commit 7c76bd6c36ed84c0e613ba0f3a1408a515b9f12d
Author: Greg Kroah-Hartman
Date:   Wed Jul 14 16:53:49 2021 +0200

    Linux 5.4.132

    Link: https://lore.kernel.org/r/20210712060659.886176320@linuxfoundation.org
    Tested-by: Jon Hunter
    Tested-by: Florian Fainelli
    Link: https://lore.kernel.org/r/20210712184735.997723427@linuxfoundation.org
    Tested-by: Guenter Roeck
    Tested-by: Shuah Khan
    Tested-by: Florian Fainelli
    Tested-by: Jon Hunter
    Tested-by: Linux Kernel Functional Testing
    Tested-by: Sudip Mukherjee
    Tested-by: Hulk Robot

commit 792d47ca522872e65ba9d18a742d118cf6cb7531
Author: Joerg Roedel
Date:   Mon Jun 7 14:49:05 2021 +0200

    iommu/dma: Fix compile warning in 32-bit builds

    commit 7154cbd31c2069726cf730b0ed94e2e79a221602 upstream.

    Compiling the recent dma-iommu changes under 32-bit x86 triggers this
    compile warning:

    drivers/iommu/dma-iommu.c:249:5: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘phys_addr_t’ {aka ‘unsigned int’} [-Wformat=]

    The reason is that %llx is used to print a variable of type
    phys_addr_t. Fix it by using the correct %pa format specifier for
    phys_addr_t.

    Cc: Srinath Mannam
    Cc: Robin Murphy
    Cc: Oza Pawandeep
    Fixes: 571f316074a20 ("iommu/dma: Fix IOVA reserve dma ranges")
    Signed-off-by: Joerg Roedel
    Link: https://lore.kernel.org/r/20210607124905.27525-1-joro@8bytes.org
    Signed-off-by: Greg Kroah-Hartman

commit a7f4f0c4e79aee330b3342e7cf20f46fa21bf7bc
Author: Quat Le
Date:   Tue Jun 29 08:58:26 2021 -0700

    scsi: core: Retry I/O for Notify (Enable Spinup) Required error

    commit 104739aca4488909175e9e31d5cd7d75b82a2046 upstream.

    If the device is power-cycled, it takes time for the initiator to
    transmit the periodic NOTIFY (ENABLE SPINUP) SAS primitive, and for the
    device to respond to the primitive to become ACTIVE. Retry the I/O
    request to allow the device time to become ACTIVE.

    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20210629155826.48441-1-quat.le@oracle.com
    Reviewed-by: Bart Van Assche
    Signed-off-by: Quat Le
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 4aaace2dc1ada688d71d16bd5e349499725d4b04
Author: Johan Hovold
Date:   Fri May 21 15:30:26 2021 +0200

    mmc: vub3000: fix control-request direction

    commit 3c0bb3107703d2c58f7a0a7a2060bb57bc120326 upstream.

    The direction of the pipe argument must match the request-type
    direction bit or control requests may fail depending on the
    host-controller-driver implementation.

    Fix the SET_ROM_WAIT_STATES request which erroneously used
    usb_rcvctrlpipe().

    Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
    Cc: stable@vger.kernel.org # 3.0
    Signed-off-by: Johan Hovold
    Link: https://lore.kernel.org/r/20210521133026.17296-1-johan@kernel.org
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 5712b828b8d9856738ab8646ed127826c8c11a52
Author: Bean Huo
Date:   Tue May 4 22:32:09 2021 +0200

    mmc: block: Disable CMDQ on the ioctl path

    commit 70b52f09080565030a530a784f1c9948a7f48ca3 upstream.

    According to the eMMC Spec:
    "When command queuing is enabled (CMDQ Mode En bit in CMDQ_MODE_EN
    field is set to ‘1’) class 11 commands are the only method through
    which data transfer tasks can be issued. Existing data transfer
    commands, namely CMD18/CMD17 and CMD25/CMD24, are not supported when
    command queuing is enabled."
    which means if CMDQ is enabled, the FFU commands will not be supported.
    To fix this issue, just simply disable CMDQ on the ioctl path, and
    re-enable CMDQ once ioctl request is completed.

    Tested-by: Michael Brunner
    Signed-off-by: Bean Huo
    Acked-by: Adrian Hunter
    Fixes: 1e8e55b67030 (mmc: block: Add CQE support)
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20210504203209.361597-1-huobean@gmail.com
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 90d29149e32cc418343acfce6fada3a49de500e4
Author: Long Li
Date:   Mon Jun 7 12:34:05 2021 -0700

    block: return the correct bvec when checking for gaps

    commit c9c9762d4d44dcb1b2ba90cfb4122dc11ceebf31 upstream.

    After commit 07173c3ec276 ("block: enable multipage bvecs"), a bvec can
    have multiple pages. But bio_will_gap() still assumes one page bvec
    while checking for merging. If the pages in the bvec go across the
    seg_boundary_mask, this check for merging can potentially succeed if
    only the 1st page is tested, and can fail if all the pages are tested.

    Later, when SCSI builds the SG list the same check for merging is done
    in __blk_segment_map_sg_merge() with all the pages in the bvec tested.
    This time the check may fail if the pages in bvec go across the
    seg_boundary_mask (but tested okay in bio_will_gap() earlier, so those
    BIOs were merged). If this check fails, we end up with a broken SG list
    for drivers assuming the SG list not having offsets in intermediate
    pages. This results in incorrect pages written to the disk.

    Fix this by returning the multi-page bvec when testing gaps for
    merging.

    Cc: Jens Axboe
    Cc: Johannes Thumshirn
    Cc: Pavel Begunkov
    Cc: Ming Lei
    Cc: Tejun Heo
    Cc: "Matthew Wilcox (Oracle)"
    Cc: Jeffle Xu
    Cc: linux-kernel@vger.kernel.org
    Cc: stable@vger.kernel.org
    Fixes: 07173c3ec276 ("block: enable multipage bvecs")
    Signed-off-by: Long Li
    Reviewed-by: Ming Lei
    Reviewed-by: Christoph Hellwig
    Link: https://lore.kernel.org/r/1623094445-22332-1-git-send-email-longli@linuxonhyperv.com
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 1bfb3a070b580a0873870a396c4f6a0788815ad3
Author: Varun Prakash
Date:   Wed Apr 14 18:09:09 2021 +0530

    scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd()

    commit 6ecdafaec79d4b3388a5b017245f23a0ff9d852d upstream.

    Instead of calling dma_unmap_sg() after completing WRITE I/O, call
    dma_unmap_sg() before calling target_execute_cmd() to sync the DMA
    buffer.

    Link: https://lore.kernel.org/r/1618403949-3443-1-git-send-email-varun@chelsio.com
    Cc: # 5.4+
    Signed-off-by: Varun Prakash
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

commit 00d38f7031d4b9a8f15e5b5e13b752de837be63a
Author: Arnaldo Carvalho de Melo
Date:   Thu Jul 1 14:20:58 2021 -0300

    perf llvm: Return -ENOMEM when asprintf() fails

    [ Upstream commit c435c166dcf526ac827bc964d82cc0d5e7a1fd0b ]

    Zhihao sent a patch but it made llvm__compile_bpf() return what
    asprintf() returns on error, which is just -1, but since this function
    returns -errno, fix it by returning -ENOMEM for this case instead.

    Fixes: cb76371441d098 ("perf llvm: Allow passing options to llc ...")
    Fixes: 5eab5a7ee032ac ("perf llvm: Display eBPF compiling command ...")
    Reported-by: Hulk Robot
    Reported-by: Zhihao Cheng
    Cc: Alexei Starovoitov
    Cc: Andrii Nakryiko
    Cc: Daniel Borkmann
    Cc: Ingo Molnar
    Cc: Jiri Olsa
    Cc: Nathan Chancellor
    Cc: Nick Desaulniers
    Cc: Peter Zijlstra
    Cc: Yu Kuai
    Cc: clang-built-linux@googlegroups.com
    Link: http://lore.kernel.org/lkml/20210609115945.2193194-1-chengzhihao1@huawei.com
    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: Sasha Levin

commit b00da826cab4c21d86b5565e9501bb74afbd3db8
Author: Dave Hansen
Date:   Wed Jun 30 18:56:53 2021 -0700

    selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random

    [ Upstream commit f36ef407628835a7d7fb3d235b1f1aac7022d9a3 ]

    Patch series "selftests/vm/pkeys: Bug fixes and a new test".

    There has been a lot of activity on the x86 front around the XSAVE
    architecture which is used to context-switch processor state (among
    other things). In addition, AMD has recently joined the protection keys
    club by adding processor support for PKU.

    The AMD implementation helped uncover a kernel bug around the PKRU
    "init state", which actually applied to Intel's implementation but was
    just harder to hit. This series adds a test which is expected to help
    find this class of bug both on AMD and Intel. All the work around pkeys
    on x86 also uncovered a few bugs in the selftest.

    This patch (of 4):

    The "random" pkey allocation code currently does the good old:

        srand((unsigned int)time(NULL));

    *But*, it unfortunately does this on every random pkey allocation.

    There may be thousands of these a second. time() has a one second
    resolution. So, each time alloc_random_pkey() is called, the PRNG is
    *RESET* to time(). This is nasty. Normally, if you do:

        srand();
        foo = rand();
        bar = rand();

    You'll be quite guaranteed that 'foo' and 'bar' are different.

    But, if you do:

        srand(1);
        foo = rand();
        srand(1);
        bar = rand();

    You are quite guaranteed that 'foo' and 'bar' are the *SAME*. The
    recent "fix" effectively forced the test case to use the same "random"
    pkey for the whole test, unless the test run crossed a second boundary.

    Only run srand() once at program startup.

    This explains some very odd and persistent test failures I've been
    seeing.

    Link: https://lkml.kernel.org/r/20210611164153.91B76FB8@viggo.jf.intel.com
    Link: https://lkml.kernel.org/r/20210611164155.192D00FF@viggo.jf.intel.com
    Fixes: 6e373263ce07 ("selftests/vm/pkeys: fix alloc_random_pkey() to make it really random")
    Signed-off-by: Dave Hansen
    Signed-off-by: Thomas Gleixner
    Tested-by: Aneesh Kumar K.V
    Cc: Ram Pai
    Cc: Sandipan Das
    Cc: Florian Weimer
    Cc: "Desnes A. Nunes do Rosario"
    Cc: Ingo Molnar
    Cc: Thiago Jung Bauermann
    Cc: Michael Ellerman
    Cc: Michal Hocko
    Cc: Michal Suchanek
    Cc: Shuah Khan
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

commit 49496327c2907eed640684f7058ca8411b67a118
Author: Miaohe Lin
Date:   Wed Jun 30 18:50:36 2021 -0700

    mm/z3fold: fix potential memory leak in z3fold_destroy_pool()

    [ Upstream commit dac0d1cfda56472378d330b1b76b9973557a7b1d ]

    There is a memory leak in z3fold_destroy_pool() as it forgets to
    free_percpu pool->unbuddied. Call free_percpu for pool->unbuddied to
    fix this issue.

    Link: https://lkml.kernel.org/r/20210619093151.1492174-6-linmiaohe@huawei.com
    Fixes: d30561c56f41 ("z3fold: use per-cpu unbuddied lists")
    Signed-off-by: Miaohe Lin
    Reviewed-by: Vitaly Wool
    Cc: Hillf Danton
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

commit 4b515fa9489434e287e5684bd0bee0b22c2d0fd2
Author: Miaohe Lin
Date:   Wed Jun 30 18:47:57 2021 -0700

    mm/huge_memory.c: don't discard hugepage if other processes are mapping it

    [ Upstream commit babbbdd08af98a59089334eb3effbed5a7a0cf7f ]

    If other processes are mapping any other subpages of the hugepage, i.e.
    in pte-mapped thp case, page_mapcount() will return 1 incorrectly. Then
    we would discard the page while other processes are still mapping it.
    Fix it by using total_mapcount() which can tell whether other processes
    are still mapping it.

    Link: https://lkml.kernel.org/r/20210511134857.1581273-6-linmiaohe@huawei.com
    Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called")
    Reviewed-by: Yang Shi
    Signed-off-by: Miaohe Lin
    Cc: Alexey Dobriyan
    Cc: "Aneesh Kumar K . V"
    Cc: Anshuman Khandual
    Cc: David Hildenbrand
    Cc: Hugh Dickins
    Cc: Johannes Weiner
    Cc: Kirill A. Shutemov
    Cc: Matthew Wilcox
    Cc: Minchan Kim
    Cc: Ralph Campbell
    Cc: Rik van Riel
    Cc: Song Liu
    Cc: William Kucharski
    Cc: Zi Yan
    Cc: Mike Kravetz
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

commit 01be55fb26cef96c204cb14fe1b573244ab81692
Author: Alex Williamson
Date:   Mon Jun 28 14:08:12 2021 -0600

    vfio/pci: Handle concurrent vma faults

    [ Upstream commit 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d ]

    io_remap_pfn_range() will trigger a BUG_ON if it encounters a populated
    pte within the mapping range. This can occur because we map the entire
    vma on fault and multiple faults can be blocked behind the vma_lock.
    This leads to traces like the one reported below.

    We can use our vma_list to test whether a given vma is mapped to avoid
    this issue.

    [ 1591.733256] kernel BUG at mm/memory.c:2177!
    [ 1591.739515] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    [ 1591.747381] Modules linked in: vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O)
    [ 1591.760536] CPU: 2 PID: 227 Comm: lcore-worker-2 Tainted: G O 5.11.0-rc3+ #1
    [ 1591.770735] Hardware name: , BIOS HixxxxFPGA 1P B600 V121-1
    [ 1591.778872] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
    [ 1591.786134] pc : remap_pfn_range+0x214/0x340
    [ 1591.793564] lr : remap_pfn_range+0x1b8/0x340
    [ 1591.799117] sp : ffff80001068bbd0
    [ 1591.803476] x29: ffff80001068bbd0 x28: 0000042eff6f0000
    [ 1591.810404] x27: 0000001100910000 x26: 0000001300910000
    [ 1591.817457] x25: 0068000000000fd3 x24: ffffa92f1338e358
    [ 1591.825144] x23: 0000001140000000 x22: 0000000000000041
    [ 1591.832506] x21: 0000001300910000 x20: ffffa92f141a4000
    [ 1591.839520] x19: 0000001100a00000 x18: 0000000000000000
    [ 1591.846108] x17: 0000000000000000 x16: ffffa92f11844540
    [ 1591.853570] x15: 0000000000000000 x14: 0000000000000000
    [ 1591.860768] x13: fffffc0000000000 x12: 0000000000000880
    [ 1591.868053] x11: ffff0821bf3d01d0 x10: ffff5ef2abd89000
    [ 1591.875932] x9 : ffffa92f12ab0064 x8 : ffffa92f136471c0
    [ 1591.883208] x7 : 0000001140910000 x6 : 0000000200000000
    [ 1591.890177] x5 : 0000000000000001 x4 : 0000000000000001
    [ 1591.896656] x3 : 0000000000000000 x2 : 0168044000000fd3
    [ 1591.903215] x1 : ffff082126261880 x0 : fffffc2084989868
    [ 1591.910234] Call trace:
    [ 1591.914837] remap_pfn_range+0x214/0x340
    [ 1591.921765] vfio_pci_mmap_fault+0xac/0x130 [vfio_pci]
    [ 1591.931200] __do_fault+0x44/0x12c
    [ 1591.937031] handle_mm_fault+0xcc8/0x1230
    [ 1591.942475] do_page_fault+0x16c/0x484
    [ 1591.948635] do_translation_fault+0xbc/0xd8
    [ 1591.954171] do_mem_abort+0x4c/0xc0
    [ 1591.960316] el0_da+0x40/0x80
    [ 1591.965585] el0_sync_handler+0x168/0x1b0
    [ 1591.971608] el0_sync+0x174/0x180
    [ 1591.978312] Code: eb1b027f 540000c0 f9400022 b4fffe02 (d4210000)

    Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking")
    Reported-by: Zeng Tao
    Suggested-by: Zeng Tao
    Link: https://lore.kernel.org/r/162497742783.3883260.3282953006487785034.stgit@omen
    Signed-off-by: Alex Williamson
    Signed-off-by: Sasha Levin

commit 9db3800eeadd1c709558da0ae2e7f5180f905516
Author: Pali Rohár
Date:   Fri Jun 25 00:49:04 2021 +0200

    arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART

    [ Upstream commit 2cbfdedef39fb5994b8f1e1df068eb8440165975 ]

    UART1 (standard variant with DT node name 'uart0') has register space
    0x12000-0x12018 and not whole size 0x200. So fix also this in example.

    Signed-off-by: Pali Rohár
    Fixes: c737abc193d1 ("arm64: dts: marvell: Fix A37xx UART0 register size")
    Link: https://lore.kernel.org/r/20210624224909.6350-6-pali@kernel.org
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit b857ff866c76790c12c430c45f13b4370c3fddd1
Author: Pali Rohár
Date:   Fri Jun 25 00:49:02 2021 +0200

    serial: mvebu-uart: correctly calculate minimal possible baudrate

    [ Upstream commit deeaf963569a0d9d1b08babb771f61bb501a5704 ]

    For default (x16) scheme which is currently used by mvebu-uart.c
    driver, maximal divisor of UART base clock is 1023*16. Therefore there
    is limit for minimal supported baudrate. This change calculate it
    correctly and prevents setting invalid divisor 0 into hardware
    registers.

    Signed-off-by: Pali Rohár
    Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate")
    Link: https://lore.kernel.org/r/20210624224909.6350-4-pali@kernel.org
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit 7900c98108b0347a3f097bc844fcb8638f209bf4
Author: Pali Rohár
Date:   Fri Jun 25 00:49:01 2021 +0200

    serial: mvebu-uart: do not allow changing baudrate when uartclk is not available

    [ Upstream commit ecd6b010d81f97b06b2f64d2d4f50ebf5acddaa9 ]

    Testing mvuart->clk for non-error is not enough as mvuart->clk may
    contain valid clk pointer but when clk_prepare_enable(mvuart->clk)
    failed then port->uartclk is zero.

    When mvuart->clk is not available then port->uartclk is zero too.

    Parent clock rate port->uartclk is needed to calculate UART clock
    divisor and without it is not possible to change baudrate.

    So fix test condition when it is possible to change baudrate.

    Signed-off-by: Pali Rohár
    Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate")
    Link: https://lore.kernel.org/r/20210624224909.6350-3-pali@kernel.org
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit 44d36a79dcff25d493db6048c1e280ae23fff789
Author: Nicholas Piggin
Date:   Wed Jun 23 14:12:45 2021 +1000

    powerpc: Offline CPU in stop_this_cpu()

    [ Upstream commit bab26238bbd44d5a4687c0a64fd2c7f2755ea937 ]

    printk_safe_flush_on_panic() has special lock breaking code for the
    case where we panic()ed with the console lock held. It relies on panic
    IPI causing other CPUs to mark themselves offline.

    Do as most other architectures do.

    This effectively reverts commit de6e5d38417e ("powerpc: smp_send_stop
    do not offline stopped CPUs"), unfortunately it may result in some
    false positive warnings, but the alternative is more situations where
    we can crash without getting messages out.

    Fixes: de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs")
    Signed-off-by: Nicholas Piggin
    Signed-off-by: Michael Ellerman
    Link: https://lore.kernel.org/r/20210623041245.865134-1-npiggin@gmail.com
    Signed-off-by: Sasha Levin

commit 3189d9749317ef8ce36bcc7c4a1f1b74ea58ee9f
Author: Christophe JAILLET
Date:   Fri May 21 13:21:01 2021 +0200

    leds: ktd2692: Fix an error handling path

    [ Upstream commit ee78b9360e14c276f5ceaa4a0d06f790f04ccdad ]

    In 'ktd2692_parse_dt()', if an error occurs after a successful
    'regulator_enable()' call, we should call 'regulator_enable()'.

    This is the same in 'ktd2692_probe()', if an error occurs after a
    successful 'ktd2692_parse_dt()' call.

    Instead of adding 'regulator_enable()' in several places, implement a
    resource managed solution and simplify the remove function accordingly.

    Fixes: b7da8c5c725c ("leds: Add ktd2692 flash LED driver")
    Signed-off-by: Christophe JAILLET
    Signed-off-by: Pavel Machek
    Signed-off-by: Sasha Levin

commit 95288e28c7caf463b6c54f3c40ee95b645d48357
Author: Zhen Lei
Date:   Sat May 15 11:06:46 2021 +0800

    leds: as3645a: Fix error return code in as3645a_parse_node()

    [ Upstream commit 96a30960a2c5246c8ffebe8a3c9031f9df094d97 ]

    Return error code -ENODEV rather than '0' when the indicator node can
    not be found.

    Fixes: a56ba8fbcb55 ("media: leds: as3645a: Add LED flash class driver")
    Reported-by: Hulk Robot
    Acked-by: Sakari Ailus
    Signed-off-by: Zhen Lei
    Signed-off-by: Pavel Machek
    Signed-off-by: Sasha Levin

commit f0acb12b986658e1064bdd46d6d0b9807aba7b33
Author: Chung-Chiang Cheng
Date:   Fri Jun 18 15:59:25 2021 +0800

    configfs: fix memleak in configfs_release_bin_file

    [ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ]

    When reading binary attributes in progress, buffer->bin_buffer is setup
    in configfs_read_bin_file() but never freed.

    Fixes: 03607ace807b4 ("configfs: implement binary attributes")
    Signed-off-by: Chung-Chiang Cheng
    [hch: move the vfree rather than duplicating it]
    Signed-off-by: Christoph Hellwig
    Signed-off-by: Sasha Levin

commit 2993c1f9d7b9fc74c1d4c40c4e16122c44ebbe52
Author: Codrin Ciubotariu
Date:   Fri Jun 18 18:07:41 2021 +0300

    ASoC: atmel-i2s: Fix usage of capture and playback at the same time

    [ Upstream commit 3b7961a326f8a7e03f54a19f02fedae8d488b80f ]

    For both capture and playback streams to work at the same time, only
    the needed values from a register need to be updated. Also, clocks
    should be enabled only when the first stream is started and stopped
    when there is no running stream.

    Fixes: b543e467d1a9 ("ASoC: atmel-i2s: add driver for the new Atmel I2S controller")
    Signed-off-by: Codrin Ciubotariu
    Link: https://lore.kernel.org/r/20210618150741.401739-2-codrin.ciubotariu@microchip.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit 0e0ee2cee65c05854b8de5fce6ee61b324691b9f
Author: Marek Szyprowski
Date:   Fri Apr 23 22:46:24 2021 +0200

    extcon: max8997: Add missing modalias string

    [ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ]

    The platform device driver name is "max8997-muic", so advertise it
    properly in the modalias string. This fixes automated module loading
    when this driver is compiled as a module.

    Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver")
    Signed-off-by: Marek Szyprowski
    Signed-off-by: Chanwoo Choi
    Signed-off-by: Sasha Levin

commit 4efa7f728bab9f96ee4ee4df653189a6569cf249
Author: Stephan Gerhold
Date:   Mon May 31 15:34:35 2021 +0200

    extcon: sm5502: Drop invalid register write in sm5502_reg_data

    [ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ]

    When sm5502_init_dev_type() iterates over sm5502_reg_data to initialize
    the registers it is limited by ARRAY_SIZE(sm5502_reg_data). There is no
    need to add another empty element to sm5502_reg_data.

    Having the additional empty element in sm5502_reg_data will just result
    in writing 0xff to register 0x00, which does not really make sense.

    Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver")
    Signed-off-by: Stephan Gerhold
    Signed-off-by: Chanwoo Choi
    Signed-off-by: Sasha Levin

commit b1c88a56ef6e6f455a110d20e420d565b9cb344e
Author: Christophe JAILLET
Date:   Sat Jun 5 15:17:43 2021 +0200

    phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()

    [ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ]

    Add an error handling path in the probe to release some resources, as
    already done in the remove function.

    Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY")
    Signed-off-by: Christophe JAILLET
    Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul
    Signed-off-by: Sasha Levin

commit 8bc305d146b99c3fdfdded6a5979425ce77d3848
Author: Kunihiko Hayashi
Date:   Mon Jun 7 12:50:42 2021 +0900

    phy: uniphier-pcie: Fix updating phy parameters

    [ Upstream commit 4a90bbb478dbf18ecdec9dcf8eb708e319d24264 ]

    The current driver uses a value from register TEST_O as the original
    value for register TEST_I, though, the value is overwritten by "param",
    so there is a bug that the original value isn't no longer used.

    The value of TEST_O[7:0] should be masked with "mask", replaced with
    "param", and placed in the bitfield TESTI_DAT_MASK as new TEST_I value.

    Fixes: c6d9b1324159 ("phy: socionext: add PCIe PHY driver support")
    Signed-off-by: Kunihiko Hayashi
    Link: https://lore.kernel.org/r/1623037842-19363-1-git-send-email-hayashi.kunihiko@socionext.com
    Signed-off-by: Vinod Koul
    Signed-off-by: Sasha Levin

commit 142ab7ff42b631987486bc0fd80aa8eddabdcd47
Author: Richard Fitzgerald
Date:   Fri Jun 18 15:47:45 2021 +0100

    soundwire: stream: Fix test for DP prepare complete

    [ Upstream commit 3d3e88e336338834086278236d42039f3cde50e1 ]

    In sdw_prep_deprep_slave_ports(), after the wait_for_completion() the
    DP prepare status register is read. If this indicates that the port is
    now prepared, the code should continue with the port setup. It is
    irrelevant whether the wait_for_completion() timed out if the port is
    now ready.

    The previous implementation would always fail if the
    wait_for_completion() timed out, even if the port was reporting
    successful prepare.

    This patch also fixes a minor bug where the return from sdw_read() was
    not checked for error - any error code with LSBits clear could be
    misinterpreted as a successful port prepare.

    Fixes: 79df15b7d37c ("soundwire: Add helpers for ports operations")
    Signed-off-by: Richard Fitzgerald
    Reviewed-by: Pierre-Louis Bossart
    Link: https://lore.kernel.org/r/20210618144745.30629-1-rf@opensource.cirrus.com
    Signed-off-by: Vinod Koul
    Signed-off-by: Sasha Levin

commit 5ec1c609d26ee9e0c8608d25b5e129102093dd74
Author: Zhen Lei
Date:   Fri May 14 16:13:00 2021 +0800

    scsi: mpt3sas: Fix error return value in _scsih_expander_add()

    [ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ]

    When an expander does not contain any 'phys', an appropriate error code
    -1 should be returned, as done elsewhere in this function. However, we
    currently do not explicitly assign this error code to 'rc'. As a
    result, 0 was incorrectly returned.

    Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com
    Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
    Reported-by: Hulk Robot
    Signed-off-by: Zhen Lei
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Sasha Levin

commit 35a4e0aee8f3e2bfa1816e85dba2721714fcea39
Author: Yang Yingliang
Date:   Tue Jun 1 20:58:14 2021 +0800

    mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume()

    [ Upstream commit ae94c49527aa9bd3b563349adc4b5617747ca6bd ]

    Add clk_disable_unprepare() on error path in marvell_nfc_resume().

    Fixes: bd9c3f9b3c00 ("mtd: rawnand: marvell: add suspend and resume hooks")
    Reported-by: Hulk Robot
    Signed-off-by: Yang Yingliang
    Signed-off-by: Miquel Raynal
    Link: https://lore.kernel.org/linux-mtd/20210601125814.3260364-1-yangyingliang@huawei.com
    Signed-off-by: Sasha Levin

commit b1d1cafd6001aa3090bc18e19d427eb2ff3607f4
Author: Geert Uytterhoeven
Date:   Wed Jun 16 11:27:44 2021 +0200

    of: Fix truncation of memory sizes on 32-bit platforms

    [ Upstream commit 2892d8a00d23d511a0591ac4b2ff3f050ae1f004 ]

    Variable "size" has type "phys_addr_t", which can be either 32-bit or
    64-bit on 32-bit systems, while "unsigned long" is always 32-bit on
    32-bit systems.
    Hence the cast in

        (unsigned long)size / SZ_1M

    may truncate a 64-bit size to 32-bit, as casts have a higher operator
    precedence than divisions.

    Fix this by inverting the order of the cast and division, which should
    be safe for memory blocks smaller than 4 PiB. Note that the division is
    actually a shift, as SZ_1M is a power-of-two constant, hence there is
    no need to use div_u64().

    While at it, use "%lu" to format "unsigned long".

    Fixes: e8d9d1f5485b52ec ("drivers: of: add initialization code for static reserved memory")
    Fixes: 3f0c8206644836e4 ("drivers: of: add initialization code for dynamic reserved memory")
    Signed-off-by: Geert Uytterhoeven
    Acked-by: Marek Szyprowski
    Link: https://lore.kernel.org/r/4a1117e72d13d26126f57be034c20dac02f1e915.1623835273.git.geert+renesas@glider.be
    Signed-off-by: Rob Herring
    Signed-off-by: Sasha Levin

commit be192ab7b47a0e24e7bd6dccf14c6f9db55fd09f
Author: Richard Fitzgerald
Date:   Wed Jun 16 14:56:04 2021 +0100

    ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK

    [ Upstream commit fac165f22ac947b55407cd3a60a2a9824f905235 ]

    The definition of CS42L42_ADC_PDN_MASK was incorrectly defined as the
    HP_PDN bit.

    Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
    Signed-off-by: Richard Fitzgerald
    Link: https://lore.kernel.org/r/20210616135604.19363-1-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit fe9452c9d7adb56a0a32f6472f2d57da2605c948
Author: Jonathan Cameron
Date:   Sun Jun 13 16:23:01 2021 +0100

    iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

    [ Upstream commit 92babc9938ebbf4050f2fba774836f7edc16a570 ]

    Add __aligned(8) to ensure the buffer passed to
    iio_push_to_buffers_with_timestamp() is suitable for the naturally
    aligned timestamp that will be inserted.

    Here an explicit structure is not used, because the holes would
    necessitate the addition of an explicit memset(), to avoid a kernel
    data leak, making for a less minimal fix.

    Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.")
    Signed-off-by: Jonathan Cameron
    Cc: Mathieu Othacehe
    Reviewed-by: Nuno Sá
    Link: https://lore.kernel.org/r/20210613152301.571002-9-jic23@kernel.org
    Signed-off-by: Sasha Levin

commit da8ef748fec2d55db0ae424ab40eee0c737564aa
Author: Jonathan Cameron
Date:   Sun Jun 13 16:23:00 2021 +0100

    iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

    [ Upstream commit ec90b52c07c0403a6db60d752484ec08d605ead0 ]

    Add __aligned(8) to ensure the buffer passed to
    iio_push_to_buffers_with_timestamp() is suitable for the naturally
    aligned timestamp that will be inserted.

    Here an explicit structure is not used, because the holes would
    necessitate the addition of an explicit memset(), to avoid a potential
    kernel data leak, making for a less minimal fix.

    Fixes: 55707294c4eb ("iio: light: Add support for vishay vcnl4035")
    Signed-off-by: Jonathan Cameron
    Cc: Parthiban Nallathambi
    Reviewed-by: Nuno Sá
    Link: https://lore.kernel.org/r/20210613152301.571002-8-jic23@kernel.org
    Signed-off-by: Sasha Levin

commit 84c045475ef39d7f1177f23a542b2a04dd930535
Author: Maciej W. Rozycki
Date:   Thu Jun 10 20:38:34 2021 +0200

    serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates

    [ Upstream commit 78bcae8616ac277d6cb7f38e211493948ed73e30 ]

    Support for magic baud rate divisors of 32770 and 32769 used with SMSC
    Super I/O chips for extra baud rates of 230400 and 460800 respectively
    where base rate is 115200[1] has been added around Linux 2.5.64, which
    predates our repo history, but the origin could be identified as commit
    2a717aad772f ("Merge with Linux 2.5.64.") with the old MIPS/Linux repo
    also at: .

    Code that is now in `serial8250_do_get_divisor' was added back then to
    `serial8250_get_divisor', but that code would only ever trigger if one
    of the higher baud rates was actually requested, and that cannot ever
    happen, because the earlier call to `serial8250_get_baud_rate' never
    returns them.
    This is because it calls `uart_get_baud_rate' with the maximum
    requested being the base rate, that is clk/16 or 115200 for SMSC chips
    at their nominal clock rate.

    Fix it then and allow UPF_MAGIC_MULTIPLIER baud rates to be selected,
    by requesting the maximum baud rate of clk/4 rather than clk/16 if the
    flag has been set. Also correct the minimum baud rate, observing that
    these ports only support actual (non-magic) divisors of up to 32767
    only.

    References:

    [1] "FDC37M81x, PC98/99 Compliant Enhanced Super I/O Controller with
        Keyboard/Mouse Wake-Up", Standard Microsystems Corporation, Rev.
        03/27/2000, Table 31 - "Baud Rates", p. 77

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Maciej W. Rozycki
    Link: https://lore.kernel.org/r/alpine.DEB.2.21.2105190412280.29169@angie.orcam.me.uk
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit eea7304dc2e9965b152ff6009321631fe1daa6b2
Author: Sergio Paracuellos
Date:   Mon Jun 14 12:06:17 2021 +0200

    staging: mt7621-dts: fix pci address for PCI memory range

    [ Upstream commit 5b4f167ef3555ec4c334a8dc89c1b44bb2c6bff5 ]

    Driver code call 'devm_of_pci_get_host_bridge_resources' to get
    resources and properly fill 'bridge->windows' and 'bridge->dma_ranges'.
    After parsing the ranges and store as resources, at the end it makes a
    call to pci function 'pci_add_resource_offset' to set the offset for
    the memory resource. To calculate offset, resource start address
    subtracts pci address of the range. MT7621 does not need any offset for
    the memory resource. Moreover, setting an offset got into 'WARN_ON'
    calls from pci devices driver code. Until now memory range pci_addr was
    being '0x00000000' and res->start is '0x60000000' but because pci
    controller driver was manually setting resources and adding them using
    pci function 'pci_add_resource' where a zero is passed as offset,
    things was properly working.
    Since PCI_IOBASE is defined now for ralink we don't set nothing
    manually anymore so we have to properly fix PCI address for this range
    to make things work and the new pci address must be set to
    '0x60000000'. Doing in this way the subtract result obtain zero as
    offset and pci device driver code properly works.

    Fixes: d59578da2bb8 ("staging: mt7621-dts: add dts files")
    Signed-off-by: Sergio Paracuellos
    Link: https://lore.kernel.org/r/20210614100617.28753-4-sergio.paracuellos@gmail.com
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit ce2588dc7fea91ced7a282dccba84d97d8d423a5
Author: Pavel Skripkin
Date:   Mon Jun 14 01:00:19 2021 +0300

    staging: rtl8712: fix memory leak in rtl871x_load_fw_cb

    [ Upstream commit e02a3b945816a77702a2769a70ef5f9b06e49d54 ]

    There is a leak in rtl8712 driver. The problem was in non-freed adapter
    data if firmware load failed.

    This leak can be reproduced with this code:
    https://syzkaller.appspot.com/text?tag=ReproC&x=16612f02d00000,
    Autoload must fail (to not hit memory leak reported by syzkaller)

    There are 2 possible ways how rtl871x_load_fw_cb() and
    r871xu_dev_remove() can be called (in case of fw load error).

    1st case:
        r871xu_dev_remove() then rtl871x_load_fw_cb()

        In this case r871xu_dev_remove() will wait for completion and then
        will jump to the end, because rtl871x_load_fw_cb() set intfdata to
        NULL:

        if (pnetdev) {
            struct _adapter *padapter = netdev_priv(pnetdev);

            /* never exit with a firmware callback pending */
            wait_for_completion(&padapter->rtl8712_fw_ready);
            pnetdev = usb_get_intfdata(pusb_intf);
            usb_set_intfdata(pusb_intf, NULL);
            if (!pnetdev)
                goto firmware_load_fail;

            ... clean up code here ...
        }

    2nd case:
        rtl871x_load_fw_cb() then r871xu_dev_remove()

        In this case pnetdev (from code snippet above) will be zero
        (because rtl871x_load_fw_cb() set it to NULL) And clean up code
        won't be executed again.

    So, in all cases we need to free adapted data in rtl871x_load_fw_cb(),
    because disconnect function cannot take care of it.
And there won't be any race conditions, because complete() call happens after setting intfdata to NULL. In previous patch I moved out free_netdev() from r8712_free_drv_sw() and that's why now it's possible to free adapter data and then call complete. Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading") Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/81e68fe0194499cc2e7692d35bc4dcf167827d8f.1623620630.git.paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 92538bf2eea884467f5c3e70c05e6f34ad582eb4 Author: Pavel Skripkin Date: Mon Jun 14 01:00:07 2021 +0300 staging: rtl8712: remove redundant check in r871xu_drv_init [ Upstream commit 69d998f1e552f6e2e7b55f5058ce1ac7a72903f9 ] padapter->dvobj_init is initialized right before initialization check. There is no need for any branching here. Signed-off-by: Pavel Skripkin Link: https://lore.kernel.org/r/d367e5f39f22af44c545f8710cc18fb00f10e66c.1623620630.git.paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9f0800bd93ea84139307c7d1f42d4ad5dadfac7b Author: Dan Carpenter Date: Mon Jun 14 12:58:36 2021 +0300 staging: gdm724x: check for overflow in gdm_lte_netif_rx() [ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ] This code assumes that "len" is at least 62 bytes, but we need a check to prevent a read overflow. Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4500b944d7f8739df0f8c4095ff9364fec37abfa Author: Dan Carpenter Date: Mon Jun 14 12:55:35 2021 +0300 staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() [ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ] There needs to be a check to verify that we don't read beyond the end of "buf". This function is called from do_rx(). 
The "buf" is the USB transfer_buffer and "len" is "urb->actual_length". Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f848baa0a5b35d6e49b9ae1c2764c268ffe168ca Author: Jonathan Cameron Date: Sun Jun 13 16:22:58 2021 +0100 iio: magn: rm3100: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit b8f939fd20690623cb24845a563e7bc1e4a21482 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here an explicit structure is not used, because this buffer is used in a non-trivial way for data repacking. Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100") Signed-off-by: Jonathan Cameron Cc: Song Qiang Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-6-jic23@kernel.org Signed-off-by: Sasha Levin commit 26aa12ef64ee997d293659bbf645c6df99fb73e5 Author: Jonathan Cameron Date: Sun Jun 13 16:22:57 2021 +0100 iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. 
Fixes: f214ff521fb1 ("iio: ti-ads8688: Update buffer allocation for timestamps") Signed-off-by: Jonathan Cameron Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-5-jic23@kernel.org Signed-off-by: Sasha Levin commit 9275b1eaf04ef68ac4e8c21068ced3150ea20049 Author: Jonathan Cameron Date: Sun Jun 13 16:22:56 2021 +0100 iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 6a6be221b8bd561b053f0701ec752a5ed9007f69 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Add a comment on why the buffer is the size it is as not immediately obvious. Found during an audit of all calls of this function. Fixes: 6dd112b9f85e ("iio: adc: mxs-lradc: Add support for ADC driver") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-4-jic23@kernel.org Signed-off-by: Sasha Levin commit a79c9b382b7a5dd997438463d5e62cb2b5c62c72 Author: Jonathan Cameron Date: Sun Jun 13 16:22:55 2021 +0100 iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit afe2a789fbf7acd1a05407fc7839cc08d23825e3 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. 
Fixes: d3bf60450d47 ("iio: hx711: add triggered buffer support") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-3-jic23@kernel.org Signed-off-by: Sasha Levin commit 73e804beb7598970b25d007a866dbe04c56c76c0 Author: Jonathan Cameron Date: Sun Jun 13 16:22:54 2021 +0100 iio: adc: at91-sama5d2: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 8f884758966259fa8c50c137ac6d4ce9bb7859db ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support") Signed-off-by: Jonathan Cameron Cc: Eugen Hristev Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20210613152301.571002-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 02d3b52f6739359bffeefaf7022711f690b5bb52 Author: Alexandru Ardelean Date: Mon May 25 13:53:41 2020 +0300 iio: at91-sama5d2_adc: remove usage of iio_priv_to_dev() helper [ Upstream commit ebf35aad0baa05823df31fda42df4b67f72e6e72 ] We may want to get rid of the iio_priv_to_dev() helper. The reason is that we will hide some of the members of the iio_dev structure (to prevent drivers from accessing them directly), and that will also mean hiding the implementation of the iio_priv_to_dev() helper inside the IIO core. Hiding the implementation of iio_priv_to_dev() implies that some fast-paths may not be fast anymore, so a general idea is to try to get rid of the iio_priv_to_dev() altogether. The iio_priv() helper won't be affected by the rework, as the iio_dev struct will keep a reference to the private information. For this driver, not using iio_priv_to_dev(), means reworking some paths to pass the iio device and using iio_priv() to access the private information, and also keeping a reference to the iio device for some quirky paths. 
One [quirky] path is the at91_adc_workq_handler() which requires the IIO device & the state struct to push to buffers. Since this requires the back-ref to the IIO device, the at91_adc_touch_pos() also uses it. This simplifies the patch a bit. The information required in this function is mostly for debugging purposes. Replacing it with a reference to the IIO device would have been a slightly bigger change, which may not be worth it (for just the debugging purpose and given that we need the back-ref to the IIO device anyway). Signed-off-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit ac7943a7f4adf43507589d0cc1f06aa9095db025 Author: Andy Shevchenko Date: Tue Jun 8 01:17:56 2021 +0300 eeprom: idt_89hpesx: Restore printing the unsupported fwnode name [ Upstream commit e0db3deea73ba418bf5dc21f5a4e32ca87d16dde ] When iterating over child firmware nodes restore printing the name of ones that are not supported. While at it, refactor loop body to clearly show that we stop at the first match. Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") Cc: Huy Duong Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210607221757.81465-2-andy.shevchenko@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9fc3fbc3af67bcd5eaf1b6cba0e008b04100fdac Author: Andy Shevchenko Date: Tue Jun 8 01:17:55 2021 +0300 eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() [ Upstream commit 3f6ee1c095156a74ab2df605af13020f1ce3e600 ] device_get_next_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. 
Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") Cc: Huy Duong Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210607221757.81465-1-andy.shevchenko@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d7e33cc4789b0b484c09f83481473ace5efcd420 Author: Clément Lassieur Date: Thu Jun 3 17:59:21 2021 +0200 usb: dwc2: Don't reset the core after setting turnaround time [ Upstream commit aafe93516b8567ab5864e1f4cd3eeabc54fb0e5a ] Every time the hub signals a reset while we (device) are hsotg->connected, dwc2_hsotg_core_init_disconnected() is called, which in turn calls dwc2_hs_phy_init(). GUSBCFG.USBTrdTim is cleared upon Core Soft Reset, so if hsotg->params.phy_utmi_width is 8-bit, the value of GUSBCFG.USBTrdTim (the default one: 0x5, corresponding to 16-bit) is always different from hsotg->params.phy_utmi_width, thus dwc2_core_reset() is called every time (usbcfg != usbcfg_old), which causes 2 issues: 1) The call to dwc2_core_reset() does another reset 300us after the initial Chirp K of the first reset (which should last at least Tuch = 1ms), and messes up the High-speed Detection Handshake: both hub and device drive current into the D+ and D- lines at the same time. 2) GUSBCFG.USBTrdTim is cleared by the second reset, so its value is always the default one (0x5). Setting GUSBCFG.USBTrdTim after the potential call to dwc2_core_reset() fixes both issues. It is now set even when select_phy is false because the cost of the Core Soft Reset is removed. 
Fixes: 1e868545f2bb ("usb: dwc2: gadget: Move gadget phy init into core phy init") Signed-off-by: Clément Lassieur Link: https://lore.kernel.org/r/20210603155921.940651-1-clement@lassieur.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a95bbfe690312f05fae3e3d484148d66797cce52 Author: Andrew Gabbasov Date: Thu Jun 3 12:15:07 2021 -0500 usb: gadget: f_fs: Fix setting of device and driver data cross-references [ Upstream commit ecfbd7b9054bddb12cea07fda41bb3a79a7b0149 ] FunctionFS device structure 'struct ffs_dev' and driver data structure 'struct ffs_data' are bound to each other with cross-reference pointers 'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one is supposed to be valid through the whole life of 'struct ffs_data' (and while 'struct ffs_dev' exists non-freed), the second one is cleared in 'ffs_closed()' (called from 'ffs_data_reset()' or the last 'ffs_data_put()'). This can be called several times, alternating in different order with 'ffs_free_inst()', that, if possible, clears the other cross-reference. As a result, different cases of these calls order may leave stale cross-reference pointers, used when the pointed structure is already freed. Even if it occasionally doesn't cause kernel crash, this error is reported by KASAN-enabled kernel configuration. For example, the case [last 'ffs_data_put()' - 'ffs_free_inst()'] was fixed by commit cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst"). The other case ['ffs_data_reset()' - 'ffs_free_inst()' - 'ffs_data_put()'] now causes KASAN reported error [1], when 'ffs_data_reset()' clears 'ffs_dev->ffs_data', then 'ffs_free_inst()' frees the 'struct ffs_dev', but can't clear 'ffs_data->private_data', which is then accessed in 'ffs_closed()' called from 'ffs_data_put()'. This happens since 'ffs_dev->ffs_data' reference is cleared too early. 
Moreover, one more use case, when 'ffs_free_inst()' is called immediately after mounting FunctionFS device (that is before the descriptors are written and 'ffs_ready()' is called), and then 'ffs_data_reset()' or 'ffs_data_put()' is called from accessing "ep0" file or unmounting the device. This causes KASAN error report like [2], since 'ffs_dev->ffs_data' is not yet set when 'ffs_free_inst()' can't properly clear 'ffs_data->private_data', that is later accessed to freed structure. Fix these (and may be other) cases of stale pointers access by moving setting and clearing of the mentioned cross-references to the single places, setting both of them when 'struct ffs_data' is created and bound to 'struct ffs_dev', and clearing both of them when one of the structures is destroyed. It seems convenient to make this pointer initialization and structures binding in 'ffs_acquire_dev()' and make pointers clearing in 'ffs_release_dev()'. This required some changes in these functions parameters and return types. Also, 'ffs_release_dev()' calling requires some cleanup, fixing minor issues, like (1) 'ffs_release_dev()' is not called if 'ffs_free_inst()' is called without unmounting the device, and "release_dev" callback is not called at all, or (2) "release_dev" callback is called before "ffs_closed" callback on unmounting, which seems to be not correctly nested with "acquire_dev" and "ffs_ready" callbacks. Make this cleanup together with other mentioned 'ffs_release_dev()' changes. 
[1] ================================================================== root@rcar-gen3:~# mkdir /dev/cfs root@rcar-gen3:~# mkdir /dev/ffs root@rcar-gen3:~# modprobe libcomposite root@rcar-gen3:~# mount -t configfs none /dev/cfs root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 64.340664] file system registered root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs root@rcar-gen3:~# cd /dev/ffs root@rcar-gen3:/dev/ffs# /home/root/ffs-test ffs-test: info: ep0: writing descriptors (in v2 format) [ 83.181442] read descriptors [ 83.186085] read strings ffs-test: info: ep0: writing strings ffs-test: dbg: ep1: starting ffs-test: dbg: ep2: starting ffs-test: info: ep1: starts ffs-test: info: ep2: starts ffs-test: info: ep0: starts ^C root@rcar-gen3:/dev/ffs# cd /home/root/ root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 98.935061] unloading root@rcar-gen3:~# umount /dev/ffs [ 102.734301] ================================================================== [ 102.742059] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs] [ 102.749683] Write of size 1 at addr ffff0004d46ff549 by task umount/2997 [ 102.756709] [ 102.758311] CPU: 0 PID: 2997 Comm: umount Not tainted 5.13.0-rc4+ #8 [ 102.764971] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 102.772179] Call trace: [ 102.774779] dump_backtrace+0x0/0x330 [ 102.778653] show_stack+0x20/0x2c [ 102.782152] dump_stack+0x11c/0x1ac [ 102.785833] print_address_description.constprop.0+0x30/0x274 [ 102.791862] kasan_report+0x14c/0x1c8 [ 102.795719] __asan_report_store1_noabort+0x34/0x58 [ 102.800840] ffs_release_dev+0x64/0xa8 [usb_f_fs] [ 102.805801] ffs_fs_kill_sb+0x50/0x84 [usb_f_fs] [ 102.810663] deactivate_locked_super+0xa0/0xf0 [ 102.815339] deactivate_super+0x98/0xac [ 102.819378] cleanup_mnt+0xd0/0x1b0 [ 102.823057] __cleanup_mnt+0x1c/0x28 [ 102.826823] task_work_run+0x104/0x180 [ 102.830774] do_notify_resume+0x458/0x14e0 [ 
102.835083] work_pending+0xc/0x5f8 [ 102.838762] [ 102.840357] Allocated by task 2988: [ 102.844032] kasan_save_stack+0x28/0x58 [ 102.848071] kasan_set_track+0x28/0x3c [ 102.852016] ____kasan_kmalloc+0x84/0x9c [ 102.856142] __kasan_kmalloc+0x10/0x1c [ 102.860088] __kmalloc+0x214/0x2f8 [ 102.863678] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] [ 102.868990] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] [ 102.873942] try_get_usb_function_instance+0xf0/0x164 [libcomposite] [ 102.880629] usb_get_function_instance+0x64/0x68 [libcomposite] [ 102.886858] function_make+0x128/0x1ec [libcomposite] [ 102.892185] configfs_mkdir+0x330/0x590 [configfs] [ 102.897245] vfs_mkdir+0x12c/0x1bc [ 102.900835] do_mkdirat+0x180/0x1d0 [ 102.904513] __arm64_sys_mkdirat+0x80/0x94 [ 102.908822] invoke_syscall+0xf8/0x25c [ 102.912772] el0_svc_common.constprop.0+0x150/0x1a0 [ 102.917891] do_el0_svc+0xa0/0xd4 [ 102.921386] el0_svc+0x24/0x34 [ 102.924613] el0_sync_handler+0xcc/0x154 [ 102.928743] el0_sync+0x198/0x1c0 [ 102.932238] [ 102.933832] Freed by task 2996: [ 102.937144] kasan_save_stack+0x28/0x58 [ 102.941181] kasan_set_track+0x28/0x3c [ 102.945128] kasan_set_free_info+0x28/0x4c [ 102.949435] ____kasan_slab_free+0x104/0x118 [ 102.953921] __kasan_slab_free+0x18/0x24 [ 102.958047] slab_free_freelist_hook+0x148/0x1f0 [ 102.962897] kfree+0x318/0x440 [ 102.966123] ffs_free_inst+0x164/0x2d8 [usb_f_fs] [ 102.971075] usb_put_function_instance+0x84/0xa4 [libcomposite] [ 102.977302] ffs_attr_release+0x18/0x24 [usb_f_fs] [ 102.982344] config_item_put+0x140/0x1a4 [configfs] [ 102.987486] configfs_rmdir+0x3fc/0x518 [configfs] [ 102.992535] vfs_rmdir+0x114/0x234 [ 102.996122] do_rmdir+0x274/0x2b0 [ 102.999617] __arm64_sys_unlinkat+0x94/0xc8 [ 103.004015] invoke_syscall+0xf8/0x25c [ 103.007961] el0_svc_common.constprop.0+0x150/0x1a0 [ 103.013080] do_el0_svc+0xa0/0xd4 [ 103.016575] el0_svc+0x24/0x34 [ 103.019801] el0_sync_handler+0xcc/0x154 [ 103.023930] el0_sync+0x198/0x1c0 [ 103.027426] [ 103.029020] The buggy 
address belongs to the object at ffff0004d46ff500 [ 103.029020] which belongs to the cache kmalloc-128 of size 128 [ 103.042079] The buggy address is located 73 bytes inside of [ 103.042079] 128-byte region [ffff0004d46ff500, ffff0004d46ff580) [ 103.054236] The buggy address belongs to the page: [ 103.059262] page:0000000021aa849b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0004d46fee00 pfn:0x5146fe [ 103.070437] head:0000000021aa849b order:1 compound_mapcount:0 [ 103.076456] flags: 0x8000000000010200(slab|head|zone=2) [ 103.081948] raw: 8000000000010200 fffffc0013521a80 0000000d0000000d ffff0004c0002300 [ 103.090052] raw: ffff0004d46fee00 000000008020001e 00000001ffffffff 0000000000000000 [ 103.098150] page dumped because: kasan: bad access detected [ 103.103985] [ 103.105578] Memory state around the buggy address: [ 103.110602] ffff0004d46ff400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.118161] ffff0004d46ff480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.125726] >ffff0004d46ff500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.133284] ^ [ 103.139120] ffff0004d46ff580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.146679] ffff0004d46ff600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.154238] ================================================================== [ 103.161792] Disabling lock debugging due to kernel taint [ 103.167319] Unable to handle kernel paging request at virtual address 0037801d6000018e [ 103.175406] Mem abort info: [ 103.178457] ESR = 0x96000004 [ 103.181609] EC = 0x25: DABT (current EL), IL = 32 bits [ 103.187020] SET = 0, FnV = 0 [ 103.190185] EA = 0, S1PTW = 0 [ 103.193417] Data abort info: [ 103.196385] ISV = 0, ISS = 0x00000004 [ 103.200315] CM = 0, WnR = 0 [ 103.203366] [0037801d6000018e] address between user and kernel address ranges [ 103.210611] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 103.216231] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class 
mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk sata_rc4 [ 103.259233] CPU: 0 PID: 2997 Comm: umount Tainted: G B 5.13.0-rc4+ #8 [ 103.267031] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 103.273951] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) [ 103.280001] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] [ 103.285197] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] [ 103.290385] sp : ffff800014777a80 [ 103.293725] x29: ffff800014777a80 x28: ffff0004d7649c80 x27: 0000000000000000 [ 103.300931] x26: ffff800014777fb0 x25: ffff60009aec9394 x24: ffff0004d7649ca4 [ 103.308136] x23: 1fffe0009a3d063a x22: dfff800000000000 x21: ffff0004d1e831d0 [ 103.315340] x20: e1c000eb00000bb4 x19: ffff0004d1e83000 x18: 0000000000000000 [ 103.322545] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 103.329748] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000012ef658 [ 103.336952] x11: ffff7000012ef658 x10: 0720072007200720 x9 : ffff800011322648 [ 103.344157] x8 : ffff800014777818 x7 : ffff80000977b2c7 x6 : 0000000000000000 [ 103.351359] x5 : 0000000000000001 x4 : ffff7000012ef659 x3 : 0000000000000001 [ 103.358562] x2 : 0000000000000000 x1 : 1c38001d6000018e x0 : e1c000eb00000c70 [ 103.365766] Call trace: [ 103.368235] ffs_data_clear+0x138/0x370 [usb_f_fs] [ 103.373076] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 103.377829] ffs_data_closed+0x1ec/0x244 [usb_f_fs] [ 103.382755] ffs_fs_kill_sb+0x70/0x84 [usb_f_fs] [ 103.387420] deactivate_locked_super+0xa0/0xf0 [ 103.391905] deactivate_super+0x98/0xac [ 103.395776] cleanup_mnt+0xd0/0x1b0 [ 103.399299] __cleanup_mnt+0x1c/0x28 [ 103.402906] task_work_run+0x104/0x180 [ 103.406691] do_notify_resume+0x458/0x14e0 [ 103.410823] work_pending+0xc/0x5f8 [ 103.414351] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) [ 103.420490] ---[ end trace 57b43a50e8244f57 ]--- Segmentation fault root@rcar-gen3:~# ================================================================== [2] 
================================================================== root@rcar-gen3:~# mkdir /dev/ffs root@rcar-gen3:~# modprobe libcomposite root@rcar-gen3:~# root@rcar-gen3:~# mount -t configfs none /dev/cfs root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1 root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 54.766480] file system registered root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs [ 63.197597] unloading root@rcar-gen3:~# cat /dev/ffs/ep0 cat: read error:[ 67.213506] ================================================================== [ 67.222095] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs] [ 67.229699] Write of size 1 at addr ffff0004c26e974a by task cat/2994 [ 67.236446] [ 67.238045] CPU: 0 PID: 2994 Comm: cat Not tainted 5.13.0-rc4+ #8 [ 67.244431] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 67.251624] Call trace: [ 67.254212] dump_backtrace+0x0/0x330 [ 67.258081] show_stack+0x20/0x2c [ 67.261579] dump_stack+0x11c/0x1ac [ 67.265260] print_address_description.constprop.0+0x30/0x274 [ 67.271286] kasan_report+0x14c/0x1c8 [ 67.275143] __asan_report_store1_noabort+0x34/0x58 [ 67.280265] ffs_data_clear+0x70/0x370 [usb_f_fs] [ 67.285220] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 67.290172] ffs_data_closed+0x240/0x244 [usb_f_fs] [ 67.295305] ffs_ep0_release+0x40/0x54 [usb_f_fs] [ 67.300256] __fput+0x304/0x580 [ 67.303576] ____fput+0x18/0x24 [ 67.306893] task_work_run+0x104/0x180 [ 67.310846] do_notify_resume+0x458/0x14e0 [ 67.315154] work_pending+0xc/0x5f8 [ 67.318834] [ 67.320429] Allocated by task 2988: [ 67.324105] kasan_save_stack+0x28/0x58 [ 67.328144] kasan_set_track+0x28/0x3c [ 67.332090] ____kasan_kmalloc+0x84/0x9c [ 67.336217] __kasan_kmalloc+0x10/0x1c [ 67.340163] __kmalloc+0x214/0x2f8 [ 67.343754] kzalloc.constprop.0+0x14/0x20 [usb_f_fs] [ 67.349066] ffs_alloc_inst+0x8c/0x208 [usb_f_fs] [ 67.354017] 
try_get_usb_function_instance+0xf0/0x164 [libcomposite] [ 67.360705] usb_get_function_instance+0x64/0x68 [libcomposite] [ 67.366934] function_make+0x128/0x1ec [libcomposite] [ 67.372260] configfs_mkdir+0x330/0x590 [configfs] [ 67.377320] vfs_mkdir+0x12c/0x1bc [ 67.380911] do_mkdirat+0x180/0x1d0 [ 67.384589] __arm64_sys_mkdirat+0x80/0x94 [ 67.388899] invoke_syscall+0xf8/0x25c [ 67.392850] el0_svc_common.constprop.0+0x150/0x1a0 [ 67.397969] do_el0_svc+0xa0/0xd4 [ 67.401464] el0_svc+0x24/0x34 [ 67.404691] el0_sync_handler+0xcc/0x154 [ 67.408819] el0_sync+0x198/0x1c0 [ 67.412315] [ 67.413909] Freed by task 2993: [ 67.417220] kasan_save_stack+0x28/0x58 [ 67.421257] kasan_set_track+0x28/0x3c [ 67.425204] kasan_set_free_info+0x28/0x4c [ 67.429513] ____kasan_slab_free+0x104/0x118 [ 67.434001] __kasan_slab_free+0x18/0x24 [ 67.438128] slab_free_freelist_hook+0x148/0x1f0 [ 67.442978] kfree+0x318/0x440 [ 67.446205] ffs_free_inst+0x164/0x2d8 [usb_f_fs] [ 67.451156] usb_put_function_instance+0x84/0xa4 [libcomposite] [ 67.457385] ffs_attr_release+0x18/0x24 [usb_f_fs] [ 67.462428] config_item_put+0x140/0x1a4 [configfs] [ 67.467570] configfs_rmdir+0x3fc/0x518 [configfs] [ 67.472626] vfs_rmdir+0x114/0x234 [ 67.476215] do_rmdir+0x274/0x2b0 [ 67.479710] __arm64_sys_unlinkat+0x94/0xc8 [ 67.484108] invoke_syscall+0xf8/0x25c [ 67.488055] el0_svc_common.constprop.0+0x150/0x1a0 [ 67.493175] do_el0_svc+0xa0/0xd4 [ 67.496671] el0_svc+0x24/0x34 [ 67.499896] el0_sync_handler+0xcc/0x154 [ 67.504024] el0_sync+0x198/0x1c0 [ 67.507520] [ 67.509114] The buggy address belongs to the object at ffff0004c26e9700 [ 67.509114] which belongs to the cache kmalloc-128 of size 128 [ 67.522171] The buggy address is located 74 bytes inside of [ 67.522171] 128-byte region [ffff0004c26e9700, ffff0004c26e9780) [ 67.534328] The buggy address belongs to the page: [ 67.539355] page:000000003177a217 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5026e8 [ 67.549175] head:000000003177a217 order:1 
compound_mapcount:0 [ 67.555195] flags: 0x8000000000010200(slab|head|zone=2) [ 67.560687] raw: 8000000000010200 fffffc0013037100 0000000c00000002 ffff0004c0002300 [ 67.568791] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 67.576890] page dumped because: kasan: bad access detected [ 67.582725] [ 67.584318] Memory state around the buggy address: [ 67.589343] ffff0004c26e9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.596903] ffff0004c26e9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.604463] >ffff0004c26e9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.612022] ^ [ 67.617860] ffff0004c26e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.625421] ffff0004c26e9800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.632981] ================================================================== [ 67.640535] Disabling lock debugging due to kernel taint File descriptor[ 67.646100] Unable to handle kernel paging request at virtual address fabb801d4000018d in bad state [ 67.655456] Mem abort info: [ 67.659619] ESR = 0x96000004 [ 67.662801] EC = 0x25: DABT (current EL), IL = 32 bits [ 67.668225] SET = 0, FnV = 0 [ 67.671375] EA = 0, S1PTW = 0 [ 67.674613] Data abort info: [ 67.677587] ISV = 0, ISS = 0x00000004 [ 67.681522] CM = 0, WnR = 0 [ 67.684588] [fabb801d4000018d] address between user and kernel address ranges [ 67.691849] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 67.697470] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha1_ce evdev sata_rcar libata xhci_plat_hcd scsi_mod xhci_hcd rene4 [ 67.740467] CPU: 0 PID: 2994 Comm: cat Tainted: G B 5.13.0-rc4+ #8 [ 67.748005] Hardware name: Renesas Salvator-X board based on r8a77951 (DT) [ 67.754924] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--) [ 67.760974] pc : ffs_data_clear+0x138/0x370 [usb_f_fs] [ 
67.766178] lr : ffs_data_clear+0x124/0x370 [usb_f_fs] [ 67.771365] sp : ffff800014767ad0 [ 67.774706] x29: ffff800014767ad0 x28: ffff800009cf91c0 x27: ffff0004c54861a0 [ 67.781913] x26: ffff0004dc90b288 x25: 1fffe00099ec10f5 x24: 00000000000a801d [ 67.789118] x23: 1fffe00099f6953a x22: dfff800000000000 x21: ffff0004cfb4a9d0 [ 67.796322] x20: d5e000ea00000bb1 x19: ffff0004cfb4a800 x18: 0000000000000000 [ 67.803526] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 67.810730] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000028ecefa [ 67.817934] x11: ffff7000028ecefa x10: 0720072007200720 x9 : ffff80001132c014 [ 67.825137] x8 : ffff8000147677d8 x7 : ffff8000147677d7 x6 : 0000000000000000 [ 67.832341] x5 : 0000000000000001 x4 : ffff7000028ecefb x3 : 0000000000000001 [ 67.839544] x2 : 0000000000000005 x1 : 1abc001d4000018d x0 : d5e000ea00000c6d [ 67.846748] Call trace: [ 67.849218] ffs_data_clear+0x138/0x370 [usb_f_fs] [ 67.854058] ffs_data_reset+0x20/0x304 [usb_f_fs] [ 67.858810] ffs_data_closed+0x240/0x244 [usb_f_fs] [ 67.863736] ffs_ep0_release+0x40/0x54 [usb_f_fs] [ 67.868488] __fput+0x304/0x580 [ 67.871665] ____fput+0x18/0x24 [ 67.874837] task_work_run+0x104/0x180 [ 67.878622] do_notify_resume+0x458/0x14e0 [ 67.882754] work_pending+0xc/0x5f8 [ 67.886282] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821) [ 67.892422] ---[ end trace 6d7cedf53d7abbea ]--- Segmentation fault root@rcar-gen3:~# ================================================================== Fixes: 4b187fceec3c ("usb: gadget: FunctionFS: add devices management code") Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") Fixes: cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst") Reported-by: Bhuvanesh Surachari Tested-by: Eugeniu Rosca Reviewed-by: Eugeniu Rosca Signed-off-by: Andrew Gabbasov Link: https://lore.kernel.org/r/20210603171507.22514-1-andrew_gabbasov@mentor.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: 
Sasha Levin commit 7ba04367b340bd0bdf7bec8651c5839774132b15 Author: Christophe JAILLET Date: Sun Jun 6 16:31:09 2021 +0200 ASoC: mediatek: mtk-btcvsd: Fix an error handling path in 'mtk_btcvsd_snd_probe()' [ Upstream commit b6052c3c7a78f5e2b9756c92ef77c0b56435f107 ] If an error occurs after a successful 'of_iomap()' call, it must be undone by a corresponding 'iounmap()' call, as already done in the remove function. While at it, remove the useless initialization of 'ret' at the beginning of the function. Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0c2ba562c3364e61bfbd5b3013a99dfa0d9045d7.1622989685.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6fee286da89810d5f000ef9d6c46d23e780d0286 Author: Srinath Mannam Date: Mon Sep 14 12:53:19 2020 +0530 iommu/dma: Fix IOVA reserve dma ranges [ Upstream commit 571f316074a203e979ea90211d9acf423dfe5f46 ] Fix IOVA reserve failure in the case when address of first memory region listed in dma-ranges is equal to 0x0. Fixes: aadad097cd46f ("iommu/dma: Reserve IOVA for PCIe inaccessible DMA address") Signed-off-by: Srinath Mannam Reviewed-by: Robin Murphy Tested-by: Sven Peter Link: https://lore.kernel.org/r/20200914072319.6091-1-srinath.mannam@broadcom.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 1e38d79d0bfc254ac85fc313b72e7cfcac5e62e0 Author: Randy Dunlap Date: Thu May 27 17:24:20 2021 -0700 s390: appldata depends on PROC_SYSCTL [ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ] APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS. Building with PROC_FS but not PROC_SYSCTL causes a build error, since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c. 
arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler': appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals' Fixes: c185b783b099 ("[S390] Remove config options.") Signed-off-by: Randy Dunlap Cc: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Cc: linux-s390@vger.kernel.org Signed-off-by: Vasily Gorbik Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit b6e2d45e3fea242aeae549dc89f412d9dc656d23 Author: Zhen Lei Date: Fri May 28 16:26:14 2021 +0800 visorbus: fix error return code in visorchipset_init() [ Upstream commit ce52ec5beecc1079c251f60e3973b3758f60eb59 ] Commit 1366a3db3dcf ("staging: unisys: visorbus: visorchipset_init clean up gotos") assigns the initial value -ENODEV to the local variable 'err', and the first several error branches will return this value after "goto error". But commit f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.") overwrites 'err' in the middle of the way. As a result, some error branches do not successfully return the initial value -ENODEV of 'err', but return 0. In addition, when kzalloc() fails, -ENOMEM should be returned instead of -ENODEV. Fixes: f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210528082614.9337-1-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 540c40c6bb4a03965a4ccecf97cccdd22d831dbb Author: Joachim Fenkes Date: Fri Jul 24 16:45:18 2020 +0930 fsi/sbefifo: Fix reset timeout [ Upstream commit 9ab1428dfe2c66b51e0b41337cd0164da0ab6080 ] On BMCs with lower timer resolution than 1ms, msleep(1) will take way longer than 1ms, so looping 10k times won't wait for 10s but significantly longer. Fix this by using jiffies like the rest of the code. 
Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") Signed-off-by: Joachim Fenkes Link: https://lore.kernel.org/r/20200724071518.430515-3-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit aa4577259bfbf41d8ce203c5b50f5f3971884eae Author: Joachim Fenkes Date: Fri Jul 24 16:45:17 2020 +0930 fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE [ Upstream commit 95152433e46fdb36652ebdbea442356a16ae1fa6 ] When the SBE requests a reset via the down FIFO, that is also the FIFO we should go and reset ;) Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") Signed-off-by: Joachim Fenkes Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20200724071518.430515-2-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit d903eee764a403b9412e286f48ad05885c5212d8 Author: Eddie James Date: Tue Feb 9 11:12:32 2021 -0600 fsi: occ: Don't accept response from un-initialized OCC [ Upstream commit 8a4659be08576141f47d47d94130eb148cb5f0df ] If the OCC is not initialized and responds as such, the driver should continue waiting for a valid response until the timeout expires. Signed-off-by: Eddie James Reviewed-by: Joel Stanley Fixes: 7ed98dddb764 ("fsi: Add On-Chip Controller (OCC) driver") Link: https://lore.kernel.org/r/20210209171235.20624-2-eajames@linux.ibm.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 96c914057aaa66b2c93c53bdf4e12f11d74233c4 Author: Eddie James Date: Mon Mar 29 10:13:44 2021 -0500 fsi: scom: Reset the FSI2PIB engine for any error [ Upstream commit a5c317dac5567206ca7b6bc9d008dd6890c8bced ] The error bits in the FSI2PIB status are only cleared by a reset. So the driver needs to perform a reset after seeing any of the FSI2PIB errors, otherwise subsequent operations will also look like failures. 
Fixes: 6b293258cded ("fsi: scom: Major overhaul") Signed-off-by: Eddie James Reviewed-by: Joel Stanley Link: https://lore.kernel.org/r/20210329151344.14246-1-eajames@linux.ibm.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 19c8f5307a2ea7ac506e04977d4601b92bdef437 Author: Colin Ian King Date: Thu Jun 3 13:28:12 2021 +0100 fsi: core: Fix return of error values on failures [ Upstream commit 910810945707fe9877ca86a0dca4e585fd05e37b ] Currently the cfam_read and cfam_write functions return the provided number of bytes given in the count parameter and not the error return code in variable rc, hence all failures of read/writes are being silently ignored. Fix this by returning the error code in rc. Addresses-Coverity: ("Unused value") Fixes: d1dcd6782576 ("fsi: Add cfam char devices") Signed-off-by: Colin Ian King Reviewed-by: Jeremy Kerr Link: https://lore.kernel.org/r/20210603122812.83587-1-colin.king@canonical.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit aeed300a2e277934609b826aaa7e8374a8f35964 Author: Randy Dunlap Date: Sat May 29 16:48:57 2021 -0700 scsi: FlashPoint: Rename si_flags field [ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ] The BusLogic driver has build errors on ia64 due to a name collision (in the #included FlashPoint.c file). Rename the struct field in struct sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build. This is the first problem. There are 50+ others after this one: In file included from ../include/uapi/linux/signal.h:6, from ../include/linux/signal_types.h:10, from ../include/linux/sched.h:29, from ../include/linux/hardirq.h:9, from ../include/linux/interrupt.h:11, from ../drivers/scsi/BusLogic.c:27: ../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' 
token 15 | #define si_flags _sifields._sigfault._flags | ^ ../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags' 43 | u16 si_flags; | ^~~~~~~~ In file included from ../drivers/scsi/BusLogic.c:51: ../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter': ../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields' 1076 | pCardInfo->si_flags = 0x0000; | ^~ ../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields' Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.") Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Christoph Hellwig Cc: Jens Axboe Cc: Hannes Reinecke Cc: Khalid Aziz Cc: Khalid Aziz Reported-by: kernel test robot Reviewed-by: Hannes Reinecke Signed-off-by: Randy Dunlap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit fde1e59110f1e8121b2e3e08bd289d8304ede381 Author: Andy Shevchenko Date: Mon May 10 12:50:35 2021 +0300 leds: lm3692x: Put fwnode in any case during ->probe() [ Upstream commit f55db1c7fadc2a29c9fa4ff3aec98dbb111f2206 ] device_get_next_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Fixes: 9a5c1c64ac0a ("leds: lm3692x: Change DT calls to fwnode calls") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 08ffeb67e42bcfc1677bde4dc6e54a541bde1d8a Author: Marek Behún Date: Sat Sep 19 20:02:56 2020 +0200 leds: lm36274: cosmetic: rename lm36274_data to chip [ Upstream commit d3ab963cf980151f5f0ba16d842ddc80b232d9c0 ] Rename this variable so that it is easier to read and easier to write in 80 columns. Also rename variable of this type in lm36274_brightness_set from led to chip, to be consistent. 
Signed-off-by: Marek Behún Tested-by: Dan Murphy Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit a42c6c448c9e4272178a17f7cefc7b6419d11316 Author: Andy Shevchenko Date: Mon May 10 12:50:31 2021 +0300 leds: lm3532: select regmap I2C API [ Upstream commit 99be74f61cb0292b518f5e6d7e5c6611555c2ec7 ] Regmap APIs should be selected, otherwise link can fail ERROR: modpost: "__devm_regmap_init_i2c" [drivers/leds/leds-lm3532.ko] undefined! Fixes: bc1b8492c764 ("leds: lm3532: Introduce the lm3532 LED driver") Cc: Dan Murphy Signed-off-by: Andy Shevchenko Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 329e02d6f22d4cc917ed2375bde166da751d0ec1 Author: Christophe JAILLET Date: Tue May 25 20:51:57 2021 +0200 tty: nozomi: Fix the error handling path of 'nozomi_card_init()' [ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ] The error handling path is broken and we may un-register things that have never been registered. Update the loops index accordingly. Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") Suggested-by: Dan Carpenter Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7f0b77542e57adf955f1dce160863cb513471465 Author: Christophe JAILLET Date: Fri May 21 20:22:15 2021 +0200 firmware: stratix10-svc: Fix a resource leak in an error handling path [ Upstream commit d99247f9b542533ddbf87a3481a05473b8e48194 ] If an error occurs after a successful 'kfifo_alloc()' call, it must be undone by a corresponding 'kfifo_free()' call, as already done in the remove function. While at it, move the 'platform_device_put()' call to this new error handling path and explicitly return 0 in the success path. 
Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/0ca3f3ab139c53e846804455a1e7599ee8ae896a.1621621271.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a536c30966c1821536c2d902f637813e19f4e4ae Author: Yu Kuai Date: Fri May 21 20:06:17 2021 +0800 char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol() [ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ] Theoretically, it will cause index out of bounds error if 'num_bytes_read' is greater than 4. As we expect it (and was tested) never to be greater than 4, error out if it happens. Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6490ed7c4684caf9851a0b98e0ab17a8d693dada Author: Corentin Labbe Date: Thu May 20 11:48:50 2021 +0000 mtd: partitions: redboot: seek fis-index-block in the right node [ Upstream commit 237960880960863fb41888763d635b384cffb104 ] fis-index-block is seeked in the master node and not in the partitions node. For following binding and current usage, the driver needs to check the partitions subnode. Fixes: c0e118c8a1a3 ("mtd: partitions: Add OF support to RedBoot partitions") Signed-off-by: Corentin Labbe Reviewed-by: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210520114851.1274609-1-clabbe@baylibre.com Signed-off-by: Sasha Levin commit 56c6c7f8ab9b3c1c4b92ee9ade6f8ceedb75f31e Author: Zhen Lei Date: Mon May 24 11:52:42 2021 -0700 Input: hil_kbd - fix error return code in hil_dev_connect() [ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ] Return error code -EINVAL rather than '0' when the combo devices are not supported.
Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ccba2835839721351a54535f72aef4ca516ccf93 Author: Kuninori Morimoto Date: Mon May 24 15:12:09 2021 +0900 ASoC: rsnd: tidyup loop on rsnd_adg_clk_query() [ Upstream commit cf9d5c6619fadfc41cf8f5154cb990cc38e3da85 ] commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") used saved clk_rate, thus for_each_rsnd_clk() is no longer needed. This patch fixes it. Fixes: 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/87v978oe2u.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 77c61b1b298967ad37d1f74cc8fc0afa756ec2a5 Author: Andy Shevchenko Date: Mon May 10 12:57:16 2021 +0300 backlight: lm3630a_bl: Put fwnode in error case during ->probe() [ Upstream commit 6d1c32dbedd7d7e7372aa38033ec8782c39f6379 ] device_for_each_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Cc: Brian Masney Cc: Dan Murphy Fixes: 8fbce8efe15cd ("backlight: lm3630a: Add firmware node support") Signed-off-by: Andy Shevchenko Reviewed-by: Brian Masney Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 57fd7d8ac921b2e58bbb4e524c238e915c7d62ae Author: Yang Yingliang Date: Tue May 18 12:45:14 2021 +0800 ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup() [ Upstream commit 375904e3931955fcf0a847f029b2492a117efc43 ] After calling clk_prepare_enable(), clk_disable_unprepare() needs to be called when calling clk_set_rate() failed.
Fixes: 0bf750f4cbe1 ("ASoC: hisilicon: Add hi6210 i2s audio driver") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210518044514.607010-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1dc77b6ca0c5f59cc00254b9a27a7b0933e18ab7 Author: Yang Yingliang Date: Tue May 18 15:58:47 2021 +0800 ASoC: rk3328: fix missing clk_disable_unprepare() on error in rk3328_platform_probe() [ Upstream commit d14eece945a8068a017995f7512ea2beac21e34b ] Fix the missing clk_disable_unprepare() before return from rk3328_platform_probe() in the error handling case. Fixes: c32759035ad2 ("ASoC: rockchip: support ACODEC for rk3328") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20210518075847.1116983-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d89dda5f5652efa50676796097baea6c6b04a750 Author: Jonathan Cameron Date: Sat May 1 18:13:48 2021 +0100 iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 8979b67ec61abc232636400ee8c758a16a73c95f ] Add __aligned(8) to ensure the buffer passed to iio_push_to_buffers_with_timestamp() is suitable for the naturally aligned timestamp that will be inserted. Here structure is not used, because this buffer is also used elsewhere in the driver. 
Fixes: 67e17300dc1d ("iio: potentiostat: add LMP91000 support") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Link: https://lore.kernel.org/r/20210501171352.512953-8-jic23@kernel.org Signed-off-by: Sasha Levin commit 994a076be3361acdc8132033c09d8c6cb9569bfe Author: Jonathan Cameron Date: Sat May 1 18:13:47 2021 +0100 iio: cros_ec_sensors: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() [ Upstream commit 8dea228b174ac9637b567e5ef54f4c40db4b3c41 ] The samples buffer is passed to iio_push_to_buffers_with_timestamp() which requires a buffer aligned to 8 bytes as it is assumed that the timestamp will be naturally aligned if present. Fixes tag is inaccurate but prior to that likely manual backporting needed (for anything before 4.18) Earlier than that the include file to fix is drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.h: commit 974e6f02e27 ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.") present since kernel stable 4.10. (Thanks to Gwendal for tracking this down) Fixes: 5a0b8cb46624c ("iio: cros_ec: Move cros_ec_sensors_core.h in /include") Signed-off-by: Jonathan Cameron Reviewed-by: Gwendal Grignou commit 2ab4cf6cc0e86c71305bae2c35eca89154484fff Author: Jonathan Cameron Date: Sat May 1 18:01:21 2021 +0100 iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit df2f37cffd6ed486d613e7ee22aadc8e49ae2dd3 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp(). Fixes tag is not strictly accurate as prior to that patch there was potentially an unaligned write. However, any backport past there will need to be done manually. 
Fixes: 0624bf847dd0 ("iio:tcs3472: Use iio_push_to_buffers_with_timestamp()") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-20-jic23@kernel.org Signed-off-by: Sasha Levin commit d746f8664ce52c8c2b6836f5934cee6a4b52fcc6 Author: Jonathan Cameron Date: Sat May 1 18:01:20 2021 +0100 iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit ff08fbc22ab32ccc6690c21b0e5e1d402dcc076f ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: a244e7b57f0f ("iio: Add driver for AMS/TAOS tcs3414 digital color sensor") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-19-jic23@kernel.org Signed-off-by: Sasha Levin commit f35afa38c5ac9be2890e9f1f92a04cd1dbbc9b43 Author: Jonathan Cameron Date: Sat May 1 18:01:19 2021 +0100 iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 3d4725194de6935dba2ad7c9cc075c885008f747 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. 
Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 6c25539cbc46 ("iio: Add Intersil isl29125 digital color light sensor driver") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-18-jic23@kernel.org Signed-off-by: Sasha Levin commit 8fdbcbda4dfb29902aefc9460fdcac98a0831a3b Author: Jonathan Cameron Date: Sat May 1 18:01:18 2021 +0100 iio: magn: bmc150: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 7692088f72865c41b6b531fd09486ee99a5da930 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: c91746a2361d ("iio: magn: Add support for BMC150 magnetometer") Signed-off-by: Jonathan Cameron Cc: Stephan Gerhold Cc: Linus Walleij Reviewed-by: Linus Walleij Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-17-jic23@kernel.org Signed-off-by: Sasha Levin commit 68c8b28305aea79a51e6f3414436d16f198facd8 Author: Jonathan Cameron Date: Sat May 1 18:01:17 2021 +0100 iio: magn: hmc5843: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 1ef2f51e9fe424ccecca5bb0373d71b900c2cd41 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. 
Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 7247645f6865 ("iio: hmc5843: Move hmc5843 out of staging") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-16-jic23@kernel.org Signed-off-by: Sasha Levin commit 9fc6ef022b4741c7d55adfc0d133a9208f5e12f6 Author: Jonathan Cameron Date: Sat May 1 18:01:16 2021 +0100 iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 37eb8d8c64f2ecb3a5521ba1cc1fad973adfae41 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 37b1ba2c68cf ("iio: proximity: as3935: fix buffer stack trashing") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-15-jic23@kernel.org Signed-off-by: Sasha Levin commit da4dfaed9be8e4731cc3fa530a7f01b8a52d18b9 Author: Jonathan Cameron Date: Sat May 1 18:01:15 2021 +0100 iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 679cc377a03ff1944491eafc7355c1eb1fad4109 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. 
Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: cb119d535083 ("iio: proximity: add support for PulsedLight LIDAR") Signed-off-by: Jonathan Cameron Cc: Matt Ranostay Acked-by: Matt Ranostay Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-14-jic23@kernel.org Signed-off-by: Sasha Levin commit b40dab164dc3fe587533f0d81d120adac41b394e Author: Jonathan Cameron Date: Sat May 1 18:01:14 2021 +0100 iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 19f1a254fe4949fff1e67db386409f48cf438bd7 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 78f839029e1d ("iio: distance: srf08: add IIO driver for us ranger") Signed-off-by: Jonathan Cameron Cc: Andreas Klinger Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-13-jic23@kernel.org Signed-off-by: Sasha Levin commit 1c06080fe28bc99d1f7981145f7639c14565eb7f Author: Jonathan Cameron Date: Sat May 1 18:01:13 2021 +0100 iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit f4ca2e2595d9fee65d5ce0d218b22ce00e5b2915 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. 
Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 0d96d5ead3f7 ("iio: humidity: Add triggered buffer support for AM2315") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-12-jic23@kernel.org Signed-off-by: Sasha Levin commit 4538e6589cfb2e4e0a27b98998fe1e70fbbf2d55 Author: Jonathan Cameron Date: Sat May 1 18:01:12 2021 +0100 iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 06778d881f3798ce93ffbbbf801234292250b598 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 13426454b649 ("iio: bmg160: Separate i2c and core driver") Signed-off-by: Jonathan Cameron Cc: Stephan Gerhold Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-11-jic23@kernel.org Signed-off-by: Sasha Levin commit acf45f54d192333f6af5a3f36105db3da7cc4389 Author: Jonathan Cameron Date: Sat May 1 18:01:11 2021 +0100 iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 7765dfaa22ea08abf0c175e7553826ba2a939632 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. 
Found during an audit of all calls of uses of iio_push_to_buffers_with_timestamp() Fixes: 0010d6b44406 ("iio: adc: vf610: Add IIO buffer support for Vybrid ADC") Signed-off-by: Jonathan Cameron Cc: Stefan-Gabriel Mirea Cc: Sanchayan Maity Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-10-jic23@kernel.org Signed-off-by: Sasha Levin commit 9fad330311e405aee76fabc5dc2c4cd6256bffef Author: Jonathan Cameron Date: Sat May 1 18:01:10 2021 +0100 iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit d85d71dd1ab67eaa7351f69fec512d8f09d164e1 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support") Signed-off-by: Jonathan Cameron Cc: Daniel Baluta Cc: Andy Shevchenko Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-9-jic23@kernel.org Signed-off-by: Sasha Levin commit 8bfa7ffc49ced3f42e7f7988f626d0873f2ec533 Author: Jonathan Cameron Date: Sat May 1 18:01:09 2021 +0100 iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. 
Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org Signed-off-by: Sasha Levin commit 121283ad49f49977c6e774730f73c0f1146bc34a Author: Jonathan Cameron Date: Sat May 1 18:01:08 2021 +0100 iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org Signed-off-by: Sasha Levin commit 467502dd7dfc4716a8c3ad0b123f240355ba3a5e Author: Jonathan Cameron Date: Sat May 1 18:01:07 2021 +0100 iio: accel: mxc4005: Fix overread of data and alignment issue. [ Upstream commit f65802284a3a337510d7f8f916c97d66c74f2e71 ] The bulk read size is based on the size of an array that also has space for the timestamp alongside the channels. Fix that and also fix alignment of the buffer passed to iio_push_to_buffers_with_timestamp. Found during an audit of all calls to this function. Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org Signed-off-by: Sasha Levin commit 57a7deaff13dba77df248045f2906aa11362691e Author: Jonathan Cameron Date: Sun Apr 5 19:03:16 2020 +0100 iio:accel:mxc4005: Drop unnecessary explicit casts in regmap_bulk_read calls [ Upstream commit b01401a228bc4997b0d4bcb669fced448f7a15ca ] regmap_bulk_read takes a void * for its val parameter. 
It certainly makes no sense to cast to a (u8 *) + no need to explicitly cast at all when converting another pointer type to void *. Signed-off-by: Jonathan Cameron Reviewed-by: Alexandru Ardelean Reviewed-by: Andy Shevchenko Signed-off-by: Sasha Levin commit 3a49b56394376195e8f5577b2973cfc2945dff2b Author: Jonathan Cameron Date: Sat May 1 18:01:06 2021 +0100 iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 3ab3aa2e7bd57497f9a7c6275c00dce237d2c9ba ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 1a4fbf6a9286 ("iio: accel: kxcjk1013 3-axis accelerometer driver") Signed-off-by: Jonathan Cameron Cc: Srinivas Pandruvada Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-5-jic23@kernel.org Signed-off-by: Sasha Levin commit 9f23d0df409a4dd82fe1bda68418ba5b63c1debd Author: Jonathan Cameron Date: Sat May 1 18:01:05 2021 +0100 iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit c6559bf796ccdb3a0c79db846af96c8f7046880b ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Note this matches what was done in all the other hid sensor drivers. This one was missed previously due to an extra level of indirection. Found during an audit of all calls of this function. 
Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp") Signed-off-by: Jonathan Cameron Cc: Srinivas Pandruvada Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-4-jic23@kernel.org Signed-off-by: Sasha Levin commit a539e2acccfd2648eb2ca23a6361f93b0e70a308 Author: Jonathan Cameron Date: Sat May 1 18:01:04 2021 +0100 iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit 151dbf0078da98206817ee0b87d499035479ef11 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: 194dc4c71413 ("iio: accel: Add triggered buffer support for BMA220") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-3-jic23@kernel.org Signed-off-by: Sasha Levin commit 39fec8d9ab96be4d8e04753481041bf6d0fd85b1 Author: Jonathan Cameron Date: Sat May 1 18:01:03 2021 +0100 iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() [ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ] To make code more readable, use a structure to express the channel layout and ensure the timestamp is 8 byte aligned. Found during an audit of all calls of this function. Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()") Signed-off-by: Jonathan Cameron Cc: Peter Meerwald Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org Signed-off-by: Sasha Levin commit 2e088ed6fac1149eb448a7516e2728c96b6a9d44 Author: Nuno Sa Date: Thu Apr 22 12:19:04 2021 +0200 iio: adis16400: do not return ints in irq handlers [ Upstream commit ab3df79782e7d8a27a58576c9b4e8c6c4879ad79 ] On an IRQ handler we should not return normal error codes as 'irqreturn_t' is expected. Not necessary to apply to stable as the original check cannot fail and as such the bug cannot actually occur. 
Fixes: 5eda3550a3cc1 ("staging:iio:adis16400: Preallocate transfer message") Reviewed-by: Alexandru Ardelean Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20210422101911.135630-3-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 8271a443e5e4231269ea74e252d4271820f9ca2b Author: Nuno Sa Date: Thu Apr 22 12:19:03 2021 +0200 iio: adis_buffer: do not return ints in irq handlers [ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ] On an IRQ handler we should not return normal error codes as 'irqreturn_t' is expected. Not necessarily stable material as the old check cannot fail, so it's a bug we can not hit. Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library") Reviewed-by: Alexandru Ardelean Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit d3a7e5384b3aab23329bbeca349ffcfaa8fa8a70 Author: Arnd Bergmann Date: Sat May 8 00:07:55 2021 +0200 mwifiex: re-fix for unaligned accesses [ Upstream commit 8f4e3d48bb50765ab27ae5bebed2595b20de80a1 ] A patch from 2017 changed some accesses to DMA memory to use get_unaligned_le32() and similar interfaces, to avoid problems with doing unaligned access on uncached memory. However, the change in the mwifiex_pcie_alloc_sleep_cookie_buf() function ended up changing the size of the access instead, as it operates on a pointer to u8. Change this function back to actually access the entire 32 bits. Note that the pointer is aligned by definition because it came from dma_alloc_coherent().
Fixes: 92c70a958b0b ("mwifiex: fix for unaligned reads") Acked-by: Kalle Valo Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 3a4043f597d0280aa40456370db293246ba46ad1 Author: Christophe JAILLET Date: Sun May 9 19:22:33 2021 +0200 tty: nozomi: Fix a resource leak in an error handling function [ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ] A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in the error handling path, as already done in the remove function. Add it. Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") Reviewed-by: Jiri Slaby Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 61f6c18fff3c94120159dadfb7083804446ce416 Author: Paul E. McKenney Date: Wed Mar 31 10:59:05 2021 -0700 rcu: Invoke rcu_spawn_core_kthreads() from rcu_spawn_gp_kthread() [ Upstream commit 8e4b1d2bc198e34b48fc7cc3a3c5a2fcb269e271 ] Currently, rcu_spawn_core_kthreads() is invoked via an early_initcall(), which works, except that rcu_spawn_gp_kthread() is also invoked via an early_initcall() and rcu_spawn_core_kthreads() relies on adjustments to kthread_prio that are carried out by rcu_spawn_gp_kthread(). There is no guarantee of ordering among early_initcall() handlers, and thus no guarantee that kthread_prio will be properly checked and range-limited at the time that rcu_spawn_core_kthreads() needs it. In most cases, this bug is harmless. After all, the only reason that rcu_spawn_gp_kthread() adjusts the value of kthread_prio is if the user specified a nonsensical value for this boot parameter, which experience indicates is rare. Nevertheless, a bug is a bug. This commit therefore causes the rcu_spawn_core_kthreads() function to be invoked directly from rcu_spawn_gp_kthread() after any needed adjustments to kthread_prio have been carried out.
Fixes: 48d07c04b4cc ("rcu: Enable elimination of Tree-RCU softirq processing") Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit fbe80b3ee91f07dea25aad8d27009fca39f77866 Author: Andy Shevchenko Date: Mon May 3 20:21:10 2021 +0300 staging: fbtft: Rectify GPIO handling [ Upstream commit ec03c2104365ead0a33627c05e685093eed3eaef ] The infamous commit c440eee1a7a1 ("Staging: staging: fbtft: Switch to the GPIO descriptor interface") broke GPIO handling completely. It has already four commits to rectify and it seems not enough. In order to fix the mess here we: 1) Set default to "inactive" for all requested pins 2) Fix CS#, RD#, and WR# pins polarity since it's active low and GPIO descriptor interface takes it into consideration from the Device Tree or ACPI 3) Consolidate chip activation (CS# assertion) under default ->reset() callback To summarize the expectations about polarity for GPIOs: RD# Low WR# Low CS# Low RESET# Low DC or RS High RW High Data 0 .. 15 High See also Adafruit learning course [1] for the example of the schematics. While at it, drop unneeded NULL checks, since GPIO API is tolerant to that. 

    [1]: https://learn.adafruit.com/adafruit-2-8-and-3-2-color-tft-touchscreen-breakout-v2/downloads

    Fixes: 92e3e884887c ("Staging: fbtft: Fix GPIO handling")
    Fixes: b918d1c27066 ("Staging: fbtft: Fix reset assertion when using gpio descriptor")
    Fixes: dbc4f989c878 ("Staging: fbtft: Fix probing of gpio descriptor")
    Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface")
    Cc: Jan Sebastian Götte
    Cc: Nishad Kamdar
    Reviewed-by: Phil Reid
    Signed-off-by: Andy Shevchenko
    Link: https://lore.kernel.org/r/20210503172114.27891-2-andriy.shevchenko@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

commit e0aef648f5bd2367e6460c057eda55e4981c6d0c
Author: Wei Li
Date:   Tue Jun 29 22:14:20 2021 +0800

    MIPS: Fix PKMAP with 32-bit MIPS huge page support

    [ Upstream commit cf02ce742f09188272bcc8b0e62d789eb671fc4c ]

    When 32-bit MIPS huge page support is enabled, we halve the number of pointers a PTE page holds, making its last half go to waste. Correspondingly, we should halve the number of kmap entries, as we just initialized only a single pte table for that in pagetable_init().

    Fixes: 35476311e529 ("MIPS: Add partial 32-bit huge page support")
    Signed-off-by: Wei Li
    Signed-off-by: Thomas Bogendoerfer
    Signed-off-by: Sasha Levin

commit 97704efb93b52c4b2b66a533bc0487e96378f7b1
Author: Leon Romanovsky
Date:   Tue Jun 29 11:51:38 2021 +0300

    RDMA/mlx5: Don't access NULL-cleared mpi pointer

    [ Upstream commit 4a754d7637026b42b0c9ba5787ad5ee3bc2ff77f ]

    The "dev->port[i].mp.mpi" is set to NULL during mlx5_ib_unbind_slave_port() execution, however that field is needed to add device to unaffiliated list.

    Such flow causes the following kernel panic while unloading mlx5_ib module in multi-port mode, hence the device should be added to the list prior to unbind call.

    RPC: Unregistered rdma transport module.
    RPC: Unregistered rdma backchannel transport module.
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 0 P4D 0
    Oops: 0002 [#1] SMP NOPTI
    CPU: 4 PID: 1904 Comm: modprobe Not tainted 5.13.0-rc7_for_upstream_min_debug_2021_06_24_12_08 #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    RIP: 0010:mlx5_ib_cleanup_multiport_master+0x18b/0x2d0 [mlx5_ib]
    Code: 00 04 0f 85 c4 00 00 00 48 89 df e8 ef fa ff ff 48 8b 83 40 0d 00 00 48 8b 15 b9 e8 05 00 4a 8b 44 28 20 48 89 05 ad e8 05 00 <48> c7 00 d0 57 c5 a0 48 89 50 08 48 89 02 39 ab 88 0a 00 00 0f 86
    RSP: 0018:ffff888116ee3df8 EFLAGS: 00010296
    RAX: 0000000000000000 RBX: ffff8881154f6000 RCX: 0000000000000080
    RDX: ffffffffa0c557d0 RSI: ffff88810b69d200 RDI: 000000000002d8a0
    RBP: 0000000000000002 R08: ffff888110780408 R09: 0000000000000000
    R10: ffff88812452e1c0 R11: fffffffffff7e028 R12: 0000000000000000
    R13: 0000000000000080 R14: ffff888102c58000 R15: 0000000000000000
    FS: 00007f884393a740(0000) GS:ffff8882f5a00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000001249f6004 CR4: 0000000000370ea0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     mlx5_ib_stage_init_cleanup+0x16/0xd0 [mlx5_ib]
     __mlx5_ib_remove+0x33/0x90 [mlx5_ib]
     mlx5r_remove+0x22/0x30 [mlx5_ib]
     auxiliary_bus_remove+0x18/0x30
     __device_release_driver+0x177/0x220
     driver_detach+0xc4/0x100
     bus_remove_driver+0x58/0xd0
     auxiliary_driver_unregister+0x12/0x20
     mlx5_ib_cleanup+0x13/0x897 [mlx5_ib]
     __x64_sys_delete_module+0x154/0x230
     ? exit_to_user_mode_prepare+0x104/0x140
     do_syscall_64+0x3f/0x80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f8842e095c7
    Code: 73 01 c3 48 8b 0d d9 48 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 48 2c 00 f7 d8 64 89 01 48
    RSP: 002b:00007ffc68f6e758 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
    RAX: ffffffffffffffda RBX: 00005638207929c0 RCX: 00007f8842e095c7
    RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000563820792a28
    RBP: 00005638207929c0 R08: 00007ffc68f6d701 R09: 0000000000000000
    R10: 00007f8842e82880 R11: 0000000000000206 R12: 0000563820792a28
    R13: 0000000000000001 R14: 0000563820792a28 R15: 00007ffc68f6fb40
    Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter overlay rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_ipoib ib_cm ib_umad mlx5_ib(-) mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core mlx5_core ptp pps_core [last unloaded: rpcrdma]
    CR2: 0000000000000000
    ---[ end trace a0bb7e20804e9e9b ]---

    Fixes: 7ce6095e3bff ("RDMA/mlx5: Don't add slave port to unaffiliated list")
    Link: https://lore.kernel.org/r/899ac1b33a995be5ec0e16a4765c4e43c2b1ba5b.1624956444.git.leonro@nvidia.com
    Reviewed-by: Itay Aveksis
    Reviewed-by: Maor Gottlieb
    Signed-off-by: Leon Romanovsky
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Sasha Levin

commit eff9dabc0068e01307c864e43bf7e2f571c29bd8
Author: Pavel Skripkin
Date:   Fri Jun 25 23:23:48 2021 +0300

    net: sched: fix warning in tcindex_alloc_perfect_hash

    [ Upstream commit 3f2db250099f46988088800052cdf2332c7aba61 ]

    Syzbot reported warning in tcindex_alloc_perfect_hash. The problem was in too big cp->hash, which triggers warning in kmalloc.
    Since cp->hash comes from userspace, there is no need to warn if value is not correct.

    Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
    Reported-and-tested-by: syzbot+1071ad60cd7df39fdadb@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin
    Acked-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 92071a2b8f7ff6365becce28e861bb1571bb9e10
Author: Vadim Fedorenko
Date:   Fri Jun 25 19:21:39 2021 +0300

    net: lwtunnel: handle MTU calculation in forwading

    [ Upstream commit fade56410c22cacafb1be9f911a0afd3701d8366 ]

    Commit 14972cbd34ff ("net: lwtunnel: Handle fragmentation") moved fragmentation logic away from lwtunnel by carrying encap headroom and using it in output MTU calculation. But the forwarding part was not covered and created difference in MTU for output and forwarding and further to silent drops on ipv4 forwarding path. Fix it by taking into account lwtunnel encap headroom.

    The same commit also introduced difference in how to treat RTAX_MTU in IPv4 and IPv6 where latter explicitly removes lwtunnel encap headroom from route MTU. Make IPv4 version do the same.

    Fixes: 14972cbd34ff ("net: lwtunnel: Handle fragmentation")
    Suggested-by: David Ahern
    Signed-off-by: Vadim Fedorenko
    Reviewed-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 5c93fc46682c18c0cac60e09d1e6d375a30c7a85
Author: Muchun Song
Date:   Fri Apr 2 17:11:45 2021 +0800

    writeback: fix obtain a reference to a freeing memcg css

    [ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ]

    The caller of wb_get_create() should pin the memcg, because wb_get_create() relies on this guarantee. The rcu read lock only can guarantee that the memcg css returned by css_from_id() cannot be released, but the reference of the memcg can be zero.

      rcu_read_lock()
      memcg_css = css_from_id()
      wb_get_create(memcg_css)
          cgwb_create(memcg_css)
              // css_get can change the ref counter from 0 back to 1
              css_get(memcg_css)
      rcu_read_unlock()

    Fix it by holding a reference to the css before calling wb_get_create(). This is not a problem I encountered in the real world. Just the result of a code review.

    Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
    Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com
    Signed-off-by: Muchun Song
    Acked-by: Michal Hocko
    Acked-by: Tejun Heo
    Signed-off-by: Jan Kara
    Signed-off-by: Sasha Levin

commit 71721ddf4aee271af6e1d7682da6a90a76ccd5a5
Author: Robert Hancock
Date:   Thu Mar 25 13:26:39 2021 -0600

    clk: si5341: Update initialization magic

    [ Upstream commit 3c9b49b0031aefb81adfdba5ab0ddf3ca3a2cdc9 ]

    Update the default register settings to include the VCO_RESET_CALCODE settings (set by the SiLabs ClockBuilder software but not described in the datasheet). Also update part of the initialization sequence to match ClockBuilder and the datasheet.

    Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver")
    Signed-off-by: Robert Hancock
    Link: https://lore.kernel.org/r/20210325192643.2190069-6-robert.hancock@calian.com
    Signed-off-by: Stephen Boyd
    Signed-off-by: Sasha Levin

commit f894ba756e8637cfbf943ca4f51cfcd2b3392498
Author: Robert Hancock
Date:   Thu Mar 25 13:26:37 2021 -0600

    clk: si5341: Avoid divide errors due to bogus register contents

    [ Upstream commit 78f6f406026d688868223d5dbeb197a4f7e9a9fd ]

    If the Si5341 is being initially programmed and has no stored NVM configuration, some of the register contents may contain unexpected values, such as zeros, which could cause divide by zero errors during driver initialization. Trap errors caused by zero registers or zero clock rates which could result in divide errors later in the code.

    Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver")
    Signed-off-by: Robert Hancock
    Link: https://lore.kernel.org/r/20210325192643.2190069-4-robert.hancock@calian.com
    Signed-off-by: Stephen Boyd
    Signed-off-by: Sasha Levin

commit 80bd119c7d27f7f913ff66ecbb152576b67fbe80
Author: Cristian Ciocaltea
Date:   Thu Jun 10 23:05:23 2021 +0300

    clk: actions: Fix bisp_factor_table based clocks on Owl S500 SoC

    [ Upstream commit a8f1f03caa51aa7a69c671aa87c475034db7d368 ]

    The following clocks of the Actions Semi Owl S500 SoC have been defined to use a shared clock factor table 'bisp_factor_table[]': DE[1-2], VCE, VDE, BISP, SENSOR[0-1]

    There are several issues involved in this approach:

    * 'bisp_factor_table[]' describes the configuration of a regular 8-rates divider, so its usage is redundant. Additionally, judging by the BISP clock context, it is incomplete since it maps only 8 out of 12 possible entries.

    * The clocks mentioned above are not identical in terms of the available rates, therefore cannot rely on the same factor table. Specifically, BISP and SENSOR* are standard 12-rate dividers so their configuration should rely on a proper clock div table, while VCE and VDE require a factor table that is actually a subset of the one needed for DE[1-2] clocks.

    Let's fix this by implementing the following:

    * Add new factor tables 'de_factor_table' and 'hde_factor_table' to properly handle DE[1-2], VCE and VDE clocks.

    * Add a common div table 'std12rate_div_table' for BISP and SENSOR[0-1] clocks converted to OWL_COMP_DIV.

    * Drop the now unused 'bisp_factor_table[]'.

    Additionally, drop the CLK_IGNORE_UNUSED flag for SENSOR[0-1] since there is no reason to always keep ON those clocks.

    Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
    Signed-off-by: Cristian Ciocaltea
    Reviewed-by: Manivannan Sadhasivam
    Link: https://lore.kernel.org/r/e675820a46cd9930d8d576c6cae61d41c1a8416f.1623354574.git.cristian.ciocaltea@gmail.com
    Signed-off-by: Stephen Boyd
    Signed-off-by: Sasha Levin

commit a7aefa1a173d80b0a37771a838cfcb35164ec4ef
Author: Cristian Ciocaltea
Date:   Thu Jun 10 23:05:22 2021 +0300

    clk: actions: Fix SD clocks factor table on Owl S500 SoC

    [ Upstream commit fe1f71e338d77814da3ef44e9f64d32981a6ccdf ]

    Drop the unsupported entries in the factor table used for the SD[0-2] clocks definitions on the Actions Semi Owl S500 SoC.

    Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
    Signed-off-by: Cristian Ciocaltea
    Reviewed-by: Manivannan Sadhasivam
    Link: https://lore.kernel.org/r/196c948d708a22b8198c95f064a0f6b6820f9980.1623354574.git.cristian.ciocaltea@gmail.com
    Signed-off-by: Stephen Boyd
    Signed-off-by: Sasha Levin

commit 1fbd19a9e23f7117545b2318130c4c7dddfe7ca2
Author: Cristian Ciocaltea
Date:   Thu Jun 10 23:05:21 2021 +0300

    clk: actions: Fix UART clock dividers on Owl S500 SoC

    [ Upstream commit 2dca2a619a907579e3e65e7c1789230c2b912e88 ]

    Use correct divider registers for the Actions Semi Owl S500 SoC's UART clocks.

    Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
    Signed-off-by: Cristian Ciocaltea
    Reviewed-by: Manivannan Sadhasivam
    Link: https://lore.kernel.org/r/4714d05982b19ac5fec2ed74f54be42d8238e392.1623354574.git.cristian.ciocaltea@gmail.com
    Signed-off-by: Stephen Boyd
    Signed-off-by: Sasha Levin

commit 305e64cbf855e54252f588cf2be70d762d0230e6
Author: Luiz Augusto von Dentz
Date:   Tue Jun 22 20:59:02 2021 -0700

    Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event

    [ Upstream commit 23837a6d7a1a61818ed94a6b8af552d6cf7d32d5 ]

    Error status of this event means that it has ended due to reasons other than a connection:

    'If advertising has terminated as a result of the advertising duration elapsing, the Status parameter shall be set to the error code Advertising Timeout (0x3C).'

    'If advertising has terminated because the Max_Extended_Advertising_Events was reached, the Status parameter shall be set to the error code Limit Reached (0x43).'

    Fixes: acf0aeae431a0 ("Bluetooth: Handle ADv set terminated event")
    Signed-off-by: Luiz Augusto von Dentz
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

commit 4ad77cea016c6f706baa4e26724dde3dca069e91
Author: Luiz Augusto von Dentz
Date:   Fri May 28 11:45:02 2021 -0700

    Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid

    [ Upstream commit 799acb9347915bfe4eac0ff2345b468f0a1ca207 ]

    This fixes parsing of LTV entries when the length is 0.

    Found with:

    tools/mgmt-tester -s "Add Advertising - Success (ScRsp only)"

    Add Advertising - Success (ScRsp only) - run
      Sending Add Advertising (0x003e)
      Test condition added, total 1
    [ 11.004577] ==================================================================
    [ 11.005292] BUG: KASAN: slab-out-of-bounds in tlv_data_is_valid+0x87/0xe0
    [ 11.005984] Read of size 1 at addr ffff888002c695b0 by task mgmt-tester/87
    [ 11.006711]
    [ 11.007176]
    [ 11.007429] Allocated by task 87:
    [ 11.008151]
    [ 11.008438] The buggy address belongs to the object at ffff888002c69580
    [ 11.008438] which belongs to the cache kmalloc-64 of size 64
    [ 11.010526] The buggy address is located 48 bytes inside of
    [ 11.010526] 64-byte region [ffff888002c69580, ffff888002c695c0)
    [ 11.012423] The buggy address belongs to the page:
    [ 11.013291]
    [ 11.013544] Memory state around the buggy address:
    [ 11.014359] ffff888002c69480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    [ 11.015453] ffff888002c69500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    [ 11.016232] >ffff888002c69580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
    [ 11.017010] ^
    [ 11.017547] ffff888002c69600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
    [ 11.018296] ffff888002c69680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    [ 11.019116] ==================================================================

    Fixes: 2bb36870e8cb2 ("Bluetooth: Unify advertising instance flags check")
    Signed-off-by: Luiz Augusto von Dentz
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

commit 2954b193ebb03ed0214b8a87fabe9261e381f401
Author: Petr Oros
Date:   Fri Jun 25 10:27:45 2021 +0200

    Revert "be2net: disable bh with spin_lock in be_process_mcc"

    [ Upstream commit d6765985a42a660f078896d5c5b27f97c580a490 ]

    Patch was based on wrong presumption that be_poll can be called only from bh context. It reintroduces an old regression (also reverted) and causes a deadlock when we use netconsole with benet in bonding.

    Old revert:
    commit 072a9c486004 ("netpoll: revert 6bdb7fe3104 and fix be_poll() instead")

    [ 331.269715] bond0: (slave enp0s7f0): Releasing backup interface
    [ 331.270121] CPU: 4 PID: 1479 Comm: ifenslave Not tainted 5.13.0-rc7+ #2
    [ 331.270122] Call Trace:
    [ 331.270122] [c00000001789f200] [c0000000008c505c] dump_stack+0x100/0x174 (unreliable)
    [ 331.270124] [c00000001789f240] [c008000001238b9c] be_poll+0x64/0xe90 [be2net]
    [ 331.270125] [c00000001789f330] [c000000000d1e6e4] netpoll_poll_dev+0x174/0x3d0
    [ 331.270127] [c00000001789f400] [c008000001bc167c] bond_poll_controller+0xb4/0x130 [bonding]
    [ 331.270128] [c00000001789f450] [c000000000d1e624] netpoll_poll_dev+0xb4/0x3d0
    [ 331.270129] [c00000001789f520] [c000000000d1ed88] netpoll_send_skb+0x448/0x470
    [ 331.270130] [c00000001789f5d0] [c0080000011f14f8] write_msg+0x180/0x1b0 [netconsole]
    [ 331.270131] [c00000001789f640] [c000000000230c0c] console_unlock+0x54c/0x790
    [ 331.270132] [c00000001789f7b0] [c000000000233098] vprintk_emit+0x2d8/0x450
    [ 331.270133] [c00000001789f810] [c000000000234758] vprintk+0xc8/0x270
    [ 331.270134] [c00000001789f850] [c000000000233c28] printk+0x40/0x54
    [ 331.270135] [c00000001789f870] [c000000000ccf908] __netdev_printk+0x150/0x198
    [ 331.270136] [c00000001789f910] [c000000000ccfdb4] netdev_info+0x68/0x94
    [ 331.270137] [c00000001789f950] [c008000001bcbd70] __bond_release_one+0x188/0x6b0 [bonding]
    [ 331.270138] [c00000001789faa0] [c008000001bcc6f4] bond_do_ioctl+0x42c/0x490 [bonding]
    [ 331.270139] [c00000001789fb60] [c000000000d0d17c] dev_ifsioc+0x17c/0x400
    [ 331.270140] [c00000001789fbc0] [c000000000d0db70] dev_ioctl+0x390/0x890
    [ 331.270141] [c00000001789fc10] [c000000000c7c76c] sock_do_ioctl+0xac/0x1b0
    [ 331.270142] [c00000001789fc90] [c000000000c7ffac] sock_ioctl+0x31c/0x6e0
    [ 331.270143] [c00000001789fd60] [c0000000005b9728] sys_ioctl+0xf8/0x150
    [ 331.270145] [c00000001789fdb0] [c0000000000336c0] system_call_exception+0x160/0x2f0
    [ 331.270146] [c00000001789fe10] [c00000000000d35c] system_call_common+0xec/0x278
    [ 331.270147] --- interrupt: c00 at 0x7fffa6c6ec00
    [ 331.270147] NIP: 00007fffa6c6ec00 LR: 0000000105c4185c CTR: 0000000000000000
    [ 331.270148] REGS: c00000001789fe80 TRAP: 0c00 Not tainted (5.13.0-rc7+)
    [ 331.270148] MSR: 800000000280f033 CR: 28000428 XER: 00000000
    [ 331.270155] IRQMASK: 0
    [ 331.270156] GPR00: 0000000000000036 00007fffd494d5b0 00007fffa6d57100 0000000000000003
    [ 331.270158] GPR04: 0000000000008991 00007fffd494d6d0 0000000000000008 00007fffd494f28c
    [ 331.270161] GPR08: 0000000000000003 0000000000000000 0000000000000000 0000000000000000
    [ 331.270164] GPR12: 0000000000000000 00007fffa6dfa220 0000000000000000 0000000000000000
    [ 331.270167] GPR16: 0000000105c44880 0000000000000000 0000000105c60088 0000000105c60318
    [ 331.270170] GPR20: 0000000105c602c0 0000000105c44560 0000000000000000 0000000000000000
    [ 331.270172] GPR24: 00007fffd494dc50 00007fffd494d6a8 0000000105c60008 00007fffd494d6d0
    [ 331.270175] GPR28: 00007fffd494f27e 0000000105c6026c 00007fffd494f284 0000000000000000
    [ 331.270178] NIP [00007fffa6c6ec00] 0x7fffa6c6ec00
    [ 331.270178] LR [0000000105c4185c] 0x105c4185c
    [ 331.270179] --- interrupt: c00

    This reverts commit d0d006a43e9a7a796f6f178839c92fcc222c564d.

    Fixes: d0d006a43e9a7a ("be2net: disable bh with spin_lock in be_process_mcc")
    Signed-off-by: Petr Oros
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit f6b723ce27ffac84314a7d5831909a008e8c1aea
Author: Bailey Forrest
Date:   Thu Jun 24 19:55:41 2021 -0700

    gve: Fix swapped vars when fetching max queues

    [ Upstream commit 1db1a862a08f85edc36aad091236ac9b818e949e ]

    Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC")
    Signed-off-by: Bailey Forrest
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 0e8c17fd80f26c4bdc2582c72ec774155f9d03b4
Author: Gary Lin
Date:   Wed Jun 23 12:09:18 2021 +0800

    bpfilter: Specify the log level for the kmsg message

    [ Upstream commit a196fa78a26571359740f701cf30d774eb8a72cb ]

    Per the kmsg document [0], if we don't specify the log level with a prefix "" in the message string, the default log level will be applied to the message. Since the default level could be warning(4), this would make the log utility such as journalctl treat the message, "Started bpfilter", as a warning. To avoid confusion, this commit adds the prefix "<5>" to make the message always a notice.

    [0] https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg

    Fixes: 36c4357c63f3 ("net: bpfilter: print umh messages to /dev/kmsg")
    Reported-by: Martin Loviska
    Signed-off-by: Gary Lin
    Signed-off-by: Daniel Borkmann
    Acked-by: Dmitrii Banshchikov
    Link: https://lore.kernel.org/bpf/20210623040918.8683-1-glin@suse.com
    Signed-off-by: Sasha Levin

commit 482e12bdc5d732597104d060db2122774b4c65c2
Author: Sasha Neftin
Date:   Thu Jun 24 12:02:48 2021 -0700

    e1000e: Check the PCIm state

    [ Upstream commit 2e7256f12cdb16eaa2515b6231d665044a07c51a ]

    Complete to commit def4ec6dce393e ("e1000e: PCIm function state support")

    Check the PCIm state only on CSME systems. There is no point to do this check on non CSME systems. This patch fixes the generation of a false-positive warning: "Error in exiting dmoff"

    Fixes: def4ec6dce39 ("e1000e: PCIm function state support")
    Signed-off-by: Sasha Neftin
    Tested-by: Dvora Fuxbrumer
    Signed-off-by: Tony Nguyen
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 48fa8744989f3aa5bb5fba7e00ceb8e3f9d8b32d
Author: Eric Dumazet
Date:   Thu Jun 24 03:07:20 2021 -0700

    ipv6: fix out-of-bound access in ip6_parse_tlv()

    [ Upstream commit 624085a31c1ad6a80b1e53f686bf6ee92abbf6e8 ]

    First problem is that optlen is fetched without checking there is more than one byte to parse.

    Fix this by taking care of IPV6_TLV_PAD1 before fetching optlen (under appropriate sanity checks against len)

    Second problem is that IPV6_TLV_PADN checks of zero padding are performed before the check of remaining length.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking")
    Signed-off-by: Eric Dumazet
    Cc: Paolo Abeni
    Cc: Tom Herbert
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 3380206e5dc06495f57fc38ea9a8d288a113285a
Author: Sukadev Bhattiprolu
Date:   Wed Jun 23 21:13:15 2021 -0700

    ibmvnic: free tx_pool if tso_pool alloc fails

    [ Upstream commit f6ebca8efa52e4ae770f0325d618e7bcf08ada0c ]

    Free tx_pool and clear it, if allocation of tso_pool fails.

    release_tx_pools() assumes we have both tx and tso_pools if ->tx_pool is non-NULL. If allocation of tso_pool fails in init_tx_pools(), the assumption will not be true and we would end up dereferencing ->tx_buff, ->free_map fields from a NULL pointer.

    Fixes: 3205306c6b8d ("ibmvnic: Update TX pool initialization routine")
    Signed-off-by: Sukadev Bhattiprolu
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 867a99001718b10541ac7d26d35df541ff0fbdd0
Author: Dany Madden
Date:   Wed Jun 23 21:13:11 2021 -0700

    Revert "ibmvnic: remove duplicate napi_schedule call in open function"

    [ Upstream commit 2ca220f92878470c6ba03f9946e412323093cc94 ]

    This reverts commit 7c451f3ef676c805a4b77a743a01a5c21a250a73.

    When a vnic interface is taken down and then up, connectivity is not restored. We bisected it to this commit. Reverting this commit until we can fully investigate the issue/benefit of the change.

    Fixes: 7c451f3ef676 ("ibmvnic: remove duplicate napi_schedule call in open function")
    Reported-by: Cristobal Forno
    Reported-by: Abdul Haleem
    Signed-off-by: Dany Madden
    Signed-off-by: Sukadev Bhattiprolu
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit bbc833fd7daec0ca3d26d47f675ba53783cfe5a0
Author: Mateusz Palczewski
Date:   Wed Mar 10 11:12:54 2021 +0000

    i40e: Fix autoneg disabling for non-10GBaseT links

    [ Upstream commit 9262793e59f0423437166a879a73d056b1fe6f9a ]

    Disabling autonegotiation was allowed only for 10GBaseT PHY. The condition was changed to check if link media type is BaseT.

    Fixes: 3ce12ee9d8f9 ("i40e: Fix order of checks when enabling/disabling autoneg in ethtool")
    Reviewed-by: Aleksandr Loktionov
    Reviewed-by: Karen Sornek
    Signed-off-by: Dawid Lukwinski
    Signed-off-by: Mateusz Palczewski
    Tested-by: Tony Brelinski
    Signed-off-by: Tony Nguyen
    Signed-off-by: Sasha Levin

commit a3465b94ac5f3c97b760dc1d3e8c58a31844970b
Author: Dinghao Liu
Date:   Sun Feb 28 19:50:58 2021 +0800

    i40e: Fix error handling in i40e_vsi_open

    [ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ]

    When vsi->type == I40E_VSI_FDIR, we have caught the return value of i40e_vsi_request_irq() but without further handling. Check and execute memory clean on failure just like the other i40e_vsi_request_irq().

    Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown")
    Signed-off-by: Dinghao Liu
    Tested-by: Tony Brelinski
    Signed-off-by: Tony Nguyen
    Signed-off-by: Sasha Levin

commit 5e98c708a471836edac3791be58dbbc93e6aa0a9
Author: Maciej Żenczykowski
Date:   Wed Jun 16 17:09:51 2021 -0700

    bpf: Do not change gso_size during bpf_skb_change_proto()

    [ Upstream commit 364745fbe981a4370f50274475da4675661104df ]

    This is technically a backwards incompatible change in behaviour, but I'm going to argue that it is very unlikely to break things, and likely to fix *far* more than it breaks.

    In no particular order, various reasons follow:

    (a) I've long had a bug assigned to myself to debug a super rare kernel crash on Android Pixel phones which can (per stacktrace) be traced back to BPF clat IPv6 to IPv4 protocol conversion causing some sort of ugly failure much later on during transmit deep in the GSO engine, AFAICT precisely because of this change to gso_size, though I've never been able to manually reproduce it. I believe it may be related to the particular network offload support of attached USB ethernet dongle being used for tethering off of an IPv6-only cellular connection. The reason might be we end up with more segments than max permitted, or with a GSO packet with only one segment... (either way we break some assumption and hit a BUG_ON)

    (b) There is no check that the gso_size is > 20 when reducing it by 20, so we might end up with a negative (or underflowing) gso_size or a gso_size of 0. This can't possibly be good. Indeed this is probably somehow exploitable (or at least can result in a kernel crash) by delivering crafted packets and perhaps triggering an infinite loop or a divide by zero... As a reminder: gso_size (MSS) is related to MTU, but not directly derived from it: gso_size/MSS may be significantly smaller than one would get by deriving from local MTU. And on some NICs (which do loose MTU checking on receive), it may even potentially be larger, for example my work pc with 1500 MTU can receive 1520 byte frames [and sometimes does due to bugs in a vendor plat46 implementation]. Indeed even just going from 21 to 1 is potentially problematic because it increases the number of segments by a factor of 21 (think DoS, or some other crash due to too many segments).

    (c) It's always safe to not increase the gso_size, because it doesn't result in the max packet size increasing. So the skb_increase_gso_size() call was always unnecessary for correctness (and outright undesirable, see later).
    As such the only part which is potentially dangerous (ie. could cause backwards compatibility issues) is the removal of the skb_decrease_gso_size() call.

    (d) If the packets are ultimately destined to the local device, then there is absolutely no benefit to playing around with gso_size. It only matters if the packets will egress the device. ie. we're either forwarding, or transmitting from the device.

    (e) This logic only triggers for packets which are GSO. It does not trigger for skbs which are not GSO. It will not convert a non-GSO MTU sized packet into a GSO packet (and you don't even know what the MTU is, so you can't even fix it). As such your transmit path must *already* be able to handle an MTU 20 bytes larger than your receive path (for IPv4 to IPv6 translation) - and indeed 28 bytes larger due to IPv4 fragments. Thus removing the skb_decrease_gso_size() call doesn't actually increase the size of the packets your transmit side must be able to handle. ie. to handle non-GSO max-MTU packets, the IPv4/IPv6 device/ route MTUs must already be set correctly. Since for example with an IPv4 egress MTU of 1500, IPv4 to IPv6 translation will already build 1520 byte IPv6 frames, so you need a 1520 byte device MTU. This means if your IPv6 device's egress MTU is 1280, your IPv4 route must be 1260 (and actually 1252, because of the need to handle fragments). This is to handle normal non-GSO packets. Thus the reduction is simply not needed for GSO packets, because when they're correctly built, they will already be the right size.

    (f) TSO/GSO should be able to exactly undo GRO: the number of packets (TCP segments) should not be modified, so that TCP's MSS counting works correctly (this matters for congestion control). If protocol conversion changes the gso_size, then the number of TCP segments may increase or decrease. Packet loss after protocol conversion can result in partial loss of MSS segments that the sender sent.
    How's the sending TCP stack going to react to receiving ACKs/SACKs in the middle of the segments it sent?

    (g) skb_{decrease,increase}_gso_size() are already no-ops for GSO_BY_FRAGS case (besides triggering WARN_ON_ONCE). This means you already cannot guarantee that gso_size (and thus resulting packet MTU) is changed. ie. you must assume it won't be changed.

    (h) changing gso_size is outright buggy for UDP GSO packets, where framing matters (I believe that's also the case for SCTP, but it's already excluded by [g]). So the only remaining case is TCP, which also doesn't want it (see [f]).

    (i) see also the reasoning on the previous attempt at fixing this (commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e) which shows that the current behaviour causes TCP packet loss:

      In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the coalesced packet payload can be > MSS, but < MSS + 20.

      bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload length. After then tcp_gso_segment checks for the payload length if it is <= MSS. The condition is causing the packet to be dropped.

      tcp_gso_segment():
        [...]
        mss = skb_shinfo(skb)->gso_size;
        if (unlikely(skb->len <= mss))
          goto out;
        [...]

    Thus changing the gso_size is simply a very bad idea. Increasing is unnecessary and buggy, and decreasing can go negative.

    Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
    Signed-off-by: Maciej Żenczykowski
    Signed-off-by: Daniel Borkmann
    Cc: Dongseok Yi
    Cc: Willem de Bruijn
    Link: https://lore.kernel.org/bpf/CANP3RGfjLikQ6dg=YpBU0OeHvyv7JOki7CyOUS9modaXAi-9vQ@mail.gmail.com
    Link: https://lore.kernel.org/bpf/20210617000953.2787453-2-zenczykowski@gmail.com
    Signed-off-by: Sasha Levin

commit bc54d98bd21d7ad2ffce48187d4f25a67f11dee6
Author: Eric Dumazet
Date:   Wed Jun 23 08:27:00 2021 -0700

    ipv6: exthdrs: do not blindly use init_net

    [ Upstream commit bcc3f2a829b9edbe3da5fb117ee5a63686d31834 ]

    I see no reason why max_dst_opts_cnt and max_hbh_opts_cnt are fetched from the initial net namespace.

    The other sysctls (max_dst_opts_len & max_hbh_opts_len) are in fact already using the current ns.

    Note: it is not clear why ipv6_destopt_rcv() use two ways to get to the netns :

     1) dev_net(dst->dev)
        Originally used to increment IPSTATS_MIB_INHDRERRORS

     2) dev_net(skb->dev)
        Tom used this variant in his patch.

    Maybe this calls to use ipv6_skb_net() instead ?

    Fixes: 47d3d7ac656a ("ipv6: Implement limits on Hop-by-Hop and Destination options")
    Signed-off-by: Eric Dumazet
    Cc: Tom Herbert
    Cc: Coco Li
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 28db4b5b69f38e50a59bd6e171d897d3023c78bb
Author: Jian-Hong Pan
Date:   Wed Jun 23 11:28:03 2021 +0800

    net: bcmgenet: Fix attaching to PYH failed on RPi 4B

    [ Upstream commit b2ac9800cfe0f8da16abc4e74e003440361c112e ]

    The Broadcom UniMAC MDIO bus from mdio-bcm-unimac module comes too late. So, GENET cannot find the ethernet PHY on UniMAC MDIO bus. This leads GENET fail to attach the PHY as following log:

    bcmgenet fd580000.ethernet: GENET 5.0 EPHY: 0x0000
    ...
    could not attach to PHY
    bcmgenet fd580000.ethernet eth0: failed to connect to PHY
    uart-pl011 fe201000.serial: no DMA platform data
    libphy: bcmgenet MII bus: probed
    ...
    unimac-mdio unimac-mdio.-19: Broadcom UniMAC MDIO bus

    This patch adds the soft dependency to load mdio-bcm-unimac module before genet module to avoid the issue.

    Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver")
    Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213485
    Signed-off-by: Jian-Hong Pan
    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

commit 946bd84826b88b65e5c4f1681854eecb4a2fd826
Author: Ping-Ke Shih
Date:   Wed Jun 23 21:48:25 2021 +0800

    mac80211: remove iwlwifi specific workaround NDPs of null_response

    [ Upstream commit 744757e46bf13ec3a7b3507d17ab3faab9516d43 ]

    Remove the remaining workaround that is not removed by the commit e41eb3e408de ("mac80211: remove iwlwifi specific workaround that broke sta NDP tx")

    Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
    Signed-off-by: Ping-Ke Shih
    Link: https://lore.kernel.org/r/20210623134826.10318-1-pkshih@realtek.com
    Signed-off-by: Johannes Berg
    Signed-off-by: Sasha Levin

commit cb72c23aa54489181b615f6fcf079d45136516c8
Author: Eric Dumazet
Date:   Mon Jun 21 11:02:44 2021 -0700

    ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()

    [ Upstream commit 0303b30375dff5351a79cc2c3c87dfa4fda29bed ]

    Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE must be present to avoid a crash.
Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Eric Dumazet Cc: Alexander Aring Cc: Stefan Schmidt Reported-by: syzbot Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210621180244.882076-1-eric.dumazet@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 048513280e4191dee4c679f2fe68e652fb8182f9 Author: Dongliang Mu Date: Wed Jun 16 10:09:01 2021 +0800 ieee802154: hwsim: Fix memory leak in hwsim_add_one [ Upstream commit 28a5501c3383f0e6643012c187b7c2027ef42aea ] No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to remove the entry in the edges list. Take the example below, phy0, phy1 and e0 will be deleted, resulting in e1 not freed and accessed in the future.

                  hwsim_phys
                      |
        ------------------------------
        |                            |
    phy0 (edges)                 phy1 (edges)
       ----> e1 (idx = 1)           ----> e0 (idx = 0)

Fix this by deleting and freeing all the entries in the edges list between hwsim_edge_unsubscribe_me and list_del(&phy->list). Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling") Signed-off-by: Dongliang Mu Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210616020901.2759466-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 9692257004d45881db69bd508aa5a957f922db95 Author: Marcelo Ricardo Leitner Date: Tue Jun 22 12:05:00 2021 -0300 tc-testing: fix list handling [ Upstream commit b4fd096cbb871340be837491fa1795864a48b2d9 ] python lists don't have an 'add' method, but 'append'. Fixes: 14e5175e9e04 ("tc-testing: introduce scapyPlugin for basic traffic") Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S.
Miller Signed-off-by: Sasha Levin commit 117e1495a636c6bfc342dcf2811deb040e8157cc Author: Miao Wang Date: Tue Jun 22 12:24:50 2021 +0800 net/ipv4: swap flow ports when validating source [ Upstream commit c69f114d09891adfa3e301a35d9e872b8b7b5a50 ] When doing source address validation, the flowi4 struct used for fib_lookup should be in the reverse direction to the given skb. fl4_dport and fl4_sport returned by fib4_rules_early_flow_dissect should thus be swapped. Fixes: 5a847a6e1477 ("net/ipv4: Initialize proto and ports in flow struct") Signed-off-by: Miao Wang Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 74e76cd6320cbe535fe7ded0400f45072ced70cb Author: Eric Dumazet Date: Mon Jun 21 07:44:17 2021 -0700 vxlan: add missing rcu_read_lock() in neigh_reduce() [ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ] syzbot complained in neigh_reduce(), because rcu_read_lock_bh() is treated differently than rcu_read_lock() WARNING: suspicious RCU usage 5.13.0-rc6-syzkaller #0 Not tainted ----------------------------- include/net/addrconf.h:313 suspicious rcu_dereference_check() usage! 
Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b5bd5b7b7f18aa674468a803aff72bcc664a8a6e Author: Eric Dumazet Date: Mon Jun 21 10:54:49 2021 -0700 pkt_sched: sch_qfq: fix qfq_change_class() error path [ Upstream commit 0cd58e5c53babb9237b741dbef711f0a9eb6d3fd ] If qfq_change_class() is unable to allocate memory for qfq_aggregate, it frees the class that has been inserted in the class hash table, but does not unhash it. Defer the insertion after the problematic allocation. BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:884 [inline] BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731
Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 33f897fe34293e7c5cd38aac26eef954ea07ae2a Author: Jakub Kicinski Date: Fri Jun 18 13:34:06 2021 -0700 tls: prevent oversized sendfile() hangs by ignoring MSG_MORE [ Upstream commit d452d48b9f8b1a7f8152d33ef52cfd7fe1735b0a ] We got multiple reports that multi_chunk_sendfile test case from tls selftest fails. This was sort of expected, as the original fix was never applied (see it in the first Link:). The test in question uses sendfile() with count larger than the size of the underlying file. This will make splice set MSG_MORE on all sendpage calls, meaning TLS will never close and flush the last partial record. Eric seem to have addressed a similar problem in commit 35f9c09fe9c7 ("tcp: tcp_sendpages() should call tcp_push() once") by introducing MSG_SENDPAGE_NOTLAST. Unlike MSG_MORE MSG_SENDPAGE_NOTLAST is not set on the last call of a "pipefull" of data (PIPE_DEF_BUFFERS == 16, so every 16 pages or whenever we run out of data). Having a break every 16 pages should be fine, TLS can pack exactly 4 pages into a record, so for aligned reads there should be no difference, unaligned may see one extra record per sendpage(). Sticking to TCP semantics seems preferable to modifying splice, but we can revisit it if real life scenarios show a regression. Reported-by: Vadim Fedorenko Reported-by: Seth Forshee Link: https://lore.kernel.org/netdev/1591392508-14592-1-git-send-email-pooja.trivedi@stackpath.com/ Fixes: 3c4d7559159b ("tls: kernel TLS support") Signed-off-by: Jakub Kicinski Tested-by: Seth Forshee Signed-off-by: David S.
Miller Signed-off-by: Sasha Levin commit 6fea1a58c914d69f0573e39ea1b2b9239b841b26 Author: Yunsheng Lin Date: Thu Jun 17 09:04:14 2021 +0800 net: sched: add barrier to ensure correct ordering for lockless qdisc [ Upstream commit 89837eb4b2463c556a123437f242d6c2bc62ce81 ] The spin_trylock() was assumed to contain the implicit barrier needed to ensure the correct ordering between STATE_MISSED setting/clearing and STATE_MISSED checking in commit a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc"). But it turns out that spin_trylock() only has load-acquire semantic, for strongly-ordered system(like x86), the compiler barrier implicitly contained in spin_trylock() seems enough to ensure the correct ordering. But for weakly-orderly system (like arm64), the store-release semantic is needed to ensure the correct ordering as clear_bit() and test_bit() is store operation, see queued_spin_lock(). So add the explicit barrier to ensure the correct ordering for the above case. Fixes: a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc") Signed-off-by: Yunsheng Lin Acked-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e245ea3b524069e1a264bb50190dceedd59c36fb Author: Antoine Tenart Date: Fri Jun 18 17:15:53 2021 +0200 vrf: do not push non-ND strict packets with a source LLA through packet taps again [ Upstream commit 603113c514e95c3350598bc3cccbd03af7ea4ab2 ] Non-ND strict packets with a source LLA go through the packet taps again, while non-ND strict packets with other source addresses do not, and we can see a clone of those packets on the vrf interface (we should not). This is due to a series of changes: Commit 6f12fa775530[1] made non-ND strict packets not being pushed again in the packet taps. This changed with commit 205704c618af[2] for those packets having a source LLA, as they need a lookup with the orig_iif. 
The issue now is those packets do not skip the 'vrf_ip6_rcv' function to the end (as the ones without a source LLA) and go through the check to call packet taps again. This check was changed by commit 6f12fa775530[1] and do not exclude non-strict packets anymore. Packets matching 'need_strict && !is_ndisc && is_ll_src' are now being sent through the packet taps again. This can be seen by dumping packets on the vrf interface. Fix this by having the same code path for all non-ND strict packets and selectively lookup with the orig_iif for those with a source LLA. This has the effect to revert to the pre-205704c618af[2] condition, which should also be easier to maintain. [1] 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF") [2] 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict") Fixes: 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict") Cc: Stephen Suryaputra Reported-by: Paolo Abeni Signed-off-by: Antoine Tenart Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f264d0873d8d4f0ed30e61f2ad7abccbce98e5f4 Author: Pavel Skripkin Date: Fri Jun 18 19:14:47 2021 +0300 net: ethernet: ezchip: fix error handling [ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ] As documented at drivers/base/platform.c for platform_get_irq: * Gets an IRQ for a platform device and prints an error message if finding the * IRQ fails. Device drivers should check the return value for errors so as to * not pass a negative integer value to the request_irq() APIs. So, the driver should check that platform_get_irq() return value is _negative_, not that it's equal to zero, because -ENXIO (return value from request_irq() if irq was not found) will pass this check and it leads to passing negative irq to request_irq() Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. 
Miller Signed-off-by: Sasha Levin commit a10e00299b8004af6718757a31b1e107084d5615 Author: Pavel Skripkin Date: Fri Jun 18 19:14:31 2021 +0300 net: ethernet: ezchip: fix UAF in nps_enet_remove [ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ] priv is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing priv pointer. So, fix it by moving free_netdev() after netif_napi_del() call. Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b7f456df85946c4fdc03944f5b681bcc916a285d Author: Pavel Skripkin Date: Fri Jun 18 17:57:31 2021 +0300 net: ethernet: aeroflex: fix UAF in greth_of_remove [ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ]

    static int greth_of_remove(struct platform_device *of_dev)
    {
        ...
        struct greth_private *greth = netdev_priv(ndev);
        ...
        unregister_netdev(ndev);
        free_netdev(ndev);

        of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
        ...
    }

greth is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing greth pointer. So, fix it by moving free_netdev() after of_iounmap() call. Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e21b9e8436ef82bf44f77f778f009f72fde2ccdf Author: Wang Hai Date: Wed Jun 16 12:25:34 2021 +0800 samples/bpf: Fix the error return code of xdp_redirect's main() [ Upstream commit 7c6090ee2a7b3315410cfc83a94c3eb057407b25 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. If bpf_map_update_elem() failed, main() should return a negative error.
Fixes: 832622e6bd18 ("xdp: sample program for new bpf_redirect helper") Signed-off-by: Wang Hai Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210616042534.315097-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 66e9a01e4c7c28262c14bf9e8062511d12367e7c Author: Bob Pearson Date: Fri Jun 4 18:05:59 2021 -0500 RDMA/rxe: Fix qp reference counting for atomic ops [ Upstream commit 15ae1375ea91ae2dee6f12d71a79d8c0a10a30bf ] Currently the rdma_rxe driver attempts to protect atomic responder resources by taking a reference to the qp which is only freed when the resource is recycled for a new read or atomic operation. This means that in normal circumstances there is almost always an extra qp reference once an atomic operation has been executed which prevents cleaning up the qp and associated pd and cqs when the qp is destroyed. This patch removes the call to rxe_add_ref() in send_atomic_ack() and the call to rxe_drop_ref() in free_rd_atomic_resource(). If the qp is destroyed while a peer is retrying an atomic op it will cause the operation to fail which is acceptable. Link: https://lore.kernel.org/r/20210604230558.4812-1-rpearsonhpe@gmail.com Reported-by: Zhu Yanjun Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone") Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit da4ad14f87f024f1aaf859915836b6454d0f05d6 Author: Pablo Neira Ayuso Date: Fri Jun 11 19:26:56 2021 +0200 netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols [ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ] Add upfront check for TCP and UDP packets before performing further processing.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit a3f1e8e316bf8458d853fd0531a01a1a5a773347 Author: Pablo Neira Ayuso Date: Thu Jun 10 20:20:31 2021 +0200 netfilter: nft_osf: check for TCP packet before further processing [ Upstream commit 8f518d43f89ae00b9cf5460e10b91694944ca1a8 ] The osf expression only supports for TCP packets, add a upfront sanity check to skip packet parsing if this is not a TCP packet. Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") Signed-off-by: Pablo Neira Ayuso Reported-by: kernel test robot Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 4759c55ff1d52074bde823cb9931377ee1f6051a Author: Pablo Neira Ayuso Date: Thu Jun 10 20:20:30 2021 +0200 netfilter: nft_exthdr: check for IPv6 packet before further processing [ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ] ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet is passed for parsing. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e4db789e937e751507d34421176fc7156ffdfdc8 Author: Leon Romanovsky Date: Mon May 31 19:04:44 2021 +0300 RDMA/mlx5: Don't add slave port to unaffiliated list [ Upstream commit 7ce6095e3bff8e20ce018b050960b527e298f7df ] The mlx5_ib_bind_slave_port() doesn't remove multiport device from the unaffiliated list, but mlx5_ib_unbind_slave_port() did it. This unbalanced flow caused to the situation where mlx5_ib_unaffiliated_port_list was changed during iteration. 
Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") Link: https://lore.kernel.org/r/2726e6603b1e6ecfe76aa5a12a063af72173bcf7.1622477058.git.leonro@nvidia.com Reported-by: Dan Carpenter Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 9b1e991266c49cfd932ac6a1b96fb82ef25ae48c Author: Liu Shixin Date: Tue Jun 15 10:14:44 2021 +0800 netlabel: Fix memory leak in netlbl_mgmt_add_common [ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ] Hulk Robot reported memory leak in netlbl_mgmt_add_common. The problem is non-freed map in case of netlbl_domhsh_add() failed. Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping") Reported-by: Hulk Robot Signed-off-by: Liu Shixin Signed-off-by: David S.
Miller Signed-off-by: Sasha Levin commit 9b81edead82499b917a5501f15a829b316bd94fc Author: Yang Li Date: Tue May 25 18:46:17 2021 +0800 ath10k: Fix an error code in ath10k_add_interface() [ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ] When the code execute this if statement, the value of ret is 0. However, we can see from the ath10k_warn() log that the value of ret should be -EINVAL. Clean up smatch warning: drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn: missing error code 'ret' Reported-by: Abaci Robot Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine") Signed-off-by: Yang Li Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com Signed-off-by: Sasha Levin commit 2a8b20d74106954b1bd30a86cf81ef21c4a50b20 Author: Christophe JAILLET Date: Wed May 12 22:58:30 2021 +0200 brcmsmac: mac80211_if: Fix a resource leak in an error handling path [ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ] If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()' as already done in the remove function. Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") Signed-off-by: Christophe JAILLET Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 771a8b6da36fd1fe54a2922c6b67a3153e2d89ae Author: Alvin Šipraga Date: Thu May 6 13:20:12 2021 +0000 brcmfmac: correctly report average RSSI in station info [ Upstream commit 9a1590934d9a02e570636432b93052c0c035f31f ] The rx_lastpkt_rssi field provided by the firmware is suitable for NL80211_STA_INFO_{SIGNAL,CHAIN_SIGNAL}, while the rssi field is an average. Fix up the assignments and set the correct STA_INFO bits. This lets userspace know that the average RSSI is part of the station info. 
Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") Signed-off-by: Alvin Šipraga Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210506132010.3964484-2-alsi@bang-olufsen.dk Signed-off-by: Sasha Levin commit 4940e54549a58722ede27e5ef965d57dcd7189b6 Author: Alvin Šipraga Date: Thu May 6 13:20:12 2021 +0000 brcmfmac: fix setting of station info chains bitmask [ Upstream commit feb45643762172110cb3a44f99dd54304f33b711 ] The sinfo->chains field is a bitmask for filled values in chain_signal and chain_signal_avg, not a count. Treat it as such so that the driver can properly report per-chain RSSI information. Before (MIMO mode): $ iw dev wlan0 station dump ... signal: -51 [-51] dBm After (MIMO mode): $ iw dev wlan0 station dump ... signal: -53 [-53, -54] dBm Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") Signed-off-by: Alvin Šipraga Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210506132010.3964484-1-alsi@bang-olufsen.dk Signed-off-by: Sasha Levin commit 18b3b70dd11d15ee1875d51aa77ca05fbeed09c9 Author: Zhen Lei Date: Sat May 15 15:29:49 2021 +0800 ssb: Fix error return code in ssb_bus_scan() [ Upstream commit 77a0989baa427dbd242c5784d05a53ca3d197d43 ] Fix to return -EINVAL from the error handling case instead of 0, as done elsewhere in this function. Fixes: 61e115a56d1a ("[SSB]: add Sonics Silicon Backplane bus support") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Acked-by: Michael Büsch Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210515072949.7151-1-thunder.leizhen@huawei.com Signed-off-by: Sasha Levin commit 55ec3e5809e5e97ad274d32ac64a6c1841acf027 Author: Bryan O'Donoghue Date: Sat Jun 5 18:33:47 2021 +0100 wcn36xx: Move hal_buf allocation to devm_kmalloc in probe [ Upstream commit ef48667557c53d4b51a1ee3090eab7699324c9de ] Right now wcn->hal_buf is allocated in wcn36xx_start(). 
This is a problem since we should have setup all of the buffers we required by the time ieee80211_register_hw() is called. struct ieee80211_ops callbacks may run prior to mac_start() and therefore wcn->hal_buf must be initialized. This is easily remediated by moving the allocation to probe() taking the opportunity to tidy up freeing memory by using devm_kmalloc(). Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210605173347.2266003-1-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 723204726a6a7d8c3833d3771604a77018c93d2d Author: Dongliang Mu Date: Fri Jun 11 09:58:12 2021 +0800 ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others [ Upstream commit ab372c2293f5d0b279f31c8d768566ea37602dc9 ] In hwsim_subscribe_all_others, the error handling code performs incorrectly if the second hwsim_alloc_edge fails. When this issue occurs, it goes to sub_fail, without cleaning the edges allocated before. Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Dongliang Mu Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210611015812.1626999-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin commit 3986553411f816a9285174ec6624dcb24f3e8a04 Author: Randy Dunlap Date: Mon May 31 17:41:28 2021 +0300 wireless: carl9170: fix LEDS build errors & warnings [ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ] kernel test robot reports over 200 build errors and warnings that are due to this Kconfig problem when CARL9170=m, MAC80211=y, and LEDS_CLASS=m. 
WARNING: unmet direct dependencies detected for MAC80211_LEDS Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y]) Selected by [m]: - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m] CARL9170_LEDS selects MAC80211_LEDS even though its kconfig dependencies are not met. This happens because 'select' does not follow any Kconfig dependency chains. Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where the latter supplies any needed dependencies on LEDS_CLASS. Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Kalle Valo Cc: Christian Lamparter Cc: linux-wireless@vger.kernel.org Cc: Arnd Bergmann Suggested-by: Christian Lamparter Acked-by: Arnd Bergmann Acked-by: Christian Lamparter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit b6d2cf68f9b1cdf21141b84eea53fb1070a645b8 Author: Yang Yingliang Date: Mon May 31 17:41:28 2021 +0300 ath10k: add missing error return code in ath10k_pci_probe() [ Upstream commit e2783e2f39ba99178dedfc1646d5cc0979d1bab3 ] When chip_id is not supported, the resources will be freed on path err_unsupported, these resources will also be freed when calling ath10k_pci_remove(), it will cause double free, so return -ENODEV when it doesn't support the device with wrong chip_id. 
Fixes: c0c378f9907c ("ath10k: remove target soc ps code") Fixes: 7505f7c3ec1d ("ath10k: create a chip revision whitelist") Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210522105822.1091848-3-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 941ce3bd7fb025321dbd051e927c0093d5f9b920 Author: Yang Yingliang Date: Mon May 31 17:41:28 2021 +0300 ath10k: go to path err_unsupported when chip id is not supported [ Upstream commit 9e88dd431d2345acdb7a549f3e88aaf4c2a307a1 ] When chip id is not supported, it goes to path err_unsupported to print the error message. Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection") Signed-off-by: Yang Yingliang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210522105822.1091848-2-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 5f543705309fb8f708e92eb0026ae6bad32c9960 Author: Zhihao Cheng Date: Wed Jun 9 19:59:16 2021 +0800 tools/bpftool: Fix error return code in do_batch() [ Upstream commit ca16b429f39b4ce013bfa7e197f25681e65a2a42 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 668da745af3c2 ("tools: bpftool: add support for quotations ...") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Signed-off-by: Andrii Nakryiko Reviewed-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20210609115916.2186872-1-chengzhihao1@huawei.com Signed-off-by: Sasha Levin commit fe5cca105794070ae379c41f9a86ec59edc61ad0 Author: Colin Ian King Date: Tue Jun 8 17:13:13 2021 +0100 drm: qxl: ensure surf.data is initialized [ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ] The object surf is not fully initialized and the uninitialized field surf.data is being copied by the call to qxl_bo_create via the call to qxl_gem_object_create.
Set surf.data to zero to ensure garbage data from the stack is not being copied. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Colin Ian King Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit d9721095a5ce24dfba51ef4c8a9c80d0b3bcdf8f Author: Kamal Heib Date: Thu Jun 3 12:01:12 2021 +0300 RDMA/rxe: Fix failure during driver load [ Upstream commit 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 ] To avoid the following failure when trying to load the rdma_rxe module while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the failure, also delete the needless debug print from rxe_setup_udp_tunnel().

    $ modprobe rdma_rxe
    modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted

Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel") Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com Reported-by: Yi Zhang Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2adbd7559dfb14af96d512de3f5e126c17511209 Author: Leon Romanovsky Date: Wed May 19 11:37:31 2021 +0300 RDMA/core: Sanitize WQ state received from the userspace [ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ] The mlx4 and mlx5 implemented differently the WQ input checks. Instead of duplicating mlx4 logic in the mlx5, let's prepare the input in the central place. The mlx5 implementation didn't check for validity of state input. It is not real bug because our FW checked that, but still worth to fix.
Fixes: f213c0527210 ("IB/uverbs: Add WQ support") Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com Reported-by: Jiapeng Chong Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 9cc3eb8abe2335bb92cc5ca76aa3458e650181ac Author: Boris Sukholitko Date: Tue Jun 1 15:30:50 2021 +0300 net/sched: act_vlan: Fix modify to allow 0 [ Upstream commit 9c5eee0afca09cbde6bd00f77876754aaa552970 ] Currently vlan modification action checks existence of vlan priority by comparing it to 0. Therefore it is impossible to modify existing vlan tag to have priority 0. For example, the following tc command will change the vlan id but will not affect vlan priority:

    tc filter add dev eth1 ingress matchall action vlan modify id 300 \
        priority 0 pipe mirred egress redirect dev eth2

The incoming packet on eth1:

    ethertype 802.1Q (0x8100), vlan 200, p 4, ethertype IPv4

will be changed to:

    ethertype 802.1Q (0x8100), vlan 300, p 4, ethertype IPv4

although the user has intended to have p == 0. The fix is to add tcfv_push_prio_exists flag to struct tcf_vlan_params and rely on it when deciding to set the priority. Fixes: 45a497f2d149a4a8061c (net/sched: act_vlan: Introduce TCA_VLAN_ACT_MODIFY vlan action) Signed-off-by: Boris Sukholitko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0b440951273a86c5da3bfbc3b06fdb42f0aa7057 Author: Zhen Lei Date: Fri May 28 16:55:55 2021 +0800 ehea: fix error return code in ehea_restart_qps() [ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ] Fix to return -EFAULT from the error handling case instead of 0, as done elsewhere in this function. By the way, when get_zeroed_page() fails, directly return -ENOMEM to simplify code.
Fixes: 2c69448bbced ("ehea: DLPAR memory add fix") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e16bd3365d089b0af0f627202936cb46a3887ef6 Author: Thomas Hebb Date: Sun Apr 18 19:04:10 2021 -0700 drm/rockchip: dsi: move all lane config except LCDC mux to bind() [ Upstream commit 43c2de1002d2b70fb5941fa14e97a34e3dc214d4 ] When we first enable the DSI encoder, we currently program some per-chip configuration that we look up in rk3399_chip_data based on the device tree compatible we match. This data configures various parameters of the MIPI lanes, including on RK3399 whether DSI1 is slaved to DSI0 in a dual-mode configuration. It also selects which LCDC (i.e. VOP) to scan out from. This causes a problem in RK3399 dual-mode configurations, though: panel prepare() callbacks run before the encoder gets enabled and expect to be able to write commands to the DSI bus, but the bus isn't fully functional until the lane and master/slave configuration have been programmed. As a result, dual-mode panels (and possibly others too) fail to turn on when the rockchipdrm driver is initially loaded. Because the LCDC mux is the only thing we don't know until enable time (and is the only thing that can ever change), we can actually move most of the initialization to bind() and get it out of the way early. That's what this change does. (Rockchip's 4.4 BSP kernel does it in mode_set(), which also avoids the issue, but bind() seems like the more correct place to me.) Tested on a Google Scarlet board (Acer Chromebook Tab 10), which has a Kingdisplay KD097D04 dual-mode panel. Prior to this change, the panel's backlight would turn on but no image would appear when initially loading rockchipdrm. If I kept rockchipdrm loaded and reloaded the panel driver, it would come on. 
With this change, the panel successfully turns on during initial rockchipdrm load as expected. Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") Signed-off-by: Thomas Hebb Tested-by: Jonathan Liu Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/55fe7f3454d8c91dc3837ba5aa741d4a0e67378f.1618797813.git.tommyhebb@gmail.com Signed-off-by: Sasha Levin commit 450c25b8a4c9c5306928df900c3369123496ad11 Author: Yang Yingliang Date: Wed May 19 21:49:28 2021 +0800 drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write() [ Upstream commit ae41d925c75b53798f289c69ee8d9f7d36432f6d ] After calling clk_prepare_enable(), clk_disable_unprepare() need be called when calling regmap_write() failed. Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20210519134928.2696617-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 01f4245ff75fbce67bcb123fa4fa8d590daadc4f Author: Yang Yingliang Date: Sat May 22 20:02:46 2021 +0800 net: ftgmac100: add missing error return code in ftgmac100_probe() [ Upstream commit 52af13a41489d7bbc1932d17583eff6e5fffc820 ] The variables will be free on path err_phy_connect, it should return error code, or it will cause double free when calling ftgmac100_remove(). Fixes: bd466c3fb5a4 ("net/faraday: Support NCSI mode") Fixes: 39bfab8844a0 ("net: ftgmac100: Add support for DT phy-handle property") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3858b47c94b97720c7949a5be049867655119e48 Author: Jerome Brunet Date: Thu Apr 29 11:03:25 2021 +0200 clk: meson: g12a: fix gp0 and hifi ranges [ Upstream commit bc794f8c56abddf709f1f84fcb2a3c9e7d9cc9b4 ] While some SoC samples are able to lock with a PLL factor of 55, others samples can't. 
ATM, a minimum of 60 appears to work on all the samples I have tried. Even with 60, it sometimes takes a long time for the PLL to eventually lock. The documentation says that the minimum rate of these PLLs DCO should be 3GHz, a factor of 125. Let's use that to be on the safe side. With factor range changed, the PLL seems to lock quickly (enough) so far. It is still unclear if the range was the only reason for the delay. Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") Signed-off-by: Jerome Brunet Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/20210429090325.60970-1-jbrunet@baylibre.com Signed-off-by: Sasha Levin commit 3da37783b0275fe1b34460dfa46601239e0e75c5 Author: Geert Uytterhoeven Date: Fri Apr 30 14:31:01 2021 +0200 pinctrl: renesas: r8a77990: JTAG pins do not have pull-down capabilities [ Upstream commit 702a5fa2fe4d7e7f28fed92a170b540acfff9d34 ] Hence remove the SH_PFC_PIN_CFG_PULL_DOWN flags from their pin descriptions. Fixes: 83f6941a42a5e773 ("pinctrl: sh-pfc: r8a77990: Add bias pinconf support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/da4b2d69955840a506412f1e8099607a0da97ecc.1619785375.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 4e1cb7fedf688d429415139692888b080e7dd156 Author: Geert Uytterhoeven Date: Fri Apr 30 14:31:00 2021 +0200 pinctrl: renesas: r8a7796: Add missing bias for PRESET# pin [ Upstream commit 2cee31cd49733e89dfedf4f68a56839fc2e42040 ] R-Car Gen3 Hardware Manual Errata for Rev. 0.52 of Nov 30, 2016, added the configuration bit for bias pull-down control for the PRESET# pin on R-Car M3-W. Add driver support for controlling pull-down on this pin. 
Fixes: 2d40bd24274d2577 ("pinctrl: sh-pfc: r8a7796: Add bias pinconf support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Niklas Söderlund Link: https://lore.kernel.org/r/c479de5b3f235c2f7d5faea9e7e08e6fccb135df.1619785375.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit b0a3770ead571da3645b09391d71bbda79bfc7a5 Author: Andy Shevchenko Date: Mon May 10 19:39:27 2021 +0300 net: pch_gbe: Propagate error from devm_gpio_request_one() [ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ] If GPIO controller is not available yet we need to defer the probe of GBE until provider will become available. While here, drop GPIOF_EXPORT because it's deprecated and may not be available. Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support") Signed-off-by: Andy Shevchenko Tested-by: Flavio Suligoi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a9a33de4be2e415f947a3eddbffa93061ad59e8e Author: Andy Shevchenko Date: Mon May 10 12:58:05 2021 +0300 net: mvpp2: Put fwnode in error case during ->probe() [ Upstream commit 71f0891c84dfdc448736082ab0a00acd29853896 ] In each iteration fwnode_for_each_available_child_node() bumps a reference counting of a loop variable followed by dropping in on a next iteration, Since in error case the loop is broken, we have to drop a reference count by ourselves. Do it for port_fwnode in error case during ->probe(). Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*") Cc: Marcin Wojtas Signed-off-by: Andy Shevchenko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f9ad0b5ebacc24f382d8d9af86db99078fd8d96b Author: Christophe JAILLET Date: Thu May 6 20:57:05 2021 +0200 video: fbdev: imxfb: Fix an error message [ Upstream commit 767d724a160eb1cd00c86fb8c2e21fa1ab3c37ac ] 'ret' is known to be 0 here. No error code is available, so just remove it from the error message. 
Fixes: 72330b0eeefc ("i.MX Framebuffer: Use readl/writel instead of direct pointer deref") Reviewed-by: Uwe Kleine-König Signed-off-by: Christophe JAILLET Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/d7b25026f82659da3c6f7159eea480faa9d738be.1620327302.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 08a7306e119832057dcb3241178a483326b1f660 Author: Sabrina Dubroca Date: Fri Apr 16 11:27:59 2021 +0200 xfrm: xfrm_state_mtu should return at least 1280 for ipv6 [ Upstream commit b515d2637276a3810d6595e10ab02c13bfd0b63a ] Jianwen reported that IPv6 Interoperability tests are failing in an IPsec case where one of the links between the IPsec peers has an MTU of 1280. The peer generates a packet larger than this MTU, the router replies with a "Packet too big" message indicating an MTU of 1280. When the peer tries to send another large packet, xfrm_state_mtu returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail with EINVAL. We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when IPv6 is used. After going through IPsec, the packet will then be fragmented to obey the actual network's PMTU, just before leaving the host. Currently, TFC padding is capped to PMTU - overhead to avoid fragmentation: after padding and encapsulation, we still fit within the PMTU. That behavior is preserved in this patch. Fixes: 91657eafb64b ("xfrm: take net hdr len into account for esp payload size calculation") Reported-by: Jianwen Ji Signed-off-by: Sabrina Dubroca Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit a87a201989ecbec6a11dab3203ac1599eee0d72b Author: Jan Kara Date: Mon Jun 28 19:35:04 2021 -0700 dax: fix ENOMEM handling in grab_mapping_entry() [ Upstream commit 1a14e3779dd58c16b30e56558146e5cc850ba8b0 ] grab_mapping_entry() has a bug in handling of ENOMEM condition. Suppose we have a PMD entry at index i which we are downgrading to a PTE entry.
grab_mapping_entry() will set pmd_downgrade to true, lock the entry, clear the entry in xarray, and decrement mapping->nrpages. Then it will call:

    entry = dax_make_entry(pfn_to_pfn_t(0), flags);
    dax_lock_entry(xas, entry);

which inserts new PTE entry into xarray. However this may fail allocating the new node. We handle this by:

    if (xas_nomem(xas, mapping_gfp_mask(mapping) & ~__GFP_HIGHMEM))
        goto retry;

however pmd_downgrade stays set to true even though 'entry' returned from get_unlocked_entry() will be NULL now. And we will go again through the downgrade branch. This is mostly harmless except that mapping->nrpages is decremented again and we temporarily have an invalid entry stored in xarray. Fix the problem by setting pmd_downgrade to false each time we lookup the entry we work with so that it matches the entry we found. Link: https://lkml.kernel.org/r/20210622160015.18004-1-jack@suse.cz Fixes: b15cd800682f ("dax: Convert page fault handlers to XArray") Signed-off-by: Jan Kara Reviewed-by: Dan Williams Cc: Matthew Wilcox Cc: "Aneesh Kumar K.V" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6ea84116b3fe69e336d1abede43915789e5291b6 Author: Dan Carpenter Date: Mon Jun 28 19:34:01 2021 -0700 ocfs2: fix snprintf() checking [ Upstream commit 54e948c60cc843b6e84dc44496edc91f51d2a28e ] The snprintf() function returns the number of bytes which would have been printed if the buffer was large enough. In other words it can return ">= remain" but this code assumes it returns "== remain". The run time impact of this bug is not very severe. The next iteration through the loop would trigger a WARN() when we pass a negative limit to snprintf(). We would then return success instead of -E2BIG. The kernel implementation of snprintf() will never return negatives so there is no need to check and I have deleted that dead code.
Link: https://lkml.kernel.org/r/20210511135350.GV1955@kadam Fixes: a860f6eb4c6a ("ocfs2: sysfile interfaces for online file check") Fixes: 74ae4e104dfc ("ocfs2: Create stack glue sysfs files.") Signed-off-by: Dan Carpenter Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 27d02a4d9dab120dcb2faa44c118dccedd5a48c4 Author: Rafael J. Wysocki Date: Tue Jun 22 21:11:39 2021 +0200 cpufreq: Make cpufreq_online() call driver->offline() on errors [ Upstream commit 3b7180573c250eb6e2a7eec54ae91f27472332ea ] In the CPU removal path the ->offline() callback provided by the driver is always invoked before ->exit(), but in the cpufreq_online() error path it is not, so ->exit() is expected to somehow know the context in which it has been called and act accordingly. That is less than straightforward, so make cpufreq_online() invoke the driver's ->offline() callback, if present, on errors before ->exit() too. This only potentially affects intel_pstate. Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs") Signed-off-by: Rafael J. Wysocki Acked-by: Viresh Kumar Signed-off-by: Sasha Levin commit 3c59143b9a1e0f1ad14d6f04a270e5c7a1a8a167 Author: Nathan Chancellor Date: Tue Jun 22 18:38:01 2021 -0700 ACPI: bgrt: Fix CFI violation [ Upstream commit f37ccf8fce155d08ae2a4fb3db677911ced0c21a ] clang's Control Flow Integrity requires that every indirect call has a valid target, which is based on the type of the function pointer. The *_show() functions in this file are written as if they will be called from dev_attr_show(); however, they will be called from sysfs_kf_seq_show() because the files were created by sysfs_create_group() and the sysfs ops are based on kobj_sysfs_ops because of kobject_add_and_create(). 
Because the *_show() functions do not match the type of the show() member in struct kobj_attribute, there is a CFI violation.

    $ cat /sys/firmware/acpi/bgrt/{status,type,version,{x,y}offset}}
    1
    0
    1
    522
    307

    $ dmesg | grep "CFI failure"
    [ 267.761825] CFI failure (target: type_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
    [ 267.762246] CFI failure (target: xoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
    [ 267.762584] CFI failure (target: status_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
    [ 267.762973] CFI failure (target: yoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
    [ 267.763330] CFI failure (target: version_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):

Convert these functions to the type of the show() member in struct kobj_attribute so that there is no more CFI violation. Because these functions are all so similar, combine them into a macro. Fixes: d1ff4b1cdbab ("ACPI: Add support for exposing BGRT data") Link: https://github.com/ClangBuiltLinux/linux/issues/1406 Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 6d79e36c9ecea6cb60a45d7f3ab2b37f0c53b227 Author: Dwaipayan Ray Date: Thu Dec 17 18:15:36 2020 +0530 ACPI: Use DEVICE_ATTR_ macros [ Upstream commit 0f39ee8324e75c9d370e84a61323ceb194641a18 ] Instead of open coding DEVICE_ATTR(), use the DEVICE_ATTR_RW(), DEVICE_ATTR_RO() and DEVICE_ATTR_WO() macros wherever possible. This required a few functions to be renamed but the functionality itself is unchanged. Signed-off-by: Dwaipayan Ray Signed-off-by: Rafael J.
Wysocki Signed-off-by: Sasha Levin commit 7b33b04f85dfb868328609efc71c55a21a5a3cab Author: Zhang Yi Date: Sat Jun 19 17:37:00 2021 +0800 blk-wbt: make sure throttle is enabled properly [ Upstream commit 76a8040817b4b9c69b53f9b326987fa891b4082a ] After commit a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt"), if throttle was disabled by wbt_disable_default(), we could not enable again, fix this by set enable_state back to WBT_STATE_ON_DEFAULT. Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20210619093700.920393-3-yi.zhang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bcf3f42bda3a49021080e6c848e7ffc7b3364aa2 Author: Zhang Yi Date: Sat Jun 19 17:36:59 2021 +0800 blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() [ Upstream commit 1d0903d61e9645c6330b94247b96dd873dfc11c8 ] Now that we disable wbt by simply zero out rwb->wb_normal in wbt_disable_default() when switch elevator to bfq, but it's not safe because it will become false positive if we change queue depth. If it become false positive between wbt_wait() and wbt_track() when submit write request, it will lead to drop rqw->inflight to -1 in wbt_done(), which will end up trigger IO hung. Fix this issue by introduce a new state which mean the wbt was disabled. Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") Signed-off-by: Zhang Yi Link: https://lore.kernel.org/r/20210619093700.920393-2-yi.zhang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 1ad25a64c66f326eb2acb907ed9c16c4e9e31edf Author: Matti Vaittinen Date: Tue Jun 8 13:10:31 2021 +0300 extcon: extcon-max8997: Fix IRQ freeing at error path [ Upstream commit 610bdc04830a864115e6928fc944f1171dfff6f3 ] If reading MAX8997_MUIC_REG_STATUS1 fails at probe the driver exits without freeing the requested IRQs. 
Free the IRQs prior returning if reading the status fails. Fixes: 3e34c8198960 ("extcon: max8997: Avoid forcing UART path on drive probe") Signed-off-by: Matti Vaittinen Reviewed-by: Hans de Goede Acked-by: Chanwoo Choi Link: https://lore.kernel.org/r/27ee4a48ee775c3f8c9d90459c18b6f2b15edc76.1623146580.git.matti.vaittinen@fi.rohmeurope.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 258f5c1a5d3d0fb430504950ae25fe52780c50e3 Author: Krzysztof Wilczyński Date: Thu Jun 3 17:12:01 2021 +0000 ACPI: sysfs: Fix a buffer overrun problem with description_show() [ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ] Currently, a device description can be obtained using ACPI, if the _STR method exists for a particular device, and then exposed to the userspace via a sysfs object as a string value. If the _STR method is available for a given device then the data (usually a Unicode string) is read and stored in a buffer (of the ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the struct acpi_device_pnp for later access. The description_show() function is responsible for exposing the device description to the userspace via a corresponding sysfs object and internally calls the utf16s_to_utf8s() function with a pointer to the buffer that contains the Unicode string so that it can be converted from UTF16 encoding to UTF8 and thus allowing for the value to be safely stored and later displayed. When invoking the utf16s_to_utf8s() function, the description_show() function also sets a limit of the data that can be saved into a provided buffer as a result of the character conversion to be a total of PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns an integer value denoting the number of bytes that have been written into the provided buffer. 
Following the execution of the utf16s_to_utf8s() a newline character will be added at the end of the resulting buffer so that when the value is read in the userspace through the sysfs object then it would include newline making it more accessible when working with the sysfs file system in the shell, etc. Normally, this wouldn't be a problem, but if the function utf16s_to_utf8s() happens to return the number of bytes written to be precisely PAGE_SIZE, then we would overrun the buffer and write the newline character outside the allotted space which can have undefined consequences or result in a failure. To fix this buffer overrun, ensure that there always is enough space left for the newline character to be safely appended. Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bjorn Helgaas Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit dfafa93ae3a747dc79e80c2977ab94dad070846f Author: Herbert Xu Date: Thu Jun 17 15:57:12 2021 +0800 crypto: nx - Fix RCU warning in nx842_OF_upd_status [ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ] The function nx842_OF_upd_status triggers a sparse RCU warning when it directly dereferences the RCU-protected devdata. This appears to be an accident as there was another variable of the same name that was passed in from the caller. After it was removed (because the main purpose of using it, to update the status member was itself removed) the global variable unintentionally stood in as its replacement. This patch restores the devdata parameter.
Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 55f5d771a2923568d339420d2dea977bfa17a14f Author: Mirko Vogt Date: Mon Jun 14 16:45:07 2021 +0200 spi: spi-sun6i: Fix chipselect/clock bug [ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ] The current sun6i SPI implementation initializes the transfer too early, resulting in SCK going high before the transfer. When using an additional (gpio) chipselect with sun6i, the chipselect is asserted at a time when clock is high, making the SPI transfer fail. This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer function, hence, right before the transfer starts, mitigates that problem. Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) Signed-off-by: Mirko Vogt Signed-off-by: Ralf Schlatterbeck Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 97f32c7f3322780684930fb54400637c96c41bb4 Author: Qais Yousef Date: Thu Jun 17 17:51:55 2021 +0100 sched/uclamp: Fix uclamp_tg_restrict() [ Upstream commit 0213b7083e81f4acd69db32cb72eb4e5f220329a ] Now cpu.uclamp.min acts as a protection, we need to make sure that the uclamp request of the task is within the allowed range of the cgroup, that is it is clamp()'ed correctly by tg->uclamp[UCLAMP_MIN] and tg->uclamp[UCLAMP_MAX]. As reported by Xuewen [1] we can have some corner cases where there's inversion between uclamp requested by task (p) and the uclamp values of the taskgroup it's attached to (tg). 
Following table demonstrates 2 corner cases:

               |  p  |  tg  |  effective
    -----------+-----+------+-----------
    CASE 1
    -----------+-----+------+-----------
    uclamp_min | 60% | 0%   |  60%
    -----------+-----+------+-----------
    uclamp_max | 80% | 50%  |  50%
    -----------+-----+------+-----------

    CASE 2
    -----------+-----+------+-----------
    uclamp_min | 0%  | 30%  |  30%
    -----------+-----+------+-----------
    uclamp_max | 20% | 50%  |  20%
    -----------+-----+------+-----------

With this fix we get:

               |  p  |  tg  |  effective
    -----------+-----+------+-----------
    CASE 1
    -----------+-----+------+-----------
    uclamp_min | 60% | 0%   |  50%
    -----------+-----+------+-----------
    uclamp_max | 80% | 50%  |  50%
    -----------+-----+------+-----------

    CASE 2
    -----------+-----+------+-----------
    uclamp_min | 0%  | 30%  |  30%
    -----------+-----+------+-----------
    uclamp_max | 20% | 50%  |  30%
    -----------+-----+------+-----------

Additionally uclamp_update_active_tasks() must now unconditionally update both UCLAMP_MIN/MAX because changing the tg's UCLAMP_MAX for instance could have an impact on the effective UCLAMP_MIN of the tasks.

               |  p  |  tg  |  effective
    -----------+-----+------+-----------
    old
    -----------+-----+------+-----------
    uclamp_min | 60% | 0%   |  50%
    -----------+-----+------+-----------
    uclamp_max | 80% | 50%  |  50%
    -----------+-----+------+-----------

    *new*
    -----------+-----+------+-----------
    uclamp_min | 60% | 0%   | *60%*
    -----------+-----+------+-----------
    uclamp_max | 80% |*70%* | *70%*
    -----------+-----+------+-----------

[1] https://lore.kernel.org/lkml/CAB8ipk_a6VFNjiEnHRHkUMBKbA+qzPQvhtNjJ_YNzQhqV_o8Zw@mail.gmail.com/ Fixes: 0c18f2ecfcc2 ("sched/uclamp: Fix wrong implementation of cpu.uclamp.min") Reported-by: Xuewen Yan Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210617165155.3774110-1-qais.yousef@arm.com Signed-off-by: Sasha Levin commit a3ddf1fb37f9c8768a69de1f5b6d4074d2a7b922 Author: Vincent Donnefort Date: Mon Jun 21 11:37:52 2021 +0100 sched/rt: Fix Deadline utilization tracking during policy change [ Upstream commit d7d607096ae6d378b4e92d49946d22739c047d4c ] DL keeps track of the utilization on a per-rq basis with the structure avg_dl. This utilization is updated during task_tick_dl(), put_prev_task_dl() and set_next_task_dl(). However, when the current running task changes its policy, set_next_task_dl() which would usually take care of updating the utilization when the rq starts running DL tasks, will not see a such change, leaving the avg_dl structure outdated. When that very same task will be dequeued later, put_prev_task_dl() will then update the utilization, based on a wrong last_update_time, leading to a huge spike in the DL utilization signal. The signal would eventually recover from this issue after few ms. Even if no DL tasks are run, avg_dl is also updated in __update_blocked_others(). But as the CPU capacity depends partly on the avg_dl, this issue has nonetheless a significant impact on the scheduler. Fix this issue by ensuring a load update when a running task changes its policy to DL.
Fixes: 3727e0e ("sched/dl: Add dl_rq utilization tracking") Signed-off-by: Vincent Donnefort Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lore.kernel.org/r/1624271872-211872-3-git-send-email-vincent.donnefort@arm.com Signed-off-by: Sasha Levin commit 3fb53be07fc1cf97651f6db8b61a006cedb89214 Author: Vincent Donnefort Date: Mon Jun 21 11:37:51 2021 +0100 sched/rt: Fix RT utilization tracking during policy change [ Upstream commit fecfcbc288e9f4923f40fd23ca78a6acdc7fdf6c ] RT keeps track of the utilization on a per-rq basis with the structure avg_rt. This utilization is updated during task_tick_rt(), put_prev_task_rt() and set_next_task_rt(). However, when the current running task changes its policy, set_next_task_rt() which would usually take care of updating the utilization when the rq starts running RT tasks, will not see a such change, leaving the avg_rt structure outdated. When that very same task will be dequeued later, put_prev_task_rt() will then update the utilization, based on a wrong last_update_time, leading to a huge spike in the RT utilization signal. The signal would eventually recover from this issue after few ms. Even if no RT tasks are run, avg_rt is also updated in __update_blocked_others(). But as the CPU capacity depends partly on the avg_rt, this issue has nonetheless a significant impact on the scheduler. Fix this issue by ensuring a load update when a running task changes its policy to RT. 
Fixes: 371bf427 ("sched/rt: Add rt_rq utilization tracking") Signed-off-by: Vincent Donnefort Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Link: https://lore.kernel.org/r/1624271872-211872-2-git-send-email-vincent.donnefort@arm.com Signed-off-by: Sasha Levin commit fa3f33b20bd9dfc9e13333b6ddd0aa6ad8d85645 Author: David Sterba Date: Tue Jul 7 18:38:05 2020 +0200 btrfs: clear log tree recovering status if starting transaction fails [ Upstream commit 1aeb6b563aea18cd55c73cf666d1d3245a00f08c ] When a log recovery is in progress, lots of operations have to take that into account, so we keep this status per tree during the operation. Long time ago error handling revamp patch 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") removed clearing of the status in an error branch. Add it back as was intended in e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations"). There are probably no visible effects, log replay is done only during mount and if it fails all structures are cleared so the stale status won't be kept. Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") Reviewed-by: Qu Wenruo Reviewed-by: Anand Jain Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit a0876d9dc1c1e0268ae0b2914470491c6d76e3a7 Author: Axel Lin Date: Sun Jun 20 21:27:15 2021 +0800 regulator: hi655x: Fix pass wrong pointer to config.driver_data [ Upstream commit 61eb1b24f9e4f4e0725aa5f8164a932c933f3339 ] Current code sets config.driver_data to a zero initialized regulator which is obviously wrong. Fix it. 
Fixes: 4618119b9be5 ("regulator: hi655x: enable regulator for hi655x PMIC")
Signed-off-by: Axel Lin
Link: https://lore.kernel.org/r/20210620132715.60215-1-axel.lin@ingics.com
Signed-off-by: Mark Brown
Signed-off-by: Sasha Levin

commit 032fd28ed5594f05a8364cde2d107eb1b1d6ec75
Author: Sean Christopherson
Date:   Wed Jun 9 16:42:22 2021 -0700

KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap

[ Upstream commit 0e75225dfa4c5d5d51291f54a3d2d5895bad38da ]

Use BIT_ULL() instead of an open-coded shift to check whether or not a function is enabled in L1's VMFUNC bitmap. This is a benign bug as KVM supports only bit 0, and will fail VM-Enter if any other bits are set, i.e. bits 63:32 are guaranteed to be zero.

Note, "function" is bounded by hardware as VMFUNC will #UD before taking a VM-Exit if the function is greater than 63.

Before:

    if ((vmcs12->vm_function_control & (1 << function)) == 0)
    0x000000000001a916 <+118>: mov $0x1,%eax
    0x000000000001a91b <+123>: shl %cl,%eax
    0x000000000001a91d <+125>: cltq
    0x000000000001a91f <+127>: and 0x128(%rbx),%rax

After:

    if (!(vmcs12->vm_function_control & BIT_ULL(function & 63)))
    0x000000000001a955 <+117>: mov 0x128(%rbx),%rdx
    0x000000000001a95c <+124>: bt %rax,%rdx

Fixes: 27c42a1bb867 ("KVM: nVMX: Enable VMFUNC for the L1 hypervisor")
Signed-off-by: Sean Christopherson
Message-Id: <20210609234235.1244004-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Sasha Levin

commit a90a2466dde5e38d37f479725dd2d660ff1a4110
Author: Guenter Roeck
Date:   Wed May 26 08:40:16 2021 -0700

hwmon: (max31790) Fix fan speed reporting for fan7..12

[ Upstream commit cbbf244f0515af3472084f22b6213121b4a63835 ]

Fans 7..12 do not have their own set of configuration registers. So far the code ignored that and read beyond the end of the configuration register range to get the tachometer period. This resulted in more or less random fan speed values for those fans.
The datasheet is quite vague when it comes to defining the tachometer period for fans 7..12. Experiments confirm that the period is the same for both fans associated with a given set of configuration registers.

Fixes: 54187ff9d766 ("hwmon: (max31790) Convert to use new hwmon registration API")
Fixes: 195a4b4298a7 ("hwmon: Driver for Maxim MAX31790")
Cc: Jan Kundrát
Reviewed-by: Jan Kundrát
Cc: Václav Kubernát
Reviewed-by: Jan Kundrát
Signed-off-by: Guenter Roeck
Link: https://lore.kernel.org/r/20210526154022.3223012-2-linux@roeck-us.net
Signed-off-by: Sasha Levin

commit 93110513bcfd18487065695490324eac2700c791
Author: Guenter Roeck
Date:   Sat May 8 09:50:25 2021 -0700

hwmon: (max31722) Remove non-standard ACPI device IDs

[ Upstream commit 97387c2f06bcfd79d04a848d35517b32ee6dca7c ]

Valid Maxim Integrated ACPI device IDs would start with MXIM, not with MAX1. On top of that, ACPI device IDs reflecting chip names are almost always invalid.

Remove the invalid ACPI IDs.

Fixes: 04e1e70afec6 ("hwmon: (max31722) Add support for MAX31722/MAX31723 temperature sensors")
Signed-off-by: Guenter Roeck
Signed-off-by: Sasha Levin

commit b585f9ef6a51487963ed7ec6fa19fc757d948bcc
Author: Dillon Min
Date:   Wed May 26 17:18:32 2021 +0200

media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx

[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ]

The m2m_ctx resources allocated by v4l2_m2m_ctx_init() in g2d_open() should be freed from g2d_release() when they are not used.
Fix it

Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family")
Signed-off-by: Dillon Min
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 3bf0509d25e03bcaeecb0a3dfe26e09eab91dde1
Author: Anshuman Khandual
Date:   Tue Jun 15 15:02:58 2021 +0530

arm64/mm: Fix ttbr0 values stored in struct thread_info for software-pan

[ Upstream commit 9163f01130304fab1f74683d7d44632da7bda637 ]

When using CONFIG_ARM64_SW_TTBR0_PAN, a task's thread_info::ttbr0 must be the TTBR0_EL1 value used to run userspace. With 52-bit PAs, the PA must be packed into the TTBR using phys_to_ttbr(), but we forget to do this in some of the SW PAN code. Thus, if the value is installed into TTBR0_EL1 (as may happen in the uaccess routines), this could result in UNPREDICTABLE behaviour.

Since hardware with 52-bit PA support almost certainly has HW PAN, which will be used in preference, this shouldn't be a practical issue, but let's fix this for consistency.

Cc: Catalin Marinas
Cc: Will Deacon
Cc: Mark Rutland
Cc: James Morse
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Fixes: 529c4b05a3cb ("arm64: handle 52-bit addresses in TTBR")
Signed-off-by: Anshuman Khandual
Reviewed-by: Catalin Marinas
Link: https://lore.kernel.org/r/1623749578-11231-1-git-send-email-anshuman.khandual@arm.com
Signed-off-by: Will Deacon
Signed-off-by: Sasha Levin

commit 8e6bcc566400170162d4765b0056e80df2a753bc
Author: Mark Rutland
Date:   Tue Nov 3 10:22:29 2020 +0000

arm64: consistently use reserved_pg_dir

[ Upstream commit 833be850f1cabd0e3b5337c0fcab20a6e936dd48 ]

Depending on configuration options and specific code paths, we either use the empty_zero_page or the configuration-dependent reserved_ttbr0 as a reserved value for TTBR{0,1}_EL1.

To simplify this code, let's always allocate and use the same reserved_pg_dir, replacing reserved_ttbr0.
Note that this is allocated (and hence pre-zeroed), and is also marked as read-only in the kernel Image mapping.

Keeping this separate from the empty_zero_page potentially helps with robustness as the empty_zero_page is used in a number of cases where a failure to map it read-only could allow it to become corrupted.

The (presently unused) swapper_pg_end symbol is also removed, and comments are added wherever we rely on the offsets between the pre-allocated pg_dirs to keep these cases easily identifiable.

Signed-off-by: Mark Rutland
Cc: Will Deacon
Link: https://lore.kernel.org/r/20201103102229.8542-1-mark.rutland@arm.com
Signed-off-by: Catalin Marinas
Signed-off-by: Sasha Levin

commit ccbcdcd4af98055abc888972fcbcc0ce14c2522c
Author: Zhen Lei
Date:   Sat May 8 10:03:21 2021 +0800

mmc: usdhi6rol0: fix error return code in usdhi6_probe()

[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ]

Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.

Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller")
Reported-by: Hulk Robot
Signed-off-by: Zhen Lei
Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com
Signed-off-by: Ulf Hansson
Signed-off-by: Sasha Levin

commit c5d2f917a8f13ce79f5221159cb7b190ae2206fb
Author: Zhang Qilong
Date:   Tue Jun 1 22:51:18 2021 +0800

crypto: omap-sham - Fix PM reference leak in omap sham ops

[ Upstream commit ca323b2c61ec321eb9f2179a405b9c34cdb4f553 ]

pm_runtime_get_sync will increment pm usage counter even if it failed. Forgetting the putting operation will result in a reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced.
Fixes: 604c31039dae4 ("crypto: omap-sham - Check for return value from pm_runtime_get_sync")
Signed-off-by: Zhang Qilong
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin

commit b205574dc682bfb70c7e70f0d2ca08fa9bb7ce1f
Author: Tong Tiangen
Date:   Tue Jun 1 18:01:55 2021 +0800

crypto: nitrox - fix unchecked variable in nitrox_register_interrupts

[ Upstream commit 57c126661f50b884d3812e7db6e00f2e778eccfb ]

Function nitrox_register_interrupts leaves variable 'nr_vecs' unchecked, which would be used as kcalloc parameter later.

Fixes: 5155e118dda9 ("crypto: cavium/nitrox - use pci_alloc_irq_vectors() while enabling MSI-X.")
Signed-off-by: Tong Tiangen
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin

commit d93cbb6e5fe5634419cdfbbfd1122dc05663eaff
Author: Gustavo A. R. Silva
Date:   Wed Mar 10 19:40:43 2021 -0600

media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()

[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ]

Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of its msg_data array from 4 to 5 elements. Notice that at some point the 5th element of msg_data is being accessed in function smscore_load_firmware_family2():

    1006         trigger_msg->msg_data[4] = 4; /* Task ID */

Also, there is no need for the object _trigger_msg_ of type struct sms_msg_data *, when _msg_ can be used, directly.
Notice that msg_data in struct sms_msg_data is a one-element array, which causes multiple out-of-bounds warnings when accessing beyond its first element in function smscore_load_firmware_family2():

     992         struct sms_msg_data *trigger_msg =
     993                 (struct sms_msg_data *) msg;
     994
     995         pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
     996         SMS_INIT_MSG(&msg->x_msg_header,
     997                         MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
     998                         sizeof(struct sms_msg_hdr) +
     999                         sizeof(u32) * 5);
    1000
    1001         trigger_msg->msg_data[0] = firmware->start_address;
    1002                                         /* Entry point */
    1003         trigger_msg->msg_data[1] = 6; /* Priority */
    1004         trigger_msg->msg_data[2] = 0x200; /* Stack size */
    1005         trigger_msg->msg_data[3] = 0; /* Parameter */
    1006         trigger_msg->msg_data[4] = 4; /* Task ID */

even when enough dynamic memory is allocated for _msg_:

     929         /* PAGE_SIZE buffer shall be enough and dma aligned */
     930         msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags);

but as _msg_ is cast to (struct sms_msg_data *):

     992         struct sms_msg_data *trigger_msg =
     993                 (struct sms_msg_data *) msg;

the out-of-bounds warnings are actually valid and should be addressed.

Fix this by declaring object _msg_ of type struct sms_msg_data5 *, which contains a 5-element array, instead of just 4. And use _msg_ directly, instead of creating object trigger_msg.

This helps with the ongoing efforts to enable -Warray-bounds by fixing the following warnings:

      CC [M] drivers/media/common/siano/smscoreapi.o
    drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’:
    drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
     1003 |   trigger_msg->msg_data[1] = 6; /* Priority */
          |   ~~~~~~~~~~~~~~~~~~~~~^~~
    In file included from drivers/media/common/siano/smscoreapi.c:12:
    drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
      619 |  u32 msg_data[1];
          |      ^~~~~~~~
    drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
     1004 |   trigger_msg->msg_data[2] = 0x200; /* Stack size */
          |   ~~~~~~~~~~~~~~~~~~~~~^~~
    In file included from drivers/media/common/siano/smscoreapi.c:12:
    drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
      619 |  u32 msg_data[1];
          |      ^~~~~~~~
    drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
     1005 |   trigger_msg->msg_data[3] = 0; /* Parameter */
          |   ~~~~~~~~~~~~~~~~~~~~~^~~
    In file included from drivers/media/common/siano/smscoreapi.c:12:
    drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
      619 |  u32 msg_data[1];
          |      ^~~~~~~~
    drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
     1006 |   trigger_msg->msg_data[4] = 4; /* Task ID */
          |   ~~~~~~~~~~~~~~~~~~~~~^~~
    In file included from drivers/media/common/siano/smscoreapi.c:12:
    drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
      619 |  u32 msg_data[1];
          |      ^~~~~~~~

Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares")
Co-developed-by: Kees Cook
Signed-off-by: Kees Cook
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Sasha Levin

commit 6e8ba90bef7c4aff9492f765818c88755a68f2b8
Author: Randy Dunlap
Date:   Wed May 26 17:12:51 2021 -0700

m68k: atari: Fix ATARI_KBD_CORE kconfig unmet dependency warning

[ Upstream commit c1367ee016e3550745315fb9a2dd1e4ce02cdcf6 ]

Since the code for ATARI_KBD_CORE does not use drivers/input/keyboard/ code, just move ATARI_KBD_CORE to arch/m68k/Kconfig.machine to remove the dependency on INPUT_KEYBOARD.

Removes this kconfig warning:

    WARNING: unmet direct dependencies detected for ATARI_KBD_CORE
      Depends on [n]: !UML && INPUT [=y] && INPUT_KEYBOARD [=n]
      Selected by [y]:
      - MOUSE_ATARI [=y] && !UML && INPUT [=y] && INPUT_MOUSE [=y] && ATARI [=y]

Fixes: c04cb856e20a ("m68k: Atari keyboard and mouse support.")
Signed-off-by: Randy Dunlap
Suggested-by: Geert Uytterhoeven
Suggested-by: Michael Schmitz
Acked-by: Dmitry Torokhov
Link: https://lore.kernel.org/r/20210527001251.8529-1-rdunlap@infradead.org
Signed-off-by: Geert Uytterhoeven
Signed-off-by: Sasha Levin

commit e1665624bf9d7f5771d39b5b097f2d5679b5a088
Author: Johan Hovold
Date:   Mon May 24 13:09:18 2021 +0200

media: gspca/gl860: fix zero-length control requests

[ Upstream commit 8ed339f23d41e21660a389adf2e7b2966d457ff6 ]

The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation.

Control transfers without a data stage are treated as OUT requests by the USB stack and should be using usb_sndctrlpipe(). Failing to do so will now trigger a warning.

Fix the gl860_RTx() helper so that zero-length control reads fail with an error message instead. Note that there are no current callers that would trigger this.
Fixes: 4f7cb8837cec ("V4L/DVB (12954): gspca - gl860: Addition of GL860 based webcams")
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit ffc483de3ecb4a0b509e51fe70736ca868af3e6b
Author: Zhen Lei
Date:   Sat May 15 08:58:30 2021 +0200

media: tc358743: Fix error return code in tc358743_probe_of()

[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ]

When the CSI bps per lane is not in the valid range, an appropriate error code -EINVAL should be returned. However, we currently do not explicitly assign this error code to 'ret'. As a result, 0 was incorrectly returned.

Fixes: 256148246852 ("[media] tc358743: support probe from device tree")
Reported-by: Hulk Robot
Signed-off-by: Zhen Lei
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 2bca3c0a95fe3a27c40a233f0fdf32f0dd0e5835
Author: Dan Carpenter
Date:   Fri May 14 16:20:38 2021 +0200

media: au0828: fix a NULL vs IS_ERR() check

[ Upstream commit 8f2e452730d2bcd59fe05246f0e19a4c52e0012d ]

The media_device_usb_allocate() function returns error pointers when it's enabled and something goes wrong. It can return NULL as well, but only if CONFIG_MEDIA_CONTROLLER is disabled so that doesn't apply here.

Fixes: 812658d88d26 ("media: change au0828 to use Media Device Allocator API")
Signed-off-by: Dan Carpenter
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit c04d6687e43e85c6cfeb737a36d567b60b9dc74b
Author: Lv Yunlong
Date:   Sun May 9 10:12:31 2021 +0200

media: exynos4-is: Fix a use after free in isp_video_release

[ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ]

In isp_video_release, file->private_data is freed via _vb2_fop_release()->v4l2_fh_release(). But the freed file->private_data is still used in v4l2_fh_is_singular_file() ->v4l2_fh_is_singular(file->private_data), which is a use after free bug.
My patch uses a variable 'is_singular_file' to avoid the uaf.

v3: https://lore.kernel.org/patchwork/patch/1419058/

Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
Signed-off-by: Lv Yunlong
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 6c987e7385e10cffe1c0f16977d8de31697834bd
Author: Sergey Shtylyov
Date:   Sat Mar 20 23:32:38 2021 +0300

pata_ep93xx: fix deferred probing

[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ]

The driver overrides the error codes returned by platform_get_irq() to -ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe permanently instead of the deferred probing. Propagate the error code upstream, as it should have been done from the start...

Fixes: 2fff27512600 ("PATA host controller driver for ep93xx")
Signed-off-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin

commit 3eec64b5967ec2ac19ace9d49932e026fce02515
Author: Christophe JAILLET
Date:   Thu May 6 07:38:56 2021 +0200

media: rc: i2c: Fix an error message

[ Upstream commit 9c87ae1a0dbeb5794957421157fd266d38a869b4 ]

'ret' is known to be 1 here. In fact 'i' is expected instead. Store the return value of 'i2c_master_recv()' in 'ret' so that the error message prints the correct error code.

Fixes: acaa34bf06e9 ("media: rc: implement zilog transmitter")
Signed-off-by: Christophe JAILLET
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 6ee810a55965e348a4c23549e096261584059885
Author: Christophe JAILLET
Date:   Sun May 16 08:58:04 2021 +0200

crypto: ccp - Fix a resource leak in an error handling path

[ Upstream commit a6f8e68e238a15bb15f1726b35c695136c64eaba ]

If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be called as already done in the error handling path.
Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration")
Signed-off-by: Christophe JAILLET
Acked-by: John Allen
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin

commit 4020615bd733c491a51e00b1e5292bfea3184877
Author: Mimi Zohar
Date:   Mon Apr 26 18:13:45 2021 -0400

evm: fix writing /evm overflow

[ Upstream commit 49219d9b8785ba712575c40e48ce0f7461254626 ]

EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX. The "-fno-strict-overflow" compiler option properly prevents signaling EVM that the EVM policy setup is complete. Define and read an unsigned int.

Fixes: f00d79750712 ("EVM: Allow userspace to signal an RSA key has been loaded")
Signed-off-by: Mimi Zohar
Signed-off-by: Sasha Levin

commit 550cf816bb114694e9a184c14b03143853f4a1f5
Author: Sergey Shtylyov
Date:   Tue May 18 23:38:54 2021 +0300

pata_octeon_cf: avoid WARN_ON() in ata_host_activate()

[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ]

Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler' parameter being non-NULL if the polling mode is selected. Let's only set the pointer to the driver's IRQ handler if platform_get_irq() returns a valid IRQ # -- this should avoid the unnecessary WARN_ON()...

Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
Signed-off-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin

commit 8454cfe408413489635e5fd91bffb3998919f211
Author: Josh Poimboeuf
Date:   Tue May 18 18:59:15 2021 -0500

kbuild: Fix objtool dependency for 'OBJECT_FILES_NON_STANDARD_ := n'

[ Upstream commit 8852c552402979508fdc395ae07aa8761aa46045 ]

"OBJECT_FILES_NON_STANDARD_vma.o := n" has a dependency bug. When objtool source is updated, the affected object doesn't get re-analyzed by objtool.
Peter's new variable-sized jump label feature relies on objtool rewriting the object file. Otherwise the system can fail to boot. That effectively upgrades this minor dependency issue to a major bug.

The problem is that variables in prerequisites are expanded early, during the read-in phase. The '$(objtool_dep)' variable indirectly uses '$@', which isn't yet available when the target prerequisites are evaluated.

Use '.SECONDEXPANSION:' which causes '$(objtool_dep)' to be expanded in a later phase, after the target-specific '$@' variable has been defined.

Fixes: b9ab5ebb14ec ("objtool: Add CONFIG_STACK_VALIDATION option")
Fixes: ab3257042c26 ("jump_label, x86: Allow short NOPs")
Reported-by: Matthew Wilcox
Signed-off-by: Josh Poimboeuf
Signed-off-by: Sasha Levin

commit dcc9f1253ddd3e54343e272f20855abd3edff235
Author: Luc Van Oostenryck
Date:   Mon Jun 22 17:45:12 2020 +0200

kbuild: run the checker after the compiler

[ Upstream commit 0c33f125732d0d33392ba6774d85469d565d3496 ]

Since the pre-git time the checker is run first, before the compiler. But if the source file contains some syntax error, the warnings from the compiler are more useful than those from sparse (and other checker most probably too).

So move the 'check' command to run after the compiler.

Signed-off-by: Luc Van Oostenryck
Signed-off-by: Masahiro Yamada
Signed-off-by: Sasha Levin

commit 8e5ffc103928414faed08e63ebbd61f1264cbc9b
Author: Qais Yousef
Date:   Mon May 10 15:50:32 2021 +0100

sched/uclamp: Fix locking around cpu_util_update_eff()

[ Upstream commit 93b73858701fd01de26a4a874eb95f9b7156fd4b ]

cpu_cgroup_css_online() calls cpu_util_update_eff() without holding the uclamp_mutex or rcu_read_lock() like other call sites, which is a mistake.

The uclamp_mutex is required to protect against concurrent reads and writes that could update the cgroup hierarchy.

The rcu_read_lock() is required to traverse the cgroup data structures in cpu_util_update_eff().
Surround the caller with the required locks and add some asserts to better document the dependency in cpu_util_update_eff().

Fixes: 7226017ad37a ("sched/uclamp: Fix a bug in propagating uclamp value in new cgroups")
Reported-by: Quentin Perret
Signed-off-by: Qais Yousef
Signed-off-by: Peter Zijlstra (Intel)
Link: https://lkml.kernel.org/r/20210510145032.1934078-3-qais.yousef@arm.com
Signed-off-by: Sasha Levin

commit 0b199ce65bc34df1219f2d3f0ad7d25ee0be3732
Author: Qais Yousef
Date:   Mon May 10 15:50:31 2021 +0100

sched/uclamp: Fix wrong implementation of cpu.uclamp.min

[ Upstream commit 0c18f2ecfcc274a4bcc1d122f79ebd4001c3b445 ]

cpu.uclamp.min is a protection as described in cgroup-v2 Resource Distribution Model

    Documentation/admin-guide/cgroup-v2.rst

which means we try our best to preserve the minimum performance point of tasks in this group. See full description of cpu.uclamp.min in the cgroup-v2.rst.

But the current implementation makes it a limit, which is not what was intended.

For example:

    tg->cpu.uclamp.min = 20%

    p0->uclamp[UCLAMP_MIN] = 0
    p1->uclamp[UCLAMP_MIN] = 50%

    Previous Behavior (limit):

        p0->effective_uclamp = 0
        p1->effective_uclamp = 20%

    New Behavior (Protection):

        p0->effective_uclamp = 20%
        p1->effective_uclamp = 50%

Which is in line with how protections should work.

With this change the cgroup and per-task behaviors are the same, as expected.

Additionally, we remove the confusing relationship between cgroup and !user_defined flag.

We don't want for example RT tasks that are boosted by default to max to change their boost value when they attach to a cgroup. If a cgroup wants to limit the max performance point of tasks attached to it, then cpu.uclamp.max must be set accordingly.

Or if they want to set different boost value based on cgroup, then sysctl_sched_util_clamp_min_rt_default must be used to NOT boost to max and set the right cpu.uclamp.min for each group to let the RT tasks obtain the desired boost value when attached to that group.
As it stands the dependency on !user_defined flag adds an extra layer of complexity that is not required now cpu.uclamp.min behaves properly as a protection.

The propagation model of effective cpu.uclamp.min in child cgroups as implemented by cpu_util_update_eff() is still correct. The parent protection sets an upper limit of what the child cgroups will effectively get.

Fixes: 3eac870a3247 (sched/uclamp: Use TG's clamps to restrict TASK's clamps)
Signed-off-by: Qais Yousef
Signed-off-by: Peter Zijlstra (Intel)
Link: https://lkml.kernel.org/r/20210510145032.1934078-2-qais.yousef@arm.com
Signed-off-by: Sasha Levin

commit 127035b4595d7288d351986424901f8a885bca3a
Author: Randy Dunlap
Date:   Fri Apr 30 22:19:55 2021 +0200

media: I2C: change 'RST' to "RSET" to fix multiple build errors

[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ]

The use of an enum named 'RST' conflicts with a #define macro named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h.

The MIPS use of RST was there first (AFAICT), so change the media/i2c/ uses of RST to be named 'RSET'. 'git grep -w RSET' does not report any naming conflicts with the new name.

This fixes multiple build errors:

    arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
       15 | #define RST  (1 << 15)
          |              ^
    drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST'
      356 |  RST,
          |  ^~~

    ../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
       15 | #define RST  (1 << 15)
          |              ^
    ../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST'
      180 |  RST,
          |  ^~~

    ../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
       15 | #define RST  (1 << 15)
          |              ^
    ../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST'
      238 |  RST,
          |  ^~~

and some others that I have trimmed.
Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver")
Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")
Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor")
Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor")
Signed-off-by: Randy Dunlap
Reported-by: kernel test robot
Cc: Shawn Guo
Cc: Sascha Hauer
Cc: Pengutronix Kernel Team
Cc: Fabio Estevam
Cc: NXP Linux Team
Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
Cc: Andrzej Hajda
Cc: Sylwester Nawrocki
Cc: Sangwook Lee
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 2eccf5160002fb550936801ce04785ac7a361859
Author: Sergey Shtylyov
Date:   Mon Mar 15 14:46:53 2021 +0300

pata_rb532_cf: fix deferred probing

[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ]

The driver overrides the error codes returned by platform_get_irq() to -ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe permanently instead of the deferred probing. Switch to propagating the error code upstream, still checking/overriding IRQ0 as libata regards it as "no IRQ" (thus polling) anyway...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin

commit 3b0dfab928772c91dc03b7cc144e1dfbe919be80
Author: Sergey Shtylyov
Date:   Sun Mar 14 23:34:27 2021 +0300

sata_highbank: fix deferred probing

[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ]

The driver overrides the error codes returned by platform_get_irq() to -EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe permanently instead of the deferred probing. Switch to propagating the error code upstream, still checking/overriding IRQ0 as libata regards it as "no IRQ" (thus polling) anyway...
Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin

commit faeee7a8f684213f66568953e16ac2b136941478
Author: Zhen Lei
Date:   Sat May 8 15:00:49 2021 +0800

crypto: ux500 - Fix error return code in hash_hw_final()

[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ]

Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.

Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware")
Reported-by: Hulk Robot
Signed-off-by: Zhen Lei
Reviewed-by: Linus Walleij
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin

commit a1fa855e770e4c65ce3bc66c204169ec6222b359
Author: Corentin Labbe
Date:   Wed May 5 20:26:08 2021 +0000

crypto: ixp4xx - dma_unmap the correct address

[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ]

Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG led to the following error:

    DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes]

This is due to dma_unmap using the wrong address.

Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers")
Signed-off-by: Corentin Labbe
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin

commit 0c5d94f29775163394037e2efc855088466fd4a1
Author: Mauro Carvalho Chehab
Date:   Wed Apr 28 09:38:56 2021 +0200

media: s5p_cec: decrement usage count if disabled

[ Upstream commit 747bad54a677d8633ec14b39dfbeb859c821d7f2 ]

There's a bug at s5p_cec_adap_enable(): if called to disable the device, it should call pm_runtime_put() instead of pm_runtime_disable(), as the goal here is to decrement the usage_count and not to disable PM runtime.
Reported-by: Sylwester Nawrocki
Reviewed-by: Jonathan Cameron
Fixes: 1bcbf6f4b6b0 ("[media] cec: s5p-cec: Add s5p-cec driver")
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin

commit 80af2c9ee1d67e9e660af1c9f6dd93b9606c6d75
Author: Roman Gushchin
Date:   Mon Jun 28 19:35:47 2021 -0700

writeback, cgroup: increment isw_nr_in_flight before grabbing an inode

[ Upstream commit 8826ee4fe75051f8cbfa5d4a9aa70565938e724c ]

isw_nr_in_flight is used to determine whether the inode switch queue should be flushed from the umount path. Currently it's increased after grabbing an inode and even scheduling the switch work. It means the umount path can walk past cleanup_offline_cgwb() with active inode references, which can result in a "Busy inodes after unmount." message and use-after-free issues (with inode->i_sb which gets freed).

Fix it by incrementing isw_nr_in_flight before doing anything with the inode and decrementing in the case when switching wasn't scheduled.

The problem hasn't yet been seen in real life and was discovered by Jan Kara by looking into the code.
Link: https://lkml.kernel.org/r/20210608230225.2078447-4-guro@fb.com
Signed-off-by: Roman Gushchin
Suggested-by: Jan Kara
Reviewed-by: Jan Kara
Cc: Alexander Viro
Cc: Dave Chinner
Cc: Dennis Zhou
Cc: Tejun Heo
Cc: Jens Axboe
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit 51fd1f683671b2079f9614e43f830a46111369e0
Author: Arnd Bergmann
Date:   Mon Jun 28 19:33:41 2021 -0700

ia64: mca_drv: fix incorrect array size calculation

[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ]

gcc points out a mistake in the mca driver that goes back to before the git history:

    arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools':
    arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element type is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div]
      346 |         for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
          |                                                      ^

This is the same as sizeof(size_t), which is two shorter than the actual array. Use the ARRAY_SIZE() macro to get the correct calculation instead.

Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org
Signed-off-by: Arnd Bergmann
Cc: Masahiro Yamada
Cc: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit a3aab894d971cbae033b88668a4d5f07f832f1f5
Author: Petr Mladek
Date:   Mon Jun 28 19:33:35 2021 -0700

kthread_worker: fix return value when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync()

[ Upstream commit d71ba1649fa3c464c51ec7163e4b817345bff2c7 ]

kthread_mod_delayed_work() might race with kthread_cancel_delayed_work_sync() or another kthread_mod_delayed_work() call. The function lets the other operation win when it sees work->canceling counter set. And it returns @false.

But it should return @true as it is done by the related workqueue API, see mod_delayed_work_on().
The reason is that the return value might be used for reference counting. It has to distinguish the case when the number of queued works has changed or stayed the same.

The change is safe. kthread_mod_delayed_work() return value is not checked anywhere at the moment.

Link: https://lore.kernel.org/r/20210521163526.GA17916@redhat.com
Link: https://lkml.kernel.org/r/20210610133051.15337-4-pmladek@suse.com
Signed-off-by: Petr Mladek
Reported-by: Oleg Nesterov
Cc: Nathan Chancellor
Cc: Nick Desaulniers
Cc: Tejun Heo
Cc: Minchan Kim
Cc:
Cc: Martin Liu
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

commit 05bc31902755f9a916f060257eb760d39cfd6ba7
Author: Ming Lei
Date:   Mon Jun 28 10:33:12 2021 +0800

block: fix discard request merge

[ Upstream commit 2705dfb2094777e405e065105e307074af8965c1 ]

ll_new_hw_segment() is reached only in case of single range discard merge, and we don't have max discard segment size limit actually, so it is wrong to run the following check:

    if (req->nr_phys_segments + nr_phys_segs > blk_rq_get_max_segments(req))

it may be always false since req->nr_phys_segments is initialized as one, and bio's segment count is still 1, blk_rq_get_max_segments(reg) is 1 too.

Fix the issue by not doing the check and bypassing the calculation of discard request's nr_phys_segments.

Based on analysis from Wang Shanker.

Cc: Christoph Hellwig
Reported-by: Wang Shanker
Signed-off-by: Ming Lei
Link: https://lore.kernel.org/r/20210628023312.1903255-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin

commit 8978dd2518985bf0cc14ab8b0a7883f9da58425e
Author: Steve French
Date:   Thu Jun 24 15:28:04 2021 -0500

cifs: fix missing spinlock around update to ses->status

[ Upstream commit 0060a4f28a9ef45ae8163c0805e944a2b1546762 ]

In the other places where we update ses->status we protect the updates via GlobalMid_Lock. So to be consistent add the same locking around it in cifs_put_smb_ses where it was missing.
Addresses-Coverity: 1268904 ("Data race condition") Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 4061697e2f173ac93aaeea8c3bd2b85523d524ad Author: Jason Gerecke Date: Wed Jun 23 09:58:09 2021 -0700 HID: wacom: Correct base usage for capacitive ExpressKey status bits [ Upstream commit 424d8237945c6c448c8b3f23885d464fb5685c97 ] The capacitive status of ExpressKeys is reported with usages beginning at 0x940, not 0x950. Bring our driver into alignment with reality. Signed-off-by: Jason Gerecke Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 888469c5fa959cd1e11a249ad1b812b3d071d9b6 Author: Richard Fitzgerald Date: Mon Jun 21 16:24:33 2021 +0100 ACPI: tables: Add custom DSDT file as makefile prerequisite [ Upstream commit d1059c1b1146870c52f3dac12cb7b6cbf39ed27f ] A custom DSDT file is mostly used during development or debugging, and in that case it is quite likely to want to rebuild the kernel after changing ONLY the content of the DSDT. This patch adds the custom DSDT as a prerequisite to tables.o to ensure a rebuild if the DSDT file is updated. Make will merge the prerequisites from multiple rules for the same target. Signed-off-by: Richard Fitzgerald Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit dba9cda5aa9969a93d068cbea7a7668233a14882 Author: Paul E. McKenney Date: Thu May 27 12:01:19 2021 -0700 clocksource: Retry clock read if long delays detected [ Upstream commit db3a34e17433de2390eb80d436970edcebd0ca3e ] When the clocksource watchdog marks a clock as unstable, this might be due to that clock being unstable or it might be due to delays that happen to occur between the reads of the two clocks. Yes, interrupts are disabled across those two reads, but there are no shortage of things that can delay interrupts-disabled regions of code ranging from SMI handlers to vCPU preemption. It would be good to have some indication as to why the clock was marked unstable. 
Therefore, re-read the watchdog clock on either side of the read from the clock under test. If the watchdog clock shows an excessive time delta between its pair of reads, the reads are retried. The maximum number of retries is specified by a new kernel boot parameter clocksource.max_cswd_read_retries, which defaults to three, that is, up to four reads, one initial and up to three retries. If more than one retry was required, a message is printed on the console (the occasional single retry is expected behavior, especially in guest OSes). If the maximum number of retries is exceeded, the clock under test will be marked unstable. However, the probability of this happening due to various sorts of delays is quite small. In addition, the reason (clock-read delays) for the unstable marking will be apparent. Reported-by: Chris Mason Signed-off-by: Paul E. McKenney Signed-off-by: Thomas Gleixner Acked-by: Feng Tang Link: https://lore.kernel.org/r/20210527190124.440372-1-paulmck@kernel.org Signed-off-by: Sasha Levin commit 0aebb12a574d41d5c2e186daefe89c290ee7cfcb Author: Haiyang Zhang Date: Tue May 25 16:17:33 2021 -0700 PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv() [ Upstream commit 7d815f4afa87f2032b650ae1bba7534b550a6b8b ] Add check for hv_is_hyperv_initialized() at the top of init_hv_pci_drv(), so if the pci-hyperv driver is force-loaded on non Hyper-V platforms, the init_hv_pci_drv() will exit immediately, without any side effects, like assignments to hvpci_block_ops, etc. 
Signed-off-by: Haiyang Zhang Reported-and-tested-by: Mohammad Alqayeem Reviewed-by: Wei Liu Link: https://lore.kernel.org/r/1621984653-1210-1-git-send-email-haiyangz@microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit f53f229255d6f382e7942466f8f2da366a2173cb Author: Tony Luck Date: Tue Jun 15 10:44:19 2021 -0700 EDAC/Intel: Do not load EDAC driver when running as a guest [ Upstream commit f0a029fff4a50eb01648810a77ba1873e829fdd4 ] There's little to no point in loading an EDAC driver running in a guest: 1) The CPU model reported by CPUID may not represent actual h/w 2) The hypervisor likely does not pass in access to memory controller devices 3) Hypervisors generally do not pass corrected error details to guests Add a check in each of the Intel EDAC drivers for X86_FEATURE_HYPERVISOR and simply return -ENODEV in the init routine. Acked-by: Borislav Petkov Signed-off-by: Tony Luck Link: https://lore.kernel.org/r/20210615174419.GA1087688@agluck-desk2.amr.corp.intel.com Signed-off-by: Sasha Levin commit 26c9e398b4993f5dcae3a6abeae4df44105695ab Author: Hannes Reinecke Date: Tue May 25 14:54:14 2021 +0200 nvmet-fc: do not check for invalid target port in nvmet_fc_handle_fcp_rqst() [ Upstream commit 2a4a910aa4f0acc428dc8d10227c42e14ed21d10 ] When parsing a request in nvmet_fc_handle_fcp_rqst() we should not check for invalid target ports; if we do the command is aborted from the fcp layer, causing the host to assume a transport error. Rather we should still forward this request to the nvmet layer, which will then correctly fail the command with an appropriate error status. 
Signed-off-by: Hannes Reinecke Reviewed-by: James Smart Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 51af155a4327b81978d2c3274207c6f918a4e1df Author: Jiapeng Chong Date: Wed Jun 2 18:05:48 2021 +0800 platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() [ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ] The error code is missing in this code scenario, add the error code '-EINVAL' to the return value 'error'. Eliminate the following smatch warning: drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard() warn: missing error code 'error'. Reported-by: Abaci Robot Signed-off-by: Jiapeng Chong Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 506a2001b71964d3a75b62d354cd66ce8ce9781b Author: Ming Lei Date: Wed Jun 9 09:58:21 2021 +0800 block: fix race between adding/removing rq qos and normal IO [ Upstream commit 2cafe29a8d03f02a3d16193bdaae2f3e82a423f9 ] Yi reported several kernel panics on: [16687.001777] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... [16687.163549] pc : __rq_qos_track+0x38/0x60 or [ 997.690455] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... [ 997.850347] pc : __rq_qos_done+0x2c/0x50 Turns out it is caused by race between adding rq qos(wbt) and normal IO because rq_qos_add can be run when IO is being submitted, fix this issue by freezing queue before adding/deleting rq qos to queue. rq_qos_exit() needn't freeze queue because it is called after queue has been frozen. iolatency calls rq_qos_add() during allocating queue, so freezing won't add delay because queue usage refcount works at atomic mode at that time.
iocost calls rq_qos_add() when writing cgroup attribute file, that is fine to freeze queue at that time since we usually freeze queue when storing to queue sysfs attribute, meantime iocost only exists on the root cgroup. wbt_init calls it in blk_register_queue() and queue sysfs attribute store(queue_wb_lat_store() when write it 1st time in case of !BLK_WBT_MQ), the following patch will speedup the queue freezing in wbt_init. Reported-by: Yi Zhang Cc: Bart Van Assche Signed-off-by: Ming Lei Reviewed-by: Bart Van Assche Tested-by: Yi Zhang Link: https://lore.kernel.org/r/20210609015822.103433-2-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e30d2ecc13d7e56831e6b304047d77b912d86fea Author: Hui Wang Date: Wed Jun 9 10:14:42 2021 +0800 ACPI: resources: Add checks for ACPI IRQ override [ Upstream commit 0ec4e55e9f571f08970ed115ec0addc691eda613 ] The laptop keyboard doesn't work on many MEDION notebooks, but the keyboard works well under Windows and Unix. Through debugging, we found this log in the dmesg: ACPI: IRQ 1 override to edge, high pnp 00:03: Plug and Play ACPI device, IDs PNP0303 (active) And we checked the IRQ definition in the DSDT, it is: IRQ (Level, ActiveLow, Exclusive, ) {1} So the BIOS defines the keyboard IRQ to Level_Low, but the Linux kernel overrides it to Edge_High. If the Linux kernel is modified to skip the IRQ override, the keyboard will work normally. From the existing comment in acpi_dev_get_irqresource(), the override function only needs to be called when IRQ() or IRQNoFlags() is used to populate the resource descriptor, and according to Section 6.4.2.1 of ACPI 6.4 [1], if IRQ() is empty or IRQNoFlags() is used, the IRQ is High true, edge sensitive and non-shareable. ACPICA also assumes that to be the case (see acpi_rs_set_irq[] in rsirq.c).
In accordance with the above, check 3 additional conditions (EdgeSensitive, ActiveHigh and Exclusive) when deciding whether or not to treat an ACPI_RESOURCE_TYPE_IRQ resource as "legacy", in which case the IRQ override is applicable to it. Link: https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#irq-descriptor # [1] BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213031 BugLink: http://bugs.launchpad.net/bugs/1909814 Suggested-by: Rafael J. Wysocki Reported-by: Manuel Krause Tested-by: Manuel Krause Signed-off-by: Hui Wang [ rjw: Subject rewrite, changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 2238732f19926fc49e9d3e00e09da0e91da5e428 Author: Hanjun Guo Date: Wed Jun 2 17:36:50 2021 +0800 ACPI: bus: Call kobject_put() in acpi_init() error path [ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ] Although the system will not be in a good condition or it will not boot if acpi_bus_init() fails, it is still necessary to put the kobject in the error path before returning to avoid leaking memory. Signed-off-by: Hanjun Guo [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 00f3017e04d42c6e2ae72254a92bf1b298942764 Author: Erik Kaneda Date: Fri Jun 4 14:25:57 2021 -0700 ACPICA: Fix memory leak caused by _CID repair function [ Upstream commit c27bac0314131b11bccd735f7e8415ac6444b667 ] ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a According to the ACPI spec, _CID returns a package containing hardware ID's. Each element of an ASL package contains a reference count from the parent package as well as the element itself. Name (TEST, Package() { "String object" // this package element has a reference count of 2 }) A memory leak was caused in the _CID repair function because it did not decrement the reference count created by the package. 
Fix the memory leak by calling acpi_ut_remove_reference on _CID package elements that represent a hardware ID (_HID). Link: https://github.com/acpica/acpica/commit/180cb539 Tested-by: Shawn Guo Signed-off-by: Erik Kaneda Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f8c7e8e572d99440fd28de198787d428d2a87265 Author: Alexander Aring Date: Wed Jun 2 09:45:16 2021 -0400 fs: dlm: fix memory leak when fenced [ Upstream commit 700ab1c363c7b54c9ea3222379b33fc00ab02f7b ] I got some kmemleak report when a node was fenced. The user space tool dlm_controld will therefore run some rmdir() in dlm configfs which was triggering some memleaks. This patch stores the sps and cms attributes which stores some handling for subdirectories of the configfs cluster entry and free them if they get released as the parent directory gets freed. unreferenced object 0xffff88810d9e3e00 (size 192): comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 73 70 61 63 65 73 00 00 ........spaces.. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000db8b640b>] make_cluster+0x5d/0x360 [<000000006a571db4>] configfs_mkdir+0x274/0x730 [<00000000b094501c>] vfs_mkdir+0x27e/0x340 [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0 [<00000000d1ffd156>] do_syscall_64+0x40/0x80 [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae unreferenced object 0xffff88810d9e3a00 (size 192): comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 63 6f 6d 6d 73 00 00 00 ........comms... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
backtrace: [<00000000a7ef6ad2>] make_cluster+0x82/0x360 [<000000006a571db4>] configfs_mkdir+0x274/0x730 [<00000000b094501c>] vfs_mkdir+0x27e/0x340 [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0 [<00000000d1ffd156>] do_syscall_64+0x40/0x80 [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit b6c469a850a4c737937cc955e1088c8e1b4746ea Author: Richard Fitzgerald Date: Tue May 25 13:20:12 2021 +0100 random32: Fix implicit truncation warning in prandom_seed_state() [ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ] sparse generates the following warning: include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from constant value This is because the 64-bit seed value is manipulated and then placed in a u32, causing an implicit cast and truncation. A forced cast to u32 doesn't prevent this warning, which is reasonable because a typecast doesn't prove that truncation was expected. Logical-AND the value with 0xffffffff to make explicit that truncation to 32-bit is intended. Reported-by: kernel test robot Signed-off-by: Richard Fitzgerald Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com Signed-off-by: Sasha Levin commit 0fc251751c7305bd9cd603045c248ff96efc837e Author: Alexander Aring Date: Fri May 21 15:08:38 2021 -0400 fs: dlm: cancel work sync othercon [ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ] These rx tx flags arguments are for signaling close_connection() from which worker they are called. Obviously the receive worker cannot cancel itself and vice versa for swork. For the othercon the receive worker should only be used, however to avoid deadlocks we should pass the same flags as the original close_connection() was called. 
Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 75b97dcbe956529c3457446007865cbd47accdab Author: zhangyi (F) Date: Sat Mar 13 11:01:44 2021 +0800 block_dump: remove block_dump feature in mark_inode_dirty() [ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ] block_dump is an old debugging interface, one of its functions is used to print the information about who write which file on disk. If we enable block_dump through /proc/sys/vm/block_dump and turn on debug log level, we can gather information about write process name, target file name and disk from kernel message. This feature is realized in block_dump___mark_inode_dirty(), it print above information into kernel message directly when marking inode dirty, so it is noisy and can easily trigger log storm. At the same time, get the dentry refcount is also not safe, we found it will lead to deadlock on ext4 file system with data=journal mode. After tracepoints has been introduced into the kernel, we got a tracepoint in __mark_inode_dirty(), which is a better replacement of block_dump___mark_inode_dirty(). The only downside is that it only trace the inode number and not a file name, but it probably doesn't matter because the original printed file name in block_dump is not accurate in some cases, and we can still find it through the inode number and device id. So this patch delete the dirtying inode part of block_dump feature. Signed-off-by: zhangyi (F) Reviewed-by: Jan Kara Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4cee846b30aa128e3372e651b9a1b28b1d677ad3 Author: Chris Chiu Date: Thu May 20 11:09:50 2021 +0800 ACPI: EC: Make more Asus laptops use ECDT _GPE [ Upstream commit 6306f0431914beaf220634ad36c08234006571d5 ] More ASUS laptops have the _GPE define in the DSDT table with a different value than the _GPE number in the ECDT.
This is causing media keys not working on ASUS X505BA/BP, X542BA/BP. Add model info to the quirks list. Signed-off-by: Chris Chiu Signed-off-by: Jian-Hong Pan Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e846c2821c2508789001589edde2231c50f1bf06 Author: Richard Fitzgerald Date: Fri May 14 17:12:04 2021 +0100 lib: vsprintf: Fix handling of number field widths in vsscanf [ Upstream commit 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 ] The existing code attempted to handle numbers by doing a strto[u]l(), ignoring the field width, and then repeatedly dividing to extract the field out of the full converted value. If the string contains a run of valid digits longer than will fit in a long or long long, this would overflow and no amount of dividing can recover the correct value. This patch fixes vsscanf() to obey number field widths when parsing the number. A new _parse_integer_limit() is added that takes a limit for the number of characters to parse. The number field conversion in vsscanf is changed to use this new function. If a number starts with a radix prefix, the field width must be long enough for at least one digit after the prefix. If not, it will be handled like this: sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x' sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4' This is consistent with the observed behaviour of userland sscanf. Note that this patch does NOT fix the problem of a single field value overflowing the target type. So for example: sscanf("123456789abcdef", "%x", &i); Will not produce the correct result because the value obviously overflows INT_MAX. But sscanf will report a successful conversion. Note that where a very large number is used to mean "unlimited", the value INT_MAX is used for consistency with the behaviour of vsnprintf().
Signed-off-by: Richard Fitzgerald Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com Signed-off-by: Sasha Levin commit 865c6e210bd431e2594620523edda1aec4e17af3 Author: YueHaibing Date: Fri May 14 15:01:16 2021 +0800 hv_utils: Fix passing zero to 'PTR_ERR' warning [ Upstream commit c6a8625fa4c6b0a97860d053271660ccedc3d1b3 ] Sparse warn this: drivers/hv/hv_util.c:753 hv_timesync_init() warn: passing zero to 'PTR_ERR' Use PTR_ERR_OR_ZERO instead of PTR_ERR to fix this. Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20210514070116.16800-1-yuehaibing@huawei.com [ wei: change %ld to %d ] Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 8d64fd2682ae94a2f4f5628682f4f8435bdc36bd Author: Mario Limonciello Date: Wed May 12 17:15:14 2021 -0500 ACPI: processor idle: Fix up C-state latency if not ordered [ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ] Generally, the C-state latency is provided by the _CST method or FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh, and Cezanne set the C2 latency greater than C3's which causes the C2 state to be skipped. That will block the core entering PC6, which prevents S0ix working properly on Linux systems. In other operating systems, the latency values are not validated and this does not cause problems by skipping states. To avoid this issue on Linux, detect when latencies are not an arithmetic progression and sort them. Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174 Suggested-by: Prike Liang Suggested-by: Alex Deucher Signed-off-by: Mario Limonciello [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. 
Wysocki Signed-off-by: Sasha Levin commit e9e2683f1b9c046d498468d2bf09c39c911b82cf Author: Bixuan Cui Date: Wed May 12 11:37:27 2021 +0800 EDAC/ti: Add missing MODULE_DEVICE_TABLE [ Upstream commit 0a37f32ba5272b2d4ec8c8d0f6b212b81b578f7e ] The module misses MODULE_DEVICE_TABLE() for of_device_id tables and thus never autoloads on ID matches. Add the missing declaration. Reported-by: Hulk Robot Signed-off-by: Bixuan Cui Signed-off-by: Borislav Petkov Cc: Tero Kristo Link: https://lkml.kernel.org/r/20210512033727.26701-1-cuibixuan@huawei.com Signed-off-by: Sasha Levin commit 9b1b8323871b72c8fb06850dd1db4afcf6d3f3c5 Author: Dmitry Torokhov Date: Fri Mar 19 17:27:16 2021 -0700 HID: do not use down_interruptible() when unbinding devices [ Upstream commit f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 ] Action of unbinding driver from a device is not cancellable and should not fail, and driver core does not pay attention to the result of "remove" method, therefore using down_interruptible() in hid_device_remove() does not make sense. Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 17ca23ef05ed8e7e40b69a45095d501aea2bc1bd Author: Shuah Khan Date: Wed Jun 16 17:19:06 2021 +0200 media: Fix Media Controller API config checks [ Upstream commit 50e7a31d30e8221632675abed3be306382324ca2 ] Smatch static checker warns that "mdev" can be null: sound/usb/media.c:287 snd_media_device_create() warn: 'mdev' can also be NULL If CONFIG_MEDIA_CONTROLLER is disabled, this file should not be included in the build. The below conditions in the sound/usb/Makefile are in place to ensure that media.c isn't included in the build. 
sound/usb/Makefile: snd-usb-audio-$(CONFIG_SND_USB_AUDIO_USE_MEDIA_CONTROLLER) += media.o select SND_USB_AUDIO_USE_MEDIA_CONTROLLER if MEDIA_CONTROLLER && (MEDIA_SUPPORT=y || MEDIA_SUPPORT=SND_USB_AUDIO) The following config check in include/media/media-dev-allocator.h is in place to enable the API only when CONFIG_MEDIA_CONTROLLER and CONFIG_USB are enabled. #if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB) This check doesn't work as intended when CONFIG_USB=m. When CONFIG_USB=m, CONFIG_USB_MODULE is defined and CONFIG_USB is not. The above config check doesn't catch that CONFIG_USB is defined as a module and disables the API. This results in sound/usb enabling Media Controller specific ALSA driver code, while Media disables the Media Controller API. Fixing the problem requires two changes: 1. Change the check to use IS_ENABLED to detect when CONFIG_USB is enabled as a module or static. Since CONFIG_MEDIA_CONTROLLER is a bool, leave the check unchanged to be consistent with drivers/media/Makefile. 2. Change the drivers/media/mc/Makefile to include mc-dev-allocator.o in mc-objs when CONFIG_USB is enabled. Link: https://lore.kernel.org/alsa-devel/YLeAvT+R22FQ%2FEyw@mwanda/ Reported-by: Dan Carpenter Signed-off-by: Shuah Khan Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ef5792d3995dbd388fa65ed6f1e16c65dedc0abd Author: Axel Lin Date: Fri Jun 18 22:14:11 2021 +0800 regulator: da9052: Ensure enough delay time for .set_voltage_time_sel [ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ] Use DIV_ROUND_UP to prevent truncation by integer division issue. This ensures we return enough delay time. Also fix returning negative value when new_sel < old_sel.
Signed-off-by: Axel Lin Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2aff3f51cd22472e19e71c04b7a018e0ab18672e Author: Hsin-Hsiung Wang Date: Wed Jun 23 12:56:09 2021 +0800 regulator: mt6358: Fix vdram2 .vsel_mask [ Upstream commit 50c9462edcbf900f3d5097ca3ad60171346124de ] The valid vsel values are 0 and 12, so the .vsel_mask should be 0xf. Signed-off-by: Hsin-Hsiung Wang Reviewed-by: Axel Lin Link: https://lore.kernel.org/r/1624424169-510-1-git-send-email-hsin-hsiung.wang@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fc31fb6f36cd7c05a6c978b44118dcce0bffb120 Author: Heiko Carstens Date: Mon Jun 21 16:03:56 2021 +0200 KVM: s390: get rid of register asm usage [ Upstream commit 4fa3b91bdee1b08348c82660668ca0ca34e271ad ] Using register asm statements has been proven to be very error prone, especially when using code instrumentation where gcc may add function calls, which clobbers register contents in an unexpected way. Therefore get rid of register asm statements in kvm code, even though there is currently nothing wrong with them. This way we know for sure that this bug class won't be introduced here. Signed-off-by: Heiko Carstens Reviewed-by: Christian Borntraeger Reviewed-by: Thomas Huth Reviewed-by: Cornelia Huck Reviewed-by: Claudio Imbrenda Link: https://lore.kernel.org/r/20210621140356.1210771-1-hca@linux.ibm.com [borntraeger@de.ibm.com: checkpatch strict fix] Signed-off-by: Christian Borntraeger Signed-off-by: Sasha Levin commit 2ef6cd6e486551250506251fdc7370c004a884f3 Author: Boqun Feng Date: Sat Jun 19 01:01:09 2021 +0800 lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage() [ Upstream commit 7b1f8c6179769af6ffa055e1169610b51d71edd5 ] In the step #3 of check_irq_usage(), we search backwards to find a lock whose usage conflicts the usage of @target_entry1 on safe/unsafe.
However, we should only keep the irq-unsafe usage of @target_entry1 into consideration, because it could be a case where a lock is hardirq-unsafe but soft-safe, and in check_irq_usage() we find it because its hardirq-unsafe could result into a hardirq-safe-unsafe deadlock, but currently since we don't filter out the other usage bits, so we may find a lock dependency path softirq-unsafe -> softirq-safe, which in fact doesn't cause a deadlock. And this may cause misleading lockdep splats. Fix this by only keeping LOCKF_ENABLED_IRQ_ALL bits when we try the backwards search. Reported-by: Johannes Berg Signed-off-by: Boqun Feng Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20210618170110.3699115-4-boqun.feng@gmail.com Signed-off-by: Sasha Levin commit 1b45a85262bf6954400e0e3a5011881389d51f1c Author: Boqun Feng Date: Sat Jun 19 01:01:07 2021 +0800 locking/lockdep: Fix the dep path printing for backwards BFS [ Upstream commit 69c7a5fb2482636f525f016c8333fdb9111ecb9d ] We use the same code to print backwards lock dependency path as the forwards lock dependency path, and this could result into incorrect printing because for a backwards lock_list ->trace is not the call trace where the lock of ->class is acquired. Fix this by introducing a separate function on printing the backwards dependency path. Also add a few comments about the printing while we are at it. 
Reported-by: Johannes Berg Signed-off-by: Boqun Feng Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20210618170110.3699115-2-boqun.feng@gmail.com Signed-off-by: Sasha Levin commit 3ee80fc1f5309885529265b18325bb4bdb891773 Author: Christophe Leroy Date: Thu Jun 10 05:23:02 2021 +0000 btrfs: disable build on platforms having page size 256K [ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ] With a config having PAGE_SIZE set to 256K, BTRFS build fails with the following message include/linux/compiler_types.h:326:38: error: call to '__compiletime_assert_791' declared with attribute error: BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0 BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with 256K pages at the time being. There are two platforms that can select 256K pages: - hexagon - powerpc Disable BTRFS when 256K page size is selected. Supporting this would require changes to the subpage mode that's currently being developed. Given that 256K is many times larger than page sizes commonly used and for what the algorithms and structures have been tuned, it's out of scope and disabling build is a reasonable option. Reported-by: kernel test robot Signed-off-by: Christophe Leroy [ update changelog ] Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit af4b53f6d3eae04b27634b0045a9367d6b7ad27e Author: Josef Bacik Date: Fri May 21 16:44:09 2021 -0400 btrfs: abort transaction if we fail to update the delayed inode [ Upstream commit 04587ad9bef6ce9d510325b4ba9852b6129eebdb ] If we fail to update the delayed inode we need to abort the transaction, because we could leave an inode with the improper counts or some other such corruption behind. 
Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 504081c415e20a0378d29d1db7728b2b98ec7d0d Author: Josef Bacik Date: Fri May 21 16:44:08 2021 -0400 btrfs: fix error handling in __btrfs_update_delayed_inode [ Upstream commit bb385bedded3ccbd794559600de4a09448810f4a ] If we get an error while looking up the inode item we'll simply bail without cleaning up the delayed node. This results in this style of warning happening on commit: WARNING: CPU: 0 PID: 76403 at fs/btrfs/delayed-inode.c:1365 btrfs_assert_delayed_root_empty+0x5b/0x90 CPU: 0 PID: 76403 Comm: fsstress Tainted: G W 5.13.0-rc1+ #373 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 RIP: 0010:btrfs_assert_delayed_root_empty+0x5b/0x90 RSP: 0018:ffffb8bb815a7e50 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff95d6d07e1888 RCX: ffff95d6c0fa3000 RDX: 0000000000000002 RSI: 000000000029e91c RDI: ffff95d6c0fc8060 RBP: ffff95d6c0fc8060 R08: 00008d6d701a2c1d R09: 0000000000000000 R10: ffff95d6d1760ea0 R11: 0000000000000001 R12: ffff95d6c15a4d00 R13: ffff95d6c0fa3000 R14: 0000000000000000 R15: ffffb8bb815a7e90 FS: 00007f490e8dbb80(0000) GS:ffff95d73bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e75555cb0 CR3: 00000001101ce001 CR4: 0000000000370ef0 Call Trace: btrfs_commit_transaction+0x43c/0xb00 ? finish_wait+0x80/0x80 ? vfs_fsync_range+0x90/0x90 iterate_supers+0x8c/0x100 ksys_sync+0x50/0x90 __do_sys_sync+0xa/0x10 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Because the iref isn't dropped and this leaves an elevated node->count, so any release just re-queues it onto the delayed inodes list. Fix this by going to the out label to handle the proper cleanup of the delayed node. 
Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit f3d2278a81f74359fbee217658a75de14c3f26a8 Author: Suraj Jitindar Singh Date: Wed Jun 2 14:04:41 2021 +1000 KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors [ Upstream commit 77bbbc0cf84834ed130838f7ac1988567f4d0288 ] The POWER9 vCPU TLB management code assumes all threads in a core share a TLB, and that TLBIEL executed by one thread will invalidate TLBs for all threads. This is not the case for SMT8 capable POWER9 and POWER10 (big core) processors, where the TLB is split between groups of threads. This results in TLB multi-hits, random data corruption, etc. Fix this by introducing cpu_first_tlb_thread_sibling etc., to determine which siblings share TLBs, and use that in the guest TLB flushing code. [npiggin@gmail.com: add changelog and comment] Signed-off-by: Paul Mackerras Signed-off-by: Nicholas Piggin Reviewed-by: Fabiano Rosas Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210602040441.3984352-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit 3fea9b708ae37c05df5d9cad50982ef27d12d9ca Author: Jing Xiangfeng Date: Thu Jun 17 20:26:14 2021 +0800 drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() [ Upstream commit d96b1b8c9f79b6bb234a31c80972a6f422079376 ] ddr_perf_probe() misses to call ida_simple_remove() in an error path. Jump to cpuhp_state_err to fix it. Signed-off-by: Jing Xiangfeng Reviewed-by: Dong Aisheng Link: https://lore.kernel.org/r/20210617122614.166823-1-jingxiangfeng@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 2e23607e65dc13446a8f65ee22080e0dcb815d59 Author: Guenter Roeck Date: Wed May 26 08:40:18 2021 -0700 hwmon: (max31790) Fix pwmX_enable attributes [ Upstream commit 148c847c9e5a54b99850617bf9c143af9a344f92 ] pwmX_enable supports three possible values: 0: Fan control disabled. Duty cycle is fixed to 0% 1: Fan control enabled, pwm mode.
       Duty cycle is determined by values written into Target Duty Cycle
       registers.
    2: Fan control enabled, rpm mode
       Duty cycle is adjusted such that fan speed matches the values in
       Target Count registers

    The current code does not do this; instead, it mixes pwm control
    configuration with fan speed monitoring configuration. Worse, it
    reports that pwm control would be disabled (pwmX_enable==0) when it is
    in fact enabled in pwm mode. Part of the problem may be that the chip
    sets the "TACH input enable" bit on its own whenever the mode bit is
    set to RPM mode, but that doesn't mean that "TACH input enable"
    accurately reflects the pwm mode.

    Fix it up and only handle pwm control with the pwmX_enable attributes.
    In the documentation, clarify that disabling pwm control
    (pwmX_enable=0) sets the pwm duty cycle to 0%. In the code, explain why
    TACH_INPUT_EN is set together with RPM_MODE.

    While at it, only update the configuration register if the
    configuration has changed, and only update the cached configuration if
    updating the chip configuration was successful.

    Cc: Jan Kundrát
    Cc: Václav Kubernát
    Signed-off-by: Guenter Roeck
    Tested-by: Václav Kubernát
    Reviewed-by: Jan Kundrát
    Link: https://lore.kernel.org/r/20210526154022.3223012-4-linux@roeck-us.net
    Signed-off-by: Sasha Levin

commit d284b53193fa488bd9a1ed9323ce7c670294de56
Author: Guenter Roeck
Date:   Wed May 26 08:40:17 2021 -0700

    hwmon: (max31790) Report correct current pwm duty cycles

    [ Upstream commit 897f6339893b741a5d68ae8e2475df65946041c2 ]

    The MAX31790 has two sets of registers for pwm duty cycles, one to
    request a duty cycle and one to read the actual current duty cycle.
    Both do not have to be the same.

    When reporting the pwm duty cycle to the user, the actual pwm duty
    cycle from pwm duty cycle registers needs to be reported. When setting
    it, the pwm target duty cycle needs to be written.
    Since we don't know the actual pwm duty cycle after a target pwm duty
    cycle has been written, set the valid flag to false to indicate that
    actual pwm duty cycle should be read from the chip instead of using
    cached values.

    Cc: Jan Kundrát
    Cc: Václav Kubernát
    Signed-off-by: Guenter Roeck
    Tested-by: Václav Kubernát
    Reviewed-by: Jan Kundrát
    Link: https://lore.kernel.org/r/20210526154022.3223012-3-linux@roeck-us.net
    Signed-off-by: Sasha Levin

commit 4bb7eeb0a200968976dfcbdb818a9de1bd611961
Author: Steve Longerbeam
Date:   Mon May 17 16:29:23 2021 +0200

    media: imx-csi: Skip first few frames from a BT.656 source

    [ Upstream commit e198be37e52551bb863d07d2edc535d0932a3c4f ]

    Some BT.656 sensors (e.g. ADV718x) transmit frames with unstable BT.656
    sync codes after initial power on. This confuses the imx CSI, resulting
    in vertical and/or horizontal sync issues. Skip the first 20 frames
    to avoid the unstable sync codes.

    [fabio: fixed checkpatch warning and increased the frame skipping to 20]

    Signed-off-by: Steve Longerbeam
    Signed-off-by: Fabio Estevam
    Reviewed-by: Tim Harvey
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 54196d9e77e5c865dfaccf484d0aee2e38e0883d
Author: Mauro Carvalho Chehab
Date:   Thu Jun 10 08:57:02 2021 +0200

    media: siano: fix device register error path

    [ Upstream commit 5368b1ee2939961a16e74972b69088433fc52195 ]

    As reported by smatch:
            drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list

    If an error occurs at the end of the registration logic, it won't
    drop the device from the list.
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 7434625f944c819a4a55d0c811a22d3bf53fbcd0
Author: Mauro Carvalho Chehab
Date:   Wed Jun 16 13:13:54 2021 +0200

    media: dvb_net: avoid speculation from net slot

    [ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ]

    The risk of speculation is actually almost-non-existing here,
    as there are very few users of TCP/IP using the DVB stack,
    as, this is mainly used with DVB-S/S2 cards, and only by people
    that receive TCP/IP from satellite connections, which limits
    a lot the number of users of such feature(*).

    (*) In thesis, DVB-C cards could also benefit from it, but I'm
    yet to see a hardware that supports it.

    Yet, fixing it is trivial.

    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 80b9d3becd84ef0b096df286cdf4663d74e8354a
Author: Ard Biesheuvel
Date:   Thu Jun 10 08:21:50 2021 +0200

    crypto: shash - avoid comparing pointers to exported functions under CFI

    [ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]

    crypto_shash_alg_has_setkey() is implemented by testing whether the
    .setkey() member of a struct shash_alg points to the default version,
    called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
    inline, this requires shash_no_setkey() to be exported to modules.

    Unfortunately, when building with CFI, function pointers are routed
    via CFI stubs which are private to each module (or to the kernel proper)
    and so this function pointer comparison may fail spuriously.

    Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
    line function.
    Cc: Sami Tolvanen
    Cc: Eric Biggers
    Signed-off-by: Ard Biesheuvel
    Reviewed-by: Eric Biggers
    Reviewed-by: Sami Tolvanen
    Signed-off-by: Herbert Xu
    Signed-off-by: Sasha Levin

commit 31ef30f8f8786b70a27837634ad176a4b035ac27
Author: Zheyu Ma
Date:   Thu Jun 3 13:33:20 2021 +0000

    mmc: via-sdmmc: add a check against NULL pointer dereference

    [ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ]

    Before referencing 'host->data', the driver needs to check whether it
    is a null pointer, otherwise it will cause a null pointer reference.

    This log reveals it:

    [ 29.355199] BUG: kernel NULL pointer dereference, address: 0000000000000014
    [ 29.357323] #PF: supervisor write access in kernel mode
    [ 29.357706] #PF: error_code(0x0002) - not-present page
    [ 29.358088] PGD 0 P4D 0
    [ 29.358280] Oops: 0002 [#1] PREEMPT SMP PTI
    [ 29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4- g70e7f0549188-dirty #102
    [ 29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    [ 29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410
    [ 29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
    [ 29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
    [ 29.362042] RAX: 0000000000000000 RBX: ffff888107d77880 RCX: 0000000000000000
    [ 29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb RDI: 00000000ffffffff
    [ 29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001 R09: 0000000000000001
    [ 29.363604] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000008600
    [ 29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200 R15: 0000000000008000
    [ 29.364651] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
    [ 29.365235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000 CR4: 00000000000006e0
    [ 29.366170] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 29.367197] Call Trace:
    [ 29.367381]
    [ 29.367537] __handle_irq_event_percpu+0x53/0x3e0
    [ 29.367916] handle_irq_event_percpu+0x35/0x90
    [ 29.368247] handle_irq_event+0x39/0x60
    [ 29.368632] handle_fasteoi_irq+0xc2/0x1d0
    [ 29.368950] __common_interrupt+0x7f/0x150
    [ 29.369254] common_interrupt+0xb4/0xd0
    [ 29.369547]
    [ 29.369708] asm_common_interrupt+0x1e/0x40
    [ 29.370016] RIP: 0010:native_safe_halt+0x17/0x20
    [ 29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91
    [ 29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
    [ 29.372079] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
    [ 29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4 RDI: ffffffff85403406
    [ 29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001
    [ 29.373646] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86009188
    [ 29.374160] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100258000
    [ 29.374690] default_idle+0x9/0x10
    [ 29.374944] arch_cpu_idle+0xa/0x10
    [ 29.375198] default_idle_call+0x6e/0x250
    [ 29.375491] do_idle+0x1f0/0x2d0
    [ 29.375740] cpu_startup_entry+0x18/0x20
    [ 29.376034] start_secondary+0x11f/0x160
    [ 29.376328] secondary_startup_64_no_verify+0xb0/0xbb
    [ 29.376705] Modules linked in:
    [ 29.376939] Dumping ftrace buffer:
    [ 29.377187] (ftrace buffer empty)
    [ 29.377460] CR2: 0000000000000014
    [ 29.377712] ---[ end trace 51a473dffb618c47 ]---
    [ 29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410
    [ 29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
    [ 29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
    [ 29.380098] RAX: 0000000000000000 RBX: ffff888107d77880 RCX: 0000000000000000
    [ 29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb RDI: 00000000ffffffff
    [ 29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001 R09: 0000000000000001
    [ 29.381653] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000008600
    [ 29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200 R15: 0000000000008000
    [ 29.382697] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
    [ 29.383277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000 CR4: 00000000000006e0
    [ 29.384223] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 29.385260] Kernel panic - not syncing: Fatal exception in interrupt
    [ 29.385882] Dumping ftrace buffer:
    [ 29.386135] (ftrace buffer empty)
    [ 29.386401] Kernel Offset: disabled
    [ 29.386656] Rebooting in 1 seconds..

    Signed-off-by: Zheyu Ma
    Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com
    Signed-off-by: Ulf Hansson
    Signed-off-by: Sasha Levin

commit b28d6d2df2b3ecc060cb74a1413d4d5a993a0867
Author: Krzysztof Kozlowski
Date:   Tue Jun 1 11:54:03 2021 +0200

    mmc: sdhci-sprd: use sdhci_sprd_writew

    [ Upstream commit 961470820021e6f9d74db4837bd6831a1a30341b ]

    The sdhci_sprd_writew() was defined but never used in sdhci_ops:

        drivers/mmc/host/sdhci-sprd.c:134:20: warning: unused function 'sdhci_sprd_writew'

    Reported-by: kernel test robot
    Signed-off-by: Krzysztof Kozlowski
    Link: https://lore.kernel.org/r/20210601095403.236007-2-krzysztof.kozlowski@canonical.com
    Signed-off-by: Ulf Hansson
    Signed-off-by: Sasha Levin

commit 1e3ad91cb64c26edacef76ed02dd0b704b51d1ef
Author: Tong Zhang
Date:   Tue May 11 12:39:45 2021 -0400

    memstick: rtsx_usb_ms: fix UAF

    [ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ]

    This patch fixes the following issues:
    1. memstick_free_host() will free the host, so the use of ms_dev(host)
    after it will be a problem. To fix this, move memstick_free_host()
    after when we are done with ms_dev(host).
    2. In rtsx_usb_ms_drv_remove(), pm needs to be disabled before we remove
    and free host otherwise memstick_check will be called and UAF will
    happen.

    [ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
    [ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
    [ 11.357376] platform_remove+0x2a/0x50
    [ 11.367531] Freed by task 298:
    [ 11.368537] kfree+0xa4/0x2a0
    [ 11.368711] device_release+0x51/0xe0
    [ 11.368905] kobject_put+0xa2/0x120
    [ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
    [ 11.369386] platform_remove+0x2a/0x50

    [ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
    [ 12.045432] mutex_lock+0xc9/0xd0
    [ 12.046080] memstick_check+0x6a/0x578 [memstick]
    [ 12.046509] process_one_work+0x46d/0x750
    [ 12.052107] Freed by task 297:
    [ 12.053115] kfree+0xa4/0x2a0
    [ 12.053272] device_release+0x51/0xe0
    [ 12.053463] kobject_put+0xa2/0x120
    [ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
    [ 12.053939] platform_remove+0x2a/0x50

    Signed-off-by: Tong Zhang
    Co-developed-by: Ulf Hansson
    Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
    Signed-off-by: Ulf Hansson
    Signed-off-by: Sasha Levin

commit 0ec7eab55b0e804ae171f9accafe1bd6d3ae2ec8
Author: Dongliang Mu
Date:   Tue May 25 15:06:52 2021 +0200

    media: dvd_usb: memory leak in cinergyt2_fe_attach

    [ Upstream commit 9ad1efee086e0e913914fa2b2173efb830bad68c ]

    When the driver fails to talk with the hardware with
    dvb_usb_generic_rw, it will return an error to
    dvb_usb_adapter_frontend_init. However, the driver forgets to free the
    resource (e.g., struct cinergyt2_fe_state), which leads to a memory
    leak.

    Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw
    fails in cinergyt2_frontend_attach.
    backtrace:
      [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline]
      [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline]
      [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271
      [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74
      [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
      [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline]
      [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline]
      [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287

    Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com
    Signed-off-by: Dongliang Mu
    Signed-off-by: Sean Young
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 1fc3ec4ac405ac3955a40b6718ef7e061a6a7e4b
Author: Nick Desaulniers
Date:   Fri May 21 18:26:24 2021 -0700

    Makefile: fix GDB warning with CONFIG_RELR

    [ Upstream commit 27f2a4db76e8d8a8b601fc1c6a7a17f88bd907ab ]

    GDB produces the following warning when debugging kernels built with
    CONFIG_RELR:

    BFD: /android0/linux-next/vmlinux: unknown type [0x13] section `.relr.dyn'

    when loading a kernel built with CONFIG_RELR into GDB. It can also
    prevent debugging symbols using such relocations.

    Peter suggests:
      [That flag] means that lld will use dynamic tags and section type
      numbers in the OS-specific range rather than the generic range. The
      kernel itself doesn't care about these numbers; it determines the
      location of the RELR section using symbols defined by a linker script.
    Link: https://github.com/ClangBuiltLinux/linux/issues/1057
    Suggested-by: Peter Collingbourne
    Reviewed-by: Nathan Chancellor
    Signed-off-by: Nick Desaulniers
    Link: https://lore.kernel.org/r/20210522012626.2811297-1-ndesaulniers@google.com
    Signed-off-by: Will Deacon
    Signed-off-by: Sasha Levin

commit 0a825797f791513d504c9c466c3b7270c7a911e1
Author: Evgeny Novikov
Date:   Wed May 19 14:04:49 2021 +0200

    media: st-hva: Fix potential NULL pointer dereferences

    [ Upstream commit b7fdd208687ba59ebfb09b2199596471c63b69e3 ]

    When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to
    access fields of ctx that is NULL at that point. The patch gets rid of
    these accesses.

    Found by Linux Driver Verification project (linuxtesting.org).

    Signed-off-by: Evgeny Novikov
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit f6f0190d651b80ec29b59e647c7579a0fc991db1
Author: Zheyu Ma
Date:   Wed May 12 17:18:36 2021 +0200

    media: bt8xx: Fix a missing check bug in bt878_probe

    [ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ]

    In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is
    set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'.
    However, these two drivers are separate. The user may not load the
    'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet
    has not been initialized when 'tasklet_schedule' is called, so it is
    necessary to check whether the tasklet is initialized in 'bt878_probe'.

    Fix this by adding a check at the end of bt878_probe.

    The KASAN's report reveals it:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0
    Oops: 0010 [#1] PREEMPT SMP KASAN PTI
    CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177- gdba4159c14ef-dirty #40
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    RIP: 0010: (null)
    Code: Bad RIP value.
    RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
    RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
    RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
    R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
    R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
    FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: 0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522
     tasklet_action+0x50/0x70 kernel/softirq.c:540
     __do_softirq+0x224/0x92c kernel/softirq.c:292
     invoke_softirq kernel/softirq.c:372 [inline]
     irq_exit+0x15a/0x180 kernel/softirq.c:412
     exiting_irq arch/x86/include/asm/apic.h:535 [inline]
     do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260
     common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
    RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline]
    RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline]
    RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584
    Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8 14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad 24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec
    RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde
    RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000
    RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0
    RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58
    R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000
     do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x4692a9
    Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f
    RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
    RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60
    R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0
    Modules linked in:
    Dumping ftrace buffer:
     (ftrace buffer empty)
    CR2: 0000000000000000
    ---[ end trace 68e5849c3f77cbb6 ]---
    RIP: 0010: (null)
    Code: Bad RIP value.
    RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
    RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
    RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
    R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
    R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
    FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: 0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

    Reported-by: Zheyu Ma
    Signed-off-by: Zheyu Ma
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 3790d56daf5fbaf303ac2d46e4d32e81ed22d858
Author: Lv Yunlong
Date:   Sun May 9 10:24:02 2021 +0200

    media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release

    [ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ]

    A use after free bug caused by the dangling pointer
    filp->privitate_data in v4l2_fh_release.
    See https://lore.kernel.org/patchwork/patch/1419058/.
    My patch sets the dangling pointer to NULL to provide robustness.

    Signed-off-by: Lv Yunlong
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit a70de431f713fb662f280bfb6b12fc7162bc5b89
Author: Igor Matheus Andrade Torrente
Date:   Tue May 4 20:32:49 2021 +0200

    media: em28xx: Fix possible memory leak of em28xx struct

    [ Upstream commit ac5688637144644f06ed1f3c6d4dd8bb7db96020 ]

    The em28xx struct kref isn't being decreased after an error in the
    em28xx_ir_init, leading to a possible memory leak.

    A kref_put and em28xx_shutdown_buttons is added to the error handler
    code.

    Signed-off-by: Igor Matheus Andrade Torrente
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 432188f626977f6cfca39e3898726f995a5109b5
Author: Odin Ugedal
Date:   Tue May 18 14:52:02 2021 +0200

    sched/fair: Fix ascii art by relpacing tabs

    [ Upstream commit 08f7c2f4d0e9f4283f5796b8168044c034a1bfcb ]

    When using something other than 8 spaces per tab, this ascii art
    makes no sense, and the reader might end up wondering what this
    advanced equation "is".

    Signed-off-by: Odin Ugedal
    Signed-off-by: Peter Zijlstra (Intel)
    Acked-by: Vincent Guittot
    Link: https://lkml.kernel.org/r/20210518125202.78658-4-odin@uged.al
    Signed-off-by: Sasha Levin

commit dd776d2fdf8704b9d2da658968966ee0f3b6a88c
Author: Jack Xu
Date:   Mon May 17 05:13:16 2021 -0400

    crypto: qat - remove unused macro in FW loader

    [ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ]

    Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware
    loader.
    This is to fix the following warning when compiling the driver using
    the clang compiler with CC=clang W=2:

        drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros]

    Signed-off-by: Jack Xu
    Co-developed-by: Zhehui Xiang
    Signed-off-by: Zhehui Xiang
    Reviewed-by: Giovanni Cabiddu
    Signed-off-by: Herbert Xu
    Signed-off-by: Sasha Levin

commit bcea3fc8f24deca5240cbe0578e96d4544baa4da
Author: Jack Xu
Date:   Mon May 17 05:13:15 2021 -0400

    crypto: qat - check return code of qat_hal_rd_rel_reg()

    [ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ]

    Check the return code of the function qat_hal_rd_rel_reg() and return
    it to the caller.

    This is to fix the following warning when compiling the driver with
    clang scan-build:

        drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value

    Signed-off-by: Jack Xu
    Co-developed-by: Zhehui Xiang
    Signed-off-by: Zhehui Xiang
    Reviewed-by: Giovanni Cabiddu
    Signed-off-by: Herbert Xu
    Signed-off-by: Sasha Levin

commit 1580d72ac7fc16b0835f046dee4e37984241fea7
Author: Laurent Pinchart
Date:   Tue Apr 13 04:29:52 2021 +0200

    media: imx: imx7_mipi_csis: Fix logging of only error event counters

    [ Upstream commit d2fcc9c2de1191ea80366e3658711753738dd10a ]

    The mipi_csis_events array ends with 6 non-error events, not 4. Update
    mipi_csis_log_counters() accordingly. While at it, log event counters
    in forward order, as there's no reason to log them backward.
    Signed-off-by: Laurent Pinchart
    Acked-by: Rui Miguel Silva
    Reviewed-by: Frieder Schrempf
    Tested-by: Frieder Schrempf
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit eae27d048ee7e7eafa3b03a10a984e215d1f0048
Author: Anirudh Rayabharam
Date:   Tue May 4 19:08:58 2021 +0200

    media: pvrusb2: fix warning in pvr2_i2c_core_done

    [ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ]

    syzbot has reported the following warning in pvr2_i2c_done:

            sysfs group 'power' not found for kobject '1-0043'

    When the device is disconnected (pvr_hdw_disconnect), the i2c adapter
    is not unregistered along with the USB and v4l2 teardown. As part of
    the USB device disconnect, the sysfs files of the subdevices are also
    deleted. So, by the time pvr_i2c_core_done is called by
    pvr_context_destroy, the sysfs files have been deleted.

    To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make
    the device deregistration code shared by calling pvr_hdw_disconnect
    from pvr2_hdw_destroy.

    Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
    Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
    Reviewed-by: Greg Kroah-Hartman
    Signed-off-by: Anirudh Rayabharam
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit bb8b5e98b5f509bd1636232ee28d64429a76df6b
Author: Hans Verkuil
Date:   Fri Apr 23 10:00:49 2021 +0200

    media: cobalt: fix race condition in setting HPD

    [ Upstream commit 3d37ef41bed0854805ab9af22c422267510e1344 ]

    The cobalt_s_bit_sysctrl reads the old register value over PCI,
    then changes a bit and writes the new value to the register.

    This is used among other things for setting the HPD output pin.

    But if the HPD is changed for multiple inputs at the same time,
    then this causes a race condition where a stale value is read.

    Serialize this function with a mutex.
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 162b85d3cf25d45de3acb24c5a8849c539057991
Author: Pavel Skripkin
Date:   Wed Apr 21 21:43:45 2021 +0200

    media: cpia2: fix memory leak in cpia2_usb_probe

    [ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ]

    syzbot reported leak in cpia2 usb driver. The problem was
    in invalid error handling.

    v4l2_device_register() is called in cpia2_init_camera_struct(), but
    all error cases after cpia2_init_camera_struct() did not call the
    v4l2_device_unregister()

    Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 5c8c5edb28f3e778bb4caeb32ed35e735970c2a9
Author: Mauro Carvalho Chehab
Date:   Tue May 18 11:26:31 2021 +0200

    media: sti: fix obj-$(config) targets

    [ Upstream commit 56c1f0876293888f686e31278d183d4af2cac3c3 ]

    The right thing to do is to add a new object to the building
    system when a certain config option is selected, and *not*
    override them.

    So, fix obj-$(config) logic at sti makefiles, using "+=",
    instead of ":=".

    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 84ac96486ba7bc090cc7bd81a7f875609d98e041
Author: Bixuan Cui
Date:   Sat May 8 11:14:55 2021 +0800

    crypto: nx - add missing MODULE_DEVICE_TABLE

    [ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ]

    This patch adds missing MODULE_DEVICE_TABLE definition which generates
    correct modalias for automatic loading of this driver when it is built
    as an external module.
    Reported-by: Hulk Robot
    Signed-off-by: Bixuan Cui
    Signed-off-by: Herbert Xu
    Signed-off-by: Sasha Levin

commit f4c8a00d61fef36f598857d6db40b3855161a41e
Author: Łukasz Stelmach
Date:   Wed May 5 20:29:14 2021 +0200

    hwrng: exynos - Fix runtime PM imbalance on error

    [ Upstream commit 0cdbabf8bb7a6147f5adf37dbc251e92a1bbc2c7 ]

    pm_runtime_resume_and_get() wraps around pm_runtime_get_sync() and
    decrements the runtime PM usage counter in case the latter function
    fails and keeps the counter balanced.

    Signed-off-by: Łukasz Stelmach
    Reviewed-by: Krzysztof Kozlowski
    Signed-off-by: Herbert Xu
    Signed-off-by: Sasha Levin

commit 022cf057e4432f8f32717ae1edfcc37e8c1a915e
Author: Zou Wei
Date:   Tue May 11 11:53:18 2021 +0800

    regulator: uniphier: Add missing MODULE_DEVICE_TABLE

    [ Upstream commit d019f38a1af3c6015cde6a47951a3ec43beeed80 ]

    This patch adds missing MODULE_DEVICE_TABLE definition which generates
    correct modalias for automatic loading of this driver when it is built
    as an external module.

    Reported-by: Hulk Robot
    Signed-off-by: Zou Wei
    Link: https://lore.kernel.org/r/1620705198-104566-1-git-send-email-zou_wei@huawei.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit d6518e028103e0b0606d9d6217626c9d7446bcc3
Author: Tian Tao
Date:   Thu Apr 29 19:20:48 2021 +0800

    spi: omap-100k: Fix the length judgment problem

    [ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ]

    word_len should be checked in the omap1_spi100k_setup_transfer
    function to see if it exceeds 32.
    Signed-off-by: Tian Tao
    Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit afc37630a124f9bd58e936e9b3391c0cba8bd9f3
Author: Jay Fang
Date:   Thu May 6 15:08:08 2021 +0800

    spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()

    [ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ]

    pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for
    data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will
    free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after
    kfree() to avoid double free.

    Signed-off-by: Jay Fang
    Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit ca5ea78475273dcaa0d6371f4f6c6980f573f2e5
Author: Jay Fang
Date:   Mon May 10 14:58:23 2021 +0800

    spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'

    [ Upstream commit 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 ]

    In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'.

    Signed-off-by: Jay Fang
    Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com
    Signed-off-by: Mark Brown
    Signed-off-by: Sasha Levin

commit b413d8654ed6d4b24ed78c6c8b1ab2692c8d301a
Author: Mauro Carvalho Chehab
Date:   Fri Apr 23 17:19:18 2021 +0200

    media: exynos-gsc: fix pm_runtime_get_sync() usage count

    [ Upstream commit 59087b66ea6730c130c57d23bd9fd139b78c1ba5 ]

    The pm_runtime_get_sync() internally increments the
    dev->power.usage_count without decrementing it, even on errors.
    Replace it by the new pm_runtime_resume_and_get(), introduced by:
    commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
    in order to properly decrement the usage counter, avoiding
    a potential PM usage counter leak.

    As a bonus, as pm_runtime_get_sync() always returns 0 on
    success, the logic can be simplified.
    Reviewed-by: Jonathan Cameron
    Reviewed-by: Sylwester Nawrocki
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit 8fece55aeb6d2a7ed47e908b000b600e58d62b3b
Author: Mauro Carvalho Chehab
Date:   Fri Apr 23 17:19:21 2021 +0200

    media: sti/bdisp: fix pm_runtime_get_sync() usage count

    [ Upstream commit c44eac5b72e23c31eefc0e10a71d9650036b8341 ]

    The pm_runtime_get_sync() internally increments the
    dev->power.usage_count without decrementing it, even on errors.

    The bdisp_start_streaming() doesn't take it into account, which
    would unbalance PM usage counter at bdisp_stop_streaming().

    The logic at bdisp_probe() is correct, but the best is to use
    the same call along the driver.

    So, replace it by the new pm_runtime_resume_and_get(), introduced by:
    commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
    in order to properly decrement the usage counter, avoiding
    a potential PM usage counter leak.

    Reviewed-by: Jonathan Cameron
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Sasha Levin

commit ac69e7aea37d93879a5883e0938d3cc2cb8c9cfc
Author: Mauro Carvalho Chehab
Date:   Fri Apr 23 17:19:10 2021 +0200

    media: s5p-jpeg: fix pm_runtime_get_sync() usage count

    [ Upstream commit 10343de268d10cf07b092b8b525e12ad558ead77 ]

    The pm_runtime_get_sync() internally increments the
    dev->power.usage_count without decrementing it, even on errors.
    Replace it by the new pm_runtime_resume_and_get(), introduced by:
    commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
    in order to properly decrement the usage counter, avoiding
    a potential PM usage counter leak.

    As a plus, pm_runtime_resume_and_get() doesn't return
    positive numbers, so the return code validation can
    be removed.
Reviewed-by: Jonathan Cameron Reviewed-by: Sylwester Nawrocki Acked-by: Andrzej Pietrasiewicz Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f1a8951cf1b416317f7e6fa0afa8c2d756abbece Author: Mauro Carvalho Chehab Date: Fri Apr 23 17:19:09 2021 +0200 media: mtk-vcodec: fix PM runtime get logic [ Upstream commit 908711f542c17fe61e5d653da1beb8e5ab5c7b50 ] Currently, the driver just assumes that PM runtime logic succeeded resuming the device. That may not be the case, as pm_runtime_get_sync() can fail (but keeping the usage count incremented). Replace the code to use pm_runtime_resume_and_get(), and letting it return the error code. This way, if mtk_vcodec_dec_pw_on() fails, the logic under fops_vcodec_open() will do the right thing and return an error, instead of just assuming that the device is ready to be used. Reviewed-by: Jonathan Cameron Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 908b6f72a910997e0aabd83ab69c8e69e396b025 Author: Mauro Carvalho Chehab Date: Fri Apr 23 17:07:41 2021 +0200 media: sh_vou: fix pm_runtime_get_sync() usage count [ Upstream commit 6e8b1526db164c9d4b9dacfb9bc48e365d7c4860 ] The pm_runtime_get_sync() internally increments the dev->power.usage_count without decrementing it, even on errors. Replace it by the new pm_runtime_resume_and_get(), introduced by: commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") in order to properly decrement the usage counter, avoiding a potential PM usage counter leak. While here, check if the PM runtime error was caught at open time.
Reviewed-by: Jonathan Cameron Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 948bcdcf7fd9f0ea1e16bafc5e22ee980a09e702 Author: Mauro Carvalho Chehab Date: Fri Apr 23 17:04:23 2021 +0200 media: s5p: fix pm_runtime_get_sync() usage count [ Upstream commit fdc34e82c0f968ac4c157bd3d8c299ebc24c9c63 ] The pm_runtime_get_sync() internally increments the dev->power.usage_count without decrementing it, even on errors. Replace it by the new pm_runtime_resume_and_get(), introduced by: commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") in order to properly decrement the usage counter, avoiding a potential PM usage counter leak. While here, check if the PM runtime error was caught at s5p_cec_adap_enable(). Reviewed-by: Jonathan Cameron Reviewed-by: Sylwester Nawrocki Acked-by: Marek Szyprowski Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4480cacdbc26ed565a35fb485c54ad940fcc8e11 Author: Mauro Carvalho Chehab Date: Fri Apr 23 16:57:16 2021 +0200 media: mdk-mdp: fix pm_runtime_get_sync() usage count [ Upstream commit d07bb9702cf5f5ccf3fb661e6cab54bbc33cd23f ] The pm_runtime_get_sync() internally increments the dev->power.usage_count without decrementing it, even on errors. Replace it by the new pm_runtime_resume_and_get(), introduced by: commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter") in order to properly decrement the usage counter, avoiding a potential PM usage counter leak. While here, fix the return condition of mtk_mdp_m2m_start_streaming(), as it doesn't make any sense to return 0 if the PM runtime failed to resume.
Reviewed-by: Jonathan Cameron Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ef59dbc06d6a17f16037dd3ddaca1f80d2fa0be3 Author: Charles Keepax Date: Wed Apr 21 11:14:02 2021 +0100 spi: Make of_register_spi_device also set the fwnode [ Upstream commit 0e793ba77c18382f08e440260fe72bc6fce2a3cb ] Currently, the SPI core doesn't set the struct device fwnode pointer when it creates a new SPI device. This means when the device is registered the fwnode is NULL and the check in device_add which sets the fwnode->dev pointer is skipped. This wasn't previously an issue, however these two patches: commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default") commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the primary device") Added some code to the GPIO core which relies on using that fwnode->dev pointer to determine if a driver is bound to the fwnode and if not bind a stub GPIO driver. This means the GPIO providers behind SPI will get both the expected driver and this stub driver causing the stub driver to fail if it attempts to request any pin configuration. For example on my system: madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3 madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22 madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1 on device madera-pinctrl gpio_stub_drv gpiochip3: Error applying setting, reverse things back gpio_stub_drv: probe of gpiochip3 failed with error -22 The firmware node on the device created by the GPIO framework is set through the of_node pointer hence things generally actually work, however that fwnode->dev is never set, as the check was skipped at device_add time. This fix appears to match how the I2C subsystem handles the same situation. 
Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a883c38f1cfa0cb2746eead803990dcd082a04b3 Author: Miklos Szeredi Date: Tue Jun 22 09:15:35 2021 +0200 fuse: reject internal errno commit 49221cf86d18bb66fe95d3338cb33bd4b9880ca5 upstream. Don't allow userspace to report errors that could be kernel-internal. Reported-by: Anatoly Trosinenko Fixes: 334f485df85a ("[PATCH] FUSE - device functions") Cc: # v2.6.14 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 059dd690bfe02a785db760be51d24fad1028b40a Author: Miklos Szeredi Date: Tue Jun 22 09:15:35 2021 +0200 fuse: check connected before queueing on fpq->io commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream. A request could end up on the fpq->io list after fuse_abort_conn() has reset fpq->connected and aborted requests on that list:
 Thread-1                          Thread-2
 ========                          ========
 ->fuse_simple_request()           ->shutdown
   ->__fuse_request_send()
     ->queue_request()             ->fuse_abort_conn()
 ->fuse_dev_do_read()                ->acquire(fpq->lock)
   ->wait_for(fpq->lock)             ->set err to all req's in fpq->io
                                     ->release(fpq->lock)
   ->acquire(fpq->lock)
   ->add req to fpq->io
After the userspace copy is done the request will be ended, but req->out.h.error will remain uninitialized. Also the copy might block despite being already aborted. Fix both issues by not allowing the request to be queued on the fpq->io list after fuse_abort_conn() has processed this list. Reported-by: Pradeep P V K Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts") Cc: # v4.2 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit e72bec922646c36e684b42c940f2e3f065147480 Author: Miklos Szeredi Date: Fri Jun 18 21:16:42 2021 +0200 fuse: ignore PG_workingset after stealing commit b89ecd60d38ec042d63bdb376c722a16f92bcb88 upstream. Fix the "fuse: trying to steal weird page" warning.
Description from Johannes Weiner: "Think of it as similar to PG_active. It's just another usage/heat indicator of file and anon pages on the reclaim LRU that, unlike PG_active, persists across deactivation and even reclaim (we store it in the page cache / swapper cache tree until the page refaults). So if fuse accepts pages that can legally have PG_active set, PG_workingset is fine too." Reported-by: Thomas Lindroth Fixes: 1899ad18c607 ("mm: workingset: tell cache transitions from workingset thrashing") Cc: # v4.20 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 74e9d920f25ce511f5458ae9d8c5ccd506649367 Author: Roberto Sassu Date: Fri May 14 17:27:44 2021 +0200 evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded commit 9acc89d31f0c94c8e573ed61f3e4340bbd526d0c upstream. EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to temporarily disable metadata verification until all xattrs/attrs necessary to verify an EVM portable signature are copied to the file. This flag is cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is calculated on unverified xattrs/attrs. Currently EVM unnecessarily denies setting this flag if EVM is initialized with a public key, which is not a concern as it cannot be used to trust xattrs/attrs updates. This patch removes this limitation. Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org # 4.16.x Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit d7dfaf13d24efb39914a53eaed3ebba4599e6141 Author: Roberto Sassu Date: Fri May 14 17:27:42 2021 +0200 evm: Execute evm_inode_init_security() only when an HMAC key is loaded commit 9eea2904292c2d8fa98df141d3bf7c41ec9dc1b5 upstream. evm_inode_init_security() requires an HMAC key to calculate the HMAC on initial xattrs provided by LSMs. 
However, it checks generically whether a key has been loaded, including also public keys, which is not correct as public keys are not suitable to calculate the HMAC. Originally, support for signature verification was introduced to verify a possibly immutable initial ram disk, when no new files are created, and to switch to HMAC for the root filesystem. By that time, an HMAC key should have been loaded and usable to calculate HMACs for new files. More recently support for requiring an HMAC key was removed from the kernel, so that signature verification can be used alone. Since this is a legitimate use case, evm_inode_init_security() should not return an error when no HMAC key has been loaded. This patch fixes this problem by replacing the evm_key_loaded() check with a check of the EVM_INIT_HMAC flag in evm_initialized. Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org # 4.5.x Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit 5c7c5c49d9b8229eafd6c9b65f4dc6abe26f307c Author: Michael Ellerman Date: Fri Jun 25 16:28:41 2021 +1000 powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi() commit 7c6986ade69e3c81bac831645bc72109cd798a80 upstream. In raise_backtrace_ipi() we iterate through the cpumask of CPUs, sending each an IPI asking them to do a backtrace, but we don't wait for the backtrace to happen. We then iterate through the CPU mask again, and if any CPU hasn't done the backtrace and cleared itself from the mask, we print a trace on its behalf, noting that the trace may be "stale". This works well enough when a CPU is not responding, because in that case it doesn't receive the IPI and the sending CPU is left to print the trace. But when all CPUs are responding we are left with a race between the sending and receiving CPUs, if the sending CPU wins the race then it will erroneously print a trace. 
This leads to spurious "stale" traces from the sending CPU, which can then be interleaved messily with the receiving CPU, note the CPU numbers, eg: [ 1658.929157][ C7] rcu: Stack dump where RCU GP kthread last ran: [ 1658.929223][ C7] Sending NMI from CPU 7 to CPUs 1: [ 1658.929303][ C1] NMI backtrace for cpu 1 [ 1658.929303][ C7] CPU 1 didn't respond to backtrace IPI, inspecting paca. [ 1658.929362][ C1] CPU: 1 PID: 325 Comm: kworker/1:1H Tainted: G W E 5.13.0-rc2+ #46 [ 1658.929405][ C7] irq_soft_mask: 0x01 in_mce: 0 in_nmi: 0 current: 325 (kworker/1:1H) [ 1658.929465][ C1] Workqueue: events_highpri test_work_fn [test_lockup] [ 1658.929549][ C7] Back trace of paca->saved_r1 (0xc0000000057fb400) (possibly stale): [ 1658.929592][ C1] NIP: c00000000002cf50 LR: c008000000820178 CTR: c00000000002cfa0 To fix it, change the logic so that the sending CPU waits 5s for the receiving CPU to print its trace. If the receiving CPU prints its trace successfully then the sending CPU just continues, avoiding any spurious "stale" trace. This has the added benefit of allowing all CPUs to print their traces in order and avoids any interleaving of their output. Fixes: 5cc05910f26e ("powerpc/64s: Wire up arch_trigger_cpumask_backtrace()") Cc: stable@vger.kernel.org # v4.18+ Reported-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210625140408.3351173-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 9ed57fc5a45b40348d8d362651fb47e9bb059f5a Author: Yun Zhou Date: Sat Jun 26 11:21:56 2021 +0800 seq_buf: Make trace_seq_putmem_hex() support data longer than 8 commit 6a2cbc58d6c9d90cd74288cc497c2b45815bc064 upstream. Since the raw memory 'data' does not go forward, it will dump repeated data if the data length is more than 8. If we want to dump longer data blocks, we need to repeatedly call macro SEQ_PUT_HEX_FIELD. I think it is a bit redundant, and multiple function calls also affect the performance. 
Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/ Link: https://lkml.kernel.org/r/20210626032156.47889-2-yun.zhou@windriver.com Cc: stable@vger.kernel.org Fixes: 6d2289f3faa7 ("tracing: Make trace_seq_putmem_hex() more robust") Signed-off-by: Yun Zhou Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit c65755f595cd9f21da9569224c11c8a43a670ace Author: Steven Rostedt (VMware) Date: Tue Jun 29 09:40:10 2021 -0400 tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing commit 9913d5745bd720c4266805c8d29952a3702e4eca upstream. All internal use cases for tracepoint_probe_register() is set to not ever be called with the same function and data. If it is, it is considered a bug, as that means the accounting of handling tracepoints is corrupted. If the function and data for a tracepoint is already registered when tracepoint_probe_register() is called, it will call WARN_ON_ONCE() and return with EEXISTS. The BPF system call can end up calling tracepoint_probe_register() with the same data, which now means that this can trigger the warning because of a user space process. As WARN_ON_ONCE() should not be called because user space called a system call with bad data, there needs to be a way to register a tracepoint without triggering a warning. Enter tracepoint_probe_register_may_exist(), which can be called, but will not cause a WARN_ON() if the probe already exists. It will still error out with EEXIST, which will then be sent to the user space that performed the BPF system call. This keeps the previous testing for issues with other users of the tracepoint code, while letting BPF call it with duplicated data and not warn about it. 
Link: https://lore.kernel.org/lkml/20210626135845.4080-1-penguin-kernel@I-love.SAKURA.ne.jp/ Link: https://syzkaller.appspot.com/bug?id=41f4318cf01762389f4d1c1c459da4f542fe5153 Cc: stable@vger.kernel.org Fixes: c4f6699dfcb85 ("bpf: introduce BPF_RAW_TRACEPOINT") Reported-by: syzbot Reported-by: Tetsuo Handa Tested-by: syzbot+721aa903751db87aa244@syzkaller.appspotmail.com Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit acf8494ba567bcece682f4b7dcb3b376c6110efe Author: Steven Rostedt (VMware) Date: Wed Jul 7 11:08:21 2021 -0400 tracing/histograms: Fix parsing of "sym-offset" modifier commit 26c563731056c3ee66f91106c3078a8c36bb7a9e upstream. With the addition of simple mathematical operations (plus and minus), the parsing of the "sym-offset" modifier broke, as it took the '-' part of the "sym-offset" as a minus, and tried to break it up into a mathematical operation of "field.sym - offset", in which case it failed to parse (unless the event had a field called "offset"). Both .sym and .sym-offset modifiers should not be entered into mathematical calculations anyway. If ".sym-offset" is found in the modifier, then simply make it not an operation that can be calculated on. Link: https://lkml.kernel.org/r/20210707110821.188ae255@oasis.local.home Cc: Ingo Molnar Cc: Andrew Morton Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Daniel Bristot de Oliveira Cc: stable@vger.kernel.org Fixes: 100719dcef447 ("tracing: Add simple expression support to hist triggers") Reviewed-by: Tom Zanussi Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman commit 6707b3d4382238071dadb053ba0e8dbf321dc18e Author: Martin Fuzzey Date: Tue Jun 1 18:19:53 2021 +0200 rsi: fix AP mode with WPA failure due to encrypted EAPOL commit 314538041b5632ffaf64798faaeabaf2793fe029 upstream. In AP mode WPA2-PSK connections were not established. 
The reason was that the AP was sending the first message of the 4 way handshake encrypted, even though no pairwise key had (correctly) yet been set. Encryption was enabled if the "security_enable" driver flag was set and encryption was not explicitly disabled by IEEE80211_TX_INTFL_DONT_ENCRYPT. However security_enable was set when *any* key, including the AP GTK key, had been set which was causing unwanted encryption even if no key was available for the unicast packet to be sent. Fix this by adding a check that we have a key and drop the old security_enable driver flag which is insufficient and redundant. The Redpine downstream out of tree driver does it this way too. Regarding the Fixes tag the actual code being modified was introduced earlier, with the original driver submission, in dad0d04fa7ba ("rsi: Add RS9113 wireless driver"), however at that time AP mode was not yet supported so there was no bug at that point. So I have tagged the introduction of AP support instead which was part of the patch set "rsi: support for AP mode" [1] It is not clear whether AP WPA has ever worked, I can see nothing on the kernel side that broke it afterwards yet the AP support patch series says "Tests are performed to confirm aggregation, connections in WEP and WPA/WPA2 security." One possibility is that the initial tests were done with a modified userspace (hostapd). [1] https://www.spinics.net/lists/linux-wireless/msg165302.html Signed-off-by: Martin Fuzzey Fixes: 38ef62353acb ("rsi: security enhancements for AP mode") CC: stable@vger.kernel.org Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1622564459-24430-1-git-send-email-martin.fuzzey@flowbird.group Signed-off-by: Greg Kroah-Hartman commit 5269ac3cf0b5981f6a395a8f191e07e9fa3421ce Author: Marek Vasut Date: Fri May 7 23:31:05 2021 +0200 rsi: Assign beacon rate settings to the correct rate_info descriptor field commit b1c3a24897bd528f2f4fda9fea7da08a84ae25b6 upstream.
The RSI_RATE_x bits must be assigned to struct rsi_data_desc rate_info field. The rest of the driver does it correctly, except this one place, so fix it. This is also aligned with the RSI downstream vendor driver. Without this patch, an AP operating at 5 GHz does not transmit any beacons at all, this patch fixes that. Fixes: d26a9559403c ("rsi: add beacon changes for AP mode") Signed-off-by: Marek Vasut Cc: Amitkumar Karwar Cc: Angus Ainslie Cc: David S. Miller Cc: Jakub Kicinski Cc: Kalle Valo Cc: Karun Eagalapati Cc: Martin Kepplinger Cc: Prameela Rani Garnepudi Cc: Sebastian Krzyszkowiak Cc: Siva Rebbagondla Cc: netdev@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210507213105.140138-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman commit f4b4b121521d71ab7df8ebdb8b28457b33eceb22 Author: Michael Buesch Date: Sat May 15 21:02:52 2021 +0200 ssb: sdio: Don't overwrite const buffer if block_write fails commit 47ec636f7a25aa2549e198c48ecb6b1c25d05456 upstream. It doesn't make sense to clobber the const driver-side buffer, if a write-to-device attempt failed. All other SSB variants (PCI, PCMCIA and SoC) also don't corrupt the buffer on any failure in block_write. Therefore, remove this memset from the SDIO variant. Signed-off-by: Michael Büsch Cc: stable@vger.kernel.org Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210515210252.318be2ba@wiggum Signed-off-by: Greg Kroah-Hartman commit 96bb095f8536f7d161b8e5a53b17edb7c4b87221 Author: Pali Rohár Date: Mon May 31 17:41:27 2021 +0300 ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() commit fb312ac5ccb007e843f982b38d4d6886ba4b32f2 upstream. I got this crash more times during debugging of PCIe controller and crash happens somehow at the time when PCIe kernel code started link retraining (as part of ASPM code) when at the same time PCIe link went down and ath9k probably executed hw reset procedure. 
Currently I'm not able to reproduce this issue as it looks like to be some race condition between link training, ASPM, link down and reset path. And as always, race conditions which depends on more input parameters are hard to reproduce as it depends on precise timings. But it is clear that pointers are zero in this case and should be properly filled as same code pattern is used in ath9k_stop() function. Anyway I was able to reproduce this crash by manually triggering ath reset worker prior putting card up. I created simple patch to export reset functionality via debugfs and use it to "simulate" of triggering reset. s proved that NULL-pointer dereference issue is there. Function ath9k_hw_reset() is dereferencing chan structure pointer, so it needs to be non-NULL pointer. Function ath9k_stop() already contains code which sets ah->curchan to valid non-NULL pointer prior calling ath9k_hw_reset() function. Add same code pattern also into ath_reset_internal() function to prevent kernel NULL pointer dereference in ath9k_hw_reset() function. This change fixes kernel NULL pointer dereference in ath9k_hw_reset() which is caused by calling ath9k_hw_reset() from ath_reset_internal() with NULL chan structure. 
[ 45.334305] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [ 45.344417] Mem abort info: [ 45.347301] ESR = 0x96000005 [ 45.350448] EC = 0x25: DABT (current EL), IL = 32 bits [ 45.356166] SET = 0, FnV = 0 [ 45.359350] EA = 0, S1PTW = 0 [ 45.362596] Data abort info: [ 45.365756] ISV = 0, ISS = 0x00000005 [ 45.369735] CM = 0, WnR = 0 [ 45.372814] user pgtable: 4k pages, 39-bit VAs, pgdp=000000000685d000 [ 45.379663] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 45.388856] Internal error: Oops: 96000005 [#1] SMP [ 45.393897] Modules linked in: ath9k ath9k_common ath9k_hw [ 45.399574] CPU: 1 PID: 309 Comm: kworker/u4:2 Not tainted 5.12.0-rc2-dirty #785 [ 45.414746] Workqueue: phy0 ath_reset_work [ath9k] [ 45.419713] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--) [ 45.425910] pc : ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw] [ 45.431234] lr : ath9k_hw_reset+0xc0/0x1c48 [ath9k_hw] [ 45.436548] sp : ffffffc0118dbca0 [ 45.439961] x29: ffffffc0118dbca0 x28: 0000000000000000 [ 45.445442] x27: ffffff800dee4080 x26: 0000000000000000 [ 45.450923] x25: ffffff800df9b9d8 x24: 0000000000000000 [ 45.456404] x23: ffffffc0115f6000 x22: ffffffc008d0d408 [ 45.461885] x21: ffffff800dee5080 x20: ffffff800df9b9d8 [ 45.467366] x19: 0000000000000000 x18: 0000000000000000 [ 45.472846] x17: 0000000000000000 x16: 0000000000000000 [ 45.478326] x15: 0000000000000010 x14: ffffffffffffffff [ 45.483807] x13: ffffffc0918db94f x12: ffffffc011498720 [ 45.489289] x11: 0000000000000003 x10: ffffffc0114806e0 [ 45.494770] x9 : ffffffc01014b2ec x8 : 0000000000017fe8 [ 45.500251] x7 : c0000000ffffefff x6 : 0000000000000001 [ 45.505733] x5 : 0000000000000000 x4 : 0000000000000000 [ 45.511213] x3 : 0000000000000000 x2 : ffffff801fece870 [ 45.516693] x1 : ffffffc00eded000 x0 : 000000000000003f [ 45.522174] Call trace: [ 45.524695] ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw] [ 45.529653] ath_reset_internal+0x1a8/0x2b8 [ath9k] [ 45.534696] 
ath_reset_work+0x2c/0x40 [ath9k] [ 45.539198] process_one_work+0x210/0x480 [ 45.543339] worker_thread+0x5c/0x510 [ 45.547115] kthread+0x12c/0x130 [ 45.550445] ret_from_fork+0x10/0x1c [ 45.554138] Code: 910922c2 9117e021 95ff0398 b4000294 (b9400a61) [ 45.560430] ---[ end trace 566410ba90b50e8b ]--- [ 45.565193] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 45.572282] SMP: stopping secondary CPUs [ 45.576331] Kernel Offset: disabled [ 45.579924] CPU features: 0x00040002,0000200c [ 45.584416] Memory Limit: none [ 45.587564] Rebooting in 3 seconds.. Signed-off-by: Pali Rohár Cc: stable@vger.kernel.org Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210402122653.24014-1-pali@kernel.org Signed-off-by: Greg Kroah-Hartman commit e931d9a92576d5114c9447a2f93ed658e2b3a621 Author: Ondrej Zary Date: Fri Jun 11 22:19:39 2021 +0200 serial_cs: remove wrong GLOBETROTTER.cis entry commit 11b1d881a90fc184cc7d06e9804eb288c24a2a0d upstream. The GLOBETROTTER.cis entry in serial_cs matches more devices than intended and breaks them. Remove it. Example: # pccardctl info PRODID_1="Option International " PRODID_2="GSM-Ready 56K/ISDN " PRODID_3="021 " PRODID_4="A " MANFID=0013,0000 FUNCID=0 result: pcmcia 0.0: Direct firmware load for cis/GLOBETROTTER.cis failed with error -2 The GLOBETROTTER.cis is nowhere to be found. There's GLOBETROTTER.cis.ihex at https://netdev.vger.kernel.narkive.com/h4inqdxM/patch-axnet-cs-fix-phy-id-detection-for-bogus-asix-chip#post41 It's from completely different card: vers_1 4.1, "Option International", "GSM/GPRS GlobeTrotter", "001", "A" Signed-off-by: Ondrej Zary Cc: stable Link: https://lore.kernel.org/r/20210611201940.23898-1-linux@zary.sk Signed-off-by: Greg Kroah-Hartman commit a3ca189a001855c5a6b738cb39bf21aafb18f76d Author: Ondrej Zary Date: Fri Jun 11 22:19:40 2021 +0200 serial_cs: Add Option International GSM-Ready 56K/ISDN modem commit d495dd743d5ecd47288156e25c4d9163294a0992 upstream.
Add support for Option International GSM-Ready 56K/ISDN PCMCIA modem card. Signed-off-by: Ondrej Zary Cc: stable Link: https://lore.kernel.org/r/20210611201940.23898-2-linux@zary.sk Signed-off-by: Greg Kroah-Hartman commit 4bd14de69785c33156900f79b7340db0afd3769f Author: Yoshihiro Shimoda Date: Thu Jun 10 20:08:06 2021 +0900 serial: sh-sci: Stop dmaengine transfer in sci_stop_tx() commit 08a84410a04f05c7c1b8e833f552416d8eb9f6fe upstream. Stop dmaengine transfer in sci_stop_tx(). Otherwise, the following message is possible output when system enters suspend and while transferring data, because clearing TIE bit in SCSCR is not able to stop any dmaengine transfer. sh-sci e6550000.serial: ttySC1: Unable to drain transmitter Note that this driver has already used some #ifdef in the .c file so that this patch also uses #ifdef to fix the issue. Otherwise, build errors happens if the CONFIG_SERIAL_SH_SCI_DMA is disabled. Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.") Cc: # v4.9+ Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20210610110806.277932-1-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit a945c2ead2c519fbe79d39d1026fe7f2fa5c2652 Author: Pali Rohár Date: Fri Jun 25 00:49:00 2021 +0200 serial: mvebu-uart: fix calculation of clock divisor commit 9078204ca5c33ba20443a8623a41a68a9995a70d upstream. The clock divisor should be rounded to the closest value. Signed-off-by: Pali Rohár Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") Cc: stable@vger.kernel.org # 0e4cf69ede87 ("serial: mvebu-uart: clarify the baud rate derivation") Link: https://lore.kernel.org/r/20210624224909.6350-2-pali@kernel.org Signed-off-by: Greg Kroah-Hartman commit 202a64ad8f2c946b7edfe84b266357c2000ba304 Author: Oliver Lang Date: Thu Jun 10 15:46:18 2021 +0200 iio: ltr501: ltr501_read_ps(): add missing endianness conversion commit 71b33f6f93ef9462c84560e2236ed22209d26a58 upstream. 
The PS ADC Channel data is spread over 2 registers in little-endian form. This patch adds the missing endianness conversion. Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver") Signed-off-by: Oliver Lang Reviewed-by: Andy Shevchenko Signed-off-by: Marc Kleine-Budde Tested-by: Nikita Travkin # ltr559 Link: https://lore.kernel.org/r/20210610134619.2101372-4-mkl@pengutronix.de Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit aafeedb0996d83317f79413f2113bf3584319b27 Author: Oliver Lang Date: Thu Jun 10 15:46:17 2021 +0200 iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR commit 421a26f3d7a7c3ca43f3a9dc0f3cb0f562d5bd95 upstream. The ltr559 chip uses only the lowest bit of the ALS_CONTR register to configure between active and stand-by mode. In the original driver BIT(1) is used, which does a software reset instead. This patch fixes the problem by using BIT(0) as als_mode_active for the ltr559 chip. Fixes: 8592a7eefa54 ("iio: ltr501: Add support for ltr559 chip") Signed-off-by: Oliver Lang Reviewed-by: Andy Shevchenko Signed-off-by: Marc Kleine-Budde Tested-by: Nikita Travkin # ltr559 Link: https://lore.kernel.org/r/20210610134619.2101372-3-mkl@pengutronix.de Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a27c940a904259522a229c9cfc07ce1594528799 Author: Marc Kleine-Budde Date: Thu Jun 10 15:46:16 2021 +0200 iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too commit 2ac0b029a04b673ce83b5089368f467c5dca720c upstream. The regmap is configured for 8 bit registers, uses a RB-Tree cache and marks several registers as volatile (i.e. do not cache). The ALS and PS data registers in the chip are 16 bit wide and spans two regmap registers. In the current driver only the base register is marked as volatile, resulting in the upper register only read once. 
Further the data sheet notes: | When the I2C read operation starts, all four ALS data registers are | locked until the I2C read operation of register 0x8B is completed. Which results in the registers never update after the 2nd read. This patch fixes the problem by marking the upper 8 bits of the ALS and PS registers as volatile, too. Fixes: 2f2c96338afc ("iio: ltr501: Add regmap support.") Reported-by: Oliver Lang Reviewed-by: Andy Shevchenko Signed-off-by: Marc Kleine-Budde Tested-by: Nikita Travkin # ltr559 Link: https://lore.kernel.org/r/20210610134619.2101372-2-mkl@pengutronix.de Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 3287635367a42861dcba3e5fc90cf4939c16e0c8 Author: frank zago Date: Mon Apr 26 21:20:17 2021 -0500 iio: light: tcs3472: do not free unallocated IRQ commit 7cd04c863f9e1655d607705455e7714f24451984 upstream. Allocating an IRQ is conditional to the IRQ existence, but freeing it was not. If no IRQ was allocated, the driver would still try to free IRQ 0. Add the missing checks. This fixes the following trace when the driver is removed: [ 100.667788] Trying to free already-free IRQ 0 [ 100.667793] WARNING: CPU: 0 PID: 2315 at kernel/irq/manage.c:1826 free_irq+0x1fd/0x370 ... [ 100.667914] Call Trace: [ 100.667920] tcs3472_remove+0x3a/0x90 [tcs3472] [ 100.667927] i2c_device_remove+0x2b/0xa0 Signed-off-by: frank zago Link: https://lore.kernel.org/r/20210427022017.19314-2-frank@zago.net Fixes: 9d2f715d592e ("iio: light: tcs3472: support out-of-threshold events") Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 60684282789eebb2fb00df9e18cf23de0a966637 Author: Martin Fuzzey Date: Mon Jun 7 19:36:40 2021 +0200 rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path commit 950ac33dbe6ff656a623d862022f0762ec061ba7 upstream. The STM32MP1 RTC may have 2 clocks, the pclk and the rtc_ck.
If clk_prepare_enable() fails for the second clock (rtc_ck) we must only call clk_disable_unprepare() for the first clock (pclk) but currently we call it on both leading to a WARN: [ 15.629568] WARNING: CPU: 0 PID: 146 at drivers/clk/clk.c:958 clk_core_disable+0xb0/0xc8 [ 15.637620] ck_rtc already disabled [ 15.663322] CPU: 0 PID: 146 Comm: systemd-udevd Not tainted 5.4.77-pknbsp-svn5759-atag-v5.4.77-204-gea4235203137-dirty #2413 [ 15.674510] Hardware name: STM32 (Device Tree Support) [ 15.679658] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 15.687371] [] (show_stack) from [] (dump_stack+0xc0/0xe0) [ 15.694574] [] (dump_stack) from [] (__warn+0xc8/0xf0) [ 15.701428] [] (__warn) from [] (warn_slowpath_fmt+0x60/0x94) [ 15.708894] [] (warn_slowpath_fmt) from [] (clk_core_disable+0xb0/0xc8) [ 15.717230] [] (clk_core_disable) from [] (clk_core_disable_lock+0x18/0x24) [ 15.725924] [] (clk_core_disable_lock) from [] (stm32_rtc_probe+0x124/0x5e4 [rtc_stm32]) [ 15.735739] [] (stm32_rtc_probe [rtc_stm32]) from [] (platform_drv_probe+0x48/0x98) [ 15.745095] [] (platform_drv_probe) from [] (really_probe+0x1f0/0x458) [ 15.753338] [] (really_probe) from [] (driver_probe_device+0x70/0x1c4) [ 15.761584] [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) [ 15.770439] [] (device_driver_attach) from [] (__driver_attach+0xcc/0x170) [ 15.779032] [] (__driver_attach) from [] (bus_for_each_dev+0x58/0x7c) [ 15.787191] [] (bus_for_each_dev) from [] (bus_add_driver+0xdc/0x1f8) [ 15.795352] [] (bus_add_driver) from [] (driver_register+0x7c/0x110) [ 15.803425] [] (driver_register) from [] (do_one_initcall+0x70/0x1b8) [ 15.811588] [] (do_one_initcall) from [] (do_init_module+0x58/0x1f8) [ 15.819660] [] (do_init_module) from [] (load_module+0x1e58/0x23c8) [ 15.827646] [] (load_module) from [] (sys_finit_module+0xa0/0xd4) [ 15.835459] [] (sys_finit_module) from [] (__sys_trace_return+0x0/0x20) Signed-off-by: Martin Fuzzey Fixes: 4e64350f42e2 ("rtc: add STM32 RTC driver") 
    Cc: stable@vger.kernel.org
    Reviewed-by: Nobuhiro Iwamatsu
    Signed-off-by: Alexandre Belloni
    Link: https://lore.kernel.org/r/1623087421-19722-1-git-send-email-martin.fuzzey@flowbird.group
    Signed-off-by: Greg Kroah-Hartman

commit a470819824b7df5865409050039dca9d77c7a18f
Author: Vineeth Vijayan
Date:   Wed Jun 9 09:21:08 2021 +0200

    s390/cio: dont call css_wait_for_slow_path() inside a lock

    commit c749d8c018daf5fba6dfac7b6c5c78b27efd7d65 upstream.

    Currently css_wait_for_slow_path() gets called inside the chp->lock.
    The path-verification-loop of slowpath inside this lock could lead to
    deadlock as reported by the lockdep validator.

    The ccw_device_get_chp_desc() during the instance of a device-set-online
    would try to acquire the same 'chp->lock' to read the chp->desc. The
    instance of this function can get called from multiple scenario, like
    probing or setting-device online manually. This could, in some
    corner-cases lead to the deadlock.

    lockdep validator reported this as,

            CPU0                    CPU1
            ----                    ----
       lock(&chp->lock);
                                    lock(kn->active#43);
                                    lock(&chp->lock);
       lock((wq_completion)cio);

    The chp->lock was introduced to serialize the access of struct
    channel_path. This lock is not needed for the css_wait_for_slow_path()
    function, so invoke the slow-path function outside this lock.

    Fixes: b730f3a93395 ("[S390] cio: add lock to struct channel_path")
    Cc:
    Reviewed-by: Peter Oberparleiter
    Signed-off-by: Vineeth Vijayan
    Signed-off-by: Vasily Gorbik
    Signed-off-by: Greg Kroah-Hartman

commit 684bddacf155963af480ca0358a6a200f3d99d2b
Author: Nathan Chancellor
Date:   Mon Jun 21 11:24:40 2021 -0700

    KVM: PPC: Book3S HV: Workaround high stack usage with clang

    commit 51696f39cbee5bb684e7959c0c98b5f54548aa34 upstream.

    LLVM does not emit optimal byteswap assembly, which results in high
    stack usage in kvmhv_enter_nested_guest() due to the inlining of
    byteswap_pt_regs().
    With LLVM 12.0.0:

    arch/powerpc/kvm/book3s_hv_nested.c:289:6: error: stack frame size of 2512 bytes in function 'kvmhv_enter_nested_guest' [-Werror,-Wframe-larger-than=]
    long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
         ^
    1 error generated.

    While this gets fixed in LLVM, mark byteswap_pt_regs() as
    noinline_for_stack so that it does not get inlined and break the build
    due to -Werror by default in arch/powerpc/. Not inlining saves
    approximately 800 bytes with LLVM 12.0.0:

    arch/powerpc/kvm/book3s_hv_nested.c:290:6: warning: stack frame size of 1728 bytes in function 'kvmhv_enter_nested_guest' [-Wframe-larger-than=]
    long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
         ^
    1 warning generated.

    Cc: stable@vger.kernel.org # v4.20+
    Reported-by: kernel test robot
    Signed-off-by: Nathan Chancellor
    Signed-off-by: Michael Ellerman
    Link: https://github.com/ClangBuiltLinux/linux/issues/1292
    Link: https://bugs.llvm.org/show_bug.cgi?id=49610
    Link: https://lore.kernel.org/r/202104031853.vDT0Qjqj-lkp@intel.com/
    Link: https://gist.github.com/ba710e3703bf45043a31e2806c843ffd
    Link: https://lore.kernel.org/r/20210621182440.990242-1-nathan@kernel.org
    Signed-off-by: Greg Kroah-Hartman

commit f0d3a4b6d5f73d8f4e6e720364c4bbbadfddb360
Author: Robin Murphy
Date:   Tue Jun 8 12:55:12 2021 +0100

    perf/smmuv3: Don't trample existing events with global filter

    commit 4c1daba15c209b99d192f147fea3dade30f72ed2 upstream.

    With global filtering, we only allow an event to be scheduled if its
    filter settings exactly match those of any existing events, therefore
    it is pointless to reapply the filter in that case. Much worse, though,
    is that in doing that we trample the event type of counter 0 if it's
    already active, and never touch the appropriate PMEVTYPERn so the new
    event is likely not counting the right thing either. Don't do that.
    CC: stable@vger.kernel.org
    Signed-off-by: Robin Murphy
    Link: https://lore.kernel.org/r/32c80c0e46237f49ad8da0c9f8864e13c4a803aa.1623153312.git.robin.murphy@arm.com
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit f9c7f26879234395c43d103c191e2dc80ef468dd
Author: Zhang Xiaoxu
Date:   Sat Jun 26 15:50:42 2021 +0800

    SUNRPC: Should wake up the privileged task firstly.

    commit 5483b904bf336948826594610af4c9bbb0d9e3aa upstream.

    When find a task from wait queue to wake up, a non-privileged task may
    be found out, rather than the privileged. This maybe lead a deadlock
    same as commit dfe1fe75e00e ("NFSv4: Fix deadlock between
    nfs4_evict_inode() and nfs4_opendata_get_inode()"):

    Privileged delegreturn task is queued to privileged list because all
    the slots are assigned. If there has no enough slot to wake up the
    non-privileged batch tasks(session less than 8 slot), then the privileged
    delegreturn task maybe lost waked up because the found out task can't
    get slot since the session is on draining.

    So we should treat the privileged task as the emergency task, and
    execute it as far as we can.

    Reported-by: Hulk Robot
    Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zhang Xiaoxu
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit d060386ffdbdee047898b39c48923ed09a133167
Author: Zhang Xiaoxu
Date:   Sat Jun 26 15:50:41 2021 +0800

    SUNRPC: Fix the batch tasks count wraparound.

    commit fcb170a9d825d7db4a3fb870b0300f5a40a8d096 upstream.

    The 'queue->nr' will wraparound from 0 to 255 when only current
    priority queue has tasks. This maybe lead a deadlock same as commit
    dfe1fe75e00e ("NFSv4: Fix deadlock between nfs4_evict_inode()
    and nfs4_opendata_get_inode()"):

    Privileged delegreturn task is queued to privileged list because all
    the slots are assigned. When non-privileged task complete and release
    the slot, a non-privileged maybe picked out.
    It maybe allocate slot failed when the session on draining.

    If the 'queue->nr' has wraparound to 255, and no enough slot to
    service it, then the privileged delegreturn will lost to wake up.

    So we should avoid the wraparound on 'queue->nr'.

    Reported-by: Hulk Robot
    Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zhang Xiaoxu
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 619c14120c302a3a9554935aa521216ae5aa6c20
Author: Felix Fietkau
Date:   Sat Jun 19 12:15:17 2021 +0200

    mac80211: remove iwlwifi specific workaround that broke sta NDP tx

    commit e41eb3e408de27982a5f8f50b2dd8002bed96908 upstream.

    Sending nulldata packets is important for sw AP link probing and
    detecting 4-address mode links. The checks that dropped these packets
    were apparently added to work around an iwlwifi firmware bug with
    multi-TID aggregation.

    Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau
    Link: https://lore.kernel.org/r/20210619101517.90806-1-nbd@nbd.name
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 1ff563ec86c7aef270a0ec11e5d43bdfaee4b42f
Author: Stephane Grosjean
Date:   Wed Jun 23 16:26:00 2021 +0200

    can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path

    commit b17233d385d0b6b43ecf81d43008cb1bbb008166 upstream.

    Rather than just indicating that transmission can start, this patch
    requires the explicit flushing of the network TX queue when the driver
    is informed by the device that it can transmit, next to its
    configuration.

    In this way, if frames have already been written by the application,
    they will actually be transmitted.
    Fixes: ffd137f7043c ("can: peak/pcie_fd: remove useless code when interface starts")
    Link: https://lore.kernel.org/r/20210623142600.149904-1-s.grosjean@peak-system.com
    Cc: linux-stable
    Signed-off-by: Stephane Grosjean
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 12aad0220812e11581cceeeb2b4a8dd7b7d5b223
Author: Oleksij Rempel
Date:   Thu Jun 17 15:06:23 2021 +0200

    can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done

    commit 22c696fed25c63c7f67508309820358b94a96b6d upstream.

    Set SOCK_RCU_FREE to let RCU to call sk_destruct() on completion.
    Without this patch, we will run in to j1939_can_recv() after priv was
    freed by j1939_sk_release()->j1939_sk_sock_destruct()

    Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
    Link: https://lore.kernel.org/r/20210617130623.12705-1-o.rempel@pengutronix.de
    Cc: linux-stable
    Reported-by: Thadeu Lima de Souza Cascardo
    Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
    Signed-off-by: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 7bb931d2c8cf3282ea49d31ffea6e7525976ac1f
Author: Oliver Hartkopp
Date:   Fri Jun 18 19:36:45 2021 +0200

    can: gw: synchronize rcu operations before removing gw job entry

    commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.

    can_can_gw_rcv() is called under RCU protection, so after calling
    can_rx_unregister(), we have to call synchronize_rcu in order to wait
    for any RCU read-side critical sections to finish before removing the
    kmem_cache entry with the referenced gw job entry.
    Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
    Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
    Cc: linux-stable
    Signed-off-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 70a9116b9e5ccd5332d3a60b359fb5902d268fd0
Author: Thadeu Lima de Souza Cascardo
Date:   Sat Jun 19 13:18:13 2021 -0300

    can: bcm: delay release of struct bcm_op after synchronize_rcu()

    commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 upstream.

    can_rx_register() callbacks may be called concurrently to the call to
    can_rx_unregister(). The callbacks and callback data, though, are
    protected by RCU and the struct sock reference count.

    So the callback data is really attached to the life of sk, meaning
    that it should be released on sk_destruct. However, bcm_remove_op()
    calls tasklet_kill(), and RCU callbacks may be called under RCU
    softirq, so that cannot be used on kernels before the introduction of
    HRTIMER_MODE_SOFT.

    However, bcm_rx_handler() is called under RCU protection, so after
    calling can_rx_unregister(), we may call synchronize_rcu() in order to
    wait for any RCU read-side critical sections to finish. That is,
    bcm_rx_handler() won't be called anymore for those ops. So, we only
    free them, after we do that synchronize_rcu().

    Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
    Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
    Cc: linux-stable
    Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
    Reported-by: Norbert Slusarek
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Acked-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 512286ddc3e889c84c600a0393d9882b5e791a4f
Author: Stephen Brennan
Date:   Wed Jun 23 16:21:14 2021 -0700

    ext4: use ext4_grp_locked_error in mb_find_extent

    commit cd84bbbac12a173a381a64c6ec8b76a5277b87b5 upstream.

    Commit 5d1b1b3f492f ("ext4: fix BUG when calling ext4_error with locked
    block group") introduces ext4_grp_locked_error to handle unlocking a
    group in error cases. Otherwise, there is a possibility of a sleep while
    atomic. However, since 43c73221b3b1 ("ext4: replace BUG_ON with WARN_ON
    in mb_find_extent()"), mb_find_extent() has contained a ext4_error()
    call while a group spinlock is held. Replace this with
    ext4_grp_locked_error.

    Fixes: 43c73221b3b1 ("ext4: replace BUG_ON with WARN_ON in mb_find_extent()")
    Cc: # 4.14+
    Signed-off-by: Stephen Brennan
    Reviewed-by: Lukas Czerner
    Reviewed-by: Junxiao Bi
    Link: https://lore.kernel.org/r/20210623232114.34457-1-stephen.s.brennan@oracle.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit 0bae1ea119819ce68749925b58b29af53a7a8e89
Author: Pan Dong
Date:   Tue May 25 15:36:56 2021 +0800

    ext4: fix avefreec in find_group_orlov

    commit c89849cc0259f3d33624cc3bd127685c3c0fa25d upstream.

    The avefreec should be average free clusters instead of average free
    blocks, otherwise Orlov's allocator will not work properly when
    bigalloc enabled.

    Cc: stable@kernel.org
    Signed-off-by: Pan Dong
    Link: https://lore.kernel.org/r/20210525073656.31594-1-pandong.peter@bytedance.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit 8c06b3d02d655ac0da0787a2f4ff902f3b4d657b
Author: Zhang Yi
Date:   Sat May 22 18:30:44 2021 +0800

    ext4: remove check for zero nr_to_scan in ext4_es_scan()

    commit e5e7010e5444d923e4091cafff61d05f2d19cada upstream.

    After converting fs shrinkers to new scan/count API, we are no longer
    pass zero nr_to_scan parameter to detect the number of objects to free,
    just remove this check.

    Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
    Cc: stable@vger.kernel.org # 3.12+
    Signed-off-by: Zhang Yi
    Reviewed-by: Jan Kara
    Link: https://lore.kernel.org/r/20210522103045.690103-2-yi.zhang@huawei.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit a0548187482d9e0f6ea7ab9f566651c0d53b05f7
Author: Zhang Yi
Date:   Sat May 22 18:30:45 2021 +0800

    ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit

    commit 4fb7c70a889ead2e91e184895ac6e5354b759135 upstream.

    The cache_cnt parameter of tracepoint ext4_es_shrink_exit means the
    remaining cache count after shrink, but now it is the cache count before
    shrink, fix it by read sbi->s_extent_cache_cnt again.

    Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
    Cc: stable@vger.kernel.org # 3.12+
    Signed-off-by: Zhang Yi
    Reviewed-by: Jan Kara
    Link: https://lore.kernel.org/r/20210522103045.690103-3-yi.zhang@huawei.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit f01fa29e8ea03659cc0bc27b9d71068da0914337
Author: Yang Yingliang
Date:   Mon May 10 19:10:51 2021 +0800

    ext4: return error code when ext4_fill_flex_info() fails

    commit 8f6840c4fd1e7bd715e403074fb161c1a04cda73 upstream.

    After commit c89128a00838 ("ext4: handle errors on
    ext4_commit_super"), 'ret' may be set to 0 before calling
    ext4_fill_flex_info(), if ext4_fill_flex_info() fails ext4_mount()
    doesn't return error code, it makes 'root' is null which causes crash
    in legacy_get_tree().

    Fixes: c89128a00838 ("ext4: handle errors on ext4_commit_super")
    Reported-by: Hulk Robot
    Cc: # v4.18+
    Signed-off-by: Yang Yingliang
    Link: https://lore.kernel.org/r/20210510111051.55650-1-yangyingliang@huawei.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit ed628b2531196cc76d7c9b730abe4020cad26b0b
Author: Anirudh Rayabharam
Date:   Fri May 7 00:26:54 2021 +0530

    ext4: fix kernel infoleak via ext4_extent_header

    commit ce3aba43599f0b50adbebff133df8d08a3d5fffe upstream.

    Initialize eh_generation of struct ext4_extent_header to prevent leaking
    info to userspace. Fixes KMSAN kernel-infoleak bug reported by syzbot at:
    http://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8

    Cc: stable@kernel.org
    Reported-by: syzbot+2dcfeaf8cb49b05e8f1a@syzkaller.appspotmail.com
    Fixes: a86c61812637 ("[PATCH] ext3: add extent map support")
    Signed-off-by: Anirudh Rayabharam
    Link: https://lore.kernel.org/r/20210506185655.7118-1-mail@anirudhrb.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit 16b795a39f3e4e3e82afcbcc9cccd77bedd3177c
Author: Zhang Yi
Date:   Fri May 7 15:19:04 2021 +0800

    ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle

    commit b9a037b7f3c401d3c63e0423e56aef606b1ffaaf upstream.

    In ext4_orphan_cleanup(), if ext4_truncate() failed to get a transaction
    handle, it didn't remove the inode from the in-core orphan list, which
    may probably trigger below error dump in ext4_destroy_inode() during the
    final iput() and could lead to memory corruption on the later orphan
    list changes.

     EXT4-fs (sda): Inode 6291467 (00000000b8247c67): orphan list check failed!
     00000000b8247c67: 0001f30a 00000004 00000000 00000023 ............#...
     00000000e24cde71: 00000006 014082a3 00000000 00000000 ......@.........
     0000000072c6a5ee: 00000000 00000000 00000000 00000000 ................
     ...

    This patch fix this by cleanup in-core orphan list manually if
    ext4_truncate() return error.

    Cc: stable@kernel.org
    Signed-off-by: Zhang Yi
    Reviewed-by: Jan Kara
    Link: https://lore.kernel.org/r/20210507071904.160808-1-yi.zhang@huawei.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

commit e3d3cf2e5a7ce3533fb0375dbef3a3f7f4077fae
Author: David Sterba
Date:   Tue Jul 7 18:30:06 2020 +0200

    btrfs: clear defrag status of a root if starting transaction fails

    commit 6819703f5a365c95488b07066a8744841bf14231 upstream.

    The defrag loop processes leaves in batches and starting transaction for
    each.
    The whole defragmentation on a given root is protected by a bit
    but in case the transaction fails, the bit is not cleared

    In case the transaction fails the bit would prevent starting
    defragmentation again, so make sure it's cleared.

    CC: stable@vger.kernel.org # 4.4+
    Reviewed-by: Qu Wenruo
    Reviewed-by: Anand Jain
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

commit 077f06b648a4e0202d079445984fdfa3af55c39b
Author: Filipe Manana
Date:   Wed Jun 9 11:25:03 2021 +0100

    btrfs: send: fix invalid path for unlink operations after parent orphanization

    commit d8ac76cdd1755b21e8c008c28d0b7251c0b14986 upstream.

    During an incremental send operation, when processing the new references
    for the current inode, we might send an unlink operation for another
    inode that has a conflicting path and has more than one hard link.
    However this path was computed and cached before we processed previous
    new references for the current inode. We may have orphanized a directory
    of that path while processing a previous new reference, in which case the
    path will be invalid and cause the receiver process to fail.

    The following reproducer triggers the problem and explains how/why it
    happens in its comments:

      $ cat test-send-unlink.sh
      #!/bin/bash

      DEV=/dev/sdi
      MNT=/mnt/sdi

      mkfs.btrfs -f $DEV >/dev/null
      mount $DEV $MNT

      # Create our test files and directory. Inode 259 (file3) has two hard
      # links.
      touch $MNT/file1
      touch $MNT/file2
      touch $MNT/file3

      mkdir $MNT/A
      ln $MNT/file3 $MNT/A/hard_link

      # Filesystem looks like:
      #
      # .                                     (ino 256)
      # |----- file1                          (ino 257)
      # |----- file2                          (ino 258)
      # |----- file3                          (ino 259)
      # |----- A/                             (ino 260)
      #        |---- hard_link                (ino 259)
      #

      # Now create the base snapshot, which is going to be the parent snapshot
      # for a later incremental send.
      btrfs subvolume snapshot -r $MNT $MNT/snap1
      btrfs send -f /tmp/snap1.send $MNT/snap1

      # Move inode 257 into directory inode 260. This results in computing the
      # path for inode 260 as "/A" and caching it.
      mv $MNT/file1 $MNT/A/file1

      # Move inode 258 (file2) into directory inode 260, with a name of
      # "hard_link", moving first inode 259 away since it currently has that
      # location and name.
      mv $MNT/A/hard_link $MNT/tmp
      mv $MNT/file2 $MNT/A/hard_link

      # Now rename inode 260 to something else (B for example) and then create
      # a hard link for inode 258 that has the old name and location of inode
      # 260 ("/A").
      mv $MNT/A $MNT/B
      ln $MNT/B/hard_link $MNT/A

      # Filesystem now looks like:
      #
      # .                                     (ino 256)
      # |----- tmp                            (ino 259)
      # |----- file3                          (ino 259)
      # |----- B/                             (ino 260)
      # |      |---- file1                    (ino 257)
      # |      |---- hard_link                (ino 258)
      # |
      # |----- A                              (ino 258)

      # Create another snapshot of our subvolume and use it for an incremental
      # send.
      btrfs subvolume snapshot -r $MNT $MNT/snap2
      btrfs send -f /tmp/snap2.send -p $MNT/snap1 $MNT/snap2

      # Now unmount the filesystem, create a new one, mount it and try to
      # apply both send streams to recreate both snapshots.
      umount $DEV

      mkfs.btrfs -f $DEV >/dev/null

      mount $DEV $MNT

      # First add the first snapshot to the new filesystem by applying the
      # first send stream.
      btrfs receive -f /tmp/snap1.send $MNT

      # The incremental receive operation below used to fail with the
      # following error:
      #
      #    ERROR: unlink A/hard_link failed: No such file or directory
      #
      # This is because when send is processing inode 257, it generates the
      # path for inode 260 as "/A", since that inode is its parent in the send
      # snapshot, and caches that path.
      #
      # Later when processing inode 258, it first processes its new reference
      # that has the path of "/A", which results in orphanizing inode 260
      # because there is a path collision. This results in issuing a rename
      # operation from "/A" to "/o260-6-0".
      #
      # Finally when processing the new reference "B/hard_link" for inode 258,
      # it notices that it collides with inode 259 (not yet processed, because
      # it has a higher inode number), since that inode has the name
      # "hard_link" under the directory inode 260.
      # It also checks that inode 259 has two hardlinks, so it decides to
      # issue a unlink operation for the name "hard_link" for inode 259.
      # However the path passed to the unlink operation is "/A/hard_link",
      # which is incorrect since currently "/A" does not exist, due to the
      # orphanization of inode 260 mentioned before. The path is incorrect
      # because it was computed and cached before the orphanization. This
      # results in the receiver to fail with the above error.
      btrfs receive -f /tmp/snap2.send $MNT

      umount $MNT

    When running the test, it fails like this:

      $ ./test-send-unlink.sh
      Create a readonly snapshot of '/mnt/sdi' in '/mnt/sdi/snap1'
      At subvol /mnt/sdi/snap1
      Create a readonly snapshot of '/mnt/sdi' in '/mnt/sdi/snap2'
      At subvol /mnt/sdi/snap2
      At subvol snap1
      At snapshot snap2
      ERROR: unlink A/hard_link failed: No such file or directory

    Fix this by recomputing a path before issuing an unlink operation when
    processing the new references for the current inode if we previously
    have orphanized a directory.

    A test case for fstests will follow soon.

    CC: stable@vger.kernel.org # 4.4+
    Signed-off-by: Filipe Manana
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

commit 0ede9e8c5a839f96dde86861fa250efd217e1cf6
Author: Ludovic Desroches
Date:   Fri Oct 25 10:42:10 2019 +0200

    ARM: dts: at91: sama5d4: fix pinctrl muxing

    commit 253adffb0e98eaf6da2e7cf73ae68695e21f2f3c upstream.

    Fix pinctrl muxing, PD28, PD29 and PD31 can be muxed to peripheral A. It
    allows to use SCK0, SCK1 and SPI0_NPCS2 signals.

    Signed-off-by: Ludovic Desroches
    Fixes: 679f8d92bb01 ("ARM: at91/dt: sama5d4: add pioD pin mux mask and enable pioD")
    Cc: stable@vger.kernel.org # v4.4+
    Reviewed-by: Claudiu Beznea
    Signed-off-by: Nicolas Ferre
    Link: https://lore.kernel.org/r/20191025084210.14726-1-ludovic.desroches@microchip.com
    Signed-off-by: Greg Kroah-Hartman

commit efdcd77660f8ce66e579a6fe6e122c792af05696
Author: Yang Jihong
Date:   Fri Apr 30 09:26:59 2021 +0800

    arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode

    commit fdbef8c4e68ad423416aa6cc93d1616d6f8ac5b3 upstream.

    Commit 3a95200d3f89 ("arm_pmu: Change API to support 64bit counter values")
    changes the input "value" type from 32-bit to 64-bit, which introduces the
    following problem: ARMv7 PMU counters is 32-bit width, in big-endian mode,
    write counter uses high 32-bit, which writes an incorrect value.

    Before:

     Performance counter stats for 'ls':

                  2.22 msec task-clock                #    0.675 CPUs utilized
                     0      context-switches          #    0.000 K/sec
                     0      cpu-migrations            #    0.000 K/sec
                    49      page-faults               #    0.022 M/sec
            2150476593      cycles                    #  966.663 GHz
            2148588788      instructions              #    1.00  insn per cycle
            2147745484      branches                  # 965435.074 M/sec
            2147508540      branch-misses             #   99.99% of all branches

    None of the above hw event counters are correct.

    Solution:

    "value" forcibly converted to 32-bit type before being written to PMU register.

    After:

     Performance counter stats for 'ls':

                  2.09 msec task-clock                #    0.681 CPUs utilized
                     0      context-switches          #    0.000 K/sec
                     0      cpu-migrations            #    0.000 K/sec
                    46      page-faults               #    0.022 M/sec
               2807301      cycles                    #    1.344 GHz
               1060159      instructions              #    0.38  insn per cycle
                250496      branches                  #  119.914 M/sec
                 23192      branch-misses             #    9.26% of all branches

    Fixes: 3a95200d3f89 ("arm_pmu: Change API to support 64bit counter values")
    Cc:
    Signed-off-by: Yang Jihong
    Acked-by: Mark Rutland
    Link: https://lore.kernel.org/r/20210430012659.232110-1-yangjihong1@huawei.com
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 0f382fa359ca1cb717ce27407538eb579b29a99f
Author: Alexander Larkin
Date:   Sun Jul 4 22:39:36 2021 -0700

    Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

    commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

    Even though we validate user-provided inputs we then traverse past
    validated data when applying the new map. The issue was originally
    discovered by Murray McAllister with this simple POC (if the following
    is executed by an unprivileged user it will instantly panic the system):

        int main(void) {
            int fd, ret;
            unsigned int buffer[10000];

            fd = open("/dev/input/js0", O_RDONLY);
            if (fd == -1)
                printf("Error opening file\n");

            ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
            printf("%d\n", ret);
        }

    The solution is to traverse internal buffer which is guaranteed to only
    contain valid data when constructing the map.

    Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
    Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
    Reported-by: Murray McAllister
    Suggested-by: Linus Torvalds
    Signed-off-by: Alexander Larkin
    Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 63e68b5636495459704b7e7812fffd9f4a8dca8c
Author: Al Viro
Date:   Wed Jun 2 14:48:21 2021 -0400

    iov_iter_fault_in_readable() should do nothing in xarray case

    commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.

    ... and actually should just check it's given an iovec-backed iterator
    in the first place.

    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 846ae1d87931e6fd4fe48dec335b5e07943bdadb
Author: Al Viro
Date:   Tue Apr 27 12:34:04 2021 -0400

    copy_page_to_iter(): fix ITER_DISCARD case

    commit a506abc7b644d71966a75337d5a534f531b3cdc4 upstream.

    we need to advance the iterator...

    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit c4868118fab97f2fdaf57305acad30a7cb66af50
Author: Desmond Cheong Zhi Xi
Date:   Mon Jun 28 19:33:52 2021 -0700

    ntfs: fix validity check for file name attribute

    commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.

    When checking the file name attribute, we want to ensure that it fits
    within the bounds of ATTR_RECORD. To do this, we should check that (attr
    record + file name offset + file name length) < (attr record + attr
    record length).

    However, the original check did not include the file name offset in the
    calculation. This means that corrupted on-disk metadata might not be
    caught by the incorrect file name check, and lead to an invalid memory
    access.

    An example can be seen in the crash report of a memory corruption error
    found by Syzbot:
    https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

    Adding the file name offset to the validity check fixes this error and
    passes the Syzbot reproducer test.

    Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
    Signed-off-by: Desmond Cheong Zhi Xi
    Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
    Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
    Acked-by: Anton Altaparmakov
    Cc: Shuah Khan
    Cc: Greg Kroah-Hartman
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 87a365a4ddeccc619e2f963d7a1bdbcce46148ac
Author: Zhangjiantao (Kirin, nanjing)
Date:   Thu Jun 17 18:03:54 2021 +0300

    xhci: solve a double free problem while doing s4

    commit b31d9d6d7abbf6483b871b6370bc31c930d53f54 upstream.

    when system is doing s4, the process of xhci_resume may be as below:
    1、xhci_mem_cleanup
    2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
    xhci_mem_cleanup will be executed twice when system is out of memory.
    xhci->port_caps is freed in xhci_mem_cleanup, but it isn't set to NULL.
    It will be freed twice when xhci_mem_cleanup is called the second time.

    We got following bug when system resumes from s4:

    kernel BUG at mm/slub.c:309!
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1
    pc : __slab_free+0x5c/0x424
    lr : kfree+0x30c/0x32c

    Call trace:
     __slab_free+0x5c/0x424
     kfree+0x30c/0x32c
     xhci_mem_cleanup+0x394/0x3cc
     xhci_mem_init+0x9ac/0x1070
     xhci_init+0x8c/0x1d0
     xhci_resume+0x1cc/0x5fc
     xhci_plat_resume+0x64/0x70
     platform_pm_thaw+0x28/0x60
     dpm_run_callback+0x54/0x24c
     device_resume+0xd0/0x200
     async_resume+0x24/0x60
     async_run_entry_fn+0x44/0x110
     process_one_work+0x1f0/0x490
     worker_thread+0x5c/0x450
     kthread+0x158/0x160
     ret_from_fork+0x10/0x24

    Original patch that caused this issue was backported to 4.4 stable,
    so this should be backported to 4.4 stable as well.

    Fixes: cf0ee7c60c89 ("xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2")
    Cc: stable@vger.kernel.org # v4.4+
    Signed-off-by: Jiantao Zhang
    Signed-off-by: Tao Xue
    Signed-off-by: Mathias Nyman
    Link: https://lore.kernel.org/r/20210617150354.1512157-5-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman

commit cc7559e6dd1df229fbbd8e82210829359a0f420e
Author: Jing Xiangfeng
Date:   Thu Jun 17 15:32:26 2021 +0800

    usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()

    commit 03026197bb657d784220b040c6173267a0375741 upstream.

    typec_register_altmode() misses to call altmode_id_remove() in an error
    path. Add the missed function call to fix it.

    Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
    Cc: stable
    Acked-by: Heikki Krogerus
    Signed-off-by: Jing Xiangfeng
    Link: https://lore.kernel.org/r/20210617073226.47599-1-jingxiangfeng@huawei.com
    Signed-off-by: Greg Kroah-Hartman

commit d5b06a79fe89c671320b3ee89c4637846337fe1a
Author: Minas Harutyunyan
Date:   Thu Jun 17 09:55:24 2021 -0700

    usb: dwc3: Fix debugfs creation flow

    commit 84524d1232ecca7cf8678e851b254f05cff4040a upstream.

    Creation EP's debugfs called earlier than debugfs folder for dwc3
    device created.
    As result EP's debugfs are created in '/sys/kernel/debug'
    instead of '/sys/kernel/debug/usb/dwc3.1.auto'.

    Moved dwc3_debugfs_init() function call before calling
    dwc3_core_init_mode() to allow create dwc3 debugfs parent before
    creating EP's debugfs's.

    Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically")
    Cc: stable
    Reviewed-by: Jack Pham
    Signed-off-by: Minas Harutyunyan
    Link: https://lore.kernel.org/r/01fafb5b2d8335e98e6eadbac61fc796bdf3ec1a.1623948457.git.Minas.Harutyunyan@synopsys.com
    Signed-off-by: Greg Kroah-Hartman

commit 7941f646a6cdae14514b53a892312738189204be
Author: Hannu Hartikainen
Date:   Tue Jun 22 17:14:54 2021 +0300

    USB: cdc-acm: blacklist Heimann USB Appset device

    commit 4897807753e078655a78de39ed76044d784f3e63 upstream.

    The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
    a CDC-ACM device in its descriptors but in fact is not. If it is run
    with echo disabled it returns garbled data, probably due to something
    that happens in the TTY layer. And when run with echo enabled (the
    default), it will mess up the calibration data of the sensor the first
    time any data is sent to the device.

    In short, I had a bad time after connecting the sensor and trying to get
    it to work. I hope blacklisting it in the cdc-acm driver will save
    someone else a bit of trouble.

    Signed-off-by: Hannu Hartikainen
    Cc: stable
    Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
    Signed-off-by: Greg Kroah-Hartman

commit 8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9
Author: Linyu Yuan
Date:   Wed Jun 16 19:51:42 2021 +0800

    usb: gadget: eem: fix echo command packet response issue

    commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.

    when receive eem echo command, it will send a response,
    but queue this response to the usb request which allocate
    from gadget device endpoint zero,
    and transmit the request to IN endpoint of eem interface.

    on dwc3 gadget, it will trigger following warning in function
    __dwc3_gadget_ep_queue(),

        if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
                 &req->request, req->dep->name))
            return -EINVAL;

    fix it by allocating a usb request from IN endpoint of eem interface,
    and transmit the usb request to same IN endpoint of eem interface.

    Signed-off-by: Linyu Yuan
    Cc: stable
    Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
    Signed-off-by: Greg Kroah-Hartman

commit 11dfef6aba1ab69dc8b32e37ce352dea99ebf208
Author: Pavel Skripkin
Date:   Thu Jun 17 21:51:30 2021 +0300

    net: can: ems_usb: fix use-after-free in ems_usb_disconnect()

    commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.

    In ems_usb_disconnect() dev pointer, which is netdev private data, is
    used after free_candev() call:

    |   if (dev) {
    |       unregister_netdev(dev->netdev);
    |       free_candev(dev->netdev);
    |
    |       unlink_all_urbs(dev);
    |
    |       usb_free_urb(dev->intr_urb);
    |
    |       kfree(dev->intr_in_buffer);
    |       kfree(dev->tx_msg_buffer);
    |   }

    Fix it by simply moving free_candev() at the end of the block.
    Fail log:
    | BUG: KASAN: use-after-free in ems_usb_disconnect
    | Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
    |
    | CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
    | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
    | Workqueue: usb_hub_wq hub_event
    | Call Trace:
    |   dump_stack (lib/dump_stack.c:122)
    |   print_address_description.constprop.0.cold (mm/kasan/report.c:234)
    |   kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
    |   ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)

    Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
    Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
    Cc: linux-stable
    Signed-off-by: Pavel Skripkin
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit aa6f233b949cdb5bb00f58ad6021ab69d6010fed
Author: Johan Hovold
Date:   Mon May 24 10:02:59 2021 -0700

    Input: usbtouchscreen - fix control-request directions

    commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.

    The direction of the pipe argument must match the request-type direction
    bit or control requests may fail depending on the host-controller-driver
    implementation.

    Fix the four control requests which erroneously used usb_rcvctrlpipe().

    Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
    Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
    Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
    Signed-off-by: Johan Hovold
    Cc: stable@vger.kernel.org # 2.6.17
    Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit d808329ae1376c61b7344b2d21f1058073d1dc49
Author: Pavel Skripkin
Date:   Fri May 7 14:50:43 2021 +0200

    media: dvb-usb: fix wrong definition

    commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.
    syzbot reported WARNING in vmalloc. The problem was in zero size passed
    to vmalloc.

    The root cause was in wrong cxusb_bluebird_lgz201_properties definition.
    adapter array has only 1 entry, but num_adapters was 2.

    Call Trace:
     __vmalloc_node mm/vmalloc.c:2963 [inline]
     vmalloc+0x67/0x80 mm/vmalloc.c:2996
     dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
     dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
     dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
     dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
     dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
     cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634

    Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin
    Signed-off-by: Sean Young
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 3b4dd159db68a1f3a4ea14b06c47da55304e21a5
Author: Takashi Iwai
Date:   Wed Jun 23 14:20:22 2021 +0200

    ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too

    commit 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f upstream.

    HP Dragonfly G1 (SSID 103c:861f) also requires the same quirk for the
    mute and mic-mute LED just as Dragonfly G2 model.

    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213329
    Cc:
    Link: https://lore.kernel.org/r/20210623122022.26179-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 23d443c5b417a92ccb18e07acc254a7c30806e0c
Author: Takashi Iwai
Date:   Sun Jun 20 08:59:52 2021 +0200

    ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D

    commit f8fbcdfb0665de60997d9746809e1704ed782bbc upstream.

    Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and the
    auto-parser ends up assigning the bass to the third DAC 0x06.
    Although the tone comes out, it's inconvenient because this DAC has no
    volume control unlike two other DACs.

    For obtaining the volume control for the bass speaker, this patch
    enforces the mapping to let both front and bass speaker pins sharing
    the same DAC. It's not ideal but a little bit of improvement.

    Since we've already applied the same workaround for another ASUS
    machine, we just need to hook the chain to the existing quirk.

    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212547
    Cc:
    Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 15f521856e0f10e564780b566a0459c56895c1b5
Author: Elia Devito
Date:   Sat Jun 19 22:41:04 2021 +0200

    ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx

    commit 434591b2a77def0e78abfa38e5d7c4bca954e68a upstream.

    On HP Spectre x360 15-df0xxx, after system boot with plugged headset,
    the headset mic is not detected.
    Moving pincfg and DAC's config to single fixup function fixes this.

    [ The actual bug in the original code was that it used a chain to
      ALC286_FIXUP_SPEAKER2_TO_DAC1, and it contains not only the DAC1
      route fix but also another chain to ALC269_FIXUP_THINKPAD_ACPI.
      I thought the latter one is harmless for non-Thinkpad, but it
      doesn't seem so; it contains again yet another chain to
      ALC269_FIXUP_SKI_IGNORE, and this might be bad for some machines,
      including this HP machine. -- tiwai ]

    Signed-off-by: Elia Devito
    Cc:
    Link: https://lore.kernel.org/r/20210619204105.5682-1-eliadevito@gmail.com
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 3911b8ff714c66af0ed91715f69bd20db9b4e735
Author: Takashi Iwai
Date:   Fri Jun 18 18:17:20 2021 +0200

    ALSA: hda/realtek: Add another ALC236 variant support

    commit 1948fc065a89f18d057b8ffaef6d7242ad99edb8 upstream.

    The codec chip 10ec:0230 is another variant of ALC236, combined with a
    card reader. Apply the equivalent setup as 10ec:0236.
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1184869
    Cc:
    Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 23ca8cf4cba0c52d1aa834c3aa699016e05d4b23
Author: Takashi Iwai
Date:   Thu Jul 8 11:07:38 2021 +0200

    ALSA: intel8x0: Fix breakage at ac97 clock measurement

    commit 24d1e49415be546470b20429d748e240d0518b7e upstream.

    The recent workaround for the wild interrupts in commit c1f0616124c4
    ("ALSA: intel8x0: Don't update period unless prepared") led to a
    regression, causing the interrupt storm during ac97 clock measurement
    at the driver probe. We need to handle the interrupt while the clock
    measurement as well as the proper PCM streams.

    Fixes: c1f0616124c4 ("ALSA: intel8x0: Don't update period unless prepared")
    Reported-and-tested-by: Max Filippov
    Tested-by: Sergey Senozhatsky
    Cc:
    Link: https://lore.kernel.org/r/CAMo8BfKKMQkcsbOQaeEjq_FsJhdK=fn598dvh7YOcZshUSOH=g@mail.gmail.com
    Link: https://lore.kernel.org/r/20210708090738.1569-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 1908d78a87cf40b35a4d9d342105cd6ba403040c
Author: Takashi Iwai
Date:   Wed Jun 23 02:30:49 2021 +0930

    ALSA: usb-audio: scarlett2: Fix wrong resume call

    commit 785b6f29a795f109685f286b91e0250c206fbffb upstream.

    The current way of the scarlett2 mixer code managing the
    usb_mixer_elem_info object is wrong in two ways: it passes its
    internal index to the head.id field, and the val_type field is
    uninitialized. This ended up with the wrong execution at the resume
    because a bogus unit id is passed wrongly. Also, in the later code
    extensions, we'll have more mixer elements, and passing the index will
    overflow the unit id size (of 256).

    This patch corrects those issues.
    It introduces a new value type, USB_MIXER_BESPOKEN, which indicates a
    non-standard mixer element, and uses this type for all scarlett2 mixer
    elements, as well as initializing the fixed unit id 0 for avoiding the
    overflow.

    Tested-by: Geoffrey D. Bennett
    Signed-off-by: Geoffrey D. Bennett
    Cc:
    Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 49e5b37fdd0188052c9d9691eabda076ac3e60e3
Author: Takashi Iwai
Date:   Tue Jun 22 11:06:47 2021 +0200

    ALSA: usb-audio: Fix OOB access at proc output

    commit 362372ceb6556f338e230f2d90af27b47f82365a upstream.

    At extending the available mixer values for 32bit types, we forgot to
    add the corresponding entries for the format dump in the proc output.
    This may result in OOB access. Here adds the missing entries.

    Fixes: bc18e31c3042 ("ALSA: usb-audio: Fix parameter block size for UAC2 control requests")
    Cc:
    Link: https://lore.kernel.org/r/20210622090647.14021-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 5ded94e8516d237e3bce627ad97f4c6f05535f2b
Author: Daehwan Jung
Date:   Wed Jun 16 18:34:55 2021 +0900

    ALSA: usb-audio: fix rate on Ozone Z90 USB headset

    commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.

    It mislabels its 96 kHz altsetting and that's why it causes some noise

    Signed-off-by: Daehwan Jung
    Cc:
    Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
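
The free ordering fixed in the ems_usb_disconnect() commit above (ab4a0b8fcb9a upstream), as an added userspace C model that is not part of the changelog or the kernel source. The names model_netdev, model_priv, priv_of(), model_free_candev() and teardown() are hypothetical, and the checked accessor stands in for KASAN by counting uses of the private data after the netdev has been released.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, constructed for illustration (not kernel code). As the
 * commit says, "dev" is the netdev's private data, so it shares the
 * netdev's lifetime: releasing the netdev releases "dev" as well. */
struct model_priv { void *intr_urb, *intr_in_buffer, *tx_msg_buffer; };
struct model_netdev { int released; struct model_priv priv; };

static int stale_accesses; /* uses of priv after the netdev was released */

/* Checked accessor standing in for KASAN: it counts a stale access instead
 * of touching freed memory, so the model itself stays well defined. */
static struct model_priv *priv_of(struct model_netdev *nd)
{
    if (nd->released)
        stale_accesses++;
    return &nd->priv;
}

/* Stand-in for free_candev(): only marks the release; the real free()
 * happens at the end of teardown() so the accessor can still be called. */
static void model_free_candev(struct model_netdev *nd) { nd->released = 1; }

/* Runs the disconnect sequence and returns the number of stale accesses.
 * free_netdev_first != 0 is the order before the fix, 0 the order after. */
static int teardown(int free_netdev_first)
{
    struct model_netdev *nd = calloc(1, sizeof(*nd));
    if (!nd) return -1;
    nd->priv.intr_urb = malloc(16);
    nd->priv.intr_in_buffer = malloc(64);
    nd->priv.tx_msg_buffer = malloc(64);
    stale_accesses = 0;
    if (free_netdev_first)
        model_free_candev(nd);          /* order before the fix */
    (void)priv_of(nd);                  /* unlink_all_urbs(dev) */
    free(priv_of(nd)->intr_urb);        /* usb_free_urb(dev->intr_urb) */
    free(priv_of(nd)->intr_in_buffer);  /* kfree(dev->intr_in_buffer) */
    free(priv_of(nd)->tx_msg_buffer);   /* kfree(dev->tx_msg_buffer) */
    if (!free_netdev_first)
        model_free_candev(nd);          /* fixed order: netdev goes last */
    free(nd);
    return stale_accesses;
}

int main(void)
{
    printf("before fix: %d stale accesses\n", teardown(1));
    printf("after fix:  %d stale accesses\n", teardown(0));
    return 0;
}
```

Each of the four statements that follow free_candev() in the pre-fix block is counted as a stale access; with the netdev released last, none is.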