commit 780e72b005455d117e2f733707ceca14792a67f1 Author: Greg Kroah-Hartman Date: Wed Jul 22 09:34:29 2020 +0200 Linux 5.7.10 commit b3944d5248c6be0f2dc95a231822c6c67d6f6fd9 Author: Umesh Nerlige Ramappa Date: Thu Jul 9 23:45:03 2020 +0100 drm/i915/perf: Use GTT when saving/restoring engine GPR commit aee62e02c48bd62b9b07f5e297ecfc9aaa964937 upstream. MI_STORE_REGISTER_MEM and MI_LOAD_REGISTER_MEM need to know which translation to use when saving restoring the engine general purpose registers to and from the GT scratch. Since GT scratch is mapped to ggtt, we need to set an additional bit in the command to use GTT. Fixes: daed3e44396d17 ("drm/i915/perf: implement active wait for noa configurations") Suggested-by: Prathap Kumar Valsan Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: Lionel Landwerlin Reviewed-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20200709224504.11345-1-chris@chris-wilson.co.uk Signed-off-by: Chris Wilson (cherry picked from commit e43ff99c8deda85234e6233e0f4af6cb09566a37) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 1b751c786612b948a47c0a8b78ca4021c3186ed8 Author: Lorenz Bauer Date: Mon Jun 29 10:56:28 2020 +0100 bpf: sockmap: Require attach_bpf_fd when detaching a program commit bb0de3131f4c60a9bf976681e0fe4d1e55c7a821 upstream. The sockmap code currently ignores the value of attach_bpf_fd when detaching a program. This is contrary to the usual behaviour of checking that attach_bpf_fd represents the currently attached program. Ensure that attach_bpf_fd is indeed the currently attached program. It turns out that all sockmap selftests already do this, which indicates that this is unlikely to cause breakage. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Lorenz Bauer Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200629095630.7933-5-lmb@cloudflare.com Signed-off-by: Greg Kroah-Hartman commit 121b45b726e0a604a28ddf374d4d95993562359e Author: Lorenz Bauer Date: Mon Jun 29 10:56:27 2020 +0100 bpf: sockmap: Check value of unused args to BPF_PROG_ATTACH commit 9b2b09717e1812e450782a43ca0c2790651cf380 upstream. Using BPF_PROG_ATTACH on a sockmap program currently understands no flags or replace_bpf_fd, but accepts any value. Return EINVAL instead. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Lorenz Bauer Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200629095630.7933-4-lmb@cloudflare.com Signed-off-by: Greg Kroah-Hartman commit a073671be2a1459a4b92985c839feafc33c0df57 Author: Andy Shevchenko Date: Fri Jun 5 16:40:36 2020 +0300 gpio: pca953x: disable regmap locking for automatic address incrementing commit ec3decd21380081e3b5de4ba8d85d90a95f201a0 upstream. It's a repetition of the commit aa58a21ae378 ("gpio: pca953x: disable regmap locking") which states the following: This driver uses its own locking but regmap silently uses a mutex for all operations too. Add the option to disable locking to the regmap config struct. Fixes: bcf41dc480b1 ("gpio: pca953x: fix handling of automatic address incrementing") Cc: Uwe Kleine-König Signed-off-by: Andy Shevchenko Reviewed-by: Uwe Kleine-König Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 7924e77bf17003aad76f31126d27afe17439876d Author: Colin Xu Date: Mon Jun 1 11:06:38 2020 +0800 drm/i915/gvt: Fix two CFL MMIO handling caused by regression. commit fccd0f7cf4d532674d727c7f204f038456675dee upstream. D_CFL was incorrectly removed for: GAMT_CHKN_BIT_REG GEN9_CTX_PREEMPT_REG V2: Update commit message. V3: Rebase and split Fixes and mis-handled MMIO. Fixes: 43226e6fe798 (drm/i915/gvt: replaced register address with name) Reviewed-by: Zhenyu Wang Signed-off-by: Colin Xu Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20200601030638.16002-1-colin.xu@intel.com Signed-off-by: Greg Kroah-Hartman commit d08e3e30b5abbd2b205f67ac96763bc2ff87c3ca Author: Arjun Roy Date: Thu Jun 25 20:30:01 2020 -0700 mm/memory.c: properly pte_offset_map_lock/unlock in vm_insert_pages() commit 7f70c2a68a51496289df163f6969d4db7c383f30 upstream. Calls to pte_offset_map() in vm_insert_pages() are erroneously not matched with a call to pte_unmap(). This would cause problems on architectures where that is not a no-op. This patch does away with the non-traditional locking in the existing code, and instead uses pte_offset_map_lock/unlock() as usual, incrementing PTE as necessary. The PTE pointer is kept within bounds since we clamp it with PTRS_PER_PTE. Link: http://lkml.kernel.org/r/20200618220446.20284-1-arjunroy.kdev@gmail.com Fixes: 8cd3984d81d5 ("mm/memory.c: add vm_insert_pages()") Signed-off-by: Arjun Roy Acked-by: David Rientjes Cc: Eric Dumazet Cc: Hugh Dickins Cc: Soheil Hassas Yeganeh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 95e5553ecc0326d9f1c65d1513d0cdd3776dc6e9 Author: Lu Baolu Date: Tue Jun 23 07:13:40 2020 +0800 iommu/vt-d: Make Intel SVM code 64-bit only commit 9486727f5981a5ec5c0b699fb1777451bd6786e4 upstream. Current Intel SVM is designed by setting the pgd_t of the processor page table to FLPTR field of the PASID entry. The first level translation only supports 4 and 5 level paging structures, hence it's infeasible for the IOMMU to share a processor's page table when it's running in 32-bit mode. Let's disable 32bit support for now and claim support only when all the missing pieces are ready in the future. Fixes: 1c4f88b7f1f92 ("iommu/vt-d: Shared virtual address in scalable mode") Suggested-by: Joerg Roedel Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20200622231345.29722-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 0c52fb8782267d051a657f71e72ab02c89c630ee Author: Shannon Nelson Date: Tue Jun 16 08:06:26 2020 -0700 ionic: export features for vlans to use commit ef7232da6bcd4294cbb2d424bc35885721570f01 upstream. Set up vlan_features for use by any vlans above us. Fixes: beead698b173 ("ionic: Add the basic NDO callbacks for netdev support") Signed-off-by: Shannon Nelson Acked-by: Jonathan Toppins Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1c547524c9d0c6fbc42f8133ea7ed26b0253a41b Author: Shannon Nelson Date: Mon Jun 15 18:14:59 2020 -0700 ionic: no link check while resetting queues commit 3103b6feb4454646558eedc50ece728bc469f341 upstream. If the driver is busy resetting queues after a change in MTU or queue parameters, don't bother checking the link, wait until the next watchdog cycle. Fixes: 987c0871e8ae ("ionic: check for linkup in watchdog") Signed-off-by: Shannon Nelson Acked-by: Jonathan Toppins Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e59515ce46a9af79dbf0e5b4bef6f04fc697aebb Author: Lingling Xu Date: Tue Jun 2 16:24:15 2020 +0800 spi: sprd: switch the sequence of setting WDG_LOAD_LOW and _HIGH commit 8bdd79dae1ff5397351b95e249abcae126572617 upstream. The watchdog counter consists of WDG_LOAD_LOW and WDG_LOAD_HIGH, which would be loaded to watchdog counter once writing WDG_LOAD_LOW. Fixes: ac1775012058 ("spi: sprd: Add the support of restarting the system") Signed-off-by: Lingling Xu Signed-off-by: Chunyan Zhang Link: https://lore.kernel.org/r/20200602082415.5848-1-zhang.lyra@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 64d7aedd839f740898667242ef7bdedd0b90f116 Author: David Howells Date: Wed Jun 17 22:50:33 2020 +0100 rxrpc: Fix trace string commit aadf9dcef9d4cd68c73a4ab934f93319c4becc47 upstream. The trace symbol printer (__print_symbolic()) ignores symbols that map to an empty string and prints the hex value instead. Fix the symbol for rxrpc_cong_no_change to " -" instead of "" to avoid this. Fixes: b54a134a7de4 ("rxrpc: Fix handling of enums-to-string translation in tracing") Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 39abafdcdd151a93dd77f1e6085408ca3ad54308 Author: Ilya Dryomov Date: Tue Jun 9 11:57:56 2020 +0200 libceph: don't omit recovery_deletes in target_copy() commit 2f3fead62144002557f322c2a7c15e1255df0653 upstream. Currently target_copy() is used only for sending linger pings, so this doesn't come up, but generally omitting recovery_deletes can result in unneeded resends (force_resend in calc_target()). Fixes: ae78dd8139ce ("libceph: make RECOVERY_DELETES feature create a new interval") Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit b99382de1233866a7eea4a016029d417bdcc0fe7 Author: Chris Wilson Date: Mon Jul 13 17:05:49 2020 +0100 drm/i915/gt: Only swap to a random sibling once upon creation commit 110f9efa858f584c6bed177cd48d0c0f526940e1 upstream. The danger in switching at random upon intel_context_pin is that the context may still actually be inflight, as it will not be scheduled out until a context switch after it is complete -- that may be a long time after we do a final intel_context_unpin. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2118 Fixes: 6d06779e8672 ("drm/i915: Load balancing across a virtual engine") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.3+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200713160549.17344-1-chris@chris-wilson.co.uk (cherry picked from commit 90a987205c6cf74116a102ed446d22d92cdaf915) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit efce4c5bf8873329a578b70c4b5b0df0fee73e2d Author: Chris Wilson Date: Sat Jul 11 21:32:36 2020 +0100 drm/i915/gt: Ignore irq enabling on the virtual engines commit 858f1299fd6f7518ddef19ddd304c8398ac79fa5 upstream. We do not use the virtual engines for interrupts (they have physical components), but we do use them to decouple the fence signaling during submission. Currently, when we submit a completed request, we try to enable the interrupt handler for the virtual engine, but we never disarm it. A quick fix is then to mark the irq as enabled, and it will then remain enabled -- and this prevents us from waking the device and never letting it sleep again. Fixes: f8db4d051b5e ("drm/i915: Initialise breadcrumb lists on the virtual engine") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Tvrtko Ursulin Cc: # v5.5+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200711203236.12330-1-chris@chris-wilson.co.uk (cherry picked from commit 4fe6abb8f51355224808ab02a9febf65d184c40b) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit bc4727542c394ac99e1826e35d708d83088591d3 Author: Maarten Lankhorst Date: Wed Feb 12 14:54:45 2020 +0100 drm/i915: Move cec_notifier to intel_hdmi_connector_unregister, v2. commit 6647e6cdba753e71170be7da2acfead7154f56d8 upstream. This fixes the following KASAN splash on module reload: [ 145.136327] ================================================================== [ 145.136502] BUG: KASAN: use-after-free in intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136514] Read of size 8 at addr ffff888216641830 by task kworker/1:1/134 [ 145.136535] CPU: 1 PID: 134 Comm: kworker/1:1 Tainted: G U T 5.5.0-rc7-valkyria+ #5783 [ 145.136539] Hardware name: GIGABYTE GB-BKi3A-7100/MFLP3AP-00, BIOS F1 07/27/2016 [ 145.136546] Workqueue: events drm_connector_free_work_fn [ 145.136551] Call Trace: [ 145.136560] dump_stack+0xa1/0xe0 [ 145.136571] print_address_description.constprop.0+0x1e/0x210 [ 145.136639] ? intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136703] ? intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136710] __kasan_report.cold+0x1b/0x37 [ 145.136790] ? intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136863] ? intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136870] kasan_report+0x27/0x30 [ 145.136881] __asan_report_load8_noabort+0x1c/0x20 [ 145.136946] intel_hdmi_destroy+0x74/0x80 [i915] [ 145.136954] drm_connector_free_work_fn+0xd1/0x100 [ 145.136967] process_one_work+0x86e/0x1610 [ 145.136987] ? pwq_dec_nr_in_flight+0x2f0/0x2f0 [ 145.137004] ? move_linked_works+0x128/0x2c0 [ 145.137021] worker_thread+0x63e/0xc90 [ 145.137048] kthread+0x2f6/0x3f0 [ 145.137054] ? calculate_sigpending+0x81/0xa0 [ 145.137059] ? process_one_work+0x1610/0x1610 [ 145.137064] ? kthread_bind+0x40/0x40 [ 145.137075] ret_from_fork+0x24/0x30 [ 145.137111] Allocated by task 0: [ 145.137119] (stack is not available) [ 145.137137] Freed by task 5053: [ 145.137147] save_stack+0x28/0x90 [ 145.137152] __kasan_slab_free+0x136/0x180 [ 145.137157] kasan_slab_free+0x26/0x30 [ 145.137161] kfree+0xe6/0x350 [ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915] [ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0 [ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915] [ 145.137403] i915_driver_remove+0xc4/0x130 [i915] [ 145.137482] i915_pci_remove+0x3e/0x90 [i915] [ 145.137489] pci_device_remove+0x108/0x2d0 [ 145.137494] device_release_driver_internal+0x1e6/0x4a0 [ 145.137499] driver_detach+0xcb/0x198 [ 145.137503] bus_remove_driver+0xde/0x204 [ 145.137508] driver_unregister+0x6d/0xa0 [ 145.137513] pci_unregister_driver+0x2e/0x230 [ 145.137576] i915_exit+0x1f/0x26 [i915] [ 145.137157] kasan_slab_free+0x26/0x30 [ 145.137161] kfree+0xe6/0x350 [ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915] [ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0 [ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915] [ 145.137403] i915_driver_remove+0xc4/0x130 [i915] [ 145.137482] i915_pci_remove+0x3e/0x90 [i915] [ 145.137489] pci_device_remove+0x108/0x2d0 [ 145.137494] device_release_driver_internal+0x1e6/0x4a0 [ 145.137499] driver_detach+0xcb/0x198 [ 145.137503] bus_remove_driver+0xde/0x204 [ 145.137508] driver_unregister+0x6d/0xa0 [ 145.137513] pci_unregister_driver+0x2e/0x230 [ 145.137576] i915_exit+0x1f/0x26 [i915] [ 145.137581] __x64_sys_delete_module+0x35b/0x470 [ 145.137586] do_syscall_64+0x99/0x4e0 [ 145.137591] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 145.137606] The buggy address belongs to the object at ffff888216640000 which belongs to the cache kmalloc-8k of size 8192 [ 145.137618] The buggy address is located 6192 bytes inside of 8192-byte region [ffff888216640000, ffff888216642000) [ 145.137630] The buggy address belongs to the page: [ 145.137640] page:ffffea0008599000 refcount:1 mapcount:0 mapping:ffff888107c02a80 index:0xffff888216644000 compound_mapcount: 0 [ 145.137647] raw: 0200000000010200 0000000000000000 0000000100000001 ffff888107c02a80 [ 145.137652] raw: ffff888216644000 0000000080020001 00000001ffffffff 0000000000000000 [ 145.137656] page dumped because: kasan: bad access detected [ 145.137668] Memory state around the buggy address: [ 145.137678] ffff888216641700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 145.137687] ffff888216641780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 145.137697] >ffff888216641800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 145.137706] ^ [ 145.137715] ffff888216641880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 145.137724] ffff888216641900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 145.137733] ================================================================== [ 145.137742] Disabling lock debugging due to kernel taint Changes since v1: - Add fixes tags. - Use early unregister. Signed-off-by: Maarten Lankhorst Fixes: 9c229127aee2 ("drm/i915: hdmi: add CEC notifier to intel_hdmi") Cc: # v4.19+ Reviewed-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20200212135445.1469133-1-maarten.lankhorst@linux.intel.com (cherry picked from commit a581483b1e5466d28fc50ff623fba31cea2cccb6) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 4c76a5a3db25f24accb12acf4a6f3707ee283761 Author: Alex Deucher Date: Fri Jul 10 17:50:00 2020 -0400 drm/amdgpu/display: create fake mst encoders ahead of time (v4) commit 3168470142e0a82b5732c04ed4c031a9322ae170 upstream. Prevents a warning in the MST create connector case. v2: create global fake encoders rather per connector fake encoders to avoid running out of encoder indices. v3: use the actual number of crtcs on the asic rather than the max to conserve encoders. v4: v3 plus missing hunk I forgot to git add. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1108 Fixes: c6385e503aeaf9 ("drm/amdgpu: drop legacy drm load and unload callbacks") Reviewed-by: Nicholas Kazlauskas Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.7.x Signed-off-by: Greg Kroah-Hartman commit 702e13f8d26c6d18389c299347580783fef02bcd Author: hersen wu Date: Mon Jun 22 13:29:16 2020 -0400 drm/amd/display: OLED panel backlight adjust not work with external display connected commit b448d30b0c303d5454ea572b772d1ffae96bc6e7 upstream. [Why] amdgpu_dm->backlight_caps is for single eDP only. the caps are upddated for very connector. Real eDP caps will be overwritten by other external display. For OLED panel, caps->aux_support is set to 1 for OLED pnael. after external connected, caps+.aux_support is set to 0. This causes OLED backlight adjustment not work. [How] within update_conector_ext_caps, backlight caps will be updated only for eDP connector. Cc: stable@vger.kernel.org Signed-off-by: hersen wu Reviewed-by: Nicholas Kazlauskas Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit adfe5ec9ac3ff13e9dabe42216fb34a9e9c19738 Author: Josip Pavic Date: Mon Jul 6 15:43:39 2020 -0400 drm/amd/display: handle failed allocation during stream construction commit be73e608ae2711dc8a1ab8b9549d9e348061b2ee upstream. [Why] Failing to allocate a transfer function during stream construction leads to a null pointer dereference [How] Handle the failed allocation by failing the stream construction Cc: stable@vger.kernel.org Signed-off-by: Josip Pavic Reviewed-by: Aric Cyr Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 7c7df36732772d4f68e0ed50667ced18440bb2ad Author: Xiaojie Yuan Date: Tue Jul 14 15:47:31 2020 +0800 drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr() commit 05051496b2622e4d12e2036b35165969aa502f89 upstream. "u64 *wptr" points to the the wptr value in write back buffer and "*wptr = (*wptr) >> 2;" results in the value being overwritten each time when ->get_wptr() is called. umr uses /sys/kernel/debug/dri/0/amdgpu_ring_sdma0 to get rptr/wptr and decode ring content and it is affected by this issue. fix and simplify the logic similar as sdma_v4_0_ring_get_wptr(). v2: fix for sdma5.2 as well v3: drop sdma 5.2 changes for 5.8 and stable Suggested-by: Le Ma Signed-off-by: Xiaojie Yuan Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit b22a2501543e9ebe88b8375652ad41715f1e765d Author: chen gong Date: Mon Jul 13 16:11:24 2020 +0800 drm/amdgpu/powerplay: Modify SMC message name for setting power profile mode commit 98a34cf931e848f8489d3fb15a8f5fc03802ad65 upstream. I consulted Cai Land(Chuntian.Cai@amd.com), he told me corresponding smc message name to fSMC_MSG_SetWorkloadMask() is "PPSMC_MSG_ActiveProcessNotify" in firmware code of Renoir. Strange though it may seem, but it's a fact. Signed-off-by: chen gong Reviewed-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 6d03387205bde13c0a68ed97e1fe7e5f6741e070 Author: Roland Scheidegger Date: Thu Jul 9 18:54:14 2020 +0200 drm/vmwgfx: fix update of display surface when resolution changes commit 1f054fd26e29784d373c3d29c348ee48f1c41fb2 upstream. The assignment of metadata overwrote the new display resolution values, hence we'd miss the size actually changed and wouldn't redefine the surface. This would then lead to command buffer error when trying to update the screen target (due to the size mismatch), and result in a VM with black screen. Fixes: 504901dbb0b5 ("drm/vmwgfx: Refactor surface_define to use vmw_surface_metadata") Reviewed-by: Charmaine Lee Signed-off-by: Roland Scheidegger Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 59f56744e6023e8f17f0efda698eb5c58598ecdc Author: Thomas Gleixner Date: Fri Jul 17 18:00:02 2020 +0200 genirq/affinity: Handle affinity setting on inactive interrupts correctly commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. Setting interrupt affinity on inactive interrupts is inconsistent when hierarchical irq domains are enabled. The core code should just store the affinity and not call into the irq chip driver for inactive interrupts because the chip drivers may not be in a state to handle such requests. X86 has a hacky workaround for that but all other irq chips have not which causes problems e.g. on GIC V3 ITS. Instead of adding more ugly hacks all over the place, solve the problem in the core code. If the affinity is set on an inactive interrupt then: - Store it in the irq descriptors affinity mask - Update the effective affinity to reflect that so user space has a consistent view - Don't call into the irq chip driver This is the core equivalent of the X86 workaround and works correctly because the affinity setting is established in the irq chip when the interrupt is activated later on. Note, that this is only effective when hierarchical irq domains are enabled by the architecture. Doing it unconditionally would break legacy irq chip implementations. For hierarchial irq domains this works correctly as none of the drivers can have a dependency on affinity setting in inactive state by design. Remove the X86 workaround as it is not longer required. Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts") Reported-by: Ali Saidi Signed-off-by: Thomas Gleixner Tested-by: Ali Saidi Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit 3bbf8195e79707268f4fd072d7575ced0207e4ef Author: Andy Lutomirski Date: Fri Jul 17 16:53:55 2020 -0700 x86/ioperm: Fix io bitmap invalidation on Xen PV commit cadfad870154e14f745ec845708bc17d166065f2 upstream. tss_invalidate_io_bitmap() wasn't wired up properly through the pvop machinery, so the TSS and Xen's io bitmap would get out of sync whenever disabling a valid io bitmap. Add a new pvop for tss_invalidate_io_bitmap() to fix it. This is XSA-329. Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work") Signed-off-by: Andy Lutomirski Signed-off-by: Thomas Gleixner Reviewed-by: Juergen Gross Reviewed-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org Signed-off-by: Greg Kroah-Hartman commit 36fd51212070da92919242dee69b70061845c440 Author: Vincent Guittot Date: Fri Jul 10 17:24:26 2020 +0200 sched/fair: handle case of task_h_load() returning 0 commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream. task_h_load() can return 0 in some situations like running stress-ng mmapfork, which forks thousands of threads, in a sched group on a 224 cores system. The load balance doesn't handle this correctly because env->imbalance never decreases and it will stop pulling tasks only after reaching loop_max, which can be equal to the number of running tasks of the cfs. Make sure that imbalance will be decreased by at least 1. misfit task is the other feature that doesn't handle correctly such situation although it's probably more difficult to face the problem because of the smaller number of CPUs and running tasks on heterogenous system. We can't simply ensure that task_h_load() returns at least one because it would imply to handle underflow in other places. Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Reviewed-by: Dietmar Eggemann Tested-by: Dietmar Eggemann Cc: # v4.4+ Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org Signed-off-by: Greg Kroah-Hartman commit c1353804e9fd95307078e61eda3d918ebc73975c Author: Mathieu Desnoyers Date: Mon Jul 6 16:49:10 2020 -0400 sched: Fix unreliable rseq cpu_id for new tasks commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream. While integrating rseq into glibc and replacing glibc's sched_getcpu implementation with rseq, glibc's tests discovered an issue with incorrect __rseq_abi.cpu_id field value right after the first time a newly created process issues sched_setaffinity. For the records, it triggers after building glibc and running tests, and then issuing: for x in {1..2000} ; do posix/tst-affinity-static & done and shows up as: error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 This is caused by the scheduler invoking __set_task_cpu() directly from sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which is done by set_task_cpu(). Add the missing rseq_migrate() to both functions. The only other direct use of __set_task_cpu() is done by init_idle(), which does not involve a user-space task. Based on my testing with the glibc test-case, just adding rseq_migrate() to wake_up_new_task() is sufficient to fix the observed issue. Also add it to sched_fork() to keep things consistent. The reason why this never triggered so far with the rseq/basic_test selftest is unclear. The current use of sched_getcpu(3) does not typically require it to be always accurate. However, use of the __rseq_abi.cpu_id field within rseq critical sections requires it to be accurate. If it is not accurate, it can cause corruption in the per-cpu data targeted by rseq critical sections in user-space. Reported-By: Florian Weimer Signed-off-by: Mathieu Desnoyers Signed-off-by: Peter Zijlstra (Intel) Tested-By: Florian Weimer Cc: stable@vger.kernel.org # v4.18+ Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com Signed-off-by: Greg Kroah-Hartman commit 78e5d65c7595eb9910d838db818c639e5ca7cfd2 Author: Will Deacon Date: Fri Jul 3 12:08:42 2020 +0100 arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream. Although we zero the upper bits of x0 on entry to the kernel from an AArch32 task, we do not clear them on the exception return path and can therefore expose 64-bit sign extended syscall return values to userspace via interfaces such as the 'perf_regs' ABI, which deal exclusively with 64-bit registers. Explicitly clear the upper 32 bits of x0 on return from a compat system call. Cc: Cc: Mark Rutland Cc: Keno Fischer Cc: Luis Machado Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 57702d565f37fbce4e1b7d10a86224dd3dbb97f2 Author: Will Deacon Date: Thu Jul 2 21:16:20 2020 +0100 arm64: ptrace: Consistently use pseudo-singlestep exceptions commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream. Although the arm64 single-step state machine can be fast-forwarded in cases where we wish to generate a SIGTRAP without actually executing an instruction, this has two major limitations outside of simply skipping an instruction due to emulation. 1. Stepping out of a ptrace signal stop into a signal handler where SIGTRAP is blocked. Fast-forwarding the stepping state machine in this case will result in a forced SIGTRAP, with the handler reset to SIG_DFL. 2. The hardware implicitly fast-forwards the state machine when executing an SVC instruction for issuing a system call. This can interact badly with subsequent ptrace stops signalled during the execution of the system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt the stepping state by updating the PSTATE for the tracee. Resolve both of these issues by injecting a pseudo-singlestep exception on entry to a signal handler and also on return to userspace following a system call. Cc: Cc: Mark Rutland Tested-by: Luis Machado Reported-by: Keno Fischer Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 715b04b59fe069d017dc772387ae2392bfe9e182 Author: Will Deacon Date: Thu Feb 13 12:06:26 2020 +0000 arm64: ptrace: Override SPSR.SS when single-stepping is enabled commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream. Luis reports that, when reverse debugging with GDB, single-step does not function as expected on arm64: | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP | request by GDB won't execute the underlying instruction. As a consequence, | the PC doesn't move, but we return a SIGTRAP just like we would for a | regular successful PTRACE_SINGLESTEP request. The underlying problem is that when the CPU register state is restored as part of a reverse step, the SPSR.SS bit is cleared and so the hardware single-step state can transition to the "active-pending" state, causing an unexpected step exception to be taken immediately if a step operation is attempted. In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate accessible by the GPR regset, but it's a bit late for that now. Instead, simply prevent userspace from configuring the bit to a value which is inconsistent with the TIF_SINGLESTEP state for the task being traced. Cc: Cc: Mark Rutland Cc: Keno Fischer Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org Reported-by: Luis Machado Tested-by: Luis Machado Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 96947dd42e858c345af0b3d291440a12bd7a5f3e Author: Dinh Nguyen Date: Mon Jun 29 12:47:35 2020 -0500 arm64: dts: stratix10: increase QSPI reg address in nand dts file commit 3bf9b8ffc8980c1090bdd3a5570cf42420620838 upstream. Match the QSPI reg address in the socfpga_stratix10_socdk.dts file. Fixes: 80f132d73709 ("arm64: dts: increase the QSPI reg address for Stratix10 and Agilex") Cc: linux-stable # >= v5.6 Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit bdc58d2f9d2ff35b2a2b8f002d166c5fc989b43d Author: Dinh Nguyen Date: Mon Jun 29 11:25:43 2020 -0500 arm64: dts: stratix10: add status to qspi dts node commit 263a0269a59c0b4145829462a107fe7f7327105f upstream. Add status = "okay" to QSPI node. Fixes: 0cb140d07fc75 ("arm64: dts: stratix10: Add QSPI support for Stratix10") Cc: linux-stable # >= v5.6 Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit a16ce125a68a08628b434a120e4f2968e5316731 Author: Dinh Nguyen Date: Mon Jun 29 11:19:21 2020 -0500 arm64: dts: agilex: add status to qspi dts node commit 60176e6be0bb6f629b15aea7dcab5a95ecb158e9 upstream. Add status = "okay" to QSPI node. Fixes: c4c8757b2d895 ("arm64: dts: agilex: add QSPI support for Intel Agilex") Cc: linux-stable # >= v5.5 Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit 20eb0569c03a380835803b3c57a8a84568a33ec3 Author: Tim Harvey Date: Tue Jun 23 12:06:54 2020 -0700 ARM: dts: imx6qdl-gw551x: fix audio SSI commit 4237c625304b212a3f30adf787901082082511ec upstream. The audio codec on the GW551x routes to ssi1. It fixes audio capture on the device. Cc: stable@vger.kernel.org Fixes: 3117e851cef1 ("ARM: dts: imx: Add TDA19971 HDMI Receiver to GW551x") Signed-off-by: Tim Harvey Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 708b8f14ea8ee0c681ce28ec62fe4465b3f7dcf9 Author: Alex Hung Date: Mon Jun 15 16:39:57 2020 -0600 thermal: int3403_thermal: Downgrade error message commit f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 upstream. Downgrade "Unsupported event" message from dev_err to dev_dbg to avoid flooding with this message on some platforms. Cc: stable@vger.kernel.org # v5.4+ Suggested-by: Zhang Rui Signed-off-by: Alex Hung [ rzhang: fix typo in changelog ] Signed-off-by: Zhang Rui Link: https://lore.kernel.org/r/20200615223957.183153-1-alex.hung@canonical.com Signed-off-by: Greg Kroah-Hartman commit 855bd4f219f0d078356971796fa7e39383eba609 Author: Charan Teja Kalla Date: Fri Jun 19 17:27:19 2020 +0530 dmabuf: use spinlock to access dmabuf->name commit 6348dd291e3653534a9e28e6917569bc9967b35b upstream. There exists a sleep-while-atomic bug while accessing the dmabuf->name under mutex in the dmabuffs_dname(). This is caused from the SELinux permissions checks on a process where it tries to validate the inherited files from fork() by traversing them through iterate_fd() (which traverse files under spin_lock) and call match_file(security/selinux/hooks.c) where the permission checks happen. This audit information is logged using dump_common_audit_data() where it calls d_path() to get the file path name. If the file check happen on the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to access dmabuf->name. The flow will be like below: flush_unauthorized_files() iterate_fd() spin_lock() --> Start of the atomic section. match_file() file_has_perm() avc_has_perm() avc_audit() slow_avc_audit() common_lsm_audit() dump_common_audit_data() audit_log_d_path() d_path() dmabuffs_dname() mutex_lock()--> Sleep while atomic. Call trace captured (on 4.19 kernels) is below: ___might_sleep+0x204/0x208 __might_sleep+0x50/0x88 __mutex_lock_common+0x5c/0x1068 __mutex_lock_common+0x5c/0x1068 mutex_lock_nested+0x40/0x50 dmabuffs_dname+0xa0/0x170 d_path+0x84/0x290 audit_log_d_path+0x74/0x130 common_lsm_audit+0x334/0x6e8 slow_avc_audit+0xb8/0xf8 avc_has_perm+0x154/0x218 file_has_perm+0x70/0x180 match_file+0x60/0x78 iterate_fd+0x128/0x168 selinux_bprm_committing_creds+0x178/0x248 security_bprm_committing_creds+0x30/0x48 install_exec_creds+0x1c/0x68 load_elf_binary+0x3a4/0x14e0 search_binary_handler+0xb0/0x1e0 So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. Cc: [5.3+] Signed-off-by: Charan Teja Kalla Reviewed-by: Michael J. Ruhl Acked-by: Christian König [sumits: added comment to spinlock_t definition to avoid warning] Signed-off-by: Sumit Semwal Link: https://patchwork.freedesktop.org/patch/msgid/a83e7f0d-4e54-9848-4b58-e1acdbe06735@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit ce6ad4a140f82644cab46fe09aa82874e831b194 Author: Michał Mirosław Date: Wed Jun 24 13:35:41 2020 +0200 misc: atmel-ssc: lock with mutex instead of spinlock commit b037d60a3b1d1227609fd858fa34321f41829911 upstream. Uninterruptible context is not needed in the driver and causes lockdep warning because of mutex taken in of_alias_get_id(). Convert the lock to mutex to avoid the issue. Cc: stable@vger.kernel.org Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support") Signed-off-by: Michał Mirosław Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl Signed-off-by: Greg Kroah-Hartman commit 5e3e3d374c89b85e15cb5dfae80598f63376b31e Author: Robin Gong Date: Tue Jun 30 00:59:58 2020 +0800 dmaengine: fsl-edma-common: correct DSIZE_32BYTE commit e142087b15960a4e1e5932942e5abae1f49d2318 upstream. Correct EDMA_TCD_ATTR_DSIZE_32BYTE define since it's broken by the below: '0x0005 --> BIT(3) | BIT(0))' Fixes: 4d6d3a90e4ac ("dmaengine: fsl-edma: fix macros") Signed-off-by: Robin Gong Tested-by: Angelo Dureghello Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1593449998-32091-1-git-send-email-yibin.gong@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 36e4fa9dfaa83605d7070944a42c8af88cae40ab Author: Krzysztof Kozlowski Date: Thu Jun 11 15:21:05 2020 +0200 dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler commit 8995aa3d164ddd9200e6abcf25c449cf5298c858 upstream. On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer exception happens occasionally on serial output initiated by login timeout. This was reproduced only if kernel was built with significant debugging options and EDMA driver is used with serial console. Issue looks like a race condition between interrupt handler fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and terminating the transfer with fsl_edma_terminate_all(). The fsl_edma_tx_handler() handles interrupt for a transfer with already freed edesc and idle==true. The mcf-edma driver shares design and lot of code with fsl-edma. It looks like being affected by same problem. Fix this pattern the same way as fix for fsl-edma driver. Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support") Cc: Signed-off-by: Krzysztof Kozlowski Reviewed-by: Robin Gong Link: https://lore.kernel.org/r/1591881665-25592-1-git-send-email-krzk@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 182fa842fd8533f11d00e2b1c3387d8f1c301c76 Author: Krzysztof Kozlowski Date: Thu Jun 11 14:17:41 2020 +0200 dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler commit f5e5677c420346b4e9788051c2e4d750996c428c upstream. NULL pointer exception happens occasionally on serial output initiated by login timeout. This was reproduced only if kernel was built with significant debugging options and EDMA driver is used with serial console. col-vf50 login: root Password: Login timed out after 60 seconds. Unable to handle kernel NULL pointer dereference at virtual address 00000044 Internal error: Oops: 5 [#1] ARM CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4 Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304) (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c) (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c) (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160) (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44) (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8) (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80) (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98) Exception stack(0x8459fe80 to 0x8459fec8) fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013 fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec fec0: 60070013 ffffffff (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58) (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8) (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac) (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc) (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c) (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0) (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4) (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14) Issue looks like race condition between interrupt handler fsl_edma_tx_handler() (called as result of fsl_edma_xfer_desc()) and terminating the transfer with fsl_edma_terminate_all(). The fsl_edma_tx_handler() handles interrupt for a transfer with already freed edesc and idle==true. Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Robin Gong Cc: Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 94ea41080b4ef0c8cb16a98f03d5488dd3dbdb40 Author: Walter Lozano Date: Wed Jul 15 23:54:52 2020 -0300 opp: Increase parsed_static_opps in _of_add_opp_table_v1() commit 6544abc520f0fff701e9da382110dc29676c683a upstream. Currently, when using _of_add_opp_table_v2 parsed_static_opps is increased and this value is used in _opp_remove_all_static() to check if there are static opp entries that need to be freed. Unfortunately this does not happen when using _of_add_opp_table_v1(), which leads to warnings. This patch increases parsed_static_opps in _of_add_opp_table_v1() in a similar way as in _of_add_opp_table_v2(). Fixes: 03758d60265c ("opp: Replace list_kref with a local counter") Cc: v5.6+ # v5.6+ Signed-off-by: Walter Lozano [ Viresh: Do the operation with lock held and set the value to 1 instead of incrementing it ] Signed-off-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit 66cb954175a74a96a0cb2b250043961e8b76d994 Author: Alexander Shishkin Date: Mon Jul 6 19:13:39 2020 +0300 intel_th: Fix a NULL dereference when hub driver is not loaded commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream. Connecting master to an output port when GTH driver module is not loaded triggers a NULL dereference: > RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th] > Call Trace: > ? sth_stm_link+0x12/0x20 [intel_th_sth] > stm_source_link_store+0x164/0x270 [stm_core] > dev_attr_store+0x17/0x30 > sysfs_kf_write+0x3e/0x50 > kernfs_fop_write+0xda/0x1b0 > __vfs_write+0x1b/0x40 > vfs_write+0xb9/0x1a0 > ksys_write+0x67/0xe0 > __x64_sys_write+0x1a/0x20 > do_syscall_64+0x57/0x1d0 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 Make sure the module in question is loaded and return an error if not. Signed-off-by: Alexander Shishkin Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Reviewed-by: Andy Shevchenko Reported-by: Ammy Yi Tested-by: Ammy Yi Cc: stable@vger.kernel.org # v4.4 Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ba892f6e8d7fbbe7f2b9aa47dc6ab0f15603e4fe Author: Alexander Shishkin Date: Mon Jul 6 19:13:38 2020 +0300 intel_th: pci: Add Emmitsburg PCH support commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream. This adds support for the Trace Hub in Emmitsburg PCH. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit c4c5c3ae731cf666d46d16881417d6bb9b828ac3 Author: Alexander Shishkin Date: Mon Jul 6 19:13:37 2020 +0300 intel_th: pci: Add Tiger Lake PCH-H support commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream. This adds support for the Trace Hub in Tiger Lake PCH-H. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit aff5397943f97c8748a46f3890acaf7a0b110538 Author: Alexander Shishkin Date: Mon Jul 6 19:13:36 2020 +0300 intel_th: pci: Add Jasper Lake CPU support commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream. This adds support for the Trace Hub in Jasper Lake CPU. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 2e0612e1ec09f4d86f521b5155dfcde3fb9d45a4 Author: Satheesh Rajendran Date: Fri Jun 19 12:31:13 2020 +0530 powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size commit b710d27bf72068b15b2f0305d825988183e2ff28 upstream. Early secure guest boot hits the below crash while booting with vcpus numbers aligned with page boundary for PAGE size of 64k and LPPACA size of 1k i.e 64, 128 etc. Partition configured for 64 cpus. CPU maps initialized for 1 thread per core ------------[ cut here ]------------ kernel BUG at arch/powerpc/kernel/paca.c:89! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries This is due to the BUG_ON() for shared_lppaca_total_size equal to shared_lppaca_size. Instead the code should only BUG_ON() if we have exceeded the total_size, which indicates we've overflowed the array. Fixes: bd104e6db6f0 ("powerpc/pseries/svm: Use shared memory for LPPACA structures") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Satheesh Rajendran Reviewed-by: Laurent Dufour Reviewed-by: Thiago Jung Bauermann [mpe: Reword change log to clarify we're fixing not removing the check] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200619070113.16696-1-sathnaga@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit bf924ac97d73c4a6635f33ec51431c958b590e8d Author: Aneesh Kumar K.V Date: Sun Jul 12 18:50:47 2020 +0530 powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey commit 192b6a780598976feb7321ff007754f8511a4129 upstream. Even if the IAMR value denies execute access, the current code returns true from pkey_access_permitted() for an execute permission check, if the AMR read pkey bit is cleared. This results in repeated page fault loop with a test like below: #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifdef SYS_pkey_mprotect #undef SYS_pkey_mprotect #endif #ifdef SYS_pkey_alloc #undef SYS_pkey_alloc #endif #ifdef SYS_pkey_free #undef SYS_pkey_free #endif #undef PKEY_DISABLE_EXECUTE #define PKEY_DISABLE_EXECUTE 0x4 #define SYS_pkey_mprotect 386 #define SYS_pkey_alloc 384 #define SYS_pkey_free 385 #define PPC_INST_NOP 0x60000000 #define PPC_INST_BLR 0x4e800020 #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC) static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey) { return syscall(SYS_pkey_mprotect, addr, len, prot, pkey); } static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights) { return syscall(SYS_pkey_alloc, flags, access_rights); } static int sys_pkey_free(int pkey) { return syscall(SYS_pkey_free, pkey); } static void do_execute(void *region) { /* jump to region */ asm volatile( "mtctr %0;" "bctrl" : : "r"(region) : "ctr", "lr"); } static void do_protect(void *region) { size_t pgsize; int i, pkey; pgsize = getpagesize(); pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE); assert (pkey > 0); /* perform mprotect */ assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey)); do_execute(region); /* free pkey */ assert(!sys_pkey_free(pkey)); } int main(int argc, char **argv) { size_t pgsize, numinsns; unsigned int *region; int i; /* allocate memory region to protect */ pgsize = getpagesize(); region = memalign(pgsize, pgsize); assert(region != NULL); assert(!mprotect(region, pgsize, PROT_RWX)); /* fill page with NOPs with a BLR at the end */ numinsns = pgsize / sizeof(region[0]); for (i = 0; i < numinsns - 1; i++) region[i] = PPC_INST_NOP; region[i] = PPC_INST_BLR; do_protect(region); return EXIT_SUCCESS; } The fix is to only check the IAMR for an execute check, the AMR value is not relevant. Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte") Cc: stable@vger.kernel.org # v4.16+ Reported-by: Sandipan Das Signed-off-by: Aneesh Kumar K.V [mpe: Add detail to change log, tweak wording & formatting] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit 10a95be445ebf444116623f2134845ca3aa6a688 Author: Maciej S. Szmigiero Date: Sat Jul 18 14:32:10 2020 +0200 hwmon: (drivetemp) Avoid SCT usage on Toshiba DT01ACA family drives commit c66ef39eb27fe123ee05082b90eb2985c33c7715 upstream. It has been observed that Toshiba DT01ACA family drives have WRITE FPDMA QUEUED command timeouts and sometimes just freeze until power-cycled under heavy write loads when their temperature is getting polled in SCT mode. The SMART mode seems to be fine, though. Let's make sure we don't use SCT mode for these drives then. While only the 3 TB model was actually caught exhibiting the problem let's play safe here to avoid data corruption and extend the ban to the whole family. Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Cc: stable@vger.kernel.org Signed-off-by: Maciej S. Szmigiero Link: https://lore.kernel.org/r/0cb2e7022b66c6d21d3f189a12a97878d0e7511b.1595075458.git.mail@maciej.szmigiero.name Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 49482b9b39cd55146cb12c16bb7e484488b853d4 Author: Vishwas M Date: Tue Jul 7 19:57:47 2020 +0530 hwmon: (emc2103) fix unable to change fan pwm1_enable attribute commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream. This patch fixes a bug which does not let FAN mode to be changed from sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always remain at 0. This is caused because the device driver handles the result of "read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The driver thinks an error has occurred if the (result != 0). This has been fixed by changing the condition to (result < 0). Signed-off-by: Vishwas M Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller") Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 16c8af6d1be51cecc0ffbf4b6c969661949f1edb Author: Andreas Schwab Date: Mon Jul 6 14:32:26 2020 +0200 riscv: use 16KB kernel stack on 64-bit commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream. With the current 8KB stack size there are frequent overflows in a 64-bit configuration. We may split IRQ stacks off in the future, but this fixes a number of issues right now. Signed-off-by: Andreas Schwab Reviewed-by: Anup Patel [Palmer: mention irqstack in the commit text] Fixes: 7db91e57a0ac ("RISC-V: Task implementation") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit fb6d7cc1898a9699260f6095af2453e9c8d323ba Author: Frederic Weisbecker Date: Fri Jul 17 16:05:40 2020 +0200 timer: Fix wheel index calculation on last level commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream. When an expiration delta falls into the last level of the wheel, that delta has be compared against the maximum possible delay and reduced to fit in if necessary. However instead of comparing the delta against the maximum, the code compares the actual expiry against the maximum. Then instead of fixing the delta to fit in, it sets the maximum delta as the expiry value. This can result in various undesired outcomes, the worst possible one being a timer expiring 15 days ahead to fire immediately. Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit 104c1b9abc106f2eabad186e3f5ad49927cea2a9 Author: Frederic Weisbecker Date: Fri Jul 3 03:06:57 2020 +0200 timer: Prevent base->clk from moving backward commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream. When a timer is enqueued with a negative delta (ie: expiry is below base->clk), it gets added to the wheel as expiring now (base->clk). Yet the value that gets stored in base->next_expiry, while calling trigger_dyntick_cpu(), is the initial timer->expires value. The resulting state becomes: base->next_expiry < base->clk On the next timer enqueue, forward_timer_base() may accidentally rewind base->clk. As a possible outcome, timers may expire way too early, the worst case being that the highest wheel levels get spuriously processed again. To prevent from that, make sure that base->next_expiry doesn't get below base->clk. Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Reviewed-by: Anna-Maria Behnsen Tested-by: Juri Lelli Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit 80daa8404491a8eaa518a7e2cd8f63812ce3bbcb Author: Chandrakanth Patil Date: Wed Jul 15 17:31:53 2020 +0530 scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro commit 07d3f04550023395bbf34b99ec7e00fc50d9859f upstream. As the ENABLE_IRQ_POLL macro is undefined, the check for ENABLE_IRQ_POLL macro in ISR will always be false. This leads to irq polling being non-functional. Remove ENABLE_IRQ_POLL check from ISR. Link: https://lore.kernel.org/r/20200715120153.20512-1-chandrakanth.patil@broadcom.com Fixes: a6ffd5bf6819 ("scsi: megaraid_sas: Call disable_irq from process IRQ") Cc: # v5.3+ Signed-off-by: Chandrakanth Patil Signed-off-by: Kashyap Desai Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9280c9be5f3ce5f4886d63b24a90eb3e13f27917 Author: Esben Haabendal Date: Wed Jul 1 16:56:58 2020 +0200 uio_pdrv_genirq: fix use without device tree and no interrupt commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream. While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no interrupt") added support for using uio_pdrv_genirq for devices without interrupt for device tree platforms, the removal of uio_pdrv in 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") broke the support for non device tree platforms. This change fixes this, so that uio_pdrv_genirq can be used without interrupt on all platforms. This still leaves the support that uio_pdrv had for custom interrupt handler lacking, as uio_pdrv_genirq does not handle it (yet). Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") Signed-off-by: Esben Haabendal Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com Signed-off-by: Greg Kroah-Hartman commit b0dea10bc279c5367818e2e56cfa573bc6e0859d Author: Esben Haabendal Date: Wed Jul 1 16:56:57 2020 +0200 uio_pdrv_genirq: Remove warning when irq is not specified commit 324ac45f25e634eca6346953ae531e8da3e0c73d upstream. Since e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no interrupt"), the uio_pdrv_genirq has supported use without interrupt, so the change in 7723f4c5ecdb ("driver core: platform: Add an error message to") added false warnings for those cases. Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()") Signed-off-by: Esben Haabendal Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200701145659.3978-2-esben@geanix.com Signed-off-by: Greg Kroah-Hartman commit 92fa276bc6c62cff4f4e3f6eaf8bdafd57d381ef Author: Mike Leach Date: Wed Jul 1 10:08:52 2020 -0600 coresight: etmv4: Fix CPU power management setup in probe() function commit 9b6a3f3633a5cc928b78627764793b60cb62e0f6 upstream. The current probe() function calls a pair of cpuhp_xxx API functions to setup CPU hotplug handling. The hotplug lock is held for the duration of the two calls and other CPU related code using cpus_read_lock() / cpus_read_unlock() calls. The problem is that on error states, goto: statements bypass the cpus_read_unlock() call. This code has increased in complexity as the driver has developed. This patch introduces a pair of helper functions etm4_pm_setup_cpuslocked() and etm4_pm_clear() which correct the issues above and group the PM code a little better. The two functions etm4_cpu_pm_register() and etm4_cpu_pm_unregister() are dropped as these call cpu_pm_register_notifier() / ..unregister_notifier() dependent on CONFIG_CPU_PM - but this define is used to nop these functions out in the pm headers - so the wrapper functions are superfluous. Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states") Fixes: e9f5d63f84fe ("hwtracing/coresight-etm4x: Use cpuhp_setup_state_nocalls_cpuslocked()") Fixes: 58eb457be028 ("hwtracing/coresight-etm4x: Convert to hotplug state machine") Signed-off-by: Mike Leach Cc: stable Reviewed-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200701160852.2782823-3-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman commit 98f40b23eef378e84f0529fd0b903605a90e2b34 Author: Dave Wang Date: Wed Jul 8 22:25:03 2020 -0700 Input: elan_i2c - add more hardware ID for Lenovo laptops commit a50ca29523b18baea548bdf5df9b4b923c2bb4f6 upstream. This adds more hardware IDs for Elan touchpads found in various Lenovo laptops. Signed-off-by: Dave Wang Link: https://lore.kernel.org/r/000201d5a8bd$9fead3f0$dfc07bd0$@emc.com.tw Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 29171aa205271429b724ea49458fc19920b3043c Author: David Pedersen Date: Mon Jul 6 18:48:51 2020 -0700 Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream. This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12. Without nomux, the trackpad behaves as if only one finger is present and moves the cursor when trying to scroll. Signed-off-by: David Pedersen Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit e42dc0dab2b7198b126cc0b457fc162f22f93c76 Author: Dmitry Torokhov Date: Mon Jul 6 17:47:35 2020 -0700 Revert "Input: elants_i2c - report resolution information for touch major" commit 93b9de223c0135db495c25334e66cb669bef13e2 upstream. This reverts commit 061706716384f1633d3d5090b22a99f33f1fcf2f - it turns out that the resolution of 1 unit per mm was not correct for a number of touch screens, causing touch sizes to be reported as way too large. See https://crbug.com/1085648 Reported-by: Harry Cutts Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit b2b51526f4ec6e9224278bdab5b5cf6023ff2933 Author: Alexander Usyskin Date: Mon Jun 29 01:53:59 2020 +0300 mei: bus: don't clean driver pointer commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream. It's not needed to set driver to NULL in mei_cl_device_remove() which is bus_type remove() handler as this is done anyway in __device_release_driver(). Actually this is causing an endless loop in driver_detach() on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module. The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty. as the check is always true in __device_release_driver() if (dev->driver != drv) return; The non upstream patch is causing this behavior, titled: 'vfio -- release device lock before userspace requests' Nevertheless the fix is correct also for the upstream. Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/ Cc: Cc: Andy Whitcroft Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 8fd782b2376168717dddfbcae0786b47e61777bb Author: Wade Mealing Date: Wed Jun 17 13:49:47 2020 +0200 Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream. Turns out that the permissions for 0400 really are what we want here, otherwise any user can read from this file. [fixed formatting, added changelog, and made attribute static - gregkh] Reported-by: Wade Mealing Cc: stable Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832 Reviewed-by: Steffen Maier Acked-by: Minchan Kim Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com Signed-off-by: Greg Kroah-Hartman commit cd01af51229a924d1b2f5e2edec8379b83f6b8a2 Author: Chirantan Ekbote Date: Tue Jul 14 19:26:39 2020 +0900 fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream. The ioctl encoding for this parameter is a long but the documentation says it should be an int and the kernel drivers expect it to be an int. If the fuse driver treats this as a long it might end up scribbling over the stack of a userspace process that only allocated enough space for an int. This was previously discussed in [1] and a patch for fuse was proposed in [2]. From what I can tell the patch in [2] was nacked in favor of adding new, "fixed" ioctls and using those from userspace. However there is still no "fixed" version of these ioctls and the fact is that it's sometimes infeasible to change all userspace to use the new one. Handling the ioctls specially in the fuse driver seems like the most pragmatic way for fuse servers to support them without causing crashes in userspace applications that call them. [1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/ [2]: https://sourceforge.net/p/fuse/mailman/message/31771759/ Signed-off-by: Chirantan Ekbote Fixes: 59efec7b9039 ("fuse: implement ioctl support") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 1ba86a1018b2d433bea08f5a3f8bbbe753cce057 Author: Miklos Szeredi Date: Tue Jul 14 14:45:41 2020 +0200 fuse: use ->reconfigure() instead of ->remount_fs() commit 0189a2d367f49729622fdafaef5da73161591859 upstream. s_op->remount_fs() is only called from legacy_reconfigure(), which is not used after being converted to the new API. Convert to using ->reconfigure(). This restores the previous behavior of syncing the filesystem and rejecting MS_MANDLOCK on remount. Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") Cc: # v5.4 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit a7c9426d3f6d820ec44531001b4bc665a86c09d6 Author: Miklos Szeredi Date: Tue Jul 14 14:45:41 2020 +0200 fuse: ignore 'data' argument of mount(..., MS_REMOUNT) commit e8b20a474cf2c42698d1942f939ff2128819f151 upstream. The command mount -o remount -o unknownoption /mnt/fuse succeeds on kernel versions prior to v5.4 and fails on kernel version at or after. This is because fuse_parse_param() rejects any unrecognised options in case of FS_CONTEXT_FOR_RECONFIGURE, just as for FS_CONTEXT_FOR_MOUNT. This causes a regression in case the fuse filesystem is in fstab, since remount sends all options found there to the kernel; even ones that are meant for the initial mount and are consumed by the userspace fuse server. Fix this by ignoring mount options, just as fuse_remount_fs() did prior to the conversion to the new API. Reported-by: Stefan Priebe Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") Cc: # v5.4 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 383cf066d1f87a38f6452ff0d8349a61868f35ee Author: Amir Goldstein Date: Thu Jun 18 18:43:53 2020 +0300 ovl: fix unneeded call to ovl_change_flags() commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream. The check if user has changed the overlay file was wrong, causing unneeded call to ovl_change_flags() including taking f_lock on every file access. Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path") Cc: # v4.19+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 96d30fe6f738c848b97c1a601d991d11069e91bd Author: Amir Goldstein Date: Wed Jun 17 09:57:11 2020 +0300 ovl: relax WARN_ON() when decoding lower directory file handle commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream. Decoding a lower directory file handle to overlay path with cold inode/dentry cache may go as follows: 1. Decode real lower file handle to lower dir path 2. Check if lower dir is indexed (was copied up) 3. If indexed, get the upper dir path from index 4. Lookup upper dir path in overlay 5. If overlay path found, verify that overlay lower is the lower dir from step 1 On failure to verify step 5 above, user will get an ESTALE error and a WARN_ON will be printed. A mismatch in step 5 could be a result of lower directory that was renamed while overlay was offline, after that lower directory has been copied up and indexed. This is a scripted reproducer based on xfstest overlay/052: # Create lower subdir create_dirs create_test_files $lower/lowertestdir/subdir mount_dirs # Copy up lower dir and encode lower subdir file handle touch $SCRATCH_MNT/lowertestdir test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle # Rename lower dir offline unmount_dirs mv $lower/lowertestdir $lower/lowertestdir.new/ mount_dirs # Attempt to decode lower subdir file handle test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle Since this WARN_ON() can be triggered by user we need to relax it. Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache") Cc: # v4.16+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit a5d02180886bc9e87a7a3de77b7670d3cce949ec Author: youngjun Date: Tue Jun 16 17:30:43 2020 +0900 ovl: inode reference leak in ovl_is_inuse true case. commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream. When "ovl_is_inuse" true case, trap inode reference not put. plus adding the comment explaining sequence of ovl_is_inuse after ovl_setup_trap. Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection") Cc: # v4.19+ Reviewed-by: Amir Goldstein Signed-off-by: youngjun Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 290c5ac754c9dae404ed07d6d17ccea63bef69d3 Author: Amir Goldstein Date: Wed Jul 8 16:16:13 2020 +0300 ovl: fix regression with re-formatted lower squashfs commit a888db310195400f050b89c47673f0f8babfbb41 upstream. Commit 9df085f3c9a2 ("ovl: relax requirement for non null uuid of lower fs") relaxed the requirement for non null uuid with single lower layer to allow enabling index and nfs_export features with single lower squashfs. Fabian reported a regression in a setup when overlay re-uses an existing upper layer and re-formats the lower squashfs image. Because squashfs has no uuid, the origin xattr in upper layer are decoded from the new lower layer where they may resolve to a wrong origin file and user may get an ESTALE or EIO error on lookup. To avoid the reported regression while still allowing the new features with single lower squashfs, do not allow decoding origin with lower null uuid unless user opted-in to one of the new features that require following the lower inode of non-dir upper (index, xino, metacopy). Reported-by: Fabian Link: https://lore.kernel.org/linux-unionfs/32532923.JtPX5UtSzP@fgdesktop/ Fixes: 9df085f3c9a2 ("ovl: relax requirement for non null uuid of lower fs") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit cbf6751750400deb9c95d591ebf6b878af0af23b Author: Johan Hovold Date: Wed Jun 10 17:22:31 2020 +0200 serial: core: fix sysrq overhead regression commit 08d5470308ac3598e7709d08b8979ce6e9de8da2 upstream. Commit 8e20fc391711 ("serial_core: Move sysrq functions from header file") converted the inline sysrq helpers to exported functions which are now called for every received character, interrupt and break signal also on systems without CONFIG_MAGIC_SYSRQ_SERIAL instead of being optimised away by the compiler. Inlining these helpers again also avoids the function call overhead when CONFIG_MAGIC_SYSRQ_SERIAL is enabled (e.g. when the port is not used as a console). Fixes: 8e20fc391711 ("serial_core: Move sysrq functions from header file") Cc: Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by: Johan Hovold Cc: stable Reviewed-by: Andy Shevchenko Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> Link: https://lore.kernel.org/r/20200610152232.16925-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 04dcaed0440631ea79d160550b6006c2303a0dd5 Author: Johan Hovold Date: Wed Jun 10 17:22:30 2020 +0200 Revert "serial: core: Refactor uart_unlock_and_check_sysrq()" commit 10652a9e9fe3fbcaca090f99cd3060ac3fee2913 upstream. This reverts commit da9a5aa3402db0ff3b57216d8dbf2478e1046cae. In order to ease backporting a fix for a sysrq regression, revert this rewrite which was since added on top. The other sysrq helpers now bail out early when sysrq is not enabled; it's better to keep that pattern here as well. Note that the __releases() attribute won't be needed after the follow-on fix either. Fixes: da9a5aa3402d ("serial: core: Refactor uart_unlock_and_check_sysrq()") Cc: stable Signed-off-by: Johan Hovold Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20200610152232.16925-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit f0579640303266a2be1955b9acc7bbe1a5f92224 Author: Chuhong Yuan Date: Thu Jul 9 21:56:08 2020 +0800 serial: mxs-auart: add missed iounmap() in probe failure and remove commit d8edf8eb5f6e921fe6389f96d2cd05862730a6ff upstream. This driver calls ioremap() in probe, but it misses calling iounmap() in probe's error handler and remove. Add the missed calls to fix it. Fixes: 47d37d6f94cc ("serial: Add auart driver for i.MX23/28") Signed-off-by: Chuhong Yuan Cc: stable Link: https://lore.kernel.org/r/20200709135608.68290-1-hslester96@gmail.com Signed-off-by: Greg Kroah-Hartman commit 785dcb14ec94073598fbc1ea0965901a8fca0634 Author: Lad Prabhakar Date: Wed Jul 1 16:41:40 2020 +0100 serial: sh-sci: Initialize spinlock for uart console commit f38278e9b810b06aff2981d505267be984423ba3 upstream. serial core expects the spinlock to be initialized by the controller driver for serial console, this patch makes sure the spinlock is initialized, fixing the below issue: [ 0.865928] BUG: spinlock bad magic on CPU#0, swapper/0/1 [ 0.865945] lock: sci_ports+0x0/0x4c80, .magic: 00000000, .owner: /-1, .owner_cpu: 0 [ 0.865955] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1+ #112 [ 0.865961] Hardware name: HopeRun HiHope RZ/G2H with sub board (DT) [ 0.865968] Call trace: [ 0.865979] dump_backtrace+0x0/0x1d8 [ 0.865985] show_stack+0x14/0x20 [ 0.865996] dump_stack+0xe8/0x130 [ 0.866006] spin_dump+0x6c/0x88 [ 0.866012] do_raw_spin_lock+0xb0/0xf8 [ 0.866023] _raw_spin_lock_irqsave+0x80/0xa0 [ 0.866032] uart_add_one_port+0x3a4/0x4e0 [ 0.866039] sci_probe+0x504/0x7c8 [ 0.866048] platform_drv_probe+0x50/0xa0 [ 0.866059] really_probe+0xdc/0x330 [ 0.866066] driver_probe_device+0x58/0xb8 [ 0.866072] device_driver_attach+0x6c/0x90 [ 0.866078] __driver_attach+0x88/0xd0 [ 0.866085] bus_for_each_dev+0x74/0xc8 [ 0.866091] driver_attach+0x20/0x28 [ 0.866098] bus_add_driver+0x14c/0x1f8 [ 0.866104] driver_register+0x60/0x110 [ 0.866109] __platform_driver_register+0x40/0x48 [ 0.866119] sci_init+0x2c/0x34 [ 0.866127] do_one_initcall+0x88/0x428 [ 0.866137] kernel_init_freeable+0x2c0/0x328 [ 0.866143] kernel_init+0x10/0x108 [ 0.866150] ret_from_fork+0x10/0x18 Signed-off-by: Lad Prabhakar Reviewed-by: Biju Das Fixes: a3cb39d258ef ("serial: core: Allow detach and attach serial device for console") Cc: stable Link: https://lore.kernel.org/r/1593618100-2151-1-git-send-email-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Greg Kroah-Hartman commit a0683f0c39d74d451a7334d57c3a7e1476c4f927 Author: Alexander Lobakin Date: Tue Jun 23 11:09:33 2020 +0000 virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial commit 897c44f0bae574c5fb318c759b060bebf9dd6013 upstream. rproc_serial_id_table lacks an exposure to module devicetable, so when remoteproc firmware requests VIRTIO_ID_RPROC_SERIAL, no uevent is generated and no module autoloading occurs. Add missing MODULE_DEVICE_TABLE() annotation and move the existing one for VIRTIO_ID_CONSOLE right to the table itself. Fixes: 1b6370463e88 ("virtio_console: Add support for remoteproc serial") Cc: # v3.8+ Signed-off-by: Alexander Lobakin Reviewed-by: Amit Shah Link: https://lore.kernel.org/r/x7C_CbeJtoGMy258nwAXASYz3xgFMFpyzmUvOyZzRnQrgWCREBjaqBOpAUS7ol4NnZYvSVwmTsCG0Ohyfvta-ygw6HMHcoeKK0C3QFiAO_Q=@pm.me Signed-off-by: Greg Kroah-Hartman commit f13968b71b6acf8de9d7598e8b84eeb45cded94f Author: Christophe Leroy Date: Fri Jun 12 18:26:07 2020 +0000 tty: serial: cpm_uart: Fix behaviour for non existing GPIOs commit 311eab8d5900ea9088513d4c6b4570058958edb5 upstream. devm_gpiod_get_index() doesn't return NULL but -ENOENT when the requested GPIO doesn't exist, leading to the following messages: [ 2.742468] gpiod_direction_input: invalid GPIO (errorpointer) [ 2.748147] can't set direction for gpio #2: -2 [ 2.753081] gpiod_direction_input: invalid GPIO (errorpointer) [ 2.758724] can't set direction for gpio #3: -2 [ 2.763666] gpiod_direction_output: invalid GPIO (errorpointer) [ 2.769394] can't set direction for gpio #4: -2 [ 2.774341] gpiod_direction_input: invalid GPIO (errorpointer) [ 2.779981] can't set direction for gpio #5: -2 [ 2.784545] ff000a20.serial: ttyCPM1 at MMIO 0xfff00a20 (irq = 39, base_baud = 8250000) is a CPM UART Use devm_gpiod_get_index_optional() instead. At the same time, handle the error case and properly exit with an error. Fixes: 97cbaf2c829b ("tty: serial: cpm_uart: Convert to use GPIO descriptors") Cc: stable@vger.kernel.org Cc: Linus Walleij Signed-off-by: Christophe Leroy Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/694a25fdce548c5ee8b060ef6a4b02746b8f25c0.1591986307.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit df858e2fdd9747fcd00e77fe49ea6e5fb7f9cd77 Author: Jan Kiszka Date: Thu Jun 18 10:11:40 2020 +0200 Revert "tty: xilinx_uartps: Fix missing id assignment to the console" commit 76ed2e105796710cf5b8a4ba43c81eceed948b70 upstream. This reverts commit 2ae11c46d5fdc46cb396e35911c713d271056d35. It turned out to break the ultra96-rev1, e.g., which uses uart1 as serial0 (and stdout-path = "serial0:115200n8"). Fixes: 2ae11c46d5fd ("tty: xilinx_uartps: Fix missing id assignment to the console") Cc: stable Signed-off-by: Jan Kiszka Reviewed-by: Michal Simek Tested-by: Michal Simek Link: https://lore.kernel.org/r/f4092727-d8f5-5f91-2c9f-76643aace993@siemens.com Signed-off-by: Greg Kroah-Hartman commit 20bcd07cd040146a711c6d6875ccb120e970a88c Author: Hans de Goede Date: Thu Jul 9 14:08:52 2020 +0200 virt: vbox: Fix guest capabilities mask check commit 59d1d2e8e1e7c50d2657d5e4812b53f71f507968 upstream. Check the passed in capabilities against VMMDEV_GUEST_CAPABILITIES_MASK instead of against VMMDEV_EVENT_VALID_EVENT_MASK. This tightens the allowed mask from 0x7ff to 0x7. Fixes: 0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration") Cc: stable@vger.kernel.org Acked-by: Arnd Bergmann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20200709120858.63928-3-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 2e8b01f6c226e8cd8b27918446a0846bc1f29c79 Author: Hans de Goede Date: Thu Jul 9 14:08:51 2020 +0200 virt: vbox: Fix VBGL_IOCTL_VMMDEV_REQUEST_BIG and _LOG req numbers to match upstream commit f794db6841e5480208f0c3a3ac1df445a96b079e upstream. Until this commit the mainline kernel version (this version) of the vboxguest module contained a bug where it defined VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG using _IOC(_IOC_READ | _IOC_WRITE, 'V', ...) instead of _IO(V, ...) as the out of tree VirtualBox upstream version does. Since the VirtualBox userspace bits are always built against VirtualBox upstream's headers, this means that so far the mainline kernel version of the vboxguest module has been failing these 2 ioctls with -ENOTTY. I guess that VBGL_IOCTL_VMMDEV_REQUEST_BIG is never used causing us to not hit that one and sofar the vboxguest driver has failed to actually log any log messages passed it through VBGL_IOCTL_LOG. This commit changes the VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG defines to match the out of tree VirtualBox upstream vboxguest version, while keeping compatibility with the old wrong request defines so as to not break the kernel ABI in case someone has been using the old request defines. Fixes: f6ddd094f579 ("virt: Add vboxguest driver for Virtual Box Guest integration UAPI") Cc: stable@vger.kernel.org Acked-by: Arnd Bergmann Reviewed-by: Arnd Bergmann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20200709120858.63928-2-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 5c56932d440127748248d3aeda1d7d7be4e749e5 Author: AceLan Kao Date: Tue Jul 7 16:15:53 2020 +0800 USB: serial: option: add Quectel EG95 LTE modem commit da6902e5b6dbca9081e3d377f9802d4fd0c5ea59 upstream. Add support for Quectel Wireless Solutions Co., Ltd. EG95 LTE modem T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0195 Rev=03.18 S: Manufacturer=Android S: Product=Android C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) Signed-off-by: AceLan Kao Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit da404a42d049fd8b6607ee67e21a6114ea4d14ef Author: Jörgen Storvist Date: Tue Jun 23 00:13:59 2020 +0200 USB: serial: option: add GosunCn GM500 series commit 08d4ef5cc9203a113702f24725f6cf4db476c958 upstream. Add USB IDs for GosunCn GM500 series cellular modules. RNDIS config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 12 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1404 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option MBIM config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1405 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#=0x4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim ECM config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1406 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether I: If#=0x4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether Signed-off-by: Jörgen Storvist Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit fead8a15c21158eb1f1b12ae95fbb47ac20452bc Author: Igor Moura Date: Tue Jun 23 05:11:11 2020 -0300 USB: serial: ch341: add new Product ID for CH340 commit 5d0136f8e79f8287e6a36780601f0ce797cf11c2 upstream. Add PID for CH340 that's found on some ESP8266 dev boards made by LilyGO. The specific device that contains such serial converter can be seen here: https://github.com/LilyGO/LILYGO-T-OI. Apparently, it's a regular CH340, but I've confirmed with others that also bought this board that the PID found on this device (0x7522) differs from other devices with the "same" converter (0x7523). Simply adding its PID to the driver and rebuilding it made it work as expected. Signed-off-by: Igor Moura Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b35c83f53fd6fc7d9ffe8cfc441e56565f215baa Author: James Hilliard Date: Tue Jun 16 16:04:03 2020 -0600 USB: serial: cypress_m8: enable Simply Automated UPB PIM commit 5c45d04c5081c1830d674f4d22d4400ea2083afe upstream. This is a UPB (Universal Powerline Bus) PIM (Powerline Interface Module) which allows for controlling multiple UPB compatible devices from Linux using the standard serial interface. Based on vendor application source code there are two different models of USB based PIM devices in addition to a number of RS232 based PIM's. The vendor UPB application source contains the following USB ID's: #define USB_PCS_VENDOR_ID 0x04b4 #define USB_PCS_PIM_PRODUCT_ID 0x5500 #define USB_SAI_VENDOR_ID 0x17dd #define USB_SAI_PIM_PRODUCT_ID 0x5500 The first set of ID's correspond to the PIM variant sold by Powerline Control Systems while the second corresponds to the Simply Automated Incorporated PIM. As the product ID for both of these match the default cypress HID->COM RS232 product ID it assumed that they both use an internal variant of this HID->COM RS232 converter hardware. However as the vendor ID for the Simply Automated variant is different we need to also add it to the cypress_M8 driver so that it is properly detected. Signed-off-by: James Hilliard Link: https://lore.kernel.org/r/20200616220403.1807003-1-james.hilliard1@gmail.com Cc: stable@vger.kernel.org [ johan: amend VID define entry ] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e33f019f85851f963f9a4a37c9a0e957d139b464 Author: Johan Hovold Date: Wed Jul 15 11:02:45 2020 +0200 USB: serial: iuu_phoenix: fix memory corruption commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream. The driver would happily overwrite its write buffer with user data in 256 byte increments due to a removed buffer-space sanity check. Fixes: 5fcf62b0f1f2 ("tty: iuu_phoenix: fix locking.") Cc: stable # 2.6.31 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f07c5414c9ebb84a561ec05337d8e92a021e00a4 Author: Zhang Qiang Date: Mon Jul 6 13:14:55 2020 +0800 usb: gadget: function: fix missing spinlock in f_uac1_legacy commit 8778eb0927ddcd3f431805c37b78fa56481aeed9 upstream. Add a missing spinlock protection for play_queue, because the play_queue may be destroyed when the "playback_work" work func and "f_audio_out_ep_complete" callback func operate this paly_queue at the same time. Fixes: c6994e6f067cf ("USB: gadget: add USB Audio Gadget driver") Cc: stable Signed-off-by: Zhang Qiang Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit cb6b9388811df0ff5913ccb7881d7fda2490b7a5 Author: Peter Chen Date: Tue Jul 7 14:06:01 2020 +0800 usb: chipidea: core: add wakeup support for extcon commit 876d4e1e8298ad1f94d9e9392fc90486755437b4 upstream. If wakeup event occurred by extcon event, it needs to call ci_irq again since the first ci_irq calling at extcon notifier only wakes up controller, but do noop for event handling, it causes the extcon use case can't work well from low power mode. Cc: Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") Reported-by: Philippe Schenker Tested-by: Philippe Schenker Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20200707060601.31907-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 8086a2d4cd0ff22ccec020cdab9a9526431ed6a2 Author: Minas Harutyunyan Date: Sat May 30 11:41:50 2020 +0400 usb: dwc2: Fix shutdown callback in platform commit 4fdf228cdf6925af45a2066d403821e0977bfddb upstream. To avoid lot of interrupts from dwc2 core, which can be asserted in specific conditions need to disable interrupts on HW level instead of disable IRQs on Kernel level, because of IRQ can be shared between drivers. Cc: stable@vger.kernel.org Fixes: a40a00318c7fc ("usb: dwc2: add shutdown callback to platform variant") Tested-by: Frank Mori Hess Reviewed-by: Alan Stern Reviewed-by: Doug Anderson Reviewed-by: Frank Mori Hess Signed-off-by: Minas Harutyunyan Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 44244ee0c36001c7b9671d2bb9aa86c4526fd64d Author: Tom Rix Date: Wed Jul 8 06:12:43 2020 -0700 USB: c67x00: fix use after free in c67x00_giveback_urb commit 211f08347355cba1f769bbf3355816a12b3ddd55 upstream. clang static analysis flags this error c67x00-sched.c:489:55: warning: Use of memory after it is freed [unix.Malloc] usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status); ^~~~~~~~~~~~ Problem happens in this block of code c67x00_release_urb(c67x00, urb); usb_hcd_unlink_urb_from_ep(c67x00_hcd_to_hcd(c67x00), urb); spin_unlock(&c67x00->lock); usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status); In the call to c67x00_release_urb has this freeing of urbp urbp = urb->hcpriv; urb->hcpriv = NULL; list_del(&urbp->hep_node); kfree(urbp); And so urbp is freed before usb_hcd_giveback_urb uses it as its 3rd parameter. Since all is required is the status, pass the status directly as is done in c64x00_urb_dequeue Fixes: e9b29ffc519b ("USB: add Cypress c67x00 OTG controller HCD driver") Signed-off-by: Tom Rix Cc: stable Link: https://lore.kernel.org/r/20200708131243.24336-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit 15e17aa0db84835ad5a1f36a82bab831f3db6fc4 Author: Mika Westerberg Date: Thu Apr 2 12:45:34 2020 +0300 thunderbolt: Fix path indices used in USB3 tunnel discovery commit 8b94a4b92327d061327117e127d7d44a4a43e639 upstream. The USB3 discovery used wrong indices when tunnel is discovered. It should use TB_USB3_PATH_DOWN for path that flows downstream and TB_USB3_PATH_UP when it flows upstream. This should not affect the functionality but better to fix it. Fixes: e6f818585713 ("thunderbolt: Add support for USB 3.x tunnels") Signed-off-by: Mika Westerberg Cc: stable@vger.kernel.org # v5.6+ Signed-off-by: Greg Kroah-Hartman commit 50f1f84454453a713a161241300f70b1040d402d Author: Kailang Yang Date: Thu Jul 16 15:21:59 2020 +0800 ALSA: hda/realtek - Enable Speaker for ASUS UX563 commit 158ae2f5e6fead30be1f0c203037f5556871513b upstream. ASUS UX563 speaker can't output. Add quirk to link suitable model will enable it. This model also could enable headset Mic. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/96dee3ab01a04c28a7b44061e88009dd@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3bb60b83969b554fc36aaf698d9fb971c05d9cbd Author: Kailang Yang Date: Thu Jul 16 14:42:33 2020 +0800 ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 commit 473fbe13fd6f9082e413aea37e624ecbce5463cc upstream. ASUS UX533 and UX534 speaker still can't output. End User feedback speaker didn't have output. Add this COEF value will enable it. Fixes: 4e051106730d ("ALSA: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294") Cc: Signed-off-by: Kailang Yang Link: https://lore.kernel.org/r/80334402a93b48e385f8f4841b59ae09@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 30f1408b503cfe879b1b8556a6809e4afe10ad2c Author: Jian-Hong Pan Date: Mon Jul 13 14:04:22 2020 +0800 ALSA: hda/realtek: Enable headset mic of Acer TravelMate B311R-31 with ALC256 commit f50a121d2f32bccc1d6b94df925a1ce44ea7eff7 upstream. The Acer TravelMate B311R-31 laptop's audio (1025:1430) with ALC256 cannot detect the headset microphone until ALC256_FIXUP_ACER_MIC_NO_PRESENCE quirk maps the NID 0x19 as the headset mic pin. Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20200713060421.62435-1-jian-hong@endlessm.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cf2c1757faddb63fd10f940e6e64716f0515b7a9 Author: Armas Spann Date: Sat Jul 11 13:05:57 2020 +0200 ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G14(G401) series with ALC289 commit ff53664daff2a65f4bf2479ac56dfb3e908deff0 upstream. This patch adds support for headset mic to the ASUS ROG Zephyrus G14(GA401) notebook series by adding the corresponding vendor/pci_device id, as well as adding a new fixup for the used realtek ALC289. The fixup stets the correct pin to get the headset mic correctly recognized on audio-jack. Signed-off-by: Armas Spann Cc: Link: https://lore.kernel.org/r/20200711110557.18681-1-zappel@retarded.farm Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 825dbc766e1906a4a496f12ab4c116d8e995c4bf Author: Kailang Yang Date: Fri Jul 10 15:31:11 2020 +0800 ALSA: hda/realtek - change to suitable link model for ASUS platform commit ef9ddb9dc4f8b1da3b975918cd1fd98ec055b918 upstream. ASUS platform couldn't need to use Headset Mode model. It changes to the suitable model. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/d05bcff170784ec7bb35023407148161@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 05274b202c7733541262e961251649cb70574de0 Author: Takashi Iwai Date: Fri Jul 10 18:06:56 2020 +0200 ALSA: usb-audio: Fix race against the error recovery URB submission commit 9b7e5208a941e2e491a83eb5fa83d889e888fa2f upstream. USB MIDI driver has an error recovery mechanism to resubmit the URB in the delayed timer handler, and this may race with the standard start / stop operations. Although both start and stop operations themselves don't race with each other due to the umidi->mutex protection, but this isn't applied to the timer handler. For fixing this potential race, the following changes are applied: - Since the timer handler can't use the mutex, we apply the umidi->disc_lock protection at each input stream URB submission; this also needs to change the GFP flag to GFP_ATOMIC - Add a check of the URB refcount and skip if already submitted - Move the timer cancel call at disconnection to the beginning of the procedure; this assures the in-flight timer handler is gone properly before killing all pending URBs Reported-by: syzbot+0f4ecfe6a2c322c81728@syzkaller.appspotmail.com Reported-by: syzbot+5f1d24c49c1d2c427497@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20200710160656.16819-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b22a641e98b53a3e11473eac2bda8c10cac74257 Author: Takashi Iwai Date: Fri Jul 10 15:59:59 2020 +0200 ALSA: line6: Sync the pending work cancel at disconnection commit 68359a1ad8447c99732ebeab8c169bfed543667a upstream. Recently syzkaller reported a UAF in LINE6 driver, and it's likely because we call cancel_delayed_work() at the disconnect callback instead of cancel_delayed_work_sync(). Let's use the correct one instead. Reported-by: syzbot+145012a46658ac00fc9e@syzkaller.appspotmail.com Suggested-by: Alan Stern Cc: Link: https://lore.kernel.org/r/s5hlfjr4gio.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 763f7da87185e69c6bd8a1ada71905fab9545f64 Author: Takashi Iwai Date: Fri Jul 10 15:33:51 2020 +0200 ALSA: line6: Perform sanity check for each URB creation commit 6e8a914ad619042c5f25a4feb663357c4170fd8d upstream. LINE6 drivers create stream URBs with a fixed pipe without checking its validity, and this may lead to a kernel WARNING at the submission when a malformed USB descriptor is passed. For avoiding the kernel warning, perform the similar sanity checks for each pipe type at creating a URB. Reported-by: syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/s5hv9iv4hq8.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1a6bdfdea47c756d1713f9ea9f41e46dab25fec5 Author: James Hilliard Date: Tue Jun 23 13:24:15 2020 -0600 HID: quirks: Ignore Simply Automated UPB PIM commit 1ee1369b46de1083238fced60ff718f59de4b8aa upstream. As this is a cypress HID->COM RS232 style device that is handled by the cypress_M8 driver we also need to add it to the ignore list in hid-quirks. Cc: stable Signed-off-by: James Hilliard Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit a78b840e90c1eee3b9b1955f59d1c3079dfd901d Author: Sebastian Parschauer Date: Tue Jun 9 12:00:53 2020 +0200 HID: quirks: Always poll Obins Anne Pro 2 keyboard commit ca28aff0e1dc7dce9e12a7fd9276b7118ce5e73a upstream. The Obins Anne Pro 2 keyboard (04d9:a293) disconnects after a few minutes of inactivity when using it wired and typing does not result in any input events any more. This is a common firmware flaw. So add the ALWAYS_POLL quirk for this device. GitHub user Dietrich Moerman (dietrichm) tested the quirk and requested my help in my project https://github.com/sriemer/fix-linux-mouse issue 22 to provide this patch. Link: https://www.reddit.com/r/AnnePro/comments/gruzcb/anne_pro_2_linux_cant_type_after_inactivity/ Signed-off-by: Sebastian Parschauer Cc: stable@vger.kernel.org # v4.16+ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 996b680d729c4e5aa7087080cc9e469a4f7b86d7 Author: Dmitry Torokhov Date: Sun May 24 16:51:34 2020 -0700 HID: magicmouse: do not set up autorepeat commit 6363d2065cd399cf9d6dc9d08c437f8658831100 upstream. Neither the trackpad, nor the mouse want input core to generate autorepeat events for their buttons, so let's reset the bit (as hid-input sets it for these devices based on the usage vendor code). Cc: stable@vger.kernel.org Reported-by: Yariv Tested-by: Yariv Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 726504d32eaf353c8d0d2ca90edad9593b21afad Author: Maciej S. Szmigiero Date: Sun Jul 5 19:34:57 2020 +0200 HID: logitech-hidpp: avoid repeated "multiplier = " log messages commit e13762abf38ead29071407f32b9dcec38f21dc34 upstream. These messages appear each time the mouse wakes from sleep, in my case (Logitech M705), every minute or so. Let's downgrade them to the "debug" level so they don't fill the kernel log by default. While we are at it, let's make clear that this is a wheel multiplier (and not, for example, XY movement multiplier). Fixes: 4435ff2f09a2 ("HID: logitech: Enable high-resolution scrolling on Logitech mice") Cc: stable@vger.kernel.org Signed-off-by: Maciej S. Szmigiero Reviewed-by: Harry Cutts Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 200eefab6d87b7f124b5c7a6c26f0de0eba34696 Author: Saravana Kannan Date: Mon May 11 16:13:34 2020 +0100 slimbus: core: Fix mismatch in of_node_get/put commit 01360857486c0e4435dea3aa2f78b47213b7cf6a upstream. Adding missing corresponding of_node_put Fixes: 7588a511bdb4 ("slimbus: core: add support to device tree helper") Signed-off-by: Saravana Kannan [Srini: added fixes tag, removed NULL check and updated log] Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200511151334.362-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 75da5d2f63b2254cadec77edde7deb90197a8012 Author: Taniya Das Date: Sun May 17 15:34:19 2020 +0530 clk: qcom: gcc: Add support for a new frequency for SC7180 commit 1b70061f5939ff1cacd728821b4f378cb0fb7961 upstream. There is a requirement to support 51.2MHz from GPLL6 for qup clocks, thus update the frequency table and parent data/map to use the GPLL6 source PLL. Fixes: 17269568f7267 ("clk: qcom: Add Global Clock controller (GCC) driver for SC7180") Signed-off-by: Taniya Das Link: https://lkml.kernel.org/r/1589709861-27580-2-git-send-email-tdas@codeaurora.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit c91850d3c81430b67abc08cbcb93016e3b2d6426 Author: Vinod Koul Date: Wed May 13 12:24:20 2020 +0530 clk: qcom: gcc: Add missing UFS clocks for SM8150 commit 37c72e4cae37f0dace1abb3711ede7fbc6d0862a upstream. Add the missing ufs card and ufs phy clocks for SM8150. They were missed in earlier addition of clock driver. Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150") Signed-off-by: Vinod Koul Link: https://lkml.kernel.org/r/20200513065420.32735-2-vkoul@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 23396eb15bc635320cc3ee76f778936f44c290ff Author: Vinod Koul Date: Wed May 13 12:24:19 2020 +0530 clk: qcom: gcc: Add GPU and NPU clocks for SM8150 commit f73a4230d5bbc8fc7e1a2479ac997f786111c7bb upstream. Add the GPU and NPU clocks for SM8150. They were missed in earlier addition of clock driver. Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150") Signed-off-by: Vinod Koul Link: https://lkml.kernel.org/r/20200513065420.32735-1-vkoul@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 39560d89856781a89be875a152990940ad3f5fed Author: Miquel Raynal Date: Tue May 19 15:00:11 2020 +0200 mtd: rawnand: oxnas: Release all devices in the _remove() path commit 0a5f45e57e35d0840bedb816974ce2e63406cd8b upstream. oxnans_nand_remove() should release all MTD devices and clean all NAND devices, not only the first one registered. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-39-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit f890e4f1f9dd9e2f386ccd1d22634ca6653026ff Author: Miquel Raynal Date: Tue May 19 15:00:10 2020 +0200 mtd: rawnand: oxnas: Unregister all devices on error commit b60391eb17b2956ff2fc4c348e5a464da21ff9cb upstream. On error, the oxnas probe path just frees the device which failed and aborts the probe, leaving unreleased resources. Fix this situation by calling mtd_device_unregister()/nand_cleanup() on these. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-38-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit cd02d1ca210700ce378038b0b5ade43cb78db80b Author: Miquel Raynal Date: Tue May 19 15:00:08 2020 +0200 mtd: rawnand: oxnas: Keep track of registered devices commit 383fc3f613e7eac9f2e3c13b6f9fb8c1f39cb9d5 upstream. All initialized and registered devices should be listed somewhere so that we can unregister/free them in the _remove() path. This patch is not a fix per-se but is needed to apply three other fixes coming right after, explaining the Fixes/Cc: stable tags. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-36-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit d6d1f9c1b4b3216bdec5cf17da75afedcee56ab8 Author: Álvaro Fernández Rojas Date: Fri May 22 14:15:21 2020 +0200 mtd: rawnand: brcmnand: fix CS0 layout commit 3d3fb3c5be9ce07fa85d8f67fb3922e4613b955b upstream. Only v3.3-v5.0 have a different CS0 layout. Controllers before v3.3 use the same layout for every CS. Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller") Signed-off-by: Álvaro Fernández Rojas Acked-by: Florian Fainelli Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200522121524.4161539-3-noltari@gmail.com Signed-off-by: Greg Kroah-Hartman commit 736f040c25e0a2f0bb349eae8e62a5b5485d8543 Author: Álvaro Fernández Rojas Date: Tue May 12 10:24:51 2020 +0200 mtd: rawnand: brcmnand: correctly verify erased pages commit dcb351c03f2fa6a599de1061b174167e03ee312b upstream. The current code checks that the whole OOB area is erased. This is a problem when JFFS2 cleanmarkers are added to the OOB, since it will fail due to the usable OOB bytes not being 0xff. Correct this by only checking that data and ECC bytes aren't 0xff. Fixes: 02b88eea9f9c ("mtd: brcmnand: Add check for erased page bitflips") Signed-off-by: Álvaro Fernández Rojas Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200512082451.771212-1-noltari@gmail.com Signed-off-by: Greg Kroah-Hartman commit 9f1dc009739ed6dbcbba44a927c5553e98fbc764 Author: Miquel Raynal Date: Tue Apr 28 11:42:55 2020 +0200 mtd: rawnand: timings: Fix default tR_max and tCCS_min timings commit 4d8ec041d9c454029f6cd90622f6d81eb61e781c upstream. tR and tCCS are currently wrongly expressed in femtoseconds, while we expect these values to be expressed in picoseconds. Set right hardcoded values. Fixes: 6a943386ee36 mtd: rawnand: add default values for dynamic timings Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200428094302.14624-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 59f32b15e568c8fae53fe3623241649dbf3d7914 Author: Miquel Raynal Date: Fri Apr 24 18:44:59 2020 +0200 mtd: rawnand: marvell: Fix probe error path commit c525b7af96714f72e316c70781570a4a3e1c2856 upstream. Ensure all chips are deregistered and cleaned in case of error during the probe. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-5-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit b0baea9944cae21189f61c1532d781c1579715a1 Author: Miquel Raynal Date: Fri Apr 24 18:44:58 2020 +0200 mtd: rawnand: marvell: Use nand_cleanup() when the device is not yet registered commit 7a0c18fb5c71c6ac7d4662a145e4227dcd4a36a3 upstream. Do not call nand_release() while the MTD device has not been registered, use nand_cleanup() instead. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-4-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 8a2a49b9d4846128f24b9661a8bdd818061742a7 Author: Miquel Raynal Date: Fri Apr 24 18:44:56 2020 +0200 mtd: rawnand: marvell: Fix the condition on a return code commit c27075772d1f1c8aaf276db9943b35adda8a8b65 upstream. In a previous fix, I changed the condition on which the timeout of an IRQ is reached from: if (!ret) into: if (ret && !pending) While having a non-zero return code is usual in the Linux kernel, here ret comes from a wait_for_completion_timeout() which returns 0 when the waiting period is too long. Hence, the revised condition should be: if (!ret && !pending) The faulty patch did not produce any error because of the !pending condition so this change is finally purely cosmetic and does not change the actual driver behavior. Fixes: cafb56dd741e ("mtd: rawnand: marvell: prevent timeouts on a loaded machine") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 7ce1c27ff3233a34d55db9157a895a7ae9d6cbc0 Author: Sergei Shtylyov Date: Mon Apr 20 22:13:58 2020 +0300 mtd: spi-nor: spansion: fix writes on S25FS512S commit 5587fa489747a8e6cbd0558890458c862b797485 upstream. Spansion S25FS-S family has an issue in the Basic Flash Parameter Table (BFPT): Dword-11 bits 7:4 specify a page size of 512 bytes. Actually this is configurable in the vendor unique register (CR3V) and even the factory default setting is to "wrap at 256 bytes", so blindly relying on BFPT breaks the page writes on these chips. Add the post-BFPT fixup which restores the default page size of 256 bytes -- to properly read CR3V this early is quite intrusive and should better be done as a new feature; Alexander Sverdlin had the patch doing that: https://patchwork.ozlabs.org/project/linux-mtd/patch/20200227123657.26030-1-alexander.sverdlin@nokia.com/ Fixes: dfd2b74530e ("mtd: spi-nor: add Spansion S25FS512S ID") Signed-off-by: Sergei Shtylyov Reviewed-by: Alexander Sverdlin Tested-by: Kuldeep Singh Signed-off-by: Tudor Ambarus Signed-off-by: Greg Kroah-Hartman commit 58fe8bb094f1dd0e9423903583efde5970e9f5f6 Author: Mantas Pucka Date: Wed Apr 15 16:48:30 2020 +0300 mtd: spi-nor: winbond: Fix 4-byte opcode support for w25q256 commit e8aec15dd5842b5b11b0e621a2293348d3574a61 upstream. There are 2 different chips (w25q256fv and w25q256jv) that share the same JEDEC ID. Only w25q256jv fully supports 4-byte opcodes. Use SFDP header version to differentiate between them. Fixes: 10050a02f7d5 ("mtd: spi-nor: Add 4B_OPCODES flag to w25q256") Signed-off-by: Mantas Pucka Signed-off-by: Tudor Ambarus Signed-off-by: Greg Kroah-Hartman commit 4590ea420ecf0219edd3d27ff4731aaa4534bde5 Author: Jeffrey Hugo Date: Thu May 28 07:22:05 2020 -0700 clk: qcom: Add missing msm8998 ufs_unipro_core_clk_src commit b1e8d713e6b2d59ee3a7b57c0dab88a19ec0cf33 upstream. ufs_unipro_core_clk_src is required to allow UFS to clock scale for power savings. Fixes: b5f5f525c547 ("clk: qcom: Add MSM8998 Global Clock Control (GCC) driver") Signed-off-by: Jeffrey Hugo Link: https://lkml.kernel.org/r/20200528142205.44003-1-jeffrey.l.hugo@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit a516f0cf396bc72d7338eebe3b4757efda6ffb1b Author: Aharon Landau Date: Mon Apr 27 18:46:36 2020 +0300 RDMA/mlx5: Verify that QP is created with RQ or SQ commit 0eacc574aae7300bf46c10c7116c3ba5825505b7 upstream. RAW packet QP and underlay QP must be created with either RQ or SQ, check that. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Link: https://lore.kernel.org/r/20200427154636.381474-37-leon@kernel.org Signed-off-by: Aharon Landau Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 7c0eb53b7ed4d4f568dc0f007dd955f06d78abad Author: Maulik Shah Date: Sun Apr 12 20:20:04 2020 +0530 soc: qcom: rpmh-rsc: Allow using free WAKE TCS for active request commit 38427e5a47bf83299da930bd474c6cb2632ad810 upstream. When there are more than one WAKE TCS available and there is no dedicated ACTIVE TCS available, invalidating all WAKE TCSes and waiting for current transfer to complete in first WAKE TCS blocks using another free WAKE TCS to complete current request. Remove rpmh_rsc_invalidate() to happen from tcs_write() when WAKE TCSes is re-purposed to be used for Active mode. Clear only currently used WAKE TCS's register configuration. Fixes: 2de4b8d33eab (drivers: qcom: rpmh-rsc: allow active requests from wake TCS) Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-7-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 00681e0789866694fa40ff771e5e93e57af5d513 Author: Raju P.L.S.S.S.N Date: Sun Apr 12 20:20:03 2020 +0530 soc: qcom: rpmh-rsc: Clear active mode configuration for wake TCS commit 15b3bf61b8d48f8e0ccd9d7f1bcb468b543da396 upstream. For RSCs that have sleep & wake TCS but no dedicated active TCS, wake TCS can be re-purposed to send active requests. Once the active requests are sent and response is received, the active mode configuration needs to be cleared so that controller can use wake TCS for sending wake requests. Introduce enable_tcs_irq() to enable completion IRQ for repurposed TCSes. Fixes: 2de4b8d33eab (drivers: qcom: rpmh-rsc: allow active requests from wake TCS) Signed-off-by: Raju P.L.S.S.S.N [mkshah: call enable_tcs_irq() within drv->lock, update commit message] Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-6-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit c7a17679e3fd3bc46a4b710458f91a4df41265ac Author: Maulik Shah Date: Sun Apr 12 20:20:01 2020 +0530 soc: qcom: rpmh: Invalidate SLEEP and WAKE TCSes before flushing new data commit f5ac95f9ca2f439179a5baf48e1c0f22f83d936e upstream. TCSes have previously programmed data when rpmh_flush() is called. This can cause old data to trigger along with newly flushed. Fix this by cleaning SLEEP and WAKE TCSes before new data is flushed. With this there is no need to invoke rpmh_rsc_invalidate() call from rpmh_invalidate(). Simplify rpmh_invalidate() by moving invalidate_batch() inside. Fixes: 600513dfeef3 ("drivers: qcom: rpmh: cache sleep/wake state requests") Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-4-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 800014229cea9378042dd11710b122089f3aa0dc Author: Maulik Shah Date: Sun Apr 12 20:20:00 2020 +0530 soc: qcom: rpmh: Update dirty flag only when data changes commit bb7000677a1b287206c8d4327c62442fa3050a8f upstream. Currently rpmh ctrlr dirty flag is set for all cases regardless of data is really changed or not. Add changes to update dirty flag when data is changed to newer values. Update dirty flag everytime when data in batch cache is updated since rpmh_flush() may get invoked from any CPU instead of only last CPU going to low power mode. Also move dirty flag updates to happen from within cache_lock and remove unnecessary INIT_LIST_HEAD() call and a default case from switch. Fixes: 600513dfeef3 ("drivers: qcom: rpmh: cache sleep/wake state requests") Signed-off-by: Maulik Shah Reviewed-by: Srinivas Rao L Reviewed-by: Evan Green Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-3-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 783f787dfd8cbdf54171774ccd4a91e836caeb86 Author: Jin Yao Date: Thu Apr 9 15:07:55 2020 +0800 perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode commit 0e0bf1ea1147fcf74eab19c2d3c853cc3740a72f upstream. As the code comments in perf_stat_process_counter() say, we calculate counter's data every interval, and the display code shows ps->res_stats avg value. We need to zero the stats for interval mode. But the current code only zeros the res_stats[0], it doesn't zero the res_stats[1] and res_stats[2], which are for ena and run of counter. This patch zeros the whole res_stats[] for interval mode. Fixes: 51fd2df1e882 ("perf stat: Fix interval output values") Signed-off-by: Jin Yao Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jin Yao Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20200409070755.17261-1-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit be95ded2aee1503d66a2eb0bc37de9f3a112c2c7 Author: Bjorn Helgaas Date: Tue Apr 7 18:23:15 2020 -0500 PCI/PM: Call .bridge_d3() hook only if non-NULL commit c3aaf086701d05a82c8156ee8620af41e5a7d6fe upstream. 26ad34d510a8 ("PCI / ACPI: Whitelist D3 for more PCIe hotplug ports") added the struct pci_platform_pm_ops.bridge_d3() function pointer and platform_pci_bridge_d3() to use it. The .bridge_d3() op is implemented by acpi_pci_platform_pm, but not by mid_pci_platform_pm. We don't expect platform_pci_bridge_d3() to be called on Intel MID platforms, but nothing in the code itself would prevent that. Check the .bridge_d3() pointer for NULL before calling it. Fixes: 26ad34d510a8 ("PCI / ACPI: Whitelist D3 for more PCIe hotplug ports") Signed-off-by: Bjorn Helgaas Reviewed-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 7e655371a5471eecf152f05c55de6531e23c5918 Author: Zhu Yanjun Date: Mon Apr 6 20:35:01 2020 +0300 RDMA/rxe: Set default vendor ID commit 0184afd15a141d7ce24c32c0d86a1e3ba6bc0eb3 upstream. The RXE driver doesn't set vendor_id and user space applications see zeros. This causes to pyverbs tests to fail with the following traceback, because the expectation is to have valid vendor_id. Traceback (most recent call last): File "tests/test_device.py", line 51, in test_query_device self.verify_device_attr(attr) File "tests/test_device.py", line 77, in verify_device_attr assert attr.vendor_id != 0 In order to fix it, we will set vendor_id 0XFFFFFF, according to the IBTA v1.4 A3.3.1 VENDOR INFORMATION section. """ A vendor that produces a generic controller (i.e., one that supports a standard I/O protocol such as SRP), which does not have vendor specific device drivers, may use the value of 0xFFFFFF in the VendorID field. """ Before: hca_id: rxe0 transport: InfiniBand (0) fw_ver: 0.0.0 node_guid: 5054:00ff:feaa:5363 sys_image_guid: 5054:00ff:feaa:5363 vendor_id: 0x0000 After: hca_id: rxe0 transport: InfiniBand (0) fw_ver: 0.0.0 node_guid: 5054:00ff:feaa:5363 sys_image_guid: 5054:00ff:feaa:5363 vendor_id: 0xffffff Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20200406173501.1466273-1-leon@kernel.org Signed-off-by: Zhu Yanjun Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 55a9c3e08f0ac68847f31924dd6a94c3245ed6d6 Author: Tomer Tayar Date: Wed Apr 1 19:30:29 2020 +0300 habanalabs: Align protection bits configuration of all TPCs commit 79c823c57e69d9e584a5ee4ee6406eb3854393ae upstream. Align the protection bits configuration of all TPC cores to be as of TPC core 0. Fixes: a513f9a7eca5 ("habanalabs: make tpc registers secured") Signed-off-by: Tomer Tayar Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Greg Kroah-Hartman commit e1753e3d3bd1c738a660d5a37f30dc86c4fc5e99 Author: John Johansen Date: Mon Mar 30 23:37:54 2020 -0700 apparmor: ensure that dfa state tables have entries commit c27c6bd2c4d6b6bb779f9b722d5607993e1d5e5c upstream. Currently it is possible to specify a state machine table with 0 length, this is not valid as optional tables are specified by not defining the table as present. Further this allows by-passing the base tables range check against the next/check tables. Fixes: d901d6a298dc ("apparmor: dfa split verification of table headers") Reported-by: Mike Salvatore Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit 0e54b8db0ceb27cd22c175b21f8b190a488a516d Author: Peter Ujfalusi Date: Fri Mar 27 16:42:28 2020 +0200 dmaengine: ti: k3-udma: Disable memcopy via MCU NAVSS on am654 commit a4e688535a0829980d5ef1516c0713777a874c62 upstream. Trace of a test for DMA memcpy domains slipped into the glue layer commit. The memcpy support should be disabled on the MCU UDMAP. Fixes: d702419134133 ("dmaengine: ti: k3-udma: Add glue layer for non DMAengine users") Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200327144228.11101-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 0049ece1a8e92f1e5c9603f41a2af24214f4a050 Author: Srinivas Kandagatla Date: Thu Mar 19 12:14:18 2020 +0000 soc: qcom: socinfo: add missing soc_id sysfs entry commit 27a344139c186889d742764d3c2a62b395949cef upstream. Looks like SoC ID is not exported to sysfs for some reason. This patch adds it! This is mostly used by userspace libraries like Snapdragon Neural Processing Engine (SNPE) SDK for checking supported SoC info. Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver") Reviewed-by: Stephen Boyd Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200319121418.5180-1-srinivas.kandagatla@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 79bef940ec6cb2a93e8aad776bd66b505faffd6b Author: Sean Wang Date: Sun Mar 8 14:34:37 2020 +0800 arm: dts: mt7623: add phy-mode property for gmac2 commit ff5b89c2858f28006f9f9c0a88c55a679488192c upstream. Add phy-mode property required by phylink on gmac2 Fixes: b8fc9f30821e ("net: ethernet: mediatek: Add basic PHYLINK support") Signed-off-by: Sean Wang Link: https://lore.kernel.org/r/70e3eff31ecd500ed4862d9de28325a4dbd15105.1583648927.git.sean.wang@mediatek.com Signed-off-by: Matthias Brugger Signed-off-by: Greg Kroah-Hartman commit 81fe8b27be9da372ff6ee863344ac804a29f5ac3 Author: Kevin Buettner Date: Sat Jul 18 00:20:03 2020 -0700 copy_xstate_to_kernel: Fix typo which caused GDB regression commit 5714ee50bb4375bd586858ad800b1d9772847452 upstream. This fixes a regression encountered while running the gdb.base/corefile.exp test in GDB's test suite. In my testing, the typo prevented the sw_reserved field of struct fxregs_state from being output to the kernel XSAVES area. Thus the correct mask corresponding to XCR0 was not present in the core file for GDB to interrogate, resulting in the following behavior: [kev@f32-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core Reading symbols from testsuite/outputs/gdb.base/corefile/corefile... [New LWP 232880] warning: Unexpected size of section `.reg-xstate/232880' in core file. With the typo fixed, the test works again as expected. Signed-off-by: Kevin Buettner Fixes: 9e4636545933 ("copy_xstate_to_kernel(): don't leave parts of destination uninitialized") Cc: Al Viro Cc: Dave Airlie Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e71a2f5a4c8732f98edc49dfcbc98408d8a0a384 Author: Douglas Anderson Date: Wed Jul 15 16:46:15 2020 -0700 regmap: debugfs: Don't sleep while atomic for fast_io regmaps [ Upstream commit 299632e54b2e692d2830af84be51172480dc1e26 ] If a regmap has "fast_io" set then its lock function uses a spinlock. That doesn't work so well with the functions: * regmap_cache_only_write_file() * regmap_cache_bypass_write_file() Both of the above functions have the pattern: 1. Lock the regmap. 2. Call: debugfs_write_file_bool() copy_from_user() __might_fault() __might_sleep() Let's reorder things a bit so that we do all of our sleepable functions before we grab the lock. Fixes: d3dc5430d68f ("regmap: debugfs: Allow writes to cache state settings") Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20200715164611.1.I35b3533e8a80efde0cec1cc70f71e1e74b2fa0da@changeid Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8313492d3aec2ce166c04999ef4a56425195ed76 Author: Anthony Iliopoulos Date: Tue Jul 14 13:11:59 2020 +0200 nvme: explicitly update mpath disk capacity on revalidation [ Upstream commit 05b29021fba5e725dd385151ef00b6340229b500 ] Commit 3b4b19721ec652 ("nvme: fix possible deadlock when I/O is blocked") reverted multipath head disk revalidation due to deadlocks caused by holding the bd_mutex during revalidate. Updating the multipath disk blockdev size is still required though for userspace to be able to observe any resizing while the device is mounted. Directly update the bdev inode size to avoid unnecessarily holding the bdev->bd_mutex. Fixes: 3b4b19721ec652 ("nvme: fix possible deadlock when I/O is blocked") Signed-off-by: Anthony Iliopoulos Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 889fbfd149fcf41e01ddb35b556c18e2bb49c440 Author: Wei Yongjun Date: Wed Jul 15 23:28:38 2020 +0100 keys: asymmetric: fix error return code in software_key_query() [ Upstream commit 6cbba1f9114a8134cff9138c79add15012fd52b9 ] Fix to return negative error code -ENOMEM from kmalloc() error handling case instead of 0, as done elsewhere in this function. Fixes: f1774cb8956a ("X.509: parse public key parameters from x509 for akcipher") Signed-off-by: Wei Yongjun Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 76ffd155ced102d34abb1a8be0fa65b1a31b9538 Author: Krzysztof Kozlowski Date: Mon Jun 29 10:16:29 2020 +0200 arm64: dts: spcfpga: Align GIC, NAND and UART nodenames with dtschema [ Upstream commit 681a5c71fb829fc2193e3bb524af41525477f5c3 ] Fix dtschema validator warnings like: intc@fffc1000: $nodename:0: 'intc@fffc1000' does not match '^interrupt-controller(@[0-9a-f,]+)*$' Fixes: 78cd6a9d8e15 ("arm64: dts: Add base stratix 10 dtsi") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit 7e8c2250932957c67a846f5b54de6b758f708a5d Author: Krzysztof Kozlowski Date: Fri Jun 26 10:06:02 2020 +0200 ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema [ Upstream commit d7adfe5ffed9faa05f8926223086b101e14f700d ] Fix dtschema validator warnings like: l2-cache@fffff000: $nodename:0: 'l2-cache@fffff000' does not match '^(cache-controller|cpu)(@[0-9a-f,]+)*$' Fixes: 475dc86d08de ("arm: dts: socfpga: Add a base DTSI for Altera's Arria10 SOC") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit fe3b01c6588829a4a5d89e4b6d4254087aa40f20 Author: Colin Ian King Date: Wed Jul 15 17:26:04 2020 +0100 xprtrdma: fix incorrect header size calculations [ Upstream commit 912288442cb2f431bf3c8cb097a5de83bc6dbac1 ] Currently the header size calculations are using an assignment operator instead of a += operator when accumulating the header size leading to incorrect sizes. Fix this by using the correct operator. Addresses-Coverity: ("Unused value") Fixes: 302d3deb2068 ("xprtrdma: Prevent inline overflow") Signed-off-by: Colin Ian King Reviewed-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 821c341fb0864df59320cb081178a29c20cb2a8d Author: Enric Balletbo i Serra Date: Tue Jul 7 12:34:12 2020 +0200 Revert "thermal: mediatek: fix register index error" [ Upstream commit a8f62f183021be389561570ab5f8c701a5e70298 ] This reverts commit eb9aecd90d1a39601e91cd08b90d5fee51d321a6 The above patch is supposed to fix a register index error on mt2701. It is not clear if the problem solved is a hang or just an invalid value returned, my guess is the second. The patch introduces, though, a new hang on MT8173 device making them unusable. So, seems reasonable, revert the patch because introduces a worst issue. The reason I send a revert instead of trying to fix the issue for MT8173 is because the information needed to fix the issue is in the datasheet and is not public. So I am not really able to fix it. Fixes the following bug when CONFIG_MTK_THERMAL is set on MT8173 devices. [ 2.222488] Unable to handle kernel paging request at virtual address ffff8000125f5001 [ 2.230421] Mem abort info: [ 2.233207] ESR = 0x96000021 [ 2.236261] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.241571] SET = 0, FnV = 0 [ 2.244623] EA = 0, S1PTW = 0 [ 2.247762] Data abort info: [ 2.250640] ISV = 0, ISS = 0x00000021 [ 2.254473] CM = 0, WnR = 0 [ 2.257544] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041850000 [ 2.264251] [ffff8000125f5001] pgd=000000013ffff003, pud=000000013fffe003, pmd=000000013fff9003, pte=006800001100b707 [ 2.274867] Internal error: Oops: 96000021 [#1] PREEMPT SMP [ 2.280432] Modules linked in: [ 2.283483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.7.0-rc6+ #162 [ 2.289914] Hardware name: Google Elm (DT) [ 2.294003] pstate: 20000005 (nzCv daif -PAN -UAO) [ 2.298792] pc : mtk_read_temp+0xb8/0x1c8 [ 2.302793] lr : mtk_read_temp+0x7c/0x1c8 [ 2.306794] sp : ffff80001003b930 [ 2.310100] x29: ffff80001003b930 x28: 0000000000000000 [ 2.315404] x27: 0000000000000002 x26: ffff0000f9550b10 [ 2.320709] x25: ffff0000f9550a80 x24: 0000000000000090 [ 2.326014] x23: ffff80001003ba24 x22: 00000000610344c0 [ 2.331318] x21: 0000000000002710 x20: 00000000000001f4 [ 2.336622] x19: 0000000000030d40 x18: ffff800011742ec0 [ 2.341926] x17: 0000000000000001 x16: 0000000000000001 [ 2.347230] x15: ffffffffffffffff x14: ffffff0000000000 [ 2.352535] x13: ffffffffffffffff x12: 0000000000000028 [ 2.357839] x11: 0000000000000003 x10: ffff800011295ec8 [ 2.363143] x9 : 000000000000291b x8 : 0000000000000002 [ 2.368447] x7 : 00000000000000a8 x6 : 0000000000000004 [ 2.373751] x5 : 0000000000000000 x4 : ffff800011295cb0 [ 2.379055] x3 : 0000000000000002 x2 : ffff8000125f5001 [ 2.384359] x1 : 0000000000000001 x0 : ffff0000f9550a80 [ 2.389665] Call trace: [ 2.392105] mtk_read_temp+0xb8/0x1c8 [ 2.395760] of_thermal_get_temp+0x2c/0x40 [ 2.399849] thermal_zone_get_temp+0x78/0x160 [ 2.404198] thermal_zone_device_update.part.0+0x3c/0x1f8 [ 2.409589] thermal_zone_device_update+0x34/0x48 [ 2.414286] of_thermal_set_mode+0x58/0x88 [ 2.418375] thermal_zone_of_sensor_register+0x1a8/0x1d8 [ 2.423679] devm_thermal_zone_of_sensor_register+0x64/0xb0 [ 2.429242] mtk_thermal_probe+0x690/0x7d0 [ 2.433333] platform_drv_probe+0x5c/0xb0 [ 2.437335] really_probe+0xe4/0x448 [ 2.440901] driver_probe_device+0xe8/0x140 [ 2.445077] device_driver_attach+0x7c/0x88 [ 2.449252] __driver_attach+0xac/0x178 [ 2.453082] bus_for_each_dev+0x78/0xc8 [ 2.456909] driver_attach+0x2c/0x38 [ 2.460476] bus_add_driver+0x14c/0x230 [ 2.464304] driver_register+0x6c/0x128 [ 2.468131] __platform_driver_register+0x50/0x60 [ 2.472831] mtk_thermal_driver_init+0x24/0x30 [ 2.477268] do_one_initcall+0x50/0x298 [ 2.481098] kernel_init_freeable+0x1ec/0x264 [ 2.485450] kernel_init+0x1c/0x110 [ 2.488931] ret_from_fork+0x10/0x1c [ 2.492502] Code: f9401081 f9400402 b8a67821 8b010042 (b9400042) [ 2.498599] ---[ end trace e43e3105ed27dc99 ]--- [ 2.503367] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 2.511020] SMP: stopping secondary CPUs [ 2.514941] Kernel Offset: disabled [ 2.518421] CPU features: 0x090002,25006005 [ 2.522595] Memory Limit: none [ 2.525644] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]-- Cc: Michael Kao Fixes: eb9aecd90d1a ("thermal: mediatek: fix register index error") Signed-off-by: Enric Balletbo i Serra Reviewed-by: Matthias Brugger Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200707103412.1010823-1-enric.balletbo@collabora.com Signed-off-by: Sasha Levin commit 340aac6efdd3b5a85fc76c1570740e72f90c0b95 Author: dillon min Date: Tue Jul 14 14:35:07 2020 +0800 ARM: dts: Fix dcan driver probe failed on am437x platform [ Upstream commit 2a4117df9b436a0e4c79d211284ab2097bcd00dc ] Got following d_can probe errors with kernel 5.8-rc1 on am437x [ 10.730822] CAN device driver interface Starting Wait for Network to be Configured... [ OK ] Reached target Network. [ 10.787363] c_can_platform 481cc000.can: probe failed [ 10.792484] c_can_platform: probe of 481cc000.can failed with error -2 [ 10.799457] c_can_platform 481d0000.can: probe failed [ 10.804617] c_can_platform: probe of 481d0000.can failed with error -2 actually, Tony has fixed this issue on am335x with the patch [3] Since am437x has the same clock structure with am335x [1][2], so reuse the code from Tony Lindgren's patch [3] to fix it. [1]: https://www.ti.com/lit/pdf/spruh73 Chapter-23, Figure 23-1. DCAN Integration [2]: https://www.ti.com/lit/pdf/spruhl7 Chapter-25, Figure 25-1. DCAN Integration [3]: commit 516f1117d0fb ("ARM: dts: Configure osc clock for d_can on am335x") Fixes: 1a5cd7c23cc5 ("bus: ti-sysc: Enable all clocks directly during init to read revision") Signed-off-by: dillon min [tony@atomide.com: aligned commit message a bit for readability] Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 5e870c75e1536acc25edaaeebe7995670417bfff Author: Vasily Averin Date: Thu Jun 25 12:39:51 2020 +0300 fuse: don't ignore errors from fuse_writepages_fill() [ Upstream commit 7779b047a57f6824a43d0e1f70de2741b7426b9d ] fuse_writepages() ignores some errors taken from fuse_writepages_fill() I believe it is a bug: if .writepages is called with WB_SYNC_ALL it should either guarantee that all data was successfully saved or return error. Fixes: 26d614df1da9 ("fuse: Implement writepages callback") Signed-off-by: Vasily Averin Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit f247ab500974a21061058a115b315cee7969d05d Author: Anna Schumaker Date: Wed Jul 8 10:33:40 2020 -0400 NFS: Fix interrupted slots by sending a solo SEQUENCE operation [ Upstream commit 913fadc5b105c3619d9e8d0fe8899ff1593cc737 ] We used to do this before 3453d5708b33, but this was changed to better handle the NFS4ERR_SEQ_MISORDERED error code. This commit fixed the slot re-use case when the server doesn't receive the interrupted operation, but if the server does receive the operation then it could still end up replying to the client with mis-matched operations from the reply cache. We can fix this by sending a SEQUENCE to the server while recovering from a SEQ_MISORDERED error when we detect that we are in an interrupted slot situation. Fixes: 3453d5708b33 (NFSv4.1: Avoid false retries when RPC calls are interrupted) Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit a6793b643d90f7c04ac7c8b07cf0a28b44198969 Author: Chuck Lever Date: Sat Jun 27 12:35:20 2020 -0400 xprtrdma: Fix handling of connect errors [ Upstream commit af667527b0e34912d2cb3586d585f66db4e4f486 ] Ensure that the connect worker is awoken if an attempt to establish a connection is unsuccessful. Otherwise the worker waits forever and the transport workload hangs. Connect errors should not attempt to destroy the ep, since the connect worker continues to use it after the handler runs, so these errors are now handled independently of DISCONNECTED events. Reported-by: Dan Aloni Fixes: e28ce90083f0 ("xprtrdma: kmalloc rpcrdma_ep separate from rpcrdma_xprt") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit b158bdd71ef550981bdac7a9bf63cd4f163f3bb8 Author: Chuck Lever Date: Sat Jun 27 12:35:15 2020 -0400 xprtrdma: Fix return code from rpcrdma_xprt_connect() [ Upstream commit dda9a951dd6dd6073bbaf2c8d3119da2f8fe2d5b ] I noticed that when rpcrdma_xprt_connect() returns -ENOMEM, instead of retrying the connect, the RPC client kills the RPC task that requested the connection. We want a retry here. Fixes: cb586decbb88 ("xprtrdma: Make sendctx queue lifetime the same as connection lifetime") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 9e2e58d1d360947ff8b4f772a16ad32cb3c0589b Author: Chuck Lever Date: Sat Jun 27 12:35:09 2020 -0400 xprtrdma: Fix recursion into rpcrdma_xprt_disconnect() [ Upstream commit 4cf44be6f1e86da302085bf3e1dc2c86f3cdaaaa ] Both Dan and I have observed two processes invoking rpcrdma_xprt_disconnect() concurrently. In my case: 1. The connect worker invokes rpcrdma_xprt_disconnect(), which drains the QP and waits for the final completion 2. This causes the newly posted Receive to flush and invoke xprt_force_disconnect() 3. xprt_force_disconnect() sets CLOSE_WAIT and wakes up the RPC task that is holding the transport lock 4. The RPC task invokes xprt_connect(), which calls ->ops->close 5. xprt_rdma_close() invokes rpcrdma_xprt_disconnect(), which tries to destroy the QP. Deadlock. To prevent xprt_force_disconnect() from waking anything, handle the clean up after a failed connection attempt in the xprt's sndtask. The retry loop is removed from rpcrdma_xprt_connect() to ensure that the newly allocated ep and id are properly released before a REJECTED connection attempt can be retried. Reported-by: Dan Aloni Fixes: e28ce90083f0 ("xprtrdma: kmalloc rpcrdma_ep separate from rpcrdma_xprt") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 05626795cddba6db062343633e77ea69a00592ae Author: Chuck Lever Date: Sat Jun 27 12:35:04 2020 -0400 xprtrdma: Fix double-free in rpcrdma_ep_create() [ Upstream commit 85bfd71bc34e20d9fadb745131f6314c36d0f75b ] In the error paths, there's no need to call kfree(ep) after calling rpcrdma_ep_put(ep). Fixes: e28ce90083f0 ("xprtrdma: kmalloc rpcrdma_ep separate from rpcrdma_xprt") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 674c07adb8310683b3cab7b5c458d97fbcb0d31f Author: Eddie James Date: Thu Jul 9 14:57:05 2020 -0500 clk: AST2600: Add mux for EMMC clock [ Upstream commit c2407ab3bd55064d459bc822efd1c134e852798c ] The EMMC clock can be derived from either the HPLL or the MPLL. Register a clock mux so that the rate is calculated correctly based upon the parent. Signed-off-by: Eddie James Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20200709195706.12741-2-eajames@linux.ibm.com Acked-by: Joel Stanley Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 22d643054af634ced5de8061324b8d421a5a381a Author: Nathan Chancellor Date: Wed Jul 1 13:11:29 2020 -0700 clk: mvebu: ARMADA_AP_CPU_CLK needs to select ARMADA_AP_CP_HELPER [ Upstream commit 8e3709d7e3a67e2d3f42bd1fc2052353a5678944 ] When building arm32 allmodconfig: ld.lld: error: undefined symbol: ap_cp_unique_name >>> referenced by ap-cpu-clk.c >>> clk/mvebu/ap-cpu-clk.o:(ap_cpu_clock_probe) in archive drivers/built-in.a ap_cp_unique_name is only compiled into the kernel image when CONFIG_ARMADA_AP_CP_HELPER is selected (as it is not user selectable). However, CONFIG_ARMADA_AP_CPU_CLK does not select it. This has been a problem since the driver was added to the kernel but it was not built before commit c318ea261749 ("cpufreq: ap806: fix cpufreq driver needs ap cpu clk") so it was never noticed. Fixes: f756e362d938 ("clk: mvebu: add CPU clock driver for Armada 7K/8K") Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20200701201128.2448427-1-natechancellor@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 66554c2292aa02de88bdffb1a822d59752541e67 Author: Andy Shevchenko Date: Tue Jul 7 00:49:03 2020 +0300 serial: core: Initialise spin lock before use in uart_configure_port() [ Upstream commit f743061a85f5e9989df22ccbf07c80c98fc90e08 ] The comment near to uart_port_spin_lock_init() says: Ensure that the serial console lock is initialised early. If this port is a console, then the spinlock is already initialised. and there is nothing about enabled or disabled consoles. The commit a3cb39d258ef ("serial: core: Allow detach and attach serial device for console") made a change, which follows the comment, and also to prevent reinitialisation of the lock in use, when user detaches and attaches back the same console device. But this change discovers another issue, that uart_add_one_port() tries to access a spin lock that now may be uninitialised. This happens when a driver expects the serial core to register a console on its behalf. In this case we must initialise a spin lock before use. Fixes: a3cb39d258ef ("serial: core: Allow detach and attach serial device for console") Reported-by: Marc Zyngier Reported-by: Lad Prabhakar Reported-by: Guenter Roeck Reported-by: Anatoly Pugachev Acked-by: Marc Zyngier Tested-by: Tony Lindgren Cc: Geert Uytterhoeven Signed-off-by: Andy Shevchenko Tested-by: Lad Prabhakar Link: https://lore.kernel.org/r/20200706214903.56148-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4b32f8dbb8c9fdec9c63f36db961ce07dcf64bab Author: Dan Carpenter Date: Thu Jul 9 13:29:36 2020 +0300 staging: comedi: verify array index is correct before using it [ Upstream commit ef75e14a6c935eec82abac07ab68e388514e39bc ] This code reads from the array before verifying that "trig" is a valid index. If the index is wildly out of bounds then reading from an invalid address could lead to an Oops. Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions") Signed-off-by: Dan Carpenter Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/20200709102936.GA20875@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c796ed3590463c467efa2b9241bce25389c321be Author: Michał Mirosław Date: Thu May 28 20:35:54 2020 +0200 usb: gadget: udc: atmel: fix uninitialized read in debug printk [ Upstream commit 30517ffeb3bff842e1355cbc32f1959d9dbb5414 ] Fixed commit moved the assignment of 'req', but did not update a reference in the DBG() call. Use the argument as it was renamed. Fixes: 5fb694f96e7c ("usb: gadget: udc: atmel: fix possible oops when unloading module") Signed-off-by: Michał Mirosław Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 170852d10334fc7d71779ec3077d3e1f9c326b1c Author: Marc Kleine-Budde Date: Mon Jul 6 16:34:34 2020 +0200 spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate [ Upstream commit ed7815db70d17b1741883f2da8e1d80bc2efe517 ] A SPI transfer defines the _maximum_ speed of the SPI transfer. However the driver doesn't take into account that the clock divider is always rounded down (due to integer arithmetics). This results in a too high clock rate for the SPI transfer. E.g.: with a mclk_rate of 24 MHz and a SPI transfer speed of 10 MHz, the original code calculates a reg of "0", which results in a effective divider of "2" and a 12 MHz clock for the SPI transfer. This patch fixes the issue by using DIV_ROUND_UP() instead of a plain integer division. While there simplify the divider calculation for the CDR1 case, use order_base_2() instead of two ilog2() calculations. Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver") Signed-off-by: Marc Kleine-Budde Acked-by: Maxime Ripard Link: https://lore.kernel.org/r/20200706143443.9855-2-mkl@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a65230dc5a22d4a7f7b5ebd94b6927088b9755fe Author: Peter Ujfalusi Date: Wed Jul 1 13:12:25 2020 +0300 dmaengine: dmatest: stop completed threads when running without set channel [ Upstream commit fd17d1abce426b4224a916a242b57be94272771b ] The completed threads were not cleared and consequent run would result threads accumulating: echo 800000 > /sys/module/dmatest/parameters/test_buf_size echo 2000 > /sys/module/dmatest/parameters/timeout echo 50 > /sys/module/dmatest/parameters/iterations echo 1 > /sys/module/dmatest/parameters/max_channels echo "" > /sys/module/dmatest/parameters/channel [ 237.507265] dmatest: Added 1 threads using dma1chan2 echo 1 > /sys/module/dmatest/parameters/run [ 244.713360] dmatest: Started 1 threads using dma1chan2 [ 246.117680] dmatest: dma1chan2-copy0: summary 50 tests, 0 failures 2437.47 iops 977623 KB/s (0) echo 1 > /sys/module/dmatest/parameters/run [ 292.381471] dmatest: No channels configured, continue with any [ 292.389307] dmatest: Added 1 threads using dma1chan3 [ 292.394302] dmatest: Started 1 threads using dma1chan2 [ 292.399454] dmatest: Started 1 threads using dma1chan3 [ 293.800835] dmatest: dma1chan3-copy0: summary 50 tests, 0 failures 2624.53 iops 975014 KB/s (0) echo 1 > /sys/module/dmatest/parameters/run [ 307.301429] dmatest: No channels configured, continue with any [ 307.309212] dmatest: Added 1 threads using dma1chan4 [ 307.314197] dmatest: Started 1 threads using dma1chan2 [ 307.319343] dmatest: Started 1 threads using dma1chan3 [ 307.324492] dmatest: Started 1 threads using dma1chan4 [ 308.730773] dmatest: dma1chan4-copy0: summary 50 tests, 0 failures 2390.28 iops 965436 KB/s (0) Fixes: 6b41030fdc79 ("dmaengine: dmatest: Restore default for channel") Reported-by: Grygorii Strashko Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200701101225.8607-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 838f21b2e14d6d555aade5f2ece41be09750f0b3 Author: Andy Shevchenko Date: Sun Jul 5 14:56:20 2020 +0300 dmaengine: dw: Initialize channel before each transfer [ Upstream commit 99ba8b9b0d9780e9937eb1d488d120e9e5c2533d ] In some cases DMA can be used only with a consumer which does runtime power management and on the platforms, that have DMA auto power gating logic (see comments in the drivers/acpi/acpi_lpss.c), may result in DMA losing its context. Simple mitigation of this issue is to initialize channel each time the consumer initiates a transfer. Fixes: cfdf5b6cc598 ("dw_dmac: add support for Lynxpoint DMA controllers") Reported-by: Tsuchiya Yuto Signed-off-by: Andy Shevchenko Acked-by: Viresh Kumar BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206403 Link: https://lore.kernel.org/r/20200705115620.51929-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 873e48c465649c04993d063beddc6472967da4ff Author: Christophe JAILLET Date: Sun May 17 11:59:53 2020 +0200 iio: adc: ad7780: Fix a resource handling path in 'ad7780_probe()' [ Upstream commit b0536f9826a5ed3328d527b4fc1686867a9f3041 ] If 'ad7780_init_gpios()' fails, we must not release some resources that have not been allocated yet. Return directly instead. Fixes: 5bb30e7daf00 ("staging: iio: ad7780: move regulator to after GPIO init") Fixes: 9085daa4abcc ("staging: iio: ad7780: add gain & filter gpio support") Signed-off-by: Christophe JAILLET Acked-by: Renato Lui Geh Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 20dac5a3eb4befab22cf3f4cf5f6d3fefe2de8ab Author: Tony Lindgren Date: Thu Jul 2 13:57:14 2020 -0700 bus: ti-sysc: Do not disable on suspend for no-idle [ Upstream commit a55de412228cc5a2b4bf8d2a09849898102633e2 ] If we have "ti,no-idle" specified for a module we must not disable the the module on suspend to keep things backwards compatible. Fixes: 386cb76681ca ("bus: ti-sysc: Handle missed no-idle property in addition to no-idle-on-init") Reported-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 884462339af75cb596001fe93172abcd3e502bcb Author: Tony Lindgren Date: Thu Jul 2 10:41:02 2020 -0700 bus: ti-sysc: Fix sleeping function called from invalid context for RTC quirk [ Upstream commit afe6f1eeb08f85e57f0a02b71efb5a0839606aac ] With CONFIG_DEBUG_ATOMIC_SLEEP enabled we can see the following with RTC probe: BUG: sleeping function called from invalid context at drivers/bus/ti-sysc.c:1736 ... (sysc_quirk_rtc) from [] (sysc_write_sysconfig+0x1c/0x60) (sysc_write_sysconfig) from [] (sysc_enable_module+0x11c/0x274) (sysc_enable_module) from [] (sysc_probe+0xe9c/0x1380) (sysc_probe) from [] (platform_drv_probe+0x48/0x98) Fixes: e8639e1c986a ("bus: ti-sysc: Handle module unlock quirk needed for some RTC") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 826dc08af3f16d0aba7d3308d3fe933d0cc5700e Author: Tony Lindgren Date: Thu Jul 2 10:44:20 2020 -0700 bus: ti-sysc: Fix wakeirq sleeping function called from invalid context [ Upstream commit 9f9113925018d500a95df539014d9ff11ac2c02d ] With CONFIG_DEBUG_ATOMIC_SLEEP enabled we can see the following with wakeirqs and serial console idled: BUG: sleeping function called from invalid context at drivers/bus/ti-sysc.c:242 ... (sysc_wait_softreset) from [] (sysc_enable_module+0x48/0x274) (sysc_enable_module) from [] (sysc_runtime_resume+0x19c/0x1d8) (sysc_runtime_resume) from [] (sysc_child_runtime_resume+0x58/0x84) (sysc_child_runtime_resume) from [] (__rpm_callback+0x30/0x12c) (__rpm_callback) from [] (rpm_callback+0x20/0x80) (rpm_callback) from [] (rpm_resume+0x638/0x7fc) (rpm_resume) from [] (__pm_runtime_resume+0x60/0x9c) (__pm_runtime_resume) from [] (handle_threaded_wake_irq+0x24/0x60) (handle_threaded_wake_irq) from [] (irq_thread_fn+0x1c/0x78) (irq_thread_fn) from [] (irq_thread+0x140/0x26c) We have __pm_runtime_resume() call the sysc_runtime_resume() with spinlock held and interrupts disabled. Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit f19eeb88a54abdfdee39766000c88c9b37f0bd89 Author: Dave Jiang Date: Thu Jun 25 12:16:54 2020 -0700 dmaengine: idxd: fix misc interrupt handler thread unmasking [ Upstream commit e3122822a74033ba8d6d9af855078f9ab741e33f ] Fix unmasking of misc interrupt handler when completing normal. It exits early and skips the unmasking with the current implementation. Fix to unmask interrupt when exiting normally. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/159311256528.855.11527922406329728512.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 2a2df2bd10de44c3804661ed15157817c12d6291 Author: Dave Jiang Date: Thu Jun 25 12:17:42 2020 -0700 dmaengine: idxd: cleanup workqueue config after disabling [ Upstream commit da32b28c95a79e399e18c03f8178f41aec9c66e4 ] After disabling a device, we should clean up the internal state for the wqs and zero out the configuration registers. Without doing so can cause issues when the user reprogram the wqs. Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Reported-by: Yixin Zhang Signed-off-by: Dave Jiang Tested-by: Yixin Zhang Link: https://lore.kernel.org/r/159311264246.1198.11955791213681679428.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d8fbb2b8ac3726787bbbb9df7cbc1b326c8e6c6a Author: Neil Armstrong Date: Thu Jun 18 15:27:37 2020 +0200 arm64: dts: meson-gxl-s805x: reduce initial Mali450 core frequency [ Upstream commit b2037dafcf082cd24b88ae9283af628235df36e1 ] When starting at 744MHz, the Mali 450 core crashes on S805X based boards: lima d00c0000.gpu: IRQ ppmmu3 not found lima d00c0000.gpu: IRQ ppmmu4 not found lima d00c0000.gpu: IRQ ppmmu5 not found lima d00c0000.gpu: IRQ ppmmu6 not found lima d00c0000.gpu: IRQ ppmmu7 not found Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.7.2+ #492 Hardware name: Libre Computer AML-S805X-AC (DT) pstate: 40000005 (nZcv daif -PAN -UAO) pc : lima_gp_init+0x28/0x188 ... Call trace: lima_gp_init+0x28/0x188 lima_device_init+0x334/0x534 lima_pdev_probe+0xa4/0xe4 ... Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Reverting to a safer 666Mhz frequency on the S805X that doesn't use the GP0 PLL makes it more stable. Fixes: fd47716479f5 ("ARM64: dts: add S805X based P241 board") Fixes: 0449b8e371ac ("arm64: dts: meson: add libretech aml-s805x-ac board") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20200618132737.14243-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit b3a17c8e78746ce9cbdd9ffbf04d56ee5bb52657 Author: Jerome Brunet Date: Wed Jun 17 14:53:46 2020 +0200 arm64: dts: meson: add missing gxl rng clock [ Upstream commit 95ca6f06dd4827ff63be5154120c7a8511cd9a41 ] The peripheral clock of the RNG is missing for gxl while it is present for gxbb. Fixes: 1b3f6d148692 ("ARM64: dts: meson-gx: add clock CLKID_RNG0 to hwrng node") Signed-off-by: Jerome Brunet Signed-off-by: Kevin Hilman Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20200617125346.1163527-1-jbrunet@baylibre.com Signed-off-by: Sasha Levin commit a087a731470c6c9d05cb99f72382686ac8b852ea Author: Colin Ian King Date: Thu Jun 25 13:44:28 2020 +0100 phy: sun4i-usb: fix dereference of pointer phy0 before it is null checked [ Upstream commit 38b1927e5bf9bcad4a2e33189ef1c5569f9599ba ] Currently pointer phy0 is being dereferenced via the assignment of phy on the call to phy_get_drvdata before phy0 is null checked, this can lead to a null pointer dereference. Fix this by performing the null check on phy0 before the call to phy_get_drvdata. Also replace the phy0 == NULL check with the more usual !phy0 idiom. Addresses-Coverity: ("Dereference before null check") Fixes: e6f32efb1b12 ("phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200625124428.83564-1-colin.king@canonical.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit e592f9eb98b84113d85be352691035911df64ff2 Author: Tiezhu Yang Date: Mon May 25 21:08:57 2020 +0800 phy: rockchip: Fix return value of inno_dsidphy_probe() [ Upstream commit fdc355a03df537bc8d8909b86d1688fe07c7032b ] When call function devm_platform_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Fixes: b7535a3bc0ba ("phy/rockchip: Add support for Innosilicon MIPI/LVDS/TTL PHY") Signed-off-by: Tiezhu Yang Reviewed-by: Heiko Stuebner Link: https://lore.kernel.org/r/1590412138-13903-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0e70973009d86fe281b5c917242759b724a4a62d Author: Yoshihiro Shimoda Date: Thu Jun 18 21:07:33 2020 +0900 dmaengine: sh: usb-dmac: set tx_result parameters [ Upstream commit 466257d9968ac79575831250b039dc07566c7b13 ] A client driver (renesas_usbhs) assumed that dmaengine_tx_status() could return the residue even if the transfer was completed. However, this was not correct usage [1] and this caused to break getting the residue after the commit 24461d9792c2 ("dmaengine: virt-dma: Fix access after free in vchan_complete()") actually. So, this is possible to get wrong received size if the usb controller gets a short packet. For example, g_zero driver causes "bad OUT byte" errors. To use the tx_result from the renesas_usbhs driver when the transfer is completed, set the tx_result parameters. Notes that the renesas_usbhs driver needs to update for it. [1] https://lore.kernel.org/dmaengine/20200616165550.GP2324254@vkoul-mobl/ Reported-by: Hien Dang Fixes: 24461d9792c2 ("dmaengine: virt-dma: Fix access after free in vchan_complete()") Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/1592482053-19433-1-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit accad539193e980ced538a36f9a0b42a708e9437 Author: Peter Ujfalusi Date: Thu Jun 18 14:40:04 2020 +0300 dmaengine: ti: k3-udma: Fix delayed_work usage for tx drain workaround [ Upstream commit d964d5ff68dba21b53368656adec3fb5f50426bb ] INIT_DELAYED_WORK_ONSTACK() must be used with on-stack delayed work, which is not the case here. Use normal delayed_work for the channels instead. Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") Reported-by: Tomi Valkeinen Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200618114004.6268-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 5f296630f1ba5fcbc7ab1b0f7f4a901c7eb7574b Author: Nikhil Rao Date: Mon Jun 22 13:38:34 2020 -0700 dmaengine: idxd: fix cdev locking for open and release [ Upstream commit 66983bc18fad17d10766650b3685045f6f092d73 ] add the wq lock in cdev open and release call. This fixes race conditions observed in the open and close routines. Fixes: 42d279f9137a ("dmaengine: idxd: add char driver to expose submission portal to userland") Signed-off-by: Nikhil Rao Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/159285824892.64944.2905413694915141834.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d2c452814bce34cc70edc4b97f29e9771b78ea94 Author: Pierre-Louis Bossart Date: Wed Jun 17 11:35:36 2020 -0500 soundwire: intel: fix memory leak with devm_kasprintf [ Upstream commit bf6d6e68d2028a2d82f4c106f50ec75cc1e6ef89 ] The dais are allocated with devm_kcalloc() but their name isn't resourced managed and never freed. Fix by also using devm_ for the dai names as well. Fixes: c46302ec554c5 ('soundwire: intel: Add audio DAI ops') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Daniel Baluta Reviewed-by: Kai Vehmanen Reviewed-by: Rander Wang Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20200617163536.17401-1-pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ac8c350118f459f78402abf39d58cfb081b00f25 Author: Peter Ujfalusi Date: Wed May 27 09:53:57 2020 +0300 dmaengine: ti: k3-udma: Use correct node to read "ti,udma-atype" [ Upstream commit 9f2f3ce3daed229eecf647acac44defbdee1f7c0 ] The "ti,udma-atype" property is expected in the UDMA node and not in the parent navss node. Fixes: 0ebcf1a274c5 ("dmaengine: ti: k3-udma: Implement support for atype (for virtualization)") Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200527065357.30791-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ef2f762c9a3ffde07b5e6440a2c4ef022f7cf9ef Author: Syed Nayyar Waris Date: Mon Mar 16 18:20:46 2020 +0530 counter: 104-quad-8: Add lock guards - filter clock prescaler [ Upstream commit d5ed76adb926a90fada98f518abc1ab6ef07d28f ] Add lock protection from race conditions to the 104-quad-8 counter driver for filter clock prescaler code changes. Mutex calls used for protection. Signed-off-by: Syed Nayyar Waris Fixes: de65d0556343 ("counter: 104-quad-8: Support Filter Clock Prescaler") Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 3def3445273412a4ca35ca12b63ff6ba0b9edb0a Author: Syed Nayyar Waris Date: Mon Mar 16 18:20:06 2020 +0530 counter: 104-quad-8: Add lock guards - differential encoder [ Upstream commit 708d98932893cea609386cefdfd190f757f5a61c ] Add lock protection from race conditions to 104-quad-8 counter driver for differential encoder status code changes. Mutex lock calls used for protection. Signed-off-by: Syed Nayyar Waris Fixes: 954ab5cc5f3e ("counter: 104-quad-8: Support Differential Encoder Cable Status") Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 145a7a955046e60671e7a1d05ec6022c0adb54d2 Author: Jonathan Cameron Date: Sun May 17 18:29:57 2020 +0100 iio:health:afe4404 Fix timestamp alignment and prevent data leak. [ Upstream commit f88ecccac4be348bbcc6d056bdbc622a8955c04d ] One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 40 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 87aec56e27ef ("iio: health: Add driver for the TI AFE4404 heart monitor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Andrew F. Davis Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit a6cea2f19e1d89800e65136274c08554e76ad976 Author: Stephan Gerhold Date: Sat Apr 25 13:06:31 2020 -0700 Input: mms114 - add extra compatible for mms345l [ Upstream commit 7842087b0196d674ed877d768de8f2a34d7fdc53 ] MMS345L is another first generation touch screen from Melfas, which uses mostly the same registers as MMS152. However, there is some garbage printed during initialization. Apparently MMS345L does not have the MMS152_COMPAT_GROUP register that is read+printed during initialization. TSP FW Rev: bootloader 0x6 / core 0x26 / config 0x26, Compat group: \x06 On earlier kernel versions the compat group was actually printed as an ASCII control character, seems like it gets escaped now. But we probably shouldn't print something from a random register. Add a separate "melfas,mms345l" compatible that avoids reading from the MMS152_COMPAT_GROUP register. This might also help in case there is some other device-specific quirk in the future. Signed-off-by: Stephan Gerhold Reviewed-by: Andi Shyti Link: https://lore.kernel.org/r/20200423102431.2715-1-stephan@gerhold.net Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 9aa8b4c9c91ba9b25c743f7b369cd478d79a82db Author: Pavel Begunkov Date: Wed Jul 15 22:20:45 2020 +0300 io_uring: fix recvmsg memory leak with buffer selection commit 681fda8d27a66f7e65ff7f2d200d7635e64a8d05 upstream. io_recvmsg() doesn't free memory allocated for struct io_buffer. This can causes a leak when used with automatic buffer selection. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit bc574a45659711f3e59cc1f8fee1afbf4ccb6f36 Author: Krzysztof Kozlowski Date: Mon Jun 22 13:05:41 2020 +0200 spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer [ Upstream commit 3c525b69e8c1a9a6944e976603c7a1a713e728f9 ] During shutdown, the driver should unregister the SPI controller and stop the hardware. Otherwise the dspi_transfer_one_message() could wait on completion infinitely. Additionally, calling spi_unregister_controller() first in device shutdown reverse-matches the probe function, where SPI controller is registered at the end. Fixes: dc234825997e ("spi: spi-fsl-dspi: Adding shutdown hook") Reported-by: Vladimir Oltean Signed-off-by: Krzysztof Kozlowski Tested-by: Vladimir Oltean Reviewed-by: Vladimir Oltean Cc: Link: https://lore.kernel.org/r/20200622110543.5035-2-krzk@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cf40b872a37110742c0dc6be8589ef19ad3d405e Author: Colin Ian King Date: Tue Apr 28 11:20:13 2020 +0100 scsi: qla2xxx: make 1-bit bit-fields unsigned int [ Upstream commit 78b874b7cbf09fbfadfa5f18a347ebef7bbb49fe ] The bitfields mpi_fw_dump_reading and mpi_fw_dumped are currently signed which is not recommended as the representation is an implementation defined behaviour. Fix this by making the bit-fields unsigned ints. Link: https://lore.kernel.org/r/20200428102013.1040598-1-colin.king@canonical.com Fixes: cbb01c2f2f63 ("scsi: qla2xxx: Fix MPI failure AEN (8200) handling") Reviewed-by: Bart Van Assche Reviewed-by: Himanshu Madhani Signed-off-by: Colin Ian King Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 7c1f7e5656890547358ada4907073d1c5d07a059 Author: Sascha Hauer Date: Wed Jun 24 09:00:45 2020 +0200 net: ethernet: mvneta: Add back interface mode validation [ Upstream commit 41c2b6b4f0f807803bb49f65835d136941a70f85 ] When writing the serdes configuration register was moved to mvneta_config_interface() the whole code block was removed from mvneta_port_power_up() in the assumption that its only purpose was to write the serdes configuration register. As mentioned by Russell King its purpose was also to check for valid interface modes early so that later in the driver we do not have to care for unexpected interface modes. Add back the test to let the driver bail out early on unhandled interface modes. Fixes: b4748553f53f ("net: ethernet: mvneta: Fix Serdes configuration for SoCs without comphy") Signed-off-by: Sascha Hauer Reviewed-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4b69ed756a9835c07a12d907955f24963d294777 Author: Sascha Hauer Date: Wed Jun 24 09:00:44 2020 +0200 net: ethernet: mvneta: Do not error out in non serdes modes [ Upstream commit d3d239dcb8aae6d7b10642d292b404e57604f7ea ] In mvneta_config_interface() the RGMII modes are catched by the default case which is an error return. The RGMII modes are valid modes for the driver, so instead of returning an error add a break statement to return successfully. This avoids this warning for non comphy SoCs which use RGMII, like SolidRun Clearfog: WARNING: CPU: 0 PID: 268 at drivers/net/ethernet/marvell/mvneta.c:3512 mvneta_start_dev+0x220/0x23c Fixes: b4748553f53f ("net: ethernet: mvneta: Fix Serdes configuration for SoCs without comphy") Signed-off-by: Sascha Hauer Reviewed-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7b7e1099e002523ad72a5241795a6de71915382f Author: Dan Carpenter Date: Fri Jul 10 14:36:10 2020 +0300 xen/xenbus: Fix a double free in xenbus_map_ring_pv() [ Upstream commit ba8c423488974f02b538e9dc1730f0334f9b85aa ] When there is an error the caller frees "info->node" so the free here will result in a double free. We should just delete first kfree(). Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200710113610.GA92345@mwanda Reviewed-by: Juergen Gross Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit 5077daec9578714d954cf2db4d10b5e0e919b366 Author: Florian Fainelli Date: Wed Jul 8 22:13:40 2020 -0700 arm64: Add missing sentinel to erratum_1463225 [ Upstream commit 09c717c92b52df54918e12cbfe6a4658233fda69 ] When the erratum_1463225 array was introduced a sentinel at the end was missing thus causing a KASAN: global-out-of-bounds in is_affected_midr_range_list on arm64 error. Fixes: a9e821b89daa ("arm64: Add KRYO4XX gold CPU cores to erratum list 1463225 and 1418040") Signed-off-by: Florian Fainelli Reviewed-by: Sai Prakash Ranjan Link: https://lore.kernel.org/linux-arm-kernel/CA+G9fYs3EavpU89-rTQfqQ9GgxAMgMAk7jiiVrfP0yxj5s+Q6g@mail.gmail.com/ Link: https://lore.kernel.org/r/20200709051345.14544-1-f.fainelli@gmail.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 22893fb0af03596dfdafbbdb78373efcff9c4316 Author: Jonathan Cameron Date: Sun May 17 18:29:56 2020 +0100 iio:health:afe4403 Fix timestamp alignment and prevent data leak. commit 3f9c6d38797e9903937b007a341dad0c251765d6 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: eec96d1e2d31 ("iio: health: Add driver for the TI AFE4403 heart monitor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Andrew F. Davis Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit b7cf06cc606afafcc5e8423cf3907868c40de822 Author: Jonathan Cameron Date: Sun Jun 7 16:53:57 2020 +0100 iio:pressure:ms5611 Fix buffer element alignment commit 8db4afe163bbdd93dca6fcefbb831ef12ecc6b4d upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here there is no data leak possibility so use an explicit structure on the stack to ensure alignment and nice readable fashion. The forced alignment of ts isn't strictly necessary in this driver as the padding will be correct anyway (there isn't any). However it is probably less fragile to have it there and it acts as documentation of the requirement. Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Tomasz Duszynski Cc: Signed-off-by: Greg Kroah-Hartman commit 953aedb099ad185d891bc42314a755ad558d9cde Author: Jonathan Cameron Date: Sun Jun 7 16:53:53 2020 +0100 iio:humidity:hts221 Fix alignment and data leak issues commit 5c49056ad9f3c786f7716da2dd47e4488fc6bd25 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Explicit alignment of ts needed to ensure consistent padding on all architectures (particularly x86_32 with it's 4 byte alignment of s64) Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device") Reported-by: Lars-Peter Clausen Acked-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit c9a69ba9196a56453582a7b3681a99be6fd229c8 Author: Navid Emamdoost Date: Thu Jun 4 21:44:44 2020 -0500 iio: pressure: zpa2326: handle pm_runtime_get_sync failure commit d88de040e1df38414fc1e4380be9d0e997ab4d58 upstream. Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count. Call pm_runtime_put if pm_runtime_get_sync fails. Signed-off-by: Navid Emamdoost Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8bc16a4690ba12c32216792d32aba464bb8716da Author: Chuhong Yuan Date: Thu May 28 14:41:21 2020 +0800 iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() commit d7369ae1f4d7cffa7574d15e1f787dcca184c49d upstream. The function iio_device_register() was called in mma8452_probe(). But the function iio_device_unregister() was not called after a call of the function mma8452_set_freefall_mode() failed. Thus add the missed function call for one error case. Fixes: 1a965d405fc6 ("drivers:iio:accel:mma8452: added cleanup provision in case of failure.") Signed-off-by: Chuhong Yuan Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 4f96f95beb442e31a295fc7eec8adf204650ec32 Author: Matt Ranostay Date: Tue Jun 9 06:01:16 2020 +0300 iio: core: add missing IIO_MOD_H2/ETHANOL string identifiers commit 25f02d3242ab4d16d0cee2dec0d89cedb3747fa9 upstream. Add missing strings to iio_modifier_names[] for proper modification of channels. Fixes: b170f7d48443d (iio: Add modifiers for ethanol and H2 gases) Signed-off-by: Matt Ranostay Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 69c88d9cf10779a8b2b939be7020522c0a101627 Author: Dinghao Liu Date: Tue May 26 18:47:17 2020 +0800 iio: magnetometer: ak8974: Fix runtime PM imbalance on error commit 0187294d227dfc42889e1da8f8ce1e44fc25f147 upstream. When devm_regmap_init_i2c() returns an error code, a pairing runtime PM usage counter decrement is needed to keep the counter balanced. For error paths after ak8974_set_power(), ak8974_detect() and ak8974_reset(), things are the same. However, When iio_triggered_buffer_setup() returns an error code, there will be two PM usgae counter decrements. Signed-off-by: Dinghao Liu Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974") Reviewed-by: Linus Walleij Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit e9e5cbbc9a5890c5323ac16e501ed4292cddc4b4 Author: Jonathan Cameron Date: Sun Jun 7 16:53:52 2020 +0100 iio:humidity:hdc100x Fix alignment and data leak issues commit ea5e7a7bb6205d24371373cd80325db1bc15eded upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 16bf793f86b2 ("iio: humidity: hdc100x: add triggered buffer support for HDC100X") Reported-by: Lars-Peter Clausen Acked-by: Matt Ranostay Cc: Alison Schofield Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 496f933df1165a0ed826c345e295c977eb7fc7b4 Author: Jonathan Cameron Date: Sun Jun 7 16:53:49 2020 +0100 iio:magnetometer:ak8974: Fix alignment and data leak issues commit 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974") Reported-by: Lars-Peter Clausen Reviewed-by: Linus Walleij Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 569d24a1247a78ffbb15b0a0d9173b03ff4c5c0e Author: Ard Biesheuvel Date: Thu Jul 9 15:59:53 2020 +0300 arm64/alternatives: don't patch up internal branches [ Upstream commit 5679b28142193a62f6af93249c0477be9f0c669b ] Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") moved the alternatives replacement sequences into subsections, in order to keep the as close as possible to the code that they replace. Unfortunately, this broke the logic in branch_insn_requires_update, which assumed that any branch into kernel executable code was a branch that required updating, which is no longer the case now that the code sequences that are patched in are in the same section as the patch site itself. So the only way to discriminate branches that require updating and ones that don't is to check whether the branch targets the replacement sequence itself, and so we can drop the call to kernel_text_address() entirely. Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") Reported-by: Alexandru Elisei Signed-off-by: Ard Biesheuvel Tested-by: Alexandru Elisei Link: https://lore.kernel.org/r/20200709125953.30918-1-ardb@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 826bf01548cf2d3985228af730d719d079415da9 Author: Andy Shevchenko Date: Thu Jul 2 13:15:27 2020 +0300 i2c: eg20t: Load module automatically if ID matches [ Upstream commit 5f90786b31fb7d1e199a8999d46c4e3aea672e11 ] The driver can't be loaded automatically because it misses module alias to be provided. Add corresponding MODULE_DEVICE_TABLE() call to the driver. Signed-off-by: Andy Shevchenko Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit dcce640d5b12f709e12f00d68315e6fc2f979c86 Author: Sai Prakash Ranjan Date: Tue Jun 30 23:30:55 2020 +0530 arm64: Add KRYO4XX silver CPU cores to erratum list 1530923 and 1024718 [ Upstream commit 9b23d95c539ebc5d6d6b5d6f20d2d7922384e76e ] KRYO4XX silver/LITTLE CPU cores with revision r1p0 are affected by erratum 1530923 and 1024718, so add them to the respective list. The variant and revision bits are implementation defined and are different from the their Cortex CPU counterparts on which they are based on, i.e., r1p0 is equivalent to rdpe. Signed-off-by: Sai Prakash Ranjan Link: https://lore.kernel.org/r/7013e8a3f857ca7e82863cc9e34a614293d7f80c.1593539394.git.saiprakash.ranjan@codeaurora.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 25a737bbe122bd2b804472e28a6282def402a9dd Author: Sai Prakash Ranjan Date: Tue Jun 30 23:30:54 2020 +0530 arm64: Add KRYO4XX gold CPU cores to erratum list 1463225 and 1418040 [ Upstream commit a9e821b89daa55cc940c546b124101939d3f0451 ] KRYO4XX gold/big CPU core revisions r0p0 to r3p1 are affected by erratum 1463225 and 1418040, so add them to the respective list. The variant and revision bits are implementation defined and are different from the their Cortex CPU counterparts on which they are based on, i.e., (r0p0 to r3p1) is equivalent to (rcpe to rfpf). Signed-off-by: Sai Prakash Ranjan Link: https://lore.kernel.org/r/83780e80c6377c12ca51b5d53186b61241685e49.1593539394.git.saiprakash.ranjan@codeaurora.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7371fc980f584c9503f1a858eb3d8233343d219d Author: Sai Prakash Ranjan Date: Tue Jun 30 23:30:53 2020 +0530 arm64: Add MIDR value for KRYO4XX gold CPU cores [ Upstream commit dce4f2807f6920bb907eb4cd4f95e7f42d918bc6 ] Add MIDR value for KRYO4XX gold/big CPU cores which are used in Qualcomm Technologies, Inc. SoCs. This will be used to identify and apply erratum which are applicable for these CPU cores. Signed-off-by: Sai Prakash Ranjan Link: https://lore.kernel.org/r/9093fb82e22441076280ca1b729242ffde80c432.1593539394.git.saiprakash.ranjan@codeaurora.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 3751fcfaceba84d7d0a4cc3fbe9bdcf485a66c21 Author: Bob Peterson Date: Thu Jun 25 14:42:17 2020 -0500 gfs2: The freeze glock should never be frozen [ Upstream commit c860f8ffbea8924de05a281b937128773d30a77c ] Before this patch, some gfs2 code locked the freeze glock with LM_FLAG_NOEXP (Do not freeze) flag, and some did not. We never want to freeze the freeze glock, so this patch makes it consistently use LM_FLAG_NOEXP always. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit c26a517fe322910a7fea885af6328436ccc18dac Author: Bob Peterson Date: Thu Jun 25 13:30:52 2020 -0500 gfs2: When freezing gfs2, use GL_EXACT and not GL_NOCACHE [ Upstream commit 623ba664b74a20f22a2ef7ebd71e171d2d7c626f ] Before this patch, the freeze code in gfs2 specified GL_NOCACHE in several places. That's wrong because we always want to know the state of whether the file system is frozen. There was also a problem with freeze/thaw transitioning the glock from frozen (EX) to thawed (SH) because gfs2 will normally grant glocks in EX to processes that request it in SH mode, unless GL_EXACT is specified. Therefore, the freeze/thaw code, which tried to reacquire the glock in SH mode would get the glock in EX mode, and miss the transition from EX to SH. That made it think the thaw had completed normally, but since the glock was still cached in EX, other nodes could not freeze again. This patch removes the GL_NOCACHE flag to allow the freeze glock to be cached. It also adds the GL_EXACT flag so the glock is fully transitioned from EX to SH, thereby allowing future freeze operations. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit c1647153c8ac5a196149c42f94aa9f8dba04ca60 Author: Bob Peterson Date: Thu Jun 25 13:30:18 2020 -0500 gfs2: read-only mounts should grab the sd_freeze_gl glock [ Upstream commit b780cc615ba4795a7ef0e93b19424828a5ad456a ] Before this patch, only read-write mounts would grab the freeze glock in read-only mode, as part of gfs2_make_fs_rw. So the freeze glock was never initialized. That meant requests to freeze, which request the glock in EX, were granted without any state transition. That meant you could mount a gfs2 file system, which is currently frozen on a different cluster node, in read-only mode. This patch makes read-only mounts lock the freeze glock in SH mode, which will block for file systems that are frozen on another node. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit aa12cb52e1a7c5ec7a013e95cd1950411d665826 Author: Bob Peterson Date: Thu Jun 25 13:29:44 2020 -0500 gfs2: freeze should work on read-only mounts [ Upstream commit 541656d3a5136ae830d604e237f29f406d42c592 ] Before this patch, function freeze_go_sync, called when promoting the freeze glock, was testing for the SDF_JOURNAL_LIVE superblock flag. That's only set for read-write mounts. Read-only mounts don't use a journal, so the bit is never set, so the freeze never happened. This patch removes the check for SDF_JOURNAL_LIVE for freeze requests but still checks it when deciding whether to flush a journal. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 028bd010bb4b08d17b5e0d0759c6333893d4a218 Author: Bob Peterson Date: Wed Jun 17 07:47:34 2020 -0500 gfs2: eliminate GIF_ORDERED in favor of list_empty [ Upstream commit 7542486b89b2e321ffe0de82163b425d6a38bc72 ] In several places, we used the GIF_ORDERED inode flag to determine if an inode was on the ordered writes list. However, since we always held the sd_ordered_lock spin_lock during the manipulation, we can just as easily check list_empty(&ip->i_ordered) instead. This allows us to keep more than one ordered writes list to make journal writing improvements. This patch eliminates GIF_ORDERED in favor of checking list_empty. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit f4d6ffaeb30836ac90e7686de2e8ec80e9316450 Author: Juergen Gross Date: Wed Jul 1 14:16:38 2020 +0200 xen/xenbus: let xenbus_map_ring_valloc() return errno values only [ Upstream commit 578c1bb9056263ad3c9e09746b3d6e4daf63bdb0 ] Today xenbus_map_ring_valloc() can return either a negative errno value (-ENOMEM or -EINVAL) or a grant status value. This is a mess as e.g -ENOMEM and GNTST_eagain have the same numeric value. Fix that by turning all grant mapping errors into -ENOENT. This is no problem as all callers of xenbus_map_ring_valloc() only use the return value to print an error message, and in case of mapping errors the grant status value has already been printed by __xenbus_map_ring() before. Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20200701121638.19840-3-jgross@suse.com Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit 41b016e0f6595b118b0c8b393257a8d3c093a9af Author: Juergen Gross Date: Wed Jul 1 14:16:37 2020 +0200 xen/xenbus: avoid large structs and arrays on the stack [ Upstream commit 3848e4e0a32afb96dc3b84e1358c3b9d103c6a2c ] xenbus_map_ring_valloc() and its sub-functions are putting quite large structs and arrays on the stack. This is problematic at runtime, but might also result in build failures (e.g. with clang due to the option -Werror,-Wframe-larger-than=... used). Fix that by moving most of the data from the stack into a dynamically allocated struct. Performance is no issue here, as xenbus_map_ring_valloc() is used only when adding a new PV device to a backend driver. While at it move some duplicated code from pv/hvm specific mapping functions to the single caller. Reported-by: Arnd Bergmann Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20200701121638.19840-2-jgross@suse.com Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit 15cc8626e3284547ee0acfd853dd4b5b089ce5ea Author: Vasily Averin Date: Sat Jun 13 17:18:33 2020 +0300 tpm_tis: extra chip->ops check on error path in tpm_tis_core_init [ Upstream commit ccf6fb858e17a8f8a914a1c6444d277cfedfeae6 ] Found by smatch: drivers/char/tpm/tpm_tis_core.c:1088 tpm_tis_core_init() warn: variable dereferenced before check 'chip->ops' (see line 979) 'chip->ops' is assigned in the beginning of function in tpmm_chip_alloc->tpm_chip_alloc and is used before first possible goto to error path. Signed-off-by: Vasily Averin Reviewed-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 5f14dab1a3a956b25cc9afe31e31a90fdcae5a17 Author: Ard Biesheuvel Date: Tue Jun 30 10:19:21 2020 +0200 arm64/alternatives: use subsections for replacement sequences [ Upstream commit f7b93d42945cc71e1346dd5ae07c59061d56745e ] When building very large kernels, the logic that emits replacement sequences for alternatives fails when relative branches are present in the code that is emitted into the .altinstr_replacement section and patched in at the original site and fixed up. The reason is that the linker will insert veneers if relative branches go out of range, and due to the relative distance of the .altinstr_replacement from the .text section where its branch targets usually live, veneers may be emitted at the end of the .altinstr_replacement section, with the relative branches in the sequence pointed at the veneers instead of the actual target. The alternatives patching logic will attempt to fix up the branch to point to its original target, which will be the veneer in this case, but given that the patch site is likely to be far away as well, it will be out of range and so patching will fail. There are other cases where these veneers are problematic, e.g., when the target of the branch is in .text while the patch site is in .init.text, in which case putting the replacement sequence inside .text may not help either. So let's use subsections to emit the replacement code as closely as possible to the patch site, to ensure that veneers are only likely to be emitted if they are required at the patch site as well, in which case they will be in range for the replacement sequence both before and after it is transported to the patch site. This will prevent alternative sequences in non-init code from being released from memory after boot, but this is tolerable given that the entire section is only 512 KB on an allyesconfig build (which weighs in at 500+ MB for the entire Image). Also, note that modules today carry the replacement sequences in non-init sections as well, and any of those that target init code will be emitted into init sections after this change. This fixes an early crash when booting an allyesconfig kernel on a system where any of the alternatives sequences containing relative branches are activated at boot (e.g., ARM64_HAS_PAN on TX2) Signed-off-by: Ard Biesheuvel Cc: Suzuki K Poulose Cc: James Morse Cc: Andre Przywara Cc: Dave P Martin Link: https://lore.kernel.org/r/20200630081921.13443-1-ardb@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 968a1abc3d15732634b86cd5e3d9af38eb6139d2 Author: Ronnie Sahlberg Date: Thu Jul 2 10:55:41 2020 +1000 cifs: prevent truncation from long to int in wait_for_free_credits [ Upstream commit 19e888678bac8c82206eb915eaf72741b2a2615c ] The wait_event_... defines evaluate to long so we should not assign it an int as this may truncate the value. Reported-by: Marshall Midden Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 5186ca4cf75cde0dfbbc1bac0145afa73d277e2e Author: Masahiro Yamada Date: Fri Jun 26 02:04:31 2020 +0900 dt-bindings: fix error in 'make clean' after 'make dt_binding_check' [ Upstream commit fa714cf58c7c09a454ff9fda2ee8318591128eb6 ] We are having more and more schema files. Commit 8b6b80218b01 ("dt-bindings: Fix command line length limit calling dt-mk-schema") fixed the 'Argument list too long' error of the schema checks, but the same error happens while cleaning too. 'make clean' after 'make dt_binding_check' fails as follows: $ make dt_binding_check [ snip ] $ make clean make[2]: execvp: /bin/sh: Argument list too long make[2]: *** [scripts/Makefile.clean:52: __clean] Error 127 make[1]: *** [scripts/Makefile.clean:66: Documentation/devicetree/bindings] Error 2 make: *** [Makefile:1763: _clean_Documentation] Error 2 'make dt_binding_check' generates so many .example.dts, .dt.yaml files, which are passed to the 'rm' command when you run 'make clean'. I added a small hack to use the 'find' command to clean up most of the build artifacts before they are processed by scripts/Makefile.clean Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20200625170434.635114-2-masahiroy@kernel.org Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 4880c316ddb98cb0069a61bf1c0fe765fa626f80 Author: Kangmin Park Date: Thu Jun 25 22:51:58 2020 +0900 dt-bindings: mailbox: zynqmp_ipi: fix unit address [ Upstream commit 35b9c0fdb9f666628ecda02b1fc44306933a2d97 ] Fix unit address to match the first address specified in the reg property of the node in example. Signed-off-by: Kangmin Park Link: https://lore.kernel.org/r/20200625135158.5861-1-l4stpr0gr4m@gmail.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 71b9e938ca30ed83d058355a01697e1b4681c5d6 Author: Masahiro Yamada Date: Tue Jun 23 20:32:42 2020 +0900 dt-bindings: bus: uniphier-system-bus: fix warning in example [ Upstream commit 0fb24d1e5a6cf3b7ca0df325fbfb10895df41bec ] Since commit e69f5dc623f9 ("dt-bindings: serial: Convert 8250 to json-schema"), the schema for "ns16550a" is checked. 'make dt_binding_check' emits the following warning: uart@5,00200000: $nodename:0: 'uart@5,00200000' does not match '^serial(@[0-9a-f,]+)*$' Rename the node to follow the pattern defined in Documentation/devicetree/bindings/serial/serial.yaml While I was here, I removed leading zeros from unit names. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20200623113242.779241-1-yamada.masahiro@socionext.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit e94821b277f88a5e2a8ee382490f6aace4e2fdfa Author: Angelo Dureghello Date: Wed Jun 17 09:53:41 2020 +0300 m68k: mm: fix node memblock init [ Upstream commit c43e55796dd4d13f4855971a4d7970ce2cd94db4 ] After pulling 5.7.0 (linux-next merge), mcf5441x mmu boot was hanging silently. memblock_add() seems not appropriate, since using MAX_NUMNODES as node id, while memblock_add_node() sets up memory for node id 0. Signed-off-by: Angelo Dureghello Signed-off-by: Mike Rapoport Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit abaa630175faef664d4e353e99f335eb7ad1a5c5 Author: Mike Rapoport Date: Wed Jun 17 09:53:40 2020 +0300 m68k: nommu: register start of the memory with memblock [ Upstream commit d63bd8c81d8ab64db506ffde569cc8ff197516e2 ] The m68k nommu setup code didn't register the beginning of the physical memory with memblock because it was anyway occupied by the kernel. However, commit fa3354e4ea39 ("mm: free_area_init: use maximal zone PFNs rather than zone sizes") changed zones initialization to use memblock.memory to detect the zone extents and this caused inconsistency between zone PFNs and the actual PFNs: BUG: Bad page state in process swapper pfn:20165 page:41fe0ca0 refcount:0 mapcount:1 mapping:00000000 index:0x0 flags: 0x0() raw: 00000000 00000100 00000122 00000000 00000000 00000000 00000000 00000000 page dumped because: nonzero mapcount CPU: 0 PID: 1 Comm: swapper Not tainted 5.8.0-rc1-00001-g3a38f8a60c65-dirty #1 Stack from 404c9ebc: 404c9ebc 4029ab28 4029ab28 40088470 41fe0ca0 40299e21 40299df1 404ba2a4 00020165 00000000 41fd2c10 402c7ba0 41fd2c04 40088504 41fe0ca0 40299e21 00000000 40088a12 41fe0ca0 41fe0ca4 0000020a 00000000 00000001 402ca000 00000000 41fe0ca0 41fd2c10 41fd2c10 00000000 00000000 402b2388 00000001 400a0934 40091056 404c9f44 404c9f44 40088db4 402c7ba0 00000001 41fd2c04 41fe0ca0 41fd2000 41fe0ca0 40089e02 4026ecf4 40089e4e 41fe0ca0 ffffffff Call Trace: [<40088470>] 0x40088470 [<40088504>] 0x40088504 [<40088a12>] 0x40088a12 [<402ca000>] 0x402ca000 [<400a0934>] 0x400a0934 Adjust the memory registration with memblock to include the beginning of the physical memory and make sure that the area occupied by the kernel is marked as reserved. Signed-off-by: Mike Rapoport Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit 1bccfbbd11d431f1550646ce395d6b6b60eb6f1a Author: Hou Tao Date: Tue Apr 28 09:54:56 2020 +0800 blk-mq-debugfs: update blk_queue_flag_name[] accordingly for new flags [ Upstream commit bfe373f608cf81b7626dfeb904001b0e867c5110 ] Else there may be magic numbers in /sys/kernel/debug/block/*/state. Signed-off-by: Hou Tao Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 56b8faa1129bb53be0b11e0d28889155d3522a0d Author: Srinivas Pandruvada Date: Wed Jun 24 11:51:40 2020 -0700 ACPI: DPTF: Add battery participant for TigerLake [ Upstream commit 1e05daca83bb42cde569f75f3bd7c8828b1ef30f ] Add DPTF battery participant ACPI ID for platforms based on the Intel TigerLake SoC. Signed-off-by: Srinivas Pandruvada [ rjw: Changelog ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit b4c2daf782aa634cd0b62ddcd7c581451388ade3 Author: Anson Huang Date: Thu Mar 26 22:29:05 2020 +0800 thermal/drivers: imx: Fix missing of_node_put() at probe time [ Upstream commit b45fd13be340e4ed0a2a9673ba299eb2a71ba829 ] After finishing using cpu node got from of_get_cpu_node(), of_node_put() needs to be called. Signed-off-by: Anson Huang Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/1585232945-23368-1-git-send-email-Anson.Huang@nxp.com Signed-off-by: Sasha Levin commit 041ee87d2fafe0c23ded3b5e072b03102be66893 Author: Petteri Aimonen Date: Tue Jun 16 11:12:57 2020 +0200 x86/fpu: Reset MXCSR to default in kernel_fpu_begin() [ Upstream commit 7ad816762f9bf89e940e618ea40c43138b479e10 ] Previously, kernel floating point code would run with the MXCSR control register value last set by userland code by the thread that was active on the CPU core just before kernel call. This could affect calculation results if rounding mode was changed, or a crash if a FPU/SIMD exception was unmasked. Restore MXCSR to the kernel's default value. [ bp: Carve out from a bigger patch by Petteri, add feature check, add FNINIT call too (amluto). ] Signed-off-by: Petteri Aimonen Signed-off-by: Borislav Petkov Link: https://bugzilla.kernel.org/show_bug.cgi?id=207979 Link: https://lkml.kernel.org/r/20200624114646.28953-2-bp@alien8.de Signed-off-by: Sasha Levin commit 328d258d58b4407a0a4c93eb92e306eef13cf037 Author: Navid Emamdoost Date: Mon Jun 15 00:49:28 2020 -0500 drm/exynos: fix ref count leak in mic_pre_enable [ Upstream commit d4f5a095daf0d25f0b385e1ef26338608433a4c5 ] in mic_pre_enable, pm_runtime_get_sync is called which increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit 43474d6022d8877c1326860772da76cf6cb73691 Author: Marek Szyprowski Date: Mon Jun 1 17:06:30 2020 +0900 drm/exynos: Properly propagate return value in drm_iommu_attach_device() [ Upstream commit b9c633882de4601015625f9136f248e9abca8a7a ] Propagate the proper error codes from the called functions instead of unconditionally returning 0. Reported-by: kbuild test robot Signed-off-by: Marek Szyprowski Merge conflict so merged it manually. Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit fa7408f3a20324fa72fc0f7a82c861c15fb1d080 Author: Krishna Manikandan Date: Thu May 28 14:04:28 2020 +0530 drm/msm/dpu: allow initialization of encoder locks during encoder init [ Upstream commit 2e7ec6b5297157efabb50e5f82adc628cf90296c ] In the current implementation, mutex initialization for encoder mutex locks are done during encoder setup. This can lead to scenarios where the lock is used before it is initialized. Move mutex_init to dpu_encoder_init to avoid this. Signed-off-by: Krishna Manikandan Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit e1a5b8403617aa986ca0e0ae01e4980877cee9ea Author: Bernard Zhao Date: Fri Jun 12 09:23:49 2020 +0800 drm/msm: fix potential memleak in error branch [ Upstream commit 177d3819633cd520e3f95df541a04644aab4c657 ] In function msm_submitqueue_create, the queue is a local variable, in return -EINVAL branch, queue didn`t add to ctx`s list yet, and also didn`t kfree, this maybe bring in potential memleak. Signed-off-by: Bernard Zhao [trivial commit msg fixup] Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 1c06a0be5d3b0352f2cbdb457a3766bc9f9fa6eb Author: Taehee Yoo Date: Thu Jul 2 17:06:19 2020 +0000 hsr: fix interface leak in error path of hsr_dev_finalize() [ Upstream commit ccfc9df1352be5b2f391091e18c4b2395d30ce78 ] To release hsr(upper) interface, it should release its own lower interfaces first. Then, hsr(upper) interface can be released safely. In the current code of error path of hsr_dev_finalize(), it releases hsr interface before releasing a lower interface. So, a warning occurs, which warns about the leak of lower interfaces. In order to fix this problem, changing the ordering of the error path of hsr_dev_finalize() is needed. Test commands: ip link add dummy0 type dummy ip link add dummy1 type dummy ip link add dummy2 type dummy ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1 ip link add hsr1 type hsr slave1 dummy2 slave2 dummy0 Splat looks like: [ 214.923127][ C2] WARNING: CPU: 2 PID: 1093 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0 [ 214.923129][ C2] Modules linked in: hsr dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipx [ 214.923154][ C2] CPU: 2 PID: 1093 Comm: ip Not tainted 5.8.0-rc2+ #623 [ 214.923156][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 214.923157][ C2] RIP: 0010:rollback_registered_many+0x986/0xcf0 [ 214.923160][ C2] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 5 [ 214.923162][ C2] RSP: 0018:ffff8880c5156f28 EFLAGS: 00010287 [ 214.923165][ C2] RAX: ffff8880d1dad458 RBX: ffff8880bd1b9000 RCX: ffffffffb929d243 [ 214.923167][ C2] RDX: 1ffffffff77e63f0 RSI: 0000000000000008 RDI: ffffffffbbf31f80 [ 214.923168][ C2] RBP: dffffc0000000000 R08: fffffbfff77e63f1 R09: fffffbfff77e63f1 [ 214.923170][ C2] R10: ffffffffbbf31f87 R11: 0000000000000001 R12: ffff8880c51570a0 [ 214.923172][ C2] R13: ffff8880bd1b90b8 R14: ffff8880c5157048 R15: ffff8880d1dacc40 [ 214.923174][ C2] FS: 00007fdd257a20c0(0000) GS:ffff8880da200000(0000) knlGS:0000000000000000 [ 214.923175][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 214.923177][ C2] CR2: 00007ffd78beb038 CR3: 00000000be544005 CR4: 00000000000606e0 [ 214.923179][ C2] Call Trace: [ 214.923180][ C2] ? netif_set_real_num_tx_queues+0x780/0x780 [ 214.923182][ C2] ? dev_validate_mtu+0x140/0x140 [ 214.923183][ C2] ? synchronize_rcu.part.79+0x85/0xd0 [ 214.923185][ C2] ? synchronize_rcu_expedited+0xbb0/0xbb0 [ 214.923187][ C2] rollback_registered+0xc8/0x170 [ 214.923188][ C2] ? rollback_registered_many+0xcf0/0xcf0 [ 214.923190][ C2] unregister_netdevice_queue+0x18b/0x240 [ 214.923191][ C2] hsr_dev_finalize+0x56e/0x6e0 [hsr] [ 214.923192][ C2] hsr_newlink+0x36b/0x450 [hsr] [ 214.923194][ C2] ? hsr_dellink+0x70/0x70 [hsr] [ 214.923195][ C2] ? rtnl_create_link+0x2e4/0xb00 [ 214.923197][ C2] ? __netlink_ns_capable+0xc3/0xf0 [ 214.923198][ C2] __rtnl_newlink+0xbdb/0x1270 [ ... ] Fixes: e0a4b99773d3 ("hsr: use upper/lower device infrastructure") Reported-by: syzbot+7f1c020f68dab95aab59@syzkaller.appspotmail.com Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 145e5c45c142001b6699f871b5bb5fd2b9543709 Author: Taehee Yoo Date: Thu Jul 2 17:08:55 2020 +0000 net: rmnet: do not allow to add multiple bridge interfaces [ Upstream commit 2fb2799a2abb39d7dbb48abb3baa1133bf5e921a ] rmnet can have only two bridge interface. One of them is a link interface and another one is added by the master operation. rmnet interface shouldn't allow adding additional bridge interfaces by mater operation. But, there is no code to deny additional interfaces. So, interface leak occurs. Test commands: ip link add dummy0 type dummy ip link add dummy1 type dummy ip link add dummy2 type dummy ip link add rmnet0 link dummy0 type rmnet mux_id 1 ip link set dummy1 master rmnet0 ip link set dummy2 master rmnet0 ip link del rmnet0 In the above test command, the dummy0 was attached to rmnet as VND mode. Then, dummy1 was attached to rmnet0 as BRIDGE mode. At this point, dummy0 mode is switched from VND to BRIDGE automatically. Then, dummy2 is attached to rmnet as BRIDGE mode. At this point, rmnet0 should deny this operation. But, rmnet0 doesn't deny this. So that below splat occurs when the rmnet0 interface is deleted. Splat looks like: [ 186.684787][ C2] WARNING: CPU: 2 PID: 1009 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0 [ 186.684788][ C2] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_x [ 186.684805][ C2] CPU: 2 PID: 1009 Comm: ip Not tainted 5.8.0-rc1+ #621 [ 186.684807][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 186.684808][ C2] RIP: 0010:rollback_registered_many+0x986/0xcf0 [ 186.684811][ C2] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 5 [ 186.684812][ C2] RSP: 0018:ffff8880cd9472e0 EFLAGS: 00010287 [ 186.684815][ C2] RAX: ffff8880cc56da58 RBX: ffff8880ab21c000 RCX: ffffffff9329d323 [ 186.684816][ C2] RDX: 1ffffffff2be6410 RSI: 0000000000000008 RDI: ffffffff95f32080 [ 186.684818][ C2] RBP: dffffc0000000000 R08: fffffbfff2be6411 R09: fffffbfff2be6411 [ 186.684819][ C2] R10: ffffffff95f32087 R11: 0000000000000001 R12: ffff8880cd947480 [ 186.684820][ C2] R13: ffff8880ab21c0b8 R14: ffff8880cd947400 R15: ffff8880cdf10640 [ 186.684822][ C2] FS: 00007f00843890c0(0000) GS:ffff8880d4e00000(0000) knlGS:0000000000000000 [ 186.684823][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 186.684825][ C2] CR2: 000055b8ab1077b8 CR3: 00000000ab612006 CR4: 00000000000606e0 [ 186.684826][ C2] Call Trace: [ 186.684827][ C2] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 186.684829][ C2] ? netif_set_real_num_tx_queues+0x780/0x780 [ 186.684830][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] [ 186.684831][ C2] ? __kasan_slab_free+0x126/0x150 [ 186.684832][ C2] ? kfree+0xdc/0x320 [ 186.684834][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] [ 186.684835][ C2] unregister_netdevice_many.part.135+0x13/0x1b0 [ 186.684836][ C2] rtnl_delete_link+0xbc/0x100 [ ... ] [ 238.440071][ T1009] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1 Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a786e2d942b70ab5745873b5531c4f2fc74a6f5f Author: Paolo Abeni Date: Fri Jul 3 18:06:04 2020 +0200 mptcp: fix DSS map generation on fin retransmission [ Upstream commit 9c29e36152748fd623fcff6cc8f538550f9eeafc ] The RFC 8684 mandates that no-data DATA FIN packets should carry a DSS with 0 sequence number and data len equal to 1. Currently, on FIN retransmission we re-use the existing mapping; if the previous fin transmission was part of a partially acked data packet, we could end-up writing in the egress packet a non-compliant DSS. The above will be detected by a "Bad mapping" warning on the receiver side. This change addresses the issue explicitly checking for 0 len packet when adding the DATA_FIN option. Fixes: 6d0060f600ad ("mptcp: Write MPTCP DSS headers to outgoing data packets") Reported-by: syzbot+42a07faa5923cfaeb9c9@syzkaller.appspotmail.com Tested-by: Christoph Paasch Reviewed-by: Christoph Paasch Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5d9341e8c977d3c2c27e10029ed6f1e3de465241 Author: Michal Kubecek Date: Thu Jul 9 12:11:50 2020 +0200 ethtool: fix genlmsg_put() failure handling in ethnl_default_dumpit() [ Upstream commit 365f9ae4ee36037e2a9268fe7296065356840b4c ] If the genlmsg_put() call in ethnl_default_dumpit() fails, we bail out without checking if we already have some messages in current skb like we do with ethnl_default_dump_one() failure later. Therefore if existing messages almost fill up the buffer so that there is not enough space even for netlink and genetlink header, we lose all prepared messages and return and error. Rather than duplicating the skb->len check, move the genlmsg_put(), genlmsg_cancel() and genlmsg_end() calls into ethnl_default_dump_one(). This is also more logical as all message composition will be in ethnl_default_dump_one() and only iteration logic will be left in ethnl_default_dumpit(). Fixes: 728480f12442 ("ethtool: default handlers for GET requests") Reported-by: Jakub Kicinski Signed-off-by: Michal Kubecek Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dedadfe5aeba0d623af3e3b3e25e0df581f02101 Author: Miaohe Lin Date: Sat Jun 27 15:47:51 2020 +0800 net: ipv4: Fix wrong type conversion from hint to rt in ip_route_use_hint() [ Upstream commit 2ce578ca9444bb44da66b9a494f56e7ec12e6466 ] We can't cast sk_buff to rtable by (struct rtable *)hint. Use skb_rtable(). Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 54e5e458698fa3cc736627a8219a4d3c436a0418 Author: Cong Wang Date: Sat Jun 27 00:12:24 2020 -0700 genetlink: get rid of family->attrbuf [ Upstream commit bf64ff4c2aac65d680dc639a511c781cf6b6ec08 ] genl_family_rcv_msg_attrs_parse() reuses the global family->attrbuf when family->parallel_ops is false. However, family->attrbuf is not protected by any lock on the genl_family_rcv_msg_doit() code path. This leads to several different consequences, one of them is UAF, like the following: genl_family_rcv_msg_doit(): genl_start(): genl_family_rcv_msg_attrs_parse() attrbuf = family->attrbuf __nlmsg_parse(attrbuf); genl_family_rcv_msg_attrs_parse() attrbuf = family->attrbuf __nlmsg_parse(attrbuf); info->attrs = attrs; cb->data = info; netlink_unicast_kernel(): consume_skb() genl_lock_dumpit(): genl_dumpit_info(cb)->attrs Note family->attrbuf is an array of pointers to the skb data, once the skb is freed, any dereference of family->attrbuf will be a UAF. Maybe we could serialize the family->attrbuf with genl_mutex too, but that would make the locking more complicated. Instead, we can just get rid of family->attrbuf and always allocate attrbuf from heap like the family->parallel_ops==true code path. This may add some performance overhead but comparing with taking the global genl_mutex, it still looks better. Fixes: 75cdbdd08900 ("net: ieee802154: have genetlink code to parse the attrs during dumpit") Fixes: 057af7071344 ("net: tipc: have genetlink code to parse the attrs during dumpit") Reported-and-tested-by: syzbot+3039ddf6d7b13daf3787@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+80cad1e3cb4c41cde6ff@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+736bcbcb11b60d0c0792@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+520f8704db2b68091d44@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f16bc8afeead46937bbcf740cfda82df4f14152c Author: Willem de Bruijn Date: Wed Jul 1 16:00:06 2020 -0400 ip: Fix SO_MARK in RST, ACK and ICMP packets [ Upstream commit 0da7536fb47f51df89ccfcb1fa09f249d9accec5 ] When no full socket is available, skbs are sent over a per-netns control socket. Its sk_mark is temporarily adjusted to match that of the real (request or timewait) socket or to reflect an incoming skb, so that the outgoing skb inherits this in __ip_make_skb. Introduction of the socket cookie mark field broke this. Now the skb is set through the cookie and cork: # init sockc.mark from sk_mark or cmsg ip_append_data ip_setup_cork # convert sockc.mark to cork mark ip_push_pending_frames ip_finish_skb __ip_make_skb # set skb->mark to cork mark But I missed these special control sockets. Update all callers of __ip(6)_make_skb that were originally missed. For IPv6, the same two icmp(v6) paths are affected. The third case is not, as commit 92e55f412cff ("tcp: don't annotate mark on control socket from tcp_v6_send_response()") replaced the ctl_sk->sk_mark with passing the mark field directly as a function argument. That commit predates the commit that introduced the bug. Fixes: c6af0c227a22 ("ip: support SO_MARK cmsg") Signed-off-by: Willem de Bruijn Reported-by: Martin KaFai Lau Reviewed-by: Martin KaFai Lau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eaf0f61b02abea29bb66452cf26d77c9b2ae5bfd Author: Alex Elder Date: Tue Jun 30 07:44:44 2020 -0500 net: ipa: introduce ipa_cmd_tag_process() [ Upstream commit 6cb63ea6a39eac9640d109f274a237b34350c183 ] Create a new function ipa_cmd_tag_process() that simply allocates a transaction, adds a tag process command to it to clear the hardware pipeline, and commits the transaction. Call it in from ipa_endpoint_suspend(), after suspending the modem endpoints but before suspending the AP command TX and AP LAN RX endpoints (which are used by the tag sequence). Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7a29b159e0aa77e6016c99a1a08e9cde4ab6b1a0 Author: Alex Elder Date: Tue Jun 30 07:44:42 2020 -0500 net: ipa: always check for stopped channel [ Upstream commit 5468cbcddf47f674829c6ada190283108a63d7b5 ] In gsi_channel_stop(), there's a check to see if the channel might have entered STOPPED state since a previous call, which might have timed out before stopping completed. That check actually belongs in gsi_channel_stop_command(), which is called repeatedly by gsi_channel_stop() for RX channels. Fixes: 650d1603825d ("soc: qcom: ipa: the generic software interface") Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8975d6b3a251e1cdb7af52dcd3eda633c7d94d32 Author: Cong Wang Date: Thu Jul 9 16:28:44 2020 -0700 cgroup: Fix sock_cgroup_data on big-endian. [ Upstream commit 14b032b8f8fce03a546dcf365454bec8c4a58d7d ] In order for no_refcnt and is_data to be the lowest order two bits in the 'val' we have to pad out the bitfield of the u8. Fixes: ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()") Reported-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 26d0bcfcf7150bc7c115f2d3f2f1459e64029b98 Author: Cong Wang Date: Thu Jul 2 11:52:56 2020 -0700 cgroup: fix cgroup_sk_alloc() for sk_clone_lock() [ Upstream commit ad0f75e5f57ccbceec13274e1e242f2b5a6397ed ] When we clone a socket in sk_clone_lock(), its sk_cgrp_data is copied, so the cgroup refcnt must be taken too. And, unlike the sk_alloc() path, sock_update_netprioidx() is not called here. Therefore, it is safe and necessary to grab the cgroup refcnt even when cgroup_sk_alloc is disabled. sk_clone_lock() is in BH context anyway, the in_interrupt() would terminate this function if called there. And for sk_alloc() skcd->val is always zero. So it's safe to factor out the code to make it more readable. The global variable 'cgroup_sk_alloc_disabled' is used to determine whether to take these reference counts. It is impossible to make the reference counting correct unless we save this bit of information in skcd->val. So, add a new bit there to record whether the socket has already taken the reference counts. This obviously relies on kmalloc() to align cgroup pointers to at least 4 bytes, ARCH_KMALLOC_MINALIGN is certainly larger than that. This bug seems to be introduced since the beginning, commit d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets") tried to fix it but not compeletely. It seems not easy to trigger until the recent commit 090e28b229af ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Reported-by: Cameron Berkenpas Reported-by: Peter Geis Reported-by: Lu Fengqi Reported-by: Daniël Sonck Reported-by: Zhang Qiang Tested-by: Cameron Berkenpas Tested-by: Peter Geis Tested-by: Thomas Lamprecht Cc: Daniel Borkmann Cc: Zefan Li Cc: Tejun Heo Cc: Roman Gushchin Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e01f7dc41b2ab30f9e0a2259837c89cb64538492 Author: Eric Dumazet Date: Wed Jul 1 18:39:33 2020 -0700 tcp: md5: allow changing MD5 keys in all socket states [ Upstream commit 1ca0fafd73c5268e8fc4b997094b8bb2bfe8deea ] This essentially reverts commit 721230326891 ("tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets") Mathieu reported that many vendors BGP implementations can actually switch TCP MD5 on established flows. Quoting Mathieu : Here is a list of a few network vendors along with their behavior with respect to TCP MD5: - Cisco: Allows for password to be changed, but within the hold-down timer (~180 seconds). - Juniper: When password is initially set on active connection it will reset, but after that any subsequent password changes no network resets. - Nokia: No notes on if they flap the tcp connection or not. - Ericsson/RedBack: Allows for 2 password (old/new) to co-exist until both sides are ok with new passwords. - Meta-Switch: Expects the password to be set before a connection is attempted, but no further info on whether they reset the TCP connection on a change. - Avaya: Disable the neighbor, then set password, then re-enable. - Zebos: Would normally allow the change when socket connected. We can revert my prior change because commit 9424e2e7ad93 ("tcp: md5: fix potential overestimation of TCP option space") removed the leak of 4 kernel bytes to the wire that was the main reason for my patch. While doing my investigations, I found a bug when a MD5 key is changed, leading to these commits that stable teams want to consider before backporting this revert : Commit 6a2febec338d ("tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()") Commit e6ced831ef11 ("tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers") Fixes: 721230326891 "tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets" Signed-off-by: Eric Dumazet Reported-by: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ecedde0d3fa2ad4ad67b3de6684d0ff831f69537 Author: Eric Dumazet Date: Wed Jul 1 11:43:04 2020 -0700 tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers [ Upstream commit e6ced831ef11a2a06e8d00aad9d4fc05b610bf38 ] My prior fix went a bit too far, according to Herbert and Mathieu. Since we accept that concurrent TCP MD5 lookups might see inconsistent keys, we can use READ_ONCE()/WRITE_ONCE() instead of smp_rmb()/smp_wmb() Clearing all key->key[] is needed to avoid possible KMSAN reports, if key->keylen is increased. Since tcp_md5_do_add() is not fast path, using __GFP_ZERO to clear all struct tcp_md5sig_key is simpler. data_race() was added in linux-5.8 and will prevent KCSAN reports, this can safely be removed in stable backports, if data_race() is not yet backported. v2: use data_race() both in tcp_md5_hash_key() and tcp_md5_do_add() Fixes: 6a2febec338d ("tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()") Signed-off-by: Eric Dumazet Cc: Mathieu Desnoyers Cc: Herbert Xu Cc: Marco Elver Reviewed-by: Mathieu Desnoyers Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 754056791f66153890825c2626174aaa7fe82d16 Author: Toke Høiland-Jørgensen Date: Tue Jul 7 13:03:25 2020 +0200 vlan: consolidate VLAN parsing code and limit max parsing depth [ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ] Toshiaki pointed out that we now have two very similar functions to extract the L3 protocol number in the presence of VLAN tags. And Daniel pointed out that the unbounded parsing loop makes it possible for maliciously crafted packets to loop through potentially hundreds of tags. Fix both of these issues by consolidating the two parsing functions and limiting the VLAN tag parsing to a max depth of 8 tags. As part of this, switch over __vlan_get_protocol() to use skb_header_pointer() instead of pskb_may_pull(), to avoid the possible side effects of the latter and keep the skb pointer 'const' through all the parsing functions. v2: - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT) Reported-by: Toshiaki Makita Reported-by: Daniel Borkmann Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit da515d8113d597d89525bfbafded02a5bb954a65 Author: Eric Dumazet Date: Wed Jul 1 12:41:23 2020 -0700 tcp: md5: do not send silly options in SYNCOOKIES [ Upstream commit e114e1e8ac9d31f25b9dd873bab5d80c1fc482ca ] Whenever cookie_init_timestamp() has been used to encode ECN,SACK,WSCALE options, we can not remove the TS option in the SYNACK. Otherwise, tcp_synack_options() will still advertize options like WSCALE that we can not deduce later when receiving the packet from the client to complete 3WHS. Note that modern linux TCP stacks wont use MD5+TS+SACK in a SYN packet, but we can not know for sure that all TCP stacks have the same logic. Before the fix a tcpdump would exhibit this wrong exchange : 10:12:15.464591 IP C > S: Flags [S], seq 4202415601, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 456965269 ecr 0,nop,wscale 8], length 0 10:12:15.464602 IP S > C: Flags [S.], seq 253516766, ack 4202415602, win 65535, options [nop,nop,md5 valid,mss 1400,nop,nop,sackOK,nop,wscale 8], length 0 10:12:15.464611 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 valid], length 0 10:12:15.464678 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options [nop,nop,md5 valid], length 12 10:12:15.464685 IP S > C: Flags [.], ack 13, win 65535, options [nop,nop,md5 valid], length 0 After this patch the exchange looks saner : 11:59:59.882990 IP C > S: Flags [S], seq 517075944, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508483 ecr 0,nop,wscale 8], length 0 11:59:59.883002 IP S > C: Flags [S.], seq 1902939253, ack 517075945, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508479 ecr 1751508483,nop,wscale 8], length 0 11:59:59.883012 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 0 11:59:59.883114 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 12 11:59:59.883122 IP S > C: Flags [.], ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508483], length 0 11:59:59.883152 IP S > C: Flags [P.], seq 1:13, ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508483], length 12 11:59:59.883170 IP C > S: Flags [.], ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508484], length 0 Of course, no SACK block will ever be added later, but nothing should break. Technically, we could remove the 4 nops included in MD5+TS options, but again some stacks could break seeing not conventional alignment. Fixes: 4957faade11b ("TCPCT part 1g: Responder Cookie => Initiator") Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 128d5b2632acc3d4da4c499b16cc41557a4c6cb5 Author: Eric Dumazet Date: Tue Jun 30 16:41:01 2020 -0700 tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() [ Upstream commit 6a2febec338df7e7699a52d00b2e1207dcf65b28 ] MD5 keys are read with RCU protection, and tcp_md5_do_add() might update in-place a prior key. Normally, typical RCU updates would allocate a new piece of memory. In this case only key->key and key->keylen might be updated, and we do not care if an incoming packet could see the old key, the new one, or some intermediate value, since changing the key on a live flow is known to be problematic anyway. We only want to make sure that in the case key->keylen is changed, cpus in tcp_md5_hash_key() wont try to use uninitialized data, or crash because key->keylen was read twice to feed sg_init_one() and ahash_request_set_crypt() Fixes: 9ea88a153001 ("tcp: md5: check md5 signature without socket lock") Signed-off-by: Eric Dumazet Cc: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1bc3b4516a9ff8c59d3749dd34dd39bce64f3836 Author: Christoph Paasch Date: Wed Jul 8 16:18:34 2020 -0700 tcp: make sure listeners don't initialize congestion-control state [ Upstream commit ce69e563b325f620863830c246a8698ccea52048 ] syzkaller found its way into setsockopt with TCP_CONGESTION "cdg". tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock just copies all the memory, the allocated pointer will be copied as well, if the app called setsockopt(..., TCP_CONGESTION) on the listener. If now the socket will be destroyed before the congestion-control has properly been initialized (through a call to tcp_init_transfer), we will end up freeing memory that does not belong to that particular socket, opening the door to a double-free: [ 11.413102] ================================================================== [ 11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0 [ 11.415329] [ 11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 #80 [ 11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 11.418148] Call Trace: [ 11.418534] [ 11.418834] dump_stack+0x7d/0xb0 [ 11.419297] print_address_description.constprop.0+0x1a/0x210 [ 11.422079] kasan_report_invalid_free+0x51/0x80 [ 11.423433] __kasan_slab_free+0x15e/0x170 [ 11.424761] kfree+0x8c/0x230 [ 11.425157] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.425872] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.426493] inet_csk_destroy_sock+0x153/0x2c0 [ 11.427093] tcp_v4_syn_recv_sock+0xb29/0x1100 [ 11.427731] tcp_get_cookie_sock+0xc3/0x4a0 [ 11.429457] cookie_v4_check+0x13d0/0x2500 [ 11.433189] tcp_v4_do_rcv+0x60e/0x780 [ 11.433727] tcp_v4_rcv+0x2869/0x2e10 [ 11.437143] ip_protocol_deliver_rcu+0x23/0x190 [ 11.437810] ip_local_deliver+0x294/0x350 [ 11.439566] __netif_receive_skb_one_core+0x15d/0x1a0 [ 11.441995] process_backlog+0x1b1/0x6b0 [ 11.443148] net_rx_action+0x37e/0xc40 [ 11.445361] __do_softirq+0x18c/0x61a [ 11.445881] asm_call_on_stack+0x12/0x20 [ 11.446409] [ 11.446716] do_softirq_own_stack+0x34/0x40 [ 11.447259] do_softirq.part.0+0x26/0x30 [ 11.447827] __local_bh_enable_ip+0x46/0x50 [ 11.448406] ip_finish_output2+0x60f/0x1bc0 [ 11.450109] __ip_queue_xmit+0x71c/0x1b60 [ 11.451861] __tcp_transmit_skb+0x1727/0x3bb0 [ 11.453789] tcp_rcv_state_process+0x3070/0x4d3a [ 11.456810] tcp_v4_do_rcv+0x2ad/0x780 [ 11.457995] __release_sock+0x14b/0x2c0 [ 11.458529] release_sock+0x4a/0x170 [ 11.459005] __inet_stream_connect+0x467/0xc80 [ 11.461435] inet_stream_connect+0x4e/0xa0 [ 11.462043] __sys_connect+0x204/0x270 [ 11.465515] __x64_sys_connect+0x6a/0xb0 [ 11.466088] do_syscall_64+0x3e/0x70 [ 11.466617] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.467341] RIP: 0033:0x7f56046dc469 [ 11.467844] Code: Bad RIP value. [ 11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469 [ 11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000 [ 11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003 [ 11.474321] [ 11.474527] Allocated by task 4884: [ 11.475031] save_stack+0x1b/0x40 [ 11.475548] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 11.476182] tcp_cdg_init+0xf0/0x150 [ 11.476744] tcp_init_congestion_control+0x9b/0x3a0 [ 11.477435] tcp_set_congestion_control+0x270/0x32f [ 11.478088] do_tcp_setsockopt.isra.0+0x521/0x1a00 [ 11.478744] __sys_setsockopt+0xff/0x1e0 [ 11.479259] __x64_sys_setsockopt+0xb5/0x150 [ 11.479895] do_syscall_64+0x3e/0x70 [ 11.480395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.481097] [ 11.481321] Freed by task 4872: [ 11.481783] save_stack+0x1b/0x40 [ 11.482230] __kasan_slab_free+0x12c/0x170 [ 11.482839] kfree+0x8c/0x230 [ 11.483240] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.483948] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.484502] inet_csk_destroy_sock+0x153/0x2c0 [ 11.485144] tcp_close+0x932/0xfe0 [ 11.485642] inet_release+0xc1/0x1c0 [ 11.486131] __sock_release+0xc0/0x270 [ 11.486697] sock_close+0xc/0x10 [ 11.487145] __fput+0x277/0x780 [ 11.487632] task_work_run+0xeb/0x180 [ 11.488118] __prepare_exit_to_usermode+0x15a/0x160 [ 11.488834] do_syscall_64+0x4a/0x70 [ 11.489326] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Wei Wang fixed a part of these CDG-malloc issues with commit c12014440750 ("tcp: memset ca_priv data to 0 properly"). This patch here fixes the listener-scenario: We make sure that listeners setting the congestion-control through setsockopt won't initialize it (thus CDG never allocates on listeners). For those who use AF_UNSPEC to reuse a socket, tcp_disconnect() is changed to cleanup afterwards. (The issue can be reproduced at least down to v4.4.x.) Cc: Wei Wang Cc: Eric Dumazet Fixes: 2b0a8c9eee81 ("tcp: add CDG congestion control") Signed-off-by: Christoph Paasch Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 43e3007dbd6c44ee5285ac40a45af8c42da613c0 Author: Eric Dumazet Date: Tue Jun 30 13:51:28 2020 -0700 tcp: fix SO_RCVLOWAT possible hangs under high mem pressure [ Upstream commit ba3bb0e76ccd464bb66665a1941fabe55dadb3ba ] Whenever tcp_try_rmem_schedule() returns an error, we are under trouble and should make sure to wakeup readers so that they can drain socket queues and eventually make room. Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 38fd50f9c00eabf7fd52c0e6c00ad13362836d3e Author: Toke Høiland-Jørgensen Date: Fri Jul 3 22:26:43 2020 +0200 sched: consistently handle layer3 header accesses in the presence of VLANs [ Upstream commit d7bf2ebebc2bd61ab95e2a8e33541ef282f303d4 ] There are a couple of places in net/sched/ that check skb->protocol and act on the value there. However, in the presence of VLAN tags, the value stored in skb->protocol can be inconsistent based on whether VLAN acceleration is enabled. The commit quoted in the Fixes tag below fixed the users of skb->protocol to use a helper that will always see the VLAN ethertype. However, most of the callers don't actually handle the VLAN ethertype, but expect to find the IP header type in the protocol field. This means that things like changing the ECN field, or parsing diffserv values, stops working if there's a VLAN tag, or if there are multiple nested VLAN tags (QinQ). To fix this, change the helper to take an argument that indicates whether the caller wants to skip the VLAN tags or not. When skipping VLAN tags, we make sure to skip all of them, so behaviour is consistent even in QinQ mode. To make the helper usable from the ECN code, move it to if_vlan.h instead of pkt_sched.h. v3: - Remove empty lines - Move vlan variable definitions inside loop in skb_protocol() - Also use skb_protocol() helper in IP{,6}_ECN_decapsulate() and bpf_skb_ecn_set_ce() v2: - Use eth_type_vlan() helper in skb_protocol() - Also fix code that reads skb->protocol directly - Change a couple of 'if/else if' statements to switch constructs to avoid calling the helper twice Reported-by: Ilya Ponetayev Fixes: d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4228befd567c2d6846f8bdfd3e0b59d9a02543be Author: AceLan Kao Date: Tue Jul 7 16:14:45 2020 +0800 net: usb: qmi_wwan: add support for Quectel EG95 LTE modem [ Upstream commit f815dd5cf48b905eeecf0a2b990e9b7ab048b4f1 ] Add support for Quectel Wireless Solutions Co., Ltd. EG95 LTE modem T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0195 Rev=03.18 S: Manufacturer=Android S: Product=Android C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) Signed-off-by: AceLan Kao Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c68a51e91b11e0bf679f742a04916c66e6571d22 Author: Cong Wang Date: Wed Jul 8 20:13:59 2020 -0700 net_sched: fix a memory leak in atm_tc_init() [ Upstream commit 306381aec7c2b5a658eebca008c8a1b666536cba ] When tcf_block_get() fails inside atm_tc_init(), atm_tc_put() is called to release the qdisc p->link.q. But the flow->ref prevents it to do so, as the flow->ref is still zero. Fix this by moving the p->link.ref initialization before tcf_block_get(). Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") Reported-and-tested-by: syzbot+d411cff6ab29cc2c311b@syzkaller.appspotmail.com Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12e7a208a95cfb80a336704337329b092f35c653 Author: Carl Huang Date: Tue Jun 30 14:52:51 2020 +0800 net: qrtr: free flow in __qrtr_node_release [ Upstream commit 28541f3d324f6de1e545e2875283b6cef95c5d36 ] The flow is allocated in qrtr_tx_wait, but not freed when qrtr node is released. (*slot) becomes NULL after radix_tree_iter_delete is called in __qrtr_node_release. The fix is to save (*slot) to a vairable and then free it. This memory leak is catched when kmemleak is enabled in kernel, the report looks like below: unreferenced object 0xffffa0de69e08420 (size 32): comm "kworker/u16:3", pid 176, jiffies 4294918275 (age 82858.876s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 28 84 e0 69 de a0 ff ff ........(..i.... 28 84 e0 69 de a0 ff ff 03 00 00 00 00 00 00 00 (..i............ backtrace: [<00000000e252af0a>] qrtr_node_enqueue+0x38e/0x400 [qrtr] [<000000009cea437f>] qrtr_sendmsg+0x1e0/0x2a0 [qrtr] [<000000008bddbba4>] sock_sendmsg+0x5b/0x60 [<0000000003beb43a>] qmi_send_message.isra.3+0xbe/0x110 [qmi_helpers] [<000000009c9ae7de>] qmi_send_request+0x1c/0x20 [qmi_helpers] Signed-off-by: Carl Huang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ba3bb7159f41f337605ae32505a9f754933c4d4 Author: Codrin Ciubotariu Date: Thu Jul 2 12:44:50 2020 +0300 net: dsa: microchip: set the correct number of ports [ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ] The number of ports is incorrectly set to the maximum available for a DSA switch. Even if the extra ports are not used, this causes some functions to be called later, like port_disable() and port_stp_state_set(). If the driver doesn't check the port index, it will end up modifying unknown registers. Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") Signed-off-by: Codrin Ciubotariu Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a600d334c0382387fa177d94d3b7ea986b4aa83c Author: Martin Varghese Date: Sun Jul 5 14:23:49 2020 +0530 net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb [ Upstream commit 394de110a73395de2ca4516b0de435e91b11b604 ] The packets from tunnel devices (eg bareudp) may have only metadata in the dst pointer of skb. Hence a pointer check of neigh_lookup is needed in dst_neigh_lookup_skb Kernel crashes when packets from bareudp device is processed in the kernel neighbour subsytem. [ 133.384484] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 133.385240] #PF: supervisor instruction fetch in kernel mode [ 133.385828] #PF: error_code(0x0010) - not-present page [ 133.386603] PGD 0 P4D 0 [ 133.386875] Oops: 0010 [#1] SMP PTI [ 133.387275] CPU: 0 PID: 5045 Comm: ping Tainted: G W 5.8.0-rc2+ #15 [ 133.388052] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 133.391076] RIP: 0010:0x0 [ 133.392401] Code: Bad RIP value. [ 133.394029] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246 [ 133.396656] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00 [ 133.399018] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400 [ 133.399685] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000 [ 133.400350] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400 [ 133.401010] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003 [ 133.401667] FS: 00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000 [ 133.402412] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 133.402948] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0 [ 133.403611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 133.404270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 133.404933] Call Trace: [ 133.405169] [ 133.405367] __neigh_update+0x5a4/0x8f0 [ 133.405734] arp_process+0x294/0x820 [ 133.406076] ? __netif_receive_skb_core+0x866/0xe70 [ 133.406557] arp_rcv+0x129/0x1c0 [ 133.406882] __netif_receive_skb_one_core+0x95/0xb0 [ 133.407340] process_backlog+0xa7/0x150 [ 133.407705] net_rx_action+0x2af/0x420 [ 133.408457] __do_softirq+0xda/0x2a8 [ 133.408813] asm_call_on_stack+0x12/0x20 [ 133.409290] [ 133.409519] do_softirq_own_stack+0x39/0x50 [ 133.410036] do_softirq+0x50/0x60 [ 133.410401] __local_bh_enable_ip+0x50/0x60 [ 133.410871] ip_finish_output2+0x195/0x530 [ 133.411288] ip_output+0x72/0xf0 [ 133.411673] ? __ip_finish_output+0x1f0/0x1f0 [ 133.412122] ip_send_skb+0x15/0x40 [ 133.412471] raw_sendmsg+0x853/0xab0 [ 133.412855] ? insert_pfn+0xfe/0x270 [ 133.413827] ? vvar_fault+0xec/0x190 [ 133.414772] sock_sendmsg+0x57/0x80 [ 133.415685] __sys_sendto+0xdc/0x160 [ 133.416605] ? syscall_trace_enter+0x1d4/0x2b0 [ 133.417679] ? __audit_syscall_exit+0x1d9/0x280 [ 133.418753] ? __prepare_exit_to_usermode+0x5d/0x1a0 [ 133.419819] __x64_sys_sendto+0x24/0x30 [ 133.420848] do_syscall_64+0x4d/0x90 [ 133.421768] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 133.422833] RIP: 0033:0x7fe013689c03 [ 133.423749] Code: Bad RIP value. [ 133.424624] RSP: 002b:00007ffc7288f418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 133.425940] RAX: ffffffffffffffda RBX: 000056151fc63720 RCX: 00007fe013689c03 [ 133.427225] RDX: 0000000000000040 RSI: 000056151fc63720 RDI: 0000000000000003 [ 133.428481] RBP: 00007ffc72890b30 R08: 000056151fc60500 R09: 0000000000000010 [ 133.429757] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 [ 133.431041] R13: 000056151fc636e0 R14: 000056151fc616bc R15: 0000000000000080 [ 133.432481] Modules linked in: mpls_iptunnel act_mirred act_tunnel_key cls_flower sch_ingress veth mpls_router ip_tunnel bareudp ip6_udp_tunnel udp_tunnel macsec udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc xt_MASQUERADE iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc ebtable_filter ebtables overlay ip6table_filter ip6_tables iptable_filter sunrpc ext4 mbcache jbd2 pcspkr i2c_piix4 virtio_balloon joydev ip_tables xfs libcrc32c ata_generic qxl pata_acpi drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ata_piix libata virtio_net net_failover virtio_console failover virtio_blk i2c_core virtio_pci virtio_ring serio_raw floppy virtio dm_mirror dm_region_hash dm_log dm_mod [ 133.444045] CR2: 0000000000000000 [ 133.445082] ---[ end trace f4aeee1958fd1638 ]--- [ 133.446236] RIP: 0010:0x0 [ 133.447180] Code: Bad RIP value. [ 133.448152] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246 [ 133.449363] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00 [ 133.450835] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400 [ 133.452237] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000 [ 133.453722] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400 [ 133.455149] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003 [ 133.456520] FS: 00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000 [ 133.458046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 133.459342] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0 [ 133.460782] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 133.462240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 133.463697] Kernel panic - not syncing: Fatal exception in interrupt [ 133.465226] Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 133.467025] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Fixes: aaa0c23cb901 ("Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug") Signed-off-by: Martin Varghese Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6528c11ce8f1b729922b7b6a34d814cb38cbf024 Author: Eric Dumazet Date: Sat Jun 27 13:31:50 2020 -0700 llc: make sure applications use ARPHRD_ETHER [ Upstream commit a9b1110162357689a34992d5c925852948e5b9fd ] syzbot was to trigger a bug by tricking AF_LLC with non sensible addr->sllc_arphrd It seems clear LLC requires an Ethernet device. Back in commit abf9d537fea2 ("llc: add support for SO_BINDTODEVICE") Octavian Purdila added possibility for application to use a zero value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause regressions on existing applications. BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline] BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline] BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline] BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline] BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline] BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813 Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27 CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __read_once_size include/linux/compiler.h:199 [inline] list_empty include/linux/list.h:268 [inline] waitqueue_active include/linux/wait.h:126 [inline] wq_has_sleeper include/linux/wait.h:160 [inline] skwq_has_sleeper include/net/sock.h:2092 [inline] sock_def_write_space+0x642/0x670 net/core/sock.c:2813 sock_wfree+0x1e1/0x260 net/core/sock.c:1958 skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652 skb_release_all+0x16/0x60 net/core/skbuff.c:663 __kfree_skb net/core/skbuff.c:679 [inline] consume_skb net/core/skbuff.c:838 [inline] consume_skb+0xfb/0x410 net/core/skbuff.c:832 __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967 dev_kfree_skb_any include/linux/netdevice.h:3650 [inline] e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline] e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796 napi_poll net/core/dev.c:6532 [inline] net_rx_action+0x508/0x1120 net/core/dev.c:6600 __do_softirq+0x262/0x98c kernel/softirq.c:292 run_ksoftirqd kernel/softirq.c:603 [inline] run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595 smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 8247: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x121/0x710 mm/slab.c:3484 sock_alloc_inode+0x1c/0x1d0 net/socket.c:240 alloc_inode+0x68/0x1e0 fs/inode.c:230 new_inode_pseudo+0x19/0xf0 fs/inode.c:919 sock_alloc+0x41/0x270 net/socket.c:560 __sock_create+0xc2/0x730 net/socket.c:1384 sock_create net/socket.c:1471 [inline] __sys_socket+0x103/0x220 net/socket.c:1513 __do_sys_socket net/socket.c:1522 [inline] __se_sys_socket net/socket.c:1520 [inline] __ia32_sys_socket+0x73/0xb0 net/socket.c:1520 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Freed by task 17: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x86/0x320 mm/slab.c:3694 sock_free_inode+0x20/0x30 net/socket.c:261 i_callback+0x44/0x80 fs/inode.c:219 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2183 [inline] rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417 __do_softirq+0x262/0x98c kernel/softirq.c:292 The buggy address belongs to the object at ffff88801e0b4000 which belongs to the cache sock_inode_cache of size 1152 The buggy address is located 120 bytes inside of 1152-byte region [ffff88801e0b4000, ffff88801e0b4480) The buggy address belongs to the page: page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40 raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: abf9d537fea2 ("llc: add support for SO_BINDTODEVICE") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7610c0a0fd755f556a755864eac01b2fae0b5dcb Author: Xin Long Date: Tue Jul 7 02:02:32 2020 +0800 l2tp: remove skb_dst_set() from l2tp_xmit_skb() [ Upstream commit 27d53323664c549b5bb2dfaaf6f7ad6e0376a64e ] In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set skb's dst. However, it will eventually call inet6_csk_xmit() or ip_queue_xmit() where skb's dst will be overwritten by: skb_dst_set_noref(skb, dst); without releasing the old dst in skb. Then it causes dst/dev refcnt leak: unregister_netdevice: waiting for eth0 to become free. Usage count = 1 This can be reproduced by simply running: # modprobe l2tp_eth && modprobe l2tp_ip # sh ./tools/testing/selftests/net/l2tp.sh So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst should be dropped. This patch is to fix it by removing skb_dst_set() from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core(). Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") Reported-by: Hangbin Liu Signed-off-by: Xin Long Acked-by: James Chapman Tested-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit df182be6e45705ae9beabd6b8560743e8b62b942 Author: David Ahern Date: Tue Jul 7 07:39:24 2020 -0600 ipv6: Fix use of anycast address with loopback [ Upstream commit aea23c323d89836bcdcee67e49def997ffca043b ] Thomas reported a regression with IPv6 and anycast using the following reproducer: echo 1 > /proc/sys/net/ipv6/conf/all/forwarding ip -6 a add fc12::1/16 dev lo sleep 2 echo "pinging lo" ping6 -c 2 fc12:: The conversion of addrconf_f6i_alloc to use ip6_route_info_create missed the use of fib6_is_reject which checks addresses added to the loopback interface and sets the REJECT flag as needed. Update fib6_is_reject for loopback checks to handle RTF_ANYCAST addresses. Fixes: c7a1ce397ada ("ipv6: Change addrconf_f6i_alloc to use ip6_route_info_create") Reported-by: thomas.gambier@nexedi.com Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9a749f197cd3ff4f6a5bf33ea5d99669531a765c Author: David Ahern Date: Mon Jul 6 11:45:07 2020 -0600 ipv6: fib6_select_path can not use out path for nexthop objects [ Upstream commit 34fe5a1cf95c3f114068fc16d919c9cf4b00e428 ] Brian reported a crash in IPv6 code when using rpfilter with a setup running FRR and external nexthop objects. The root cause of the crash is fib6_select_path setting fib6_nh in the result to NULL because of an improper check for nexthop objects. More specifically, rpfilter invokes ip6_route_lookup with flowi6_oif set causing fib6_select_path to be called with have_oif_match set. fib6_select_path has early check on have_oif_match and jumps to the out label which presumes a builtin fib6_nh. This path is invalid for nexthop objects; for external nexthops fib6_select_path needs to just return if the fib6_nh has already been set in the result otherwise it returns after the call to nexthop_path_fib6_result. Update the check on have_oif_match to not bail on external nexthops. Update selftests for this problem. Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info") Reported-by: Brian Rak Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc96bd44146e7bb44d1bd53a437b001eec91f5a2 Author: Sabrina Dubroca Date: Fri Jul 3 17:00:32 2020 +0200 ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg [ Upstream commit 5eff06902394425c722f0a44d9545909a8800f79 ] IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to incomplete IPsec ACQUIRE messages being sent to userspace. Currently, both raw sockets and IPv6 ping sockets set those fields. Expected output of "ip xfrm monitor": acquire proto esp sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4 policy src 10.0.2.15/32 dst 8.8.8.8/32 Currently with ping sockets: acquire proto esp sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4 policy src 10.0.2.15/32 dst 8.8.8.8/32 The Libreswan test suite found this problem after Fedora changed the value for the sysctl net.ipv4.ping_group_range. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Reported-by: Paul Wouters Tested-by: Paul Wouters Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 27ef12da026bc5156eb43b810951d1c4b2eee0af Author: Sean Tranchetti Date: Tue Jun 30 11:50:17 2020 -0600 genetlink: remove genl_bind [ Upstream commit 1e82a62fec613844da9e558f3493540a5b7a7b67 ] A potential deadlock can occur during registering or unregistering a new generic netlink family between the main nl_table_lock and the cb_lock where each thread wants the lock held by the other, as demonstrated below. 1) Thread 1 is performing a netlink_bind() operation on a socket. As part of this call, it will call netlink_lock_table(), incrementing the nl_table_users count to 1. 2) Thread 2 is registering (or unregistering) a genl_family via the genl_(un)register_family() API. The cb_lock semaphore will be taken for writing. 3) Thread 1 will call genl_bind() as part of the bind operation to handle subscribing to GENL multicast groups at the request of the user. It will attempt to take the cb_lock semaphore for reading, but it will fail and be scheduled away, waiting for Thread 2 to finish the write. 4) Thread 2 will call netlink_table_grab() during the (un)registration call. However, as Thread 1 has incremented nl_table_users, it will not be able to proceed, and both threads will be stuck waiting for the other. genl_bind() is a noop, unless a genl_family implements the mcast_bind() function to handle setting up family-specific multicast operations. Since no one in-tree uses this functionality as Cong pointed out, simply removing the genl_bind() function will remove the possibility for deadlock, as there is no attempt by Thread 1 above to take the cb_lock semaphore. Fixes: c380d9a7afff ("genetlink: pass multicast bind/unbind to families") Suggested-by: Cong Wang Acked-by: Johannes Berg Reported-by: kernel test robot Signed-off-by: Sean Tranchetti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5386ced3f35efb73b862bc6670632c043b2a3e9b Author: Linus Lüssing Date: Sun Jul 5 21:10:17 2020 +0200 bridge: mcast: Fix MLD2 Report IPv6 payload length check [ Upstream commit 5fc6266af7b427243da24f3443a50cd4584aac06 ] Commit e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") introduced a bug in the IPv6 header payload length check which would potentially lead to rejecting a valid MLD2 Report: The check needs to take into account the 2 bytes for the "Number of Sources" field in the "Multicast Address Record" before reading it. And not the size of a pointer to this field. Fixes: e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") Acked-by: Nikolay Aleksandrov Signed-off-by: Linus Lüssing Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman