commit d036b5d2dd8fa3de540ec3357f657c436ce1d626 Author: Greg Kroah-Hartman Date: Wed Aug 19 08:24:20 2020 +0200 Linux 5.7.16 Tested-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit f93bc10c64afceb019ccdc7b5424ecedbd613f64 Author: Jens Axboe Date: Tue Aug 11 08:04:14 2020 -0600 io_uring: hold 'ctx' reference around task_work queue + execute commit 6d816e088c359866f9867057e04f244c608c42fe upstream. We're holding the request reference, but we need to go one higher to ensure that the ctx remains valid after the request has finished. If the ring is closed with pending task_work inflight, and the given io_kiocb finishes sync during issue, then we need a reference to the ring itself around the task_work execution cycle. Cc: stable@vger.kernel.org # v5.7+ Reported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit da914d858adca1bbfd3b39f8dee44d76a568e43a Author: Jens Axboe Date: Wed Aug 12 17:33:30 2020 -0600 io_uring: enable lookup of links holding inflight files commit f254ac04c8744cf7bfed012717eac34eacc65dfb upstream. When a process exits, we cancel whatever requests it has pending that are referencing the file table. However, if a link is holding a reference, then we cannot find it by simply looking at the inflight list. Enable checking of the poll and timeout list to find the link, and cancel it appropriately. Cc: stable@vger.kernel.org Reported-by: Josef Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 0566463676e0858897acd9555f905e4dcf29a738 Author: Jens Axboe Date: Mon Aug 10 10:54:02 2020 -0600 io_uring: add missing REQ_F_COMP_LOCKED for nested requests commit 9b7adba9eaec28e0e4343c96d0dbeb9578802f5f upstream. When we traverse into failing links or timeouts, we need to ensure we propagate the REQ_F_COMP_LOCKED flag to ensure that we correctly signal to the completion side that we already hold the completion lock. Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit fb910a7d69163ccfc962999bf404589c6072e827 Author: Jens Axboe Date: Thu Aug 13 09:01:38 2020 -0600 task_work: only grab task signal lock when needed commit ebf0d100df0731901c16632f78d78d35f4123bc4 upstream. If JOBCTL_TASK_WORK is already set on the targeted task, then we need not go through {lock,unlock}_task_sighand() to set it again and queue a signal wakeup. This is safe as we're checking it _after_ adding the new task_work with cmpxchg(). The ordering is as follows: task_work_add() get_signal() -------------------------------------------------------------- STORE(task->task_works, new_work); STORE(task->jobctl); mb(); mb(); LOAD(task->jobctl); LOAD(task->task_works); This speeds up TWA_SIGNAL handling quite a bit, which is important now that io_uring is relying on it for all task_work deliveries. Cc: Peter Zijlstra Cc: Jann Horn Acked-by: Oleg Nesterov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ff3f5b7bdcfb2d0ed3e2d3ac7504b69d29a7871a Author: Guoyu Huang Date: Wed Aug 5 03:53:50 2020 -0700 io_uring: Fix NULL pointer dereference in loop_rw_iter() commit 2dd2111d0d383df104b144e0d1f6b5a00cb7cd88 upstream. loop_rw_iter() does not check whether the file has a read or write function. This can lead to NULL pointer dereference when the user passes in a file descriptor that does not have read or write function. The crash log looks like this: [ 99.834071] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 99.835364] #PF: supervisor instruction fetch in kernel mode [ 99.836522] #PF: error_code(0x0010) - not-present page [ 99.837771] PGD 8000000079d62067 P4D 8000000079d62067 PUD 79d8c067 PMD 0 [ 99.839649] Oops: 0010 [#2] SMP PTI [ 99.840591] CPU: 1 PID: 333 Comm: io_wqe_worker-0 Tainted: G D 5.8.0 #2 [ 99.842622] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 99.845140] RIP: 0010:0x0 [ 99.845840] Code: Bad RIP value. [ 99.846672] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 [ 99.848018] RAX: 0000000000000000 RBX: ffff92363bd67300 RCX: ffff92363d461208 [ 99.849854] RDX: 0000000000000010 RSI: 00007ffdbf696bb0 RDI: ffff92363bd67300 [ 99.851743] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 [ 99.853394] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 [ 99.855148] R13: 0000000000000000 R14: ffff92363d461208 R15: ffffa1c7c01ebc68 [ 99.856914] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 [ 99.858651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 99.860032] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 [ 99.861979] Call Trace: [ 99.862617] loop_rw_iter.part.0+0xad/0x110 [ 99.863838] io_write+0x2ae/0x380 [ 99.864644] ? kvm_sched_clock_read+0x11/0x20 [ 99.865595] ? sched_clock+0x9/0x10 [ 99.866453] ? sched_clock_cpu+0x11/0xb0 [ 99.867326] ? newidle_balance+0x1d4/0x3c0 [ 99.868283] io_issue_sqe+0xd8f/0x1340 [ 99.869216] ? __switch_to+0x7f/0x450 [ 99.870280] ? __switch_to_asm+0x42/0x70 [ 99.871254] ? __switch_to_asm+0x36/0x70 [ 99.872133] ? lock_timer_base+0x72/0xa0 [ 99.873155] ? switch_mm_irqs_off+0x1bf/0x420 [ 99.874152] io_wq_submit_work+0x64/0x180 [ 99.875192] ? kthread_use_mm+0x71/0x100 [ 99.876132] io_worker_handle_work+0x267/0x440 [ 99.877233] io_wqe_worker+0x297/0x350 [ 99.878145] kthread+0x112/0x150 [ 99.878849] ? __io_worker_unuse+0x100/0x100 [ 99.879935] ? kthread_park+0x90/0x90 [ 99.880874] ret_from_fork+0x22/0x30 [ 99.881679] Modules linked in: [ 99.882493] CR2: 0000000000000000 [ 99.883324] ---[ end trace 4453745f4673190b ]--- [ 99.884289] RIP: 0010:0x0 [ 99.884837] Code: Bad RIP value. [ 99.885492] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 [ 99.886851] RAX: 0000000000000000 RBX: ffff92363acd7f00 RCX: ffff92363d461608 [ 99.888561] RDX: 0000000000000010 RSI: 00007ffe040d9e10 RDI: ffff92363acd7f00 [ 99.890203] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 [ 99.891907] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 [ 99.894106] R13: 0000000000000000 R14: ffff92363d461608 R15: ffffa1c7c01ebc68 [ 99.896079] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 [ 99.898017] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 99.899197] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 Fixes: 32960613b7c3 ("io_uring: correctly handle non ->{read,write}_iter() file_operations") Cc: stable@vger.kernel.org Signed-off-by: Guoyu Huang Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 58de6fc5d72464ad1aea7bf239cc59138ae71604 Author: Jens Axboe Date: Sat Aug 15 11:44:50 2020 -0700 io_uring: sanitize double poll handling commit d4e7cd36a90e38e0276d6ce0c20f5ccef17ec38c upstream. There's a bit of confusion on the matching pairs of poll vs double poll, depending on if the request is a pure poll (IORING_OP_POLL_ADD) or poll driven retry. Add io_poll_get_double() that returns the double poll waitqueue, if any, and io_poll_get_single() that returns the original poll waitqueue. With that, remove the argument to io_poll_remove_double(). Finally ensure that wait->private is cleared once the double poll handler has run, so that remove knows it's already been seen. Cc: stable@vger.kernel.org # v5.8 Reported-by: syzbot+7f617d4a9369028b8a2c@syzkaller.appspotmail.com Fixes: 18bceab101ad ("io_uring: allow POLL_ADD with double poll_wait() users") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2c3efa09c6eec4d6fdd8bb76caa45b8fed40e8ad Author: Gerald Schaefer Date: Wed Jul 29 22:22:34 2020 +0200 s390/gmap: improve THP splitting commit ba925fa35057a062ac98c3e8138b013ce4ce351c upstream. During s390_enable_sie(), we need to take care of splitting all qemu user process THP mappings. This is currently done with follow_page(FOLL_SPLIT), by simply iterating over all vma ranges, with PAGE_SIZE increment. This logic is sub-optimal and can result in a lot of unnecessary overhead, especially when using qemu and ASAN with large shadow map. Ilya reported significant system slow-down with one CPU busy for a long time and overall unresponsiveness. Fix this by using walk_page_vma() and directly calling split_huge_pmd() only for present pmds, which greatly reduces overhead. Cc: # v5.4+ Reported-by: Ilya Leoshkevich Tested-by: Ilya Leoshkevich Acked-by: Christian Borntraeger Signed-off-by: Gerald Schaefer Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 16de2abbc0713caded7f84e8ccd8991ae99687a1 Author: Alexander Gordeev Date: Tue Aug 4 20:35:49 2020 +0200 s390/numa: set node distance to LOCAL_DISTANCE commit 535e4fc623fab2e09a0653fc3a3e17f382ad0251 upstream. The node distance is hardcoded to 0, which causes a trouble for some user-level applications. In particular, "libnuma" expects the distance of a node to itself as LOCAL_DISTANCE. This update removes the offending node distance override. Cc: # 4.4 Fixes: 3a368f742da1 ("s390/numa: add core infrastructure") Signed-off-by: Alexander Gordeev Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit b091a488ab597cfbb6b66c1b0999d0244e303568 Author: Stefan Haberland Date: Tue Jul 14 22:03:26 2020 +0200 s390/dasd: fix inability to use DASD with DIAG driver commit 9f4aa52387c68049403b59939df5c0dd8e3872cc upstream. During initialization of the DASD DIAG driver a request is issued that has a bio structure that resides on the stack. With virtually mapped kernel stacks this bio address might be in virtual storage which is unsuitable for usage with the diag250 call. In this case the device can not be set online using the DIAG discipline and fails with -EOPNOTSUP. In the system journal the following error message is presented: dasd: X.X.XXXX Setting the DASD online with discipline DIAG failed with rc=-95 Fix by allocating the bio structure instead of having it on the stack. Fixes: ce3dc447493f ("s390: add support for virtually mapped kernel stacks") Signed-off-by: Stefan Haberland Reviewed-by: Peter Oberparleiter Cc: stable@vger.kernel.org #4.20 Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e21df17c8e38d492eb6b225616ef4289e05867ac Author: Oleksandr Andrushchenko Date: Thu Aug 13 09:21:10 2020 +0300 drm/xen-front: Fix misused IS_ERR_OR_NULL checks commit 14dee058610446aa464254fc5c8e88c7535195e0 upstream. The patch c575b7eeb89f: "drm/xen-front: Add support for Xen PV display frontend" from Apr 3, 2018, leads to the following static checker warning: drivers/gpu/drm/xen/xen_drm_front_gem.c:140 xen_drm_front_gem_create() warn: passing zero to 'ERR_CAST' drivers/gpu/drm/xen/xen_drm_front_gem.c 133 struct drm_gem_object *xen_drm_front_gem_create(struct drm_device *dev, 134 size_t size) 135 { 136 struct xen_gem_object *xen_obj; 137 138 xen_obj = gem_create(dev, size); 139 if (IS_ERR_OR_NULL(xen_obj)) 140 return ERR_CAST(xen_obj); Fix this and the rest of misused places with IS_ERR_OR_NULL in the driver. Fixes: c575b7eeb89f: "drm/xen-front: Add support for Xen PV display frontend" Signed-off-by: Oleksandr Andrushchenko Reported-by: Dan Carpenter Reviewed-by: Dan Carpenter Cc: Link: https://lore.kernel.org/r/20200813062113.11030-3-andr2000@gmail.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit ca37f26b27faca9bd66402cd610808c7d1b57969 Author: Oleksandr Andrushchenko Date: Thu Aug 13 09:21:09 2020 +0300 xen/gntdev: Fix dmabuf import with non-zero sgt offset commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream. It is possible that the scatter-gather table during dmabuf import has non-zero offset of the data, but user-space doesn't expect that. Fix this by failing the import, so user-space doesn't access wrong data. Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality") Signed-off-by: Oleksandr Andrushchenko Acked-by: Juergen Gross Cc: Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit bdea0200336fcacf4e220275c826fe9fd66bc3e9 Author: Roger Pau Monne Date: Mon Jul 27 11:13:40 2020 +0200 xen/balloon: make the balloon wait interruptible commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream. So it can be killed, or else processes can get hung indefinitely waiting for balloon pages. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 775aaa34caf248a8dd377addb8ea6f8505c4d87f Author: Roger Pau Monne Date: Mon Jul 27 11:13:39 2020 +0200 xen/balloon: fix accounting in alloc_xenballooned_pages error path commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream. target_unpopulated is incremented with nr_pages at the start of the function, but the call to free_xenballooned_pages will only subtract pgno number of pages, and thus the rest need to be subtracted before returning or else accounting will be skewed. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 3f29275098737306d6597ad7fd6983633120722b Author: Kees Cook Date: Fri Jul 24 14:36:24 2020 -0700 firmware_loader: EFI firmware loader must handle pre-allocated buffer commit 4fb60b158afd3ac9e0fe9975aa476213f5cc0a4d upstream. The EFI platform firmware fallback would clobber any pre-allocated buffers. Instead, correctly refuse to reallocate when too small (as already done in the sysfs fallback), or perform allocation normally when needed. Fixes: e4c2c0ff00ec ("firmware: Add new platform fallback mechanism and firmware_request_platform()") Cc: stable@vger.kernel.org Acked-by: Scott Branden Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20200724213640.389191-4-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit 94bab54503b65810226a76b1f75c1a602cc2de10 Author: Jon Derrick Date: Tue Jul 21 14:26:09 2020 -0600 irqdomain/treewide: Free firmware node after domain removal commit ec0160891e387f4771f953b888b1fe951398e5d9 upstream. Commit 711419e504eb ("irqdomain: Add the missing assignment of domain->fwnode for named fwnode") unintentionally caused a dangling pointer page fault issue on firmware nodes that were freed after IRQ domain allocation. Commit e3beca48a45b fixed that dangling pointer issue by only freeing the firmware node after an IRQ domain allocation failure. That fix no longer frees the firmware node immediately, but leaves the firmware node allocated after the domain is removed. The firmware node must be kept around through irq_domain_remove, but should be freed it afterwards. Add the missing free operations after domain removal where where appropriate. Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated") Signed-off-by: Jon Derrick Signed-off-by: Thomas Gleixner Reviewed-by: Andy Shevchenko Acked-by: Bjorn Helgaas # drivers/pci Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1595363169-7157-1-git-send-email-jonathan.derrick@intel.com Signed-off-by: Greg Kroah-Hartman commit 841e8bef3b6475b7858e6472e83f886fdc4b6126 Author: Jonathan McDowell Date: Sat Jul 4 18:23:34 2020 +0100 firmware: qcom_scm: Fix legacy convention SCM accessors commit b88c28280c3f7097546db93824686db1e7dceee1 upstream. The move to a combined driver for the QCOM SCM hardware changed the io_writel and io_readl helpers to use non-atomic calls, despite the commit message saying that atomic was a better option. This breaks these helpers on hardware that uses the old legacy convention (access fails with a -95 return code). Switch back to using the atomic calls. Observed as a failure routing GPIO interrupts to the Apps processor on an IPQ8064; fix is confirmed as correctly allowing the interrupts to be routed and observed. Reviewed-by: Elliot Berman Fixes: 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") Cc: stable@vger.kernel.org Signed-off-by: Jonathan McDowell Link: https://lore.kernel.org/r/20200704172334.GA759@earth.li Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit afb4e0ed91ff699d59052fd46b125c48643bd287 Author: Nathan Huckleberry Date: Fri Jul 10 20:23:37 2020 +0100 ARM: 8992/1: Fix unwind_frame for clang-built kernels commit b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 upstream. Since clang does not push pc and sp in function prologues, the current implementation of unwind_frame does not work. By using the previous frame's lr/fp instead of saved pc/sp we get valid unwinds on clang-built kernels. The bounds check on next frame pointer must be changed as well since there are 8 less bytes between frames. This fixes /proc//stack. Link: https://github.com/ClangBuiltLinux/linux/issues/912 Reported-by: Miles Chen Tested-by: Miles Chen Cc: stable@vger.kernel.org Reviewed-by: Nick Desaulniers Signed-off-by: Nathan Huckleberry Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 81d06ab16bce5923892310e062dd677586f7b7f1 Author: Marek Szyprowski Date: Thu May 28 10:15:25 2020 +0200 ARM: dts: exynos: Extend all Exynos5800 A15's OPPs with max voltage data commit d644853ff8fcbb7a4e3757f9d8ccc39d930b7e3c upstream. On Exynos5422/5800 the regulator supply for the A15 cores ("vdd_arm") is coupled with the regulator supply for the SoC internal circuits ("vdd_int"), thus all operating points that modify one of those supplies have to specify a triplet of the min/target/max values to properly work with regulator coupling. Fixes: eaffc4de16c6 ("ARM: dts: exynos: Add missing CPU frequencies for Exynos5422/5800") Cc: Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit 11ef6a24402fa710614721775187ceb0fb4662cb Author: Sven Schnelle Date: Tue Aug 11 18:19:19 2020 +0200 parisc: mask out enable and reserved bits from sba imask commit 5b24993c21cbf2de11aff077a48c5cb0505a0450 upstream. When using kexec the SBA IOMMU IBASE might still have the RE bit set. This triggers a WARN_ON when trying to write back the IBASE register later, and it also makes some mask calculations fail. Cc: Signed-off-by: Sven Schnelle Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit f95d807577cf10d89936594dab66e086e9858af0 Author: John David Anglin Date: Thu Jul 30 08:59:12 2020 -0400 parisc: Implement __smp_store_release and __smp_load_acquire barriers commit e96ebd589debd9a6a793608c4ec7019c38785dea upstream. This patch implements the __smp_store_release and __smp_load_acquire barriers using ordered stores and loads. This avoids the sync instruction present in the generic implementation. Cc: # 4.14+ Signed-off-by: Dave Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 953dcf9b548cbca127f9bdea51697a9a787b9594 Author: John David Anglin Date: Tue Jul 28 19:13:20 2020 +0200 parisc: Do not use an ordered store in pa_tlb_lock() commit e72b23dec1da5e62a0090c5da1d926778284e230 upstream. No need to use an ordered store in pa_tlb_lock() and update the comment regarng usage of the sid register to unlocak a spinlock in tlb_unlock0(). Signed-off-by: John David Anglin Signed-off-by: Helge Deller Cc: # v5.0+ Signed-off-by: Greg Kroah-Hartman commit 7394c2adcddea37f18bca44696150767b4d441dd Author: Helge Deller Date: Tue Jul 28 18:56:14 2020 +0200 Revert "parisc: Revert "Release spinlocks using ordered store"" commit 157e9afcc4fa25068b0e8743bc254a9b56010e13 upstream. This reverts commit 86d4d068df573a8c2105554624796c086d6bec3d. Signed-off-by: Helge Deller Cc: # v5.0+ Signed-off-by: Greg Kroah-Hartman commit abff2f0b44d5c6a52f76da86f21bb05c19850d9d Author: Helge Deller Date: Tue Jul 28 18:54:40 2020 +0200 Revert "parisc: Use ldcw instruction for SMP spinlock release barrier" commit 6e9f06ee6c9566f3606d93182ac8f803a148504b upstream. This reverts commit 9e5c602186a692a7e848c0da17aed40f49d30519. No need to use the ldcw instruction as SMP spinlock release barrier. Revert it to gain back speed again. Signed-off-by: Helge Deller Cc: # v5.2+ Signed-off-by: Greg Kroah-Hartman commit 1da1661a1a268aa57a5d33ce473052db1fce84f0 Author: Helge Deller Date: Tue Jul 28 18:52:58 2020 +0200 Revert "parisc: Drop LDCW barrier in CAS code when running UP" commit 462fb756c7de1ffe5bc6099149136031c2d9c02a upstream. This reverts commit e6eb5fe9123f05dcbf339ae5c0b6d32fcc0685d5. We need to optimize it differently. A follow up patch will correct it. Signed-off-by: Helge Deller Cc: # v5.2+ Signed-off-by: Greg Kroah-Hartman commit 37771e52b0c4173a8d559bd612ca66eabccdd248 Author: Helge Deller Date: Tue Jul 28 18:49:45 2020 +0200 Revert "parisc: Improve interrupt handling in arch_spin_lock_flags()" commit 3d05b8aebc5f10ee3ab129b61100196855dd7249 upstream. This reverts commit 2772f0efd5bbd5413db3d22e363b779ca0fa5310. It turns out that we want to implement the spinlock code differently. Signed-off-by: Helge Deller Cc: # v5.7+ Signed-off-by: Greg Kroah-Hartman commit 0886f58b80f02865c7cfb8c4bdc77ee40fa61393 Author: Gao Xiang Date: Thu Jul 30 01:58:01 2020 +0800 erofs: fix extended inode could cross boundary commit 0dcd3c94e02438f4a571690e26f4ee997524102a upstream. Each ondisk inode should be aligned with inode slot boundary (32-byte alignment) because of nid calculation formula, so all compact inodes (32 byte) cannot across page boundary. However, extended inode is now 64-byte form, which can across page boundary in principle if the location is specified on purpose, although it's hard to be generated by mkfs due to the allocation policy and rarely used by Android use case now mainly for > 4GiB files. For now, only two fields `i_ctime_nsec` and `i_nlink' couldn't be read from disk properly and cause out-of-bound memory read with random value. Let's fix now. Fixes: 431339ba9042 ("staging: erofs: add inode operations") Cc: # 4.19+ Link: https://lore.kernel.org/r/20200729175801.GA23973@xiangao.remote.csb Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit bb4be8753b8018ea4ff05226f826ae948db960b3 Author: Alexander Sverdlin Date: Wed Jul 22 16:01:36 2020 +0200 mtd: spi-nor: intel-spi: Simulate WRDI command commit 44a80df4bfce02f5d51fe5040bdbdf10d0d78f4e upstream. After spi_nor_write_disable() return code checks were introduced in the spi-nor front end intel-spi backend stopped to work because WRDI was never supported and always failed. Just pretend it was sucessful and ignore the command itself. HW sequencer shall do the right thing automatically, while with SW sequencer we cannot do it anyway, because the only tool we had was preopcode and it makes no sense for WRDI. Fixes: bce679e5ae3a ("mtd: spi-nor: Check for errors after each Register Operation") Signed-off-by: Alexander Sverdlin Reviewed-by: Mika Westerberg Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/282e1305-fd08-e446-1a22-eb4dff78cfb4@nokia.com Signed-off-by: Tudor Ambarus Signed-off-by: Greg Kroah-Hartman commit 3bba00dd6b10411bdff3e06e7e836581ea31d55b Author: Sivaprakash Murugesan Date: Fri Jun 12 13:28:15 2020 +0530 mtd: rawnand: qcom: avoid write to unavailable register commit 443440cc4a901af462239d286cd10721aa1c7dfc upstream. SFLASHC_BURST_CFG is only available on older ipq NAND platforms, this register has been removed when the NAND controller got implemented in the qpic controller. Avoid writing this register on devices which are based on qpic NAND controller. Fixes: dce84760b09f ("mtd: nand: qcom: Support for IPQ8074 QPIC NAND controller") Cc: stable@vger.kernel.org Signed-off-by: Sivaprakash Murugesan Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/1591948696-16015-2-git-send-email-sivaprak@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 06e416c83e85f64c7cff1cca3a6685ff539be6b1 Author: Christian Eggers Date: Tue Jul 28 12:08:32 2020 +0200 spi: spidev: Align buffers for DMA commit aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 upstream. Simply copying all xfers from userspace into one bounce buffer causes alignment problems if the SPI controller uses DMA. Ensure that all transfer data blocks within the rx and tx bounce buffers are aligned for DMA (according to ARCH_KMALLOC_MINALIGN). Alignment may increase the usage of the bounce buffers. In some cases, the buffers may need to be increased using the "bufsiz" module parameter. Signed-off-by: Christian Eggers Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200728100832.24788-1-ceggers@arri.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ef01e32fa51c02204a33e6a82cad7b900a455311 Author: Chanwoo Choi Date: Thu Jul 9 15:51:34 2020 +0900 PM / devfreq: Fix indentaion of devfreq_summary debugfs node commit 0aae11bcdefb4894b6100656ad24cbd85ff34b52 upstream. The commit 66d0e797bf09 ("Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"") roll back the device name from 'devfreqX' to device name explained in DT. After applied commit 66d0e797bf09, the indentation of devfreq_summary debugfs node was broken. So, fix indentaion of devfreq_summary debugfs node as following: For example on Exynos5422-based Odroid-XU3 board, $ cat /sys/kernel/debug/devfreq/devfreq_summary dev parent_dev governor polling_ms cur_freq_Hz min_freq_Hz max_freq_Hz ------------------------------ ------------------------------ --------------- ---------- ------------ ------------ ------------ 10c20000.memory-controller null simple_ondemand 0 413000000 165000000 825000000 soc:bus_wcore null simple_ondemand 50 88700000 88700000 532000000 soc:bus_noc soc:bus_wcore passive 0 66600000 66600000 111000000 soc:bus_fsys_apb soc:bus_wcore passive 0 111000000 111000000 222000000 soc:bus_fsys soc:bus_wcore passive 0 75000000 75000000 200000000 soc:bus_fsys2 soc:bus_wcore passive 0 75000000 75000000 200000000 soc:bus_mfc soc:bus_wcore passive 0 83250000 83250000 333000000 soc:bus_gen soc:bus_wcore passive 0 88700000 88700000 266000000 soc:bus_peri soc:bus_wcore passive 0 66600000 66600000 66600000 soc:bus_g2d soc:bus_wcore passive 0 83250000 83250000 333000000 soc:bus_g2d_acp soc:bus_wcore passive 0 0 66500000 266000000 soc:bus_jpeg soc:bus_wcore passive 0 0 75000000 300000000 soc:bus_jpeg_apb soc:bus_wcore passive 0 0 83250000 166500000 soc:bus_disp1_fimd soc:bus_wcore passive 0 0 120000000 200000000 soc:bus_disp1 soc:bus_wcore passive 0 0 120000000 300000000 soc:bus_gscl_scaler soc:bus_wcore passive 0 0 150000000 300000000 soc:bus_mscl soc:bus_wcore passive 0 0 84000000 666000000 Cc: stable@vger.kernel.org Fixes: 66d0e797bf09 ("Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"") Signed-off-by: Chanwoo Choi Signed-off-by: Greg Kroah-Hartman commit de85cf79ef7d645b39f2e51658044783021ea62a Author: Marc Zyngier Date: Tue Jun 30 11:05:46 2020 +0100 PM / devfreq: rk3399_dmc: Fix kernel oops when rockchip,pmu is absent commit 63ef91f24f9bfc70b6446319f6cabfd094481372 upstream. Booting a recent kernel on a rk3399-based system (nanopc-t4), equipped with a recent u-boot and ATF results in an Oops due to a NULL pointer dereference. This turns out to be due to the rk3399-dmc driver looking for an *undocumented* property (rockchip,pmu), and happily using a NULL pointer when the property isn't there. Instead, make most of what was brought in with 9173c5ceb035 ("PM / devfreq: rk3399_dmc: Pass ODT and auto power down parameters to TF-A.") conditioned on finding this property in the device-tree, preventing the driver from exploding. Cc: stable@vger.kernel.org Fixes: 9173c5ceb035 ("PM / devfreq: rk3399_dmc: Pass ODT and auto power down parameters to TF-A.") Signed-off-by: Marc Zyngier Signed-off-by: Chanwoo Choi Signed-off-by: Greg Kroah-Hartman commit 123d7603cbcaceaa4f513be5b7c60ba16746d73e Author: Romain Naour Date: Fri Aug 14 17:31:57 2020 -0700 include/asm-generic/vmlinux.lds.h: align ro_after_init commit 7f897acbe5d57995438c831670b7c400e9c0dc00 upstream. Since the patch [1], building the kernel using a toolchain built with binutils 2.33.1 prevents booting a sh4 system under Qemu. Apply the patch provided by Alan Modra [2] that fix alignment of rodata. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebd2263ba9a9124d93bbc0ece63d7e0fae89b40e [2] https://www.sourceware.org/ml/binutils/2019-12/msg00112.html Signed-off-by: Romain Naour Signed-off-by: Andrew Morton Cc: Alan Modra Cc: Bin Meng Cc: Chen Zhou Cc: Geert Uytterhoeven Cc: John Paul Adrian Glaubitz Cc: Krzysztof Kozlowski Cc: Kuninori Morimoto Cc: Rich Felker Cc: Sam Ravnborg Cc: Yoshinori Sato Cc: Arnd Bergmann Cc: Link: https://marc.info/?l=linux-sh&m=158429470221261 Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1ae67cdda6c06759485b009de31733ca61ef6c92 Author: Ivan Kokshaysky Date: Sat Jun 20 17:44:49 2020 +0100 cpufreq: dt: fix oops on armada37xx commit 10470dec3decaf5ed3c596f85debd7c42777ae12 upstream. Commit 0c868627e617e43a295d8 (cpufreq: dt: Allow platform specific intermediate callbacks) added two function pointers to the struct cpufreq_dt_platform_data. However, armada37xx_cpufreq_driver_init() has this struct (pdata) located on the stack and uses only "suspend" and "resume" fields. So these newly added "get_intermediate" and "target_intermediate" pointers are uninitialized and contain arbitrary non-null values, causing all kinds of trouble. For instance, here is an oops on espressobin after an attempt to change the cpefreq governor: [ 29.174554] Unable to handle kernel execute from non-executable memory at virtual address ffff00003f87bdc0 ... [ 29.269373] pc : 0xffff00003f87bdc0 [ 29.272957] lr : __cpufreq_driver_target+0x138/0x580 ... Fixed by zeroing out pdata before use. Cc: # v5.7+ Signed-off-by: Ivan Kokshaysky Reviewed-by: Andrew Lunn Signed-off-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit 98981082d5ba70547152021977826126babdc681 Author: Viresh Kumar Date: Mon Jun 29 13:54:58 2020 +0530 cpufreq: Fix locking issues with governors commit 8cc46ae565c393f77417cb9530b1265eb50f5d2e upstream. The locking around governors handling isn't adequate currently. The list of governors should never be traversed without the locking in place. Also governor modules must not be removed while the code in them is still in use. Reported-by: Quentin Perret Signed-off-by: Viresh Kumar Cc: All applicable [ rjw: Changelog ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 983e638fd8583f38265780a18445c3f95cb19e78 Author: Trond Myklebust Date: Wed Aug 5 09:03:56 2020 -0400 NFS: Don't return layout segments that are in use commit d474f96104bd4377573526ebae2ee212205a6839 upstream. If the NFS_LAYOUT_RETURN_REQUESTED flag is set, we want to return the layout as soon as possible, meaning that the affected layout segments should be marked as invalid, and should no longer be in use for I/O. Fixes: f0b429819b5f ("pNFS: Ignore non-recalled layouts in pnfs_layout_need_return()") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 36dafe0035debe1887967e4234458fa059a2a946 Author: Trond Myklebust Date: Tue Aug 4 16:30:30 2020 -0400 NFS: Don't move layouts to plh_return_segs list while in use commit ff041727e9e029845857cac41aae118ead5e261b upstream. If the layout segment is still in use for a read or a write, we should not move it to the layout plh_return_segs list. If we do, we can end up returning the layout while I/O is still in progress. Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit ae189bfb784786e94b3b8826d01253500f95b605 Author: Jens Axboe Date: Tue Aug 11 09:50:19 2020 -0600 io_uring: fail poll arm on queue proc failure commit a36da65c46565d2527eec3efdb546251e38253fd upstream. Check the ipt.error value, it must have been either cleared to zero or set to another error than the default -EINVAL if we don't go through the waitqueue proc addition. Just give up on poll at that point and return failure, this will fallback to async work. io_poll_add() doesn't suffer from this failure case, as it returns the error value directly. Cc: stable@vger.kernel.org # v5.7+ Reported-by: syzbot+a730016dc0bdce4f6ff5@syzkaller.appspotmail.com Reviewed-by: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 175852503b41b3b74ffd99789240fa21ea1b8584 Author: Jens Axboe Date: Thu Aug 6 19:41:50 2020 -0600 io_uring: use TWA_SIGNAL for task_work uncondtionally commit 0ba9c9edcd152158a0e321a4c13ac1dfc571ff3d upstream. An earlier commit: b7db41c9e03b ("io_uring: fix regression with always ignoring signals in io_cqring_wait()") ensured that we didn't get stuck waiting for eventfd reads when it's registered with the io_uring ring for event notification, but we still have cases where the task can be waiting on other events in the kernel and need a bigger nudge to make forward progress. Or the task could be in the kernel and running, but on its way to blocking. This means that TWA_RESUME cannot reliably be used to ensure we make progress. Use TWA_SIGNAL unconditionally. Cc: stable@vger.kernel.org # v5.7+ Reported-by: Josef Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6152c035f87821b3150d2c302f3f38b498e54ebe Author: Jens Axboe Date: Wed Aug 5 12:58:23 2020 -0600 io_uring: set ctx sq/cq entry count earlier commit bd74048108c179cea0ff52979506164c80f29da7 upstream. If we hit an earlier error path in io_uring_create(), then we will have accounted memory, but not set ctx->{sq,cq}_entries yet. Then when the ring is torn down in error, we use those values to unaccount the memory. Ensure we set the ctx entries before we're able to hit a potential error path. Cc: stable@vger.kernel.org Reported-by: Tomáš Chaloupka Tested-by: Tomáš Chaloupka Reviewed-by: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7387ad86fe8ef830e88a586b021b322eef316211 Author: Dave Airlie Date: Tue Jul 28 14:17:36 2020 +1000 drm/ttm/nouveau: don't call tt destroy callback on alloc failure. commit 5de5b6ecf97a021f29403aa272cb4e03318ef586 upstream. This is confusing, and from my reading of all the drivers only nouveau got this right. Just make the API act under driver control of it's own allocation failing, and don't call destroy, if the page table fails to create there is nothing to cleanup here. (I'm willing to believe I've missed something here, so please review deeply). Reviewed-by: Christian König Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com Signed-off-by: Greg Kroah-Hartman commit 97b41f19c6dee0e2bbf51388e11122d7e378b338 Author: Tuomas Tynkkynen Date: Sun Jun 21 13:30:40 2020 +0200 media: media-request: Fix crash if memory allocation fails commit e30cc79cc80fd919b697a15c5000d9f57487de8e upstream. Syzbot reports a NULL-ptr deref in the kref_put() call: BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline] kref_put include/linux/kref.h:64 [inline] media_request_put drivers/media/mc/mc-request.c:81 [inline] media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89 __fput+0x2ed/0x750 fs/file_table.c:281 task_work_run+0x147/0x1d0 kernel/task_work.c:123 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:165 [inline] prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196 What led to this crash was an injected memory allocation failure in media_request_alloc(): FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 should_failslab+0x5/0x20 kmem_cache_alloc_trace+0x57/0x300 ? anon_inode_getfile+0xe5/0x170 media_request_alloc+0x339/0x440 media_device_request_alloc+0x94/0xc0 media_device_ioctl+0x1fb/0x330 ? do_vfs_ioctl+0x6ea/0x1a00 ? media_ioctl+0x101/0x120 ? __media_device_usb_init+0x430/0x430 ? media_poll+0x110/0x110 __se_sys_ioctl+0xf9/0x160 do_syscall_64+0xf3/0x1b0 When that allocation fails, filp->private_data is left uninitialized which media_request_close() does not expect and crashes. To avoid this, reorder media_request_alloc() such that allocating the struct file happens as the last step thus media_request_close() will no longer get called for a partially created media request. Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Tuomas Tynkkynen Fixes: 10905d70d788 ("media: media-request: implement media requests") Reviewed-by: Hans Verkuil Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 5ceeb7939260e116d79032a28ace9a2fd74fe074 Author: Tetsuo Handa Date: Mon Jul 13 11:12:54 2020 +0900 driver core: Fix probe_count imbalance in really_probe() commit b292b50b0efcc7095d8bf15505fba6909bb35dce upstream. syzbot is reporting hung task in wait_for_device_probe() [1]. At least, we always need to decrement probe_count if we incremented probe_count in really_probe(). However, since I can't find "Resources present before probing" message in the console log, both "this message simply flowed off" and "syzbot is not hitting this path" will be possible. Therefore, while we are at it, let's also prepare for concurrent wait_for_device_probe() calls by replacing wake_up() with wake_up_all(). [1] https://syzkaller.appspot.com/bug?id=25c833f1983c9c1d512f4ff860dd0d7f5a2e2c0f Reported-by: syzbot Fixes: 7c35e699c88bd607 ("driver core: Print device when resources present in really_probe()") Cc: Geert Uytterhoeven Signed-off-by: Tetsuo Handa Cc: stable Link: https://lore.kernel.org/r/20200713021254.3444-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman commit 5dc5866b3ae430f6054908cd8c44b91cc8a050d3 Author: Zheng Bin Date: Mon Jun 15 09:21:53 2020 +0800 9p: Fix memory leak in v9fs_mount commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream. v9fs_mount v9fs_session_init v9fs_cache_session_get_cookie v9fs_random_cachetag -->alloc cachetag v9ses->fscache = fscache_acquire_cookie -->maybe NULL sb = sget -->fail, goto clunk clunk_fid: v9fs_session_close if (v9ses->fscache) -->NULL kfree(v9ses->cachetag) Thus memleak happens. Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com Fixes: 60e78d2c993e ("9p: Add fscache support to 9p") Cc: # v2.6.32+ Signed-off-by: Zheng Bin Signed-off-by: Dominique Martinet Signed-off-by: Greg Kroah-Hartman commit 121b2a4689acc7991ac34299dfe60466ae28b4d3 Author: Maxim Levitsky Date: Wed Jul 8 14:57:31 2020 +0300 kvm: x86: replace kvm_spec_ctrl_test_value with runtime test on the host commit 841c2be09fe4f495fe5224952a419bd8c7e5b455 upstream. To avoid complex and in some cases incorrect logic in kvm_spec_ctrl_test_value, just try the guest's given value on the host processor instead, and if it doesn't #GP, allow the guest to set it. One such case is when host CPU supports STIBP mitigation but doesn't support IBRS (as is the case with some Zen2 AMD cpus), and in this case we were giving guest #GP when it tried to use STIBP The reason why can can do the host test is that IA32_SPEC_CTRL msr is passed to the guest, after the guest sets it to a non zero value for the first time (due to performance reasons), and as as result of this, it is pointless to emulate #GP condition on this first access, in a different way than what the host CPU does. This is based on a patch from Sean Christopherson, who suggested this idea. Fixes: 6441fa6178f5 ("KVM: x86: avoid incorrect writes to host MSR_IA32_SPEC_CTRL") Cc: stable@vger.kernel.org Suggested-by: Sean Christopherson Signed-off-by: Maxim Levitsky Message-Id: <20200708115731.180097-1-mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit a25ca5ea23ed88e4bacaba54e225bf7d73643d98 Author: Eric Biggers Date: Tue Aug 11 18:35:30 2020 -0700 fs/minix: reject too-large maximum file size commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index blocks. This should be prevented by the check against the maximum file size, but this doesn't work because the maximum file size is read directly from the on-disk superblock and isn't validated itself. Fix this by validating the maximum file size at mount time. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Alexander Viro Cc: Qiujun Huang Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9a96bdae0cf289b6d90514d869a97882c25fdc6e Author: Eric Biggers Date: Tue Aug 11 18:35:27 2020 -0700 fs/minix: don't allow getting deleted inodes commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream. If an inode has no links, we need to mark it bad rather than allowing it to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when doing directory operations on a fuzzed filesystem. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Alexander Viro Cc: Qiujun Huang Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ab0464176e9eb9e4c4d3bb9f6c8ee49b1362ecc2 Author: Eric Biggers Date: Tue Aug 11 18:35:24 2020 -0700 fs/minix: check return value of sb_getblk() commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream. Patch series "fs/minix: fix syzbot bugs and set s_maxbytes". This series fixes all syzbot bugs in the minix filesystem: KASAN: null-ptr-deref Write in get_block KASAN: use-after-free Write in get_block KASAN: use-after-free Read in get_block WARNING in inc_nlink KMSAN: uninit-value in get_block WARNING in drop_nlink It also fixes the minix filesystem to set s_maxbytes correctly, so that userspace sees the correct behavior when exceeding the max file size. This patch (of 6): sb_getblk() can fail, so check its return value. This fixes a NULL pointer dereference. Originally from Qiujun Huang. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Qiujun Huang Cc: Alexander Viro Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 73cec4c441bf4ab7b1d8974162f487c5bb252143 Author: Jakub Kicinski Date: Mon Aug 10 11:21:11 2020 -0700 bitfield.h: don't compile-time validate _val in FIELD_FIT commit 444da3f52407d74c9aa12187ac6b01f76ee47d62 upstream. When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the compiler to deduce a case where _val can only have the value of -1 at compile time. Specifically, /* struct bpf_insn: _s32 imm */ u64 imm = insn->imm; /* sign extend */ if (imm >> 32) { /* non-zero only if insn->imm is negative */ /* inlined from ur_load_imm_any */ u32 __imm = imm >> 32; /* therefore, always 0xffffffff */ if (__builtin_constant_p(__imm) && __imm > 255) compiletime_assert_XXX() This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that checks that a given value is representable in one byte (interpreted as unsigned). FIELD_FIT() should return true or false at runtime for whether a value can fit for not. Don't break the build over a value that's too large for the mask. We'd prefer to keep the inlining and compiler optimizations though we know this case will always return false. Cc: stable@vger.kernel.org Fixes: 1697599ee301a ("bitfield.h: add FIELD_FIT() helper") Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/ Reported-by: Masahiro Yamada Debugged-by: Sami Tolvanen Signed-off-by: Jakub Kicinski Signed-off-by: Nick Desaulniers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ea1ae0cbbed48ac9ebac5b9d662244253128d21 Author: Frederic Weisbecker Date: Fri May 15 02:34:29 2020 +0200 tick/nohz: Narrow down noise while setting current task's tick dependency commit 3c8920e2dbd1a55f72dc14d656df9d0097cf5c72 upstream. Setting a tick dependency on any task, including the case where a task sets that dependency on itself, triggers an IPI to all CPUs. That is of course suboptimal but it had previously not been an issue because it was only used by POSIX CPU timers on nohz_full, which apparently never occurs in latency-sensitive workloads in production. (Or users of such systems are suffering in silence on the one hand or venting their ire on the wrong people on the other.) But RCU now sets a task tick dependency on the current task in order to fix stall issues that can occur during RCU callback processing. Thus, RCU callback processing triggers frequent system-wide IPIs from nohz_full CPUs. This is quite counter-productive, after all, avoiding IPIs is what nohz_full is supposed to be all about. This commit therefore optimizes tasks' self-setting of a task tick dependency by using tick_nohz_full_kick() to avoid the system-wide IPI. Instead, only the execution of the one task is disturbed, which is acceptable given that this disturbance is well down into the noise compared to the degree to which the RCU callback processing itself disturbs execution. Fixes: 6a949b7af82d (rcu: Force on tick when invoking lots of callbacks) Reported-by: Matt Fleming Signed-off-by: Frederic Weisbecker Cc: stable@kernel.org Cc: Paul E. McKenney Cc: Thomas Gleixner Cc: Peter Zijlstra Cc: Ingo Molnar Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 6b006e9ea0f067b501f5ac3f6846055cecda4ef8 Author: Mikulas Patocka Date: Wed Jun 17 09:48:56 2020 -0400 crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream. There is this call chain: cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP was not specified. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org # v4.11+ Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 127432fe787ee473971f31729ecd2c282d3432cb Author: John Allen Date: Mon Jun 22 15:24:02 2020 -0500 crypto: ccp - Fix use of merged scatterlists commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream. Running the crypto manager self tests with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors when using the ccp-crypto driver: alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ... alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ... alg: ahash: sha224-ccp test failed (wrong result) on test vector ... These errors are the result of improper processing of scatterlists mapped for DMA. Given a scatterlist in which entries are merged as part of mapping the scatterlist for DMA, the DMA length of a merged entry will reflect the combined length of the entries that were merged. The subsequent scatterlist entry will contain DMA information for the scatterlist entry after the last merged entry, but the non-DMA information will be that of the first merged entry. The ccp driver does not take this scatterlist merging into account. To address this, add a second scatterlist pointer to track the current position in the DMA mapped representation of the scatterlist. Both the DMA representation and the original representation of the scatterlist must be tracked as while most of the driver can use just the DMA representation, scatterlist_map_and_copy() must use the original representation and expects the scatterlist pointer to be accurate to the original representation. In order to properly walk the original scatterlist, the scatterlist must be walked until the combined lengths of the entries seen is equal to the DMA length of the current entry being processed in the DMA mapped representation. Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support") Signed-off-by: John Allen Cc: stable@vger.kernel.org Acked-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 46035c400c2e8c57e6b143edabadca704b166025 Author: Tom Rix Date: Mon Jul 13 07:06:34 2020 -0700 crypto: qat - fix double free in qat_uclo_create_batch_init_list commit c06c76602e03bde24ee69a2022a829127e504202 upstream. clang static analysis flags this error qat_uclo.c:297:3: warning: Attempt to free released memory [unix.Malloc] kfree(*init_tab_base); ^~~~~~~~~~~~~~~~~~~~~ When input *init_tab_base is null, the function allocates memory for the head of the list. When there is problem allocating other list elements the list is unwound and freed. Then a check is made if the list head was allocated and is also freed. Keeping track of the what may need to be freed is the variable 'tail_old'. The unwinding/freeing block is while (tail_old) { mem_init = tail_old->next; kfree(tail_old); tail_old = mem_init; } The problem is that the first element of tail_old is also what was allocated for the list head init_header = kzalloc(sizeof(*init_header), GFP_KERNEL); ... *init_tab_base = init_header; flag = 1; } tail_old = init_header; So *init_tab_base/init_header are freed twice. There is another problem. When the input *init_tab_base is non null the tail_old is calculated by traveling down the list to first non null entry. tail_old = init_header; while (tail_old->next) tail_old = tail_old->next; When the unwinding free happens, the last entry of the input list will be freed. So the freeing needs a general changed. If locally allocated the first element of tail_old is freed, else it is skipped. As a bit of cleanup, reset *init_tab_base if it came in as null. Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader") Cc: Signed-off-by: Tom Rix Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 2e960d9fdac38303b8e8aaa4e227e8650ab7eb0b Author: Mikulas Patocka Date: Wed Jun 17 09:49:52 2020 -0400 crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified commit 5ead051780404b5cb22147170acadd1994dc3236 upstream. There is this call chain: sec_alg_skcipher_encrypt -> sec_alg_skcipher_crypto -> sec_alg_alloc_and_calc_split_sizes -> kcalloc where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP was not specified. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org # v4.19+ Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver") Acked-by: Jonathan Cameron Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit aee93514820efaebbf208e077d617dab0f374fcd Author: Matteo Croce Date: Mon Jul 6 19:37:36 2020 -0700 pstore: Fix linking when crypto API disabled commit fd49e03280e596e54edb93a91bc96170f8e97e4a upstream. When building a kernel with CONFIG_PSTORE=y and CONFIG_CRYPTO not set, a build error happens: ld: fs/pstore/platform.o: in function `pstore_dump': platform.c:(.text+0x3f9): undefined reference to `crypto_comp_compress' ld: fs/pstore/platform.o: in function `pstore_get_backend_records': platform.c:(.text+0x784): undefined reference to `crypto_comp_decompress' This because some pstore code uses crypto_comp_(de)compress regardless of the CONFIG_CRYPTO status. Fix it by wrapping the (de)compress usage by IS_ENABLED(CONFIG_PSTORE_COMPRESS) Signed-off-by: Matteo Croce Link: https://lore.kernel.org/lkml/20200706234045.9516-1-mcroce@linux.microsoft.com Fixes: cb3bee0369bc ("pstore: Use crypto compress API") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit 46f06b626bfd6a61b66ff0fdb9cf11540b221ef9 Author: Jarkko Sakkinen Date: Fri Jul 3 01:55:59 2020 +0300 tpm: Unify the mismatching TPM space buffer sizes commit 6c4e79d99e6f42b79040f1a33cd4018f5425030b upstream. The size of the buffers for storing context's and sessions can vary from arch to arch as PAGE_SIZE can be anything between 4 kB and 256 kB (the maximum for PPC64). Define a fixed buffer size set to 16 kB. This should be enough for most use with three handles (that is how many we allow at the moment). Parametrize the buffer size while doing this, so that it is easier to revisit this later on if required. Cc: stable@vger.kernel.org Reported-by: Stefan Berger Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") Reviewed-by: Jerry Snitselaar Tested-by: Stefan Berger Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 7f05e26a5ad9eadf9355165e224bdd6077d68354 Author: Hector Martin Date: Mon Aug 10 17:25:02 2020 +0900 ALSA: usb-audio: add quirk for Pioneer DDJ-RB commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream. This is just another Pioneer device with fixed endpoints. Input is dummy but used as feedback (it always returns silence). Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0bf5808a668943e9e7d1d2838c998ed30def29c0 Author: Hector Martin Date: Mon Aug 10 17:24:00 2020 +0900 ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream. Further investigation of the L-R swap problem on the MS2109 reveals that the problem isn't that the channels are swapped, but rather that they are swapped and also out of phase by one sample. In other words, the issue is actually that the very first frame that comes from the hardware is a half-frame containing only the right channel, and after that everything becomes offset. So introduce a new quirk field to drop the very first 2 bytes that come in after the format is configured and a capture stream starts. This puts the channels in phase and in the correct order. Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 87d779f1b7a2b90f2d796de3c9fff0aeba15e0d6 Author: Hector Martin Date: Mon Aug 10 13:53:19 2020 +0900 ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream. Matching by device matches all interfaces, which breaks the video/HID portions of the device depending on module load order. Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109") Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 13d21d1290b54e66faa1976e4317b5a17b23c3e9 Author: Mirko Dietrich Date: Thu Aug 6 14:48:50 2020 +0200 ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream. Adds an entry for Creative USB X-Fi to the rc_config array in mixer_quirks.c to allow use of volume knob on the device. Adds support for newer X-Fi Pro card, known as "Model No. SB1095" with USB ID "041e:3263" Signed-off-by: Mirko Dietrich Cc: Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 965fdc2c7fd4e176cffb845719d3b04f535f501a Author: Hui Wang Date: Mon Aug 10 10:16:59 2020 +0800 ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO commit 386a6539992b82fe9ac4f9dc3f548956fd894d8c upstream. After installing the Ubuntu Linux, the micmute led status is not correct. Users expect that the led is on if the capture is disabled, but with the current kernel, the led is off with the capture disabled. We tried the old linux kernel like linux-4.15, there is no this issue. It looks like we introduced this issue when switching to the led_cdev. Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20200810021659.7429-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f37c95d8c6b24d62ccb153f33f55aac625d87db7 Author: Max Gurtovoy Date: Fri Jul 31 15:38:22 2020 +0800 vdpasim: protect concurrent access to iommu iotlb commit 0ea9ee430e74b16c6b17e70757d1c26d8d140e1f upstream. Iommu iotlb can be accessed by different cores for performing IO using multiple virt queues. Add a spinlock to synchronize iotlb accesses. This could be easily reproduced when using more than 1 pktgen threads to inject traffic to vdpa simulator. Fixes: 2c53d0f64c06f("vdpasim: vDPA device simulator") Cc: stable@vger.kernel.org Signed-off-by: Max Gurtovoy Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20200731073822.13326-1-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit d37e144863160ce3d6315d85215e1b5c9f244969 Author: Peter Chen Date: Wed Jul 22 11:06:19 2020 +0800 usb: cdns3: gadget: always zeroed TRB buffer when enable endpoint commit 95f5acfc4f58f01a22b66d8c9c0ffb72aa96271c upstream. During the endpoint dequeue operation, it changes dequeued TRB as link TRB, when the endpoint is disabled and re-enabled, the DMA fetches the TRB before the link TRB, after it handles current TRB, the DMA pointer will advance to the TRB after link TRB, but enqueue and dequene variables don't know it due to no hardware interrupt at the time, when the next TRB is added to link TRB position, the DMA will not handle this TRB due to its pointer is already at the next TRB. See the trace log like below: file-storage-675 [001] d..1 86.585657: usb_ep_queue: ep0: req 00000000df9b3a4f length 0/0 sgs 0/0 stream 0 zsI status 0 --> 0 file-storage-675 [001] d..1 86.585663: cdns3_ep_queue: ep1out: req: 000000002ebce364, req buff 00000000f5bc96b4, length: 0/1024 zsi, status: -115, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0 file-storage-675 [001] d..1 86.585671: cdns3_prepare_trb: ep1out: trb 000000007f770303, dma buf: 0xbd195800, size: 1024, burst: 128 ctrl: 0x00000425 (C=1, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0 file-storage-675 [001] d..1 86.585676: cdns3_ring: Ring contents for ep1out: Ring deq index: 0, trb: 000000007f770303 (virt), 0xc4003000 (dma) Ring enq index: 1, trb: 0000000049c1ba21 (virt), 0xc400300c (dma) free trbs: 38, CCS=1, PCS=1 @0x00000000c4003000 bd195800 80020400 00000425 @0x00000000c400300c c4003018 80020400 00001811 @0x00000000c4003018 bcfcc000 0000001f 00000426 @0x00000000c4003024 bcfce800 0000001f 00000426 ... irq/144-5b13000-698 [000] d... 87.619286: usb_gadget_giveback_request: ep1in: req 0000000031b832eb length 13/13 sgs 0/0 stream 0 zsI status 0 --> 0 file-storage-675 [001] d..1 87.619287: cdns3_ep_queue: ep1out: req: 000000002ebce364, req buff 00000000f5bc96b4, length: 0/1024 zsi, status: -115, trb: [start:0, end:0: virt addr 0x80020400c400300c], flags:0 SID: 0 file-storage-675 [001] d..1 87.619294: cdns3_prepare_trb: ep1out: trb 0000000049c1ba21, dma buf: 0xbd198000, size: 1024, burst: 128 ctrl: 0x00000425 (C=1, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0 file-storage-675 [001] d..1 87.619297: cdns3_ring: Ring contents for ep1out: Ring deq index: 1, trb: 0000000049c1ba21 (virt), 0xc400300c (dma) Ring enq index: 2, trb: 0000000059b34b67 (virt), 0xc4003018 (dma) free trbs: 38, CCS=1, PCS=1 @0x00000000c4003000 bd195800 0000001f 00000427 @0x00000000c400300c bd198000 80020400 00000425 @0x00000000c4003018 bcfcc000 0000001f 00000426 @0x00000000c4003024 bcfce800 0000001f 00000426 ... file-storage-675 [001] d..1 87.619305: cdns3_doorbell_epx: ep1out, ep_trbaddr c4003018 file-storage-675 [001] .... 87.619308: usb_ep_queue: ep1out: req 000000002ebce364 length 0/1024 sgs 0/0 stream 0 zsI status -115 --> 0 irq/144-5b13000-698 [000] d..1 87.619315: cdns3_epx_irq: IRQ for ep1out: 01000c80 TRBERR , ep_traddr: c4003018 ep_last_sid: 00000000 use_streams: 0 irq/144-5b13000-698 [000] d..1 87.619395: cdns3_usb_irq: IRQ 00000008 = Hot Reset Fixes: f616c3bda47e ("usb: cdns3: Fix dequeue implementation") Cc: stable Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 806bdf5a41acae4fb0058c3ddc4e22d6016036fb Author: Brant Merryman Date: Fri Jun 26 04:22:58 2020 +0000 USB: serial: cp210x: enable usb generic throttle/unthrottle commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream. Assign the .throttle and .unthrottle functions to be generic function in the driver structure to prevent data loss that can otherwise occur if the host does not enable USB throttling. Signed-off-by: Brant Merryman Co-developed-by: Phu Luu Signed-off-by: Phu Luu Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com [ johan: fix up tags ] Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") Cc: stable # 2.6.12 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 99dc951ecc1506da6d7f7c978179a6f54110822a Author: Brant Merryman Date: Fri Jun 26 04:24:20 2020 +0000 USB: serial: cp210x: re-enable auto-RTS on open commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream. CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware flow control mode and UART on cp210x hardware is disabled. When re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS must be re-enabled in the driver. Signed-off-by: Brant Merryman Co-developed-by: Phu Luu Signed-off-by: Phu Luu Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com [ johan: fix up tags and problem description ] Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") Cc: stable # 2.6.12 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 26795182d8ed0652c4e9b694f8af2d579c3c838b Author: Marek Behún Date: Mon Aug 10 17:01:58 2020 +0200 net: phy: marvell10g: fix null pointer dereference [ Upstream commit 1b8ef1423dbfd34de2439a2db457b84480b7c8a8 ] Commit c3e302edca24 ("net: phy: marvell10g: fix temperature sensor on 2110") added a check for PHY ID via phydev->drv->phy_id in a function which is called by devres at a time when phydev->drv is already set to null by phy_remove function. This null pointer dereference can be triggered via SFP subsystem with a SFP module containing this Marvell PHY. When the SFP interface is put down, the SFP subsystem removes the PHY. Fixes: c3e302edca24 ("net: phy: marvell10g: fix temperature sensor on 2110") Signed-off-by: Marek Behún Cc: Maxime Chevallier Cc: Andrew Lunn Cc: Baruch Siach Cc: Russell King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 06fda1d3d617d674bbac29d4767acc400fb09667 Author: Stefano Garzarella Date: Wed Aug 12 14:56:02 2020 +0200 vsock: fix potential null pointer dereference in vsock_poll() [ Upstream commit 1980c05844830a44708c98c96d600833aa3fae08 ] syzbot reported this issue where in the vsock_poll() we find the socket state at TCP_ESTABLISHED, but 'transport' is null: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] CPU: 0 PID: 8227 Comm: syz-executor.2 Not tainted 5.8.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:vsock_poll+0x75a/0x8e0 net/vmw_vsock/af_vsock.c:1038 Call Trace: sock_poll+0x159/0x460 net/socket.c:1266 vfs_poll include/linux/poll.h:90 [inline] do_pollfd fs/select.c:869 [inline] do_poll fs/select.c:917 [inline] do_sys_poll+0x607/0xd40 fs/select.c:1011 __do_sys_poll fs/select.c:1069 [inline] __se_sys_poll fs/select.c:1057 [inline] __x64_sys_poll+0x18c/0x440 fs/select.c:1057 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This issue can happen if the TCP_ESTABLISHED state is set after we read the vsk->transport in the vsock_poll(). We could put barriers to synchronize, but this can only happen during connection setup, so we can simply check that 'transport' is valid. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Reported-and-tested-by: syzbot+a61bac2fcc1a7c6623fe@syzkaller.appspotmail.com Signed-off-by: Stefano Garzarella Reviewed-by: Jorgen Hansen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cd28bf2c49f08669947b062735fbd1ddb7ec4898 Author: Tim Froidcoeur Date: Tue Aug 11 20:33:24 2020 +0200 net: initialize fastreuse on inet_inherit_port [ Upstream commit d76f3351cea2d927fdf70dd7c06898235035e84e ] In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind behaviour or in the incorrect reuse of a bind. the kernel keeps track for each bind_bucket if all sockets in the bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags. These flags allow skipping the costly bind_conflict check when possible (meaning when all sockets have the proper SO_REUSE option). For every socket added to a bind_bucket, these flags need to be updated. As soon as a socket that does not support reuse is added, the flag is set to false and will never go back to true, unless the bind_bucket is deleted. Note that there is no mechanism to re-evaluate these flags when a socket is removed (this might make sense when removing a socket that would not allow reuse; this leaves room for a future patch). For this optimization to work, it is mandatory that these flags are properly initialized and updated. When a child socket is created from a listen socket in __inet_inherit_port, the TPROXY case could create a new bind bucket without properly initializing these flags, thus preventing the optimization to work. Alternatively, a socket not allowing reuse could be added to an existing bind bucket without updating the flags, causing bind_conflict to never be called as it should. Call inet_csk_update_fastreuse when __inet_inherit_port decides to create a new bind_bucket or use a different bind_bucket than the one of the listen socket. Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()") Acked-by: Matthieu Baerts Signed-off-by: Tim Froidcoeur Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ed4a5c1f4a3ad11cdbcf6e2035ea7bf660c33c5c Author: Tim Froidcoeur Date: Tue Aug 11 20:33:23 2020 +0200 net: refactor bind_bucket fastreuse into helper [ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ] Refactor the fastreuse update code in inet_csk_get_port into a small helper function that can be called from other places. Acked-by: Matthieu Baerts Signed-off-by: Tim Froidcoeur Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 024f05e30ca61fa92028ba9275ff7ea9ca5c71b3 Author: Ronak Doshi Date: Mon Aug 10 09:55:55 2020 -0700 vmxnet3: use correct tcp hdr length when packet is encapsulated [ Upstream commit 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe ] Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") added support for encapsulation offload. However, while calculating tcp hdr length, it does not take into account if the packet is encapsulated or not. This patch fixes this issue by using correct reference for inner tcp header. Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") Signed-off-by: Ronak Doshi Acked-by: Guolin Yang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 007b015f94f5fa685ebb6e8c2d07814f20d95cbc Author: Jason Baron Date: Mon Aug 10 13:38:39 2020 -0400 tcp: correct read of TFO keys on big endian systems [ Upstream commit f19008e676366c44e9241af57f331b6c6edf9552 ] When TFO keys are read back on big endian systems either via the global sysctl interface or via getsockopt() using TCP_FASTOPEN_KEY, the values don't match what was written. For example, on s390x: # echo "1-2-3-4" > /proc/sys/net/ipv4/tcp_fastopen_key # cat /proc/sys/net/ipv4/tcp_fastopen_key 02000000-01000000-04000000-03000000 Instead of: # cat /proc/sys/net/ipv4/tcp_fastopen_key 00000001-00000002-00000003-00000004 Fix this by converting to the correct endianness on read. This was reported by Colin Ian King when running the 'tcp_fastopen_backup_key' net selftest on s390x, which depends on the read value matching what was written. I've confirmed that the test now passes on big and little endian systems. Signed-off-by: Jason Baron Fixes: 438ac88009bc ("net: fastopen: robustness and endianness fixes for SipHash") Cc: Ard Biesheuvel Cc: Eric Dumazet Reported-and-tested-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 511406544bcbbc5b7f89ee4f033db549f9a0cc6a Author: Ira Weiny Date: Mon Aug 10 17:02:58 2020 -0700 net/tls: Fix kmap usage [ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ] When MSG_OOB is specified to tls_device_sendpage() the mapped page is never unmapped. Hold off mapping the page until after the flags are checked and the page is actually needed. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Ira Weiny Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d822a1f1b756632336757b29fc1dafbd442b458a Author: Miaohe Lin Date: Thu Aug 6 19:53:16 2020 +0800 net: Set fput_needed iff FDPUT_FPUT is set [ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ] We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed accordingly. Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 285c8e62866aed256c87d5a5cd7aed8d592a8864 Author: Johan Hovold Date: Thu Aug 6 17:37:53 2020 +0200 net: phy: fix memory leak in device-create error path [ Upstream commit d02cbc46136105cf86f84ac355e16f04696f538d ] A recent commit introduced a late error path in phy_device_create() which fails to release the device name allocated by dev_set_name(). Fixes: 13d0ab6750b2 ("net: phy: check return code when requesting PHY driver module") Cc: Heiner Kallweit Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f8093f0d1ababcb1a1ea859e1638a14fa5627e42 Author: Qingyu Li Date: Mon Aug 10 09:51:00 2020 +0800 net/nfc/rawsock.c: add CAP_NET_RAW check. [ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ] When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Qingyu Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8212cbfb914760c0662dce083727ad5d13e30ffb Author: Miaohe Lin Date: Mon Aug 10 08:16:58 2020 -0400 net: Fix potential memory leak in proto_register() [ Upstream commit 0f5907af39137f8183ed536aaa00f322d7365130 ] If we failed to assign proto idx, we free the twsk_slab_name but forget to free the twsk_slab. Add a helper function tw_prot_cleanup() to free these together and also use this helper function in proto_unregister(). Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfd8621aa997f595baeb09e2393a75da010010f3 Author: Xie He Date: Wed Aug 5 18:50:40 2020 -0700 drivers/net/wan/lapbether: Added needed_headroom and a skb->len check [ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ] 1. Added a skb->len check This driver expects upper layers to include a pseudo header of 1 byte when passing down a skb for transmission. This driver will read this 1-byte header. This patch added a skb->len check before reading the header to make sure the header exists. 2. Changed to use needed_headroom instead of hard_header_len to request necessary headroom to be allocated In net/packet/af_packet.c, the function packet_snd first reserves a headroom of length (dev->hard_header_len + dev->needed_headroom). Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header, which calls dev->header_ops->create, to create the link layer header. If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of length (dev->hard_header_len), and assumes the user to provide the appropriate link layer header. So according to the logic of af_packet.c, dev->hard_header_len should be the length of the header that would be created by dev->header_ops->create. However, this driver doesn't provide dev->header_ops, so logically dev->hard_header_len should be 0. So we should use dev->needed_headroom instead of dev->hard_header_len to request necessary headroom to be allocated. This change fixes kernel panic when this driver is used with AF_PACKET SOCK_RAW sockets. Call stack when panic: [ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20 put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0 dev:veth0 ... [ 168.399255] Call Trace: [ 168.399259] skb_push.cold+0x14/0x24 [ 168.399262] eth_header+0x2b/0xc0 [ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether] [ 168.399275] lapb_data_transmit+0x22/0x2c [lapb] [ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb] [ 168.399279] lapb_kick+0xe3/0x1c0 [lapb] [ 168.399281] lapb_data_request+0x76/0xc0 [lapb] [ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether] [ 168.399286] dev_hard_start_xmit+0x91/0x1f0 [ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100 [ 168.399291] __dev_queue_xmit+0x721/0x8e0 [ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110 [ 168.399297] dev_queue_xmit+0x10/0x20 [ 168.399298] packet_sendmsg+0xbf0/0x19b0 ...... Cc: Willem de Bruijn Cc: Martin Schiller Cc: Brian Norris Signed-off-by: Xie He Acked-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dac08197b33b3ba81c7390a556073f62a61d6907 Author: John Ogness Date: Thu Aug 13 21:45:25 2020 +0206 af_packet: TPACKET_V3: fix fill status rwlock imbalance [ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ] After @blk_fill_in_prog_lock is acquired there is an early out vnet situation that can occur. In that case, the rwlock needs to be released. Also, since @blk_fill_in_prog_lock is only acquired when @tp_version is exactly TPACKET_V3, only release it on that exact condition as well. And finally, add sparse annotation so that it is clearer that prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring and releasing @blk_fill_in_prog_lock, respectively. sparse is still unable to understand the balance, but the warnings are now on a higher level that make more sense. Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop") Signed-off-by: John Ogness Reported-by: kernel test robot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4482056a5eb74702f554036002e35a1dc5dbc526 Author: Jian Cai Date: Mon Jun 22 16:24:33 2020 -0700 crypto: aesni - add compatibility with IAS [ Upstream commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc ] Clang's integrated assembler complains "invalid reassignment of non-absolute variable 'var_ddq_add'" while assembling arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was reassigned with non-absolute values several times, which IAS did not support. We can avoid the reassignment by replacing the uses of var_ddq_add with its definitions accordingly to have compatilibility with IAS. Link: https://github.com/ClangBuiltLinux/linux/issues/1008 Reported-by: Sedat Dilek Reported-by: Fangrui Song Tested-by: Sedat Dilek # build+boot Linux v5.7.5; clang v11.0.0-git Signed-off-by: Jian Cai Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit cf89fd895554385c455a05f0330d66c1d630642b Author: Eric Dumazet Date: Fri Aug 14 11:16:17 2020 -0700 x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task [ Upstream commit 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 ] syzbot found its way in 86_fsgsbase_read_task() and triggered this oops: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0 RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393 Call Trace: putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876 genregs32_set arch/x86/kernel/ptrace.c:1026 [inline] genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006 copy_regset_from_user include/linux/regset.h:326 [inline] ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline] compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198 __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline] __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline] __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389 do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline] __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c This can happen if ptrace() or sigreturn() pokes an LDT selector into FS or GS for a task with no LDT and something tries to read the base before a return to usermode notices the bad selector and fixes it. The fix is to make sure ldt pointer is not NULL. Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately") Co-developed-by: Jann Horn Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Andy Lutomirski Cc: Chang S. Bae Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Markus T Metzger Cc: Peter Zijlstra Cc: Ravi Shankar Cc: Rik van Riel Cc: Thomas Gleixner Cc: Ingo Molnar Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 3fcc358669ac72a390d8bc8ae43a8d0922e4f8d9 Author: Chuck Lever Date: Fri Jul 24 17:08:57 2020 -0400 SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") [ Upstream commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f ] Braino when converting "buf->len -=" to "buf->len = len -". The result is under-estimation of the ralign and rslack values. On krb5p mounts, this has caused READDIR to fail with EIO, and KASAN splats when decoding READLINK replies. As a result of fixing this oversight, the gss_unwrap method now returns a buf->len that can be shorter than priv_len for small RPC messages. The additional adjustment done in unwrap_priv_data() can underflow buf->len. This causes the nfsd_request_too_large check to fail during some NFSv3 operations. Reported-by: Marian Rainer-Harbach Reported-by: Pierre Sauter BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()") Reviewed-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit b88fd43a6dfc716aa6c700857c5e35f21fc8d3a9 Author: Scott Mayhew Date: Fri Jul 10 16:33:07 2020 -0400 nfsd: avoid a NULL dereference in __cld_pipe_upcall() [ Upstream commit df60446cd1fb487becd1f36f4c0da9e0e523c0cf ] If the rpc_pipefs is unmounted, then the rpc_pipe->dentry becomes NULL and dereferencing the dentry->d_sb will trigger an oops. The only reason we're doing that is to determine the nfsd_net, which could instead be passed in by the caller. So do that instead. Fixes: 11a60d159259 ("nfsd: add a "GetVersion" upcall for nfsdcld") Signed-off-by: Scott Mayhew Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 196dae5b82d136986fadf669a66d64eaf29f9a2a Author: Chuck Lever Date: Thu Jun 11 12:44:56 2020 -0400 svcrdma: Fix page leak in svc_rdma_recv_read_chunk() [ Upstream commit e814eecbe3bbeaa8b004d25a4b8974d232b765a9 ] Commit 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path") moved the page saver logic so that it gets executed event when an error occurs. In that case, the I/O is never posted, and those pages are then leaked. Errors in this path, however, are quite rare. Fixes: 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path") Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 4c66f7c0c67b28ff3d49d443c7bae9581b059dab Author: Kamal Dasu Date: Fri Jun 12 17:29:01 2020 -0400 mtd: rawnand: brcmnand: Don't default to edu transfer [ Upstream commit bee3ab8bdd3b13faf08e5b6e0218f59b0a49fcc3 ] When flash-dma is absent do not default to using flash-edu. Make sure flash-edu is enabled before setting EDU transfer function. Fixes: a5d53ad26a8b ("mtd: rawnand: brcmnand: Add support for flash-edu for dma transfers") Signed-off-by: Kamal Dasu Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200612212902.21347-2-kdasu.kdev@gmail.com Signed-off-by: Sasha Levin commit f6df9fa0b4fa1e8538ae9e7b05b2fc5bfce8c0ef Author: Drew Fustini Date: Mon Jun 8 14:51:43 2020 +0200 pinctrl-single: fix pcs_parse_pinconf() return value [ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ] This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no pinctrl_map is added. The current behavior is to return 0 when !PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() incorrectly assumes that a map was added and sets num_maps = 2. Analysis: ========= The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() returns 0 to indicate there was no error and num_maps is then set to 2: 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, 981 struct device_node *np, 982 struct pinctrl_map **map, 983 unsigned *num_maps, 984 const char **pgnames) 985 { 1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; 1054 (*map)->data.mux.group = np->name; 1055 (*map)->data.mux.function = np->name; 1056 1057 if (PCS_HAS_PINCONF && function) { 1058 res = pcs_parse_pinconf(pcs, np, function, map); 1059 if (res) 1060 goto free_pingroups; 1061 *num_maps = 2; 1062 } else { 1063 *num_maps = 1; 1064 } However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or !nconfs. I believe these conditions should indicate that no map was added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() will set num_maps = 2 even though no maps were successfully added, as it does not reach "m++" on line 940: 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, 896 struct pcs_function *func, 897 struct pinctrl_map **map) 898 899 { 900 struct pinctrl_map *m = *map; 917 /* If pinconf isn't supported, don't parse properties in below. */ 918 if (!PCS_HAS_PINCONF) 919 return 0; 920 921 /* cacluate how much properties are supported in current node */ 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { 923 if (of_find_property(np, prop2[i].name, NULL)) 924 nconfs++; 925 } 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { 927 if (of_find_property(np, prop4[i].name, NULL)) 928 nconfs++; 929 } 930 if (!nconfs) 919 return 0; 932 933 func->conf = devm_kcalloc(pcs->dev, 934 nconfs, sizeof(struct pcs_conf_vals), 935 GFP_KERNEL); 936 if (!func->conf) 937 return -ENOMEM; 938 func->nconfs = nconfs; 939 conf = &(func->conf[0]); 940 m++; This situtation will cause a boot failure [0] on the BeagleBone Black (AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi has compatible = "pinconf-single" instead of "pinctrl-single". The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no map was added. Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps is set to 1 as it is valid for pinconf to be enabled and a given pin group to not any pinconf properties. [0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") Signed-off-by: Drew Fustini Acked-by: Tony Lindgren Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a019b553caf1a4fc73784b26ba2166a21844b65a Author: Pavel Machek Date: Thu Aug 6 23:18:09 2020 -0700 ocfs2: fix unbalanced locking [ Upstream commit 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 ] Based on what fails, function can return with nfs_sync_rwlock either locked or unlocked. That can not be right. Always return with lock unlocked on error. Fixes: 4cd9973f9ff6 ("ocfs2: avoid inode removal while nfsd is accessing it") Signed-off-by: Pavel Machek (CIP) Signed-off-by: Andrew Morton Reviewed-by: Joseph Qi Reviewed-by: Andrew Morton Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Link: http://lkml.kernel.org/r/20200724124443.GA28164@duo.ucw.cz Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 43542c18482696eb06e36e1309c2a099273d2a56 Author: Wang Hai Date: Mon Jun 15 11:25:33 2020 +0800 dlm: Fix kobject memleak [ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Set do_unreg = 1 before kobject_init_and_add() to ensure that kobject_put() can be called in its error patch. Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 71de458ba27733b4d30ca71842f366ec215daffd Author: Dan Carpenter Date: Wed Jul 22 14:39:14 2020 +0200 media: mtk-mdp: Fix a refcounting bug on error in init [ Upstream commit dd4eddc4ba31fbf4554fc5fa12d3a553b50e1469 ] We need to call of_node_put(comp->dev_node); on the error paths in this function. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8788a4a063579d2842ea627db22a81dfb61031f8 Author: Dean Nelson Date: Wed Aug 5 13:18:48 2020 -0500 net: thunderx: initialize VF's mailbox mutex before first usage [ Upstream commit c1055b76ad00aed0e8b79417080f212d736246b6 ] A VF's mailbox mutex is not getting initialized by nicvf_probe() until after it is first used. And such usage is resulting in... [ 28.270927] ------------[ cut here ]------------ [ 28.270934] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [ 28.270980] WARNING: CPU: 9 PID: 675 at kernel/locking/mutex.c:938 __mutex_lock+0xdac/0x12f0 [ 28.270985] Modules linked in: ast(+) nicvf(+) i2c_algo_bit drm_vram_helper drm_ttm_helper ttm nicpf(+) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ixgbe(+) sg thunder_bgx mdio i2c_thunderx mdio_thunder thunder_xcv mdio_cavium dm_mirror dm_region_hash dm_log dm_mod [ 28.271064] CPU: 9 PID: 675 Comm: systemd-udevd Not tainted 4.18.0+ #1 [ 28.271070] Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS F02 08/06/2019 [ 28.271078] pstate: 60000005 (nZCv daif -PAN -UAO) [ 28.271086] pc : __mutex_lock+0xdac/0x12f0 [ 28.271092] lr : __mutex_lock+0xdac/0x12f0 [ 28.271097] sp : ffff800d42146fb0 [ 28.271103] x29: ffff800d42146fb0 x28: 0000000000000000 [ 28.271113] x27: ffff800d24361180 x26: dfff200000000000 [ 28.271122] x25: 0000000000000000 x24: 0000000000000002 [ 28.271132] x23: ffff20001597cc80 x22: ffff2000139e9848 [ 28.271141] x21: 0000000000000000 x20: 1ffff001a8428e0c [ 28.271151] x19: ffff200015d5d000 x18: 1ffff001ae0f2184 [ 28.271160] x17: 0000000000000000 x16: 0000000000000000 [ 28.271170] x15: ffff800d70790c38 x14: ffff20001597c000 [ 28.271179] x13: ffff20001597cc80 x12: ffff040002b2f779 [ 28.271189] x11: 1fffe40002b2f778 x10: ffff040002b2f778 [ 28.271199] x9 : 0000000000000000 x8 : 00000000f1f1f1f1 [ 28.271208] x7 : 00000000f2f2f2f2 x6 : 0000000000000000 [ 28.271217] x5 : 1ffff001ae0f2186 x4 : 1fffe400027eb03c [ 28.271227] x3 : dfff200000000000 x2 : ffff1001a8428dbe [ 28.271237] x1 : c87fdfac7ea11d00 x0 : 0000000000000000 [ 28.271246] Call trace: [ 28.271254] __mutex_lock+0xdac/0x12f0 [ 28.271261] mutex_lock_nested+0x3c/0x50 [ 28.271297] nicvf_send_msg_to_pf+0x40/0x3a0 [nicvf] [ 28.271316] nicvf_register_misc_interrupt+0x20c/0x328 [nicvf] [ 28.271334] nicvf_probe+0x508/0xda0 [nicvf] [ 28.271344] local_pci_probe+0xc4/0x180 [ 28.271352] pci_device_probe+0x3ec/0x528 [ 28.271363] driver_probe_device+0x21c/0xb98 [ 28.271371] device_driver_attach+0xe8/0x120 [ 28.271379] __driver_attach+0xe0/0x2a0 [ 28.271386] bus_for_each_dev+0x118/0x190 [ 28.271394] driver_attach+0x48/0x60 [ 28.271401] bus_add_driver+0x328/0x558 [ 28.271409] driver_register+0x148/0x398 [ 28.271416] __pci_register_driver+0x14c/0x1b0 [ 28.271437] nicvf_init_module+0x54/0x10000 [nicvf] [ 28.271447] do_one_initcall+0x18c/0xc18 [ 28.271457] do_init_module+0x18c/0x618 [ 28.271464] load_module+0x2bc0/0x4088 [ 28.271472] __se_sys_finit_module+0x110/0x188 [ 28.271479] __arm64_sys_finit_module+0x70/0xa0 [ 28.271490] el0_svc_handler+0x15c/0x380 [ 28.271496] el0_svc+0x8/0xc [ 28.271502] irq event stamp: 52649 [ 28.271513] hardirqs last enabled at (52649): [] _raw_spin_unlock_irqrestore+0xc0/0xd8 [ 28.271522] hardirqs last disabled at (52648): [] _raw_spin_lock_irqsave+0x3c/0xf0 [ 28.271530] softirqs last enabled at (52330): [] __do_softirq+0xacc/0x117c [ 28.271540] softirqs last disabled at (52313): [] irq_exit+0x3cc/0x500 [ 28.271545] ---[ end trace a9b90324c8a0d4ee ]--- This problem is resolved by moving the call to mutex_init() up earlier in nicvf_probe(). Fixes: 609ea65c65a0 ("net: thunderx: add mutex to protect mailbox from concurrent calls for same VF") Signed-off-by: Dean Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ca318309580dd46e654ab0fff1d2472a090d4da9 Author: Ahmad Fatoum Date: Fri Jul 31 14:38:36 2020 +0200 gpio: don't use same lockdep class for all devm_gpiochip_add_data users [ Upstream commit 5f402bb17533113c21d61c2d4bc4ef4a6fa1c9a5 ] Commit 959bc7b22bd2 ("gpio: Automatically add lockdep keys") documents in its commits message its intention to "create a unique class key for each driver". It does so by having gpiochip_add_data add in-place the definition of two static lockdep classes for LOCKDEP use. That way, every caller of the macro adds their gpiochip with unique lockdep classes. There are many indirect callers of gpiochip_add_data, however, via use of devm_gpiochip_add_data. devm_gpiochip_add_data has external linkage and all its users will share the same lockdep classes, which probably is not intended. Fix this by replicating the gpio_chip_add_data statics-in-macro for the devm_ version as well. Fixes: 959bc7b22bd2 ("gpio: Automatically add lockdep keys") Signed-off-by: Ahmad Fatoum Reviewed-by: Andy Shevchenko Reviewed-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20200731123835.8003-1-a.fatoum@pengutronix.de Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 4309ab4b8d69bd4a340c26282ba8470fa169ad8c Author: Florinel Iordache Date: Mon Aug 3 10:07:34 2020 +0300 fsl/fman: fix eth hash table allocation [ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ] Fix memory allocation for ethernet address hash table. The code was wrongly allocating an array for eth hash table which is incorrect because this is the main structure for eth hash table (struct eth_hash_t) that contains inside a number of elements. Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9e22ba73d90004d37d97b6e4c584650850abbc69 Author: Florinel Iordache Date: Mon Aug 3 10:07:33 2020 +0300 fsl/fman: check dereferencing null pointer [ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ] Add a safe check to avoid dereferencing null pointer Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c1c0f1fd8e1a8843f7a948f28c2d9fb7a4ab7b26 Author: Florinel Iordache Date: Mon Aug 3 10:07:32 2020 +0300 fsl/fman: fix unreachable code [ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ] The parameter 'priority' is incorrectly forced to zero which ultimately induces logically dead code in the subsequent lines. Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit df17300289181b98033cdf0c793da828fa946e3c Author: Florinel Iordache Date: Mon Aug 3 10:07:31 2020 +0300 fsl/fman: fix dereference null return value [ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ] Check before using returned value to avoid dereferencing null pointer. Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 95582c0f11c47202e4f78a980b1db8b539be8ed8 Author: Florinel Iordache Date: Mon Aug 3 10:07:30 2020 +0300 fsl/fman: use 32-bit unsigned integer [ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ] Potentially overflowing expression (ts_freq << 16 and intgr << 16) declared as type u32 (32-bit unsigned) is evaluated using 32-bit arithmetic and then used in a context that expects an expression of type u64 (64-bit unsigned) which ultimately is used as 16-bit unsigned by typecasting to u16. Fixed by using an unsigned 32-bit integer since the value is truncated anyway in the end. Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a4a413dc683e24f8deca9b1a782f98f4e1165e02 Author: Christophe JAILLET Date: Sun Aug 2 15:53:33 2020 +0200 net: spider_net: Fix the size used in a 'dma_free_coherent()' call [ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()', in 'spider_net_init_chain()'. Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e569c7c91dc0366498978f334be0680aad5df839 Author: Christophe JAILLET Date: Sun Aug 2 15:52:04 2020 +0200 net: sgi: ioc3-eth: Fix the size used in some 'dma_free_coherent()' calls [ Upstream commit edab74e9cb1d073c70add0f9b75e17aebf0598ff ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()'. Fixes: 369a782af0f1 ("net: sgi: ioc3-eth: ensure tx ring is 16k aligned.") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1d8fe1832dab3a1087ed1f4ad7689dea859d12c1 Author: Tianjia Zhang Date: Sun Aug 2 19:15:44 2020 +0800 liquidio: Fix wrong return value in cn23xx_get_pf_num() [ Upstream commit aa027850a292ea65524b8fab83eb91a124ad362c ] On an error exit path, a negative error code should be returned instead of a positive return value. Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine") Cc: Rick Farrington Signed-off-by: Tianjia Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6f42ff8a38b19dbcdf360d2ad6d1068e38ffdabd Author: Tianjia Zhang Date: Sun Aug 2 19:15:37 2020 +0800 net: ethernet: aquantia: Fix wrong return value [ Upstream commit 0470a48880f8bc42ce26962b79c7b802c5a695ec ] In function hw_atl_a0_hw_multicast_list_set(), when an invalid request is encountered, a negative error code should be returned. Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions") Cc: David VomLehn Signed-off-by: Tianjia Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6871b1dedce46a38be350bcafa9d3933497f3808 Author: Josef Bacik Date: Fri Jul 24 20:50:48 2020 -0400 ftrace: Fix ftrace_trace_task return value [ Upstream commit c58b6b0372de0d4cd0536d6585addd1b36b151ae ] I was attempting to use pid filtering with function_graph, but it wasn't allowing anything to make it through. Turns out ftrace_trace_task returns false if ftrace_ignore_pid is not-empty, which isn't correct anymore. We're now setting it to FTRACE_PID_IGNORE if we need to ignore that pid, otherwise it's set to the pid (which is weird considering the name) or to FTRACE_PID_TRACE. Fix the check to check for != FTRACE_PID_IGNORE. With this we can now use function_graph with pid filtering. Link: https://lkml.kernel.org/r/20200725005048.1790-1-josef@toxicpanda.com Fixes: 717e3f5ebc82 ("ftrace: Make function trace pid filtering a bit more exact") Signed-off-by: Josef Bacik Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 68e3b178f2c59258d7285166bd0292d542381e57 Author: Leon Romanovsky Date: Sun Jul 19 11:04:30 2020 +0300 net/mlx5: Delete extra dump stack that gives nothing [ Upstream commit 6c4e9bcfb48933d533ff975e152757991556294a ] The WARN_*() macros are intended to catch impossible situations from the SW point of view. They gave a little in case HW<->SW interface is out-of-sync. Such out-of-sync scenario can be due to SW errors that are not part of this flow or because some HW errors, where dump stack won't help either. This specific WARN_ON() is useless because mlx5_core code is prepared to handle such situations and will unfold everything correctly while providing enough information to the users to understand why FS is not working. WARNING: CPU: 0 PID: 3222 at drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 connect_fts_in_prio.isra.20+0x1dd/0x260 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 3222 Comm: syz-executor861 Not tainted 5.5.0-rc6+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack linux/lib/dump_stack.c:77 [inline] dump_stack+0x94/0xce linux/lib/dump_stack.c:118 panic+0x234/0x56f linux/kernel/panic.c:221 __warn+0x1cc/0x1e1 linux/kernel/panic.c:582 report_bug+0x200/0x310 linux/lib/bug.c:195 fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:174 fixup_bug linux/arch/x86/kernel/traps.c:273 [inline] do_error_trap+0xd3/0x100 linux/arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:286 invalid_op+0x1e/0x30 linux/arch/x86/entry/entry_64.S:1027 RIP: 0010:connect_fts_in_prio.isra.20+0x1dd/0x260 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 Code: 00 00 48 c7 c2 60 8c 31 84 48 c7 c6 00 81 31 84 48 8b 38 e8 3c a8 cb ff 41 83 fd 01 8b 04 24 0f 8e 29 ff ff ff e8 83 7b bc fe <0f> 0b 8b 04 24 e9 1a ff ff ff 89 04 24 e8 c1 20 e0 fe 8b 04 24 eb RSP: 0018:ffffc90004bb7858 EFLAGS: 00010293 RAX: ffff88805de98e80 RBX: 0000000000000c96 RCX: ffffffff827a853d RDX: 0000000000000000 RSI: 0000000000000000 RDI: fffff52000976efa RBP: 0000000000000007 R08: ffffed100da060e3 R09: ffffed100da060e3 R10: 0000000000000001 R11: ffffed100da060e2 R12: dffffc0000000000 R13: 0000000000000002 R14: ffff8880683a1a10 R15: ffffed100d07bc1c connect_prev_fts linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:844 [inline] connect_flow_table linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:975 [inline] __mlx5_create_flow_table+0x8f8/0x1710 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1064 mlx5_create_flow_table linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1094 [inline] mlx5_create_auto_grouped_flow_table+0xe1/0x210 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1136 _get_prio linux/drivers/infiniband/hw/mlx5/main.c:3286 [inline] get_flow_table+0x2ea/0x760 linux/drivers/infiniband/hw/mlx5/main.c:3376 mlx5_ib_create_flow+0x331/0x11c0 linux/drivers/infiniband/hw/mlx5/main.c:3896 ib_uverbs_ex_create_flow+0x13e8/0x1b40 linux/drivers/infiniband/core/uverbs_cmd.c:3311 ib_uverbs_write+0xaa5/0xdf0 linux/drivers/infiniband/core/uverbs_main.c:769 __vfs_write+0x7c/0x100 linux/fs/read_write.c:494 vfs_write+0x168/0x4a0 linux/fs/read_write.c:558 ksys_write+0xc8/0x200 linux/fs/read_write.c:611 do_syscall_64+0x9c/0x390 linux/arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45a059 Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcc17564c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fcc17564ca0 RCX: 000000000045a059 RDX: 0000000000000030 RSI: 00000000200003c0 RDI: 0000000000000005 RBP: 0000000000000007 R08: 0000000000000002 R09: 0000000000003131 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e636c R13: 0000000000000000 R14: 00000000006e6360 R15: 00007ffdcbdaf6a0 Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: disabled Rebooting in 1 seconds.. Fixes: f90edfd279f3 ("net/mlx5_core: Connect flow tables") Reviewed-by: Maor Gottlieb Reviewed-by: Mark Bloch Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 2dc09fe97e235a59a82452548d5e15fc8bdd4349 Author: Alex Vesker Date: Mon Jul 13 14:09:04 2020 +0300 net/mlx5: DR, Change push vlan action sequence [ Upstream commit b206490940216542c68563699b279eed3c55107c ] The DR TX state machine supports the following order: modify header, push vlan and encapsulation. Instead fs_dr would pass: push vlan, modify header and encapsulation. The above caused the rule creation to fail on invalid action sequence provided error. Fixes: 6a48faeeca10 ("net/mlx5: Add direct rule fs_cmd implementation") Signed-off-by: Alex Vesker Reviewed-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit e8bb7b4c812c77c1cc41a79526638d4c0ddd1049 Author: Tianjia Zhang Date: Sun Aug 2 19:15:40 2020 +0800 tools, bpftool: Fix wrong return value in do_dump() [ Upstream commit 041549b7b2c7811ec40e705c439211f00ade2dda ] In case of btf_id does not exist, a negative error code -ENOENT should be returned. Fixes: c93cc69004df3 ("bpftool: add ability to dump BTF types") Signed-off-by: Tianjia Zhang Signed-off-by: Daniel Borkmann Reviewed-by: Tobias Klauser Acked-by: Andrii Nakryiko Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20200802111540.5384-1-tianjia.zhang@linux.alibaba.com Signed-off-by: Sasha Levin commit fc574d322d7f38c51530136fef8e472a0c1bcef0 Author: Andrii Nakryiko Date: Thu Jul 30 19:42:44 2020 -0700 tools, build: Propagate build failures from tools/build/Makefile.build [ Upstream commit a278f3d8191228212c553a5d4303fa603214b717 ] The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with non-zero effect: the command failure is masked (despite `set -e`) and all but the first command of $(dep-cmd) is executed (successfully, as they are mostly printfs), thus overall returning 0 in the end. This means in practice that despite compilation errors, tools's build Makefile will return success. We see this very reliably with libbpf's Makefile, which doesn't get compilation error propagated properly. This in turns causes issues with selftests build, as well as bpftool and other projects that rely on building libbpf. The fix is simple: don't use &&. Given `set -e`, we don't need to chain commands with &&. The shell will exit on first failure, giving desired behavior and propagating error properly. Fixes: 275e2d95591e ("tools build: Move dependency copy into function") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/20200731024244.872574-1-andriin@fb.com Signed-off-by: Sasha Levin commit 2827ebc1bd29cdcfd2ccb9d7a3c92b8cbb947a8f Author: Wang Hai Date: Thu Jul 30 15:39:39 2020 +0800 wl1251: fix always return 0 error [ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] wl1251_event_ps_report() should not always return 0 because wl1251_ps_set_mode() may fail. Change it to return 'ret'. Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 1fac7063714f293c22e46058f6911a880a56426b Author: Wang Hai Date: Thu Jul 30 14:49:10 2020 +0800 qtnfmac: Missing platform_device_unregister() on error in qtnf_core_mac_alloc() [ Upstream commit 141bc9abbbffa89d020957caa9ac4a61d0ef1e26 ] Add the missing platform_device_unregister() before return from qtnf_core_mac_alloc() in the error handling case. Fixes: 616f5701f4ab ("qtnfmac: assign each wiphy to its own virtual platform device") Reported-by: Hulk Robot Signed-off-by: Wang Hai Reviewed-by: Sergey Matyukevich Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200730064910.37589-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 4d07d0b5781f590f26b9377cc0bc833fa84239c6 Author: Yan-Hsuan Chuang Date: Fri Jul 17 14:49:34 2020 +0800 rtw88: coex: only skip coex triggered by BT info [ Upstream commit 3f194bd4ca1cd9b8eef34d37d562279dbeb80319 ] The coex mechanism used to skip upon the freeze flag is raised. That will cause the coex mechanism being skipped unexpectedly. Coex only wanted to keep the TDMA table from being changed by BT side. So, check the freeze and reason, if the coex reason is coming from BT info, skip it, to make sure the coex triggered by Wifi itself can work. This is required for the AP mode, while the control flow is different with STA mode. When starting an AP mode, the AP mode needs to start working immedaitely after leaving IPS, and the freeze flag could be raised. If the coex info is skipped, then the AP mode will not set the antenna owner, leads to TX stuck. Fixes: 4136214f7c46 ("rtw88: add BT co-existence support") Signed-off-by: Yan-Hsuan Chuang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200717064937.27966-5-yhchuang@realtek.com Signed-off-by: Sasha Levin commit 6d15c5653f95a91450a17b920e11ef8f885dc58d Author: Tsang-Shian Lin Date: Fri Jul 17 14:49:32 2020 +0800 rtw88: fix short GI capability based on current bandwidth [ Upstream commit 4dd86b901d1373ef8446ecb50a7ca009f3475211 ] Fix the transmission is not sent with short GI under some conditions even if the receiver supports short GI. If VHT capability IE exists in the beacon, the original code uses the short GI for 80M field as driver's short GI setting for transmission, even the current bandwidth is not 80MHz. Short GI supported fields for 20M/40M are informed in HT capability information element, and short GI supported field for 80M is informed in VHT capability information element. These three fields may be set to different values. Driver needs to record each short GI support field for each bandwidth, and send correct info depends on current bandwidth to the WiFi firmware. Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") Signed-off-by: Tsang-Shian Lin Signed-off-by: Yan-Hsuan Chuang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200717064937.27966-3-yhchuang@realtek.com Signed-off-by: Sasha Levin commit 4c295463cc3ca7578df5e74f38275cdf269744c8 Author: Tsang-Shian Lin Date: Fri Jul 17 14:49:31 2020 +0800 rtw88: fix LDPC field for RA info [ Upstream commit ae44fa993e8e6c1a1d22e5ca03d9eadd53b2745b ] Convert the type of LDPC field to boolen because LDPC field of RA info H2C command to firmware is only one bit. Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") Signed-off-by: Tsang-Shian Lin Signed-off-by: Yan-Hsuan Chuang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200717064937.27966-2-yhchuang@realtek.com Signed-off-by: Sasha Levin commit 1dcab82e6aab0da0791ded7a4d6b76e0257fccae Author: Florian Westphal Date: Sun Aug 2 03:27:03 2020 +0200 netfilter: nft_meta: fix iifgroup matching [ Upstream commit 78470d9d0d9f2f8d16f28382a4071568e839c0d5 ] iifgroup matching erroneously checks the output interface. Fixes: 8724e819cc9a ("netfilter: nft_meta: move all interface related keys to helper") Reported-by: Demi M. Obenour Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 7bf75a893dc9c2da2347f90175751ee6374a6350 Author: Surabhi Boob Date: Wed Jul 29 17:19:18 2020 -0700 ice: Graceful error handling in HW table calloc failure [ Upstream commit bcc46cb8a077c6189b44f1555b8659837f748eb2 ] In the ice_init_hw_tbls, if the devm_kcalloc for es->written fails, catch that error and bail out gracefully, instead of continuing with a NULL pointer. Fixes: 32d63fa1e9f3 ("ice: Initialize DDP package structures") Signed-off-by: Surabhi Boob Tested-by: Andrew Bowers Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit ace93ada236f781fa10fb0168550ff058ddad49e Author: Vignesh Sridhar Date: Wed Jul 29 17:19:15 2020 -0700 ice: Clear and free XLT entries on reset [ Upstream commit ec1d1d2302067e3ccbc4d0adcd36d72410933b70 ] This fix has been added to address memory leak issues resulting from triggering a sudden driver reset which does not allow us to follow our normal removal flows for SW XLT entries for advanced features. - Adding call to destroy flow profile locks when clearing SW XLT tables. - Extraction sequence entries were not correctly cleared previously which could cause ownership conflicts for repeated reset-replay calls. Fixes: 31ad4e4ee1e4 ("ice: Allocate flow profile") Signed-off-by: Vignesh Sridhar Tested-by: Andrew Bowers Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit a50920d62c076839c42b71656666bccdac4682f7 Author: Julian Wiedmann Date: Thu Jul 30 17:01:20 2020 +0200 s390/qeth: don't process empty bridge port events [ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] Discard events that don't contain any entries. This shouldn't happen, but subsequent code relies on being able to use entry 0. So better be safe than accessing garbage. Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") Signed-off-by: Julian Wiedmann Reviewed-by: Alexandra Winter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b2400fe7e1011c5f3dc2268e8382082465b1c8a2 Author: Julian Wiedmann Date: Thu Jul 30 17:01:18 2020 +0200 s390/qeth: tolerate pre-filled RX buffer [ Upstream commit eff73e16ee116f6eafa2be48fab42659a27cb453 ] When preparing a buffer for RX refill, tolerate that it already has a pool_entry attached. Otherwise we could easily leak such a pool_entry when re-driving the RX refill after an error (from eg. do_qdio()). This needs some minor adjustment in the code that drains RX buffer(s) prior to RX refill and during teardown, so that ->pool_entry is NULLed accordingly. Fixes: 4a71df50047f ("qeth: new qeth device driver") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4911d559e6f59252170bb831645bdc039a2edffc Author: Shengjiu Wang Date: Fri Jul 31 14:28:15 2020 +0800 ASoC: fsl_sai: Fix value of FSL_SAI_CR1_RFW_MASK [ Upstream commit 5aef1ff2397d021f93d874b57dff032fdfac73de ] The fifo_depth is 64 on i.MX8QM/i.MX8QXP, 128 on i.MX8MQ, 16 on i.MX7ULP. Original FSL_SAI_CR1_RFW_MASK value 0x1F is not suitable for these platform, the FIFO watermark mask should be updated according to the fifo_depth. Fixes: a860fac42097 ("ASoC: fsl_sai: Add support for imx7ulp/imx8mq") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1596176895-28724-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 070809f966e3fc4590d02733b16b17e3f7a7ea12 Author: Jerry Crunchtime Date: Fri Jul 31 17:08:01 2020 +0200 libbpf: Fix register in PT_REGS MIPS macros [ Upstream commit 1acf8f90ea7ee59006d0474275922145ac291331 ] The o32, n32 and n64 calling conventions require the return value to be stored in $v0 which maps to $2 register, i.e., the register 2. Fixes: c1932cd ("bpf: Add MIPS support to samples/bpf.") Signed-off-by: Jerry Crunchtime Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/43707d31-0210-e8f0-9226-1af140907641@web.de Signed-off-by: Sasha Levin commit d68e1b834b0cee5334ec0f8574be46bcbd408576 Author: Charles Keepax Date: Thu Jul 30 13:07:14 2020 +0100 ASoC: soc-core: Fix regression causing sysfs entries to disappear [ Upstream commit 5c74c9d34aec1ac756de6979dd5580096aba8643 ] The allocation order of things in soc_new_pcm_runtime was changed to move the device_register before the allocation of the rtd structure. This was to allow the rtd allocation to be managed by devm. However currently the sysfs entries are added by device_register and their visibility depends on variables within the rtd structure, this causes the pmdown_time and dapm_widgets sysfs entries to be missing for all rtds. Correct this issue by manually calling device_add_groups after the appropriate information is available. Fixes: d918a37610b1 ("ASoC: soc-core: tidyup soc_new_pcm_runtime() alloc order") Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20200730120715.637-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 557fa1da7dd849ec86b75878bd25518a952eb43a Author: Jerome Brunet Date: Wed Jul 29 17:44:55 2020 +0200 ASoC: meson: axg-tdm-formatters: fix sclk inversion [ Upstream commit 0d3f01dcdc234001f979a0af0b6b31cb9f25b6c1 ] After carefully checking, it appears that both tdmout and tdmin require the rising edge of the sclk they get to be synchronized with the frame sync event (which should be a rising edge of lrclk). TDMIN was improperly set before this patch. Remove the sclk_invert quirk which is no longer needed and fix the sclk phase. Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver") Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20200729154456.1983396-4-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c0ae5af62414d610eaa68722f7dda17886d6a227 Author: Jerome Brunet Date: Wed Jul 29 17:44:54 2020 +0200 ASoC: meson: axg-tdmin: fix g12a skew [ Upstream commit 80a254394fcfe55450b0351da298ca7231889219 ] After carefully checking the result provided by the TDMIN on the g12a and sm1 SoC families, the TDMIN skew offset appears to be 3 instead of 2 on the axg. Fixes: f01bc67f58fd ("ASoC: meson: axg-tdm-formatter: rework quirks settings") Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20200729154456.1983396-3-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b4a405dc7ac9fcaed5fd53b4fd96ee362c2c7545 Author: Jerome Brunet Date: Wed Jul 29 17:44:53 2020 +0200 ASoC: meson: axg-tdm-interface: fix link fmt setup [ Upstream commit 6878ba91ce84f7a07887a0615af70f969508839f ] The .set_fmt() callback of the axg tdm interface incorrectly test the content of SND_SOC_DAIFMT_MASTER_MASK as if it was a bitfield, which it is not. Implement the test correctly. Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20200729154456.1983396-2-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bfc916b65b60298bd42cdaa8a7e315dc70c20662 Author: Sandipan Das Date: Thu Jul 30 10:38:46 2020 +0530 selftests/powerpc: Fix online CPU selection [ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ] The size of the CPU affinity mask must be large enough for systems with a very large number of CPUs. Otherwise, tests which try to determine the first online CPU by calling sched_getaffinity() will fail. This makes sure that the size of the allocated affinity mask is dependent on the number of CPUs as reported by get_nprocs_conf(). Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs") Reported-by: Shirisha Ganta Signed-off-by: Sandipan Das Reviewed-by: Kamalesh Babulal Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com Signed-off-by: Sasha Levin commit 86a403273436ff935310567e932d9d8468b8e216 Author: Nathan Lynch Date: Thu Sep 19 18:16:33 2019 -0500 powerpc/pseries/hotplug-cpu: Remove double free in error path [ Upstream commit a0ff72f9f5a780341e7ff5e9ba50a0dad5fa1980 ] In the unlikely event that the device tree lacks a /cpus node, find_dlpar_cpus_to_add() oddly frees the cpu_drcs buffer it has been passed before returning an error. Its only caller also frees the buffer on error. Remove the less conventional kfree() of a caller-supplied buffer from find_dlpar_cpus_to_add(). Fixes: 90edf184b9b7 ("powerpc/pseries: Add CPU dlpar add functionality") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20190919231633.1344-1-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit 2f121f384267a9d00aa7dcd14c980bcb8b5b8dde Author: Sven Auhagen Date: Mon Jun 22 14:01:23 2020 +0200 cpufreq: ap806: fix cpufreq driver needs ap cpu clk [ Upstream commit 8c37ad2f523396e15cf002b29f8f796447c71932 ] The Armada 8K cpufreq driver needs the Armada AP CPU CLK to work. This dependency is currently not satisfied and the ARMADA_AP_CPU_CLK can not be selected independently. Add it to the cpufreq Armada8k driver. Fixes: f525a670533d ("cpufreq: ap806: add cpufreq driver for Armada 8K") Signed-off-by: Sven Auhagen Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit be269c557c32f59c87566a908ee3d7347f226892 Author: Hanjun Guo Date: Wed Jul 22 17:44:28 2020 +0800 PCI: Release IVRS table in AMD ACS quirk [ Upstream commit 090688fa4e448284aaa16136372397d7d10814db ] The acpi_get_table() should be coupled with acpi_put_table() if the mapped table is not used at runtime to release the table mapping. In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU is supported, not used at runtime, so put the table after using it. Fixes: 15b100dfd1c9 ("PCI: Claim ACS support for AMD southbridge devices") Link: https://lore.kernel.org/r/1595411068-15440-1-git-send-email-guohanjun@huawei.com Signed-off-by: Hanjun Guo Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit dcc44d973b079cd8f58d6b68e1f5b8629495c7cd Author: Mark Zhang Date: Mon Jul 27 12:58:28 2020 +0300 RDMA/netlink: Remove CAP_NET_RAW check when dump a raw QP [ Upstream commit 1d70ad0f85435a7262de802b104e49e6598c50ff ] When dumping QPs bound to a counter, raw QPs should be allowed to dump without the CAP_NET_RAW privilege. This is consistent with what "rdma res show qp" does. Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback") Link: https://lore.kernel.org/r/20200727095828.496195-1-leon@kernel.org Signed-off-by: Mark Zhang Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 99528b9d560828d2298759fef16767ebef3a9d56 Author: Tiezhu Yang Date: Wed Jul 22 11:06:52 2020 +0100 nvmem: sprd: Fix return value of sprd_efuse_probe() [ Upstream commit bcd14bb7a68520bf88e45e91d354e43535624f82 ] When call function devm_platform_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Fixes: 096030e7f449 ("nvmem: sprd: Add Spreadtrum SoCs eFuse support") Signed-off-by: Tiezhu Yang Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200722100705.7772-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f10f212ecec049966795109b0d028b626cd3c72c Author: Harish Date: Tue Jun 9 13:44:23 2020 +0530 selftests/powerpc: Fix CPU affinity for child process [ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ] On systems with large number of cpus, test fails trying to set affinity by calling sched_setaffinity() with smaller size for affinity mask. This patch fixes it by making sure that the size of allocated affinity mask is dependent on the number of CPUs as reported by get_nprocs(). Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark") Reported-by: Shirisha Ganta Signed-off-by: Sandipan Das Signed-off-by: Harish Reviewed-by: Kamalesh Babulal Reviewed-by: Satheesh Rajendran Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com Signed-off-by: Sasha Levin commit 88871a2234af4475a249407776f3fb597b40a6d9 Author: Michael Ellerman Date: Fri Jul 24 23:17:26 2020 +1000 powerpc/boot: Fix CONFIG_PPC_MPC52XX references [ Upstream commit e5eff89657e72a9050d95fde146b54c7dc165981 ] Commit 866bfc75f40e ("powerpc: conditionally compile platform-specific serial drivers") made some code depend on CONFIG_PPC_MPC52XX, which doesn't exist. Fix it to use CONFIG_PPC_MPC52xx. Fixes: 866bfc75f40e ("powerpc: conditionally compile platform-specific serial drivers") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200724131728.1643966-7-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 9b00a93f792674193c664a1bf47d599fbc4392b7 Author: Michael Ellerman Date: Fri Jul 24 23:17:24 2020 +1000 powerpc/32s: Fix CONFIG_BOOK3S_601 uses [ Upstream commit df4d4ef22446b3a789a4efd74d34f2ec1e24deb2 ] We have two uses of CONFIG_BOOK3S_601, which doesn't exist. Fix them to use CONFIG_PPC_BOOK3S_601 which is the correct symbol. Fixes: 12c3f1fd87bf ("powerpc/32s: get rid of CPU_FTR_601 feature") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200724131728.1643966-5-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 659dbb362fc29fd4f1ae856d616a0a5ff183afb5 Author: Oliver O'Halloran Date: Mon Jul 27 11:01:27 2020 +1000 selftests/powerpc: Squash spurious errors due to device removal [ Upstream commit 5f8cf6475828b600ff6d000e580c961ac839cc61 ] For drivers that don't have the error handling callbacks we implement recovery by removing the device and re-probing it. This causes the sysfs directory for the PCI device to be removed which causes the following spurious error to be printed when checking the PE state: Breaking 0005:03:00.0... ./eeh-basic.sh: line 13: can't open /sys/bus/pci/devices/0005:03:00.0/eeh_pe_state: no such file 0005:03:00.0, waited 0/60 0005:03:00.0, waited 1/60 0005:03:00.0, waited 2/60 0005:03:00.0, waited 3/60 0005:03:00.0, waited 4/60 0005:03:00.0, waited 5/60 0005:03:00.0, waited 6/60 0005:03:00.0, waited 7/60 0005:03:00.0, Recovered after 8 seconds We currently try to avoid this by checking if the PE state file exists before reading from it. This is however inherently racy so re-work the state checking so that we only read from the file once, and we squash any errors that occur while reading. Fixes: 85d86c8aa52e ("selftests/powerpc: Add basic EEH selftest") Signed-off-by: Oliver O'Halloran Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200727010127.23698-1-oohall@gmail.com Signed-off-by: Sasha Levin commit cd1385c095dc126ddddacdecbe3a19e9853da3e1 Author: Darrick J. Wong Date: Tue Jul 14 10:36:08 2020 -0700 xfs: clear XFS_DQ_FREEING if we can't lock the dquot buffer to flush [ Upstream commit c97738a960a86081a147e7d436138e6481757445 ] In commit 8d3d7e2b35ea, we changed xfs_qm_dqpurge to bail out if we can't lock the dquot buf to flush the dquot. This prevents the AIL from blocking on the dquot, but it also forgets to clear the FREEING flag on its way out. A subsequent purge attempt will see the FREEING flag is set and bail out, which leads to dqpurge_all failing to purge all the dquots. (copy-pasting from Dave Chinner's identical patch) This was found by inspection after having xfs/305 hang 1 in ~50 iterations in a quotaoff operation: [ 8872.301115] xfs_quota D13888 92262 91813 0x00004002 [ 8872.302538] Call Trace: [ 8872.303193] __schedule+0x2d2/0x780 [ 8872.304108] ? do_raw_spin_unlock+0x57/0xd0 [ 8872.305198] schedule+0x6e/0xe0 [ 8872.306021] schedule_timeout+0x14d/0x300 [ 8872.307060] ? __next_timer_interrupt+0xe0/0xe0 [ 8872.308231] ? xfs_qm_dqusage_adjust+0x200/0x200 [ 8872.309422] schedule_timeout_uninterruptible+0x2a/0x30 [ 8872.310759] xfs_qm_dquot_walk.isra.0+0x15a/0x1b0 [ 8872.311971] xfs_qm_dqpurge_all+0x7f/0x90 [ 8872.313022] xfs_qm_scall_quotaoff+0x18d/0x2b0 [ 8872.314163] xfs_quota_disable+0x3a/0x60 [ 8872.315179] kernel_quotactl+0x7e2/0x8d0 [ 8872.316196] ? __do_sys_newstat+0x51/0x80 [ 8872.317238] __x64_sys_quotactl+0x1e/0x30 [ 8872.318266] do_syscall_64+0x46/0x90 [ 8872.319193] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 8872.320490] RIP: 0033:0x7f46b5490f2a [ 8872.321414] Code: Bad RIP value. Returning -EAGAIN from xfs_qm_dqpurge() without clearing the XFS_DQ_FREEING flag means the xfs_qm_dqpurge_all() code can never free the dquot, and we loop forever waiting for the XFS_DQ_FREEING flag to go away on the dquot that leaked it via -EAGAIN. Fixes: 8d3d7e2b35ea ("xfs: trylock underlying buffer on dquot flush") Signed-off-by: Darrick J. Wong Reviewed-by: Allison Collins Reviewed-by: Chandan Babu R Reviewed-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Reviewed-by: Dave Chinner Signed-off-by: Sasha Levin commit 1cf33c28a6f5062aec04d59d4d4993d542dc5c7b Author: Brian Foster Date: Wed Jul 15 18:44:50 2020 -0700 xfs: fix inode allocation block res calculation precedence [ Upstream commit b2a8864728683443f34a9fd33a2b78b860934cc1 ] The block reservation calculation for inode allocation is supposed to consist of the blocks required for the inode chunk plus (maxlevels-1) of the inode btree multiplied by the number of inode btrees in the fs (2 when finobt is enabled, 1 otherwise). Instead, the macro returns (ialloc_blocks + 2) due to a precedence error in the calculation logic. This leads to block reservation overruns via generic/531 on small block filesystems with finobt enabled. Add braces to fix the calculation and reserve the appropriate number of blocks. Fixes: 9d43b180af67 ("xfs: update inode allocation/free transaction reservations for finobt") Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit f089d7f2c97c4a2b25c6732d49ed0c74bbe4eccf Author: Linus Walleij Date: Mon Jul 27 01:34:40 2020 +0200 net: dsa: rtl8366: Fix VLAN set-up [ Upstream commit 788abc6d9d278ed6fa1fa94db2098481a04152b7 ] Alter the rtl8366_vlan_add() to call rtl8366_set_vlan() inside the loop that goes over all VIDs since we now properly support calling that function more than once. Augment the loop to postincrement as this is more intuitive. The loop moved past the last VID but called rtl8366_set_vlan() with the port number instead of the VID, assuming a 1-to-1 correspondence between ports and VIDs. This was also a bug. Cc: DENG Qingfang Cc: Mauri Sandberg Reviewed-by: Florian Fainelli Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") Signed-off-by: Linus Walleij Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 551f10f54cf22e1bd3581766a4ccef4bee932b89 Author: Linus Walleij Date: Mon Jul 27 01:34:39 2020 +0200 net: dsa: rtl8366: Fix VLAN semantics [ Upstream commit 15ab7906cc9290afb006df1bb1074907fbcc7061 ] The RTL8366 would not handle adding new members (ports) to a VLAN: the code assumed that ->port_vlan_add() was only called once for a single port. When intializing the switch with .configure_vlan_while_not_filtering set to true, the function is called numerous times for adding all ports to VLAN1, which was something the code could not handle. Alter rtl8366_set_vlan() to just |= new members and untagged flags to 4k and MC VLAN table entries alike. This makes it possible to just add new ports to a VLAN. Put in some helpful debug code that can be used to find any further bugs here. Cc: DENG Qingfang Cc: Mauri Sandberg Reviewed-by: Florian Fainelli Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") Signed-off-by: Linus Walleij Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6355a24b657cc7d0c92edafc325cc6eb856d2b1e Author: Venkata Lakshmi Narayana Gubba Date: Tue Jul 28 21:23:00 2020 +0530 Bluetooth: hci_qca: Stop collecting memdump again for command timeout during SSR [ Upstream commit 58789a1990c1a849a461ac912e72a698a771951a ] Setting memdump state to idle prior to setting of callback function pointer for command timeout to NULL,causing the issue.Now moved the initialisation of memdump state to qca_setup(). Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR") Signed-off-by: Venkata Lakshmi Narayana Gubba Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 79baed5a17a3037cef5b41efe19e9348282ce89e Author: Abhishek Pandit-Subedi Date: Tue Jul 28 09:58:07 2020 -0700 Bluetooth: Fix suspend notifier race [ Upstream commit 4e8c36c3b0d73d46aa27cfd4308aaa445a1067df ] Unregister from suspend notifications and cancel suspend preparations before running hci_dev_do_close. Otherwise, the suspend notifier may race with unregister and cause cmd_timeout even after hdev has been freed. Below is the trace from when this panic was seen: [ 832.578518] Bluetooth: hci_core.c:hci_cmd_timeout() hci0: command 0x0c05 tx timeout [ 832.586200] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 832.586203] #PF: supervisor read access in kernel mode [ 832.586205] #PF: error_code(0x0000) - not-present page [ 832.586206] PGD 0 P4D 0 [ 832.586210] PM: suspend exit [ 832.608870] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 832.613232] CPU: 3 PID: 10755 Comm: kworker/3:7 Not tainted 5.4.44-04894-g1e9dbb96a161 #1 [ 832.630036] Workqueue: events hci_cmd_timeout [bluetooth] [ 832.630046] RIP: 0010:__queue_work+0xf0/0x374 [ 832.630051] RSP: 0018:ffff9b5285f1fdf8 EFLAGS: 00010046 [ 832.674033] RAX: ffff8a97681bac00 RBX: 0000000000000000 RCX: ffff8a976a000600 [ 832.681162] RDX: 0000000000000000 RSI: 0000000000000009 RDI: ffff8a976a000748 [ 832.688289] RBP: ffff9b5285f1fe38 R08: 0000000000000000 R09: ffff8a97681bac00 [ 832.695418] R10: 0000000000000002 R11: ffff8a976a0006d8 R12: ffff8a9745107600 [ 832.698045] usb 1-6: new full-speed USB device number 119 using xhci_hcd [ 832.702547] R13: ffff8a9673658850 R14: 0000000000000040 R15: 000000000000001e [ 832.702549] FS: 0000000000000000(0000) GS:ffff8a976af80000(0000) knlGS:0000000000000000 [ 832.702550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 832.702550] CR2: 0000000000000000 CR3: 000000010415a000 CR4: 00000000003406e0 [ 832.702551] Call Trace: [ 832.702558] queue_work_on+0x3f/0x68 [ 832.702562] process_one_work+0x1db/0x396 [ 832.747397] worker_thread+0x216/0x375 [ 832.751147] kthread+0x138/0x140 [ 832.754377] ? pr_cont_work+0x58/0x58 [ 832.758037] ? kthread_blkcg+0x2e/0x2e [ 832.761787] ret_from_fork+0x22/0x40 [ 832.846191] ---[ end trace fa93f466da517212 ]--- Fixes: 9952d90ea2885 ("Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND") Signed-off-by: Abhishek Pandit-Subedi Reviewed-by: Miao-chen Chou Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit dc602e2fa81c30a963cbb784f215a41ddb075d58 Author: Nicolas Boichat Date: Tue Jul 21 10:37:16 2020 +0800 Bluetooth: hci_serdev: Only unregister device if it was registered [ Upstream commit 202798db9570104728dce8bb57dfeed47ce764bc ] We should not call hci_unregister_dev if the device was not successfully registered. Fixes: c34dc3bfa7642fd ("Bluetooth: hci_serdev: Introduce hci_uart_unregister_device()") Signed-off-by: Nicolas Boichat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit f744a3086f15e9d577ef0c8d58ffa6f3c34269ce Author: Nicolas Boichat Date: Tue Jul 21 10:37:15 2020 +0800 Bluetooth: hci_h5: Set HCI_UART_RESET_ON_INIT to correct flags [ Upstream commit a7ad4b6119d740b1ec5788f1b98be0fd1c1b5a5a ] HCI_UART_RESET_ON_INIT belongs in hdev_flags, not flags. Fixes: ce945552fde4a09 ("Bluetooth: hci_h5: Add support for serdev enumerated devices") Signed-off-by: Nicolas Boichat Reviewed-by: Hans de Goede Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 4bd896e23adb60aa379b8f27ae534d17fc4deaee Author: Ismael Ferreras Morezuelas Date: Sun Jul 26 23:12:28 2020 +0200 Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth controllers [ Upstream commit cde1a8a992875a7479c4321b2a4a190c2e92ec2a ] For some reason they tend to squat on the very first CSR/ Cambridge Silicon Radio VID/PID instead of paying fees. This is an extremely common problem; the issue goes as back as 2013 and these devices are only getting more popular, even rebranded by reputable vendors and sold by retailers everywhere. So, at this point in time there are hundreds of modern dongles reusing the ID of what originally was an early Bluetooth 1.1 controller. Linux is the only place where they don't work due to spotty checks in our detection code. It only covered a minimum subset. So what's the big idea? Take advantage of the fact that all CSR chips report the same internal version as both the LMP sub-version and HCI revision number. It always matches, couple that with the manufacturer code, that rarely lies, and we now have a good idea of who is who. Additionally, by compiling a list of user-reported HCI/lsusb dumps, and searching around for legit CSR dongles in similar product ranges we can find what CSR BlueCore firmware supported which Bluetooth versions. That way we can narrow down ranges of fakes for each of them. e.g. Real CSR dongles with LMP subversion 0x73 are old enough that support BT 1.1 only; so it's a dead giveaway when some third-party BT 4.0 dongle reuses it. So, to sum things up; there are multiple classes of fake controllers reusing the same 0A12:0001 VID/PID. This has been broken for a while. Known 'fake' bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891 IC markings on 0x7558: FR3191AHAL 749H15143 (???) https://bugzilla.kernel.org/show_bug.cgi?id=60824 Fixes: 81cac64ba258ae (Deal with USB devices that are faking CSR vendor) Reported-by: Michał Wiśniewski Tested-by: Mike Johnson Tested-by: Ricardo Rodrigues Tested-by: M.Hanny Sabbagh Tested-by: Oussama BEN BRAHIM Tested-by: Ismael Ferreras Morezuelas Signed-off-by: Ismael Ferreras Morezuelas Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 68bcb83d4caae6b8d34b756a0aa251875c14e88b Author: Tom Rix Date: Sun Jul 12 12:23:51 2020 -0700 power: supply: check if calc_soc succeeded in pm860x_init_battery [ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] clang static analysis flags this error 88pm860x_battery.c:522:19: warning: Assigned value is garbage or undefined [core.uninitialized.Assign] info->start_soc = soc; ^ ~~~ soc is set by calling calc_soc. But calc_soc can return without setting soc. So check the return status and bail similarly to other checks in pm860x_init_battery and initialize soc to silence the warning. Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") Signed-off-by: Tom Rix Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 9ef3fc00dd90ac22decc6b9065c3c90f412f62e7 Author: Dan Carpenter Date: Thu Jul 23 18:23:05 2020 +0300 Smack: prevent underflow in smk_set_cipso() [ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Dan Carpenter Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit 32fecc76dfdda9f134de11c3f2df3338a6d3abf6 Author: Dan Carpenter Date: Thu Jul 23 18:22:19 2020 +0300 Smack: fix another vsscanf out of bounds [ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") Signed-off-by: Dan Carpenter Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit f5080bbff3892e07b6bd6b6e456b4dd358d315d6 Author: Li Heng Date: Sat Jul 25 10:56:27 2020 +0800 RDMA/core: Fix return error value in _ib_modify_qp() to negative [ Upstream commit 47fda651d5af2506deac57d54887cf55ce26e244 ] The error codes in _ib_modify_qp() are supposed to be negative errno. Fixes: 7a5c938b9ed0 ("IB/core: Check for rdma_protocol_ib only after validating port_num") Link: https://lore.kernel.org/r/1595645787-20375-1-git-send-email-liheng40@huawei.com Reported-by: Hulk Robot Signed-off-by: Li Heng Reviewed-by: Parav Pandit Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7a26f7a35c18ac193f9a14781a56148fdcc2bcea Author: Kishon Vijay Abraham I Date: Wed Jul 22 16:33:11 2020 +0530 PCI: cadence: Fix updating Vendor ID and Subsystem Vendor ID register [ Upstream commit e3bca37d15dca118f2ef1f0a068bb6e07846ea20 ] Commit 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe controller") in order to update Vendor ID, directly wrote to PCI_VENDOR_ID register. However PCI_VENDOR_ID in root port configuration space is read-only register and writing to it will have no effect. Use local management register to configure Vendor ID and Subsystem Vendor ID. Link: https://lore.kernel.org/r/20200722110317.4744-10-kishon@ti.com Fixes: 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe controller") Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit f8eaf30688e6ac4cf872c459dc589591600b7b26 Author: Kishon Vijay Abraham I Date: Wed Jul 22 16:33:04 2020 +0530 PCI: cadence: Fix cdns_pcie_{host|ep}_setup() error path [ Upstream commit 19abcd790b51b26d775e1170ba2ac086823cceeb ] commit bd22885aa188 ("PCI: cadence: Refactor driver to use as a core library") while refactoring the Cadence PCIe driver to be used as library, removed pm_runtime_get_sync() from cdns_pcie_ep_setup() and cdns_pcie_host_setup() but missed to remove the corresponding pm_runtime_put_sync() in the error path. Fix it here. Link: https://lore.kernel.org/r/20200722110317.4744-3-kishon@ti.com Fixes: bd22885aa188 ("PCI: cadence: Refactor driver to use as a core library") Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Signed-off-by: Sasha Levin commit f4cbaae61a99426b593129a1f5bcc182a1cbdb9c Author: Finn Thain Date: Sun Jun 28 14:23:12 2020 +1000 macintosh/via-macii: Access autopoll_devs when inside lock [ Upstream commit 59ea38f6b3af5636edf541768a1ed721eeaca99e ] The interrupt handler should be excluded when accessing the autopoll_devs variable. Fixes: d95fd5fce88f0 ("m68k: Mac II ADB fixes") # v5.0+ Signed-off-by: Finn Thain Tested-by: Stan Johnson Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/5952dd8a9bc9de90f1acc4790c51dd42b4c98065.1593318192.git.fthain@telegraphics.com.au Signed-off-by: Sasha Levin commit 84bf49368e675ef1c320c8aed9bf6253b71141fb Author: Chris Packham Date: Fri Jul 24 11:21:20 2020 +1200 net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration [ Upstream commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f ] The MV88E6097 chip does not support configuring jumbo frames. Prior to commit 5f4366660d65 only the 6352, 6351, 6165 and 6320 chips configured jumbo mode. The refactor accidentally added the function for the 6097. Remove the erroneous function pointer assignment. Fixes: 5f4366660d65 ("net: dsa: mv88e6xxx: Refactor setting of jumbo frames") Signed-off-by: Chris Packham Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a6b457279b3022d9885280a97f33ed35965e0f21 Author: Finn Thain Date: Thu Jul 23 09:25:51 2020 +1000 scsi: mesh: Fix panic after host or bus reset [ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus results in EH measures and a panic: [ 25.499838] mesh: configured for synchronous 5 MB/s [ 25.787154] mesh: performing initial bus reset... [ 29.867115] scsi host0: MESH [ 29.929527] mesh: target 0 synchronous at 3.6 MB/s [ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS [ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) [ 32.070975] sd 0:0:0:0: [sda] Write Protect is off [ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 [ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 32.332708] sda: [mac] sda1 sda2 sda3 [ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk ... snip ... [ 76.687067] mesh_abort((ptrval)) [ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) [ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 [ 76.880720] dma stat=84e0 cmdptr=1f73d000 [ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 [ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 [ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 [ 77.130512] mesh_abort((ptrval)) [ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) [ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 [ 77.325778] dma stat=84e0 cmdptr=1f73d000 [ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 [ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 [ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 [ 77.582902] mesh_host_reset [ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! [ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 [ 88.323302] Call Trace: [ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) [ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 [ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 [ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 [ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 [ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 [ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 [ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 [ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 [ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c [ 89.044112] Rebooting in 180 seconds.. In theory, a panic can happen after a bus or host reset with dma_started flag set. Fix this by halting the DMA before reinitializing the host. Don't assume that ms->current_req is set when halt_dma() is invoked as it may not hold for bus or host reset. BTW, this particular Conner drive can be made to work by inhibiting disconnect/reselect with 'mesh.resel_targets=0'. Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Paul Mackerras Reported-and-tested-by: Stan Johnson Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1eeafd39a81fea021159e1653876eaaf4acef395 Author: Tomas Henzl Date: Thu Jul 9 15:31:44 2020 +0200 scsi: megaraid_sas: Clear affinity hint [ Upstream commit 1eb81df5c53b1e785fdef298d533feab991381e4 ] To avoid a warning in free_irq, clear the affinity hint. Link: https://lore.kernel.org/r/20200709133144.8363-1-thenzl@redhat.com Fixes: f0b9e7bdc309 ("scsi: megaraid_sas: Set affinity for high IOPS reply queues") Acked-by: Sumit Saxena Signed-off-by: Tomas Henzl Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ebe45ee2542710d0ee71ee7760947cafd58b65b8 Author: Ruslan Bilovol Date: Fri Jul 3 16:49:03 2020 +0300 usb: gadget: f_uac2: fix AC Interface Header Descriptor wTotalLength [ Upstream commit a9cf8715180b18c62addbfe6f6267b8101903119 ] As per UAC2 spec (ch. 4.7.2), wTotalLength of AC Interface Header Descriptor "includes the combined length of this descriptor header and all Clock Source, Unit and Terminal descriptors." Thus add its size to its wTotalLength. Also after recent changes wTotalLength is calculated dynamically, update static definition of uac2_ac_header_descriptor accordingly Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver") Signed-off-by: Ruslan Bilovol Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit e7c4b79d70a70b4b7b0a04c640238a2ef0a7a8c8 Author: Marek Szyprowski Date: Thu Jul 16 14:09:48 2020 +0200 usb: dwc2: Fix error path in gadget registration [ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] When gadget registration fails, one should not call usb_del_gadget_udc(). Ensure this by setting gadget->udc to NULL. Also in case of a failure there is no need to disable low-level hardware, so return immiedetly instead of jumping to error_init label. This fixes the following kernel NULL ptr dereference on gadget failure (can be easily triggered with g_mass_storage without any module parameters): dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM Mass Storage Function, version: 2009/09/11 LUN: removable file: (no medium) no file given for LUN0 g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000104 pgd = (ptrval) [00000104] *pgd=00000000 Internal error: Oops: 805 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events deferred_probe_work_func PC is at usb_del_gadget_udc+0x38/0xc4 LR is at __mutex_lock+0x31c/0xb18 ... Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) Stack: (0xef121db0 to 0xef122000) ... [] (usb_del_gadget_udc) from [] (dwc2_hsotg_remove+0x10/0x20) [] (dwc2_hsotg_remove) from [] (dwc2_driver_probe+0x57c/0x69c) [] (dwc2_driver_probe) from [] (platform_drv_probe+0x6c/0xa4) [] (platform_drv_probe) from [] (really_probe+0x200/0x48c) [] (really_probe) from [] (driver_probe_device+0x78/0x1fc) [] (driver_probe_device) from [] (bus_for_each_drv+0x74/0xb8) [] (bus_for_each_drv) from [] (__device_attach+0xd4/0x16c) [] (__device_attach) from [] (bus_probe_device+0x88/0x90) [] (bus_probe_device) from [] (deferred_probe_work_func+0x3c/0xd0) [] (deferred_probe_work_func) from [] (process_one_work+0x234/0x7dc) [] (process_one_work) from [] (worker_thread+0x44/0x51c) [] (worker_thread) from [] (kthread+0x158/0x1a0) [] (kthread) from [] (ret_from_fork+0x14/0x20) Exception stack(0xef121fb0 to 0xef121ff8) ... ---[ end trace 9724c2fc7cc9c982 ]--- While fixing this also fix the double call to dwc2_lowlevel_hw_disable() if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level hardware is already disabled before calling usb_add_gadget_udc(). That function correctly preserves low-level hardware state, there is no need for the second unconditional dwc2_lowlevel_hw_disable() call. Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") Acked-by: Minas Harutyunyan Signed-off-by: Marek Szyprowski Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 3f3fa83a1c7d690aaf1096e28c72a40b4f24df27 Author: Sumeet Pawnikar Date: Fri Jul 24 13:22:26 2020 +0530 thermal: int340x: processor_thermal: fix: update Jasper Lake PCI id [ Upstream commit 287d959558357e155c889bc35579eb35691a8fcb ] Update PCI device id for Jasper Lake processor thermal device. With this proc_thermal driver is getting loaded and processor thermal functionality works on Jasper Lake system. Fixes: f64a6583d3f5 ("thermal: int340x: processor_thermal: Add Jasper Lake support") Signed-off-by: Sumeet Pawnikar Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/1595577146-1221-1-git-send-email-sumeet.r.pawnikar@intel.com Signed-off-by: Sasha Levin commit 4a37a73035d7fc1a35d814eb4e18aa322fac1f35 Author: Yu Kuai Date: Tue Jul 21 21:47:18 2020 +0800 MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init() [ Upstream commit e8b9fc10f2615b9a525fce56981e40b489528355 ] if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: 93e502b3c2d4 ("MIPS: OCTEON: Platform support for OCTEON III USB controller") Signed-off-by: Yu Kuai Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 409025b253ecc38608ccc561d7bf884c3b2347e3 Author: Kai Vehmanen Date: Fri Jul 17 13:19:50 2020 +0300 ASoC: hdac_hda: fix deadlock after PCM open error [ Upstream commit 06f07e2365378d51eddd0b5bf23506e1237662b0 ] Commit 5bd70440cb0a ("ASoC: soc-dai: revert all changes to DAI startup/shutdown sequence"), introduced a slight change of semantics to DAI startup/shutdown. If startup() returns an error, shutdown() is now called for the DAI. This causes a deadlock in hdac_hda which issues a call to snd_hda_codec_pcm_put() in case open fails. Upon error, soc_pcm_open() will call shutdown(), and pcm_put() ends up getting called twice. Result is a deadlock on pcm->open_mutex, as snd_device_free() gets called from within snd_pcm_open(). Typical task backtrace looks like this: [ 334.244627] snd_pcm_dev_disconnect+0x49/0x340 [snd_pcm] [ 334.244634] __snd_device_disconnect.part.0+0x2c/0x50 [snd] [ 334.244640] __snd_device_free+0x7f/0xc0 [snd] [ 334.244650] snd_hda_codec_pcm_put+0x87/0x120 [snd_hda_codec] [ 334.244660] soc_pcm_open+0x6a0/0xbe0 [snd_soc_core] [ 334.244676] ? dpcm_add_paths.isra.0+0x491/0x590 [snd_soc_core] [ 334.244679] ? kfree+0x9a/0x230 [ 334.244686] dpcm_be_dai_startup+0x255/0x300 [snd_soc_core] [ 334.244695] dpcm_fe_dai_open+0x20e/0xf30 [snd_soc_core] [ 334.244701] ? snd_pcm_hw_rule_muldivk+0x110/0x110 [snd_pcm] [ 334.244709] ? dpcm_be_dai_startup+0x300/0x300 [snd_soc_core] [ 334.244714] ? snd_pcm_attach_substream+0x3c4/0x540 [snd_pcm] [ 334.244719] snd_pcm_open_substream+0x69a/0xb60 [snd_pcm] [ 334.244729] ? snd_pcm_release_substream+0x30/0x30 [snd_pcm] [ 334.244732] ? __mutex_lock_slowpath+0x10/0x10 [ 334.244736] snd_pcm_open+0x1b3/0x3c0 [snd_pcm] Fixes: 5bd70440cb0a ("ASoC: soc-dai: revert all changes to DAI startup/shutdown sequence") Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang BugLink: https://github.com/thesofproject/linux/issues/2159 Link: https://lore.kernel.org/r/20200717101950.3885187-3-kai.vehmanen@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5056c95ba7fb6f610811127d96bd5e4199a7cea3 Author: Dan Murphy Date: Mon Jul 20 13:12:02 2020 -0500 ASoC: tas2770: Fix reset gpio property name [ Upstream commit 58b868f51d6e38146e44cb09fcd92b5fc35d83bc ] Fix the reset property name when allocating the GPIO descriptor. The gpiod_get_optional appends either the -gpio or -gpios suffix to the name. Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") Signed-off-by: Dan Murphy Link: https://lore.kernel.org/r/20200720181202.31000-2-dmurphy@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 56afb378cbf620b47e115b36ea40ed7468d14edd Author: YueHaibing Date: Fri Jul 17 20:30:59 2020 +0800 tools/bpftool: Fix error handing in do_skeleton() [ Upstream commit 956fcfcd359512f15b19bcd157fa8206ed26605b ] Fix pass 0 to PTR_ERR, also dump more err info using libbpf_strerror. Fixes: 5dc7a8b21144 ("bpftool, selftests/bpf: Embed object file inside skeleton") Signed-off-by: YueHaibing Signed-off-by: Alexei Starovoitov Reviewed-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20200717123059.29624-1-yuehaibing@huawei.com Signed-off-by: Sasha Levin commit ff3e1a7d43e8f06aa839ac5f6b0c742750054b73 Author: Ilya Leoshkevich Date: Fri Jul 17 18:53:25 2020 +0200 s390/bpf: Tolerate not converging code shrinking [ Upstream commit 1491b73311a15bb5beeab5d30e03bff761ef6c18 ] "BPF_MAXINSNS: Maximum possible literals" unnecessarily falls back to the interpreter because of failing sanity check in bpf_set_addr. The problem is that there are a lot of branches that can be shrunk, and doing so opens up the possibility to shrink even more. This process does not converge after 3 passes, causing code offsets to change during the codegen pass, which must never happen. Fix by inserting nops during codegen pass in order to preserve code offets. Fixes: 4e9b4a6883dd ("s390/bpf: Use relative long branches") Signed-off-by: Ilya Leoshkevich Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200717165326.6786-5-iii@linux.ibm.com Signed-off-by: Sasha Levin commit b5f48c957f335c8d97fd554fd08c73f6dbfb001a Author: Ilya Leoshkevich Date: Fri Jul 17 18:53:24 2020 +0200 s390/bpf: Use brcl for jumping to exit_ip if necessary [ Upstream commit 5fa6974471c5518a50bdd814067508dbcb477251 ] "BPF_MAXINSNS: Maximum possible literals" test causes panic with bpf_jit_harden = 2. The reason is that BPF_JMP | BPF_EXIT is always emitted as brc, however, after removal of JITed image size limitations, brcl might be required. Fix by using brcl when necessary. Fixes: 4e9b4a6883dd ("s390/bpf: Use relative long branches") Signed-off-by: Ilya Leoshkevich Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200717165326.6786-4-iii@linux.ibm.com Signed-off-by: Sasha Levin commit c3472775e1fb949e8bd365239f156186d1a97d11 Author: Ilya Leoshkevich Date: Fri Jul 17 18:53:23 2020 +0200 s390/bpf: Fix sign extension in branch_ku [ Upstream commit 7477d43be5b1448bc0d4c85cb185a0144cc080e1 ] Both signed and unsigned variants of BPF_JMP | BPF_K require sign-extending the immediate. JIT emits cgfi for the signed case, which is correct, and clgfi for the unsigned case, which is not correct: clgfi zero-extends the immediate. s390 does not provide an instruction that does sign-extension and unsigned comparison at the same time. Therefore, fix by first loading the sign-extended immediate into work register REG_1 and proceeding as if it's BPF_X. Fixes: 4e9b4a6883dd ("s390/bpf: Use relative long branches") Reported-by: Seth Forshee Signed-off-by: Ilya Leoshkevich Signed-off-by: Alexei Starovoitov Tested-by: Seth Forshee Link: https://lore.kernel.org/bpf/20200717165326.6786-3-iii@linux.ibm.com Signed-off-by: Sasha Levin commit c1b83176774b53c994481012f703de8cb15a34e0 Author: Russell King Date: Tue Jul 21 15:40:43 2020 +0100 phy: armada-38x: fix NETA lockup when repeatedly switching speeds [ Upstream commit 1dea06cd643da38931382ebdc151efced201ffad ] The mvneta hardware appears to lock up in various random ways when repeatedly switching speeds between 1G and 2.5G, which involves reprogramming the COMPHY. It is not entirely clear why this happens, but best guess is that reprogramming the COMPHY glitches mvneta clocks causing the hardware to fail. It seems that rebooting resolves the failure, but not down/up cycling the interface alone. Various other approaches have been tried, such as trying to cleanly power down the COMPHY and then take it back through the power up initialisation, but this does not seem to help. It was finally noticed that u-boot's last step when configuring a COMPHY for "SGMII" mode was to poke at a register described as "GBE_CONFIGURATION_REG", which is undocumented in any external documentation. All that we have is the fact that u-boot sets a bit corresponding to the "SGMII" lane at the end of COMPHY initialisation. Experimentation shows that if we clear this bit prior to changing the speed, and then set it afterwards, mvneta does not suffer this problem on the SolidRun Clearfog when switching speeds between 1G and 2.5G. This problem was found while script-testing phylink. This fix also requires the corresponding change to DT to be effective. See "ARM: dts: armada-38x: fix NETA lockup when repeatedly switching speeds". Fixes: 14dc100b4411 ("phy: armada38x: add common phy support") Signed-off-by: Russell King Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/E1jxtRj-0003Tz-CG@rmk-PC.armlinux.org.uk Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 50fa9179d0a6d7b608395130cb3ff7be944a9323 Author: Lorenzo Bianconi Date: Tue Jul 21 10:19:22 2020 +0200 mt76: mt7615: fix possible memory leak in mt7615_mcu_wtbl_sta_add [ Upstream commit 2bccc8415883c1cd5ae8836548d9783dbbd84999 ] Free the second mcu skb if __mt76_mcu_skb_send_msg() fails to transmit the first one in mt7615_mcu_wtbl_sta_add(). Fixes: 99c457d902cf9 ("mt76: mt7615: move mt7615_mcu_set_bmc to mt7615_mcu_ops") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4475bd356c03b559546a0cb0aef6b67d66a8e066 Author: Sean Wang Date: Wed Jul 8 03:16:48 2020 +0800 mt76: mt7615: fix potential memory leak in mcu message handler [ Upstream commit 9248c08c3fc4ef816c82aa49d01123f4746d349f ] Fix potential memory leak in mcu message handler on error condition. Fixes: 0e6a29e477f3 ("mt76: mt7615: add support to read temperature from mcu") Acked-by: Lorenzo Bianconi Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 47027981d9583394e210de1c421c3597ae6b672f Author: Madhavan Srinivasan Date: Sun Jun 14 14:06:04 2020 +0530 powerpc/perf: Fix missing is_sier_aviable() during build [ Upstream commit 3c9450c053f88e525b2db1e6990cdf34d14e7696 ] Compilation error: arch/powerpc/perf/perf_regs.c:80:undefined reference to `.is_sier_available' Currently is_sier_available() is part of core-book3s.c, which is added to build based on CONFIG_PPC_PERF_CTRS. A config with CONFIG_PERF_EVENTS and without CONFIG_PPC_PERF_CTRS will have a build break because of missing is_sier_available(). In practice it only breaks when CONFIG_FSL_EMB_PERF_EVENT=n because that also guards the usage of is_sier_available(). That only happens with CONFIG_PPC_BOOK3E_64=y and CONFIG_FSL_SOC_BOOKE=n. Patch adds is_sier_available() in asm/perf_event.h to fix the build break for configs missing CONFIG_PPC_PERF_CTRS. Fixes: 333804dc3b7a ("powerpc/perf: Update perf_regs structure to include SIER") Reported-by: Aneesh Kumar K.V Signed-off-by: Madhavan Srinivasan [mpe: Add detail about CONFIG_FSL_SOC_BOOKE] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200614083604.302611-1-maddy@linux.ibm.com Signed-off-by: Sasha Levin commit 07bd7e8e9280b6ffbd7858887e49e31fad4d58eb Author: Suzuki K Poulose Date: Thu Jul 16 11:57:46 2020 -0600 coresight: etm4x: Fix save/restore during cpu idle [ Upstream commit 342c8a1d1d9e418d32fa02d635cf96989f9a986e ] The ETM state save/restore incorrectly reads/writes some of the 64bit registers (e.g, address comparators, vmid/cid comparators etc.) using 32bit accesses. Ensure we use the appropriate width accessors for the registers. Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states") Cc: Mathieu Poirier Cc: Mike Leach Signed-off-by: Suzuki K Poulose Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200716175746.3338735-18-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2aa3c4843d1730ed142f2d67ef54d302b233ce5a Author: Sai Prakash Ranjan Date: Thu Jul 16 11:57:42 2020 -0600 coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() [ Upstream commit d021f5c5ff679432c5e9faee0fd7350db2efb97c ] Reading TMC mode register without proper coresight power management can lead to exceptions like the one in the call trace below in tmc_read_unprepare_etb() when the trace data is read after the sink is disabled. So fix this by having a check for coresight sysfs mode before reading TMC mode management register in tmc_read_unprepare_etb() similar to tmc_read_prepare_etb(). SError Interrupt on CPU6, code 0xbe000411 -- SError pstate: 80400089 (Nzcv daIf +PAN -UAO) pc : tmc_read_unprepare_etb+0x74/0x108 lr : tmc_read_unprepare_etb+0x54/0x108 sp : ffffff80d9507c30 x29: ffffff80d9507c30 x28: ffffff80b3569a0c x27: 0000000000000000 x26: 00000000000a0001 x25: ffffff80cbae9550 x24: 0000000000000010 x23: ffffffd07296b0f0 x22: ffffffd0109ee028 x21: 0000000000000000 x20: ffffff80d19e70e0 x19: ffffff80d19e7080 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: dfffffd000000001 x9 : 0000000000000000 x8 : 0000000000000002 x7 : ffffffd071d0fe78 x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : ffffffd071d0fe98 x2 : 0000000000000000 x1 : 0000000000000004 x0 : 0000000000000001 Kernel panic - not syncing: Asynchronous SError Interrupt Fixes: 4525412a5046 ("coresight: tmc: making prepare/unprepare functions generic") Reported-by: Mike Leach Signed-off-by: Sai Prakash Ranjan Tested-by: Mike Leach Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200716175746.3338735-14-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9e8f73a3abb6b3fb07326f81dffc8035be1e7d2b Author: Mike Leach Date: Thu Jul 16 11:57:39 2020 -0600 coresight: etmv4: Counter values not saved on disable [ Upstream commit 8fa43700f69703f995ea715b76be6fabdd2f05de ] The counter value registers change during operation, however this change is not reflected in the values seen by the user in sysfs. This fixes the issue by reading back the values on disable. Signed-off-by: Mike Leach Fixes: 2e1cdfe184b52 ("coresight-etm4x: Adding CoreSight ETM4x driver") Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200716175746.3338735-11-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0588fb41cf4cd91c57c37d4b774c35a2a6d2e066 Author: Mike Leach Date: Thu Jul 16 11:57:38 2020 -0600 coresight: etmv4: Fix resource selector constant [ Upstream commit cb8bba907a4ff4ba42f1d245cb506d55829674b8 ] ETMv4 max resource selector constant incorrectly set to 16. Updated to the correct 32 value, and adjustments made to limited code using it. Signed-off-by: Mike Leach Fixes: 2e1cdfe184b52 ("coresight-etm4x: Adding CoreSight ETM4x driver") Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200716175746.3338735-10-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8ba5991753dc16daa86c063809f5aa1fac5b6672 Author: Dan Carpenter Date: Tue Jun 16 12:19:49 2020 +0300 thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor() [ Upstream commit 0f348db01fdf128813fdd659fcc339038fb421a4 ] This condition is reversed and will cause breakage. Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda Signed-off-by: Sasha Levin commit c7adb1632b3e7dc6686438c60758a6126c06cdbe Author: Kars Mulder Date: Tue Jul 7 16:43:50 2020 +0200 usb: core: fix quirks_param_set() writing to a const pointer [ Upstream commit b1b6bed3b5036509b449b5965285d5057ba42527 ] The function quirks_param_set() takes as argument a const char* pointer to the new value of the usbcore.quirks parameter. It then casts this pointer to a non-const char* pointer and passes it to the strsep() function, which overwrites the value. Fix this by creating a copy of the value using kstrdup() and letting that copy be written to by strsep(). Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore") Signed-off-by: Kars Mulder Link: https://lore.kernel.org/r/5ee2-5f048a00-21-618c5c00@230659773 Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 03146f30ef0e3bd3b173435996f1175a3d89e02f Author: Taniya Das Date: Wed Jul 15 12:24:10 2020 +0530 clk: qcom: gcc: Make disp gpll0 branch aon for sc7180/sdm845 [ Upstream commit 9c3df2b1993da9ab1110702d7b2815d5cd8c02f3 ] The display gpll0 branch clock inside GCC needs to always be enabled. Otherwise the AHB clk (disp_cc_mdss_ahb_clk_src) for the display clk controller (dispcc) will stop clocking while sourcing from gpll0 when this branch inside GCC is turned off during unused clk disabling. We can never turn this branch off because the AHB clk for the display subsystem is needed to read/write any registers inside the display subsystem including clk related ones. This makes this branch a really easy way to turn off AHB access to the display subsystem and cause all sorts of mayhem. Let's just make the clk ops keep the clk enabled forever and ignore any attempts to disable this clk so that dispcc accesses keep working. Signed-off-by: Taniya Das Reported-by: Evan Green Link: https://lore.kernel.org/r/1594796050-14511-1-git-send-email-tdas@codeaurora.org Fixes: 17269568f726 ("clk: qcom: Add Global Clock controller (GCC) driver for SC7180") Fixes: 06391eddb60a ("clk: qcom: Add Global Clock controller (GCC) driver for SDM845") [sboyd@kernel.org: Fill out commit text more] Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 42fffcd014f121362a88cba394c6eb4d23fb1056 Author: Johan Hovold Date: Thu Jul 16 10:50:55 2020 +0200 USB: serial: iuu_phoenix: fix led-activity helpers [ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ] The set-led command is eight bytes long and starts with a command byte followed by six bytes of RGB data and ends with a byte encoding a frequency (see iuu_led() and iuu_rgbf_fill_buffer()). The led activity helpers had a few long-standing bugs which corrupted the command packets by inserting a second command byte and thereby offsetting the RGB data and dropping the frequency in non-xmas mode. In xmas mode, a related off-by-one error left the frequency field uninitialised. Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") Reported-by: George Spelvin Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit cdd344f0e1e6a03871870f50e9e5f645543a81d0 Author: Hauke Mehrtens Date: Fri Jul 17 23:56:48 2020 +0200 spi: lantiq-ssc: Fix warning by using WQ_MEM_RECLAIM [ Upstream commit ba3548cf29616b58c93bbaffc3d636898d009858 ] The lantiq-ssc driver uses internally an own workqueue to wait till the data is not only written out of the FIFO but really written to the wire. This workqueue is flushed while the SPI subsystem is working in some other system workqueue. The system workqueue is marked as WQ_MEM_RECLAIM, but the workqueue in the lantiq-ssc driver does not use WQ_MEM_RECLAIM for now. Add this flag too to prevent this warning. This fixes the following warning: [ 2.975956] WARNING: CPU: 1 PID: 17 at kernel/workqueue.c:2614 check_flush_dependency+0x168/0x184 [ 2.984752] workqueue: WQ_MEM_RECLAIM kblockd:blk_mq_run_work_fn is flushing !WQ_MEM_RECLAIM 1e100800.spi:0x0 Fixes: 891b7c5fbf61 ("mtd_blkdevs: convert to blk-mq") Signed-off-by: Hauke Mehrtens Link: https://lore.kernel.org/r/20200717215648.20522-1-hauke@hauke-m.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 09d89bf0e0be4593a31250b8b72b045fba4e5bad Author: Steve Longerbeam Date: Wed Jun 17 15:40:36 2020 -0700 gpu: ipu-v3: Restore RGB32, BGR32 [ Upstream commit 22b2cfad752d4b278ea7c38c0ee961ca50198ce8 ] RGB32 and BGR32 formats were inadvertently removed from the switch statement in ipu_pixelformat_to_colorspace(). Restore them. Fixes: a59957172b0c ("gpu: ipu-v3: enable remaining 32-bit RGB V4L2 pixel formats") Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 004ff658bef7cb6463877e8b73399da593ce68a4 Author: Marco Felsch Date: Thu Jun 11 14:43:32 2020 +0200 drm/imx: tve: fix regulator_disable error path [ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] Add missing regulator_disable() as devm_action to avoid dedicated unbind() callback and fix the missing error handling. Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") Signed-off-by: Marco Felsch Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 33a6a0fc1abb0ad0605cf218d9189c4dfc0b6505 Author: Philipp Zabel Date: Thu Jun 11 14:43:31 2020 +0200 drm/imx: fix use after free [ Upstream commit ba807c94f67fd64b3051199810d9e4dd209fdc00 ] Component driver structures allocated with devm_kmalloc() in bind() are freed automatically after unbind(). Since the contained drm structures are accessed afterwards in drm_mode_config_cleanup(), move the allocation into probe() to extend the driver structure's lifetime to the lifetime of the device. This should eventually be changed to use drm resource managed allocations with lifetime of the drm device. We also need to ensure that all componets are available during the unbind() so we need to call component_unbind_all() before we free non-devres resources like planes. Note this patch fixes the the use after free bug but introduces a possible boot loop issue. The issue is triggered if the HDMI support is enabled and a component driver always return -EPROBE_DEFER, see discussion [1] for more details. [1] https://lkml.org/lkml/2020/3/24/1467 Fixes: 17b5001b5143 ("imx-drm: convert to componentised device support") Signed-off-by: Philipp Zabel [m.felsch@pengutronix: fix imx_tve_probe()] [m.felsch@pengutronix: resort component_unbind_all()) [m.felsch@pengutronix: adapt commit message] Signed-off-by: Marco Felsch Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit ea18925e347c8ddad71253b34b3fdba2e034ead0 Author: Aneesh Kumar K.V Date: Thu Jul 9 08:59:24 2020 +0530 powerpc/book3s64/pkeys: Use PVR check instead of cpu feature [ Upstream commit d79e7a5f26f1d179cbb915a8bf2469b6d7431c29 ] We are wrongly using CPU_FTRS_POWER8 to check for P8 support. Instead, we should use PVR value. Now considering we are using CPU_FTRS_POWER8, that implies we returned true for P9 with older firmware. Keep the same behavior by checking for P9 PVR value. Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem") Signed-off-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200709032946.881753-2-aneesh.kumar@linux.ibm.com Signed-off-by: Sasha Levin commit cecbf1fe6ccaec8348dde32e968c35dc5122b9f9 Author: Yoshihiro Shimoda Date: Fri Jul 17 20:44:56 2020 +0900 phy: renesas: rcar-gen3-usb2: move irq registration to init [ Upstream commit 08b0ad375ca66181faee725b1b358bcae8d592ee ] If CONFIG_DEBUG_SHIRQ was enabled, r8a77951-salvator-xs could boot correctly. If we appended "earlycon keep_bootcon" to the kernel command like, we could get kernel log like below. SError Interrupt on CPU0, code 0xbf000002 -- SError CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc3-salvator-x-00505-g6c843129e6faaf01 #785 Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) pstate: 60400085 (nZCv daIf +PAN -UAO BTYPE=--) pc : rcar_gen3_phy_usb2_irq+0x14/0x54 lr : free_irq+0xf4/0x27c This means free_irq() calls the interrupt handler while PM runtime is not getting if DEBUG_SHIRQ is enabled and rcar_gen3_phy_usb2_probe() failed. To fix the issue, move the irq registration place to rcar_gen3_phy_usb2_init() which is ready to handle the interrupts. Note that after the commit 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") which is merged into v5.2, since this driver creates multiple phy instances, needs to check whether one of phy instances is initialized. However, if we backport this patch to v5.1 or less, we don't need to check it because such kernel have single phy instance. Reported-by: Wolfram Sang Reported-by: Geert Uytterhoeven Fixes: 9f391c574efc ("phy: rcar-gen3-usb2: add runtime ID/VBUS pin detection") Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/1594986297-12434-2-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 2cb024f29eb263099dfbb60351dacf9776920975 Author: Christophe JAILLET Date: Thu Jun 25 22:19:47 2020 +0200 media: s5p-g2d: Fix a memory leak in an error handling path in 'g2d_probe()' [ Upstream commit 94b9ce6870f9c90ac92505482689818b254312f7 ] Memory allocated with 'v4l2_m2m_init()' must be freed by a corresponding call to 'v4l2_m2m_release()' Also reorder the code at the end of the probe function so that 'video_register_device()' is called last. Update the error handling path accordingly. Fixes: 5ce60d790a24 ("[media] s5p-g2d: Add DT based discovery support") Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family") Signed-off-by: Christophe JAILLET Signed-off-by: Hans Verkuil [hverkuil-cisco@xs4all.nl: checkpatch: align with parenthesis] Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1a1fa600974d891f2a2ef4515ee69216c156717a Author: Oliver Neukum Date: Tue May 5 12:50:33 2020 +0200 go7007: add sanity checking for endpoints [ Upstream commit 137641287eb40260783a4413847a0aef06023a6c ] A malicious USB device may lack endpoints the driver assumes to exist Accessing them leads to NULL pointer accesses. This patch introduces sanity checking. Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver") Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1427f39157f3d599133d697f7bcbc6f82ea76170 Author: Xiongfeng Wang Date: Fri Jul 17 15:59:25 2020 +0800 PCI/ASPM: Add missing newline in sysfs 'policy' [ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a newline for easy reading. Other sysfs attributes already include a newline. [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy [default] performance powersave powersupersave [root@localhost ~]# Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com Signed-off-by: Xiongfeng Wang Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 2a69ccbb5cb125ba7a522fbd6083a8cfcd5e6282 Author: Jing Xiangfeng Date: Fri Jul 17 16:22:42 2020 +0800 ASoC: meson: fixes the missed kfree() for axg_card_add_tdm_loopback [ Upstream commit bd054ece7d9cdd88e900df6625e951a01d9f655e ] axg_card_add_tdm_loopback() misses to call kfree() in an error path. We can use devm_kasprintf() to fix the issue, also improve maintainability. So use it instead. Fixes: c84836d7f650 ("ASoC: meson: axg-card: use modern dai_link style") Signed-off-by: Jing Xiangfeng Reviewed-by: Jerome Brunet Link: https://lore.kernel.org/r/20200717082242.130627-1-jingxiangfeng@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 18f2b5b48102c512660e51c0237b4dae8ed8a713 Author: Colin Ian King Date: Thu Jul 16 16:47:20 2020 +0100 staging: rtl8192u: fix a dubious looking mask before a shift [ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] Currently the masking of ret with 0xff and followed by a right shift of 8 bits always leaves a zero result. It appears the mask of 0xff is incorrect and should be 0xff00, but I don't have the hardware to test this. Fix this to mask the upper 8 bits before shifting. [ Not tested ] Addresses-Coverity: ("Operands don't affect result") Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 097ad6fe5795f0933bc4676d8111b8eaf4bc296e Author: Tyler Hicks Date: Thu Jul 9 01:19:05 2020 -0500 ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond [ Upstream commit eb624fe214a2e156ddafd9868377cf91499f789d ] The KEY_CHECK function only supports the uid, pcr, and keyrings conditionals. Make this clear at policy load so that IMA policy authors don't assume that other conditionals are supported. Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") Signed-off-by: Tyler Hicks Reviewed-by: Lakshmi Ramasubramanian Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit dcc7ac519503cb77627ef013151bb81509270c64 Author: Tyler Hicks Date: Thu Jul 9 01:19:04 2020 -0500 ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond [ Upstream commit db2045f5892a9db7354442bf77f9b03b50ff9ee1 ] The KEXEC_CMDLINE hook function only supports the pcr conditional. Make this clear at policy load so that IMA policy authors don't assume that other conditionals are supported. Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned true on any loaded KEXEC_CMDLINE rule without any consideration for other conditionals present in the rule. Make it clear that pcr is the only supported KEXEC_CMDLINE conditional by returning an error during policy load. An example of why this is a problem can be explained with the following rule: dont_measure func=KEXEC_CMDLINE obj_type=foo_t An IMA policy author would have assumed that rule is valid because the parser accepted it but the result was that measurements for all KEXEC_CMDLINE operations would be disabled. Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments") Signed-off-by: Tyler Hicks Reviewed-by: Mimi Zohar Reviewed-by: Lakshmi Ramasubramanian Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit be16c9107e9076d923d290e2e9ff21a8577280b2 Author: Tyler Hicks Date: Thu Jul 9 01:19:03 2020 -0500 ima: Fail rule parsing when buffer hook functions have an invalid action [ Upstream commit 712183437ebebc89cd086ef96cf9a521fd97fd09 ] Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can only measure. The process_buffer_measurement() function quietly ignores all actions except measure so make this behavior clear at the time of policy load. The parsing of the keyrings conditional had a check to ensure that it was only specified with measure actions but the check should be on the hook function and not the keyrings conditional since "appraise func=KEY_CHECK" is not a valid rule. Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments") Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") Signed-off-by: Tyler Hicks Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit f3f7a5868b608012f71c02cec46361ba4d98e197 Author: Tyler Hicks Date: Thu Jul 9 01:19:02 2020 -0500 ima: Free the entire rule if it fails to parse [ Upstream commit 2bdd737c5687d6dec30e205953146ede8a87dbdd ] Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry members, such as .fsname and .keyrings, when an error is encountered during rule parsing. Set the args_p pointer to NULL after freeing it in the error path of ima_lsm_rule_init() so that it isn't freed twice. This fixes a memory leak seen when loading an rule that contains an additional piece of allocated memory, such as an fsname, followed by an invalid conditional: # echo "measure fsname=tmpfs bad=cond" > /sys/kernel/security/ima/policy -bash: echo: write error: Invalid argument # echo scan > /sys/kernel/debug/kmemleak # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff98e7e4ece6c0 (size 8): comm "bash", pid 672, jiffies 4294791843 (age 21.855s) hex dump (first 8 bytes): 74 6d 70 66 73 00 6b a5 tmpfs.k. backtrace: [<00000000abab7413>] kstrdup+0x2e/0x60 [<00000000f11ede32>] ima_parse_add_rule+0x7d4/0x1020 [<00000000f883dd7a>] ima_write_policy+0xab/0x1d0 [<00000000b17cf753>] vfs_write+0xde/0x1d0 [<00000000b8ddfdea>] ksys_write+0x68/0xe0 [<00000000b8e21e87>] do_syscall_64+0x56/0xa0 [<0000000089ea7b98>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name") Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") Signed-off-by: Tyler Hicks Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit cdc9ae91deabc86540ed6ddbeb95e185a1f96526 Author: Tyler Hicks Date: Thu Jul 9 01:19:01 2020 -0500 ima: Free the entire rule when deleting a list of rules [ Upstream commit 465aee77aae857b5fcde56ee192b33dc369fba04 ] Create a function, ima_free_rule(), to free all memory associated with an ima_rule_entry. Use the new function to fix memory leaks of allocated ima_rule_entry members, such as .fsname and .keyrings, when deleting a list of rules. Make the existing ima_lsm_free_rule() function specific to the LSM audit rule array of an ima_rule_entry and require that callers make an additional call to kfree to free the ima_rule_entry itself. This fixes a memory leak seen when loading by a valid rule that contains an additional piece of allocated memory, such as an fsname, followed by an invalid rule that triggers a policy load failure: # echo -e "dont_measure fsname=securityfs\nbad syntax" > \ /sys/kernel/security/ima/policy -bash: echo: write error: Invalid argument # echo scan > /sys/kernel/debug/kmemleak # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff9bab67ca12c0 (size 16): comm "bash", pid 684, jiffies 4295212803 (age 252.344s) hex dump (first 16 bytes): 73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5 securityfs.kkkk. backtrace: [<00000000adc80b1b>] kstrdup+0x2e/0x60 [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020 [<00000000444825ac>] ima_write_policy+0xab/0x1d0 [<000000002b7f0d6c>] vfs_write+0xde/0x1d0 [<0000000096feedcf>] ksys_write+0x68/0xe0 [<0000000052b544a2>] do_syscall_64+0x56/0xa0 [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name") Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") Signed-off-by: Tyler Hicks Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 70a752610d14addbbe6fac5e9459261f4a4cfaa2 Author: Tyler Hicks Date: Thu Jul 9 01:19:00 2020 -0500 ima: Have the LSM free its audit rule [ Upstream commit 9ff8a616dfab96a4fa0ddd36190907dc68886d9b ] Ask the LSM to free its audit rule rather than directly calling kfree(). Both AppArmor and SELinux do additional work in their audit_rule_free() hooks. Fix memory leaks by allowing the LSMs to perform necessary work. Fixes: b16942455193 ("ima: use the lsm policy update notifier") Signed-off-by: Tyler Hicks Cc: Janne Karhunen Cc: Casey Schaufler Reviewed-by: Mimi Zohar Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 6e1ab3bf6ad3e4b88f6ca91ff1d137b98f3dddb8 Author: Mikhail Malygin Date: Thu Jul 16 22:03:41 2020 +0300 RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue [ Upstream commit 5f0b2a6093a4d9aab093964c65083fe801ef1e58 ] rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL. However if we've got an interrupt after last wr is posted, control may be returned to the code after send completion callback is executed and wr memory is freed. As a result, wr->next pointer may contain incorrect value leading to panic. Store the wr->next on the stack before posting it. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20200716190340.23453-1-m.malygin@yadro.com Signed-off-by: Mikhail Malygin Signed-off-by: Sergey Kojushev Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 808124cb5c3801e7cf75d51cdfbec801241c19e5 Author: Yuval Basson Date: Wed Jul 8 22:55:26 2020 +0300 RDMA/qedr: SRQ's bug fixes [ Upstream commit acca72e2b031b9fbb4184511072bd246a0abcebc ] QP's with the same SRQ, working on different CQs and running in parallel on different CPUs could lead to a race when maintaining the SRQ consumer count, and leads to FW running out of SRQs. Update the consumer atomically. Make sure the wqe_prod is updated after the sge_prod due to FW requirements. Fixes: 3491c9e799fb ("qedr: Add support for kernel mode SRQ's") Link: https://lore.kernel.org/r/20200708195526.31040-1-ybason@marvell.com Signed-off-by: Michal Kalderon Signed-off-by: Yuval Basson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4e560d6028adcd1eddd804be4b0f7c36bfa31804 Author: Milton Miller Date: Thu Jul 16 09:37:04 2020 +1000 powerpc/vdso: Fix vdso cpu truncation [ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] The code in vdso_cpu_init that exposes the cpu and numa node to userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means that any kernel running on a box with more than 4096 threads (NR_CPUS advertises a limit of of 8192 cpus) would expose userspace to two cpu contexts running at the same time with the same cpu number. Note: I'm not aware of any distro shipping a kernel with support for more than 4096 threads today, nor of any system image that currently exceeds 4096 threads. Found via code browsing. Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") Signed-off-by: Milton Miller Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org Signed-off-by: Sasha Levin commit 18b8586088aa6ec2869ae7761f9fa370578f41d6 Author: Nathan Lynch Date: Fri Jun 12 00:12:22 2020 -0500 powerpc/rtas: don't online CPUs for partition suspend [ Upstream commit ec2fc2a9e9bbad9023aab65bc472ce7a3ca8608f ] Partition suspension, used for hibernation and migration, requires that the OS place all but one of the LPAR's processor threads into one of two states prior to calling the ibm,suspend-me RTAS function: * the architected offline state (via RTAS stop-self); or * the H_JOIN hcall, which does not return until the partition resumes execution Using H_CEDE as the offline mode, introduced by commit 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU into an appropriate offline state"), means that any threads which are offline from Linux's point of view must be moved to one of those two states before a partition suspension can proceed. This was eventually addressed in commit 120496ac2d2d ("powerpc: Bring all threads online prior to migration/hibernation"), which added code to temporarily bring up any offline processor threads so they can call H_JOIN. Conceptually this is fine, but the implementation has had multiple races with cpu hotplug operations initiated from user space[1][2][3], the error handling is fragile, and it generates user-visible cpu hotplug events which is a lot of noise for a platform feature that's supposed to minimize disruption to workloads. With commit 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU into an appropriate offline state") reverted, this code becomes unnecessary, so remove it. Since any offline CPUs now are truly offline from the platform's point of view, it is no longer necessary to bring up CPUs only to have them call H_JOIN and then go offline again upon resuming. Only active threads are required to call H_JOIN; stopped threads can be left alone. [1] commit a6717c01ddc2 ("powerpc/rtas: use device model APIs and serialization during LPM") [2] commit 9fb603050ffd ("powerpc/rtas: retry when cpu offline races with suspend/migration") [3] commit dfd718a2ed1f ("powerpc/rtas: Fix a potential race between CPU-Offline & Migration") Fixes: 120496ac2d2d ("powerpc: Bring all threads online prior to migration/hibernation") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200612051238.1007764-3-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit 4d9938b9e54f25414e4f7e4dfb0649e3a8bfc2ef Author: Nathan Lynch Date: Fri Jun 12 00:12:21 2020 -0500 powerpc/pseries: remove cede offline state for CPUs [ Upstream commit 48f6e7f6d948b56489da027bc3284c709b939d28 ] This effectively reverts commit 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU into an appropriate offline state"), which added an offline mode for CPUs which uses the H_CEDE hcall instead of the architected stop-self RTAS function in order to facilitate "folding" of dedicated mode processors on PowerVM platforms to achieve energy savings. This has been the default offline mode since its introduction. There's nothing about stop-self that would prevent the hypervisor from achieving the energy savings available via H_CEDE, so the original premise of this change appears to be flawed. I also have encountered the claim that the transition to and from ceded state is much faster than stop-self/start-cpu. Certainly we would not want to use stop-self as an *idle* mode. That is what H_CEDE is for. However, this difference is insignificant in the context of Linux CPU hotplug, where the latency of an offline or online operation on current systems is on the order of 100ms, mainly attributable to all the various subsystems' cpuhp callbacks. The cede offline mode also prevents accurate accounting, as discussed before: https://lore.kernel.org/linuxppc-dev/1571740391-3251-1-git-send-email-ego@linux.vnet.ibm.com/ Unconditionally use stop-self to offline processor threads. This is the architected method for offlining CPUs on PAPR systems. The "cede_offline" boot parameter is rendered obsolete. Removing this code enables the removal of the partition suspend code which temporarily onlines all present CPUs. Fixes: 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU into an appropriate offline state") Signed-off-by: Nathan Lynch Reviewed-by: Gautham R. Shenoy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200612051238.1007764-2-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit 900951fd4154baf79bfb9acbc93c9853b4f617b1 Author: Amir Goldstein Date: Wed Jul 8 14:11:40 2020 +0300 kernfs: do not call fsnotify() with name without a parent [ Upstream commit 9991bb84b27a2594187898f261866cfc50255454 ] When creating an FS_MODIFY event on inode itself (not on parent) the file_name argument should be NULL. The change to send a non NULL name to inode itself was done on purpuse as part of another commit, as Tejun writes: "...While at it, supply the target file name to fsnotify() from kernfs_node->name.". But this is wrong practice and inconsistent with inotify behavior when watching a single file. When a child is being watched (as opposed to the parent directory) the inotify event should contain the watch descriptor, but not the file name. Fixes: df6a58c5c5aa ("kernfs: don't depend on d_find_any_alias()...") Link: https://lore.kernel.org/r/20200708111156.24659-5-amir73il@gmail.com Acked-by: Tejun Heo Acked-by: Greg Kroah-Hartman Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit bacd54a4c1db3daad07a2a85cb79af6742f3c8a8 Author: Dan Carpenter Date: Wed Jul 8 14:58:57 2020 +0300 mwifiex: Prevent memory corruption handling keys [ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] The length of the key comes from the network and it's a 16 bit number. It needs to be capped to prevent a buffer overflow. Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Dan Carpenter Acked-by: Ganapathi Bhat Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda Signed-off-by: Sasha Levin commit 7199c67322f41eace1f8b22591eb160324d4a6e9 Author: John Garry Date: Thu Jul 9 20:23:19 2020 +0800 scsi: scsi_debug: Add check for sdebug_max_queue during module init [ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like this can be triggered by passing an out-of-range value: Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) pc : schedule_resp+0x2a4/0xa70 [scsi_debug] lr : schedule_resp+0x52c/0xa70 [scsi_debug] sp : ffff800022ab36f0 x29: ffff800022ab36f0 x28: ffff0023a935a610 x27: ffff800008e0a648 x26: 0000000000000003 x25: ffff0023e84f3200 x24: 00000000003d0900 x23: 0000000000000000 x22: 0000000000000000 x21: ffff0023be60a320 x20: ffff0023be60b538 x19: ffff800008e13000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000001 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 00000000000000c1 x5 : 0000020000200000 x4 : dead0000000000ff x3 : 0000000000000200 x2 : 0000000000000200 x1 : ffff800008e13d88 x0 : 0000000000000000 Call trace: schedule_resp+0x2a4/0xa70 [scsi_debug] scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] scsi_queue_rq+0x698/0x840 __blk_mq_try_issue_directly+0x108/0x228 blk_mq_request_issue_directly+0x58/0x98 blk_mq_try_issue_list_directly+0x5c/0xf0 blk_mq_sched_insert_requests+0x18c/0x200 blk_mq_flush_plug_list+0x11c/0x190 blk_flush_plug_list+0xdc/0x110 blk_finish_plug+0x38/0x210 blkdev_direct_IO+0x450/0x4d8 generic_file_read_iter+0x84/0x180 blkdev_read_iter+0x3c/0x50 aio_read+0xc0/0x170 io_submit_one+0x5c8/0xc98 __arm64_sys_io_submit+0x1b0/0x258 el0_svc_common.constprop.3+0x68/0x170 do_el0_svc+0x24/0x90 el0_sync_handler+0x13c/0x1a8 el0_sync+0x158/0x180 Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) In addition, it should not be less than 1. So add checks for these, and fail the module init for those cases. [mkp: changed if condition to match error message] Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com Fixes: c483739430f1 ("scsi_debug: add multiple queue support") Reviewed-by: Ming Lei Acked-by: Douglas Gilbert Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5cfa21ff9fd8483154526cfb64eb2e7ea879d942 Author: Tom Rix Date: Sun Jul 12 08:24:53 2020 -0700 drm/bridge: sil_sii8620: initialize return of sii8620_readb [ Upstream commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 ] clang static analysis flags this error sil-sii8620.c:184:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn] return ret; ^~~~~~~~~~ sii8620_readb calls sii8620_read_buf. sii8620_read_buf can return without setting its output pararmeter 'ret'. So initialize ret. Fixes: ce6e153f414a ("drm/bridge: add Silicon Image SiI8620 driver") Signed-off-by: Tom Rix Reviewed-by: Laurent Pinchart Reviewed-by: Andrzej Hajda Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200712152453.27510-1-trix@redhat.com Signed-off-by: Sasha Levin commit 60efa34d513f4b00e55ee816bab84fb5e895c122 Author: Chuhong Yuan Date: Tue Jun 9 00:22:26 2020 +0800 mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() [ Upstream commit c99e1d0c91ac8d7db3062ea1af315f21295701d7 ] These functions do not check the return value of devm_clk_register(): - sdhci_arasan_register_sdcardclk() - sdhci_arasan_register_sampleclk() Therefore, add the missed checks to fix them. Fixes: c390f2110adf1 ("mmc: sdhci-of-arasan: Add ability to export card clock") Signed-off-by: Chuhong Yuan Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20200608162226.3259186-1-hslester96@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit b402c52f0ed60d2e034ad4017ec5c99b1f1e9066 Author: Marek Szyprowski Date: Wed Jul 8 15:38:00 2020 +0200 phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 PHY [ Upstream commit dcbabfeb17c3c2fdb6bc92a3031ecd37df1834a8 ] PHY calibration is needed only for USB2.0 (UTMI) PHY, so skip calling calibration code when phy_calibrate() is called for USB3.0 (PIPE3) PHY. Fixes: d8c80bb3b55b ("phy: exynos5-usbdrd: Calibrate LOS levels for exynos5420/5800") Signed-off-by: Marek Szyprowski Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200708133800.3336-1-m.szyprowski@samsung.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 8d067a2e9c63e1f1de5c2d0668487e301f1cb177 Author: Laurent Pinchart Date: Sun Jul 12 01:53:17 2020 +0300 drm: panel: simple: Fix bpc for LG LB070WV8 panel [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] The LG LB070WV8 panel incorrectly reports a 16 bits per component value, while the panel uses 8 bits per component. Fix it. Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") Signed-off-by: Laurent Pinchart Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com Signed-off-by: Sasha Levin commit 087f3e8f75779bbb402615a95b79efaa43c81872 Author: Kai-Heng Feng Date: Thu Jul 2 13:45:00 2020 +0800 leds: core: Flush scheduled work for system suspend [ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon system suspend. led_set_brightness_nopm() uses schedule_work() to set LED brightness. However, there's no guarantee that the scheduled work gets executed because no one flushes the work. So flush the scheduled work to make sure LED gets turned off. Signed-off-by: Kai-Heng Feng Acked-by: Jacek Anaszewski Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions") Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit b67ed111a37880e1bcfca93da41e2a0afba37d49 Author: Heikki Krogerus Date: Thu Jun 4 19:46:46 2020 +0200 kobject: Avoid premature parent object freeing in kobject_cleanup() [ Upstream commit 079ad2fb4bf9eba8a0aaab014b49705cd7f07c66 ] If kobject_del() is invoked by kobject_cleanup() to delete the target kobject, it may cause its parent kobject to be freed before invoking the target kobject's ->release() method, which effectively means freeing the parent before dealing with the child entirely. That is confusing at best and it may also lead to functional issues if the callers of kobject_cleanup() are not careful enough about the order in which these calls are made, so avoid the problem by making kobject_cleanup() drop the last reference to the target kobject's parent at the end, after invoking the target kobject's ->release() method. [ rjw: Rewrite the subject and changelog, make kobject_cleanup() drop the parent reference only when __kobject_del() has been called. ] Reported-by: Naresh Kamboju Reported-by: kernel test robot Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"") Suggested-by: Rafael J. Wysocki Signed-off-by: Heikki Krogerus Signed-off-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/1908555.IiAGLGrh1Z@kreacher Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6a171a1623cd9294f4ad01ecc5f1043339453538 Author: Marek Vasut Date: Sat Feb 29 23:16:49 2020 +0100 drm/stm: repair runtime power management [ Upstream commit ebd267b2e3c25d5f93a08528b47c036569eb8744 ] Add missing pm_runtime_get_sync() into ltdc_crtc_atomic_enable() to match pm_runtime_put_sync() in ltdc_crtc_atomic_disable(), otherwise the LTDC might suspend via runtime PM, disable clock, and then fail to resume later on. The test which triggers it is roughly -- run qt5 application which uses eglfs platform and etnaviv, stop the application, sleep for 15 minutes, run the application again. This leads to a timeout waiting for vsync, because the LTDC has suspended, but did not resume. Fixes: 35ab6cfbf211 ("drm/stm: support runtime power management") Signed-off-by: Marek Vasut Cc: Yannick Fertré Cc: Philippe Cornu Cc: Benjamin Gaignard Cc: Vincent Abriou Cc: Maxime Coquelin Cc: Alexandre Torgue To: dri-devel@lists.freedesktop.org Cc: linux-stm32@st-md-mailman.stormreply.com Cc: linux-arm-kernel@lists.infradead.org Acked-by: Philippe Cornu Tested-by: Yannick Fertre Signed-off-by: Benjamin Gaignard Link: https://patchwork.freedesktop.org/patch/msgid/20200229221649.90813-1-marex@denx.de Signed-off-by: Sasha Levin commit 16256d15c49f9a7344c4aa543190bf40177b5553 Author: Daniel T. Lee Date: Wed Jul 8 03:48:52 2020 +0900 samples: bpf: Fix bpf programs with kprobe/sys_connect event [ Upstream commit af9bd3e3331b8af42b6606c75797d041ab39380c ] Currently, BPF programs with kprobe/sys_connect does not work properly. Commit 34745aed515c ("samples/bpf: fix kprobe attachment issue on x64") This commit modifies the bpf_load behavior of kprobe events in the x64 architecture. If the current kprobe event target starts with "sys_*", add the prefix "__x64_" to the front of the event. Appending "__x64_" prefix with kprobe/sys_* event was appropriate as a solution to most of the problems caused by the commit below. commit d5a00528b58c ("syscalls/core, syscalls/x86: Rename struct pt_regs-based sys_*() to __x64_sys_*()") However, there is a problem with the sys_connect kprobe event that does not work properly. For __sys_connect event, parameters can be fetched normally, but for __x64_sys_connect, parameters cannot be fetched. ffffffff818d3520 <__x64_sys_connect>: ffffffff818d3520: e8 fb df 32 00 callq 0xffffffff81c01520 <__fentry__> ffffffff818d3525: 48 8b 57 60 movq 96(%rdi), %rdx ffffffff818d3529: 48 8b 77 68 movq 104(%rdi), %rsi ffffffff818d352d: 48 8b 7f 70 movq 112(%rdi), %rdi ffffffff818d3531: e8 1a ff ff ff callq 0xffffffff818d3450 <__sys_connect> ffffffff818d3536: 48 98 cltq ffffffff818d3538: c3 retq ffffffff818d3539: 0f 1f 80 00 00 00 00 nopl (%rax) As the assembly code for __x64_sys_connect shows, parameters should be fetched and set into rdi, rsi, rdx registers prior to calling __sys_connect. Because of this problem, this commit fixes the sys_connect event by first getting the value of the rdi register and then the value of the rdi, rsi, and rdx register through an offset based on that value. Fixes: 34745aed515c ("samples/bpf: fix kprobe attachment issue on x64") Signed-off-by: Daniel T. Lee Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200707184855.30968-2-danieltimlee@gmail.com Signed-off-by: Sasha Levin commit 86cf3a7aa77154147b18e98d83fc7d8dfdb83777 Author: Bjorn Helgaas Date: Thu Jun 25 18:14:55 2020 -0500 PCI: Fix pci_cfg_wait queue locking problem [ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ] The pci_cfg_wait queue is used to prevent user-space config accesses to devices while they are recovering from reset. Previously we used these operations on pci_cfg_wait: __add_wait_queue(&pci_cfg_wait, ...) __remove_wait_queue(&pci_cfg_wait, ...) wake_up_all(&pci_cfg_wait) The wake_up acquires the wait queue lock, but the add and remove do not. Originally these were all protected by the pci_lock, but cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved wake_up_all() outside pci_lock, so it could race with add/remove operations, which caused occasional kernel panics, e.g., during vfio-pci hotplug/unplug testing: Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000 Resolve this by using wait_event() instead of __add_wait_queue() and __remove_wait_queue(). The wait queue lock is held by both wait_event() and wake_up_all(), so it provides mutual exclusion. Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock") Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/ Based-on-patch-by: Xiang Zheng Signed-off-by: Bjorn Helgaas Tested-by: Xiang Zheng Cc: Heyi Guo Cc: Biaoxiang Ye Signed-off-by: Sasha Levin commit eb3b4ec3320f02dae348ef684a877f7423293e0d Author: Zhu Yanjun Date: Tue Jun 30 15:36:05 2020 +0300 RDMA/rxe: Skip dgid check in loopback mode [ Upstream commit 5c99274be8864519328aa74bc550ba410095bc1c ] In the loopback tests, the following call trace occurs. Call Trace: __rxe_do_task+0x1a/0x30 [rdma_rxe] rxe_qp_destroy+0x61/0xa0 [rdma_rxe] rxe_destroy_qp+0x20/0x60 [rdma_rxe] ib_destroy_qp_user+0xcc/0x220 [ib_core] uverbs_free_qp+0x3c/0xc0 [ib_uverbs] destroy_hw_idr_uobject+0x24/0x70 [ib_uverbs] uverbs_destroy_uobject+0x43/0x1b0 [ib_uverbs] uobj_destroy+0x41/0x70 [ib_uverbs] __uobj_get_destroy+0x39/0x70 [ib_uverbs] ib_uverbs_destroy_qp+0x88/0xc0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb9/0xf0 [ib_uverbs] ib_uverbs_cmd_verbs+0xb16/0xc30 [ib_uverbs] The root cause is that the actual RDMA connection is not created in the loopback tests and the rxe_match_dgid will fail randomly. To fix this call trace which appear in the loopback tests, skip check of the dgid. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20200630123605.446959-1-leon@kernel.org Signed-off-by: Zhu Yanjun Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 526b5288e9529c1ff678f298021ce0c0ea827a0b Author: Darrick J. Wong Date: Mon Jun 29 14:47:18 2020 -0700 xfs: fix reflink quota reservation accounting error [ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] Quota reservations are supposed to account for the blocks that might be allocated due to a bmap btree split. Reflink doesn't do this, so fix this to make the quota accounting more accurate before we start rearranging things. Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another") Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Signed-off-by: Sasha Levin commit 427f3f5f76add5174584f52d656a2faaf7a24367 Author: Darrick J. Wong Date: Mon Jun 29 14:47:17 2020 -0700 xfs: don't eat an EIO/ENOSPC writeback error when scrubbing data fork [ Upstream commit eb0efe5063bb10bcb653e4f8e92a74719c03a347 ] The data fork scrubber calls filemap_write_and_wait to flush dirty pages and delalloc reservations out to disk prior to checking the data fork's extent mappings. Unfortunately, this means that scrub can consume the EIO/ENOSPC errors that would otherwise have stayed around in the address space until (we hope) the writer application calls fsync to persist data and collect errors. The end result is that programs that wrote to a file might never see the error code and proceed as if nothing were wrong. xfs_scrub is not in a position to notify file writers about the writeback failure, and it's only here to check metadata, not file contents. Therefore, if writeback fails, we should stuff the error code back into the address space so that an fsync by the writer application can pick that up. Fixes: 99d9d8d05da2 ("xfs: scrub inode block mappings") Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Sasha Levin commit 2b8e23834a57b3db93972dedd04f2eeaf5e44e99 Author: Dariusz Marcinkiewicz Date: Mon Jun 22 13:46:36 2020 +0200 media: cros-ec-cec: do not bail on device_init_wakeup failure [ Upstream commit 6f01dfb760c027d5dd6199d91ee9599f2676b5c6 ] Do not fail probing when device_init_wakeup fails. device_init_wakeup fails when the device is already enabled as wakeup device. Hence, the driver fails to probe the device if: - The device has already been enabled for wakeup (by e.g. sysfs) - The driver has been unloaded and is being loaded again. This goal of the patch is to fix the above cases. Overwhelming majority of the drivers do not check device_init_wakeup return code. Fixes: cd70de2d356ee ("media: platform: Add ChromeOS EC CEC driver") Signed-off-by: Dariusz Marcinkiewicz Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0bc8f2d8332b4d62ae650e7eed1773e6de110d81 Author: Chuhong Yuan Date: Thu May 28 08:41:47 2020 +0200 media: exynos4-is: Add missed check for pinctrl_lookup_state() [ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). Add the missed check to fix it. Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") Signed-off-by: Chuhong Yuan Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e66c2c6bcc88922cb2d1edcb96ce73fc1f75d6b3 Author: Chuhong Yuan Date: Sat Jun 6 16:39:18 2020 +0200 media: tvp5150: Add missed media_entity_cleanup() [ Upstream commit d000e9b5e4a23dd700b3f58a4738c94bb5179ff0 ] This driver does not call media_entity_cleanup() in the error handler of tvp5150_registered() and tvp5150_remove(), while it has called media_entity_pads_init() at first. Add the missed calls to fix it. Fixes: 0556f1d580d4 ("media: tvp5150: add input source selection of_graph support") Signed-off-by: Chuhong Yuan Reviewed-by: Marco Felsch Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e6a4c993ec1a941918761dc6ee322a0944d706f6 Author: Helen Koike Date: Wed Jun 17 20:08:01 2020 +0200 media: staging: rkisp1: rsz: fix resolution limitation on sink pad [ Upstream commit 906dceb48dfa1e7c99c32e6b25878d47023e916b ] Resizer sink pad is limited by what the ISP can generate. The configurations describes what the resizer can produce. This was tested on a Scarlet device with ChromiumOs, where the selfpath receives 2592x1944 and produces 1600x1200 (which isn't possible without this fix). Fixes: 56e3b29f9f6b2 ("media: staging: rkisp1: add streaming paths") Signed-off-by: Helen Koike Reviewed-by: Tomasz Figa Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b64c2dbbd72e3a3a8eb2620b9eded1a28ca1df5f Author: Dafna Hirschfeld Date: Thu Jun 18 13:35:15 2020 +0200 media: staging: rkisp1: rsz: supported formats are the isp's src formats, not sink formats [ Upstream commit 7b8ce1f2763b9351a4cb04b802835470e76770a5 ] The rkisp1_resizer's enum callback 'rkisp1_rsz_enum_mbus_code' calls the enum callback of the 'rkisp1_isp' on it's video sink pad. This is a bug, the resizer should support the same formats supported by the 'rkisp1_isp' on the source pad (not the sink pad). Fixes: 56e3b29f9f6b "media: staging: rkisp1: add streaming paths" Signed-off-by: Dafna Hirschfeld Acked-by: Helen Koike Reviewed-by: Tomasz Figa Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4b1f2a5319518bb7538bb7d323e9448be09edb99 Author: Dan Carpenter Date: Fri Jun 19 16:30:07 2020 +0200 media: allegro: Fix some NULL vs IS_ERR() checks in probe [ Upstream commit d93d45ab716e4107056be54969c8c70e50a8346d ] The devm_ioremap() function doesn't return error pointers, it returns NULL on error. Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit dc84d093ba5fb591aa110b1cb741f6a6f296c888 Author: Dan Carpenter Date: Fri May 8 16:40:22 2020 +0200 media: firewire: Using uninitialized values in node_probe() [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So then the "strlen(model_names[i]) <= name_len" is true because strlen() is unsigned and -ENOENT is type promoted to a very high positive value. Then the "strncmp(name, model_names[i], name_len)" uses uninitialized data because "name" is uninitialized. Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2cc4eecf58dd2a95fa0eeabf18f7702e0432921e Author: Julian Anastasov Date: Wed Jul 1 18:17:19 2020 +0300 ipvs: allow connection reuse for unconfirmed conntrack [ Upstream commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f ] YangYuxi is reporting that connection reuse is causing one-second delay when SYN hits existing connection in TIME_WAIT state. Such delay was added to give time to expire both the IPVS connection and the corresponding conntrack. This was considered a rare case at that time but it is causing problem for some environments such as Kubernetes. As nf_conntrack_tcp_packet() can decide to release the conntrack in TIME_WAIT state and to replace it with a fresh NEW conntrack, we can use this to allow rescheduling just by tuning our check: if the conntrack is confirmed we can not schedule it to different real server and the one-second delay still applies but if new conntrack was created, we are free to select new real server without any delays. YangYuxi lists some of the problem reports: - One second connection delay in masquerading mode: https://marc.info/?t=151683118100004&r=1&w=2 - IPVS low throughput #70747 https://github.com/kubernetes/kubernetes/issues/70747 - Apache Bench can fill up ipvs service proxy in seconds #544 https://github.com/cloudnativelabs/kube-router/issues/544 - Additional 1s latency in `host -> service IP -> pod` https://github.com/kubernetes/kubernetes/issues/90854 Fixes: f719e3754ee2 ("ipvs: drop first packet to redirect conntrack") Co-developed-by: YangYuxi Signed-off-by: YangYuxi Signed-off-by: Julian Anastasov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 3c3e890c7d7701b7781a9583fbfb33add3434691 Author: Christophe JAILLET Date: Fri Jun 26 06:05:53 2020 +0200 scsi: eesox: Fix different dev_id between request_irq() and free_irq() [ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d40ef873655b9e48d26c345768c7fc52a3628b72 Author: Christophe JAILLET Date: Fri Jun 26 05:59:48 2020 +0200 scsi: powertec: Fix different dev_id between request_irq() and free_irq() [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit ef04199ce9d74b85ce251291f3b945bea3be570f Author: Jason Gunthorpe Date: Fri Jun 26 14:49:10 2020 -0300 RDMA/core: Fix bogus WARN_ON during ib_unregister_device_queued() [ Upstream commit 0cb42c0265837fafa2b4f302c8a7fed2631d7869 ] ib_unregister_device_queued() can only be used by drivers using the new dealloc_device callback flow, and it has a safety WARN_ON to ensure drivers are using it properly. However, if unregister and register are raced there is a special destruction path that maintains the uniform error handling semantic of 'caller does ib_dealloc_device() on failure'. This requires disabling the dealloc_device callback which triggers the WARN_ON. Instead of using NULL to disable the callback use a special function pointer so the WARN_ON does not trigger. Fixes: d0899892edd0 ("RDMA/device: Provide APIs from the core code to help unregistration") Link: https://lore.kernel.org/r/0-v1-a36d512e0a99+762-syz_dealloc_driver_jgg@nvidia.com Reported-by: syzbot+4088ed905e4ae2b0e13b@syzkaller.appspotmail.com Suggested-by: Hillf Danton Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 9a0e58cf2a8ce61b22d6b58b8b6ca52f274cc0e8 Author: Tony Nguyen Date: Wed Jun 24 09:04:22 2020 -0700 iavf: Fix updating statistics [ Upstream commit 9358076642f14cec8c414850d5a909cafca3a9d6 ] Commit bac8486116b0 ("iavf: Refactor the watchdog state machine") inverted the logic for when to update statistics. Statistics should be updated when no other commands are pending, instead they were only requested when a command was processed. iavf_request_stats() would see a pending request and not request statistics to be updated. This caused statistics to never be updated; fix the logic. Fixes: bac8486116b0 ("iavf: Refactor the watchdog state machine") Signed-off-by: Tony Nguyen Tested-by: Andrew Bowers Signed-off-by: Sasha Levin commit 5a38679d2020090973bef30243266a2e17b18b59 Author: Wei Yongjun Date: Thu Jun 18 14:19:53 2020 +0000 iavf: fix error return code in iavf_init_get_resources() [ Upstream commit 753f3884f253de6b6d3a516e6651bda0baf4aede ] Fix to return negative error code -ENOMEM from the error handling case instead of 0, as done elsewhere in this function. Fixes: b66c7bc1cd4d ("iavf: Refactor init state machine") Signed-off-by: Wei Yongjun Tested-by: Andrew Bowers Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit eaef1fec3fc9f8304d7b66a74ae2c34b89e7eded Author: Phil Elwell Date: Mon Jun 29 17:09:06 2020 +0200 staging: vchiq_arm: Add a matching unregister call [ Upstream commit 5d9272e28a9a6117fb63f5f930991304765caa32 ] All the registered children of vchiq have a corresponding call to platform_device_unregister except bcm2835_audio. Fix that. Fixes: 25c7597af20d ("staging: vchiq_arm: Register a platform device for audio") Signed-off-by: Phil Elwell Signed-off-by: Jacopo Mondi Signed-off-by: Nicolas Saenz Julienne Link: https://lore.kernel.org/r/20200629150945.10720-9-nsaenzjulienne@suse.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 519fabb88d7fdcea200a438d85b338244f4e905a Author: Colin Ian King Date: Wed Jun 24 13:07:10 2020 +0100 drm/radeon: fix array out-of-bounds read and write issues [ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] There is an off-by-one bounds check on the index into arrays table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that can lead to reads and writes outside of arrays. Fix the bound checking off-by-one error. Addresses-Coverity: ("Out-of-bounds read/write") Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") Signed-off-by: Colin Ian King Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 251f7e2972a154e63d37b9423477309f68d4af9f Author: Colin Ian King Date: Wed Jun 24 15:54:18 2020 +0100 drm/amdgpu: ensure 0 is returned for success in jpeg_v2_5_wait_for_idle [ Upstream commit 57f01856645afe4c3d0f9915ee2bb043e8dd7982 ] In the cases where adev->jpeg.num_jpeg_inst is zero or the condition adev->jpeg.harvest_config & (1 << i) is always non-zero the variable ret is never set to an error condition and the function returns an uninitialized value in ret. Since the only exit condition at the end if the function is a success then explicitly return 0 rather than a potentially uninitialized value in ret. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 14f43e8f88c5 ("drm/amdgpu: move JPEG2.5 out from VCN2.5") Signed-off-by: Colin Ian King Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f84547c2a6a3d00f48a56e439b6d14e8932f3e98 Author: Steven Rostedt (VMware) Date: Mon Jun 29 23:45:56 2020 -0400 tracing: Move pipe reference to trace array instead of current_tracer [ Upstream commit 7ef282e05132d56b6f6b71e3873f317664bea78b ] If a process has the trace_pipe open on a trace_array, the current tracer for that trace array should not be changed. This was original enforced by a global lock, but when instances were introduced, it was moved to the current_trace. But this structure is shared by all instances, and a trace_pipe is for a single instance. There's no reason that a process that has trace_pipe open on one instance should prevent another instance from changing its current tracer. Move the reference counter to the trace_array instead. This is marked as "Fixes" but is more of a clean up than a true fix. Backport if you want, but its not critical. Fixes: cf6ab6d9143b1 ("tracing: Add ref count to tracer for when they are being read by pipe") Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit 3ab15afbf32f101ed5aafa2c5e9566055de0e20c Author: Grygorii Strashko Date: Fri Jun 26 21:17:04 2020 +0300 net: ethernet: ti: am65-cpsw-nuss: restore vlan configuration while down/up [ Upstream commit 7bcffde02152dd3cb180f6f3aef27e8586b2a905 ] The vlan configuration is not restored after interface down/up sequence. Steps to check: # ip link add link eth0 name eth0.100 type vlan id 100 # ifconfig eth0 down # ifconfig eth0 up This patch fixes it, restoring vlan ALE entries on .ndo_open(). Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Grygorii Strashko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2f662d198ecc5b1835e4429cd56217c61342ce8d Author: Kees Cook Date: Thu Jun 25 13:37:04 2020 -0700 lkdtm: Make arch-specific tests always available [ Upstream commit ae56942c14740c2963222efdc36c667ab19555ef ] I'd like arch-specific tests to XFAIL when on a mismatched architecture so that we can more easily compare test coverage across all systems. Lacking kernel configs or CPU features count as a FAIL, not an XFAIL. Additionally fixes a build failure under 32-bit UML. Fixes: b09511c253e5 ("lkdtm: Add a DOUBLE_FAULT crash type on x86") Fixes: cea23efb4de2 ("lkdtm/bugs: Make double-fault test always available") Fixes: 6cb6982f42cb ("lkdtm: arm64: test kernel pointer authentication") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20200625203704.317097-5-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ccc2f5bfeefe862a731dd6956bfef9b3aebca5bb Author: Kees Cook Date: Thu Jun 25 13:37:03 2020 -0700 selftests/lkdtm: Reset WARN_ONCE to avoid false negatives [ Upstream commit 4fccc8c0ff740e62343b6de38426a48b345b95f4 ] Since we expect to see warnings every time for many tests, just reset the WARN_ONCE flags each time the script runs. Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20200625203704.317097-4-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1e84529a93020c8b5cf431af3a5e427a3216f7ec Author: Kees Cook Date: Thu Jun 25 13:37:01 2020 -0700 lkdtm: Avoid more compiler optimizations for bad writes [ Upstream commit 464e86b4abadfc490f426954b431e2ec6a9d7bd2 ] It seems at least Clang is able to throw away writes it knows are destined for read-only memory, which makes things like the WRITE_RO test fail, as the write gets elided. Instead, force the variable to be volatile, and make similar changes through-out other tests in an effort to avoid needing to repeat fixing these kinds of problems. Also includes pr_err() calls in failure paths so that kernel logs are more clear in the failure case. Reported-by: Prasad Sodagudi Suggested-by: Sami Tolvanen Fixes: 9ae113ce5faf ("lkdtm: add tests for additional page permissions") Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20200625203704.317097-2-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 014b2f2dbf79e5a1934b766f664f6602fdfe5124 Author: Wang Hai Date: Tue Jun 2 20:07:33 2020 +0800 cxl: Fix kobject memleak [ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Fix it by adding a call to kobject_put() in the error path of kobject_init_and_add(). Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Andrew Donnellan Acked-by: Frederic Barrat Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b73140c51e1fe09ba6f09b5abb619e7e109dd646 Author: Emil Velikov Date: Tue May 5 17:03:29 2020 +0100 drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline [ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ] The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently using the generic write. This does not look right. Perhaps some platforms don't distinguish between the two writers? Cc: Robert Chiras Cc: Vinay Simha BN Cc: Jani Nikula Cc: Thierry Reding Fixes: e83950816367 ("drm/dsi: Implement set tear scanline") Signed-off-by: Emil Velikov Reviewed-by: Thierry Reding Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com Signed-off-by: Sasha Levin commit 3bf150be9e81a22d85a69429dfc46de005a9ef4e Author: Christophe JAILLET Date: Thu Jun 25 22:47:30 2020 +0200 scsi: cumana_2: Fix different dev_id between request_irq() and free_irq() [ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Acked-by: Russell King Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 52746910adaf9686642a48479a9a6c4a15c59274 Author: Mark Starovoytov Date: Fri Jun 26 21:40:31 2020 +0300 net: atlantic: MACSec offload statistics checkpatch fix [ Upstream commit 3a8b44546979cf682324bd2fd61e539f428911b4 ] This patch fixes a checkpatch warning. Fixes: aec0f1aac58e ("net: atlantic: MACSec offload statistics implementation") Signed-off-by: Mark Starovoytov Signed-off-by: Igor Russkikh Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1bdb10cf3b6c8c8cfae3f0890b65bc2a010ec8c8 Author: Pierre-Louis Bossart Date: Thu Jun 25 14:12:55 2020 -0500 ASoC: Intel: bxt_rt298: add missing .owner field [ Upstream commit 88cee34b776f80d2da04afb990c2a28c36799c43 ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 76016322ec56 ('ASoC: Intel: Add Broxton-P machine driver') Reported-by: Jaroslav Kysela Suggested-by: Takashi Iwai Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200625191308.3322-5-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b435daf4c8ba222ff5d58747152e987481f781aa Author: Pierre-Louis Bossart Date: Thu Jun 25 14:12:54 2020 -0500 ASoC: Intel: sof_sdw: add missing .owner field [ Upstream commit fb4b42f68972d6bc905c8b6e21a43a490dedfca7 ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 52db12d193d4 ('ASoC: Intel: boards: add sof_sdw machine driver') Reported-by: Jaroslav Kysela Suggested-by: Takashi Iwai Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200625191308.3322-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3a7f18b412b008d8c1cc373584f845465a910f75 Author: Pierre-Louis Bossart Date: Thu Jun 25 14:12:53 2020 -0500 ASoC: Intel: cml_rt1011_rt5682: add missing .owner field [ Upstream commit 299120928897d6cb893c7165df7cd232d835e259 ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 17fe95d6df93 ('ASoC: Intel: boards: Add CML m/c using RT1011 and RT5682') Reported-by: Jaroslav Kysela Suggested-by: Takashi Iwai Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200625191308.3322-3-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 85c05e891a1f58d92781750cd188397a25e2a630 Author: Pierre-Louis Bossart Date: Thu Jun 25 14:12:52 2020 -0500 ASoC: SOF: nocodec: add missing .owner field [ Upstream commit 8753889e2720c1ef7ebf03370e384f5bf5ff4fab ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 8017b8fd37bf ('ASoC: SOF: Add Nocodec machine driver support') Reported-by: Jaroslav Kysela Suggested-by: Takashi Iwai Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200625191308.3322-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 19787a1aa4af3370b8536df2632ae87eb031fc38 Author: Ioana Ciornei Date: Wed Jun 24 14:34:19 2020 +0300 dpaa2-eth: fix condition for number of buffer acquire retries [ Upstream commit 0e5ad75b02d9341eb9ca22627247f9a02cc20d6f ] We should keep retrying to acquire buffers through the software portals as long as the function returns -EBUSY and the number of retries is __below__ DPAA2_ETH_SWP_BUSY_RETRIES. Fixes: ef17bd7cc0c8 ("dpaa2-eth: Avoid unbounded while loops") Signed-off-by: Ioana Ciornei Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 07bb7df94438743374dc2bf4e37123c6fe7d19ca Author: Colin Ian King Date: Wed Jun 24 17:39:57 2020 +0100 staging: most: avoid null pointer dereference when iface is null [ Upstream commit e4463e49e29f43eecec86e2e2b2e2ab4feb7d867 ] In the case where the pointer iface is null then the reporting of this error will dereference iface when printing an error message causing which is not ideal. Since the majority of callers to most_register_interface report an error when -EINVAL is returned a simple fix is to just remove the error message, I doubt it will be missed. Addresses-Coverity: ("Dereference after null check") Fixes: 57562a72414c ("Staging: most: add MOST driver's core module") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200624163957.11676-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c62689ff0de8efc9aea03e1c1bec81a271ef96c5 Author: Chuhong Yuan Date: Wed Jun 3 18:41:22 2020 +0200 media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities() [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] preview_init_entities() does not call v4l2_ctrl_handler_free() when it fails. Add the missed function to fix it. Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") Signed-off-by: Chuhong Yuan Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d7ee98ff2dc20f1b4101d4a27e01b4282fcf23f0 Author: Chuhong Yuan Date: Wed Jun 3 18:40:48 2020 +0200 media: marvell-ccic: Add missed v4l2_async_notifier_cleanup() [ Upstream commit 4603a5b4a87ccd6fb90cbfa10195291cfcf6ba34 ] mccic_register() forgets to cleanup the notifier in its error handler. mccic_shutdown() also misses calling v4l2_async_notifier_cleanup(). Add the missed calls to fix them. Fixes: 3eefe36cc00c ("media: marvell-ccic: use async notifier to get the sensor") Signed-off-by: Chuhong Yuan Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 200a210582375e71f03ca5d849ea21fb537e3e16 Author: Arnd Bergmann Date: Thu May 7 23:33:14 2020 +0200 media: cxusb-analog: fix V4L2 dependency [ Upstream commit 1a55caf010c46d4f2073f9e92e97ef65358c16bf ] CONFIG_DVB_USB_CXUSB_ANALOG is a 'bool' symbol with a dependency on the tristate CONFIG_VIDEO_V4L2, which means it can be enabled as =y even when its dependency is =m. This leads to a link failure: drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_analog_init': cxusb-analog.c:(.text+0x92): undefined reference to `v4l2_subdev_call_wrappers' drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_register_analog': cxusb-analog.c:(.text+0x466): undefined reference to `v4l2_device_register' cxusb-analog.c:(.text+0x4c3): undefined reference to `v4l2_i2c_new_subdev' cxusb-analog.c:(.text+0x4fb): undefined reference to `v4l2_subdev_call_wrappers' ... Change the dependency only disallow the analog portion of the driver in that configuration. Fixes: e478d4054054 ("media: cxusb: add analog mode support for Medion MD95700") Signed-off-by: Arnd Bergmann Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 655238be7dc5d30a13c4bc1f399bd6a3e4cd2ac5 Author: Sean Wang Date: Fri Jun 19 19:52:02 2020 +0000 Bluetooth: btmtksdio: fix up firmware download sequence [ Upstream commit 737cd06072a72e8984e41af8e5919338d0c5bf2b ] Data RAM on the device have to be powered on before starting to download the firmware. Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Co-developed-by: Mark Chen Signed-off-by: Mark Chen Signed-off-by: Sean Wang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 09731750e63ed296bd65c18b95fee305ccf16a3e Author: Sean Wang Date: Fri Jun 19 19:52:01 2020 +0000 Bluetooth: btusb: fix up firmware download sequence [ Upstream commit f645125711c80f9651e4a57403d799070c6ad13b ] Data RAM on the device have to be powered on before starting to download the firmware. Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") Co-developed-by: Mark Chen Signed-off-by: Mark Chen Signed-off-by: Sean Wang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 7cf5046487a6732969a267af8d39f273f3c1d55d Author: Arnd Bergmann Date: Tue May 5 16:19:17 2020 +0200 leds: lm355x: avoid enum conversion warning [ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] clang points out that doing arithmetic between diffent enums is usually a mistake: drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] reg_val = pdata->pin_tx2 | pdata->ntc_pin; ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ In this driver, it is intentional, so add a cast to hide the false-positive warning. It appears to be the only instance of this warning at the moment. Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") Signed-off-by: Arnd Bergmann Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 4a2b2dfd7262d67f4b8d86781b582a73eb26c5db Author: Christophe Leroy Date: Mon Jun 15 07:48:25 2020 +0000 powerpc/fixmap: Fix FIX_EARLY_DEBUG_BASE when page size is 256k [ Upstream commit 03fd42d458fb9cb69e712600bd69ff77ff3a45a8 ] FIX_EARLY_DEBUG_BASE reserves a 128k area for debuging. When page size is 256k, the calculation results in a 0 number of pages, leading to the following failure: CC arch/powerpc/kernel/asm-offsets.s In file included from ./arch/powerpc/include/asm/nohash/32/pgtable.h:77:0, from ./arch/powerpc/include/asm/nohash/pgtable.h:8, from ./arch/powerpc/include/asm/pgtable.h:20, from ./include/linux/pgtable.h:6, from ./arch/powerpc/include/asm/kup.h:42, from ./arch/powerpc/include/asm/uaccess.h:9, from ./include/linux/uaccess.h:11, from ./include/linux/crypto.h:21, from ./include/crypto/hash.h:11, from ./include/linux/uio.h:10, from ./include/linux/socket.h:8, from ./include/linux/compat.h:15, from arch/powerpc/kernel/asm-offsets.c:14: ./arch/powerpc/include/asm/fixmap.h:75:2: error: overflow in enumeration values __end_of_permanent_fixed_addresses, ^ make[2]: *** [arch/powerpc/kernel/asm-offsets.s] Error 1 Ensure the debug area is at least one page. Fixes: b8e8efaa8639 ("powerpc: reserve fixmap entries for early debug") Reported-by: kernel test robot Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/ca8c9f8249f523b1fab873e67b81b11989d46553.1592207216.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 89c78fb116d778b036211b77698976c3df822e64 Author: Joe Perches Date: Fri Jun 5 07:18:06 2020 -0700 powerpc/mm: Fix typo in IS_ENABLED() [ Upstream commit 55bd9ac468397c4f12a33b7ec714b5d0362c3aa2 ] IS_ENABLED() matches names exactly, so the missing "CONFIG_" prefix means this code would never be built. Also fixes a missing newline in pr_warn(). Fixes: 970d54f99cea ("powerpc/book3s64/hash: Disable 16M linear mapping size if not aligned") Signed-off-by: Joe Perches Signed-off-by: Kees Cook Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/202006050717.A2F9809E@keescook Signed-off-by: Sasha Levin commit baf740b0ef9b7811d1f0a5dea26dc0e9d1e41727 Author: Álvaro Fernández Rojas Date: Tue Jun 9 13:08:46 2020 +0200 clk: bcm63xx-gate: fix last clock availability [ Upstream commit cf8030d7035bd3e89c9e66f7193a7fc8057a9b9a ] In order to make the last clock available, maxbit has to be set to the highest bit value plus 1. Fixes: 1c099779c1e2 ("clk: add BCM63XX gated clock controller driver") Signed-off-by: Álvaro Fernández Rojas Link: https://lore.kernel.org/r/20200609110846.4029620-1-noltari@gmail.com Reviewed-by: Florian Fainelli Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 4736313a5c75f0af6ea0536def9fce037226c3a2 Author: Colin Ian King Date: Thu Jun 18 11:04:00 2020 +0100 drm/arm: fix unintentional integer overflow on left shift [ Upstream commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 ] Shifting the integer value 1 is evaluated using 32-bit arithmetic and then used in an expression that expects a long value leads to a potential integer overflow. Fix this by using the BIT macro to perform the shift to avoid the overflow. Addresses-Coverity: ("Unintentional integer overflow") Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors") Signed-off-by: Colin Ian King Acked-by: Liviu Dudau Signed-off-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20200618100400.11464-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 17dc46e843bb2594069803b9bce130b127bae5ae Author: Steven Price Date: Fri May 22 16:36:53 2020 +0100 drm/panfrost: Fix inbalance of devfreq record_busy/idle() [ Upstream commit b99773ef258e628bd53cab22d450a755b73b4d55 ] The calls to panfrost_devfreq_record_busy() and panfrost_devfreq_record_idle() must be balanced to ensure that the devfreq utilisation is correctly reported. But there are two cases where this doesn't work correctly. In panfrost_job_hw_submit() if pm_runtime_get_sync() fails or the WARN_ON() fires then no call to panfrost_devfreq_record_busy() is made, but when the job times out the corresponding _record_idle() call is still made in panfrost_job_timedout(). Move the call up to ensure that it always happens. Secondly panfrost_job_timedout() only makes a single call to panfrost_devfreq_record_idle() even if it is cleaning up multiple jobs. Move the call inside the loop to ensure that the number of _record_idle() calls matches the number of _record_busy() calls. Fixes: 9e62b885f715 ("drm/panfrost: Simplify devfreq utilisation tracking") Acked-by: Alyssa Rosenzweig Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20200522153653.40754-1-steven.price@arm.com Signed-off-by: Sasha Levin commit 9f216ebce72f93ee23cbca3d3325e4b78c27d978 Author: Lubomir Rintel Date: Tue Jun 16 23:21:24 2020 +0200 drm/etnaviv: Fix error path on failure to enable bus clk [ Upstream commit f8794feaf65cdc97767604cf864775d20b97f397 ] Since commit 65f037e8e908 ("drm/etnaviv: add support for slave interface clock") the reg clock is enabled before the bus clock and we need to undo its enablement on error. Fixes: 65f037e8e908 ("drm/etnaviv: add support for slave interface clock") Signed-off-by: Lubomir Rintel Signed-off-by: Lucas Stach Signed-off-by: Sasha Levin commit 13528dfb5a360a67efd6f1d8e7cc51b79d9019c6 Author: Stanley Chu Date: Thu Jun 11 18:10:43 2020 +0800 scsi: ufs: Fix imprecise load calculation in devfreq window [ Upstream commit b1bf66d1d5a8fcb54f0e584db5d196ef015b5172 ] The UFS load calculation is based on "total_time" and "busy_time" in a devfreq window. However, the source of time is different for both parameters: "busy_time" is assigned from "jiffies" thus has different accuracy from "total_time" which is assigned from ktime_get(). In addition, the time of window boundary is not exactly the same as the starting busy time in this window if UFS is actually busy in the beginning of the window. A similar accuracy error may also happen for the end of busy time in current window. To guarantee the precision of load calculation, we need to 1. Align time accuracy of both devfreq_dev_status.total_time and devfreq_dev_status.busy_time. For example, use "ktime_get()" directly. 2. Align the following timelines: - The beginning time of devfreq windows - The beginning of busy time in a new window - The end of busy time in the current window Link: https://lore.kernel.org/r/20200611101043.6379-1-stanley.chu@mediatek.com Fixes: a3cd5ec55f6c ("scsi: ufs: add load based scaling of UFS gear") Reviewed-by: Avri Altman Signed-off-by: Stanley Chu Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a6abea0032aaecfb35b11baa2533d19d319c81c7 Author: Chuhong Yuan Date: Wed Jun 3 17:26:10 2020 +0800 iio: amplifiers: ad8366: Change devm_gpiod_get() to optional and add the missed check [ Upstream commit 9ca39411f9a9c833727750431da8dfd96ff80005 ] Since if there is no GPIO, nothing happens, replace devm_gpiod_get() with devm_gpiod_get_optional(). Also add IS_ERR() to fix the missing-check warning. Fixes: cee211f4e5a0 ("iio: amplifiers: ad8366: Add support for the ADA4961 DGA") Signed-off-by: Chuhong Yuan Acked-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f616ff202deb590a74be3678904d145b7fb64e80 Author: Tomasz Duszynski Date: Mon Jun 1 18:15:52 2020 +0200 iio: improve IIO_CONCENTRATION channel type description [ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting raw concentrations of pollutants. Raw value should be meaningless before being properly scaled. Because of that description shouldn't mention raw value unit whatsoever. Fix this by rephrasing existing description so it follows conventions used throughout IIO ABI docs. Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") Signed-off-by: Tomasz Duszynski Acked-by: Matt Ranostay Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit ddd982f1abc67b77fe7adb5493f4a89c88295e1b Author: Balakrishna Godavarthi Date: Fri Jun 12 17:51:31 2020 +0530 Bluetooth: hci_qca: Increase SoC idle timeout to 200ms [ Upstream commit 2d68476cfc2afa1a1a2d9007a23264ffc6308e77 ] In some version of WCN399x, SoC idle timeout is configured as 80ms instead of 20ms or 40ms. To honor all the SoC's supported in the driver increasing SoC idle timeout to 200ms. Fixes: 41d5b25fed0a0 ("Bluetooth: hci_qca: add PM support") Signed-off-by: Balakrishna Godavarthi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 58fccee659d78db74055f7004cdc34cbdef70afa Author: Venkata Lakshmi Narayana Gubba Date: Tue Jun 9 21:27:08 2020 +0530 Bluetooth: hci_qca: Bug fix during SSR timeout [ Upstream commit f98aa80ff78c34fe328eb9cd3e2cc3058e42bcfd ] Due to race conditions between qca_hw_error and qca_controller_memdump during SSR timeout,the same pointer is freed twice. This results in a double free. Now a lock is acquired before checking the stauts of SSR state. Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR") Signed-off-by: Venkata Lakshmi Narayana Gubba Reviewed-by: Abhishek Pandit-Subedi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 35722349b68c44b9596cd05338326fe83269f023 Author: Evan Green Date: Thu Jun 4 10:59:11 2020 -0700 ath10k: Acquire tx_lock in tx error paths [ Upstream commit a738e766e3ed92c4ee5ec967777276b5ce11dd2c ] ath10k_htt_tx_free_msdu_id() has a lockdep assertion that htt->tx_lock is held. Acquire the lock in a couple of error paths when calling that function to ensure this condition is met. Fixes: 6421969f248fd ("ath10k: refactor tx pending management") Fixes: e62ee5c381c59 ("ath10k: Add support for htt_data_tx_desc_64 descriptor") Signed-off-by: Evan Green Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200604105901.1.I5b8b0c7ee0d3e51a73248975a9da61401b8f3900@changeid Signed-off-by: Sasha Levin commit d790826bcf163cbdba45070b87e92d2c84b450e7 Author: Abhishek Pandit-Subedi Date: Fri Jun 5 13:50:15 2020 -0700 Bluetooth: Allow suspend even when preparation has failed [ Upstream commit a9ec8423134a54c9f0ae8d4ef59e1e833ca917c2 ] It is preferable to allow suspend even when Bluetooth has problems preparing for sleep. When Bluetooth fails to finish preparing for suspend, log the error and allow the suspend notifier to continue instead. To also make it clearer why suspend failed, change bt_dev_dbg to bt_dev_err when handling the suspend timeout. Fixes: dd522a7429b07e ("Bluetooth: Handle LE devices during suspend") Reported-by: Len Brown Signed-off-by: Abhishek Pandit-Subedi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit ce21cd6ba7623d88b21261aceedfd8aafdc375f5 Author: Matthias Kaehlcke Date: Fri Jun 5 11:46:09 2020 -0700 Bluetooth: hci_qca: Only remove TX clock vote after TX is completed [ Upstream commit eff981f6579d5797d68d27afc0eede529ac8778a ] qca_suspend() removes the vote for the UART TX clock after writing an IBS sleep request to the serial buffer. This is not a good idea since there is no guarantee that the request has been sent at this point. Instead remove the vote after successfully entering IBS sleep. This also fixes the issue of the vote being removed in case of an aborted suspend due to a failure of entering IBS sleep. Fixes: 41d5b25fed0a0 ("Bluetooth: hci_qca: add PM support") Signed-off-by: Matthias Kaehlcke Reviewed-by: Abhishek Pandit-Subedi Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 131f1711758f9f6788590b4d383fb160c7899270 Author: Dan Carpenter Date: Fri May 29 12:59:48 2020 +0300 Bluetooth: hci_qca: Fix an error pointer dereference [ Upstream commit 4c07a5d7aeb39f559b29aa58ec9a8a5ab4282cb0 ] When a function like devm_clk_get_optional() function returns both error pointers on error and NULL then the NULL return means that the optional feature is deliberately disabled. It is a special sort of success and should not trigger an error message. The surrounding code should be written to check for NULL and not crash. On the other hand, if we encounter an error, then the probe from should clean up and return a failure. In this code, if devm_clk_get_optional() returns an error pointer then the kernel will crash inside the call to: clk_set_rate(qcadev->susclk, SUSCLK_RATE_32KHZ); The error handling must be updated to prevent that. Fixes: 77131dfec6af ("Bluetooth: hci_qca: Replace devm_gpiod_get() with devm_gpiod_get_optional()") Signed-off-by: Dan Carpenter Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 99377c394c46dcfc606efe9477b0788be22810ca Author: Christophe JAILLET Date: Wed Apr 29 10:45:05 2020 +0200 video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call [ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ] 'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' not 'dma_free_wc()'. The correct dma_free_ function is already used in the error handling path of the probe function. Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable") Signed-off-by: Christophe JAILLET Cc: Sumit Semwal Cc: Rafael J. Wysocki Cc: Jonathan Corbet Cc: Viresh Kumar Cc: Jani Nikula cc: Mauro Carvalho Chehab Cc: Eric Miao Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit b2c01fb9e951141b86ec771265157c8aab10303c Author: Dejin Zheng Date: Fri Apr 24 00:42:51 2020 +0800 console: newport_con: fix an issue about leak related system resources [ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] A call of the function do_take_over_console() can fail here. The corresponding system resources were not released then. Thus add a call of iounmap() and release_mem_region() together with the check of a failure predicate. and also add release_mem_region() on device removal. Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") Suggested-by: Bartlomiej Zolnierkiewicz Signed-off-by: Dejin Zheng Reviewed-by: Andy Shevchenko Cc: Greg Kroah-Hartman cc: Thomas Gleixner Cc: Andrew Morton Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com Signed-off-by: Sasha Levin commit 92a82acf36092d070542b8330eae0e3a019dbebd Author: Dejin Zheng Date: Thu Apr 23 00:07:19 2020 +0800 video: fbdev: sm712fb: fix an issue about iounmap for a wrong address [ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] the sfb->fb->screen_base is not save the value get by iounmap() when the chip id is 0x720. so iounmap() for address sfb->fb->screen_base is not right. Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") Cc: Andy Shevchenko Cc: Sudip Mukherjee Cc: Teddy Wang Cc: Greg Kroah-Hartman Signed-off-by: Dejin Zheng Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com Signed-off-by: Sasha Levin commit 0e2242c1c6cc55f07b2da943c32bdf5793c21299 Author: Pali Rohár Date: Wed Jun 3 10:22:29 2020 +0200 btmrvl: Fix firmware filename for sd8997 chipset [ Upstream commit 00eb0cb36fad53315047af12e83c643d3a2c2e49 ] Firmware for sd8997 chipset is distributed by Marvell package and also as part of the linux-firmware repository in filename sdsd8997_combo_v4.bin. This patch fixes mwifiex driver to load correct firmware file for sd8997. Fixes: f0ef67485f591 ("Bluetooth: btmrvl: add sd8997 chipset support") Signed-off-by: Pali Rohár Acked-by: Ganapathi Bhat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit fe5f059a6ac9b37d694b3e5bed48351c18ad36f2 Author: Pali Rohár Date: Wed Jun 3 10:22:28 2020 +0200 btmrvl: Fix firmware filename for sd8977 chipset [ Upstream commit dbec3af5f13b88a96e31f252957ae1a82484a923 ] Firmware for sd8977 chipset is distributed by Marvell package and also as part of the linux-firmware repository in filename sdsd8977_combo_v2.bin. This patch fixes mwifiex driver to load correct firmware file for sd8977. Fixes: 8c57983bf7a79 ("Bluetooth: btmrvl: add support for sd8977 chipset") Signed-off-by: Pali Rohár Acked-by: Ganapathi Bhat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e98c7aaf0c079cd4e995b863bc484279911da1e1 Author: Pali Rohár Date: Wed Jun 3 10:22:27 2020 +0200 mwifiex: Fix firmware filename for sd8997 chipset [ Upstream commit 2e1fcac52a9ea53e5a13a585d48a29a0fb4a9daf ] Firmware for sd8997 chipset is distributed by Marvell package and also as part of the linux-firmware repository in filename sdsd8997_combo_v4.bin. This patch fixes mwifiex driver to load correct firmware file for sd8997. Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset") Signed-off-by: Pali Rohár Acked-by: Ganapathi Bhat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 4e5236a4cbf9c8e733009bc99f31a851dfe966f4 Author: Pali Rohár Date: Wed Jun 3 10:22:26 2020 +0200 mwifiex: Fix firmware filename for sd8977 chipset [ Upstream commit 47fd3ee25e13cc5add48ba2ed71f7ee964b9c3a4 ] Firmware for sd8977 chipset is distributed by Marvell package and also as part of the linux-firmware repository in filename sdsd8977_combo_v2.bin. This patch fixes mwifiex driver to load correct firmware file for sd8977. Fixes: 1a0f547831dce ("mwifiex: add support for sd8977 chipset") Signed-off-by: Pali Rohár Acked-by: Ganapathi Bhat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 58f5095b4fcfd30d3b39c83a1d83e7d3aef2b1ba Author: Qiushi Wu Date: Fri May 22 09:34:51 2020 +0100 agp/intel: Fix a memory leak on module initialisation failure [ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] In intel_gtt_setup_scratch_page(), pointer "page" is not released if pci_dma_mapping_error() return an error, leading to a memory leak on module initialisation failure. Simply fix this issue by freeing "page" before return. Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") Signed-off-by: Qiushi Wu Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk Signed-off-by: Sasha Levin commit 6478b20d0364d70f32381123d1f717eaa486ec75 Author: Emil Velikov Date: Fri May 15 10:50:47 2020 +0100 drm/amdgpu: use the unlocked drm_gem_object_put [ Upstream commit 1a87f67a66de4ad0c0d79fd86b6c5273143387c3 ] The driver does not hold struct_mutex, thus using the locked version of the helper is incorrect. Cc: Alex Deucher Cc: Christian König Cc: amd-gfx@lists.freedesktop.org Fixes: a39414716ca0 ("drm/amdgpu: add independent DMA-buf import v9") Signed-off-by: Emil Velikov Acked-by: Sam Ravnborg Reviewed-by: Christian König Acked-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20200515095118.2743122-8-emil.l.velikov@gmail.com Signed-off-by: Sasha Levin commit 26cfc53dbf713ef98b6fc5d977f67dac5088ffde Author: Douglas Anderson Date: Mon May 4 21:32:29 2020 -0700 drm/bridge: ti-sn65dsi86: Fix off-by-one error in clock choice [ Upstream commit fe3d7a35497c807d0dad0642afd87d6ba5b6fc86 ] If the rate in our table is _equal_ to the rate we want then it's OK to pick it. It doesn't need to be greater than the one we want. Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") Signed-off-by: Douglas Anderson Reviewed-by: Stephen Boyd Reviewed-by: Rob Clark Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200504213225.1.I21646c7c37ff63f52ae6cdccc9bc829fbc3d9424@changeid Signed-off-by: Sasha Levin commit 6b31720025bdff02f990a82da211a0a394ef8f88 Author: Douglas Anderson Date: Fri May 8 16:33:29 2020 -0700 drm/bridge: ti-sn65dsi86: Clear old error bits before AUX transfers [ Upstream commit baef4d56195b6d6e0f681f6eac03d8c6db011d34 ] The AUX channel transfer error bits in the status register are latched and need to be cleared. Clear them before doing our transfer so we don't see old bits and get confused. Without this patch having a single failure would mean that all future transfers would look like they failed. Fixes: b814ec6d4535 ("drm/bridge: ti-sn65dsi86: Implement AUX channel") Signed-off-by: Douglas Anderson Reviewed-by: Rob Clark Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200508163314.1.Idfa69d5d3fc9623083c0ff78572fea87dccb199c@changeid Signed-off-by: Sasha Levin commit 04d83a826f68db88a1059ee8424f44739149b753 Author: Dan Carpenter Date: Fri Mar 20 16:23:34 2020 +0300 drm/gem: Fix a leak in drm_gem_objects_lookup() [ Upstream commit ec0bb482de0ad5e4aba2a4537ea53eaeb77d11a6 ] If the "handles" allocation or the copy_from_user() fails then we leak "objs". It's supposed to be freed in panfrost_job_cleanup(). Fixes: c117aa4d8701 ("drm: Add a drm_gem_objects_lookup helper") Signed-off-by: Dan Carpenter Signed-off-by: Emil Velikov Link: https://patchwork.freedesktop.org/patch/msgid/20200320132334.GC95012@mwanda Signed-off-by: Sasha Levin commit 9be8f0289d1381c46b0ad5cf2f7f21c5961039a0 Author: Rob Clark Date: Wed Jul 1 13:36:00 2020 -0700 drm/msm: ratelimit crtc event overflow error [ Upstream commit 5e16372b5940b1fecc3cc887fc02a50ba148d373 ] This can happen a lot when things go pear shaped. Lets not flood dmesg when this happens. Signed-off-by: Rob Clark Reviewed-by: Abhinav Kumar Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 8aa7c1fc2f91a45c3b31abe177e142dda156163e Author: Horia Geantă Date: Wed Jul 22 15:14:55 2020 +0300 crypto: caam - silence .setkey in case of bad key length [ Upstream commit da6a66853a381864f4b040832cf11f0dbba0a097 ] In case of bad key length, driver emits "key size mismatch" messages, but only for xts(aes) algorithms. Reduce verbosity by making them visible only when debugging. This way crypto fuzz testing log cleans up a bit. Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6d0f399b3ab78abf2718b194760504845ae36467 Author: Pavel Begunkov Date: Thu Jul 30 18:43:48 2020 +0300 io_uring: fix stalled deferred requests [ Upstream commit dd9dfcdf5a603680458f5e7b0d2273c66e5417db ] Always do io_commit_cqring() after completing a request, even if it was accounted as overflowed on the CQ side. Failing to do that may lead to not to pushing deferred requests when needed, and so stalling the whole ring. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e79ec069c60e192d7bc30680b0052ec8c01ccb22 Author: Pavel Begunkov Date: Thu Jul 30 18:43:47 2020 +0300 io_uring: fix racy overflow count reporting [ Upstream commit b2bd1cf99f3e7c8fbf12ea07af2c6998e1209e25 ] All ->cq_overflow modifications should be under completion_lock, otherwise it can report a wrong number to the userspace. Fix it in io_uring_cancel_files(). Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 743d10b7dcc675f915d5825e12bca5dedf2f44ee Author: Erik Kaneda Date: Mon Jul 20 10:31:20 2020 -0700 ACPICA: Do not increment operation_region reference counts for field units [ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 Object reference counts are used as a part of ACPICA's garbage collection mechanism. This mechanism keeps track of references to heap-allocated structures such as the ACPI operand objects. Recent server firmware has revealed that this reference count can overflow on large servers that declare many field units under the same operation_region. This occurs because each field unit declaration will add a reference count to the source operation_region. This change solves the reference count overflow for operation_regions objects by preventing fieldunits from incrementing their operation_region's reference count. Each operation_region's reference count will not be changed by named objects declared under the Field operator. During namespace deletion, the operation_region namespace node will be deleted and each fieldunit will be deleted without touching the deleted operation_region object. Link: https://github.com/acpica/acpica/commit/e17b28cf Signed-off-by: Erik Kaneda Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 05a2081d2ffbc7754c9205da60b1babd236b4c14 Author: Qu Wenruo Date: Tue Jul 14 09:12:20 2020 +0800 btrfs: qgroup: free per-trans reserved space when a subvolume gets dropped [ Upstream commit a3cf0e4342b6af9e6b34a4b913c630fbd03a82ea ] [BUG] Sometime fsstress could lead to qgroup warning for case like generic/013: BTRFS warning (device dm-3): qgroup 0/259 has unreleased space, type 1 rsv 81920 ------------[ cut here ]------------ WARNING: CPU: 9 PID: 24535 at fs/btrfs/disk-io.c:4142 close_ctree+0x1dc/0x323 [btrfs] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:close_ctree+0x1dc/0x323 [btrfs] Call Trace: btrfs_put_super+0x15/0x17 [btrfs] generic_shutdown_super+0x72/0x110 kill_anon_super+0x18/0x30 btrfs_kill_super+0x17/0x30 [btrfs] deactivate_locked_super+0x3b/0xa0 deactivate_super+0x40/0x50 cleanup_mnt+0x135/0x190 __cleanup_mnt+0x12/0x20 task_work_run+0x64/0xb0 __prepare_exit_to_usermode+0x1bc/0x1c0 __syscall_return_slowpath+0x47/0x230 do_syscall_64+0x64/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ---[ end trace 6c341cdf9b6cc3c1 ]--- BTRFS error (device dm-3): qgroup reserved space leaked While that subvolume 259 is no longer in that filesystem. [CAUSE] Normally per-trans qgroup reserved space is freed when a transaction is committed, in commit_fs_roots(). However for completely dropped subvolume, that subvolume is completely gone, thus is no longer in the fs_roots_radix, and its per-trans reserved qgroup will never be freed. Since the subvolume is already gone, leaked per-trans space won't cause any trouble for end users. [FIX] Just call btrfs_qgroup_free_meta_all_pertrans() before a subvolume is completely dropped. Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 41177d2076c239f79eb19c6cceab7fe17cba2cd7 Author: Qu Wenruo Date: Wed Jun 24 07:23:50 2020 +0800 btrfs: allow btrfs_truncate_block() to fallback to nocow for data space reservation [ Upstream commit 6d4572a9d71d5fc2affee0258d8582d39859188c ] [BUG] When the data space is exhausted, even if the inode has NOCOW attribute, we will still refuse to truncate unaligned range due to ENOSPC. The following script can reproduce it pretty easily: #!/bin/bash dev=/dev/test/test mnt=/mnt/btrfs umount $dev &> /dev/null umount $mnt &> /dev/null mkfs.btrfs -f $dev -b 1G mount -o nospace_cache $dev $mnt touch $mnt/foobar chattr +C $mnt/foobar xfs_io -f -c "pwrite -b 4k 0 4k" $mnt/foobar > /dev/null xfs_io -f -c "pwrite -b 4k 0 1G" $mnt/padding &> /dev/null sync xfs_io -c "fpunch 0 2k" $mnt/foobar umount $mnt Currently this will fail at the fpunch part. [CAUSE] Because btrfs_truncate_block() always reserves space without checking the NOCOW attribute. Since the writeback path follows NOCOW bit, we only need to bother the space reservation code in btrfs_truncate_block(). [FIX] Make btrfs_truncate_block() follow btrfs_buffered_write() to try to reserve data space first, and fall back to NOCOW check only when we don't have enough space. Such always-try-reserve is an optimization introduced in btrfs_buffered_write(), to avoid expensive btrfs_check_can_nocow() call. This patch will export check_can_nocow() as btrfs_check_can_nocow(), and use it in btrfs_truncate_block() to fix the problem. Reported-by: Martin Doucha Reviewed-by: Filipe Manana Reviewed-by: Anand Jain Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 2e5d939a8bc9dd1ec89fe8a406f57adf6dae84a6 Author: Coly Li Date: Sat Jul 25 20:00:26 2020 +0800 bcache: fix super block seq numbers comparision in register_cache_set() [ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] In register_cache_set(), c is pointer to struct cache_set, and ca is pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this registering cache has up to date version and other members, the in- memory version and other members should be updated to the newer value. But current implementation makes a cache set only has a single cache device, so the above assumption works well except for a special case. The execption is when a cache device new created and both ca->sb.seq and c->sb.seq are 0, because the super block is never flushed out yet. In the location for the following if() check, 2156 if (ca->sb.seq > c->sb.seq) { 2157 c->sb.version = ca->sb.version; 2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); 2159 c->sb.flags = ca->sb.flags; 2160 c->sb.seq = ca->sb.seq; 2161 pr_debug("set version = %llu\n", c->sb.version); 2162 } c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, the if() check will fail (because both values are 0), and the cache set version, set_uuid, flags and seq won't be updated. The above problem is hiden for current code, because the bucket size is compatible among different super block version. And the next time when running cache set again, ca->sb.seq will be larger than 0 and cache set super block version will be updated properly. But if the large bucket feature is enabled, sb->bucket_size is the low 16bits of the bucket size. For a power of 2 value, when the actual bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then read_super_common() will fail because the if() check to is_power_of_2(sb->bucket_size) is false. This is how the long time hidden bug is triggered. This patch modifies the if() check to the following way, 2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { Then cache set's version, set_uuid, flags and seq will always be updated corectly including for a new created cache device. Signed-off-by: Coly Li Reviewed-by: Hannes Reinecke Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5be3ad73b54d5f13e9a2695fbb61cde433653533 Author: Jim Cromie Date: Sun Jul 19 17:10:47 2020 -0600 dyndbg: fix a BUG_ON in ddebug_describe_flags [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] ddebug_describe_flags() currently fills a caller provided string buffer, after testing its size (also passed) in a BUG_ON. Fix this by replacing them with a known-big-enough string buffer wrapped in a struct, and passing that instead. Also simplify ddebug_describe_flags() flags parameter from a struct to a member in that struct, and hoist the member deref up to the caller. This makes the function reusable (soon) where flags are unpacked. Acked-by: Signed-off-by: Jim Cromie Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4820eb178ca92b1034c6062eab8f44d0ef5fa931 Author: Danesh Petigara Date: Wed Jul 22 13:07:45 2020 -0400 usb: bdc: Halt controller on suspend [ Upstream commit 5fc453d7de3d0c345812453823a3a56783c5f82c ] GISB bus error kernel panics have been observed during S2 transition tests on the 7271t platform. The errors are a result of the BDC interrupt handler trying to access BDC register space after the system's suspend callbacks have completed. Adding a suspend hook to the BDC driver that halts the controller before S2 entry thus preventing unwanted access to the BDC register space during this transition. Signed-off-by: Danesh Petigara Signed-off-by: Al Cooper Acked-by: Florian Fainelli Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 07157bf14a8ec7ba9ea034afc1c5d10b69da1e47 Author: Sasi Kumar Date: Wed Jul 22 13:07:42 2020 -0400 bdc: Fix bug causing crash after multiple disconnects [ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] Multiple connects/disconnects can cause a crash on the second disconnect. The driver had a problem where it would try to send endpoint commands after it was disconnected which is not allowed by the hardware. The fix is to only allow the endpoint commands when the endpoint is connected. This will also fix issues that showed up when using configfs to create gadgets. Signed-off-by: Sasi Kumar Signed-off-by: Al Cooper Acked-by: Florian Fainelli Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit db76035ed4770ebc998ef7a9705f0f90940166f4 Author: Evgeny Novikov Date: Tue Jul 21 23:15:58 2020 +0300 usb: gadget: net2280: fix memory leak on probe error handling paths [ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] Driver does not release memory for device on error handling paths in net2280_probe() when gadget_release() is not registered yet. The patch fixes the bug like in other similar drivers. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit d24e654785e66d6b0a64914802abaf62817062d2 Author: shirley her Date: Mon Jul 20 18:17:33 2020 -0700 mmc: sdhci-pci-o2micro: Bug fix for O2 host controller Seabird1 [ Upstream commit cdd2b769789ae1a030e1a26f6c37c5833cabcb34 ] To fix support for the O2 host controller Seabird1, set the quirk SDHCI_QUIRK2_PRESET_VALUE_BROKEN and the capability bit MMC_CAP2_NO_SDIO. Moreover, assign the ->get_cd() callback. Signed-off-by: Shirley Her Link: https://lore.kernel.org/r/20200721011733.8416-1-shirley.her@bayhubtech.com [Ulf: Updated the commit message] Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 3b0bcd64c4000409b5a8db52df3b77ee35092fd5 Author: Nick Desaulniers Date: Mon Jul 20 13:49:25 2020 -0700 x86/uaccess: Make __get_user_size() Clang compliant on 32-bit [ Upstream commit 158807de5822d1079e162a3762956fd743dd483e ] Clang fails to compile __get_user_size() on 32-bit for the following code: long long val; __get_user(val, usrptr); with: error: invalid output size for constraint '=q' GCC compiles the same code without complaints. The reason is that GCC and Clang are architecturally different, which leads to subtle issues for code that's invalid but clearly dead, i.e. with code that emulates polymorphism with the preprocessor and sizeof. GCC will perform semantic analysis after early inlining and dead code elimination, so it will not warn on invalid code that's dead. Clang strictly performs optimizations after semantic analysis, so it will warn for dead code. Neither Clang nor GCC like this very much with -m32: long long ret; asm ("movb $5, %0" : "=q" (ret)); However, GCC can tolerate this variant: long long ret; switch (sizeof(ret)) { case 1: asm ("movb $5, %0" : "=q" (ret)); break; case 8:; } Clang, on the other hand, won't accept that because it validates the inline asm for the '1' case before the optimisation phase where it realises that it wouldn't have to emit it anyway. If LLVM (Clang's "back end") fails such as during instruction selection or register allocation, it cannot provide accurate diagnostics (warnings / errors) that contain line information, as the AST has been discarded from memory at that point. While there have been early discussions about having C/C++ specific language optimizations in Clang via the use of MLIR, which would enable such earlier optimizations, such work is not scoped and likely a multi-year endeavor. It was discussed to change the asm output constraint for the one byte case from "=q" to "=r". While it works for 64-bit, it fails on 32-bit. With '=r' the compiler could fail to chose a register accessible as high/low which is required for the byte operation. If that happens the assembly will fail. Use a local temporary variable of type 'unsigned char' as output for the byte copy inline asm and then assign it to the real output variable. This prevents Clang from failing the semantic analysis in the above case. The resulting code for the actual one byte copy is not affected as the temporary variable is optimized out. [ tglx: Amended changelog ] Reported-by: Arnd Bergmann Reported-by: David Woodhouse Reported-by: Dmitry Golovin Reported-by: Linus Torvalds Signed-off-by: Nick Desaulniers Signed-off-by: Thomas Gleixner Tested-by: Sedat Dilek Acked-by: Linus Torvalds Acked-by: Dennis Zhou Link: https://bugs.llvm.org/show_bug.cgi?id=33587 Link: https://github.com/ClangBuiltLinux/linux/issues/3 Link: https://github.com/ClangBuiltLinux/linux/issues/194 Link: https://github.com/ClangBuiltLinux/linux/issues/781 Link: https://lore.kernel.org/lkml/20180209161833.4605-1-dwmw2@infradead.org/ Link: https://lore.kernel.org/lkml/CAK8P3a1EBaWdbAEzirFDSgHVJMtWjuNt2HGG8z+vpXeNHwETFQ@mail.gmail.com/ Link: https://lkml.kernel.org/r/20200720204925.3654302-12-ndesaulniers@google.com Signed-off-by: Sasha Levin commit b97a0171da24e58b0e8e81ba2575239dcb070c2b Author: Shannon Nelson Date: Tue Jul 21 13:34:07 2020 -0700 ionic: update eid test for overflow [ Upstream commit 3fbc9bb6ca32d12d4d32a7ae32abef67ac95f889 ] Fix up our comparison to better handle a potential (but largely unlikely) wrap around. Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ce8444749a649742fd88e5b9d05f352a478980ec Author: Evan Quan Date: Wed Jul 15 14:01:29 2020 +0800 drm/amd/powerplay: suppress compile error around BUG_ON [ Upstream commit 75bc07e2403caea9ecac69f766dfb7dc33547594 ] To suppress the compile error below for "ARCH=arc". drivers/gpu/drm/amd/amdgpu/../powerplay/arcturus_ppt.c: In function 'arcturus_fill_eeprom_i2c_req': >> arch/arc/include/asm/bug.h:22:2: error: implicit declaration of function 'pr_warn'; did you mean 'pci_warn'? [-Werror=implicit-function-declaration] 22 | pr_warn("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \ | ^~~~~~~ include/asm-generic/bug.h:62:57: note: in expansion of macro 'BUG' 62 | #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0) | ^~~ drivers/gpu/drm/amd/amdgpu/../powerplay/arcturus_ppt.c:2157:2: note: in expansion of macro 'BUG_ON' 2157 | BUG_ON(numbytes > MAX_SW_I2C_COMMANDS); Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 7cf4e6f2b365dfd5629a53bbf8efc6ccee2fe25e Author: Dmitry Osipenko Date: Mon Jun 29 06:18:41 2020 +0300 gpu: host1x: debug: Fix multiple channels emitting messages simultaneously [ Upstream commit 35681862808472a0a4b9a8817ae2789c0b5b3edc ] Once channel's job is hung, it dumps the channel's state into KMSG before tearing down the offending job. If multiple channels hang at once, then they dump messages simultaneously, making the debug info unreadable, and thus, useless. This patch adds mutex which allows only one channel to emit debug messages at a time. Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3fbcad2f1bf0b2e886bfa7af26a2642272f8c9c5 Author: Bolarinwa Olayemi Saheed Date: Mon Jul 13 19:55:27 2020 +0200 iwlegacy: Check the return value of pcie_capability_read_*() [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] On failure pcie_capability_read_dword() sets it's last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 & x). This bug can be avoided without changing the function's behaviour if the return value of pcie_capability_read_dword is checked to confirm success. Check the return value of pcie_capability_read_dword() to ensure success. Suggested-by: Bjorn Helgaas Signed-off-by: Bolarinwa Olayemi Saheed Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com Signed-off-by: Sasha Levin commit bfcd172df8217a0e28260daa4a1089e2b129834a Author: Armas Spann Date: Sat Jul 11 11:43:21 2020 +0200 platform/x86: asus-nb-wmi: add support for ASUS ROG Zephyrus G14 and G15 [ Upstream commit 13bceda68fb9ef388ad40d355ab8d03ee64d14c2 ] Add device support for the new ASUS ROG Zephyrus G14 (GA401I) and G15 (GA502I) series. This is accomplished by two new quirk entries (one per each series), as well as all current available G401I/G502I DMI_PRODUCT_NAMEs to match the corresponding devices. Signed-off-by: Armas Spann Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 4aae02c9ddb5edf27e47c37f7b45d2cd923faa87 Author: Wright Feng Date: Wed Jun 24 04:16:07 2020 -0500 brcmfmac: set state of hanger slot to FREE when flushing PSQ [ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ] When USB or SDIO device got abnormal bus disconnection, host driver tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger slot linked to PSQ and TSQ), so we should set the state of skb hanger slot to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb. In brcmf_fws_bus_txq_cleanup it already sets BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the same thing in brcmf_fws_psq_flush to avoid following warning message. [ 1580.012880] ------------ [ cut here ]------------ [ 1580.017550] WARNING: CPU: 3 PID: 3065 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil] [ 1580.184017] Call Trace: [ 1580.186514] brcmf_fws_cleanup+0x14e/0x190 [brcmfmac] [ 1580.191594] brcmf_fws_del_interface+0x70/0x90 [brcmfmac] [ 1580.197029] brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac] [ 1580.202418] brcmf_remove_interface+0x69/0x190 [brcmfmac] [ 1580.207888] brcmf_detach+0x90/0xe0 [brcmfmac] [ 1580.212385] brcmf_usb_disconnect+0x76/0xb0 [brcmfmac] [ 1580.217557] usb_unbind_interface+0x72/0x260 [ 1580.221857] device_release_driver_internal+0x141/0x200 [ 1580.227152] device_release_driver+0x12/0x20 [ 1580.231460] bus_remove_device+0xfd/0x170 [ 1580.235504] device_del+0x1d9/0x300 [ 1580.239041] usb_disable_device+0x9e/0x270 [ 1580.243160] usb_disconnect+0x94/0x270 [ 1580.246980] hub_event+0x76d/0x13b0 [ 1580.250499] process_one_work+0x144/0x360 [ 1580.254564] worker_thread+0x4d/0x3c0 [ 1580.258247] kthread+0x109/0x140 [ 1580.261515] ? rescuer_thread+0x340/0x340 [ 1580.265543] ? kthread_park+0x60/0x60 [ 1580.269237] ? SyS_exit_group+0x14/0x20 [ 1580.273118] ret_from_fork+0x25/0x30 [ 1580.300446] ------------ [ cut here ]------------ Acked-by: Arend van Spriel Signed-off-by: Wright Feng Signed-off-by: Chi-hsien Lin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200624091608.25154-2-wright.feng@cypress.com Signed-off-by: Sasha Levin commit fd242b5d841a79dd826dc7c46d1d760dd963f0c7 Author: Prasanna Kerekoppa Date: Thu Jun 4 02:18:35 2020 -0500 brcmfmac: To fix Bss Info flag definition Bug [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] Bss info flag definition need to be fixed from 0x2 to 0x4 This flag is for rssi info received on channel. All Firmware branches defined as 0x4 and this is bug in brcmfmac. Signed-off-by: Prasanna Kerekoppa Signed-off-by: Chi-hsien Lin Signed-off-by: Wright Feng Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com Signed-off-by: Sasha Levin commit abba3a079bbbe1ff52205b8801d9b6a69a77355a Author: Wright Feng Date: Thu Jun 4 02:18:33 2020 -0500 brcmfmac: keep SDIO watchdog running when console_interval is non-zero [ Upstream commit eccbf46b15bb3e35d004148f7c3a8fa8e9b26c1e ] brcmfmac host driver makes SDIO bus sleep and stops SDIO watchdog if no pending event or data. As a result, host driver does not poll firmware console buffer before buffer overflow, which leads to missing firmware logs. We should not stop SDIO watchdog if console_interval is non-zero in debug build. Signed-off-by: Wright Feng Signed-off-by: Chi-hsien Lin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200604071835.3842-4-wright.feng@cypress.com Signed-off-by: Sasha Levin commit c5201aabe493478a6fe3397bb5dab405de325d5f Author: Venkata Lakshmi Narayana Gubba Date: Sat Jul 11 17:01:12 2020 +0530 Bluetooth: hci_qca: Bug fixes for SSR [ Upstream commit 3344537f614b966f726c1ec044d1c70a8cabe178 ] 1.During SSR for command time out if BT SoC goes to inresponsive state, power cycling of BT SoC was not happening. Given the fix by sending hw error event to reset the BT SoC. 2.If SSR is triggered then ignore the transmit data requests to BT SoC until SSR is completed. Signed-off-by: Venkata Lakshmi Narayana Gubba Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 181740eddae2ce9c69474ff61ce324a1779533e5 Author: Wenbo Zhang Date: Fri Jul 10 05:20:35 2020 -0400 bpf: Fix fds_example SIGSEGV error [ Upstream commit eef8a42d6ce087d1c81c960ae0d14f955b742feb ] The `BPF_LOG_BUF_SIZE`'s value is `UINT32_MAX >> 8`, so define an array with it on stack caused an overflow. Signed-off-by: Wenbo Zhang Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200710092035.28919-1-ethercflow@gmail.com Signed-off-by: Sasha Levin commit e6132d0ce6f2ce0227722e42d236e30db3763cea Author: Evan Quan Date: Sun Jun 28 19:12:42 2020 +0800 drm/amd/powerplay: fix compile error with ARCH=arc [ Upstream commit 9822ba2ead1baa3de4860ad9472f652c4cc78c9c ] Fix the compile error below: drivers/gpu/drm/amd/amdgpu/../powerplay/smu_v11_0.c: In function 'smu_v11_0_init_microcode': >> arch/arc/include/asm/bug.h:22:2: error: implicit declaration of function 'pr_warn'; did you mean 'pci_warn'? [-Werror=implicit-function-declaration] 22 | pr_warn("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \ | ^~~~~~~ drivers/gpu/drm/amd/amdgpu/../powerplay/smu_v11_0.c:176:3: note: in expansion of macro 'BUG' 176 | BUG(); Reported-by: kernel test robot Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit bb4960cc236b57708c44d11e272a9eeff66e90d9 Author: Alex Deucher Date: Wed Jun 17 16:36:05 2020 -0400 drm/amdgpu/display: properly guard the calls to swSMU functions [ Upstream commit 4072327a2622af8688b88f5cd0a472136d3bf33d ] It's only applicable on newer asics. We could end up here when using DC on older asics like SI or KV. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1170 Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c2013b737bbde32f302575e6a1b74eb21cd419ca Author: Alex Deucher Date: Wed Jun 17 16:33:47 2020 -0400 drm/amdgpu/display bail early in dm_pp_get_static_clocks [ Upstream commit 376814f5fcf1aadda501d1413d56e8af85d19a97 ] If there are no supported callbacks. We'll fall back to the nominal clocks. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1170 Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit aeb79d98b4b1e4007207936b7a8fb074a96c240f Author: Aric Cyr Date: Tue May 26 13:56:53 2020 -0400 drm/amd/display: Improve DisplayPort monitor interop [ Upstream commit eec3303de3378cdfaa0bb86f43546dbbd88f94e2 ] [Why] DC is very fast at link training and stream enablement which causes issues such as blackscreens for non-compliant monitors. [How] After debugging with scaler vendors we implement the minimum delays at the necessary locations to ensure the monitor does not hang. Delays are generic due to lack of IEEE OUI information on the failing displays. Signed-off-by: Aric Cyr Reviewed-by: Wenjing Liu Acked-by: Qingqing Zhuo Acked-by: Tony Cheng Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 61523462770d2b3e85262b042144ef11e8dc67bf Author: Paul E. McKenney Date: Thu Apr 16 16:46:10 2020 -0700 mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls [ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] A large process running on a heavily loaded system can encounter the following RCU CPU stall warning: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 (t=21013 jiffies g=1005461 q=132576) NMI backtrace for cpu 3 CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 Call Trace: dump_stack+0x46/0x60 nmi_cpu_backtrace.cold.3+0x13/0x50 ? lapic_can_unplug_cpu.cold.27+0x34/0x34 nmi_trigger_cpumask_backtrace+0xba/0xca rcu_dump_cpu_stacks+0x99/0xc7 rcu_sched_clock_irq.cold.87+0x1aa/0x397 ? tick_sched_do_timer+0x60/0x60 update_process_times+0x28/0x60 tick_sched_timer+0x37/0x70 __hrtimer_run_queues+0xfe/0x270 hrtimer_interrupt+0xf4/0x210 smp_apic_timer_interrupt+0x5e/0x120 apic_timer_interrupt+0xf/0x20 RIP: 0010:kmem_cache_free+0x223/0x300 Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 ? remove_vma+0x4f/0x60 remove_vma+0x4f/0x60 exit_mmap+0xd6/0x160 mmput+0x4a/0x110 do_exit+0x278/0xae0 ? syscall_trace_enter+0x1d3/0x2b0 ? handle_mm_fault+0xaa/0x1c0 do_group_exit+0x3a/0xa0 __x64_sys_exit_group+0x14/0x20 do_syscall_64+0x42/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run for a very long time given a large process. This commit therefore adds a cond_resched() to this loop, providing RCU any needed quiescent states. Cc: Andrew Morton Cc: Reviewed-by: Shakeel Butt Reviewed-by: Joel Fernandes (Google) Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 950a1a7f661d7c9e7860cc33fd7057073ea90e19 Author: Bartosz Golaszewski Date: Mon Jun 15 09:44:45 2020 +0200 irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock [ Upstream commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 ] This driver may take a regular spinlock when a raw spinlock (irq_desc->lock) is already taken which results in the following lockdep splat: ============================= [ BUG: Invalid wait context ] 5.7.0-rc7 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffffff800303b798 (&chip_data->lock){....}-{3:3}, at: mtk_sysirq_set_type+0x48/0xc0 other info that might help us debug this: context-{5:5} 2 locks held by swapper/0/0: #0: ffffff800302ee68 (&desc->request_mutex){....}-{4:4}, at: __setup_irq+0xc4/0x8a0 #1: ffffff800302ecf0 (&irq_desc_lock_class){....}-{2:2}, at: __setup_irq+0xe4/0x8a0 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc7 #1 Hardware name: Pumpkin MT8516 (DT) Call trace: dump_backtrace+0x0/0x180 show_stack+0x14/0x20 dump_stack+0xd0/0x118 __lock_acquire+0x8c8/0x2270 lock_acquire+0xf8/0x470 _raw_spin_lock_irqsave+0x50/0x78 mtk_sysirq_set_type+0x48/0xc0 __irq_set_trigger+0x58/0x170 __setup_irq+0x420/0x8a0 request_threaded_irq+0xd8/0x190 timer_of_init+0x1e8/0x2c4 mtk_gpt_init+0x5c/0x1dc timer_probe+0x74/0xf4 time_init+0x14/0x44 start_kernel+0x394/0x4f0 Replace the spinlock_t with raw_spinlock_t to avoid this warning. Signed-off-by: Bartosz Golaszewski Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200615074445.3579-1-brgl@bgdev.pl Signed-off-by: Sasha Levin commit 58af26f071018869447053c467f6f1afbaa02241 Author: Antoine Tenart Date: Thu Jun 25 17:42:09 2020 +0200 net: phy: mscc: restore the base page in vsc8514/8584_config_init [ Upstream commit 6119dda34e5d0821959e37641b287576826b6378 ] In the vsc8584_config_init and vsc8514_config_init, the base page is set to 'GPIO', configuration is done, and the page is never explicitly restored to the standard page. No bug was triggered as it turns out helpers called in those config_init functions do modify the base page, and set it back to standard. But that is dangerous and any modification to those functions would introduce bugs. This patch fixes this, to improve maintenance, by restoring the base page to 'standard' once 'GPIO' accesses are completed. Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b0ecffd8339d894d21d9e5b48996ea67f84522c6 Author: Christian König Date: Tue May 12 10:55:58 2020 +0200 drm/radeon: disable AGP by default [ Upstream commit ba806f98f868ce107aa9c453fef751de9980e4af ] Always use the PCI GART instead. We just have to many cases where AGP still causes problems. This means a performance regression for some GPUs, but also a bug fix for some others. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 740bd6f688e1e2fdb4894f588162a2baa3513f52 Author: Michael Tretter Date: Thu Aug 17 12:43:07 2017 +0200 drm/debugfs: fix plain echo to connector "force" attribute [ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] Using plain echo to set the "force" connector attribute fails with -EINVAL, because echo appends a newline to the output. Replace strcmp with sysfs_streq to also accept strings that end with a newline. v2: use sysfs_streq instead of stripping trailing whitespace Signed-off-by: Michael Tretter Reviewed-by: Jani Nikula Signed-off-by: Emil Velikov Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de Signed-off-by: Sasha Levin commit 09ec15c17505c26e3bfbc4988cd072a10ee14c50 Author: Akhil P Oommen Date: Fri Jul 10 02:01:55 2020 +0530 drm/msm: Fix a null pointer access in msm_gem_shrinker_count() [ Upstream commit 3cbdc8d8b7f39a7af3ea7b8dfa75caaebfda4e56 ] Adding an msm_gem_object object to the inactive_list before completing its initialization is a bad idea because shrinker may pick it up from the inactive_list. Fix this by making sure that the initialization is complete before moving the msm_obj object to the inactive list. This patch fixes the below error: [10027.553044] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068 [10027.573305] Mem abort info: [10027.590160] ESR = 0x96000006 [10027.597905] EC = 0x25: DABT (current EL), IL = 32 bits [10027.614430] SET = 0, FnV = 0 [10027.624427] EA = 0, S1PTW = 0 [10027.632722] Data abort info: [10027.638039] ISV = 0, ISS = 0x00000006 [10027.647459] CM = 0, WnR = 0 [10027.654345] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001e3a6a000 [10027.672681] [0000000000000068] pgd=0000000198c31003, pud=0000000198c31003, pmd=0000000000000000 [10027.693900] Internal error: Oops: 96000006 [#1] PREEMPT SMP [10027.738261] CPU: 3 PID: 214 Comm: kswapd0 Tainted: G S 5.4.40 #1 [10027.745766] Hardware name: Qualcomm Technologies, Inc. SC7180 IDP (DT) [10027.752472] pstate: 80c00009 (Nzcv daif +PAN +UAO) [10027.757409] pc : mutex_is_locked+0x14/0x2c [10027.761626] lr : msm_gem_shrinker_count+0x70/0xec [10027.766454] sp : ffffffc011323ad0 [10027.769867] x29: ffffffc011323ad0 x28: ffffffe677e4b878 [10027.775324] x27: 0000000000000cc0 x26: 0000000000000000 [10027.780783] x25: ffffff817114a708 x24: 0000000000000008 [10027.786242] x23: ffffff8023ab7170 x22: 0000000000000001 [10027.791701] x21: ffffff817114a080 x20: 0000000000000119 [10027.797160] x19: 0000000000000068 x18: 00000000000003bc [10027.802621] x17: 0000000004a34210 x16: 00000000000000c0 [10027.808083] x15: 0000000000000000 x14: 0000000000000000 [10027.813542] x13: ffffffe677e0a3c0 x12: 0000000000000000 [10027.819000] x11: 0000000000000000 x10: ffffff8174b94340 [10027.824461] x9 : 0000000000000000 x8 : 0000000000000000 [10027.829919] x7 : 00000000000001fc x6 : ffffffc011323c88 [10027.835373] x5 : 0000000000000001 x4 : ffffffc011323d80 [10027.840832] x3 : ffffffff0477b348 x2 : 0000000000000000 [10027.846290] x1 : ffffffc011323b68 x0 : 0000000000000068 [10027.851748] Call trace: [10027.854264] mutex_is_locked+0x14/0x2c [10027.858121] msm_gem_shrinker_count+0x70/0xec [10027.862603] shrink_slab+0xc0/0x4b4 [10027.866187] shrink_node+0x4a8/0x818 [10027.869860] kswapd+0x624/0x890 [10027.873097] kthread+0x11c/0x12c [10027.876424] ret_from_fork+0x10/0x18 [10027.880102] Code: f9000bf3 910003fd aa0003f3 d503201f (f9400268) [10027.886362] ---[ end trace df5849a1a3543251 ]--- [10027.891518] Kernel panic - not syncing: Fatal exception Signed-off-by: Akhil P Oommen Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 02407cb3b02061b1c603a6c25bcf8d5a6c3fdcf0 Author: Akhil P Oommen Date: Fri Jul 17 20:04:18 2020 +0530 drm: msm: a6xx: fix gpu failure after system resume [ Upstream commit 57c0bd517c06b088106b0236ed604056c8e06da5 ] On targets where GMU is available, GMU takes over the ownership of GX GDSC during its initialization. So, move the refcount-get on GX PD before we initialize the GMU. This ensures that nobody can collapse the GX GDSC once GMU owns the GX GDSC. This patch fixes some GMU OOB errors seen during GPU wake up during a system resume. Reported-by: Matthias Kaehlcke Signed-off-by: Akhil P Oommen Tested-by: Matthias Kaehlcke Reviewed-by: Jordan Crouse Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 7463012000574b27126e238fb1c8662672c5282f Author: Chunfeng Yun Date: Mon Jul 27 15:14:59 2020 +0800 usb: mtu3: clear dual mode of u3port when disable device [ Upstream commit f1e51e99ed498d4aa9ae5df28e43d558ea627781 ] If not clear u3port's dual mode when disable device, the IP will fail to enter sleep mode when suspend. Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/1595834101-13094-10-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f4b63f4c49e619c31413e787b0c66de1aa1d7507 Author: Josef Bacik Date: Fri Jul 17 15:12:29 2020 -0400 btrfs: fix lockdep splat from btrfs_dump_space_info [ Upstream commit ab0db043c35da3477e57d4d516492b2d51a5ca0f ] When running with -o enospc_debug you can get the following splat if one of the dump_space_info's trip ====================================================== WARNING: possible circular locking dependency detected 5.8.0-rc5+ #20 Tainted: G OE ------------------------------------------------------ dd/563090 is trying to acquire lock: ffff9e7dbf4f1e18 (&ctl->tree_lock){+.+.}-{2:2}, at: btrfs_dump_free_space+0x2b/0xa0 [btrfs] but task is already holding lock: ffff9e7e2284d428 (&cache->lock){+.+.}-{2:2}, at: btrfs_dump_space_info+0xaa/0x120 [btrfs] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&cache->lock){+.+.}-{2:2}: _raw_spin_lock+0x25/0x30 btrfs_add_reserved_bytes+0x3c/0x3c0 [btrfs] find_free_extent+0x7ef/0x13b0 [btrfs] btrfs_reserve_extent+0x9b/0x180 [btrfs] btrfs_alloc_tree_block+0xc1/0x340 [btrfs] alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] __btrfs_cow_block+0x122/0x530 [btrfs] btrfs_cow_block+0x106/0x210 [btrfs] commit_cowonly_roots+0x55/0x300 [btrfs] btrfs_commit_transaction+0x4ed/0xac0 [btrfs] sync_filesystem+0x74/0x90 generic_shutdown_super+0x22/0x100 kill_anon_super+0x14/0x30 btrfs_kill_super+0x12/0x20 [btrfs] deactivate_locked_super+0x36/0x70 cleanup_mnt+0x104/0x160 task_work_run+0x5f/0x90 __prepare_exit_to_usermode+0x1bd/0x1c0 do_syscall_64+0x5e/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #2 (&space_info->lock){+.+.}-{2:2}: _raw_spin_lock+0x25/0x30 btrfs_block_rsv_release+0x1a6/0x3f0 [btrfs] btrfs_inode_rsv_release+0x4f/0x170 [btrfs] btrfs_clear_delalloc_extent+0x155/0x480 [btrfs] clear_state_bit+0x81/0x1a0 [btrfs] __clear_extent_bit+0x25c/0x5d0 [btrfs] clear_extent_bit+0x15/0x20 [btrfs] btrfs_invalidatepage+0x2b7/0x3c0 [btrfs] truncate_cleanup_page+0x47/0xe0 truncate_inode_pages_range+0x238/0x840 truncate_pagecache+0x44/0x60 btrfs_setattr+0x202/0x5e0 [btrfs] notify_change+0x33b/0x490 do_truncate+0x76/0xd0 path_openat+0x687/0xa10 do_filp_open+0x91/0x100 do_sys_openat2+0x215/0x2d0 do_sys_open+0x44/0x80 do_syscall_64+0x52/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #1 (&tree->lock#2){+.+.}-{2:2}: _raw_spin_lock+0x25/0x30 find_first_extent_bit+0x32/0x150 [btrfs] write_pinned_extent_entries.isra.0+0xc5/0x100 [btrfs] __btrfs_write_out_cache+0x172/0x480 [btrfs] btrfs_write_out_cache+0x7a/0xf0 [btrfs] btrfs_write_dirty_block_groups+0x286/0x3b0 [btrfs] commit_cowonly_roots+0x245/0x300 [btrfs] btrfs_commit_transaction+0x4ed/0xac0 [btrfs] close_ctree+0xf9/0x2f5 [btrfs] generic_shutdown_super+0x6c/0x100 kill_anon_super+0x14/0x30 btrfs_kill_super+0x12/0x20 [btrfs] deactivate_locked_super+0x36/0x70 cleanup_mnt+0x104/0x160 task_work_run+0x5f/0x90 __prepare_exit_to_usermode+0x1bd/0x1c0 do_syscall_64+0x5e/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #0 (&ctl->tree_lock){+.+.}-{2:2}: __lock_acquire+0x1240/0x2460 lock_acquire+0xab/0x360 _raw_spin_lock+0x25/0x30 btrfs_dump_free_space+0x2b/0xa0 [btrfs] btrfs_dump_space_info+0xf4/0x120 [btrfs] btrfs_reserve_extent+0x176/0x180 [btrfs] __btrfs_prealloc_file_range+0x145/0x550 [btrfs] cache_save_setup+0x28d/0x3b0 [btrfs] btrfs_start_dirty_block_groups+0x1fc/0x4f0 [btrfs] btrfs_commit_transaction+0xcc/0xac0 [btrfs] btrfs_alloc_data_chunk_ondemand+0x162/0x4c0 [btrfs] btrfs_check_data_free_space+0x4c/0xa0 [btrfs] btrfs_buffered_write.isra.0+0x19b/0x740 [btrfs] btrfs_file_write_iter+0x3cf/0x610 [btrfs] new_sync_write+0x11e/0x1b0 vfs_write+0x1c9/0x200 ksys_write+0x68/0xe0 do_syscall_64+0x52/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 other info that might help us debug this: Chain exists of: &ctl->tree_lock --> &space_info->lock --> &cache->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&cache->lock); lock(&space_info->lock); lock(&cache->lock); lock(&ctl->tree_lock); *** DEADLOCK *** 6 locks held by dd/563090: #0: ffff9e7e21d18448 (sb_writers#14){.+.+}-{0:0}, at: vfs_write+0x195/0x200 #1: ffff9e7dd0410ed8 (&sb->s_type->i_mutex_key#19){++++}-{3:3}, at: btrfs_file_write_iter+0x86/0x610 [btrfs] #2: ffff9e7e21d18638 (sb_internal#2){.+.+}-{0:0}, at: start_transaction+0x40b/0x5b0 [btrfs] #3: ffff9e7e1f05d688 (&cur_trans->cache_write_mutex){+.+.}-{3:3}, at: btrfs_start_dirty_block_groups+0x158/0x4f0 [btrfs] #4: ffff9e7e2284ddb8 (&space_info->groups_sem){++++}-{3:3}, at: btrfs_dump_space_info+0x69/0x120 [btrfs] #5: ffff9e7e2284d428 (&cache->lock){+.+.}-{2:2}, at: btrfs_dump_space_info+0xaa/0x120 [btrfs] stack backtrace: CPU: 3 PID: 563090 Comm: dd Tainted: G OE 5.8.0-rc5+ #20 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./890FX Deluxe5, BIOS P1.40 05/03/2011 Call Trace: dump_stack+0x96/0xd0 check_noncircular+0x162/0x180 __lock_acquire+0x1240/0x2460 ? wake_up_klogd.part.0+0x30/0x40 lock_acquire+0xab/0x360 ? btrfs_dump_free_space+0x2b/0xa0 [btrfs] _raw_spin_lock+0x25/0x30 ? btrfs_dump_free_space+0x2b/0xa0 [btrfs] btrfs_dump_free_space+0x2b/0xa0 [btrfs] btrfs_dump_space_info+0xf4/0x120 [btrfs] btrfs_reserve_extent+0x176/0x180 [btrfs] __btrfs_prealloc_file_range+0x145/0x550 [btrfs] ? btrfs_qgroup_reserve_data+0x1d/0x60 [btrfs] cache_save_setup+0x28d/0x3b0 [btrfs] btrfs_start_dirty_block_groups+0x1fc/0x4f0 [btrfs] btrfs_commit_transaction+0xcc/0xac0 [btrfs] ? start_transaction+0xe0/0x5b0 [btrfs] btrfs_alloc_data_chunk_ondemand+0x162/0x4c0 [btrfs] btrfs_check_data_free_space+0x4c/0xa0 [btrfs] btrfs_buffered_write.isra.0+0x19b/0x740 [btrfs] ? ktime_get_coarse_real_ts64+0xa8/0xd0 ? trace_hardirqs_on+0x1c/0xe0 btrfs_file_write_iter+0x3cf/0x610 [btrfs] new_sync_write+0x11e/0x1b0 vfs_write+0x1c9/0x200 ksys_write+0x68/0xe0 do_syscall_64+0x52/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This is because we're holding the block_group->lock while trying to dump the free space cache. However we don't need this lock, we just need it to read the values for the printk, so move the free space cache dumping outside of the block group lock. Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 1163c38e7e03dd19413efa70e5436b1ec672e555 Author: Masahiro Yamada Date: Mon Jul 20 15:11:41 2020 +0900 mmc: sdhci-cadence: do not use hardware tuning for SD mode [ Upstream commit adc40a5179df30421a5537bfeb4545100ab97d5e ] As commit ef6b75671b5f ("mmc: sdhci-cadence: send tune request twice to work around errata") stated, this IP has an errata. This commit applies the second workaround for the SD mode. Due to the errata, it is not possible to use the hardware tuning provided by SDHCI_HOST_CONTROL2. Use the software-controlled tuning like the eMMC mode. Set sdhci_host_ops::platform_execute_tuning instead of overriding mmc_host_ops::execute_tuning. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20200720061141.172944-1-yamada.masahiro@socionext.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 8998c915db65cc3d1971cd243ca58eb1a39d9c69 Author: Aditya Pakki Date: Sat Jun 13 20:41:56 2020 -0500 drm/nouveau: fix multiple instances of reference count leaks [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit 06d5a05fd6e81eee826cf9a47b0f01ce55011629 Author: Aditya Pakki Date: Sat Jun 13 20:48:37 2020 -0500 drm/nouveau: fix reference count leak in nouveau_debugfs_strap_peek [ Upstream commit 8f29432417b11039ef960ab18987c7d61b2b5396 ] nouveau_debugfs_strap_peek() calls pm_runtime_get_sync() that increments the reference count. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit fc20f2ac67b0aa31254d5363f96ed85e4506731c Author: Krzysztof Kozlowski Date: Mon Jul 20 13:03:01 2020 +0200 memory: samsung: exynos5422-dmc: Do not ignore return code of regmap_read() [ Upstream commit c4f16e96d8fdd62ef12898fc0965c42093bed237 ] Check for regmap_read() return code before using the read value in following write in exynos5_switch_timing_regs(). Pass reading error code to the callers. This does not introduce proper error handling for such failed reads (and obviously regmap_write() error is still ignored) because the driver ignored this in all places. Therefor it only fixes reported issue while matching current driver coding style: drivers/memory/samsung/exynos5422-dmc.c: In function 'exynos5_switch_timing_regs': >> drivers/memory/samsung/exynos5422-dmc.c:216:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] Reported-by: kernel test robot Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 29c1bca537ec44e67718e3972dcfaf7db1ac97e4 Author: Navid Emamdoost Date: Mon Jun 15 01:12:20 2020 -0500 drm/etnaviv: fix ref count leak via pm_runtime_get_sync [ Upstream commit c5d5a32ead1e3a61a07a1e59eb52a53e4a6b2a7f ] in etnaviv_gpu_submit, etnaviv_gpu_recover_hang, etnaviv_gpu_debugfs, and etnaviv_gpu_init the call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Lucas Stach Signed-off-by: Sasha Levin commit f997c3409c6668dca6411224ff67bd3f670ba36b Author: Ricardo Cañuelo Date: Mon Jun 1 08:33:06 2020 +0200 arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding [ Upstream commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 ] hi3660-hikey960.dts: Define a 'ports' node for 'adv7533: adv7533@39' and the 'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT binding. This fills the requirements to meet the binding requirements, remote endpoints are not defined. hi6220-hikey.dts: Change property name s/pd-gpio/pd-gpios, gpio properties should be plural. This is just a cosmetic change. Signed-off-by: Ricardo Cañuelo Acked-by: Laurent Pinchart Signed-off-by: Wei Xu Signed-off-by: Sasha Levin commit bef697bb84db5f63f5d2a2dacb4e5407d09163d4 Author: Lyude Paul Date: Tue Mar 17 14:54:06 2020 -0400 drm/nouveau/kms/nv50-: Fix disabling dithering [ Upstream commit fb2420b701edbf96c2b6d557f0139902f455dc2b ] While we expose the ability to turn off hardware dithering for nouveau, we actually make the mistake of turning it on anyway, due to dithering_depth containing a non-zero value if our dithering depth isn't also set to 6 bpc. So, fix it by never enabling dithering when it's disabled. Signed-off-by: Lyude Paul Reviewed-by: Ben Skeggs Acked-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20200627194657.156514-6-lyude@redhat.com Signed-off-by: Sasha Levin commit 03b28cfe00fee18bd62b41f293d64457e47eb437 Author: Zhao Heming Date: Thu Jul 9 11:29:29 2020 +0800 md-cluster: fix wild pointer of unlock_all_bitmaps() [ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ] reproduction steps: ``` node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb node1 # mdadm -G /dev/md0 -b none mdadm: failed to remove clustered bitmap. node1 # mdadm -S --scan ^C <==== mdadm hung & kernel crash ``` kernel stack: ``` [ 335.230657] general protection fault: 0000 [#1] SMP NOPTI [...] [ 335.230848] Call Trace: [ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster] [ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster] [ 335.230899] leave+0x10f/0x190 [md_cluster] [ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod] [ 335.230947] ? leave+0x5/0x190 [md_cluster] [ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod] [ 335.230999] md_bitmap_free+0x142/0x150 [md_mod] [ 335.231013] ? _cond_resched+0x15/0x40 [ 335.231025] ? mutex_lock+0xe/0x30 [ 335.231056] __md_stop+0x1c/0xa0 [md_mod] [ 335.231083] do_md_stop+0x160/0x580 [md_mod] [ 335.231119] ? 0xffffffffc05fb078 [ 335.231148] md_ioctl+0xa04/0x1930 [md_mod] [ 335.231165] ? filename_lookup+0xf2/0x190 [ 335.231179] blkdev_ioctl+0x93c/0xa10 [ 335.231205] ? _cond_resched+0x15/0x40 [ 335.231214] ? __check_object_size+0xd4/0x1a0 [ 335.231224] block_ioctl+0x39/0x40 [ 335.231243] do_vfs_ioctl+0xa0/0x680 [ 335.231253] ksys_ioctl+0x70/0x80 [ 335.231261] __x64_sys_ioctl+0x16/0x20 [ 335.231271] do_syscall_64+0x65/0x1f0 [ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 ``` Signed-off-by: Zhao Heming Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit c4b89586b298dd8365359899dcff43ed26b93651 Author: Tony Lindgren Date: Mon Jul 13 09:59:47 2020 -0700 bus: ti-sysc: Add missing quirk flags for usb_host_hs [ Upstream commit 4254632dba27271f6de66efd87e444ee405dee29 ] Similar to what we have for the legacy platform data, we need to configure SWSUP_SIDLE and SWSUP_MSTANDBY quirks for usb_host_hs. These are needed to drop the legacy platform data for usb_host_hs. Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 4c70624479fafec7a4ea50383a5ed05ec32c02f3 Author: Evgeny Novikov Date: Tue Jun 30 22:54:51 2020 +0300 video: fbdev: neofb: fix memory leak in neo_scan_monitor() [ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] neofb_probe() calls neo_scan_monitor() that can successfully allocate a memory for info->monspecs.modedb and proceed to case 0x03. There it does not free the memory and returns -1. neofb_probe() goes to label err_scan_monitor, thus, it does not free this memory through calling fb_destroy_modedb() as well. We can not go to label err_init_hw since neo_scan_monitor() can fail during memory allocation. So, the patch frees the memory directly for case 0x03. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Cc: Jani Nikula Cc: Mike Rapoport Cc: Daniel Vetter Cc: Andrew Morton Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru Signed-off-by: Sasha Levin commit 61bd7cfde8a4a47801a86bd70cc4dd949d5c5043 Author: Evgeny Novikov Date: Fri Jun 19 19:21:36 2020 +0300 video: fbdev: savage: fix memory leak on error handling path in probe [ Upstream commit e8d35898a78e34fc854ed9680bc3f9caedab08cd ] savagefb_probe() calls savage_init_fb_info() that can successfully allocate memory for info->pixmap.addr but then fail when fb_alloc_cmap() fails. savagefb_probe() goes to label failed_init and does not free allocated memory. It is not valid to go to label failed_mmio since savage_init_fb_info() can fail during memory allocation as well. So, the patch free allocated memory on the error handling path in savage_init_fb_info() itself. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Cc: Antonino Daplas Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200619162136.9010-1-novikov@ispras.ru Signed-off-by: Sasha Levin commit 0acffa0b3e5fd95b9b3c3c5ecccd09c7579f3edd Author: Sedat Dilek Date: Fri Jul 3 16:32:06 2020 +0200 crypto: aesni - Fix build with LLVM_IAS=1 [ Upstream commit 3347c8a079d67af21760a78cc5f2abbcf06d9571 ] When building with LLVM_IAS=1 means using Clang's Integrated Assembly (IAS) from LLVM/Clang >= v10.0.1-rc1+ instead of GNU/as from GNU/binutils I see the following breakage in Debian/testing AMD64: :15:74: error: too many positional arguments PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, ^ arch/x86/crypto/aesni-intel_asm.S:1598:2: note: while in macro instantiation GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) ^ :47:2: error: unknown use of instruction mnemonic without a size suffix GHASH_4_ENCRYPT_4_PARALLEL_dec %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc ^ arch/x86/crypto/aesni-intel_asm.S:1599:2: note: while in macro instantiation GCM_ENC_DEC dec ^ :15:74: error: too many positional arguments PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, ^ arch/x86/crypto/aesni-intel_asm.S:1686:2: note: while in macro instantiation GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) ^ :47:2: error: unknown use of instruction mnemonic without a size suffix GHASH_4_ENCRYPT_4_PARALLEL_enc %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc ^ arch/x86/crypto/aesni-intel_asm.S:1687:2: note: while in macro instantiation GCM_ENC_DEC enc Craig Topper suggested me in ClangBuiltLinux issue #1050: > I think the "too many positional arguments" is because the parser isn't able > to handle the trailing commas. > > The "unknown use of instruction mnemonic" is because the macro was named > GHASH_4_ENCRYPT_4_PARALLEL_DEC but its being instantiated with > GHASH_4_ENCRYPT_4_PARALLEL_dec I guess gas ignores case on the > macro instantiation, but llvm doesn't. First, I removed the trailing comma in the PRECOMPUTE line. Second, I substituted: 1. GHASH_4_ENCRYPT_4_PARALLEL_DEC -> GHASH_4_ENCRYPT_4_PARALLEL_dec 2. GHASH_4_ENCRYPT_4_PARALLEL_ENC -> GHASH_4_ENCRYPT_4_PARALLEL_enc With these changes I was able to build with LLVM_IAS=1 and boot on bare metal. I confirmed that this works with Linux-kernel v5.7.5 final. NOTE: This patch is on top of Linux v5.7 final. Thanks to Craig and especially Nick for double-checking and his comments. Suggested-by: Craig Topper Suggested-by: Craig Topper Suggested-by: Nick Desaulniers Reviewed-by: Nick Desaulniers Cc: "ClangBuiltLinux" Link: https://github.com/ClangBuiltLinux/linux/issues/1050 Link: https://bugs.llvm.org/show_bug.cgi?id=24494 Signed-off-by: Sedat Dilek Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f097e7aecaaa4e9b2135eb10c86abdb7871cd2ec Author: Aditya Pakki Date: Sat Jun 13 21:21:22 2020 -0500 drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync [ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Acked-by: Evan Quan Signed-off-by: Aditya Pakki Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit df1bd56e839e2461df3b0699a66d482e45ce2679 Author: Jack Xiao Date: Wed Jun 5 16:30:13 2019 +0800 drm/amdgpu: avoid dereferencing a NULL pointer [ Upstream commit 55611b507fd6453d26030c0c0619fdf0c262766d ] Check if irq_src is NULL to avoid dereferencing a NULL pointer, for MES ring is uneccessary to recieve an interrupt notification. Signed-off-by: Jack Xiao Acked-by: Alex Deucher Reviewed-by: Hawking Zhang Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 837d59cc0284e37cdcf042df99fb8beb51fae1ed Author: Paul E. McKenney Date: Fri May 8 14:15:37 2020 -0700 fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls [ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] Very large I/Os can cause the following RCU CPU stall warning: RIP: 0010:rb_prev+0x8/0x50 Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = 89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 __lookup_extent_mapping+0xa0/0x110 try_release_extent_mapping+0xdc/0x220 btrfs_releasepage+0x45/0x70 shrink_page_list+0xa39/0xb30 shrink_inactive_list+0x18f/0x3b0 shrink_lruvec+0x38e/0x6b0 shrink_node+0x14d/0x690 do_try_to_free_pages+0xc6/0x3e0 try_to_free_mem_cgroup_pages+0xe6/0x1e0 reclaim_high.constprop.73+0x87/0xc0 mem_cgroup_handle_over_high+0x66/0x150 exit_to_usermode_loop+0x82/0xd0 do_syscall_64+0xd4/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 On a PREEMPT=n kernel, the try_release_extent_mapping() function's "while" loop might run for a very long time on a large I/O. This commit therefore adds a cond_resched() to this loop, providing RCU any needed quiescent states. Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 693b925a301f66fcf46c1daffb0053850b0ca6f9 Author: Pavel Begunkov Date: Sat Jun 27 14:04:59 2020 +0300 io_uring: fix req->work corruption [ Upstream commit 8ef77766ba8694968ed4ba24311b4bacee14f235 ] req->work and req->task_work are in a union, so io_req_task_queue() screws everything that was in work. De-union them for now. [ 704.367253] BUG: unable to handle page fault for address: ffffffffaf7330d0 [ 704.367256] #PF: supervisor write access in kernel mode [ 704.367256] #PF: error_code(0x0003) - permissions violation [ 704.367261] CPU: 6 PID: 1654 Comm: io_wqe_worker-0 Tainted: G I 5.8.0-rc2-00038-ge28d0bdc4863-dirty #498 [ 704.367265] RIP: 0010:_raw_spin_lock+0x1e/0x36 ... [ 704.367276] __alloc_fd+0x35/0x150 [ 704.367279] __get_unused_fd_flags+0x25/0x30 [ 704.367280] io_openat2+0xcb/0x1b0 [ 704.367283] io_issue_sqe+0x36a/0x1320 [ 704.367294] io_wq_submit_work+0x58/0x160 [ 704.367295] io_worker_handle_work+0x2a3/0x430 [ 704.367296] io_wqe_worker+0x2a0/0x350 [ 704.367301] kthread+0x136/0x180 [ 704.367304] ret_from_fork+0x22/0x30 Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 69accb89e0c2932f9c4714f9b88a5f93916c05b3 Author: Luis Chamberlain Date: Fri Jun 19 20:47:27 2020 +0000 loop: be paranoid on exit and prevent new additions / removals [ Upstream commit 200f93377220504c5e56754823e7adfea6037f1a ] Be pedantic on removal as well and hold the mutex. This should prevent uses of addition while we exit. Signed-off-by: Luis Chamberlain Reviewed-by: Ming Lei Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 38964e03097153f7bdbddf2138f223912e7a180a Author: Lihong Kou Date: Tue Jun 23 20:28:41 2020 +0800 Bluetooth: add a mutex lock to avoid UAF in do_enale_set [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] In the case we set or free the global value listen_chan in different threads, we can encounter the UAF problems because the method is not protected by any lock, add one to avoid this bug. BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events do_enable_set Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fb/0x318 lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:374 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:641 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 2870: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 chan_create net/bluetooth/6lowpan.c:640 [inline] bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 2870: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 __cache_free mm/slab.c:3426 [inline] kfree+0x10d/0x220 mm/slab.c:3757 l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff888096950000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 0 bytes inside of 2048-byte region [ffff888096950000, ffff888096950800) The buggy address belongs to the page: page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com Signed-off-by: Lihong Kou Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 420ff353cbd94469189497c6eb4e80459f7d796c Author: Guillaume Tucker Date: Fri Jun 12 14:58:37 2020 +0100 ARM: exynos: clear L310_AUX_CTRL_FULL_LINE_ZERO in default l2c_aux_val [ Upstream commit 5b17a04addc29201dc142c8d2c077eb7745d2e35 ] This "alert" error message can be seen on exynos4412-odroidx2: L2C: platform modifies aux control register: 0x02070000 -> 0x3e470001 L2C: platform provided aux values permit register corruption. Followed by this plain error message: L2C-310: enabling full line of zeros but not enabled in Cortex-A9 To fix it, don't set the L310_AUX_CTRL_FULL_LINE_ZERO flag (bit 0) in the default value of l2c_aux_val. It may instead be enabled when applicable by the logic in l2c310_enable() if the attribute "arm,full-line-zero-disable" was set in the device tree. The initial commit that introduced this default value was in v2.6.38 commit 1cf0eb799759 ("ARM: S5PV310: Add L2 cache init function in cpu.c"). However, the code to set the L310_AUX_CTRL_FULL_LINE_ZERO flag and manage that feature was added much later and the default value was not updated then. So this seems to have been a subtle oversight especially since enabling it only in the cache and not in the A9 core doesn't actually prevent the platform from running. According to the TRM, the opposite would be a real issue, if the feature was enabled in the A9 core but not in the cache controller. Reported-by: "kernelci.org bot" Signed-off-by: Guillaume Tucker Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 12777bc94c2e7719e27a70bc0dfd930ccc189cd2 Author: Vladimir Oltean Date: Sun Jun 21 14:45:59 2020 +0300 net: mscc: ocelot: fix encoding destination ports into multicast IPv4 address [ Upstream commit 0897ecf7532577bda3dbcb043ce046a96948889d ] The ocelot hardware designers have made some hacks to support multicast IPv4 and IPv6 addresses. Normally, the MAC table matches on MAC addresses and the destination ports are selected through the DEST_IDX field of the respective MAC table entry. The DEST_IDX points to a Port Group ID (PGID) which contains the bit mask of ports that frames should be forwarded to. But there aren't a lot of PGIDs (only 80 or so) and there are clearly many more IP multicast addresses than that, so it doesn't scale to use this PGID mechanism, so something else was done. Since the first portion of the MAC address is known, the hack they did was to use a single PGID for _flooding_ unknown IPv4 multicast (PGID_MCIPV4 == 62), but for known IP multicast, embed the destination ports into the first 3 bytes of the MAC address recorded in the MAC table. The VSC7514 datasheet explains it like this: 3.9.1.5 IPv4 Multicast Entries MAC table entries with the ENTRY_TYPE = 2 settings are interpreted as IPv4 multicast entries. IPv4 multicasts entries match IPv4 frames, which are classified to the specified VID, and which have DMAC = 0x01005Exxxxxx, where xxxxxx is the lower 24 bits of the MAC address in the entry. Instead of a lookup in the destination mask table (PGID), the destination set is programmed as part of the entry MAC address. This is shown in the following table. Table 78: IPv4 Multicast Destination Mask Destination Ports Record Bit Field --------------------------------------------- Ports 10-0 MAC[34-24] Example: All IPv4 multicast frames in VLAN 12 with MAC 01005E112233 are to be forwarded to ports 3, 8, and 9. This is done by inserting the following entry in the MAC table entry: VALID = 1 VID = 12 MAC = 0x000308112233 ENTRY_TYPE = 2 DEST_IDX = 0 But this procedure is not at all what's going on in the driver. In fact, the code that embeds the ports into the MAC address looks like it hasn't actually been tested. This patch applies the procedure described in the datasheet. Since there are many other fixes to be made around multicast forwarding until it works properly, there is no real reason for this patch to be backported to stable trees, or considered a real fix of something that should have worked. Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 05de16779b80a2993dc756cc7f0b1118f0b5a6eb Author: Maulik Shah Date: Mon Jun 22 12:23:25 2020 +0530 soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag [ Upstream commit 1a53ce9ab4faeb841b33d62d23283dc76c0e7c5a ] rpmh-rsc driver is fairly core to system and should not be removable once its probed. However it allows to unbind driver from sysfs using below command which results into a crash on sc7180. echo 18200000.rsc > /sys/bus/platform/drivers/rpmh/unbind Lets prevent unbind at runtime by setting suppress_bind_attrs flag. Reviewed-by: Stephen Boyd Signed-off-by: Maulik Shah Link: https://lore.kernel.org/r/1592808805-2437-1-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 665a80d7aa8ccc163b7ea75a35d48f09299b199f Author: Tomi Valkeinen Date: Wed Apr 29 13:42:32 2020 +0300 drm/tilcdc: fix leak & null ref in panel_connector_get_modes [ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] If videomode_from_timings() returns true, the mode allocated with drm_mode_create will be leaked. Also, the return value of drm_mode_create() is never checked, and thus could cause NULL deref. Fix these two issues. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com Reviewed-by: Jyri Sarha Acked-by: Sam Ravnborg Signed-off-by: Sasha Levin commit 8904c89418a5a691b16be9d862e8bda5f0332803 Author: Johannes Thumshirn Date: Thu Jul 30 20:25:17 2020 +0900 block: don't do revalidate zones on invalid devices [ Upstream commit 1a1206dc4cf02cee4b5cbce583ee4c22368b4c28 ] When we loose a device for whatever reason while (re)scanning zones, we trip over a NULL pointer in blk_revalidate_zone_cb, like in the following log: sd 0:0:0:0: [sda] 3418095616 4096-byte logical blocks: (14.0 TB/12.7 TiB) sd 0:0:0:0: [sda] 52156 zones of 65536 logical blocks sd 0:0:0:0: [sda] Write Protect is off sd 0:0:0:0: [sda] Mode Sense: 37 00 00 08 sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA sd 0:0:0:0: [sda] REPORT ZONES start lba 1065287680 failed sd 0:0:0:0: [sda] REPORT ZONES: Result: hostbyte=0x00 driverbyte=0x08 sd 0:0:0:0: [sda] Sense Key : 0xb [current] sd 0:0:0:0: [sda] ASC=0x0 ASCQ=0x6 sda: failed to revalidate zones sd 0:0:0:0: [sda] 0 4096-byte logical blocks: (0 B/0 B) sda: detected capacity change from 14000519643136 to 0 ================================================================== BUG: KASAN: null-ptr-deref in blk_revalidate_zone_cb+0x1b7/0x550 Write of size 8 at addr 0000000000000010 by task kworker/u4:1/58 CPU: 1 PID: 58 Comm: kworker/u4:1 Not tainted 5.8.0-rc1 #692 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014 Workqueue: events_unbound async_run_entry_fn Call Trace: dump_stack+0x7d/0xb0 ? blk_revalidate_zone_cb+0x1b7/0x550 kasan_report.cold+0x5/0x37 ? blk_revalidate_zone_cb+0x1b7/0x550 check_memory_region+0x145/0x1a0 blk_revalidate_zone_cb+0x1b7/0x550 sd_zbc_parse_report+0x1f1/0x370 ? blk_req_zone_write_trylock+0x200/0x200 ? sectors_to_logical+0x60/0x60 ? blk_req_zone_write_trylock+0x200/0x200 ? blk_req_zone_write_trylock+0x200/0x200 sd_zbc_report_zones+0x3c4/0x5e0 ? sd_dif_config_host+0x500/0x500 blk_revalidate_disk_zones+0x231/0x44d ? _raw_write_lock_irqsave+0xb0/0xb0 ? blk_queue_free_zone_bitmaps+0xd0/0xd0 sd_zbc_read_zones+0x8cf/0x11a0 sd_revalidate_disk+0x305c/0x64e0 ? __device_add_disk+0x776/0xf20 ? read_capacity_16.part.0+0x1080/0x1080 ? blk_alloc_devt+0x250/0x250 ? create_object.isra.0+0x595/0xa20 ? kasan_unpoison_shadow+0x33/0x40 sd_probe+0x8dc/0xcd2 really_probe+0x20e/0xaf0 __driver_attach_async_helper+0x249/0x2d0 async_run_entry_fn+0xbe/0x560 process_one_work+0x764/0x1290 ? _raw_read_unlock_irqrestore+0x30/0x30 worker_thread+0x598/0x12f0 ? __kthread_parkme+0xc6/0x1b0 ? schedule+0xed/0x2c0 ? process_one_work+0x1290/0x1290 kthread+0x36b/0x440 ? kthread_create_worker_on_cpu+0xa0/0xa0 ret_from_fork+0x22/0x30 ================================================================== When the device is already gone we end up with the following scenario: The device's capacity is 0 and thus the number of zones will be 0 as well. When allocating the bitmap for the conventional zones, we then trip over a NULL pointer. So if we encounter a zoned block device with a 0 capacity, don't dare to revalidate the zones sizes. Fixes: 6c6b35491422 ("block: set the zone size in blk_revalidate_disk_zones atomically") Signed-off-by: Johannes Thumshirn Reviewed-by: Damien Le Moal Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit feb237bfb25b2d832274c991f0863cf2356aaed9 Author: Hannes Reinecke Date: Mon Jul 27 18:08:03 2020 +0200 nvme-multipath: do not fall back to __nvme_find_path() for non-optimized paths [ Upstream commit fbd6a42d8932e172921c7de10468a2e12c34846b ] When nvme_round_robin_path() finds a valid namespace we should be using it; falling back to __nvme_find_path() for non-optimized paths will cause the result from nvme_round_robin_path() to be ignored for non-optimized paths. Fixes: 75c10e732724 ("nvme-multipath: round-robin I/O policy") Signed-off-by: Martin Wilck Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit b67cbeeaae05bf41f2365f03df4eaf01f2cb5fa0 Author: Martin Wilck Date: Mon Jul 27 18:08:02 2020 +0200 nvme-multipath: fix logic for non-optimized paths [ Upstream commit 3f6e3246db0e6f92e784965d9d0edb8abe6c6b74 ] Handle the special case where we have exactly one optimized path, which we should keep using in this case. Fixes: 75c10e732724 ("nvme-multipath: round-robin I/O policy") Signed off-by: Martin Wilck Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit a73a218d7f6114b9358be58e7677a155eaf93e7b Author: Sagi Grimberg Date: Mon Jul 27 17:32:09 2020 -0700 nvme-rdma: fix controller reset hang during traffic [ Upstream commit 9f98772ba307dd89a3d17dc2589f213d3972fc64 ] commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") exposed an issue where we may hang trying to wait for queue freeze during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple queue maps (which we have now for default/read/poll) is attempting to freeze the queue. However we never started queue freeze when starting the reset, which means that we have inflight pending requests that entered the queue that we will not complete once the queue is quiesced. So start a freeze before we quiesce the queue, and unfreeze the queue after we successfully connected the I/O queues (and make sure to call blk_mq_update_nr_hw_queues only after we are sure that the queue was already frozen). This follows to how the pci driver handles resets. Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 671b0ede197cbc5b120c15b3f5be65294fe9daf5 Author: Sagi Grimberg Date: Fri Jul 24 15:10:12 2020 -0700 nvme-tcp: fix controller reset hang during traffic [ Upstream commit 2875b0aecabe2f081a8432e2bc85b85df0529490 ] commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") exposed an issue where we may hang trying to wait for queue freeze during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple queue maps (which we have now for default/read/poll) is attempting to freeze the queue. However we never started queue freeze when starting the reset, which means that we have inflight pending requests that entered the queue that we will not complete once the queue is quiesced. So start a freeze before we quiesce the queue, and unfreeze the queue after we successfully connected the I/O queues (and make sure to call blk_mq_update_nr_hw_queues only after we are sure that the queue was already frozen). This follows to how the pci driver handles resets. Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 9dcd0ec3989f6f838d0fccf1c2780c6c62819133 Author: Zenghui Yu Date: Tue Jun 30 21:37:46 2020 +0800 irqchip/gic-v4.1: Use GFP_ATOMIC flag in allocate_vpe_l1_table() [ Upstream commit d1bd7e0ba533a2a6f313579ec9b504f6614c35c4 ] Booting the latest kernel with DEBUG_ATOMIC_SLEEP=y on a GICv4.1 enabled box, I get the following kernel splat: [ 0.053766] BUG: sleeping function called from invalid context at mm/slab.h:567 [ 0.053767] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/1 [ 0.053769] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.8.0-rc3+ #23 [ 0.053770] Call trace: [ 0.053774] dump_backtrace+0x0/0x218 [ 0.053775] show_stack+0x2c/0x38 [ 0.053777] dump_stack+0xc4/0x10c [ 0.053779] ___might_sleep+0xfc/0x140 [ 0.053780] __might_sleep+0x58/0x90 [ 0.053782] slab_pre_alloc_hook+0x7c/0x90 [ 0.053783] kmem_cache_alloc_trace+0x60/0x2f0 [ 0.053785] its_cpu_init+0x6f4/0xe40 [ 0.053786] gic_starting_cpu+0x24/0x38 [ 0.053788] cpuhp_invoke_callback+0xa0/0x710 [ 0.053789] notify_cpu_starting+0xcc/0xd8 [ 0.053790] secondary_start_kernel+0x148/0x200 # ./scripts/faddr2line vmlinux its_cpu_init+0x6f4/0xe40 its_cpu_init+0x6f4/0xe40: allocate_vpe_l1_table at drivers/irqchip/irq-gic-v3-its.c:2818 (inlined by) its_cpu_init_lpis at drivers/irqchip/irq-gic-v3-its.c:3138 (inlined by) its_cpu_init at drivers/irqchip/irq-gic-v3-its.c:5166 It turned out that we're allocating memory using GFP_KERNEL (may sleep) within the CPU hotplug notifier, which is indeed an atomic context. Bad thing may happen if we're playing on a system with more than a single CommonLPIAff group. Avoid it by turning this into an atomic allocation. Fixes: 5e5168461c22 ("irqchip/gic-v4.1: VPE table (aka GICR_VPROPBASER) allocation") Signed-off-by: Zenghui Yu Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200630133746.816-1-yuzenghui@huawei.com Signed-off-by: Sasha Levin commit ff25d0c5a5e5db655602b74fd2bf6e7908b10473 Author: Florian Fainelli Date: Fri Jul 24 11:41:56 2020 -0700 irqchip/irq-bcm7038-l1: Guard uses of cpu_logical_map [ Upstream commit 9808357ff2e5bfe1e0dcafef5e78cc5b617a7078 ] cpu_logical_map is only defined for CONFIG_SMP builds, when we are in an UP configuration, the boot CPU is 0. Fixes: 6468fc18b006 ("irqchip/irq-bcm7038-l1: Add PM support") Reported-by: kernel test robot Signed-off-by: Florian Fainelli Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200724184157.29150-1-f.fainelli@gmail.com Signed-off-by: Sasha Levin commit 1c69d514785c723351c42a8d29aab295edd0ca50 Author: Tiezhu Yang Date: Tue Jul 7 10:12:51 2020 +0800 irqchip/loongson-liointc: Fix potential dead lock [ Upstream commit fa03587cad9bd32aa552377de4f05c50181a35a8 ] In the function liointc_set_type(), we need to call the function irq_gc_unlock_irqrestore() before returning. Fixes: dbb152267908 ("irqchip: Add driver for Loongson I/O Local Interrupt Controller") Reported-by: Jianmin Lv Signed-off-by: Tiezhu Yang Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/1594087972-21715-8-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Sasha Levin commit bda37473d606dc8c43a77dcfcba4b87399e3bedc Author: Colin Ian King Date: Thu Jul 2 12:35:02 2020 +0100 md: raid0/linear: fix dereference before null check on pointer mddev [ Upstream commit 9a5a85972c073f720d81a7ebd08bfe278e6e16db ] Pointer mddev is being dereferenced with a test_bit call before mddev is being null checked, this may cause a null pointer dereference. Fix this by moving the null pointer checks to sanity check mddev before it is dereferenced. Addresses-Coverity: ("Dereference before null check") Fixes: 62f7b1989c02 ("md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone") Signed-off-by: Colin Ian King Reviewed-by: Guilherme G. Piccoli Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit b31507ed228f1716fd8a9f5f0924037fb9dd9741 Author: Kees Cook Date: Mon Jun 15 15:42:46 2020 -0700 seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID [ Upstream commit 47e33c05f9f07cac3de833e531bcac9ae052c7ca ] When SECCOMP_IOCTL_NOTIF_ID_VALID was first introduced it had the wrong direction flag set. While this isn't a big deal as nothing currently enforces these bits in the kernel, it should be defined correctly. Fix the define and provide support for the old command until it is no longer needed for backward compatibility. Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 3667a66c7caeef43d5bff034ce3d499b8c80a7f9 Author: Tiezhu Yang Date: Sat Jun 6 17:50:16 2020 +0800 irqchip/ti-sci-inta: Fix return value about devm_ioremap_resource() [ Upstream commit 4b127a14cb1385dd355c7673d975258d5d668922 ] When call function devm_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Fixes: 9f1463b86c13 ("irqchip/ti-sci-inta: Add support for Interrupt Aggregator driver") Signed-off-by: Tiezhu Yang Signed-off-by: Marc Zyngier Reviewed-by: Grygorii Strashko Link: https://lore.kernel.org/r/1591437017-5295-2-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Sasha Levin commit 04528c6227bb1496af876a242e9d4d747564680e Author: Stephen Smalley Date: Wed Jun 17 15:22:16 2020 -0400 scripts/selinux/mdp: fix initial SID handling [ Upstream commit 382c2b5d23b4245f1818f69286db334355488dc4 ] commit e3e0b582c321 ("selinux: remove unused initial SIDs and improve handling") broke scripts/selinux/mdp since the unused initial SID names were removed and the corresponding generation of policy initial SID definitions by mdp was not updated accordingly. Fix it. With latest upstream checkpolicy it is no longer necessary to include the SID context definitions for the unused initial SIDs but retain them for compatibility with older checkpolicy. Fixes: e3e0b582c321 ("selinux: remove unused initial SIDs and improve handling") Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit d850fdbff6f468db14a34c335cc95feb4bfb4be1 Author: Chengming Zhou Date: Thu Jul 30 17:03:21 2020 +0800 iocost: Fix check condition of iocg abs_vdebt [ Upstream commit d9012a59db54442d5b2fcfdfcded35cf566397d3 ] We shouldn't skip iocg when its abs_vdebt is not zero. Fixes: 0b80f9866e6b ("iocost: protect iocg->abs_vdebt with iocg->waitq.lock") Signed-off-by: Chengming Zhou Acked-by: Tejun Heo Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8a9324f267aac16e4603e51761cdb13293950f30 Author: Yu Kuai Date: Tue Jul 21 21:45:51 2020 +0800 ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh() [ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") Signed-off-by: Yu Kuai Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit 762ae8916c90a13cfafd39fba2677a66a9b4470b Author: Jon Lin Date: Thu Jul 23 08:43:56 2020 +0800 spi: rockchip: Fix error in SPI slave pio read [ Upstream commit 4294e4accf8d695ea5605f6b189008b692e3e82c ] The RXFLR is possible larger than rx_left in Rockchip SPI, fix it. Fixes: 01b59ce5dac8 ("spi: rockchip: use irq rather than polling") Signed-off-by: Jon Lin Tested-by: Emil Renner Berthing Reviewed-by: Heiko Stuebner Reviewed-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20200723004356.6390-3-jon.lin@rock-chips.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3399fb0afca941c5711b8e99a0bf966601e35a23 Author: Sibi Sankar Date: Thu Jul 2 01:29:54 2020 +0530 soc: qcom: pdr: Reorder the PD state indication ack [ Upstream commit 72fe996f9643043c8f84e32c0610975b01aa555b ] The Protection Domains (PD) have a mechanism to keep its resources enabled until the PD down indication is acked. Reorder the PD state indication ack so that clients get to release the relevant resources before the PD goes down. Reviewed-by: Bjorn Andersson Reviewed-by: Rishabh Bhatnagar Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers") Reported-by: Rishabh Bhatnagar Signed-off-by: Sibi Sankar Link: https://lore.kernel.org/r/20200701195954.9007-1-sibis@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 5a66ae135e3876ded266c9e1081d0cbdcb80459f Author: Christian Hewitt Date: Tue Jul 21 01:59:50 2020 +0000 arm64: dts: meson: fix mmc0 tuning error on Khadas VIM3 [ Upstream commit f1bb924e8f5b50752a80fa5b48c43003680a7b64 ] Similar to other G12B devices using the W400 dtsi, I see reports of mmc0 tuning errors on VIM3 after a few hours uptime: [12483.917391] mmc0: tuning execution failed: -5 [30535.551221] mmc0: tuning execution failed: -5 [35359.953671] mmc0: tuning execution failed: -5 [35561.875332] mmc0: tuning execution failed: -5 [61733.348709] mmc0: tuning execution failed: -5 I do not see the same on VIM3L, so remove sd-uhs-sdr50 from the common dtsi to silence the error, then (re)add it to the VIM3L dts. Fixes: 4f26cc1c96c9 ("arm64: dts: khadas-vim3: move common nodes into meson-khadas-vim3.dtsi") Fixes: 700ab8d83927 ("arm64: dts: khadas-vim3: add support for the SM1 based VIM3L") Signed-off-by: Christian Hewitt Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20200721015950.11816-1-christianshewitt@gmail.com Signed-off-by: Sasha Levin commit e5b6175966e754ed66bfb52fa42ec5f53708734d Author: Dmitry Vyukov Date: Sat Jul 11 11:31:11 2020 +0200 io_uring: fix sq array offset calculation [ Upstream commit b36200f543ff07a1cb346aa582349141df2c8068 ] rings_size() sets sq_offset to the total size of the rings (the returned value which is used for memory allocation). This is wrong: sq array should be located within the rings, not after them. Set sq_offset to where it should be. Fixes: 75b28affdd6a ("io_uring: allocate the two rings together") Signed-off-by: Dmitry Vyukov Acked-by: Hristo Venev Cc: io-uring@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit cfd61b6121f9a9f5be53b7365c182bfc36296dcd Author: Vladimir Zapolskiy Date: Fri Jul 24 03:50:13 2020 +0300 regulator: fix memory leak on error path of regulator_register() [ Upstream commit 9177514ce34902b3adb2abd490b6ad05d1cfcb43 ] The change corrects registration and deregistration on error path of a regulator, the problem was manifested by a reported memory leak on deferred probe: as3722-regulator as3722-regulator: regulator 13 register failed -517 # cat /sys/kernel/debug/kmemleak unreferenced object 0xecc43740 (size 64): comm "swapper/0", pid 1, jiffies 4294937640 (age 712.880s) hex dump (first 32 bytes): 72 65 67 75 6c 61 74 6f 72 2e 32 34 00 5a 5a 5a regulator.24.ZZZ 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ backtrace: [<0c4c3d1c>] __kmalloc_track_caller+0x15c/0x2c0 [<40c0ad48>] kvasprintf+0x64/0xd4 [<109abd29>] kvasprintf_const+0x70/0x84 [] kobject_set_name_vargs+0x34/0xa8 [<62282ea2>] dev_set_name+0x40/0x64 [] regulator_register+0x3a4/0x1344 [<16a9543f>] devm_regulator_register+0x4c/0x84 [<51a4c6a1>] as3722_regulator_probe+0x294/0x754 ... The memory leak problem was introduced as a side ef another fix in regulator_register() error path, I believe that the proper fix is to decouple device_register() function into its two compounds and initialize a struct device before assigning any values to its fields and then using it before actual registration of a device happens. This lets to call put_device() safely after initialization, and, since now a release callback is called, kfree(rdev->constraints) shall be removed to exclude a double free condition. Fixes: a3cde9534ebd ("regulator: core: fix regulator_register() error paths to properly release rdev") Signed-off-by: Vladimir Zapolskiy Cc: Wen Yang Link: https://lore.kernel.org/r/20200724005013.23278-1-vz@mleia.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a17389d43003f18cb76decd2482d1d50f564b642 Author: Gregory Herrero Date: Fri Jul 17 16:33:38 2020 +0200 recordmcount: only record relocation of type R_AARCH64_CALL26 on arm64. [ Upstream commit ea0eada45632f4807b2f49de951072283e2d781c ] Currently, if a section has a relocation to '_mcount' symbol, a new __mcount_loc entry will be added whatever the relocation type is. This is problematic when a relocation to '_mcount' is in the middle of a section and is not a call for ftrace use. Such relocation could be generated with below code for example: bool is_mcount(unsigned long addr) { return (target == (unsigned long) &_mcount); } With this snippet of code, ftrace will try to patch the mcount location generated by this code on module load and fail with: Call trace: ftrace_bug+0xa0/0x28c ftrace_process_locs+0x2f4/0x430 ftrace_module_init+0x30/0x38 load_module+0x14f0/0x1e78 __do_sys_finit_module+0x100/0x11c __arm64_sys_finit_module+0x28/0x34 el0_svc_common+0x88/0x194 el0_svc_handler+0x38/0x8c el0_svc+0x8/0xc ---[ end trace d828d06b36ad9d59 ]--- ftrace failed to modify [] 0xffffa2dbf3a3a41c actual: 66:a9:3c:90 Initializing ftrace call sites ftrace record flags: 2000000 (0) expected tramp: ffffa2dc6cf66724 So Limit the relocation type to R_AARCH64_CALL26 as in perl version of recordmcount. Fixes: af64d2aa872a ("ftrace: Add arm64 support to recordmcount") Signed-off-by: Gregory Herrero Acked-by: Steven Rostedt (VMware) Link: https://lore.kernel.org/r/20200717143338.19302-1-gregory.herrero@oracle.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit d60bab10c36f856f31c7b4b0d9cdb04b2db6d4b2 Author: Tyler Hicks Date: Fri Jul 10 14:29:55 2020 -0500 tpm: Require that all digests are present in TCG_PCR_EVENT2 structures [ Upstream commit 7f3d176f5f7e3f0477bf82df0f600fcddcdcc4e4 ] Require that the TCG_PCR_EVENT2.digests.count value strictly matches the value of TCG_EfiSpecIdEvent.numberOfAlgorithms in the event field of the TCG_PCClientPCREvent event log header. Also require that TCG_EfiSpecIdEvent.numberOfAlgorithms is non-zero. The TCG PC Client Platform Firmware Profile Specification section 9.1 (Family "2.0", Level 00 Revision 1.04) states: For each Hash algorithm enumerated in the TCG_PCClientPCREvent entry, there SHALL be a corresponding digest in all TCG_PCR_EVENT2 structures. Note: This includes EV_NO_ACTION events which do not extend the PCR. Section 9.4.5.1 provides this description of TCG_EfiSpecIdEvent.numberOfAlgorithms: The number of Hash algorithms in the digestSizes field. This field MUST be set to a value of 0x01 or greater. Enforce these restrictions, as required by the above specification, in order to better identify and ignore invalid sequences of bytes at the end of an otherwise valid TPM2 event log. Firmware doesn't always have the means necessary to inform the kernel of the actual event log size so the kernel's event log parsing code should be stringent when parsing the event log for resiliency against firmware bugs. This is true, for example, when firmware passes the event log to the kernel via a reserved memory region described in device tree. POWER and some ARM systems use the "linux,sml-base" and "linux,sml-size" device tree properties to describe the memory region used to pass the event log from firmware to the kernel. Unfortunately, the "linux,sml-size" property describes the size of the entire reserved memory region rather than the size of the event long within the memory region and the event log format does not include information describing the size of the event log. tpm_read_log_of(), in drivers/char/tpm/eventlog/of.c, is where the "linux,sml-size" property is used. At the end of that function, log->bios_event_log_end is pointing at the end of the reserved memory region. That's typically 0x10000 bytes offset from "linux,sml-base", depending on what's defined in the device tree source. The firmware event log only fills a portion of those 0x10000 bytes and the rest of the memory region should be zeroed out by firmware. Even in the case of a properly zeroed bytes in the remainder of the memory region, the only thing allowing the kernel's event log parser to detect the end of the event log is the following conditional in __calc_tpm2_event_size(): if (event_type == 0 && event_field->event_size == 0) size = 0; If that wasn't there, __calc_tpm2_event_size() would think that a 16 byte sequence of zeroes, following an otherwise valid event log, was a valid event. However, problems can occur if a single bit is set in the offset corresponding to either the TCG_PCR_EVENT2.eventType or TCG_PCR_EVENT2.eventSize fields, after the last valid event log entry. This could confuse the parser into thinking that an additional entry is present in the event log and exposing this invalid entry to userspace in the /sys/kernel/security/tpm0/binary_bios_measurements file. Such problems have been seen if firmware does not fully zero the memory region upon a warm reboot. This patch significantly raises the bar on how difficult it is for stale/invalid memory to confuse the kernel's event log parser but there's still, ultimately, a reliance on firmware to properly initialize the remainder of the memory region reserved for the event log as the parser cannot be expected to detect a stale but otherwise properly formatted firmware event log entry. Fixes: fd5c78694f3f ("tpm: fix handling of the TPM 2.0 event logs") Signed-off-by: Tyler Hicks Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 9620833ec06f59f9759079530b3b0513a3d0419d Author: Dilip Kota Date: Fri Jul 17 14:27:50 2020 +0800 spi: lantiq: fix: Rx overflow error in full duplex mode [ Upstream commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 ] In full duplex mode, rx overflow error is observed. To overcome the error, wait until the complete data got received and proceed further. Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller") Signed-off-by: Dilip Kota Link: https://lore.kernel.org/r/efb650b0faa49a00788c4e0ca8ef7196bdba851d.1594957019.git.eswara.kota@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3b72b5361f4ddca871a7ab660778d11a1361141d Author: Chen-Yu Tsai Date: Sat Jul 18 00:00:48 2020 +0800 ARM: dts: sunxi: bananapi-m2-plus-v1.2: Fix CPU supply voltages [ Upstream commit e4dae01bf08b754de79072441c357737220b873f ] The Bananapi M2+ uses a GPIO line to change the effective resistance of the CPU supply regulator's feedback resistor network. The voltages described in the device tree were given directly by the vendor. This turns out to be slightly off compared to the real values. The updated voltages are based on calculations of the feedback resistor network, and verified down to three decimal places with a multi-meter. Fixes: 6eeb4180d4b9 ("ARM: dts: sunxi: h3-h5: Add Bananapi M2+ v1.2 device trees") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20200717160053.31191-4-wens@kernel.org Signed-off-by: Sasha Levin commit 9a88fdc08fcb7add806f6f7fabc51f3f420c2c06 Author: Chen-Yu Tsai Date: Sat Jul 18 00:00:47 2020 +0800 ARM: dts: sunxi: bananapi-m2-plus-v1.2: Add regulator supply to all CPU cores [ Upstream commit 55b271af765b0e03d1ff29502f81644b1a3c87fd ] The device tree currently only assigns the a supply for the first CPU core, when in reality the regulator supply is shared by all four cores. This might cause an issue if the implementation does not realize the sharing of the supply. Assign the same regulator supply to the remaining CPU cores to address this. Fixes: 6eeb4180d4b9 ("ARM: dts: sunxi: h3-h5: Add Bananapi M2+ v1.2 device trees") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20200717160053.31191-3-wens@kernel.org Signed-off-by: Sasha Levin commit 2b97b8263317da181479052a126fecb6c838c6bf Author: Dejin Zheng Date: Fri Jun 26 21:00:41 2020 +0800 reset: intel: fix a compile warning about REG_OFFSET redefined [ Upstream commit 308646785e51976dea7e20d29a1842d14bf0b9bd ] kernel test robot reports a compile warning about REG_OFFSET redefined in the reset-intel-gw.c after merging commit e44ab4e14d6f4 ("regmap: Simplify implementation of the regmap_read_poll_timeout() macro"). the warning is like that: drivers/reset/reset-intel-gw.c:18:0: warning: "REG_OFFSET" redefined #define REG_OFFSET GENMASK(31, 16) In file included from ./arch/arm/mach-ixp4xx/include/mach/hardware.h:30:0, from ./arch/arm/mach-ixp4xx/include/mach/io.h:15, from ./arch/arm/include/asm/io.h:198, from ./include/linux/io.h:13, from ./include/linux/iopoll.h:14, from ./include/linux/regmap.h:20, from drivers/reset/reset-intel-gw.c:12: ./arch/arm/mach-ixp4xx/include/mach/platform.h:25:0: note: this is the location of the previous definition #define REG_OFFSET 3 Reported-by: kernel test robot Fixes: c9aef213e38cde ("reset: intel: Add system reset controller driver") Signed-off-by: Dejin Zheng Reviewed-by: Philipp Zabel Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit 63be29ccc8651503e86b6ba3068619a99acafcd9 Author: Marek Szyprowski Date: Tue Jul 14 08:47:59 2020 +0200 ARM: dts: exynos: Disable frequency scaling for FSYS bus on Odroid XU3 family [ Upstream commit 9ff416cf45a08f28167b75045222c762a0347930 ] Commit 1019fe2c7280 ("ARM: dts: exynos: Adjust bus related OPPs to the values correct for Exynos5422 Odroids") changed the parameters of the OPPs for the FSYS bus. Besides the frequency adjustments, it also removed the 'shared-opp' property from the OPP table used for FSYS_APB and FSYS busses. This revealed that in fact the FSYS bus frequency scaling never worked. When one OPP table is marked as 'opp-shared', only the first bus which selects the OPP sets the rate of its clock. Then OPP core assumes that the other busses have been changed to that OPP and no change to their clock rates are needed. Thus when FSYS_APB bus, which was registered first, set the rate for its clock, the OPP core did not change the FSYS bus clock later. The mentioned commit removed that behavior, what introduced a regression on some Odroid XU3 boards. Frequency scaling of the FSYS bus causes instability of the USB host operation, what can be observed as network hangs. To restore old behavior, simply disable frequency scaling for the FSYS bus. Reported-by: Willy Wolff Fixes: 1019fe2c7280 ("ARM: dts: exynos: Adjust bus related OPPs to the values correct for Exynos5422 Odroids") Signed-off-by: Marek Szyprowski Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit ebf9ecad2fff4f2b2d2b55be87a1c0125f43dcb8 Author: yu kuai Date: Thu Jun 4 20:33:01 2020 +0800 ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() [ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") Signed-off-by: yu kuai Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com Signed-off-by: Sasha Levin commit bfd995f79c17c9fd1651484cff42edfc751218c2 Author: Niklas Söderlund Date: Mon Jul 13 13:10:16 2020 +0200 ARM: dts: gose: Fix ports node name for adv7612 [ Upstream commit 59692ac5a7bb8c97ff440fc8917828083fbc38d6 ] When adding the adv7612 device node the ports node was misspelled as port, fix this. Fixes: bc63cd87f3ce924f ("ARM: dts: gose: add HDMI input") Signed-off-by: Niklas Söderlund Link: https://lore.kernel.org/r/20200713111016.523189-1-niklas.soderlund+renesas@ragnatech.se Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 137428aa601a8d4017ddd81c141f7f2d2c2f9548 Author: Yoshihiro Shimoda Date: Fri Jul 10 21:03:54 2020 +0900 arm64: dts: renesas: Fix SD Card/eMMC interface device node names [ Upstream commit a6cb262af1e1adfa6287cb43f09021ee42beb21c ] Fix the device node names as "mmc@". Fixes: 663386c3e1aa ("arm64: dts: renesas: r8a774a1: Add SDHI nodes") Fixes: 9b33e3001b67 ("arm64: dts: renesas: Initial r8a774b1 SoC device tree") Fixes: 77223211f44d ("arm64: dts: renesas: r8a774c0: Add SDHI nodes") Fixes: d9d67010e0c6 ("arm64: dts: r8a7795: Add SDHI support to dtsi") Fixes: a513cf1e6457 ("arm64: dts: r8a7796: add SDHI nodes") Fixes: 111cc9ace2b5 ("arm64: dts: renesas: r8a77961: Add SDHI nodes") Fixes: f51746ad7d1f ("arm64: dts: renesas: Add Renesas R8A77961 SoC support") Fixes: df863d6f95f5 ("arm64: dts: renesas: initial R8A77965 SoC device tree") Fixes: 9aa3558a02f0 ("arm64: dts: renesas: ebisu: Add and enable SDHI device nodes") Fixes: 83f18749c2f6 ("arm64: dts: renesas: r8a77995: Add SDHI (MMC) support") Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/1594382634-13714-1-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit cbf1c644749d2240c2336c2962108bf2e67ba684 Author: Niklas Söderlund Date: Sat Jul 4 17:58:55 2020 +0200 ARM: dts: gose: Fix ports node name for adv7180 [ Upstream commit d344234abde938ae1062edb6c05852b0bafb4a03 ] When adding the adv7180 device node the ports node was misspelled as port, fix this. Fixes: 8cae359049a88b75 ("ARM: dts: gose: add composite video input") Signed-off-by: Niklas Söderlund Link: https://lore.kernel.org/r/20200704155856.3037010-2-niklas.soderlund+renesas@ragnatech.se Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 56f0c3805299c7f6e9bbf574da885e3a99d578d5 Author: Lu Wei Date: Fri Jul 10 17:30:18 2020 +0800 platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() [ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button") Reported-by: Hulk Robot Signed-off-by: Lu Wei Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 61cd87c69ddb960cf83d6d479b26b0fdfe45806c Author: Lu Wei Date: Fri Jul 10 17:30:17 2020 +0800 platform/x86: intel-hid: Fix return value check in check_acpi_dev() [ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys") Reported-by: Hulk Robot Signed-off-by: Lu Wei Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin commit a24673a3ea40df907cea8f0e8425a99467f9d88c Author: Finn Thain Date: Sun May 31 09:12:13 2020 +1000 m68k: mac: Fix IOP status/control register writes [ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] When writing values to the IOP status/control register make sure those values do not have any extraneous bits that will clear interrupt flags. To place the SCC IOP into bypass mode would be desirable but this is not achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS to the control register. Drop this ineffective register write. Remove the flawed and unused iop_bypass() function. Make use of the unused iop_stop() function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Cc: Joshua Thompson Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 6dbb2072b368108e0580f39ae88fb3c37a5a8282 Author: Finn Thain Date: Sun May 31 09:12:13 2020 +1000 m68k: mac: Don't send IOP message until channel is idle [ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] In the following sequence of calls, iop_do_send() gets called when the "send" channel is not in the IOP_MSG_IDLE state: iop_ism_irq() iop_handle_send() (msg->handler)() iop_send_message() iop_do_send() Avoid this by testing the channel state before calling iop_do_send(). When sending, and iop_send_queue is empty, call iop_do_send() because the channel is idle. If iop_send_queue is not empty, iop_do_send() will get called later by iop_handle_send(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Cc: Joshua Thompson Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit ecf0cf1147c1b916de1b876259a6fdf72dbc5ea0 Author: Sudeep Holla Date: Thu Jul 9 09:17:05 2020 +0100 clk: scmi: Fix min and max rate when registering clocks with discrete rates [ Upstream commit fcd2e0deae50bce48450f14c8fc5611b08d7438c ] Currently we are not initializing the scmi clock with discrete rates correctly. We fetch the min_rate and max_rate value only for clocks with ranges and ignore the ones with discrete rates. This will lead to wrong initialization of rate range when clock supports discrete rate. Fix this by using the first and the last rate in the sorted list of the discrete clock rates while registering the clock. Link: https://lore.kernel.org/r/20200709081705.46084-2-sudeep.holla@arm.com Fixes: 6d6a1d82eaef7 ("clk: add support for clocks provided by SCMI") Reviewed-by: Stephen Boyd Reported-and-tested-by: Dien Pham Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit e966e1c761887ca928f44d3ff73df802f98338ad Author: Giovanni Cabiddu Date: Mon Jun 29 18:16:17 2020 +0100 crypto: qat - allow xts requests not multiple of block [ Upstream commit 528f776df67c440361b2847b4da400d8754bf030 ] Allow AES-XTS requests that are not multiple of the block size. If a request is smaller than the block size, return -EINVAL. This fixes the following issue reported by the crypto testmgr self-test: alg: skcipher: qat_aes_xts encryption failed on test vector "random: len=116 klen=64"; expected_error=0, actual_error=-22, cfg="random: inplace may_sleep use_finup src_divs=[45.85%@+4077, 54.15%@alignmask+18]" Fixes: 96ee111a659e ("crypto: qat - return error for block...") Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 74c0a318d7a1858214601fc4c3f31c4a075fa3b8 Author: Qais Yousef Date: Tue Jun 30 12:21:22 2020 +0100 sched/uclamp: Fix initialization of struct uclamp_rq [ Upstream commit d81ae8aac85ca2e307d273f6dc7863a721bf054e ] struct uclamp_rq was zeroed out entirely in assumption that in the first call to uclamp_rq_inc() they'd be initialized correctly in accordance to default settings. But when next patch introduces a static key to skip uclamp_rq_{inc,dec}() until userspace opts in to use uclamp, schedutil will fail to perform any frequency changes because the rq->uclamp[UCLAMP_MAX].value is zeroed at init and stays as such. Which means all rqs are capped to 0 by default. Fix it by making sure we do proper initialization at init without relying on uclamp_rq_inc() doing it later. Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Tested-by: Lukasz Luba Link: https://lkml.kernel.org/r/20200630112123.12076-2-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 2995619f58276c6ced459e0d42cb28ece20af8f6 Author: Alim Akhtar Date: Sun Jul 5 12:39:17 2020 +0530 arm64: dts: exynos: Fix silent hang after boot on Espresso [ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] Once regulators are disabled after kernel boot, on Espresso board silent hang observed because of LDO7 being disabled. LDO7 actually provide power to CPU cores and non-cpu blocks circuitries. Keep this regulator always-on to fix this hang. Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") Signed-off-by: Alim Akhtar Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 8cdd7ce8a98b4baaef111a180b70a674b95910a2 Author: Ondrej Jirman Date: Fri Jul 3 21:48:42 2020 +0200 arm64: dts: sun50i-pinephone: dldo4 must not be >= 1.8V [ Upstream commit 86be5c789690eb08656b08c072c50a7b02bf41f1 ] Some outputs from the RTL8723CS are connected to the PL port (BT_WAKE_AP), which runs at 1.8V. When BT_WAKE_AP is high, the PL pin this signal is connected to is overdriven, and the whole PL port's voltage rises somewhat. This results in changing voltage on the R_PWM pin (PL10), which is the cause for backlight flickering very noticeably when typing on a Bluetooth keyboard, because backlight intensity is highly sensitive to the voltage of the R_PWM pin. Limit the maximum WiFi/BT I/O voltage to 1.8V to avoid overdriving the PL port pins via BT and WiFi IO port signals. WiFi and BT functionality is unaffected by this change. This completely stops the backlight flicker when using bluetooth. Fixes: 91f480d40942 ("arm64: dts: allwinner: Add initial support for Pine64 PinePhone") Signed-off-by: Ondrej Jirman Link: https://lore.kernel.org/r/20200703194842.111845-4-megous@megous.com Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 60f177b86f6f1fb8e30807e82ed5710ddfec2b05 Author: Cristian Marussi Date: Fri Jun 19 23:03:30 2020 +0100 firmware: arm_scmi: Fix SCMI genpd domain probing [ Upstream commit e0f1a30cf184821499eeb67daedd7a3f21bbcb0b ] When, at probe time, an SCMI communication failure inhibits the capacity to query power domains states, such domains should be skipped. Registering partially initialized SCMI power domains with genpd will causes kernel panic. arm-scmi timed out in resp(caller: scmi_power_state_get+0xa4/0xd0) scmi-power-domain scmi_dev.2: failed to get state for domain 9 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000009f3691000 [0000000000000000] pgd=00000009f1ca0003, p4d=00000009f1ca0003, pud=00000009f35ea003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP CPU: 2 PID: 381 Comm: bash Not tainted 5.8.0-rc1-00011-gebd118c2cca8 #2 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Jan 3 2020 Internal error: Oops: 96000006 [#1] PREEMPT SMP pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--) pc : of_genpd_add_provider_onecell+0x98/0x1f8 lr : of_genpd_add_provider_onecell+0x48/0x1f8 Call trace: of_genpd_add_provider_onecell+0x98/0x1f8 scmi_pm_domain_probe+0x174/0x1e8 scmi_dev_probe+0x90/0xe0 really_probe+0xe4/0x448 driver_probe_device+0xfc/0x168 device_driver_attach+0x7c/0x88 bind_store+0xe8/0x128 drv_attr_store+0x2c/0x40 sysfs_kf_write+0x4c/0x60 kernfs_fop_write+0x114/0x230 __vfs_write+0x24/0x50 vfs_write+0xbc/0x1e0 ksys_write+0x70/0xf8 __arm64_sys_write+0x24/0x30 el0_svc_common.constprop.3+0x94/0x160 do_el0_svc+0x2c/0x98 el0_sync_handler+0x148/0x1a8 el0_sync+0x158/0x180 Do not register any power domain that failed to be queried with genpd. Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") Link: https://lore.kernel.org/r/20200619220330.12217-1-cristian.marussi@arm.com Signed-off-by: Cristian Marussi Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit b6d439dae45ed4f021a8ea4ec33c8dacc8f55d2c Author: Uladzislau Rezki (Sony) Date: Mon May 25 23:47:47 2020 +0200 rcu/tree: Repeat the monitor if any free channel is busy [ Upstream commit 594aa5975b9b5cfe9edaec06170e43b8c0607377 ] It is possible that one of the channels cannot be detached because its free channel is busy and previously queued data has not been processed yet. On the other hand, another channel can be successfully detached causing the monitor work to stop. Prevent that by rescheduling the monitor work if there are any channels in the pending state after a detach attempt. Fixes: 34c881745549e ("rcu: Support kfree_bulk() interface in kfree_rcu()") Acked-by: Joel Fernandes (Google) Signed-off-by: Uladzislau Rezki (Sony) Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit fe8de1c5e8309ca4f8eb9a92e495acf546f0ed7e Author: Marek Szyprowski Date: Mon Jun 29 12:02:18 2020 +0200 ARM: exynos: MCPM: Restore big.LITTLE cpuidle support [ Upstream commit ea9dd8f61c8a890843f68e8dc0062ce78365aab8 ] Call exynos_cpu_power_up(cpunr) unconditionally. This is needed by the big.LITTLE cpuidle driver and has no side-effects on other code paths. The additional soft-reset call during little core power up has been added to properly boot all cores on the Exynos5422-based boards with secure firmware (like Odroid XU3/XU4 family). This however broke big.LITTLE CPUidle driver, which worked only on boards without secure firmware (like Peach-Pit/Pi Chromebooks). Apply the workaround only when board is running under secure firmware. Fixes: 833b5794e330 ("ARM: EXYNOS: reset Little cores when cpu is up") Signed-off-by: Marek Szyprowski Reviewed-by: Lukasz Luba Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 603a81f020bb0c746ba4afbd1de078a5ac3e182e Author: Gilad Ben-Yossef Date: Sun Jun 21 14:19:57 2020 +0300 crypto: ccree - fix resource leak on error path [ Upstream commit 9bc6165d608d676f05d8bf156a2c9923ee38d05b ] Fix a small resource leak on the error path of cipher processing. Signed-off-by: Gilad Ben-Yossef Fixes: 63ee04c8b491e ("crypto: ccree - add skcipher support") Cc: Markus Elfring Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4470c2949a07883cda4de6899ce8507b0fc6aa5d Author: Luis Chamberlain Date: Fri Jun 19 20:47:28 2020 +0000 blktrace: fix debugfs use after free [ Upstream commit bad8e64fb19d3a0de5e564d9a7271c31bd684369 ] On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory") merged on v4.12 Omar fixed the original blktrace code for request-based drivers (multiqueue). This however left in place a possible crash, if you happen to abuse blktrace while racing to remove / add a device. We used to use asynchronous removal of the request_queue, and with that the issue was easier to reproduce. Now that we have reverted to synchronous removal of the request_queue, the issue is still possible to reproduce, its however just a bit more difficult. We essentially run two instances of break-blktrace which add/remove a loop device, and setup a blktrace and just never tear the blktrace down. We do this twice in parallel. This is easily reproduced with the script run_0004.sh from break-blktrace [0]. We can end up with two types of panics each reflecting where we race, one a failed blktrace setup: [ 252.426751] debugfs: Directory 'loop0' with parent 'block' already present! [ 252.432265] BUG: kernel NULL pointer dereference, address: 00000000000000a0 [ 252.436592] #PF: supervisor write access in kernel mode [ 252.439822] #PF: error_code(0x0002) - not-present page [ 252.442967] PGD 0 P4D 0 [ 252.444656] Oops: 0002 [#1] SMP NOPTI [ 252.446972] CPU: 10 PID: 1153 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 [ 252.452673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 [ 252.456343] RIP: 0010:down_write+0x15/0x40 [ 252.458146] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 00 00 48 0f b1 55 00 75 0f 48 8b 04 25 c0 8b 01 00 48 89 45 08 5d [ 252.463638] RSP: 0018:ffffa626415abcc8 EFLAGS: 00010246 [ 252.464950] RAX: 0000000000000000 RBX: ffff958c25f0f5c0 RCX: ffffff8100000000 [ 252.466727] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 [ 252.468482] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000001 [ 252.470014] R10: 0000000000000000 R11: ffff958d1f9227ff R12: 0000000000000000 [ 252.471473] R13: ffff958c25ea5380 R14: ffffffff8cce15f1 R15: 00000000000000a0 [ 252.473346] FS: 00007f2e69dee540(0000) GS:ffff958c2fc80000(0000) knlGS:0000000000000000 [ 252.475225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 252.476267] CR2: 00000000000000a0 CR3: 0000000427d10004 CR4: 0000000000360ee0 [ 252.477526] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 252.478776] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 252.479866] Call Trace: [ 252.480322] simple_recursive_removal+0x4e/0x2e0 [ 252.481078] ? debugfs_remove+0x60/0x60 [ 252.481725] ? relay_destroy_buf+0x77/0xb0 [ 252.482662] debugfs_remove+0x40/0x60 [ 252.483518] blk_remove_buf_file_callback+0x5/0x10 [ 252.484328] relay_close_buf+0x2e/0x60 [ 252.484930] relay_open+0x1ce/0x2c0 [ 252.485520] do_blk_trace_setup+0x14f/0x2b0 [ 252.486187] __blk_trace_setup+0x54/0xb0 [ 252.486803] blk_trace_ioctl+0x90/0x140 [ 252.487423] ? do_sys_openat2+0x1ab/0x2d0 [ 252.488053] blkdev_ioctl+0x4d/0x260 [ 252.488636] block_ioctl+0x39/0x40 [ 252.489139] ksys_ioctl+0x87/0xc0 [ 252.489675] __x64_sys_ioctl+0x16/0x20 [ 252.490380] do_syscall_64+0x52/0x180 [ 252.491032] entry_SYSCALL_64_after_hwframe+0x44/0xa9 And the other on the device removal: [ 128.528940] debugfs: Directory 'loop0' with parent 'block' already present! [ 128.615325] BUG: kernel NULL pointer dereference, address: 00000000000000a0 [ 128.619537] #PF: supervisor write access in kernel mode [ 128.622700] #PF: error_code(0x0002) - not-present page [ 128.625842] PGD 0 P4D 0 [ 128.627585] Oops: 0002 [#1] SMP NOPTI [ 128.629871] CPU: 12 PID: 544 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 [ 128.635595] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 [ 128.640471] RIP: 0010:down_write+0x15/0x40 [ 128.643041] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 00 00 48 0f b1 55 00 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 45 08 5d [ 128.650180] RSP: 0018:ffffa9c3c05ebd78 EFLAGS: 00010246 [ 128.651820] RAX: 0000000000000000 RBX: ffff8ae9a6370240 RCX: ffffff8100000000 [ 128.653942] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 [ 128.655720] RBP: 00000000000000a0 R08: 0000000000000002 R09: ffff8ae9afd2d3d0 [ 128.657400] R10: 0000000000000056 R11: 0000000000000000 R12: 0000000000000000 [ 128.659099] R13: 0000000000000000 R14: 0000000000000003 R15: 00000000000000a0 [ 128.660500] FS: 00007febfd995540(0000) GS:ffff8ae9afd00000(0000) knlGS:0000000000000000 [ 128.662204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 128.663426] CR2: 00000000000000a0 CR3: 0000000420042003 CR4: 0000000000360ee0 [ 128.664776] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 128.666022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 128.667282] Call Trace: [ 128.667801] simple_recursive_removal+0x4e/0x2e0 [ 128.668663] ? debugfs_remove+0x60/0x60 [ 128.669368] debugfs_remove+0x40/0x60 [ 128.669985] blk_trace_free+0xd/0x50 [ 128.670593] __blk_trace_remove+0x27/0x40 [ 128.671274] blk_trace_shutdown+0x30/0x40 [ 128.671935] blk_release_queue+0x95/0xf0 [ 128.672589] kobject_put+0xa5/0x1b0 [ 128.673188] disk_release+0xa2/0xc0 [ 128.673786] device_release+0x28/0x80 [ 128.674376] kobject_put+0xa5/0x1b0 [ 128.674915] loop_remove+0x39/0x50 [loop] [ 128.675511] loop_control_ioctl+0x113/0x130 [loop] [ 128.676199] ksys_ioctl+0x87/0xc0 [ 128.676708] __x64_sys_ioctl+0x16/0x20 [ 128.677274] do_syscall_64+0x52/0x180 [ 128.677823] entry_SYSCALL_64_after_hwframe+0x44/0xa9 The common theme here is: debugfs: Directory 'loop0' with parent 'block' already present This crash happens because of how blktrace uses the debugfs directory where it places its files. Upon init we always create the same directory which would be needed by blktrace but we only do this for make_request drivers (multiqueue) block drivers. When you race a removal of these devices with a blktrace setup you end up in a situation where the make_request recursive debugfs removal will sweep away the blktrace files and then later blktrace will also try to remove individual dentries which are already NULL. The inverse is also possible and hence the two types of use after frees. We don't create the block debugfs directory on init for these types of block devices: * request-based block driver block devices * every possible partition * scsi-generic And so, this race should in theory only be possible with make_request drivers. We can fix the UAF by simply re-using the debugfs directory for make_request drivers (multiqueue) and only creating the ephemeral directory for the other type of block devices. The new clarifications on relying on the q->blk_trace_mutex *and* also checking for q->blk_trace *prior* to processing a blktrace ensures the debugfs directories are only created if no possible directory name clashes are possible. This goes tested with: o nvme partitions o ISCSI with tgt, and blktracing against scsi-generic with: o block o tape o cdrom o media changer o blktests This patch is part of the work which disputes the severity of CVE-2019-19770 which shows this issue is not a core debugfs issue, but a misuse of debugfs within blktace. Fixes: 6ac93117ab00 ("blktrace: use existing disk debugfs directory") Reported-by: syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com Signed-off-by: Luis Chamberlain Reviewed-by: Christoph Hellwig Cc: Bart Van Assche Cc: Omar Sandoval Cc: Hannes Reinecke Cc: Nicolai Stange Cc: Greg Kroah-Hartman Cc: Michal Hocko Cc: "Martin K. Petersen" Cc: "James E.J. Bottomley" Cc: yu kuai Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f9134418c9cc9711d3ca91daf7a07cb0776f9d71 Author: Christophe JAILLET Date: Wed May 6 22:09:07 2020 +0200 memory: tegra: Fix an error handling path in tegra186_emc_probe() [ Upstream commit c3d4eb3bf6ad32466555b31094f33a299444f795 ] The call to tegra_bpmp_get() must be balanced by a call to tegra_bpmp_put() in case of error, as already done in the remove function. Add an error handling path and corresponding goto. Fixes: 52d15dd23f0b ("memory: tegra: Support DVFS on Tegra186 and later") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 4833fe3ed18b9ecfd7ef9e4a3da210d1616c3b93 Author: Stephan Gerhold Date: Fri Jun 5 20:59:14 2020 +0200 arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property [ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ] msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio pin configurations. This was likely copied from the qcom kernel fork where the same property was used for these audio pins. However, "bias-pull-none" actually does not exist at all - not in mainline and not in downstream. I can only guess that the original intention was to configure "no pull", i.e. bias-disable. Change it to that instead. Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls") Cc: Srinivas Kandagatla Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 076bc25075522b5ffb6184b6c099463058fe72fb Author: Herbert Xu Date: Fri Jun 5 16:59:18 2020 +1000 crc-t10dif: Fix potential crypto notify dead-lock [ Upstream commit 3906f640224dbe7714b52b66d7d68c0812808e19 ] The crypto notify call occurs with a read mutex held so you must not do any substantial work directly. In particular, you cannot call crypto_alloc_* as they may trigger further notifications which may dead-lock in the presence of another writer. This patch fixes this by postponing the work into a work queue and taking the same lock in the module init function. While we're at it this patch also ensures that all RCU accesses are marked appropriately (tested with sparse). Finally this also reveals a race condition in module param show function as it may be called prior to the module init function. It's fixed by testing whether crct10dif_tfm is NULL (this is true iff the init function has not completed assuming fallback is false). Fixes: 11dcb1037f40 ("crc-t10dif: Allow current transform to be...") Fixes: b76377543b73 ("crc-t10dif: Pick better transform if one...") Signed-off-by: Herbert Xu Reviewed-by: Martin K. Petersen Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2e0ca54e94a6ed9d1719890527562f3de3e2ce29 Author: Qiushi Wu Date: Thu May 28 15:22:37 2020 -0500 EDAC: Fix reference count leaks [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] When kobject_init_and_add() returns an error, it should be handled because kobject_init_and_add() takes a reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Therefore, replace calling kfree() and call kobject_put() and add a missing kobject_put() in the edac_device_register_sysfs_main_kobj() error path. [ bp: Massage and merge into a single patch. ] Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") Signed-off-by: Qiushi Wu Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu Signed-off-by: Sasha Levin commit 0cea0161974215c7f78e46866076454fadeb9394 Author: Heiko Stuebner Date: Wed Jun 3 15:28:36 2020 +0200 arm64: dts: rockchip: fix rk3399-puma gmac reset gpio [ Upstream commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d ] The puma gmac node currently uses opposite active-values for the gmac phy reset pin. The gpio-declaration uses active-high while the separate snps,reset-active-low property marks the pin as active low. While on the kernel side this works ok, other DT users may get confused - as seen with uboot right now. So bring this in line and make both properties match, similar to the other Rockchip board. Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20200603132836.362519-1-heiko@sntech.de Signed-off-by: Sasha Levin commit b7858c7fc1b6e06824f2c6c1a5eab220664789bc Author: Heiko Stuebner Date: Thu Jun 4 11:12:39 2020 +0200 arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio [ Upstream commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff ] The puma vcc5v0_host regulator node currently uses opposite active-values for the enable pin. The gpio-declaration uses active-high while the separate enable-active-low property marks the pin as active low. While on the kernel side this works ok, other DT users may get confused - as seen with uboot right now. So bring this in line and make both properties match, similar to the gmac fix. Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20200604091239.424318-1-heiko@sntech.de Signed-off-by: Sasha Levin commit 384a1c2e50ab005dddb48ab47919b9e2b01dac59 Author: Heiko Stuebner Date: Sun Jun 7 23:29:09 2020 +0200 arm64: dts: rockchip: fix rk3368-lion gmac reset gpio [ Upstream commit 2300e6dab473e93181cf76e4fe6671aa3d24c57b ] The lion gmac node currently uses opposite active-values for the gmac phy reset pin. The gpio-declaration uses active-high while the separate snps,reset-active-low property marks the pin as active low. While on the kernel side this works ok, other DT users may get confused - as seen with uboot right now. So bring this in line and make both properties match, similar to the other Rockchip board. Fixes: d99a02bcfa81 ("arm64: dts: rockchip: add RK3368-uQ7 (Lion) SoM") Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20200607212909.920575-1-heiko@sntech.de Signed-off-by: Sasha Levin commit a3df377d59e6b4021292a066c6b175a8809d9081 Author: Peng Liu Date: Tue Jun 9 23:09:36 2020 +0800 sched: correct SD_flags returned by tl->sd_flags() [ Upstream commit 9b1b234bb86bcdcdb142e900d39b599185465dbb ] During sched domain init, we check whether non-topological SD_flags are returned by tl->sd_flags(), if found, fire a waning and correct the violation, but the code failed to correct the violation. Correct this. Fixes: 143e1e28cb40 ("sched: Rework sched_domain topology definition") Signed-off-by: Peng Liu Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Reviewed-by: Valentin Schneider Link: https://lkml.kernel.org/r/20200609150936.GA13060@iZj6chx1xj0e0buvshuecpZ Signed-off-by: Sasha Levin commit 388a27133655a993865c8638643eaa666678cc78 Author: Vincent Guittot Date: Tue Jun 9 14:37:48 2020 +0200 sched/fair: Fix NOHZ next idle balance [ Upstream commit 3ea2f097b17e13a8280f1f9386c331b326a3dbef ] With commit: 'b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK")' rebalance_domains of the local cfs_rq happens before others idle cpus have updated nohz.next_balance and its value is overwritten. Move the update of nohz.next_balance for other idles cpus before balancing and updating the next_balance of local cfs_rq. Also, the nohz.next_balance is now updated only if all idle cpus got a chance to rebalance their domains and the idle balance has not been aborted because of new activities on the CPU. In case of need_resched, the idle load balance will be kick the next jiffie in order to address remaining ilb. Fixes: b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK") Reported-by: Peng Liu Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Acked-by: Mel Gorman Link: https://lkml.kernel.org/r/20200609123748.18636-1-vincent.guittot@linaro.org Signed-off-by: Sasha Levin commit 1e2ee6ae45dcb563ffdb951e888b96b0b5d53747 Author: Giovanni Gherdovich Date: Sun May 31 20:24:53 2020 +0200 x86, sched: Bail out of frequency invariance if turbo_freq/base_freq gives 0 [ Upstream commit f4291df103315a696f0b8c4f45ca8ae773c17441 ] Be defensive against the case where the processor reports a base_freq larger than turbo_freq (the ratio would be zero). Fixes: 1567c3e3467c ("x86, sched: Add support for frequency invariance") Signed-off-by: Giovanni Gherdovich Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Rafael J. Wysocki Link: https://lkml.kernel.org/r/20200531182453.15254-4-ggherdovich@suse.cz Signed-off-by: Sasha Levin commit cdbaa685222f1f312c79705aa3f253421d1465d2 Author: Giovanni Gherdovich Date: Sun May 31 20:24:52 2020 +0200 x86, sched: Bail out of frequency invariance if turbo frequency is unknown [ Upstream commit 51beea8862a3095559862df39554f05042e1195b ] There may be CPUs that support turbo boost but don't declare any turbo ratio, i.e. their MSR_TURBO_RATIO_LIMIT is all zeroes. In that condition scale-invariant calculations can't be performed. Fixes: 1567c3e3467c ("x86, sched: Add support for frequency invariance") Suggested-by: Ricardo Neri Signed-off-by: Giovanni Gherdovich Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Rafael J. Wysocki Tested-by: Ricardo Neri Link: https://lkml.kernel.org/r/20200531182453.15254-3-ggherdovich@suse.cz Signed-off-by: Sasha Levin commit fc300518e82965eee55d8c87fb33e11929e58498 Author: Kan Liang Date: Thu May 28 08:19:27 2020 -0700 perf/x86/intel/uncore: Fix oops when counting IMC uncore events on some TGL [ Upstream commit 2af834f1faab3f1e218fcbcab70a399121620d62 ] When counting IMC uncore events on some TGL machines, an oops will be triggered. [ 393.101262] BUG: unable to handle page fault for address: ffffb45200e15858 [ 393.101269] #PF: supervisor read access in kernel mode [ 393.101271] #PF: error_code(0x0000) - not-present page Current perf uncore driver still use the IMC MAP SIZE inherited from SNB, which is 0x6000. However, the offset of IMC uncore counters is larger than 0x6000, e.g. 0xd8a0. Enlarge the IMC MAP SIZE for TGL to 0xe000. Fixes: fdb64822443e ("perf/x86: Add Intel Tiger Lake uncore support") Reported-by: Ammy Yi Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Tested-by: Ammy Yi Tested-by: Chao Qin Link: https://lkml.kernel.org/r/1590679169-61823-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit 0a6357dfe3c44cce13d63e3a95734309f58d71eb Author: Zhenzhong Duan Date: Thu Jun 11 10:32:38 2020 +0800 x86/mce/inject: Fix a wrong assignment of i_mce.status [ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ] The original code is a nop as i_mce.status is or'ed with part of itself, fix it. Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts") Signed-off-by: Zhenzhong Duan Signed-off-by: Borislav Petkov Acked-by: Yazen Ghannam Link: https://lkml.kernel.org/r/20200611023238.3830-1-zhenzhong.duan@gmail.com Signed-off-by: Sasha Levin commit 79d77ab89b0280476cb352d4f842c03b345eba76 Author: Erwan Le Ray Date: Thu May 28 09:40:03 2020 +0200 ARM: dts: stm32: fix uart7_pins_a comments in stm32mp15-pinctrl [ Upstream commit 391e437eedc0dab0a9f2c26997e68e040ae04ea3 ] Fix uart7_pins_a comments to indicate UART7 pins instead of UART4 pins. Fixes: bf4b5f379fed ("ARM: dts: stm32: Add missing pinctrl definitions for STM32MP157") Signed-off-by: Erwan Le Ray Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 6cc11c08d74595971b189c3fbf949563ff4e75a5 Author: Grant Likely Date: Fri Jul 10 16:19:39 2020 +0100 HID: input: Fix devices that return multiple bytes in battery report commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream. Some devices, particularly the 3DConnexion Spacemouse wireless 3D controllers, return more than just the battery capacity in the battery report. The Spacemouse devices return an additional byte with a device specific field. However, hidinput_query_battery_capacity() only requests a 2 byte transfer. When a spacemouse is connected via USB (direct wire, no wireless dongle) and it returns a 3 byte report instead of the assumed 2 byte battery report the larger transfer confuses and frightens the USB subsystem which chooses to ignore the transfer. Then after 2 seconds assume the device has stopped responding and reset it. This can be reproduced easily by using a wired connection with a wireless spacemouse. The Spacemouse will enter a loop of resetting every 2 seconds which can be observed in dmesg. This patch solves the problem by increasing the transfer request to 4 bytes instead of 2. The fix isn't particularly elegant, but it is simple and safe to backport to stable kernels. A further patch will follow to more elegantly handle battery reports that contain additional data. Signed-off-by: Grant Likely Cc: Darren Hart Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: stable@vger.kernel.org Tested-by: Darren Hart Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 903f120e0f213ff4dbf560949ecc6bf30fffb2b6 Author: Jens Axboe Date: Tue Aug 11 12:45:45 2020 -0400 io_uring: abstract out task work running [ Upstream commit 4c6e277c4cc4a6b3b2b9c66a7b014787ae757cc1 ] Provide a helper to run task_work instead of checking and running manually in a bunch of different spots. While doing so, also move the task run state setting where we run the task work. Then we can move it out of the callback helpers. This also helps ensure we only do this once per task_work list run, not per task_work item. Suggested-by: Oleg Nesterov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d870e37f9f1d7433a4469b3bb6127e5af39a40e3 Author: Will Chen Date: Wed Jul 8 14:35:43 2020 -0700 kunit: capture stderr on all make subprocess calls [ Upstream commit 5a9fcad71caa970f30aef99134a1cd19bc4b8eea ] Direct stderr to subprocess.STDOUT so error messages get included in the subprocess.CalledProcessError exceptions output field. This results in more meaningful error messages for the user. This is already being done in the make_allyesconfig method. Do the same for make_mrproper, make_olddefconfig, and make methods. With this, failures on unclean trees [1] will give users an error message that includes: "The source tree is not clean, please run 'make ARCH=um mrproper'" [1] https://bugzilla.kernel.org/show_bug.cgi?id=205219 Signed-off-by: Will Chen Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit fe008953876f8673db7209331623a2ae1219791d Author: Nick Desaulniers Date: Thu Jul 30 15:45:54 2020 -0700 tracepoint: Mark __tracepoint_string's __used commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. __tracepoint_string's have their string data stored in .rodata, and an address to that data stored in the "__tracepoint_str" section. Functions that refer to those strings refer to the symbol of the address. Compiler optimization can replace those address references with references directly to the string data. If the address doesn't appear to have other uses, then it appears dead to the compiler and is removed. This can break the /tracing/printk_formats sysfs node which iterates the addresses stored in the "__tracepoint_str" section. Like other strings stored in custom sections in this header, mark these __used to inform the compiler that there are other non-obvious users of the address, so they should still be emitted. Link: https://lkml.kernel.org/r/20200730224555.2142154-2-ndesaulniers@google.com Cc: Ingo Molnar Cc: Miguel Ojeda Cc: stable@vger.kernel.org Fixes: 102c9323c35a8 ("tracing: Add __tracepoint_string() to export string pointers") Reported-by: Tim Murray Reported-by: Simon MacMullen Suggested-by: Greg Hackmann Signed-off-by: Nick Desaulniers Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman