b77792c>] 0xffffffffc02840f7 [<000000002d5be5ac>] 0xffffffffc02840b4 [<00000000dcafb7cd>] do_one_initcall+0x58/0x240 [<00000000049fe480>] do_init_module+0x56/0x1e2 [<0000000022671491>] load_module+0x2517/0x2840 [<000000001a2201cb>] __do_sys_finit_module+0x9c/0xe0 [<000000003eb304e7>] do_syscall_64+0x33/0x40 [<0000000051c5fd06>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 When rmmod dax is executed, dax_bus_exit() is missing. This patch can fix this bug. Fixes: 9567da0b408a ("device-dax: Introduce bus + driver model") Cc: Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201201135929.66530-1-wanghai38@huawei.com Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit f3ede933fbc771ecffa8e23437138c2ccfae5779 Author: Nicolin Chen Date: Wed Oct 28 17:48:20 2020 -0700 clk: tegra: Do not return 0 on failure commit 6160aca443148416994c022a35c77daeba948ea6 upstream. Return values from read_dt_param() will be either TRUE (1) or FALSE (0), while dfll_fetch_pwm_params() returns 0 on success or an ERR code on failure. So this patch fixes the bug of returning 0 on failure. Fixes: 36541f0499fe ("clk: tegra: dfll: support PWM regulator control") Cc: Signed-off-by: Nicolin Chen Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit f133bfbe1201a8107961b0825231bc81746b9075 Author: Terry Zhou Date: Fri Nov 6 11:00:39 2020 +0100 clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream. There is an error in the current code that the XTAL MODE pin was set to NB MPP1_31 which should be NB MPP1_9. The latch register of NB MPP1_9 has different offset of 0x8. Signed-off-by: Terry Zhou [pali: Fix pin name in commit message] Signed-off-by: Pali Rohár Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org Reviewed-by: Marek Behún Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit ca4fd0284cb3852a706c84ac65f5ba105073003d Author: Paul Cercueil Date: Sat Dec 12 13:57:33 2020 +0000 clk: ingenic: Fix divider calculation with div tables commit 11a163f2c7d6a9f27ce144cd7e367a81c851621a upstream. The previous code assumed that a higher hardware value always resulted in a bigger divider, which is correct for the regular clocks, but is an invalid assumption when a divider table is provided for the clock. Perfect example of this is the PLL0_HALF clock, which applies a /2 divider with the hardware value 0, and a /1 divider otherwise. Fixes: a9fa2893fcc6 ("clk: ingenic: Add support for divider tables") Cc: # 5.2 Signed-off-by: Paul Cercueil Link: https://lore.kernel.org/r/20201212135733.38050-1-paul@crapouillou.net Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 13e6b6259e6d672197a697fc6d0b8164efa8d021 Author: Yangtao Li Date: Tue Nov 10 14:24:40 2020 +0800 pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler commit a1158e36f876f6269978a4176e3a1d48d27fe7a1 upstream. It is found on many allwinner soc that there is a low probability that the interrupt status cannot be read in sunxi_pinctrl_irq_handler. This will cause the interrupt status of a gpio bank to always be active on gic, preventing gic from responding to other spi interrupts correctly. So we should call the chained_irq_* each time enter sunxi_pinctrl_irq_handler(). Signed-off-by: Yangtao Li Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/85263ce8b058e80cea25c6ad6383eb256ce96cc8.1604988979.git.frank@allwinnertech.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 2fb550de7563950edeffd02763b293fb405d6354 Author: Zhao Heming Date: Thu Nov 19 19:41:34 2020 +0800 md/cluster: fix deadlock when node is doing resync job commit bca5b0658020be90b6b504ca514fd80110204f71 upstream. md-cluster uses MD_CLUSTER_SEND_LOCK to make node can exclusively send msg. During sending msg, node can concurrently receive msg from another node. When node does resync job, grab token_lockres:EX may trigger a deadlock: ``` nodeA nodeB -------------------- -------------------- a. send METADATA_UPDATED held token_lockres:EX b. md_do_sync resync_info_update send RESYNCING + set MD_CLUSTER_SEND_LOCK + wait for holding token_lockres:EX c. mdadm /dev/md0 --remove /dev/sdg + held reconfig_mutex + send REMOVE + wait_event(MD_CLUSTER_SEND_LOCK) d. recv_daemon //METADATA_UPDATED from A process_metadata_update + (mddev_trylock(mddev) || MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD) //this time, both return false forever ``` Explaination: a. A send METADATA_UPDATED This will block another node to send msg b. B does sync jobs, which will send RESYNCING at intervals. This will be block for holding token_lockres:EX lock. c. B do "mdadm --remove", which will send REMOVE. This will be blocked by step : MD_CLUSTER_SEND_LOCK is 1. d. B recv METADATA_UPDATED msg, which send from A in step . This will be blocked by step : holding mddev lock, it makes wait_event can't hold mddev lock. (btw, MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD keep ZERO in this scenario.) There is a similar deadlock in commit 0ba959774e93 ("md-cluster: use sync way to handle METADATA_UPDATED msg") In that commit, step c is "update sb". This patch step c is "mdadm --remove". For fixing this issue, we can refer the solution of function: metadata_update_start. Which does the same grab lock_token action. lock_comm can use the same steps to avoid deadlock. By moving MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD from lock_token to lock_comm. It enlarge a little bit window of MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, but it is safe & can break deadlock. Repro steps (I only triggered 3 times with hundreds tests): two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB. ``` ssh root@node2 "mdadm -S --scan" mdadm -S --scan for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ count=20; done mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh \ --bitmap-chunk=1M ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" sleep 5 mkfs.xfs /dev/md0 mdadm --manage --add /dev/md0 /dev/sdi mdadm --wait /dev/md0 mdadm --grow --raid-devices=3 /dev/md0 mdadm /dev/md0 --fail /dev/sdg mdadm /dev/md0 --remove /dev/sdg mdadm --grow --raid-devices=2 /dev/md0 ``` test script will hung when executing "mdadm --remove". ``` # dump stacks by "echo t > /proc/sysrq-trigger" md0_cluster_rec D 0 5329 2 0x80004000 Call Trace: __schedule+0x1f6/0x560 ? _cond_resched+0x2d/0x40 ? schedule+0x4a/0xb0 ? process_metadata_update.isra.0+0xdb/0x140 [md_cluster] ? wait_woken+0x80/0x80 ? process_recvd_msg+0x113/0x1d0 [md_cluster] ? recv_daemon+0x9e/0x120 [md_cluster] ? md_thread+0x94/0x160 [md_mod] ? wait_woken+0x80/0x80 ? md_congested+0x30/0x30 [md_mod] ? kthread+0x115/0x140 ? __kthread_bind_mask+0x60/0x60 ? ret_from_fork+0x1f/0x40 mdadm D 0 5423 1 0x00004004 Call Trace: __schedule+0x1f6/0x560 ? __schedule+0x1fe/0x560 ? schedule+0x4a/0xb0 ? lock_comm.isra.0+0x7b/0xb0 [md_cluster] ? wait_woken+0x80/0x80 ? remove_disk+0x4f/0x90 [md_cluster] ? hot_remove_disk+0xb1/0x1b0 [md_mod] ? md_ioctl+0x50c/0xba0 [md_mod] ? wait_woken+0x80/0x80 ? blkdev_ioctl+0xa2/0x2a0 ? block_ioctl+0x39/0x40 ? ksys_ioctl+0x82/0xc0 ? __x64_sys_ioctl+0x16/0x20 ? do_syscall_64+0x5f/0x150 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 md0_resync D 0 5425 2 0x80004000 Call Trace: __schedule+0x1f6/0x560 ? schedule+0x4a/0xb0 ? dlm_lock_sync+0xa1/0xd0 [md_cluster] ? wait_woken+0x80/0x80 ? lock_token+0x2d/0x90 [md_cluster] ? resync_info_update+0x95/0x100 [md_cluster] ? raid1_sync_request+0x7d3/0xa40 [raid1] ? md_do_sync.cold+0x737/0xc8f [md_mod] ? md_thread+0x94/0x160 [md_mod] ? md_congested+0x30/0x30 [md_mod] ? kthread+0x115/0x140 ? __kthread_bind_mask+0x60/0x60 ? ret_from_fork+0x1f/0x40 ``` At last, thanks for Xiao's solution. Cc: stable@vger.kernel.org Signed-off-by: Zhao Heming Suggested-by: Xiao Ni Reviewed-by: Xiao Ni Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit 7523d147087b07506e203cc9a5dc9131db70b6be Author: Zhao Heming Date: Thu Nov 19 19:41:33 2020 +0800 md/cluster: block reshape with remote resync job commit a8da01f79c89755fad55ed0ea96e8d2103242a72 upstream. Reshape request should be blocked with ongoing resync job. In cluster env, a node can start resync job even if the resync cmd isn't executed on it, e.g., user executes "mdadm --grow" on node A, sometimes node B will start resync job. However, current update_raid_disks() only check local recovery status, which is incomplete. As a result, we see user will execute "mdadm --grow" successfully on local, while the remote node deny to do reshape job when it doing resync job. The inconsistent handling cause array enter unexpected status. If user doesn't observe this issue and continue executing mdadm cmd, the array doesn't work at last. Fix this issue by blocking reshape request. When node executes "--grow" and detects ongoing resync, it should stop and report error to user. The following script reproduces the issue with ~100% probability. (two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB) ``` # on node1, node2 is the remote node. ssh root@node2 "mdadm -S --scan" mdadm -S --scan for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \ count=20; done mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh" sleep 5 mdadm --manage --add /dev/md0 /dev/sdi mdadm --wait /dev/md0 mdadm --grow --raid-devices=3 /dev/md0 mdadm /dev/md0 --fail /dev/sdg mdadm /dev/md0 --remove /dev/sdg mdadm --grow --raid-devices=2 /dev/md0 ``` Cc: stable@vger.kernel.org Signed-off-by: Zhao Heming Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit 27b58f6adad8a42770ff00c3b8f74c94dd3ccd60 Author: Jonathan Cameron Date: Sun Sep 20 12:27:42 2020 +0100 iio:adc:ti-ads124s08: Fix alignment and data leak issues. commit 1e405bc2512f80a903ddd6ba8740cee885238d7f upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc() so no data can leak apart from previous readings. In this driver the timestamp can end up in various different locations depending on what other channels are enabled. As a result, we don't use a structure to specify it's position as that would be misleading. Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Dan Murphy Cc: Link: https://lore.kernel.org/r/20200920112742.170751-9-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 2d7229c037d155ff5b91d085b02c50f812c6efff Author: Jonathan Cameron Date: Sun Sep 20 12:27:41 2020 +0100 iio:adc:ti-ads124s08: Fix buffer being too long. commit b0bd27f02d768e3a861c4e6c27f8e369720e6c25 upstream. The buffer is expressed as a u32 array, yet the extra space for the s64 timestamp was expressed as sizeof(s64)/sizeof(u16). This will result in 2 extra u32 elements. Fix by dividing by sizeof(u32). Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Dan Murphy Cc: Link: https://lore.kernel.org/r/20200920112742.170751-8-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit d6ea1d559027dc8797db4152beb2ecc15e348bbe Author: Jonathan Cameron Date: Sun Sep 20 12:27:38 2020 +0100 iio:imu:bmi160: Fix too large a buffer. commit dc7de42d6b50a07b37feeba4c6b5136290fcee81 upstream. The comment implies this device has 3 sensor types, but it only has an accelerometer and a gyroscope (both 3D). As such the buffer does not need to be as long as stated. Note I've separated this from the following patch which fixes the alignment for passing to iio_push_to_buffers_with_timestamp() as they are different issues even if they affect the same line of code. Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Daniel Baluta Cc: Link: https://lore.kernel.org/r/20200920112742.170751-5-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 91b7b231f5e76447ad0c8d9318ca8e72441a10c8 Author: Jonathan Cameron Date: Sun Sep 20 12:27:40 2020 +0100 iio:pressure:mpl3115: Force alignment of buffer commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream. Whilst this is another case of the issue Lars reported with an array of elements of smaller than 8 bytes being passed to iio_push_to_buffers_with_timestamp(), the solution here is a bit different from the other cases and relies on __aligned working on the stack (true since 4.6?) This one is unusual. We have to do an explicit memset() each time as we are reading 3 bytes into a potential 4 byte channel which may sometimes be a 2 byte channel depending on what is enabled. As such, moving the buffer to the heap in the iio_priv structure doesn't save us much. We can't use a nice explicit structure on the stack either as the data channels have different storage sizes and are all separately controlled. Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Reviewed-by: Alexandru Ardelean Cc: Peter Meerwald Cc: Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 9607d22e71d18ed6d9f6792fef418fab98d6fa4c Author: Jonathan Cameron Date: Sun Sep 20 12:27:37 2020 +0100 iio:magnetometer:mag3110: Fix alignment and data leak issues. commit 89deb1334252ea4a8491d47654811e28b0790364 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc() so no data can leak apart from previous readings. The explicit alignment of ts is not necessary in this case but does make the code slightly less fragile so I have included it. Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 71a326dcd2a8eaf18af6e960af15ea0edcb1857c Author: Jonathan Cameron Date: Sun Sep 20 12:27:36 2020 +0100 iio:light:st_uvis25: Fix timestamp alignment and prevent data leak. commit d837a996f57c29a985177bc03b0e599082047f27 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() This data is allocated with kzalloc() so no data can leak apart from previous readings. A local unsigned int variable is used for the regmap call so it is clear there is no potential issue with writing into the padding of the structure. Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Acked-by: Lorenzo Bianconi Cc: Link: https://lore.kernel.org/r/20200920112742.170751-3-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit c18fc255187f33bc84f2800c877af307510850fc Author: Jonathan Cameron Date: Sun Sep 20 12:27:35 2020 +0100 iio:light:rpr0521: Fix timestamp alignment and prevent data leak. commit a61817216bcc755eabbcb1cf281d84ccad267ed1 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc() so no data can leak apart from previous readings and in this case the status byte from the device. The forced alignment of ts is not necessary in this case but it potentially makes the code less fragile. >From personal communications with Mikko: We could probably split the reading of the int register, but it would mean a significant performance cost of 20 i2c clock cycles. Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Cc: Mikko Koivunen Cc: Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org Signed-off-by: Greg Kroah-Hartman commit 860ab67cd81e4a079c3c7ec53731bf34cc804130 Author: Qinglang Miao Date: Tue Nov 3 20:07:43 2020 +0800 iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream. Fix the missing clk_disable_unprepare() of info->pclk before return from rockchip_saradc_resume in the error handling case when fails to prepare and enable info->clk. Suggested-by: Robin Murphy Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc") Signed-off-by: Qinglang Miao Cc: Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0fa2b43b0a2a1304075cb844174d0ead06902a42 Author: Nuno Sá Date: Thu Nov 12 15:43:22 2020 +0100 iio: buffer: Fix demux update commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream. When updating the buffer demux, we will skip a scan element from the device in the case `in_ind != out_ind` and we enter the while loop. in_ind should only be refreshed with `find_next_bit()` in the end of the loop. Note, to cause problems we need a situation where we are skippig over an element (channel not enabled) that happens to not have the same size as the next element. Whilst this is a possible situation we haven't actually identified any cases in mainline where it happens as most drivers have consistent channel storage sizes with the exception of the timestamp which is the last element and hence never skipped over. Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") Signed-off-by: Nuno Sá Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 82af6e44b7d4de7ecbc95094cb5cdfe995533a74 Author: James Smart Date: Tue Oct 20 13:27:13 2020 -0700 scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free() commit e5785d3ec32f5f44dd88cd7b398e496742630469 upstream. Commit 9816ef6ecbc1 ("scsi: lpfc: Use after free in lpfc_rq_buf_free()") was made to correct a use after free condition in lpfc_rq_buf_free(). Unfortunately, a subsequent patch cut on a tree without the fix inadvertently reverted the fix. Put the fix back: Move the freeing of the rqb_entry to after the print function that references it. Link: https://lore.kernel.org/r/20201020202719.54726-4-james.smart@broadcom.com Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") Cc: # v4.17+ Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7ec7630548dc2b8c05f45c62d5cca483ff85da60 Author: James Smart Date: Tue Oct 20 13:27:11 2020 -0700 scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc() commit 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf upstream. The following calltrace was seen: BUG: sleeping function called from invalid context at mm/slab.h:494 ... Call Trace: dump_stack+0x9a/0xf0 ___might_sleep.cold.63+0x13d/0x178 slab_pre_alloc_hook+0x6a/0x90 kmem_cache_alloc_trace+0x3a/0x2d0 lpfc_sli4_nvmet_alloc+0x4c/0x280 [lpfc] lpfc_post_rq_buffer+0x2e7/0xa60 [lpfc] lpfc_sli4_hba_setup+0x6b4c/0xa4b0 [lpfc] lpfc_pci_probe_one_s4.isra.15+0x14f8/0x2280 [lpfc] lpfc_pci_probe_one+0x260/0x2880 [lpfc] local_pci_probe+0xd4/0x180 work_for_cpu_fn+0x51/0xa0 process_one_work+0x8f0/0x17b0 worker_thread+0x536/0xb50 kthread+0x30c/0x3d0 ret_from_fork+0x3a/0x50 A prior patch introduced a spin_lock_irqsave(hbalock) in the lpfc_post_rq_buffer() routine. Call trace is seen as the hbalock is held with interrupts disabled during a GFP_KERNEL allocation in lpfc_sli4_nvmet_alloc(). Fix by reordering locking so that hbalock not held when calling sli4_nvmet_alloc() (aka rqb_buf_list()). Link: https://lore.kernel.org/r/20201020202719.54726-2-james.smart@broadcom.com Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") Cc: # v4.17+ Co-developed-by: Dick Kennedy Signed-off-by: Dick Kennedy Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 6822575cf2046c9a9125abe9fc1ae4b653f37b66 Author: Arun Easi Date: Wed Dec 2 05:23:04 2020 -0800 scsi: qla2xxx: Fix crash during driver load on big endian machines commit 8de309e7299a00b3045fb274f82b326f356404f0 upstream. Crash stack: [576544.715489] Unable to handle kernel paging request for data at address 0xd00000000f970000 [576544.715497] Faulting instruction address: 0xd00000000f880f64 [576544.715503] Oops: Kernel access of bad area, sig: 11 [#1] [576544.715506] SMP NR_CPUS=2048 NUMA pSeries : [576544.715703] NIP [d00000000f880f64] .qla27xx_fwdt_template_valid+0x94/0x100 [qla2xxx] [576544.715722] LR [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx] [576544.715726] Call Trace: [576544.715731] [c0000004d0ffb000] [c0000006fe02c350] 0xc0000006fe02c350 (unreliable) [576544.715750] [c0000004d0ffb080] [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx] [576544.715770] [c0000004d0ffb170] [d00000000f7aa034] .qla81xx_load_risc+0x84/0x1a0 [qla2xxx] [576544.715789] [c0000004d0ffb210] [d00000000f79f7c8] .qla2x00_setup_chip+0xc8/0x910 [qla2xxx] [576544.715808] [c0000004d0ffb300] [d00000000f7a631c] .qla2x00_initialize_adapter+0x4dc/0xb00 [qla2xxx] [576544.715826] [c0000004d0ffb3e0] [d00000000f78ce28] .qla2x00_probe_one+0xf08/0x2200 [qla2xxx] Link: https://lore.kernel.org/r/20201202132312.19966-8-njavali@marvell.com Fixes: f73cb695d3ec ("[SCSI] qla2xxx: Add support for ISP2071.") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 1b26af7e4c7ff7afb4a9cd2b8ce10dc1c497da2d Author: Sergei Antonov Date: Wed Oct 28 12:49:40 2020 +0300 mtd: rawnand: meson: fix meson_nfc_dma_buffer_release() arguments commit c13d845e9a69580424d40b7b101c37d4f71bcd63 upstream. Arguments 'infolen' and 'datalen' to meson_nfc_dma_buffer_release() were mixed up. Fixes: 8fae856c53500 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") Cc: stable@vger.kernel.org Signed-off-by: Sergei Antonov Acked-by: Liang Yang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201028094940.11765-1-saproj@gmail.com Signed-off-by: Greg Kroah-Hartman commit c5f3e5ca8116130f757151d935a472052d74f5e7 Author: Praveenkumar I Date: Fri Oct 9 13:37:52 2020 +0530 mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read commit bc3686021122de953858a5be4cbf6e3f1d821e79 upstream. After each codeword NAND_FLASH_STATUS is read for possible operational failures. But there is no DMA sync for CPU operation before reading it and this leads to incorrect or older copy of DMA buffer in reg_read_buf. This patch adds the DMA sync on reg_read_buf for CPU before reading it. Fixes: 5bc36b2bf6e2 ("mtd: rawnand: qcom: check for operation errors in case of raw read") Cc: stable@vger.kernel.org Signed-off-by: Praveenkumar I Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/1602230872-25616-1-git-send-email-ipkumar@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 2aea2b22b6f9ada0e0180bff1a29e56d3eb524de Author: Sven Eckelmann Date: Tue Nov 24 07:25:06 2020 +0100 mtd: parser: cmdline: Fix parsing of part-names with colons commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream. Some devices (especially QCA ones) are already using hardcoded partition names with colons in it. The OpenMesh A62 for example provides following mtd relevant information via cmdline: root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait The change to split only on the last colon between mtd-id and partitions will cause newpart to see following string for the first partition: KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) Such a partition list cannot be parsed and thus the device fails to boot. Avoid this behavior by making sure that the start of the first part-name ("(") will also be the last byte the mtd-id split algorithm is using for its colon search. Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons") Cc: stable@vger.kernel.org Cc: Ron Minnich Signed-off-by: Sven Eckelmann Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org Signed-off-by: Greg Kroah-Hartman commit 4290a73c9d670a0a77be1ae5aec3fde884925d58 Author: Miquel Raynal Date: Thu Oct 1 12:20:13 2020 +0200 mtd: spinand: Fix OOB read commit 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 upstream. So far OOB have never been used in SPI-NAND, add the missing memcpy to make it work properly. Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201001102014.20100-6-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit b22739509dcbf5b3288e3df473aca12acd27fa65 Author: Evan Green Date: Tue Sep 29 13:30:57 2020 -0700 soc: qcom: smp2p: Safely acquire spinlock without IRQs commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream. smp2p_update_bits() should disable interrupts when it acquires its spinlock. This is important because without the _irqsave, a priority inversion can occur. This function is called both with interrupts enabled in qcom_q6v5_request_stop(), and with interrupts disabled in ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be consistent to avoid the panic notifier deadlocking because it's sitting on the thread that's already got the lock via _request_stop(). Found via lockdep. Cc: stable@vger.kernel.org Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point") Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Evan Green Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit ddcb518dee78e5bdb1e9beb5bcd6febd76bc3666 Author: Tudor Ambarus Date: Mon Dec 7 15:59:56 2020 +0200 spi: atmel-quadspi: Fix AHB memory accesses commit cac8c821059639b015586abf61623c62cc549a13 upstream. Following error was seen when mounting a 16MByte ubifs: UBIFS error (ubi0:0 pid 1893): check_lpt_type.constprop.6: invalid type (15) in LPT node type QSPI_IFR.TFRTYP was not set correctly. When data transfer is enabled and one wants to access the serial memory through AHB in order to: - read in the serial memory, but not a memory data, for example a JEDEC-ID, QSPI_IFR.TFRTYP must be written to '0' (both sama5d2 and sam9x60). - read in the serial memory, and particularly a memory data, TFRTYP must be written to '1' (both sama5d2 and sam9x60). - write in the serial memory, but not a memory data, for example writing the configuration or the QSPI_SR, TFRTYP must be written to '2' for sama5d2 and to '0' for sam9x60. - write in the serial memory in particular to program a memory data, TFRTYP must be written to '3' for sama5d2 and to '1' for sam9x60. Fix the setting of the QSPI_IFR.TFRTYP field. Fixes: 2d30ac5ed633 ("mtd: spi-nor: atmel-quadspi: Use spi-mem interface for atmel-quadspi driver") Cc: # v5.0+ Reported-by: Tom Burkart Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20201207135959.154124-2-tudor.ambarus@microchip.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 96f7bd39f56f735e21780e11f949859bfdfeedfe Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: atmel-quadspi: Disable clock in probe error path commit 0e685017c7ba1a2fe9f6f1e7a9302890747d934c upstream. If the call to of_device_get_match_data() fails on probe of the Atmel QuadSPI driver, the clock "aq->pclk" is erroneously not unprepared and disabled. Fix it. Fixes: 2e5c88887358 ("spi: atmel-quadspi: add support for sam9x60 qspi controller") Signed-off-by: Lukas Wunner Cc: # v5.1+ Cc: Tudor Ambarus Cc: Boris Brezillon Reviewed-by: Tudor Ambarus Link: https://lore.kernel.org/r/8f8dc2815aa97b2378528f08f923bf81e19611f0.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 8f295baae53db98a138a6bb94ef113b3d2d95993 Author: Lukas Wunner Date: Mon Dec 7 09:17:14 2020 +0100 spi: mt7621: Don't leak SPI master in probe error path commit 46b5c4fb87ce8211e0f9b0383dbde72c3652d2ba upstream. If the calls to device_reset() or devm_spi_register_controller() fail on probe of the MediaTek MT7621 SPI driver, the spi_controller struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Additionally, there's an ordering issue in mt7621_spi_remove() wherein the spi_controller is unregistered after disabling the SYS clock. The correct order is to call spi_unregister_controller() *before* this teardown step because bus accesses may still be ongoing until that function returns. All of these bugs have existed since the driver was first introduced, so it seems fair to fix them together in a single commit. Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support") Signed-off-by: Lukas Wunner Reviewed-by: Stefan Roese Cc: # v4.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.17+ Link: https://lore.kernel.org/r/72b680796149f5fcda0b3f530ffb7ee73b04f224.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0818aab8a82b29f44780ec669722caa969f8ebe7 Author: Lukas Wunner Date: Mon Dec 7 09:17:13 2020 +0100 spi: mt7621: Disable clock in probe error path commit 24f7033405abe195224ec793dbc3d7a27dec0b98 upstream. Commit 702b15cb9712 ("spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe") sought to disable the SYS clock on probe errors, but only did so for 2 of 3 potentially failing calls: The clock needs to be disabled on failure of devm_spi_register_controller() as well. Moreover, the commit purports to fix a bug in commit cbd66c626e16 ("spi: mt7621: Move SPI driver out of staging") but in reality the bug has existed since the driver was first introduced. Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support") Signed-off-by: Lukas Wunner Cc: # v4.17+: 702b15cb9712: spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe Cc: # v4.17+ Cc: Qinglang Miao Link: https://lore.kernel.org/r/36ad42760087952fb7c10aae7d2628547c26a7ec.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit cad189512c387ebfae1795a084b87cb46806ca43 Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: synquacer: Disable clock in probe error path commit 8853b2503014aca5c793d2c7f0aabc990b32bdad upstream. If the calls to platform_get_irq() or devm_request_irq() fail on probe of the SynQuacer SPI driver, the clock "sspi->clk" is erroneously not unprepared and disabled. If the clock rate "master->max_speed_hz" cannot be determined, the same happens and in addition the spi_master struct is not freed. Fix it. Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform") Signed-off-by: Lukas Wunner Cc: # v5.3+ Cc: Masahisa Kojima Link: https://lore.kernel.org/r/232281df1ab91d8f0f553a62d5f97fc264ace4da.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4051e5b7741b819046870f93416f5585bda772c5 Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream. If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map() or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the runtime PM disable depth is incremented even though it was not decremented before. Fix it. Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable") Signed-off-by: Lukas Wunner Cc: # v5.5+ Cc: Chuhong Yuan Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3c0e28f2881e140208d7741dd147458a86d86238 Author: Lukas Wunner Date: Mon Dec 7 09:17:11 2020 +0100 spi: sc18is602: Don't leak SPI master in probe error path commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream. If the call to devm_gpiod_get_optional() fails on probe of the NXP SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.") Signed-off-by: Lukas Wunner Cc: # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.9+ Cc: Phil Reid Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 819f9edaaeb9c78ea20bb63a0e28a6d8a13d4a51 Author: Lukas Wunner Date: Mon Dec 7 09:17:10 2020 +0100 spi: rb4xx: Don't leak SPI master in probe error path commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream. If the calls to devm_clk_get(), devm_spi_register_master() or clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver, the spi_master struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards") Signed-off-by: Lukas Wunner Cc: # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.2+ Cc: Bert Vermeulen Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c5491ac115590a692f7dd7ff18b25e81a786a0bc Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: pic32: Don't leak DMA channels in probe error path commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream. If the calls to devm_request_irq() or devm_spi_register_master() fail on probe of the PIC32 SPI driver, the DMA channels requested by pic32_spi_dma_prep() are erroneously not released. Plug the leak. Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") Signed-off-by: Lukas Wunner Cc: # v4.7+ Cc: Purna Chandra Mandal Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3ea835ac604b7975a5a36ff0b212469157335972 Author: Lukas Wunner Date: Mon Dec 7 09:17:07 2020 +0100 spi: mxic: Don't leak SPI master in probe error path commit cc53711b2191cf3b3210283ae89bf0abb98c70a3 upstream. If the calls to devm_clk_get() or devm_ioremap_resource() fail on probe of the Macronix SPI driver, the spi_master struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: b942d80b0a39 ("spi: Add MXIC controller driver") Signed-off-by: Lukas Wunner Cc: # v5.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v5.0+ Cc: Mason Yang Link: https://lore.kernel.org/r/4fa6857806e7e75741c05d057ac9df3564460114.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0da7709f5ea3d015cc129ab6da5fa6f8b7d6595a Author: Lukas Wunner Date: Mon Dec 7 09:17:09 2020 +0100 spi: gpio: Don't leak SPI master in probe error path commit 7174dc655ef0578877b0b4598e69619d2be28b4d upstream. If the call to devm_spi_register_master() fails on probe of the GPIO SPI driver, the spi_master struct is erroneously not freed: After allocating the spi_master, its reference count is 1. The driver unconditionally decrements the reference count on unbind using a devm action. Before calling devm_spi_register_master(), the driver unconditionally increments the reference count because on success, that function will decrement the reference count on unbind. However on failure, devm_spi_register_master() does *not* decrement the reference count, so the spi_master is leaked. The issue was introduced by commits 8b797490b4db ("spi: gpio: Make sure spi_master_put() is called in every error path") and 79567c1a321e ("spi: gpio: Use devm_spi_register_master()"), which sought to plug leaks introduced by 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO descriptors") but missed this remaining leak. The situation was later aggravated by commit d3b0ffa1d75d ("spi: gpio: prevent memory leak in spi_gpio_probe"), which introduced a use-after-free because it releases a reference on the spi_master if devm_add_action_or_reset() fails even though the function already does that. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO descriptors") Signed-off-by: Lukas Wunner Reviewed-by: Linus Walleij Cc: # v4.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v5.1-: 8b797490b4db: spi: gpio: Make sure spi_master_put() is called in every error path Cc: # v5.1-: 45beec351998: spi: bitbang: Introduce spi_bitbang_init() Cc: # v5.1-: 79567c1a321e: spi: gpio: Use devm_spi_register_master() Cc: # v5.4-: d3b0ffa1d75d: spi: gpio: prevent memory leak in spi_gpio_probe Cc: # v4.17+ Cc: Navid Emamdoost Cc: Andrey Smirnov Link: https://lore.kernel.org/r/86eaed27431c3d709e3748eb76ceecbfc790dd37.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ee1d2aef1c134f77c5c1d1bf24ae01d17b308e93 Author: Rasmus Villemoes Date: Fri Nov 27 16:29:47 2020 +0100 spi: fsl: fix use of spisel_boot signal on MPC8309 commit 122541f2b10897b08f7f7e6db5f1eb693e51f0a1 upstream. Commit 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors") broke the use of the SPISEL_BOOT signal as a chip select on the MPC8309. pdata->max_chipselect, which becomes master->num_chipselect, must be initialized to take into account the possibility that there's one more chip select in use than the number of GPIO chip selects. Cc: stable@vger.kernel.org # v5.4+ Cc: Christophe Leroy Cc: Linus Walleij Fixes: 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors") Signed-off-by: Rasmus Villemoes Link: https://lore.kernel.org/r/20201127152947.376-1-rasmus.villemoes@prevas.dk Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 614f2529c8ea96a41c677c576491594ffc620ce6 Author: Lukas Wunner Date: Mon Dec 7 09:17:01 2020 +0100 spi: davinci: Fix use-after-free on unbind commit 373afef350a93519b4b8d636b0895da8650b714b upstream. davinci_spi_remove() accesses the driver's private data after it's been freed with spi_master_put(). Fix by moving the spi_master_put() to the end of the function. Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel") Signed-off-by: Lukas Wunner Acked-by: Peter Ujfalusi Cc: # v4.7+ Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c6b9bfb0c477ba8710926d792b1bd0f41775b982 Author: Lukas Wunner Date: Mon Dec 7 09:17:17 2020 +0100 spi: atmel-quadspi: Fix use-after-free on unbind commit c7b884561cb5b641f3dbba950094110794119a6d upstream. atmel_qspi_remove() accesses the driver's private data after calling spi_unregister_controller() even though that function releases the last reference on the spi_controller and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: 2d30ac5ed633 ("mtd: spi-nor: atmel-quadspi: Use spi-mem interface for atmel-quadspi driver") Signed-off-by: Lukas Wunner Cc: # v5.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v5.0+ Cc: Piotr Bugalski Link: https://lore.kernel.org/r/4b05c65cf6f1ea3251484fe9a00b4c65478a1ae3.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit bd6d736dbf36152bec16ba51a5b9ea69fb475965 Author: Lukas Wunner Date: Mon Dec 7 09:17:04 2020 +0100 spi: spi-sh: Fix use-after-free on unbind commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream. spi_sh_remove() accesses the driver's private data after calling spi_unregister_master() even though that function releases the last reference on the spi_master and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path") Signed-off-by: Lukas Wunner Cc: # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v3.0+ Cc: Axel Lin Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 17360c3af12944233379fcdb360c8392c56d79eb Author: Lukas Wunner Date: Mon Dec 7 09:17:05 2020 +0100 spi: pxa2xx: Fix use-after-free on unbind commit 5626308bb94d9f930aa5f7c77327df4c6daa7759 upstream. pxa2xx_spi_remove() accesses the driver's private data after calling spi_unregister_controller() even though that function releases the last reference on the spi_controller and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master/slave() helper which keeps the private data accessible until the driver has unbound. Fixes: 32e5b57232c0 ("spi: pxa2xx: Fix controller unregister order") Signed-off-by: Lukas Wunner Cc: # v2.6.17+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v2.6.17+: 32e5b57232c0: spi: pxa2xx: Fix controller unregister order Cc: # v2.6.17+ Link: https://lore.kernel.org/r/5764b04d4a6e43069ebb7808f64c2f774ac6f193.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c5ae864c148c2b016e56677a39a4c15c24059552 Author: Chris Wilson Date: Wed Dec 16 09:29:51 2020 +0000 drm/i915: Fix mismatch between misplaced vma check and vma insert commit 0e53656ad8abc99e0a80c3de611e593ebbf55829 upstream. When inserting a VMA, we restrict the placement to the low 4G unless the caller opts into using the full range. This was done to allow usersapce the opportunity to transition slowly from a 32b address space, and to avoid breaking inherent 32b assumptions of some commands. However, for insert we limited ourselves to 4G-4K, but on verification we allowed the full 4G. This causes some attempts to bind a new buffer to sporadically fail with -ENOSPC, but at other times be bound successfully. commit 48ea1e32c39d ("drm/i915/gen9: Set PIN_ZONE_4G end to 4GB - 1 page") suggests that there is a genuine problem with stateless addressing that cannot utilize the last page in 4G and so we purposefully excluded it. This means that the quick pin pass may cause us to utilize a buggy placement. Reported-by: CQ Tang Testcase: igt/gem_exec_params/larger-than-life-batch Fixes: 48ea1e32c39d ("drm/i915/gen9: Set PIN_ZONE_4G end to 4GB - 1 page") Signed-off-by: Chris Wilson Cc: CQ Tang Reviewed-by: CQ Tang Reviewed-by: Matthew Auld Cc: # v4.5+ Link: https://patchwork.freedesktop.org/patch/msgid/20201216092951.7124-1-chris@chris-wilson.co.uk (cherry picked from commit 5f22cc0b134ab702d7f64b714e26018f7288ffee) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 1e684ad37047e556db2765a5249e219b4ab2a7d7 Author: Zwane Mwaikambo Date: Mon Oct 12 22:59:14 2020 -0700 drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream. I observed this when unplugging a DP monitor whilst a computer is asleep and then waking it up. This left DP chardev nodes still being present on the filesystem and accessing these device nodes caused an oops because drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. This can also be reproduced by creating a device node with mknod(1) and issuing an open(2) [166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 [166164.933202] #PF: supervisor read access in kernel mode [166164.933204] #PF: error_code(0x0000) - not-present page [166164.933205] PGD 0 P4D 0 [166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI [166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W 5.8.0-rc6+ #1 [166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W (1.11 ) 04/21/2020 [166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 [drm_kms_helper] [166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 <8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 [166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 [166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 [166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 [166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 [166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 [166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 [166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000) knlGS:0000000000000000 [166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 [166164.933247] Call Trace: [166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] [166164.933278] chrdev_open+0xa7/0x1c0 [166164.933282] ? cdev_put.part.0+0x20/0x20 [166164.933287] do_dentry_open+0x161/0x3c0 [166164.933291] vfs_open+0x2d/0x30 [166164.933297] path_openat+0xb27/0x10e0 [166164.933306] ? atime_needs_update+0x73/0xd0 [166164.933309] do_filp_open+0x91/0x100 [166164.933313] ? __alloc_fd+0xb2/0x150 [166164.933316] do_sys_openat2+0x210/0x2d0 [166164.933318] do_sys_open+0x46/0x80 [166164.933320] __x64_sys_openat+0x20/0x30 [166164.933328] do_syscall_64+0x52/0xc0 [166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 (gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 Dump of assembler code for function drm_dp_aux_dev_get_by_minor: 0x0000000000017b10 <+0>: callq 0x17b15 0x0000000000017b15 <+5>: push %rbp 0x0000000000017b16 <+6>: mov %rsp,%rbp 0x0000000000017b19 <+9>: push %r12 0x0000000000017b1b <+11>: mov %edi,%r12d 0x0000000000017b1e <+14>: mov $0x0,%rdi 0x0000000000017b25 <+21>: callq 0x17b2a 0x0000000000017b2a <+26>: mov %r12d,%esi 0x0000000000017b2d <+29>: mov $0x0,%rdi 0x0000000000017b34 <+36>: callq 0x17b39 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= 0x0000000000017b3c <+44>: mov %rax,%r12 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi 0x0000000000017b43 <+51>: test %edx,%edx 0x0000000000017b45 <+53>: je 0x17b7a 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx 0x0000000000017b4a <+58>: mov %edx,%eax 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) 0x0000000000017b50 <+64>: jne 0x17b76 0x0000000000017b52 <+66>: test %edx,%edx 0x0000000000017b54 <+68>: js 0x17b6d 0x0000000000017b56 <+70>: test %ecx,%ecx 0x0000000000017b58 <+72>: js 0x17b6d 0x0000000000017b5a <+74>: mov $0x0,%rdi 0x0000000000017b61 <+81>: callq 0x17b66 0x0000000000017b66 <+86>: mov %r12,%rax 0x0000000000017b69 <+89>: pop %r12 0x0000000000017b6b <+91>: pop %rbp 0x0000000000017b6c <+92>: retq 0x0000000000017b6d <+93>: xor %esi,%esi 0x0000000000017b6f <+95>: callq 0x17b74 0x0000000000017b74 <+100>: jmp 0x17b5a 0x0000000000017b76 <+102>: mov %eax,%edx 0x0000000000017b78 <+104>: jmp 0x17b43 0x0000000000017b7a <+106>: xor %r12d,%r12d 0x0000000000017b7d <+109>: jmp 0x17b5a End of assembler dump. (gdb) list *drm_dp_aux_dev_get_by_minor+0x29 0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). 60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index) 61 { 62 struct drm_dp_aux_dev *aux_dev = NULL; 63 64 mutex_lock(&aux_idr_mutex); 65 aux_dev = idr_find(&aux_idr, index); 66 if (!kref_get_unless_zero(&aux_dev->refcount)) 67 aux_dev = NULL; 68 mutex_unlock(&aux_idr_mutex); 69 (gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount $8 = 0x18 Looking at the caller, checks on the minor are pushed down to drm_dp_aux_dev_get_by_minor() static int auxdev_open(struct inode *inode, struct file *file) { unsigned int minor = iminor(inode); struct drm_dp_aux_dev *aux_dev; aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== if (!aux_dev) return -ENODEV; file->private_data = aux_dev; return 0; } Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") Cc: # v4.6+ Signed-off-by: Zwane Mwaikambo Reviewed-by: Lyude Paul [added Cc to stable] Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home Signed-off-by: Greg Kroah-Hartman commit e1b1f10c3404c8d40c45c3a6846d304fd403fa2c Author: Stylon Wang Date: Tue Nov 10 15:40:06 2020 +0800 drm/amd/display: Fix memory leaks in S3 resume commit a135a1b4c4db1f3b8cbed9676a40ede39feb3362 upstream. EDID parsing in S3 resume pushes new display modes to probed_modes list but doesn't consolidate to actual mode list. This creates a race condition when amdgpu_dm_connector_ddc_get_modes() re-initializes the list head without walking the list and results in memory leak. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=209987 Acked-by: Harry Wentland Acked-by: Alex Deucher Reviewed-by: Nicholas Kazlauskas Signed-off-by: Stylon Wang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit b966771b0d69e9bf10f51bcd70ae55a2e5edc539 Author: Arnd Bergmann Date: Thu Dec 3 23:30:56 2020 +0100 platform/x86: mlx-platform: remove an unused variable commit eca6ba20f38cfa2f148d7bd13db7ccd19e88635b upstream. The only reference to the mlxplat_mlxcpld_psu[] array got removed, so there is now a warning from clang: drivers/platform/x86/mlx-platform.c:322:30: error: variable 'mlxplat_mlxcpld_psu' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] static struct i2c_board_info mlxplat_mlxcpld_psu[] = { Remove the array as well and adapt the ARRAY_SIZE() call accordingly. Fixes: 912b341585e3 ("platform/x86: mlx-platform: Remove PSU EEPROM from MSN274x platform configuration") Signed-off-by: Arnd Bergmann Acked-by: Vadim Pasternak Link: https://lore.kernel.org/r/20201203223105.1195709-1-arnd@kernel.org Signed-off-by: Hans de Goede Cc: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman commit cbeb61258186978c26f9ee738c86fe4812cc27af Author: Dave Kleikamp Date: Fri Nov 13 14:58:46 2020 -0600 jfs: Fix array index bounds check in dbAdjTree commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream. Bounds checking tools can flag a bug in dbAdjTree() for an array index out of bounds in dmt_stree. Since dmt_stree can refer to the stree in both structures dmaptree and dmapctl, use the larger array to eliminate the false positive. Signed-off-by: Dave Kleikamp Reported-by: butt3rflyh4ck Signed-off-by: Greg Kroah-Hartman commit 8ee70b6db88238b1e1fc7623256086fc125a60a8 Author: lizhe Date: Wed Oct 14 14:54:42 2020 +0800 jffs2: Fix ignoring mounting options problem during remounting commit 08cd274f9b8283a1da93e2ccab216a336da83525 upstream. The jffs2 mount options will be ignored when remounting jffs2. It can be easily reproduced with the steps listed below. 1. mount -t jffs2 -o compr=none /dev/mtdblockx /mnt 2. mount -o remount compr=zlib /mnt Since ec10a24f10c8, the option parsing happens before fill_super and then pass fc, which contains the options parsing results, to function jffs2_reconfigure during remounting. But function jffs2_reconfigure do not update c->mount_opts. This patch add a function jffs2_update_mount_opts to fix this problem. By the way, I notice that tmpfs use the same way to update remounting options. If it is necessary to unify them? Cc: Fixes: ec10a24f10c8 ("vfs: Convert jffs2 to use the new mount API") Signed-off-by: lizhe Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 00e45efaf9ff8fdf9f66c69307f9dd133f33809f Author: Zhe Li Date: Fri May 29 11:37:11 2020 +0800 jffs2: Fix GC exit abnormally commit 9afc9a8a4909fece0e911e72b1060614ba2f7969 upstream. The log of this problem is: jffs2: Error garbage collecting node at 0x***! jffs2: No space for garbage collection. Aborting GC thread This is because GC believe that it do nothing, so it abort. After going over the image of jffs2, I find a scene that can trigger this problem stably. The scene is: there is a normal dirent node at summary-area, but abnormal at corresponding not-summary-area with error name_crc. The reason that GC exit abnormally is because it find that abnormal dirent node to GC, but when it goes to function jffs2_add_fd_to_list, it cannot meet the condition listed below: if ((*prev)->nhash == new->nhash && !strcmp((*prev)->name, new->name)) So no node is marked obsolete, statistical information of erase_block do not change, which cause GC exit abnormally. The root cause of this problem is: we do not check the name_crc of the abnormal dirent node with summary is enabled. Noticed that in function jffs2_scan_dirent_node, we use function jffs2_scan_dirty_space to deal with the dirent node with error name_crc. So this patch add a checking code in function read_direntry to ensure the correctness of dirent node. If checked failed, the dirent node will be marked obsolete so GC will pass this node and this problem will be fixed. Cc: Signed-off-by: Zhe Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit ea1e4ba032c5b2ea203a3164148149929560d6c0 Author: Richard Weinberger Date: Mon Nov 16 22:05:30 2020 +0100 ubifs: wbuf: Don't leak kernel memory to flash commit 20f1431160c6b590cdc269a846fc5a448abf5b98 upstream. Write buffers use a kmalloc()'ed buffer, they can leak up to seven bytes of kernel memory to flash if writes are not aligned. So use ubifs_pad() to fill these gaps with padding bytes. This was never a problem while scanning because the scanner logic manually aligns node lengths and skips over these gaps. Cc: Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system") Signed-off-by: Richard Weinberger Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 32825fe72cb37dcf780e49cc3779d3218a0a2423 Author: Steve French Date: Tue Dec 8 21:13:31 2020 -0600 SMB3: avoid confusing warning message on mount to Azure commit ebcd6de98754d9b6a5f89d7835864b1c365d432f upstream. Mounts to Azure cause an unneeded warning message in dmesg "CIFS: VFS: parse_server_interfaces: incomplete interface info" Azure rounds up the size (by 8 additional bytes, to a 16 byte boundary) of the structure returned on the query of the server interfaces at mount time. This is permissible even though different than other servers so do not log a warning if query network interfaces response is only rounded up by 8 bytes or fewer. CC: Stable Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit f22f743a2af257cec843e5840a961d5a8168e394 Author: Luis Henriques Date: Thu Nov 12 10:45:12 2020 +0000 ceph: fix race in concurrent __ceph_remove_cap invocations commit e5cafce3ad0f8652d6849314d951459c2bff7233 upstream. A NULL pointer dereference may occur in __ceph_remove_cap with some of the callbacks used in ceph_iterate_session_caps, namely trim_caps_cb and remove_session_caps_cb. Those callers hold the session->s_mutex, so they are prevented from concurrent execution, but ceph_evict_inode does not. Since the callers of this function hold the i_ceph_lock, the fix is simply a matter of returning immediately if caps->ci is NULL. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/43272 Suggested-by: Jeff Layton Signed-off-by: Luis Henriques Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit a7b014b54c16cf60b4194ac9dde96d258de9054e Author: Anton Ivanov Date: Fri Nov 13 10:26:17 2020 +0000 um: Remove use of asprinf in umid.c commit 97be7ceaf7fea68104824b6aa874cff235333ac1 upstream. asprintf is not compatible with the existing uml memory allocation mechanism. Its use on the "user" side of UML results in a corrupt slab state. Fixes: 0d4e5ac7e780 ("um: remove uses of variable length arrays") Cc: stable@vger.kernel.org Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 26d72a8460dcf292b2a658039408fbe1279a2f90 Author: Roberto Sassu Date: Thu Nov 26 11:34:56 2020 +0100 ima: Don't modify file descriptor mode on the fly commit 207cdd565dfc95a0a5185263a567817b7ebf5467 upstream. Commit a408e4a86b36b ("ima: open a new file instance if no read permissions") already introduced a second open to measure a file when the original file descriptor does not allow it. However, it didn't remove the existing method of changing the mode of the original file descriptor, which is still necessary if the current process does not have enough privileges to open a new one. Changing the mode isn't really an option, as the filesystem might need to do preliminary steps to make the read possible. Thus, this patch removes the code and keeps the second open as the only option to measure a file when it is unreadable with the original file descriptor. Cc: # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") Signed-off-by: Roberto Sassu Reviewed-by: Christoph Hellwig Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit a89b91fcb07c09703a82e09c759e5307a84bd297 Author: David Hildenbrand Date: Wed Nov 11 15:53:16 2020 +0100 powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently commit d6718941a2767fb383e105d257d2105fe4f15f0e upstream. It's very easy to crash the kernel right now by simply trying to enable memtrace concurrently, hammering on the "enable" interface loop.sh: #!/bin/bash dmesg --console-off while true; do echo 0x40000000 > /sys/kernel/debug/powerpc/memtrace/enable done [root@localhost ~]# loop.sh & [root@localhost ~]# loop.sh & Resulting quickly in a kernel crash. Let's properly protect using a mutex. Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") Cc: stable@vger.kernel.org# v4.14+ Signed-off-by: David Hildenbrand Reviewed-by: Oscar Salvador Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201111145322.15793-3-david@redhat.com Signed-off-by: Greg Kroah-Hartman commit 45bf367c85504d01ef70af4fdca97b8a3852b298 Author: David Hildenbrand Date: Wed Nov 11 15:53:15 2020 +0100 powerpc/powernv/memtrace: Don't leak kernel memory to user space commit c74cf7a3d59a21b290fe0468f5b470d0b8ee37df upstream. We currently leak kernel memory to user space, because memory offlining doesn't do any implicit clearing of memory and we are missing explicit clearing of memory. Let's keep it simple and clear pages before removing the linear mapping. Reproduced in QEMU/TCG with 10 GiB of main memory: [root@localhost ~]# dd obs=9G if=/dev/urandom of=/dev/null [... wait until "free -m" used counter no longer changes and cancel] 19665802+0 records in 1+0 records out 9663676416 bytes (9.7 GB, 9.0 GiB) copied, 135.548 s, 71.3 MB/s [root@localhost ~]# cat /sys/devices/system/memory/block_size_bytes 40000000 [root@localhost ~]# echo 0x40000000 > /sys/kernel/debug/powerpc/memtrace/enable [ 402.978663][ T1086] page:000000001bc4bc74 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24900 [ 402.980063][ T1086] flags: 0x7ffff000001000(reserved) [ 402.980415][ T1086] raw: 007ffff000001000 c00c000000924008 c00c000000924008 0000000000000000 [ 402.980627][ T1086] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 402.980845][ T1086] page dumped because: unmovable page [ 402.989608][ T1086] Offlined Pages 16384 [ 403.324155][ T1086] memtrace: Allocated trace memory on node 0 at 0x0000000200000000 Before this patch: [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head 00000000 c8 25 72 51 4d 26 36 c5 5c c2 56 15 d5 1a cd 10 |.%rQM&6.\.V.....| 00000010 19 b9 50 b2 cb e3 60 b8 ec 0a f3 ec 4b 3c 39 f0 |..P...`.....K<9.|$ 00000020 4e 5a 4c cf bd 26 19 ff 37 79 13 67 24 b7 b8 57 |NZL..&..7y.g$..W|$ 00000030 98 3e f5 be 6f 14 6a bd a4 52 bc 6e e9 e0 c1 5d |.>..o.j..R.n...]|$ 00000040 76 b3 ae b5 88 d7 da e3 64 23 85 2c 10 88 07 b6 |v.......d#.,....|$ 00000050 9a d8 91 de f7 50 27 69 2e 64 9c 6f d3 19 45 79 |.....P'i.d.o..Ey|$ 00000060 6a 6f 8a 61 71 19 1f c7 f1 df 28 26 ca 0f 84 55 |jo.aq.....(&...U|$ 00000070 01 3f be e4 e2 e1 da ff 7b 8c 8e 32 37 b4 24 53 |.?......{..27.$S|$ 00000080 1b 70 30 45 56 e6 8c c4 0e b5 4c fb 9f dd 88 06 |.p0EV.....L.....|$ 00000090 ef c4 18 79 f1 60 b1 5c 79 59 4d f4 36 d7 4a 5c |...y.`.\yYM.6.J\|$ After this patch: [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 40000000 Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") Cc: stable@vger.kernel.org # v4.14+ Reported-by: Michael Ellerman Signed-off-by: David Hildenbrand Reviewed-by: Oscar Salvador Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201111145322.15793-2-david@redhat.com Signed-off-by: Greg Kroah-Hartman commit 59334d821e8a981a2dbf921896ba052c615f0f30 Author: Alexey Kardashevskiy Date: Sun Nov 22 18:38:28 2020 +1100 powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU commit b1198a88230f2ce50c271e22b82a8b8610b2eea9 upstream. We execute certain NPU2 setup code (such as mapping an LPID to a device in NPU2) unconditionally if an Nvlink bridge is detected. However this cannot succeed on POWER8NVL machines and errors appear in dmesg. This is harmless as skiboot returns an error and the only place we check it is vfio-pci but that code does not get called on P8+ either. This adds a check if pnv_npu2_xxx helpers are called on a machine with NPU2 which initializes pnv_phb::npu in pnv_npu2_init(); pnv_phb::npu==NULL on POWER8/NVL (Naples). While at this, fix NULL derefencing in pnv_npu_peers_take_ownership/ pnv_npu_peers_release_ownership which occurs when GPUs on mentioned P8s cause EEH which happens if "vfio-pci" disables devices using the D3 power state; the vfio-pci's disable_idle_d3 module parameter controls this and must be set on Naples. The EEH handling clears the entire pnv_ioda_pe struct in pnv_ioda_free_pe() hence the NULL derefencing. We cannot recover from that but at least we stop crashing. Tested on - POWER9 pvr=004e1201, Ubuntu 19.04 host, Ubuntu 18.04 vm, NVIDIA GV100 10de:1db1 driver 418.39 - POWER8 pvr=004c0100, RHEL 7.6 host, Ubuntu 16.10 vm, NVIDIA P100 10de:15f9 driver 396.47 Fixes: 1b785611e119 ("powerpc/powernv/npu: Add release_ownership hook") Cc: stable@vger.kernel.org # 5.0 Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201122073828.15446-1-aik@ozlabs.ru Signed-off-by: Greg Kroah-Hartman commit c7f66ad880a953855f6cfa2c522ebc914298ceb3 Author: Christophe Leroy Date: Sat Oct 10 17:30:59 2020 +0000 powerpc/mm: Fix verification of MMU_FTR_TYPE_44x commit 17179aeb9d34cc81e1a4ae3f85e5b12b13a1f8d0 upstream. MMU_FTR_TYPE_44x cannot be checked by cpu_has_feature() Use mmu_has_feature() instead Fixes: 23eb7f560a2a ("powerpc: Convert flush_icache_range & friends to C") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/ceede82fadf37f3b8275e61fcf8cf29a3e2ec7fe.1602351011.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 32e29541b5aaf345fb8685a8d771b421251b6ff0 Author: Christophe Leroy Date: Fri Dec 4 10:11:34 2020 +0000 powerpc/8xx: Fix early debug when SMC1 is relocated commit 1e78f723d6a52966bfe3804209dbf404fdc9d3bb upstream. When SMC1 is relocated and early debug is selected, the board hangs is ppc_md.setup_arch(). This is because ones the microcode has been loaded and SMC1 relocated, early debug writes in the weed. To allow smooth continuation, the SMC1 parameter RAM set up by the bootloader have to be copied into the new location. Fixes: 43db76f41824 ("powerpc/8xx: Add microcode patch to move SMC parameter RAM.") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/b2f71f39eca543f1e4ec06596f09a8b12235c701.1607076683.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 15c9e56b41d08b7156e245b2b38b75574875c0d4 Author: Christophe Leroy Date: Fri Dec 4 10:35:38 2020 +0000 powerpc/xmon: Change printk() to pr_cont() commit 7c6c86b36a36dd4a13d30bba07718e767aa2e7a1 upstream. Since some time now, printk() adds carriage return, leading to unusable xmon output if there is no udbg backend available: [ 54.288722] sysrq: Entering xmon [ 54.292209] Vector: 0 at [cace3d2c] [ 54.292274] pc: [ 54.292331] c0023650 [ 54.292468] : xmon+0x28/0x58 [ 54.292519] [ 54.292574] lr: [ 54.292630] c0023724 [ 54.292749] : sysrq_handle_xmon+0xa4/0xfc [ 54.292801] [ 54.292867] sp: cace3de8 [ 54.292931] msr: 9032 [ 54.292999] current = 0xc28d0000 [ 54.293072] pid = 377, comm = sh [ 54.293157] Linux version 5.10.0-rc6-s3k-dev-01364-gedf13f0ccd76-dirty (root@po17688vm.idsi0.si.c-s.fr) (powerpc64-linux-gcc (GCC) 10.1.0, GNU ld (GNU Binutils) 2.34) #4211 PREEMPT Fri Dec 4 09:32:11 UTC 2020 [ 54.293287] enter ? for help [ 54.293470] [cace3de8] [ 54.293532] c0023724 [ 54.293654] sysrq_handle_xmon+0xa4/0xfc [ 54.293711] (unreliable) ... [ 54.296002] [ 54.296159] --- Exception: c01 (System Call) at [ 54.296217] 0fd4e784 [ 54.296303] [ 54.296375] SP (7fca6ff0) is in userspace [ 54.296431] mon> [ 54.296484] Use pr_cont() instead. Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines") Cc: stable@vger.kernel.org # v4.9+ Signed-off-by: Christophe Leroy [mpe: Mention that it only happens when udbg is not available] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/c8a6ec704416ecd5ff2bd26213c9bc026bdd19de.1607077340.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit c7b89d0d71863e24f593dc39fea7bd4956c16a1f Author: Christophe Leroy Date: Mon Oct 12 08:02:13 2020 +0000 powerpc/feature: Add CPU_FTR_NOEXECUTE to G2_LE commit 197493af414ee22427be3343637ac290a791925a upstream. G2_LE has a 603 core, add CPU_FTR_NOEXECUTE. Fixes: 385e89d5b20f ("powerpc/mm: add exec protection on powerpc 603") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/39a530ee41d83f49747ab3af8e39c056450b9b4d.1602489653.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 0f157acd436c3d87c1dfbc25b0aec36595036165 Author: Tyrel Datwyler Date: Tue Dec 8 13:54:34 2020 -0600 powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter commit f10881a46f8914428110d110140a455c66bdf27b upstream. Commit bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace") introduced the following error when invoking the errinjct userspace tool: [root@ltcalpine2-lp5 librtas]# errinjct open [327884.071171] sys_rtas: RTAS call blocked - exploit attempt? [327884.071186] sys_rtas: token=0x26, nargs=0 (called by errinjct) errinjct: Could not open RTAS error injection facility errinjct: librtas: open: Unexpected I/O error The entry for ibm,open-errinjct in rtas_filter array has a typo where the "j" is omitted in the rtas call name. After fixing this typo the errinjct tool functions again as expected. [root@ltcalpine2-lp5 linux]# errinjct open RTAS error injection facility open, token = 1 Fixes: bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace") Cc: stable@vger.kernel.org Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201208195434.8289-1-tyreld@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit 30a58a3f7c85a2a9d0a632190f66136ec5ee6b82 Author: Mathieu Desnoyers Date: Thu Oct 22 09:29:20 2020 +0000 powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at commit d85be8a49e733dcd23674aa6202870d54bf5600d upstream. The placeholder for instruction selection should use the second argument's operand, which is %1, not %0. This could generate incorrect assembly code if the memory addressing of operand %0 is a different form from that of operand %1. Also remove the %Un placeholder because having %Un placeholders for two operands which are based on the same local var (ptep) doesn't make much sense. By the way, it doesn't change the current behaviour because "<>" constraint is missing for the associated "=m". [chleroy: revised commit log iaw segher's comments and removed %U0] Fixes: 9bf2b5cdc5fe ("powerpc: Fixes for CONFIG_PTE_64BIT for SMP support") Cc: # v2.6.28+ Signed-off-by: Mathieu Desnoyers Signed-off-by: Christophe Leroy Acked-by: Segher Boessenkool Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/96354bd77977a6a933fe9020da57629007fdb920.1603358942.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 3ee6a2bc1428c00d461fdff18161c4fdb2b165a6 Author: Chuck Lever Date: Tue Dec 8 18:29:02 2020 -0500 xprtrdma: Fix XDRBUF_SPARSE_PAGES support commit 15261b9126cd5bb2ad8521da49d8f5c042d904c7 upstream. Olga K. observed that rpcrdma_marsh_req() allocates sparse pages only when it has determined that a Reply chunk is necessary. There are plenty of cases where no Reply chunk is needed, but the XDRBUF_SPARSE_PAGES flag is set. The result would be a crash in rpcrdma_inline_fixup() when it tries to copy parts of the received Reply into a missing page. To avoid crashing, handle sparse page allocation up front. Until XATTR support was added, this issue did not appear often because the only SPARSE_PAGES consumer always expected a reply large enough to always require a Reply chunk. Reported-by: Olga Kornievskaia Signed-off-by: Chuck Lever Cc: Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 2504e407a39f09e0f3c19700c46677a9658c6427 Author: Nicolas Ferre Date: Thu Dec 3 10:19:49 2020 +0100 ARM: dts: at91: sama5d2: fix CAN message ram offset and size commit 85b8350ae99d1300eb6dc072459246c2649a8e50 upstream. CAN0 and CAN1 instances share the same message ram configured at 0x210000 on sama5d2 Linux systems. According to current configuration of CAN0, we need 0x1c00 bytes so that the CAN1 don't overlap its message ram: 64 x RX FIFO0 elements => 64 x 72 bytes 32 x TXE (TX Event FIFO) elements => 32 x 8 bytes 32 x TXB (TX Buffer) elements => 32 x 72 bytes So a total of 7168 bytes (0x1C00). Fix offset to match this needed size. Make the CAN0 message ram ioremap match exactly this size so that is easily understandable. Adapt CAN1 size accordingly. Fixes: bc6d5d7666b7 ("ARM: dts: at91: sama5d2: add m_can nodes") Reported-by: Dan Sneddon Signed-off-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Tested-by: Cristian Birsan Cc: stable@vger.kernel.org # v4.13+ Link: https://lore.kernel.org/r/20201203091949.9015-1-nicolas.ferre@microchip.com Signed-off-by: Greg Kroah-Hartman commit 789246b9afe8d74961ed4fdf2748c394a6be10c9 Author: H. Nikolaus Schaller Date: Sat Oct 3 16:10:00 2020 +0200 ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard ES commit df9dbaf2c415cd94ad520067a1eccfee62f00a33 upstream. The pinmux control register offset passed to OMAP4_IOPAD is odd. Fixes: ab9a13665e7c ("ARM: dts: pandaboard: add gpio user button") Cc: stable@vger.kernel.org Signed-off-by: H. Nikolaus Schaller Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 6ee6e4e5a4cfc71580c2ff2f276ec2147634cec5 Author: Marc Zyngier Date: Tue Nov 10 11:10:15 2020 +0000 KVM: arm64: Introduce handling of AArch32 TTBCR2 traps commit ca4e514774930f30b66375a974b5edcbebaf0e7e upstream. ARMv8.2 introduced TTBCR2, which shares TCR_EL1 with TTBCR. Gracefully handle traps to this register when HCR_EL2.TVM is set. Cc: stable@vger.kernel.org Reported-by: James Morse Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 8635f0fe06c5ca76ab3fb69c4a89ae8e967abd80 Author: Jan Kara Date: Fri Nov 27 12:06:49 2020 +0100 ext4: fix deadlock with fs freezing and EA inodes commit 46e294efc355c48d1dd4d58501aa56dac461792a upstream. Xattr code using inodes with large xattr data can end up dropping last inode reference (and thus deleting the inode) from places like ext4_xattr_set_entry(). That function is called with transaction started and so ext4_evict_inode() can deadlock against fs freezing like: CPU1 CPU2 removexattr() freeze_super() vfs_removexattr() ext4_xattr_set() handle = ext4_journal_start() ... ext4_xattr_set_entry() iput(old_ea_inode) ext4_evict_inode(old_ea_inode) sb->s_writers.frozen = SB_FREEZE_FS; sb_wait_write(sb, SB_FREEZE_FS); ext4_freeze() jbd2_journal_lock_updates() -> blocks waiting for all handles to stop sb_start_intwrite() -> blocks as sb is already in SB_FREEZE_FS state Generally it is advisable to delete inodes from a separate transaction as it can consume quite some credits however in this case it would be quite clumsy and furthermore the credits for inode deletion are quite limited and already accounted for. So just tweak ext4_evict_inode() to avoid freeze protection if we have transaction already started and thus it is not really needed anyway. Cc: stable@vger.kernel.org Fixes: dec214d00e0d ("ext4: xattr inode deduplication") Signed-off-by: Jan Kara Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20201127110649.24730-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit c90a5f4851a81194b2906b5451456a4cc0faf7b7 Author: Chunguang Xu Date: Sat Nov 7 23:58:18 2020 +0800 ext4: fix a memory leak of ext4_free_data commit cca415537244f6102cbb09b5b90db6ae2c953bdd upstream. When freeing metadata, we will create an ext4_free_data and insert it into the pending free list. After the current transaction is committed, the object will be freed. ext4_mb_free_metadata() will check whether the area to be freed overlaps with the pending free list. If true, return directly. At this time, ext4_free_data is leaked. Fortunately, the probability of this problem is small, since it only occurs if the file system is corrupted such that a block is claimed by more one inode and those inodes are deleted within a single jbd2 transaction. Signed-off-by: Chunguang Xu Link: https://lore.kernel.org/r/1604764698-4269-8-git-send-email-brookxu@tencent.com Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit e21d630a2c0d36e2c9308a2e1fdf598ffeb0c4e7 Author: Qu Wenruo Date: Fri Jul 31 19:29:11 2020 +0800 btrfs: trim: fix underflow in trim length to prevent access beyond device boundary commit c57dd1f2f6a7cd1bb61802344f59ccdc5278c983 upstream [BUG] The following script can lead to tons of beyond device boundary access: mkfs.btrfs -f $dev -b 10G mount $dev $mnt trimfs $mnt btrfs filesystem resize 1:-1G $mnt trimfs $mnt [CAUSE] Since commit 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to find_first_clear_extent_bit"), we try to avoid trimming ranges that's already trimmed. So we check device->alloc_state by finding the first range which doesn't have CHUNK_TRIMMED and CHUNK_ALLOCATED not set. But if we shrunk the device, that bits are not cleared, thus we could easily got a range starts beyond the shrunk device size. This results the returned @start and @end are all beyond device size, then we call "end = min(end, device->total_bytes -1);" making @end smaller than device size. Then finally we goes "len = end - start + 1", totally underflow the result, and lead to the beyond-device-boundary access. [FIX] This patch will fix the problem in two ways: - Clear CHUNK_TRIMMED | CHUNK_ALLOCATED bits when shrinking device This is the root fix - Add extra safety check when trimming free device extents We check and warn if the returned range is already beyond current device. Link: https://github.com/kdave/btrfs-progs/issues/282 Fixes: 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to find_first_clear_extent_bit") CC: stable@vger.kernel.org # 5.4+ Signed-off-by: Qu Wenruo Reviewed-by: Filipe Manana Signed-off-by: David Sterba [sudip: adjust context and use extent_io.h] Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 1d11ed122f6f003929f3afea3efbc91253249c4c Author: Josef Bacik Date: Fri Oct 23 09:58:04 2020 -0400 btrfs: do not shorten unpin len for caching block groups commit 9076dbd5ee837c3882fc42891c14cecd0354a849 upstream. While fixing up our ->last_byte_to_unpin locking I noticed that we will shorten len based on ->last_byte_to_unpin if we're caching when we're adding back the free space. This is correct for the free space, as we cannot unpin more than ->last_byte_to_unpin, however we use len to adjust the ->bytes_pinned counters and such, which need to track the actual pinned usage. This could result in WARN_ON(space_info->bytes_pinned) triggering at unmount time. Fix this by using a local variable for the amount to add to free space cache, and leave len untouched in this case. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit af7414836d888c321bfdca6d29b34841a04156f1 Author: Johan Hovold Date: Sun Oct 25 18:45:52 2020 +0100 USB: serial: keyspan_pda: fix write unthrottling commit 320f9028c7873c3c7710e8e93e5c979f4c857490 upstream. The driver did not update its view of the available device buffer space until write() was called in task context. This meant that write_room() would return 0 even after the device had sent a write-unthrottle notification, something which could lead to blocked writers not being woken up (e.g. when using OPOST). Note that we must also request an unthrottle notification is case a write() request fills the device buffer exactly. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7dae22ba62b277274585c08f50d7f6760bcc77ae Author: Johan Hovold Date: Sun Oct 25 18:45:51 2020 +0100 USB: serial: keyspan_pda: fix tx-unthrottle use-after-free commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream. The driver's transmit-unthrottle work was never flushed on disconnect, something which could lead to the driver port data being freed while the unthrottle work is still scheduled. Fix this by cancelling the unthrottle work when shutting down the port. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f99817ab5821ecce05ea7b3ebafe71824387e3a7 Author: Johan Hovold Date: Sun Oct 25 18:45:50 2020 +0100 USB: serial: keyspan_pda: fix write-wakeup use-after-free commit 37faf50615412947868c49aee62f68233307f4e4 upstream. The driver's deferred write wakeup was never flushed on disconnect, something which could lead to the driver port data being freed while the wakeup work is still scheduled. Fix this by using the usb-serial write wakeup which gets cancelled properly on disconnect. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit a07b690e1976b3919bdbccceb2f1d4669f8e4736 Author: Johan Hovold Date: Sun Oct 25 18:45:49 2020 +0100 USB: serial: keyspan_pda: fix stalled writes commit c01d2c58698f710c9e13ba3e2d296328606f74fd upstream. Make sure to clear the write-busy flag also in case no new data was submitted due to lack of device buffer space so that writing is resumed once space again becomes available. Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") Cc: stable # 2.6.13 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 0f13247fabafb1bd79c54e010032b394276471fa Author: Johan Hovold Date: Sun Oct 25 18:45:48 2020 +0100 USB: serial: keyspan_pda: fix write deadlock commit 7353cad7ee4deaefc16e94727e69285563e219f6 upstream. The write() callback can be called in interrupt context (e.g. when used as a console) so interrupts must be disabled while holding the port lock to prevent a possible deadlock. Fixes: e81ee637e4ae ("usb-serial: possible irq lock inversion (PPP vs. usb/serial)") Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.") Cc: stable # 2.6.19 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ebd9857a5bd40fe80c6d80c0c3618a2f43acbb01 Author: Johan Hovold Date: Sun Oct 25 18:45:47 2020 +0100 USB: serial: keyspan_pda: fix dropped unthrottle interrupts commit 696c541c8c6cfa05d65aa24ae2b9e720fc01766e upstream. Commit c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") broke write-unthrottle handling by dropping well-formed unthrottle-interrupt packets which are precisely two bytes long. This could lead to blocked writers not being woken up when buffer space again becomes available. Instead, stop unconditionally printing the third byte which is (presumably) only valid on modem-line changes. Fixes: c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks") Cc: stable # 4.11 Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 89fb2b91a9da4c382409dc57900e257e38533535 Author: Johan Hovold Date: Mon Oct 26 11:43:06 2020 +0100 USB: serial: digi_acceleport: fix write-wakeup deadlocks commit 5098e77962e7c8947f87bd8c5869c83e000a522a upstream. The driver must not call tty_wakeup() while holding its private lock as line disciplines are allowed to call back into write() from write_wakeup(), leading to a deadlock. Also remove the unneeded work struct that was used to defer wakeup in order to work around a possible race in ancient times (see comment about n_tty write_chan() in commit 14b54e39b412 ("USB: serial: remove changelogs and old todo entries")). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 08c24438fb10cf125ec7813d91ca91685524a162 Author: Johan Hovold Date: Wed Nov 4 17:47:27 2020 +0100 USB: serial: mos7720: fix parallel-port state restore commit 975323ab8f116667676c30ca3502a6757bd89e8d upstream. The parallel-port restore operations is called when a driver claims the port and is supposed to restore the provided state (e.g. saved when releasing the port). Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable # 2.6.35 Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6eab3f646b1aa32482746d2959f8a18e73fe1a34 Author: Daniel Jordan Date: Thu Nov 12 12:17:11 2020 -0500 cpuset: fix race between hotplug work and later CPU offline commit 406100f3da08066c00105165db8520bbc7694a36 upstream. One of our machines keeled over trying to rebuild the scheduler domains. Mainline produces the same splat: BUG: unable to handle page fault for address: 0000607f820054db CPU: 2 PID: 149 Comm: kworker/1:1 Not tainted 5.10.0-rc1-master+ #6 Workqueue: events cpuset_hotplug_workfn RIP: build_sched_domains Call Trace: partition_sched_domains_locked rebuild_sched_domains_locked cpuset_hotplug_workfn It happens with cgroup2 and exclusive cpusets only. This reproducer triggers it on an 8-cpu vm and works most effectively with no preexisting child cgroups: cd $UNIFIED_ROOT mkdir cg1 echo 4-7 > cg1/cpuset.cpus echo root > cg1/cpuset.cpus.partition # with smt/control reading 'on', echo off > /sys/devices/system/cpu/smt/control RIP maps to sd->shared = *per_cpu_ptr(sdd->sds, sd_id); from sd_init(). sd_id is calculated earlier in the same function: cpumask_and(sched_domain_span(sd), cpu_map, tl->mask(cpu)); sd_id = cpumask_first(sched_domain_span(sd)); tl->mask(cpu), which reads cpu_sibling_map on x86, returns an empty mask and so cpumask_first() returns >= nr_cpu_ids, which leads to the bogus value from per_cpu_ptr() above. The problem is a race between cpuset_hotplug_workfn() and a later offline of CPU N. cpuset_hotplug_workfn() updates the effective masks when N is still online, the offline clears N from cpu_sibling_map, and then the worker uses the stale effective masks that still have N to generate the scheduling domains, leading the worker to read N's empty cpu_sibling_map in sd_init(). rebuild_sched_domains_locked() prevented the race during the cgroup2 cpuset series up until the Fixes commit changed its check. Make the check more robust so that it can detect an offline CPU in any exclusive cpuset's effective mask, not just the top one. Fixes: 0ccea8feb980 ("cpuset: Make generate_sched_domains() work with partition") Signed-off-by: Daniel Jordan Signed-off-by: Peter Zijlstra (Intel) Acked-by: Tejun Heo Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20201112171711.639541-1-daniel.m.jordan@oracle.com Signed-off-by: Greg Kroah-Hartman commit 066d115fdd29ef4eda11758c2387fd5aa273f6cf Author: Borislav Petkov Date: Sun Nov 22 15:57:21 2020 +0100 EDAC/amd64: Fix PCI component registration commit 706657b1febf446a9ba37dc51b89f46604f57ee9 upstream. In order to setup its PCI component, the driver needs any node private instance in order to get a reference to the PCI device and hand that into edac_pci_create_generic_ctl(). For convenience, it uses the 0th memory controller descriptor under the assumption that if any, the 0th will be always present. However, this assumption goes wrong when the 0th node doesn't have memory and the driver doesn't initialize an instance for it: EDAC amd64: F17h detected (node 0). ... EDAC amd64: Node 0: No DIMMs detected. But looking up node instances is not really needed - all one needs is the pointer to the proper device which gets discovered during instance init. So stash that pointer into a variable and use it when setting up the EDAC PCI component. Clear that variable when the driver needs to unwind due to some instances failing init to avoid any registration imbalance. Cc: Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20201122150815.13808-1-bp@alien8.de Signed-off-by: Greg Kroah-Hartman commit f4ce4a53c4e4f110b1c0a21b0cd9c003274132e8 Author: Qiuxu Zhuo Date: Tue Nov 17 20:49:51 2020 +0800 EDAC/i10nm: Use readl() to access MMIO registers commit 83ff51c4e3fecf6b8587ce4d46f6eac59f5d7c5a upstream. Instead of raw access, use readl() to access MMIO registers of memory controller to avoid possible compiler re-ordering. Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors") Cc: Signed-off-by: Qiuxu Zhuo Signed-off-by: Tony Luck Signed-off-by: Greg Kroah-Hartman commit f9189a3bb5f93558d17bffb972c8ab06ef292ae4 Author: Ard Biesheuvel Date: Thu Nov 26 08:49:07 2020 +0100 crypto: arm/aes-ce - work around Cortex-A57/A72 silion errata commit f3456b9fd269c6d0c973b136c5449d46b2510f4b upstream. ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected by silicon errata #1742098 and #1655431, respectively, where the second instruction of a AES instruction pair may execute twice if an interrupt is taken right after the first instruction consumes an input register of which a single 32-bit lane has been updated the last time it was modified. This is not such a rare occurrence as it may seem: in counter mode, only the least significant 32-bit word is incremented in the absence of a carry, which makes our counter mode implementation susceptible to these errata. So let's shuffle the counter assignments around a bit so that the most recent updates when the AES instruction pair executes are 128-bit wide. [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice Cc: # v5.4+ Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 36a58bda87cd2aec692721a6e1398cf34680de48 Author: Ard Biesheuvel Date: Tue Nov 24 11:47:19 2020 +0100 crypto: ecdh - avoid unaligned accesses in ecdh_set_secret() commit 17858b140bf49961b71d4e73f1c3ea9bc8e7dda0 upstream. ecdh_set_secret() casts a void* pointer to a const u64* in order to feed it into ecc_is_key_valid(). This is not generally permitted by the C standard, and leads to actual misalignment faults on ARMv6 cores. In some cases, these are fixed up in software, but this still leads to performance hits that are entirely avoidable. So let's copy the key into the ctx buffer first, which we will do anyway in the common case, and which guarantees correct alignment. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit f26f0e7770a15f80f10e0e35486e1cc038e0d88b Author: Athira Rajeev Date: Wed Nov 25 02:26:55 2020 -0500 powerpc/perf: Exclude kernel samples while counting events in user space. commit aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 upstream. Perf event attritube supports exclude_kernel flag to avoid sampling/profiling in supervisor state (kernel). Based on this event attr flag, Monitor Mode Control Register bit is set to freeze on supervisor state. But sometimes (due to hardware limitation), Sampled Instruction Address Register (SIAR) locks on to kernel address even when freeze on supervisor is set. Patch here adds a check to drop those samples. Cc: stable@vger.kernel.org Signed-off-by: Athira Rajeev Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1606289215-1433-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit 8096a2c6b9f627b5640d5cd04572801c1cccac24 Author: Kan Liang Date: Wed Nov 25 13:37:19 2020 -0800 perf/x86/intel: Fix rtm_abort_event encoding on Ice Lake commit 46b72e1bf4fc571da0c29c6fb3e5b2a2107a4c26 upstream. According to the event list from icelake_core_v1.09.json, the encoding of the RTM_RETIRED.ABORTED event on Ice Lake should be, "EventCode": "0xc9", "UMask": "0x04", "EventName": "RTM_RETIRED.ABORTED", Correct the wrong encoding. Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support") Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20201125213720.15692-1-kan.liang@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit aa3cce9ceff066beeab8c39afde6f39528cab886 Author: Kan Liang Date: Mon Oct 19 09:45:29 2020 -0700 perf/x86/intel: Add event constraint for CYCLE_ACTIVITY.STALLS_MEM_ANY commit 306e3e91edf1c6739a55312edd110d298ff498dd upstream. The event CYCLE_ACTIVITY.STALLS_MEM_ANY (0x14a3) should be available on all 8 GP counters on ICL, but it's only scheduled on the first four counters due to the current ICL constraint table. Add a line for the CYCLE_ACTIVITY.STALLS_MEM_ANY event in the ICL constraint table. Correct the comments for the CYCLE_ACTIVITY.CYCLES_MEM_ANY event. Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support") Reported-by: Andi Kleen Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20201019164529.32154-1-kan.liang@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1e3de428d1553e767f4b807df9cf18f1defc8932 Author: Ian Abbott Date: Mon Dec 7 14:58:06 2020 +0000 staging: comedi: mf6x4: Fix AI end-of-conversion detection commit 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 upstream. I have had reports from two different people that attempts to read the analog input channels of the MF624 board fail with an `ETIMEDOUT` error. After triggering the conversion, the code calls `comedi_timeout()` with `mf6x4_ai_eoc()` as the callback function to check if the conversion is complete. The callback returns 0 if complete or `-EBUSY` if not yet complete. `comedi_timeout()` returns `-ETIMEDOUT` if it has not completed within a timeout period which is propagated as an error to the user application. The existing code considers the conversion to be complete when the EOLC bit is high. However, according to the user manuals for the MF624 and MF634 boards, this test is incorrect because EOLC is an active low signal that goes high when the conversion is triggered, and goes low when the conversion is complete. Fix the problem by inverting the test of the EOLC bit state. Fixes: 04b565021a83 ("comedi: Humusoft MF634 and MF624 DAQ cards driver") Cc: # v4.4+ Cc: Rostislav Lisovy Signed-off-by: Ian Abbott Link: https://lore.kernel.org/r/20201207145806.4046-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman commit ee0bcb1721a5c1397948b4f7990ee7b6c8f1c00c Author: Takashi Iwai Date: Tue Dec 8 14:51:54 2020 +0100 ASoC: cx2072x: Fix doubly definitions of Playback and Capture streams commit 0d024a8bec084205fdd9fa17479ba91f45f85db3 upstream. The cx2072x codec driver defines multiple DAIs with the same stream name "Playback" and "Capture". Although the current code works more or less as is as the secondary streams are never used, it still leads the error message like: debugfs: File 'Playback' in directory 'dapm' already present! debugfs: File 'Capture' in directory 'dapm' already present! Fix it by renaming the secondary streams to unique names. Fixes: a497a4363706 ("ASoC: Add support for Conexant CX2072X CODEC") Cc: Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20201208135154.9188-1-tiwai@suse.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5fbf84689f11dd68566f3bd155111f2b72a6d193 Author: Todd Kjos Date: Fri Nov 20 15:37:43 2020 -0800 binder: add flag to clear buffer on txn complete commit 0f966cba95c78029f491b433ea95ff38f414a761 upstream. Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos Link: https://lore.kernel.org/r/20201120233743.3617529-1-tkjos@google.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit a7c256a9fd1885026a0b92cd40d294aae8334211 Author: Stefan Haberland Date: Thu Dec 17 16:59:07 2020 +0100 s390/dasd: fix list corruption of lcu list commit 53a7f655834c7c335bf683f248208d4fbe4b47bc upstream. In dasd_alias_disconnect_device_from_lcu the device is removed from any list on the LCU. Afterwards the LCU is removed from the lcu list if it does not contain devices any longer. The lcu->lock protects the lcu from parallel updates. But to cancel all workers and wait for completion the lcu->lock has to be unlocked. If two devices are removed in parallel and both are removed from the LCU the first device that takes the lcu->lock again will delete the LCU because it is already empty but the second device also tries to free the LCU which leads to a list corruption of the lcu list. Fix by removing the device right before the lcu is checked without unlocking the lcu->lock in between. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 9c40d69a3be2f115805918f7dba7277df6a532a3 Author: Stefan Haberland Date: Thu Dec 17 16:59:06 2020 +0100 s390/dasd: fix list corruption of pavgroup group list commit 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 upstream. dasd_alias_add_device() moves devices to the active_devices list in case of a scheduled LCU update regardless if they have previously been in a pavgroup or not. Example: device A and B are in the same pavgroup. Device A has already been in a pavgroup and the private->pavgroup pointer is set and points to a valid pavgroup. While going through dasd_add_device it is moved from the pavgroup to the active_devices list. In parallel device B might be removed from the same pavgroup in remove_device_from_lcu() which in turn checks if the group is empty and deletes it accordingly because device A has already been removed from there. When now device A enters remove_device_from_lcu() it is tried to remove it from the pavgroup again because the pavgroup pointer is still set and again the empty group will be cleaned up which leads to a list corruption. Fix by setting private->pavgroup to NULL in dasd_add_device. If the device has been the last device on the pavgroup an empty pavgroup remains but this will be cleaned up by the scheduled lcu_update which iterates over all existing pavgroups. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 042683917f4b4da436eab2471d1e2d903da23ee9 Author: Stefan Haberland Date: Thu Dec 17 16:59:05 2020 +0100 s390/dasd: prevent inconsistent LCU device data commit a29ea01653493b94ea12bb2b89d1564a265081b6 upstream. Prevent _lcu_update from adding a device to a pavgroup if the LCU still requires an update. The data is not reliable any longer and in parallel devices might have been moved on the lists already. This might lead to list corruptions or invalid PAV grouping. Only add devices to a pavgroup if the LCU is up to date. Additional steps are taken by the scheduled lcu update. Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1") Cc: stable@vger.kernel.org Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c8acd8d55bb91c5383da51cae0c05666977b665f Author: Stefan Haberland Date: Thu Dec 17 16:59:04 2020 +0100 s390/dasd: fix hanging device offline processing commit 658a337a606f48b7ebe451591f7681d383fa115e upstream. For an LCU update a read unit address configuration IO is required. This is started using sleep_on(), which has early exit paths in case the device is not usable for IO. For example when it is in offline processing. In those cases the LCU update should fail and not be retried. Therefore lcu_update_work checks if EOPNOTSUPP is returned or not. Commit 41995342b40c ("s390/dasd: fix endless loop after read unit address configuration") accidentally removed the EOPNOTSUPP return code from read_unit_address_configuration(), which in turn might lead to an endless loop of the LCU update in offline processing. Fix by returning EOPNOTSUPP again if the device is not able to perform the request. Fixes: 41995342b40c ("s390/dasd: fix endless loop after read unit address configuration") Cc: stable@vger.kernel.org #5.3 Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3038bbd1bb33a8cbb1e9f21d6bb7aa82bf1a2111 Author: Philipp Rudo Date: Thu Nov 26 18:31:08 2020 +0100 s390/kexec_file: fix diag308 subcode when loading crash kernel commit 613775d62ec60202f98d2c5f520e6e9ba6dd4ac4 upstream. diag308 subcode 0 performes a clear reset which inlcudes the reset of all registers in the system. While this is the preferred behavior when loading a normal kernel via kexec it prevents the crash kernel to store the register values in the dump. To prevent this use subcode 1 when loading a crash kernel instead. Fixes: ee337f5469fd ("s390/kexec_file: Add crash support to image loader") Cc: # 4.17 Signed-off-by: Philipp Rudo Reported-by: Xiaoying Yan Tested-by: Lianbo Jiang Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit c185f13918b4a133ccdd80cb56c4c510dae4d247 Author: Sven Schnelle Date: Tue Dec 8 07:35:21 2020 +0100 s390/smp: perform initial CPU reset also for SMT siblings commit b5e438ebd7e808d1d2435159ac4742e01a94b8da upstream. Not resetting the SMT siblings might leave them in unpredictable state. One of the observed problems was that the CPU timer wasn't reset and therefore large system time values where accounted during CPU bringup. Cc: # 4.0 Fixes: 10ad34bc76dfb ("s390: add SMT support") Reviewed-by: Heiko Carstens Signed-off-by: Sven Schnelle Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 48d3f12869ef1b2ee349ffc44d56ab71354cf93d Author: Robin Gong Date: Fri Dec 18 00:15:47 2020 +0800 ALSA: core: memalloc: add page alignment for iram commit 74c64efa1557fef731b59eb813f115436d18078e upstream. Since mmap for userspace is based on page alignment, add page alignment for iram alloc from pool, otherwise, some good data located in the same page of dmab->area maybe touched wrongly by userspace like pulseaudio. Signed-off-by: Robin Gong Cc: Link: https://lore.kernel.org/r/1608221747-3474-1-git-send-email-yibin.gong@nxp.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cd3ff2a46d9cffb782aaa97902f7ccaa04195105 Author: Takashi Iwai Date: Fri Dec 18 15:58:58 2020 +0100 ALSA: usb-audio: Disable sample read check if firmware doesn't give back commit 9df28edce7c6ab38050235f6f8b43dd7ccd01b6d upstream. Some buggy firmware don't give the current sample rate but leaves zero. Handle this case more gracefully without warning but just skip the current rate verification from the next time. Cc: Link: https://lore.kernel.org/r/20201218145858.2357-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b1e3c2fb0fbe16888bd9bb9e49a1d248c27d3753 Author: Amadej Kastelic Date: Tue Dec 15 19:09:05 2020 +0100 ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO devices commit 725124d10d00b2f56bb5bd08b431cc74ab3b3ace upstream. Add VID to support native DSD reproduction on FiiO devices. Tested-by: Amadej Kastelic Signed-off-by: Emilio Moretti Signed-off-by: Amadej Kastelic Cc: Link: https://lore.kernel.org/r/X9j7wdXSr4XyK7Bd@ryzen.localdomain Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 58cb166b1f8afe2ea1f9b9a09e074a1904eb9139 Author: Chris Chiu Date: Tue Dec 22 23:04:58 2020 +0800 ALSA: hda/realtek: Apply jack fixup for Quanta NL3 commit 6ca653e3f73a1af0f30dbf9c2c79d2897074989f upstream. The Quanta NL3 laptop has both a headphone output jack and a headset jack, on the right edge of the chassis. The pin information suggests that both of these are at the Front. The PulseAudio is confused to differentiate them so one of the jack can neither get the jack sense working nor the audio output. The ALC269_FIXUP_LIFEBOOK chained with ALC269_FIXUP_QUANTA_MUTE can help to differentiate 2 jacks and get the 'Auto-Mute Mode' working correctly. Signed-off-by: Chris Chiu Cc: Link: https://lore.kernel.org/r/20201222150459.9545-1-chiu@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b61b2aa91f2bb58a0f920d9f4592cc85a4dacc0e Author: Takashi Iwai Date: Sun Dec 20 09:09:43 2020 +0100 ALSA: hda/realtek: Add quirk for MSI-GP73 commit 09926202e939fd699650ac0fc0baa5757e069390 upstream. MSI-GP73 (with SSID 1462:1229) requires yet again ALC1220_FIXUP_CLEVO_P950 quirk like other MSI models. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=210793 Cc: Link: https://lore.kernel.org/r/20201220080943.24839-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 89d429ed2cdf8f8584e52eb161f5e1d762e5a9af Author: Chris Chiu Date: Tue Dec 22 23:04:59 2020 +0800 ALSA/hda: apply jack fixup for the Acer Veriton N4640G/N6640G/N2510G commit 13be30f156fda725b168ac89fc91f78651575307 upstream. This Acer Veriton N4640G/N6640G/N2510G desktops have 2 headphone jacks(front and rear), and a separate Mic In jack. The rear headphone jack is actually a line out jack but always silent while playing audio. The front 'Mic In' also fails the jack sensing. Apply the ALC269_FIXUP_LIFEBOOK to have all audio jacks to work as expected. Signed-off-by: Chris Chiu Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20201222150459.9545-2-chiu@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0bf907442c5fb40f1074775351c44cb057789e1f Author: Takashi Iwai Date: Fri Dec 18 17:17:30 2020 +0100 ALSA: pcm: oss: Fix a few more UBSAN fixes commit 11cb881bf075cea41092a20236ba708b18e1dbb2 upstream. There are a few places that call round{up|down}_pow_of_two() with the value zero, and this causes undefined behavior warnings. Avoid calling those macros if such a nonsense value is passed; it's a minor optimization as well, as we handle it as either an error or a value to be skipped, instead. Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20201218161730.26596-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 11cd11af40582a02887f625d7dff3a074daaf469 Author: Kailang Yang Date: Fri Dec 11 14:17:09 2020 +0800 ALSA: hda/realtek - Add supported for more Lenovo ALC285 Headset Button commit 607184cb1635eaee239fe3fb9648a8b82a5232d7 upstream. Add supported for more Lenovo ALC285 Headset Button. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/bb1f1da1526d460885aa4257be81eb94@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit da723248c5f8dfe7971d73b5fa8471619a71c41f Author: Chris Chiu Date: Wed Dec 9 12:57:30 2020 +0800 ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 commit 7e413528474d5895e3e315c019fb0c43522eb6d9 upstream. The ASUS laptop Q524UQK with ALC255 codec can't detect the headset microphone until ALC255_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. Signed-off-by: Chris Chiu Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20201209045730.9972-1-chiu@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 010a784a1a27d9367bc63047cd9a76e17b6d808c Author: Chris Chiu Date: Mon Dec 7 15:27:55 2020 +0800 ALSA: hda/realtek - Enable headset mic of ASUS X430UN with ALC256 commit 5cfca59604e423f720297e30a9dc493eea623493 upstream. The ASUS laptop X430UN with ALC256 can't detect the headset microphone until ALC256_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. Signed-off-by: Chris Chiu Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20201207072755.16210-1-chiu@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0fc8e6b8568053f0ef4ea402a9369252699c5282 Author: Hui Wang Date: Sat Dec 5 13:11:30 2020 +0800 ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop commit c72b9bfe0f914639cc475585f45722a3eb57a56d upstream. This change could fix 2 issues on this machine: - the bass speaker's output volume can't be adjusted, that is because the bass speaker is routed to the DAC (Nid 0x6) which has no volume control. - after plugging a headset with vol+, vol- and pause buttons on it, press those buttons, nothing happens, this means those buttons don't work at all. This machine has alc287 codec, need to add the codec id to the disable/enable_headset_jack_key(), then the headset button could work. The quirk of ALC285_FIXUP_THINKPAD_HEADSET_JACK could fix both of these 2 issues. Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20201205051130.8122-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 52d09e0cdb789100f7081fab390a188fa51366e4 Author: Connor McAdams Date: Thu Dec 10 12:35:48 2020 -0500 ALSA: hda/ca0132 - Fix AE-5 rear headphone pincfg. commit c697ba85a94b8f65bf90dec5ef9af5c39c3e73b2 upstream. The Windows driver sets the pincfg for the AE-5's rear-headphone to report as a microphone. This causes issues with Pulseaudio mistakenly believing there is no headphone plugged in. In Linux, we should instead set it to be a headphone. Fixes: a6b0961b39896 ("ALSA: hda/ca0132 - fix AE-5 pincfg") Cc: Signed-off-by: Connor McAdams Link: https://lore.kernel.org/r/20201208195223.424753-1-conmanx360@gmail.com Link: https://lore.kernel.org/r/20201210173550.2968-1-conmanx360@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1ca2437530e5e68f1a11d1a120d80b807c58f5a9 Author: Takashi Iwai Date: Wed Dec 9 16:01:19 2020 +0100 ALSA: hda: Fix regressions on clear and reconfig sysfs commit 2506318e382c4c7daa77bdc48f80a0ee82804588 upstream. It seems that the HD-audio clear and reconfig sysfs don't work any longer after the recent driver core change. There are multiple issues around that: the linked list corruption and the dead device handling. The former issue is fixed by another patch for the driver core itself, while the latter patch needs to be addressed in HD-audio side. This patch corresponds to the latter, it recovers those broken functions by replacing the device detach and attach actions with the standard core API functions, which are almost equivalent with unbind and bind actions. Fixes: 654888327e9f ("driver core: Avoid binding drivers to dead devices") Cc: BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209207 Link: https://lore.kernel.org/r/20201209150119.7705-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2c6c6001d07758cf79fc57c705b763d955e1922c Author: Hui Wang Date: Fri Dec 11 10:18:14 2020 +0800 ACPI: PNP: compare the string length in the matching_id() commit b08221c40febcbda9309dd70c61cf1b0ebb0e351 upstream. Recently we met a touchscreen problem on some Thinkpad machines, the touchscreen driver (i2c-hid) is not loaded and the touchscreen can't work. An i2c ACPI device with the name WACF2200 is defined in the BIOS, with the current rule in matching_id(), this device will be regarded as a PNP device since there is WACFXXX in the acpi_pnp_device_ids[] and this PNP device is attached to the acpi device as the 1st physical_node, this will make the i2c bus match fail when i2c bus calls acpi_companion_match() to match the acpi_id_table in the i2c-hid driver. WACF2200 is an i2c device instead of a PNP device, after adding the string length comparing, the matching_id() will return false when matching WACF2200 and WACFXXX, and it is reasonable to compare the string length when matching two IDs. Suggested-by: Rafael J. Wysocki Signed-off-by: Hui Wang Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 772dd826a44bd6f44b2c517a6b0c690f7ae9e4cd Author: Daniel Scally Date: Sat Dec 5 17:04:03 2020 +0000 Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks" commit 12fc4dad94dfac25599f31257aac181c691ca96f upstream. This reverts commit 8a66790b7850a6669129af078768a1d42076a0ef. Switching this function to AE_CTRL_TERMINATE broke the documented behaviour of acpi_dev_get_resources() - AE_CTRL_TERMINATE does not, in fact, terminate the resource walk because acpi_walk_resource_buffer() ignores it (specifically converting it to AE_OK), referring to that value as "an OK termination by the user function". This means that acpi_dev_get_resources() does not abort processing when the preproc function returns a negative value. Signed-off-by: Daniel Scally Cc: 3.10+ # 3.10+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit b9d93a6666560abfa919577b9651132d0cc127ad Author: Rafael J. Wysocki Date: Tue Nov 24 20:44:00 2020 +0100 PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup() commit 7482c5cb90e5a7f9e9e12dd154d405e0219656e3 upstream. The idea behind acpi_pm_set_bridge_wakeup() was to allow bridges to be reference counted for wakeup enabling, because they may be enabled to signal wakeup on behalf of their subordinate devices and that may happen for multiple times in a row, whereas for the other devices it only makes sense to enable wakeup signaling once. However, this becomes problematic if the bridge itself is suspended, because it is treated as a "regular" device in that case and the reference counting doesn't work. For instance, suppose that there are two devices below a bridge and they both can signal wakeup. Every time one of them is suspended, wakeup signaling is enabled for the bridge, so when they both have been suspended, the bridge's wakeup reference counter value is 2. Say that the bridge is suspended subsequently and acpi_pci_wakeup() is called for it. Because the bridge can signal wakeup, that function will invoke acpi_pm_set_device_wakeup() to configure it and __acpi_pm_set_device_wakeup() will be called with the last argument equal to 1. This causes __acpi_device_wakeup_enable() invoked by it to omit the reference counting, because the reference counter of the target device (the bridge) is 2 at that time. Now say that the bridge resumes and one of the device below it resumes too, so the bridge's reference counter becomes 0 and wakeup signaling is disabled for it, but there is still the other suspended device which may need the bridge to signal wakeup on its behalf and that is not going to work. To address this scenario, use wakeup enable reference counting for all devices, not just for bridges, so drop the last argument from __acpi_device_wakeup_enable() and __acpi_pm_set_device_wakeup(), which causes acpi_pm_set_device_wakeup() and acpi_pm_set_bridge_wakeup() to become identical, so drop the latter and use the former instead of it everywhere. Fixes: 1ba51a7c1496 ("ACPI / PCI / PM: Rework acpi_pci_propagate_wakeup()") Signed-off-by: Rafael J. Wysocki Reviewed-by: Mika Westerberg Acked-by: Bjorn Helgaas Cc: 4.14+ # 4.14+ Signed-off-by: Greg Kroah-Hartman commit 670b1b7e0d53f39a30bfaad5a7ebae2bd0c67aba Author: Connor McAdams Date: Thu Dec 10 12:35:49 2020 -0500 ALSA: hda/ca0132 - Change Input Source enum strings. commit 7079f785b50055a32b72eddcb7d9ba5688db24d0 upstream. Change the Input Source enumerated control's strings to make it play nice with pulseaudio. Fixes: 7cb9d94c05de9 ("ALSA: hda/ca0132: add alt_select_in/out for R3Di + SBZ") Cc: Signed-off-by: Connor McAdams Link: https://lore.kernel.org/r/20201208195223.424753-2-conmanx360@gmail.com Link: https://lore.kernel.org/r/20201210173550.2968-2-conmanx360@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8f827adb9bbc1f566f8ec6aaa2422c3bf145d11e Author: Arnd Bergmann Date: Mon Dec 14 13:37:46 2020 -0800 Input: cyapa_gen6 - fix out-of-bounds stack access commit f051ae4f6c732c231046945b36234e977f8467c6 upstream. gcc -Warray-bounds warns about a serious bug in cyapa_pip_retrieve_data_structure: drivers/input/mouse/cyapa_gen6.c: In function 'cyapa_pip_retrieve_data_structure.constprop': include/linux/unaligned/access_ok.h:40:17: warning: array subscript -1 is outside array bounds of 'struct retrieve_data_struct_cmd[1]' [-Warray-bounds] 40 | *((__le16 *)p) = cpu_to_le16(val); drivers/input/mouse/cyapa_gen6.c:569:13: note: while referencing 'cmd' 569 | } __packed cmd; | ^~~ Apparently the '-2' was added to the pointer instead of the value, writing garbage into the stack next to this variable. Fixes: c2c06c41f700 ("Input: cyapa - add gen6 device module support") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20201026161332.3708389-1-arnd@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 98c956a6d9f7f9dc95b212b3c96325da7e3d81c3 Author: Sakari Ailus Date: Fri Oct 9 15:56:05 2020 +0200 media: ipu3-cio2: Make the field on subdev format V4L2_FIELD_NONE commit 219a8b9c04e54872f9a4d566633fb42f08bcbe2a upstream. The ipu3-cio2 doesn't make use of the field and this is reflected in V4L2 buffers as well as the try format. Do this in active format, too. Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus Reviewed-by: Bingbu Cao Reviewed-by: Andy Shevchenko Reviewed-by: Laurent Pinchart Cc: stable@vger.kernel.org # v4.16 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f05ac76139e6616d7463ccafdec322a2b404b885 Author: Sakari Ailus Date: Thu Oct 8 21:33:26 2020 +0200 media: ipu3-cio2: Validate mbus format in setting subdev format commit a86cf9b29e8b12811cf53c4970eefe0c1d290476 upstream. Validate media bus code, width and height when setting the subdev format. This effectively reworks how setting subdev format is implemented in the driver. Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus Reviewed-by: Andy Shevchenko Reviewed-by: Laurent Pinchart Cc: stable@vger.kernel.org # v4.16 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 44cb512a020e15551abb951a24b8b54b826a8ab0 Author: Sakari Ailus Date: Thu Oct 8 21:29:38 2020 +0200 media: ipu3-cio2: Serialise access to pad format commit 55a6c6b2be3d6670bf5772364d8208bd8dc17da4 upstream. Pad format can be accessed from user space. Serialise access to it. Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus Reviewed-by: Laurent Pinchart Reviewed-by: Bingbu Cao Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.16 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a47bc844f436b039233f90bacd97ef42fb9d65e8 Author: Sakari Ailus Date: Thu Oct 8 21:06:28 2020 +0200 media: ipu3-cio2: Return actual subdev format commit 8160e86702e0807bd36d40f82648f9f9820b9d5a upstream. Return actual subdev format on ipu3-cio2 subdev pads. The earlier implementation was based on an infinite recursion that exhausted the stack. Reported-by: Tsuchiya Yuto Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus Reviewed-by: Laurent Pinchart Reviewed-by: Bingbu Cao Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.16 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 7dc40e1f8044db9ba805cf95e676d2dd3bfad61e Author: Sakari Ailus Date: Mon Oct 12 17:25:28 2020 +0200 media: ipu3-cio2: Remove traces of returned buffers commit 61e7f892b5ee1dd10ea8bff805f3c3fe6e535959 upstream. If starting a video buffer queue fails, the buffers are returned to videobuf2. Remove the reference to the buffer from the driver's queue as well. Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus Cc: stable@vger.kernel.org # v4.16 and up Reviewed-by: Andy Shevchenko Reviewed-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d7e6b7b6a7f7406e3f6519c2133503e9841126ca Author: Lukas Wunner Date: Mon Dec 7 09:17:12 2020 +0100 media: netup_unidvb: Don't leak SPI master in probe error path commit e297ddf296de35037fa97f4302782def196d350a upstream. If the call to spi_register_master() fails on probe of the NetUP Universal DVB driver, the spi_master struct is erroneously not freed. Likewise, if spi_new_device() fails, the spi_controller struct is not unregistered. Plug the leaks. While at it, fix an ordering issue in netup_spi_release() wherein spi_unregister_master() is called after fiddling with the IRQ control register. The correct order is to call spi_unregister_master() *before* this teardown step because bus accesses may still be ongoing until that function returns. Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") Signed-off-by: Lukas Wunner Reviewed-by: Mauro Carvalho Chehab Cc: # v4.3+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v4.3+ Cc: Kozlov Sergey Link: https://lore.kernel.org/r/c4c24f333fc7840f4a3db24789e6e10dd660bede.1607286887.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0bfbb8393e51772f044f4901e452c4bce8323bf1 Author: Sean Young Date: Mon Nov 9 23:16:52 2020 +0100 media: sunxi-cir: ensure IR is handled when it is continuous commit 3f56df4c8ffeb120ed41906d3aae71799b7e726a upstream. If a user holds a button down on a remote, then no ir idle interrupt will be generated until the user releases the button, depending on how quickly the remote repeats. No IR is processed until that point, which means that holding down a button may not do anything. This also resolves an issue on a Cubieboard 1 where the IR receiver is picking up ambient infrared as IR and spews out endless "rc rc0: IR event FIFO is full!" messages unless you choose to live in the dark. Cc: stable@vger.kernel.org Tested-by: Hans Verkuil Acked-by: Maxime Ripard Reported-by: Hans Verkuil Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 124dc7d4f4b6f46516e2e960db9795f2f63be7da Author: Alan Stern Date: Wed Dec 2 18:20:04 2020 +0100 media: gspca: Fix memory leak in probe commit e469d0b09a19496e1972a20974bbf55b728151eb upstream. The gspca driver leaks memory when a probe fails. gspca_dev_probe2() calls v4l2_device_register(), which takes a reference to the underlying device node (in this case, a USB interface). But the failure pathway neglects to call v4l2_device_unregister(), the routine responsible for dropping this reference. Consequently the memory for the USB interface and its device never gets released. This patch adds the missing function call. Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f97b54c8152d3f8b23b353397d47fe61b1301cd1 Author: Alexey Kardashevskiy Date: Sun Nov 22 18:39:50 2020 +1100 vfio/pci/nvlink2: Do not attempt NPU2 setup on POWER8NVL NPU commit d22f9a6c92de96304c81792942ae7c306f08ac77 upstream. We execute certain NPU2 setup code (such as mapping an LPID to a device in NPU2) unconditionally if an Nvlink bridge is detected. However this cannot succeed on POWER8NVL machines as the init helpers return an error other than ENODEV which means the device is there is and setup failed so vfio_pci_enable() fails and pass through is not possible. This changes the two NPU2 related init helpers to return -ENODEV if there is no "memory-region" device tree property as this is the distinction between NPU and NPU2. Tested on - POWER9 pvr=004e1201, Ubuntu 19.04 host, Ubuntu 18.04 vm, NVIDIA GV100 10de:1db1 driver 418.39 - POWER8 pvr=004c0100, RHEL 7.6 host, Ubuntu 16.10 vm, NVIDIA P100 10de:15f9 driver 396.47 Fixes: 7f92891778df ("vfio_pci: Add NVIDIA GV100GL [Tesla V100 SXM2] subdriver") Cc: stable@vger.kernel.org # 5.0 Signed-off-by: Alexey Kardashevskiy Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman commit df308380cbf3a1727dac197268a5a40ce65f1ae4 Author: Simon Beginn Date: Fri Dec 11 16:17:32 2020 -0800 Input: goodix - add upside-down quirk for Teclast X98 Pro tablet [ Upstream commit cffdd6d90482316e18d686060a4397902ea04bd2 ] The touchscreen on the Teclast x98 Pro is also mounted upside-down in relation to the display orientation. Signed-off-by: Simon Beginn Signed-off-by: Bastien Nocera Link: https://lore.kernel.org/r/20201117004253.27A5A27EFD@localhost Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 070bd3a8ac55132222793a6c1b769e516555ab81 Author: Arnd Bergmann Date: Fri Dec 11 13:36:42 2020 -0800 initramfs: fix clang build failure [ Upstream commit 55d5b7dd6451b58489ce384282ca5a4a289eb8d5 ] There is only one function in init/initramfs.c that is in the .text section, and it is marked __weak. When building with clang-12 and the integrated assembler, this leads to a bug with recordmcount: ./scripts/recordmcount "init/initramfs.o" Cannot find symbol for section 2: .text. init/initramfs.o: failed I'm not quite sure what exactly goes wrong, but I notice that this function is only ever called from an __init function, and normally inlined. Marking it __init as well is clearly correct and it leads to recordmcount no longer complaining. Link: https://lkml.kernel.org/r/20201204165742.3815221-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Barret Rhoden Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f252a99532498a55e47f2c3d5d319a530da0268e Author: Dmitry Torokhov Date: Wed Dec 9 17:59:53 2020 -0800 Input: cros_ec_keyb - send 'scancodes' in addition to key events [ Upstream commit 80db2a087f425b63f0163bc95217abd01c637cb5 ] To let userspace know what 'scancodes' should be used in EVIOCGKEYCODE and EVIOCSKEYCODE ioctls, we should send EV_MSC/MSC_SCAN events in addition to EV_KEY/KEY_* events. The driver already declared MSC_SCAN capability, so it is only matter of actually sending the events. Link: https://lore.kernel.org/r/X87aOaSptPTvZ3nZ@google.com Acked-by: Rajat Jain Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2686041cef066d54927185451d1b5aa4246cfdcf Author: Felix Kuehling Date: Tue Dec 8 12:23:15 2020 -0500 drm/amdkfd: Fix leak in dmabuf import [ Upstream commit c897934da15f182ce99536007f8ef61c4748c07e ] Release dmabuf reference before returning from kfd_ioctl_import_dmabuf. amdgpu_amdkfd_gpuvm_import_dmabuf takes a reference to the underlying GEM BO and doesn't keep the reference to the dmabuf wrapper. Signed-off-by: Felix Kuehling Reviewed-by: Kent Russell Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit dc06432d9304a3f4ad97b9cc78e604616060c051 Author: Chris Park Date: Tue Nov 24 20:11:25 2020 -0500 drm/amd/display: Prevent bandwidth overflow [ Upstream commit 80089dd8410f356d5104496d5ab71a66a4f4646b ] [Why] At very high pixel clock, bandwidth calculation exceeds 32 bit size and overflow value. This causes the resulting selection of link rate to be inaccurate. [How] Change order of operation and use fixed point to deal with integer accuracy. Also address bug found when forcing link rate. Signed-off-by: Chris Park Reviewed-by: Wenjing Liu Acked-by: Eryk Brol Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit ca49d919d79c5a5685b7504079598cb0bbd2ed47 Author: Dongdong Wang Date: Fri Dec 4 23:59:45 2020 -0800 lwt: Disable BH too in run_lwt_bpf() [ Upstream commit d9054a1ff585ba01029584ab730efc794603d68f ] The per-cpu bpf_redirect_info is shared among all skb_do_redirect() and BPF redirect helpers. Callers on RX path are all in BH context, disabling preemption is not sufficient to prevent BH interruption. In production, we observed strange packet drops because of the race condition between LWT xmit and TC ingress, and we verified this issue is fixed after we disable BH. Although this bug was technically introduced from the beginning, that is commit 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure"), at that time call_rcu() had to be call_rcu_bh() to match the RCU context. So this patch may not work well before RCU flavor consolidation has been completed around v5.0. Update the comments above the code too, as call_rcu() is now BH friendly. Signed-off-by: Dongdong Wang Signed-off-by: Alexei Starovoitov Reviewed-by: Cong Wang Link: https://lore.kernel.org/bpf/20201205075946.497763-1-xiyou.wangcong@gmail.com Signed-off-by: Sasha Levin commit b8dfee2345813128328d2e47db70497b4b64aa07 Author: Serge Hallyn Date: Sun Nov 15 21:55:31 2020 -0600 fix namespaced fscaps when !CONFIG_SECURITY [ Upstream commit ed9b25d1970a4787ac6a39c2091e63b127ecbfc1 ] Namespaced file capabilities were introduced in 8db6c34f1dbc . When userspace reads an xattr for a namespaced capability, a virtualized representation of it is returned if the caller is in a user namespace owned by the capability's owning rootid. The function which performs this virtualization was not hooked up if CONFIG_SECURITY=n. Therefore in that case the original xattr was shown instead of the virtualized one. To test this using libcap-bin (*1), $ v=$(mktemp) $ unshare -Ur setcap cap_sys_admin-eip $v $ unshare -Ur setcap -v cap_sys_admin-eip $v /tmp/tmp.lSiIFRvt8Y: OK "setcap -v" verifies the values instead of setting them, and will check whether the rootid value is set. Therefore, with this bug un-fixed, and with CONFIG_SECURITY=n, setcap -v will fail: $ v=$(mktemp) $ unshare -Ur setcap cap_sys_admin=eip $v $ unshare -Ur setcap -v cap_sys_admin=eip $v nsowner[got=1000, want=0],/tmp/tmp.HHDiOOl9fY differs in [] Fix this bug by calling cap_inode_getsecurity() in security_inode_getsecurity() instead of returning -EOPNOTSUPP, when CONFIG_SECURITY=n. *1 - note, if libcap is too old for getcap to have the '-n' option, then use verify-caps instead. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209689 Cc: Hervé Guillemet Acked-by: Casey Schaufler Signed-off-by: Serge Hallyn Signed-off-by: Andrew G. Morgan Signed-off-by: James Morris Signed-off-by: Sasha Levin commit 5350b833bb0a41dbcd93d3f1c8c3bf1ac1bf3c69 Author: Sara Sharon Date: Sun Nov 29 17:30:44 2020 +0200 cfg80211: initialize rekey_data [ Upstream commit f495acd8851d7b345e5f0e521b2645b1e1f928a0 ] In case we have old supplicant, the akm field is uninitialized. Signed-off-by: Sara Sharon Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20201129172929.930f0ab7ebee.Ic546e384efab3f4a89f318eafddc3eb7d556aecb@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit ec15d0700709580ce0fd3cc6283eaafc832d2c61 Author: Paul Kocialkowski Date: Sat Oct 31 19:21:29 2020 +0100 ARM: sunxi: Add machine match for the Allwinner V3 SoC [ Upstream commit ad2091f893bd5dfe2824f0d6819600d120698e9f ] The Allwinner V3 SoC shares the same base as the V3s but comes with extra pins and features available. As a result, it has its dedicated compatible string (already used in device trees), which is added here. Signed-off-by: Paul Kocialkowski Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201031182137.1879521-2-contact@paulk.fr Signed-off-by: Sasha Levin commit d629b50f9fdc08016420aaeca74437ac91678387 Author: Arnaldo Carvalho de Melo Date: Thu Dec 24 10:52:10 2020 -0300 perf probe: Fix memory leak when synthesizing SDT probes [ Upstream commit 5149303fdfe5c67ddb51c911e23262f781cd75eb ] The argv_split() function must be paired with argv_free(), else we must keep a reference to the argv array received or do the freeing ourselves, in synthesize_sdt_probe_command() we were simply leaking that argv[] array. Fixes: 3b1f8311f6963cd1 ("perf probe: Add sdt probes arguments into the uprobe cmd string") Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Alexandre Truong Cc: Alexis Berlemont Cc: He Zhe Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: John Garry Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Mathieu Poirier Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Sumanth Korikkar Cc: Thomas Richter Cc: Will Deacon Link: https://lore.kernel.org/r/20201224135139.GF477817@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit cbcb176b6016ff96d3aabc37d35647df5023b699 Author: Masahiro Yamada Date: Sun Dec 20 03:18:42 2020 +0900 kconfig: fix return value of do_error_if() [ Upstream commit 135b4957eac43af2aedf8e2a277b9540f33c2558 ] $(error-if,...) is expanded to an empty string. Currently, it relies on eval_clause() returning xstrdup("") when all attempts for expansion fail, but the correct implementation is to make do_error_if() return xstrdup(""). Fixes: 1d6272e6fe43 ("kconfig: add 'info', 'warning-if', and 'error-if' built-in functions") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 6e8beb020d5c40651fafd5c8073dea120291dfb5 Author: Jernej Skrabec Date: Wed Dec 2 21:38:17 2020 +0100 clk: sunxi-ng: Make sure divider tables have sentinel [ Upstream commit 48f68de00c1405351fa0e7bc44bca067c49cd0a3 ] Two clock divider tables are missing sentinel at the end. Effect of that is that clock framework reads past the last entry. Fix that with adding sentinel at the end. Issue was discovered with KASan. Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks") Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201202203817.438713-1-jernej.skrabec@siol.net Acked-by: Maxime Ripard Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 3cdeedf801b533e36c9967e735cb230e2faed22e Author: Christophe JAILLET Date: Sat Dec 12 13:28:18 2020 +0100 clk: s2mps11: Fix a resource leak in error handling paths in the probe function [ Upstream commit d2d94fc567624f96187e8b52083795620f93e69f ] Some resource should be released in the error handling path of the probe function, as already done in the remove function. The remove function was fixed in commit bf416bd45738 ("clk: s2mps11: Add missing of_node_put and of_clk_del_provider") Fixes: 7cc560dea415 ("clk: s2mps11: Add support for s2mps11") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201212122818.86195-1-christophe.jaillet@wanadoo.fr Reviewed-by: Krzysztof Kozlowski Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit ef56621a579a705459be5c60fdd17b87d4e80a3c Author: Alexandre Belloni Date: Wed Dec 2 13:58:15 2020 +0100 clk: at91: sam9x60: remove atmel,osc-bypass support [ Upstream commit 01324f9e88b5cfc1f4c26eef66bdcb52596c9af8 ] The sam9x60 doesn't have the MOSCXTBY bit to enable the crystal oscillator bypass. Fixes: 01e2113de9a5 ("clk: at91: add sam9x60 pmc driver") Reported-by: Claudiu Beznea Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20201202125816.168618-1-alexandre.belloni@bootlin.com Reviewed-by: Claudiu Beznea Tested-by: Claudiu Beznea Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit e01dfcc08b556c1301f6e2d9baf1b06f750895c8 Author: Dan Carpenter Date: Fri Dec 4 17:23:36 2020 +0300 virtio_ring: Fix two use after free bugs [ Upstream commit e152d8af4220a05c9797591609151d404866beaa ] The "vq" struct is added to the "vdev->vqs" list prematurely. If we encounter an error later in the function then the "vq" is freed, but since it is still on the list that could lead to a use after free bug. Fixes: cbeedb72b97a ("virtio_ring: allocate desc state for split ring separately") Reported-by: Robert Buhren Reported-by: Felicitas Hetzelt Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X8pGaG/zkI3jk8mk@mwanda Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit 2d65ff873d06d700aa4328eed83a12134dda7ae7 Author: Dan Carpenter Date: Fri Dec 4 17:23:16 2020 +0300 virtio_net: Fix error code in probe() [ Upstream commit 411ea23a76526e6efed0b601abb603d3c981b333 ] Set a negative error code intead of returning success if the MTU has been changed to something invalid. Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range") Reported-by: Robert Buhren Reported-by: Felicitas Hetzelt Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X8pGVJSeeCdII1Ys@mwanda Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit 5f70910832c7b98259aad7b8364f57384d9953be Author: Dan Carpenter Date: Fri Dec 4 17:23:00 2020 +0300 virtio_ring: Cut and paste bugs in vring_create_virtqueue_packed() [ Upstream commit ae93d8ea0fa701e84ab9df0db9fb60ec6c80d7b8 ] There is a copy and paste bug in the error handling of this code and it uses "ring_dma_addr" three times instead of "device_event_dma_addr" and "driver_event_dma_addr". Fixes: 1ce9e6055fa0 (" virtio_ring: introduce packed ring support") Reported-by: Robert Buhren Reported-by: Felicitas Hetzelt Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X8pGRJlEzyn+04u2@mwanda Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin commit 372f06cd6b89634c2a603034f099f01e539a8a82 Author: Dan Carpenter Date: Wed Dec 16 11:38:04 2020 +0300 qlcnic: Fix error code in probe [ Upstream commit 0d52848632a357948028eab67ff9b7cc0c12a0fb ] Return -EINVAL if we can't find the correct device. Currently it returns success. Fixes: 13159183ec7a ("qlcnic: 83xx base driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X9nHbMqEyI/xPfGd@mwanda Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c16e42c93241dab3541deccf81e9354cbc5960ed Author: Zheng Zengkai Date: Fri Jul 3 17:33:44 2020 +0800 perf record: Fix memory leak when using '--user-regs=?' to list registers [ Upstream commit 2eb5dd418034ecea2f7031e3d33f2991a878b148 ] When using 'perf record's option '-I' or '--user-regs=' along with argument '?' to list available register names, memory of variable 'os' allocated by strdup() needs to be released before __parse_regs() returns, otherwise memory leak will occur. Fixes: bcc84ec65ad1 ("perf record: Add ability to name registers to record") Signed-off-by: Zheng Zengkai Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Li Bin Cc: Mark Rutland Cc: Namhyung Kim Link: https://lore.kernel.org/r/20200703093344.189450-1-zhengzengkai@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit ceadde18f69a24b92a5d95ae056480adcdd4e90a Author: Lokesh Vutla Date: Fri Oct 30 19:11:35 2020 +0530 pwm: lp3943: Dynamically allocate PWM chip base [ Upstream commit 1f0f1e80fdd3aa9631f6c22cda4f8550cfcfcc3e ] When there are other PWM controllers enabled along with pwm-lp3943, pwm-lp3942 is failing to probe with -EEXIST error. This is because other PWM controllers are probed first and assigned PWM base 0 and pwm-lp3943 is requesting for 0 again. In order to avoid this, assign the chip base with -1, so that it is dynamically allocated. Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver") Signed-off-by: Lokesh Vutla Reviewed-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 6bf2ef4bd38dfda75da0b35499d756099926ee42 Author: Uwe Kleine-König Date: Tue Oct 13 10:13:21 2020 +0200 pwm: zx: Add missing cleanup in error path [ Upstream commit 269effd03f6142df4c74814cfdd5f0b041b30bf9 ] zx_pwm_probe() called clk_prepare_enable() before; this must be undone in the error path. Fixes: 4836193c435c ("pwm: Add ZTE ZX PWM device driver") Signed-off-by: Uwe Kleine-König Acked-by: Shawn Guo Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit d4515a24a8029cf0c4c17069f930f057078ab51a Author: Zhang Qilong Date: Fri Nov 13 21:16:23 2020 +0800 clk: ti: Fix memleak in ti_fapll_synth_setup [ Upstream commit 8c6239f6e95f583bb763d0228e02d4dd0fb3d492 ] If clk_register fails, we should goto free branch before function returns to prevent memleak. Fixes: 163152cbbe321 ("clk: ti: Add support for FAPLL on dm816x") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201113131623.2098222-1-zhangqilong3@huawei.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 572eba1ce574bf72153bec7858028b8473d9d3ac Author: Arnd Bergmann Date: Thu Dec 3 23:33:42 2020 +0100 watchdog: coh901327: add COMMON_CLK dependency [ Upstream commit 36c47df85ee8e1f8a35366ac11324f8875de00eb ] clang produces a build failure in configurations without COMMON_CLK when a timeout calculation goes wrong: arm-linux-gnueabi-ld: drivers/watchdog/coh901327_wdt.o: in function `coh901327_enable': coh901327_wdt.c:(.text+0x50): undefined reference to `__bad_udelay' Add a Kconfig dependency to only do build testing when COMMON_CLK is enabled. Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") Signed-off-by: Arnd Bergmann Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201203223358.1269372-1-arnd@kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 2b1575e289065954af4703c9b54ea18acf2a3cfa Author: Manivannan Sadhasivam Date: Mon Dec 7 11:30:05 2020 +0530 watchdog: qcom: Avoid context switch in restart handler [ Upstream commit 7948fab26bcc468aa2a76462f441291b5fb0d5c7 ] The use of msleep() in the restart handler will cause scheduler to induce a context switch which is not desirable. This generates below warning on SDX55 when WDT is the only available restart source: [ 39.800188] reboot: Restarting system [ 39.804115] ------------[ cut here ]------------ [ 39.807855] WARNING: CPU: 0 PID: 678 at kernel/rcu/tree_plugin.h:297 rcu_note_context_switch+0x190/0x764 [ 39.812538] Modules linked in: [ 39.821954] CPU: 0 PID: 678 Comm: reboot Not tainted 5.10.0-rc1-00063-g33a9990d1d66-dirty #47 [ 39.824854] Hardware name: Generic DT based system [ 39.833470] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 39.838154] [] (show_stack) from [] (dump_stack+0x8c/0xa0) [ 39.846049] [] (dump_stack) from [] (__warn+0xd8/0xf0) [ 39.853058] [] (__warn) from [] (warn_slowpath_fmt+0x64/0xc8) [ 39.859925] [] (warn_slowpath_fmt) from [] (rcu_note_context_switch+0x190/0x764) [ 39.867503] [] (rcu_note_context_switch) from [] (__schedule+0x84/0x640) [ 39.876685] [] (__schedule) from [] (schedule+0x58/0x10c) [ 39.885095] [] (schedule) from [] (schedule_timeout+0x1e8/0x3d4) [ 39.892135] [] (schedule_timeout) from [] (msleep+0x2c/0x38) [ 39.899947] [] (msleep) from [] (qcom_wdt_restart+0xc4/0xcc) [ 39.907319] [] (qcom_wdt_restart) from [] (watchdog_restart_notifier+0x18/0x28) [ 39.914715] [] (watchdog_restart_notifier) from [] (atomic_notifier_call_chain+0x60/0x84) [ 39.923487] [] (atomic_notifier_call_chain) from [] (machine_restart+0x78/0x7c) [ 39.933551] [] (machine_restart) from [] (__do_sys_reboot+0xdc/0x1e0) [ 39.942397] [] (__do_sys_reboot) from [] (ret_fast_syscall+0x0/0x54) [ 39.950721] Exception stack(0xc3e0bfa8 to 0xc3e0bff0) [ 39.958855] bfa0: 0001221c bed2fe24 fee1dead 28121969 01234567 00000000 [ 39.963832] bfc0: 0001221c bed2fe24 00000003 00000058 000225e0 00000000 00000000 00000000 [ 39.971985] bfe0: b6e62560 bed2fc84 00010fd8 b6e62580 [ 39.980124] ---[ end trace 3f578288bad866e4 ]--- Hence, replace msleep() with mdelay() to fix this issue. Fixes: 05e487d905ab ("watchdog: qcom: register a restart notifier") Signed-off-by: Manivannan Sadhasivam Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201207060005.21293-1-manivannan.sadhasivam@linaro.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit fad88d4625966d529c1cf210bec721a129601b72 Author: Zhang Qilong Date: Sat Dec 5 19:50:56 2020 +0800 libnvdimm/label: Return -ENXIO for no slot in __blk_label_update [ Upstream commit 4c46764733c85b82c07e9559b39da4d00a7dd659 ] Forget to set error code when nd_label_alloc_slot failed, and we add it to avoid overwritten error code. Fixes: 0ba1c634892b ("libnvdimm: write blk label set") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201205115056.2076523-1-zhangqilong3@huawei.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b6c680755d22238f3d2d2a64412cd5a68a25aece Author: Vincent Stehlé Date: Mon Dec 14 23:09:52 2020 +0100 net: korina: fix return value [ Upstream commit 7eb000bdbe7c7da811ef51942b356f6e819b13ba ] The ndo_start_xmit() method must not attempt to free the skb to transmit when returning NETDEV_TX_BUSY. Therefore, make sure the korina_send_packet() function returns NETDEV_TX_OK when it frees a packet. Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") Suggested-by: Jakub Kicinski Signed-off-by: Vincent Stehlé Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20201214220952.19935-1-vincent.stehle@laposte.net Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 19e73c9ff0bf64f11066a8d928a4dc0724a7ff26 Author: Christophe JAILLET Date: Mon Dec 14 21:21:17 2020 +0100 net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function [ Upstream commit 322e53d1e2529ae9d501f5e0f20604a79b873aef ] 'irq_of_parse_and_map()' should be balanced by a corresponding 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks. Add such a call in the error handling path of the probe function and in the remove function. Fixes: 492205050d77 ("net: Add EMAC ethernet driver found on Allwinner A10 SoC's") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201214202117.146293-1-christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 226bcdbb4a60ed676e038d1511c758dda8e3667b Author: Christophe JAILLET Date: Sat Dec 12 19:20:05 2020 +0100 net: bcmgenet: Fix a resource leak in an error handling path in the probe functin [ Upstream commit 4375ada01963d1ebf733d60d1bb6e5db401e1ac6 ] If the 'register_netdev()' call fails, we must undo a previous 'bcmgenet_mii_init()' call. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Christophe JAILLET Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20201212182005.120437-1-christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit efc570073cbe2620e1564d9c6246381518298ab2 Author: Sven Van Asbroeck Date: Tue Dec 15 11:19:54 2020 -0500 lan743x: fix rx_napi_poll/interrupt ping-pong [ Upstream commit 57030a0b620f735bf557696e5ceb9f32c2b3bb8f ] Even if there is more rx data waiting on the chip, the rx napi poll fn will never run more than once - it will always read a few buffers, then bail out and re-arm interrupts. Which results in ping-pong between napi and interrupt. This defeats the purpose of napi, and is bad for performance. Fix by making the rx napi poll behave identically to other ethernet drivers: 1. initialize rx napi polling with an arbitrary budget (64). 2. in the polling fn, return full weight if rx queue is not depleted, this tells the napi core to "keep polling". 3. update the rx tail ("ring the doorbell") once for every 8 processed rx ring buffers. Thanks to Jakub Kicinski, Eric Dumazet and Andrew Lunn for their expert opinions and suggestions. Tested with 20 seconds of full bandwidth receive (iperf3): rx irqs softirqs(NET_RX) ----------------------------- before 23827 33620 after 129 4081 Tested-by: Sven Van Asbroeck # lan7430 Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201215161954.5950-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9f5b56b5a71d11f96909d913581dbfb7e1d0f8ce Author: Dwaipayan Ray Date: Tue Dec 15 20:45:02 2020 -0800 checkpatch: fix unescaped left brace [ Upstream commit 03f4935135b9efeb780b970ba023c201f81cf4e6 ] There is an unescaped left brace in a regex in OPEN_BRACE check. This throws a runtime error when checkpatch is run with --fix flag and the OPEN_BRACE check is executed. Fix it by escaping the left brace. Link: https://lkml.kernel.org/r/20201115202928.81955-1-dwaipayanray1@gmail.com Fixes: 8d1824780f2f ("checkpatch: add --fix option for a couple OPEN_BRACE misuses") Signed-off-by: Dwaipayan Ray Acked-by: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b32c5e0ae6f7404f8e05cc54656eab77e3ef0390 Author: Johannes Weiner Date: Mon Dec 14 19:12:15 2020 -0800 mm: don't wake kswapd prematurely when watermark boosting is disabled [ Upstream commit 597c892038e08098b17ccfe65afd9677e6979800 ] On 2-node NUMA hosts we see bursts of kswapd reclaim and subsequent pressure spikes and stalls from cache refaults while there is plenty of free memory in the system. Usually, kswapd is woken up when all eligible nodes in an allocation are full. But the code related to watermark boosting can wake kswapd on one full node while the other one is mostly empty. This may be justified to fight fragmentation, but is currently unconditionally done whether watermark boosting is occurring or not. In our case, many of our workloads' throughput scales with available memory, and pure utilization is a more tangible concern than trends around longer-term fragmentation. As a result we generally disable watermark boosting. Wake kswapd only woken when watermark boosting is requested. Link: https://lkml.kernel.org/r/20201020175833.397286-1-hannes@cmpxchg.org Fixes: 1c30844d2dfe ("mm: reclaim small amounts of memory when an external fragmentation event occurs") Signed-off-by: Johannes Weiner Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c3bf90c6aac58339740ed873f1997002447f47df Author: Matthew Wilcox (Oracle) Date: Mon Dec 14 19:07:59 2020 -0800 sparc: fix handling of page table constructor failure [ Upstream commit 06517c9a336f4c20f2064611bf4b1e7881a95fe1 ] The page has just been allocated, so its refcount is 1. free_unref_page() is for use on pages which have a zero refcount. Use __free_page() like the other implementations of pte_alloc_one(). Link: https://lkml.kernel.org/r/20201125034655.27687-1-willy@infradead.org Fixes: 1ae9ae5f7df7 ("sparc: handle pgtable_page_ctor() fail") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: David Hildenbrand Reviewed-by: Mike Rapoport Acked-by: Vlastimil Babka Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6ef298e1cebd3d3216b01bd5f641ec5e6e97291a Author: Vincent Stehlé Date: Sun Dec 13 19:26:22 2020 +0100 powerpc/ps3: use dma_mapping_error() [ Upstream commit d0edaa28a1f7830997131cbce87b6c52472825d1 ] The DMA address returned by dma_map_single() should be checked with dma_mapping_error(). Fix the ps3stor_setup() function accordingly. Fixes: 80071802cb9c ("[POWERPC] PS3: Storage Driver Core") Signed-off-by: Vincent Stehlé Reviewed-by: Geert Uytterhoeven Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201213182622.23047-1-vincent.stehle@laposte.net Signed-off-by: Sasha Levin commit d864e7e8270a6cf3ae863d5e0928fc13e9205813 Author: Bongsu Jeon Date: Sun Dec 13 18:58:50 2020 +0900 nfc: s3fwrn5: Release the nfc firmware [ Upstream commit a4485baefa1efa596702ebffd5a9c760d42b14b5 ] add the code to release the nfc firmware when the firmware image size is wrong. Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip") Signed-off-by: Bongsu Jeon Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201213095850.28169-1-bongsu.jeon@samsung.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7a3d6a5dfc78776e8872f78c32809dc9f9817320 Author: Leon Romanovsky Date: Sun Dec 13 15:29:39 2020 +0200 RDMA/cma: Don't overwrite sgid_attr after device is released [ Upstream commit e246b7c035d74abfb3507fa10082d0c42cc016c3 ] As part of the cma_dev release, that pointer will be set to NULL. In case it happens in rdma_bind_addr() (part of an error flow), the next call to addr_handler() will have a call to cma_acquire_dev_by_src_ip() which will overwrite sgid_attr without releasing it. WARNING: CPU: 2 PID: 108 at drivers/infiniband/core/cma.c:606 cma_bind_sgid_attr drivers/infiniband/core/cma.c:606 [inline] WARNING: CPU: 2 PID: 108 at drivers/infiniband/core/cma.c:606 cma_acquire_dev_by_src_ip+0x470/0x4b0 drivers/infiniband/core/cma.c:649 CPU: 2 PID: 108 Comm: kworker/u8:1 Not tainted 5.10.0-rc6+ #257 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: ib_addr process_one_req RIP: 0010:cma_bind_sgid_attr drivers/infiniband/core/cma.c:606 [inline] RIP: 0010:cma_acquire_dev_by_src_ip+0x470/0x4b0 drivers/infiniband/core/cma.c:649 Code: 66 d9 4a ff 4d 8b 6e 10 49 8d bd 1c 08 00 00 e8 b6 d6 4a ff 45 0f b6 bd 1c 08 00 00 41 83 e7 01 e9 49 fd ff ff e8 90 c5 29 ff <0f> 0b e9 80 fe ff ff e8 84 c5 29 ff 4c 89 f7 e8 2c d9 4a ff 4d 8b RSP: 0018:ffff8881047c7b40 EFLAGS: 00010293 RAX: ffff888104789c80 RBX: 0000000000000001 RCX: ffffffff820b8ef8 RDX: 0000000000000000 RSI: ffffffff820b9080 RDI: ffff88810cd4c998 RBP: ffff8881047c7c08 R08: ffff888104789c80 R09: ffffed10209f4036 R10: ffff888104fa01ab R11: ffffed10209f4035 R12: ffff88810cd4c800 R13: ffff888105750e28 R14: ffff888108f0a100 R15: ffff88810cd4c998 FS: 0000000000000000(0000) GS:ffff888119c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000104e60005 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: addr_handler+0x266/0x350 drivers/infiniband/core/cma.c:3190 process_one_req+0xa3/0x300 drivers/infiniband/core/addr.c:645 process_one_work+0x54c/0x930 kernel/workqueue.c:2272 worker_thread+0x82/0x830 kernel/workqueue.c:2418 kthread+0x1ca/0x220 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Fixes: ff11c6cd521f ("RDMA/cma: Introduce and use cma_acquire_dev_by_src_ip()") Link: https://lore.kernel.org/r/20201213132940.345554-5-leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2d01f3d75013065a00543d74b52665bcad8b55dc Author: Dan Aloni Date: Sat Dec 5 11:28:35 2020 +0200 sunrpc: fix xs_read_xdr_buf for partial pages receive [ Upstream commit ac9645c87380e39a8fa87a1b51721efcdea89dbf ] When receiving pages data, return value 'ret' when positive includes `buf->page_base`, so we should subtract that before it is used for changing `offset` and comparing against `want`. This was discovered on the very rare cases where the server returned a chunk of bytes that when added to the already received amount of bytes for the pages happened to match the current `recv.len`, for example on this case: buf->page_base : 258356 actually received from socket: 1740 ret : 260096 want : 260096 In this case neither of the two 'if ... goto out' trigger, and we continue to tail parsing. Worth to mention that the ensuing EMSGSIZE from the continued execution of `xs_read_xdr_buf` may be observed by an application due to 4 superfluous bytes being added to the pages data. Fixes: 277e4ab7d530 ("SUNRPC: Simplify TCP receive code by switching to using iterators") Signed-off-by: Dan Aloni Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 4acbc03e4fedb9af68c03e9fd107fe07242b8d74 Author: Anton Ivanov Date: Mon Dec 7 17:19:40 2020 +0000 um: chan_xterm: Fix fd leak [ Upstream commit 9431f7c199ab0d02da1482d62255e0b4621cb1b5 ] xterm serial channel was leaking a fd used in setting up the port helper This bug is prehistoric - it predates switching to git. The "fixes" header here is really just to mark all the versions we would like this to apply to which is "Anything from the Cretaceous period onwards". No dinosaurs were harmed in fixing this bug. Fixes: b40997b872cd ("um: drivers/xterm.c: fix a file descriptor leak") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 1bbd5678c0b40cbd28ddea105af8a04401067fb0 Author: Anton Ivanov Date: Mon Dec 7 17:19:39 2020 +0000 um: tty: Fix handling of close in tty lines [ Upstream commit 9b1c0c0e25dcccafd30e7d4c150c249cc65550eb ] Fix a logical error in tty reading. We get 0 and errno == EAGAIN on the first attempt to read from a closed file descriptor. Compared to that a true EAGAIN is EAGAIN and -1. If we check errno for EAGAIN first, before checking the return value we miss the fact that the descriptor is closed. This bug is as old as the driver. It was not showing up with the original POLL based IRQ controller, because it was producing multiple events. Switching to EPOLL unmasked it. Fixes: ff6a17989c08 ("Epoll based IRQ controller") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 1355bbe3a7172ead5eb974bf28da653e084e5762 Author: Anton Ivanov Date: Mon Dec 7 17:19:38 2020 +0000 um: Monitor error events in IRQ controller [ Upstream commit e3a01cbee9c5f2c6fc813dd6af007716e60257e7 ] Ensure that file closes, connection closes, etc are propagated as interrupts in the interrupt controller. Fixes: ff6a17989c08 ("Epoll based IRQ controller") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit a37d283825a48dc3ec70fe2193cb69b1b34596eb Author: Wang ShaoBo Date: Tue Nov 24 14:33:20 2020 +0800 ubifs: Fix error return code in ubifs_init_authentication() [ Upstream commit 3cded66330591cfd2554a3fd5edca8859ea365a2 ] Fix to return PTR_ERR() error code from the error handling case where ubifs_hash_get_desc() failed instead of 0 in ubifs_init_authentication(), as done elsewhere in this function. Fixes: 49525e5eecca5 ("ubifs: Add helper functions for authentication support") Signed-off-by: Wang ShaoBo Reviewed-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit d4dbcfb7e158b8f635ba63cf06e80c232c43c258 Author: Wang Wensheng Date: Mon Nov 9 13:05:12 2020 +0000 watchdog: Fix potential dereferencing of null pointer [ Upstream commit 6f733cb2e7db38f8141b14740bcde577844a03b7 ] A reboot notifier, which stops the WDT by calling the stop hook without any check, would be registered when we set WDOG_STOP_ON_REBOOT flag. Howerer we allow the WDT driver to omit the stop hook since commit "d0684c8a93549" ("watchdog: Make stop function optional") and provide a module parameter for user that controls the WDOG_STOP_ON_REBOOT flag in commit 9232c80659e94 ("watchdog: Add stop_on_reboot parameter to control reboot policy"). Together that commits make user potential to insert a watchdog driver that don't provide a stop hook but with the stop_on_reboot parameter set, then dereferencing of null pointer occurs on system reboot. Check the stop hook before registering the reboot notifier to fix the issue. Fixes: d0684c8a9354 ("watchdog: Make stop function optional") Signed-off-by: Wang Wensheng Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201109130512.28121-1-wangwensheng4@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 4e091ff107be8105ac404155a629f73b52d144cf Author: Lingling Xu Date: Mon Nov 9 11:00:54 2020 +0800 watchdog: sprd: check busy bit before new loading rather than after that [ Upstream commit 3e07d240939803bed9feb2a353d94686a411a7ca ] As the specification described, users must check busy bit before start a new loading operation to make sure that the previous loading is done and the device is ready to accept a new one. [ chunyan: Massaged changelog ] Fixes: 477603467009 ("watchdog: Add Spreadtrum watchdog driver") Signed-off-by: Lingling Xu Signed-off-by: Chunyan Zhang Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201029023933.24548-3-zhang.lyra@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 4c8cffffc9266529bb62b7ba259601674617b3bb Author: Lingling Xu Date: Thu Oct 29 10:39:31 2020 +0800 watchdog: sprd: remove watchdog disable from resume fail path [ Upstream commit f61a59acb462840bebcc192f754fe71b6a16ff99 ] sprd_wdt_start() would return fail if the loading operation is not completed in a certain time, disabling watchdog for that case would probably cause the kernel crash when kick watchdog later, that's too bad, so remove the watchdog disable operation for the fail case to make sure other parts in the kernel can run normally. [ chunyan: Massaged changelog ] Fixes: 477603467009 ("watchdog: Add Spreadtrum watchdog driver") Signed-off-by: Lingling Xu Signed-off-by: Chunyan Zhang Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20201029023933.24548-2-zhang.lyra@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 4a4b31e8b5a73fd5e0527d929f66ee83005b77ad Author: Guenter Roeck Date: Sun Nov 8 08:25:50 2020 -0800 watchdog: sirfsoc: Add missing dependency on HAS_IOMEM [ Upstream commit 8ae2511112d2e18bc7d324b77f965d34083a25a2 ] If HAS_IOMEM is not defined and SIRFSOC_WATCHDOG is enabled, the build fails with the following error. drivers/watchdog/sirfsoc_wdt.o: in function `sirfsoc_wdt_probe': sirfsoc_wdt.c:(.text+0x112): undefined reference to `devm_platform_ioremap_resource' Reported-by: Necip Fazil Yildiran Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") Link: https://lore.kernel.org/r/20201108162550.27660-2-linux@roeck-us.net Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 4d5aea30c1cdb76f9a37555842c7399129f52632 Author: Guenter Roeck Date: Sun Nov 8 08:25:49 2020 -0800 watchdog: armada_37xx: Add missing dependency on HAS_IOMEM [ Upstream commit 7f6f1dfb2dcbe5d2bfa213f2df5d74c147cd5954 ] The following kbuild warning is seen on a system without HAS_IOMEM. WARNING: unmet direct dependencies detected for MFD_SYSCON Depends on [n]: HAS_IOMEM [=n] Selected by [y]: - ARMADA_37XX_WATCHDOG [=y] && WATCHDOG [=y] && (ARCH_MVEBU || COMPILE_TEST This results in a subsequent compile error. drivers/watchdog/armada_37xx_wdt.o: in function `armada_37xx_wdt_probe': armada_37xx_wdt.c:(.text+0xdc): undefined reference to `devm_ioremap' Add the missing dependency. Reported-by: Necip Fazil Yildiran Fixes: 54e3d9b518c8 ("watchdog: Add support for Armada 37xx CPU watchdog") Link: https://lore.kernel.org/r/20201108162550.27660-1-linux@roeck-us.net Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 849270acd7b64d6e6b9fd848a9fcb5c86a4f5482 Author: Marc Zyngier Date: Sun Nov 29 13:55:25 2020 +0000 irqchip/alpine-msi: Fix freeing of interrupts on allocation error path [ Upstream commit 3841245e8498a789c65dedd7ffa8fb2fee2c0684 ] The alpine-msi driver has an interesting allocation error handling, where it frees the same interrupts repeatedly. Hilarity follows. This code is probably never executed, but let's fix it nonetheless. Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller") Signed-off-by: Marc Zyngier Reviewed-by: Antoine Tenart Cc: Tsahee Zidenberg Cc: Antoine Tenart Link: https://lore.kernel.org/r/20201129135525.396671-1-maz@kernel.org Signed-off-by: Sasha Levin commit aca4d1bd7e19f59652156dd4f3f1b79deab816d9 Author: Dan Carpenter Date: Wed Dec 9 09:54:09 2020 +0300 ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control() [ Upstream commit 85a7555575a0e48f9b73db310d0d762a08a46d63 ] The error handling frees "ctl" but it's still on the "dsp->ctl_list" list so that could result in a use after free. Remove it from the list before returning. Fixes: 2323736dca72 ("ASoC: wm_adsp: Add basic support for rev 1 firmware file format") Signed-off-by: Dan Carpenter Acked-by: Charles Keepax Link: https://lore.kernel.org/r/X9B0keV/02wrx9Xs@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 297e48ccf1668ff36a6e24c90f0c137afc30b272 Author: Johannes Berg Date: Sun Dec 6 14:54:44 2020 +0200 mac80211: don't set set TDLS STA bandwidth wider than possible [ Upstream commit f65607cdbc6b0da356ef5a22552ddd9313cf87a0 ] When we set up a TDLS station, we set sta->sta.bandwidth solely based on the capabilities, because the "what's the current bandwidth" check is bypassed and only applied for other types of stations. This leads to the unfortunate scenario that the sta->sta.bandwidth is 160 MHz if both stations support it, but we never actually configure this bandwidth unless the AP is already using 160 MHz; even for wider bandwidth support we only go up to 80 MHz (at least right now.) For iwlwifi, this can also lead to firmware asserts, telling us that we've configured the TX rates for a higher bandwidth than is actually available due to the PHY configuration. For non-TDLS, we check against the interface's requested bandwidth, but we explicitly skip this check for TDLS to cope with the wider BW case. Change this to (a) still limit to the TDLS peer's own chandef, which gets factored into the overall PHY configuration we request from the driver, and (b) limit it to when the TDLS peer is authorized, because it's only factored into the channel context in this case. Fixes: 504871e602d9 ("mac80211: fix bandwidth computation for TDLS peers") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20201206145305.fcc7d29c4590.I11f77e9e25ddf871a3c8d5604650c763e2c5887a@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit d07972d764e838a497e040d4bf4b8cad3214692c Author: Arnd Bergmann Date: Fri Dec 4 00:20:04 2020 +0100 crypto: atmel-i2c - select CONFIG_BITREVERSE [ Upstream commit d33a23b0532d5d1b5b700e8641661261e7dbef61 ] The bitreverse helper is almost always built into the kernel, but in a rare randconfig build it is possible to hit a case in which it is a loadable module while the atmel-i2c driver is built-in: arm-linux-gnueabi-ld: drivers/crypto/atmel-i2c.o: in function `atmel_i2c_checksum': atmel-i2c.c:(.text+0xa0): undefined reference to `byte_rev_table' Add one more 'select' statement to prevent this. Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver") Signed-off-by: Arnd Bergmann Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f71984fc448237869843ad4b978ff9124936cbd0 Author: Marek Szyprowski Date: Tue Dec 8 14:36:27 2020 +0100 extcon: max77693: Fix modalias string [ Upstream commit e1efdb604f5c9903a5d92ef42244009d3c04880f ] The platform device driver name is "max77693-muic", so advertise it properly in the modalias string. This fixes automated module loading when this driver is compiled as a module. Fixes: db1b9037424b ("extcon: MAX77693: Add extcon-max77693 driver to support Maxim MAX77693 MUIC device") Signed-off-by: Marek Szyprowski Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit a4fd2da3e85e99336fcbcd1c3930ebfba4a7035b Author: Han Xu Date: Tue Dec 8 21:51:04 2020 -0600 mtd: rawnand: gpmi: Fix the random DMA timeout issue [ Upstream commit 7671edeb193910482a9b0c22cd32176e7de7b2ed ] To get better performance, current gpmi driver collected and chained all small DMA transfers in gpmi_nfc_exec_op, the whole chain triggered and wait for complete at the end. But some random DMA timeout found in this new driver, with the help of ftrace, we found the root cause is as follows: Take gpmi_ecc_read_page() as an example, gpmi_nfc_exec_op collected 6 DMA transfers and the DMA chain triggered at the end. It waits for bch completion and check jiffies if it's timeout. The typical function graph shown below, 63.216351 | 1) | gpmi_ecc_read_page() { 63.216352 | 1) 0.750 us | gpmi_bch_layout_std(); 63.216354 | 1) | gpmi_nfc_exec_op() { 63.216355 | 1) | gpmi_chain_command() { 63.216356 | 1) | mxs_dma_prep_slave_sg() { 63.216357 | 1) | /* mxs chan ccw idx: 0 */ 63.216358 | 1) 1.750 us | } 63.216359 | 1) | mxs_dma_prep_slave_sg() { 63.216360 | 1) | /* mxs chan ccw idx: 1 */ 63.216361 | 1) 2.000 us | } 63.216361 | 1) 6.500 us | } 63.216362 | 1) | gpmi_chain_command() { 63.216363 | 1) | mxs_dma_prep_slave_sg() { 63.216364 | 1) | /* mxs chan ccw idx: 2 */ 63.216365 | 1) 1.750 us | } 63.216366 | 1) | mxs_dma_prep_slave_sg() { 63.216367 | 1) | /* mxs chan ccw idx: 3 */ 63.216367 | 1) 1.750 us | } 63.216368 | 1) 5.875 us | } 63.216369 | 1) | /* gpmi_chain_wait_ready */ 63.216370 | 1) | mxs_dma_prep_slave_sg() { 63.216372 | 1) | /* mxs chan ccw idx: 4 */ 63.216373 | 1) 3.000 us | } 63.216374 | 1) | /* gpmi_chain_data_read */ 63.216376 | 1) | mxs_dma_prep_slave_sg() { 63.216377 | 1) | /* mxs chan ccw idx: 5 */ 63.216378 | 1) 2.000 us | } 63.216379 | 1) 1.125 us | mxs_dma_tx_submit(); 63.216381 | 1) 1.000 us | mxs_dma_enable_chan(); 63.216712 | 0) 2.625 us | mxs_dma_int_handler(); 63.216717 | 0) 4.250 us | bch_irq(); 63.216723 | 0) 1.250 us | mxs_dma_tasklet(); 63.216723 | 1) | /* jiffies left 250 */ 63.216725 | 1) ! 372.000 us | } 63.216726 | 1) 2.625 us | gpmi_count_bitflips(); 63.216730 | 1) ! 379.125 us | } but it's not gurantee that bch irq handled always after dma irq handled, sometimes bch_irq comes first and gpmi_nfc_exec_op won't wait anymore, another gpmi_nfc_exec_op may get invoked before last DMA chain IRQ handled, this messed up the next DMA chain and causes DMA timeout. Check the trace log when issue happened. 63.218923 | 1) | gpmi_ecc_read_page() { 63.218924 | 1) 0.625 us | gpmi_bch_layout_std(); 63.218926 | 1) | gpmi_nfc_exec_op() { 63.218927 | 1) | gpmi_chain_command() { 63.218928 | 1) | mxs_dma_prep_slave_sg() { 63.218929 | 1) | /* mxs chan ccw idx: 0 */ 63.218929 | 1) 1.625 us | } 63.218931 | 1) | mxs_dma_prep_slave_sg() { 63.218931 | 1) | /* mxs chan ccw idx: 1 */ 63.218932 | 1) 1.750 us | } 63.218933 | 1) 5.875 us | } 63.218934 | 1) | gpmi_chain_command() { 63.218934 | 1) | mxs_dma_prep_slave_sg() { 63.218935 | 1) | /* mxs chan ccw idx: 2 */ 63.218936 | 1) 1.875 us | } 63.218937 | 1) | mxs_dma_prep_slave_sg() { 63.218938 | 1) | /* mxs chan ccw idx: 3 */ 63.218939 | 1) 1.625 us | } 63.218939 | 1) 5.875 us | } 63.218940 | 1) | /* gpmi_chain_wait_ready */ 63.218941 | 1) | mxs_dma_prep_slave_sg() { 63.218942 | 1) | /* mxs chan ccw idx: 4 */ 63.218942 | 1) 1.625 us | } 63.218943 | 1) | /* gpmi_chain_data_read */ 63.218944 | 1) | mxs_dma_prep_slave_sg() { 63.218945 | 1) | /* mxs chan ccw idx: 5 */ 63.218947 | 1) 2.375 us | } 63.218948 | 1) 0.625 us | mxs_dma_tx_submit(); 63.218949 | 1) 1.000 us | mxs_dma_enable_chan(); 63.219276 | 0) 5.125 us | bch_irq(); <---- 63.219283 | 1) | /* jiffies left 250 */ 63.219285 | 1) ! 358.625 us | } 63.219286 | 1) 2.750 us | gpmi_count_bitflips(); 63.219289 | 1) ! 366.000 us | } 63.219290 | 1) | gpmi_ecc_read_page() { 63.219291 | 1) 0.750 us | gpmi_bch_layout_std(); 63.219293 | 1) | gpmi_nfc_exec_op() { 63.219294 | 1) | gpmi_chain_command() { 63.219295 | 1) | mxs_dma_prep_slave_sg() { 63.219295 | 0) 1.875 us | mxs_dma_int_handler(); <---- 63.219296 | 1) | /* mxs chan ccw idx: 6 */ 63.219297 | 1) 2.250 us | } 63.219298 | 1) | mxs_dma_prep_slave_sg() { 63.219298 | 0) 1.000 us | mxs_dma_tasklet(); 63.219299 | 1) | /* mxs chan ccw idx: 0 */ 63.219300 | 1) 1.625 us | } 63.219300 | 1) 6.375 us | } 63.219301 | 1) | gpmi_chain_command() { 63.219302 | 1) | mxs_dma_prep_slave_sg() { 63.219303 | 1) | /* mxs chan ccw idx: 1 */ 63.219304 | 1) 1.625 us | } 63.219305 | 1) | mxs_dma_prep_slave_sg() { 63.219306 | 1) | /* mxs chan ccw idx: 2 */ 63.219306 | 1) 1.875 us | } 63.219307 | 1) 6.000 us | } 63.219308 | 1) | /* gpmi_chain_wait_ready */ 63.219308 | 1) | mxs_dma_prep_slave_sg() { 63.219309 | 1) | /* mxs chan ccw idx: 3 */ 63.219310 | 1) 2.000 us | } 63.219311 | 1) | /* gpmi_chain_data_read */ 63.219312 | 1) | mxs_dma_prep_slave_sg() { 63.219313 | 1) | /* mxs chan ccw idx: 4 */ 63.219314 | 1) 1.750 us | } 63.219315 | 1) 0.625 us | mxs_dma_tx_submit(); 63.219316 | 1) 0.875 us | mxs_dma_enable_chan(); 64.224227 | 1) | /* jiffies left 0 */ In the first gpmi_nfc_exec_op, bch_irq comes first and gpmi_nfc_exec_op exits, but DMA IRQ still not happened yet until the middle of following gpmi_nfc_exec_op, the first DMA transfer index get messed and DMA get timeout. To fix the issue, when there is bch ops in DMA chain, the gpmi_nfc_exec_op should wait for both completions rather than bch completion only. Fixes: ef347c0cfd61 ("mtd: rawnand: gpmi: Implement exec_op") Signed-off-by: Han Xu Reviewed-by: Sascha Hauer Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201209035104.22679-3-han.xu@nxp.com Signed-off-by: Sasha Levin commit 86f6e53642fa0e75da9d0eee298ed4a0c43f9393 Author: Dan Carpenter Date: Thu Dec 3 11:39:48 2020 +0300 mtd: rawnand: meson: Fix a resource leak in init [ Upstream commit ad8566d3555c4731e6b48823b92d3929b0394c14 ] Call clk_disable_unprepare(nfc->phase_rx) if the clk_set_rate() function fails to avoid a resource leak. Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") Signed-off-by: Dan Carpenter Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/X8ikVCnUsfTpffFB@mwanda Signed-off-by: Sasha Levin commit 5e8715b2383a027a35cbc2c9e99677bdd1fbf433 Author: Zhang Qilong Date: Sat Nov 7 19:05:52 2020 +0800 mtd: rawnand: gpmi: fix reference count leak in gpmi ops [ Upstream commit 1b391c7f2e863985668d705f525af3ceb55bc800 ] pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. If runtime of the device has error or device is in inaccessible state(or other error state), resume operation will fail. If we do not call put operation to decrease the reference, it will result in reference leak in the two functions(gpmi_init and gpmi_nfc_exec_op). Moreover, this device cannot enter the idle state and always stay busy or other non-idle state later. So we fixed it through adding pm_runtime_put_noidle. Fixes: 5bc6bb603b4d0 ("mtd: rawnand: gpmi: Fix suspend/resume problem") Signed-off-by: Zhang Qilong Acked-by: Han Xu Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201107110552.1568742-1-zhangqilong3@huawei.com Signed-off-by: Sasha Levin commit 9c5b041ba20a1ddbdb24742859c3dbf55dc85635 Author: Dmitry Osipenko Date: Mon Oct 26 01:42:12 2020 +0300 clk: tegra: Fix duplicated SE clock entry [ Upstream commit 5bf5861d6ea6c3f4b38fc8fda2062b2dc44ac63d ] The periph_clks[] array contains duplicated entry for Security Engine clock which was meant to be defined for T210, but it wasn't added properly. This patch corrects the T210 SE entry and fixes the following error message on T114/T124: "Tegra clk 127: register failed with -17". Fixes: dc37fec48314 ("clk: tegra: periph: Add new periph clks and muxes for Tegra210") Tested-by Nicolas Chauvet Reported-by Nicolas Chauvet Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20201025224212.7790-1-digetx@gmail.com Acked-by: Thierry Reding Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 1ba196a73c45bb26975a34f4887303b895cb9042 Author: Zhang Changzhong Date: Tue Dec 8 09:54:20 2020 +0800 remoteproc: qcom: Fix potential NULL dereference in adsp_init_mmio() [ Upstream commit c3d4e5b12672bbdf63f4cc933e3169bc6bbec8da ] platform_get_resource() may fail and in this case a NULL dereference will occur. Fix it to use devm_platform_ioremap_resource() instead of calling platform_get_resource() and devm_ioremap(). This is detected by Coccinelle semantic patch. @@ expression pdev, res, n, t, e, e1, e2; @@ res = \(platform_get_resource\|platform_get_resource_byname\)(pdev, t, n); + if (!res) + return -EINVAL; ... when != res == NULL e = devm_ioremap(e1, res->start, e2); Fixes: dc160e449122 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1607392460-20516-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 6f597c451e07779f58ed271d6a17c6c2079d5456 Author: Zhang Qilong Date: Mon Nov 2 22:35:34 2020 +0800 remoteproc: qcom: fix reference leak in adsp_start [ Upstream commit aa37448f597c09844942da87d042fc6793f989c2 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in adsp_start, so we should fix it. Fixes: dc160e4491222 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201102143534.144484-1-zhangqilong3@huawei.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit f61bce4bc8336b4fc75dce777be6462f0d981872 Author: Zhang Qilong Date: Mon Nov 2 22:34:33 2020 +0800 remoteproc: q6v5-mss: fix error handling in q6v5_pds_enable [ Upstream commit a24723050037303e4008b37f1f8dcc99c58901aa ] If the pm_runtime_get_sync failed in q6v5_pds_enable when loop (i), The unroll_pd_votes will start from (i - 1), and it will resulted in following problems: 1) pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak. 2) Have not reset pds[i] performance state. Then we fix it. Fixes: 4760a896be88e ("remoteproc: q6v5-mss: Vote for rpmh power domains") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201102143433.143996-1-zhangqilong3@huawei.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 9b54e31fd08f8d8db507d021c88e760d5f8e4640 Author: Jack Morgenstein Date: Tue Dec 8 09:35:44 2020 +0200 RDMA/core: Do not indicate device ready when device enablement fails [ Upstream commit 779e0bf47632c609c59f527f9711ecd3214dccb0 ] In procedure ib_register_device, procedure kobject_uevent is called (advertising that the device is ready for userspace usage) even when device_enable_and_get() returned an error. As a result, various RDMA modules attempted to register for the device even while the device driver was preparing to unregister the device. Fix this by advertising the device availability only after enabling the device succeeds. Fixes: e7a5b4aafd82 ("RDMA/device: Don't fire uevent before device is fully initialized") Link: https://lore.kernel.org/r/20201208073545.9723-3-leon@kernel.org Suggested-by: Leon Romanovsky Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e6323070bdc75faa47f06f21668f3129da676422 Author: Sean Nyekjaer Date: Wed Dec 11 07:32:27 2019 +0100 can: m_can: m_can_config_endisable(): remove double clearing of clock stop request bit [ Upstream commit c9f4cad6cdfe350ce2637e57f7f2aa7ff326bcc6 ] The CSR bit is already cleared when arriving here so remove this section of duplicate code. The registers set in m_can_config_endisable() is set to same exact values as before this patch. Signed-off-by: Sean Nyekjaer Acked-by: Sriram Dash Acked-by: Dan Murphy Link: https://lore.kernel.org/r/20191211063227.84259-1-sean@geanix.com Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 6daf2d466380c31a39b46b72fa830d62e8417f31 Author: Huang Jianan Date: Wed Dec 9 19:57:40 2020 +0800 erofs: avoid using generic_block_bmap [ Upstream commit d8b3df8b1048405e73558b88cba2adf29490d468 ] Surprisingly, `block' in sector_t indicates the number of i_blkbits-sized blocks rather than sectors for bmap. In addition, considering buffer_head limits mapped size to 32-bits, should avoid using generic_block_bmap. Link: https://lore.kernel.org/r/20201209115740.18802-1-huangjianan@oppo.com Fixes: 9da681e017a3 ("staging: erofs: support bmap") Reviewed-by: Chao Yu Reviewed-by: Gao Xiang Signed-off-by: Huang Jianan Signed-off-by: Guo Weichao [ Gao Xiang: slightly update the commit message description. ] Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 35e2bec96488d1c12a67b0dd934b0b2cdfb2dcfe Author: Johannes Berg Date: Wed Dec 9 23:16:47 2020 +0200 iwlwifi: mvm: hook up missing RX handlers [ Upstream commit 8a59d39033c35bb484f6bd91891db86ebe07fdc2 ] The RX handlers for probe response data and channel switch weren't hooked up properly, fix that. Fixes: 86e177d80ff7 ("iwlwifi: mvm: add NOA and CSA to a probe response") Fixes: d3a108a48dc6 ("iwlwifi: mvm: Support CSA countdown offloading") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20201209231352.2d07dcee0d35.I07a61b5d734478db57d9434ff303e4c90bf6c32b@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 857b1403c3e504a1d85ff65bd2fa04e52a0eb7ba Author: Qinglang Miao Date: Tue Dec 1 14:31:50 2020 +0800 s390/cio: fix use-after-free in ccw_device_destroy_console [ Upstream commit 14d4c4fa46eeaa3922e8e1c4aa727eb0a1412804 ] Use of sch->dev reference after the put_device() call could trigger the use-after-free bugs. Fix this by simply adjusting the position of put_device. Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support") Reported-by: Hulk Robot Suggested-by: Cornelia Huck Signed-off-by: Qinglang Miao Reviewed-by: Cornelia Huck Reviewed-by: Vineeth Vijayan [vneethv@linux.ibm.com: Slight modification in the commit-message] Signed-off-by: Vineeth Vijayan Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit be4d879cb7c4b492d58aabb6fac4c06437e200b4 Author: Zhang Changzhong Date: Fri Dec 4 16:02:47 2020 +0800 bus: fsl-mc: fix error return code in fsl_mc_object_allocate() [ Upstream commit 3d70fb03711c37bc64e8e9aea5830f498835f6bf ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 197f4d6a4a00 ("staging: fsl-mc: fsl-mc object allocator driver") Reported-by: Hulk Robot Acked-by: Laurentiu Tudor Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1607068967-31991-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9b4f327c0746d3492437ab702185234437f9b872 Author: Stephen Boyd Date: Fri Dec 4 11:35:38 2020 -0800 platform/chrome: cros_ec_spi: Don't overwrite spi::mode [ Upstream commit 74639cbf51d7c0304342544a83dfda354a6bd208 ] There isn't any need to overwrite the mode here in the driver with what has been detected by the firmware, such as DT or ACPI. In fact, if we use the SPI CS gpio descriptor feature we will overwrite the mode with SPI_MODE_0 where it already contains SPI_MODE_0 and more importantly SPI_CS_HIGH. Clearing the SPI_CS_HIGH bit causes the CS line to toggle when the device is probed when it shouldn't change, confusing the driver and making it fail to probe. Drop the assignment and let the spi core take care of it. Fixes: a17d94f0b6e1 ("mfd: Add ChromeOS EC SPI driver") Cc: Simon Glass Cc: Gwendal Grignou Reviewed-by: Douglas Anderson Tested-by: Douglas Anderson Acked-by: Enric Balletbo i Serra Cc: Alexandru M Stan Signed-off-by: Stephen Boyd Reviewed-by: Simon Glass Link: https://lore.kernel.org/r/20201204193540.3047030-2-swboyd@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 070c57885ec34067fd6aa40c9d9af8012ec40ff8 Author: Masami Hiramatsu Date: Wed Oct 28 23:31:10 2020 +0900 x86/kprobes: Restore BTF if the single-stepping is cancelled [ Upstream commit 78ff2733ff352175eb7f4418a34654346e1b6cd2 ] Fix to restore BTF if single-stepping causes a page fault and it is cancelled. Usually the BTF flag was restored when the single stepping is done (in resume_execution()). However, if a page fault happens on the single stepping instruction, the fault handler is invoked and the single stepping is cancelled. Thus, the BTF flag is not restored. Fixes: 1ecc798c6764 ("x86: debugctlmsr kprobes") Signed-off-by: Masami Hiramatsu Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/160389546985.106936.12727996109376240993.stgit@devnote2 Signed-off-by: Sasha Levin commit 353b19562a03d5605b90abc2858c2b7d305527c1 Author: Cheng Lin Date: Tue Dec 1 07:06:35 2020 -0500 nfs_common: need lock during iterate through the list [ Upstream commit 4a9d81caf841cd2c0ae36abec9c2963bf21d0284 ] If the elem is deleted during be iterated on it, the iteration process will fall into an endless loop. kernel: NMI watchdog: BUG: soft lockup - CPU#4 stuck for 22s! [nfsd:17137] PID: 17137  TASK: ffff8818d93c0000  CPU: 4   COMMAND: "nfsd"     [exception RIP: __state_in_grace+76]     RIP: ffffffffc00e817c  RSP: ffff8818d3aefc98  RFLAGS: 00000246     RAX: ffff881dc0c38298  RBX: ffffffff81b03580  RCX: ffff881dc02c9f50     RDX: ffff881e3fce8500  RSI: 0000000000000001  RDI: ffffffff81b03580     RBP: ffff8818d3aefca0   R8: 0000000000000020   R9: ffff8818d3aefd40     R10: ffff88017fc03800  R11: ffff8818e83933c0  R12: ffff8818d3aefd40     R13: 0000000000000000  R14: ffff8818e8391068  R15: ffff8818fa6e4000     CS: 0010  SS: 0018  #0 [ffff8818d3aefc98] opens_in_grace at ffffffffc00e81e3 [grace]  #1 [ffff8818d3aefca8] nfs4_preprocess_stateid_op at ffffffffc02a3e6c [nfsd]  #2 [ffff8818d3aefd18] nfsd4_write at ffffffffc028ed5b [nfsd]  #3 [ffff8818d3aefd80] nfsd4_proc_compound at ffffffffc0290a0d [nfsd]  #4 [ffff8818d3aefdd0] nfsd_dispatch at ffffffffc027b800 [nfsd]  #5 [ffff8818d3aefe08] svc_process_common at ffffffffc02017f3 [sunrpc]  #6 [ffff8818d3aefe70] svc_process at ffffffffc0201ce3 [sunrpc]  #7 [ffff8818d3aefe98] nfsd at ffffffffc027b117 [nfsd]  #8 [ffff8818d3aefec8] kthread at ffffffff810b88c1  #9 [ffff8818d3aeff50] ret_from_fork at ffffffff816d1607 The troublemake elem: crash> lock_manager ffff881dc0c38298 struct lock_manager {   list = {     next = 0xffff881dc0c38298,     prev = 0xffff881dc0c38298   },   block_opens = false } Fixes: c87fb4a378f9 ("lockd: NLM grace period shouldn't block NFSv4 opens") Signed-off-by: Cheng Lin  Signed-off-by: Yi Wang  Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 48ed3e57ad58ecb9efea8c4d2d68edd727b36ddc Author: kazuo ito Date: Fri Nov 27 15:26:59 2020 +0900 nfsd: Fix message level for normal termination [ Upstream commit 4420440c57892779f265108f46f83832a88ca795 ] The warning message from nfsd terminating normally can confuse system adminstrators or monitoring software. Though it's not exactly fair to pin-point a commit where it originated, the current form in the current place started to appear in: Fixes: e096bbc6488d ("knfsd: remove special handling for SIGHUP") Signed-off-by: kazuo ito Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit b4ac244716f34fcde69996269dcb200562be9e0e Author: Yang Yingliang Date: Tue Nov 17 09:22:29 2020 +0800 speakup: fix uninitialized flush_lock [ Upstream commit d1b928ee1cfa965a3327bbaa59bfa005d97fa0fe ] The flush_lock is uninitialized, use DEFINE_SPINLOCK to define and initialize flush_lock. Fixes: c6e3fd22cd53 ("Staging: add speakup to the staging directory") Reported-by: Hulk Robot Reviewed-by: Samuel Thibault Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20201117012229.3395186-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 989d5272364397c358cd43d1f2a5f717c973f128 Author: Zhang Qilong Date: Mon Nov 23 22:58:09 2020 +0800 usb: oxu210hp-hcd: Fix memory leak in oxu_create [ Upstream commit e5548b05631ec3e6bfdaef1cad28c799545b791b ] usb_create_hcd will alloc memory for hcd, and we should call usb_put_hcd to free it when adding fails to prevent memory leak. Fixes: b92a78e582b1a ("usb host: Oxford OXU210HP HCD driver") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201123145809.1456541-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2addd726083fe2fd2c61ffcc2ac1c77427612790 Author: Zhang Qilong Date: Mon Nov 23 22:57:19 2020 +0800 usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe [ Upstream commit d6ff32478d7e95d6ca199b5c852710d6964d5811 ] The pm_runtime_enable will decrement the power disable depth. Imbalance depth will resulted in enabling runtime PM of device fails later. Thus a pairing decrement must be needed on the error handling path to keep it balanced. Fixes: 6c984b066d84b ("ARM: OMAP: USBHOST: Replace usbhs core driver APIs by Runtime pm APIs") Acked-by: Alan Stern Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201123145719.1455849-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3f72486cececf9ab42aca61210fd140c1079d166 Author: Christophe Leroy Date: Wed Dec 9 05:29:21 2020 +0000 powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S [ Upstream commit 7ceb40027e19567a0a066e3b380cc034cdd9a124 ] The verification and message introduced by commit 374f3f5979f9 ("powerpc/mm/hash: Handle user access of kernel address gracefully") applies to all platforms, it should not be limited to BOOK3S. Make the BOOK3S version of sanity_check_fault() the one for all, and bail out earlier if not BOOK3S. Fixes: 374f3f5979f9 ("powerpc/mm/hash: Handle user access of kernel address gracefully") Signed-off-by: Christophe Leroy Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/fe199d5af3578d3bf80035d203a94d742a7a28af.1607491748.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit a696ed262e83d0d6a1d338b96cde5ad5c272b284 Author: Chuhong Yuan Date: Fri Dec 4 14:36:10 2020 +0800 ASoC: amd: change clk_get() to devm_clk_get() and add missed checks [ Upstream commit 95d3befbc5e1ee39fc8a78713924cf7ed2b3cabe ] cz_da7219_init() does not check the return values of clk_get(), while da7219_clk_enable() calls clk_set_rate() to dereference the pointers. Add checks to fix the problems. Also, change clk_get() to devm_clk_get() to avoid data leak after failures. Fixes: bb24a31ed584 ("ASoC: AMD: Configure wclk and bclk of master codec") Signed-off-by: Chuhong Yuan Link: https://lore.kernel.org/r/20201204063610.513556-1-hslester96@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 972db497be45b489d0ed689a8c5704fd3db1e6b2 Author: Colin Ian King Date: Mon Dec 7 15:09:37 2020 +0000 drm/mediatek: avoid dereferencing a null hdmi_phy on an error message [ Upstream commit b097efba9580d1f7cbc80cda84e768983e3de541 ] Currently there is a null pointer check for hdmi_phy that implies it may be null, however a dev_err messages dereferences this potential null pointer. Avoid a null pointer dereference by only emitting the dev_err message if hdmi_phy is non-null. It is a moot point if the error message needs to be printed at all, but since this is a relatively new piece of code it may be useful to keep the message in for the moment in case there are unforseen errors that need to be reported. Fixes: be28b6507c46 ("drm/mediatek: separate hdmi phy to different file") Signed-off-by: Colin Ian King Addresses-Coverity: ("Dereference after null check") Link: https://lore.kernel.org/r/20201207150937.170435-1-colin.king@canonical.com [vkoul: fix indent of return call] Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ef55a3c384ccae78928a83ad71f8b68fe5ae395d Author: Nathan Lynch Date: Mon Dec 7 15:51:56 2020 -0600 powerpc/pseries/hibernation: remove redundant cacheinfo update [ Upstream commit b866459489fe8ef0e92cde3cbd6bbb1af6c4e99b ] Partitions with cache nodes in the device tree can encounter the following warning on resume: CPU 0 already accounted in PowerPC,POWER9@0(Data) WARNING: CPU: 0 PID: 3177 at arch/powerpc/kernel/cacheinfo.c:197 cacheinfo_cpu_online+0x640/0x820 These calls to cacheinfo_cpu_offline/online have been redundant since commit e610a466d16a ("powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration"). Fixes: e610a466d16a ("powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201207215200.1785968-25-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit c4115721d1f017170e7230d3324dfd841d9254a4 Author: Nathan Lynch Date: Mon Dec 7 15:51:49 2020 -0600 powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops [ Upstream commit 52719fce3f4c7a8ac9eaa191e8d75a697f9fbcbc ] There are three ways pseries_suspend_begin() can be reached: 1. When "mem" is written to /sys/power/state: kobj_attr_store() -> state_store() -> pm_suspend() -> suspend_devices_and_enter() -> pseries_suspend_begin() This never works because there is no way to supply a valid stream id using this interface, and H_VASI_STATE is called with a stream id of zero. So this call path is useless at best. 2. When a stream id is written to /sys/devices/system/power/hibernate. pseries_suspend_begin() is polled directly from store_hibernate() until the stream is in the "Suspending" state (i.e. the platform is ready for the OS to suspend execution): dev_attr_store() -> store_hibernate() -> pseries_suspend_begin() 3. When a stream id is written to /sys/devices/system/power/hibernate (continued). After #2, pseries_suspend_begin() is called once again from the pm core: dev_attr_store() -> store_hibernate() -> pm_suspend() -> suspend_devices_and_enter() -> pseries_suspend_begin() This is redundant because the VASI suspend state is already known to be Suspending. The begin() callback of platform_suspend_ops is optional, so we can simply remove that assignment with no loss of function. Fixes: 32d8ad4e621d ("powerpc/pseries: Partition hibernation support") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201207215200.1785968-18-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit 570697132c2c9fc9f491c62b190dd714de51fd03 Author: Vadim Pasternak Date: Mon Dec 7 19:47:44 2020 +0200 platform/x86: mlx-platform: Fix item counter assignment for MSN2700, MSN24xx systems [ Upstream commit ba4939f1dd46dde08c2f9b9d7ac86ed3ea7ead86 ] Fix array names to match assignments for data items and data items counter in 'mlxplat_mlxcpld_default_items' structure for: .data = mlxplat_mlxcpld_default_pwr_items_data, .count = ARRAY_SIZE(mlxplat_mlxcpld_pwr), and .data = mlxplat_mlxcpld_default_fan_items_data, .count = ARRAY_SIZE(mlxplat_mlxcpld_fan), Replace: - 'mlxplat_mlxcpld_pwr' by 'mlxplat_mlxcpld_default_pwr_items_data' for ARRAY_SIZE() calculation. - 'mlxplat_mlxcpld_fan' by 'mlxplat_mlxcpld_default_fan_items_data' for ARRAY_SIZE() calculation. Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface") Signed-off-by: Vadim Pasternak Link: https://lore.kernel.org/r/20201207174745.22889-2-vadimp@nvidia.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit a247efe47743f37e7a9546f95dad641b86d86e27 Author: Zhang Changzhong Date: Fri Dec 4 15:47:39 2020 +0800 scsi: fnic: Fix error return code in fnic_probe() [ Upstream commit d4fc94fe65578738ded138e9fce043db6bfc3241 ] Return a negative error code from the error handling case instead of 0 as done elsewhere in this function. Link: https://lore.kernel.org/r/1607068060-31203-1-git-send-email-zhangchangzhong@huawei.com Fixes: 5df6d737dd4b ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA") Reported-by: Hulk Robot Reviewed-by: Karan Tilak Kumar Signed-off-by: Zhang Changzhong Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0e724f2e80ba23afaada081528c13950bdb4630e Author: Arnd Bergmann Date: Mon Oct 26 17:10:58 2020 +0100 seq_buf: Avoid type mismatch for seq_buf_init [ Upstream commit d9a9280a0d0ae51dc1d4142138b99242b7ec8ac6 ] Building with W=2 prints a number of warnings for one function that has a pointer type mismatch: linux/seq_buf.h: In function 'seq_buf_init': linux/seq_buf.h:35:12: warning: pointer targets in assignment from 'unsigned char *' to 'char *' differ in signedness [-Wpointer-sign] Change the type in the function prototype according to the type in the structure. Link: https://lkml.kernel.org/r/20201026161108.3707783-1-arnd@kernel.org Fixes: 9a7777935c34 ("tracing: Convert seq_buf fields to be like seq_file fields") Reviewed-by: Cezary Rojewski Signed-off-by: Arnd Bergmann Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 0b93626d3965dbb62c9bed2cbfd2430fac7de377 Author: Zhang Qilong Date: Sat Dec 5 19:55:51 2020 +0800 scsi: pm80xx: Fix error return in pm8001_pci_probe() [ Upstream commit 97031ccffa4f62728602bfea8439dd045cd3aeb2 ] The driver did not return an error in the case where pm8001_configure_phy_settings() failed. Use rc to store the return value of pm8001_configure_phy_settings(). Link: https://lore.kernel.org/r/20201205115551.2079471-1-zhangqilong3@huawei.com Fixes: 279094079a44 ("[SCSI] pm80xx: Phy settings support for motherboard controller.") Acked-by: Jack Wang Signed-off-by: Zhang Qilong Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 79e14f1c323c66e083c30c28101941d1c82600b9 Author: Qinglang Miao Date: Mon Nov 9 17:15:18 2020 +0800 scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe [ Upstream commit 62eebd5247c4e4ce08826ad5995cf4dd7ce919dd ] Add the missing destroy_workqueue() before return from __qedi_probe in the error handling case when fails to create workqueue qedi->offload_thread. Link: https://lore.kernel.org/r/20201109091518.55941-1-miaoqinglang@huawei.com Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Reviewed-by: Mike Christie Signed-off-by: Qinglang Miao Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 172bb906202fead396c7bd1e9342340e5214066e Author: Stefan Agner Date: Mon Dec 7 18:58:02 2020 +0100 arm64: dts: meson: g12a: x96-max: fix PHY deassert timing requirements [ Upstream commit 3d07c3b3a886fefd583c1b485b5e4e3c4e2da493 ] According to the datasheet (Rev. 1.9) the RTL8211F requires at least 72ms "for internal circuits settling time" before accessing the PHY registers. On similar boards with the same PHY this fixes an issue where Ethernet link would not come up when using ip link set down/up. Fixes: ed5e8f689154 ("arm64: dts: meson: g12a: x96-max: fix the Ethernet PHY reset line") Reviewed-by: Martin Blumenstingl Signed-off-by: Stefan Agner Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/12506964ca5d5f936579a280ad0a7e7f9a0a2d4c.1607363522.git.stefan@agner.ch Signed-off-by: Sasha Levin commit 13f4c61d2f5c3502f37e57df3d3ff2b5102b7be7 Author: Stefan Agner Date: Mon Dec 7 18:58:01 2020 +0100 ARM: dts: meson: fix PHY deassert timing requirements [ Upstream commit 656ab1bdcd2b755dc161a9774201100d5bf74b8d ] According to the datasheet (Rev. 1.9) the RTL8211F requires at least 72ms "for internal circuits settling time" before accessing the PHY registers. On similar boards with the same PHY this fixes an issue where Ethernet link would not come up when using ip link set down/up. Fixes: a2c6e82e5341 ("ARM: dts: meson: switch to the generic Ethernet PHY reset bindings") Reviewed-by: Martin Blumenstingl Tested-by: Martin Blumenstingl # on Odroid-C1+ Signed-off-by: Stefan Agner Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/ff78772b306411e145769c46d4090554344db41e.1607363522.git.stefan@agner.ch Signed-off-by: Sasha Levin commit 154105c0ba5649fa998ca0c12cf41e673bd89e4d Author: Stefan Agner Date: Mon Dec 7 18:58:00 2020 +0100 arm64: dts: meson: fix PHY deassert timing requirements [ Upstream commit c183c406c4321002fe85b345b51bc1a3a04b6d33 ] According to the datasheet (Rev. 1.9) the RTL8211F requires at least 72ms "for internal circuits settling time" before accessing the PHY registers. This fixes an issue seen on ODROID-C2 where the Ethernet link doesn't come up when using ip link set down/up: [ 6630.714855] meson8b-dwmac c9410000.ethernet eth0: Link is Down [ 6630.785775] meson8b-dwmac c9410000.ethernet eth0: PHY [stmmac-0:00] driver [RTL8211F Gigabit Ethernet] (irq=36) [ 6630.893071] meson8b-dwmac c9410000.ethernet: Failed to reset the dma [ 6630.893800] meson8b-dwmac c9410000.ethernet eth0: stmmac_hw_setup: DMA engine initialization failed [ 6630.902835] meson8b-dwmac c9410000.ethernet eth0: stmmac_open: Hw setup failed Fixes: f29cabf240ed ("arm64: dts: meson: use the generic Ethernet PHY reset GPIO bindings") Reviewed-by: Martin Blumenstingl Signed-off-by: Stefan Agner Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/4a322c198b86e4c8b3dda015560a683babea4d63.1607363522.git.stefan@agner.ch Signed-off-by: Sasha Levin commit 62b240d2644ed9630c11ed53999343e83d9df272 Author: Jing Xiangfeng Date: Tue Nov 17 10:43:32 2020 +0800 Bluetooth: btmtksdio: Add the missed release_firmware() in mtk_setup_firmware() [ Upstream commit b73b5781a85c03113476f62346c390f0277baa4b ] mtk_setup_firmware() misses to call release_firmware() in an error path. Jump to free_fw to fix it. Fixes: 737cd06072a7 ("Bluetooth: btmtksdio: fix up firmware download sequence") Signed-off-by: Jing Xiangfeng Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Sasha Levin commit 097c4d9921b2be0ca10c91ee32bc634505d90ec4 Author: Jing Xiangfeng Date: Tue Nov 17 10:59:17 2020 +0800 Bluetooth: btusb: Add the missed release_firmware() in btusb_mtk_setup_firmware() [ Upstream commit d1e9d232e1e60fa63df1b836ec3ecba5abd3fa9d ] btusb_mtk_setup_firmware() misses to call release_firmware() in an error path. Jump to err_release_fw to fix it. Fixes: f645125711c8 ("Bluetooth: btusb: fix up firmware download sequence") Signed-off-by: Jing Xiangfeng Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Sasha Levin commit 3d3caa8e971d07ccdba13a351c46b4cc9d751b0c Author: Pali Rohár Date: Tue Nov 3 16:11:38 2020 +0100 cpufreq: scpi: Add missing MODULE_ALIAS [ Upstream commit c0382d049d2def37b81e907a8b22661a4a4a6eb5 ] This patch adds missing MODULE_ALIAS for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 8def31034d033 ("cpufreq: arm_big_little: add SCPI interface driver") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 6e34c9478fe51215c91a68771c89448cc6e55006 Author: Pali Rohár Date: Tue Nov 3 16:11:37 2020 +0100 cpufreq: loongson1: Add missing MODULE_ALIAS [ Upstream commit b9acab091842ca8b288882798bb809f7abf5408a ] This patch adds missing MODULE_ALIAS for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: a0a22cf14472f ("cpufreq: Loongson1: Add cpufreq driver for Loongson1B") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 3e3feeb0d2ba8354ba0e0ac74ebb5f0ca281fffa Author: Pali Rohár Date: Tue Nov 3 16:11:36 2020 +0100 cpufreq: sun50i: Add missing MODULE_DEVICE_TABLE [ Upstream commit af2096f285077e3339eb835ad06c50bdd59f01b5 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: f328584f7bff8 ("cpufreq: Add sun50i nvmem based CPU scaling driver") Reviewed-by: Yangtao Li Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit ef802b5a5e260e93171b273d99f68b5ae11a9a4c Author: Pali Rohár Date: Tue Nov 3 16:11:35 2020 +0100 cpufreq: st: Add missing MODULE_DEVICE_TABLE [ Upstream commit 183747ab52654eb406fc6b5bfb40806b75d31811 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: ab0ea257fc58d ("cpufreq: st: Provide runtime initialised driver for ST's platforms") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 742697643c94e1be3e54044eca2d6721b35aa442 Author: Pali Rohár Date: Tue Nov 3 16:11:34 2020 +0100 cpufreq: qcom: Add missing MODULE_DEVICE_TABLE [ Upstream commit a5a6031663bc1dd0a10babd49d1bcb3153a8327f ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 46e2856b8e188 ("cpufreq: Add Kryo CPU scaling driver") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit c9d204c02825c0352ad5303fe8ad34486573a969 Author: Pali Rohár Date: Tue Nov 3 16:11:33 2020 +0100 cpufreq: mediatek: Add missing MODULE_DEVICE_TABLE [ Upstream commit af6eca06501118af3e2ad46eee8edab20624b74e ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 501c574f4e3a5 ("cpufreq: mediatek: Add support of cpufreq to MT2701/MT7623 SoC") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit f3754eec127d5abf984b9c5e83c59ed526d05e4a Author: Pali Rohár Date: Tue Nov 3 16:11:32 2020 +0100 cpufreq: highbank: Add missing MODULE_DEVICE_TABLE [ Upstream commit 9433777a6e0aae27468d3434b75cd51bb88ff711 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: 6754f556103be ("cpufreq / highbank: add support for highbank cpufreq") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit e328362210178e3332396a58d5cd22324d87fd64 Author: Pali Rohár Date: Tue Nov 3 16:11:31 2020 +0100 cpufreq: ap806: Add missing MODULE_DEVICE_TABLE [ Upstream commit 925a5bcefe105f2790ecbdc252eb2315573f309d ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this cpufreq driver when it is compiled as an external module. Signed-off-by: Pali Rohár Fixes: f525a670533d9 ("cpufreq: ap806: add cpufreq driver for Armada 8K") Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 3b6ba2fe652484dcfc5c29a2479d8cda6d817295 Author: Keqian Zhu Date: Fri Dec 4 15:31:26 2020 +0800 clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI [ Upstream commit 8b7770b877d187bfdae1eaf587bd2b792479a31c ] ARM virtual counter supports event stream, it can only trigger an event when the trigger bit (the value of CNTKCTL_EL1.EVNTI) of CNTVCT_EL0 changes, so the actual period of event stream is 2^(cntkctl_evnti + 1). For example, when the trigger bit is 0, then virtual counter trigger an event for every two cycles. While we're at it, rework the way we compute the trigger bit position by making it more obvious that when bits [n:n-1] are both set (with n being the most significant bit), we pick bit (n + 1). Fixes: 037f637767a8 ("drivers: clocksource: add support for ARM architected timer event stream") Suggested-by: Marc Zyngier Signed-off-by: Keqian Zhu Acked-by: Marc Zyngier Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201204073126.6920-3-zhukeqian1@huawei.com Signed-off-by: Sasha Levin commit b4219894d1542f118ed8ee85b5dc1567a3149368 Author: Keqian Zhu Date: Fri Dec 4 15:31:25 2020 +0800 clocksource/drivers/arm_arch_timer: Use stable count reader in erratum sne [ Upstream commit d8cc3905b8073c7cfbff94af889fa8dc71f21dd5 ] In commit 0ea415390cd3 ("clocksource/arm_arch_timer: Use arch_timer_read_counter to access stable counters"), we separate stable and normal count reader to omit unnecessary overhead on systems that have no timer erratum. However, in erratum_set_next_event_tval_generic(), count reader becomes normal reader. This converts it to stable reader. Fixes: 0ea415390cd3 ("clocksource/arm_arch_timer: Use arch_timer_read_counter to access stable counters") Acked-by: Marc Zyngier Signed-off-by: Keqian Zhu Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201204073126.6920-2-zhukeqian1@huawei.com Signed-off-by: Sasha Levin commit e223cf39b9281f6973708fefd6e6b7be999a50d7 Author: Wang Li Date: Thu Nov 26 10:44:12 2020 +0800 phy: renesas: rcar-gen3-usb2: disable runtime pm in case of failure [ Upstream commit 51e339deab1e51443f6ac3b1bd5cd6cc8e8fe1d9 ] pm_runtime_enable() will decrease power disable depth. Thus a pairing increment is needed on the error handling path to keep it balanced. Fixes: 5d8042e95fd4 ("phy: rcar-gen3-usb2: Add support for r8a77470") Reported-by: Hulk Robot Signed-off-by: Wang Li Link: https://lore.kernel.org/r/20201126024412.4046845-1-wangli74@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 675b3ba9cc96e64c51d0e39fd6098ca07fd50b09 Author: Qinglang Miao Date: Sat Nov 28 18:19:59 2020 +0800 dm ioctl: fix error return code in target_message [ Upstream commit 4d7659bfbe277a43399a4a2d90fca141e70f29e1 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 2ca4c92f58f9 ("dm ioctl: prevent empty message") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit d863d76536df8ad7a87b49e7144abd53392e61f1 Author: Chuhong Yuan Date: Thu Dec 3 22:42:27 2020 +0800 ASoC: jz4740-i2s: add missed checks for clk_get() [ Upstream commit 1c1fb2653a0c2e3f310c07eacd8fc3a10e08c97a ] jz4740_i2s_set_sysclk() does not check the return values of clk_get(), while the file dereferences the pointers in clk_put(). Add the missed checks to fix it. Fixes: 11bd3dd1b7c2 ("ASoC: Add JZ4740 ASoC support") Signed-off-by: Chuhong Yuan Link: https://lore.kernel.org/r/20201203144227.418194-1-hslester96@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1b760dc9d96762b42f0780954d6c2d940d5be287 Author: Leon Romanovsky Date: Thu Oct 15 14:52:00 2020 +0300 net/mlx5: Properly convey driver version to firmware [ Upstream commit 907af0f0cab4ee5d5604f182ecec2c5b5119d294 ] mlx5 firmware expects driver version in specific format X.X.X, so make it always correct and based on real kernel version aligned with the driver. Fixes: 012e50e109fd ("net/mlx5: Set driver version into firmware") Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit a64822872957e24b617797f62d5218edb313cdce Author: Alexander Sverdlin Date: Thu Dec 3 13:36:48 2020 +0100 MIPS: Don't round up kernel sections size for memblock_add() [ Upstream commit d121f125af22a16f0f679293756d28a9691fa46d ] Linux doesn't own the memory immediately after the kernel image. On Octeon bootloader places a shared structure right close after the kernel _end, refer to "struct cvmx_bootinfo *octeon_bootinfo" in cavium-octeon/setup.c. If check_kernel_sections_mem() rounds the PFNs up, first memblock_alloc() inside early_init_dt_alloc_memory_arch() <= device_tree_init() returns memory block overlapping with the above octeon_bootinfo structure, which is being overwritten afterwards. Fixes: a94e4f24ec83 ("MIPS: init: Drop boot_mem_map") Signed-off-by: Alexander Sverdlin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 33eeb395515d2a9d956bd1eb4726138919296b42 Author: Jing Xiangfeng Date: Wed Nov 25 09:47:18 2020 +0800 memstick: r592: Fix error return in r592_probe() [ Upstream commit db29d3d1c2451e673e29c7257471e3ce9d50383a ] Fix to return a error code from the error handling case instead of 0. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Jing Xiangfeng Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit e39b37d6a2ce2dc484bddf944f3aaff0b5e74343 Author: Chen-Yu Tsai Date: Fri Dec 4 14:48:05 2020 +0800 arm64: dts: rockchip: Fix UART pull-ups on rk3328 [ Upstream commit 94dad6bed3c86c00050bf7c2b2ad6b630facae31 ] For UARTs, the local pull-ups should be on the RX pin, not the TX pin. UARTs transmit active-low, so a disconnected RX pin should be pulled high instead of left floating to prevent noise being interpreted as transmissions. This gets rid of bogus sysrq events when the UART console is not connected. Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20201204064805.6480-1-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 33892a3797f1a0ded27de7077cc69ce1d3668486 Author: Yu Kuai Date: Thu Nov 19 09:12:19 2020 +0800 pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe() [ Upstream commit 89cce2b3f247a434ee174ab6803698041df98014 ] if of_find_device_by_node() succeed, pinctrl_falcon_probe() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: e316cb2b16bb ("OF: pinctrl: MIPS: lantiq: adds support for FALCON SoC") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20201119011219.2248232-1-yukuai3@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 08e22710601a33464cbec3d2d371cb992738256c Author: Andrii Nakryiko Date: Thu Dec 3 12:46:21 2020 -0800 bpf: Fix bpf_put_raw_tracepoint()'s use of __module_address() [ Upstream commit 12cc126df82c96c89706aa207ad27c56f219047c ] __module_address() needs to be called with preemption disabled or with module_mutex taken. preempt_disable() is enough for read-only uses, which is what this fix does. Also, module_put() does internal check for NULL, so drop it as well. Fixes: a38d1107f937 ("bpf: support raw tracepoints in modules") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20201203204634.1325171-2-andrii@kernel.org Signed-off-by: Sasha Levin commit e02d218aa63d20db01ed3af17fa3b5b33f7c02b0 Author: Claudiu Beznea Date: Wed Dec 2 11:57:05 2020 +0200 ARM: dts: at91: sama5d2: map securam as device [ Upstream commit 9b5dcc8d427e2bcb84c49eb03ffefe11e7537a55 ] Due to strobe signal not being propagated from CPU to securam the securam needs to be mapped as device or strongly ordered memory to work properly. Otherwise, updating to one offset may affect the adjacent locations in securam. Fixes: d4ce5f44d4409 ("ARM: dts: at91: sama5d2: Add securam node") Signed-off-by: Claudiu Beznea Signed-off-by: Alexandre Belloni Acked-by: Nicolas Ferre Link: https://lore.kernel.org/r/1606903025-14197-3-git-send-email-claudiu.beznea@microchip.com Signed-off-by: Sasha Levin commit da8890329599b16ef730c0add294add8937dfdcf Author: Lars-Peter Clausen Date: Tue Nov 17 11:37:50 2020 +0100 iio: hrtimer-trigger: Mark hrtimer to expire in hard interrupt context [ Upstream commit 0178297c1e6898e2197fe169ef3be723e019b971 ] On PREEMPT_RT enabled kernels unmarked hrtimers are moved into soft interrupt expiry mode by default. The IIO hrtimer-trigger needs to run in hard interrupt context since it will end up calling generic_handle_irq() which has the requirement to run in hard interrupt context. Explicitly specify that the timer needs to run in hard interrupt context by using the HRTIMER_MODE_REL_HARD flag. Fixes: f5c2f0215e36 ("hrtimer: Move unmarked hrtimers to soft interrupt expiry on RT") Reported-by: Christian Eggers Signed-off-by: Lars-Peter Clausen Acked-by: Sebastian Andrzej Siewior Link: https://lore.kernel.org/r/20201117103751.16131-1-lars@metafoo.de Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit d903b80e1abc85de283917a76e508d4b35db2758 Author: Yu Kuai Date: Mon Nov 16 21:51:23 2020 +0800 clocksource/drivers/cadence_ttc: Fix memory leak in ttc_setup_clockevent() [ Upstream commit eee422c46e6840a81c9db18a497b74387a557b29 ] If clk_notifier_register() failed, ttc_setup_clockevent() will return without freeing 'ttcce', which will leak memory. Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") Reported-by: Hulk Robot Signed-off-by: Yu Kuai Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201116135123.2164033-1-yukuai3@huawei.com Signed-off-by: Sasha Levin commit 742d5de6c2fc7fa1d514ab13afa125c3c990a6b5 Author: Yang Yingliang Date: Wed Nov 11 14:47:06 2020 +0800 clocksource/drivers/orion: Add missing clk_disable_unprepare() on error path [ Upstream commit c1e6cad00aa2f17845e7270e38ff3cc82c7b022a ] After calling clk_prepare_enable(), clk_disable_unprepare() need be called on error path. Fixes: fbe4b3566ddc ("clocksource/drivers/orion: Convert init function...") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20201111064706.3397156-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 40f9ac2b02951d3b261d13c93e59ae76ee5c1b5e Author: Jordan Niethe Date: Mon Nov 30 11:44:04 2020 +1100 powerpc/64: Fix an EMIT_BUG_ENTRY in head_64.S [ Upstream commit fe18a35e685c9bdabc8b11b3e19deb85a068b75d ] Commit 63ce271b5e37 ("powerpc/prom: convert PROM_BUG() to standard trap") added an EMIT_BUG_ENTRY for the trap after the branch to start_kernel(). The EMIT_BUG_ENTRY was for the address "0b", however the trap was not labeled with "0". Hence the address used for bug is in relative_toc() where the previous "0" label is. Label the trap as "0" so the correct address is used. Fixes: 63ce271b5e37 ("powerpc/prom: convert PROM_BUG() to standard trap") Signed-off-by: Jordan Niethe Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201130004404.30953-1-jniethe5@gmail.com Signed-off-by: Sasha Levin commit 4968cc5ed0c0bdf7e7fd2978afd39d705ed3b223 Author: Athira Rajeev Date: Mon Nov 23 21:40:40 2020 -0500 powerpc/perf: Fix crash with is_sier_available when pmu is not set [ Upstream commit f75e7d73bdf73f07b0701a6d21c111ef5d9021dd ] On systems without any specific PMU driver support registered, running 'perf record' with —intr-regs will crash ( perf record -I ). The relevant portion from crash logs and Call Trace: Unable to handle kernel paging request for data at address 0x00000068 Faulting instruction address: 0xc00000000013eb18 Oops: Kernel access of bad area, sig: 11 [#1] CPU: 2 PID: 13435 Comm: kill Kdump: loaded Not tainted 4.18.0-193.el8.ppc64le #1 NIP: c00000000013eb18 LR: c000000000139f2c CTR: c000000000393d80 REGS: c0000004a07ab4f0 TRAP: 0300 Not tainted (4.18.0-193.el8.ppc64le) NIP [c00000000013eb18] is_sier_available+0x18/0x30 LR [c000000000139f2c] perf_reg_value+0x6c/0xb0 Call Trace: [c0000004a07ab770] [c0000004a07ab7c8] 0xc0000004a07ab7c8 (unreliable) [c0000004a07ab7a0] [c0000000003aa77c] perf_output_sample+0x60c/0xac0 [c0000004a07ab840] [c0000000003ab3f0] perf_event_output_forward+0x70/0xb0 [c0000004a07ab8c0] [c00000000039e208] __perf_event_overflow+0x88/0x1a0 [c0000004a07ab910] [c00000000039e42c] perf_swevent_hrtimer+0x10c/0x1d0 [c0000004a07abc50] [c000000000228b9c] __hrtimer_run_queues+0x17c/0x480 [c0000004a07abcf0] [c00000000022aaf4] hrtimer_interrupt+0x144/0x520 [c0000004a07abdd0] [c00000000002a864] timer_interrupt+0x104/0x2f0 [c0000004a07abe30] [c0000000000091c4] decrementer_common+0x114/0x120 When perf record session is started with "-I" option, capturing registers on each sample calls is_sier_available() to check for the SIER (Sample Instruction Event Register) availability in the platform. This function in core-book3s accesses 'ppmu->flags'. If a platform specific PMU driver is not registered, ppmu is set to NULL and accessing its members results in a crash. Fix the crash by returning false in is_sier_available() if ppmu is not set. Fixes: 333804dc3b7a ("powerpc/perf: Update perf_regs structure to include SIER") Reported-by: Sachin Sant Signed-off-by: Athira Rajeev Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1606185640-1720-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit b0483a32d163b85f0afbd158ca5f8936cd3d8106 Author: Dan Carpenter Date: Tue Nov 17 08:23:40 2020 +0100 media: saa7146: fix array overflow in vidioc_s_audio() [ Upstream commit 8e4d86e241cf035d6d3467cd346e7ce490681937 ] The "a->index" value comes from the user via the ioctl. The problem is that the shift can wrap resulting in setting "mxb->cur_audinput" to an invalid value, which later results in an array overflow. Fixes: 6680427791c9 ("[media] mxb: fix audio handling") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bfdf000e5dd92a97938446ba4524d659f3f1e533 Author: Zhang Qilong Date: Wed Dec 2 22:53:20 2020 +0800 hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable [ Upstream commit bce776f10069c806290eaac712ba73432ae8ecd7 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. It depends on the mainline commit[PM: runtime: Add pm_runtime_resume_and_get to deal with usagecounter]. Fixes: 323aeb0eb5d9a ("hwmon: (ina3221) Add PM runtime support") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201202145320.1135614-1-zhangqilong3@huawei.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit a0f07c9ad72d7ac983cc3ca766b27ff1de63b8c4 Author: Jason Gunthorpe Date: Thu Nov 5 12:34:58 2020 -0400 vfio-pci: Use io_remap_pfn_range() for PCI IO memory [ Upstream commit 7b06a56d468b756ad6bb43ac21b11e474ebc54a0 ] commit f8f6ae5d077a ("mm: always have io_remap_pfn_range() set pgprot_decrypted()") allows drivers using mmap to put PCI memory mapped BAR space into userspace to work correctly on AMD SME systems that default to all memory encrypted. Since vfio_pci_mmap_fault() is working with PCI memory mapped BAR space it should be calling io_remap_pfn_range() otherwise it will not work on SME systems. Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") Signed-off-by: Jason Gunthorpe Acked-by: Peter Xu Tested-by: Tom Lendacky Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 5ac81a4e5fa3ae9a5c4c0793d3d630b68fe2ef2e Author: Mickaël Salaün Date: Wed Dec 2 17:26:43 2020 +0100 selftests/seccomp: Update kernel config [ Upstream commit 2c07343abd8932200a45ff7b10950e71081e9e77 ] seccomp_bpf.c uses unshare(CLONE_NEWPID), which requires CONFIG_PID_NS to be set. Cc: Kees Cook Cc: Shuah Khan Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Mickaël Salaün Acked-by: Tycho Andersen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201202162643.249276-1-mic@digikod.net Signed-off-by: Sasha Levin commit 0588b8a034693c097dabce9e398ac67268f52f1e Author: NeilBrown Date: Fri Nov 27 11:24:33 2020 +1100 NFS: switch nfsiod to be an UNBOUND workqueue. [ Upstream commit bf701b765eaa82dd164d65edc5747ec7288bb5c3 ] nfsiod is currently a concurrency-managed workqueue (CMWQ). This means that workitems scheduled to nfsiod on a given CPU are queued behind all other work items queued on any CMWQ on the same CPU. This can introduce unexpected latency. Occaionally nfsiod can even cause excessive latency. If the work item to complete a CLOSE request calls the final iput() on an inode, the address_space of that inode will be dismantled. This takes time proportional to the number of in-memory pages, which on a large host working on large files (e.g.. 5TB), can be a large number of pages resulting in a noticable number of seconds. We can avoid these latency problems by switching nfsiod to WQ_UNBOUND. This causes each concurrent work item to gets a dedicated thread which can be scheduled to an idle CPU. There is precedent for this as several other filesystems use WQ_UNBOUND workqueue for handling various async events. Signed-off-by: NeilBrown Fixes: ada609ee2ac2 ("workqueue: use WQ_MEM_RECLAIM instead of WQ_RESCUER") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 1094bd2edaa2fffd6fe1bbd995327c74eab7290a Author: Calum Mackay Date: Wed Oct 28 20:16:27 2020 +0000 lockd: don't use interval-based rebinding over TCP [ Upstream commit 9b82d88d5976e5f2b8015d58913654856576ace5 ] NLM uses an interval-based rebinding, i.e. it clears the transport's binding under certain conditions if more than 60 seconds have elapsed since the connection was last bound. This rebinding is not necessary for an autobind RPC client over a connection-oriented protocol like TCP. It can also cause problems: it is possible for nlm_bind_host() to clear XPRT_BOUND whilst a connection worker is in the middle of trying to reconnect, after it had already been checked in xprt_connect(). When the connection worker notices that XPRT_BOUND has been cleared under it, in xs_tcp_finish_connecting(), that results in: xs_tcp_setup_socket: connect returned unhandled error -107 Worse, it's possible that the two can get into lockstep, resulting in the same behaviour repeated indefinitely, with the above error every 300 seconds, without ever recovering, and the connection never being established. This has been seen in practice, with a large number of NLM client tasks, following a server restart. The existing callers of nlm_bind_host & nlm_rebind_host should not need to force the rebind, for TCP, so restrict the interval-based rebinding to UDP only. For TCP, we will still rebind when needed, e.g. on timeout, and connection error (including closure), since connection-related errors on an existing connection, ECONNREFUSED when trying to connect, and rpc_check_timeout(), already unconditionally clear XPRT_BOUND. To avoid having to add the fix, and explanation, to both nlm_bind_host() and nlm_rebind_host(), remove the duplicate code from the former, and have it call the latter. Drop the dprintk, which adds no value over a trace. Signed-off-by: Calum Mackay Fixes: 35f5a422ce1a ("SUNRPC: new interface to force an RPC rebind") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit cbb0a57326b8ab428e48c509b0bd1f5efb28fe92 Author: Fedor Tokarev Date: Thu Oct 15 16:59:08 2020 +0300 net: sunrpc: Fix 'snprintf' return value check in 'do_xprt_debugfs' [ Upstream commit 35a6d396721e28ba161595b0fc9e8896c00399bb ] 'snprintf' returns the number of characters which would have been written if enough space had been available, excluding the terminating null byte. Thus, the return value of 'sizeof(buf)' means that the last character has been dropped. Signed-off-by: Fedor Tokarev Fixes: 2f34b8bfae19 ("SUNRPC: add links for all client xprts to debugfs") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a0842124422eb4e33d1d80cb05cb10875652ac96 Author: Trond Myklebust Date: Fri Nov 13 21:42:16 2020 -0500 NFSv4: Fix the alignment of page data in the getdeviceinfo reply [ Upstream commit 046e5ccb4198b990190e11fb52fd9cfd264402eb ] We can fit the device_addr4 opaque data padding in the pages. Fixes: cf500bac8fd4 ("SUNRPC: Introduce rpc_prepare_reply_pages()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 73892eef6d9ed18aedab7c805b749f361b4e8203 Author: Trond Myklebust Date: Fri Nov 6 16:33:38 2020 -0500 SUNRPC: xprt_load_transport() needs to support the netid "rdma6" [ Upstream commit d5aa6b22e2258f05317313ecc02efbb988ed6d38 ] According to RFC5666, the correct netid for an IPv6 addressed RDMA transport is "rdma6", which we've supported as a mount option since Linux-4.7. The problem is when we try to load the module "xprtrdma6", that will fail, since there is no modulealias of that name. Fixes: 181342c5ebe8 ("xprtrdma: Add rdma6 option to support NFS/RDMA IPv6") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 2823b897937560822fe4eabac1ae71f07a1564e8 Author: Olga Kornievskaia Date: Fri Nov 6 16:03:38 2020 -0500 NFSv4.2: condition READDIR's mask for security label based on LSM state [ Upstream commit 05ad917561fca39a03338cb21fe9622f998b0f9c ] Currently, the client will always ask for security_labels if the server returns that it supports that feature regardless of any LSM modules (such as Selinux) enforcing security policy. This adds performance penalty to the READDIR operation. Client adjusts superblock's support of the security_label based on the server's support but also current client's configuration of the LSM modules. Thus, prior to using the default bitmask in READDIR, this patch checks the server's capabilities and then instructs READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask. v5: fixing silly mistakes of the rushed v4 v4: simplifying logic v3: changing label's initialization per Ondrej's comment v2: dropping selinux hook and using the sb cap. Suggested-by: Ondrej Mosnacek Suggested-by: Scott Mayhew Signed-off-by: Olga Kornievskaia Fixes: 2b0143b5c986 ("VFS: normal filesystems (and lustre): d_inode() annotations") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 04e9c169810c0a339083bf71a06fefb4ee817eda Author: Trond Myklebust Date: Thu Oct 22 17:40:33 2020 -0400 SUNRPC: rpc_wake_up() should wake up tasks in the correct order [ Upstream commit e4c72201b6ec3173dfe13fa2e2335a3ad78d4921 ] Currently, we wake up the tasks by priority queue ordering, which means that we ignore the batching that is supposed to help with QoS issues. Fixes: c049f8ea9a0d ("SUNRPC: Remove the bh-safe lock requirement on the rpc_wait_queue->lock") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a3ac7dd8b16ba82ecd0a89078c1954ade4e6564e Author: Christophe JAILLET Date: Tue Nov 24 17:59:18 2020 +0200 ath10k: Release some resources in an error handling path [ Upstream commit 6364e693f4a7a89a2fb3dd2cbd6cc06d5fd6e26d ] Should an error occur after calling 'ath10k_usb_create()', it should be undone by a corresponding 'ath10k_usb_destroy()' call Fixes: 4db66499df91 ("ath10k: add initial USB support") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201122170358.1346065-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 6b6edd2c072bc91910e9bf8f60dcc3193ac7eb9e Author: Christophe JAILLET Date: Tue Nov 24 17:59:18 2020 +0200 ath10k: Fix an error handling path [ Upstream commit ed3573bc3943c27d2d8e405a242f87ed14572ca1 ] If 'ath10k_usb_create()' fails, we should release some resources and report an error instead of silently continuing. Fixes: 4db66499df91 ("ath10k: add initial USB support") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201122170342.1346011-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit e856abba7fca5cd7b85af2a31f4990cac5b86ad7 Author: Rakesh Pillai Date: Tue Nov 24 17:59:17 2020 +0200 ath10k: Fix the parsing error in service available event [ Upstream commit c7cee9c0f499f27ec6de06bea664b61320534768 ] The wmi service available event has been extended to contain extra 128 bit for new services to be indicated by firmware. Currently the presence of any optional TLVs in the wmi service available event leads to a parsing error with the below error message: ath10k_snoc 18800000.wifi: failed to parse svc_avail tlv: -71 The wmi service available event parsing should not return error for the newly added optional TLV. Fix this parsing for service available event message. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2-00720-QCAHLSWMTPL-1 Fixes: cea19a6ce8bf ("ath10k: add WMI_SERVICE_AVAILABLE_EVENT support") Signed-off-by: Rakesh Pillai Reviewed-by: Douglas Anderson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1605501291-23040-1-git-send-email-pillair@codeaurora.org Signed-off-by: Sasha Levin commit f4935d3c7b57cee3ed73aa20417d240c2b43f40f Author: Qinglang Miao Date: Wed Nov 25 14:50:32 2020 +0800 platform/x86: dell-smbios-base: Fix error return code in dell_smbios_init [ Upstream commit 2425ccd30fd78ce35237350fe8baac31dc18bd45 ] Fix to return the error code -ENODEV when fails to init wmi and smm. Fixes: 41e36f2f85af ("platform/x86: dell-smbios: Link all dell-smbios-* modules together") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20201125065032.154125-1-miaoqinglang@huawei.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 3d64e8ce592bdc6ab2663b3a5ba4032047b27f41 Author: Alexandre Belloni Date: Sat Nov 28 23:28:17 2020 +0100 ARM: dts: at91: at91sam9rl: fix ADC triggers [ Upstream commit 851a95da583c26e2ddeb7281e9b61f0d76ea5aba ] The triggers for the ADC were taken from at91sam9260 dtsi but are not correct. Fixes: a4c1d6c75822 ("ARM: at91/dt: sam9rl: add lcd, adc, usb gadget and pwm support") Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20201128222818.1910764-10-alexandre.belloni@bootlin.com Signed-off-by: Sasha Levin commit 09347a537cc71818d7f733162436fc1f87bb6fb5 Author: Yu Kuai Date: Tue Nov 17 09:13:22 2020 +0800 soc: amlogic: canvas: add missing put_device() call in meson_canvas_get() [ Upstream commit 28f851e6afa858f182802e23ac60c3ed7d1c04a1 ] if of_find_device_by_node() succeed, meson_canvas_get() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: 382f8be04551 ("soc: amlogic: canvas: Fix meson_canvas_get when probe failed") Signed-off-by: Yu Kuai Reviewed-by: Neil Armstrong Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20201117011322.522477-1-yukuai3@huawei.com Signed-off-by: Sasha Levin commit 8424a5b661ca1d61a0a31053bd2158e0269bc276 Author: Dongjin Kim Date: Mon Nov 30 15:03:20 2020 +0900 arm64: dts: meson-sm1: fix typo in opp table [ Upstream commit b6a1c8a1eaa73b1e2ae251399308e9445d74cef7 ] The freqency 1512000000 should be 1500000000. Signed-off-by: Dongjin Kim Fixes: 3d9e76483049 ("arm64: dts: meson-sm1-sei610: enable DVFS") Reviewed-by: Neil Armstrong Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20201130060320.GA30098@anyang-linuxfactory-or-kr Signed-off-by: Sasha Levin commit f4951cb10668f0d4dab68b6e05a45d672bca69a5 Author: Artem Lapkin Date: Wed Nov 25 02:40:01 2020 +0000 arm64: dts: meson: fix spi-max-frequency on Khadas VIM2 [ Upstream commit b6c605e00ce8910d7ec3d9a54725d78b14db49b9 ] The max frequency for the w25q32 (VIM v1.2) and w25q128 (VIM v1.4) spifc chip should be 104Mhz not 30MHz. Fixes: b8b74dda3908 ("ARM64: dts: meson-gxm: Add support for Khadas VIM2") Signed-off-by: Artem Lapkin Reviewed-by: Neil Armstrong Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20201125024001.19036-1-christianshewitt@gmail.com Signed-off-by: Sasha Levin commit 49b563bfdd662a8b88ff493961a321af0d4f2e6a Author: Bharat Gooty Date: Thu Oct 1 11:30:52 2020 +0530 PCI: iproc: Fix out-of-bound array accesses [ Upstream commit a3ff529f5d368a17ff35ada8009e101162ebeaf9 ] Declare the full size array for all revisions of PAX register sets to avoid potentially out of bound access of the register array when they are being initialized in iproc_pcie_rev_init(). Link: https://lore.kernel.org/r/20201001060054.6616-2-srinath.mannam@broadcom.com Fixes: 06324ede76cdf ("PCI: iproc: Improve core register population") Signed-off-by: Bharat Gooty Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 4ef5a46d2964c5a91c9e4908ad4ff652d02363cc Author: Colin Ian King Date: Sat Nov 14 15:48:04 2020 -0600 PCI: Fix overflow in command-line resource alignment requests [ Upstream commit cc73eb321d246776e5a9f7723d15708809aa3699 ] The shift of 1 by align_order is evaluated using 32 bit arithmetic and the result is assigned to a resource_size_t type variable that is a 64 bit unsigned integer on 64 bit platforms. Fix an overflow before widening issue by making the 1 a ULL. Addresses-Coverity: ("Unintentional integer overflow") Fixes: 32a9a682bef2 ("PCI: allow assignment of memory resources with a specified alignment") Signed-off-by: Colin Ian King Signed-off-by: Bjorn Helgaas Reviewed-by: Logan Gunthorpe Signed-off-by: Sasha Levin commit 048b98083c27071b551d57e5259b68ed73e28a75 Author: Bjorn Helgaas Date: Thu Nov 5 14:51:36 2020 -0600 PCI: Bounds-check command-line resource alignment requests [ Upstream commit 6534aac198b58309ff2337981d3f893e0be1d19d ] 32-bit BARs are limited to 2GB size (2^31). By extension, I assume 64-bit BARs are limited to 2^63 bytes. Limit the alignment requested by the "pci=resource_alignment=" command-line parameter to 2^63. Link: https://lore.kernel.org/r/20201007123045.GS4282@kadam Reported-by: Dan Carpenter Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 72577f162cae6e065b3439a43aef948c27324bf8 Author: Bjorn Andersson Date: Mon Nov 30 10:59:24 2020 -0600 arm64: dts: qcom: c630: Polish i2c-hid devices [ Upstream commit 11d0e4f281565ef757479764ce7fd8d35eeb01b0 ] The numbering of the i2c busses differs from ACPI and a number of typos was made in the original patch. Further more the irq flags for the various resources was not correct and i2c3 only has one of the two client devices active in any one device. Also label the various devices, for easier comparison with the ACPI tables. Tested-by: Steev Klimaszewski Fixes: 44acee207844 ("arm64: dts: qcom: Add Lenovo Yoga C630") Link: https://lore.kernel.org/r/20201130165924.319708-1-bjorn.andersson@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit a554b68baf27aa916007fe79d0e61c1491e2951e Author: Michael Walle Date: Sun Nov 8 19:51:05 2020 +0100 arm64: dts: ls1028a: fix ENETC PTP clock input [ Upstream commit d0570a575aa83116bd0f6a99c4de548af773d950 ] On the LS1028A the ENETC reference clock is connected to 4th HWA output, see Figure 7 "Clock subsystem block diagram". The PHC may run with a wrong frequency. ptp_qoriq_auto_config() will read the clock speed of the clock given in the device tree. It is likely that, on the reference board this wasn't noticed because both clocks have the same frequency. But this must not be always the case. Fix it. Fixes: 49401003e260 ("arm64: dts: fsl: ls1028a: add ENETC 1588 timer node") Signed-off-by: Michael Walle Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a85f3e7cb717057b7fff66addd645c774403927e Author: Marc Zyngier Date: Sun Nov 29 13:55:51 2020 +0000 genirq/irqdomain: Don't try to free an interrupt that has no mapping [ Upstream commit 4615fbc3788ddc8e7c6d697714ad35a53729aa2c ] When an interrupt allocation fails for N interrupts, it is pretty common for the error handling code to free the same number of interrupts, no matter how many interrupts have actually been allocated. This may result in the domain freeing code to be unexpectedly called for interrupts that have no mapping in that domain. Things end pretty badly. Instead, add some checks to irq_domain_free_irqs_hierarchy() to make sure that thiss does not follow the hierarchy if no mapping exists for a given interrupt. Fixes: 6a6544e520abe ("genirq/irqdomain: Remove auto-recursive hierarchy support") Signed-off-by: Marc Zyngier Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20201129135551.396777-1-maz@kernel.org Signed-off-by: Sasha Levin commit 2f00dcc6ce7aa7ceb8e0b9f7c4e80630657c9e87 Author: Zhang Qilong Date: Mon Nov 2 22:33:21 2020 +0800 power: supply: bq24190_charger: fix reference leak [ Upstream commit b2f6cb78eaa1cad57dd3fe11d0458cd4fae9a584 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to call pm_runtime_put_noidle will result in reference leak in callers(bq24190_sysfs_show, bq24190_charger_get_property, bq24190_charger_set_property, bq24190_battery_get_property, bq24190_battery_set_property), so we should fix it. Fixes: f385e6e2a1532 ("power: bq24190_charger: Use PM runtime autosuspend") Signed-off-by: Zhang Qilong Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit e230e193c966e9efd11d177b6aed8fdf762b0a96 Author: Hans de Goede Date: Wed Nov 18 13:13:12 2020 +0100 power: supply: axp288_charger: Fix HP Pavilion x2 10 DMI matching [ Upstream commit a0f1ccd96c7049377d892a4299b6d5e47ec9179d ] Commit 9c80662a74cd ("power: supply: axp288_charger: Add special handling for HP Pavilion x2 10") added special handling for HP Pavilion x2 10 models which use the weird combination of a Type-C connector and the non Type-C aware AXP288 PMIC. This special handling was activated by a DMI match a the product-name of "HP Pavilion x2 Detachable". Recently I've learned that there are also older "HP Pavilion x2 Detachable" models with an AXP288 PMIC + a micro-usb connector where we should not activate the special handling for the Type-C connectors. Extend the matching to also match on the DMI board-name and match on the 2 boards (one Bay Trail based one Cherry Trail based) of which we are certain that they use the AXP288 + Type-C connector combination. Note the DSDT code from these older (AXP288 + micro-USB) models contains some AML code (which never runs under Linux) which reads the micro-USB connector id-pin and if it is pulled to ground, which would normally mean the port is in host mode!, then it sets the input-current-limit to 3A, it seems HP is using the micro-USB port as a charging only connector and identifies their own 3A capable charger though this hack which is a major violation of the USB specs. Note HP also hardcodes a 2A limit when the id-pin is not pulled to ground, which is also in violation of the specs. I've no intention to add support for HP's hack to support 3A charging on these older models. By making the DMI matches for the Type-C equipped models workaround more tighter, these older models will be treated just like any other AXP288 + micro-USB equipped device and the input-current limit will follow the BC 1.2 spec (using the defacto standard values there where the BC 1.2 spec defines a range). Fixes: 9c80662a74cd ("power: supply: axp288_charger: Add special handling for HP Pavilion x2 10") BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1896924 Signed-off-by: Hans de Goede Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 8e9678d9d13170ec4672a6f6764397a5dd53efaa Author: Chen-Yu Tsai Date: Thu Nov 26 15:33:34 2020 +0800 arm64: dts: rockchip: Set dr_mode to "host" for OTG on rk3328-roc-cc [ Upstream commit 4076a007bd0f6171434bdb119a0b8797749b0502 ] The board has a standard USB A female port connected to the USB OTG controller's data pins. Set dr_mode in the OTG controller node to indicate this usage, instead of having the implementation guess. Fixes: 2171f4fdac06 ("arm64: dts: rockchip: add roc-rk3328-cc board") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20201126073336.30794-2-wens@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 11f007a5583df0b07122e39808939dcdb21d84b7 Author: Marek Behún Date: Sat Nov 14 21:42:53 2020 +0100 arm64: dts: armada-3720-turris-mox: update ethernet-phy handle name [ Upstream commit 3aa669a994c9110a2dc7e08a5c0958a9ea5eb17c ] Use property name `phy-handle` instead of the deprecated `phy` to connect eth2 to the PHY. Signed-off-by: Marek Behún Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") Cc: Gregory CLEMENT Cc: Andrew Lunn Cc: Rob Herring Cc: devicetree@vger.kernel.org Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 5a551ef116698b60cf10d2b0896573079554dca1 Author: Chris Packham Date: Tue Sep 8 09:17:11 2020 +1200 ARM: dts: Remove non-existent i2c1 from 98dx3236 [ Upstream commit 7f24479ead579459106bb55c2320a000135731f9 ] The switches with integrated CPUs have only got a single i2c controller. They incorrectly gained one when they were split from the Armada-XP. Fixes: 43e28ba87708 ("ARM: dts: Use armada-370-xp as a base for armada-xp-98dx3236") Signed-off-by: Chris Packham Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 15305a5b103dddbfec7ccc3f715e76b001b5c41f Author: Jing Xiangfeng Date: Mon Oct 12 10:56:43 2020 +0800 HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() [ Upstream commit 41fff6e19bc8d6d8bca79ea388427c426e72e097 ] In current code, it jumps to ida_simple_remove() when ida_simple_get() failes to allocate an ID. Just return to fix it. Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module") Signed-off-by: Jing Xiangfeng Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit ec30659ea631a5a82f26e00289ac618741c66cb2 Author: Bjorn Andersson Date: Fri Nov 27 10:24:50 2020 +0000 slimbus: qcom-ngd-ctrl: Avoid sending power requests without QMI [ Upstream commit 39014ce6d6028614a46395923a2c92d058b6fa87 ] Attempting to send a power request during PM operations, when the QMI handle isn't initialized results in a NULL pointer dereference. So check if the QMI handle has been initialized before attempting to post the power requests. Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") Signed-off-by: Bjorn Andersson Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20201127102451.17114-7-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 76170933d3daf8f374dce8429530f26f1fbb72c6 Author: Dan Carpenter Date: Wed Mar 4 15:23:12 2020 +0100 media: max2175: fix max2175_set_csm_mode() error code [ Upstream commit 9b1b0cb0636166187478ef68d5b95f5caea062ec ] This is supposed to return negative error codes but the type is bool so it returns true instead. Fixes: b47b79d8a231 ("[media] media: i2c: max2175: Add MAX2175 support") Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5873beee8744d607793f49b854ed36e361f36289 Author: Qinglang Miao Date: Fri Nov 20 15:48:47 2020 +0800 mips: cdmm: fix use-after-free in mips_cdmm_bus_discover [ Upstream commit f0e82242b16826077a2775eacfe201d803bb7a22 ] kfree(dev) has been called inside put_device so anther kfree would cause a use-after-free bug/ Fixes: 8286ae03308c ("MIPS: Add CDMM bus support") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Acked-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 51795c385f73655ea63272db7eb2e1a6857879b4 Author: Daniel Gomez Date: Thu Oct 3 16:46:24 2019 +0200 media: imx214: Fix stop streaming [ Upstream commit eeb76afbe8d91e112396c6281cd020725160f006 ] Stop video streaming when requested. When s_stream is called to stop the video streaming, if/else condition calls start_streaming function instead of the one for stopping it. Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") Signed-off-by: Daniel Gomez Signed-off-by: Ricardo Ribalda Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ceff135b9d9368a9034b550bc3ce4ac292f69dc9 Author: Daniel T. Lee Date: Tue Nov 24 09:03:09 2020 +0000 samples: bpf: Fix lwt_len_hist reusing previous BPF map [ Upstream commit 0afe0a998c40085a6342e1aeb4c510cccba46caf ] Currently, lwt_len_hist's map lwt_len_hist_map is uses pinning, and the map isn't cleared on test end. This leds to reuse of that map for each test, which prevents the results of the test from being accurate. This commit fixes the problem by removing of pinned map from bpffs. Also, this commit add the executable permission to shell script files. Fixes: f74599f7c5309 ("bpf: Add tests and samples for LWT-BPF") Signed-off-by: Daniel T. Lee Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20201124090310.24374-7-danieltimlee@gmail.com Signed-off-by: Sasha Levin commit 4dc1360203c442826ed6306d7f73b10eb7cec9ee Author: Vadim Pasternak Date: Wed Nov 25 12:10:56 2020 +0200 platform/x86: mlx-platform: Remove PSU EEPROM from MSN274x platform configuration [ Upstream commit 912b341585e302ee44fc5a2733f7bcf505e2c86f ] Remove PSU EEPROM configuration for systems class equipped with Mellanox chip Spectrum and ATOM CPU - system types MSN274x. Till now all the systems from this class used few types of power units, all equipped with EEPROM device with address space two bytes. Thus, all these devices have been handled by EEPROM driver "24c02". There is a new requirement is to support power unit replacement by "off the shelf" device, matching electrical required parameters. Such device can be equipped with different EEPROM type, which could be one byte address space addressing or even could be not equipped with EEPROM. In such case "24c02" will not work. Fixes: ef08e14a3 ("platform/x86: mlx-platform: Add support for new msn274x system type") Signed-off-by: Vadim Pasternak Link: https://lore.kernel.org/r/20201125101056.174708-3-vadimp@nvidia.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 3432883ae89600838b65b321bdbc86f05cc1ac3a Author: Vadim Pasternak Date: Wed Nov 25 12:10:55 2020 +0200 platform/x86: mlx-platform: Remove PSU EEPROM from default platform configuration [ Upstream commit 2bf5046bdb649908df8bcc0a012c56eee931a9af ] Remove PSU EEPROM configuration for systems class equipped with Mellanox chip Spectrum and Celeron CPU - system types MSN2700, MSN2100. Till now all the systems from this class used few types of power units, all equipped with EEPROM device with address space two bytes. Thus, all these devices have been handled by EEPROM driver "24c02". There is a new requirement is to support power unit replacement by "off the shelf" device, matching electrical required parameters. Such device can be equipped with different EEPROM type, which could be one byte address space addressing or even could be not equipped with EEPROM. In such case "24c02" will not work. Fixes: c6acad68e ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface") Fixes: ba814fdd0 ("platform/x86: mlx-platform: Use defines for bus assignment") Signed-off-by: Vadim Pasternak Link: https://lore.kernel.org/r/20201125101056.174708-2-vadimp@nvidia.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit c14a740743f7c6d020788d0c1de1b75f1ccedb6d Author: Keita Suzuki Date: Wed Sep 9 14:56:57 2020 +0200 media: siano: fix memory leak of debugfs members in smsdvb_hotplug [ Upstream commit abf287eeff4c6da6aa804bbd429dfd9d0dfb6ea7 ] When dvb_create_media_graph fails, the debugfs kept inside client should be released. However, the current implementation does not release them. Fix this by adding a new goto label to call smsdvb_debugfs_release. Fixes: 0d3ab8410dcb ("[media] dvb core: must check dvb_create_media_graph()") Signed-off-by: Keita Suzuki Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6b93d6c5a88808a450146004fbe93beab06d56d0 Author: Vidya Sagar Date: Mon Oct 26 12:09:02 2020 +0530 arm64: tegra: Fix DT binding for IO High Voltage entry [ Upstream commit 6b26c1a034885923822f6c4d94f8644d32bc2481 ] Fix the device-tree entry that represents I/O High Voltage property by replacing 'nvidia,io-high-voltage' with 'nvidia,io-hv' as the former entry is deprecated. Fixes: dbb72e2c305b ("arm64: tegra: Add configuration for PCIe C5 sideband signals") Signed-off-by: Vidya Sagar Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit b0f1878c2d88ff91d4a934b6b0edd21b4ca2d3e6 Author: Zhihao Cheng Date: Tue Nov 24 09:08:13 2020 +0800 dmaengine: mv_xor_v2: Fix error return code in mv_xor_v2_probe() [ Upstream commit c95e6515a8c065862361f7e0e452978ade7f94ec ] Return the corresponding error code when first_msi_entry() returns NULL in mv_xor_v2_probe(). Fixes: 19a340b1a820430 ("dmaengine: mv_xor_v2: new driver") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Link: https://lore.kernel.org/r/20201124010813.1939095-1-chengzhihao1@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 46f8c79611689ab3695518da50255994f706ca07 Author: Qinglang Miao Date: Thu Nov 19 15:08:42 2020 +0800 cw1200: fix missing destroy_workqueue() on error in cw1200_init_common [ Upstream commit 7ec8a926188eb8e7a3cbaca43ec44f2d7146d71b ] Add the missing destroy_workqueue() before return from cw1200_init_common in the error handling case. Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201119070842.1011-1-miaoqinglang@huawei.com Signed-off-by: Sasha Levin commit f2e7f608b2741e3ff37f8db9dcb5e7300890cb08 Author: Zhang Changzhong Date: Tue Nov 17 11:07:34 2020 +0800 rsi: fix error return code in rsi_reset_card() [ Upstream commit fb21d14694bd46a538258d86498736490b3ba855 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 17ff2c794f39 ("rsi: reset device changes for 9116") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1605582454-39649-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Sasha Levin commit f7a6e378fc175734de2a087c4bd94b6fe9ff4833 Author: Wang Hai Date: Sat Nov 14 20:33:47 2020 +0800 qtnfmac: fix error return code in qtnf_pcie_probe() [ Upstream commit 31e07aa33fa7cdc93fa91c3f78f031e8d38862c2 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: b7da53cd6cd1 ("qtnfmac_pcie: use single PCIe driver for all platforms") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201114123347.29632-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit d2b95947720d1f487c6072f69246309e0eb21b8f Author: Sebastian Andrzej Siewior Date: Fri Nov 13 22:22:43 2020 +0100 orinoco: Move context allocation after processing the skb [ Upstream commit a31eb615646a63370aa1da1053c45439c7653d83 ] ezusb_xmit() allocates a context which is leaked if orinoco_process_xmit_skb() returns an error. Move ezusb_alloc_ctx() after the invocation of orinoco_process_xmit_skb() because the context is not needed so early. ezusb_access_ltv() will cleanup the context in case of an error. Fixes: bac6fafd4d6a0 ("orinoco: refactor xmit path") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201113212252.2243570-2-bigeasy@linutronix.de Signed-off-by: Sasha Levin commit e39908568b40f0de0b7cdbd069e6e0f536da01d6 Author: Zhihao Cheng Date: Sat Nov 21 10:14:31 2020 +0800 mmc: pxamci: Fix error return code in pxamci_probe [ Upstream commit d7b819b5d33869d41bdaa427aeb98ae24c57a38b ] Fix to return the error code from devm_gpiod_get_optional() instaed of 0 in pxamci_probe(). Fixes: f54005b508b9a9d9c ("mmc: pxa: Use GPIO descriptor for power") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Link: https://lore.kernel.org/r/20201121021431.3168506-1-chengzhihao1@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 65f0d3c81c9fc0b49514ea1766d60e97e25bba77 Author: Cristian Birsan Date: Wed Nov 18 14:00:19 2020 +0200 ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host [ Upstream commit e1062fa7292f1e3744db0a487c4ac0109e09b03d ] The pincontrol node is needed for USB Host since Linux v5.7-rc1. Without it the driver probes but VBus is not powered because of wrong pincontrol configuration. Fixes: b7c2b61570798 ("ARM: at91: add Atmel's SAMA5D3 Xplained board") Signed-off-by: Cristian Birsan Signed-off-by: Alexandre Belloni Acked-by: Ludovic Desroches Link: https://lore.kernel.org/r/20201118120019.1257580-4-cristian.birsan@microchip.com Signed-off-by: Sasha Levin commit c2aab53d1be58460c80c7b9104fe5433e182b702 Author: Cristian Birsan Date: Wed Nov 18 14:00:18 2020 +0200 ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host [ Upstream commit be4dd2d448816a27c1446f8f37fce375daf64148 ] The pincontrol node is needed for USB Host since Linux v5.7-rc1. Without it the driver probes but VBus is not powered because of wrong pincontrol configuration. Fixes: 38153a017896f ("ARM: at91/dt: sama5d4: add dts for sama5d4 xplained board") Signed-off-by: Cristian Birsan Signed-off-by: Alexandre Belloni Acked-by: Ludovic Desroches Link: https://lore.kernel.org/r/20201118120019.1257580-3-cristian.birsan@microchip.com Signed-off-by: Sasha Levin commit 8ce91557023e49469d304e70becb4cd10b1761bc Author: Qinglang Miao Date: Fri Nov 20 15:48:46 2020 +0800 memstick: fix a double-free bug in memstick_check [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ] kfree(host->card) has been called in put_device so that another kfree would raise cause a double-free bug. Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20201120074846.31322-1-miaoqinglang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 4279ff6deaf32c093c59106dfb858eb54bef1657 Author: Kamal Heib Date: Sun Nov 8 15:20:07 2020 +0200 RDMA/cxgb4: Validate the number of CQEs [ Upstream commit 6d8285e604e0221b67bd5db736921b7ddce37d00 ] Before create CQ, make sure that the requested number of CQEs is in the supported range. Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") Link: https://lore.kernel.org/r/20201108132007.67537-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d3ff603c2e383eb98e6c66baca3ab490625965ac Author: Kevin Hilman Date: Wed Nov 18 11:09:30 2020 -0800 clk: meson: Kconfig: fix dependency for G12A [ Upstream commit bae69bfa3a586493469078ec4ca35499b754ba5c ] When building only G12A, ensure that VID_PLL_DIV clock driver is selected, otherwise results in this build error: ERROR: modpost: "meson_vid_pll_div_ro_ops" [drivers/clk/meson/g12a.ko] undefined! Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") Signed-off-by: Kevin Hilman Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20201118190930.34352-1-khilman@baylibre.com Signed-off-by: Sasha Levin commit 2fbd2b0dd7d128939b5348fc1bb344536c9ba28f Author: Zhang Qilong Date: Fri Nov 20 16:36:49 2020 -0800 Input: omap4-keypad - fix runtime PM error handling [ Upstream commit 59bbf83835f591b95c3bdd09d900f3584fa227af ] In omap4_keypad_probe, the patch fix several bugs. 1) pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak. 2) In err_unmap, forget to disable runtime of device, pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced. 3) In err_pm_disable, it will call pm_runtime_put_sync twice not one time. To fix this we factor out code reading revision and disabling touchpad, and drop PM reference once we are done talking to the device. Fixes: f77621cc640a7 ("Input: omap-keypad - dynamically handle register offsets") Fixes: 5ad567ffbaf20 ("Input: omap4-keypad - wire up runtime PM handling") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201120133918.2559681-1-zhangqilong3@huawei.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ff3a152243f81741933be0e12a5482e7381db14f Author: Zhihao Cheng Date: Sat Nov 21 19:22:38 2020 -0800 drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe [ Upstream commit 4cba398f37f868f515ff12868418dc28574853a1 ] Fix to return the error code from of_get_child_by_name() instaed of 0 in knav_queue_probe(). Fixes: 41f93af900a20d1a0a ("soc: ti: add Keystone Navigator QMSS driver") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit e16e8cde2bb16edada989e99e119b1fa2fa4039b Author: Zhang Qilong Date: Sat Nov 21 19:22:37 2020 -0800 soc: ti: Fix reference imbalance in knav_dma_probe [ Upstream commit b4fa73358c306d747a2200aec6f7acb97e5750e6 ] The patch fix two reference leak. 1) pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to call put operation will result in reference leak. 2) The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced. We fix it by: 1) adding call pm_runtime_put_noidle or pm_runtime_put_sync in error handling. 2) adding pm_runtime_disable in error handling, to keep usage counter and disable depth balanced. Fixes: 88139ed030583 ("soc: ti: add Keystone Navigator DMA support") Signed-off-by: Zhang Qilong Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit 475b489b07130737948d20e416baed39b137b4a4 Author: Zhang Qilong Date: Sat Nov 21 19:22:00 2020 -0800 soc: ti: knav_qmss: fix reference leak in knav_queue_probe [ Upstream commit ec8684847d8062496c4619bc3fcff31c19d56847 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in knav_queue_probe, so we should fix it. Fixes: 41f93af900a20 ("soc: ti: add Keystone Navigator QMSS driver") Signed-off-by: Zhang Qilong Signed-off-by: Santosh Shilimkar Signed-off-by: Sasha Levin commit 82b9934e1e7ae94ebd5c493f898687e542d35329 Author: Uwe Kleine-König Date: Thu Nov 19 17:16:02 2020 +0100 spi: fix resource leak for drivers without .remove callback [ Upstream commit 440408dbadfe47a615afd0a0a4a402e629be658a ] Consider an spi driver with a .probe but without a .remove callback (e.g. rtc-ds1347). The function spi_drv_probe() is called to bind a device and so dev_pm_domain_attach() is called. As there is no remove callback spi_drv_remove() isn't called at unbind time however and so calling dev_pm_domain_detach() is missed and the pm domain keeps active. To fix this always use both spi_drv_probe() and spi_drv_remove() and make them handle the respective callback not being set. This has the side effect that for a (hypothetical) driver that has neither .probe nor remove the clk and pm domain setup is done. Fixes: 33cf00e57082 ("spi: attach/detach SPI device to the ACPI power domain") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20201119161604.2633521-1-u.kleine-koenig@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 70e19fccf680fba4da528455122c7031dce3effd Author: Zhang Qilong Date: Fri Nov 13 21:17:28 2020 +0800 crypto: omap-aes - Fix PM disable depth imbalance in omap_aes_probe [ Upstream commit ff8107200367f4abe0e5bce66a245e8d0f2d229e ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: f7b2b5dd6a62a ("crypto: omap-aes - add error check for pm_runtime_get_sync") Signed-off-by: Zhang Qilong Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c549355105d9663384659f7e8303de7139e97099 Author: Nathan Chancellor Date: Thu Nov 12 13:07:02 2020 -0700 crypto: crypto4xx - Replace bitwise OR with logical OR in crypto4xx_build_pd [ Upstream commit 5bdad829c31a09069fd508534f03c2ea1576ac75 ] Clang warns: drivers/crypto/amcc/crypto4xx_core.c:921:60: warning: operator '?:' has lower precedence than '|'; '|' will be evaluated first [-Wbitwise-conditional-parentheses] (crypto_tfm_alg_type(req->tfm) == CRYPTO_ALG_TYPE_AEAD) ? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ drivers/crypto/amcc/crypto4xx_core.c:921:60: note: place parentheses around the '|' expression to silence this warning (crypto_tfm_alg_type(req->tfm) == CRYPTO_ALG_TYPE_AEAD) ? ^ ) drivers/crypto/amcc/crypto4xx_core.c:921:60: note: place parentheses around the '?:' expression to evaluate it first (crypto_tfm_alg_type(req->tfm) == CRYPTO_ALG_TYPE_AEAD) ? ^ ( 1 warning generated. It looks like this should have been a logical OR so that PD_CTL_HASH_FINAL gets added to the w bitmask if crypto_tfm_alg_type is either CRYPTO_ALG_TYPE_AHASH or CRYPTO_ALG_TYPE_AEAD. Change the operator so that everything works properly. Fixes: 4b5b79998af6 ("crypto: crypto4xx - fix stalls under heavy load") Link: https://github.com/ClangBuiltLinux/linux/issues/1198 Signed-off-by: Nathan Chancellor Reviewed-by: Christian Lamparter Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 3e08a61b2f94ee88099b82d66114a37343c29758 Author: Yazen Ghannam Date: Mon Nov 9 21:06:58 2020 +0000 EDAC/mce_amd: Use struct cpuinfo_x86.cpu_die_id for AMD NodeId [ Upstream commit 8de0c9917cc1297bc5543b61992d5bdee4ce621a ] The edac_mce_amd module calls decode_dram_ecc() on AMD Family17h and later systems. This function is used in amd64_edac_mod to do system-specific decoding for DRAM ECC errors. The function takes a "NodeId" as a parameter. In AMD documentation, NodeId is used to identify a physical die in a system. This can be used to identify a node in the AMD_NB code and also it is used with umc_normaddr_to_sysaddr(). However, the input used for decode_dram_ecc() is currently the NUMA node of a logical CPU. In the default configuration, the NUMA node and physical die will be equivalent, so this doesn't have an impact. But the NUMA node configuration can be adjusted with optional memory interleaving modes. This will cause the NUMA node enumeration to not match the physical die enumeration. The mismatch will cause the address translation function to fail or report incorrect results. Use struct cpuinfo_x86.cpu_die_id for the node_id parameter to ensure the physical ID is used. Fixes: fbe63acf62f5 ("EDAC, mce_amd: Use cpu_to_node() to find the node ID") Signed-off-by: Yazen Ghannam Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20201109210659.754018-4-Yazen.Ghannam@amd.com Signed-off-by: Sasha Levin commit 0789349204a67280b3416bedaf14f742c9a87f1c Author: Christophe Leroy Date: Tue Nov 3 18:07:12 2020 +0000 powerpc/feature: Fix CPU_FTRS_ALWAYS by removing CPU_FTRS_GENERIC_32 [ Upstream commit 78665179e569c7e1fe102fb6c21d0f5b6951f084 ] On 8xx, we get the following features: [ 0.000000] cpu_features = 0x0000000000000100 [ 0.000000] possible = 0x0000000000000120 [ 0.000000] always = 0x0000000000000000 This is not correct. As CONFIG_PPC_8xx is mutually exclusive with all other configurations, the three lines should be equal. The problem is due to CPU_FTRS_GENERIC_32 which is taken when CONFIG_BOOK3S_32 is NOT selected. This CPU_FTRS_GENERIC_32 is pointless because there is no generic configuration supporting all 32 bits but book3s/32. Remove this pointless generic features definition to unbreak the calculation of 'possible' features and 'always' features. Fixes: 76bc080ef5a3 ("[POWERPC] Make default cputable entries reflect selected CPU family") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/76a85f30bf981d1aeaae00df99321235494da254.1604426550.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 90b39366d834e4de622f14a29ddb9f9f84d39d79 Author: Ard Biesheuvel Date: Wed Oct 28 09:04:33 2020 +0100 powerpc: Avoid broken GCC __attribute__((optimize)) [ Upstream commit a7223f5bfcaeade4a86d35263493bcda6c940891 ] Commit 7053f80d9696 ("powerpc/64: Prevent stack protection in early boot") introduced a couple of uses of __attribute__((optimize)) with function scope, to disable the stack protector in some early boot code. Unfortunately, and this is documented in the GCC man pages [0], overriding function attributes for optimization is broken, and is only supported for debug scenarios, not for production: the problem appears to be that setting GCC -f flags using this method will cause it to forget about some or all other optimization settings that have been applied. So the only safe way to disable the stack protector is to disable it for the entire source file. [0] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html Fixes: 7053f80d9696 ("powerpc/64: Prevent stack protection in early boot") Signed-off-by: Ard Biesheuvel [mpe: Drop one remaining use of __nostackprotector, reported by snowpatch] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201028080433.26799-1-ardb@kernel.org Signed-off-by: Sasha Levin commit 8f6e6ec101dd0bee63587c6fee46f8f91198bed6 Author: Björn Töpel Date: Wed Nov 18 08:16:38 2020 +0100 selftests/bpf: Fix broken riscv build [ Upstream commit 6016df8fe874e1cf36f6357d71438b384198ce06 ] The selftests/bpf Makefile includes system include directories from the host, when building BPF programs. On RISC-V glibc requires that __riscv_xlen is defined. This is not the case for "clang -target bpf", which messes up __WORDSIZE (errno.h -> ... -> wordsize.h) and breaks the build. By explicitly defining __risc_xlen correctly for riscv, we can workaround this. Fixes: 167381f3eac0 ("selftests/bpf: Makefile fix "missing" headers on build with -idirafter") Signed-off-by: Björn Töpel Signed-off-by: Andrii Nakryiko Acked-by: Luke Nelson Link: https://lore.kernel.org/bpf/20201118071640.83773-2-bjorn.topel@gmail.com Signed-off-by: Sasha Levin commit 6f8c6e70738af185f19b914ef2b30f09a1758b63 Author: Zhang Qilong Date: Fri Nov 6 09:24:21 2020 +0800 spi: mxs: fix reference leak in mxs_spi_probe [ Upstream commit 03fc41afaa6549baa2dab7a84e1afaf5cadb5b18 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in mxs_spi_probe, so we should fix it. Fixes: b7969caf41a1d ("spi: mxs: implement runtime pm") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201106012421.95420-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5df04553ee8ce19438a04cd9c253d6b326ff3cdf Author: Yang Yingliang Date: Tue Nov 17 14:15:00 2020 +0800 usb/max3421: fix return error code in max3421_probe() [ Upstream commit 5a569343e8a618dc73edebe0957eb42f2ab476bd ] retval may be reassigned to 0 after max3421_of_vbus_en_pin(), if allocate memory failed after this, max3421_probe() cann't return ENOMEM, fix this by moving assign retval afther max3421_probe(). Fixes: 721fdc83b31b ("usb: max3421: Add devicetree support") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20201117061500.3454223-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e6405aad35924ae3c63435efccf25c725c426d6d Author: Dmitry Torokhov Date: Wed Nov 11 17:17:11 2020 -0800 Input: ads7846 - fix unaligned access on 7845 [ Upstream commit 03e2c9c782f721b661a0e42b1b58f394b5298544 ] req->sample[1] is not naturally aligned at word boundary, and therefore we should use get_unaligned_be16() when accessing it. Fixes: 3eac5c7e44f3 ("Input: ads7846 - extend the driver for ads7845 controller support") Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 920c379029f90cfeb4a86c664791ed6b51450304 Author: Oleksij Rempel Date: Tue Nov 17 15:33:24 2020 -0800 Input: ads7846 - fix integer overflow on Rt calculation [ Upstream commit 820830ec918f6c3dcd77a54a1c6198ab57407916 ] In some rare cases the 32 bit Rt value will overflow if z2 and x is max, z1 is minimal value and x_plate_ohms is relatively high (for example 800 ohm). This would happen on some screen age with low pressure. There are two possible fixes: - make Rt 64bit - reorder calculation to avoid overflow The second variant seems to be preferable, since 64 bit calculation on 32 bit system is a bit more expensive. Fixes: ffa458c1bd9b6f653008d450f337602f3d52a646 ("spi: ads7846 driver") Co-developed-by: David Jander Signed-off-by: David Jander Signed-off-by: Oleksij Rempel Link: https://lore.kernel.org/r/20201113112240.1360-1-o.rempel@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c7ac50927300fc36623c376d2818031da34ccd76 Author: David Jander Date: Wed Nov 11 11:00:59 2020 -0800 Input: ads7846 - fix race that causes missing releases [ Upstream commit e52cd628a03f72a547dbf90ccb703ee64800504a ] If touchscreen is released while busy reading HWMON device, the release can be missed. The IRQ thread is not started because no touch is active and BTN_TOUCH release event is never sent. Fixes: f5a28a7d4858f94a ("Input: ads7846 - avoid pen up/down when reading hwmon") Co-developed-by: Oleksij Rempel Signed-off-by: David Jander Signed-off-by: Oleksij Rempel Link: https://lore.kernel.org/r/20201027105416.18773-1-o.rempel@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 86398df4b283109d3766ddcc0a24cce055e130c9 Author: Yang Yingliang Date: Tue Nov 17 14:10:45 2020 +0800 drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() [ Upstream commit 723ae803218da993143387bf966042eccefac077 ] Return -ENOMEM when allocating refill memory failed. Fixes: 71e8831f6407 ("drm/omap: DMM/TILER support for OMAP4+ platform") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20201117061045.3452287-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit e8cd88c3ab0020105eff97daa26cdab1651bf065 Author: Yang Yingliang Date: Tue Nov 17 14:13:50 2020 +0800 video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() [ Upstream commit ba236455ee750270f33998df57f982433cea4d8e ] If devm_kzalloc() failed after the first time, atmel_lcdfb_of_init() can't return -ENOMEM, fix this by putting the error code in loop. Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20201117061350.3453742-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 953379fb7ba3672d2e917cd0a4b403553ea23e2c Author: Qinglang Miao Date: Wed Nov 11 04:22:01 2020 +0100 media: solo6x10: fix missing snd_card_free in error handling case [ Upstream commit dcdff74fa6bc00c32079d0bebd620764c26f2d89 ] Fix to goto snd_error in error handling case when fails to do snd_ctl_add, as done elsewhere in this function. Fixes: 28cae868cd24 ("[media] solo6x10: move out of staging into drivers/media/pci.") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c64d2e15982972bf9f3caaf2f61e95be9a274f84 Author: Martin Wilck Date: Thu Oct 29 18:08:45 2020 +0100 scsi: core: Fix VPD LUN ID designator priorities [ Upstream commit 2e4209b3806cda9b89c30fd5e7bfecb7044ec78b ] The current implementation of scsi_vpd_lun_id() uses the designator length as an implicit measure of priority. This works most of the time, but not always. For example, some Hitachi storage arrays return this in VPD 0x83: VPD INQUIRY: Device Identification page Designation descriptor number 1, descriptor length: 24 designator_type: T10 vendor identification, code_set: ASCII associated with the Addressed logical unit vendor id: HITACHI vendor specific: 5030C3502025 Designation descriptor number 2, descriptor length: 6 designator_type: vendor specific [0x0], code_set: Binary associated with the Target port vendor specific: 08 03 Designation descriptor number 3, descriptor length: 20 designator_type: NAA, code_set: Binary associated with the Addressed logical unit NAA 6, IEEE Company_id: 0x60e8 Vendor Specific Identifier: 0x7c35000 Vendor Specific Identifier Extension: 0x30c35000002025 [0x60060e8007c350000030c35000002025] The current code would use the first descriptor because it's longer than the NAA descriptor. But this is wrong, the kernel is supposed to prefer NAA descriptors over T10 vendor ID. Designator length should only be used to compare designators of the same type. This patch addresses the issue by separating designator priority and length. Link: https://lore.kernel.org/r/20201029170846.14786-1-mwilck@suse.com Fixes: 9983bed3907c ("scsi: Add scsi_vpd_lun_id()") Reviewed-by: Hannes Reinecke Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit efb57c87d8d81bc86ff46ef300096831dccba7ad Author: Jerome Brunet Date: Mon Nov 16 18:24:23 2020 +0100 ASoC: meson: fix COMPILE_TEST error [ Upstream commit 299fe9937dbd1a4d9a1da6a2b6f222298534ca57 ] When compiled with CONFIG_HAVE_CLK, the kernel need to get provider for the clock API. This is usually selected by the platform and the sound drivers should not really care about this. However COMPILE_TEST is special and the platform required may not have been selected, leading to this type of error: > aiu-encoder-spdif.c:(.text+0x3a0): undefined reference to `clk_set_parent' Since we need a sane provider of the API with COMPILE_TEST, depends on COMMON_CLK. Fixes: 6dc4fa179fb8 ("ASoC: meson: add axg fifo base driver") Reported-by: kernel test robot Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20201116172423.546855-1-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2c06ac46f81c20b4860405e3c6daaa715d975aec Author: Lad Prabhakar Date: Thu Sep 17 18:08:47 2020 +0200 media: v4l2-fwnode: Return -EINVAL for invalid bus-type [ Upstream commit 69baf338fc16a4d55c78da8874ce3f06feb38c78 ] Return -EINVAL if invalid bus-type is detected while parsing endpoints. Fixes: 26c1126c9b56 ("media: v4l: fwnode: Use media bus type for bus parser selection") Signed-off-by: Lad Prabhakar Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d8d35c1ea883df4e21c0ece26761f6aed642e11e Author: Yu Kuai Date: Fri Oct 9 14:38:03 2020 +0200 media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_enc_pm() [ Upstream commit 4affafd7bec7c65da31777f18bd20420f1aeb5f8 ] if of_find_device_by_node() succeed, mtk_vcodec_init_enc_pm() doesn't have a corresponding put_device(). Thus add jump target to fix the exception handling for this function implementation. Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") Signed-off-by: Yu Kuai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c8adf58057b6c45c32806e9d99524a382e54bea3 Author: Yu Kuai Date: Fri Oct 9 14:38:02 2020 +0200 media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm() [ Upstream commit 27c3943683f74e35e1d390ceb2e3639eff616ad6 ] mtk_vcodec_release_dec_pm() will be called in two places: a. mtk_vcodec_init_dec_pm() succeed while mtk_vcodec_probe() return error. b. mtk_vcodec_dec_remove(). In both cases put_device() call is needed, since of_find_device_by_node() was called in mtk_vcodec_init_dec_pm() previously. Thus add put_devices() call in mtk_vcodec_release_dec_pm() Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Yu Kuai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c5c403db137fb380fec91120e23080812a36734e Author: Yu Kuai Date: Fri Oct 9 14:38:01 2020 +0200 media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_dec_pm() [ Upstream commit 5d4fa2c50125c9cda9e380d89268757cc5fa743d ] if of_find_device_by_node() succeed, mtk_vcodec_init_dec_pm() doesn't have a corresponding put_device(). Thus add jump target to fix the exception handling for this function implementation. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Yu Kuai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 06a3c11c173b8be2480e86bf5110706256252298 Author: Colin Ian King Date: Thu Oct 8 23:12:23 2020 +0200 media: tm6000: Fix sizeof() mismatches [ Upstream commit a08ad6339e0441ca12533969ed94a87e3655426e ] The are two instances of sizeof() being used incorrectly. The sizeof(void *) is incorrect because urb_buffer is a char ** pointer, fix this by using sizeof(*dev->urb_buffer). The sizeof(dma_addr_t *) is incorrect, it should be sizeof(*dev->urb_dma), which is a dma_addr_t and not a dma_addr_t *. This errors did not cause any issues because it just so happens the sizes are the same. Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") Fixes: 16427faf2867 ("[media] tm6000: Add parameter to keep urb bufs allocated") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1638c7e3985b986c873867b81c2ee1e7b92e44db Author: Jing Xiangfeng Date: Thu Nov 12 14:49:24 2020 +0800 staging: gasket: interrupt: fix the missed eventfd_ctx_put() in gasket_interrupt.c [ Upstream commit ab5b769a23af12a675b9f3d7dd529250c527f5ac ] gasket_interrupt_set_eventfd() misses to call eventfd_ctx_put() in an error path. We check interrupt is valid before calling eventfd_ctx_fdget() to fix it. There is the same issue in gasket_interrupt_clear_eventfd(), Add the missed function call to fix it. Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver") Signed-off-by: Jing Xiangfeng Link: https://lore.kernel.org/r/20201112064924.99680-1-jingxiangfeng@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit aa1d8b959455fca5249d4b58990dde68c3fcab2c Author: Zhang Qilong Date: Mon Nov 9 21:13:46 2020 +0800 staging: greybus: codecs: Fix reference counter leak in error handling [ Upstream commit 3952659a6108f77a0d062d8e8487bdbdaf52a66c ] gb_pm_runtime_get_sync has increased the usage counter of the device here. Forgetting to call gb_pm_runtime_put_noidle will result in usage counter leak in the error branch of (gbcodec_hw_params and gbcodec_prepare). We fixed it by adding it. Fixes: c388ae7696992 ("greybus: audio: Update pm runtime support in dai_ops callback") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201109131347.1725288-2-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5daf659fdf47c8b7bc81ad20e4296b69032f6489 Author: Jack Xu Date: Fri Nov 6 19:27:40 2020 +0800 crypto: qat - fix status check in qat_hal_put_rel_rd_xfer() [ Upstream commit 3b5c130fb2e4c045369791c33c83b59f6e84f7d6 ] The return value of qat_hal_rd_ae_csr() is always a CSR value and never a status and should not be stored in the status variable of qat_hal_put_rel_rd_xfer(). This removes the assignment as qat_hal_rd_ae_csr() is not expected to fail. A more comprehensive handling of the theoretical corner case which could result in a fail will be submitted in a separate patch. Fixes: 8c9478a400b7 ("crypto: qat - reduce stack size with KASAN") Signed-off-by: Jack Xu Reviewed-by: Giovanni Cabiddu Reviewed-by: Fiona Trahe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 38017f2c06cfcc1509a1ab200affb86c4ff0cf42 Author: Necip Fazil Yildiran Date: Tue Nov 3 00:34:01 2020 +0300 MIPS: BCM47XX: fix kconfig dependency bug for BCM47XX_BCMA [ Upstream commit 3a5fe2fb9635c43359c9729352f45044f3c8df6b ] When BCM47XX_BCMA is enabled and BCMA_DRIVER_PCI is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for BCMA_DRIVER_PCI_HOSTMODE Depends on [n]: MIPS [=y] && BCMA_DRIVER_PCI [=n] && PCI_DRIVERS_LEGACY [=y] && BCMA [=y]=y Selected by [y]: - BCM47XX_BCMA [=y] && BCM47XX [=y] && PCI [=y] The reason is that BCM47XX_BCMA selects BCMA_DRIVER_PCI_HOSTMODE without depending on or selecting BCMA_DRIVER_PCI while BCMA_DRIVER_PCI_HOSTMODE depends on BCMA_DRIVER_PCI. This can also fail building the kernel. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Fixes: c1d1c5d4213e ("bcm47xx: add support for bcma bus") Link: https://bugzilla.kernel.org/show_bug.cgi?id=209879 Signed-off-by: Necip Fazil Yildiran Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 9e779e6fae58906010d377e1135e918b1c10e7b9 Author: Arnd Bergmann Date: Mon Oct 26 22:12:30 2020 +0100 RDMa/mthca: Work around -Wenum-conversion warning [ Upstream commit fbb7dc5db6dee553b5a07c27e86364a5223e244c ] gcc points out a suspicious mixing of enum types in a function that converts from MTHCA_OPCODE_* values to IB_WC_* values: drivers/infiniband/hw/mthca/mthca_cq.c: In function 'mthca_poll_one': drivers/infiniband/hw/mthca/mthca_cq.c:607:21: warning: implicit conversion from 'enum ' to 'enum ib_wc_opcode' [-Wenum-conversion] 607 | entry->opcode = MTHCA_OPCODE_INVALID; Nothing seems to ever check for MTHCA_OPCODE_INVALID again, no idea if this is meaningful, but it seems harmless as it deals with an invalid input. Remove MTHCA_OPCODE_INVALID and set the ib_wc_opcode to 0xFF, which is still bogus, but at least doesn't make compiler warnings. Fixes: 2a4443a69934 ("[PATCH] IB/mthca: fill in opcode field for send completions") Link: https://lore.kernel.org/r/20201026211311.3887003-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 648b9dd270ffde39c3c60cb9ef5db5a6ce9bc6dc Author: Zhang Qilong Date: Wed Nov 11 21:09:20 2020 +0800 ASoC: arizona: Fix a wrong free in wm8997_probe [ Upstream commit 5e7aace13df24ff72511f29c14ebbfe638ef733c ] In the normal path, we should not free the arizona, we should return immediately. It will be free when call remove operation. Fixes: 31833ead95c2c ("ASoC: arizona: Move request of speaker IRQs into bus probe") Reported-by: Richard Fitzgerald Signed-off-by: Zhang Qilong Acked-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20201111130923.220186-2-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7e8200d442003ce9ff88bff17a6e6d56e51ad360 Author: Zhang Qilong Date: Fri Nov 6 09:50:35 2020 +0800 spi: sprd: fix reference leak in sprd_spi_remove [ Upstream commit e4062765bc2a41e025e29dd56bad798505036427 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in sprd_spi_remove, so we should fix it. Fixes: e7d973a31c24b ("spi: sprd: Add SPI driver for Spreadtrum SC9860") Signed-off-by: Zhang Qilong Acked-by: Chunyan Zhang Link: https://lore.kernel.org/r/20201106015035.139574-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c786bc725d8cf6b2ed4dc955694f817411d6dece Author: Zhang Qilong Date: Wed Nov 11 12:13:26 2020 +0800 ASoC: wm8998: Fix PM disable depth imbalance on error [ Upstream commit 193aa0a043645220d2a2f783ba06ae13d4601078 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 31833ead95c2c ("ASoC: arizona: Move request of speaker IRQs into bus probe") Signed-off-by: Zhang Qilong Reviewed-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20201111041326.1257558-4-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 06fa588c7921ad10b8844d056e6cc8b8921ff0f3 Author: Hangbin Liu Date: Tue Nov 10 09:50:12 2020 +0800 selftest/bpf: Add missed ip6ip6 test back [ Upstream commit 58cfa49c2ba7f815adccc27a775e7cf8a8f7f539 ] In comment 173ca26e9b51 ("samples/bpf: add comprehensive ipip, ipip6, ip6ip6 test") we added ip6ip6 test for bpf tunnel testing. But in commit 933a741e3b82 ("selftests/bpf: bpf tunnel test.") when we moved it to the current folder, we didn't add it. This patch add the ip6ip6 test back to bpf tunnel test. Update the ipip6's topology for both IPv4 and IPv6 testing. Since iperf test is removed as currect framework simplified it in purpose, I also removed unused tcp checkings in test_tunnel_kern.c. Fixes: 933a741e3b82 ("selftests/bpf: bpf tunnel test.") Signed-off-by: Hangbin Liu Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20201110015013.1570716-2-liuhangbin@gmail.com Signed-off-by: Sasha Levin commit dab5973ada6b0141ded45599c2f46eb09eb02c69 Author: Tsuchiya Yuto Date: Wed Oct 28 23:21:09 2020 +0900 mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure [ Upstream commit fa74cb1dc0f4da46c441b735ca865ac52de42c0e ] When a PCIe function level reset (FLR) is performed but without fw reset for some reasons (e.g., on Microsoft Surface devices, fw reset requires other quirks), it fails to reset wifi properly. You can trigger the issue on such devices via debugfs entry for reset: $ echo 1 | sudo tee /sys/kernel/debug/mwifiex/mlan0/reset and the resulting dmesg log: [ 45.740508] mwifiex_pcie 0000:03:00.0: Resetting per request [ 45.742937] mwifiex_pcie 0000:03:00.0: info: successfully disconnected from [BSSID]: reason code 3 [ 45.744666] mwifiex_pcie 0000:03:00.0: info: shutdown mwifiex... [ 45.751530] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.751539] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771691] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771695] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771697] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771698] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771699] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771701] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771702] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771703] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771704] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771705] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 45.771707] mwifiex_pcie 0000:03:00.0: PREP_CMD: card is removed [ 45.771708] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 53.099343] mwifiex_pcie 0000:03:00.0: info: trying to associate to '[SSID]' bssid [BSSID] [ 53.241870] mwifiex_pcie 0000:03:00.0: info: associated to bssid [BSSID] successfully [ 75.377942] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 85.385491] mwifiex_pcie 0000:03:00.0: info: successfully disconnected from [BSSID]: reason code 15 [ 87.539408] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 87.539412] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 99.699917] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 99.699925] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [ 111.859802] mwifiex_pcie 0000:03:00.0: cmd_wait_q terminated: -110 [ 111.859808] mwifiex_pcie 0000:03:00.0: deleting the crypto keys [...] When comparing mwifiex_shutdown_sw() with mwifiex_pcie_remove(), it lacks mwifiex_init_shutdown_fw(). This commit fixes mwifiex_shutdown_sw() by adding the missing mwifiex_init_shutdown_fw(). Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support") Signed-off-by: Tsuchiya Yuto Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201028142110.18144-2-kitakar@gmail.com Signed-off-by: Sasha Levin commit 404aadf45c719df3730fbc483780a3742002006d Author: Qinglang Miao Date: Tue Nov 3 15:49:11 2020 +0800 spi: bcm63xx-hsspi: fix missing clk_disable_unprepare() on error in bcm63xx_hsspi_resume [ Upstream commit 9bb9ef2b3e5d9d012876e7e2d7757eb30e865bee ] Fix the missing clk_disable_unprepare() before return from bcm63xx_hsspi_resume in the error handling case when fails to prepare and enable bs->pll_clk. Fixes: 0fd85869c2a9 ("spi/bcm63xx-hsspi: keep pll clk enabled") Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20201103074911.195530-1-miaoqinglang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 769c2fecefd1e11dc60108a2cddda9f4d19396e5 Author: Zhang Qilong Date: Tue Nov 3 22:13:06 2020 +0800 spi: tegra114: fix reference leak in tegra spi ops [ Upstream commit a042184c7fb99961ea083d4ec192614bec671969 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in two callers(tegra_spi_setup and tegra_spi_resume), so we should fix it. Fixes: f333a331adfac ("spi/tegra114: add spi driver") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141306.5607-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 47595d68cee266e0d3a1fe1866234c2ea5b4f532 Author: Zhang Qilong Date: Tue Nov 3 22:13:23 2020 +0800 spi: tegra20-sflash: fix reference leak in tegra_sflash_resume [ Upstream commit 3482e797ab688da6703fe18d8bad52f94199f4f2 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in tegra_sflash_resume, so we should fix it. Fixes: 8528547bcc336 ("spi: tegra: add spi driver for sflash controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141323.5841-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f9e5e84eb49f777a121adaa267ca7039dcb527b4 Author: Zhang Qilong Date: Tue Nov 3 22:13:45 2020 +0800 spi: tegra20-slink: fix reference leak in slink ops of tegra20 [ Upstream commit 763eab7074f6e71babd85d796156f05a675f9510 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in two callers(tegra_slink_setup and tegra_slink_resume), so we should fix it. Fixes: dc4dc36056392 ("spi: tegra: add spi driver for SLINK controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103141345.6188-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0a3196271b40b681ed9e06ffcbb2c9f0c2b67d41 Author: Qinglang Miao Date: Tue Nov 3 15:49:12 2020 +0800 spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe [ Upstream commit 702b15cb97123cedcec56a39d9a21c5288eb9ae1 ] Fix the missing clk_disable_unprepare() before return from mt7621_spi_probe in the error handling case. Fixes: cbd66c626e16 ("spi: mt7621: Move SPI driver out of staging") Signed-off-by: Qinglang Miao Link: https://lore.kernel.org/r/20201103074912.195576-1-miaoqinglang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a2cf358aacf565a7bb2573983ae022b32ac2c228 Author: Zhang Qilong Date: Tue Nov 3 22:09:47 2020 +0800 spi: spi-ti-qspi: fix reference leak in ti_qspi_setup [ Upstream commit 45c0cba753641e5d7c3207f04241bd0e7a021698 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in ti_qspi_setup, so we should fix it. Fixes: 505a14954e2d7 ("spi/qspi: Add qspi flash controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103140947.3815-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 25b5a48adabf7297c38bb17563e48b91c175c352 Author: Anant Thazhemadam Date: Fri Oct 16 18:44:47 2020 +0530 Bluetooth: hci_h5: fix memory leak in h5_close [ Upstream commit 855af2d74c870d747bf53509f8b2d7b9dc9ee2c3 ] When h5_close() is called, h5 is directly freed when !hu->serdev. However, h5->rx_skb is not freed, which causes a memory leak. Freeing h5->rx_skb and setting it to NULL, fixes this memory leak. Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices") Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam Reviewed-by: Hans de Goede Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 5cf3c2e7892ef39c95daf4849b353da56e3cf177 Author: Anmol Karn Date: Wed Sep 30 19:48:13 2020 +0530 Bluetooth: Fix null pointer dereference in hci_event_packet() [ Upstream commit 6dfccd13db2ff2b709ef60a50163925d477549aa ] AMP_MGR is getting derefernced in hci_phy_link_complete_evt(), when called from hci_event_packet() and there is a possibility, that hcon->amp_mgr may not be found when accessing after initialization of hcon. - net/bluetooth/hci_event.c:4945 The bug seems to get triggered in this line: bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status. Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt") Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f Signed-off-by: Anmol Karn Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d92b81fad01c2ba61acae5c065efc529433d92ff Author: Paweł Chmiel Date: Sat Nov 7 14:39:26 2020 +0100 arm64: dts: exynos: Correct psci compatible used on Exynos7 [ Upstream commit e1e47fbca668507a81bb388fcae044b89d112ecc ] It's not possible to reboot or poweroff Exynos7420 using PSCI. Instead we need to use syscon reboot/poweroff drivers, like it's done for other Exynos SoCs. This was confirmed by checking vendor source and testing it on Samsung Galaxy S6 device based on this SoC. To be able to use custom restart/poweroff handlers instead of PSCI functions, we need to correct psci compatible. This also requires us to provide function ids for CPU_ON and CPU_OFF. Fixes: fb026cb65247 ("arm64: dts: Add reboot node for exynos7") Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7") Signed-off-by: Paweł Chmiel Link: https://lore.kernel.org/r/20201107133926.37187-2-pawel.mikolaj.chmiel@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit da8d846375224d4badd5b8634de51036c8a6422c Author: Paweł Chmiel Date: Sat Nov 7 14:39:25 2020 +0100 arm64: dts: exynos: Include common syscon restart/poweroff for Exynos7 [ Upstream commit 73bc7510ea0dafb4ff1ae6808759627a8ec51f5a ] Exynos7 uses the same syscon reboot and poweroff nodes as other Exynos SoCs, so instead of duplicating code we can just include common dtsi file, which already contains definitions of them. After this change, poweroff node will be also available, previously this dts file did contain only reboot node. Fixes: fb026cb65247 ("arm64: dts: Add reboot node for exynos7") Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7") Signed-off-by: Paweł Chmiel Link: https://lore.kernel.org/r/20201107133926.37187-1-pawel.mikolaj.chmiel@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 8f14da44523c8944202bb06f77eb92bcb4e9efcf Author: Seung-Woo Kim Date: Wed Oct 28 10:52:47 2020 +0900 brcmfmac: Fix memory leak for unpaired brcmf_{alloc/free} [ Upstream commit 9db946284e07bb27309dd546b7fee528664ba82a ] There are missig brcmf_free() for brcmf_alloc(). Fix memory leak by adding missed brcmf_free(). Reported-by: Jaehoon Chung Fixes: a1f5aac1765a ("brcmfmac: don't realloc wiphy during PCIe reset") Signed-off-by: Seung-Woo Kim Reviewed-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1603849967-22817-1-git-send-email-sw0312.kim@samsung.com Signed-off-by: Sasha Levin commit 5c5b92c1d6ab18bb83936de1aaf850a15d4b258d Author: Zhang Qilong Date: Fri Nov 6 09:52:17 2020 +0800 spi: stm32: fix reference leak in stm32_spi_resume [ Upstream commit 900ccdcb79bb61471df1566a70b2b39687a628d5 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in stm32_spi_resume, so we should fix it. Fixes: db96bf976a4fc ("spi: stm32: fixes suspend/resume management") Signed-off-by: Zhang Qilong Reviewed-by: Alain Volmat Link: https://lore.kernel.org/r/20201106015217.140476-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c807042f2d58edc5a4dac442c393e545969c4642 Author: Paul Moore Date: Tue Nov 3 11:49:38 2020 -0500 selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling [ Upstream commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 ] A previous fix, commit 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The later can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: Sven Schnelle Tested-by: Sven Schnelle Reviewed-by: Ondrej Mosnacek Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit ae54a6d9947814079ebdca0ad92b8fdbf6f32f8a Author: Cezary Rojewski Date: Mon Oct 26 11:01:29 2020 +0100 ASoC: pcm: DRAIN support reactivation [ Upstream commit 4c22b80f61540ea99d9b4af0127315338755f05b ] soc-pcm's dpcm_fe_dai_do_trigger() supported DRAIN commnad up to kernel v5.4 where explicit switch(cmd) has been introduced which takes into account all SNDRV_PCM_TRIGGER_xxx but SNDRV_PCM_TRIGGER_DRAIN. Update switch statement to reactive support for it. As DRAIN is somewhat unique by lacking negative/stop counterpart, bring behaviour of dpcm_fe_dai_do_trigger() for said command back to its pre-v5.4 state by adding it to START/RESUME/PAUSE_RELEASE group. Fixes: acbf27746ecf ("ASoC: pcm: update FE/BE trigger order based on the command") Signed-off-by: Cezary Rojewski Reviewed-by: Ranjani Sridharan Link: https://lore.kernel.org/r/20201026100129.8216-1-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 009a982ea25b1fb61e57fb7648577e42aff0f42a Author: Zhang Qilong Date: Tue Nov 3 22:09:10 2020 +0800 spi: spi-mem: fix reference leak in spi_mem_access_start [ Upstream commit c02bb16b0e826bf0e19aa42c3ae60ea339f32cf5 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in spi_mem_access_start, so we should fix it. Fixes: f86c24f479530 ("spi: spi-mem: Split spi_mem_exec_op() code") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201103140910.3482-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 68ad1bd244bd2ec48ecfd0242a628b2efaee7a8b Author: Dmitry Baryshkov Date: Thu Oct 15 22:03:30 2020 +0300 drm/msm/dsi_pll_10nm: restore VCO rate during restore_state [ Upstream commit a4ccc37693a271330a46208afbeaed939d54fdbb ] PHY disable/enable resets PLL registers to default values. Thus in addition to restoring several registers we also need to restore VCO rate settings. Signed-off-by: Dmitry Baryshkov Fixes: c6659785dfb3 ("drm/msm/dsi/pll: call vco set rate explicitly") Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 0a8f14baed8e802055a7b8761cf095bc23c7ac75 Author: Jaegeuk Kim Date: Sun Oct 25 07:35:47 2020 -0700 f2fs: call f2fs_get_meta_page_retry for nat page [ Upstream commit 3acc4522d89e0a326db69e9d0afaad8cf763a54c ] When running fault injection test, if we don't stop checkpoint, some stale NAT entries were flushed which breaks consistency. Fixes: 86f33603f8c5 ("f2fs: handle errors of f2fs_get_meta_page_nofail") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 311da238f2f766dc6da1b95d6ee8e36a885590b4 Author: Zhang Qilong Date: Mon Nov 2 22:56:51 2020 +0800 spi: img-spfi: fix reference leak in img_spfi_resume [ Upstream commit ee5558a9084584015c8754ffd029ce14a5827fa8 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to pm_runtime_put_noidle will result in reference leak in img_spfi_resume, so we should fix it. Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201102145651.3875-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4e20cee19c2e18a518060978a00083afa5548218 Author: Jordan Niethe Date: Wed Oct 14 18:28:36 2020 +1100 powerpc/64: Set up a kernel stack for secondaries before cpu_restore() [ Upstream commit 3c0b976bf20d236c57adcefa80f86a0a1d737727 ] Currently in generic_secondary_smp_init(), cur_cpu_spec->cpu_restore() is called before a stack has been set up in r1. This was previously fine as the cpu_restore() functions were implemented in assembly and did not use a stack. However commit 5a61ef74f269 ("powerpc/64s: Support new device tree binding for discovering CPU features") used __restore_cpu_cpufeatures() as the cpu_restore() function for a device-tree features based cputable entry. This is a C function and hence uses a stack in r1. generic_secondary_smp_init() is entered on the secondary cpus via the primary cpu using the OPAL call opal_start_cpu(). In OPAL, each hardware thread has its own stack. The OPAL call is ran in the primary's hardware thread. During the call, a job is scheduled on a secondary cpu that will start executing at the address of generic_secondary_smp_init(). Hence the value that will be left in r1 when the secondary cpu enters the kernel is part of that secondary cpu's individual OPAL stack. This means that __restore_cpu_cpufeatures() will write to that OPAL stack. This is not horribly bad as each hardware thread has its own stack and the call that enters the kernel from OPAL never returns, but it is still wrong and should be corrected. Create the temp kernel stack before calling cpu_restore(). As noted by mpe, for a kexec boot, the secondary CPUs are released from the spin loop at address 0x60 by smp_release_cpus() and then jump to generic_secondary_smp_init(). The call to smp_release_cpus() is in setup_arch(), and it comes before the call to emergency_stack_init(). emergency_stack_init() allocates an emergency stack in the PACA for each CPU. This address in the PACA is what is used to set up the temp kernel stack in generic_secondary_smp_init(). Move releasing the secondary CPUs to after the PACAs have been allocated an emergency stack, otherwise the PACA stack pointer will contain garbage and hence the temp kernel stack created from it will be broken. Fixes: 5a61ef74f269 ("powerpc/64s: Support new device tree binding for discovering CPU features") Signed-off-by: Jordan Niethe Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201014072837.24539-1-jniethe5@gmail.com Signed-off-by: Sasha Levin commit 3988d96589d974d954f525fae33ffdb81f44e634 Author: Arnd Bergmann Date: Mon Oct 26 22:00:32 2020 +0100 drm/amdgpu: fix build_coefficients() argument [ Upstream commit dbb60031dd0c2b85f10ce4c12ae604c28d3aaca4 ] gcc -Wextra warns about a function taking an enum argument being called with a bool: drivers/gpu/drm/amd/amdgpu/../display/modules/color/color_gamma.c: In function 'apply_degamma_for_user_regamma': drivers/gpu/drm/amd/amdgpu/../display/modules/color/color_gamma.c:1617:29: warning: implicit conversion from 'enum ' to 'enum dc_transfer_func_predefined' [-Wenum-conversion] 1617 | build_coefficients(&coeff, true); It appears that a patch was added using the old calling conventions after the type was changed, and the value should actually be 0 (TRANSFER_FUNCTION_SRGB) here instead of 1 (true). Fixes: 55a01d4023ce ("drm/amd/display: Add user_regamma to color module") Reviewed-by: Harry Wentland Signed-off-by: Arnd Bergmann Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a4110e76e5500af74c8b7a85a550315c843ce506 Author: Vijay Khemka Date: Thu Aug 13 12:04:30 2020 -0700 ARM: dts: aspeed: tiogapass: Remove vuart [ Upstream commit 14f100c00f1e35e5890340d4c6a64bda5dff4320 ] Removed vuart for facebook tiogapass platform as it uses uart2 and uart3 pin with aspeed uart routing feature. Signed-off-by: Vijay Khemka Reviewed-by: Joel Stanley Fixes: ffdbf494821d ("ARM: dts: aspeed: tiogapass: Enable VUART") Link: https://lore.kernel.org/r/20200813190431.3331026-1-vijaykhemka@fb.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 129df833e15c4a7b25d287a0f17ae97216c1eebb Author: Clément Péron Date: Fri Oct 30 15:46:34 2020 +0100 ASoC: sun4i-i2s: Fix lrck_period computation for I2S justified mode [ Upstream commit 93c0210671d8f3ec2262da703fab93a1497158a8 ] Left and Right justified mode are computed using the same formula as DSP_A and DSP_B mode. Which is wrong and the user manual explicitly says: LRCK_PERDIOD: PCM Mode: Number of BCLKs within (Left + Right) channel width. I2S/Left-Justified/Right-Justified Mode: Number of BCLKs within each individual channel width(Left or Right) Fix this by using the same formula as the I2S mode. Fixes: 7ae7834ec446 ("ASoC: sun4i-i2s: Add support for DSP formats") Signed-off-by: Clément Péron Acked-by: Maxime Ripard Link: https://lore.kernel.org/r/20201030144648.397824-2-peron.clem@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9edff753ade77fcf251d264407c18222987b0795 Author: Colin Ian King Date: Sat Oct 10 17:47:36 2020 +0100 crypto: inside-secure - Fix sizeof() mismatch [ Upstream commit c98e233062cd9d0e2f10e445a671f0799daaef67 ] An incorrect sizeof() is being used, sizeof(priv->ring[i].rdr_req) is not correct, it should be sizeof(*priv->ring[i].rdr_req). Note that since the size of ** is the same size as * this is not causing any issues. Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") Fixes: 9744fec95f06 ("crypto: inside-secure - remove request list to improve performance") Signed-off-by: Colin Ian King Acked-by: Antoine Tenart Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 7044a69699f3edeb6504b859d697cc3dc6d7825a Author: Christophe Leroy Date: Thu Oct 8 09:34:56 2020 +0000 crypto: talitos - Fix return type of current_desc_hdr() [ Upstream commit 0237616173fd363a54bd272aa3bd376faa1d7caa ] current_desc_hdr() returns a u32 but in fact this is a __be32, leading to a lot of sparse warnings. Change the return type to __be32 and ensure it is handled as sure by the caller. Fixes: 3e721aeb3df3 ("crypto: talitos - handle descriptor not found in error path") Signed-off-by: Christophe Leroy Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8a73ee0a0a1ee6c306e988a4c3d4778a8de7ac83 Author: Christophe Leroy Date: Thu Oct 8 09:34:55 2020 +0000 crypto: talitos - Endianess in current_desc_hdr() [ Upstream commit 195404db27f9533c71fdcb78d32a77075c2cb4a2 ] current_desc_hdr() compares the value of the current descriptor with the next_desc member of the talitos_desc struct. While the current descriptor is obtained from in_be32() which return CPU ordered bytes, next_desc member is in big endian order. Convert the current descriptor into big endian before comparing it with next_desc. This fixes a sparse warning. Fixes: 37b5e8897eb5 ("crypto: talitos - chain in buffered data for ahash on SEC1") Signed-off-by: Christophe Leroy Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b9b8429042bd72e03839734025e7829914377f8c Author: Arnd Bergmann Date: Mon Oct 26 22:00:30 2020 +0100 drm/amdgpu: fix incorrect enum type [ Upstream commit a110f3750bf8b93764f13bd1402c7cba03d15d61 ] core_link_write_dpcd() returns enum dc_status, not ddc_result: display/dc/core/dc_link_dp.c: In function 'dp_set_panel_mode': display/dc/core/dc_link_dp.c:4237:11: warning: implicit conversion from 'enum dc_status' to 'enum ddc_result' [-Wenum-conversion] Avoid the warning by using the correct enum in the caller. Fixes: 0b226322434c ("drm/amd/display: Synchronous DisplayPort Link Training") Signed-off-by: Arnd Bergmann Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 52f525f2bdc78acecc4ae0997d2032e50934c1af Author: Thomas Gleixner Date: Tue Oct 20 16:46:55 2020 +0200 sched: Reenable interrupts in do_sched_yield() [ Upstream commit 345a957fcc95630bf5535d7668a59ed983eb49a7 ] do_sched_yield() invokes schedule() with interrupts disabled which is not allowed. This goes back to the pre git era to commit a6efb709806c ("[PATCH] irqlock patch 2.5.27-H6") in the history tree. Reenable interrupts and remove the misleading comment which "explains" it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/87r1pt7y5c.fsf@nanos.tec.linutronix.de Signed-off-by: Sasha Levin commit 35975f2e83a5a2ebdfe5ee81ab59beeefb2114e2 Author: Peng Liu Date: Thu Oct 8 23:49:42 2020 +0800 sched/deadline: Fix sched_dl_global_validate() [ Upstream commit a57415f5d1e43c3a5c5d412cd85e2792d7ed9b11 ] When change sched_rt_{runtime, period}_us, we validate that the new settings should at least accommodate the currently allocated -dl bandwidth: sched_rt_handler() --> sched_dl_bandwidth_validate() { new_bw = global_rt_runtime()/global_rt_period(); for_each_possible_cpu(cpu) { dl_b = dl_bw_of(cpu); if (new_bw < dl_b->total_bw) <------- ret = -EBUSY; } } But under CONFIG_SMP, dl_bw is per root domain , but not per CPU, dl_b->total_bw is the allocated bandwidth of the whole root domain. Instead, we should compare dl_b->total_bw against "cpus*new_bw", where 'cpus' is the number of CPUs of the root domain. Also, below annotation(in kernel/sched/sched.h) implied implementation only appeared in SCHED_DEADLINE v2[1], then deadline scheduler kept evolving till got merged(v9), but the annotation remains unchanged, meaningless and misleading, update it. * With respect to SMP, the bandwidth is given on a per-CPU basis, * meaning that: * - dl_bw (< 100%) is the bandwidth of the system (group) on each CPU; * - dl_total_bw array contains, in the i-eth element, the currently * allocated bandwidth on the i-eth CPU. [1]: https://lore.kernel.org/lkml/1267385230.13676.101.camel@Palantir/ Fixes: 332ac17ef5bf ("sched/deadline: Add bandwidth management for SCHED_DEADLINE tasks") Signed-off-by: Peng Liu Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Daniel Bristot de Oliveira Acked-by: Juri Lelli Link: https://lkml.kernel.org/r/db6bbda316048cda7a1bbc9571defde193a8d67e.1602171061.git.iwtbavbm@gmail.com Signed-off-by: Sasha Levin commit a3ec54b95c1a31301fb3110951a91e3513a320f2 Author: David Woodhouse Date: Sat Oct 24 22:35:01 2020 +0100 x86/apic: Fix x2apic enablement without interrupt remapping [ Upstream commit 26573a97746c7a99f394f9d398ce91a8853b3b89 ] Currently, Linux as a hypervisor guest will enable x2apic only if there are no CPUs present at boot time with an APIC ID above 255. Hotplugging a CPU later with a higher APIC ID would result in a CPU which cannot be targeted by external interrupts. Add a filter in x2apic_apic_id_valid() which can be used to prevent such CPUs from coming online, and allow x2apic to be enabled even if they are present at boot time. Fixes: ce69a784504 ("x86/apic: Enable x2APIC without interrupt remapping under KVM") Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20201024213535.443185-2-dwmw2@infradead.org Signed-off-by: Sasha Levin commit b7ec74246c3273bdfc43647d59a52b3fc6772f23 Author: Ard Biesheuvel Date: Mon Sep 21 00:10:16 2020 +0200 ARM: p2v: fix handling of LPAE translation in BE mode [ Upstream commit 4e79f0211b473f8e1eab8211a9fd50cc41a3a061 ] When running in BE mode on LPAE hardware with a PA-to-VA translation that exceeds 4 GB, we patch bits 39:32 of the offset into the wrong byte of the opcode. So fix that, by rotating the offset in r0 to the right by 8 bits, which will put the 8-bit immediate in bits 31:24. Note that this will also move bit #22 in its correct place when applying the rotation to the constant #0x400000. Fixes: d9a790df8e984 ("ARM: 7883/1: fix mov to mvn conversion in case of 64 bit phys_addr_t and BE") Acked-by: Nicolas Pitre Reviewed-by: Linus Walleij Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 0a72e7286c676b88f05313b1c100d317535b4437 Author: Arvind Sankar Date: Tue Oct 27 19:06:48 2020 -0400 x86/mm/ident_map: Check for errors from ident_pud_init() [ Upstream commit 1fcd009102ee02e217f2e7635ab65517d785da8e ] Commit ea3b5e60ce80 ("x86/mm/ident_map: Add 5-level paging support") added ident_p4d_init() to support 5-level paging, but this function doesn't check and return errors from ident_pud_init(). For example, the decompressor stub uses this code to create an identity mapping. If it runs out of pages while trying to allocate a PMD pagetable, the error will be currently ignored. Fix this to propagate errors. [ bp: Space out statements for better readability. ] Fixes: ea3b5e60ce80 ("x86/mm/ident_map: Add 5-level paging support") Signed-off-by: Arvind Sankar Signed-off-by: Borislav Petkov Reviewed-by: Joerg Roedel Acked-by: Kirill A. Shutemov Link: https://lkml.kernel.org/r/20201027230648.1885111-1-nivedita@alum.mit.edu Signed-off-by: Sasha Levin commit 0fd78ab5ef71614aeb2458fda68eade2e95f1aa0 Author: Bob Pearson Date: Tue Oct 13 12:07:42 2020 -0500 RDMA/rxe: Compute PSN windows correctly [ Upstream commit bb3ab2979fd69db23328691cb10067861df89037 ] The code which limited the number of unacknowledged PSNs was incorrect. The PSNs are limited to 24 bits and wrap back to zero from 0x00ffffff. The test was computing a 32 bit value which wraps at 32 bits so that qp->req.psn can appear smaller than the limit when it is actually larger. Replace '>' test with psn_compare which is used for other PSN comparisons and correctly handles the 24 bit size. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20201013170741.3590-1-rpearson@hpe.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 35f18561616f7973aade905f62fd3282ef4bfead Author: Joel Stanley Date: Tue Sep 22 16:12:34 2020 +0930 ARM: dts: aspeed: s2600wf: Fix VGA memory region location [ Upstream commit 9e1cc9679776f5b9e42481d392b1550753ebd084 ] The VGA memory region is always from the top of RAM. On this board, that is 0x80000000 + 0x20000000 - 0x01000000 = 0x9f000000. This was not an issue in practice as the region is "reserved" by the vendor's u-boot reducing the amount of available RAM, and the only user is the host VGA device poking at RAM over PCIe. That is, nothing from the ARM touches it. It is worth fixing as developers copy existing device trees when building their machines, and the XDMA driver does use the memory region from the ARM side. Fixes: c4043ecac34a ("ARM: dts: aspeed: Add S2600WF BMC Machine") Reported-by: John Wang Link: https://lore.kernel.org/r/20200922064234.163799-1-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 4aae08a71e681aa74459c9e49bf3821382a4f2c3 Author: Tianyue Ren Date: Fri Oct 9 09:36:30 2020 +0800 selinux: fix error initialization in inode_doinit_with_dentry() [ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ] Mark the inode security label as invalid if we cannot find a dentry so that we will retry later rather than marking it initialized with the unlabeled SID. Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock") Signed-off-by: Tianyue Ren [PM: minor comment tweaks] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit de49a51e7938b77a4bc2e79733f57ecd15f75b50 Author: Dan Carpenter Date: Thu Oct 22 10:04:51 2020 +0300 rtc: pcf2127: fix pcf2127_nvmem_read/write() returns [ Upstream commit ba1c30bf3f2536f248d262c6f257b5a787305991 ] These functions should return zero on success. Non-zero returns are treated as error. On some paths, this doesn't matter but in nvmem_cell_read() a non-zero return would be passed to ERR_PTR() and lead to an Oops. Fixes: d6c3029f32f7 ("rtc: pcf2127: add support for accessing internal static RAM") Signed-off-by: Dan Carpenter Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20201022070451.GA2817669@mwanda Signed-off-by: Sasha Levin commit 57df1b39d990e0092966519a2125496a2abac329 Author: Kamal Heib Date: Wed Oct 21 14:49:52 2020 +0300 RDMA/bnxt_re: Set queue pair state when being queried [ Upstream commit 53839b51a7671eeb3fb44d479d541cf3a0f2dd45 ] The API for ib_query_qp requires the driver to set cur_qp_state on return, add the missing set. Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Link: https://lore.kernel.org/r/20201021114952.38876-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Acked-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e11c7d39fa7e56221ef120e68ef801914fec9943 Author: Douglas Anderson Date: Tue Oct 13 14:25:29 2020 -0700 Revert "i2c: i2c-qcom-geni: Fix DMA transfer race" [ Upstream commit 9cb4c67d7717135d6f4600a49ab07b470ea4ee2f ] This reverts commit 02b9aec59243c6240fc42884acc958602146ddf6. As talked about in the patch ("soc: qcom: geni: More properly switch to DMA mode"), swapping the order of geni_se_setup_m_cmd() and geni_se_xx_dma_prep() can sometimes cause corrupted transfers. Thus we traded one problem for another. Now that we've debugged the problem further and fixed the geni helper functions to more disable FIFO interrupts when we move to DMA mode we can revert it and end up with (hopefully) zero problems! To be explicit, the patch ("soc: qcom: geni: More properly switch to DMA mode") is a prerequisite for this one. Fixes: 02b9aec59243 ("i2c: i2c-qcom-geni: Fix DMA transfer race") Signed-off-by: Douglas Anderson Reviewed-by: Stephen Boyd Reviewed-by: Akash Asthana Tested-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20201013142448.v2.2.I7b22281453b8a18ab16ef2bfd4c641fb1cc6a92c@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 4b3ee79fbe774ce9739e35519e97ff8e24d677a4 Author: Douglas Anderson Date: Tue Oct 13 14:25:28 2020 -0700 soc: qcom: geni: More properly switch to DMA mode [ Upstream commit 4b6ea87be44ef34732846fc71e44c41125f0c4fa ] On geni-i2c transfers using DMA, it was seen that if you program the command (I2C_READ) before calling geni_se_rx_dma_prep() that it could cause interrupts to fire. If we get unlucky, these interrupts can just keep firing (and not be handled) blocking further progress and hanging the system. In commit 02b9aec59243 ("i2c: i2c-qcom-geni: Fix DMA transfer race") we avoided that by making sure we didn't program the command until after geni_se_rx_dma_prep() was called. While that avoided the problems, it also turns out to be invalid. At least in the TX case we started seeing sporadic corrupted transfers. This is easily seen by adding an msleep() between the DMA prep and the writing of the command, which makes the problem worse. That means we need to revert that commit and find another way to fix the bogus IRQs. Specifically, after reverting commit 02b9aec59243 ("i2c: i2c-qcom-geni: Fix DMA transfer race"), I put some traces in. I found that the when the interrupts were firing like crazy: - "m_stat" had bits for M_RX_IRQ_EN, M_RX_FIFO_WATERMARK_EN set. - "dma" was set. Further debugging showed that I could make the problem happen more reliably by adding an "msleep(1)" any time after geni_se_setup_m_cmd() ran up until geni_se_rx_dma_prep() programmed the length. A rather simple fix is to change geni_se_select_dma_mode() so it's a true inverse of geni_se_select_fifo_mode() and disables all the FIFO related interrupts. Now the problematic interrupts can't fire and we can program things in the correct order without worrying. As part of this, let's also change the writel_relaxed() in the prepare function to a writel() so that our DMA is guaranteed to be prepared now that we can't rely on geni_se_setup_m_cmd()'s writel(). NOTE: the only current user of GENI_SE_DMA in mainline is i2c. Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller") Fixes: 02b9aec59243 ("i2c: i2c-qcom-geni: Fix DMA transfer race") Signed-off-by: Douglas Anderson Reviewed-by: Stephen Boyd Reviewed-by: Akash Asthana Tested-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20201013142448.v2.1.Ifdb1b69fa3367b81118e16e9e4e63299980ca798@changeid Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit d3bed198333a2c9009be72baa134cd3b5890339e Author: Nicolas Boichat Date: Mon Sep 28 11:31:35 2020 +0800 soc: mediatek: Check if power domains can be powered on at boot time [ Upstream commit 4007844b05815717f522c7ea9914e24ad0ff6c79 ] In the error case, where a power domain cannot be powered on successfully at boot time (in mtk_register_power_domains), pm_genpd_init would still be called with is_off=false, and the system would later try to disable the power domain again, triggering warnings as disabled clocks are disabled again (and other potential issues). Also print a warning splat in that case, as this should never happen. Fixes: c84e358718a66f7 ("soc: Mediatek: Add SCPSYS power domain driver") Signed-off-by: Nicolas Boichat Link: https://lore.kernel.org/r/20200928113107.v2.1.I5e6f8c262031d0451fe7241b744f4f3111c1ce71@changeid Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit fcb0be5ba2e9da41ea73d951dc0f86aab44d35e3 Author: Dan Carpenter Date: Wed Sep 23 14:31:42 2020 +0300 soc: renesas: rmobile-sysc: Fix some leaks in rmobile_init_pm_domains() [ Upstream commit cf25d802e029c31efac8bdc979236927f37183bd ] This code needs to call iounmap() on one error path. Fixes: 2173fc7cb681 ("ARM: shmobile: R-Mobile: Add DT support for PM domains") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200923113142.GC1473821@mwanda Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 38cded30497a7ab7e4ef6a2e90ae246c0b75a91e Author: Biju Das Date: Thu Oct 15 14:23:50 2020 +0100 arm64: dts: renesas: cat875: Remove rxc-skew-ps from ethernet-phy node [ Upstream commit 53e573dc39fba1834f3e4fa002cb754b61a30701 ] The CAT875 sub board from Silicon Linux uses Realtek phy and the driver does not support rxc-skew-ps property. Fixes: 6b170cd3ed02949f ("arm64: dts: renesas: cat875: Add ethernet support") Signed-off-by: Biju Das Reviewed-by: Lad Prabhakar Link: https://lore.kernel.org/r/20201015132350.8360-2-biju.das.jz@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 14be28959f6926fa7677a15d55694c73d19bf29e Author: Biju Das Date: Thu Oct 15 14:23:49 2020 +0100 arm64: dts: renesas: hihope-rzg2-ex: Drop rxc-skew-ps from ethernet-phy node [ Upstream commit 67d3dcf12a3d245b6fd6ca5672893f7ae4e137ed ] HiHope RZG2[HMN] boards uses Realtek phy and the driver does not support rxc-skew-ps property. So remove rxc-skew-ps from ethernet-phy node. Fixes: 7433f1fb8ec8fe ("arm64: dts: renesas: Add HiHope RZ/G2M sub board support") Signed-off-by: Biju Das Reviewed-by: Lad Prabhakar Link: https://lore.kernel.org/r/20201015132350.8360-1-biju.das.jz@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit c2712546a6e08cb0f9da29c22986b49a84e90daf Author: Krzysztof Kozlowski Date: Thu Aug 27 09:11:07 2020 +0200 drm/tve200: Fix handling of platform_get_irq() error [ Upstream commit 77bb5aaf2bb8180e7d1bb70b4df306f511707a7d ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: 179c02fe90a4 ("drm/tve200: Add new driver for TVE200") Signed-off-by: Krzysztof Kozlowski Acked-by: Linus Walleij Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200827071107.27429-2-krzk@kernel.org Signed-off-by: Sasha Levin commit f61e9dbb56bab44a9b932cce7cae4279103bb197 Author: Krzysztof Kozlowski Date: Thu Aug 27 09:11:06 2020 +0200 drm/mcde: Fix handling of platform_get_irq() error [ Upstream commit e2dae672a9d5e11856fe30ede63467c65f999a81 ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE") Signed-off-by: Krzysztof Kozlowski Acked-by: Linus Walleij Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200827071107.27429-1-krzk@kernel.org Signed-off-by: Sasha Levin commit 29f34feb3860c1f93a20daa8e787acd5ba2cfa98 Author: Randy Dunlap Date: Sun Oct 11 16:01:31 2020 -0700 drm/aspeed: Fix Kconfig warning & subsequent build errors [ Upstream commit bf296b35489b46780b73b74ad984d06750ed5479 ] Kernel test robot reported build errors (undefined references) that didn't make much sense. After reproducing them, there is also a Kconfig warning that is the root cause of the build errors, so fix that Kconfig problem. Fixes this Kconfig warning: WARNING: unmet direct dependencies detected for CMA Depends on [n]: MMU [=n] Selected by [m]: - DRM_ASPEED_GFX [=m] && HAS_IOMEM [=y] && DRM [=m] && OF [=y] && (COMPILE_TEST [=y] || ARCH_ASPEED) && HAVE_DMA_CONTIGUOUS [=y] and these dependent build errors: (.text+0x10c8c): undefined reference to `start_isolate_page_range' microblaze-linux-ld: (.text+0x10f14): undefined reference to `test_pages_isolated' microblaze-linux-ld: (.text+0x10fd0): undefined reference to `undo_isolate_page_range' Fixes: 76356a966e33 ("drm: aspeed: Clean up Kconfig options") Reported-by: kernel test robot Signed-off-by: Randy Dunlap Reviewed-by: Joel Stanley Cc: Joel Stanley Cc: Andrew Jeffery Cc: Daniel Vetter Cc: Michal Simek Cc: Andrew Morton Cc: Mike Rapoport Cc: linux-mm@kvack.org Cc: linux-aspeed@lists.ozlabs.org Cc: linux-arm-kernel@lists.infradead.org Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Signed-off-by: Joel Stanley Link: https://patchwork.freedesktop.org/patch/msgid/20201011230131.4922-1-rdunlap@infradead.org Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 37028b8bc53dc7bb76b64628a8033d44b834aa33 Author: Tom Rix Date: Sat Oct 3 12:39:28 2020 -0700 drm/gma500: fix double free of gma_connector [ Upstream commit 4e19d51ca5b28a1d435a844c7b2a8e1b1b6fa237 ] clang static analysis reports this problem: cdv_intel_dp.c:2101:2: warning: Attempt to free released memory kfree(gma_connector); ^~~~~~~~~~~~~~~~~~~~ In cdv_intel_dp_init() when the call to cdv_intel_edp_panel_vdd_off() fails, the handler calls cdv_intel_dp_destroy(connector) which does the first free of gma_connector. So adjust the goto label and skip the second free. Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") Signed-off-by: Tom Rix Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201003193928.18869-1-trix@redhat.com Signed-off-by: Sasha Levin commit de630248e740df1647d1b0e0796afec8139a2877 Author: Dae R. Jeong Date: Thu Oct 22 10:21:28 2020 +0900 md: fix a warning caused by a race between concurrent md_ioctl()s commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream. Syzkaller reports a warning as belows. WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169 ... Call Trace: ... RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169 RSP: 0018:ffff888096027950 EFLAGS: 00010293 RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2 RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007 RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482 R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932 R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408 __blkdev_driver_ioctl block/ioctl.c:304 [inline] blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606 block_ioctl+0xee/0x130 fs/block_dev.c:1930 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe This is caused by a race between two concurrenct md_ioctl()s closing the array. CPU1 (md_ioctl()) CPU2 (md_ioctl()) ------ ------ set_bit(MD_CLOSING, &mddev->flags); did_set_md_closing = true; WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags)); if(did_set_md_closing) clear_bit(MD_CLOSING, &mddev->flags); Fix the warning by returning immediately if the MD_CLOSING bit is set in &mddev->flags which indicates that the array is being closed. Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Dae R. Jeong Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit 054be9aed8473ce48076c13f749b2f5fa825c336 Author: Eric Biggers Date: Mon Oct 26 13:07:15 2020 -0700 crypto: af_alg - avoid undefined behavior accessing salg_name commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream. Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names") made the kernel start accepting arbitrarily long algorithm names in sockaddr_alg. However, the actual length of the salg_name field stayed at the original 64 bytes. This is broken because the kernel can access indices >= 64 in salg_name, which is undefined behavior -- even though the memory that is accessed is still located within the sockaddr structure. It would only be defined behavior if the array were properly marked as arbitrary-length (either by making it a flexible array, which is the recommended way these days, or by making it an array of length 0 or 1). We can't simply change salg_name into a flexible array, since that would break source compatibility with userspace programs that embed sockaddr_alg into another struct, or (more commonly) declare a sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'. One solution would be to change salg_name into a flexible array only when '#ifdef __KERNEL__'. However, that would keep userspace without an easy way to actually use the longer algorithm names. Instead, add a new structure 'sockaddr_alg_new' that has the flexible array field, and expose it to both userspace and the kernel. Make the kernel use it correctly in alg_bind(). This addresses the syzbot report "UBSAN: array-index-out-of-bounds in alg_bind" (https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e). Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names") Cc: # v4.12+ Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 5a225303a68fd5875f4373f1b848ed005a3bec7f Author: Antti Palosaari Date: Sat Aug 17 03:12:10 2019 +0200 media: msi2500: assign SPI bus number dynamically commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream. SPI bus number must be assigned dynamically for each device, otherwise it will crash when multiple devices are plugged to system. Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 01182045346afeff36cfbd40203b4096540b03ca Author: Jan Kara Date: Mon Nov 2 16:16:29 2020 +0100 quota: Sanity-check quota file headers on load commit 11c514a99bb960941535134f0587102855e8ddee upstream. Perform basic sanity checks of quota headers to avoid kernel crashes on corrupted quota files. CC: stable@vger.kernel.org Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com Reviewed-by: Andreas Dilger Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit df95ea1228cc2c367a06cc2578eb52b406529da6 Author: Peilin Ye Date: Wed Sep 9 03:17:00 2020 -0400 Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream. `num_reports` is not being properly checked. A malformed event packet with a large `num_reports` number makes hci_le_direct_adv_report_evt() read out of bounds. Fix it. Cc: stable@vger.kernel.org Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events") Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01 Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit cda2f222e7e4b3395ee5749b2078e8d07b1af28d Author: Alexey Kardashevskiy Date: Thu Dec 3 16:58:34 2020 +1100 serial_core: Check for port state when tty is in error state commit 2f70e49ed860020f5abae4f7015018ebc10e1f0e upstream. At the moment opening a serial device node (such as /dev/ttyS3) succeeds even if there is no actual serial device behind it. Reading/writing/ioctls fail as expected because the uart port is not initialized (the type is PORT_UNKNOWN) and the TTY_IO_ERROR error state bit is set fot the tty. However setting line discipline does not have these checks 8250_port.c (8250 is the default choice made by univ8250_console_init()). As the result of PORT_UNKNOWN, uart_port::iobase is NULL which a platform translates onto some address accessing which produces a crash like below. This adds tty_port_initialized() to uart_set_ldisc() to prevent the crash. Found by syzkaller. Signed-off-by: Alexey Kardashevskiy Link: https://lore.kernel.org/r/20201203055834.45838-1-aik@ozlabs.ru Cc: stable Signed-off-by: Greg Kroah-Hartman commit 863cab3017bccc3640a141b5b96769c9cbb071d2 Author: Julian Sax Date: Thu Nov 26 18:51:58 2020 +0100 HID: i2c-hid: add Vero K147 to descriptor override commit c870d50ce387d84b6438211a7044c60afbd5d60a upstream. This device uses the SIPODEV SP1064 touchpad, which does not supply descriptors, so it has to be added to the override list. Cc: stable@vger.kernel.org Signed-off-by: Julian Sax Reviewed-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit fd819f54065c590308a5ff24d50d4f7500b87101 Author: Arnd Bergmann Date: Fri Oct 30 17:44:20 2020 +0100 scsi: megaraid_sas: Check user-provided offsets commit 381d34e376e3d9d27730fda8a0e870600e6c8196 upstream. It sounds unwise to let user space pass an unchecked 32-bit offset into a kernel structure in an ioctl. This is an unsigned variable, so checking the upper bound for the size of the structure it points into is sufficient to avoid data corruption, but as the pointer might also be unaligned, it has to be written carefully as well. While I stumbled over this problem by reading the code, I did not continue checking the function for further problems like it. Link: https://lore.kernel.org/r/20201030164450.1253641-2-arnd@kernel.org Fixes: c4a3e0a529ab ("[SCSI] MegaRAID SAS RAID: new driver") Cc: # v2.6.15+ Reviewed-by: Christoph Hellwig Signed-off-by: Arnd Bergmann Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 152631f0273fbecd9eee66b1274c4ccefb297f1b Author: Sai Prakash Ranjan Date: Fri Nov 27 10:52:51 2020 -0700 coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() commit 22b2beaa7f166f550424cbb3b988aeaa7ef0425a upstream. There was a report of NULL pointer dereference in ETF enable path for perf CS mode with PID monitoring. It is almost 100% reproducible when the process to monitor is something very active such as chrome and with ETF as the sink, not ETR. But code path shows that ETB has a similar path as ETF, so there could be possible NULL pointer dereference crash in ETB as well. Currently in a bid to find the pid, the owner is dereferenced via task_pid_nr() call in etb_enable_perf() and with owner being NULL, we can get a NULL pointer dereference, so have a similar fix as ETF where we cache PID in alloc_buffer() callback which is called as the part of etm_setup_aux(). Fixes: 75d7dbd38824 ("coresight: etb10: Add support for CPU-wide trace scenarios") Cc: stable@vger.kernel.org Signed-off-by: Sai Prakash Ranjan Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20201127175256.1092685-11-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit 4c461e8d0e8861d4768a7955151a05263d08e9da Author: Suzuki K Poulose Date: Tue Dec 8 11:26:49 2020 -0700 coresight: tmc-etr: Fix barrier packet insertion for perf buffer commit 83be0b84fe846edf0c722fefe225482d5f0d7395 upstream. When the ETR is used in perf mode with a larger buffer (configured via sysfs or the default size of 1M) than the perf aux buffer size, we end up inserting the barrier packet at the wrong offset, while moving the offset forward. i.e, instead of the "new moved offset", we insert it at the current hardware buffer offset. These packets will not be visible as they are never copied and could lead to corruption in the trace decoding side, as the decoder is not aware that it needs to reset the decoding. Fixes: ec13c78d7b45 ("coresight: tmc-etr: Add barrier packets when moving offset forward") Cc: Mathieu Poirier Cc: stable@vger.kernel.org Reported-by: Al Grant Tested-by: Mike Leach Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20201208182651.1597945-2-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit e81884d45a70745368bcb203f6e25bc00898c190 Author: Mao Jinlong Date: Fri Nov 27 10:52:53 2020 -0700 coresight: tmc-etr: Check if page is valid before dma_map_page() commit 1cc573d5754e92372a7e30e35468644f8811e1a4 upstream. alloc_pages_node() return should be checked before calling dma_map_page() to make sure that valid page is mapped or else it can lead to aborts as below: Unable to handle kernel paging request at virtual address ffffffc008000000 Mem abort info: ... pc : __dma_inv_area+0x40/0x58 lr : dma_direct_map_page+0xd8/0x1c8 Call trace: __dma_inv_area tmc_pages_alloc tmc_alloc_data_pages tmc_alloc_sg_table tmc_init_etr_sg_table tmc_alloc_etr_buf tmc_enable_etr_sink_sysfs tmc_enable_etr_sink coresight_enable_path coresight_enable enable_source_store dev_attr_store sysfs_kf_write Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") Cc: stable@vger.kernel.org Reviewed-by: Suzuki K Poulose Signed-off-by: Mao Jinlong Signed-off-by: Sai Prakash Ranjan Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20201127175256.1092685-13-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit ec13738c6ec645fbc3fa8d5d0b9920170e9c200f Author: Sai Prakash Ranjan Date: Fri Nov 27 10:52:50 2020 -0700 coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() commit 868663dd5d69fef05bfb004f91da5c30e9b93461 upstream. There was a report of NULL pointer dereference in ETF enable path for perf CS mode with PID monitoring. It is almost 100% reproducible when the process to monitor is something very active such as chrome and with ETF as the sink and not ETR. Currently in a bid to find the pid, the owner is dereferenced via task_pid_nr() call in tmc_enable_etf_sink_perf() and with owner being NULL, we get a NULL pointer dereference. Looking at the ETR and other places in the kernel, ETF and the ETB are the only places trying to dereference the task(owner) in tmc_enable_etf_sink_perf() which is also called from the sched_in path as in the call trace. Owner(task) is NULL even in the case of ETR in tmc_enable_etr_sink_perf(), but since we cache the PID in alloc_buffer() callback and it is done as part of etm_setup_aux() when allocating buffer for ETR sink, we never dereference this NULL pointer and we are safe. So lets do the same thing with ETF and cache the PID to which the cs_buffer belongs in tmc_alloc_etf_buffer() as done for ETR. This will also remove the unnecessary function calls(task_pid_nr()) since we are caching the PID. Easily reproducible running below: perf record -e cs_etm/@tmc_etf0/ -N -p Unable to handle kernel NULL pointer dereference at virtual address 0000000000000548 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 ... Call trace: tmc_enable_etf_sink+0xe4/0x280 coresight_enable_path+0x168/0x1fc etm_event_start+0x8c/0xf8 etm_event_add+0x38/0x54 event_sched_in+0x194/0x2ac group_sched_in+0x54/0x12c flexible_sched_in+0xd8/0x120 visit_groups_merge+0x100/0x16c ctx_flexible_sched_in+0x50/0x74 ctx_sched_in+0xa4/0xa8 perf_event_sched_in+0x60/0x6c perf_event_context_sched_in+0x98/0xe0 __perf_event_task_sched_in+0x5c/0xd8 finish_task_switch+0x184/0x1cc schedule_tail+0x20/0xec ret_from_fork+0x4/0x18 Fixes: 880af782c6e8 ("coresight: tmc-etf: Add support for CPU-wide trace scenarios") Cc: stable@vger.kernel.org Signed-off-by: Sai Prakash Ranjan Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20201127175256.1092685-10-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit d923c0ec129208e0576fa3d32b57019454b49b5a Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:43 2020 +0200 ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU commit bd7e7ff56feea7810df900fb09c9741d259861d9 upstream. On Odroid XU LDO12 and LDO15 supplies the power to USB 3.0 blocks but the GPK GPIO pins are supplied by LDO7 (VDDQ_LCD). LDO7 also supplies GPJ GPIO pins. The Exynos pinctrl driver does not take any supplies, so to have entire GPIO block always available, make the regulator always on. Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-3-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 43598dbdcbf0ac90346bdd86876c1c75e3e8c2fd Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:42 2020 +0200 ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410 commit 3d992fd8f4e0f09c980726308d2f2725587b32d6 upstream. The VBUS control (PWREN) and over-current pins of USB 3.0 DWC3 controllers are on Exynos5410 regular GPIOs. This is different than for example on Exynos5422 where these are special ETC pins with proper reset values (pulls, functions). Therefore these pins should be configured to enable proper USB 3.0 peripheral and host modes. This also fixes over-current warning: [ 6.024658] usb usb4-port1: over-current condition [ 6.028271] usb usb3-port1: over-current condition Fixes: cb0896562228 ("ARM: dts: exynos: Add USB to Exynos5410") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-2-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 2c6f6cd2cdfb1874ff07b91233f3af79fc7e4c00 Author: Krzysztof Kozlowski Date: Thu Oct 15 20:20:41 2020 +0200 ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU commit ecc1ff532b499d20304a4f682247137025814c34 upstream. On Odroid XU board the USB3-0 port is a microUSB and USB3-1 port is USB type A (host). The roles were copied from Odroid XU3 (Exynos5422) design which has it reversed. Fixes: 8149afe4dbf9 ("ARM: dts: exynos: Add initial support for Odroid XU board") Signed-off-by: Krzysztof Kozlowski Cc: Link: https://lore.kernel.org/r/20201015182044.480562-1-krzk@kernel.org Tested-by: Gabriel Ribba Esteva Signed-off-by: Greg Kroah-Hartman commit 4202cbbd2c4d7839b53945a46e1be9e498d0bd9d Author: Fabio Estevam Date: Mon Dec 7 10:09:09 2020 +0800 usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul commit c7721e15f434920145c376e8fe77e1c079fc3726 upstream. According to the i.MX6UL Errata document: https://www.nxp.com/docs/en/errata/IMX6ULCE.pdf ERR007881 also affects i.MX6UL, so pass the CI_HDRC_DISABLE_DEVICE_STREAMING flag to workaround the issue. Fixes: 52fe568e5d71 ("usb: chipidea: imx: add imx6ul usb support") Cc: Signed-off-by: Fabio Estevam Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20201207020909.22483-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman commit 8e19cfae3bb086658487df3263c74b53dd674494 Author: Will McVicker Date: Fri Nov 27 15:05:55 2020 +0100 USB: gadget: f_rndis: fix bitrate for SuperSpeed and above commit b00f444f9add39b64d1943fa75538a1ebd54a290 upstream. Align the SuperSpeed Plus bitrate for f_rndis to match f_ncm's ncm_bitrate defined by commit 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM"). Cc: Felipe Balbi Cc: EJ Hsu Cc: Peter Chen Cc: stable Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-2-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 8c124b35a53b32f12f667cdb03ccffe536005bba Author: Jack Pham Date: Tue Oct 27 16:07:31 2020 -0700 usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus commit a353397b0d5dfa3c99b372505db3378fc919c6c6 upstream. In many cases a function that supports SuperSpeed can very well operate in SuperSpeedPlus, if a gadget controller supports it, as the endpoint descriptors (and companion descriptors) are generally identical and can be re-used. This is true for two commonly used functions: Android's ADB and MTP. So we can simply assign the usb_function's ssp_descriptors array to point to its ss_descriptors, if available. Similarly, we need to allow an epfile's ioctl for FUNCTIONFS_ENDPOINT_DESC to correctly return the corresponding SuperSpeed endpoint descriptor in case the connected speed is SuperSpeedPlus as well. The only exception is if a function wants to implement an Isochronous endpoint capable of transferring more than 48KB per service interval when operating at greater than USB 3.1 Gen1 speed, in which case it would require an additional SuperSpeedPlus Isochronous Endpoint Companion descriptor to be returned as part of the Configuration Descriptor. Support for that would need to be separately added to the userspace-facing FunctionFS API which may not be a trivial task--likely a new descriptor format (v3?) may need to be devised to allow for separate SS and SSP descriptors to be supplied. Signed-off-by: Jack Pham Cc: stable Link: https://lore.kernel.org/r/20201027230731.9073-1-jackp@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 3389281e0e6e212a5d0dac4fcdaa93258a01314a Author: Will McVicker Date: Fri Nov 27 15:05:57 2020 +0100 USB: gadget: f_midi: setup SuperSpeed Plus descriptors commit 457a902ba1a73b7720666b21ca038cd19764db18 upstream. Needed for SuperSpeed Plus support for f_midi. This allows the gadget to work properly without crashing at SuperSpeed rates. Cc: Felipe Balbi Cc: stable Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 0ddb1d96a5dbd858ae9a908170b257a12107d122 Author: taehyun.cho Date: Fri Nov 27 15:05:56 2020 +0100 USB: gadget: f_acm: add support for SuperSpeed Plus commit 3ee05c20656782387aa9eb010fdb9bb16982ac3f upstream. Setup the SuperSpeed Plus descriptors for f_acm. This allows the gadget to work properly without crashing at SuperSpeed rates. Cc: Felipe Balbi Cc: stable Signed-off-by: taehyun.cho Signed-off-by: Will McVicker Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/20201127140559.381351-3-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 9ad41aa399db7cdfc209a68b7fbbafa8dbb3e496 Author: Johan Hovold Date: Wed Dec 9 11:42:21 2020 +0100 USB: serial: option: add interface-number sanity check to flag handling commit a251963f76fa0226d0fdf0c4f989496f18d9ae7f upstream. Add an interface-number sanity check before testing the device flags to avoid relying on undefined behaviour when left shifting in case a device uses an interface number greater than or equal to BITS_PER_LONG (i.e. 64 or 32). Reported-by: syzbot+8881b478dad0a7971f79@syzkaller.appspotmail.com Fixes: c3a65808f04a ("USB: serial: option: reimplement interface masking") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 57e22590c41b59430d8c2ac54d3496f6f59d2bef Author: Dan Carpenter Date: Thu Dec 3 11:41:13 2020 +0300 usb: mtu3: fix memory corruption in mtu3_debugfs_regset() commit 3f6f6343a29d9ea7429306b83b18e66dc1331d5c upstream. This code is using the wrong sizeof() so it does not allocate enough memory. It allocates 32 bytes but 72 are required. That will lead to memory corruption. Fixes: ae07809255d3 ("usb: mtu3: add debugfs interface files") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X8ikqc4Mo2/0G72j@mwanda Cc: stable Signed-off-by: Greg Kroah-Hartman commit 80cb9450705417aadb949f13e8a456c146991b55 Author: Nicolin Chen Date: Wed Nov 18 20:44:57 2020 -0800 soc/tegra: fuse: Fix index bug in get_process_id commit b9ce9b0f83b536a4ac7de7567a265d28d13e5bea upstream. This patch simply fixes a bug of referencing speedos[num] in every for-loop iteration in get_process_id function. Fixes: 0dc5a0d83675 ("soc/tegra: fuse: Add Tegra210 support") Cc: Signed-off-by: Nicolin Chen Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 037c65990d76ed72693c643dbc88a9c873f5f941 Author: Masahiro Yamada Date: Fri Dec 4 02:55:51 2020 +0900 kbuild: avoid split lines in .mod files [ Upstream commit 7d32358be8acb119dcfe39b6cf67ec6d94bf1fe7 ] "xargs echo" is not a safe way to remove line breaks because the input may exceed the command line limit and xargs may break it up into multiple invocations of echo. This should never happen because scripts/gen_autoksyms.sh expects all undefined symbols are placed in the second line of .mod files. One possible way is to replace "xargs echo" with "sed ':x;N;$!bx;s/\n/ /g'" or something, but I rewrote the code by using awk because it is more readable. This issue was reported by Sami Tolvanen; in his Clang LTO patch set, $(multi-used-m) is no longer an ELF object, but a thin archive that contains LLVM bitcode files. llvm-nm prints out symbols for each archive member separately, which results a lot of dupications, in some places, beyond the system-defined limit. This problem must be fixed irrespective of LTO, and we must ensure zero possibility of having this issue. Link: https://lkml.org/lkml/2020/12/1/1658 Reported-by: Sami Tolvanen Signed-off-by: Masahiro Yamada Reviewed-by: Sami Tolvanen Signed-off-by: Sasha Levin commit a803ea15b0dca8f073b3d5139b962a0a93354e00 Author: Stephane Eranian Date: Thu Nov 26 20:09:22 2020 +0900 perf/x86/intel: Check PEBS status correctly [ Upstream commit fc17db8aa4c53cbd2d5469bb0521ea0f0a6dbb27 ] The kernel cannot disambiguate when 2+ PEBS counters overflow at the same time. This is what the comment for this code suggests. However, I see the comparison is done with the unfiltered p->status which is a copy of IA32_PERF_GLOBAL_STATUS at the time of the sample. This register contains more than the PEBS counter overflow bits. It also includes many other bits which could also be set. Signed-off-by: Namhyung Kim Signed-off-by: Stephane Eranian Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20201126110922.317681-2-namhyung@kernel.org Signed-off-by: Sasha Levin commit 12db619c91d78d3db7e8cd05147108ed1eaa4783 Author: Brandon Syu Date: Thu Nov 12 15:35:52 2020 +0800 drm/amd/display: Init clock value by current vbios CLKs [ Upstream commit 7e0b367db85ef7b91399006253759a024eab7653 ] [Why] While booting into OS, driver updates DPP/DISP CLKs. But init clock value is zero which is invalid. [How] Get current clocks value to update init clocks. To avoid underflow. Signed-off-by: Brandon Syu Reviewed-by: Tony Cheng Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c137a880ae6c82050937433c78f7f9219044fa94 Author: Luca Coelho Date: Wed Dec 2 14:41:49 2020 +0200 iwlwifi: pcie: add one missing entry for AX210 [ Upstream commit 5febcdef30902fa870128b9789b873199f13aff1 ] The 0x0024 subsytem device ID was missing from the list, so some AX210 devices were not recognized. Add it. Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201202143859.308eab4db42c.I3763196cd3f7bb36f3dcabf02ec4e7c4fe859c0f@changeid Signed-off-by: Sasha Levin commit e124c5afaf88c4b25dcfcaf7d16e3a6f24b850c0 Author: Thomas Gleixner Date: Fri Nov 13 15:19:10 2020 +0100 dm table: Remove BUG_ON(in_interrupt()) [ Upstream commit e7b624183d921b49ef0a96329f21647d38865ee9 ] The BUG_ON(in_interrupt()) in dm_table_event() is a historic leftover from a rework of the dm table code which changed the calling context. Issuing a BUG for a wrong calling context is frowned upon and in_interrupt() is deprecated and only covering parts of the wrong contexts. The sanity check for the context is covered by CONFIG_DEBUG_ATOMIC_SLEEP and other debug facilities already. Signed-off-by: Thomas Gleixner Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 8a89abb26e304f52622fc32447fde14bfe92e5dc Author: Sreekanth Reddy Date: Mon Nov 30 13:57:33 2020 +0530 scsi: mpt3sas: Increase IOCInit request timeout to 30s [ Upstream commit 85dad327d9b58b4c9ce08189a2707167de392d23 ] Currently the IOCInit request message timeout is set to 10s. This is not sufficient in some scenarios such as during HBA FW downgrade operations. Increase the IOCInit request timeout to 30s. Link: https://lore.kernel.org/r/20201130082733.26120-1-sreekanth.reddy@broadcom.com Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit cd14a53938e0e7006b6eceebab435fe3b7a986cb Author: Sven Eckelmann Date: Thu Nov 26 13:52:47 2020 +0100 vxlan: Copy needed_tailroom from lowerdev [ Upstream commit a5e74021e84bb5eadf760aaf2c583304f02269be ] While vxlan doesn't need any extra tailroom, the lowerdev might need it. In that case, copy it over to reduce the chance for additional (re)allocations in the transmit path. Signed-off-by: Sven Eckelmann Link: https://lore.kernel.org/r/20201126125247.1047977-2-sven@narfation.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0b9ce087f75b05fa7eabcd632a40219a5db6daca Author: Sven Eckelmann Date: Thu Nov 26 13:52:46 2020 +0100 vxlan: Add needed_headroom for lower device [ Upstream commit 0a35dc41fea67ac4495ce7584406bf9557a6e7d0 ] It was observed that sending data via batadv over vxlan (on top of wireguard) reduced the performance massively compared to raw ethernet or batadv on raw ethernet. A check of perf data showed that the vxlan_build_skb was calling all the time pskb_expand_head to allocate enough headroom for: min_headroom = LL_RESERVED_SPACE(dst->dev) + dst->header_len + VXLAN_HLEN + iphdr_len; But the vxlan_config_apply only requested needed headroom for: lowerdev->hard_header_len + VXLAN6_HEADROOM or VXLAN_HEADROOM So it completely ignored the needed_headroom of the lower device. The first caller of net_dev_xmit could therefore never make sure that enough headroom was allocated for the rest of the transmit path. Cc: Annika Wickert Signed-off-by: Sven Eckelmann Tested-by: Annika Wickert Link: https://lore.kernel.org/r/20201126125247.1047977-1-sven@narfation.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 230290dca255ba54a48d28302141526e2a79856d Author: Mark Rutland Date: Mon Nov 30 11:59:40 2020 +0000 arm64: syscall: exit userspace before unmasking exceptions [ Upstream commit ca1314d73eed493c49bb1932c60a8605530db2e4 ] In el0_svc_common() we unmask exceptions before we call user_exit(), and so there's a window where an IRQ or debug exception can be taken while RCU is not watching. In do_debug_exception() we account for this in via debug_exception_{enter,exit}(), but in the el1_irq asm we do not and we call trace functions which rely on RCU before we have a guarantee that RCU is watching. Let's avoid this by having el0_svc_common() exit userspace before unmasking exceptions, matching what we do for all other EL0 entry paths. We can use user_exit_irqoff() to avoid the pointless save/restore of IRQ flags while we're sure exceptions are masked in DAIF. The workaround for Cortex-A76 erratum 1463225 may trigger a debug exception before this point, but the debug code invoked in this case is safe even when RCU is not watching. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: James Morse Cc: Will Deacon Link: https://lore.kernel.org/r/20201130115950.22492-2-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 34c07547dbe56a884d37b4617318924f48440d33 Author: Ofir Bitton Date: Sun Nov 29 09:34:12 2020 +0200 habanalabs: put devices before driver removal [ Upstream commit 5555b7c56bdec7a29c789fec27f84d40f52fbdfa ] Driver never puts its device and control_device objects, hence a memory leak is introduced every driver removal. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit be063ce1004ca6123de395c168200a49938bc5b5 Author: Qinglang Miao Date: Fri Oct 30 09:34:24 2020 +0800 drm/tegra: sor: Disable clocks on error in tegra_sor_init() [ Upstream commit bf3a3cdcad40e5928a22ea0fd200d17fd6d6308d ] Fix the missing clk_disable_unprepare() before return from tegra_sor_init() in the error handling case. Signed-off-by: Qinglang Miao Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9b6ebb202bbbf442cfa9a57a7d094dacceeedb80 Author: Nicholas Piggin Date: Thu Nov 26 20:25:29 2020 +1000 kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling [ Upstream commit 8ff00399b153440c1c83e20c43020385b416415b ] powerpc/64s keeps a counter in the mm which counts bits set in mm_cpumask as well as other things. This means it can't use generic code to clear bits out of the mask and doesn't adjust the arch specific counter. Add an arch override that allows powerpc/64s to use clear_tasks_mm_cpumask(). Signed-off-by: Nicholas Piggin Reviewed-by: Aneesh Kumar K.V Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201126102530.691335-4-npiggin@gmail.com Signed-off-by: Sasha Levin commit d8baf15b21962c08cfc5500a345733032bbad23d Author: Deepak R Varma Date: Thu Nov 5 23:29:28 2020 +0530 drm/tegra: replace idr_init() by idr_init_base() [ Upstream commit 41f71629b4c432f8dd47d70ace813be5f79d4d75 ] idr_init() uses base 0 which is an invalid identifier for this driver. The new function idr_init_base allows IDR to set the ID lookup from base 1. This avoids all lookups that otherwise starts from 0 since 0 is always unused. References: commit 6ce711f27500 ("idr: Make 1-based IDRs more efficient") Signed-off-by: Deepak R Varma Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 76812738841c2daa89420a2f61ab100f0dea8eb9 Author: Russell King Date: Sat Jun 20 10:21:32 2020 +0100 net: mvpp2: add mvpp2_phylink_to_port() helper [ Upstream commit 6c2b49eb96716e91f202756bfbd3f5fea3b2b172 ] Add a helper to convert the struct phylink_config pointer passed in from phylink to the drivers internal struct mvpp2_port. Signed-off-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6aa270eb2f900c41e96a9a4f93fbf76ed32e4d7b Author: Paolo Abeni Date: Wed Dec 9 12:21:13 2020 +0100 selftests: fix poll error in udpgro.sh [ Upstream commit 38bf8cd821be292e7d8e6f6283d67c5d9708f887 ] The test program udpgso_bench_rx always invokes the poll() syscall with a timeout of 10ms. If a larger timeout is specified via the command line, udpgso_bench_rx is supposed to do multiple poll() calls till the timeout is expired or an event is received. Currently the poll() loop errors out after the first invocation with no events, and may causes self-tests failure alike: failed GRO with custom segment size ./udpgso_bench_rx: poll: 0x0 expected 0x1 This change addresses the issue allowing the poll() loop to consume all the configured timeout. Fixes: ada641ff6ed3 ("selftests: fixes for UDP GRO") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0e2b048ffe442807c01738ad6fef7d4062fcf38d Author: Björn Töpel Date: Tue Aug 25 19:27:35 2020 +0200 ixgbe: avoid premature Rx buffer reuse [ Upstream commit a06316dc87bdc000f7f39a315476957af2ba0f05 ] The page recycle code, incorrectly, relied on that a page fragment could not be freed inside xdp_do_redirect(). This assumption leads to that page fragments that are used by the stack/XDP redirect can be reused and overwritten. To avoid this, store the page count prior invoking xdp_do_redirect(). Fixes: 6453073987ba ("ixgbe: add initial support for xdp redirect") Reported-and-analyzed-by: Li RongQing Signed-off-by: Björn Töpel Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 75bbe7bd90032e3d9233f29004e31f170ebe883e Author: Björn Töpel Date: Tue Aug 25 19:27:34 2020 +0200 i40e: avoid premature Rx buffer reuse [ Upstream commit 75aab4e10ae6a4593a60f66d13de755d4e91f400 ] The page recycle code, incorrectly, relied on that a page fragment could not be freed inside xdp_do_redirect(). This assumption leads to that page fragments that are used by the stack/XDP redirect can be reused and overwritten. To avoid this, store the page count prior invoking xdp_do_redirect(). Longer explanation: Intel NICs have a recycle mechanism. The main idea is that a page is split into two parts. One part is owned by the driver, one part might be owned by someone else, such as the stack. t0: Page is allocated, and put on the Rx ring +--------------- used by NIC ->| upper buffer (rx_buffer) +--------------- | lower buffer +--------------- page count == USHRT_MAX rx_buffer->pagecnt_bias == USHRT_MAX t1: Buffer is received, and passed to the stack (e.g.) +--------------- | upper buff (skb) +--------------- used by NIC ->| lower buffer (rx_buffer) +--------------- page count == USHRT_MAX rx_buffer->pagecnt_bias == USHRT_MAX - 1 t2: Buffer is received, and redirected +--------------- | upper buff (skb) +--------------- used by NIC ->| lower buffer (rx_buffer) +--------------- Now, prior calling xdp_do_redirect(): page count == USHRT_MAX rx_buffer->pagecnt_bias == USHRT_MAX - 2 This means that buffer *cannot* be flipped/reused, because the skb is still using it. The problem arises when xdp_do_redirect() actually frees the segment. Then we get: page count == USHRT_MAX - 1 rx_buffer->pagecnt_bias == USHRT_MAX - 2 From a recycle perspective, the buffer can be flipped and reused, which means that the skb data area is passed to the Rx HW ring! To work around this, the page count is stored prior calling xdp_do_redirect(). Note that this is not optimal, since the NIC could actually reuse the "lower buffer" again. However, then we need to track whether XDP_REDIRECT consumed the buffer or not. Fixes: d9314c474d4f ("i40e: add support for XDP_REDIRECT") Reported-and-analyzed-by: Li RongQing Signed-off-by: Björn Töpel Tested-by: George Kuruvinakunnel Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b05fdd74ffb7948588a8a0ffe9cf0f4e88bf90b0 Author: Li RongQing Date: Tue Aug 18 15:07:57 2020 +0800 i40e: optimise prefetch page refcount [ Upstream commit 1fa5cef283420b3dad93cd6ab04d7125bc1562de ] refcount of rx_buffer page will be added here originally, so prefetchw is needed, but after commit 1793668c3b8c ("i40e/i40evf: Update code to better handle incrementing page count"), and refcount is not added every time, so change prefetchw as prefetch. Now it mainly services page_address(), but which accesses struct page only when WANT_PAGE_VIRTUAL or HASHED_PAGE_VIRTUAL is defined otherwise it returns address based on offset, so we prefetch it conditionally. Jakub suggested to define prefetch_page_address in a common header. Reported-by: kernel test robot Suggested-by: Jakub Kicinski Signed-off-by: Li RongQing Reviewed-by: Jesse Brandeburg Tested-by: Aaron Brown Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 405bfd36f0720a562ace48ec2921cf9c6105124b Author: Björn Töpel Date: Wed May 20 21:20:54 2020 +0200 i40e: Refactor rx_bi accesses [ Upstream commit e1675f97367bed74d4dcfe08de9ce9b5d6b288c1 ] As a first step to migrate i40e to the new MEM_TYPE_XSK_BUFF_POOL APIs, code that accesses the rx_bi (SW/shadow ring) is refactored to use an accessor function. Signed-off-by: Björn Töpel Signed-off-by: Alexei Starovoitov Cc: intel-wired-lan@lists.osuosl.org Link: https://lore.kernel.org/bpf/20200520192103.355233-7-bjorn.topel@gmail.com Signed-off-by: Sasha Levin commit 6935f5385f7547997537fb70742f118acf3d5720 Author: Leon Romanovsky Date: Fri Dec 4 08:42:05 2020 +0200 RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait [ Upstream commit 340b940ea0ed12d9adbb8f72dea17d516b2019e8 ] If cm_create_timewait_info() fails, the timewait_info pointer will contain an error value and will be used in cm_remove_remote() later. general protection fault, probably for non-canonical address 0xdffffc0000000024: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0×0000000000000120-0×0000000000000127] CPU: 2 PID: 12446 Comm: syz-executor.3 Not tainted 5.10.0-rc5-5d4c0742a60e #27 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:cm_remove_remote.isra.0+0x24/0×170 drivers/infiniband/core/cm.c:978 Code: 84 00 00 00 00 00 41 54 55 53 48 89 fb 48 8d ab 2d 01 00 00 e8 7d bf 4b fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 48 89 ea 83 e2 07 38 d0 7f 08 84 c0 0f 85 fc 00 00 00 RSP: 0018:ffff888013127918 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: ffffc9000a18b000 RDX: 0000000000000024 RSI: ffffffff82edc573 RDI: fffffffffffffff4 RBP: 0000000000000121 R08: 0000000000000001 R09: ffffed1002624f1d R10: 0000000000000003 R11: ffffed1002624f1c R12: ffff888107760c70 R13: ffff888107760c40 R14: fffffffffffffff4 R15: ffff888107760c9c FS: 00007fe1ffcc1700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2ff21000 CR3: 000000010f504001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: cm_destroy_id+0x189/0×15b0 drivers/infiniband/core/cm.c:1155 cma_connect_ib drivers/infiniband/core/cma.c:4029 [inline] rdma_connect_locked+0x1100/0×17c0 drivers/infiniband/core/cma.c:4107 rdma_connect+0x2a/0×40 drivers/infiniband/core/cma.c:4140 ucma_connect+0x277/0×340 drivers/infiniband/core/ucma.c:1069 ucma_write+0x236/0×2f0 drivers/infiniband/core/ucma.c:1724 vfs_write+0x220/0×830 fs/read_write.c:603 ksys_write+0x1df/0×240 fs/read_write.c:658 do_syscall_64+0x33/0×40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") Link: https://lore.kernel.org/r/20201204064205.145795-1-leon@kernel.org Reviewed-by: Maor Gottlieb Reported-by: Amit Matityahu Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2107658d6d62aa0ca5c826e04c0231b946e5138e Author: Toke Høiland-Jørgensen Date: Wed Dec 9 14:57:42 2020 +0100 selftests/bpf/test_offload.py: Reset ethtool features after failed setting [ Upstream commit 766e62b7fcd2cf1d43e6594ba37c659dc48f7ddb ] When setting the ethtool feature flag fails (as expected for the test), the kernel now tracks that the feature was requested to be 'off' and refuses to subsequently disable it again. So reset it back to 'on' so a subsequent disable (that's not supposed to fail) can succeed. Fixes: 417ec26477a5 ("selftests/bpf: add offload test based on netdevsim") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Acked-by: Jakub Kicinski Link: https://lore.kernel.org/bpf/160752226280.110217.10696241563705667871.stgit@toke.dk Signed-off-by: Sasha Levin commit 3b79aea56dffcc7485a76eb654193ed2c8d19353 Author: Brett Mastbergen Date: Tue Dec 8 16:39:24 2020 -0500 netfilter: nft_ct: Remove confirmation check for NFT_CT_ID [ Upstream commit 2d94b20b95b009eec1a267dcf026b01af627c0cd ] Since commit 656c8e9cc1ba ("netfilter: conntrack: Use consistent ct id hash calculation") the ct id will not change from initialization to confirmation. Removing the confirmation check allows for things like adding an element to a 'typeof ct id' set in prerouting upon reception of the first packet of a new connection, and then being able to reference that set consistently both before and after the connection is confirmed. Fixes: 656c8e9cc1ba ("netfilter: conntrack: Use consistent ct id hash calculation") Signed-off-by: Brett Mastbergen Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 0a652b181d757c0ed88fc781b60e112e3f70af4b Author: Chunyan Zhang Date: Wed Dec 9 13:51:06 2020 +0800 gpio: eic-sprd: break loop when getting NULL device resource [ Upstream commit 263ade7166a2e589c5b605272690c155c0637dcb ] EIC controller have unfixed numbers of banks on different Spreadtrum SoCs, and each bank has its own base address, the loop of getting there base address in driver should break if the resource gotten via platform_get_resource() is NULL already. The later ones would be all NULL even if the loop continues. Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support") Signed-off-by: Chunyan Zhang Link: https://lore.kernel.org/r/20201209055106.840100-1-zhang.lyra@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 2ebb2df149d416bbdd52f6d82ec84d0fbcee6958 Author: Baolin Wang Date: Wed Apr 1 17:59:25 2020 +0800 Revert "gpio: eic-sprd: Use devm_platform_ioremap_resource()" [ Upstream commit 4ed7d7dd4890bb8120a3e77c16191a695fdfcc5a ] This reverts commit 0f5cb8cc27a266c81e6523b436479802e9aafc9e. This commit will cause below warnings, since our EIC controller can support differnt banks on different Spreadtrum SoCs, and each bank has its own base address, we will get invalid resource warning if the bank number is less than SPRD_EIC_MAX_BANK on some Spreadtrum SoCs. So we should not use devm_platform_ioremap_resource() here to remove the warnings. [ 1.118508] sprd-eic 40210000.gpio: invalid resource [ 1.118535] sprd-eic 40210000.gpio: invalid resource [ 1.119034] sprd-eic 40210080.gpio: invalid resource [ 1.119055] sprd-eic 40210080.gpio: invalid resource [ 1.119462] sprd-eic 402100a0.gpio: invalid resource [ 1.119482] sprd-eic 402100a0.gpio: invalid resource [ 1.119893] sprd-eic 402100c0.gpio: invalid resource [ 1.119913] sprd-eic 402100c0.gpio: invalid resource Signed-off-by: Baolin Wang Link: https://lore.kernel.org/r/8d3579f4b49bb675dc805035960f24852898be28.1585734060.git.baolin.wang7@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 64795af3bdc7e477cb23ed10af573bbf9e6b44b7 Author: David Howells Date: Tue Dec 8 23:52:03 2020 +0000 afs: Fix memory leak when mounting with multiple source parameters [ Upstream commit 4cb682964706deffb4861f0a91329ab3a705039f ] There's a memory leak in afs_parse_source() whereby multiple source= parameters overwrite fc->source in the fs_context struct without freeing the previously recorded source. Fix this by only permitting a single source parameter and rejecting with an error all subsequent ones. This was caught by syzbot with the kernel memory leak detector, showing something like the following trace: unreferenced object 0xffff888114375440 (size 32): comm "repro", pid 5168, jiffies 4294923723 (age 569.948s) backtrace: slab_post_alloc_hook+0x42/0x79 __kmalloc_track_caller+0x125/0x16a kmemdup_nul+0x24/0x3c vfs_parse_fs_string+0x5a/0xa1 generic_parse_monolithic+0x9d/0xc5 do_new_mount+0x10d/0x15a do_mount+0x5f/0x8e __do_sys_mount+0xff/0x127 do_syscall_64+0x2d/0x3a entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 13fcc6837049 ("afs: Add fs_context support") Reported-by: syzbot+86dc6632faaca40133ab@syzkaller.appspotmail.com Signed-off-by: David Howells cc: Randy Dunlap Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6581512f0afc355f36c2056751b3730874708bae Author: Pablo Neira Ayuso Date: Tue Dec 8 18:25:53 2020 +0100 netfilter: nft_dynset: fix timeouts later than 23 days [ Upstream commit 917d80d376ffbaa9725fde9e3c0282f63643f278 ] Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days"), otherwise ruleset listing breaks. Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 810bc556e347812d343baa7b1bc899eab569dadd Author: Florian Westphal Date: Fri Jul 24 13:34:46 2020 +0200 netfilter: nft_compat: make sure xtables destructors have run [ Upstream commit ffe8923f109b7ea92c0842c89e61300eefa11c94 ] Pablo Neira found that after recent update of xt_IDLETIMER the iptables-nft tests sometimes show an error. He tracked this down to the delayed cleanup used by nf_tables core: del rule (transaction A) add rule (transaction B) Its possible that by time transaction B (both in same netns) runs, the xt target destructor has not been invoked yet. For native nft expressions this is no problem because all expressions that have such side effects make sure these are handled from the commit phase, rather than async cleanup. For nft_compat however this isn't true. Instead of forcing synchronous behaviour for nft_compat, keep track of the number of outstanding destructor calls. When we attempt to create a new expression, flush the cleanup worker to make sure destructors have completed. With lots of help from Pablo Neira. Reported-by: Pablo Neira Ayso Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit b17244cebb24b30b886d46938cc5f798f7337574 Author: Subash Abhinov Kasiviswanathan Date: Wed Nov 25 11:27:22 2020 -0700 netfilter: x_tables: Switch synchronization to RCU [ Upstream commit cc00bcaa589914096edef7fb87ca5cee4a166b5c ] When running concurrent iptables rules replacement with data, the per CPU sequence count is checked after the assignment of the new information. The sequence count is used to synchronize with the packet path without the use of any explicit locking. If there are any packets in the packet path using the table information, the sequence count is incremented to an odd value and is incremented to an even after the packet process completion. The new table value assignment is followed by a write memory barrier so every CPU should see the latest value. If the packet path has started with the old table information, the sequence counter will be odd and the iptables replacement will wait till the sequence count is even prior to freeing the old table info. However, this assumes that the new table information assignment and the memory barrier is actually executed prior to the counter check in the replacement thread. If CPU decides to execute the assignment later as there is no user of the table information prior to the sequence check, the packet path in another CPU may use the old table information. The replacement thread would then free the table information under it leading to a use after free in the packet processing context- Unable to handle kernel NULL pointer dereference at virtual address 000000000000008e pc : ip6t_do_table+0x5d0/0x89c lr : ip6t_do_table+0x5b8/0x89c ip6t_do_table+0x5d0/0x89c ip6table_filter_hook+0x24/0x30 nf_hook_slow+0x84/0x120 ip6_input+0x74/0xe0 ip6_rcv_finish+0x7c/0x128 ipv6_rcv+0xac/0xe4 __netif_receive_skb+0x84/0x17c process_backlog+0x15c/0x1b8 napi_poll+0x88/0x284 net_rx_action+0xbc/0x23c __do_softirq+0x20c/0x48c This could be fixed by forcing instruction order after the new table information assignment or by switching to RCU for the synchronization. Fixes: 80055dab5de0 ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore") Reported-by: Sean Tranchetti Reported-by: kernel test robot Suggested-by: Florian Westphal Signed-off-by: Subash Abhinov Kasiviswanathan Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 22faec182eecd84a1010586a63afbba65daba17e Author: Andrew Jeffery Date: Thu Nov 26 17:03:37 2020 +1030 pinctrl: aspeed: Fix GPIO requests on pass-through banks [ Upstream commit 7aeb353802611a8e655e019f09a370ff682af1a6 ] Commit 6726fbff19bf ("pinctrl: aspeed: Fix GPI only function problem.") fixes access to GPIO banks T and U on the AST2600. Both banks contain input-only pins and the GPIO pin function is named GPITx and GPIUx respectively. Unfortunately the fix had a negative impact on GPIO banks D and E for the AST2400 and AST2500 where the GPIO pass-through functions take similar "GPI"-style names. The net effect on the older SoCs was that when the GPIO subsystem requested a pin in banks D or E be muxed for GPIO, they were instead muxed for pass-through mode. Mistakenly muxing pass-through mode e.g. breaks booting the host on IBM's Witherspoon (AC922) platform where GPIOE0 is used for FSI. Further exploit the names in the provided expression structure to differentiate pass-through from pin-specific GPIO modes. This follow-up fix gives the expected behaviour for the following tests: Witherspoon BMC (AST2500): 1. Power-on the Witherspoon host 2. Request GPIOD1 be muxed via /sys/class/gpio/export 3. Request GPIOE1 be muxed via /sys/class/gpio/export 4. Request the balls for GPIOs E2 and E3 be muxed as GPIO pass-through ("GPIE2" mode) via a pinctrl hog in the devicetree Rainier BMC (AST2600): 5. Request GPIT0 be muxed via /sys/class/gpio/export 6. Request GPIU0 be muxed via /sys/class/gpio/export Together the tests demonstrate that all three pieces of functionality (general GPIOs via 1, 2 and 3, input-only GPIOs via 5 and 6, pass-through mode via 4) operate as desired across old and new SoCs. Fixes: 9b92f5c51e9a ("pinctrl: aspeed: Fix GPI only function problem.") Signed-off-by: Andrew Jeffery Tested-by: Joel Stanley Reviewed-by: Joel Stanley Cc: Billy Tsai Cc: Joel Stanley Link: https://lore.kernel.org/r/20201126063337.489927-1-andrew@aj.id.au Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit f7e6636831dfdac0837e038a0343d052d9213a7a Author: Douglas Anderson Date: Mon Apr 20 09:24:51 2020 -0700 blk-mq: In blk_mq_dispatch_rq_list() "no budget" is a reason to kick [ Upstream commit ab3cee3762e5e69f27c302c43691289fdfc12316 ] In blk_mq_dispatch_rq_list(), if blk_mq_sched_needs_restart() returns true and the driver returns BLK_STS_RESOURCE then we'll kick the queue. However, there's another case where we might need to kick it. If we were unable to get budget we can be in much the same state as when the driver returns BLK_STS_RESOURCE, so we should treat it the same. It should be noted that even if we add a whole bunch of extra kicking to the queue in other patches this patch is still important. Specifically any kicking that happened before we re-spliced leftover requests into 'hctx->dispatch' wouldn't have found any work, so we really need to make sure we kick ourselves after we've done the splicing. Signed-off-by: Douglas Anderson Reviewed-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4f3e3fa6239d52378e251382d84ab0932483e674 Author: Johannes Thumshirn Date: Wed Mar 25 00:24:44 2020 +0900 block: factor out requeue handling from dispatch code [ Upstream commit c92a41031a6d57395889b5c87cea359220a24d2a ] Factor out the requeue handling from the dispatch code, this will make subsequent addition of different requeueing schemes easier. Signed-off-by: Johannes Thumshirn Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9e54ca3d4f9d4a877e7539747a701c68c96b7eb8 Author: Damien Le Moal Date: Sun Oct 27 23:05:43 2019 +0900 block: Simplify REQ_OP_ZONE_RESET_ALL handling [ Upstream commit c7a1d926dc4076aadad187614500afcd8de78818 ] There is no need for the function __blkdev_reset_all_zones() as REQ_OP_ZONE_RESET_ALL can be handled directly in blkdev_reset_zones() bio loop with an early break from the loop. This patch removes this function and modifies blkdev_reset_zones(), simplifying the code. Reviewed-by: Christoph Hellwig Signed-off-by: Damien Le Moal Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 71e0f9c5c3df743bdec2ce2f36c1f4bc974f340c Author: Geert Uytterhoeven Date: Mon Nov 30 09:57:43 2020 +0100 clk: renesas: r9a06g032: Drop __packed for portability [ Upstream commit ceabbf94c317c6175dee6e91805fca4a6353745a ] The R9A06G032 clock driver uses an array of packed structures to reduce kernel size. However, this array contains pointers, which are no longer aligned naturally, and cannot be relocated on PPC64. Hence when compile-testing this driver on PPC64 with CONFIG_RELOCATABLE=y (e.g. PowerPC allyesconfig), the following warnings are produced: WARNING: 136 bad relocations c000000000616be3 R_PPC64_UADDR64 .rodata+0x00000000000cf338 c000000000616bfe R_PPC64_UADDR64 .rodata+0x00000000000cf370 ... Fix this by dropping the __packed attribute from the r9a06g032_clkdesc definition, trading a small size increase for portability. This increases the 156-entry clock table by 1 byte per entry, but due to the compiler generating more efficient code for unpacked accesses, the net size increase is only 76 bytes (gcc 9.3.0 on arm32). Reported-by: Stephen Rothwell Fixes: 4c3d88526eba2143 ("clk: renesas: Renesas R9A06G032 clock driver") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20201130085743.1656317-1-geert+renesas@glider.be Tested-by: Stephen Rothwell # PowerPC allyesconfig build Acked-by: Stephen Boyd Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 43a373488e924ae6bca232c265427258183e6c38 Author: Zhang Qilong Date: Fri Dec 4 14:35:06 2020 +0100 can: softing: softing_netdev_open(): fix error handling [ Upstream commit 4d1be581ec6b92a338bb7ed23e1381f45ddf336f ] If softing_netdev_open() fails, we should call close_candev() to avoid reference leak. Fixes: 03fd3cf5a179d ("can: add driver for Softing card") Signed-off-by: Zhang Qilong Acked-by: Kurt Van Dijck Link: https://lore.kernel.org/r/20201202151632.1343786-1-zhangqilong3@huawei.com Signed-off-by: Marc Kleine-Budde Link: https://lore.kernel.org/r/20201204133508.742120-2-mkl@pengutronix.de Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 36f460d51ac5921a4ea7f90076b1f7344cef58f8 Author: Xuan Zhuo Date: Tue Dec 1 21:56:57 2020 +0800 xsk: Replace datagram_poll by sock_poll_wait [ Upstream commit f5da54187e33dce9bea63170667dbb0ca8d98194 ] datagram_poll will judge the current socket status (EPOLLIN, EPOLLOUT) based on the traditional socket information (eg: sk_wmem_alloc), but this does not apply to xsk. So this patch uses sock_poll_wait instead of datagram_poll, and the mask is calculated by xsk_poll. Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support") Signed-off-by: Xuan Zhuo Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/e82f4697438cd63edbf271ebe1918db8261b7c09.1606555939.git.xuanzhuo@linux.alibaba.com Signed-off-by: Sasha Levin commit 50ae52e07d2b78cbf4643ff6eb79ee80ff4866ce Author: Luc Van Oostenryck Date: Wed Nov 20 01:10:42 2019 +0100 xsk: Fix xsk_poll()'s return type [ Upstream commit 5d946c5abbaf68083fa6a41824dd79e1f06286d8 ] xsk_poll() is defined as returning 'unsigned int' but the .poll method is declared as returning '__poll_t', a bitwise type. Fix this by using the proper return type and using the EPOLL constants instead of the POLL ones, as required for __poll_t. Signed-off-by: Luc Van Oostenryck Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20191120001042.30830-1-luc.vanoostenryck@gmail.com Signed-off-by: Sasha Levin commit 369ed255958fcfb83cdc5f05fa18aaf0918da130 Author: Randy Dunlap Date: Sat Nov 28 23:09:16 2020 -0800 scsi: bnx2i: Requires MMU [ Upstream commit 2d586494c4a001312650f0b919d534e429dd1e09 ] The SCSI_BNX2_ISCSI kconfig symbol selects CNIC and CNIC selects UIO, which depends on MMU. Since 'select' does not follow dependency chains, add the same MMU dependency to SCSI_BNX2_ISCSI. Quietens this kconfig warning: WARNING: unmet direct dependencies detected for CNIC Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=m] || IPV6 [=m]=n) && MMU [=n] Selected by [m]: - SCSI_BNX2_ISCSI [=m] && SCSI_LOWLEVEL [=y] && SCSI [=y] && NET [=y] && PCI [=y] && (IPV6 [=m] || IPV6 [=m]=n) Link: https://lore.kernel.org/r/20201129070916.3919-1-rdunlap@infradead.org Fixes: cf4e6363859d ("[SCSI] bnx2i: Add bnx2i iSCSI driver.") Cc: linux-scsi@vger.kernel.org Cc: Nilesh Javali Cc: Manish Rangankar Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Signed-off-by: Randy Dunlap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e190d1b3c4d28425f7bae1c21734d081be4bd746 Author: Baruch Siach Date: Wed Dec 2 09:15:32 2020 +0200 gpio: mvebu: fix potential user-after-free on probe [ Upstream commit 7ee1a01e47403f72b9f38839a737692f6991263e ] When mvebu_pwm_probe() fails IRQ domain is not released. Move pwm probe before IRQ domain allocation. Add pwm cleanup code to the failure path. Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") Reported-by: Andrew Lunn Signed-off-by: Baruch Siach Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit ec64dea576d57d4369fb7fec56a806e12198b9af Author: Qinglang Miao Date: Fri Nov 27 17:44:45 2020 +0800 gpio: zynq: fix reference leak in zynq_gpio functions [ Upstream commit 7f57b295f990c0fa07f96d51ca1c82c52dbf79cc ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in a reference leak here. A new function pm_runtime_resume_and_get is introduced in [0] to keep usage counter balanced. So We fix the reference leak by replacing it with new funtion. [0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") Fixes: c2df3de0d07e ("gpio: zynq: properly support runtime PM for GPIO used as interrupts") Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 823f42bd61933a46658da20c8e897df720f77c94 Author: Zhang Qilong Date: Tue Nov 10 17:29:32 2020 +0800 PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter [ Upstream commit dd8088d5a8969dc2b42f71d7bc01c25c61a78066 ] In many case, we need to check return value of pm_runtime_get_sync, but it brings a trouble to the usage counter processing. Many callers forget to decrease the usage counter when it failed, which could resulted in reference leak. It has been discussed a lot[0][1]. So we add a function to deal with the usage counter for better coding. [0]https://lkml.org/lkml/2020/6/14/88 [1]https://patchwork.ozlabs.org/project/linux-tegra/list/?series=178139 Signed-off-by: Zhang Qilong Acked-by: Rafael J. Wysocki Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 74e38f86ab530232e45a9e1c787c023d1255d58d Author: Bernd Bauer Date: Thu Nov 26 18:56:28 2020 +0100 ARM: dts: imx6qdl-kontron-samx6i: fix I2C_PM scl pin [ Upstream commit 19ba8fb810c60b46869acc9f455613de454e0fca ] Use the correct pin for the i2c scl signal else we can't access the SoM eeprom. Fixes: 2a51f9dae13d ("ARM: dts: imx6qdl-kontron-samx6i: Add iMX6-based Kontron SMARC-sAMX6i module") Signed-off-by: Bernd Bauer [m.felsch@pengutronix.de: Adapt commit message] Signed-off-by: Marco Felsch Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit f7fbde0f0b1495b5257c59fa7006b001acc18b22 Author: Fabio Estevam Date: Mon Nov 30 17:54:47 2020 -0300 ARM: dts: imx6qdl-wandboard-revd1: Remove PAD_GPIO_6 from enetgrp [ Upstream commit 58d6bca5efc73235b0f84c0d53321737177c651e ] Since commit 8ad2d1dcce54 ("ARM: dts: imx6qdl-wandboard: Add OV5645 camera support") the PAD_GPIO_6 is used for providing the camera sensor clock. Remove it from the enetgrp to fix the following IOMXU conflict: [ 9.972414] imx6q-pinctrl 20e0000.pinctrl: pin MX6Q_PAD_GPIO_6 already requested by 2188000.ethernet; cannot claim for 1-003c [ 9.983857] imx6q-pinctrl 20e0000.pinctrl: pin-140 (1-003c) status -22 [ 9.990514] imx6q-pinctrl 20e0000.pinctrl: could not request pin 140 (MX6Q_PAD_GPIO_6) from group ov5645grp on device 20e0000.pinctrl Fixes: 8ad2d1dcce54 ("ARM: dts: imx6qdl-wandboard: Add OV5645 camera support") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 4b008707bac48bcb86f44be74f615aa449fea606 Author: Adam Sampson Date: Mon Nov 23 17:47:39 2020 +0000 ARM: dts: sun7i: pcduino3-nano: enable RGMII RX/TX delay on PHY [ Upstream commit a7361b9c4615951f52ffd2b1afa09a1384c7b4e4 ] The RX/TX delays for the Ethernet PHY on the Linksprite pcDuino 3 Nano are configured in hardware, using resistors that are populated to pull the RTL8211E's RXDLY/TXDLY pins low or high as needed. phy-mode should be set to rgmii-id to reflect this. Previously it was set to rgmii, which used to work but now results in the delays being disabled again as a result of the bugfix in commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Tested on two pcDuino 3 Nano boards purchased in 2015. Without this fix, Ethernet works unreliably on one board and doesn't work at all on the other. Fixes: 061035d456c9 ("ARM: dts: sun7i: Add dts file for pcDuino 3 Nano board") Signed-off-by: Adam Sampson Signed-off-by: Maxime Ripard Reviewed-by: Andrew Lunn Acked-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20201123174739.6809-1-ats@offog.org Signed-off-by: Sasha Levin commit 76c475d5d7881b0796d73d0abd5258a5a8a5d733 Author: Icenowy Zheng Date: Fri Nov 20 13:08:51 2020 +0800 ARM: dts: sun8i: v3s: fix GIC node memory range [ Upstream commit a98fd117a2553ab1a6d2fe3c7acae88c1eca4372 ] Currently the GIC node in V3s DTSI follows some old DT examples, and being broken. This leads a warning at boot. Fix this. Fixes: f989086ccbc6 ("ARM: dts: sunxi: add dtsi file for V3s SoC") Signed-off-by: Icenowy Zheng Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201120050851.4123759-1-icenowy@aosc.io Signed-off-by: Sasha Levin commit 9ebc986a2ea5780f25799422126de717cba4cd4f Author: Andy Shevchenko Date: Thu Nov 12 21:03:01 2020 +0200 pinctrl: baytrail: Avoid clearing debounce value when turning it off [ Upstream commit 0b74e40a4e41f3cbad76dff4c50850d47b525b26 ] Baytrail pin control has a common register to set up debounce timeout. When a pin configuration requested debounce to be disabled, the rest of the pins may still want to have debounce enabled and thus rely on the common timeout value. Avoid clearing debounce value when turning it off for one pin while others may still use it. Fixes: 658b476c742f ("pinctrl: baytrail: Add debounce configuration") Depends-on: 04ff5a095d66 ("pinctrl: baytrail: Rectify debounce support") Depends-on: 827e1579e1d5 ("pinctrl: baytrail: Rectify debounce support (part 2)") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit e2556e0228974db18f7a03edc63c79c70b9427fc Author: Andy Shevchenko Date: Wed Nov 11 14:06:05 2020 +0200 pinctrl: merrifield: Set default bias in case no particular value given [ Upstream commit 0fa86fc2e28227f1e64f13867e73cf864c6d25ad ] When GPIO library asks pin control to set the bias, it doesn't pass any value of it and argument is considered boolean (and this is true for ACPI GpioIo() / GpioInt() resources, by the way). Thus, individual drivers must behave well, when they got the resistance value of 1 Ohm, i.e. transforming it to sane default. In case of Intel Merrifield pin control hardware the 20 kOhm sounds plausible because it gives a good trade off between weakness and minimization of leakage current (will be only 50 uA with the above choice). Fixes: 4e80c8f50574 ("pinctrl: intel: Add Intel Merrifield pin controller support") Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Signed-off-by: Sasha Levin commit 2ec85a7a5adf3822d6a2896314b02b0efbae1516 Author: Pablo Greco Date: Mon Nov 2 11:19:29 2020 -0300 ARM: dts: sun8i: v40: bananapi-m2-berry: Fix ethernet node [ Upstream commit 8a82d91fa275aaea49be06d7f5b1407ce1c0dd4b ] Ethernet PHY on BananaPi M2 Berry provides RX and TX delays. Fix ethernet node to reflect that fact. Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC ethernet controller") Signed-off-by: Pablo Greco Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/1604326769-39802-1-git-send-email-pgreco@centosproject.org Signed-off-by: Sasha Levin commit 9f69f6f8528886f31e37f2727d8c18c8e370a08f Author: Pablo Greco Date: Mon Nov 2 11:19:14 2020 -0300 ARM: dts: sun8i: r40: bananapi-m2-berry: Fix dcdc1 regulator [ Upstream commit bd5cdcdc66e1f7179ff6d172d1e5f55e43403aa8 ] DCDC1 regulator powers many different subsystems. While some of them can work at 3.0 V, some of them can not. For example, VCC-HDMI can only work between 3.24 V and 3.36 V. According to OS images provided by the board manufacturer this regulator should be set to 3.3 V. Set DCDC1 and DCDC1SW to 3.3 V in order to fix this. Fixes: 23edc168bd98 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2 Berry") Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC ethernet controller") Signed-off-by: Pablo Greco Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/1604326755-39742-1-git-send-email-pgreco@centosproject.org Signed-off-by: Sasha Levin commit 389033996cec1648b0b1d2b8dccb2e19b8e95e59 Author: Pablo Greco Date: Mon Nov 2 11:16:40 2020 -0300 ARM: dts: sun7i: bananapi: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit 8c9cb4094ccf242eddd140efba13872c55f68a87 ] The Ethernet PHY on the Bananapi M1 has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 8a5b272fbf44 ("ARM: dts: sun7i: Add Banana Pi board") Signed-off-by: Pablo Greco Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/1604326600-39544-1-git-send-email-pgreco@centosproject.org Signed-off-by: Sasha Levin